Tag: PERSISTENCE

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Microsoft Threat Intelligence has reported on the Russian nation-state actor Secret Blizzard, which has been using co-opted tools and infrastructure from other threat actors to conduct espionage activities against targets in Ukraine. The campaigns have involved the deployment of custom malware, including the Tavdig and KazuarV2 backdoors, often facilitated through cybercriminal tools like Amadey bot malware.…
Read More
How to Eliminate Identity-Based Threats
Summary: Credential and user-based attacks are a major threat to enterprises, accounting for 50-80% of breaches. Traditional security measures focus on risk reduction rather than prevention, leaving organizations vulnerable. However, modern authentication technologies now offer a paradigm shift that can fully eliminate identity-based threats, transforming identity security practices.…
Read More
QakBot-Linked BC Malware Adds Enhanced DNS Tunneling and Remote Access Features
Summary: Cybersecurity researchers have uncovered a new BackConnect (BC) malware linked to the QakBot loader, which enhances the threat actors’ capabilities for persistence and exploitation. The malware utilizes modules like DarkVNC and IcedID to maintain remote access and gather system information. This development highlights the interconnected nature of cybercriminal groups, particularly between QakBot and the Black Basta ransomware operations.…
Read More
Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9)
Summary: Cisco has issued critical software updates to address a privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management system, allowing remote attackers to gain administrator access. Additionally, patches were released for a denial-of-service (DoS) flaw in BroadWorks and an integer underflow bug in ClamAV. The vulnerabilities highlight ongoing security challenges faced by organizations using Cisco products.…
Read More
Fileless Malware Nedir? S1Ep2 Cobalt Kitty Operasyonu
This article examines “Operation Cobalt Kitty,” a sophisticated cyberattack targeting financial companies in Asia. The attackers primarily employed fileless malware, spear-phishing, and DNS tunneling techniques to gain access to sensitive systems and maintain persistence. The operation exemplifies the potential damage posed by fileless malware and highlights the lack of detection by existing security measures.…
Read More
Advanced Threat Detection: Exploitation Tactics from a CIRT Technical Interview
This article examines two scenarios wherein attackers exploit misconfigured Redis servers and utilize cloud storage resources to execute malicious scripts and gain unauthorized access. The sophisticated techniques employed emphasize the necessity for proactive defensive measures. Affected: Redis servers, macOS systems

Keypoints :

Attackers exploit misconfigurations in Redis services to execute remote commands.…
Read More
Four Critical Ivanti CSA Vulnerabilities Exploited, CISA and FBI Urge Mitigation
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory regarding the active exploitation of four critical vulnerabilities in Ivanti Cloud Service Appliances. These include CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, which can lead to unauthorized access, remote code execution, and credential theft.…
Read More
ValleyRAT: A Rootkit Leveraging Stolen Certificates and Bypassing AVs
The ValleyRAT malware represents a significant evolution in cyber threats, employing advanced tactics to maintain control over compromised systems while evading detection. This analysis provides insights into its behavior, technical composition, and how it leverages a stolen code-signing certificate to enhance its stealth capabilities. Affected: Windows systems, cybersecurity sector

Keypoints :

The ValleyRAT malware utilizes sophisticated methods to evade detection and maintain persistence.…
Read More
Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle With a Self-Guided Malware Agent
This article discusses the integration of older automation tools with large language models (LLMs) to enhance malware development and delivery methods, including the use of tools like Mantis and Stopwatch.ai for reconnaissance and obfuscation. It highlights the potential of LLMs in creating convincing phishing attacks and guiding malware operations, ultimately leading to a more sophisticated attack lifecycle.…
Read More
Dark Web Profile: OilRig (APT34)
OilRig, also known as APT34, is a state-sponsored APT group linked to Iranian intelligence, primarily targeting sectors like government, energy, finance, and telecommunications. Their sophisticated cyber-espionage tactics include spear-phishing and custom malware, making them a persistent threat across the Middle East and beyond. Affected: government, energy, financial, telecommunications sectors

Keypoints :

OilRig is a state-sponsored APT group associated with Iranian intelligence.…
Read More
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers have uncovered a previously undisclosed APT group, PlushDaemon, linked to China, which executed a supply-chain attack on a South Korean VPN developer in 2023. The attackers replaced the legitimate VPN installer with a malicious version that deployed a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit with over 30 components, allowing extensive cyber espionage capabilities.…
Read More
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Summary: A newly identified China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack on a South Korean VPN provider, utilizing a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit designed for espionage and data collection, indicating the group’s significant operational capabilities since at least 2019.…
Read More
Imperva Protects Against the Exploited CVEs in the Cleo Data Theft Attacks
The Clop ransomware group has exploited critical vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo’s managed file transfer software, leading to unauthorized access and data exfiltration. Imperva has observed over 1 million attempts to exploit these vulnerabilities across various industries, particularly targeting the Financial Services and Government sectors.…
Read More
Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users
Mozilla Firefox and Thunderbird users are facing critical vulnerabilities that could result in arbitrary code execution and system instability. The Indian Computer Emergency Response Team (CERT-In) has issued an advisory urging immediate software updates to mitigate these risks. Affected: Mozilla Firefox, Mozilla Thunderbird

Keypoints :

High-severity vulnerabilities found in Mozilla Firefox and Thunderbird.…
Read More
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos X-Ops’ Managed Detection and Response (MDR) has reported on two active threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to infiltrate organizations for data theft and ransomware deployment. The tactics include email-bombing, fake tech support, and exploiting remote control tools. Both clusters exhibit overlapping techniques with known threat groups like FIN7 and Storm-1811.…
Read More