Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
cybersecurity threat
BYOVD Attack cyber attack Cyber Attacks cybersecurity threat

BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats

 

Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems. 

The technique, known as Bring Your Own Vulnerable Driver or BYOVD, involves attackers loading digitally signed but flawed drivers onto a compromised machine. Once active, the vulnerable driver can be exploited to gain kernel level privileges, the highest level of access in the Windows operating system. 

Researchers from Picus Security said the method allows threat actors to “load a legitimate, digitally signed, but vulnerable driver onto a target system” and then exploit weaknesses in that driver to gain arbitrary kernel mode execution. 

With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference. 

How the attack works 

BYOVD attacks do not provide the initial entry point into a system. Instead, attackers use the technique after gaining administrative access through other methods such as phishing campaigns, stolen credentials, exploitation of exposed services or purchasing access from an initial access broker. 

Once administrative privileges are obtained, attackers introduce a vulnerable driver file into the system. The driver, typically a .sys file, is often placed in directories that allow easy writing access such as temporary Windows folders or public user directories. 

Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools or gaming applications. Because the drivers are officially signed and appear legitimate, they can pass Windows trust checks. Attackers then load the driver into the Windows kernel. 

This is commonly done through the Windows Service Control Manager using commands such as sc.exe create and sc.exe start, or by calling system level APIs like NtLoadDriver. 

Since the driver carries a valid digital signature, Windows allows it to run in kernel space without immediately triggering alerts. 

Exploiting driver weaknesses 

After the vulnerable driver is loaded, attackers exploit unsafe input and output control functions exposed by the driver. These functions can allow direct reading and writing of system memory. 

By sending specially crafted requests, attackers can gain access to protected kernel memory regions. This effectively provides full control over the operating system’s most privileged layer. 

With kernel read and write capabilities, attackers can disable security protections in several ways. They may remove endpoint detection and response callbacks from kernel structures, patch tamper protection routines in memory, terminate antivirus processes or manipulate system process objects to conceal malicious activity. 

Even though security software may still appear installed, the endpoint may effectively be left unprotected. 

Example of driver abuse 

One attack analyzed by Picus researchers involved ransomware actors exploiting the mhyprot2.sys anti cheat driver used by the popular video game Genshin Impact. 

In that case, attackers installed the legitimate driver and then used a separate executable to send a specific command instructing the driver to terminate antivirus processes. Because the driver operated with kernel level privileges, it successfully executed system level commands to kill security services. 

Once defenses were disabled, ransomware encryption was deployed without resistance.

Structural weaknesses in driver trust 

The effectiveness of BYOVD attacks stems partly from how Windows manages driver trust. Since Windows 10, most new kernel drivers must be signed through Microsoft’s developer portal. 

However, compatibility requirements allow certain older cross signed drivers to still load under specific conditions. 

These conditions include systems where Secure Boot is disabled or devices that were upgraded from older Windows installations rather than freshly installed. 

Such compatibility allowances create gaps that attackers can exploit by loading vulnerable legacy drivers that remain trusted by the system. 

Microsoft also maintains a vulnerable driver blocklist, but this list is updated only after vulnerabilities are discovered and reported. Updates often coincide with major Windows releases, meaning newly identified vulnerable drivers may remain usable for extended periods. 

As a result, BYOVD attacks do not technically bypass Windows security mechanisms. Instead, they take advantage of drivers that the operating system still considers trustworthy. 

Defending against BYOVD 

Security experts say defending against this technique requires layered protections rather than a single configuration change. 

Organizations are advised to enable hypervisor protected code integrity and the broader virtualization based security framework to prevent unauthorized kernel memory changes. 

Controls such as Windows Defender Application Control and Microsoft’s vulnerable driver blocklist can restrict which drivers are allowed to run. Limiting administrative privileges is another critical step. 

Companies should remove unnecessary local administrator rights, enforce least privilege policies and require multi factor authentication for privileged accounts. Monitoring for suspicious activity is also essential. 

Security teams should watch for unusual driver loading events or new kernel service creation logs. Maintaining Secure Boot and restricting driver installation through group policy can further reduce the risk of unauthorized or legacy drivers being loaded. 

Regular auditing of third party drivers installed on systems can help reduce the overall kernel attack surface. 

Security analysts say BYOVD reflects a broader change in attacker strategy. Instead of relying only on new vulnerabilities or zero day exploits, threat actors increasingly use trusted components that already exist within systems. 

Read more »
US
Cyber Attacks Data Internet Iran Israel US

Threat Actors Hit Iranian Sites and Apps After the US-Israel Strike


A series of cyber attacks happened last week during the U.S- Israel attack on targets throughout Iran. 

The cyberattacks included hijacking the various news sites to show messages and also hacking BadeSaba, a religious calendar application over 5 million downloads, which showed messages warning users “It’s time for reckoning” and telling armed forces to give up and quit. 

The U.S Cyber Command spokesperson didn't comment on the issue. 

Internet connectivity in Iran has dropped significantly at 0706 GMT, with minimum connectivity remaining, according to Kentik’s director of internet analysis. It was a smart move to launch a cyberattack on BadeSaba as pro-government people use it and are more religious, said Hamid Kashfi, a security expert and founder of DarkCell, a cybersecurity firm. 

Cyberattacks also hit various Iranian military targets and government services to restrict a coordinated Iranian response, according to the Jerusalem Post. Reuters hasn't verified the claims yet. Sophos director of threat intelligence said that “As Iran considers its options, ‌the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, the director of threat intelligence with cybersecurity firm.”

These cyber operations may include old data breaches reported as new, vain efforts to breach interne-exposed industrial systems, and may also redirect offensive cyber operations. 

Cynthia Kaiser, a senior vice president at the anti-ransomware company Halcyon and a former top FBI cyber official, stated that activity has escalated in the Middle East. 

According to Kaiser, the company has also received calls to action from well-known pro-Iranian cyber personalities who have previously carried out ransomware attacks, hack-and-leak operations, and distributed denial-of-service (DDoS) attacks, which overload internet services and make them unavailable. He stated, "CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks.”

Experts also believe that state-sponsored Iranian hacking gangs already launched “wiper “ attacks that remove data on Israeli targets before the strikes. 

Apart from a brief disruption of services in Tirana, the capital of Albania, there was little indication of the disruptive cyberattacks frequently mentioned during discussions about Iran's digital capabilities in June following the U.S. strike on Iranian nuclear targets, according to media sources.

Read more »
cybersecurity risk
corporate cyber attacks Corporate Data Breach Cyber Attacks Cyber Gangs Cyber Security Ransomware Attacks cybersecurity risk

Crazy Ransomware Gang Abuses Net Monitor and SimpleHelp for Stealthy Network Persistence

 

Not long ago, security analysts from Huntress spotted someone tied to the Crazy ransomware group using standard employee surveillance and remote assistance programs. This person used common system tools - not custom malware - to stay hidden within company networks. Instead of flashy attacks, they moved quietly through digital environments already familiar to IT teams. What stands out is how ordinary software became part of a stealthy buildup toward data encryption. Behind the scenes, attackers mimic regular maintenance tasks to avoid suspicion. Their method skips complex hacking tricks in favor of blending in. Over time, such tactics make detection harder since alerts resemble routine actions. Rather than breaking in, they act like insiders who belong. Recently, this approach has become more frequent across different cybercrime efforts. Normal-looking tool usage now masks malicious goals deep inside infrastructure.

Throughout several cases reviewed by Huntress, Net Monitor for Employees Professional appeared next to SimpleHelp’s remote access software. Using both together let attackers maintain ongoing, hands-on access to affected machines. This pairing lowered their chances of setting off detection mechanisms. Each tool played a role in staying under the radar. 

A single instance involved deployment of surveillance software through Windows Installer by running msiexec.exe, enabling adversaries to pull the agent straight from the official provider site. With it active, complete remote screen access emerged alongside command launching, data movement, and live observation of machine activity - delivering control similar to admin privileges on compromised devices. 

To tighten their hold, the hackers tried turning on the default admin account via "net user administrator /active:yes." Another layer came when they pulled down SimpleHelp using PowerShell scripts. Files were hidden under names that looked real - some copied Visual Studio’s vshost.exe pattern. Others posed as OneDrive components, tucked inside folders like ProgramData. Despite detection of a single remote component, operations persisted due to multiple deployment layers. 

Occasionally, the SimpleHelp executable appeared under altered names, mimicking standard corporate software files. Observed by analysts, these changes helped it evade immediate recognition. At times, Huntress noticed efforts aimed at weakening Microsoft Defender - achieved by halting and removing related system services - to limit detection on infected devices. One breach showed attackers setting up alert triggers inside SimpleHelp, activated whenever machines reached sites tied to digital currency storage or trading. 

These triggers watched for terms linked to wallet providers, exchange portals, blockchain lookup tools, and online payment systems. Elsewhere, the surveillance tool logged mentions of remote access software like RDP, AnyDesk, TeamViewer, UltraViewer, and VNC, possibly to spot signs of IT staff or security teams logging into affected endpoints. Despite just a single confirmed instance leading to Crazy ransomware activation, Huntress identified shared command servers and repeated file names like “vhost.exe.” These similarities point toward one actor behind both breaches. 

Notably, infrastructure links emerged across incidents. One attack stood out in impact. Yet patterns in execution imply coordination. File artifacts matched closely. Operation methods showed consistency. The evidence ties the events together indirectly. Reuse of tools strengthens that view. Infrastructure overlap was clear. Execution timing varied. Still, the digital fingerprints align. Not just one but two security incidents traced back to stolen SSL VPN login details, showing how shaky remote entry points can open doors. 

Instead of assuming safety, watch for odd patterns - like when trusted remote management software shows up without warning, used now more often by attackers who twist normal tools into stealthy weapons. Despite growing reliance on standard tools by attackers, requiring extra verification steps for every remote login helps block stolen passwords from being useful. Because hackers now blend in using common management programs, watching network behavior closely while limiting who can enter key systems stays essential for company security.
Read more »
Group IB
Credential Theft Cyber Attacks Cyberbreaches Cybercrime Ecosystem Digital Supply Chain Risk Global Supply-Chain Attack Group IB

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem

 

Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. With each trend report, the security group highlights how standalone hacks have evolved: today’s strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins. 

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit. 

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack. 

Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match. 

Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments. Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors. 

When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure. Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. 

Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention. Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. 

Instead of reacting late, they build models for supply chain risks early. Automated scans track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited. With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today’s security planning. 

What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Not adding layers matters most - it is about strengthening what already ties everything together.
Read more »
Data Exfilteration
APT28 APT28 Cyber Espionage Cyber Attacks Cyber Phishing cybersecurity threat Data Exfilteration

APT28’s Operation MacroMaze Targets Western Europe With Stealthy Macro-Based Attacks

 

A fresh wave of digital intrusions, tied to Russian operatives known as APT28, emerges through findings uncovered by S2 Grupo’s LAB52 analysts. Throughout late 2025 into early 2026, these efforts quietly unfolded across Western and Central European institutions. Dubbed Operation MacroMaze, the pattern reveals reliance on minimalistic yet precisely timed actions. Instead of complex tools, attackers favored subtle coordination - bypassing alarms by design. Each phase unfolded with restraint, avoiding flashiness while maintaining persistence behind the scenes. 

Starting the operation, cyber actors send targeted emails with harmful attachments designed to trick users. Instead of using typical methods, these documents include an XML feature named “INCLUDEPICTURE.” That field points to a JPG stored on webhook[.]site, acting as a hidden reference. As soon as someone views the file, the system pulls the image from that external address. Unlike passive downloads, this transfer initiates a background connection outward. Midway through loading, the request exposes details about the user’s environment automatically. So, without visible signs, attackers receive confirmation plus technical footprints tied to the access event. 

Over time, different versions of the documents appeared, spotted by analysts during an extended review period. Each one carried small changes in macro design, though the core behavior stayed largely unchanged. Instead of sticking with automated browser launching, newer samples began mimicking keystrokes through SendKeys functions. This shift may have aimed at dodging detection mechanisms while keeping interactions less obvious to people opening files. 

When turned on, it runs a Visual Basic Script pushing the attack forward. A CMD file gets started by the script, setting up ongoing access using timed system jobs before releasing a batch routine. Out of nowhere, a tiny HTML segment encoded in Base64 appears inside Edge running without display. That fragment pulls directives from one online trigger point, carries out those steps on the machine, gathers what happens, then sends everything back - packed into an HTML document - to another web destination. 

A different version of the batch script skips headless browsing by shifting the browser window beyond the visible screen area. Following that shift, any active Edge instances are closed - this isolates the runtime setting. Once the created HTML document opens, form submission begins on its own, sending captured command results to a server managed by the attacker, all without engaging the user. 

LAB52 points out that the attack shows hackers using ordinary tools - batch scripts, minimal VBS launchers, basic HTML forms - to form a working breach system. Hidden browser tabs become operational zones, letting intrusions unfold without obvious footprints. Webhook platforms, meant for routine tasks, carry commands one way and stolen information the other. Instead of loud breaches, quiet integration with standard processes helps evade detection. The method thrives not on complexity, but on repurposing everyday components in stealthy ways. 

What stands out in Operation MacroMaze is how basic tools, when timed precisely, achieve advanced results. Not complexity - but clever order - defines its success. Common programs, used one after another in quiet succession, form an invisible path through defenses. Trusted system features play a central role, slipping past alarms. Persistence emerges not from novelty, but repetition masked as routine. Across several European organizations, the method survives simply by avoiding attention.
Read more »
XFS API exploitation
ATM jackpotting ATM malware attacks Cyber Attacks cyber physical crime FBI security alert Ploutus malware XFS API exploitation

FBI Warns of Surge in ATM Jackpotting Attacks After $20 Million Stolen in 2025

 

More than $20 million was stolen from compromised ATMs across the United States last year through a growing malware-driven scheme, according to a recent alert from the Federal Bureau of Investigation (FBI). Authorities say the tactic, known as ATM jackpotting, has seen a sharp rise in activity.

ATM jackpotting is a cyber-physical attack in which criminals manipulate both hardware and software weaknesses in ATMs to install malicious programs. Once deployed, the malware forces the machine to release cash on command without approval from the bank. Since 2020, nearly 1,900 such incidents have been recorded, with over 700 reported in 2025 alone, as detailed in a Thursday security advisory.

Attackers typically begin by using universal or generic keys to unlock the ATM cabinet. After gaining access, they either remove the machine’s hard drive to load malware onto it before reinstalling it, or swap it entirely with a pre-infected drive containing jackpotting software.

One of the most frequently used tools in these operations is Ploutus malware. This malicious program targets eXtensions for Financial Services (XFS), an open-standard API that enables ATMs and point-of-sale systems to communicate with banking applications across different hardware providers. 

Under normal conditions, XFS allows banking software to process transactions and authorize cash withdrawals. However, the malware manipulates this system, letting attackers send unauthorized commands that trigger the ATM to dispense money instantly.

Unlike card skimming schemes that compromise customer data and PIN numbers, jackpotting attacks primarily impact financial institutions. Banks and ATM operators bear the financial losses, which total tens of millions of dollars annually. These incidents are also challenging to detect in real time, often only becoming apparent after funds have already been removed.

In its latest advisory, the FBI outlined several warning signs for ATMs operating on Windows systems. These include suspicious executable files and scripts, unusual system event IDs linked to USB device insertions, missing hard drives, unauthorized hardware connected to the machine, and unexpected “out of cash” notifications. Financial institutions are urged to review these indicators closely to prevent further exploitation
Read more »
Supply Chain Attack
Crypto Exchange Cyber Attacks dYdX PyPI Package Supply Chain Attack

Malicious dYdX Packages Drain User Wallets in Supply Chain Attack

 

Malicious open-source packages targeting the dYdX cryptocurrency exchange have enabled attackers to drain user wallets, exposing once again how fragile software supply chains can be in the crypto ecosystem. Researchers found that legitimate-looking libraries on popular repositories were quietly stealing seed phrases and other sensitive data from both developers and end users, turning everyday development workflows into vectors for wallet compromise. The incident shows that even reputable projects using standard tooling are not immune when upstream dependencies are poisoned.

The attack focused on npm and PyPI packages associated with dYdX’s v4 trading stack, specifically the JavaScript package @dydxprotocol/v4-client-js and the Python package dydx-v4-client in certain versions. These libraries are widely used to build trading bots, automated strategies, and backend services that interact with the exchange and therefore routinely handle mnemonics and private keys needed to sign transactions. By compromising such central components, attackers gained access not just to individual wallets but to any application that pulled in the tainted releases.

Inside the malicious npm package, attackers added a surreptitious function that executed whenever a wallet seed phrase was processed, quietly exfiltrating it along with a fingerprint of the device running the code. The fingerprinting allowed the threat actors to correlate stolen credentials across multiple compromises and track victims over time. Stolen data was sent to a typosquatted domain crafted to resemble legitimate dYdX infrastructure, increasing the chances that network defenders would overlook the outbound connections.

The PyPI package carried similar credential-stealing behavior but escalated the threat by bundling a remote access Trojan capable of executing arbitrary Python code on infected systems. Running as a background daemon, this RAT regularly contacted a command‑and‑control server, fetched attacker-supplied code, and executed it in an isolated subprocess using a hard-coded authorization token. With this access, adversaries could steal keys and source code, plant persistent backdoors, and broadly surveil developer environments beyond just wallet data.

This is not the first time dYdX has faced targeted abuse of its ecosystem, following prior incidents involving malicious npm uploads and website hijacking campaigns aimed at draining user funds. For the broader industry, the episode underlines how high‑value crypto platforms and their developer tooling have become prime targets for supply-chain attacks. Developers are urged to rigorously audit dependencies, verify package integrity and publishers, and avoid using real wallet credentials in testing environments, while users should quickly review any apps or bots that rely on the affected dYdX client libraries.
Read more »
social engineering attacks
Cryptographic Credential Theft Cyber Attacks Device Linking Exploitation QR Code Phishing Secure Messaging Security Signal Account Hijacking social engineering attacks

German Authorities Alert Public to Signal Account Takeover Campaign

 

The use of secure messaging applications has long been seen as the final line of defense against persistent digital surveillance in an era of widespread digital surveillance. This assumption is now being challenged by Germany's domestic intelligence service, the Federal Office for the Protection of the Constitution, which, in conjunction with the Federal Office for Information Security, has jointly issued a rare advisory detailing a calculated cyberattack attributed to a state-backed adversary. 

It is clear that the warning highlights a deliberate strategy to infiltrate private communications through deception, rather than technical exploits, targeting individuals who rely heavily on them. The agencies report that the operation targets high-ranking political decision-makers, senior military personnel, diplomatic representatives, and investigative journalists in Germany and across Europe. Its implications go beyond the compromise of individual accounts to include high-ranking officials and foreign diplomats. 

Access to secure messenger profiles by unauthorized users could expose confidential information, sensitive professional networks, and trusted contact chains, which in turn could compromise entire institutional ecosystems. 

As a result, the campaign does not rely on malware deployment or the exploitation of Signal platform vulnerabilities. It attempts to manipulate the application's legitimate account recovery and verification features in order to achieve its objectives.

The attackers intend to quietly intercept private conversations and harvest contact information without triggering conventional security alarms by exploiting human trust rather than software vulnerabilities. The attack sequence reflects this strategy. The attackers are impersonating “Signal Support” or impersonating a fabricated assistance channel called a “Signal Security ChatBot” and contacting selected victims directly. 

Receivers are pressured to divulge verification codes or PINs sent via SMS as a precaution against data loss or account suspension, under the pretense that the adversary will be able to take control of the account upon surrendering these credentials. Based on the initial findings, the joint advisory clarifies that the attack is not a result of technical compromise of the platform's codebase or malicious payload deployment. 

By combining carefully staged social engineering with Signal's routine functionality, the operators are exploiting the trust users place in its privacy-centered design. By manipulating the standard account verification and recovery workflows, the attackers are able to induce their victims to divulge the very credentials that secure their communication. 

In one documented scenario, a person impersonating an official support channel is referred to as “Signal Support” or “Signal Security Chatbot.” The targeted organization receives messages alleging fabricated security irregularities and urges it to act immediately to prevent alleged data loss or account suspension. 

By engineering urgency, recipients are prompted to disclose their Signal PINs or SMS verification codes, overriding caution. When the adversary possesses these credentials, they may re-register the account on infrastructure under their control, effectively transferring ownership of the account. Such situations may result in the legitimate user being locked out and the intruder gaining unfettered access to message histories, active conversations, and stored contact information. 

A parallel technique utilizes Signal's multi-device linking capability, enabling seamless synchronization across mobile, tablet, and desktop clients. By causing victims to scan a malicious QR code, threat actors are able to inadvertently attach additional devices to their accounts by posing as a threat actor. With this method, one-on-one exchanges, group discussions, and associated metadata are persistently visible, almost real-time, without generating immediate suspicion.

Since the original device remains functional, the victims may not be aware that their communications are mirrored elsewhere. Authorities emphasize that the absence of malware is a defining characteristic of the campaign. In lieu of exploit chains or zero-day vulnerabilities, attackers rely solely on the voluntary disclosure of valid cryptographic credentials to gain access. 

Through the use of this approach, they are able to circumvent conventional endpoint security systems and network monitoring systems because the account access appears to be procedurally valid within the platform's security environment. 

Using trusted features inappropriately complicates the detection process as well as amplifies the potential intelligence value of the intrusion. It is further noted that individuals whose communications are sensitive from a diplomatic, military, political, or investigative perspective have been given priority in the targeting profile. 

By compromised such accounts, one can gain access to confidential discussions, gain insight into policy decisions and operational planning, and reconstruct professional networks to target subsequent targets. Furthermore, controlling trusted accounts provides an opportunity for impersonation, allowing misleading information to be distributed or sensitive exchanges to be manipulated.

It is reported that the activity was likely to be perpetrated by a state-sponsored actor, but officials caution that these techniques are neither technical complex nor exclusive to government-backed organizations. 

The use of social engineering rather than sophisticated exploitation reduces the barrier to replication, enhancing the likelihood that criminal enterprises or other hostile actors may use similar tactics with comparable impact in the future. The German authorities emphasize in their concluding guidance that the durability of encrypted communication ultimately depends on both informed user vigilance and cryptographic strength. 

Educating institutions and high profile individuals on how to respond to unsolicited account-related requests with heightened scrutiny, strengthening internal awareness of verification workflows, and integrating secure messaging hygiene into operational security procedures is recommended.

An audit of linked devices on a regular basis, strict control over authentication credentials, as well as the activation of additional account safeguards are not offered as optional enhancements, but as mandatory requirements in a threat environment where deception replaces exploitation. 

According to the agencies, resilience will depend more on disciplined user behavior and proactive defensive posture than on technological assurances alone, as adversaries continue to use legitimate platform features for covert access. 

s a result of the advisory, institutions will not be able to protect themselves from compromise when authentication workflows themselves become an attack surface for compromised platforms. 

It is recommended that organizations evaluate how secure messaging tools are integrated into executive and diplomatic communications, ensuring that account recovery procedures, device management policies, and identity verification protocols are governed by formal security controls as opposed to informal user discretion, according to German officials. 

An adversary who weaponizes legitimacy rather than exploiting flaws will need to cultivate procedural discipline, a continuous threat awareness, and a recognition that trust, once manipulated, can have the same impact as any technical vulnerability.
Read more »
Spanish government data breach
Cyber Attacks cybercrime surge 2025 GordonFreeman hacker IDOR vulnerability exploit Ministry of Science cyberattack Spain Spanish government data breach

Spain Ministry of Science Cyberattack Triggers IT Shutdown, Hacker Claims Data Breach

 

A cyberattack targeting the Ministry of Science, Innovation and Universities has led to a partial shutdown of government IT infrastructure, interrupting essential digital services relied upon by researchers, universities, students, and businesses nationwide.

Authorities initially referred to the disruption as a “technical incident,” but mounting evidence — alongside confirmations from Spanish media — now indicates the event was the result of a cyberattack that may have compromised sensitive academic, personal, and financial data.

The ministry is a key pillar of Spain’s higher education and research framework. Any outage affecting its digital systems carries significant operational and administrative consequences, elevating the seriousness of the breach beyond a routine technical malfunction.

In a statement posted on its electronic headquarters, the ministry acknowledged the disruption and announced the temporary closure of several digital services.

“As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.”

The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.”

Officials added that deadline extensions would remain active: "until the complete resolution of the aforementioned incident occurs," citing Article 32 of Law 39/2015.

While the extension of deadlines offers procedural protection to affected users, the absence of immediate clarity regarding the nature of the disruption sparked concern among stakeholders.

Hacker Claims Responsibility for Breach

Concerns escalated after a threat actor operating under the alias Gordon Freeman appeared on underground forums claiming responsibility for the attack. The individual alleged exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability, which reportedly granted “full-admin-level access” to internal systems.

The attacker published sample screenshots online — though their authenticity has not been independently confirmed — showing what appear to be official documents, email addresses, enrollment records, and internal communications.

Spanish outlet OKDIARIO reported that a ministry spokesperson acknowledged the IT disruption stemmed from a cyberattack and confirmed that the electronic headquarters had been taken offline to evaluate the potential scope of the breach.

Although the forum where the leak was allegedly posted has since gone offline and the data has not resurfaced elsewhere, early indicators suggest the materials could be genuine. If verified, the breach would represent a significant failure in access control safeguards.
According to the attacker’s claims, the compromised data may include:
  • Scanned identification documents, including NIEs and passports
  • Email addresses
  • Payment confirmations displaying IBAN numbers
  • Academic transcripts and apostilled degrees
  • Curricula containing private personal details
If confirmed, the breach could expose thousands of students and researchers to identity theft, financial fraud, and long-term privacy risks. Academic records, once leaked, are particularly difficult to revoke or replace.

The incident reflects a broader cybersecurity challenge in Spain. Cybercrime now represents more than one in six recorded criminal offenses nationwide. Authorities have reported a 35% increase in cyberattacks this year, with daily incidents exceeding 45,000. Between late February and early March, reported attacks surged by 750% compared to the same timeframe last year.

During the week of 5–11 March 2025, Spain ranked as the most targeted country globally, accounting for 22.6% of all recorded cyber incidents — surpassing even the United States.

Experts attribute the trend to two primary factors: rapid digital transformation — accelerated by EU-backed modernization initiatives — and insufficient investment in cybersecurity infrastructure. Ransomware incidents alone have climbed 120%, disproportionately affecting public institutions and small-to-medium enterprises.


Read more »
Technology
Chelsea Cyber Attacks data intrusion Kensington London Technology

London Boroughs Struggle to Restore Services After November Cyber Attack




A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions.

The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain.

A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months.

According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property.

Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence.

Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating.

Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete.

Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided.

There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval.

Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received.

Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context.

Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration.

Council Leader Cllr Elizabeth Campbell described the incident as a n intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience. 

Read more »
Ransomware
Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources


Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries. 

About the breach 

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials. 

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks. 

History 

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom. 

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Read more »
TGR-STA-1030
APT28 Cyber Espionage Chinese Hackers Cyber Attacks Palo Alto TGR-STA-1030

Palo Alto Softens China Hack Attribution Over Beijing Retaliation Fears

 

Palo Alto Networks is facing scrutiny after reports that it deliberately softened public attribution of a vast cyberespionage campaign that its researchers internally linked to China. According to people familiar with the matter, a draft from its Unit 42 threat intelligence team tied the prolific hacking group, dubbed “TGR-STA-1030,” directly to Beijing, but the final report described it only as a “state-aligned group that operates out of Asia.” The change has reignited debate over how commercial cybersecurity firms navigate geopolitical pressure while disclosing state-backed hacking operations. 

The underlying campaign, branded “The Shadow Campaigns,” involved years-long reconnaissance and intrusions spanning nearly every country, compromising government and critical infrastructure targets in at least 37 nations. Investigators noted telltale clues suggesting a Chinese nexus, including activity patterns aligned with the GMT+8 time zone and tasking that appeared to track diplomatic flashpoints involving Beijing, such as a focus on Czech government systems after a presidential meeting with the Dalai Lama. The operators also reportedly targeted Thailand shortly before a high‑profile state visit by the Thai king to China, hinting at classic intelligence collection around sensitive diplomatic events. 

According to sources cited in the report, Palo Alto executives ordered the language to be watered down after China moved to ban software from about 15 U.S. and Israeli cybersecurity vendors, including Palo Alto, on national security grounds. Leadership allegedly worried that an explicit attribution to China could trigger further retaliation, potentially putting staff in the country at risk and jeopardizing business with Chinese or China‑exposed customers worldwide. The episode illustrates the mounting commercial and personal-security stakes facing global security vendors that operate in markets where they may also be calling out state-backed hacking. 

The researchers who reviewed Unit 42’s technical findings say they have observed similar tradecraft and infrastructure in activity they already attribute to Chinese state-sponsored espionage. U.S. officials and independent analysts have for years warned of increasingly aggressive Chinese cyber operations aimed at burrowing into critical infrastructure and sensitive government networks, a trend they see reflected in the Shadow Campaigns’ breadth and persistence. While Beijing consistently denies involvement in hacking, the indicators described by Palo Alto and others fit a pattern Western intelligence agencies have been tracking across multiple high‑impact intrusions. 

China’s embassy in Washington responded by reiterating that Beijing opposes “all forms of cyberattacks” and arguing that attribution is a complex technical issue that should rest on “sufficient evidence rather than unfounded speculation and accusations.” The controversy around Palo Alto’s edited report now sits at the intersection of that diplomatic line and the realities of commercial risk in authoritarian markets. For the wider cybersecurity industry, it underscores a hardening dilemma: how to speak plainly about state-backed intrusions while safeguarding employees, customers, and revenue in the very countries whose hackers they may be exposing.
Read more »
HoneyMyte
Chinese Hacker CoolClient Cyber Attacks Data Theft HoneyMyte

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe

 

The HoneyMyte threat group, also known as Mustang Panda or Bronze President, has escalated its cyber espionage efforts by significantly upgrading its CoolClient backdoor malware. This China-linked advanced persistent threat (APT) actor, active since at least 2012, primarily targets government organizations in Asia and Europe to harvest sensitive geopolitical and economic intelligence.

In 2025, security researchers from Kaspersky identified enhanced versions of CoolClient deployed in campaigns hitting countries like Myanmar, Mongolia, Malaysia, Thailand, Russia, and Pakistan.These updates reflect HoneyMyte's ongoing adaptation to evade detection and maximize data theft from high-value targets. CoolClient now employs a multi-stage infection chain, often using DLL side-loading to hijack legitimate applications from vendors like BitDefender, VLC Media Player, and Sangfor. 

This technique allows the malware to masquerade as trusted software while executing malicious payloads for persistence and command-and-control communication. The backdoor supports extensible plugins, including new capabilities to extract HTTP proxy credentials from network traffic—a feature not previously observed in HoneyMyte's arsenal. Combined with tools like ToneShell rootkit, PlugX, and USB worms such as Tonedisk, these enhancements enable deeper system compromise and long-term surveillance.

A standout addition is HoneyMyte's browser credential stealer, available in at least three variants tailored to popular browsers. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C handles multiple Chromium-based browsers like Brave and Opera. The stealer copies login databases to temporary folders, leverages Windows Data Protection API (DPAPI) to decrypt master keys and passwords, then reconstructs full credential sets for exfiltration. This shift toward active credential harvesting, alongside keylogging and clipboard monitoring, marks HoneyMyte's evolution from passive espionage to comprehensive victim surveillance.

Supporting these implants, HoneyMyte deploys scripts for reconnaissance, document exfiltration, and system profiling, often in tandem with CoolClient infections. These campaigns exploit spear-phishing lures mimicking government services in victims' native languages, exploiting regional events for credibility.Earlier variants of CoolClient were analyzed by Sophos in 2022 and Trend Micro in 2023, but 2025 iterations show marked improvements in stealth and modularity. The group's focus on Southeast Asian governments underscores its alignment with Chinese strategic interests.

Organizations face heightened risks from HoneyMyte's refined toolkit, demanding robust defenses like behavioral monitoring for DLL side-loading, browser credential anomalies, and anomalous network traffic. Government entities in targeted regions should prioritize endpoint detection, credential hygiene, and threat intelligence sharing to counter these persistent threats. As HoneyMyte continues innovating—potentially expanding to Europe—proactive measures remain essential against this adaptable adversary.
Read more »
Microsoft Outlook security
Customer Data Cyber Attacks Cyber Phishing Data Theft Hijacking Microsoft Microsoft Outlook Microsoft Outlook security

Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials

 

A breach transformed the AgreeTo plug-in for Microsoft Outlook - once meant for organizing meetings - into a weapon that harvested over four thousand login details. Though built by a third-party developer and offered through the official Office Add-in Store starting in late 2022, it turned against its intended purpose. Instead of simplifying calendars, it funneled user data to attackers. What began as a practical tool ended up exploited, quietly capturing credentials under false trust. 

Not every tool inside Office apps runs locally - some pull data straight from web addresses. For AgreeTo, its feature lived online through a link managed via Vercel. That address stopped receiving updates when the creator walked away, even though people kept using it. With no one fixing issues, the software faded into silence. Yet Microsoft still displayed it as available for download. Later, someone with harmful intent took control of the unused webpage. From there, they served malicious material under the app’s trusted name. A login screen mimicking Microsoft’s design appeared where the real one should have been, according to analysts at Koi Security. 

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

A removal of AgreeTo from the store was carried out by Microsoft. Anyone keeping the add-in should uninstall it without delay, followed by a password change. Attempts to reach Microsoft for input have been made; no reply came so far.
Read more »
Windows
BYOVD Attack cloud storage Cyber Attacks Linux phishing Ransomware Reynolds Windows

New Ransomware Uses Trusted Drivers to Disable Security Defenses

 


Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Read more »
United Kingdom
Botnet construction Cyber Attacks Prometei Russia United Kingdom

UK Construction Company’s Windows Server Infiltrated by Prometei Botnet

 



In January 2026, a construction company in the United Kingdom found an unwelcome presence inside one of its Windows servers. Cybersecurity analysts from eSentire’s Threat Response Unit (TRU) determined that the intruder was a long-running malware network known as Prometei, a botnet with links to Russian threat activity and active since at least 2016.

Although Prometei has been widely observed conducting covert cryptocurrency mining, the investigation showed that this malware can do much more than simply generate digital currency. In this case, it was also capable of capturing passwords and potentially enabling remote control of the affected system.

According to the analysis shared with cybersecurity media, this attack did not involve complex hacking techniques. The initial intrusion appears to have occurred because the attackers were able to successfully log into the server using Remote Desktop Protocol (RDP) with weak or default login credentials. Remote Desktop, a tool used to access computers over a network, can be exploited easily if account passwords are simple.

Prometei is not a single program that drops onto a system. Instead, it operates as a collection of tools designed to carry out multiple functions once it gains access. When the malware first infects a machine, it adds a new service with a name such as “UPlugPlay,” and it creates a file called sqhost.exe to ensure that it relaunches automatically every time the server restarts.

Once these persistence mechanisms are in place, the malware downloads its main functional component, often called zsvc.exe, from a command server linked to an entity identified in analysis as Primesoftex Ltd. This payload is transmitted in encrypted form and disguised to avoid detection.

After establishing itself, Prometei collects basic technical information about the infected system by using legitimate Windows utilities. It then employs credential-harvesting techniques that resemble the behaviour of publicly known tools, capturing passwords stored on the server and within the network. In the course of this activity, Prometei commonly leverages the TOR anonymity network to conceal its command and control communications, making it harder for defenders to trace its actions.

Prometei also has built-in countermeasures to evade analysis and detection. For example, the malware checks for the presence of a specific file called mshlpda32.dll. If this file is absent, instead of crashing or revealing obvious malicious behaviour, the malware executes benign-looking operations that mimic routine system tasks. This is a deliberate method to confuse security researchers and automated analysis tools that attempt to study the malware in safe environments.

In a further twist, once Prometei has established a foothold, it also deploys a utility referred to as netdefender.exe. This component monitors failed login attempts and blocks them, effectively locking out other potential attackers. While this might seem beneficial, its purpose is to ensure that the malicious operator retains exclusive control of the compromised server.

To protect systems from similar threats, cybersecurity experts urge organisations to replace default passwords with complex, unique credentials. They recommend implementing multi-factor authentication for remote access services, keeping software up to date with security patches, and monitoring login activity for unusual access attempts. eSentire has also released specialised analysis tools that allow defenders to unpack Prometei’s components and study its behaviour in controlled settings.


Read more »
Singapore Telecoms
China Nexus Cyber Attacks cyber espionage Singapore Telecoms

Singapore Telecoms Hit by China-Linked Cyber Espionage

 

Singapore’s cyber watchdog has disclosed that an advanced cyber espionage group — UNC3886, with which APT10 and Red October have been linked — was behind attacks that targeted the four major telecom operators last year. The affected companies were Singtel, StarHub, M1 and Simba Telecom, which collectively provide the backbone of Singapore’s communications infrastructure. The authorities said this is the first time they have publicly acknowledged that the group’s targets have included telecommunications networks, highlighting how these systems are increasingly viewed as vital to national security. 

Although the hackers were able to gain access to some areas of the operators' networks, the Cyber Security Agency of Singapore said that no disruptions were caused to services and that no data belonging to customers was stolen. The breaches were deemed to be orchestrated to be stealthy, rather than loud, investigators said, with the hackers taking a sideways route through compromised networks inside chosen segments, rather than triggering massive outages. Officials stressed the incident was isolated and that there is no indication that the end users were directly affected and cautioned that the breaches are a serious security issue even if the attacks didn’t seem to affect them. 

The hackers were able to extract a limited amount of technical information from the telecom environments, primarily network‑related data such as configuration details and system metadata. Singapore’s cyber agency believes this information was stolen to support the group’s longer‑term operational objectives, including planning future intrusions, improving their understanding of the infrastructure and identifying potential weak points. While the volume of exfiltrated data was described as small, officials cautioned that even narrow slices of high‑value technical data can significantly enhance a sophisticated actor’s capabilities.

Google‑owned cybersecurity firm Mandiant has profiled UNC3886 as a highly advanced “China‑nexus” espionage group that has previously targeted defence, technology and telecommunications organisations in both the United States and Asia. Beijing routinely rejects allegations that it conducts or sponsors cyber espionage, insisting that China opposes all forms of cyberattacks and is itself a victim of malicious cyber activity. The Chinese Embassy in Singapore did not immediately respond to requests for comment on the latest disclosures about UNC3886.

In a joint statement, Singtel, StarHub, M1 and Simba Telecom acknowledged that they regularly face a wide spectrum of cyber threats, ranging from distributed denial‑of‑service attacks and malware to phishing campaigns and more persistent, stealthy intrusions. The operators said they employ “defence‑in‑depth” strategies, combining layered security controls with continuous monitoring and prompt remediation when suspicious activity is detected. They added that they work closely with government agencies and industry experts to strengthen the resilience of Singapore’s telecom infrastructure as cyber adversaries grow more capable.
Read more »
KEV
CISA CISA advisory CISA KEV catalog CVE CVE vulnerability CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity vulnerability KEV

CISA Warns of Actively Exploited SmarterMail Flaw Used in Ransomware Attacks

 

CISA includes a fresh SmarterMail weakness in its KEV list - this marks the third such addition linked to the messaging system within fourteen days. Identified as CVE-2026-24423, the security gap faces real-world abuse during ransom operations. Evidence points to sustained interest in compromising SmarterTools’ broadly adopted software suite. 

Another entry joins a pair of prior SmarterMail flaws listed in the KEV database since January 26. One was tagged CVE-2025-52691 - marked by unchecked uploads of hazardous files. The second, assigned CVE-2026-23760, let attackers skip login checks entirely. Analysis came first from experts at watchTowr, who unpacked how each could be triggered. Once those specifics emerged, several security teams observed active attacks; the login flaw saw more frequent abuse. Although both were dissected publicly, it was the broken verification that drew wider misuse. 

A security issue labeled CVE-2026-24423 arises because a key part of SmarterMail - the ConnectToHub API - lacks proper access checks. Versions before v100.0.9511 are exposed, letting outsiders run harmful code remotely. Instead of requiring login details, hackers exploit it by submitting a modified POST message. This leads to direct command control on the target machine through intentional input manipulation. 

Separate findings came from teams at watchTowr, CODE WHITE GmbH, and VulnCheck. As noted by Cale Black of VulnCheck, the affected endpoint skips any login checks - opening a way to set up server directory links remotely. Because that setup pulls instructions directly from an outside machine under attacker influence, control is effectively handed over. Those instructions appear as support routines inside the system. Once SmarterMail reads them, they run unchecked on whatever platform hosts the software. 

Starting at the ConnectToHub endpoint, the process handles a remote address sent via one particular parameter. Afterward, communication initiates from the SmarterMail server toward a machine controlled by the attacker. That system replies - not with ordinary data - but with settings containing command inputs meant to run. Provided minimal checks are satisfied, execution follows without further barriers. Control over the compromised environment expands widely under these conditions. 

By February 26, 2026, U.S. federal civilian agencies must fix the vulnerability - this stems from ongoing attacks involving ransomware. Though only binding for federal bodies, its listing in CISA’s KEV catalog hints at wider exposure across any organization using affected SmarterMail versions. Not just government systems face potential harm; real-world misuse raises stakes beyond official mandates. 

Right now, updating to the newest SmarterMail release is a top priority, according to analysts watching threats closely. Instead of waiting, teams managing large systems should examine log data - especially activity tied to the open ConnectToHub interface, since probes might show up as odd patterns in API traffic. What stands out is how quickly multiple flaws in SmarterMail entered official exploit databases, signaling that delays in patching could lead to real breaches. Because of this, those overseeing network access must act fast while rethinking how exposed their mail platforms really are.
Read more »
Subscribe to: Comments (Atom)