Tag: HUNTING

Silk Typhoon Targeting IT Supply Chain
Microsoft Threat Intelligence has revealed that the Chinese espionage group Silk Typhoon is shifting tactics to exploit IT solutions and cloud applications for gaining access to organizations. Despite not directly targeting Microsoft services, they utilize unpatched applications for malicious activities once inside a victim’s network. The article emphasizes the need for awareness and suggests mitigation strategies to defend against this growing threat.…
Read More
Malvertising Campaign Leads to Info Stealers Hosted on GitHub
In December 2024, a widespread malvertising campaign was discovered that affected nearly a million devices globally, originating from illegal streaming websites embedded with malicious advertisements. The attack involved a series of redirections leading to GitHub, Dropbox, and Discord, where malware was hosted. This campaign targeted various sectors indiscriminately, highlighting the need for enhanced security measures across devices and networks.…
Read More
Phishing campaign impersonates Booking dot com delivers a suite of credential stealing malware
A phishing campaign impersonating Booking.com has been identified targeting organizations within the hospitality sector, particularly in relation to travel. Using the ClickFix social engineering technique, this campaign seeks to steal credentials and engage in financial fraud, affecting various regions including North America and Europe. Affected: hospitality industry, Booking.com…
Read More
Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor
In August 2024, ESET researchers uncovered cyberespionage activities by the MirrorFace APT group targeting a Central European diplomatic institute related to Expo 2025 in Osaka, Japan. This marks the first instance of MirrorFace infiltrating a European entity, showcasing new tactics and tools, including the backdoor ANEL and a customized variant of AsyncRAT.…
Read More
Threat Spotlight: Credential Theft vs. Admin Control—Two Devastating Paths to VPN Exploitation
This report discusses the ongoing exploitation of older VPN vulnerabilities, particularly CVE-2018-13379 and CVE-2022-40684, highlighting how attackers, including cybercriminal and state-sponsored groups, continue to target these flaws for credential theft and administrative control. The research indicates substantial growth in discussions around Fortinet VPN vulnerabilities on cybercriminal forums, illustrating their significance in the current threat landscape.…
Read More
Cyberattackers Prey on Health Fears in Sophisticated Phishing Campaign
Summary: A new report from JUMPSEC’s DART team reveals a disturbing trend of cybercriminals exploiting health fears through sophisticated phishing attacks. The report outlines how attackers used enticing health-related emails to deceive victims into providing sensitive information, employing multi-stage tactics to enforce these scams. Investigations into the infrastructure of the attackers revealed connections to poorly-reputed networks and the use of legitimate platforms to mask phishing activities.…
Read More
New XCSSET Malware Adds New Obfuscation and Persistence Techniques to Infect Xcode Projects | Microsoft Security Blog
A new variant of XCSSET malware has been discovered, which is specifically designed to infect macOS Xcode projects. This sophisticated malware utilizes advanced obfuscation, updated persistence techniques, and novel infection strategies to exfiltrate sensitive information, including digital wallet data. It operates in a stealthy manner, often remaining fileless, which complicates detection and removal efforts.…
Read More
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft | Microsoft Security Blog
In November 2024, Microsoft Incident Response uncovered StilachiRAT, a remote access trojan that employs sophisticated evasion techniques and data exfiltration capabilities, targeting sensitive information such as credentials, digital wallet data, and clipboard contents. StilachiRAT establishes command-and-control connectivity with remote servers, and Microsoft has issued guidance to bolster defenses against this growing threat.…
Read More
The GitHub Action tj-actions/changed-files was compromised on March 14, 2024, allowing exposed secrets in public repositories to be logged. The incident has been assigned CVE-2025-30066, and although the malicious repository has been removed, risks remain due to previously exposed secrets. Immediate actions are needed for credential recovery and mitigating future exploits.…
Read More
How to Choose the Correct Severity or CVSS Score for a Bug: A Practical Guide
A thorough understanding of CVSS (Common Vulnerability Scoring System) is crucial for bug bounty hunters when determining the severity of vulnerabilities they encounter. By accurately scoring vulnerabilities, hunters can effectively communicate the urgency of issues to development teams. The severity levels inform teams on how to prioritize remediation efforts.…
Read More
Patching is Not Enough: Why You Must Search for Hidden Intrusions
Organizations often fail to investigate after patching zero-day vulnerabilities, leading to undetected compromises. A proactive approach involving compromise assessments is critical to uncover potential breaches. Affected: VMware ESXi, cybersecurity sector

Keypoints :

Patching alone does not confirm if systems have been breached. Recent zero-day vulnerabilities in VMware ESXi (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) have been exploited.…
Read More
Phishing campaign impersonates Booking dot com delivers a suite of credential stealing malware
A phishing campaign identified by Microsoft Threat Intelligence targets the hospitality industry, impersonating Booking.com and utilizing the ClickFix social engineering technique to deliver credential-stealing malware. The campaign, ongoing since December 2024, aims at financial fraud by tricking users into executing malicious commands. Affected: hospitality organizations, Booking.com…
Read More
ClickFix Widely Adopted by Cybercriminals, APT Groups
Summary: Since August 2024, state-sponsored hackers and cybercriminals have been using a technique called ClickFix to deploy information stealer malware. This method involves social engineering through malicious JavaScript that manipulates users into executing harmful commands. Group-IB reports an increase in this attack vector, particularly targeting users on various platforms that offer free content or software.…
Read More
SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
Trend Research’s analysis of SocGholish’s MaaS framework highlights its critical role in delivering RansomHub ransomware via compromised websites. Utilizing highly obfuscated JavaScript loaders, SocGholish evades detection and successfully executes malicious tasks. Notably, the framework propels initial access for ransomware attacks, mainly affecting government entities in the United States.…
Read More
Threat Intelligence: A Deep Dive into Cyber Kill Chains, Diamond Models, and the Zero-Day Crisis
The recent VMware zero-day vulnerability (CVE-2023–20867) has made numerous organizations—including cloud providers and financial institutions—vulnerable to serious attacks such as data theft and ransomware. This incident highlights the importance of cybersecurity frameworks like the Cyber Kill Chain and Diamond Model for developing effective defenses against increasingly sophisticated threats.…
Read More
Red Report 2025: Unmasking a 3X Spike in Credential Theft and Debunking the AI Hype
Summary: The Picus Labs’ Red Report 2025 reveals a alarming increase in credential theft and the tactics employed by cybercriminals, notably through a rise in malware targeting password stores. The report highlights the prevalence of a few critical MITRE ATT&CK techniques driving the majority of attacks and debunks the myth that AI has transformed malware strategies.…
Read More
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
The Securonix Threat Research team has uncovered a sophisticated malware campaign known as OBSCURE#BAT, which employs social engineering tactics and deceptive downloads to install a user-mode rootkit (r77 rootkit) that evades detection and maintains persistence on compromised systems. Attackers use fake captchas and legitimate-looking software downloads to trick users into executing obfuscated batch scripts that initiate a multi-stage infection process.…
Read More