Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Social Engineering
DLL DNS attacks Emails malware Microsoft Teams Social Engineering

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

 


A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.

Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.

BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

Read more »
Social Engineering
Blockchain Forensics Cloud Breach Crypto Laundering Crypto Theft cyber espionage Cyber Threats DevOps Security Kubernetes Exploits North Korean Hackers Social Engineering

North Korean Hackers Orchestrate Impeccable Multi Million Dollar Crypto Theft

 


Several highly calculated cloud intrusion campaigns have been linked to a North Korean threat actor identified as UNC4899, demonstrating the growing convergence between cyber espionage and financial crime. Using a sophisticated methodology, the operation appears to have been meticulously designed with the singular objective of siphoning millions of dollars in digital assets off a cryptocurrency organization in 2025. 

Researchers who have assessed the breach note a degree of precision and operational discipline that are consistent with state-sponsored activity, thereby reinforcing its moderate attribution to Pyongyang's cyber apparatus. Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor are other aliases used by the group. 

The group is part of a larger trend in which adaptive threat actors are quietly infiltrating and persisting in complex cloud environments for the purpose of monetizing access. Despite the scale and persistence of these operations, they are not without precedent. 

ased on the findings of a United Nations Panel of Experts, at least 58 targeted intrusions against cryptocurrency platforms were perpetrated by the Democratic People's Republic of Korea between 2017 and 2023 that targeted the extraction of a total of $3 billion in virtual assets. 

A number of senior U.S. officials have expressed parallel views, including Anne Neuberger, Deputy National Security Advisor for Emerging Technology, that proceeds derived from these cyber campaigns are not simply opportunistic gains, but are strategically directed, with some of the proceeds believed to be used for nuclear weapons development. 

Collectively, these developments demonstrate how the use of cyber operations has become deeply ingrained in Pyongyang's overall statecraft, serving both as a means of revenue generation and as a means of enabling strategic capabilities. 

Further strengthening this dual-use approach is the sustained investment in technological infrastructure, operator training, and tooling sophistication of North Korea’s cyber units, which has enabled them to refine their tradecraft and maintain a persistent edge in both financial and intelligence-driven operations. 

Recently, threat intelligence has indicated a significant change in both target patterns and operational methodologies regarding cryptocurrency threats. Despite the fact that exchanges will continue to account for a significant share of financial losses in 2025, a greater proportion will involve high net-worth individuals whose digital asset portfolios are becoming increasingly attractive targets as a result. 

Threat actors are often able to exploit exploitable security gaps created by these individuals compared to institutional platforms because these individuals typically operate with relatively limited security controls. In several cases, it appears that the targeting extends beyond personal holdings, with individuals being targeted for their proximity to organizations managing substantial cryptocurrency reserves. 

As victimology has evolved, attack vectors have also evolved. Social engineering techniques are presently the dominant intrusion methods. In addition to exploiting vulnerabilities within blockchain infrastructure, adversaries are increasingly obtaining credentials and bypassing authentication safeguards by deception, impersonation, and psychological manipulation, underscoring human weakness as an important point of failure. 

In parallel, the post-exploitation phase has evolved into an increasingly adaptive contest between illicit actors and blockchain intelligence providers. Due to the increasing sophistication of analytical tools used by law enforcement and compliance teams in tracing transactional flows, North Korean-linked operators have enhanced their laundering strategies by increasing the level of technical complexity and layering of operations. 

In recent years, these methods have become increasingly complex, involving iterative mixing cycles, interchain transfers, as well as the deliberate use of non-monitored blockchain networks with limited visibility. 

A number of tactics can also be employed to maximize cost through the acquisition of protocol-specific utility tokens, manipulate refund mechanisms to redirect funds to newly created wallets, and create bespoke tokens within controlled ecosystems for the purpose of obscuring data. 

A sustained and evolving cat-and-mouse dynamic is evident in these practices, in which advances in forensic capabilities are accompanied by escalation of adversarial tradecraft. Further contextualization of this incident is provided by Google Cloud’s Cloud Threat Horizons Report, which reveals an intrusion chain involving social engineering as well as the exploiting of trust boundaries between corporate and personal environments. 

Initial access was reportedly gained by tricking a developer into downloading a trojanized file masquerading as a legitimate open-source collaboration. A seemingly benign interaction resulted in compromising a personal workstation, which ultimately became the gateway to the organization's corporate environment and, ultimately, its cloud infrastructure as a whole. 

A nuanced understanding of cloud-native architecture was demonstrated by the attackers once access had been established. By exploiting legitimate DevOps processes, they harvested credentials and manipulated managed database services, including Cloud SQL instances, to enable the covert extraction of cryptocurrency assets. This post-compromise activity has been intentionally designed to blend malicious operations with normal system behavior.

Through the modification of Kubernetes configurations and the execution of carefully crafted commands, threat actors were able to maintain persistence while minimizing detection. This tactic is increasingly referred to as “living off-the-cloud” in which native platform features are repurposed to maintain unauthorized access. 

Moreover, it reveals systemic weaknesses in the management of sensitive data and credentials in hybrid environments, especially where personal and corporate workflows are not adequately separated. Security practitioners emphasize the need for layered defensive measures in order to mitigate such threats, including stringent identity verification controls, tighter governance over data transmission channels, and isolation within cloud execution contexts in order to contain potential vulnerabilities. 

A growing consensus is urging the reduction of the attack surface by limiting the use of external devices and unsecured communication methods, including ad hoc file-sharing protocols, to reduce attack vulnerabilities, as adversaries continue to develop methods for exploiting human trust alongside technical complexity.

There has been a shocking increase in losses approaching the $2 billion mark, which serves as a stark indication of both the maturation of adversarial capabilities and the expansion of the attack surface within the digital asset ecosystem. At the same time, advanced blockchain intelligence reinforces the importance of protecting against such threats at the same time. 

In spite of North Korean-linked operators' continued refinement of tactics, distributed ledger technology offers a structural advantage to investigators equipped with sophisticated forensic tools due to its inherent transparency. Using deep transaction tracing, behavioral analytics, and cross-chain visibility, firms such as Elliptic have demonstrated how illicit financial flows can be illuminated that would otherwise remain undetected. 

There is a clear indication that the balance between attackers and defenders is evolving as threat actors innovate in obfuscation and laundering. Analytics-driven oversight is paralleling this innovation, enabling industry stakeholders and law enforcement agencies to identify anomalies, attribute malicious activities, and disrupt financial pipelines in an increasingly precise manner. 

Consequently, blockchain transparency, once regarded primarily as a feature of decentralization, is now emerging as a critical enforcement mechanism, supporting efforts to maintain trust, security, and innovation while maintaining the integrity of the crypto ecosystem.
Read more »
data security
AI Risks AI Systems ChatGPT. OpenAI Corporate data Cyber Security Data protection Data Risk data security

China Warns Government Staff Against Using OpenClaw AI Over Data Security Concerns

 

Recently, Chinese government offices along with public sector firms began advising staff not to add OpenClaw onto official gadgets - sources close to internal discussions say. Security issues are a key reason behind these alerts. As powerful artificial intelligence spreads faster across workplaces, unease about information safety has been rising too. 

Though built on open code, OpenClaw operates with surprising independence, handling intricate jobs while needing little guidance. Because it acts straight within machines, interest surged quickly - not just among coders but also big companies and city planners. Across Chinese industrial zones and digital centers, its presence now spreads quietly yet steadily. Still, top oversight bodies along with official news outlets keep pointing to possible dangers tied to the app. 

If given deep access to operating systems, these artificial intelligence programs might expose confidential details, wipe essential documents, or handle personal records improperly - officials say. In agencies and big companies managing vast amounts of vital information, those threats carry heavier weight. A report notes workers in public sector firms received clear directions to avoid using OpenClaw, sometimes extending to private gadgets. Despite lacking an official prohibition, insiders from a federal body say personnel faced firm warnings about downloading the software over data risks. 

How widely such limits apply - across locations or agencies - is still uncertain. A careful approach reveals how Beijing juggles competing priorities. Even as officials push forward with plans to embed artificial intelligence into various sectors - spurring development through widespread tech adoption - they also work to contain threats linked to digital security and information control. Growing global tensions add pressure, sharpening concerns about who manages data, and under what conditions. Uncertainty shapes decisions more than any single policy goal. 

Even with such cautions in place, some regional projects still move forward using OpenClaw. Take, for example, health-related programs under Shenzhen’s city government - these are said to have run extensive training drills featuring the artificial intelligence model, tied into wider upgrades across digital infrastructure. Elsewhere within the same city, one administrative area turned to OpenClaw when building a specialized helper designed specifically for public sector workflows. 

Although national leaders call for restraint, some regional bodies might test limited applications tied to progress targets. Whether broader limits emerge - or monitoring simply increases - stays unclear. What happens next depends on shifting priorities at different levels. Recently joining OpenAI, Peter Steinberger originally created OpenClaw as an open-source initiative hosted on GitHub. Attention around the tool has grown since his new role became known. 

When AI systems gain greater independence and embed themselves into daily operations, questions about safety will grow sharper - especially where confidential or controlled information is involved.
Read more »
Zombie ZIP
Antivirus Bypass Security Flaw malware ZIP Exploit Zombie ZIP

Zombie ZIP Evasion Exposes Antivirus Blind Spot

 

A recently revealed technique known as Zombie ZIP demonstrates how attackers can embed malware inside fragmented and corrupted archives that can’t be fully scanned by most security solutions. By exploiting the way ZIP headers are processed, it enables malicious payloads to evade antivirus and EDR solutions even if the file appears corrupted to end users.

Zombie ZIP works by manipulating the ZIP header so that the archive claims its contents are stored with the “Method 0” (STORED) mode, which means uncompressed data. In reality, the payload is still compressed with the standard Deflate algorithm, so scanners that trust the header see only high-entropy “noise” instead of recognizable malware signatures. Standard utilities like WinRAR, 7‑Zip, or unzip will usually throw errors or report corruption when users attempt to extract these malformed files. 

Security researcher Chris Aziz of Bombadil Systems tested this approach against VirusTotal and found that 50 out of 51 antivirus engines failed to detect the hidden payload when using Zombie ZIP archives. He also published proof-of-concept code and sample archives on GitHub, making it easier for security teams and, unfortunately, attackers to reproduce the method. A key trick is setting the CRC integrity value to match the uncompressed payload, which further confuses extraction and scanning tools. 

While common archivers fail, a custom loader can simply ignore the misleading header and decompress the data as Deflate, recovering the embedded malware without issues. This means an attacker only needs to get the loader executed once on a target system to start unpacking any number of Zombie ZIP containers. Once the loader runs, traditional defenses lose the benefit of pre-execution scanning at the file level. 

The CERT Coordination Center (CERT/CC) issued an advisory assigning CVE‑2026‑0866 to the issue and warning that malformed archives can undermine current detection models. CERT/CC notes that some tools do manage to decompress these archives correctly, but many popular solutions still fail, echoing an old flaw tracked as CVE‑2004‑0935 in early ESET antivirus versions. The agency urges vendors to validate compression method fields against actual data, detect structural inconsistencies, and enable more aggressive archive inspection. 

Not all experts agree that Zombie ZIP deserves a CVE, however, with several researchers arguing it is a clever evasion trick rather than a true vulnerability. They point out that these archives are not openable with standard tools and that using a custom loader already implies the system is compromised in some way. As one researcher put it, corrupting or encrypting any file and then requiring a special loader achieves a similar outcome without necessarily exposing a new flaw. 

For everyday users and organizations, the practical takeaway is to treat suspicious ZIP files with extra caution, especially from unknown senders. CERT/CC advises deleting archives that fail to extract and show “unsupported method” or similar errors, rather than repeatedly trying to open them. Meanwhile, defenders should pressure vendors to harden archive parsing and incorporate deeper content validation so that tricks like Zombie ZIP do not become a reliable blind spot in the malware detection chain.
Read more »
WhatsApp hacking
AIVD MIVD warning cyber espionage Data Breach Russian Hackers Signal security breach social engineering attacks WhatsApp hacking

Russian Cyber Campaign Targets Signal and WhatsApp Users Through Social Engineering Tactics

 

Hackers believed to be linked to Russia are attempting to gain access to Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide—not by breaking encryption, but by manipulating users into giving up their access credentials.

This warning was issued on Monday by the Netherlands’ intelligence and military agencies, AIVD and MIVD, which reported a "large-scale" cyber operation focused on compromising accounts on these messaging platforms. Instead of attacking the apps’ end-to-end encryption, the campaign aims to take control of user accounts and discreetly monitor their communications.

According to the agencies, attackers directly contact targets through chats and convince them to share verification codes or PINs, effectively handing over account access. In certain instances, the hackers impersonate a Signal support bot to make their requests appear authentic. Once the code is provided, they can log in and view private messages or track group conversations without bypassing encryption.

Another technique involves exploiting Signal’s “linked devices” feature, which allows multiple devices to connect to one account. If attackers successfully link their own device, they can observe messages in real time. Dutch authorities confirmed that this campaign has already impacted individuals, including those within the Dutch government. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that "targets and victims of the campaign include Dutch government employees" as well as journalists.

Ironically, the strong encryption that makes these platforms popular among officials and reporters also increases their value as targets once an account is compromised. While end-to-end encryption secures messages during transmission, it offers no protection if an attacker gains direct access to the account.

A Meta spokesperson told The Register that users should never share their six-digit code with others and that it provides detailed advice on how WhatsApp users can protect themselves from scams.

Signal did not immediately respond to The Register’s inquiries. Meanwhile, Dutch authorities have issued a cybersecurity advisory and are helping affected users secure their accounts. They also highlighted warning signs of a potential breach, such as duplicate contacts appearing or numbers being marked as “deleted account” unexpectedly.

The broader takeaway from intelligence officials is that while encrypted messaging apps are convenient, they are not designed for highly sensitive communication. As MIVD director Vice-Admiral Peter Reesink put it:

"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."

In essence, relying solely on the assumption that no one will request a verification code may not be sufficient for maintaining operational security.
Read more »
Privacy
AI Data Governance Artificial Intelligence Data Regulation DPDP Act India Meta Privacy

Meta’s Smart Glasses Face Privacy Backlash as Experts Flag Legal and Ethical Risks

 



A whirlwind of concerns around Meta’s AI-enabled smart glasses are intensifying after reports suggested that human reviewers may have accessed sensitive user recordings, raising broader questions about privacy, consent, and data protection.

Online discussions have surged, with users expressing alarm over how much data may be visible to the company. Some individuals on forums have claimed that recorded footage could be manually reviewed to train artificial intelligence systems, while others raised concerns about the use of such devices in sensitive environments like healthcare settings, where patient information could be unintentionally exposed.


What triggered the controversy?

The debate gained momentum following an investigation by Swedish media outlets, which reported that contractors working at external facilities were tasked with reviewing video recordings captured through Ray-Ban Meta Smart Glasses. According to these findings, some of the reviewed material included highly sensitive content.

The issue has since drawn regulatory attention in multiple regions. Authorities in the United Kingdom, including the Information Commissioner's Office, have sought clarification on how such user data is processed. In the United States, the controversy has also led to legal action against Meta Platforms, with allegations that consumers were not adequately informed about the device’s privacy safeguards.

The timing is of essence here, as smart glasses are rapidly gaining popularity. Legal filings suggest that more than seven million units were sold in 2025 alone. Unlike smartphones, these glasses resemble regular eyewear but can discreetly capture images, audio, and video from the wearer’s perspective, often without others being aware.


Why are experts concerned?

Legal analysts highlight that such practices could conflict with India’s Digital Personal Data Protection Act, 2023 if data involving Indian individuals is collected.

According to legal experts, consent remains a foundational requirement. Any access to recordings involving identifiable individuals must be based on informed approval. If footage is reviewed without the knowledge or permission of those captured, it could constitute a violation of Indian data protection law.

Beyond legality, specialists argue that wearable AI devices introduce a deeper structural issue. Unlike traditional data collection methods, these tools continuously capture real-world environments, making it difficult to define clear boundaries for data usage.

Experts also point out that although Meta includes visible indicators such as LED lights to signal recording, these measures do not fully address how the data of bystanders is processed. There are concerns about the absence of strict limitations on why such data is collected or how much of it is retained.

Additionally, outsourcing the review of user-generated content introduces further complications. Apart from the risk of misuse or unauthorized sharing, there are also ethical concerns regarding the working conditions and psychological impact on individuals tasked with reviewing potentially distressing material.


Cross-border and systemic risks

Another key concern is international data handling. If recordings involving Indian users are accessed by contractors located overseas, companies are still expected to maintain the same standards of security and confidentiality required under Indian regulations.

Experts emphasize that these devices are part of a much larger artificial intelligence ecosystem. Data captured through smart glasses is not simply stored. It may be uploaded to cloud servers, processed by machine learning systems, and in some cases, reviewed by humans to improve system performance. This creates a chain of data handling where highly personal information, including facial features, voices, surroundings, and behavioral patterns, may circulate beyond the user’s direct control.


What is Meta’s response?

Meta has stated that protecting user data remains a priority and that it continues to refine its systems to improve privacy protections. The company has explained that its smart glasses are designed to provide hands-free AI assistance, allowing users to interact with their surroundings more efficiently.

It also acknowledged that, in certain cases, human reviewers may be involved in evaluating shared content to enhance system performance. According to the company, such processes are governed by its privacy policies and include steps intended to safeguard user identity, such as automated filtering techniques like face blurring.

However, reports citing Swedish publications suggest that these safeguards may not always function consistently, with some instances where identifiable details remain visible.

While recording must be actively initiated by the user, either manually or through voice commands, experts note that many users may not fully understand that their captured content could be subject to human review.


The Ripple Effect

This controversy reflects a wider shift in how personal data is generated and processed in the age of AI-driven wearables. Unlike earlier technologies, smart glasses operate in real time and in shared environments, raising complex questions about consent not just for users, but for everyone around them.

As adoption runs rampant, regulators worldwide are likely to tighten scrutiny on such devices. The challenge for companies will be to balance innovation with transparent data practices, especially as public awareness around digital privacy continues to rise.

For users, this is a wake up call to not rely on new age technology blindly and take into account that convenience-driven technologies often come with hidden trade-offs, particularly when it comes to control over personal data.

Read more »
Velvet Tempest
CastleRAT ClickFix Cyber Attacks Termite Ransomware Velvet Tempest

Termite Ransomware Linked to Velvet Tempest's ClickFix, CastleRAT Attacks

 

Cyber threat actors known as Velvet Tempest have been observed deploying sophisticated attacks involving Termite ransomware, utilizing the ClickFix social engineering technique and the CastleRAT backdoor.These intrusions, tracked by MalBeacon researchers, unfolded over 12 days in a simulated U.S. non-profit environment with over 3,000 endpoints.Velvet Tempest, active for at least five years, has affiliations with major ransomware strains like Ryuk, REvil, Conti, BlackCat, LockBit, and RansomHub. 

The attacks begin with malvertising campaigns directing victims to fake CAPTCHA pages that trick users into pasting obfuscated PowerShell commands into the Windows Run dialog This ClickFix method bypasses browser security features, chaining cmd.exe processes and using legitimate tools like finger.exe to fetch malware loaders, often disguised as PDF archives.Subsequent stages involve PowerShell downloads, .NET compilation via csc.exe, and Python-based persistence in ProgramData directories. 

Once inside, attackers conduct Active Directory reconnaissance, host discovery, and credential harvesting from Chrome browsers using hosted PowerShell scripts linked to Termite staging servers. They deploy DonutLoader to retrieve CastleRAT, a remote access trojan that steals credentials, logs keystrokes, captures screens, and employs UAC bypass via trusted binaries like ComputerDefaults.exe. CastleRAT hides its command-and-control servers using Steam Community profiles as dead-drop resolvers, blending traffic with legitimate web activity. 

Although ransomware deployment was not observed in this intrusion, Termite—a Babuk-based variant emerged in late 2024—employs double-extortion by exfiltrating data before encrypting files. It deletes shadow copies with vssadmin.exe, empties the Recycle Bin, and targets high-profile victims like SaaS provider Blue Yonder and Australian IVF firm Genea. The group exploits vulnerabilities, such as those in Cleo's file transfer software, for initial access via phishing or compromised sites. 

Organizations should prioritize defenses against ClickFix by training users on suspicious prompts, monitoring PowerShell abuse, and blocking anomalous tool executions like finger.exe or csc.exe. Implementing deception environments, as used by MalBeacon, aids early detection of such hands-on-keyboard activities. With Velvet Tempest's history of devastating breaches, vigilance against evolving ransomware tactics remains critical in 2026.
Read more »
SlimAgent
Advanced Persistent Threat APT28 BeardShell Cloud Based C2 Covenant Malware Cyber Attacks cyber espionage Office Exploits SlimAgent

APT28 Deploys Enhanced Version of Covenant in Ongoing Threat Activity


 

In recent months, the contours of cyber warfare have once again become clearer as APT28 - an agent of Russian intelligence that has operated in Ukraine for a number of years - elicits renewed precision and technological sophistication in its operations against Ukrainian defense networks. 

Fancy Bear has been referred to by multiple aliases, including Sednit, Forest Blizzard, Unit 26165, and TA422, throughout the cybersecurity community due to its ability to adapt to geopolitical objectives when necessary. With its latest campaign, APT28 has implemented a dual-pronged malware strategy based on innovation and intent. 

The company has deployed an undocumented backdoor, BEARDSHELL, alongside a heavily customized implementation of the open-source post-exploitation framework COVENANT, which has been heavily customized. 

The development indicates a calculated effort to refine persistence, avoid detection, and gain deeper operational footholds in sensitive military environments by modifying tactics, evading detection, and improving operational capabilities. 

Designed specifically for stealth and long-term access, BEARDSHELL works in conjunction with the modified COVENANT toolkit, which has been modified to better suit the group's command-and-control requirements and operational procedures. Combined, these tools represent a growing trend toward modular and adaptable malware ecosystems that can be tailored to specific target and mission requirements. 

It is becoming increasingly apparent that as the conflict in Ukraine continues to escalate into the digital realm, state-backed actors are utilizing cyber capabilities in a variety of ways, often invisible but profoundly consequential, to gather intelligence and shape the strategic landscape. 

The campaign illustrates a tightly coordinated intrusion chain designed to penetrate Ukrainian military and government networks with minimal friction and maximum persistence based on this operational shift. 

Based on the investigations conducted, it has been determined that the activities attributed to APT28 are mainly directed towards central executive bodies, where access to strategic communications and operational data provides a valuable source of information. 

As part of the initial compromise, spear-phishing lures are developed that masquerade as routine administrative or defense correspondence, distributed via email as well as encrypted messaging channels such as Signal, which are often distributed using spear-phishing lures. Upon opening the weaponized Office documents, these messages initiate a fileless infection sequence that is designed to evade conventional endpoint defenses. 

It is comprised of a memory-resident backdoor derived from a substantially altered variant of the Covenant framework which has been repurposed to serve as a discreet loader for further payloads. During this stage, bespoke implants, such as BeardShell and SlimAgent, are deployed.

The latter bears architectural resemblance to the earlier XAgent toolkit developed by the group in the past. The combination of these components creates a robust surveillance environment within compromised systems, facilitating continuous data collection of keystrokes, screen captures, and clipboards. 

Exfiltrating intelligence is organized into HTML-based logs that include color-coded segmentation for rapid parsing and prioritization by operators. It is noteworthy that the group has implemented a command-and-control infrastructure that meets their requirements. A number of cloud storage platforms, including pCloud, Koofr, Filen, and Icedrive, are used by the attackers to relay instructions and store stolen data rather than using servers that are easily identifiable. 

As a result, malicious activity is blended with routine user activity, resulting in significantly tampering with detection efforts. Based on the forensic analysis of these cloud-linked accounts, it has been determined that certain Ukrainian systems have been continuously monitored for extensive periods of time, demonstrating APT28's ability to collect intelligence in high-value environments in a low-visibility manner. 

Moreover, the researchers at ESET have provided additional technical insight into the operation, tracing its deployment to at least April 2024, when a structured, sustained intrusion effort began. According to their findings, the coordinated use of BeardShell and Covenant was not an accident, but intentionally designed to provide prolonged, low-noise surveillance of Ukrainian military personnel and government organizations. 

Recent incidents have indicated that the infection chain exploits a vulnerability tracked as CVE-2026-21509, which is embedded within malicious DOC files designed to execute code upon opening. In the end, SlimAgent, a surveillance-focused implant that was identified within a compromised Ukrainian government system, enabled the discovery of this implant, which was capable of collecting keystrokes, clipboard contents, and screen captures systematically without causing immediate suspicion. 

According to the subsequent analysis, BeardShell is a modern, modular backdoor that emphasizes stealth and flexibility. Icedrive's infrastructure is utilized to communicate with commands and controls. Remote PowerShell commands are executed within a managed .NET runtime environment using this infrastructure. 

An obfuscation method previously associated with Xtunnel, a network pivot utility historically connected to APT28's earlier campaigns is included in its internal design, demonstrating a deliberate reuse of proven techniques. Meanwhile, the Covenant framework is used as the primary operational implant, having been reworked from its original open-source version. 

There have also been changes observed in the generation of deterministic identifiers linked to host-specific attributes, in the execution logic intended to bypass behavioral detection engines, as well as the integration of cloud-based communication channels. As part of the group's infrastructure strategy, Koofr and pCloud have gradually been replaced by newer platforms such as Filen beginning mid-2025. 

As a result of this architecture, Covenant serves as the primary access mechanism, while BeardShell serves as a contingency tool to ensure operations continue even in cases of partial detection or remediation. Further extending the scope of the analysis, researchers have also highlighted that the threat actor's toolkit reflects a deliberate blend of legacy codebases and newly developed capabilities, reflecting a deliberate combination of heritage codebases and newly developed capabilities. 

SLIMAGENT, an implant that was formally disclosed by the CERT-UA in mid-2025 and examined in greater detail by ESET in the following year. With SLIMAGENT, granular data collection is possible through keystroke logging, screenshot capture, and clipboard harvesting, effectively turning compromised systems into persistent intelligence gathering nodes. It is designed for continuous data collection with granular data collection capabilities. 

SLIMAGENT is distinguished by more than its functionality; it is also distinguished by its lineage. Based on technical comparisons, SLIMAGENT does not appear to be a completely new development, but rather is an evolution of APT28's earlier XAgent toolset, which was widely deployed by the group during the 2010s. 

In support of this assessment, code-level similarities have been identified across multiple samples, including artifacts recovered from early-2018 intrusion campaigns targeting European governmental entities. Moreover, the correlation between the keylogging routines and an XAgent variant observed in late 2014 suggests an ongoing development rather than a one-time invention of the routines, suggesting continuity of development. The structured formatting of exfiltrated data remains one of the most distinctive features across these generations. 

The SLIMAGENT surveillance software, like its predecessor, compiles its output into HTML-formatted logs, utilizing a consistent color code scheme to distinguish between application identification numbers, captured keystrokes, and active window titles. As a result of this seemingly inconsequential design choice, operators now benefit from a streamlined interface to speed up the data triage process, thereby reinforcing the campaign's operational efficiency.

Additionally, BEARDSHELL's backdoor function as an execution layer within the compromised environment, facilitating remote command delivery via PowerShell within a controlled .NET environment in conjunction with SLIMAGENT's data collection capabilities. 

By relying on Icedrive for command-and-control, the group maintains covert access while minimizing detection risk while continuing its emphasis on blending malicious activity with legitimate network traffic. All of these findings reinforce that organizations operating in geopolitical environments characterized by high levels of risk, particularly those within the government and defense sectors, need to recalibrate their defensive posture.

There is a need for security teams to adopt behavior-driven monitoring as an alternative to traditional signature-based detection models to identify anomalous processes, in-memory payload delivery, and misuse of legitimate cloud services. 

In addition to stricter controls on macro execution and file provenance, it is essential to scrutinize document-based attack vectors, particularly those exploiting known vulnerabilities like CVE-2026-21509. 

Meanwhile, the increasing use of trusted cloud platforms for command-and-control activities underscores the significance of maintaining visibility into outbound network traffic and implementing zero-trust principles to restrict lateral movement.

A coordinated threat hunt in conjunction with timely intelligence sharing among national and international cybersecurity bodies will be essential in combating such campaigns. With adversaries continuing to combine legacy techniques with modern infrastructure to refine their toolchains, resilience will depend on defenders' abilities to anticipate and adapt to an environment that is becoming increasingly covert and persistent.
Read more »
data security
Authentication Bypass authentication bypass flaw Compromised Passwords Cyber Security Cyber Vulnerabilities cybersecurity vulnerabilities data security

HPE Patches Critical Aruba AOS-CX Vulnerabilities Including Authentication Bypass Flaw

 

Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities in its Aruba AOS-CX network operating system, including a critical flaw that could allow attackers to bypass authentication and gain administrative control. 

AOS-CX comes from Aruba Networks, a part of HPE, built specifically for cloud-based networking needs. These systems run on CX-series switches found in big company campuses and data centers. Because so many rely on them, any flaws present serious concerns when discovered. 

What stands out is CVE-2026-23813 - a severe flaw tied to how AOS-CX switches handle login security via their web portal. HPE confirms that hackers could abuse this weakness from afar, needing no prior access nor advanced skills. Control over compromised devices might follow, including forced changes to admin credentials. Though simple to trigger, the outcome carries heavy risk. Such exposure emerges solely through network interaction. Little effort may yield full system override. 

Security hinges on timely updates, yet patch details remain sparse. Remote manipulation becomes feasible once entry points open. Without safeguards, unintended access escalates quickly. This condition persists until corrective measures apply. Come mid-advisory, the firm stated they’d seen no signs of real-world attacks nor any public tools built to exploit these flaws. Still, given how serious the weakness happens to be, rolling out fixes quickly becomes a top priority for most teams. 

When updates cannot happen right away, HPE suggests ways to lower exposure. One path involves isolating management ports inside private network zones. Access rules should be tightly defined, minimizing who can connect. Unneeded web-based entry points over HTTP or HTTPS ought to be turned off completely. Trust boundaries may also tighten by using ACLs that allow only known devices to interact. 

Watching system logs closely adds another layer - unexpected login efforts often show up there first. Security weaknesses fit into a wider trend of issues HPE has tackled lately. Back in July 2025, hidden login details emerged in Aruba Instant On wireless units, opening doors for unauthorized access. Before that, fixes rolled out for several problems in the StoreOnce data protection system - some let intruders skip verification steps entirely. Remote control exploits also surfaced, giving hackers potential command over affected machines. 

More recently, the Cybersecurity and Infrastructure Security Agency (CISA) flagged a high-severity vulnerability in HPE OneView as actively exploited in the wild, underscoring the growing focus of threat actors on enterprise infrastructure tools. With more than 55,000 enterprise clients worldwide, HPE points out that timely updates and stronger network defenses help reduce risks. Many of these clients appear on the Fortune 500 list, highlighting the scale of exposure when security lapses occur. Because threats evolve quickly, waiting is rarely an option. 

Instead, consistent maintenance becomes a quiet but steady shield. Even small delays can widen vulnerabilities across complex systems. When flaws appear in network management tools, specialists warn these often pose high risk - attackers might gain extensive access across company systems. Without immediate fixes, even unused weaknesses invite trouble down the line. 

Updates applied quickly, combined with multiple protective layers, help reduce potential harm before incidents occur. When companies depend heavily on unified network systems, events such as these reveal how crucial it is to maintain constant oversight while reacting quickly when new risks appear.
Read more »
Isreal
Bypass of Sensitive data. Cyber Security Data Hackers data security Data Theft Hacker attack Isreal

Spyware Disguised as Safety App Targets Israelis Amid Rising Cyber Espionage Activity

 

A fresh wave of digital spying has emerged, aiming at people within Israel through fake apps made to look like official warning tools. Instead of relying on obvious tricks, it uses the credibility of public alerts to encourage downloads of harmful programs. 

Cyber experts highlight how these disguised threats pretend to offer protection while actually stealing information. Trust in urgent notifications becomes the weak spot exploited here. What seems helpful might carry hidden risks beneath its surface. Noticed first by experts at Acronis, the operation involves fake texts mimicking alerts from Israel’s Home Front Command - an IDF division. 

Instead of genuine warnings, these messages push a counterfeit app update for civilian missile notifications. While seeming official, the link leads to malicious software disguised as protection tools. Rather than safety, users face digital risks when installing the altered program. Falling for the guide, people install spyware rather than a genuine program. The harmful software can harvest exact whereabouts, texts, stored credentials, phone directories, along with private files kept on the gadget, experts say. Years of activity mark this group within cyber intelligence circles. 

Thought to connect with Arid Viper, the operation fits patterns seen before. Targets often include Israeli military figures, alongside people in areas like Egypt and Palestine. Instead of complex tools, they lean on social engineering to spread malicious software. Their methods persist over time, adapting without drawing attention. What stands out is the level of preparation seen in the attackers, according to Acronis. Their operations show a clear aim, targeting systems people rely on when tensions rise between nations. 

Instead of random strikes, these actions follow a pattern meant to blend in. Official-looking messages appear during crises, shaped like real alerts. Because they resemble legitimate warnings, users are more likely to respond without suspicion. Infrastructure once seen as safe now becomes a vector - simply because it's trusted at critical moments. 

A fresh report from Check Point Software Technologies reveals cyberattacks targeting surveillance cameras in Israel and neighboring areas of the Middle East. These intrusions point toward coordinated moves to collect data while possibly preparing to interfere with essential infrastructure. Cyber operations have emerged alongside rising friction after documented strikes by U.S. and Israeli forces on locations inside Iran. 

In response, several groups aligned with Tehran have stated they carried out digital intrusions aimed at both official Israeli bodies and corporate networks. Even so, specialists observe that such assaults still lack major influence on the overall struggle. Yet, as nations lean more heavily on hacking methods, it becomes clear - cyber tactics now weave tightly into global power contests. When links arrive unexpectedly, skipping the download is wise - trust matters less than origin. 

Official storefronts serve as safer gateways compared to random web prompts. Messages mimicking familiar brands often hide traps beneath clean designs. Jumping straight to installation bypasses crucial checks best left intact. Verified platforms filter out many hostile imitations by design. Risk shrinks when access follows established paths instead of sudden urges. 

When emergencies strike, cyber threats tend to rise - manipulating panic instead of logic. Pressure clouds judgment, creating openings for widespread breaches. Urgency becomes a tool, not a shield, in these moments. Digital attacks grow sharper when emotions run high. Crises rarely pause harm; they invite it.
Read more »
Phone Tracking
Ad Data Privacy CBP Cyber Security Location Brokers Phone Tracking

CBP Admits Buying Ad Data to Secretly Track Phone Locations

 

U.S. Customs and Border Protections (CBP) has confessed to buying phone location data from the online advertising world, with the purchase making it now the first government agency to confirm such practices. The disclosure was made in a Privacy Threshold Analysis document from 2019 to 2021 that 404 Media obtained via a Freedom of Information Act request and describing a proof-of-concept trial. The data, embedded in real-time bidding (RTB) mechanisms in apps, can be used to track people’s movements with great precision, unbeknownst to them. 

Real-time bidding is what drives the ads that users see in mobile apps, where advertisers bid in real time to display targeted content. In these auctions, mysterious advertising tech companies are peddling tens of thousands of apps, including popular games like Candy Crush and fitness trainers like MyFitnessPal, collecting device identifiers, app usage, and geolocation data. That information is packaged and resold, and tracking it creates a “gold mine” of delivery because it exposes daily routines, home addresses and places of work. 

CBP’s use of such data is troubling from a privacy standpoint, as it circumvent traditional warrants and has access to an ecosystem that most users don’t actually agree to use. The agency evaluated the technology to track activity close to borders, but would not say whether it still uses the method after queries. Related agencies, such as Immigration and Customs Enforcement, have sought to procure similar tools, like Webloc, which allows users to track phones on a neighborhood scale. 

This incident highlights broader government reliance on commercial data brokers for surveillance, echoing past revelations about low-cost ad-based location spying. Apps from dating services to social networks unwittingly feed this pipeline, often without developers' awareness. Critics argue it erodes Fourth Amendment protections, enabling mass tracking under the guise of national security. 

As digital ad ecosystems expand, regulators face pressure to curb these hidden data flows before they normalize warrantless monitoring. Users can mitigate risks by limiting app permissions, using VPNs, and supporting privacy laws like those targeting data brokers. Policymakers must now scrutinize how border security intersects with everyday app usage to safeguard civil liberties in an ad-driven world.
Read more »
Toolkit
Advanced Persistent Threats Chinese cyber espionage Cisco Talos Cyber Intelligence Operations malware Network Security Threats Telecom Cyber Attacks Toolkit

Chinese Cyber Espionage Group Targets Telecom Infrastructure With New Toolkit


 

In the midst of intensifying geopolitical competition in cyberspace, a previously undetected cyberattack linked to China is quietly unfolding across South America's telecommunications industry since 2024. Cisco Talos researchers have reported that the operation represents a methodical and deeply embedded effort to secure long-term access to core communications infrastructure -- an objective which goes well beyond opportunistic intrusions. 

The group is responsible for the UAT-9244 malware, a suite of tools engineered not only for initial compromise but also for durability, stealth, and sustained intelligence collection. A number of analysts have noted that this campaign's tactics, techniques, and operational overlaps have a strong resemblance to those of Chinese advanced persistent threat actors like Famous Sparrow and Tropic Trooper, suggesting a shared tooling framework, coordination of activities, or a broader strategic alignment. 

As a result of this campaign's apparent emphasis on maintaining uninterrupted footholds within telecom environments, which underpin national connectivity, sensitive data flows, and, by extension, elements of sovereign control, are apparent to have been paramount. In embedding themselves within these networks, operators position their capabilities at a crucial vantage point where surveillance, data interception, and disruption can all converge. 

According to the findings, telecommunications companies are no longer peripheral targets, but rather are central elements in state-aligned intelligence gathering. This reflects a dramatic shift in modern cyber warfare towards infrastructure-level persistence. 

On the basis of these observations, Cisco Talos researchers believe the activity cluster has a strong operational affinity with Famous Sparrow and Tropic Trooper, while remaining sufficiently distinct to qualify for its own classification.

The attribution does not rely on any particular indicator, but instead on a convergence of technical evidence, including shared tooling characteristics, overlapping tactics, techniques, and procedures, as well as a unified victimology focused on telecommunications infrastructure. 

A comparison between the targeting profile and campaigns attributed to Salt Typhoon cannot be established without establishing a definitive link, suggesting either parallel operational tracks or compartmentalized tasking within the context of a broad state-aligned actor ecosystem. 

In addition to the three previously undocumented malware families in the intrusion set, a variety of newly developed malware families have been specifically developed to provide resilience in heterogeneous telecom environments. There are several backdoors that are designed for covert persistence and flexible post-exploitation control, including TernDoor. 

he malware deploys itself using DLL side-loading, by abusing the legitimate wsprint.exe executable to load the malicious library BugSplatRc64.dll, which, in turn, decrypts and executes the payload directly in memory by injecting it into msiexec.exe, thereby minimizing its forensic impact. It also includes a kernel-level component, WSPrint.sys, which enables granular manipulation of system processes, such as terminating, suspending, or resuming them, improving evasion as well as operational stability. 

A layering of persistence mechanisms is created through scheduled tasks and carefully crafted modifications to the Windows Registry, as well as additional steps taken to obscure these artifacts from routine examination. 

 Additionally, the malware is capable of performing many operator-controlled actions, including remote shell execution, initiation of arbitrary processes, file system interaction, reconnaissance, and even controlled self-removal, underscoring a level of engineering consistent with long-term intelligence-driven campaigns rather than transient intrusions. 

Considering the historical context of this threat landscape further reinforces the assessment of continuity. It is believed that Famous Sparrow has been operating since at least 2019, consistently targeting sectors such as the hospitality industry, government institutions, international organizations, and legal services, whereas Tropic Trooper has been in business since 2011, concentrating on government entities, transportation systems, and advanced technology industries across a range of regions, including Taiwan, Philippines, and Hong Kong, as well as more recently in the Middle East. 

In light of this background, the current campaign's focus on telecommunication networks illustrates a deliberate preference for infrastructure that aggregates vast amounts of sensitive information related to communications, positioning compromised environments as strategic vantage points for the collection of long-term intelligence. 

There was a coordinated deployment of three malware families within the intrusions, including TernDoor, PeerTime, and BruteEntry, each designed to fulfil a specific operational role across heterogeneous networks. Apparently, TernDoor, an implant for Windows, can be traced back to earlier implants like CrowDoor and SparrowDoor, underscoring the iterative nature of the development process within established espionage working groups. 

In order to execute the malware, it uses DLL side-loading, by manipulating trusted executables in order to load malicious libraries that decrypt and inject the payload into msiexec.exe, which allows the malware to operate under the guise of legitimate system activity. 

Upon establishing the implant, remote command execution, system reconnaissance, and file manipulation are available, while persistence is enhanced by scheduling tasks and registry-based autorun mechanisms designed to avoid routine inspection. 

As a result of the malicious kernel driver, the campaign has a greater ability to bypass security controls since it is capable of suspending or terminating processes. Furthermore, PeerTime extends the campaign’s reach to Linux-based infrastructure commonly used in telecom environments, including servers, routers, and embedded systems. 

The ELF binary is compatible with multiple architectures including ARM, MIPS, PowerPC, and AArch64 and demonstrates a deliberate effort to maximize operational coverage. As a result of this design choice, it obscures infrastructure dependencies and complicates attribution and detection by utilizing BitTorrent protocol to retrieve instructions and secondary payloads from distributed peers, diverging from conventional command-and-control paradigms. 

An embedded debug string in Simplified Chinese within associated binaries serves as an additional linguistic indicator that aligns the activity with Chinese-speaking operators. Additionally, the malware can masquerade as legitimate processes while executing commands and facilitating lateral file transfers between compromised hosts in addition to executing commands. 

A third component, BruteEntry, allows for expansion of the threat by transforming compromised edge devices into operational relay boxes that serve as distributed scanning nodes in the event that they are compromised. 

By using predefined credential sets, the tool systematically probes exposed services, including SSH, Postgres, and Tomcat, using attacker-controlled infrastructure that receives target lists. Authentication attempts that are successful are relayed back to command infrastructure, effectively converting compromised systems into contributors within a broader framework of reconnaissance and access acquisition. 

As a result of this distributed approach, operators can scale credential harvesting efforts across large address spaces while minimizing the exposure of their core infrastructure to direct exposure. This study matches a larger pattern of cyberespionage activity targeting global telecommunications providers, which is increasingly recognized as a critical sector for both national security and intelligence. 

The scope of Salt Typhoon's campaigns has already been demonstrated with incidents spanning multiple major carriers in the United States and dozens of countries worldwide, and this activity is believed to be continuing into early 2026. 

A renewed focus on infrastructure-centric operations aiming to secure enduring access to the world's communications backbones is underscored by the emergence of UAT-9244 and its tailored malware ecosystem. In further investigation of the Linux-oriented component, it becomes evident that the architecture is intentionally designed to facilitate operation across diverse hardware environments. 

PeerTime has been designed to support multiple processor architectures including ARM, MIPS, PowerPC, and AArch64 so it can propagate across a wide range of devices, including routers, network appliances, and embedded systems, that are essential components of modern telecommunications infrastructures. 

The deployment of the application is managed by a shell-based installation procedure, which introduces both a loader and a secondary "instrumentor" module, the latter of which facilitates operational management and control of execution. 

Typically, when containerization is implemented, particularly when Docker is used, the loader is executed within a container context, a technique aligned with contemporary infrastructure practices but also provides a layer of abstraction, thereby complicating detection and forensic analysis. 

Additionally, by utilizing BruteEntry, the campaign is systematically extending its reach beyond initially compromised hosts in parallel to this foothold. Specifically, Cisco Talos has documented that the tool is specifically designed to convert infected Linux systems especially edge-facing devices into operational relay boxes that can conduct large-scale scanning operations and credential harvesting operations. 

Upon deployment, BruteEntry communicates with attacker-controlled command infrastructure, from which it receives dynamically assigned IP addresses for reconnaissance. This application probes common enterprise and telecommunications services, including SSH endpoints, PostgreSQL databases, and Apache Tomcat management interfaces, using predefined credential sets that are then matched by a structured brute-force approach. 

As successful authentication attempts are relayed back to the command infrastructure, attackers are effectively able to pivot laterally and incrementally expand their access across interconnected systems as a consequence. By using modular tooling coordinated in this way, a deliberate strategy to enhance scalability and persistence can be seen, with each compromised node contributing to an overall reconnaissance and intrusion framework. 

Especially significant is the emphasis placed on telecommunication providers, as these entities provide access to vast volumes of sensitive communications and metadata by operating at the convergence of data flow and network control. Their positioning enables them to act not only as a target of opportunity but also as critical assets in a broader context of state-aligned intelligence gathering, where sustained access can offer both immediate and long-term benefits.

It is important for telecommunications operators to take note of these findings and to reassess their defensive posture in the face of highly persistent, state-sponsored threats designed to disrupt operations for extended periods of time rather than to create short-term disruptions. In environments where adversaries actively blend into legitimate system processes and take advantage of trusted execution paths, traditional perimeter-based controls are no longer sufficient.

In order to protect critical network assets, a shift is becoming increasingly important toward continuous monitoring, behavior-based threat detection, and rigorous segmentation is needed. Edge devices are being hardened, credential policies are being enforced, and containerized environments are being audited in particular, since they are emerging as attractive platforms for covert operations. 

Additionally, proactive threat hunting and intelligence sharing across sectors are essential, as campaigns of this nature often unfold slowly across multiple jurisdictions and often take a long time to complete. An organization can improve early detection and limit lateral movement by identifying anomalous activity based on known adversarial patterns and maintaining visibility across Windows and Linux ecosystems. 

 As a result of the persistence and adaptability demonstrated in this operation, cyberespionage strategy has evolved with silent access to critical infrastructure being prioritized over overt disruption putting the onus on defenders to adopt security frameworks that are equally adaptive and intelligence-driven.
Read more »
Vidar Stealer
Atomic Stealer Bing AI search security GitHub fake repositories malware OpenClaw Vidar Stealer

Malicious OpenClaw Installers on GitHub Exploit Bing AI Search to Spread Data-Stealing Malware

 

Cybersecurity researchers have uncovered a campaign where fake installers for OpenClaw were distributed through GitHub repositories and surfaced via Microsoft Bing’s AI-powered search results, ultimately infecting users with information-stealing and proxy malware.

OpenClaw, a widely used open-source AI assistant, is designed to perform tasks with access to local files and integrations across email, messaging platforms, and other online services. Its extensive permissions made it an attractive target for cybercriminals aiming to extract sensitive user data.

Threat actors leveraged this by uploading malicious instruction files and fake installers to GitHub, including listings that appeared in the tool’s official registry. The activity was identified last month by researchers at Huntress, a managed detection and response firm, who observed multiple malware variants being distributed to users attempting to install OpenClaw.

According to Huntress, attackers created deceptive GitHub repositories posing as legitimate OpenClaw installers. These repositories were even recommended in Bing’s AI-generated search results for the Windows version of the software, increasing their visibility and credibility.

The researchers noted that "just hosting the malware on GitHub was enough to poison Bing AI search results."

One such repository analyzed by Huntress looked convincing at first glance, as it was linked to a GitHub organization named “openclaw-installer,” which may have influenced Bing’s AI recommendations. Although the GitHub accounts behind these repositories were newly created, the attackers attempted to appear legitimate by copying code from the Cloudflare moltworker project.

For macOS users, the fake repository included installation instructions directing users to execute a bash command in Terminal. This command connected to another GitHub organization called “puppeteerrr” and a repository named “dmg,” which hosted malicious payloads.

"The repository contained a number of files that followed a theme of containing a shell script paired with a Mach-O executable,"

Huntress researchers identified this payload as Atomic Stealer malware.

Windows users were targeted through a fake installer named OpenClaw_x64.exe, which deployed several harmful executables. In one analyzed case, security tools such as Managed AV and Defender for Endpoint successfully quarantined the files before further damage occurred.

Most of the payloads were written in Rust and functioned as loaders to run information stealers directly in memory. Among them was the Vidar stealer, which retrieved command-and-control instructions via Telegram and Steam profiles.

Another payload delivered through the campaign was GhostSocks, a backconnect proxy malware that converts infected machines into proxy nodes. Such compromised systems can be used to access stolen accounts, bypass fraud detection systems, route malicious traffic, or conceal attacker activity.

During the investigation, Huntress uncovered multiple GitHub accounts and repositories linked to this campaign, all targeting individuals searching for OpenClaw installation files.

Although the malicious repositories have been reported to GitHub, it remains uncertain whether all of them have been removed.

Users are advised to rely on official sources when downloading software and to bookmark trusted websites instead of repeatedly searching for them online.
Read more »
RDP
Brute Force Attacks credential harvesting IP Address Ransomware RDP

How a Brute-Force Attack Exposed a Wider Ransomware Ecosystem

 



What initially appeared to be a routine brute-force alert ultimately revealed a far more complex ransomware-linked infrastructure, demonstrating how even low-level signals can expose deeper cybercriminal operations.

According to analysis by Huntress, an investigation that began with a single successful Remote Desktop Protocol (RDP) login uncovered unusual credential-harvesting behavior, globally distributed attacker infrastructure, and connections to services potentially supporting ransomware-as-a-service and initial access brokers.


When “Routine” Alerts Are Not Routine

Brute-force attempts against internet-exposed RDP systems are common and often treated as background noise. However, intrusion detection rarely follows a clean, linear path. Analysts frequently receive alerts from the middle of an attack chain, requiring them to investigate both earlier entry points and potential next steps simultaneously.

In this case, a network had an RDP server exposed online. While widely recognized as risky, many organizations maintain such exposure due to operational needs. The investigation began after a security operations center detected domain enumeration activity.


Detecting the Initial Compromise

Reviewing Windows event logs revealed sustained brute-force login attempts. Investigating such activity can be difficult because logs often become saturated with failed login records, sometimes overwriting valuable security data. Additional noise from automated service accounts used in scanning tools further complicates analysis.

Despite these challenges, analysts identified that one account had been successfully compromised among many failed attempts.

The compromised account showed logins from multiple IP addresses. While unusual, timestamp analysis indicated a single attacker leveraging distributed infrastructure rather than multiple actors.

Once inside, the attacker began enumerating domain groups and configurations, a typical step before lateral movement. Upon confirming malicious activity, defenders isolated systems across the network to contain the intrusion.


Unusual Credential Collection Methods

At first glance, the attack appeared standard. However, further analysis revealed behavior that did not align with typical attacker playbooks.

Threat actors usually extract credentials from system memory or registry data using tools such as Mimikatz, Procdump, or Secretsdump, or they collect browser-stored authentication data. These approaches are efficient and widely used.

In this case, the attacker instead manually searched for credentials stored in files across the system. Evidence showed the use of simple tools like text editors to open files containing potential login information. Jumplist artifacts confirmed repeated access to such files.

This approach is uncommon because credentials stored in files may be outdated or unreliable, requiring manual verification. Researchers suggest most attackers avoid this method due to its inefficiency, preferring automated techniques that consistently yield usable credentials. The behavior here suggests an effort to gather as much credential material as possible, even through less reliable means.


Mapping the Infrastructure

This unusual activity prompted deeper analysis of the attacking infrastructure. Initial intelligence linked one IP address to known ransomware activity, including associations with Hive and references in advisories from the Cybersecurity and Infrastructure Security Agency related to BlackSuite.

Further investigation into TLS certificates revealed a domain, specialsseason[.]com. By pivoting through certificate fingerprints, analysts identified additional infrastructure, including multiple domains and IPs following a consistent naming pattern such as NL-<countrycode>.specialsseason[.]com.

This indicated a geographically distributed network spanning regions including the United States and Russia. Many of these systems exposed active services across multiple ports, suggesting operational infrastructure.

Additional analysis uncovered another domain, 1vpns[.]com, closely resembling a legitimate VPN provider. Related domains advertised services claiming to maintain zero logs, a feature that could enable anonymity for malicious actors.

The terminology “special season,” often associated with “big game hunting,” aligns with ransomware campaigns targeting high-value organizations. Public reporting has also linked similar VPN infrastructure to ransomware groups, suggesting use within ransomware-as-a-service ecosystems and by initial access brokers who sell network access.


Why This Case Stands Out

Cybersecurity incidents are often analyzed through frameworks focusing on tactics and indicators, but rarely provide visibility into the underlying infrastructure. This case offers insight into how such ecosystems operate and highlights the attackers’ clear focus on acquiring credentials.

It also underlines the importance of expanding investigations beyond immediate containment. While most incidents lack sufficient data for deeper analysis, this case demonstrates how a single data point can reveal a broader operational network.

Ransomware remains a persistent threat across industries, and brute-force attacks continue to serve as a common entry point. While often dismissed as routine, this case shows that deeper investigation can uncover coordinated and large-scale cybercriminal activity.

For defenders, the lesson is clear: even the most ordinary alert can expose something far more substantial when examined closely.

Read more »
Subscribe to: Comments (Atom)