This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-10T21:01:23+00:00 www.secnews.physaphae.fr The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point]]> 2024-11-08T17:53:00+00:00 https://thehackernews.com/2024/11/icepeony-and-transparent-tribe-target.html www.secnews.physaphae.fr/article.php?IdArticle=8608093 False Malware,Tool,Threat APT 36 3.0000000000000000 Dark Reading - Informationweek Branch The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it\'s now using a new and improved "ElizaRAT" malware.]]> 2024-11-04T22:39:41+00:00 https://www.darkreading.com/cyberattacks-data-breaches/apt36-refines-tools-attacks-indian-targets www.secnews.physaphae.fr/article.php?IdArticle=8606147 False Malware,Tool,Threat APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-11-04T19:39:03+00:00 https://community.riskiq.com/article/f01e1d00 www.secnews.physaphae.fr/article.php?IdArticle=8606105 False Ransomware,Malware,Tool,Threat,Mobile,Cloud,Technical APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-09-30T13:21:55+00:00 https://community.riskiq.com/article/70e8b264 www.secnews.physaphae.fr/article.php?IdArticle=8588927 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Mobile ChatGPT,APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-09-27T19:44:31+00:00 https://community.riskiq.com/article/f74aeee5 www.secnews.physaphae.fr/article.php?IdArticle=8586788 True Ransomware,Malware,Tool,Threat,Mobile APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-07-29T10:58:35+00:00 https://community.riskiq.com/article/72f3426d www.secnews.physaphae.fr/article.php?IdArticle=8546560 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Industrial,Medical APT 28,APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-07-24T21:28:53+00:00 https://community.riskiq.com/article/dfae4887 www.secnews.physaphae.fr/article.php?IdArticle=8543707 True Ransomware,Malware,Tool,Threat APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-07-08T15:06:59+00:00 https://community.riskiq.com/article/9a175891 www.secnews.physaphae.fr/article.php?IdArticle=8532909 False Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-07-02T21:54:47+00:00 https://community.riskiq.com/article/d62a3110 www.secnews.physaphae.fr/article.php?IdArticle=8529579 False Malware,Tool,Threat,Mobile APT 36 2.0000000000000000 Techworm - News a écrit dans une analyse lundi. Selon les chercheurs, les APK malveillants ne sont pas distribués via Google Play Store d'Android, ce qui signifie que les victimes sont probablement socialement conçues pour télécharger et installer l'application à partir d'une source tierce. L'analyse des trois APK a révélé qu'elles contenaient le Caprarat Trojan et ont été téléchargées sur Virustotal en avril, juillet et août 2023. Deux des Caprarat APK ont été nommés \\ 'YouTube \', et l'un a été nommé \'Piya Sharma \', associée à un canal potentiellement utilisé pour les techniques d'ingénierie sociale basées sur la romance pour convaincre les cibles d'installer les applications. La liste des applications est la suivante: base.media.service moves.media.tubes videos.watchs.share Pendant l'installation, les applications demandent un certain nombre d'autorisations à risque, dont certaines pourraient initialement sembler inoffensives pour la victime pour une application de streaming médiatique comme YouTube et la traiter sans soupçon. L'interface des applications malveillantes tente d'imiter l'application YouTube réelle de Google, mais ressemble plus à un navigateur Web qu'à une application en raison de l'utilisation de WebView à partir de l'application Trojanisée pour charger le service.Ils manquaient également de certaines fonctionnalités et fonctions disponibles dans l'application Android YouTube native légitime. Une fois que Caprarat est installé sur le dispositif de victime, il peut effectuer diverses actions telles que l'enregistrement avec le microphone, les caméras avant et arrière, la collecte de SMS et les contenus de messages multimédias et les journaux d'appels, d'envoi de messages SMS, de blocage des SMS entrants, initier les appels téléphoniques, prendre des captures d'écran, des paramètres système primordiaux tels que GPS & AMP;Réseau et modification des fichiers sur le système de fichiers du téléphone \\ Selon Sentinelabs, les variantes de caprarat récentes trouvées au cours de la campagne actuelle indiquent un développement continu des logiciels malveillants par la tribu transparente. En ce qui concerne l'attribution, les adresses IP des serveurs de commande et de contrôle (C2) avec lesquels Caprarat communique sont codées en dur dans le fichier de configuration de l'application et ont été liés aux activités passées du groupe de piratage. Cependant, certaines adresses IP étaient liées à d'autres campagnes de rats, bien que la relation exacte entre ces acteurs de menace et la tribu transparente reste claire. ]]> 2023-09-19T17:06:25+00:00 https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html www.secnews.physaphae.fr/article.php?IdArticle=8393055 False Malware,Tool,Threat APT 36 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security]]> 2023-09-19T12:26:00+00:00 https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html www.secnews.physaphae.fr/article.php?IdArticle=8385200 False Malware,Tool,Threat APT 36 1.00000000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.]]> 2023-04-19T16:58:00+00:00 https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8329331 False Malware,Tool,Threat APT 36 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i]]> 2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference APT 35,ChatGPT,ChatGPT,APT 36,APT 42 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer ]]> 2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,APT 43,APT 36,APT-C-17 None Security Affairs - Blog Secu 2021-05-23T12:33:32+00:00 https://securityaffairs.co/wordpress/118186/breaking-news/security-affairs-newsletter-round-315.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-315 www.secnews.physaphae.fr/article.php?IdArticle=2827928 False Ransomware,Tool APT 36 None IT Security Guru - Blog Sécurité 2020-03-18T10:48:32+00:00 https://www.itsecurityguru.org/2020/03/18/crimson-rat-spread-via-coronavirus-phishing/?utm_source=rss&utm_medium=rss&utm_campaign=crimson-rat-spread-via-coronavirus-phishing www.secnews.physaphae.fr/article.php?IdArticle=1604445 True Tool,Threat APT 36 2.0000000000000000