Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs
The article discusses Operation HollowQuill, a targeted cyber campaign against the Baltic State Technical University, designed to infiltrate academic and defense networks through weaponized decoy documents. The attack utilizes a multi-stage infection chain, including a malicious RAR file, a .NET malware dropper, Golang shellcode, and a Cobalt Strike payload.…
Bulletproof Hosting Fuels Russia-Linked Intrusion Sets’ Global Cyber Campaign
Summary: A recent Intrinsec report highlights the operations of Russian-aligned intrusion sets UAC-0050 and UAC-0006, which are conducting spam campaigns motivated by financial theft and cyber espionage targeting Ukraine and its allies. Their activities include a mix of phishing, malware delivery, and psychological warfare, utilizing resilient infrastructure linked to shadowy hosting providers.…
Analyzing New HijackLoader Evasion Tactics
HijackLoader is a modular malware loader discovered in 2023, capable of delivering payloads and employing various evasion techniques. Recently uncovered modules feature advanced tactics such as call stack spoofing, virtual machine detection, and persistence through scheduled tasks. Affected: malware, cybersecurity sector, antivirus software
Keypoints:
HijackLoader is a malware downloader first identified in 2023, continually receiving updates.…
Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp
Summary: A Russian hacking group known as Water Gamayun is exploiting a Microsoft Windows vulnerability (CVE-2025-26633) to deliver the backdoors SilentPrism and DarkWisp. The group uses malicious provisioning packages and signed .msi files to execute commands and steal sensitive data. Their operations have evolved, utilizing sophisticated methods for persistence, command and control, and stealthy data exfiltration.…
Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory
Summary: Malicious hackers are exploiting the ‘mu-plugins’ directory in WordPress to conceal malware, which is difficult for standard security checks to detect. Recently identified files, such as redirect.php and index.php, facilitate backdoor access, redirect users to harmful sites, and alter site content. The exploitation often stems from vulnerabilities such as weak credentials and poorly configured server permissions.…
Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
Summary: A recent phishing campaign targeting Ukrainian entities has been identified, utilizing social engineering techniques to distribute the Remcos RAT trojan. This campaign, attributed to the Russian hacking group Gamaredon, uses deceptive files related to military movements to trick victims. The campaign highlights ongoing cyber espionage efforts associated with Russian Intelligence Services against Ukraine.…
The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques
The cyberespionage group Earth Alux, linked to China, employs sophisticated techniques to target critical sectors in the Asia-Pacific (APAC) and Latin America. Their primary backdoor, VARGEIT, facilitates stealthy data exfiltration, affecting vital industries including government, technology, and logistics. To mitigate the risks of such cyber threats, organizations should adopt proactive security measures.…
Red Team Perspective: Known Attack Surface and Potential Risks of GitLab – Security KER – Security Information Platform
This article discusses various known attack surfaces and potential risks associated with GitLab, highlighting a range of vulnerabilities, including Remote Code Execution (RCE), SSRF, XSS, and permission escalation issues. The information covers the history of vulnerabilities, their impact, and famous cases, emphasizing the importance of security measures for self-managed GitLab instances.…
Exposed Jupyter Notebooks Targeted to Deliver Cryptominer
Cado Security Labs uncovered a new cryptomining campaign that exploits misconfigured Jupyter Notebooks across Windows and Linux systems. This campaign employs a series of executables, scripts, and binary downloads to install cryptominers targeting various cryptocurrencies. Affected: Jupyter Notebooks, Windows systems, Linux systems, cloud environments
Keypoints:
A cryptomining campaign utilizes Jupyter Notebooks, targeting Windows and Linux.…
SVC New Stealer on the Horizon
SvcStealer 2025 is a sophisticated information-stealing malware delivered through spear phishing emails. It captures sensitive data from victims, including credentials and cryptocurrency wallet information, and sends it to a command and control (C2) server. With a focus on evading detection, it deletes traces of its activities and can potentially download additional malware.…
Gamaredon Exploits Troop Movement Lures to Spread Remcos via DLL Sideloading
Summary: A targeted malware campaign by the Russian state-aligned group Gamaredon is exploiting Windows shortcut files to disseminate the Remcos backdoor, primarily targeting users in Ukraine. By masquerading as sensitive military documents, this operation takes advantage of the ongoing geopolitical strife, using sophisticated techniques for stealth and access retention.…
The Ransom Group D0glun: Hidden Threat or Just for Fun?
The D0glun ransomware, first identified on January 16, 2025, showcases a unique method of operation, targeting victims by displaying their private information and requiring a key and ID for file decryption. The motivation behind the attack is assessed with low confidence; it may be the work of an inept beginner. Affected: ransomware, cybersecurity
Keypoints:
D0glun ransomware was first submitted on January 16, 2025.…
Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging
APT28 has been observed conducting cyber espionage activities focusing on Central Asia and Kazakhstan. This analysis explores a heavily obfuscated malware sample, assessing its capabilities, particularly its use of VBScript and interaction with a command-and-control server. Affected: APT28, Central Asia, Kazakhstan
Keypoints:
APT28 is engaged in cyber espionage targeting Central Asia and Kazakhstan.…
Stealthy Snake Keylogger Malware Targets Credentials in Sophisticated Attacks
Summary: Seqrite Labs reports on a malicious campaign using SnakeKeylogger, an advanced info-stealing malware, which employs a multi-stage infection chain and stealthy execution methods to extract sensitive data from victims. The infection begins with malicious spam emails that contain disguised executable files, leading to the deployment of sophisticated payloads that evade detection.…
150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
Summary: A malware campaign has compromised approximately 150,000 websites by injecting malicious JavaScript to redirect users to Chinese-language gambling platforms. These attacks utilize iframe tactics for full-screen overlays, targeting visitors of infected sites. Another related operation, dubbed DollyWay, has affected over 20,000 websites globally by redirecting traffic through a complex network of compromised WordPress sites to various scam pages.…
Apache Tomcat: CVE-2025-24813
CVE-2025-24813 is a critical vulnerability in Apache Tomcat that can allow remote, unauthenticated attackers to execute arbitrary code or access sensitive files. Organizations using vulnerable versions need to apply patches to protect their systems. Affected: Apache Tomcat
Keypoints:
Critical path equivalence vulnerability in Apache Tomcat, identified as CVE-2025-24813.…