How To Bypass Windows UAC With UACMe
This article discusses bypassing User Account Control (UAC) in Windows using the UACMe tool, developed by hfiref0x. It explains UAC's purpose in Windows security and walks through the steps of applying the tool's bypass methods, for educational purposes only. Affected: Windows Operating System

Key points:

User Account Control (UAC) was introduced in Windows Vista to prevent unauthorized system changes.…
Signed Sideloaded Compromised
This article outlines a sophisticated multi-stage attack that combined vishing, remote access tools, and abuse of legitimate software to gain unauthorized access and maintain persistence. The attackers delivered malicious payloads through Microsoft Teams, used Quick Assist for initial remote access, and then deployed TeamViewer (a legitimate remote-access product abused for persistence) alongside a JavaScript-based command-and-control backdoor.…
Ivanti patches Connect Secure zero-day exploited since mid-March – PRSOL:CC
Ivanti has addressed a critical remote code execution vulnerability (CVE-2025-22457) in its Connect Secure product, exploited by a China-linked espionage actor. The flaw stems from a stack-based buffer overflow and impacts several versions of Ivanti and Pulse Connect Secure products. Admins are urged to update their systems to the patched version 22.7R2.6 and monitor for signs of compromise.…
SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack
Summary: A cascading supply chain attack initiated through the SpotBugs project has been linked to a theft of a personal access token (PAT), impacting users of the “tj-actions/changed-files” GitHub Action, including Coinbase. The attackers gained access via compromised GitHub Actions workflows, allowing them to manipulate repositories over several months.…
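A consumer of a third-party GitHub Action is only as safe as the ref it pins to: a tag or branch can be retargeted by whoever controls (or has compromised) the action's repository, while a full commit SHA cannot. The following is an added example, not code from the article or from the SpotBugs or tj-actions projects, that scans a workflow file for `uses:` references that are not SHA-pinned. The workflow text and the 40-hex SHA in it are constructed placeholders, and the scanner assumes the common one-line `uses:` layout rather than parsing full YAML.

```python
"""Scan GitHub Actions workflow files for action references that are not pinned to a commit SHA (added example)."""
import re

# Constructed workflow (not from the article or the affected repositories). The SHA is a
# placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: example/some-action@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# One `uses:` per line is assumed; quotes and trailing comments are tolerated.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)['\"]?")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """'sha' is immutable; 'tag' and 'branch' can be retargeted by whoever controls the action repo."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local-or-image"    # out of scope for this check
    if "@" not in ref:
        return "unpinned"          # no ref at all: resolves to the default branch at run time
    _, version = ref.rsplit("@", 1)
    if SHA_RE.fullmatch(version):
        return "sha"
    if version in ("main", "master") or version.startswith("refs/heads/"):
        return "branch"
    return "tag"


def audit_workflow(text):
    """Return [(line, ref, kind)] for every `uses:` that is not SHA-pinned (local/docker refs skipped)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify(ref)
        if kind in ("tag", "branch", "unpinned"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned to a mutable {kind}; pin to a full commit SHA")
```

Pinning to a SHA moves the version into a comment after the ref, so the human-readable version survives while the executed code is fixed; a dependency-update bot can then bump the SHA and comment together.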
Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective — Elastic Security Labs
OUTLAW is a persistent, auto-propagating coinminer that utilizes simple techniques such as SSH brute-forcing and modification of commodity miners for infection and persistence. By deploying a honeypot, researchers gained insights into how OUTLAW operates, revealing the malware’s ability to maintain control and expand its botnet with basic tactics.…
Wiz Threat Research has identified an ongoing campaign by the threat actor JINX-0126, targeting poorly configured and publicly exposed PostgreSQL servers. By exploiting weak login credentials, the actor gains access to deploy XMRig-C3 cryptominers, impacting over 1,500 victims. The attacker employs advanced techniques to evade detection while continuously scanning for vulnerable systems.…
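The exposure this campaign relies on is a PostgreSQL listener reachable from the internet whose pg_hba.conf accepts password authentication from any address. Below is an added example, not code from Wiz or the PostgreSQL project, that parses pg_hba.conf rules and flags the ones that admit password guessing from non-private address space, with a constructed weak configuration beside a hardened one. It assumes `host`-type rules use CIDR notation in the ADDRESS field (the separate IP-and-netmask form is not handled).

```python
"""Audit pg_hba.conf for rules that expose PostgreSQL to password guessing (added example)."""
import ipaddress

# Constructed configurations: the first is the kind of exposure the campaign preys on,
# the second is a hardened equivalent. Neither is taken from the article.
WEAK_CONF = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   0.0.0.0/0     md5
host    all       all   ::/0          password
"""

HARDENED_CONF = """\
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   all       all                     peer
host    all       all      127.0.0.1/32   scram-sha-256
host    appdb     appuser  10.20.0.0/16   scram-sha-256
hostssl appdb     appuser  10.30.0.0/16   cert
"""

PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}  # guessable when reachable
LEGACY_METHODS = {"password", "md5"}                      # cleartext / replayable hashes


def parse_pg_hba(text):
    """Parse whitespace-separated rule lines; ADDRESS for host* rules is assumed to be CIDR."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rule = {"type": f[0], "db": f[1], "user": f[2], "address": None, "method": f[3]}
        else:
            rule = {"type": f[0], "db": f[1], "user": f[2], "address": f[3], "method": f[4]}
        rule["line"] = lineno
        rules.append(rule)
    return rules


def is_exposed(address):
    """True when ADDRESS admits clients outside loopback/private space (or cannot be verified)."""
    if address in (None, "samehost", "samenet"):
        return False
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return True   # hostname or unknown form: treat as exposed rather than silently trusting it
    return net.prefixlen == 0 or not (net.is_private or net.is_loopback)


def audit(text):
    """Return [(line, message)] for every rule that needs attention."""
    findings = []
    for r in parse_pg_hba(text):
        issues = []
        if r["method"] == "trust":
            issues.append("trust grants access with no authentication")
        if r["method"] in PASSWORD_METHODS and is_exposed(r["address"]):
            issues.append(f"password auth reachable from {r['address']}: restrict ADDRESS or require hostssl+cert")
        if r["method"] in LEGACY_METHODS:
            issues.append(f"{r['method']} is legacy; use scram-sha-256")
        if issues:
            findings.append((r["line"], "; ".join(issues)))
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {conf_name}: {len(audit(conf))} finding(s)")
        for line, msg in audit(conf):
            print(f"  line {line}: {msg}")
```

Restricting ADDRESS does not help if `listen_addresses` in postgresql.conf is `*` and the host has no network filter in front of it, so treat this check as one layer; the weak-credential problem itself is fixed by rotating to strong passwords or client certificates.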
Threat actors leverage tax season to deploy tax-themed phishing campaigns
As the tax season approaches in the U.S., Microsoft has noted an increase in phishing campaigns using tax-related themes to steal sensitive information and deploy malware. These campaigns exploit various techniques, including URL shorteners, QR codes, and legitimate file-hosting services to evade detection. The reported threats include credential theft linked to platforms like RaccoonO365 and various malware types such as Remcos and Latrodectus.…
Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
Summary: Microsoft has issued warnings about multiple phishing campaigns utilizing tax-related themes to distribute malware and steal credentials. These campaigns employ sophisticated methods like URL shorteners and QR codes to mask malicious intent while targeting thousands of organizations, especially in the U.S. The attacks often involve a phishing-as-a-service platform, RaccoonO365, and various malware types, including remote access trojans and information stealers.…
Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
Summary: Counterfeit smartphones have been found preloaded with a modified version of the Triada Android malware, affecting over 2,600 users primarily in Russia. This malware can steal sensitive information, control devices remotely, and has been distributed through compromised production processes. The ongoing threat from Triada highlights vulnerabilities in the hardware supply chain and the potential financial gain for attackers.…
My book on Cyber Threat Intel, that never quite made it as a book, Chapter 1.1
This content explores the significance of Cyber Threat Intelligence (CTI) in improving organizational security and understanding the threat landscape. It delves into the motivations of various types of threat actors, their tactics, and how to effectively mitigate risks. The goal is to provide a comprehensive guide that enhances awareness and proactive measures against cyber threats.…
RedCurl’s Ransomware Debut: A Technical Deep Dive
This research by Bitdefender Labs introduces the QWCrypt ransomware campaign, linked to the RedCurl group, marking a significant shift in their tactics from data exfiltration to ransomware. RedCurl has been operating since 2018 but has historically utilized Living-off-the-Land techniques for corporate espionage. Their targeting of specific infrastructures and the use of hypervisor encryption underscores a sophisticated evolution in their operational strategy, raising questions regarding their motivations and business model.…
Emulating the Sophisticated Russian Adversary Seashell Blizzard
Seashell Blizzard, also known as APT44, is a highly sophisticated Russian adversary linked to military intelligence, targeting various critical sectors to conduct espionage through persistent access and custom tools. The AttackIQ assessment template helps organizations validate their security against this threat. Affected: energy, telecommunications, government, military, transportation, manufacturing, retail sectors.…
BYOVD Reloaded: Abusing a New Driver to Kill EDR
The article discusses a sophisticated ransomware attack involving Qilin ransomware, which used the bring-your-own-vulnerable-driver (BYOVD) technique to disable Endpoint Detection and Response (EDR) software. The analysis covers the abuse of a lesser-known driver, TPwSav.sys, in the context of a ransomware-as-a-service model, the weaknesses exploited, the attack chain, and the response measures taken by Blackpoint's Security Operations Center (SOC).…
Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks
The Socket research team uncovered a malicious Python package named disgrasya on PyPI, designed to automate carding attacks against WooCommerce stores using CyberSource as a payment gateway. This openly malicious tool facilitates the testing of stolen credit card numbers, allowing low-skilled fraudsters to simulate transactions without raising fraud detection alarms.…
Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers
Summary: Researchers have uncovered a cryptocurrency mining botnet known as Outlaw, which exploits weak SSH credentials to propagate and control compromised systems. Active since 2018, it utilizes brute-force attacks and a multi-stage infection process to deploy malicious miners and maintain persistence. The botnet also exhibits features for self-propagation and remote control, using IRC channels for command and control operations.…
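Both Outlaw write-ups above (the Elastic Security Labs honeypot analysis and this summary) describe the same entry technique: SSH password brute-forcing followed by a login once a weak credential hits. The following is an added example, not code from Elastic or from the researchers cited here, that runs a sliding-window detection over OpenSSH auth.log lines: a source is flagged once it accumulates a threshold of failures inside the window, and any later successful login from a flagged source is reported separately as a likely compromise. The log lines are constructed, and the year prepended to the syslog timestamp is an assumption.

```python
"""Flag SSH password brute-forcing in OpenSSH auth.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the default OpenSSH syslog format (not captured from a real host).
SAMPLE_LOG = """\
Apr  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr  3 10:15:03 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Apr  3 10:15:06 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Apr  3 10:15:09 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 40150 ssh2
Apr  3 10:15:12 web1 sshd[2209]: Failed password for invalid user postgres from 203.0.113.5 port 40158 ssh2
Apr  3 10:15:14 web1 sshd[2211]: Failed password for oracle from 203.0.113.5 port 40162 ssh2
Apr  3 10:15:20 web1 sshd[2213]: Accepted password for oracle from 203.0.113.5 port 40170 ssh2
Apr  3 10:16:30 web1 sshd[2220]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Apr  3 10:16:41 web1 sshd[2222]: Accepted password for alice from 198.51.100.7 port 51008 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_ts(ts: str, year: int = 2025) -> datetime:
    # syslog timestamps carry no year; one is assumed (2025) so time deltas can be computed
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return ({ip: {"failures": n, "users": [...]}}, [(ip, user) logins that succeeded after flagging])."""
    recent = defaultdict(list)   # ip -> failure timestamps inside the sliding window
    totals = defaultdict(int)    # ip -> all failures seen
    users = defaultdict(set)     # ip -> usernames tried
    flagged = {}
    compromised = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, t = m.group("ip"), parse_ts(m.group("ts"))
            totals[ip] += 1
            users[ip].add(m.group("user"))
            window = recent[ip]
            window.append(t)
            while window and (t - window[0]).total_seconds() > window_seconds:
                window.pop(0)            # expire failures older than the window
            if len(window) >= threshold:
                flagged[ip] = {"failures": totals[ip], "users": sorted(users[ip])}
            continue
        m = ACCEPTED_RE.match(line)
        if m and m.group("ip") in flagged:
            compromised.append((m.group("ip"), m.group("user")))
    return flagged, compromised


if __name__ == "__main__":
    hits, logins = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, info in hits.items():
        print(f"brute-force source {ip}: {info['failures']} failures, users tried {info['users']}")
    for ip, user in logins:
        print(f"ALERT: successful login for {user} from flagged source {ip}")
```

The success-after-failures signal is the one worth paging on: a lone brute-force source is background noise on any internet-facing SSH host, whereas a login from that same source is the moment Outlaw's payload lands. The legitimate user in the sample (one typo, then success) stays below the threshold and is not reported.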
FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites
Summary: The financially motivated threat actor FIN7 has been linked to a Python-based backdoor known as Anubis, which grants attackers remote access to compromised Windows systems. This malware enables a variety of malicious activities while minimizing detection risks and is delivered through malspam campaigns. Additionally, FIN7 continues to expand its capabilities and monetization strategies by promoting tools that can disable security measures.…
Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks
Aqua Nautilus researchers have identified a new malware campaign that exploits Apache Tomcat servers, capable of hijacking resources for cryptocurrency mining. The attackers leverage encrypted payloads to establish backdoors, steal SSH credentials, and execute arbitrary code. Rapid exploitation was noted, taking just 30 hours to weaponize the vulnerability, indicating the urgency for organizations to secure their Tomcat instances.…