Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-05-06 14:17:39 |
Ransomware Attacks April 2025: Qilin Emerges from Chaos (direct link) |
Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups. Still, the long-term trend for ransomware attacks remains decidedly upward (chart below), so April's decline could be reversed as soon as new RaaS leaders are established.
[Chart: Ransomware attacks by month, 2021-2025]
For now, the uncertainty at RansomHub – which went offline at the start of April but plans to return – resulted in new groups taking over the top global attack spots. Qilin, which gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April (chart below), followed by Akira at 70, Play with 50, Lynx with 31 attacks, and NightSpire at 24. |
Ransomware
Malware
Vulnerability
Threat
Industrial
Prediction
Medical
Cloud
Technical
|
|
★★
|
 |
2025-05-05 09:40:27 |
Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences (direct link) |
|
Ransomware
Malware
Threat
Prediction
|
|
★★★
|
 |
2025-04-14 12:58:44 |
DOGE “Big Balls” Ransomware and the False Connection to Edward Coristine (direct link) |
Key Takeaways
This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment.
A vulnerable driver (CVE-2015-2291) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation.
The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution.
Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims.
The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim's physical location, offering more accurate geolocation than IP-based methods.
Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling.
Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor's (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
Overview:
A recent ransomware operation has revealed a blend of technical sophistication and psychological manipulation, setting it apart from conventional attacks. Disguised under a finance-themed ZIP file, the campaign employs deceptive shortcut files and multi-stage PowerShell scripts to deliver custom payloads, including a kernel-mode exploit tool and reconnaissance modules. This layered approach allows attackers to gat |
Ransomware
Spam
Malware
Tool
Threat
Cloud
Technical
|
|
★★★
|
 |
2025-04-04 08:22:37 |
Ransomware Attack Levels Remain High as Major Change Looms (direct link) |
March saw notable events, including a potential change at the top of the ransomware world, persistent attacks and the emergence of new groups.
March 2025 ended on a surprising note when the onion-based data leak site (DLS) of RansomHub - the largest ransomware group over the past year - went offline, fuelling speculation of a possible takeover. A few days later, rival DragonForce claimed to have taken control of RansomHub's infrastructure, raising the potential for a major shift in the ransomware landscape in the coming months.
At a time when ransomware attacks remain at record levels, Ransomware-as-a-Service (RaaS) groups package and deliver malware.
It is not yet clear whether RansomHub's run is over, but the RaaS group had a remarkable run over the past year, its staying power driven by perceptions of greater transparency than predecessor groups, predictable payouts and well-packaged attack playbooks for affiliates, in Cyble's analysis.
Ransomware Attacks Remain High
Ransomware attacks are down from February's record levels, but they still remain above |
Ransomware
Malware
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2025-03-28 12:33:16 |
TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications (direct link) |
|
Malware
Threat
Mobile
|
|
★★
|
 |
2025-03-25 09:36:32 |
Cyble Sensors Detect Exploit Attempts on Ivanti, AVTECH IP Cameras (direct link) |
Overview
Vulnerabilities in Ivanti products, AVTECH IP cameras and WordPress plugins were recently among the dozens of exploit attempts detected by Cyble honeypot sensors.
The attack attempts were detailed in the threat intelligence company's weekly Sensor Intelligence reports. The Cyble reports also examined persistent attacks against Linux systems and network and IoT devices, as threat actors scan for vulnerable devices for ransomware attacks and to add to DDoS and crypto-mining botnets. The reports also examined banking malware, brute-force attacks, vulnerable ports and phishing campaigns.
Here are some of the recent attack campaigns covered in the Cyble sensor reports. Users could be vulnerable to attack if the affected product versions are not patched and mitigated.
Vulnerability Exploits Detected by Cyble
Ivanti Vulnerabilities
Here are some of the vulnerabilities targeted in the recent attack attempts detected |
Malware
Vulnerability
Threat
Patching
Industrial
|
|
★★
|
 |
2025-03-24 11:09:37 |
FizzBuzz to FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers (direct link) |
The malware extracts browser cookies, saved credentials, installed applications and file details for exfiltration.
The malware achieves persistence through scheduled tasks and removes its traces after data exfiltration to avoid detection.
The campaign is evolving, now using invoice-themed lures alongside recruitment scams to broaden its target reach.
Overview
The threat actor (TA) is deploying a social engineering campaign against unsuspecting developers through a disguised malicious GitHub repository. Using a fake recruitment test named "FizzBuzz", the TA tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut |
Malware
Tool
Vulnerability
Threat
Technical
|
|
★★★
|
 |
2025-03-20 14:02:25 |
Hybrid Threats and AI Form the DNA of EU's Organized Threat Landscape in 2025: Europol (direct link) |
Overview
Europol released the EU-SOCTA 2025 report, which offers a comprehensive look into the complex dynamics shaping serious and organized crime across Europe.
Europol's analysis provides insight into the increasing intersection of cybercriminal activities, hybrid threats, and the exploitation of emerging technologies. Criminals are rapidly adapting to digital advancements, using technology to expand their reach, enhance their capabilities, and evade law enforcement, the report said.
Hybrid Threats: A Blurring of Crime and Conflict
Hybrid threats, which combine conventional criminal methods with advanced digital strategies, present significant risks. These tactics destabilize societies, exploit critical infrastructures, and create uncertainty.
Criminal organizations now leverage methods traditionally associated with state-backed actors, including disinformation campaigns, targeted cyberattacks, and manipulation of public opinion. By exploiting vulnerabilities of interconnected systems, these actors disrupt supply chains, compromise sensitive data, and manipulate information on a large scale.
The blending of state-backed espionage and organized crime blurs the line between geopolitical conflict and tra |
Malware
Tool
Vulnerability
Threat
Legislation
Medical
|
|
★★
|
 |
2025-03-12 10:58:48 |
NCSC Reports Surge in Cyber Security Incidents with Financial Losses in Q4 2024 (direct link) |
Overview
The National Cyber Security Centre (NCSC) has published its Cyber Security Insights report for the fourth quarter of 2024, revealing recent trends in New Zealand's cyber threat landscape. The NCSC report, covering the period from 1 October to 31 December 2024, highlights a notable increase in financial losses, with New Zealanders losing a total of $6.8 million to cybercrime. This represents a 24% increase over the previous quarter, when losses amounted to $5.5 million.
One of the report's most interesting findings is the increase in incidents involving substantial financial losses. There were 17 reports of incidents with losses exceeding $100,000, accounting for $4.7 million of the total $6.8 million reported to the NCSC. According to Tom Roberts, the NCSC's Threat and Incident Response lead, this is the highest number of high-loss incidents recorded in a single quarter.
Roberts said: "These incidents are quite varied, from cyberattacks on computers and accounts to cyber-enabled scams." He also pointed out an emerging trend: many of these high-loss incidents began with a phone call from an individual impersonating a well-known organisation. These calls ultimately led to the compromise of computers |
Malware
Tool
Threat
Prediction
|
|
★★★
|
 |
2025-03-11 07:42:54 |
Cyble Sensors Detect Exploit Attempts on WordPress Plugins, Network Devices (direct link) |
Cyble honeypot sensors also detected attack attempts on vulnerabilities known to be targeted by APT groups.
Overview
Cyble honeypot sensors detected dozens of vulnerabilities targeted in attack attempts in recent weeks, including some known to be targeted by advanced persistent threat (APT) groups.
WordPress plugins, network devices and firewalls
The Cyble reports also examined persistent attacks against Linux systems and network and IoT devices as threat actors continue to scan for vulnerable devices for ransomware attacks and to add to DDoS and crypto-mining botnets. The reports also examined banking malware, brute-force attacks, vulnerable ports and phishing campaigns.
Here are some of the recent attack campaigns covered in the Cyble sensor reports. Users could be vulnerable to attacks if the affected product versions are not patched and mitigated.
WordPress Plugin Attack Attempts
|
Malware
Vulnerability
Threat
Patching
Mobile
Cloud
|
|
★★★
|
 |
2025-03-07 08:41:16 |
U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods (direct link) |
U.S. indictments of 10 Chinese nationals are linked to the hacking and phishing tools and methods of the i-Soon company and the People's Republic of China (PRC) network of private companies.
A U.S. Department of Justice (DOJ) announcement included screenshots of some of i-Soon's offerings, and the unsealed indictments added further details on the company's methods and tools.
The indictments charge eight i-Soon employees and two PRC officials with conspiracy to commit computer intrusions and conspiracy to commit wire fraud. The defendants remain at large.
Alleged 7-Year Hacking Scheme
The indictments allege that i-Soon acted under the direction of the PRC's Ministry of State Security (MSS) and Ministry of Public Security (MPS). The DOJ release said that the MSS and MPS "used an extensive network of private companies and contractors in China to conduct unauthorized computer intrusions ("hacks") in the United States and elsewhere. One such private company was i-Soon."
From 2016 to 2023, the DOJ said, i-Soon and its personnel "engaged in the numerous and widespread hacking of email accounts, cell phones, servers and websites at the direction of, and in close coordination with, the PRC's MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had more than |
Malware
Tool
Vulnerability
Threat
Patching
Mobile
Cloud
|
|
★★★★
|
 |
2025-03-06 11:50:55 |
UAC-0173 Resumes Cyberattacks Against Ukrainian Notary Offices Using DARKCRYSTALRAT Malware (direct link) |
Attack Vector and Execution
Since late January 2025, UAC-0173 has intensified its phishing campaigns. On 11 February, the attackers distributed malicious emails impersonating the Ministry of Justice of Ukraine. These emails contained links to executable files, such as:
haka3.exe
Order of the Ministry of Justice of 10 February 2025 No. 43613.1-03.exe
for your information.exe
Executing these files infects the system with DarkCrystalRAT (DCRAT), granting the attackers initial access to the compromised machine.
Tactics, Techniques and Procedures (TTPs)
|
Malware
Tool
Threat
|
|
★★★
|
 |
2025-03-06 07:48:58 |
Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation (direct link) |
Key Takeaways
Threat Actors (TA) use social engineering to trick users into executing a malicious LNK file disguised as a PDF document, leading to malware infection.
The malware then leverages PowerShell to download and execute malicious payloads from a GitHub repository while ensuring persistence through registry modifications.
The malware extracts browser cookies by enabling remote debugging, bypassing Chrome's App Bound Encryption (ABE) for stealthy data exfiltration.
A malicious binary establishes a Visual Studio Code (VSCode) tunnel, allowing TA to maintain unauthorized remote access while evading detection.
Another payload collects browsing history, login credentials, session details, and other sensitive browser-related information before exfiltrating it to a Telegram channel.
Stolen data, including cookies and browser credentials, is archived and transmitted to the TA's Telegram bot, ensuring covert data transfer and persistence.
Executive Summary
A newly identified malware strain is being distributed through RAR attachments, using social engineering techniques to deceive users into executing a malicious LNK file disguised as a legitimate document. Once executed, this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository, allowing the malware to perform various malicious activities while operating stealthily.
The malware primarily targets web browsers and developer tools for data theft and unauthorized system access. It forcefully terminates browser processes to extract sensitive information such as cookies, login credentials, and browsing history. Additionally, it leverages Visual Studio Code tunnels to establish unauthorized |
Spam
Malware
Tool
Threat
|
|
★★
|
 |
2025-03-04 09:34:08 |
AI, Ransomware, and Cyberterrorism: How UAE is Fighting 200,000 Daily Attacks (direct link) |
Overview
The UAE Cyber Security Council (CSC) has disclosed that the country faces over 200,000 cyberattacks daily, primarily targeting strategic sectors. These cyberterrorist attacks originate from 14 countries, with their perpetrators and attack launch sites identified and countered using advanced global cybersecurity measures.
These attacks aim to disrupt critical infrastructure, steal sensitive data, and undermine national security. The CSC has implemented state-of-the-art threat detection and mitigation strategies to safeguard essential services and institutions from these cyber threats.
Strategic Sectors Under Attack
The CSC has reported that cyberterrorist groups primarily focus their attacks on key industries, aiming to disrupt operations and steal sensitive information. Among the affected sectors, the government sector accounted for the highest share at 30%, followed by the financial and banking sector at 7% and the education sector at 7%. Other affected industries, including technology, aviation, and hospitals, each experienced 4% of the attacks, while the remaining 44% were distributed among various other sectors.
Cyberattack Types and Methods
Cyberattacks come in various forms, each posing unique threats to digital infrastructure. The CSC identified several key attack types:
Attacks on Information Technology and Infrastructure – 40% of total incidents
File-sharing Attacks – 9%
Database Vulnerabilities – 3%
|
Ransomware
Malware
Vulnerability
Threat
|
|
★★
|
 |
2025-03-03 13:04:23 |
Fraud and Ransomware Dominate Malaysia's Q4 2024 Cybersecurity Report (direct link) |
increase by 5.74% from 2024 to 2029. The Cyber999 Incident Response Centre actively gathers intelligence and collaborates with global entities to improve cybersecurity defences.
In Q4 2024, Cyber999 recorded 1,550 incidents, marking a 4% decrease from the 1,623 incidents in Q3 2024.
Breakdown of incidents by month in Q4 2024:
|
Ransomware
Malware
Vulnerability
Threat
Legislation
Mobile
Prediction
|
|
★★
|
 |
2025-03-03 12:17:52 |
IT Vulnerability Report: Mac, Windows Fixes Urged by Cyble (direct link) |
|
Malware
Tool
Vulnerability
Threat
Patching
|
|
★★
|
 |
2025-02-24 08:24:19 |
FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities (direct link) |
|
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
Industrial
|
|
★★★
|
 |
2025-02-21 05:30:52 |
Ghost in the Shell: Null-AMSI Evading Traditional Security to Deploy AsyncRAT (direct link) |
Key Takeaways
Cyble Research and Intelligence Labs (CRIL) identified a campaign that utilizes malicious LNK files disguised as wallpapers to trick users into executing them.
The malware uses a multi-stage execution process, using obfuscated PowerShell scripts to fetch additional payloads from the remote server.
The Threat Actor (TA) behind this campaign leverages the open-source tool Null-AMSI to bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
The PowerShell script used to bypass AMSI and ETW contains comments and error messages in Portuguese, suggesting that the TA may be a Portuguese-speaking individual or group.
The malware employs AES encryption and GZIP compression to conceal its payloads, making it harder for security tools to analyze and detect malicious components.
The final payload is executed into memory using reflection loading, bypassing traditional security measures while ensuring persistence and executing AsyncRAT for remote control.
Overview
Cyble Research and Intelligence Labs (CRIL) identified a campaign likely orchestrated by a Portuguese-speaking TA, as evidenced by the comments and error messages present in one of the malicious scripts. While the initial infection vector remains unknown, the campaign distributes malware through a deceptive shortcut file.
Specifically, the campaign uses a malicious LNK file disguised as a wallpaper featuring popular animated characters, indicating that the TA is exploiting users' interests to increase the likelihood of infection. When executed, the shortcut file initiates a series of mali |
Spam
Malware
Tool
Vulnerability
Threat
Patching
|
|
★★★
|
 |
2025-02-20 13:21:16 |
(Déjà vu) Russia-Linked Actors Exploiting Signal Messenger's “Linked Devices” Feature for Espionage in Ukraine (direct link) |
Overview
Google Threat Intelligence Group (GTIG) has identified multiple Russia-aligned threat actors actively targeting Signal Messenger accounts as part of a multi-year cyber espionage operation. The campaign, likely driven by Russia's intelligence-gathering objectives during its invasion of Ukraine, aims to compromise the secure communications of military personnel, politicians, journalists, and activists.
The tactics observed in this campaign include phishing attacks abusing Signal's linked devices feature, malicious JavaScript payloads, and malware designed to steal Signal messages from compromised Android and Windows devices. While the focus remains on Ukrainian targets, the threat is expected to expand globally as adversaries refine their techniques.
Google has partnered with Signal to introduce security enhancements that mitigate these attack vectors, urging users to update to the latest versions of the app.
Tactics Used to Compromise Signal Accounts
Exploiting Signal's "Linked Devices" Feature
Russia-aligned threat actors have manipulated Signal's legitimate linked devices functionality to gain persistent access to victim accounts. By tricking users into scanning malicious QR codes, attackers can link an actor-controlled device to the victim's account, enabling real-time message interception without full device compromise.
The phishing methods used to deliver these malicious QR codes include:
Fake Signal group invites containing altered JavaScript redirects.
Phishing pages masquerading as Ukrainian military applications.
|
Malware
Tool
Vulnerability
Threat
Mobile
Cloud
Conference
|
APT 44
|
★★
|
 |
2025-02-17 14:35:56 |
CVE-2025-21415 & CVE-2025-21396: Microsoft Addresses Critical Security Risks (direct link) |
Cloud-based platforms and AI-driven services remain in the crosshairs of rapidly evolving malware. Recently, Microsoft released a security advisory addressing two critical vulnerabilities affecting Azure AI Face Service (CVE-2025-21415) and Microsoft Account (CVE-2025-21396).
These flaws could allow attackers to escalate privileges under specific conditions, leading to unauthorized access and system compromise. Given the increasing reliance on AI and cloud technologies, understanding these vulnerabilities and their implications is crucial for organizations and security professionals.
Overview of the Vulnerabilities
Microsoft identified and patched two security vulnerabilities that could have led to privilege escalation:
1. CVE-2025-21396 (Microsoft Account Elevation of Privilege Vulnerability)
Severity Score: 7.5 (CVSS)
Cause: Missing authorization checks in Microsoft Accounts.
Risk: An unauthorized attacker could exploit this flaw to elevate privileges over a network.
Discovery: Reported by security researcher Sugobet.
2. CVE-2025-21415 (Azure AI Face Service Elevation of Privilege Vulnerability)
Severity Score: 9.9 (CVSS)
|
Malware
Tool
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2025-02-12 10:31:36 |
BTMOB RAT: Newly Discovered Android Malware Spreading via Phishing Sites (direct link) |
Key Takeaways
BTMOB RAT is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration.
It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms.
The malware abuses Android's Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections.
It uses WebSocket-based C&C communication for real-time command execution and data theft.
BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.
The Threat Actor (TA) actively markets the malware on Telegram, offering paid licenses and continuous updates, making it an evolving and persistent threat.
Overview
On January 31, 2025, Cyble Research and Intelligence Labs (CRIL) identified a sample lnat-tv-pro.apk (13341c5171c34d846f6d0859e8c45d8a898eb332da41ab62bcae7519368d2248) being distributed via a phishing site “hxxps://tvipguncelpro[.]com/” impersonating iNat TV, an online streaming platform from Turkey, posing a serious threat to unsuspecting users.
Figure 1 – Phishing site distributing this ma |
Malware
Tool
Threat
Mobile
|
|
★★★
|
 |
2025-02-07 12:57:51 |
Open Graph Spoofing Toolkit: Old Exploitation Techniques Still in Use to Lure Social Media Users into Phishing Attacks (direct link) |
The current digital landscape necessitates an approach to sharing content on social media for significant user engagement and click-through rates. This is where the Open Graph Protocol (OGP) comes into play. Developed by Facebook, Open Graph allows web developers to control how their web pages appear when shared across various platforms. Developers use specific meta tags in a webpage's HTML to define essential elements such as the title, description, and image that accompany shared links.
Attackers have long exploited the Open Graph Protocol for malicious activities. Recently, Cyble Research and Intelligence Labs (CRIL) also observed a threat actor on a Russian underground forum offering a toolkit dubbed 'OG Spoof' for similar operations. The toolkit was designed for phishing campaigns, aiming to mislead users and artificially inflate click-through rates by exploiting flaws in the Open Graph protocol.
Overview
The importance of Open Graph (OG) tags cannot be overstated. The OG tags enhance the visibility of content, making it appealing to a broader base of potential viewers and more likely to garner views and clicks.
Figure 1: OG tags used in the header
Several content management systems (CMS), such as WordPress and Magento, come equipped with built-in functionalities or plugins that automatically generate these tags based on the post's content. This automation ensures that when links are shared, they are presented in an engaging manner while accurately previewing their content.
The TA released the 'OG Spoof' kit for sale in October 2024 at a staggering USD 2,500 price and claimed that it was initially designed for their own fraudulent operations. However, as they developed advanced methods, the toolk |
Malware
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-05 09:40:09 |
Stealthy Attack: Dual Injection Undermines Chrome's App-Bound Encryption (direct link) |
Key Takeaways
Cyble Research and Intelligence Labs (CRIL) identified malware being spread via a ZIP file containing an .LNK file disguised as a PDF and an XML project file masquerading as a PNG to trick users into opening it.
The filename suggests that the malware is likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors.
The LNK file creates a scheduled task that runs every 15 minutes, executing MSBuild.exe to deploy malicious C# code.
The malware is capable of bypassing Chrome's App-Bound Encryption and deploying a stealer payload to target sensitive Chrome-related files.
Additionally, it uses the Double Injection technique to carry out fileless execution to evade detection.
The malware establishes a connection to the Threat Actor (TA) through the Telegram Web API for command execution.
The malware enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels.
Overview
Cyble Research & Intelligence Labs (CRIL) discovered malware potentially targeting organizations in Vietnam, especially those in the Telemarketing or Sales sectors. The initial infection vector is unknown at present.
This malware was discovered being delivered via a malicious ZIP archive containing an .LNK file disguised as a .PDF and an XML project file masquerading as a .PNG file, designed to deceive users into opening the fake PDF file. When executed, the shortcut file copies an XML project file to the Temp directory and initiates a command that creates a scheduled task running every 15 minutes. This task launches |
Malware
Tool
Vulnerability
Threat
|
|
★★★
|
 |
2025-02-04 10:58:37 |
NETGEAR Urges Immediate Firmware Updates for Critical Security Flaws (direct link) |
Overview
NETGEAR has recently addressed two critical security vulnerabilities affecting its products, which, if exploited, could allow unauthenticated attackers to execute arbitrary code or remotely exploit devices. These vulnerabilities impact multiple models, including the XR series routers and WAX series access points. Given the high severity of these vulnerabilities, with Common Vulnerability Scoring System (CVSS) scores of 9.8 and 9.6, users are strongly advised to update their devices immediately to the latest firmware versions to prevent potential cyber threats.
Details of the Security Vulnerabilities
The vulnerabilities impact several NETGEAR devices and could allow remote attackers to take control of the affected routers and access points without requiring authentication. Such security flaws are particularly concerning as they can be leveraged for malicious activities, including data theft, network disruption, and unauthorized surveillance.
Affected Devices and Firmware Updates
NETGEAR has released fixes for the unauthenticated remote code execution (RCE) security vulnerability affecting the following models:
XR1000: Fixed in firmware version 1.0.0.74
XR1000v2: Fixed in firmware version 1.1.0.22
XR500: Fixed in firmware version 2.3.2.134
|
Malware
Vulnerability
Threat
Mobile
|
|
★★★
|
 |
2025-01-30 13:00:34 |
DeepSeek's Growing Influence Sparks a Surge in Frauds and Phishing Attacks (direct link) |
Overview
DeepSeek is a Chinese artificial intelligence company that has developed open-source large language models (LLMs). In January 2025, DeepSeek launched its first free chatbot app, “DeepSeek - AI Assistant”, which rapidly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI's ChatGPT.
However, with rapid growth comes new risks: cybercriminals are exploiting DeepSeek's reputation through phishing campaigns, fake investment scams, and malware disguised as DeepSeek. This analysis seeks to explore recent incidents where Threat Actors (TAs) have impersonated DeepSeek to target users, highlighting their tactics and how readers can secure themselves accordingly.
Recently, Cyble Research and Intelligence Labs (CRIL) identified multiple suspicious websites impersonating DeepSeek. Many of these sites were linked to crypto phishing schemes and fraudulent investment scams. We have compiled a list of the identified suspicious sites:
Campaign Details
Crypto phishing leveraging the popularity of DeepSeek
CRIL uncovered a crypto phishin |
Spam
Malware
Threat
Mobile
|
ChatGPT
|
★★★
|
 |
2025-01-22 10:44:07 |
Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks (direct link) |
Overview
The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government's growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.
BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.
The term "bulletproof" is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.
How Bulletproof Hosting Providers Operate
BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.
A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.
Anot |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
|
|
★★
|