Quasar Linux Malware Targets Developers in Stealthy Supply Chain Attack

 

A newly discovered Linux implant called Quasar Linux, or QLNX, is a serious threat because it goes after the people and systems that build software. Instead of behaving like ordinary malware, it is designed to quietly take root in developer and DevOps environments, steal valuable credentials, and open the door to supply-chain attacks. 

QLNX is dangerous because it combines several attack techniques in one package. Trend Micro says it can function as a rootkit, a backdoor, and a credential stealer, while also running filelessly, wiping logs, spoofing process names, and removing its original binary from disk to make investigation harder. It also uses multiple persistence methods, including LD_PRELOAD, systemd, crontab, init.d scripts, XDG autostart, and .bashrc injection, so it can keep coming back even if part of it is removed.

The malware’s main prize is access to developer secrets. Researchers say it targets credentials tied to npm, PyPI, GitHub, AWS, Docker, Kubernetes, Terraform, and other tools that are deeply embedded in modern software delivery pipelines. If attackers get those tokens or keys, they can publish malicious packages, tamper with builds, or move from one system into cloud infrastructure and CI/CD environments.

What makes the threat especially troubling is how stealthy it is. Trend Micro found that QLNX can dynamically compile rootkit and PAM backdoor components on the victim host using gcc, which helps it blend in with normal Linux activity. It also harvests clipboard contents, SSH keys, browser profiles, and authentication data, giving attackers a wide view into how developers work and where their secrets are stored.

The broader issue is that developer machines have become high-value targets in the software supply chain. One compromised workstation can expose publishing pipelines, cloud accounts, and internal codebases, so the impact may spread far beyond the original victim. The safest response is to treat developer endpoints like crown-jewel systems: monitor for unusual persistence, restrict secret storage, rotate tokens quickly, and assume a stolen workstation could become the first step in a wider breach.
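As an added example (not code from Trend Micro or from the original post), the following Python sketch sweeps the persistence locations listed above under a given filesystem root, so it can be pointed at a mounted disk image as well as at `/`. The matching heuristic, the file paths chosen for each mechanism, and the sample tree are assumptions made for illustration and are not QLNX indicators.

```python
import re
import tempfile
from pathlib import Path

# Heuristic chosen for this example (an assumption, not a QLNX indicator):
# entries that set LD_PRELOAD or execute from world-writable scratch space.
SUSPECT = re.compile(r"LD_PRELOAD|(?:/var)?/tmp/|/dev/shm/")

# Persistence mechanism named in the article -> globs relative to the audited root.
LOCATIONS = {
    "ld_preload": ["etc/ld.so.preload"],
    "systemd": ["etc/systemd/system/*.service",
                "home/*/.config/systemd/user/*.service"],
    "crontab": ["etc/crontab", "etc/cron.d/*", "var/spool/cron/*",
                "var/spool/cron/crontabs/*"],
    "init.d": ["etc/init.d/*"],
    "xdg_autostart": ["etc/xdg/autostart/*.desktop",
                      "home/*/.config/autostart/*.desktop"],
    "bashrc": ["home/*/.bashrc", "root/.bashrc"],
}


def audit_persistence(root):
    """Return (mechanism, relative_path, line) for every line worth reviewing."""
    root = Path(root)
    findings = []
    for mechanism, patterns in LOCATIONS.items():
        for pattern in patterns:
            for path in sorted(root.glob(pattern)):
                if not path.is_file():
                    continue
                for line in path.read_text(errors="replace").splitlines():
                    text = line.strip()
                    if not text or text.startswith("#"):
                        continue
                    # Any entry in ld.so.preload is notable: the file is
                    # normally absent or empty on a stock system.
                    if mechanism == "ld_preload" or SUSPECT.search(text):
                        rel = path.relative_to(root).as_posix()
                        findings.append((mechanism, rel, text))
    return findings


def build_constructed_tree(root):
    """Write a small constructed tree mixing benign and suspicious entries."""
    files = {
        "etc/ld.so.preload": "/usr/lib/libexample_hook.so\n",
        "etc/systemd/system/backup.service":
            "[Service]\nExecStart=/usr/bin/rsync -a /srv /backup\n",
        "etc/systemd/system/updater.service":
            "[Service]\nExecStart=/dev/shm/.cache/updater\n",
        "etc/crontab": "17 * * * * root run-parts /etc/cron.hourly\n",
        "home/dev/.bashrc":
            "alias ll='ls -l'\nexport LD_PRELOAD=/home/dev/.local/lib/libx.so\n",
        "home/dev/.config/autostart/sync.desktop":
            "[Desktop Entry]\nExec=/tmp/sync-helper\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for mechanism, path, line in audit_persistence(tmp):
            print(f"{mechanism:14} {path}: {line}")
```

A clean result from a file sweep like this does not rule out an active LD_PRELOAD rootkit on a live host, since such a rootkit can hide files from userland tools; running it against an offline image avoids that blind spot.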

Trusted Tools Becoming the New Cybersecurity Threat, Says Bitdefender Report

 

Cybersecurity threats are evolving rapidly, and according to recent findings, attackers are increasingly relying on tools that organizations already trust. In its latest analysis, Bitdefender highlighted that modern cyberattacks often resemble routine administrative activity rather than traditional malware-based intrusions.

In the earlier report titled “Your Biggest Security Risk Isn't Malware — It's What You Already Trust,” Bitdefender explained how commonly used utilities such as PowerShell, WMIC, netsh, Certutil, and MSBuild have become popular among cybercriminals. These tools are regularly used by IT teams for legitimate purposes, making malicious activity harder to detect. The company revealed that legitimate-tool misuse was identified in 84% of 700,000 high-severity incidents analyzed.

To help organizations address this growing concern, Bitdefender introduced a complimentary Internal Attack Surface Assessment program. Designed for companies with 250 or more employees, the 45-day assessment aims to identify risky tools, users, and endpoints that could potentially be exploited by attackers while ensuring normal business operations remain unaffected.

The company noted that a standard Windows 11 installation includes 133 unique living-off-the-land binaries (LOLBins) across 987 instances. In addition, Bitdefender Labs found that PowerShell was active on 73% of endpoints, often running silently through third-party applications. According to the report, this indicates that the issue is less about malware and more about excessive permissions and unrestricted tool access.

Industry trends also point toward a shift in cybersecurity strategy. Gartner predicts that preemptive cybersecurity measures will account for 50% of IT security spending by 2030, compared to less than 5% in 2024. It also forecasts that 60% of large enterprises will adopt dynamic attack surface reduction technologies by 2030, up from less than 10% in 2025.

The Internal Attack Surface Assessment operates in four phases over approximately 45 days using GravityZone PHASR, Bitdefender’s proactive hardening and attack surface reduction technology.

The process begins with behavioral learning, where PHASR studies activity patterns for each machine-user combination over roughly 30 days. Organizations then receive an Attack Surface Dashboard featuring an exposure score between 0 and 100, along with prioritized findings related to living-off-the-land binaries, remote administration tools, tampering utilities, cryptominers, and piracy software.

An optional reduction phase allows businesses to apply restrictions either manually or through PHASR’s Autopilot feature. Employees can request restored access through a built-in one-click approval system. The final review measures how much the organization’s attack surface has been reduced and identifies any unauthorized applications or shadow IT risks discovered during the process.

Bitdefender stated that some early-access customers managed to reduce their attack surface by more than 30% within the first month, while one organization reportedly achieved nearly 70% reduction after restricting LOLBins and remote administration tools.

The assessment is intended to benefit multiple stakeholders within an organization. CISOs receive measurable exposure data suitable for board-level reporting, while SOC teams and IT administrators can potentially reduce investigation workloads by eliminating unnecessary suspicious activity. Business leaders may also benefit from documented security improvements that align with regulatory, auditing, and cyber-insurance expectations.

Bitdefender concluded that security risks are no longer solely external threats but often exist within existing systems and trusted tools already present in enterprise environments.

How Telecom Systems Were Used to Secretly Track Mobile Users Worldwide

A new investigation by the digital rights research group Citizen Lab has revealed how weaknesses inside global telecom infrastructure were allegedly exploited to secretly monitor mobile phone users in more than ten countries over the past three years.

The findings, reviewed by Haaretz, highlight how parts of the global mobile network system, originally developed decades before smartphones existed, continue to expose users to modern surveillance risks despite the arrival of 4G and 5G technologies.

According to the report, researchers uncovered two separate surveillance operations that appear to be linked to commercial spyware and cyber intelligence vendors selling tracking capabilities to government clients worldwide. One of the operations reportedly used telecom infrastructure connected to Israeli providers 019Mobile and Partner Communications, although both companies denied involvement.

Researchers say the operations relied on weaknesses in SS7, an older telecom signaling protocol used globally to route phone calls, text messages, and roaming traffic between mobile operators. SS7 was designed during a period when telecom networks trusted one another by default, long before today’s cybersecurity threats emerged. Security experts have warned for years that attackers can abuse the protocol to monitor phone activity, intercept communications, or identify a user’s location.

The report states that some surveillance firms were able to impersonate legitimate mobile carriers and gain access to these legacy telecom systems in order to track users internationally. A second operation was reportedly linked to Fink Telecom Services, a Swiss company previously named in a 2023 investigation by Haaretz and Lighthouse Reports involving telecom surveillance services supplied to cyber intelligence vendors, including Rayzone.

Last week, British regulators reportedly moved to ban similar telecom signaling abuse practices, describing them as a major source of malicious activity affecting mobile networks. However, the new findings suggest that even newer systems built for 4G and 5G communications are vulnerable to similar exploitation.

One example highlighted in the report is Diameter, a signaling protocol widely used in 4G roaming and many 5G environments to manage subscriber connectivity and authentication. Although Diameter was introduced with stronger security protections than SS7, researchers found that attackers are still capable of abusing the system to conduct tracking operations.

In the first campaign identified by Citizen Lab, researchers documented more than 500 location-tracking attempts between November 2022 and 2025 across countries including Thailand, Bangladesh, Norway, Malaysia, South Africa, and several African nations. The investigation reportedly began after researchers observed a Middle Eastern businessman being repeatedly tracked over a four-hour period through international telecom queries.

Citizen Lab found that telecom identifiers associated with 019Mobile were used to send location-tracking requests through infrastructure connected to Partner Communications, which supports 019Mobile’s services. Another network route reportedly passed through Exelera Telecom, a communications and cloud services provider that also manages international fiber-optic infrastructure. Exelera did not publicly respond to requests for comment.

019Mobile’s head of security denied involvement and stated that the company operates as a virtual provider using another carrier’s infrastructure rather than maintaining its own roaming agreements. Researchers noted that attackers may have forged the company’s telecom identity to access the network.

Although Citizen Lab did not publicly identify the companies behind the operations, the report referenced several possible actors, including Cognyte. Internal files reviewed by Haaretz reportedly showed that Cognyte’s former parent company, Verint Systems, sold an SS7-based tracking product called SkyLock to a government customer in the Democratic Republic of Congo.

According to the report, SkyLock could reportedly locate mobile devices globally by exploiting telecom roaming systems. The documents also pointed to commercial relationships with telecom operators in Thailand, Malaysia, Indonesia, Vietnam, and Congo, several of which overlap with countries mentioned in the surveillance campaign.

Researchers also uncovered a more advanced surveillance method known as SIMjacking. The technique exploits vulnerabilities inside SIM cards by sending hidden binary text messages containing secret instructions. Once received, the SIM card can silently transmit the device’s location back to the attacker without displaying any visible warning or notification to the user.

Citizen Lab identified more than 15,700 suspected SIMjacking-related tracking attempts since late 2022. Researchers noted that when Haaretz and Lighthouse Reports first exposed Fink Telecom Services in 2023, the company had not yet been linked to the SIMjacking technique.

Cybersecurity experts warn that these attacks are especially concerning because they target weaknesses within telecom infrastructure itself rather than requiring malware installation or phishing attacks on individual devices. Researchers also cautioned that many telecom providers continue operating old and new signaling systems together, creating additional opportunities for attackers to bypass modern protections.

Fink Telecom Services, Exelera Telecom, Verint, and Cognyte did not publicly respond to the allegations referenced in the report. Partner Communications stated that it had no connection to the incident and rejected attempts to associate the company with the activity described by researchers.

Critical Exim Flaw Exposes Email Servers to Remote Code Execution Risk

 

A newly discovered security vulnerability in the widely used mail transfer agent Exim has raised serious concerns among cybersecurity experts, as attackers could exploit the flaw to potentially execute malicious code remotely on vulnerable email servers.

According to researchers, the vulnerability occurs due to improper memory handling during the TLS session shutdown process. The issue specifically affects Exim installations using GnuTLS configurations.

“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”

Security experts confirmed that all Exim versions starting from 4.97 through 4.99.2 are vulnerable. However, systems relying on OpenSSL or other TLS libraries are not affected, as the flaw only impacts builds compiled with USE_GNUTLS=yes.

The vulnerability was identified by Federico Kirschbaum, Head of Security Lab at XBOW, an autonomous cybersecurity testing platform, who reported the issue on May 1, 2026.

“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives.”

XBOW described the flaw as one of the most severe vulnerabilities uncovered in Exim in recent years, noting that attackers require minimal server-side configuration to trigger the exploit successfully.

To address the issue, Exim developers released version 4.99.3 and urged administrators to upgrade immediately. The developers also clarified that no temporary workaround or mitigation is currently available.

“The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,” Exim noted.

This is not the first major security concern involving Exim. Back in 2017, the platform fixed another critical use-after-free vulnerability, tracked as CVE-2017-16943, which allowed unauthenticated attackers to execute remote code using specially crafted BDAT commands and potentially take control of email servers.
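For triage across a fleet, the affected range and the GnuTLS condition stated above can be checked against the output of `exim -bV`. This is an added example, not code from Exim or XBOW; the sample output is constructed, and the parser assumes the usual layout in which the TLS library appears as a token on the "Support for:" line.

```python
import re

# Range taken from the article: 4.97 through 4.99.2, fixed in 4.99.3.
FIRST_AFFECTED = (4, 97, 0)
LAST_AFFECTED = (4, 99, 2)

# Constructed sample of `exim -bV` output (abridged, not from a real host).
SAMPLE_BV = """\
Exim version 4.98 #2 built 10-Jan-2026 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC Event OCSP PRDR
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3
"""


def parse_version(bv_output):
    """Return the Exim version as a (major, minor, patch) tuple."""
    match = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not match:
        raise ValueError("no 'Exim version' line found")
    # A missing third component (e.g. "4.97") is treated as patch level 0.
    return tuple(int(part or 0) for part in match.groups())


def tls_library(bv_output):
    """Return 'GnuTLS', 'OpenSSL', or None if the build reports neither."""
    for line in bv_output.splitlines():
        if line.startswith("Support for:"):
            features = line.split(":", 1)[1].split()
            for name in ("GnuTLS", "OpenSSL"):
                if name in features:
                    return name
    return None


def assess(bv_output):
    """Classify one host from its `exim -bV` output."""
    version = parse_version(bv_output)
    tls = tls_library(bv_output)
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    if not in_range:
        verdict = "not affected"
    elif tls == "GnuTLS":
        verdict = "affected"
    elif tls is None:
        # Version is in range but the TLS library could not be determined.
        verdict = "check build"
    else:
        verdict = "not affected"
    return {"version": ".".join(map(str, version)), "tls": tls, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_BV))
```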

Purple Team Myth Exposed: Why It's Just Red vs Blue in 2026

 

Many organizations tout their "purple teams" as the pinnacle of cybersecurity collaboration, blending offensive red team tactics with defensive blue team strategies. However, a critical issue persists: these teams often remain siloed, functioning more like red and blue in disguise rather than a true integrated purple force. This misnomer stems from superficial exercises where attackers simulate breaches while defenders watch passively, failing to foster real-time learning or adaptive defenses. 

The problem intensifies in 2026's threat landscape, where exploit windows have shrunk dramatically to just 10 hours on average, demanding rapid response capabilities. Traditional purple teaming, limited to periodic workshops, cannot keep pace with agile adversaries exploiting zero-days and supply chain vulnerabilities. Without genuine fusion, red teams uncover flaws that blue teams log but rarely operationalize, leading to repeated failures during live incidents. This disconnect leaves enterprises exposed, as detections remain unrefined and defenses static. 

At its core, authentic purple teaming requires shared goals, continuous feedback loops, and joint ownership of outcomes, not just shared meeting rooms. Many setups falter here, with red teams prioritizing stealthy attacks over teachable moments and blue teams focusing on alerts without contextual adversary emulation. The result is a performative exercise that boosts resumes but not resilience, ignoring metrics like mean-time-to-respond or coverage of MITRE ATT&CK frameworks. 

To evolve, organizations must shift to autonomous, continuous purple teaming powered by AI agents that simulate attacks, investigate alerts, and map to real-world tactics. This approach validates detections in real-time, bridges the red-blue gap, and scales beyond human bandwidth. Forward-thinking teams are adopting adversarial exposure validation, ensuring defenses evolve proactively rather than reactively. Ultimately, ditching the purple label for hollow collaborations unlocks true synergy, fortifying organizations against 2026's relentless threats. By measuring success through integrated KPIs and embracing automation, security programs can transform from fragmented efforts into unified powerhouses.

Robinhood Email System Exploited to Deliver Phishing Messages Through Legitimate Alerts

 

Online trading platform Robinhood recently faced a phishing campaign in which cybercriminals manipulated its account creation process to send fake security alerts through legitimate company emails. The incident caused confusion among users, as the fraudulent messages appeared to come directly from Robinhood’s official email system.

The phishing emails carried the subject line “Your recent login to Robinhood” and warned recipients about an “Unrecognized Device Linked to Your Account.” The messages included suspicious IP addresses and partially hidden phone numbers to create a sense of urgency and authenticity.

"We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account."

Recipients were directed to click a button labeled “Review Activity Now,” which redirected users to a phishing domain designed to steal login credentials. The malicious site has since been taken offline, though screenshots shared on Reddit suggested it was being used to capture Robinhood account details.

What made the attack particularly convincing was that the emails originated from Robinhood’s legitimate email address, noreply@robinhood.com, and successfully passed SPF and DKIM authentication checks commonly used to verify email legitimacy.

According to findings by BleepingComputer, attackers exploited a weakness in Robinhood’s onboarding workflow that failed to properly sanitize HTML input during account registration.

During the signup process, Robinhood automatically sends a “Your recent login to Robinhood” notification containing information such as device details, IP address, login time, and approximate location. Threat actors reportedly manipulated the device metadata field by inserting malicious HTML code, which was later rendered inside the email.

This caused the “Device” section of the message to display a fake warning about suspicious account activity, effectively embedding a phishing alert into a legitimate email template.

Researchers believe the attackers may have used previously leaked customer email lists to target existing Robinhood users. In 2021, Robinhood experienced a breach that affected nearly 7 million customers, with stolen information later appearing for sale on hacking forums.

The attackers also reportedly took advantage of Gmail’s dot aliasing feature, which allows email addresses with added periods to still route to the same inbox. This method enabled cybercriminals to create multiple Robinhood accounts using slight variations of real customer email addresses while ensuring delivery to the intended victims.

As a result, many recipients received what looked like a genuine Robinhood login notification containing a fraudulent warning about “unrecognized activity” and instructions to review their accounts immediately.

Robinhood later addressed the incident publicly on X.

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line 'Your recent login to Robinhood.'," posted Robinhood.

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The company has since resolved the vulnerability by removing the abused Device field from account creation emails. Robinhood also advised affected users to delete the suspicious email and avoid interacting with any embedded links.
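The two weaknesses described above, an unescaped device field rendered into an HTML email and signups that differ from a customer's address only by Gmail dots, are shown here as an added example that is not Robinhood's code. The template, function names and sample values are constructed for illustration, and escaping is shown as a general control for such fields, whereas Robinhood's own fix was to remove the field.

```python
import html

# Constructed stand-in for a login-notification template (not Robinhood's).
TEMPLATE = (
    "<h1>Your recent login</h1>\n"
    "<table>\n"
    "  <tr><td>Device</td><td>{device}</td></tr>\n"
    "  <tr><td>IP address</td><td>{ip}</td></tr>\n"
    "</table>\n"
)

# Constructed client-supplied device string carrying markup, as in the incident.
INJECTED_DEVICE = (
    "Chrome on Linux</td></tr></table>"
    "<h2>Unrecognized Device Linked to Your Account</h2>"
    '<a href="https://phish.example.invalid/">Review Activity Now</a>'
)


def render_unsafe(device, ip):
    """The flawed pattern: client-controlled text is placed in HTML verbatim."""
    return TEMPLATE.format(device=device, ip=ip)


def render_escaped(device, ip):
    """Hardened form: every client-controlled value is HTML-escaped first."""
    return TEMPLATE.format(device=html.escape(device), ip=html.escape(ip))


GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address):
    """Collapse Gmail dot variants so they compare equal to the real mailbox."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")  # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def collides_with_existing(new_address, existing_addresses):
    """True if a signup address routes to the inbox of an existing customer."""
    known = {canonical_address(a) for a in existing_addresses}
    return canonical_address(new_address) in known


if __name__ == "__main__":
    print(render_unsafe(INJECTED_DEVICE, "203.0.113.7"))
    print(render_escaped(INJECTED_DEVICE, "203.0.113.7"))
    customers = ["janedoe@gmail.com"]  # constructed customer list
    print(collides_with_existing("j.ane.doe@gmail.com", customers))
```

Because the message is genuinely sent by the company's mail system, SPF and DKIM pass in both cases; only the escaping and the signup check change what the recipient sees.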

Malware Campaign: Porn Viewers Should Hide Webcams

 

Users who visit porn sites should be extra careful now and cover their webcams. Those who do not risk unpleasant recordings and extortion.

According to a new blog post by security experts at Proofpoint, a new malware type is currently going viral. It is classified as an infostealer that reads various data and sends it in text form. However, there’s more to it. Another component of the new malware campaign specifically hacks the privacy of those impacted. 

Now, porn viewers should immediately protect their cameras. According to the report, the malicious software would immediately detect when someone opens an adult website on compromised browsers.  

Attack tactic 


The malware scans the page for keywords like “sex” or “porn”. When it finds them, it promptly captures a screenshot of the desktop and accesses the webcam to take a picture of the person in front of it.

These screen captures (sometimes nudes) are later used for extortion. Thus, it becomes crucial for porn viewers to at least cover their webcams to protect themselves from unsolicited recordings, from apps like Omegle. This is not the first time porn viewers have been targeted by scammers.  

While malware taking pictures is not a new tactic, it is still comparatively rare. Porn viewers should secure their cameras as much as possible. 

Potential for extensive data theft 


Researchers from Proofpoint explained that there can be extensive data theft, and the information can be disseminated through different platforms. The stolen data comprises bank details, session cookies, session data, logins, email, access info, system information, and keystrokes. The distribution takes place via platforms such as Telegram, SMTP, Discord, or file hosts.

Phishing emails for malware 


The current malware is based on the open-source malware Stealerium; it is publicly accessible and has been active since 2022. Hackers can easily download and adjust it for their needs. 

Recently, there has been a surge in attacks despite the malware's age. From May to August 2025, there was a spike in malware campaigns. The key distribution method was phishing emails concerning legal or banking issues. Impacted users should be careful with messages from unknown senders and learn to recognize phishing emails. Even a single click could be hazardous.

Australia Demands Faster Cybersecurity Action to Address Mythos Activity


 

Australian financial regulators are increasingly concerned about the safety of frontier artificial intelligence platforms such as Mythos, and are reviewing their cybersecurity policies. A strongly worded communication issued by the Australian Securities and Investments Commission on Friday stressed that financial institutions should no longer regard artificial intelligence-driven cyber exposure as a future threat, and that defensive controls, governance mechanisms, and operational resilience frameworks must be strengthened immediately.

According to the regulator, the rapid integration of advanced artificial intelligence technologies within financial ecosystems is increasing the attack surface across critical systems, making robust cybersecurity preparedness an urgent priority. This increased regulatory focus comes as a result of ongoing government engagement with developers of advanced artificial intelligence systems, such as Anthropic, as officials attempt to assess the security implications of increasingly autonomous cyber capabilities. 

Tony Burke's spokesperson confirmed earlier this week that Australian authorities are actively coordinating with software vendors and artificial intelligence firms to ensure they remain informed of newly discovered vulnerabilities and evolving threats affecting critical infrastructure. 

It is unclear whether the government is directly participating in the restricted Mythos Preview platform of Anthropic or is participating only through advisory and intelligence sharing channels. However, the statement underscores growing institutional concerns regarding the operational risks posed by artificial intelligence security tools of the future.

A small group of major technology companies was given access to the platform instead of the platform being made available publicly, a practice that has sparked intense debate within the cybersecurity community. 

Some analysts believe the technology will accelerate vulnerability discovery and defensive research, while others warn that such concentrated offensive capabilities can pose significant systemic risks if compromised or misused. There have also been questions surrounding the credibility of claims made about Mythos’ capabilities, comparing them to previous industry claims about very capable artificial intelligence systems that did not live up to public expectations. 

Concerns raised by the Australian Prudential Regulation Authority have escalated further after it warned that the country's banking sector is falling behind artificial intelligence developments, in particular when it comes to cyber resilience and governance oversight. 

As stated in a formal communication addressed to financial institutions, APRA expressed concern that many existing information security frameworks are not evolving rapidly enough to address the operational risks introduced by frontier AI systems such as Anthropic's Mythos. 

APRA warned that rapidly evolving AI models could significantly increase the speed, scale, and precision of cyber intrusions by enabling automated vulnerability discovery and exploit development. An analysis of the industry by APRA indicated growing concerns regarding the potential material changes to the cybersecurity threat landscape for Australia's financial sector by high-capability AI systems with advanced coding capabilities. 

Project Glasswing, an initiative that involves a number of major technology companies such as Amazon, Microsoft, Nvidia, and Apple, specifically cited Anthropic’s Claude Mythos. A number of security experts have cautioned that systems capable of autonomously analyzing software architectures and identifying vulnerabilities can introduce unprecedented offensive potential if accessed by malicious actors. 

Anthropic did not respond to the request for comment. Regulators continue to assess the implications of artificial intelligence-driven cyber operations as scrutiny of the platform intensifies. The increasing regulatory focus on frontier artificial intelligence reflects a general shift in cyber risk assessment across the financial sector, where the convergence of advanced AI capabilities and critical digital infrastructure is creating an increasingly volatile threat environment.

The Australian government appears increasingly concerned that conventional security models may not be sufficient against AI-assisted intrusion techniques capable of speeding reconnaissance, vulnerability discovery, and large-scale exploitation. 

Since the announcement, there has been considerable debate within the cybersecurity and artificial intelligence sectors. Supporters have framed Mythos as a potentially transformative platform aimed at accelerating defensive security research and fundamentally transforming vulnerability management. In contrast, critics argue that concentrating such capabilities within a limited ecosystem would pose severe systemic risks if malicious actors were to leak, weaponize or replicate the technology.

A number of people have questioned whether the narrative surrounding Mythos is a reflection of true technological advancement or an attempt to gain market attention through fear-based security messaging. Commentators have also drawn comparisons with earlier industry claims about advanced AI models, including statements about OpenAI systems that were later criticized because actual performance did not match their public image.

As financial institutions continue integrating AI into critical operations, regulators are signaling that stronger technical oversight, faster defensive adaptation, and deeper executive-level understanding of emerging technologies will become essential to maintaining resilience against increasingly sophisticated cyber threats.

New Malware “Storm” Steals Browser Data and Hijacks Sessions Without Passwords

 



A newly identified infostealer called Storm has emerged on underground cybercrime forums in early 2026, signalling a change in how attackers steal and use credentials. Priced at under $1,000 per month, the malware collects browser-stored data such as login credentials, session cookies, and cryptocurrency wallet information, then covertly transfers the data to attacker-controlled servers where it is decrypted outside the victim’s system.

This change becomes clearer when compared to earlier techniques. Traditionally, infostealers decrypted browser credentials directly on infected machines by loading SQLite libraries and accessing local credential databases. Because of this, endpoint security tools learned to treat such database access as one of the strongest indicators of malicious activity.

The approach began to break down after Google Chrome introduced App-Bound Encryption in version 127 in July 2024. This mechanism tied encryption keys to the browser environment itself, making local decryption exponentially more difficult. Initial bypass attempts relied on injecting into browser processes or exploiting debugging protocols, but these techniques still generated detectable traces.

Storm avoids this entirely by skipping local decryption. Instead, it extracts encrypted browser files and quietly sends them to attacker infrastructure, removing the behavioural signals that endpoint tools typically rely on. It extends this model by supporting both Chromium-based browsers and Gecko-based browsers such as Firefox, Waterfox, and Pale Moon, whereas tools like StealC V2 still handle Firefox data locally.

The data collected includes saved passwords, session cookies, autofill entries, Google account tokens, payment card details, and browsing history. This combination gives attackers everything required to rebuild authenticated sessions remotely. In practice, a single compromised employee browser can provide direct access to SaaS platforms, internal systems, and cloud environments without triggering any password-based alerts.

Storm also automates session hijacking. Once decrypted, credentials and cookies appear in the attacker’s control panel. By supplying a valid Google refresh token along with a geographically matched SOCKS5 proxy, the platform can silently recreate the victim’s active session.

This technique aligns with earlier research by Varonis Threat Labs. Its Cookie-Bite study showed that stolen Azure Entra ID session cookies can bypass multi-factor authentication, granting persistent access to Microsoft 365. Similarly, its SessionShark analysis demonstrated how phishing kits intercept session tokens in real time to defeat MFA protections. Storm packages these methods into a commercial subscription service.

Beyond credentials, the malware collects files from user directories, extracts session data from applications like Telegram, Signal, and Discord, and targets cryptocurrency wallets through browser extensions and desktop applications. It also gathers system information and captures screenshots across multiple monitors. Most operations run in memory, reducing the likelihood of detection.

Its infrastructure design adds resilience. Operators connect their own virtual private servers to Storm’s central system, routing stolen data through infrastructure they control. This setup limits the impact of takedowns, as enforcement actions are more likely to affect individual operator nodes rather than the core service.

Storm supports multi-user operations, allowing teams to divide responsibilities such as log access, malware build generation, and session restoration. It also automatically categorises stolen credentials by service, with visible rules for platforms including Google, Facebook, Twitter/X, and cPanel, helping attackers prioritise targets.

At the time of analysis, the control panel displayed 1,715 log entries linked to locations including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. While it is unclear whether all entries represent real victims or test data, variations in IP addresses, internet service providers, and data volumes suggest ongoing campaigns.

The logs include credentials associated with platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com. Such information often feeds into underground credential marketplaces, enabling account takeovers, fraud, and more targeted intrusions.

Storm is offered through a tiered pricing model: $300 for a seven-day trial, $900 per month for standard access, and $1,800 per month for a team licence supporting up to 100 operators and 200 builds. Use of an additional crypter is required. Notably, once deployed, malware builds continue operating even after a subscription expires, allowing ongoing data collection.

Security researchers view Storm as part of a broader evolution in credential theft. By shifting decryption to remote servers, attackers avoid detection mechanisms designed to identify on-device activity. At the same time, session cookie theft is increasingly replacing password theft as the primary objective.

The data collected by such tools often marks the beginning of further attacks, including logins from unusual locations, lateral movement within networks, and unauthorised access patterns.


Indicators of compromise include:

Alias: StormStealer

Forum ID: 221756

Registration date: December 12, 2025

Current version: v0.0.2.0 (Gunnar)

Build details: Developed in C++ (MSVC/msbuild), approximately 460 KB in size, targeting Windows systems


The advent of Storm underlines how cybercriminal tools are becoming more advanced, automated, and difficult to detect, requiring organisations to strengthen monitoring of sessions, user behaviour, and access patterns rather than relying solely on traditional credential protection methods.


Uffizi Cyber Incident Serves as a Warning for Europe’s Cultural Sector

 


The cyber intrusion at the Uffizi Galleries in early 2026 has quickly evolved from an isolated security lapse into a case study of systemic digital exposure within Europe’s cultural infrastructure. One of the continent’s most prestigious custodians of artistic heritage, the institution disclosed that attackers succeeded in extracting its photographic archive, an asset of both scholarly and operational value, before containment measures were enacted.

Although restoration from secured backups ensured continuity of operations, the incident has sharpened attention on how legacy systems, often peripheral to core modernization efforts, can quietly become high-risk vectors within otherwise well-defended environments. Subsequent forensic assessments indicate that the breach was neither abrupt nor opportunistic.

Investigative timelines trace initial compromise activity as far back as August 2025, suggesting a calculated persistence campaign rather than a single-point intrusion. The suspected entry vector was an overlooked software component responsible for handling low-resolution image flows on the museum’s public-facing infrastructure, an element deemed non-critical and therefore excluded from rigorous patch cycles. This miscalculation enabled attackers to establish a stable foothold, from which they executed disciplined lateral movement across interconnected systems spanning the Uffizi complex, including Palazzo Pitti and the Boboli Gardens.

Operating under a low-and-slow exfiltration model, the actors deliberately avoided triggering conventional detection thresholds, transferring data incrementally over several months. By the time administrative servers exhibited disruption, the extraction phase had largely concluded, underscoring a level of operational maturity that challenges traditional assumptions about breach visibility and response timelines.

Beyond its digital architecture, the Uffizi Galleries safeguards some of Italy’s most iconic works, including The Birth of Venus and Primavera by Sandro Botticelli, alongside Doni Tondo by Michelangelo, a cultural weight that amplifies the implications of any security compromise.

Institutional statements have sought to contextualize the operational impact, indicating that service disruption was limited to the restoration window required for backup recovery, with public disclosure issued post-incident in line with internal verification protocols. 

Reports circulating in Italian media suggested that threat actors had extended their reach across interconnected sites, including Palazzo Pitti and the Boboli Gardens, briefly asserting control over the photographic server and issuing a ransom demand directly to director Simone Verde. 

However, the institution maintains that comprehensive backups remained intact and that parallel developments, such as restricted access to sections of Palazzo Pitti and the temporary relocation of select valuables to the Bank of Italy, were pre-scheduled measures linked to ongoing renovation cycles rather than reactive security responses.

Similarly, the transition from analogue to digital surveillance infrastructure, initially recommended by law enforcement in 2024, was accelerated within a broader risk recalibration framework influenced in part by high-profile incidents such as the Louvre Museum theft case. 

The convergence of these events, including the recent theft of works by Pierre-Auguste Renoir, Paul Cézanne and Henri Matisse from a northern Italian museum, reinforces a broader pattern in which physical and cyber threats are increasingly intersecting, demanding integrated security postures across Europe’s cultural institutions.

The reference to the Louvre Museum is neither incidental nor rhetorical. On 19 October 2025, a highly coordinated physical breach exposed critical lapses in on-site security when individuals, posing as construction workers, accessed restricted areas via a freight lift, breached a second-floor entry point, and removed multiple pieces of the French Crown Jewels within minutes.

Subsequent findings from a Senate-level inquiry pointed to systemic deficiencies, including limited CCTV coverage across exhibition spaces, misaligned external surveillance equipment, and fundamentally weak access controls at the credential level. The incident, which ultimately led to the resignation of director Laurence des Cars in February 2026, remains unresolved, with the stolen artefacts yet to be recovered. 

Against this backdrop, the distinction drawn by the Uffizi Galleries becomes materially significant. Unlike the Louvre breach, the Uffizi incident remained confined to the digital domain, with no evidence of physical intrusion or compromise of exhibition assets. 

Public-facing operations, including ticketing systems and visitor access, continued uninterrupted, with the only measurable impact attributed to backend restoration processes following data recovery. Amid intensifying scrutiny, conflicting narratives have emerged regarding the scope of data exposure. 

Reporting referenced by Cybernews, citing local sources including Corriere della Sera, alleged that attackers exfiltrated operationally sensitive artefacts ranging from authentication credentials and alarm configurations to internal layouts and surveillance telemetry before issuing a ransom demand.

The Uffizi Galleries has firmly contested these assertions, maintaining that forensic validation has yielded no evidence supporting the compromise of architectural maps or restricted security schematics, and emphasizing that certain observational elements, such as camera placement, remain inherently visible within public-facing environments. 

From a technical standpoint, the institution reiterated that core security systems are logically segregated and not externally addressable, limiting the feasibility of direct remote extraction as described. While investigations indicate that threat actors may have leveraged interconnected endpoints, including workstation nodes and peripheral devices, to incrementally profile the environment, officials stress that no physical assets were impacted and no confirmed data misuse has been established.

The ransom communication, reportedly directed to director Simone Verde with threats of dark web exposure, further underscores the psychological dimension often accompanying such campaigns. Notably, precautionary measures observed in parallel, such as temporary gallery closures and the transfer of select holdings to the Bank of Italy, have been attributed to pre-existing operational planning rather than reactive containment.

In the broader context of heightened sectoral vigilance following incidents like the breach-linked vulnerabilities exposed at the Louvre Museum, the Uffizi has accelerated its transition from analogue to digital surveillance infrastructure, aligning with law enforcement recommendations issued in 2024. 

In its final clarification, the Uffizi Galleries moved to separate speculation from confirmed facts. While it did not deny that some valuables had been temporarily moved to a secure vault at the Bank of Italy, officials stressed that this step was part of planned renovation work, not a response to the cyber incident.

Reports from Corriere della Sera about sealed doors and restricted staff communication were also addressed, with the museum explaining that certain closures were linked to long-pending fire safety compliance and structural adjustments required for a historic building of its age. 

On the technical front, the Uffizi confirmed that its photographic archive remained safe, clarifying that although the server had been taken offline, it was done to restore data from backups, a process now completed without any loss.

Despite the attention surrounding the breach, the museum continues to function normally, with visitor areas and ticketing operations unaffected, underlining how effective backup systems and planning helped limit real-world impact.

Gmail Address Change Feature Fails to Address Core Security Risks, Report Warns

 

A recent update by Google allowing users to change their Gmail address has drawn attention, but cybersecurity experts say it does little to solve deeper issues tied to email privacy and security. 

The feature, which has gained visibility following its rollout in the United States, lets users modify their primary Gmail address while keeping the old one active as an alias. 

The change has been framed as a way to move beyond outdated or inappropriate usernames created years ago. Google CEO Sundar Pichai highlighted the shift in a public post, noting that users no longer need to be tied to early-era email identities. 

However, experts say the update does not address the main problem facing email users today: widespread exposure of email addresses to marketers, data brokers and cybercriminals.

Once an email address is used online, it is likely to be stored across multiple databases, making it a long-term target for spam and phishing attempts. Changing the visible username does not remove that exposure, especially since older addresses continue to function. 

Jake Moore, a cybersecurity specialist at ESET, said the ability to edit email addresses reflects a broader shift in how digital identity works, but warned it could introduce new risks. “Old addresses will still work as aliases,” he said, adding that this could increase the risk of impersonation and phishing attacks. 

Security researchers also point to the absence of a built-in privacy feature similar to Apple’s “Hide My Email,” which allows users to generate disposable email addresses for sign-ups and online transactions. These temporary addresses can be disabled at any time, limiting long-term exposure. 

Without a comparable system, Gmail users who change their address may still need to share their primary email widely, continuing the cycle of data exposure. 

The update may also create new vulnerabilities in the short term. Cybersecurity reports indicate that attackers are already using the feature as a lure in phishing campaigns, sending emails that direct users to fake login pages designed to steal account credentials. 

There are also early signs of increased spam activity. Online forums have reported a rise in unwanted emails, with some researchers suggesting the address change feature could allow attackers to bypass existing spam filters and start fresh. 

According to security researchers cited by industry outlets, many email filtering systems rely heavily on known sender addresses. 

If attackers rotate or modify those addresses, they may temporarily evade detection until new filters are applied. At the same time, changing a Gmail address does not stop unwanted messages from reaching the original account, since it remains active in the background. 

Experts say the update highlights a broader issue in email security. While giving users more flexibility over their identity, it does not reduce reliance on a single, permanent address that is repeatedly shared across services. 

They suggest that more effective solutions would include tools that limit how widely a primary email address is distributed, along with stronger controls over incoming messages. 

For now, users are being advised to treat emails related to the new feature with caution, particularly those that include links to account settings, as these may be part of phishing attempts.

CanisterWorm Campaign Combines Supply Chain Attack, Data Destruction, and Blockchain-Based Control

 



Malware that can automatically spread between systems, commonly referred to as worms, has long been a recurring threat in cybersecurity. What makes the latest campaign unusual is not just its ability to propagate, but the decision by its operators to deliberately destroy systems in a specific region. In this case, machines located in Iran are being targeted for complete data erasure, alongside the use of an unconventional control architecture.

The activity has been linked to a relatively new group known as TeamPCP. The group first appeared in reporting late last year after compromising widely used infrastructure tools such as Docker, Kubernetes, Redis, and Next.js. Its earlier operations appeared focused on assembling a large network of compromised systems that could function as proxies. Such infrastructure is typically valuable for conducting ransomware attacks, extortion campaigns, or other financially driven operations, either by the group itself or by third parties.

The latest version of its malware, referred to as CanisterWorm, introduces behavior that diverges from this profit-oriented pattern. Once inside a system, the malware checks the device’s configured time zone to infer its geographic location. If the system is identified as being in Iran, the malware immediately executes destructive commands. In Kubernetes environments, this results in the deletion of all nodes within a cluster, effectively dismantling the entire deployment. On standard virtual machines, the malware runs a command that recursively deletes all files on the system, leaving it unusable. If the system is not located in Iran, the malware continues to operate as a traditional worm, maintaining persistence and spreading further.

The decision to destroy infected machines has raised questions among researchers, as disabling systems reduces their value for sustained exploitation. In comments reported by KrebsOnSecurity, Charlie Eriksen of Aikido Security suggested that the action may be intended as a demonstration of capability rather than a financially motivated move. He also indicated that the group may have access to a much larger pool of compromised systems than those directly impacted in this campaign.

The attack chain appears to have begun over a recent weekend, starting with the compromise of Trivy, an open-source vulnerability scanning tool frequently used in software development pipelines. By gaining access to publishing credentials associated with Node.js packages that depend on Trivy, the attackers were able to inject malicious code into the npm ecosystem. This allowed the malware to spread further as developers unknowingly installed compromised packages. Once executed, the malware deployed multiple background processes designed to resemble legitimate system services, reducing the likelihood of detection.

A key technical aspect of this campaign lies in how it is controlled. Instead of relying on conventional command-and-control servers, the operators used a decentralized approach by hosting instructions on the Internet Computer Project. Specifically, they utilized a canister, which functions as a smart contract containing both executable code and stored data. Because this infrastructure is distributed across a blockchain network, it is significantly more resistant to disruption than traditional centralized servers.

The Internet Computer Project operates differently from widely known blockchain systems such as Bitcoin or Ethereum. Participation requires node operators to undergo identity verification and provide substantial computing resources. Estimates suggest the network includes around 1,400 machines, with roughly half actively participating at any given time, distributed across more than 100 providers in 34 countries.

The platform’s governance model adds another layer of complexity. Canisters are typically controlled only by their creators, and while the network allows reports of malicious use, any action to disable such components requires a vote with a high approval threshold. This structure is designed to prevent arbitrary or politically motivated shutdowns, but it also makes rapid response to abuse more difficult.

Following public disclosure of the campaign, there are indications that the malicious canister may have been temporarily disabled by its operators. However, due to the design of the system, it can be reactivated at any time. As a result, the most effective defensive measure currently available is to block network-level access to the associated infrastructure.

This campaign reflects a convergence of several developing threat trends. It combines a software supply chain compromise through npm packages, selective targeting based on inferred geographic location, and the use of decentralized technologies for operational control. Together, these elements underline how attackers are expanding both their technical methods and their strategic objectives, increasing the complexity of detection and response for organizations worldwide.

Stryker Attack Prompts Scrutiny of Enterprise Device Management Tools



A significant shift has occurred in the strategic calculus behind destructive cyber operations in recent years, expanding beyond the confines of traditional critical infrastructures into lesser-noticed yet equally vital ecosystems underpinning modern economies. 

State-aligned threat actors are increasingly focusing their efforts on organizations embedded within logistics and supply chain frameworks that support entire industries through their operational continuity. A single, well-placed intrusion at these junctions can have a far-reaching impact, reverberating across multiple interconnected networks with minimal direct involvement.

Healthcare supply chains, however, stand out as especially vulnerable in this context. Medical technology companies, pharmaceutical distributors, and logistics companies operate as central hubs for the delivery of care, providing support for large healthcare networks.

The scale of these organizations, their interdependence, and their operational criticality make them high-value targets, which allows adversaries to inflict widespread damage indirectly, without exposing themselves to the immediate impact and consequences associated with attacking frontline healthcare organizations. It is against this backdrop that a less examined yet increasingly consequential risk is becoming evident: one that is not related to adversaries' offensive tooling, but rather to the systems organizations use to orchestrate and secure their own environments.

Device and endpoint management platforms, designed to provide centralized control, visibility, and resilience at scale, are now emerging as force multipliers. Several recent cyber incidents have provided urgency to this issue, including the recent incident involving Stryker Corporation, where an intrusion into its Microsoft-based environment caused rapid operational disruptions across the company's global footprint.

In response to the company's disclosure of the breach approximately a week later, the Cybersecurity and Infrastructure Security Agency issued a formal alert stating that malicious activity was targeting endpoint management systems within U.S. organizations. 

The Stryker event triggered a broader investigation. Through coordination with the Federal Bureau of Investigation, the agency has undertaken efforts to determine the scope of the threat and identify potentially affected entities. As illustrated in mid-March, such access can provide systemic leverage.

An incident occurred on March 11, 2019, causing Stryker's order processing functions to be interrupted, its manufacturing throughput to be restricted, and outbound shipments to be delayed. These effects are consistent with interference at the management level as opposed to a single, isolated system compromise. 

The subsequent reporting indicated the incident may have involved the wiping of about 200,000 managed devices as well as the exfiltration of approximately 50 terabytes of data, indicating that both destructive and intelligence-gathering objectives were involved. 

A later claim of responsibility was made by Handala, which described the operation as retaliatory in nature after a strike in southern Iran, emphasizing the growing intersection between geopolitical signaling and supply chain disruption in contemporary cyber campaigns. 

During the course of the incident, it became increasingly evident that such a compromise would have practical consequences. Several key operational capabilities, including order processing, manufacturing execution, and distribution, were lost as a result of the intrusion, effectively limiting Stryker Corporation's ability to service demand across a globally distributed network. As a result of this disruption, traceable to Microsoft's environment, supply chain processes were immediately slowed down, creating bottlenecks that extended beyond internal systems to downstream delivery commitments.

Consequently, the organization initiated its incident response protocol, undertaking containment and forensic analysis, assisted by external cybersecurity specialists, in order to determine the scope, entry vectors, and persistence mechanisms of the incident. Based on preliminary assessments, industry observers indicate that Microsoft Intune may have been misused as an integral part of the attack chain.

According to Lucie Cardiet of Vectra AI, threat actors may have exploited the platform's legitimate administration capabilities to remotely wipe managed endpoints, triggering large-scale factory resets on corporate laptops and mobile devices. Such an approach is technically straightforward, but operationally disruptive at scale, particularly in environments where endpoint integrity is a primary component of production systems and logistics operations.

As a result of these device resets, widespread reconfiguration efforts were necessary, interrupting the availability of inventory management systems, production scheduling platforms, and coordination tools crucial to ensuring supply continuity. 

Taken together, these disruptions delayed manufacturing cycles and affected the timely processing and fulfillment of orders across multiple facilities, demonstrating how rapidly control-plane compromises can cause tangible operational paralysis. The incident suggests that advanced enterprise intrusions are increasingly characterized by the convergence of compromised privileged identities, trusted management infrastructure, and intentional misuse of administrative functions, resulting in disruption of the enterprise.

In the field of security, this alignment is often referred to as a "lethal trifecta," a technique that enables adversaries to inflict systemic damage without using conventional malware techniques. According to investigators, Stryker Corporation was compromised as a result of an intrusion centered on administrative access to its Microsoft Identity and Device Management stack, allowing attackers to utilize enterprise-approved tools in their operations. 

Platforms such as Microsoft Intune, which provide centralized control over device fleets, are naturally equipped with high-impact capabilities. These capabilities range from the enforcement of policies to remote wipe functions, which can be repurposed into mechanisms for disruption if commandeered.

Employees have been abruptly locked out of corporate systems across geographical boundaries, suggesting that administrative actions have been coordinated. This is consistent with "living off the land" techniques that exploit native enterprise controls in order to avoid detection and maximize operational consequences. It is evident that the scale of disruption underscores the structural dependence that is inherent within the global healthcare supply chain. 

Stryker, one of the most prominent companies in the sector, operates in dozens of countries and employs tens of thousands of people. In the event that internal systems underlying manufacturing and order fulfillment were rendered inaccessible, the effects spread rapidly across the organization's international operations. 

Many facilities, including major hubs in Ireland, reported experiencing widespread downtime, with employees being unable to access company network services. In spite of the fact that the company stated that its medical devices continued to function safely in clinical settings due to their segregation from affected corporate systems, the incident nevertheless highlights the fragility of interconnected supply chains. 

Medical technology providers serve as critical intermediaries and disruptions at this level can have an adverse effect on distributors, healthcare providers, and ultimately the timeline for delivering patient care. On a technical level, the breach indicates that attacker priorities have shifted from endpoint compromise to identity dominance. 

Identity-centric operations are increasingly replacing traditional intrusion models, which typically involve malware deployment, lateral movement, and persistence mechanisms. These adversaries use credential, authentication token, or privileged session vulnerabilities to gain control over the enterprise control planes.

After being embedded within identity infrastructure, attackers are able to interact with administrative portals, SaaS management consoles, and device orchestration platforms as if they were legitimate operators. Because actions are executed through trusted channels, malicious activity is significantly less visible. It is therefore important to note that the extent to which the attackers have affected the network is determined by the scope of privileges that the compromised identities possess. 

Additionally, it is evident that the attacker's intent has shifted from financial extortion to outright disruption. Although ransomware continues to dominate the threat landscape, these incidents are more closely associated with destructive operations, which are aimed at disabling systems and degrading functionality rather than extracting payment.

In light of the reported scale of device resets and data exfiltration, it appears the campaign was intended to disrupt operational continuity, echoing tactics employed in previous wiper-style attacks often associated with state-aligned actors. Operations of this type are often designed to maximize disruption rather than financial gain, and are frequently deployed to signal strategic intent.

As evidenced by the attribution claims surrounding the incident, the group Handala defined the operation within the framework of broader geopolitical tensions, indicating that it was aimed at retaliation. Even if such claims are not capable of being fully attributed to such entities, the narrative is consistent with an observation that private sector entities - particularly those involved in critical supply chains - are increasingly at risk of state-linked cyber activity. 

Geopolitical contestation in cyberspace is no longer confined to peripheral targets, but encompasses integral elements of healthcare, manufacturing, and logistics. A recalibration of enterprise security priorities is particularly necessary in environments in which identity systems and management platforms serve as the operational backbone.

The tactics that are employed today are increasingly misaligned with defenses centered around endpoint detection and malware prevention. Organizations must instead adopt a security posture that focuses on identity-centric risk management, enforcing strict privilege governance, performing continuous authentication validation, and monitoring administrative actions across control planes at the granular level. 

Additionally, it is crucial that enterprise management tools themselves be hardened, ensuring that high impact functions such as remote wipe, policy enforcement, and system-wide configuration changes are subject to layered authorization controls and real-time anomaly detection. For industries embedded in critical supply chains, resilience planning extends to the capability of sustaining operations when control-plane disruptions occur, as well as the prevention of intrusions. 
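As an added illustration of layered authorization combined with anomaly detection for remote wipe (not code from Microsoft Intune or from Stryker's environment), the sketch below allows a small number of wipes per administrator per hour, then holds further requests until a different administrator approves them, and records the burst as an alert. The request fields, thresholds, identities and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WipeRequest:
    ts: float                       # request time, epoch seconds
    actor: str                      # admin identity issuing the wipe
    device_id: str
    approver: Optional[str] = None  # second admin who signed off, if any


class WipeGate:
    """Per-actor sliding-window gate in front of a destructive action.

    Assumption: the approver identity has already been authenticated by the
    caller; this class only enforces that it differs from the actor.
    """

    def __init__(self, max_unapproved=3, window=3600.0):
        self.max_unapproved = max_unapproved
        self.window = window
        self._attempts = defaultdict(deque)  # actor -> recent attempt times

    def decide(self, req):
        q = self._attempts[req.actor]
        # Forget attempts that have aged out of the window.
        while q and req.ts - q[0] > self.window:
            q.popleft()
        # Count every attempt, including held ones, so a burst stays visible.
        q.append(req.ts)
        burst = len(q)
        if burst <= self.max_unapproved:
            return "allow", burst
        if req.approver and req.approver != req.actor:
            return "allow-approved", burst
        return "hold", burst


def replay(requests, **gate_kwargs):
    """Run requests through a fresh gate; return (decisions, alerts).

    alerts maps each actor who exceeded the threshold to their peak number
    of wipe attempts inside one window.
    """
    gate = WipeGate(**gate_kwargs)
    decisions, alerts = [], {}
    for req in sorted(requests, key=lambda r: r.ts):
        decision, burst = gate.decide(req)
        decisions.append(decision)
        if burst > gate.max_unapproved:
            alerts[req.actor] = max(alerts.get(req.actor, 0), burst)
    return decisions, alerts


# Constructed sample audit stream (not real data).
SAMPLE_REQUESTS = [
    WipeRequest(0.0, "admin-a", "dev-001"),        # routine offboarding
    WipeRequest(50000.0, "admin-a", "dev-002"),    # hours later, new window
    WipeRequest(60000.0, "admin-b", "dev-100"),
    WipeRequest(60005.0, "admin-b", "dev-101"),
    WipeRequest(60010.0, "admin-b", "dev-102"),
    WipeRequest(60015.0, "admin-b", "dev-103"),    # 4th in a minute: held
    WipeRequest(60020.0, "admin-b", "dev-104", approver="admin-b"),  # self-approval
    WipeRequest(60025.0, "admin-b", "dev-105", approver="admin-c"),  # second admin
]

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_REQUESTS)
    for req, decision in zip(SAMPLE_REQUESTS, decisions):
        print(req.actor, req.device_id, decision)
    print("alerts:", alerts)
```

The gate caps what one compromised identity can destroy before a second identity is needed, and the alert fires on the attempt count rather than on completed wipes, so held requests still surface.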

Ultimately, Stryker's incident serves as a reminder that in modern enterprise settings, the most trusted of systems can inadvertently turn into the most damaging failure points, and their secure operation requires a degree of scrutiny commensurate with their impact. It can also be argued that the Stryker incident provides a useful illustration of how modern cyber operations can transcend isolated breaches into instruments that can cause widespread disruptions throughout global networks.

Deceptive VPN Websites Become Gateway for Corporate Data Theft


 

A financially motivated threat group tracked by Microsoft as Storm-2561 has been quietly exploiting the familiarity of enterprise VPN ecosystems in a campaign that demonstrates how easy it is to weaponize trust in routine IT processes.

Rather than rely solely on technical exploits, this group has adopted a more insidious approach that blends search engine manipulation with near-perfect impersonations of popular VPN products from companies such as Check Point Software Technologies, Cisco, Fortinet, and Ivanti.

Storm-2561 has been active since May 2025 and is representative of an emerging class of cyber criminals that prioritize deception over disruption, leveraging SEO poisoning techniques to ensure fraudulent download pages appear indistinguishable from legitimate vendor resources. As a result of this strategy, malicious VPN installers have been positioned at the top of search results since mid-January, effectively transforming a routine search into an attack vector. 

Users looking for common enterprise tools such as Pulse Secure are directed to convincingly spoofed websites instead of the genuine ones. The campaign also extends its reach to SonicWall, Sophos, and WatchGuard Technologies products, blurring the distinction between legitimate software distribution and carefully orchestrated credential theft.

With this initial access vector as its foundation, the operation displays a carefully layered deception system capable of withstanding moderate user scrutiny. By poisoning search engine results for queries such as "Pulse Secure client" or "Pulse VPN download," attackers ensure that fraudulent vendor portals occupy prime visibility, effectively intercepting users at the point of intent.

The lookalike sites replicate legitimate branding and user experience, but they serve as a channel for malicious payloads rather than authentic software. When victims attempt to download the software, they are directed to ZIP archives hosted on public code repositories, which contain trojanized installers resembling trusted VPN clients.

The installer initiates a multistage infection chain when executed, dropping files into directories corresponding to actual installation paths and using DLL side-loading techniques to introduce malicious components into the system silently. The Hyrax infostealer is an example of such a payload. It is specifically designed to extract VPN credentials and session data, which are then exfiltrated to the threat actor's infrastructure.

Further reducing suspicion and bypassing conventional security controls, the malicious binaries were signed using a genuine digital certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd, an approach that lends the malicious binaries a sense of authenticity and makes detection more difficult. 

Although the certificate has since been revoked, it illustrates the increasing abuse of trusted code-signing mechanisms throughout the threat landscape. The campaign, as noted by Microsoft in its findings, demonstrates a broader shift toward combining social engineering with technical subversion, in which attackers do not need to breach hardened perimeters directly but instead manipulate user behavior and trust in widely used enterprise tools to accomplish the same objective.

A closer look at the intrusion chain shows a carefully orchestrated execution flow designed to resemble legitimate software behavior. As documented, victims are directed to a now-removed repository hosting a compressed archive that contains a counterfeit VPN installer in the form of an MSI file.

Upon execution of the installer, Pulse.exe is installed within the standard %CommonFiles%/Pulse Secure directory, accompanied by additional components such as a loader (dwmapi.dll) and a malicious module known as the Hyrax infostealer (inspector.dll). By placing itself in a directory structure consistent with an authentic installation, the malware uses DLL side-loading to ensure that the payload is executed under the guise of a trusted application.

The rogue client also presents a convincing replica of the Pulse Secure login screen, leading users to enter their credentials under the assumption that this is a standard authentication process. Instead of establishing a VPN session, the application intercepts these inputs and transmits them to the attacker-controlled infrastructure, along with additional sensitive data, such as VPN configuration information obtained from the connectionstore.dat file located in C:/ProgramData/Pulse Secure/ConnectionStore.

A once-valid certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd. was used to sign the malicious binaries, further bolstering the perception of their legitimacy. Evasion measures follow immediately after the credential harvest. Instead of maintaining persistence or creating obvious system anomalies, the application displays a plausible installation error, which subtly attributes the failure to benign technical problems.

After receiving the genuine VPN client, users are redirected, often automatically, to the official vendor website. This redirection after the compromise significantly reduces the likelihood of detection, because the successful installation of legitimate software masks the compromise and removes any immediate suspicion on the user's part.

Microsoft disclosed that the campaign is accompanied by a defined set of indicators of compromise and defensive guidance, highlighting the need to pay close attention to software sourcing, code signing validation, and anomalous installation behaviors in enterprise environments. 

In the end, the campaign emphasizes the need for organizations to reconsider how trust is established within their everyday business processes. Security teams should extend their efforts beyond user awareness and enforce stricter controls on the acquisition of software, including limiting downloads to trusted sources, implementing application allowlisting, and validating digital signatures against trusted certificate authorities. Monitoring anomalous process behavior, especially DLL side-loading patterns and unexpected outbound connections, will lead to earlier detection.

The adoption of multi-factor authentication and conditional access policies, among other phishing-resistant authentication mechanisms, is equally critical to minimizing the consequences of credential exposure. According to Microsoft, these types of attacks focus less on exploiting technical weaknesses and more on exploiting implicit trust, which makes zero-trust and layered verification principles essential to reducing organizational risk.
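
One way to apply the side-loading monitoring recommended above to image-load telemetry, as an added example that is not from the original article or from Microsoft's guidance: it flags a DLL that carries a Windows system DLL name (such as the dwmapi.dll loader named above) when it loads from outside the system directories. Field names follow Sysmon Event ID 7; the events, the DLL name list, the status values and the C: drive paths are constructed assumptions.

```python
import ntpath

# Assumption: DLL names that normally load only from the Windows system
# directories. dwmapi.dll is the loader name reported in the article; the
# other entries are illustrative additions.
SYSTEM_DLL_NAMES = {"dwmapi.dll", "version.dll", "winhttp.dll", "uxtheme.dll"}
# Assumption: Windows is installed on C:.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

PULSE_DIR = r"C:\Program Files\Common Files\Pulse Secure"
# Constructed image-load events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": PULSE_DIR + r"\Pulse.exe",
     "ImageLoaded": PULSE_DIR + r"\dwmapi.dll", "SignatureStatus": "Revoked"},
    {"Image": PULSE_DIR + r"\Pulse.exe",
     "ImageLoaded": PULSE_DIR + r"\inspector.dll", "SignatureStatus": "Revoked"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\app.exe",
     "ImageLoaded": "C:/WINDOWS/SysWOW64/version.dll", "SignatureStatus": "Valid"},
]

def normalize(path):
    """Lower-case the path and unify separators so comparisons are stable."""
    return ntpath.normpath(path).lower()

def classify(event):
    """Return the reasons an image-load event looks like DLL side-loading."""
    dll_dir, dll_name = ntpath.split(normalize(event["ImageLoaded"]))
    image_dir = ntpath.dirname(normalize(event["Image"]))
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in TRUSTED_DIRS:
        reasons.append("system-dll-name-outside-system-dir")
        if dll_dir == image_dir:
            # The application directory is searched first, which is what
            # side-loading relies on.
            reasons.append("loaded-from-application-dir")
    if event.get("SignatureStatus") != "Valid":
        # Noisy on its own; useful as a second signal next to the path check.
        reasons.append("signature-not-valid")
    return reasons

def find_sideloads(events):
    """Return (dll name, reasons) for every event with at least one reason."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((ntpath.basename(event["ImageLoaded"]), reasons))
    return hits
```

The name-and-path check is what catches the loader; the signature check alone is what surfaces inspector.dll in the constructed events, so the two signals are best reviewed together.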

Europe Targets Chinese and Iranian Entities in Response to Cyber Threats


 

The Council of the European Union, in response to the escalation of state-linked cyber intrusions, has tightened its defensive posture in a measured yet unmistakably firm manner by imposing targeted sanctions on a cluster of entities and individuals allegedly engaged in sophisticated digital attacks against European interests.

According to the Council, on behalf of the bloc's member states, this decision represents a broader strategic shift within the European Union, where cyber threats are increasingly treated as instruments of geopolitical pressure capable of compromising critical infrastructure, public trust, and economic stability rather than isolated technical disruptions. 

It was announced earlier this week that sanctions would extend beyond corporate entities and include senior leadership figures, indicating a desire to hold not only organizations, but also their decision-makers accountable for orchestrating or enabling malicious cyber activity. 

China's Integrity Technology Group and Anxun Information Technology Co., a company formerly known as iSoon, were among those named, along with the Iranian entity Emennet Pasargad; all are believed to have participated directly in attacks against essential services and government networks.

The inclusion of executives such as Wu Haibo and Chen Cheng further underscores the EU's evolving approach to cyber operations, one in which the traditional veil of denial is pierced. 

By formally assigning responsibility and imposing economic and legal constraints, the European Union is attempting to establish a new standard of deterrence in cyberspace, a domain where attribution is a challenging task, accountability is often elusive, and the consequences of inaction continue to increase with each successive breach.

European authorities have also focused attention on Anxun Information Technology Co., commonly referred to as I-Soon. The company appears to be closely connected to Chinese domestic security apparatuses, particularly the Ministry of Public Security. Despite its formal positioning as a commercial company, Huawei has long been associated with cyber operations aligned with Beijing's strategic intelligence objectives, blurring the line between state-directed activity and outsourced service. 

As a result of this dual-purpose posture, Western governments have paid sustained attention to the situation; following sanctions imposed by the United Kingdom in March 2025, the Department of Justice unveiled charges against multiple I-Soon personnel for participating in coordinated intrusion campaigns. 

In confirming these concerns, the European Union has made the claim that I-Soon operated as an offensive cyber services provider, systematically attacking critical infrastructure sectors and governmental systems both within member states and abroad. 

As alleged by investigators, its activities extend beyond unauthorized access to include sensitive data exfiltration and monetization, introducing persistent risks to the diplomatic and security frameworks supporting the Common Foreign and Security Policy as a result of institutionalizing the hacker-for-hire model.

It is also important to note that the Council has designated key corporate figures, including Wu Haibo and Chen Cheng, who are senior managers and legal representatives within the company's structure. This reinforces the EU's intention to attribute accountability at both the individual and organization level. There have also been actions taken against Emennet Pasargad, an Iranian threat actor known by various aliases, such as Cotton Sandstorm, Marnanbridge, and Haywire Kitten and widely considered to be linked with the Cyber-Electronic Command of the Islamic Revolutionary Guard Corps. 

A wide range of disruptive and influence-driven cyber activities have been associated with the group, ranging from interference operations in connection with the 2020 presidential election to intrusion attempts related to the Summer Olympics in 2024. 

In accordance with European assessments, cyberattacks against Sweden's digital infrastructure, including the compromise of the national SMS distribution service, were also attributed to the group, indicating a pattern of operations intended not only to infiltrate systems but also to undermine public trust and operational resilience.

Additional technical assessments further demonstrate the extent and persistence of Emennet Pasargad's activities. As indicated by Microsoft's earlier analysis, the group, tracked as "Neptunium", is suspected of compromising the personal information of over 200,000 Charlie Hebdo subscribers.

According to many observers, the intrusion was a retaliatory act in response to the publication's controversial content targeting Ali Khamenei, illustrating the trend of politically motivated cyber operations being increasingly integrated with information exposure and intimidation methods.

The Council of the European Union identifies the group as conducting hybrid operations, including the unauthorized control of digital advertising billboards during the 2024 Summer Olympics for propaganda purposes, as well as a compromise of a Swedish SMS distribution service.

Interestingly, the latter incident is consistent with an earlier documented campaign that utilized mass messaging to incite retaliatory sentiments within the Swedish community, a tactic that was later referenced by the Federal Bureau of Investigation in its threat advisories.

Additionally, the Council's documentation illustrates earlier interference activities targeting the 2020 United States presidential elections, during which stolen voter data was used to deliver coercive communications using false political identities, demonstrating a deliberate campaign to undermine the trust of voters. 

Indictments have been issued in the United States against individuals such as Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian as a result of enforcement actions. Financial sanctions have been imposed by the Treasury Department in an attempt to disrupt the group's operations funding. In spite of these measures, the actor has remained active, and subsequent attribution has linked it to ransomware campaigns believed to be affiliated with the Islamic Revolutionary Guard Corps.

There are parallel findings regarding Integrity Technology Group that reinforce the transnational nature of these threats. Investigators discovered that the company's infrastructure and tooling were used by the Flax Typhoon threat group as a means of gaining access to tens of thousands of devices throughout the European continent, as well as facilitating espionage-focused activities targeting Taiwanese entities. 

In addition, coordinated sanctions between the United Kingdom and the United States indicate a growing alignment of international responses targeted at reducing the ability of state-linked cyber activities to sustain their operations.

In combination, these coordinated efforts indicate a maturing enforcement posture in which cyber operations are not viewed merely as technical incidents but rather as matters of strategic significance that require sustained, multilateral responses. 

As part of the ongoing process of improving the European Union's cyber sanctions framework, the EU will emphasize attribution, intelligence sharing, and alignment with international partners in order to ensure that punitive measures are effectively translated into tangible operational disruptions.

It becomes increasingly important for organizations operating both within and outside of Europe to strengthen their resilience against advanced persistent threats, in particular those that utilize supply chain access, managed service providers, and covert infrastructure. 

It has been noted that the convergence of espionage, cybercrime, and influence operations calls for a more integrated defense model that includes technical controls, threat intelligence, and regulatory compliance. 

Having said that, the effectiveness of sanctions will ultimately depend on the consistency with which they are enforced, on the timely attribution of the perpetrators and on the ability of both public and private sectors to anticipate and mitigate the evolving threat environment.