Hackers Repurpose RansomHub’s EDRKillShifter in Medusa, BianLian, and Play Attacks
Summary: A recent analysis reveals a connection between RansomHub affiliates and several other ransomware groups through a custom tool called EDRKillShifter, which disables endpoint detection and response software. This tool utilizes a method known as Bring Your Own Vulnerable Driver (BYOVD) to ensure ransomware execution is not flagged by security measures.…
How SVigil Prevented a Massive Supply Chain Breach in Banking Infrastructure?
This article highlights the cybersecurity vulnerabilities that arise when financial institutions rely on third-party vendors. It details how CloudSEK’s SVigil platform discovered exposed credentials of a key communication service provider, which led to a significant data breach affecting a major banking entity. The timely detection helped prevent potential misuse of sensitive data and loss of customer trust.…
Shifting the sands of RansomHub’s EDRKillShifter
ESET researchers examine the ransomware landscape in 2024, highlighting the emergence of RansomHub, a prominent ransomware-as-a-service (RaaS) group linked to established gangs like Play, Medusa, and BianLian. The article discusses the rise of EDR killers, particularly EDRKillShifter, developed by RansomHub, and reflects on the shifting dynamics of ransomware payments and victim statistics.…
CoffeeLoader: A Brew of Stealthy Techniques
Zscaler ThreatLabz has uncovered CoffeeLoader, a sophisticated malware family capable of bypassing detection mechanisms and deploying second-stage payloads. Originating in September 2024, CoffeeLoader employs advanced evasion techniques like GPU execution, call stack spoofing, and sleep obfuscation. It is primarily distributed through SmokeLoader and can utilize DGA for command-and-control communication.…
Arkana Ransomware Group Hacks WideOpenWest Using Data from an Infostealer Infection
The Arkana ransomware group has claimed a massive breach of WideOpenWest (WOW!), one of the largest ISPs in the U.S., exposing over 403,000 customer accounts. This breach originated from an infostealer infection in September 2024, highlighting the urgent need for improved monitoring of such threats.
Affected: WideOpenWest, customers, ISPs
Key points:
The Arkana ransomware group claimed responsibility for breaching WideOpenWest, exposing over 403,000 customer accounts.…
YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks
This report reveals a sophisticated malware campaign targeting YouTube creators through spearphishing, utilizing the Clickflix technique to deceive victims into executing malicious scripts. Attackers leverage brand impersonation and exploit interest in professional collaborations to spread malware via meticulously crafted phishing emails. Once activated, the malware steals sensitive data or allows remote access.…
Shedding Light on the ABYSSWORKER Driver – Elastic Security Labs
The article discusses a financially motivated cybercriminal campaign utilizing a malicious driver known as ABYSSWORKER, which disables endpoint detection and response systems to deploy MEDUSA ransomware. This driver exploits revoked certificates and incorporates various evasion techniques against EDR systems while showcasing its capabilities to manipulate processes and files.…
Cybercriminals Exploit Check Point Driver Flaws in Malicious Campaign
Summary: A report by security researcher Nima Bagheri reveals that a component of Check Point’s ZoneAlarm antivirus is being exploited in a BYOVD attack, allowing threat actors to bypass Windows security. The vulnerabilities in vsdatant.sys, a driver associated with ZoneAlarm, enable unauthorized access to sensitive information and persistent control over infected systems.…
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
Summary: Recent cyber threats highlight vulnerabilities in open-source tools, escalating ad fraud through mobile apps, and advanced ransomware tactics targeting critical defenses. Notably, attacks have leveraged AI, and a supply chain breach at Coinbase exemplifies these risks. A rise in stolen credentials further underscores the urgent need for improved cybersecurity measures.…
New VMware Attack Vector Goes From Web Shell to Ransomware
Summary: Researchers at Sygnia have identified a new attack method that leverages vulnerabilities in VMware, allowing malicious actors to escape virtual machines and deploy ransomware across corporate networks. The report illustrates how attackers can exploit web server weaknesses to gain unauthorized access to VMware’s ESXi hypervisor and emphasizes the urgent need for improved security measures.…
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
Summary: The Medusa ransomware operation employs a malicious driver, ABYSSWORKER, in a BYOVD attack to disable anti-malware tools. This driver uses stolen certificates to pose as a legitimate system driver, allowing it to bypass security measures and enable detailed control over the attacker’s actions. Additionally, a new backdoor called Betruger has been associated with RansomHub, enhancing their ransomware’s capabilities without relying solely on traditional encrypting payloads.…
SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset
SideWinder, also known as Rattlesnake or T-APT-04, is an advanced persistent threat group from India that has expanded its operations to target maritime and nuclear sectors across Asia, the Middle East, and Africa since 2012. Known for quickly adapting to security measures, SideWinder employs various tactics, techniques, and procedures (TTPs) to execute sophisticated cyber-attacks, primarily through phishing and malware.…
CVE-2025-21333 Windows heap-based buffer overflow analysis
CVE-2025-21333 is a heap-based buffer overflow vulnerability in the Windows 11 kernel-mode driver vkrnlintvsp.sys, actively exploited by threat actors. Microsoft released a patch (KB5050021) on January 14, 2024. The vulnerability can lead to privilege escalation and arbitrary read/write access in kernel space. The article details the vulnerability analysis, exploitation techniques, and recommendations for detection.…
Emulating the Sophisticated Chinese Adversary Salt Typhoon
Salt Typhoon, a Chinese APT group active since 2019, targets critical sectors, including telecommunications and government entities across multiple regions. Known for its advanced cyberespionage tactics, the group utilizes various tools and techniques to maintain access while evading detection. This includes exploiting Microsoft Exchange vulnerabilities and employing a range of persistence and privilege escalation techniques.…
Malvertising Campaign Leads to Info Stealers Hosted on GitHub
In December 2024, a widespread malvertising campaign was discovered that affected nearly a million devices globally, originating from illegal streaming websites embedded with malicious advertisements. The attack involved a series of redirections leading to GitHub, Dropbox, and Discord, where malware was hosted. This campaign targeted various sectors indiscriminately, highlighting the need for enhanced security measures across devices and networks.…
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
Mandiant’s discovery in mid-2024 revealed that the China-nexus espionage group, UNC3886, deployed custom backdoors on Juniper Networks’ Junos OS routers, utilizing various capabilities to maintain long-term access while circumventing security protections. Mandiant urges organizations to upgrade their Juniper devices to mitigate these vulnerabilities and recommends security measures.…