Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Sandworm, a threat actor linked to Russia’s GRU, has been conducting cyber espionage against Ukrainian Windows users by exploiting pirated software to distribute malware, notably the BACKORDER loader and Dark Crystal RAT. This activity has been ongoing since late 2023, coinciding with the Russian invasion of Ukraine, and highlights the vulnerabilities created by the country’s high rates of software piracy.…
Medusa Ransomware Activity Continues to Increase
The article discusses the tools and tactics utilized by the Medusa ransomware group, Spearwing. It highlights various software and methods employed for data exfiltration, credential dumping, and maintaining persistence within victim networks. The consistency of their tactics suggests an organized operation, potentially indicating that Spearwing operates more as an individual group rather than a traditional Ransomware-as-a-Service (RaaS).…
Kimsuky Group’s Watering Hole Attack: Beware of Malicious Files Disguised as Educational Support Documents in the Field of Unification
A recent watering hole attack was identified, targeting applicants for an educational program in the field of unification at a prominent university. Attackers embedded malicious HWP file links in a notice post; when opened, these files create further malicious files and execute them to maintain persistence on the infected systems.…
Dark Web Profile: Ghost (Cring) Ransomware – SOCRadar® Cyber Intelligence Inc.
The Ghost (Cring) ransomware is a critical cybersecurity threat primarily targeting organizations with vulnerable systems, including healthcare, finance, government, and education sectors. This ransomware employs sophisticated techniques such as exploiting vulnerabilities, lateral movement, and advanced evasion methods to encrypt sensitive data and demand ransom payments. Affected: healthcare, financial services, government, critical infrastructure, manufacturing, education, professional services, retail, e-commerce

Keypoints:

Ghost (Cring) ransomware has been active since at least 2021, targeting vulnerable internet-facing systems.…
Unveiling EncryptHub: Analysis of a Multi-Stage Malware Campaign
EncryptHub, a notable cybercriminal organization, has gained increasing attention from threat intelligence teams due to its operational security missteps. These lapses have allowed analysts to gain insights into their tactics and infrastructure. The report details EncryptHub’s multi-stage attack chains, trojanized application distribution strategies, and their evolving killchain, making them a significant threat in the cyber landscape.…
GO Language Based Ebyte Ransomware – A Brief Analysis – CYFIRMA
EByte Ransomware is a new variant developed by EvilByteCode that targets Windows systems using advanced encryption methods. It encrypts user data, displays a ransom note, and poses a significant risk because it is publicly available on GitHub. Affected: Windows systems, organizations, individuals

Keypoints:

Developed in Go; uses ChaCha20 encryption and ECIES for key transmission.…
Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation
A newly identified malware operation, named “Phantom Goblin,” utilizes social engineering to deceive users into executing a malicious LNK file that triggers a PowerShell script to download and execute additional payloads. These payloads enable the malware to extract sensitive data, maintain unauthorized remote access via Visual Studio Code tunnels, and exfiltrate the stolen data to a Telegram bot.…
Booking a Threat: Inside LummaStealer’s Fake reCAPTCHA
Cybercriminals are exploiting the travel industry’s rising demand by creating fake booking websites and utilizing phishing scams to deceive travelers. They have employed an advanced attack strategy through malicious booking sites, using techniques like fake CAPTCHAs to deploy LummaStealer, a malware designed to steal information. Affected: users in the travel sector, individuals in the Philippines, individuals in Germany

Keypoints:

New campaign using fake booking websites to deliver LummaStealer.…
SLOW#TEMPEST: Explaining the TTPs of the Cyber Espionage Campaign
SLOW#TEMPEST is a covert cyber espionage group that emerged in 2024, renowned for its stealthy infiltration tactics using sophisticated phishing and malware techniques. Their operations primarily target organizations in Chinese-speaking regions, employing methods like DLL hijacking and credential harvesting. This article analyzes their tactics, providing insights into their operational methods and defense strategies.…
Boramae Ransomware
Boramae Ransomware is a newly discovered strain aimed at Windows systems, known for its effective encryption and evasion tactics. The ransomware not only encrypts files but also leaves threat-laden ransom notes demanding payment under duress. These findings emphasize the need for robust cybersecurity measures and incident response strategies.…
Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
Threat actors, identified as TGR-UNK-0011 and related to the JavaGhost group, are exploiting misconfigurations in Amazon Web Services (AWS) environments to conduct phishing campaigns. They have evolved their tactics since 2019, focusing on gaining unauthorized access through exposed AWS access keys and leveraging services like Amazon SES and WorkMail.…
Turkey’s Attacking APT Groups and Attack Analyses
This study offers a comprehensive examination of Advanced Persistent Threats (APTs), focusing on their dynamics, techniques employed, and preventive measures. The article discusses the identification of APTs, the reasons behind attacks on Turkey, and their geopolitical and economic impacts. Furthermore, it explains the concept of Tactics, Techniques, and Procedures (TTP), their subdivision into sub-techniques, and details effective strategies to mitigate APT attacks.…
Healthcare Malware Hunt, Part 1: Philips DICOM Viewers
The article discusses a campaign by the China-based Advanced Persistent Threat (APT) group Silver Fox, which exploited vulnerabilities in Philips DICOM viewers to deploy malware such as a Remote Access Tool (RAT), keyloggers, and crypto miners targeting healthcare organizations. The healthcare sector remains a significant target for cyberattacks, necessitating robust security measures.…
Cellebrite zero-day exploit used to target phone of Serbian student activist – Amnesty International Security Lab
Amnesty International’s Security Lab revealed a case of Cellebrite’s forensic tools being misused to surveil a youth activist in Serbia. Subsequent investigations indicated that the Serbian authorities continue to exploit such tools for illegitimate surveillance of civil society despite international criticism. Further research highlighted zero-day vulnerabilities in Android USB drivers potentially affecting over a billion devices.…
Securonix Threat Labs Monthly Intelligence Insights – January 2025
The Monthly Intelligence Insights report for November 2024 by Securonix Threat Labs highlights critical cybersecurity threats, incidents, and responses, including notable breaches involving Cyberhaven and the exploitation of Ivanti vulnerabilities. Organizations are urged to enhance their security measures, such as updating software and implementing more vigilant monitoring systems.…
Resecurity | DragonForce Ransomware Group is Targeting Saudi Arabia
The DragonForce ransomware group has recently targeted organizations in the Kingdom of Saudi Arabia, resulting in the significant exfiltration of over 6 TB of confidential data from a major real estate and construction firm. The incident highlights a worrying trend of cyber threats against critical infrastructure in the region, indicating a potential expansion beyond the MENA area.…
Play Ransomware: Exposing One of 2024’s Greediest Cyber Extortionists
Play ransomware, also known as PlayCrypt, is a cybercrime organization that has been active since 2022, targeting organizations globally through sophisticated double-extortion tactics. They encrypt systems after exfiltrating sensitive data, demanding communication via email without revealing ransom amounts. The group has struck over 300 entities across multiple sectors such as telecommunications, healthcare, and government.…