Patching is Not Enough: Why You Must Search for Hidden Intrusions
Organizations often fail to investigate after patching zero-day vulnerabilities, leading to undetected compromises. A proactive approach involving compromise assessments is critical to uncover potential breaches. Affected: VMware ESXi, cybersecurity sector

Keypoints:

Patching alone does not confirm if systems have been breached. Recent zero-day vulnerabilities in VMware ESXi (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) have been exploited.…
Microsoft Research Reveals – Phishing Campaign Impersonates Booking(.)com, Delivers a Suite of Credential-Stealing Malware
A phishing campaign identified by Microsoft Threat Intelligence targets the hospitality industry, impersonating Booking.com and utilizing the ClickFix social engineering technique to deliver credential-stealing malware. The campaign, ongoing since December 2024, aims at financial fraud by tricking users into executing malicious commands. Affected: hospitality organizations, Booking.com…
ClickFix Widely Adopted by Cybercriminals, APT Groups
Summary: Since August 2024, state-sponsored hackers and cybercriminals have been using a technique called ClickFix to deploy information stealer malware. This method involves social engineering through malicious JavaScript that manipulates users into executing harmful commands. Group-IB reports an increase in this attack vector, particularly targeting users on various platforms that offer free content or software.…
SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
Trend Research’s analysis of SocGholish’s MaaS framework highlights its critical role in delivering RansomHub ransomware via compromised websites. Using heavily obfuscated JavaScript loaders, SocGholish evades detection and carries out its malicious tasks. Notably, the framework provides the initial access for ransomware attacks, mainly affecting government entities in the United States.…
Threat Intelligence: A Deep Dive into Cyber Kill Chains, Diamond Models, and the Zero-Day Crisis
The recent VMware zero-day vulnerability (CVE-2023-20867) has made numerous organizations—including cloud providers and financial institutions—vulnerable to serious attacks such as data theft and ransomware. This incident highlights the importance of cybersecurity frameworks like the Cyber Kill Chain and Diamond Model for developing effective defenses against increasingly sophisticated threats.…
Red Report 2025: Unmasking a 3X Spike in Credential Theft and Debunking the AI Hype
Summary: Picus Labs’ Red Report 2025 reveals an alarming increase in credential theft and the tactics employed by cybercriminals, notably through a rise in malware targeting password stores. The report highlights the prevalence of a few critical MITRE ATT&CK techniques driving the majority of attacks and debunks the myth that AI has transformed malware strategies.…
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
The Securonix Threat Research team has uncovered a sophisticated malware campaign known as OBSCURE#BAT, which employs social engineering tactics and deceptive downloads to install a user-mode rootkit (r77 rootkit) that evades detection and maintains persistence on compromised systems. Attackers use fake captchas and legitimate-looking software downloads to trick users into executing obfuscated batch scripts that initiate a multi-stage infection process.…
The AI race: Dark AI is in the lead, but good AI is catching up
Summary: Cyberattackers are increasingly leveraging artificial intelligence (AI) to enhance phishing tactics and develop sophisticated tools for breaches. In response, cybersecurity vendors are rapidly adopting AI technologies to bolster defenses, automate security tasks, and improve incident response. The evolving dynamics of AI in cybersecurity highlight an ongoing battle, as both attackers and defenders innovate their strategies.…
Steganography Explained: How XWorm Hides Inside Images
Summary: Steganography allows cybercriminals to hide malicious code within seemingly harmless files, such as images, making it difficult for traditional security tools to detect. This practice poses a significant threat, as it can facilitate data theft, remote access, and other malicious activities without triggering alarms. Understanding how these attacks work and how to prevent them is crucial for maintaining cybersecurity integrity.…
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
The article discusses a cybercriminal campaign using fake GitHub repositories to distribute SmartLoader, which delivers Lumma Stealer and other malware. These repositories masquerade as gaming cheats and software cracks to lure users, taking advantage of GitHub’s credibility. The use of AI-generated content makes the repositories appear legitimate, making it crucial for individuals and organizations to be vigilant.…
SideWinder targets the maritime and nuclear sectors with an updated toolset
SideWinder, an advanced persistent threat (APT) group, has intensified attacks targeting military, government, and logistics entities in various regions, particularly in Asia, Africa, and beyond. With sophisticated malware and exploitation techniques, including those leveraging CVE-2017-11882, their operations indicate a strategic focus on maritime infrastructures and nuclear energy sectors.…
Ransomware Groups Favor Repeatable Access Over Mass Exploits
Summary: Ransomware groups are evolving their tactics by focusing on targeting weak credentials rather than exploiting vulnerabilities, as highlighted in Travelers’ latest Cyber Threat Report. There was a noted surge in ransomware activity, particularly in Q4 2024, with a record number of victims. The report emphasizes the effectiveness of basic attack techniques, urging businesses to implement stronger security measures like multifactor authentication (MFA).…
🚨Cyber Attack Chronicles🚨
The SolarWinds hack, a significant supply chain attack discovered in December 2020, compromised numerous Fortune 500 companies and government agencies, resulting in extensive cybersecurity repercussions. Attackers embedded malicious code into SolarWinds’ Orion software updates, infiltrating thousands of networks and highlighting the vulnerabilities in vendor trust. Affected: Fortune 500 companies, US Government agencies, SolarWinds

Keypoints:

The hack was discovered in December 2020, but the infiltration began as early as March 2020.…
XWorm Cocktail: A Mix of PE data with PowerShell Code – SANS Internet Storm Center
The article walks through the deobfuscation of two files flagged as malicious and identified as belonging to a variant of XWorm. The files contain obfuscated PowerShell code and references to system commands, revealing their malicious intent. Affected: online gaming, cybersecurity, Windows environment

Keypoints:

Two files identified as malicious: “XClient.exe”…
Who are Hellcat Ransomware Group? | Bridewell
The Hellcat Ransomware Group is a newly identified Ransomware-as-a-Service (RaaS) threat group, recognized for targeting various organizations, especially in telecommunications and government sectors. Their operations reveal sophisticated tactics, including phishing, exploitation of public-facing applications, and deployment of PowerShell for maintaining persistence. The group has shown strong ties with other ransomware actors and employs unique methods for data exfiltration.…
Dark Web Profile: Ghost (Cring) Ransomware – SOCRadar® Cyber Intelligence Inc.
The Ghost (Cring) ransomware is a critical cybersecurity threat primarily targeting organizations with vulnerable systems, including healthcare, finance, government, and education sectors. This ransomware employs sophisticated techniques such as exploiting vulnerabilities, lateral movement, and advanced evasion methods to encrypt sensitive data and demand ransom payments. Affected: healthcare, financial services, government, critical infrastructure, manufacturing, education, professional services, retail, e-commerce

Keypoints:

Ghost (Cring) ransomware has been active since at least 2021, targeting vulnerable internet-facing systems.…
Unmasking the new persistent attacks on Japan
Cisco Talos discovered a malicious campaign attributed to an unknown attacker targeting organizations in Japan since January 2025, primarily exploiting the CVE-2024-4577 vulnerability to gain initial access and deploy advanced adversarial tools via Cobalt Strike. The attacker’s activities entail credential theft, system compromise, and potential lateral movement which could impact various industries.…
Unveiling EncryptHub: Analysis of a Multi-Stage Malware Campaign
EncryptHub, a notable cybercriminal organization, has gained increasing attention from threat intelligence teams due to its operational security missteps. These lapses have allowed analysts to gain insights into their tactics and infrastructure. The report details EncryptHub’s multi-stage attack chains, trojanized application distribution strategies, and their evolving killchain, making them a significant threat in the cyber landscape.…
GO Language Based Ebyte Ransomware – A Brief Analysis – CYFIRMA
EByte Ransomware is a new variant developed by EvilByteCode that targets Windows systems using advanced encryption methods. It encrypts user data, displays a ransom note, and poses a significant risk because it is publicly available on GitHub. Affected: Windows systems, organizations, individuals

Keypoints:

Developed in Go; uses ChaCha20 encryption and ECIES for key transmission.…