Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Windows
AI Akira Ransomware Bugs Internet malware Ransomware Windows

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware strikes again. This time, it has abused an Intel CPU tuning driver to stop Microsoft Defender in attacks from EDRs and security tools active on target devices.

Windows defender turned off for attacks

The exploited driver is called “rwdrv.sys” (used by ThrottleStop), which the hackers list as a service that allows them to gain kernel-level access. The driver is probably used to deploy an additional driver called “hlpdrv.sys,” a hostile tool that modifies Windows Defender to shut down its safety features.

'Bring your own vulnerable driver' attack

Experts have termed the attack “Bring your vulnerable driver (BYOVD), where hackers use genuine logged-in drivers that have known bugs that can be exploited to get privilege escalation. The driver is later used to deploy a hostile that turns off Microsoft Defender. According to the experts, the additional driver hlpdrv.sys is “similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.” The malware achieves this by executing regedit.exe. 

Discovery of the Akira ransomware attack

The technique was observed by Guidepoint Security, which noticed repeated exploitation of the rwdrv.sys driver in Akira ransomware attacks. The experts flagged this tactic due to its ubiquity in the latest Akira ransomware incidents. “This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” the report said. 

To assist security experts in stopping these attacks, Guidepoint Security has offered a YARA rule for hlpdrv.sys and complete indicators of compromise (IoCs) for the two drivers, as well as their file paths and service names.

SonicWall VPN attack

Akira ransomware was also recently associated with SonicWall VPN attacks. The threat actor used an unknown bug. According to Guidepoint Security, it could not debunk or verify the abuse of a zero-day flaw in SonicWall VPNs by the Akira ransomware gang. Addressing the reports, SonicWall has advised to turn off SSLVPN, use two-factor authentication (2FA), remove inactive accounts, and enable Botnet/Geo-IP safety.

The DFIR report has also released a study of the Akira ransomware incidents, revealing the use of Bumblebee malware loader deployed through trojanized MSI loaders of IT software tools.

Read more »
trending news
Cyber Attacks malware Malware Campaign News trending news

New Malware Campaign Using Legitimate-Looking Software Targets Users Worldwide

 

Cybersecurity experts are warning about a new wave of cyberattacks involving PXA Stealer, a sophisticated info-stealing malware now spreading rapidly across multiple countries. Originally detected by Cisco Talos researchers, PXA Stealer, written in Python was initially deployed against government agencies and educational institutions in Europe and Asia. 

However, its operators, believed to be Vietnamese-speaking cybercriminals, have shifted focus to everyday users in the U.S., South Korea, the Netherlands, Hungary, and Austria. 

According to SentinelOne, the campaign has already compromised over 4,000 unique IP addresses in 62 countries. The malware is designed to harvest browser-stored passwords, cookies, credit card information, autofill data, cryptocurrency wallet keys, and credentials from applications like Discord. Sideloading Tactics to Evade Detection The attackers are leveraging “sideloading” techniques to bypass antivirus detection. 

Victims are lured through phishing sites or tricked into downloading ZIP archives containing a legitimate, signed copy of Haihaisoft PDF Reader alongside a malicious DLL file. Once installed, the DLL ensures persistence via the Windows Registry and downloads additional payloads often hosted on platforms like Dropbox. 

When the PDF reader is launched, the malware executes a script that prompts Microsoft Edge to open a booby-trapped PDF file. Although the file triggers an error message instead of displaying content, the infection process is already complete. In another variation of the campaign, a fake Microsoft Word 2013 executable is sent as an email attachment. 

It looks like a standard document but executes a different DLL with the same malicious objective deploying PXA Stealer. Telegram Used for Data Theft Once the malware collects the stolen data, it transmits it via Telegram to the attackers, who then sell the information on underground forums and the dark web. 

Experts advise extreme caution with unsolicited emails, links, and attachments, even when they appear legitimate. Hovering over links to check their destination and avoiding downloads from unknown senders are essential safety steps. Users are also urged not to store sensitive information such as passwords or credit card details in their web browsers. Instead, dedicated password managers and secure payment methods are recommended. 

While antivirus tools remain an important layer of defence, the advanced evasion methods used in this campaign highlight the need for strong user vigilance. With PXA Stealer’s shift from targeting high-profile organisations to everyday users, security professionals warn that more variants of the malware may emerge in future attacks.
Read more »
Windows
Artificial Intelligence DevilsTongue Internet malware Microsoft Spyware surveillance Windows

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary


Cybersecurity experts have discovered a new infrastructure suspected to be used by spyware company Candiru to target computers via Windows malware.

DevilsTongue spyware targets Windows systems

The research by Recorded Future’s Insikt Group disclosed eight different operational clusters associated with the spyware, which is termed as DevilsTongue. Five are highly active, including clusters linked to Hungary and Saudi Arabia. 

About Candiru’ spyware

According to the report, the “infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators.” While a few clusters directly handle their victim-facing infrastructure, others follow an intermediary infrastructure layers approach or through the Tor network, which allows threat actors to use the dark web.

Additionally, experts discovered another cluster linked to Indonesia that seemed to be active until November 2024. Experts couldn’t assess whether the two extra clusters linked with Azerbaijan are still active.

Mode of operation

Mercenary spyware such as DevilsTongue is infamous worldwide, known for use in serious crimes and counterterrorism operations. However, it also poses various legal, privacy, and safety risks to targets, their companies, and even the reporter, according to Recorded Future.

Windows itself has termed the spyware Devil's Tongue. There is not much reporting on its deployment techniques, but the leaked materials suggest it can be delivered via malicious links, man-in-the-middle attacks, physical access to a Windows device, and weaponized files. DevilsTongue has been installed via both threat actor-controlled URLs that are found in spearphishing emails and via strategic website attacks known as ‘watering hole,’ which exploit bugs in the web browser.

Insikt Group has also found a new agent inside Candiru’s network that is suspected to have been released during the time when Candiru’s assets were acquired by Integrity Partners, a US-based investment fund. Experts believe that a different company might have been involved in the acquisition.

How to stay safe?

In the short term, experts from Recorded Future advise defenders to “implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices.” In the long term, organizations are advised to invest in robust risk assessments to create effective policies.

Read more »
Scattered Spider
AI news Cyber Attacks cyberattacks trending news malware Scattered Spider

Scattered Spider Targets VMware ESXi Hosts in Rapid, High-Impact Cyber Attacks Across North America

 

A notorious cybercrime group known as Scattered Spider is ramping up sophisticated attacks on VMware ESXi hypervisors, zeroing in on critical infrastructure across North America’s retail, airline, and transportation sectors. Also referred to as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the group is renowned for bypassing traditional security measures through elaborate social engineering campaigns rather than exploiting software vulnerabilities. 

In a recent in-depth analysis, Google’s Mandiant unit revealed that the group’s hallmark tactic involves impersonating employees during phone calls to IT help desks. Once initial access is secured, attackers proceed with highly targeted and well-organized operations, focusing on core enterprise systems and sensitive data. "Their campaigns are aggressive, precise, and driven by human engineering more than by code,” noted Mandiant researchers. 

Rather than launching broad opportunistic attacks, Scattered Spider operates with an almost surgical approach. The group frequently mimics legitimate IT infrastructure by registering domain names resembling official portals — including variations like victimname-sso[.]com, victimname-servicedesk[.]com, and sso-victimname[.]com. 

To counter the evolving tactics of groups like Scattered Spider, cybersecurity experts advise a layered and proactive defense strategy. At the infrastructure level, organizations should enable lockdown mode in VMware vSphere, enforce the use of only signed binaries through execInstalledOnly, apply VM encryption, retire outdated virtual machines, and strengthen help desk protocols to prevent social engineering exploits. 

Identity security is equally crucial, companies must implement phishing-resistant multi-factor authentication, segregate critical identity systems, and avoid authentication loops that could be exploited by attackers. 

Additionally, effective monitoring and backup practices are essential. This includes centralizing log collection for better threat visibility, ensuring backups are stored separately from production Active Directory environments, and making them inaccessible to compromised administrators. These measures collectively form a more resilient defense posture, helping organizations detect, contain, and recover from sophisticated intrusion attempts targeting their virtual infrastructure.
Read more »
Software
Android BadBox threat Credential Theft FBI malware Software

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Read more »
Visual Deception
cryptomining CyberCrime Cybersecurity CyberThreat Koske Linux malware Panda Visual Deception

Emerging Koske Malware Leverages Visual Deception on Linux Platforms


 

The new Linux malware strain, Kosk, has emerged in a striking demonstration of how artificial intelligence is being used to fight cybercrime. In a remarkable development in how cybercrime intersects with artificial intelligence, the malware uses stealthy delivery mechanisms and AI-assisted development to deploy cryptomining payloads. 

Koske disguises himself behind seemingly harmless images of pandas and uses dropper techniques and advanced evasion tactics in order to infiltrate target systems using a variety of techniques. Aqua Nautilus, Aqua Security's threat intelligence team, reports that the malware's code structure indicates a large language model (LLM) influence on its code structure. 

It is believed that Koske, a sophisticated Linux threat, has evidently been developed using artificial intelligence tools, as the malware was partially generated or optimised using them. According to Aqua researcher Assaf Morag, "Koske, a sophisticated Linux threat, shows clear signs of artificial intelligence-assisted development." A new generation of adaptable and highly specialised malware is now available on the market. Koske is characterised by modular payloads, persistent rootkits, and innovative steganographic delivery methods. 

Koske represents an entirely new type of malware, able to perform one unique goal: the unauthorised mining of cryptocurrency on a large scale. As discovered by Aqua Nautilus researchers through a honeypot, the malware strain known as Koske combines a unique blend of advanced threat engineering, automation, and artificial intelligence. 

According to the Koske cryptominer manual, the application is designed in such a way that it will assess the processing capabilities of the host environment and then deploy GPU-or CPU-optimised miners that are tailored specifically for extracting value from a wide range of digital assets, including Monero and Ravencoin. In his opinion, Koske was almost entirely artificial intelligence-generated, according to Assaf Morag, Aqua Nautilus' Director of Threat Intelligence. Several indicators within the code itself supported this assessment, such as context-aware, explanatory comments and a structurally consistent, machine-like coding style that was consistent with the underlying code. 

Koske stands out from a crowd of malware generated by artificial intelligence in 2025 by providing levels of sophistication that can rival—and in some cases exceed—that of traditional, manually crafted malware strains. In a brilliant demonstration of deception mixed with technical sophistication, Koske exploits a misconfigured JupyterLab instance exposed to the internet to gain initial system access. 

Once the attackers have penetrated the system, they execute remote commands to retrieve two panda-themed JPEG images that have been hosted by legitimate websites like Postimage, OVH Images, and Freeimage that have been compromised. Although these images may appear harmless, they are in fact polyglot files that conceal executable scripts, allowing them to run arbitrary commands on the host computer as long as they are hidden within the files. 

Research by AquaSec suggests that the malware's architecture was shaped by automation frameworks or large language models, which contributed to the malware's modularity and scalability. After Koske has been executed, it activates both GPU- and CPU-optimised cryptocurrency miners that exploit system resources to mine over 18 digital assets, including Monero, Tari, Zano, Ravencoin, and Nexa, among others. In the future, Koske could evolve to incorporate real-time adaptive capabilities, positioning it as a precursor to a class of AI-assisted cyber threats that are expected to prove more powerful in the future. 

As a stunning example of the dual-purpose manipulation of files, Koske uses polyglot files rather than traditional steganography to conceal the malicious payloads, a method that illustrates its technical ingenuity as a hacker. Aqua Security points out that these files are structured in such a way that they can be understood as both valid JPEG images as well as executable scripts, depending on what context they are accessed.

There appears to be no harm in the fact that the files are innocent panda-themed images to the casual user, but upon processing by a script interpreter, the files contain shell scripts and C code embedded within. It is important to note that each image file within the attack chain contains its own payload, which is executed simultaneously upon activation. 

It is common for these payloads to consist of C code that is directly written to memory, compiled, and then run as a shared object (.so) file, which functions as a rootkit. In addition to overriding the readdir() function, the rootkit uses LD_PRELOAD to conceal malware-related processes, files, and directories from user space monitoring tools, thereby causing the malware to appear as if it were unrelated to them. 

Besides hardcoded keywords like koske and hideproc, the data is filtered using hidden process identifiers located in /dev/shm/.hiddenpid, as well. In addition to this payload, there is a stealth shell script implemented by hacking native Linux utilities in order to execute it entirely in memory. Through the use of cron jobs that run every 30 minutes and custom system services, persistence is established. 

As part of the script, Cloudflare and Google DNS are rewritten into /etc/resolv.conf, chattr +i attribute is added to it, iptables rules are flushed, proxy environment variables are reset, and a custom module is deployed to brute-force operational proxies using curl, wget, and raw TCP calls in order to further enhance operational security.

According to AquaSec researchers, this degree of adaptability, combined with the fact that Koske executes in memory and has a minimal forensic footprint, strongly suggests that automation frameworks or large language models may have been used in the development of the application. Koske's exemplifies how artificial intelligence is playing an increasingly prominent role in cyber warfare as a whole, signalling a significant shift in the cyber threat landscape. 

It was observed by Aqua Security analysts that the malware's codebase had several characteristics that suggested an AI-assisted development process. These included verbose scripts with well-commented comments, clean logic structures with a modular approach, and consistent defensive programming techniques. In addition, the malware contains Serbian language strings in some functions, which are likely to have been inserted to obscure the malware's true origin or to make attribution attempts difficult.

In the Aqua team's opinion, Koske may be an early indicator of a bigger trend: a weaponisation of artificial intelligence by malicious actors that could be a larger trend over time. While defenders have increasingly adopted AI as a way of detecting threats and automating processes, adversaries are also beginning to use the same technology to enhance obfuscation, develop polymorphic code, and implement adaptive features that may make it difficult to detect and attribute a cyberattack. 

There is an arms race going on between attackers and cybersecurity teams due to the dual-use potential of AI. It is recommended that organisations maintain a proactive monitoring system for shell file changes, unexpected startup behaviours, and changes to DNS configurations or systemd services. Each of these changes may indicate that malicious activity has occurred. The container security tools should also be optimised so they can prevent rootkit injection as well as block unknown binaries.

In the face of the next generation of malware, Koske stands as a warning not simply of the skillfulness of human hackers but likewise of the increasing influence of artificial intelligence on the next generation of malware, which raises the stakes for security professionals across multiple industries. The Aqua Security team stresses that organizations must adopt a more proactive and layered defense strategy in light of Koske's advanced capabilities and stealthy infection vectors, as well as adopt a proactive, layered defense strategy. 

As a first line of defence, people need to audit and secure all exposed instances of JupyterLab, which is commonly used in Koske campaigns. People also need to disable unnecessary services and enforce robust access controls to protect the environment. Likewise, it is imperative to continuously monitor system activity for anomalies like executions that take place only in memory, or cron jobs that are unauthorised, or the misuse of native Linux utilities, to establish persistence. 

Given that the threat consists of hybrid elements - image files that act as scripts as well as executables - traditional signature-based defences may be insufficient. It is Aqua's recommendation to deploy behaviour-based detection tools in order to identify suspicious execution patterns. These tools are especially helpful for bypassing disk-based traces, and Aqua recommends doing so. 

Furthermore, organisations are advised to revise their incident response plans to accommodate AI-assisted, polymorphic threats such as Koske, which blur the lines between conventional malware and intelligent automation. Security teams can greatly benefit from integrating these countermeasures to be more equipped in detecting, containing, and neutralising emerging cyberattacks whose intelligence and adaptability are on the rise. 

In Koske's opinion, the evolution of cyber threats has reached a critical point, where artificial intelligence, automation, and sophisticated evasion techniques have converged to create malware that is more agile, stealthy, and adaptive than ever before. Apart from its cryptomining function, Koske also illustrates the shift towards intelligent, modular, and self-sustaining threats that challenge traditional security assumptions in a way that is beyond the scope of crypto mining. 

Incorporating polyglot files, memory-resident execution and AI-generated code into attacks demonstrates how attackers are rapidly evolving, leveraging the same technologies that are used by defenders to defend themselves. The data from Koske indicates that organisations need to take proactive measures to defend themselves against modern threats. They need to be able to detect threats using behaviour-based detection, hardened environments, and proactive monitoring. 

As attackers begin to use artificial intelligence more and more industrially, Koske's discovery is only the beginning. This discovery reminds us that in the era of intelligent automation, cyber defence must be equally agile, adaptable, and forward-looking.
Read more »
malware
Android App Store Apple Dating App Google iOS malware

Fake Dating Apps Target Users in a New Appstore Phishing Campaign

Fake Dating Apps Target Users in a New Appstore Phishing Campaign

Malicious dating apps are stealing user information

When we download any app on our smartphones, we often don't realize that what appears harmless on the surface can be a malicious app designed to attack our device with malware. What makes this campaign different is that it poses as a utility app and uses malicious dating apps, file-sharing apps, and car service platforms. 

When a victim installs these apps on their device, the apps deploy an info-stealing malware that steals personal data. Threat actors behind the campaign go a step further by exposing victims’ information if their demands are not met.

iOS and Android users are at risk

As anyone might have shared a link to any malicious domains that host these fake apps, Android and iOS users worldwide can be impacted. Experts advise users to exercise caution when installing apps through app stores and to delete those that seem suspicious or are not used frequently. 

Zimperium’s security researchers have dubbed the new campaign “SarangTrap,” which lures potential targets into opening phishing sites. These sites are made to mimic famous brands and app stores, which makes the campaign look real and tricks users into downloading these malicious apps. 

How does the campaign work?

After installation, the apps prompt users to give permissions for proper work. In dating apps, users are asked to give a valid invitation code. When a user enters the code, it is sent to a hacker-controlled server for verification, and later requests are made to get sensitive information, which is then used to deploy malware on a device. This helps to hide the malware from antivirus software and other security checks. The apps then show their true nature; they may look real in the beginning, but they don’t contain any dating features at all.

How to stay safe from fake apps

Avoid installing and sideloading apps from unknown websites and sources. If you are redirected to a website to install an app instead of the official app store, you should immediately avoid the app.

When installing new apps on your device, pay attention to the permissions they request when you open them. While it is normal for a text messaging app to request access to your texts, it is unusual for a dating app to do the same. If you find any permission requests odd, it is a major sign that the app may be malicious.

Experts also advise users to limit the number of apps they install on their phones because even authentic apps can be infected with malicious code when there are too many apps installed on your device.

Read more »
phishing email scam
cybercrime awareness email malware threat fake credit card email malware Malware Attack online safety tips phishing email scam

New Phishing Scam Uses Fake Credit Card Emails to Spread Info-Stealing Malware

 

A new wave of phishing emails is targeting unsuspecting users with what appears to be a harmless message from their credit card company—but behind that official-looking facade lies a dangerous malware threat.

According to a report by Cybernews, cybercriminals are sending fake emails that warn recipients about recent credit card activity, urging them to confirm or verify a transaction. These emails mimic genuine alerts from financial institutions and appear convincing at first glance. However, the real danger lies within the attachment or link included in the message.

Rather than a standard PDF or receipt, the attachment hides a .LNK file—commonly used for Windows shortcuts—disguised as an HTML page or pop-up. When clicked, it redirects the user to a seemingly legitimate website designed to hold their attention. Meanwhile, in the background, a multi-stage malware infection quietly begins.

One of the key techniques used in this attack is known as Reflective DLL Injection, which loads malicious code directly into the system's memory—specifically targeting Chrome browsers. This allows hackers to bypass traditional antivirus detection and gain deep access to the user’s device.

“The hackers can then proceed with any additional attacks including keylogging, data theft and creating a backdoor on the infected computer,” the report notes.

Once compromised, the infected device becomes a goldmine for attackers. They can log keystrokes, steal browser history, capture passwords, harvest credit card numbers, and even take over accounts—leading to financial fraud or identity theft.

To avoid falling victim, users are advised to exercise caution with any unexpected email that urges action, especially those involving money or security. Instead of clicking on links or attachments, visit the company’s official website by manually entering the URL, or access your account via their official app.

Additional cybersecurity measures can offer crucial layers of protection:

  • Enable two-factor or multi-factor authentication to block unauthorized access even if credentials are stolen.
  • Use a password manager to create and securely store complex, unique passwords across all online accounts.
  • Install trusted antivirus software with features like browser protection, real-time scanning, and a VPN to guard against shady websites and network threats.

As phishing scams continue to evolve, staying alert and informed is the best defense. If an email seems too urgent, too alarming, or too convenient—pause, verify, and protect your data.
Read more »
Windows
Banking Credential Theft Coyote Cybeattacks CyberCrime malware Microsoft RAT Trojon UIA UL Elements Windows

Emerging Threat Uses Windows Tools to Facilitate Banking Credential Theft


An alarming development that underscores how financial cybercrime is evolving is a Windows-based banking trojan dubbed Coyote. It has been observed for the first time that a malware strain leveraging the Microsoft UI Automation (UIA) framework for stealthy extraction of sensitive user data has emerged. It was developed in 2024 by Kaspersky, and it is specifically targeted at Brazilian users. Through its advanced capabilities, Coyote can log keystrokes, record screenshots, and use deceptive overlays on banking login pages that are designed to fool users into providing their information to the malware. 


A security researcher at Akamai has reported that in the latest variant, the legitimate Microsoft UIA component, which is designed to provide accessibility to desktop UI elements for those with disabilities, is exploited to retrieve credentials from websites linked to 75 financial institutions and cryptocurrency platforms via a phishing attack. A novel abuse of an accessibility tool demonstrates that threat actors are becoming increasingly sophisticated in their attempts to circumvent traditional security measures and compromise digital financial ecosystems. 

The Coyote virus first appeared in Latin American cybersecurity in February 2024 and has since been a persistent and damaging threat across the region. Coyote, a banking trojan, was originally used to steal financial information from unsuspecting users by using traditional methods, such as keylogging and phishing overlays. 

Despite being classified as a banking trojan, its distribution mechanism is based on the popular Squirrel installer, a feature which is also the inspiration for its name, a reference to the coyote-squirrel relationship, which is a predator-prey relationship. It was not long ago that Coyote began targeting Brazilian businesses, with the intent of deploying an information-stealing Remote Access Trojan (RAT) in their networks in an effort to steal information. 

After the malware was discovered, cybersecurity researchers began to discover critical insight into its behaviour as soon as it became apparent. The Fortinet company released a comprehensive technical report in January 2025 that detailed Coyote's attack chain, including the methods used to propagate the attack and the techniques used to infiltrate the system. In the evolution of Coyote from conventional credential theft to sophisticated abuse of legitimate accessibility frameworks, one can see a common theme in modern malware development—a trend in which native system utilities are retooled to facilitate covert surveillance and data theft. 

Through innovation and stealth, Coyote is proving to be an excellent example of how regionally focused threats can rapidly escalate into globally significant risks through the use of innovation and stealth. The Coyote malware has evolved significantly in its attack methodology since its previous appearance in 2015, which has prompted cybersecurity professionals to have new concerns. 

Since December 2024, Akamai researchers have been following Coyote closely, and they have found out that earlier versions of the malware have mainly relied on keylogging and phishing overlays to steal login credentials from users of 75 targeted banking and cryptocurrency websites. However, users had to access financial applications outside of traditional web browsers in order for these methods to work, meaning that browser-based sessions largely remained safe. 

In contrast, Coyote's newest version, which was released earlier this year, demonstrates a markedly higher level of sophistication. Using Microsoft's UI Automation framework (UIA), Coyote can now detect and analyse banking and crypto exchange websites that are open directly within browsers by utilising its Microsoft UI Automation framework. As a result of this enhancement, malware is now able to identify financial activity more accurately and extract sensitive information even from less vulnerable sessions, significantly increasing the scope and impact of the malware. 

With stealth and precision, the Coyote malware activates on a victim's computer as soon as the program they are infected with—typically through the widely used Squirrel installer—is executed on their system. As soon as the malware has been installed, it runs silently in the background, gathering fundamental system details as well as continuously monitoring all active programs and windows. One of the primary objectives of this malware is to detect interactions with cryptocurrency platforms or banking services.

If Coyote detects such activity, it utilises the UI Automation framework (UIA) to programmatically read the content displayed on the screen, bypassing traditional input-based detection mechanisms. Furthermore, the malware is capable of extracting web addresses directly from browser tabs or the address bar, cross-referenced to a predefined list of financial institutions and crypto exchanges that are targeted. This further elevates the malware's threat profile. 

Upon finding a match, the tool initiates a credential harvesting operation that is aimed at capturing credentials such as login information and wallet information. As of right now, Coyote appears to have a geographic focus on Brazilian users, targeting companies like Banco do Brasil, Santander, as well as global platforms like Binance, as well. 

Although it is unlikely that this regional concentration will remain static for long, threat actors often launch malware campaigns in limited geographies for the purpose of testing them out before attempting to spread their campaign to a broader audience. Among the latest versions of Coyote malware, there is an impressive combination of technical refinement and operational stealth that sets it apart from typical financial Trojans in terms of performance.

It is particularly noteworthy that it utilises Microsoft's UI Automation framework to look directly at application window content to be able to steal sensitive information without having to rely on visible URLs or browser titles. There are no longer any traditional techniques for this variant that rely on keylogging or phishing overlays, but rather rely on UI-level reconnaissance that allows it to identify and engage with targeted Brazilian cryptocurrency and banking platforms with remarkable subtlety. Further increasing its evasiveness is its ability to operate offline. 

By doing so, it can gather and scan data without requiring a connection to the command-and-control (C2) server. In order to initiate an attack sequence, the malware first profiles the infected system, obtaining information such as the name of the device, the operating system version, and the credentials of the user. As a result, Coyote scans the titles of active windows in an attempt to find financial platforms that are well-known. 

If no direct match is found, Coyote escalates its efforts by parsing the visual user interface elements via the UIA interface, resulting in critical data such as URLs and tab labels that are crucial for the application. As soon as the application detects a target, it uses an array of credential harvesting techniques, which include token interception and direct access to usernames and passwords.

Although the current campaign remains focused in Brazil, the fact that Coyote can operate undetected at the user interface layer and that it uses native Windows APIs poses a serious and scalable threat to businesses across the globe. Considering its offline functionality, small network footprint, and ability to evade standard security solutions, it is a potent reminder that legitimate system tools can be repurposed to quietly undermine digital defences complex cybersecurity landscape that is getting ever more complex. 

Cybersecurity is rapidly evolving, and it is becoming increasingly apparent to us that the dynamic between threat actors and defenders has become more of a high-stakes game, where innovation can change the balance quite rapidly between the two sides. A case study such as the Coyote malware underscores the fact that even system components which appear harmless, such as Microsoft's UI Automation (UIA) framework, can be exploited to achieve malicious objectives. 

Although UIA was created to enhance accessibility and usability, the abuse of the tool by advanced malware proves the inherent risks associated with native tools that are trusted. The objective of security researchers is to give defenders a better understanding of the inner workings and methods employed by Coyote, so they can detect, mitigate, and respond more effectively to such stealthy intrusions. 

It is important to note that the exploitation of UIA as an attack vector is not simply a tactic that is used for a single attack-it signals a shift in adversarial strategy that emphasises invisibility and manipulation of systems. Organisations must strengthen their security posture by observing how legitimate technologies may be repurposed as a means to commit cybercrime, as well as staying vigilant against threats that blur the line between utility and vulnerability. 

There is no question that the advent of Coyote malware marked a turning point in the evolution of cyber threats. It underscores the growing abuse of legitimate system tools for malicious purposes as well. Using Microsoft's UI Automation framework (UIA), an accessibility feature which was created to support users with disabilities, Coyote illustrates to us that trusted functionality could be repurposed to steal information from systems by silently infiltrating them. 

The malware operations of this company, which are currently focused on Brazilian financial institutions and crypto exchanges, represent the emerging trend toward stealth-driven malware campaigns that target specific regions of the globe. A call to action has been issued to defenders by this evolution, as traditional security tools that are based on network-based detection or signature matching may not be up to the task of combating threats that operate entirely within the user interface layer and do not require the use of command-and-control communications. 

Consequently, organisations have to develop more nuanced strategies to keep their data secure, such as behavioural monitoring, heuristic analysis, and visibility of native API usage. As a further precaution, maintaining strict controls over software distribution methods, such as Squirrel installers, is also a great way to prevent the spread of early-stage infections. By adopting a silent, system-native approach, Coyote reflects a change in the cyber threat landscape, shifting away from overt, disruptive attacks to covert, credential-stealing surveillance. 

Coyote utilizes low-noise approaches to achieve maximum data exfiltration, often as part of long-term campaigns, in order to evade detection, resulting in maximum data exfiltration. This demonstrates the sophistication of modern malware and the urgent need for adaptive cybersecurity frameworks to cope with these threats. In addition to exploiting UIA, it is also likely that it will result in more widespread abuse of accessibility features that have traditionally been overlooked in security planning, and which may eventually become a major security concern.

As threat actors continue to refine their approaches, companies need to be vigilant, rethink what constitutes potential attack surfaces, and take measures to detect threats as soon as possible. Coyote is an example of malware that requires a combination of stronger tools, as well as a deeper understanding of the way even helpful technology can be turned into a security liability quickly if it is misused.
Read more »
Xred malware threat
cybersecurity in gaming Endgame Gear OP1w gaming mouse gaming software breach infected configuration tool malware Xred malware threat

Malware Discovered in Endgame Gear Gaming Mouse Tool: Company Investigates, Assures Data Safety

 

A configuration utility designed for an Endgame Gear gaming mouse was recently found to have been compromised with malware, raising concerns among users and prompting a swift response from the company.

Endgame Gear issued a public alert on Wednesday after a customer flagged suspicious activity related to the configuration tool for the OP1w 4k v2 mouse. The user had downloaded the software directly from Endgame Gear’s official site, only to discover it was laced with Xred—a Windows-based malware known for creating backdoors, stealing user data, and executing further malicious payloads on infected systems.

The malware was active on the product page between June 26 and July 9, according to Endgame Gear. “We have since removed the infected file,” the company stated, emphasizing that “this issue was isolated to the OP1w 4k v2 product page download only.”

While it's still unclear how the malware infiltrated the page, Endgame Gear insists its file servers remain uncompromised and no customer data has been accessed. An internal investigation is ongoing to determine whether this was an isolated incident or part of a broader breach.

The compromised tool came to light when a Reddit user warned others, stating: “This did not come from a sketchy site or a third-party mirror. It came from the official vendor page.” The user noticed odd behavior, such as Windows error messages, after installing the tool—triggering a deeper look into the file’s contents.

“This situation is more than just a technical hiccup. It's a serious legal issue, because essentially malware was distributed from their infrastructure," the user added. “Endgame Gear should not be allowed to brush this under the rug.”

The issue was further highlighted by PC review platform Igor’sLAB, which also reported the malware concerns. In response, Endgame Gear has issued an apology to customers, pledging to strengthen its cybersecurity protocols. “A clean version of the affected file was immediately published as soon as we identified the situation," the company noted.

Endgame Gear also confirmed that other official download sources—such as its main downloads page, GitHub repository, and Discord channel—remained unaffected and continued to host only clean files. Additionally, no other v2 series products or tools have been compromised.

Users who may have downloaded the affected software are urged to remove the infected file immediately. Further instructions are available in the company’s detailed security advisory.
Read more »
Windows
Coyote Data Theft malware Microsoft UIA Windows

New Coyote Malware Variant Exploits Windows Accessibility Tool for Data Theft

 




A recently observed version of the banking malware known as Coyote has begun using a lesser-known Windows feature, originally designed to help users with disabilities, to gather sensitive information from infected systems. This marks the first confirmed use of Microsoft’s UI Automation (UIA) framework by malware for this purpose in real-world attacks.

The UI Automation framework is part of Windows’ accessibility system. It allows assistive tools, such as screen readers, to interact with software by analyzing and controlling user interface (UI) elements, like buttons, text boxes, and navigation bars. Unfortunately, this same capability is now being turned into a tool for cybercrime.


What is the malware doing?

According to recent findings from cybersecurity researchers, this new Coyote variant targets online banking and cryptocurrency exchange platforms by monitoring user activity on the infected device. When a person accesses a banking or crypto website through a browser, the malware scans the visible elements of the application’s interface using UIA. It checks things like the tab names and address bar to figure out which website is open.

If the malware recognizes a target website based on a preset list of 75 financial services, it continues tracking activity. This list includes major banks and crypto platforms, with a focus on Brazilian users.

If the browser window title doesn’t give away the website, the malware digs deeper. It uses UIA to scan through nested elements in the browser, such as open tabs or address bars, to extract URLs. These URLs are then compared to its list of targets. While current evidence shows this technique is being used mainly for tracking, researchers have also demonstrated that it could be used to steal login credentials in the future.


Why is this alarming?

This form of cyberattack bypasses many traditional security tools like antivirus programs or endpoint detection systems, making it harder to detect. The concern grows when you consider that accessibility tools are supposed to help people with disabilities not become a pathway for cybercriminals.

The potential abuse of accessibility features is not limited to Windows. On Android, similar tactics have long been used by malicious apps, prompting developers to build stricter safeguards. Experts believe it may now be time for Microsoft to take similar steps to limit misuse of its accessibility systems.

While no official comment has been made regarding new protections, the discovery highlights how tools built for good can be misused if not properly secured. For now, the best defense remains being careful, both from users and from developers of operating systems and applications.



Read more »
ZIP files
Artificial Intelligence Business Security LameHug malware ZIP files

AI-Powered Malware ‘LameHug’ Attacks Windows PCs via ZIP Files

 

Cybersecurity researchers have discovered a new and alarming trend in the world of online threats: "LameHug". This malicious program distinguishes out because it uses artificial intelligence, notably large language models (LLMs) built by companies such as Alibaba. 

LameHug, unlike classic viruses, can generate its own instructions and commands, making it a more adaptive and potentially difficult to detect adversary. Its primary goal is to infiltrate Windows-based personal PCs and then take valuable data surreptitiously. 

The malicious program typically begins its infiltration camouflaged as ordinary-looking ZIP files. These files are frequently sent via fraudulent emails that seem to come from legitimate government sources. When a user opens the seemingly innocent archive, the hidden executable and Python files inside begin to work. The malware then collects information about the affected Windows PC. 

Following this first reconnaissance, LameHug actively looks for text documents and PDF files stored in popular computer directories before discreetly transferring the obtained data to a remote web server. Its ability to employ AI to write its own commands makes it exceptionally cunning in its actions. 

LameHug was discovered by the Ukrainian national cyber incident response team (CERT-UA). Their investigation points to the Russian cyber group APT028, as the most likely source of this advanced threat. The malware is written in Python and uses Hugging Face's programming interfaces. These interfaces, in turn, are powered by a special Alibaba Cloud language model known as Qwen-2.5-Coder-32B-Instruct LLM, demonstrating the complex technological foundation of this new digital weapon. 

LameHug's arrival marks the first instance of malicious software being observed to use artificial intelligence to produce its own executable commands. Existing security software, which is often made to identify known attack patterns, has significant challenges as a result of these capabilities. The ongoing and intensifying arms race in the digital sphere is highlighted by this breakthrough as well as the mention of other emerging malware, such as "Skynet," that may elude AI detection techniques.
Read more »
Security Alert
Adobe Commerce and Magento CMS CyberCrime CyberThreat E-Commerce malware Security Alert

Security Alert as Malware Campaign Hits Widely Used E-commerce CMS



It has been discovered that a malicious program has been launched, posing a serious threat to thousands of online retailers worldwide, as it exploits vulnerabilities in widely used content management systems. According to security researchers, the attack primarily targets platforms that utilise open-source e-commerce CMS frameworks, such as Magento and WooCommerce, by injecting malicious code into the platform and stealing customer data, compromising checkout pages, and gaining administrative control over backend systems. 

In addition to being part of a wider cybercriminal operation, the malware is capable of silently harvesting sensitive information, such as payment details and login credentials, without the user being notified. As a result of this campaign, several online storefronts have already suffered significant losses. Cybersecurity companies, as well as digital commerce platforms, have issued urgent advisories. 

Using outdated plugins, unpatched CMS instances, and misconfigured servers, the attackers have been able to distribute the malware on an unprecedented scale. Due to the fact that e-commerce remains a lucrative target for financially motivated threat actors, this incident highlights the importance of merchants regularly updating their systems, monitoring for abnormal activity, and implementing security best practices in order to ensure that they remain secure. 

The malware campaign signals an urgent need for immediate defence action, with consumer trust and financial transactions at risk. The following sections explain how the attack mechanics work, which platforms are affected, and what mitigations should be taken to prevent this from happening in the future. 

In the ever-evolving cybercrime landscape, e-commerce platforms have become prime targets, with recent studies indicating that 32.4% of successful cyberattacks are directed at online retailers and transaction-based companies. It is no secret that the e-commerce ecosystem is under a growing number of threats, and so is the interest of malicious actors who are continually developing sophisticated methods of exploiting vulnerabilities to gain an edge over their competitors. 

Store administrators, internal employees, as well as unsuspecting customers are all susceptible to the growing range of threats facing the industry. Various attack vectors are being deployed by cybercriminals these days, including phishing attacks, credit card fraud, fake checkout pages, malicious bots, and Distributed Denial of Service (DDoS) attacks, all to disrupt operations, steal sensitive information, and compromise customer trust. 

Businesses that fail to secure their systems adequately not only suffer immediate financial losses but also long-term reputation damage and legal consequences. These threats not only result in immediate financial loss but also cause long-term reputational damage and legal consequences for businesses. It is of utmost importance that businesses take proactive and robust security measures, given that these incidents have never been more prevalent and severe. 

With comprehensive malware removal and prevention solutions from leading cybersecurity companies like Astra Security, businesses are able to detect, neutralise, and recover from breaches of this nature. Attackers are one of the most common ways that they infiltrate ecommerce websites by taking advantage of vulnerabilities within the platform, its infrastructure, or insecure third-party integrations. 

A number of breaches can be attributed to inadequate configuration management, outdated software, and weak security controls among external vendors, which are often a result of an unfortunate combination. In spite of the popularity of high-profile platforms like Magento among online retailers, cybercriminals are also looking to target these platforms—particularly in cases where security patches are delayed or misconfigured—because they present a logical target for them. 

In the past few years, cybercriminals have increasingly exploited known vulnerabilities (CVEs) in e-commerce platforms, with Adobe Magento seeing disproportionate attacks compared to other platforms. It is worth mentioning that CVE-2024-20720 has a critical command injection flaw that was discovered in early 2024, with its CVSS score of 9.1. 

In the exploitation of this vulnerability, attackers were able to execute system commands remotely without the need for user interaction. Cybercriminal groups, such as the notorious Magecart, have exploited the vulnerability for the purposes of implanting persistent backdoors and exfiltrating sensitive customer information. 

There was also the CosmicSting campaign, which exploited a chain of vulnerabilities, CVE-2024-34215 and CVE-2024-2961, which were responsible for affecting more than 75% of Adobe Commerce and Magento installations worldwide. A malicious script injected into a CMS block or CMS block modification enabled remote code execution, the access to critical configuration files (including encryption keys), the escalation of privileges, and long-term control by enabling remote code execution. 

E-commerce platforms must take proactive measures to manage vulnerabilities and monitor real-time threats as a result of CosmicSting's widespread nature and sophistication. There is a disturbing new wave of cyberattacks that specifically target e-commerce websites built on the OpenCart content management system (CMS) and are modelled after Magecart in a Magecart-style attack.

Despite the stealthy and sophisticated execution methods used in this latest incident, cybersecurity experts have been particularly attentive to it. In this attack, malicious JavaScript was injected directly into landing pages by the attackers, which were cleverly disguised by the tags of legitimate third-party marketing and analytics providers such as Google Tag Manager and Meta Pixel. 

When attackers embed malicious code within commonly used tracking snippets, they dramatically reduce their chances of traditional security tools being able to detect them early. Analysts at c/side, a cybersecurity company that specialises in client-side threat monitoring, stated that the script used in this experiment was crafted to mimic the behaviour of a typical tag, but on closer examination, it exhibited suspicious patterns. 

A very deceptive aspect of this campaign is the use of Base64 encoding for obfuscating the payload URLs, which are then routed through suspicious domains like /tagscart.shop/cdn/analytics.min.js, which conceal the script’s true intent from detection during transmission, allowing it to operate undetected in legitimate traffic flows throughout the entire process. 

After the script has been decoded, it generates new HTML elements that are then inserted into the document ahead of the existing scripts in a way that effectively launches secondary malicious payloads in the background. In order to prevent reverse engineering from occurring and to bypass basic security filters, the final stage involves heavily obfuscated JavaScript. 

It utilises techniques such as hexadecimal encoding, array manipulation, and dynamic execution via eval() that are all designed to obfuscate JavaScript. To safeguard e-commerce infrastructures, real-time script monitoring and validation mechanisms are essential to safeguarding them against the sophistication of client-side attacks, which are becoming increasingly sophisticated. 

Nowadays, with the globalisation of the internet, securing an e-commerce website has become a fundamental requirement for anyone who engages in online commerce. Whether it be through a personal website or a full-scale business, security is now an essential part of any online commerce process. 

The costs of not acting can become devastating as malware campaigns become more complex, targeting platforms like Magento, WooCommerce, OpenCart, and others. Leaving a vulnerability unchecked or using an outdated plugin can result in credit card theft, customer data breaches, ransomware, or even a complete loss of control of the site. For businesses, these actions can result in financial losses, reputational damage, legal liabilities, and the loss of customer trust, while for individual entrepreneurs, it can lead to the death of a growing business. 

Through practical, proactive strategies, these threats can be mitigated by performing regular updates and patches, developing strong access controls, integrating secure third parties with the applications, installing web application firewalls (WAFs), scanning continuously for malware, and using real-time monitoring tools. As the threat landscape evolves with each passing year, cybersecurity is not a one-time task, but rather a continuous process. 

The e-commerce industry continues to grow around the world, which means that the question is no longer whether the sit, or a competitor's will be targeted, but when. Investing in robust security measures today means more than just protecting the business; it means you'll be able to survive. Stay informed, stay current, and stay safe.

Read more »
Russian APT28
Data Theft LameHug LLM malware Russian APT28

LameHug Malware Crafts Real-Time Windows Data-Theft Commands Using AI LLM

 

LameHug, a novel malware family, generates commands for execution on compromised Windows systems using a large language model (LLM). 

Russia-backed threat group APT28 (also known as Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, and Forest Blizzard) was attributed for the assaults after LameHug was identified by Ukraine's national cyber incident response team (CERT-UA). Written in Python, the malware communicates with the Qwen 2.5-Coder-32B-Instruct LLM via the Hugging Face API, which allows it to generate commands in response to prompts. 

Alibaba Cloud developed the LLM, which is open-source and designed to produce code, reason, and follow coding-focused instructions. It can translate natural language descriptions into executable code (in several languages) or shell commands. CERT-UA discovered LameHug after receiving reports on July 10 of malicious emails received from hacked accounts impersonating ministry officials and attempting to disseminate malware to executive government organisations.

The emails include a ZIP attachment that contains a LameHub loader. CERT-UA identified at least three variants: 'Attachment.pif,' 'AI_generator_uncensored_Canvas_PRO_v0.9.exe,' and 'image.py.’ 

With a medium degree of confidence, the Ukrainian agency links this action to the Russian threat group APT28. In the reported attacks, LameHug was tasked with carrying out system reconnaissance and data theft directives generated dynamically by the LLM. LameHug used these AI-generated instructions to gather system information and save it to a text file (info.txt), recursively search for documents in critical Windows directories (Documents, Desktop, Downloads), then exfiltrate the data over SFTP or HTTP POST. 

LameHug is the first publicly known malware that uses LLM to carry out the attacker's duties. From a technical standpoint, this could signal a new attack paradigm in which threat actors can modify their techniques throughout a compromise without requiring new payloads. 

Furthermore, employing Hugging Face infrastructure for command and control may help to make communication more stealthy, allowing the intrusion to remain undetected for a longer period of time. The malware can also avoid detection by security software or static analysis tools that search for hardcoded commands by employing dynamically generated commands. CERT-UA did not specify if LameHug's execution of the LLM-generated commands was successful.
Read more »
UNC9344
ALPHV CyberCrime Cybersecurity CyberThreat Financial crime IT Help Desk malware Rasnomware Scattered Spider UNC9344

Scattered Spider Broadens Attack Techniques in Latest Cyber Incidents

 


Known by aliases such as UNC3944, Scatter Swine, and Muddled Libra, Scatter Spider is an extremely persistent and adaptable cybercriminal group focused on financial gain. In the current cyber threat environment, the Scatter Spider group stands out as one of the most persistent and adaptive threat actors. Having been active since May of 2022, the group has built a reputation for targeting high-value organisations in several sectors, including telecommunications, outsourcing companies, cloud providers, and technology companies. 


A deliberate strategy to exploit industries that have large customer bases and complex IT infrastructure has been demonstrated by their focus on expanding further in recent months to include retail giants, financial institutions, and airlines. 

Scattered Spider is known for its sophisticated use of social engineering, specifically utilising the manipulation of IT help desks to gain unauthorised access to enterprise networks. That is why Scattered Spider has become one of the world's leading social engineering firms. As a result of this approach, the group has been able to bypass conventional perimeter defences and move laterally inside victim environments with alarming speed and precision, often without any detection. 

Despite the group's continuous evolution, both in terms of their technical abilities and their operational scope, recent breaches involving large UK retailers and airline companies highlight their continued evolution. A cybersecurity practitioner is strongly advised to gain a deeper understanding of the evolving techniques used by Scattered Spider because their operations are escalating in frequency and impact. 

It is vital to implement proactive defence measures to combat the threat posed by this increasingly sophisticated adversary, including training employees on security risks, implementing rigorous access controls, and monitoring the network continuously. With Scattered Spider, there is a significant shift in the threat landscape since it emphasises identity-based attacks over technical exploits, which represents a disruptive shift in the threat landscape that differs from traditional threat actors who tend to exploit technical vulnerabilities and deploy advanced malware. 

They use social engineering as their main attack vector rather than zero-day vulnerabilities, which means their operations are rooted in human manipulation rather than zero-day vulnerabilities. They typically attack outsourced IT services providers and help desks as their entry points. They usually pose as legitimate employees and exploit routine support workflows by impersonating them. 

With the help of social engineering, Scattered Spider bypasses many conventional security controls and gains privileged access to any network with minimal resistance. Once within a network, Scattered Spider does not rely on complex backdoors or stealthy implants to gain access to the network. By exploiting identity systems, they can move laterally and escalate privileges by utilising legitimate credentials and internal knowledge.

In addition to their ability to mimic internal users, use company-specific jargon and employ familiar tools, they are able to blend seamlessly into normal operations with ease. Despite the fact that it is common for commonly trusted administrative tools like PowerShell, remote monitoring and management (RMM) platforms, and cloud service provider consoles to be misused, detecting these threats can be a challenge. Scattered Spider performs independent attacks regularly.

It has been linked to notorious ransomware collectives such as ALPHV (BlackCat) and DragonForce and often acts as an initial access broker or even the operator of the attack, although their alliances are only opportunistic at best. Throughout their history, the group has demonstrated a willingness to abandon or undermine partners if that would serve their own objectives. This is an unpredictable behaviour that has earned them a reputation for being volatile. In their operations, Scattered Spider has demonstrated agility, resourcefulness, and defiance towards conventional hierarchies, the mindset of a rogue start-up. 

The combination of this unpredictability with their deep knowledge of enterprise environments makes them a formidable adversary that is unique in the industry. As a result of recent developments, Scattered Spider has been increasing its operational reach, which has heightened concerns within the cybersecurity community. In a public statement shared with me via LinkedIn, Sam Rubin, a representative of Palo Alto Networks' Unit 42, confirmed that the threat actor has been actively targeting the aviation sector for some time. 

The expert stressed that organisations, particularly those within critical infrastructure and transportation sectors-have to remain vigilant against sophisticated social engineering campaigns. Specifically, Rubin advised that suspicious requests for multi-factor authentication resets (MFA) were becoming increasingly common among identity-centric intrusion groups, a hallmark of their approach to identity theft. 

Similarly, Google's cybersecurity company Mandiant echoed these concerns as it observed Scattered Spider's activities as well. In response to this, Mandiant also issued a warning. In its recent report, Mandiant highlighted a pattern of attacks affecting airline and transportation companies in the U.S., as well asthe  recent targeting of companies within the U.S. insurance industry. 

As the firm says, the numerous incidents of this group closely align with its established method of operation, particularly in terms of impersonation, identity abuse, and exploitation of IT support workflows, which are all part of the group's established modus operandi. It is clear that Scattered Spider is continuing to broaden its attack surface and has increasingly targeted industries that handle large amounts of personal and financial data, as well as those that have intricate supply chains and third-party dependents that need to manage large amounts of sensitive data. 

In late June of 2025, Scattered Spider demonstrated an even more dramatic strategic shift as it aggressively focused its efforts on the global aviation industry. In a matter of hours, what seemed like isolated and unconfirmed cyberattacks on a few airlines quickly escalated into a coordinated series of cyberattacks that had global repercussions. 

A report issued by the Federal Bureau of Investigation (FBI) confirmed that the Scattered Spider was targeting major airline operators as well as the general public in an official advisory. This alert occurred at a time when two prominent Canadian carriers, WestJet, as well as Hawaiian Airlines, experienced disruptions caused by suspected cyberattacks, both of which experienced service interruptions as a result of these cyberattacks. 

Additionally, Australia’s flagship airline, Qantas, also recently reported a significant security breach that was allegedly perpetrated by a third-party service provider. One of the systems compromised was the call centre platform used to handle customer service, highlighting a recurring pattern in Scattered Spider's operations: exploiting the weakest links in the supply chain to achieve its objectives. 

Approximately 6 million Qantas passengers' sensitive data was accessed by hacker groups, including their full names, contact information, birth dates, and frequent flyer numbers, and was exposed in this manner. In spite of the fact that no financial or passport information was reported to have been taken, the breach underscores the dangers associated with third-party access points in highly interconnected environments. 

A preliminary investigation into each of these three incidents revealed that the threat actors used a phone-based phishing technique that is commonly known as "vishing" in order to manipulate airline IT departments and contractors in all three incidents. It was aimed at obtaining VPN credentials and resetting Multi-factor authentication (MFA) security settings in order to impersonate internal employees and escalate privileges within corporate systems by impersonating internal employees. 

Rather than relying on traditional technical exploits, Scattered Spider takes advantage of the trust placed in third-party vendors, such as those able to manage ticketing systems, call centres, and backend IT services. In addition to a deep understanding of aviation operations, Scattered Spider's tactical preference is to attack through a social engineering-based and identity-based attack vector rather than a traditional technical attack vector. 

Scattered Spider has been evolving its operational sophistication, and its focus is increasingly on high-ranking executives, according to a recent report from security firm ReliaQuest. In an incident disclosed last Friday, a threat group infiltrated an unidentifiedorganisationn by targeting its Chief Financial Officer (CFO), who is a role that is generally granted access and authority to the organization. 

As stated by ReliaQuest, the attackers conducted extensive reconnaissance to map the CFO's digital footprint before launching a highly targeted social engineering campaign to compromise the CFO's identity and credentials. The attackers succeeded in persuading staff members to reset the multi-factor authentication device linked to the account in order to start the intrusion process. 

They impersonated the CFO and reached out to the IT help desk in order to convince them that their account could not be protected. In the course of verifying their identity via the company's public login portal, they used previously collected information, including the CFO's birthdate and the last four digits of his Social Security Number, further legitimising their access.

As a result of their broad privileges and the high priority that their support requests receive, Scattered Spider strategically targets C-suite executives as a target due to their strategic use of these systems, allowing them to successfully impersonate C-suite executives. With impressive speed and precision, the attackers were able to escalate privileges and move laterally across the organisation's infrastructure with remarkable speed and precision once inside the organisation by using the CFO's account. 

In the post-compromise activity, it was evident that the group had an extensive understanding of enterprise environments. In order to identify privileged accounts, groups, and service principals, they initiated Entra ID enumeration to establish a platform for escalation and persistence of privileges. Moreover, they performed a SharePoint discovery to determine where sensitive data was located and how business workflows worked, followed by compromising Horizon Virtual Desktop Infrastructure (VDI), which was accompanied by further account takeovers by social engineering. 

In order to ensure that remote access would remain uninterrupted, Scattered Spider breached the organisation's VPN network infrastructure. To access VMware's vCenter platform, the group reactivated and created new virtual machines that had been decommissioned. Using elevated access, they then compromised the CyberArk password vault, taking over 1,400 credentials. In addition to disabling a production domain controller, they also extracted the NTDS.dit database containing critical Active Directory information. 

They used legitimate tools such as ngrok for persistent remote access to compromised accounts to firmly establish themselves in control of compromised accounts. When the attackers were discovered, they switched tactics, deploying a destructive "scorched-earth" attack — deleting entire policy rule collections from Azure Firewall as well as causing significant disruptions in operations. 

It is clear from this incident that Scattered Spider is an incredibly adaptable and ruthless cybercriminal organisation, which reinforces its reputation as one of the most dangerous and unpredictable cybercriminals around today. In light of Scattered Spider's increasing activity and its increasingly tailored, identity-based attack strategies, organisations should reassess the security posture of their organisation beyond conventional perimeter defences and evaluate how resilient they are. 

The threat vectors posed by this group continue to exploit human behaviour, trust-based processes, and fragmented digital ecosystems, which require defenders to adopt a proactive and intelligence-driven approach to threat detection and response. To accomplish this, robust identity verification workflows must be implemented for privileged access requests, behavioural analysis of high-value accounts must be conducted regularly, and third-party risk management policies should be strengthened. 

Additionally, organisations need to ensure that cross-functional incident response plans are in place that take social engineering intrusions, privilege abuse scenarios, and other types of threat models into account-threat models that are no longer theoretical but operationally routine for adversaries such as Scattered Spider. 

There is no doubt that cybercriminals are evolving with startup-like agility, and so defenders must also adapt to meet these demands. It is important to work collaboratively, share threat intelligence, and foster an organisational culture in which security is not just a technical function, but a core responsibility of the organisation. 

Data loss is not the only issue that is at stake anymore-the stakes now include operational continuity, brand trust, and strategic resilience as well. Rather than simply building technical defences to protect against threats such as Scattered Spider, organizations should cultivate a culture of security resilience and go beyond technical defenses. 

The purpose of red team exercises that simulate identity-based attacks, aligning executive leadership, IT, and security teams around shared accountability, and conducting adversary emulation exercises to continuously validate security assumptions is all part of the process. Keeping an organisation safe from attackers, regardless of the level of trust they exploit, requires vigilance across all levels of the organisation - strategic, operational, and human. 

Organisations that have invested in adaptive, intelligence-driven defence programs are better equipped not only to withstand such threats, but also to recover quickly and decisively if they do occur. It is no longer about building higher walls when it comes to cybersecurity—it is about outsmarting the intruders already at the gate with your help. 

With Scattered Spider utilising surgical precision and manipulating human trust, hijacking identities, and exploiting operational vulnerabilities, organizations have to reconsider what resilience is really about. The era of static defenses has come to an end. In order to respond to incident effectively, security teams need to implement adaptive strategies based on intelligence, behavior analytics, and proactive incident management. 

In order to accomplish this, rigorous identity verification processes need to be implemented, privileged user behaviour needs to be continually monitored, and third-party integrations should be more tightly vetted—areas that are increasingly exploited by cybercriminals with startup-like agility. But resilience is more than just tools and tech. 

A shared responsibility exists between executive leadership, IT, and security operations. Simulated red-team exercises that mimic real-world identity breaches are effective at exposing hidden vulnerabilities while adversary emulation challenges long-standing security assumptions. In the end, if people are going to defend themselves against adversaries such as Scattered Spider, they must adopt a defensive-in-depth philosophy where they integrate people, process, and technology.

Those companies that are committed to investing in continuous readiness—not just in the prevention of a disaster, but also in responding to one when it happens and recovering from it—will be better positioned to counter tomorrow's threats and emerge stronger from them.
Read more »
Subscribe to: Posts (Atom)