Tag: zero-day

49 Attack Reports | 0 Vulnerabilities

Attack reports

Prolific Zero-Day Exploits Continue

Despite sanctions, Intellexa continues to operate, developing and selling spyware to various clients. The company has been linked to 15 unique zero-day vulnerabilities since 2021, targeting mobile browsers and operating systems. Their exploit chain, known as 'smack', uses a framework called JSKit f…
ios
surveillance
android
zero-day
spyware
CVE-2024-4610
chrome
CVE-2025-6554
2025-12-04
predator
CVE-2023-41991
CVE-2023-41992
CVE-2023-41993
exploit-chain
CVE-2023-2033
preyhunter
CVE-2023-4762
CVE-2021-37976
CVE-2023-2136
CVE-2023-3079
CVE-2021-37973
CVE-2021-38003
CVE-2021-1048
CVE-2025-48543
CVE-2021-38000
Published: December 4, 2025
Linked vulnerabilities : CVE-2024-4610, CVE-2025-6554 (CVSS 8.1), CVE-2025-12480 (CVSS 9.1), CVE-2025-48543, CVE-2021-1048, CVE-2023-2136, CVE-2021-38003, CVE-2021-37976, CVE-2023-2033, CVE-2023-41993, CVE-2023-41992, CVE-2023-41991, CVE-2023-4762, CVE-2023-3079, CVE-2021-38000, CVE-2021-37973, CVE-2022-42856
Downloadable IOCs: 2

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…
supply-chain
obfuscation
apt
powershell
rhadamanthys
zero-day
CVE-2025-26633
msc eviltwin
encrypthub
darkwisp
silentprism
russia-aligned
2025-11-26
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 5

New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Unit 42 researchers have uncovered LANDFALL, a previously unknown Android spyware family targeting Samsung Galaxy devices. The spyware exploits CVE-2025-21042, a zero-day vulnerability in Samsung's image processing library, to deliver commercial-grade surveillance capabilities. LANDFALL is embedded…
android
whatsapp
zero-day
spyware
samsung
CVE-2025-43300
CVE-2025-55177
2025-11-07
CVE-2025-21042
CVE-2025-21043
landfall
dng
commercial-grade
Published: November 7, 2025
Downloadable IOCs: 18

BRONZE BUTLER exploits Japanese asset management software vulnerability

In mid-2025, a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The vulnerability, CVE-2025-61932, allowed remote attackers to execute arbitrary commands with SYSTEM privilege…
zero-day
havoc
CVE-2025-61932
2025-10-31
oaed loader
gokcpdoor
lanscope
Published: October 31, 2025
Downloadable IOCs: 0

How ForumTroll APT was linked to Dante spyware

Kaspersky researchers uncovered a sophisticated attack campaign dubbed Operation ForumTroll, targeting organizations in Russia and Belarus. The campaign utilized a zero-day exploit (CVE-2025-2783) in Google Chrome to deliver spyware. Further investigation revealed connections to previously unknown …
zero-day
sandbox escape
dante
2025-10-27
leetagent
Published: October 27, 2025
Linked vulnerabilities : CVE-2025-2783 (CVSS 8.3), CVE-2025-2857 (CVSS 10.0)
Downloadable IOCs: 3

Mem3nt0 mori – The Hacking Team is back!

Kaspersky researchers uncovered a sophisticated attack campaign dubbed Operation ForumTroll, targeting organizations in Russia and Belarus. The campaign utilized a zero-day exploit (CVE-2025-2783) in Google Chrome to deliver spyware. Further investigation revealed connections to previously unknown …
zero-day
sandbox escape
dante
2025-10-27
leetagent
Published: October 27, 2025
Downloadable IOCs: 0

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | Google Cloud Blog

Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal…
linux
windows
zero-day
brickstorm
ssh
2025-10-08
unc5221
vpxd
backup scan
sentinel
silk typhoon
systemconfiguration
socks proxy
vcenter
Published: October 8, 2025
Downloadable IOCs: 12

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors

Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal…
linux
windows
zero-day
brickstorm
ssh
2025-10-08
unc5221
vpxd
backup scan
sentinel
silk typhoon
systemconfiguration
socks proxy
vcenter
Published: October 8, 2025
Downloadable IOCs: 12

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …
rat
social engineering
cryptocurrency
zero-day
poolrat
pondrat
financial
2025-09-02
remotepe
themeforestrat
2025-09-03
Published: September 3, 2025
Downloadable IOCs: 0

WinRAR Directory Traversal & NTFS ADS Vulnerabilities (CVE-2025-6218 & CVE-2025-8088)

Two high-severity vulnerabilities in WinRAR for Windows enable attackers to write files outside intended extraction directories. CVE-2025-6218 involves traditional path traversal, while CVE-2025-8088 extends the attack using NTFS Alternate Data Streams. Both flaws allow for reliable persistence and…
zero-day
remote code execution
winrar
CVE-2025-8088
CVE-2025-6218
2025-08-25
Published: August 25, 2025
Linked vulnerabilities : CVE-2025-8088, CVE-2025-6218
Downloadable IOCs: 4

Paper Werewolf targets Russia with WinRAR zero-day vulnerability

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations, delivering malware through archive files. The attacks targeted Russian entities, ut…
phishing
zero-day
shellcode
c2
winrar
directory traversal
2025-08-20
rar
CVE-2025-6218
xpsrchvw74.exe
winrunapp.exe
Published: August 20, 2025
Downloadable IOCs: 0

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

PipeMagic is a sophisticated modular backdoor used by the Storm-2460 threat actor, disguised as a legitimate ChatGPT Desktop Application. It employs a highly flexible architecture with multiple linked list structures for payload management, execution, and networking. The malware communicates with i…
backdoor
ransomware
windows
zero-day
modular
chatgpt
CVE-2025-29824
clfs
pipemagic
2025-08-18
Published: August 18, 2025
Linked vulnerabilities : CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 4

ToolShell Exploit: Critical SharePoint Zero-Day Threatens Global Enterprises

A zero-day exploit chain named 'ToolShell' is actively targeting on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cry…
zero-day
chinese threat actors
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
exploit chain
2025-08-14
in-memory payload
cryptographic keys
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 8

ToolShell: An all-you-can-eat buffet for threat actors

A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaini…
backdoor
apt
vulnerability
zero-day
exploitation
webshell
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-08-12
msil/webshell.js
china-aligned
Published: August 12, 2025
Linked vulnerabilities : CVE-2025-49704
Downloadable IOCs: 20

Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

A zero-day vulnerability in WinRAR, CVE-2025-8088, has been discovered being exploited in the wild by the Russia-aligned group RomCom. The vulnerability allows attackers to hide malicious files in archives, which are silently deployed when extracted. The exploit was used in spearphishing campaigns …
backdoor
exploit
spearphishing
vulnerability
zero-day
mythic
winrar
snipbot
rustyclaw
russia-aligned
2025-08-11
CVE-2025-8088
Published: August 11, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2025-8088
Downloadable IOCs: 9

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Dr…
ransomware
zero-day
vpn
akira
byovd
drivers
sonicwall
2025-08-08
av/edr evasion
Published: August 8, 2025
Downloadable IOCs: 2

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…
ransomware
zero-day
credential theft
lateral movement
vpn
mfa bypass
akira
sonicwall
2025-08-04
Published: August 4, 2025
Downloadable IOCs: 12

SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping

Chinese threat actors have been exploiting zero-day vulnerabilities in SharePoint servers, known as ToolShell, affecting nearly 150 organizations worldwide. The attacks, attributed to groups like Linen Typhoon and Violet Typhoon, began as early as July 17, 2025, targeting government agencies, criti…
zero-day
reconnaissance
webshell
chinese threat actors
sharepoint
cloud infrastructure
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
2025-08-02
warlock ransomware
network mapping
telecommunication abuse
mapp
Published: August 2, 2025
Downloadable IOCs: 0

Inside The ToolShell Campaign

FortiGuard Labs has identified a new exploit chain called 'ToolShell' targeting on-premises Microsoft SharePoint servers. This attack combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote …
zero-day
fileless
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-07-25
keysiphon
exploit chain
ghostwebshell
Published: July 25, 2025
Downloadable IOCs: 0

Defending Against ToolShell: SharePoint's Latest Critical Vulnerability

A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. This vulnerability allows unauthenticated remote code execution, posing a significant threat to organizations worldwide. SentinelOne has detected active exploitation …
vulnerability
zero-day
cybersecurity
remote code execution
threat detection
sharepoint
patch
CVE-2025-53770
toolshell
2025-07-23
Published: July 23, 2025
Downloadable IOCs: 2

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been obser…
vulnerability
zero-day
webshell
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
2025-07-22
CVE-2025-49704
CVE-2025-49706
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-49704
Downloadable IOCs: 3

SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know

Two critical zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are actively exploited in on-premises Microsoft SharePoint servers. These flaws enable unauthenticated remote code execution through an exploit chain dubbed ToolShell. CVE-2025-53770 is a critical RCE vulnerability caused by …
zero-day
spoofing
sharepoint
rce
authentication bypass
patch
CVE-2025-53770
CVE-2025-53771
2025-07-21
toolshell
deserialization
on-premises
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-23266 (CVSS 9.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 3

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

The Good, the Bad and the Ugly in Cybersecurity – Week 20

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unico…
ransomware
zero-day
botnet
npm
dns hijacking
dark web
CVE-2025-27920
omserverservice.exe
omclientservice.exe
output messenger
2025-05-16
kurdish military
doppelpaymer
Published: May 16, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8)
Downloadable IOCs: 1

CVE-2025-32756: FortiVoice Zero-Day Exploit Alert

A critical zero-day vulnerability (CVE-2025-32756) in multiple Fortinet products, including FortiVoice, has been actively exploited. The flaw is a stack-based buffer overflow that allows remote code execution without authentication. Attackers can gain full control of affected systems, access sensit…
zero-day
fortinet
patch
2025-05-14
fortivoice
remote-code-execution
credential-capture
CVE-2025-32756
network-scan
buffer-overflow
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-32756
Downloadable IOCs: 6

Marbled Dust leverages zero-day in Output Messenger for regional espionage

A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq, allowing the actor to deliver malicious files and exfiltrate data. The exploit involves a directory tra…
backdoor
espionage
zero-day
golang
data exfiltration
iraq
dns hijacking
CVE-2025-27920
CVE-2025-27921
2025-05-12
omserverservice.exe
omserverservice.vbs
omclientservice.exe
kurdistan
output messenger
2025-05-13
directory traversal
om.vbs
Published: May 13, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8), CVE-2025-27921 (CVSS 6.1)
Downloadable IOCs: 3

DslogdRAT Malware Installed in Ivanti Connect Secure

The article discusses a malware called DslogdRAT, which was installed on Ivanti Connect Secure systems by exploiting CVE-2025-0282. The malware communicates with a C2 server during business hours to avoid detection. It uses a web shell for initial access and supports various commands for file opera…
zero-day
c2 communication
web shell
CVE-2025-0282
CVE-2025-22457
spawnsnare
ivanti connect secure
2025-04-28
spawnchimera
dslogdrat
Published: April 28, 2025
Downloadable IOCs: 0

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…
backdoor
loader
obfuscation
apt
powershell
cobalt strike
zero-day
encryption
CVE-2024-6473
CVE-2025-2783
2025-04-18
dante
trinper
Published: April 18, 2025
Downloadable IOCs: 0

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along …
espionage
zero-day
vpn
remote code execution
edge devices
buffer overflow
china-nexus
spawnsloth
CVE-2025-22457
2025-04-04
brushfire
spawnsnare
trailblaze
ivanti connect secure
spawnwave
Published: April 4, 2025
Downloadable IOCs: 0

A Deep Dive into Water Arsenal and Infrastructure

Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and…
backdoor
powershell
rhadamanthys
zero-day
stealer
stealc
c&c
CVE-2025-26633
msc eviltwin
2025-03-29
lolbins
darkwisp
encrypthub stealer
silentprism
Published: March 29, 2025
Downloadable IOCs: 0

Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an …
apt
phishing
zero-day
google chrome
2025-03-25
trojan.win64.convagent.gen
sandbox escape
trojan.win64.agent
CVE-2025-2783
Published: March 25, 2025
Downloadable IOCs: 0

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).
backdoor
windows
infostealer
zero-day
github
trojanspy
sha256
detection
CVE-2025-26633
2025-03-25
disease vector
msc eviltwin
filename
water gamayun
files
related
domain
description
encrypthub
Published: March 25, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 58

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

A recent campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces has been observed. The threat actors gained unauthorized access to the firewalls' administrative controls, created new accounts, established SSL VPN connections, and made various configuration changes…
zero-day
lateral movement
fortigate
vulnerability scanning
fortinet
2025-01-11
ssl vpn
firewall
jsconsole
Published: January 11, 2025
Downloadable IOCs: 0

New Cleo zero-day RCE flaw exploited in data theft attacks

A critical zero-day vulnerability in Cleo's managed file transfer software is being actively exploited by hackers to breach corporate networks and steal data. The flaw affects Cleo LexiCom, VLTrader, and Harmony products, allowing unrestricted file upload and downloads leading to remote code execut…
data theft
zero-day
CVE-2024-50623
rce
termite
cleo
lexicom
2024-12-11
vltrader
cleo harmony
Published: December 11, 2024
Downloadable IOCs: 0

Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection

A sophisticated ongoing attack has been discovered that evades antivirus software, prevents sandbox uploads, and bypasses Outlook's spam filters. The attackers deliberately corrupt files to conceal their type, making detection difficult for security tools. These corrupted files, often identified as…
zero-day
sandbox evasion
2024-12-04
spam filter bypass
antivirus bypass
file corruption
Published: December 4, 2024
Downloadable IOCs: 6

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

The Good, the Bad and the Ugly in Cybersecurity - Week 43

CISA proposes new security measures to protect sensitive data from adversary nations, following President Biden's Executive Order. A free file recovery tool for early Mallox ransomware victims is released. A novel macOS ransomware, macOS.NotLockBit, is discovered abusing AWS S3 for data exfiltratio…
ransomware
zero-day
mallox
cisa
CVE-2024-47575
2024-10-25
fortinet
aws s3
macos.notlockbit
Published: October 25, 2024
Downloadable IOCs: 0

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data fr…
vulnerability
zero-day
exploitation
fortigate
CVE-2024-47575
2024-10-24
fortimanager
cyber-espionage
configuration-exfiltration
network-security
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 4

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
social engineering
windows
zero-day
CVE-2023-36025
exploitation
CVE-2021-40444
CVE-2024-38112
2024-07-10
internet explorer
malicious files
Published: July 10, 2024
Linked vulnerabilities : CVE-2024-38112 (CVSS 7.5), CVE-2021-40444, CVE-2023-36025
Downloadable IOCs: 7

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Linked vulnerabilities : CVE-2023-20867, CVE-2022-41328, CVE-2022-22948, CVE-2023-34048, CVE-2022-42475
Downloadable IOCs: 39

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…
apt
cobalt strike
ukraine
malicious document
cobalt strike beacon
zero-day
CVE-2017-8570
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports