Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Attack. Show all posts
threat
APT41 Attack Calendar Cybersecurity Detection Google Hacking malware phishing threat

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down

 

Chinese state-backed threat actor APT41 has been discovered leveraging Google Calendar as a command-and-control (C2) channel in a sophisticated cyber campaign, according to Google’s Threat Intelligence Group (TIG). The team has since dismantled the infrastructure and implemented defenses to block similar future exploits.

The campaign began with a previously breached government website — though TIG didn’t disclose how it was compromised — which hosted a ZIP archive. This file was distributed to targets via phishing emails.

Once downloaded, the archive revealed three components: an executable file and a dynamic-link library (DLL) disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When users attempted to open the phony PDF, the shortcut activated the DLL, which then decrypted and launched a third file containing the actual malware, dubbed ToughProgress.

Upon execution, ToughProgress connected to Google Calendar to retrieve its instructions, embedded within event descriptions or hidden calendar events. The malware then exfiltrated stolen data by creating a zero-minute calendar event on May 30, embedding the encrypted information within the event's description field.

Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect.

To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack.

Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

Google did not disclose the exact number of impacted entities.
Read more »
Trojan
Aikido Attack Backdoor Cyber Security DevSecOps JavaScript NPM npmregistry obfuscatedcode Opensource randuseragent RAT Security Supplychain Trojan

Compromised npm Package 'rand-user-agent' Used to Spread Remote Access Trojan

 

A widely-used npm package, rand-user-agent, has fallen victim to a supply chain attack, where cybercriminals injected obfuscated code designed to install a Remote Access Trojan (RAT) on users’ systems.

Originally developed to generate randomized user-agent strings—helpful in web scraping, automation, and cybersecurity research—the package was deprecated but remained in use, logging approximately 45,000 downloads per week.

Security experts at Aikido uncovered the compromise on May 5, 2025, when their malware detection tools flagged version 1.0.110 of rand-user-agent. A deeper investigation revealed hidden malicious code in the dist/index.js file. This code was deliberately obscured and only viewable with horizontal scrolling on the npm website.

Researchers confirmed that the last legitimate release was version 2.0.82, uploaded seven months ago. The malicious code appeared in unauthorized versions 2.0.83, 2.0.84, and 1.0.110, none of which corresponded with updates on the project's GitHub repository—an indicator of foul play.

Once installed, the malicious versions create a hidden directory in the user’s home path (~/.node_modules) and modify the module loading path to prioritize this directory. They then load specific dependencies such as axios and socket.io-client, and establish a persistent connection to the attacker’s command and control (C2) server at http://85.239.62[.]36:3306.

Through this connection, the attacker retrieves critical system data—such as hostname, OS type, username, and a generated UUID. Once activated, the RAT listens for the following commands:
  • cd <path>: Change directory
  • ss_dir: Reset directory to script path
  • ss_fcd:<path>: Force change to a new directory
  • ss_upf:f,d: Upload single file
  • ss_upd:d,dest: Upload all files in a directory
  • ss_stop: Stop ongoing upload
  • Any other input is executed via child_process.exec()

Currently, the malicious versions have been removed from the npm repository. Developers are urged to revert to the latest clean version. However, users who installed versions 2.0.83, 2.0.84, or 1.0.110 are advised to run a full malware scan, as downgrading the package does not eliminate the RAT.

For continued use, it’s recommended to switch to a forked and actively maintained alternative of rand-user-agent.

The original developer responded to BleepingComputer with the following statement:

“On 5 May 2025 (16:00 UTC) we were alerted that three unauthorized versions of rand-user-agent had been published to the npm registry (1.0.110, 2.0.83, 2.0.84). The malicious code was never present in our GitHub repository; it was introduced only in the npm artifacts, making this a classic supply-chain attack.

Our investigation (still ongoing) shows that the adversary obtained an outdated automation token from an employee and used it to publish releases to npm. That token had not been scoped with 2-factor authentication, allowing the attacker to: Publish versions that did not exist in GitHub, Increment the version numbers to appear legitimate, Deprecate nothing, hoping the new releases would propagate before anyone noticed.

There is no evidence of a breach in our source-code repository, build pipeline, or corporate network. The incident was limited to the npm registry.

We apologize to every developer and organization impacted by this incident. Protecting the open-source ecosystem is a responsibility we take seriously, and we are committed to full transparency as we close every gap that allowed this attack to occur.”
Read more »
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Websites
Attack Blackcat hackers Change Healthcare critical infrastructure providers Data Breach digital decryption keys Extortion Hospitals International law enforcement seizure Websites

Notorious Hacker Group Strikes US Pharmacies

In December, international law enforcement targeted a gang, leading to the seizure of various websites and digital decryption keys, as reported by Reuters. In response to this crackdown, the Blackcat hackers threatened to extort critical infrastructure providers and hospitals.

A recent attack on Change Healthcare, resulting in its parent company UnitedHealth Group disconnecting its systems to prevent further impact, has caused disruptions in prescription insurance claims, according to the American Pharmacists Association. This outage, which has persisted through Tuesday, is attributed to a notorious hacker group, as per a new report.

The outage at Change Healthcare, which handles payment management for UnitedHealth Group, was caused by a ransomware attack by hackers associated with Blackcat, also known as ALPHV, according to Reuters, citing anonymous sources. Blackcat has been involved in several recent high-profile data breaches, including attacks on Reddit, Caesars Entertainment, and MGM Resorts.

As a result of the breach, pharmacies nationwide are facing significant delays in processing customer prescriptions. Change Healthcare stated they are actively working to restore the affected environment and ensure system security.

UnitedHealth Group mentioned that most pharmacies have implemented workarounds to mitigate the impact of the outage on claim processing. The company expressed confidence that other data systems in its healthcare portfolio were unaffected by the breach.

While last week's breach was suspected to be "nation-state-associated," according to an SEC filing by UnitedHealth, it's uncertain if the group responsible was sponsored by foreign actors. Cybersecurity firms Mandiant and Palo Alto Networks, appointed by UnitedHealth, will lead the investigation into the breach.
Read more »
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
Spyware
Apple MacOS Attack cloud storage CloudMensis Flaws malware Spyware

Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Researchers in cybersecurity have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to exploit popular cloud storage systems like pCloud, Yandex Disk, and Dropbox only for receiving attacker orders and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a report published. 

CloudMensis was found in April 2022, written in Objective-C, and is intended to attack both Intel and Apple semiconductor architectures. The initial infection vector for the attacks, as well as the targets, are yet unclear. However, the malware's limited dissemination suggests that it is being utilised as a part of a carefully targeted operation targeting businesses of interest. 

ESET discovered an attack chain that exploits code execution and administrative rights to launch a first-stage payload that is used to retrieve and run a second-stage malware housed on pCloud, which exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to delete evidence of Safari sandbox escape and privilege escalation attacks in 2017 that make use of four now-resolved security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes capabilities that allow it to circumvent the Transparency, Consent, and Control (TCC) security system, which requires all programmes to seek user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It accomplishes this by exploiting another fixed security flaw known as CVE-2020-9934, which was discovered in 2020. The backdoor also allows you to access a list of running processes, capture screenshots, list files from removable storage devices, and launch shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."
Read more »
threat
Attack Hackers malware Passwords phishing Safety threat

Google Blocked Dozens of Domains Used by Hack-for-hire Groups

 

Google's Threat Analysis Group released a blog post on Thursday detailing the actions of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these threat groups have been added to the internet giant's Safe Browsing system, preventing users from accessing them. 

Hack-for-hire groups are sometimes confused with businesses that provide surveillance tools. As per Google, surveillance vendors often give the tools required for spying but leave it up to the end-user to run them, whereas hack-for-hire groups perform the attacks themselves. Several hack-for-hire groups have been found in recent years. Google's investigation focuses on three groups thought to be based in India, Russia, and the United Arab Emirates. 

Google has been tracking the threat actor linked to India since 2012, with some of its members formerly working for offensive security firms. They now appear to be employed by Rebsec, a new firm that publicly sells corporate espionage services. The group has been observed phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom firms in the Middle East. 

The Russia-linked threat actor, known as Void Balaur by others, has targeted journalists, politicians, NGOs and organisations, and persons who looked to be ordinary residents in Russia and neighbouring nations. Phishing was also used in these assaults. 

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also had a public website where it advertised social media and email account hacking services. The UAE group primarily targets government, political, and educational groups in North Africa and the Middle East. This threat actor also employs phishing emails, but unlike many other organisations, it employs a custom phishing kit rather than open source phishing frameworks. 

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google believes Mohammed Benabdellah, who was sued by Microsoft in 2014 for developing the H-Worm (njRAT) malware, is associated with the group.
Read more »
Websites
Attack Cyber Attacks data security Hackers Russia-Ukraine War Transit Websites

Cyberattack Struck Norway, Pro-Russian Hacker Group Fingered

 

According to Norwegian authorities, a cyberattack momentarily took offline public and private websites in Norway in the last 24 hours.

As per Norwegian Prime Minister Jonas Gahr Stre, the attack has not caused any serious harm. According to the Norwegian National Security Authority, the distributed-denial-of-service (DDOS) attack targeted a secure national data network, causing the temporary suspension of internet services for many hours. 

According to NSM chief Sofie Nystrm, the attacks appear to be the work of a criminal pro-Russian gang. She went on to say that the attacks "create the sense that we are a piece in Europe's present political crisis." 

So according to Norwegian media, the country's ambassador to Moscow was called to the Foreign Ministry on Wednesday for a protest about Russian supplies being denied transit via Norway to an Arctic Russian coal-mining settlement. 

The hamlet of Barentsburg is located in the Svalbard archipelago, some 800 kilometres (500 miles) north of the Norwegian mainland. Because of the war in Ukraine, the European Union has imposed restrictions on a number of Russian commodities. 

Norway is not a member of the EU, although it follows its policies on most issues. Norway has sovereignty over the Svalbard archipelago by a 1920 treaty, but other signatory countries have the right to use its natural resources. 

The cyberattack on Norway occurred two days after a similar attack briefly shut down official and private websites in Lithuania, with a pro-Moscow hacking group claiming responsibility. That event occurred just a week after Russian authorities warned of retaliation because Lithuania blocked the transit of steel and ferrous metals sanctioned by the EU via its territory to Russia’s exclave of Kaliningrad.
Read more »
Subscribe to: Posts (Atom)