Tag: INITIAL ACCESS

Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
The article discusses the evolution of the Lazarus group, indicating that it has now transformed into a collection of subgroups rather than a single entity. It emphasizes the importance of understanding these subgroups, their tactics, and their individual characteristics for effective cyber defense strategies. Affected: Japan, cryptocurrency sector, defense industry, aviation industry

Keypoints :

The term “Lazarus” has evolved from a singular APT group to multiple subgroups.…
Read More
VanHelsing RaaS Launch: 3 Victims, K Entry Fee, Multi-OS, and Double Extortion Tactics
Summary: The VanHelsing ransomware-as-a-service (RaaS) operation emerged on March 7, 2025, quickly claiming multiple victims through a user-friendly platform that supports a variety of operating systems. The scheme employs double extortion tactics and allows affiliates to profit significantly while only prohibiting attacks on the Commonwealth of Independent States (CIS).…
Read More
The Crazy Hunter ransomware attack exploited Active Directory misconfigurations and utilized Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to escalate privileges and distribute ransomware through Group Policy Objects. Despite claims of data exfiltration, forensic investigations found no supporting evidence. This attack resulted in significant operational disruptions and highlighted the importance of proactive threat intelligence in cybersecurity.…
Read More
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
Summary: Recent cyber threats highlight vulnerabilities in open-source tools, escalating ad fraud through mobile apps, and advanced ransomware tactics targeting critical defenses. Notably, attacks have leveraged AI, and a supply chain breach at Coinbase exemplifies these risks. A rise in stolen credentials further underscores the urgent need for improved cybersecurity measures.…
Read More
Technical Advisory: Mass Exploitation of CVE-2024-4577
In June 2024, Bitdefender Labs highlighted a critical security vulnerability (CVE-2024-4577) in PHP affecting Windows systems in CGI mode, allowing remote code execution through manipulated character encoding. This vulnerability has seen an increase in exploitation attempts, especially in Taiwan and Hong Kong, with attackers also modifying firewall settings to block known malicious IPs.…
Read More
Dragon RaaS: Pro-Russian Hacktivist Group Walks the Razor’s Edge Between Cybercrime and Propaganda
Summary: A new Ransomware-as-a-Service player, Dragon RaaS, combines political hacktivism with opportunistic cybercrime, targeting organizations with weak security. It emerged as a splinter group from the Stormous ransomware gang and is affiliated with various cybercrime syndicates. Dragon RaaS’s operations focus on defacement attacks and ransomware extortion, utilizing a rebranded version of existing ransomware techniques.…
Read More

🔴 RECONNAISSANCE:

RustScan ==https://github.com/bee-san/RustScanNmapAutomator ==https://github.com/21y4d/nmapAutomatorAutoRecon ==https://github.com/Tib3rius/AutoReconAmass ==https://github.com/OWASP/AmassCloudEnum ==https://github.com/initstring/cloud_enumRecon-NG ==https://github.com/lanmaster53/recon-ngAttackSurfaceMapper ==https://github.com/superhedgy/AttackSurfaceMapperDNSDumpster ==https://dnsdumpster.com/

🔴 INITIAL ACCESS:

SprayingToolKit ==https://github.com/byt3bl33d3r/SprayingToolkito365Recon ==https://github.com/nyxgeek/o365reconPsudohash ==https://github.com/t3l3machus/psudohashCredMaster ==https://github.com/knavesec/CredMasterDomainPasswordSpray ==https://github.com/dafthack/DomainPasswordSprayTheSprayer ==https://github.com/coj337/TheSprayer…
Read More
South Korean Organizations Targeted by Cobalt Strike Cat Delivered by a Rust Beacon
Hunt researchers exposed a web server hosting tools linked to an intrusion campaign against South Korean organizations. This server, available for less than 24 hours, encompassed a Rust-compiled Windows executable that deployed Cobalt Strike Cat along with several other open-source tools. The attacker appears to have focused on exploiting vulnerabilities in government and commercial entities.…
Read More
New Ransomware Operator Exploits Fortinet Vulnerability Duo
Forescout Research has identified a new ransomware strain, dubbed SuperBlack, linked to the threat actor “Mora_001”, exploiting vulnerabilities in Fortinet devices. This threat actor is connected to the LockBit ransomware ecosystem and demonstrates sophisticated tactics including rapid ransomware deployment, user account creation across victim networks, and the use of modified LockBit tools.…
Read More
Rust Beacon Deploys Cobalt Strike in South Korean Cyber Intrusion Campaign
Summary: Hunt researchers have detected a sophisticated cyber intrusion campaign focusing on South Korean organizations, utilizing modified Cobalt Strike tools and various open-source exploitation tools. The attackers leveraged a publicly exposed web server to distribute their malware and gather intelligence on over 1,000 Korean domains, targeting government and commercial entities.…
Read More
Rapid7 MDR Supports AWS GuardDuty’s New Attack Sequence Alerts
AWS GuardDuty has introduced two new alerts—”Potential Credential Compromise” and “Potential S3 Data Compromise”—to enhance threat detection by correlating multiple signals over time, which aids in detecting sophisticated attacks. These improvements allow for rapid response to potential threats, supported by Rapid7’s Managed Threat Complete and InsightCloudSec services.…
Read More
The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants
A significant data breach occurred involving a threat actor known as “rose87168,” who sold 6 million records extracted from Oracle Cloud’s SSO and LDAP systems. The compromised data includes sensitive credentials and key files, affecting over 140,000 tenants. The actor’s activities suggest they exploited a web application vulnerability, raising severe concerns regarding Oracle Cloud’s security.…
Read More
Operation FishMedley
The US Department of Justice has indicted employees of the Chinese contractor I‑SOON for conducting espionage campaigns, particularly targeting governments, NGOs, and think tanks through the FishMonger APT group. The campaign, termed Operation FishMedley, involved complex techniques and tools typically used by China-aligned threat actors, leading to the compromise of several organizations across various continents.…
Read More
Ransomware Group Claims Attack on Virginia Attorney General’s Office
Summary: The Cloak ransomware group has executed a cyberattack on the Virginia Attorney General’s Office, leading to significant disruptions in their computer systems and services. Following the attack, Cloak claimed responsibility and released purportedly stolen data on their leak site. This incident marks Cloak’s first confirmed attack in 2023, amid an increasing number of victims since the group’s emergence.…
Read More
UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools
Summary: A new advanced persistent threat (APT) group named UAT-5918 has been identified, targeting critical infrastructure and various sectors in Taiwan since 2023. Their tactics include gaining long-term access for information theft using web shells and open-source tools, leveraging known security flaws in outdated systems. Researchers associate their methods with other Chinese hacking groups and highlight a sophisticated approach to credential harvesting and data theft.…
Read More
China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families
Summary: The China-linked APT group Aquatic Panda has been implicated in a global espionage campaign targeting various organizations across multiple countries in 2022. This operation, codenamed “Operation FishMedley,” involved sophisticated malware tools and is attributed to a collective recognized for reusing well-known hacking mechanisms. The campaign underscores ongoing cybersecurity threats posed by state-sponsored actors using advanced techniques for espionage.…
Read More
SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset
SideWinder, also known as Rattlesnake or T-APT-04, is an advanced persistent threat group from India that has expanded its operations to target maritime and nuclear sectors across Asia, the Middle East, and Africa since 2012. Known for quickly adapting to security measures, SideWinder employs various tactics, techniques, and procedures (TTPs) to execute sophisticated cyber-attacks, primarily through phishing and malware.…
Read More
Critical RCE Vulnerability Discovered in Veeam Backup & Replication
Summary: A critical-severity vulnerability (CVE-2025-23120) affecting Veeam Backup & Replication can lead to remote code execution by authenticated users, with a CVSS score of 9.9. This flaw impacts version 12.3.0.310 and all earlier builds, prompting urgent patching to the newly released version 12.3.1. Organizations are cautioned about the potential threats to data integrity and privilege escalation associated with this vulnerability.…
Read More