www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-11T03:29:13+00:00 www.secnews.physaphae.fr
SecureMac - Security focused on Mac: BlueNoroff, also known as HEUR:Trojan-Downloader.OSX.Lazarus.gen. Type: Hybrid Threat. Platform: Mac OS 9. Last updated: 11/28/24 7:01 AM. Threat Level: High. Description: This malware installs a backdoor for remote command execution and abuses the zshenv configuration file for persistence, bypassing macOS security mechanisms like Login Items notifications. BlueNoroff Threat Removal: MacScan can detect and remove the BlueNoroff Hybrid Threat from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat. Download MacScan
2025-05-07T10:17:41+00:00 https://www.securemac.com/definitions/BlueNoroff www.secnews.physaphae.fr/article.php?IdArticle=8672872 False Malware,Threat APT 38 2.0000000000000000
Mandiant - Mandiant security blog: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis.
Executive Summary: Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be strengthening their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
Scope: This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024.
We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation.
Key Takeaways: Zero-day exploitation continues to grow gradually.
The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged
2025-04-29T05:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends/ www.secnews.physaphae.fr/article.php?IdArticle=8669387 False Malware,Tool,Vulnerability,Threat,Patching,Mobile,Prediction,Cloud,Commercial APT 37 2.0000000000000000
GB Hacker - Reverser's blog: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers.
Silent Push Threat Analysts have uncovered a chilling new cyberattack campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Contagious Interview, also referred to as Famous Chollima, a subgroup of the notorious Lazarus group. This state-sponsored entity has been implicated in numerous sophisticated cyber-espionage efforts targeting global industries, with a particular […]
2025-04-25T17:34:28+00:00 https://gbhackers.com/north-korean-apt-hackers-pose-as-companies/ www.secnews.physaphae.fr/article.php?IdArticle=8667769 False Malware,Threat APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware. At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in
2025-04-24T19:41:00+00:00 https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html www.secnews.physaphae.fr/article.php?IdArticle=8667217 False Malware,Vulnerability,Threat APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware. The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems.
The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by
2025-04-03T17:52:00+00:00 https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html www.secnews.physaphae.fr/article.php?IdArticle=8660049 False Malware,Threat APT 38 3.0000000000000000
SecurityWeek - Security News: Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks.
North Korea's Lazarus hackers are using the ClickFix technique for malware deployment in fresh attacks targeting the cryptocurrency ecosystem.
2025-04-02T10:45:54+00:00 https://www.securityweek.com/lazarus-uses-clickfix-tactics-in-fake-cryptocurrency-job-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8659799 False Malware APT 38 3.0000000000000000
Bleeping Computer - American magazine: North Korean hackers adopt ClickFix attacks to target crypto firms. The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi). [...]
2025-03-31T11:56:54+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-adopt-clickfix-attacks-to-target-crypto-firms/ www.secnews.physaphae.fr/article.php?IdArticle=8659416 False Malware APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware. An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as
2025-03-27T18:01:00+00:00 https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html www.secnews.physaphae.fr/article.php?IdArticle=8658566 False Malware,Threat,Mobile APT 36 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?):
North Korea's ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps. The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were.
2025-03-13T19:53:00+00:00 https://thehackernews.com/2025/03/north-koreas-scarcruft-deploys-kospy.html www.secnews.physaphae.fr/article.php?IdArticle=8655561 False Malware,Tool,Threat,Mobile APT 37 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks. The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.
The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named
2025-02-14T23:58:00+00:00 https://thehackernews.com/2025/02/lazarus-group-deploys-marstech1.html www.secnews.physaphae.fr/article.php?IdArticle=8648530 False Malware,Threat APT 38 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine: North Korea Targets Crypto Devs Through NPM Packages. SecurityScorecard has uncovered a sophisticated campaign linked to North Korea's Lazarus Group, distributing crypto-stealing malware
2025-02-13T10:15:00+00:00 https://www.infosecurity-magazine.com/news/north-korea-crypto-devs-npm/ www.secnews.physaphae.fr/article.php?IdArticle=8648337 False Malware APT 38 3.0000000000000000
Mandiant - Mandiant security blog: Cybercrime: A Multifaceted National Security Threat.
2025-02-11T20:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/ www.secnews.physaphae.fr/article.php?IdArticle=8648141 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 41,APT 38,APT 29,APT 43,APT 44 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign. The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems.
According to cybersecurity company Bitdefender, the scam begins with a message sent on a professional social media network, enticing them with the promise of
2025-02-05T20:25:00+00:00 https://thehackernews.com/2025/02/cross-platform-javascript-stealer.html www.secnews.physaphae.fr/article.php?IdArticle=8647065 False Malware APT 38 3.0000000000000000
Techworm - News: Hackers Using RID Hijacking To Create Admin Accounts In Windows. Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to ASEC researchers, AhnLab's security intelligence center, the hacking group behind the attack is the "Andariel" threat group, linked to North Korea's Lazarus hacker group. "RID Hijacking is
wrote in a blog post published on Thursday. In Windows, a Relative Identifier (RID) is part of a Security Identifier (SID), which uniquely distinguishes each user and group within a domain. For instance, an administrator account has a RID value of 500, a guest account 501, the domain admins group 512, and the RIDs of regular users start from the value of 1000. In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as an administrator account. As a result, Windows grants administrative privileges to the account. However, to pull this off, attackers need access to the SAM (Security Account Manager) registry, which requires them to already have SYSTEM-level access to the targeted machine for modification. Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt. While SYSTEM access is the highest privilege in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected, and doesn't persist after a system reboot. To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a "$" character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account's privileges to the administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking. Although SYSTEM access could allow the direct creation of administrator accounts, this method is less conspicuous, making it difficult to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder. To reduce the risk of RID hijacking, system administrators should implement proactive measures such as: using the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes; preventing unauthorized access to the SAM registry; restricting the use of tools like PsExec and JuicyPotato; disabling guest accounts; and enforcing multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
2025-01-25T20:07:25+00:00 https://www.techworm.net/2025/01/hacker-rid-hijacking-create-admin-accounts-windows.html www.secnews.physaphae.fr/article.php?IdArticle=8642525 False Malware,Tool,Threat APT 38,APT 45 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99. The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware. "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat
2025-01-15T21:07:00+00:00 https://thehackernews.com/2025/01/lazarus-group-targets-web3-developers.html www.secnews.physaphae.fr/article.php?IdArticle=8637830 False Malware,Threat APT 38 2.0000000000000000
Dark Reading - Informationweek Branch: North Korea's Lazarus APT Evolves Developer-Recruitment Attacks. "Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.
2025-01-15T16:02:08+00:00 https://www.darkreading.com/threat-intelligence/north-korea-lazarus-apt-developer-recruitment-attacks www.secnews.physaphae.fr/article.php?IdArticle=8637791 False Malware APT 38 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Weekly OSINT Highlights, 30 December 2024. Snapshot: Last week's OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud.
Threat actors such as North Korea's Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging
2024-12-30T12:02:43+00:00 https://community.riskiq.com/article/2ec56fef www.secnews.physaphae.fr/article.php?IdArticle=8631656 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud APT 38 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware. The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao. Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware. BellaCiao was first
2024-12-25T15:54:00+00:00 https://thehackernews.com/2024/12/irans-charming-kitten-deploys-bellacpp.html www.secnews.physaphae.fr/article.php?IdArticle=8629826 False Malware APT 35 2.0000000000000000
HackRead - Cyber search: Lazarus Group Targets Nuclear Industry with CookiePlus Malware. Key summary points: Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…
2024-12-23T20:06:03+00:00 https://hackread.com/lazarus-group-nuclear-industry-cookieplus-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8629231 False Malware,Threat APT 38 4.0000000000000000
Recorded Future - Recorded Future feed: North Korean hackers spotted using new tools on employees of 'nuclear-related' org. Researchers at Kaspersky said they found the Lazarus Group using "a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group's evolved delivery and improved persistence methods."
2024-12-23T19:32:18+00:00
https://therecord.media/lazarus-group-new-tools-kaspersky www.secnews.physaphae.fr/article.php?IdArticle=8629232 False Malware,Tool APT 38 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware. The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024. The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are
2024-12-20T16:14:00+00:00 https://thehackernews.com/2024/12/lazarus-group-spotted-targeting-nuclear.html www.secnews.physaphae.fr/article.php?IdArticle=8627927 False Malware,Threat APT 38 4.0000000000000000
Kaspersky - Kaspersky Research blog: Lazarus group evolves its infection chain with old and new malware. Lazarus targets employees of a nuclear-related organization with a bunch of malware, such as MISTPEN, LPEClient, RollMid, CookieTime and a new modular backdoor CookiePlus.
2024-12-19T10:00:55+00:00 https://securelist.com/lazarus-new-malware/115059/ www.secnews.physaphae.fr/article.php?IdArticle=8627438 False Malware APT 38 3.0000000000000000
RedTeam PL - DarkTrace: AI-based detection: BadWPAD wpad.software case and DNS threat hunting. [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html].
WPAD TLDs: First of all, we checked the TLD list from IANA [https://data.iana.org/TLD/tlds-alpha-by-domain.txt] for the first level of wpad domains:
101.37.23.113 wpad.bike
104.18.54.241 wpad.mobi
104.18.55.241 wpad.mobi
104.199.123.6 wpad.ac
104.24.104.177 wpad.online
104.24.104.228 wpad.army
104.24.105.177 wpad.online
104.24.105.228 wpad.army
104.24.120.45 wpad.space
104.24.121.45 wpad.space
104.25.51.128 wpad.world
104.27.176.234 wpad.site
104.27.177.234 wpad.site
104.27.188.57 wpad.co
104.27.189.57 wpad.co
104.28.10.19 wpad.kz
104.28.11.19 wpad.kz
104.31.74.75 wpad.exchange
2024-12-01T15:56:58+00:00 https://blog.redteam.pl/2019/05/wpad-software-case-dns-threat-hunting.html www.secnews.physaphae.fr/article.php?IdArticle=8618460 False Malware,Threat APT 32 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Weekly OSINT Highlights, 18 November 2024.
2024-11-18T12:22:31+00:00 https://community.riskiq.com/article/2560112c www.secnews.physaphae.fr/article.php?IdArticle=8613484 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 41,APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Hackers use macOS extended file attributes to hide malicious code. Snapshot: Researchers at Group-IB have ide
2024-11-15T15:40:32+00:00 https://community.riskiq.com/article/7c6b391d www.secnews.physaphae.fr/article.php?IdArticle=8611812 False Malware,Threat,Prediction APT 38 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): New RustyAttr Malware Targets macOS Through Extended Attribute Abuse. Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr.
The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including
2024-11-14T15:21:00+00:00 https://thehackernews.com/2024/11/new-rustyattr-malware-targets-macos.html www.secnews.physaphae.fr/article.php?IdArticle=8610957 False Malware,Threat APT 38 3.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine: Lazarus Group Uses Extended Attributes for Code Smuggling in macOS. Lazarus APT has been found smuggling malware onto macOS devices using custom extended attributes, evading detection
2024-11-13T16:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-extended-attributes-macos/ www.secnews.physaphae.fr/article.php?IdArticle=8610465 False Malware APT 38 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Weekly Highlights, 11 November 2024.
2024-11-11T12:45:44+00:00 https://community.riskiq.com/article/3b100c61 www.secnews.physaphae.fr/article.php?IdArticle=8609345 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 37 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools. High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.
The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point
2024-11-08T17:53:00+00:00 https://thehackernews.com/2024/11/icepeony-and-transparent-tribe-target.html www.secnews.physaphae.fr/article.php?IdArticle=8608093 False Malware,Tool,Threat APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Analysis of Cyber Reconnaissance Activities Behind APT37 Threat Actor.
2024-11-07T21:47:54+00:00 https://community.riskiq.com/article/fd1c0c96 www.secnews.physaphae.fr/article.php?IdArticle=8607767 False Malware,Threat,Cloud APT 37 2.0000000000000000
Global Security Mag - French news site: Transparent Tribe (APT36): its new ElizaRAT malware keeps evolving. Malware
2024-11-05T13:08:28+00:00 https://www.globalsecuritymag.fr/transparent-tribe-apt36-son-nouveau-malware-elizarat-evolue-encore.html www.secnews.physaphae.fr/article.php?IdArticle=8606418 False Malware APT 36 3.0000000000000000
Dark Reading - Informationweek Branch: APT36 Refines Tools in Attacks on Indian Targets. The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.
2024-11-04T22:39:41+00:00 https://www.darkreading.com/cyberattacks-data-breaches/apt36-refines-tools-attacks-indian-targets www.secnews.physaphae.fr/article.php?IdArticle=8606147 False Malware,Tool,Threat APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT.
2024-11-04T19:39:03+00:00 https://community.riskiq.com/article/f01e1d00 www.secnews.physaphae.fr/article.php?IdArticle=8606105 False
Ransomware,Malware,Tool,Threat,Mobile,Cloud,Technical APT 36 2.0000000000000000
Checkpoint - Security hardware vendor: The Evolution of Transparent Tribe's New Malware.
Executive Summary: In recent cyber attacks, Transparent Tribe, or APT36, has utilized an increasingly sophisticated malware called ElizaRAT. Check Point Research tracked ElizaRAT's evolution, uncovering its improved execution methods, detection evasion, and Command and Control communication since its public disclosure in September 2023. The ElizaRAT campaigns first executed the same function to verify that the system was set to India Standard Time, indicating that the campaigns targeted Indian systems. Transparent Tribe, otherwise known as APT36, is a Pakistan-affiliated threat actor that notoriously targets Indian-associated entities. The threat group's main objective is cyber espionage, which has previously targeted governmental organizations, diplomatic […]
2024-11-04T13:00:51+00:00 https://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8605928 False Malware,Threat APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Weekly OSINT Highlights, 4 November 2024.
2024-11-04T12:25:16+00:00 https://community.riskiq.com/article/d6da7f0d www.secnews.physaphae.fr/article.php?IdArticle=8605948 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Medical,Cloud,Technical APT 41,APT 28,APT 31,Guam 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns.
2024-10-31T20:29:50+00:00 https://community.riskiq.com/article/798c0fdb www.secnews.physaphae.fr/article.php?IdArticle=8604363 False Malware,Tool,Vulnerability,Threat,Legislation,Cloud APT 41,APT 31 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users.
2024-10-30T18:25:16+00:00 https://community.riskiq.com/article/3c757860 www.secnews.physaphae.fr/article.php?IdArticle=8603864 True Ransomware,Malware,Tool,Vulnerability,Threat APT 31 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft): Weekly OSINT Highlights, 28 October 2024.
2024-10-28T11:27:40+00:00 https://community.riskiq.com/article/fa5a55d5 www.secnews.physaphae.fr/article.php?IdArticle=8602805 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 38,Guam 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft): The Crypto Game of Lazarus APT: Investors vs. Zero-days.
2024-10-25T16:11:10+00:00 https://community.riskiq.com/article/e831e4ae www.secnews.physaphae.fr/article.php?IdArticle=8601740 False Ransomware,Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine: Lazarus Group Exploits Google Chrome Flaw in New Campaign. Lazarus Group exploited Google Chrome zero-day, infecting systems with Manuscrypt malware
2024-10-24T16:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-exploits-google/ www.secnews.physaphae.fr/article.php?IdArticle=8601571 False Malware,Vulnerability,Threat APT 38 2.0000000000000000
SecurityWeek - Security News: North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft.
>The Lazarus APT created a deceptive website that exploited a Chrome zero-day to install malware and steal cryptocurrency. ]]>
2024-10-24T13:02:10+00:00 https://www.securityweek.com/north-korean-hackers-exploited-chrome-zero-day-for-cryptocurrency-theft/ www.secnews.physaphae.fr/article.php?IdArticle=8601542 False Malware,Vulnerability,Threat APT 38 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 21 October 2024 2024-10-21T11:41:26+00:00 https://community.riskiq.com/article/02320e34 www.secnews.physaphae.fr/article.php?IdArticle=8600983 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud APT 38,APT 37,APT-C-17 2.0000000000000000
Dark Reading - Informationweek Branch DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads. 2024-10-21T01:00:00+00:00 https://www.darkreading.com/vulnerabilities-threats/dprk-microsoft-zero-day-no-click-toast-attacks www.secnews.physaphae.fr/article.php?IdArticle=8600761 False Malware,Vulnerability,Threat APT 37 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) New FASTCash malware Linux variant helps steal money from ATMs 2024-10-18T20:59:53+00:00 https://community.riskiq.com/article/b0437795 www.secnews.physaphae.fr/article.php?IdArticle=8599903 False Malware,Tool APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Malicious ads exploited Internet Explorer zero day to drop malware 2024-10-18T20:53:46+00:00 https://community.riskiq.com/article/d11b6766 www.secnews.physaphae.fr/article.php?IdArticle=8599904 False Malware,Vulnerability,Threat APT 37 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. 2024-10-16T16:20:00+00:00 https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html www.secnews.physaphae.fr/article.php?IdArticle=8598696 False Malware,Vulnerability,Threat APT 37 2.0000000000000000
Bleeping Computer - American magazine Malicious ads exploited Internet Explorer zero day to drop malware The North Korean hacking group ScarCruft launched a large-scale attack in May that leveraged an Internet Explorer zero-day flaw to infect targets with the RokRAT malware and exfiltrate data. [...] 2024-10-16T09:59:12+00:00 https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8598745 False Malware,Vulnerability,Threat APT 37 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) North Korean Actors Target Tech Job Seekers with Cross-Platform Malware 2024-10-15T21:16:48+00:00 https://community.riskiq.com/article/9ce29d67 www.secnews.physaphae.fr/article.php?IdArticle=8598422 False Malware,Tool,Threat APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions #### Targeted Geolocations - United Arab Emirates ## Snapshot Researchers at Trend Micro have identif 2024-10-11T21:41:42+00:00 https://community.riskiq.com/article/bc0f3dd1 www.secnews.physaphae.fr/article.php?IdArticle=8596273 False Malware,Tool,Vulnerability,Threat,Prediction APT 34 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 7 October 2024 2024-10-07T16:54:11+00:00 https://community.riskiq.com/article/33015049 www.secnews.physaphae.fr/article.php?IdArticle=8593765 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Cloud APT 37,APT 45 2.0000000000000000
Recorded Future - Recorded Future feed North Korea 'Shrouded Sleep' malware campaign targeting Cambodia, other Southeast Asian nations Researchers linked the campaign to APT37, a hacking group allegedly housed within North Korea's Ministry of State Security. 2024-10-03T20:53:04+00:00 https://therecord.media/north-korea-malware-espionage-cambodia www.secnews.physaphae.fr/article.php?IdArticle=8591527 False Malware APT 37 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) SHROUDED#SLEEP: A Deep Dive into North Korea's Ongoing Campaign Against Southeast Asia 2024-10-03T20:13:46+00:00 https://community.riskiq.com/article/2e62a43c www.secnews.physaphae.fr/article.php?IdArticle=8591525 False Malware,Tool,Vulnerability,Threat,Cloud APT 37 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 30 September 2024 2024-09-30T13:21:55+00:00 https://community.riskiq.com/article/70e8b264 www.secnews.physaphae.fr/article.php?IdArticle=8588927 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Mobile ChatGPT,APT 36 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe 2024-09-27T19:44:31+00:00 https://community.riskiq.com/article/f74aeee5 www.secnews.physaphae.fr/article.php?IdArticle=8586788 True Ransomware,Malware,Tool,Threat,Mobile APT 36 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) New PondRAT Malware Hidden in Python Packages Targets Software Developers Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in 2024-09-23T12:09:00+00:00 https://thehackernews.com/2024/09/new-pondrat-malware-hidden-in-python.html www.secnews.physaphae.fr/article.php?IdArticle=8582747 False Malware,Threat APT 38 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) North Korean APT Group Gleaming Pisces Deploys PondRAT via Poisoned Python Packages 2024-09-20T15:50:36+00:00 https://community.riskiq.com/article/906408c8 www.secnews.physaphae.fr/article.php?IdArticle=8580619 False Malware,Tool,Threat APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks 2024-09-19T21:39:29+00:00 https://community.riskiq.com/article/e882507d www.secnews.physaphae.fr/article.php?IdArticle=8579917 False Malware,Tool,Threat,Cloud APT 34 3.0000000000000000
Mandiant - Mandiant security blog UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. UNC1860's tradecraft and targeting parallel those of Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and collection of "main-stage" passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors is a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group's reverse engineering capabilities of Windows kernel components and detection evasion capabilities. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we belie 2024-09-19T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8579617 False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 34 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is 2024-09-18T15:02:00+00:00 https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html www.secnews.physaphae.fr/article.php?IdArticle=8579019 False Malware,Threat APT 37 2.0000000000000000
Schneier on Security - American cryptologist and researcher Python Developers Targeted with Malware During Fake Job Interviews Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article: These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving "coding tests" that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS... 2024-09-17T11:02:34+00:00 https://www.schneier.com/blog/archives/2024/09/python-developers-targeted-with-malware-during-fake-job-interviews.html www.secnews.physaphae.fr/article.php?IdArticle=8578307 False Malware,Tool APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 16 septembre 2024<br>Weekly OSINT Highlights, 16 September 2024 2024-09-16T11:20:34+00:00 https://community.riskiq.com/article/f4ae836f www.secnews.physaphae.fr/article.php?IdArticle=8577706 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Prediction,Cloud APT 34 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Iranian Cyber ​​Group OilRig cible le gouvernement irakien dans une attaque de logiciels malveillants sophistiqués<br>Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig. The attacks singled out Iraqi organizations such as the Prime Minister\'s Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,]]> 2024-09-12T16:19:00+00:00 https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html www.secnews.physaphae.fr/article.php?IdArticle=8575176 False Malware,Threat APT 34 3.0000000000000000 Contagio - Site d infos ransomware 2023-11-23 BEAVERTAIL AND INVISIBLE_FERRET LAZARUS GROUP MALWWare Samples<br>2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples 2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). There is a more recent campaign VMCONNECT described by Reversing Labs here 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages but I don\'t have samples for that one. These campaigns target job-seeking activities to deploy malware and conduct espionage. 
Contagious Interview (CL-STA-0240):The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.Wagemole (CL-STA-0241):Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea\'s weapons programs and potentially conduct espionage.Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. 
These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.Download]]> 2024-09-12T14:11:31+00:00 https://contagiodump.blogspot.com/2024/09/2023-11-23-beavertail-and.html www.secnews.physaphae.fr/article.php?IdArticle=8575417 False Malware,Threat APT 38 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Le groupe Lazarus cible les développeurs de la campagne de VMConnect fraîche<br>Lazarus Group Targets Developers in Fresh VMConnect Campaign Lazarus Group has been observed impersonating Capital One staff to lure developers into downloading malware on open source repositories]]> 2024-09-12T13:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-developers-vmconnect/ www.secnews.physaphae.fr/article.php?IdArticle=8575244 False Malware APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Targeted Iranian Attacks Against Iraqi Government Infrastructure 2024-09-11T23:46:33+00:00 https://community.riskiq.com/article/6289e51f www.secnews.physaphae.fr/article.php?IdArticle=8574915 False Malware,Tool,Threat APT 34 2.0000000000000000 Bleeping Computer - Magazine Américain Test de codage de Fake Password Manager utilisé pour pirater les développeurs Python<br>Fake password manager coding test used to hack Python developers Members of the North Korean hacker group Lazarus posing as recruiters are baiting Python developers with coding test project for password management products that include malware. [...]]]> 2024-09-11T17:09:36+00:00 https://www.bleepingcomputer.com/news/security/fake-password-manager-coding-test-used-to-hack-python-developers/ www.secnews.physaphae.fr/article.php?IdArticle=8574813 False Malware,Hack APT 38 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Les développeurs se trouvent: le groupe Lazarus utilise de faux tests de codage pour répandre les logiciels malveillants<br>Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said. The activity has been assessed to be part of]]> 2024-09-11T15:16:00+00:00 https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html www.secnews.physaphae.fr/article.php?IdArticle=8574518 False Malware APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 9 septembre 2024<br>Weekly OSINT Highlights, 9 September 2024 2024-09-09T11:04:46+00:00 https://community.riskiq.com/article/563312a4 www.secnews.physaphae.fr/article.php?IdArticle=8573205 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Commercial APT 38,APT 29 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) APT Lazarus: castors cryptographiques avides, appels vidéo et jeux<br>APT Lazarus: Eager Crypto Beavers, Video calls and Games 2024-09-06T20:50:58+00:00 https://community.riskiq.com/article/2d5ffbad www.secnews.physaphae.fr/article.php?IdArticle=8571535 True Ransomware,Malware,Tool,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Fake Palo Alto GlobalProtect used as lure to backdoor enterprises 2024-09-04T18:51:15+00:00 https://community.riskiq.com/article/22951902 www.secnews.physaphae.fr/article.php?IdArticle=8569939 False Malware,Tool,Threat,Prediction APT 34 2.0000000000000000 Mandiant - Blog Sécu de Mandiant ATTENTIONS DÉFÉRENCES - Examiner les cambriolages Web3<br>DeFied Expectations - Examining Web3 Heists Where money goes, crime 
follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector. Mandiant has a long history of investigating bank heists. In 2016, Mandiant investigated the world\'s largest bank heist that occurred at the Bank of Bangladesh and resulted in the theft of $81 million by North Korea\'s APT38. While the group\'s operations were quite innovative and made for an entertaining 10-episode podcast by the BBC, it pales in comparison to Web3 heists. In 2022, the largest DeFi heist occurred on Sky Mavis\' Ronin Blockchain, which resulted in the theft of over $600 million by North Korean threat actors. While North Korea is arguably the world\'s leading cyber criminal enterprise, they are not the only player. Since 2020, there have been hundreds of Web3 heists reported, which has resulted in over $12 billion in stolen digital assets Chainalysis 2024 Crypto Crime Report Source: Chainalysis 2024 Crypto Crime Report While social engineering, crypto drainers, rug pulls (scams), and ]]> 2024-09-03T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/ www.secnews.physaphae.fr/article.php?IdArticle=8569124 False Malware,Hack,Vulnerability,Threat,Cloud APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 2 septembre 2024<br>Weekly OSINT Highlights, 2 September 2024 2024-09-02T19:54:58+00:00 https://community.riskiq.com/article/161e114f www.secnews.physaphae.fr/article.php?IdArticle=8568711 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud APT 41,APT 32 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Groupe vietnamien des droits de l'homme ciblé dans la cyberattaque pluriannuelle par APT32<br>Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32 A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts. Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that\'s also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is]]> 2024-08-29T21:45:00+00:00 https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html www.secnews.physaphae.fr/article.php?IdArticle=8566270 False Malware,Threat APT 32 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Sleet citrine exploitant le chrome zéro-jour<br>Citrine Sleet exploiting Chromium zero-day 2024-08-29T19:44:20+00:00 https://community.riskiq.com/article/0ce29639 www.secnews.physaphae.fr/article.php?IdArticle=8567037 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Menace persistante avancée ciblant les défenseurs vietnamiens des droits de l'homme<br>Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders 2024-08-29T18:15:40+00:00 https://community.riskiq.com/article/de978ca1 www.secnews.physaphae.fr/article.php?IdArticle=8566388 False Ransomware,Malware,Tool,Vulnerability,Threat APT 32 3.0000000000000000 Bleeping Computer - Magazine Américain New Tickler malware utilisé pour se porte-balade US Govt, Defense Orgs<br>New Tickler malware used to backdoor US govt, defense orgs The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. 
[...]]]> 2024-08-28T14:36:52+00:00 https://www.bleepingcomputer.com/news/security/new-tickler-malware-used-to-backdoor-us-govt-defense-orgs/ www.secnews.physaphae.fr/article.php?IdArticle=8565594 False Malware APT33,APT 33 3.0000000000000000 Bleeping Computer - Magazine Américain New Tickler malware used to backdoor US govt, defense orgs The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. [...]]]> 2024-08-28T14:36:52+00:00 https://www.bleepingcomputer.com/news/security/APT33-Iranian-hacking-group-uses-new-tickler-malware-to-backdoor-us-govt-defense-orgs/ www.secnews.physaphae.fr/article.php?IdArticle=8565689 False Malware APT33,APT 33 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Le groupe iranien TA453 lance des attaques de phishing avec le forgeron<br>Iranian Group TA453 Launches Phishing Attacks with BlackSmith TA453, also known as Charming Kitten, launched a targeted phishing attack using PowerShell malware BlackSmith]]> 2024-08-20T15:30:00+00:00 https://www.infosecurity-magazine.com/news/iran-ta453-phishing-attacks-isw/ www.secnews.physaphae.fr/article.php?IdArticle=8560899 False Malware APT 35 3.0000000000000000 Dark Reading - Informationweek Branch Packers liés à l'IRGC package malware modulaire en Troie monolithique<br>IRGC-Linked Hackers Package Modular Malware in Monolithic Trojan Charming Kitten goes retro and consolidates its backdoor into a tighter package, abandoning the malware framework trend.]]> 2024-08-20T09:00:00+00:00 https://www.darkreading.com/threat-intelligence/irgc-linked-hackers-package-modular-malware-into-monolithic-trojan www.secnews.physaphae.fr/article.php?IdArticle=8561183 False Malware,Prediction APT 35 2.0000000000000000 ProofPoint - Cyber Firms Meilleurs plans posés: TA453 cible la figure religieuse avec un faux podcast invite livrant un nouvel ensemble 
d'outils de logiciel malveillant forgeron<br>Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset 2024-08-20T05:00:25+00:00 https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering www.secnews.physaphae.fr/article.php?IdArticle=8560720 False Malware,Threat,Studies APT 35,APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) EastWind campaign: new CloudSorcerer attacks on government organizations in Russia 2024-08-14T18:17:06+00:00 https://community.riskiq.com/article/55996e79 www.secnews.physaphae.fr/article.php?IdArticle=8557777 False Ransomware,Malware,Tool,Threat,Cloud APT 27,APT 31 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 5 août 2024<br>Weekly OSINT Highlights, 5 August 2024 2024-08-05T10:51:17+00:00 https://community.riskiq.com/article/ed438f56 www.secnews.physaphae.fr/article.php?IdArticle=8552050 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile APT33,APT 41,APT 33,APT-C-17 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 29 July 2024 2024-07-29T10:58:35+00:00 https://community.riskiq.com/article/72f3426d www.secnews.physaphae.fr/article.php?IdArticle=8546560 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Industrial,Medical APT 28,APT 36 2.0000000000000000 Mandiant - Blog Sécu de Mandiant APT45: Machine militaire numérique de la Corée du Nord<br>APT45: North Korea\\'s Digital Military Machine   Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into financially-motivated operations, and the group\'s suspected development and deployment of ransomware sets it apart from other North Korean operators.  
APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43.  Among the groups assessed to operate from the Democratic People\'s Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Overview Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group\'s earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities. apt45 logo Shifts in Targeting and Expanding Operations Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK\'s changing priorities. Malware samples indicate the group was active as early as 2009, although an observed focus on government agencies and the defense industry was observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang\'s continued interest in nuclear issues and energy. 
Although it is not clear if financially-motivated operations are a focus of APT45's current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities.
Financial Sector
Like other North Korea
2024-07-25T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/ www.secnews.physaphae.fr/article.php?IdArticle=8544047 False Ransomware,Malware,Tool,Threat,Medical APT 37,APT 43 5.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Onyx Sleet uses array of malware to gather intelligence for North Korea 2024-07-24T23:34:10+00:00 https://community.riskiq.com/article/31828df1 www.secnews.physaphae.fr/article.php?IdArticle=8544253 False Ransomware,Malware,Tool,Vulnerability,Threat,Industrial,Cloud,Technical,Commercial APT 38 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Threat Actors Target Recent Election Results 2024-07-24T21:28:53+00:00 https://community.riskiq.com/article/dfae4887 www.secnews.physaphae.fr/article.php?IdArticle=8543707 True Ransomware,Malware,Tool,Threat APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 8 July 2024 2024-07-08T15:06:59+00:00 https://community.riskiq.com/article/9a175891 www.secnews.physaphae.fr/article.php?IdArticle=8532909 False Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) CapraTube Remix - Transparent Tribe's Android Spyware Targeting Gamers, Weapons Enthusiasts 2024-07-02T21:54:47+00:00 https://community.riskiq.com/article/d62a3110 www.secnews.physaphae.fr/article.php?IdArticle=8529579 False Malware,Tool,Threat,Mobile APT 36 2.0000000000000000
Mandiant - Blog Sécu de Mandiant Global Revival of Hacktivism Requires Increased Vigilance from Defenders
Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives. Today's hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain. This blog post presents Mandiant's analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups.
Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities.
Figure 1: Sample of imagery used by hacktivists to promote their threat activity
Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks
Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism's resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats.
The proactive moni
2024-06-27T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism/ www.secnews.physaphae.fr/article.php?IdArticle=8526607 False Malware,Tool,Threat,Legislation,Industrial,Cloud,Commercial APT 38 3.0000000000000000
Mandiant - Blog Sécu de Mandiant Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics
Executive Summary
Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics, while China, Iran, and North Korea state-sponsored actors pose a moderate to low risk. To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks. The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.
Introduction
The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons: Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending. Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high-profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified. Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
Financially-motivated actors are likely to target the Olympics in v
2024-06-05T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics/ www.secnews.physaphae.fr/article.php?IdArticle=8513588 False Ransomware,Malware,Threat,Studies,Mobile,Cloud,Technical APT 15,APT 31,APT 42 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) 2024-05-31T22:14:46+00:00 https://community.riskiq.com/article/08f4a417 www.secnews.physaphae.fr/article.php?IdArticle=8510885 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) Microsoft Uncovers 'Moonstone Sleet' - New North Korean Hacker Group
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group.
"Moonstone Sleet is observed to set up fake companies and
2024-05-29T16:05:00+00:00 https://thehackernews.com/2024/05/microsoft-uncovers-moonstone-sleet-new.html www.secnews.physaphae.fr/article.php?IdArticle=8509208 False Ransomware,Malware,Threat,Industrial APT 38 2.0000000000000000
The Register - English-language news site North Korea building cash reserves using ransomware, video games
Microsoft says Kim's hermit nation is pivoting to latest tools as it evolves in cyberspace A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.…
2024-05-29T13:00:09+00:00 https://go.theregister.com/feed/www.theregister.com/2024/05/29/north_korea_using_ransomware_and/ www.secnews.physaphae.fr/article.php?IdArticle=8509278 False Ransomware,Malware,Tool APT 37 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 28 May 2024 2024-05-28T17:37:40+00:00 https://community.riskiq.com/article/eb5e10a2 www.secnews.physaphae.fr/article.php?IdArticle=8508725 False Ransomware,Malware,Hack,Tool,Threat APT 34 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Bad Karma, No Justice: Void Manticore Destructive Activities in Israel 2024-05-22T15:21:21+00:00 https://community.riskiq.com/article/d5d5c07f www.secnews.physaphae.fr/article.php?IdArticle=8504864 False Ransomware,Malware,Tool,Threat APT 34 3.0000000000000000
Mandiant - Blog Sécu de Mandiant IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise's network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.
IOC Extinction and the Rise of ORB Networks
The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp
2024-05-22T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8504765 False Malware,Tool,Vulnerability,Threat,Prediction,Cloud,Commercial APT 15,APT 5,APT 31 3.0000000000000000
Techworm - News Malware Targets Routers To Steal Passwords From Web Requests
warn in a blog post. "Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined rule set. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services."
2024-05-01T23:25:26+00:00 https://www.techworm.net/2024/05/malware-target-router-steal-password.html www.secnews.physaphae.fr/article.php?IdArticle=8491968 False Malware,Threat,Cloud,Technical APT 32 4.0000000000000000
Mandiant - Blog Sécu de Mandiant Uncharmed: Untangling Iran's APT42 Operations
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware.
APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (
2024-05-01T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/ www.secnews.physaphae.fr/article.php?IdArticle=8500390 False Malware,Tool,Threat,Cloud Yahoo,APT 35,APT 42 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino
2024-04-25T22:17:00+00:00 https://thehackernews.com/2024/04/north-koreas-lazarus-group-deploys-new.html www.secnews.physaphae.fr/article.php?IdArticle=8488646 False Malware,Threat APT 38 2.0000000000000000
Mandiant - Blog Sécu de Mandiant Poll Vaulting: Cyber Threats to Global Elections
Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats.
Elections attract threat activity from a variety of threat actors including state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.
Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats.
An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In any case, there is an opportunity for us to prepare with the advantage of intelligence.
2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000