www.secnews.physaphae.fr. This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T18:49:03+00:00 www.secnews.physaphae.fr

GB Hacker - reverser's blog: KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools
Cybersecurity researchers have stumbled upon a treasure trove of operational tools and scripts linked to the KeyPlug malware, associated with the threat group RedGolf, also known as APT41. The server, which was inadvertently exposed for less than 24 hours, provided an unprecedented glimpse into the sophisticated tactics, techniques, and procedures (TTPs) employed by this advanced […]
2025-04-18T11:53:49+00:00 https://gbhackers.com/keyplug-malware-server/ www.secnews.physaphae.fr/article.php?IdArticle=8664457 False Malware,Tool,Threat APT 41 3.0
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41
2025-02-18T15:22:00+00:00 https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html www.secnews.physaphae.fr/article.php?IdArticle=8648844 False Threat,Prediction APT 41 3.0

Mandiant - Mandiant security blog: Cybercrime: A Multifaceted National Security Threat
2025-02-11T20:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/ www.secnews.physaphae.fr/article.php?IdArticle=8648141 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 41,APT 38,APT 29,APT 43,APT 44 3.0

Mandiant - Mandiant security blog: Adversarial Misuse of Generative AI
science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for defenders, from sifting through complex telemetry to secure coding, vulnerability discovery, and streamlining operations. However, some of these same AI capabilities are also available to attackers, leading to understandable anxieties about the potential for AI to be misused for malicious purposes. Much of the current discourse around cyber threat actors' misuse of AI is confined to theoretical research. While these studies demonstrate the potential for malicious exploitation of AI, they don't necessarily reflect the reality of how AI is currently being used by threat actors in the wild. To bridge this gap, we are sharing a comprehensive analysis of how threat actors interacted with Google's AI-powered assistant, Gemini. Our analysis was grounded by the expertise of Google's Threat Intelligence Group (GTIG), which combines decades of experience tracking threat actors on the front lines and protecting Google, our users, and our customers from government-backed attackers, targeted 0-day exploits, coordinated information operations (IO), and serious cyber crime networks. We believe the private sector, governments, educational institutions, and other stakeholders must work together to maximize AI's benefits while also reducing the risks of abuse. At Google, we are committed to developing responsible AI guided by our principles, and we share
2025-01-29T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai/ www.secnews.physaphae.fr/article.php?IdArticle=8644222 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Legislation,Mobile,Industrial,Cloud,Technical,Commercial APT 41,APT 43,APT 42 3.0

Mandiant - Mandiant security blog: ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator
Introduction
Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PWC. GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related, threat groups based in the PRC; however, we assess that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41. GTIG currently tracks three known POISONPLUG variants: POISONPLUG, POISONPLUG.DEED, and POISONPLUG.SHADOW.
[Figure: countries targeted by POISONPLUG.SHADOW]
POISONPLUG.SHADOW, often referred to as "Shadowpad," a malware family name first introduced by Kaspersky, stands out due to its use of a custom obfuscating compiler specifically designed to evade detection and analysis. Its complexity is compounded not only by the extensive obfuscation mechanisms employed but also by the attackers' highly sophisticated threat tactics. These elements collectively make analysis exceptionally challenging and complicate efforts to identify, understand, and mitigate the associated threats it poses. In addressing these challenges, GTIG collaborates closely with the FLARE team to dissect and analyze POISONPLUG.SHADOW. This partnership utilizes state-of-the-art reverse engineering techniques and comprehensive threat intelligence capabilities required to mitigate the sophisticated threats posed by this threat actor. We remain dedicated to advancing methodologies and fostering innovation to adapt to and counteract the ever-evolving tactics of threat actors, ensuring the security of Google and our customers against sophisticated cyber espionage operations.
Overview
In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks. Our analysis is based solel
2025-01-28T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/ www.secnews.physaphae.fr/article.php?IdArticle=8643871 False Malware,Tool,Threat,Studies,Patching,Cloud APT 41 2.0

Netskope - Netskope is an American software company providing an IT security platform: New Yokai Side-loaded Backdoor Targets Thai Officials
Summary: DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly […]
2024-12-13T15:00:00+00:00 https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials www.secnews.physaphae.fr/article.php?IdArticle=8624596 False Threat APT 41 3.0
RiskIQ - cyber risk firms (now Microsoft): Likely China-based Attackers Target High-profile Organizations in Southeast Asia
2024-12-11T22:38:07+00:00 https://community.riskiq.com/article/9dd28182 www.secnews.physaphae.fr/article.php?IdArticle=8623712 False Malware,Tool,Threat,Cloud APT 41 3.0

RiskIQ: Weekly OSINT Highlights, 18 November 2024
2024-11-18T12:22:31+00:00 https://community.riskiq.com/article/2560112c www.secnews.physaphae.fr/article.php?IdArticle=8613484 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 41,APT 38 3.0

Dark Reading - Informationweek Branch: Toolkit Vastly Expands APT41's Surveillance Powers
The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.
2024-11-13T22:39:34+00:00 https://www.darkreading.com/cyberattacks-data-breaches/toolkit-expands-apt41s-surveillance-powers www.secnews.physaphae.fr/article.php?IdArticle=8610664 False None APT 41 2.0

BlackBerry - hardware and software manufacturer: LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
The threat actor behind LightSpy has expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities.
2024-11-12T09:01:00+00:00 https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign www.secnews.physaphae.fr/article.php?IdArticle=8610605 False Threat APT 41 3.0

RiskIQ: Weekly OSINT Highlights, 4 November 2024
2024-11-04T12:25:16+00:00 https://community.riskiq.com/article/d6da7f0d www.secnews.physaphae.fr/article.php?IdArticle=8605948 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Medical,Cloud,Technical APT 41,APT 28,APT 31,Guam 3.0

RiskIQ: Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns
2024-10-31T20:29:50+00:00 https://community.riskiq.com/article/798c0fdb www.secnews.physaphae.fr/article.php?IdArticle=8604363 False Malware,Tool,Vulnerability,Threat,Legislation,Cloud APT 41,APT 31 3.0

The Hacker News: Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain
The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry. "Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords,
2024-10-21T18:38:00+00:00 https://thehackernews.com/2024/10/chinese-nation-state-hackers-apt41-hit.html www.secnews.physaphae.fr/article.php?IdArticle=8601022 False None APT 41 3.0

RiskIQ: Technical Analysis of a Novel IMEEX Framework
2024-10-10T21:13:00+00:00 https://community.riskiq.com/article/998e3172 www.secnews.physaphae.fr/article.php?IdArticle=8595647 False Ransomware,Malware,Tool,Threat,Technical APT 41 2.0

RiskIQ: Weekly OSINT Highlights, 2 September 2024
2024-09-02T19:54:58+00:00 https://community.riskiq.com/article/161e114f www.secnews.physaphae.fr/article.php?IdArticle=8568711 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud APT 41,APT 32 2.0

RiskIQ: Hackers now use AppDomain Injection to drop CobaltStrike beacons
2024-08-28T20:46:51+00:00 https://community.riskiq.com/article/e3cd79c3 www.secnews.physaphae.fr/article.php?IdArticle=8565688 False Ransomware,Malware,Tool,Vulnerability,Threat,Technical APT 41 3.0

Dark Reading: Hackers Use Rare Stealth Techniques to Down Asian Military, Gov't Orgs
A threat actor resembling APT41 performed "AppDomainManager Injection," which is like DLL sideloading, but arguably easier and stealthier.
2024-08-26T21:33:17+00:00 https://www.darkreading.com/application-security/hackers-use-rare-stealth-techniques-to-down-asian-military-govt-orgs www.secnews.physaphae.fr/article.php?IdArticle=8564337 False Threat APT 41 2.0

RiskIQ: Weekly OSINT Highlights, 19 August 2024
2024-08-19T10:58:28+00:00 https://community.riskiq.com/article/256c3cbd www.secnews.physaphae.fr/article.php?IdArticle=8560248 False Ransomware,Malware,Tool,Threat,Prediction APT 41,APT 42 3.0

The Hacker News: China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa
The China-backed threat actor known as Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries as part of the activity include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms,
2024-08-14T10:31:00+00:00 https://thehackernews.com/2024/08/china-backed-earth-baku-expands-cyber.html www.secnews.physaphae.fr/article.php?IdArticle=8557427 False Threat APT 41 2.0

RiskIQ: A Dive into Earth Baku's Latest Campaign
2024-08-12T19:53:21+00:00 https://community.riskiq.com/article/23e31fb6 www.secnews.physaphae.fr/article.php?IdArticle=8556555 False Malware,Tool,Threat,Medical APT 41 3.0

Dark Reading: APT41 Spinoff Expands Chinese Actor's Scope Beyond Asia
Earth Baku, yet another subgroup of the highly active and increasingly sophisticated collective, is moving into EMEA with new malware and living-off-the-land (LOL) tactics.
2024-08-12T14:30:31+00:00 https://www.darkreading.com/cyberattacks-data-breaches/apt41-spinoff-expands-chinese-actor-scope-beyond-asia www.secnews.physaphae.fr/article.php?IdArticle=8557118 False Malware APT 41 3.0

TrendLabs Security - antivirus vendor: A Dive into Earth Baku's Latest Campaign
Earth Baku has broadened its scope from the Indo-Pacific region to Europe, the Middle East, and Africa. In this blog entry, we examine the threat actor's latest tools, tactics, and procedures.
2024-08-09T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=8554460 False Tool,Threat APT 41 2.0

RiskIQ: Weekly OSINT Highlights, 5 August 2024
2024-08-05T10:51:17+00:00 https://community.riskiq.com/article/ed438f56 www.secnews.physaphae.fr/article.php?IdArticle=8552050 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile APT33,APT 41,APT 33,APT-C-17 3.0

The Hacker News: APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack
A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos. The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed
2024-08-02T22:02:00+00:00 https://thehackernews.com/2024/08/apt41-hackers-use-shadowpad-cobalt.html www.secnews.physaphae.fr/article.php?IdArticle=8549909 False Tool,Threat APT 41 3.0

Dark Reading: China's APT41 Targets Taiwan Research Institute for Cyber Espionage
The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.
2024-08-02T19:20:49+00:00 https://www.darkreading.com/threat-intelligence/chinas-apt41-targets-taiwan-research-institute-for-cyber-espionage www.secnews.physaphae.fr/article.php?IdArticle=8550033 False Threat APT 41 3.0

RiskIQ: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
2024-08-01T18:42:27+00:00 https://community.riskiq.com/article/d791dc39 www.secnews.physaphae.fr/article.php?IdArticle=8549111 False Malware,Tool,Vulnerability,Threat APT 41 3.0

Recorded Future - Recorded Future feed: Taiwan government-backed research organization targeted by APT41 hackers
2024-08-01T17:27:04+00:00 https://therecord.media/taiwan-government-backed-research-institution-apt41-hack www.secnews.physaphae.fr/article.php?IdArticle=8549044 False None APT 41 3.0

RiskIQ: Weekly OSINT Highlights, 22 July 2024
2024-07-22T10:33:31+00:00 https://community.riskiq.com/article/12ac549a www.secnews.physaphae.fr/article.php?IdArticle=8541988 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Cloud APT 41 3.0

RiskIQ: APT41 Has Arisen From the DUST
2024-07-19T18:51:32+00:00 https://community.riskiq.com/article/3ecd0e46 www.secnews.physaphae.fr/article.php?IdArticle=8540438 False Malware,Tool,Threat,Medical,Cloud APT 41 3.0

Dark Reading: China's APT41 Targets Global Logistics, Utilities Companies
According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.
2024-07-19T14:00:00+00:00 https://www.darkreading.com/threat-intelligence/china-apt41-targets-global-logistics-utilities www.secnews.physaphae.fr/article.php?IdArticle=8540255 False Tool,Threat APT 41 3.0

The Hacker News: APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.
Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since
2024-07-19T12:54:00+00:00 https://thehackernews.com/2024/07/apt41-infiltrates-networks-in-italy.html www.secnews.physaphae.fr/article.php?IdArticle=8540107 False None APT 41 3.0

IndustrialCyber - cyber risk firms for industrial: Mandiant and Google TAG detail APT41 cyber campaign targeting global industries
Threat intelligence firm Mandiant in collaboration with Google's Threat Analysis Group (TAG) observed a sustained campaign by the...
2024-07-19T10:54:39+00:00 https://industrialcyber.co/ransomware/mandiant-and-google-tag-detail-apt41-cyber-campaign-targeting-global-industries/ www.secnews.physaphae.fr/article.php?IdArticle=8540163 False Threat APT 41 3.0
Mandiant - Mandiant security blog: APT41 Has Arisen From the DUST
Executive Summary
In collaboration with Google's Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period. APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute the BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used the publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive.
Overview
Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON. As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access. Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle Databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring it to OneDrive to enable exfiltration and subsequent analysis.
2024-07-18T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/ www.secnews.physaphae.fr/article.php?IdArticle=8539580 False Ransomware,Malware,Tool,Threat,Patching,Medical,Cloud APT 41 2.0

RiskIQ: Weekly OSINT Highlights, 15 July 2024
2024-07-15T11:27:07+00:00 https://community.riskiq.com/article/fdcb22e4 www.secnews.physaphae.fr/article.php?IdArticle=8537522 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Prediction,Medical APT 41,APT 40 2.0

The Register - English news site: China's APT41 crew adds a stealthy malware loader and fresh backdoor to its toolbox
Meet DodgeBox, son of StealthVector
Chinese government-backed cyber espionage gang APT41 has very likely added a loader dubbed DodgeBox and a backdoor named MoonWalk to its malware toolbox, according to cloud security service provider Zscaler's ThreatLabz research team.…
2024-07-12T01:29:11+00:00 https://go.theregister.com/feed/www.theregister.com/2024/07/12/china_apt41_malware/ www.secnews.physaphae.fr/article.php?IdArticle=8535375 False Malware,Cloud APT 41 3.0

RiskIQ: DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
## Snapshot
In April 2024, Zscaler ThreatLabz discovered a new loader named DodgeBox, an upgraded and evolved version of StealthVector, a tool previously used by the Chinese APT group, APT41, tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/byExternalId/e49c4119afe798db103058c3ffda5bd85e83534940247449478524d61ae6817a).
## Description
After their analysis of DodgeBox, researchers from Zscaler ThreatLabz assess that the malware is an enhanced version of the StealthVector loader, as there are significant similarities between the two malwares. Written in C, DodgeBox is a reflective DLL loader that has a number of attributes, including the ability to decrypt and load embedded DLLs, perform environment checks, and carry out cleanup procedures. Notably, DodgeBox also employs call stack spoofing, a technique used by malware to obfuscate the origins of API calls, making it difficult for Endpoint Detection and Response (EDR) solutions and antivirus programs to detect the malware. DodgeBox has been used by APT41 to deliver the MoonWalk backdoor, a new backdoor being employed by the threat group. DodgeBox and StealthVector both have similarities in their:
- checksum and configuration decryption,
- decrypted conf
2024-07-11T22:03:33+00:00 https://community.riskiq.com/article/3524d2ae www.secnews.physaphae.fr/article.php?IdArticle=8535322 False Malware,Tool,Threat,Patching APT 41 3.0

The Hacker News: Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk
The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector – which is also referred to as DUSTPAN – has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in
2024-07-11T18:01:00+00:00 https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html www.secnews.physaphae.fr/article.php?IdArticle=8534993 False Malware,Threat APT 41 3.0

Mandiant - Mandiant security blog: Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023, following fixes from the vendors involved in the investigation, have corroborated Mandiant's initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886's intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including:
- The use of publicly available rootkits for long-term persistence
- Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C)
- Subverting access and collecting credentials with Secure Shell (SSH) backdoors
- Extracting credentials from TACACS+ authentication using custom malware
Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customer
2024-06-18T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/ www.secnews.physaphae.fr/article.php?IdArticle=8520461 False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 41 3.0

DarkTrace - AI-based detection: How AI Caught APT41 Exploiting Vulnerabilities
Analyzing how the cyber-criminal group APT41 exploited a zero-day vulnerability, we show how Darktrace's AI detected and investigated the threat immediately.
2024-05-30T02:45:40+00:00 https://darktrace.com/blog/catching-apt41-exploiting-a-zero-day-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8509713 False Vulnerability,Threat APT 41 3.0

RiskIQ: Weekly OSINT Highlights, 8 April 2024
2024-04-08T15:09:15+00:00 https://community.riskiq.com/article/974639f2 www.secnews.physaphae.fr/article.php?IdArticle=8478203 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 41 3.0
RiskIQ - cyber risk firms (now microsoft) Earth Freybug Uses UNAPIMON for Unhooking Critical APIs #### Description Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012 and the Chinese-linked group has been active in espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally. The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring for a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers\' sophistication. [Check out Microsoft\'s write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### Reference URL(s) 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html #### Publication Date April 2, 2024 #### Author(s) Christopher So]]> 2024-04-03T20:46:53+00:00 https://community.riskiq.com/article/327771c8 www.secnews.physaphae.fr/article.php?IdArticle=8475473 False Malware,Tool,Prediction APT 41 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware
New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On
2023-10-04T20:39:00+00:00 | https://thehackernews.com/2023/10/researchers-link-dragonegg-android.html | www.secnews.physaphae.fr/article.php?IdArticle=8391492 | Tags: Malware, Tool, APT 41

InfoSecurity Mag - InfoSecurity Magazine
LightSpy iPhone Spyware Linked to Chinese APT41 Group
ThreatFabric found evidence that LightSpy is linked to Android spyware DragonEgg, attributed to the Chinese-sponsored group
2023-10-04T15:30:00+00:00 | https://www.infosecurity-magazine.com/news/lightspy-iphone-spyware-linked/ | www.secnews.physaphae.fr/article.php?IdArticle=8391493 | Tags: APT 41

GoogleSec - Firm Security Blog
SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade
whitepaper from Dekra, a safety certifications and testing lab, the security shortcomings of SMS can notably lead to:
- SMS Interception: Attackers can intercept SMS messages by exploiting vulnerabilities in mobile carrier networks. This can allow them to read the contents of SMS messages, including sensitive information such as two-factor authentication codes, passwords, and credit card numbers due to the lack of encryption offered by SMS.
- SMS Spoofing: Attackers can spoof SMS messages to launch phishing attacks to make it appear as if they are from a legitimate sender. This can be used to trick users into clicking on malicious links or revealing sensitive information. And because carrier networks have independently developed their approaches to deploying SMS texts over the years, the inability for carriers to exchange reputation signals to help identify fraudulent messages has made it tough to detect spoofed senders distributing potentially malicious messages.
These findings add to the well-established facts about SMS' weaknesses, lack of encryption chief among them. Dekra also compared SMS against a modern secure messaging protocol and found it lacked any built-in security functionality. According to Dekra, SMS users can't answer 'yes' to any of the following basic security questions:
- Confidentiality: Can I trust that no one else can read my SMSs?
- Integrity: Can I trust that the content of the SMS that I receive is not modified?
- Authentication: Can I trust the identity of the sender of the SMS that I receive?
But this isn't just theoretical: cybercriminals have also caught on to the lack of security protections SMS provides and have repeatedly exploited its weakness. Both novice hackers and advanced threat actor groups (such as UNC3944 / Scattered Spider and APT41 investigated by Mandiant, part of Google Cloud) leverage the security deficiencies in SMS to launch different
2023-09-27T12:51:29+00:00 | http://security.googleblog.com/2023/09/sms-security-privacy-gaps-make-it-clear.html | www.secnews.physaphae.fr/article.php?IdArticle=8388447 | Tags: Vulnerability, Threat, Studies, APT 41

IT Security Guru - Security Blog
Lookout Uncovers Advanced Android Surveillanceware Linked To China's APT41
Yesterday, Lookout, Inc., announced the discovery of sophisticated Android surveillanceware known as WyrmSpy and DragonEgg, which has been linked to the Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti). Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. […]
2023-07-20T09:34:15+00:00 | https://www.itsecurityguru.org/2023/07/20/lookout-uncovers-advanced-android-surveillanceware-linked-to-chinas-apt41/?utm_source=rss&utm_medium=rss&utm_campaign=lookout-uncovers-advanced-android-surveillanceware-linked-to-chinas-apt41 | www.secnews.physaphae.fr/article.php?IdArticle=8359177 | Tags: Mobile, APT 41

Bleeping Computer - American Magazine
APT41 hackers target Android users with WyrmSpy, DragonEgg spyware
The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers. [...]
2023-07-20T07:01:12+00:00 | https://www.bleepingcomputer.com/news/security/apt41-hackers-target-android-users-with-wyrmspy-dragonegg-spyware/ | www.secnews.physaphae.fr/article.php?IdArticle=8359232 | Tags: APT 41

Dark Reading - Informationweek Branch
China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
Nation-states see the opportunity in targeting people directly through their mobile phones, in this case with sophisticated Android surveillanceware.
2023-07-19T20:40:00+00:00 | https://www.darkreading.com/threat-intelligence/china-s-apt41-linked-wyrmspy-dragonegg-mobile-spyware | www.secnews.physaphae.fr/article.php?IdArticle=8358966 | Tags: APT 41

Recorded Future - Recorded Future Feed
China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware
The infamous Chinese hacking group tracked as APT41 has been using two newly identified spyware strains to infect Android devices, cybersecurity researchers said. APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence
2023-07-19T19:36:00+00:00 | https://therecord.media/china-linked-hackers-target-mobile-devices-wyrmspy-dragonegg-spyware | www.secnews.physaphae.fr/article.php?IdArticle=8358951 | Tags: APT 41, APT-C-17
InfoSecurity Mag - InfoSecurity Magazine
Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
Lookout attributed WyrmSpy and DragonEgg to APT41 due to overlapping Android signing certificates
2023-07-19T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/apt41-linked-wyrmspy-dragonegg/ | www.secnews.physaphae.fr/article.php?IdArticle=8358867 | Tags: APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value
2023-07-19T15:50:00+00:00 | https://thehackernews.com/2023/07/chinese-apt41-hackers-target-mobile.html | www.secnews.physaphae.fr/article.php?IdArticle=8358765 | Tags: Malware, Threat, APT 41

Global Security Mag - French news site
Lookout discovers advanced Android surveillance software attributed to the Chinese group APT41 (Malwares)
2023-07-19T12:04:07+00:00 | https://www.globalsecuritymag.fr/Lookout-decouvre-un-logiciel-de-surveillance-Android-avance-attribue-au-groupe.html | www.secnews.physaphae.fr/article.php?IdArticle=8358785 | Tags: APT 41

AhnLab - Korean Security Firm
Threat Trend Report on APT Groups – May 2023
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows.
– Agrius
– Andariel
– APT28
– APT29
– APT-C-36 (Blind Eagle)
– Camaro Dragon
– CloudWizard
– Earth Longzhi (APT41)
– GoldenJackal
– Kimsuky
– Lazarus
– Lancefly
– OilAlpha
– Red Eyes (APT37, ScarCruft)
– SideCopy
– SideWinder
– Transparent Tribe (APT36)
– Volt Typhoon (Bronze Silhouette)
ATIP_2023_May_Threat Trend Report on APT Groups_20230609
2023-07-07T02:33:29+00:00 | https://asec.ahnlab.com/en/55184/ | www.secnews.physaphae.fr/article.php?IdArticle=8353225 | Tags: Threat, Prediction, APT 41, APT 38, APT 37, APT 29, APT 28, APT 36, Guam, APT-C-17, GoldenJackal, APT-C-36
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO
2023-05-03T18:57:00+00:00 | https://thehackernews.com/2023/05/chinese-hacker-group-earth-longzhi.html | www.secnews.physaphae.fr/article.php?IdArticle=8333157 | Tags: Malware, APT 41

SecurityWeek - Security News
Chinese APT Uses New 'Stack Rumbling' Technique to Disable Security Software
A subgroup of China-linked hacker group APT41 is using a new 'stack rumbling' DoS technique to disable security software.
2023-05-03T10:46:02+00:00 | https://www.securityweek.com/chinese-apt-uses-new-stack-rumbling-technique-to-disable-security-software/ | www.secnews.physaphae.fr/article.php?IdArticle=8333095 | Tags: APT 41

Dark Reading - Informationweek Branch
APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
The notorious Chinese APT is spreading cyber maliciousness around Southeast Asia, and its next targets are already in sight.
2023-05-02T21:58:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/apt41-subgroup-plows-through-asia-pacific-utilizing-layered-stealth-tactics | www.secnews.physaphae.fr/article.php?IdArticle=8332939 | Tags: APT 41

TrendLabs Security - Antivirus Vendor
Attack on Security Titans: Earth Longzhi Returns With New Tricks
After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi's resilience as a noteworthy threat.
2023-05-02T00:00:00+00:00 | https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html | www.secnews.physaphae.fr/article.php?IdArticle=8332806 | Tags: Threat, APT 41

Dark Reading - Informationweek Branch
APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks
China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration test tools, in a change in strategy.
2023-04-18T17:58:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/apt41-taps-google-red-teaming-tool-targeted-info-stealing-attacks | www.secnews.physaphae.fr/article.php?IdArticle=8328985 | Tags: Tool, APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites
A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO, which is
2023-04-17T17:16:00+00:00 | https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html | www.secnews.physaphae.fr/article.php?IdArticle=8328593 | Tags: Tool, Threat, APT 41

Dark Reading - Informationweek Branch
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP
2023-02-28T16:10:00+00:00 | https://www.darkreading.com/endpoint/china-blackfly-targets-materials-sector-relentless-quest-ip | www.secnews.physaphae.fr/article.php?IdArticle=8314200 | Tags: APT 41

Security Affairs - Security Blog
Previously undetected Earth Longzhi APT group is a subgroup of APT41
Trend Micro reported that the Earth Longzhi group, a previously undocumented subgroup of APT41, targets Ukraine and Asian Countries. Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions […]
2022-11-15T08:46:34+00:00 | https://securityaffairs.co/wordpress/138536/apt/earth-longzhi-subgroup-apt41.html | www.secnews.physaphae.fr/article.php?IdArticle=8023019 | Tags: Threat, Guideline, APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders
2022-11-14T18:33:00+00:00 | https://thehackernews.com/2022/11/new-earth-longzhi-apt-targets-ukraine.html | www.secnews.physaphae.fr/article.php?IdArticle=8009314 | Tags: Threat, Guideline, APT 41

TrendMicro - Security Firm Blog
Hack the Real Box: APT41's New Subgroup Earth Longzhi
2022-11-09T00:00:00+00:00 | https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html | www.secnews.physaphae.fr/article.php?IdArticle=7904747 | Tags: Threat, Guideline, APT 41

Anomali - Firm Blog
Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022)
ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).
Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP
Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022)
The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: Raspberry Robin LNK file on a USB drive, Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp's Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop).
Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.
MITRE ATT&CK: [MITRE ATT&CK] Replicat
2022-11-01T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-shadowpad-c2s-fodcha-hides-behind-obscure-tlds-awaiting-openssl-30-patch-and-more | www.secnews.physaphae.fr/article.php?IdArticle=7765391 | Tags: Ransomware, Malware, Hack, Tool, Vulnerability, Threat, Guideline, APT 41

Mandiant - Mandiant's security blog
Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People's Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include:
- Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.
- Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S
2022-10-26T09:00:00+00:00 | https://www.mandiant.com/resources/blog/prc-dragonbridge-influence-elections | www.secnews.physaphae.fr/article.php?IdArticle=8377414 | Tags: Threat, APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong
2022-10-18T15:41:00+00:00 | https://thehackernews.com/2022/10/chinese-spyder-loader-malware-spotted.html | www.secnews.physaphae.fr/article.php?IdArticle=7538339 | Tags: Malware, Threat, Guideline, APT 41

Security Affairs - Security Blog
China-linked APT41 group targets Hong Kong with Spyder Loader
China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage […]
2022-10-18T14:15:09+00:00 | https://securityaffairs.co/wordpress/137300/apt/apt41-spyder-loader.html | www.secnews.physaphae.fr/article.php?IdArticle=7541666 | Tags: Threat, Guideline, APT 41, APT 17

Bleeping Computer - American Magazine
Hackers compromised Hong Kong govt agency network for a year
2022-10-18T06:00:00+00:00 | https://www.bleepingcomputer.com/news/security/hackers-compromised-hong-kong-govt-agency-network-for-a-year/ | www.secnews.physaphae.fr/article.php?IdArticle=7540828 | Tags: Guideline, APT 41

Anomali - Firm Blog
Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games' Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim's YouTube channel. These videos target gamers with promises of "cheats" and "cracks."
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub
2022-09-20T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more | www.secnews.physaphae.fr/article.php?IdArticle=7016803 | Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Uber, APT 41, APT 15

InfoSecurity Mag - InfoSecurity Magazine
China-backed APT41 Group Hacked at Least 13 Victims in 2021
2022-08-19T16:30:00+00:00 | https://www.infosecurity-magazine.com/news/china-apt41-campaign-13-victims/ | www.secnews.physaphae.fr/article.php?IdArticle=6416340 | Tags: APT 41

Dark Reading - Informationweek Branch
China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload
2022-08-18T18:34:08+00:00 | https://www.darkreading.com/remote-workforce/china-apt41-baffling-approach-cobalt-strike-payload | www.secnews.physaphae.fr/article.php?IdArticle=6397228 | Tags: Tool, Threat, APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year
2022-08-18T06:33:50+00:00 | https://thehackernews.com/2022/08/china-backed-apt41-hackers-targeted-13.html | www.secnews.physaphae.fr/article.php?IdArticle=6394982 | Tags: Threat, Guideline, APT 41

Mandiant - Mandiant's security blog
Trending Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaigns Against Ukrainian Entities
Available today is the latest edition of Trending Evil, our quarterly report that breaks down the most recent threats observed by Mandiant Managed Defense. In this edition we provide an inside look at our defense of Ukrainian entities after initiating additional protective measures for customers, observations of APT41, and a breakdown of web attacks:
- Disrupting Russian Attacks: In anticipation of continued Russian cyber attacks in support of its invasion of Ukraine, Managed Defense enhanced monitoring and threat hunting services for customers beginning in February 2022. This led to the
2022-06-02T11:00:00+00:00 | https://www.mandiant.com/resources/blog/trending-evil-spotlight-ukraine | www.secnews.physaphae.fr/article.php?IdArticle=8377462 | Tags: Threat, APT 41
Security Affairs - Security Blog
China-linked Winnti APT steals intellectual property from companies worldwide
2022-05-04T22:06:34+00:00 | https://securityaffairs.co/wordpress/130909/apt/china-winnti-apt-steals-intellectual-property.html | www.secnews.physaphae.fr/article.php?IdArticle=4545707 | Tags: APT 41

SecurityWeek - Security News
China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report
2022-05-04T16:28:39+00:00 | https://www.securityweek.com/china-linked-winnti-apt-group-silently-stole-trade-secrets-years-report | www.secnews.physaphae.fr/article.php?IdArticle=4543929 | Tags: APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
2022-05-04T06:04:06+00:00 | https://thehackernews.com/2022/05/chinese-hackers-caught-stealing.html | www.secnews.physaphae.fr/article.php?IdArticle=4542726 | Tags: Threat, APT 41

Cybereason - Vendor blog
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
In 2021, the Cybereason Nocturnus Incident Response Team investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes.
2022-05-04T04:01:00+00:00 | https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques | www.secnews.physaphae.fr/article.php?IdArticle=4541155 | Tags: APT 41

Cybereason - Vendor blog
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
In part one of this research, the Cybereason Nocturnus Incident Response Team provided a unique glimpse into the Winnti intrusion playbook, covering the techniques that were used by the group from initial compromise to stealing the data, as observed and analyzed by the Cybereason Incident Response team.
2022-05-04T04:00:00+00:00 | https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive | www.secnews.physaphae.fr/article.php?IdArticle=4541156 | Tags: Malware, APT 41

Fortinet ThreatSignal - Hardware Vendor
APT41 Compromised Six U.S. State Government Networks
2022-03-10T23:39:03+00:00 | https://fortiguard.fortinet.com/threat-signal-report/4449 | www.secnews.physaphae.fr/article.php?IdArticle=4258974 | Tags: Malware, Tool, Vulnerability, Threat, Guideline, APT 41, APT 15

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
APT41 Spies Broke Into 6 US State Networks via a Livestock App
2022-03-09T21:10:20+00:00 | https://threatpost.com/apt41-spies-broke-into-6-us-state-networks-via-livestock-app/178838/ | www.secnews.physaphae.fr/article.php?IdArticle=4251227 | Tags: Hack, Threat, APT 41

InformationSecurityBuzzNews - Security News Site
Comment: Chinese Spies Hacked A Livestock App To Breach US State Networks
2022-03-09T12:24:11+00:00 | https://informationsecuritybuzz.com/expert-comments/comment-chinese-spies-hacked-a-livestock-app-to-breach-us-state-networks/ | www.secnews.physaphae.fr/article.php?IdArticle=4249622 | Tags: Vulnerability, Guideline, APT 41

InformationSecurityBuzzNews - Security News Site
Log4j Breaches At Least 6 U.S. State Governments
2022-03-09T12:04:33+00:00 | https://informationsecuritybuzz.com/expert-comments/log4j-breaches-at-least-6-u-s-state-governments/ | www.secnews.physaphae.fr/article.php?IdArticle=4249280 | Tags: Guideline, APT 41

InfoSecurity Mag - InfoSecurity Magazine
Chinese APT41 Group Compromises Six US Government Networks
2022-03-09T09:30:00+00:00 | https://www.infosecurity-magazine.com/news/chinese-apt41-group-compromises/ | www.secnews.physaphae.fr/article.php?IdArticle=4249247 | Tags: APT 41

ComputerWeekly - Computer Magazine
China's APT41 exploited Log4j within hours
2022-03-09T07:15:00+00:00 | https://www.computerweekly.com/news/252514376/Chinas-APT41-exploited-Log4j-within-hours | www.secnews.physaphae.fr/article.php?IdArticle=4249713 | Tags: APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese APT41 Hackers Broke into at Least 6 U.S. State Governments: Mandiant
2022-03-09T02:04:37+00:00 | https://thehackernews.com/2022/03/chinese-apt41-hackers-broke-into-at.html | www.secnews.physaphae.fr/article.php?IdArticle=4249140 | Tags: Vulnerability, Threat, Guideline, APT 41

Mandiant - Mandiant's security blog
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
UPDATE (Mar. 8): The original post may not have provided full clarity that CVE-2021-44207 (USAHerds) had a patch developed by Acclaim Systems for applicable deployments on or around Nov. 15, 2021. Mandiant cannot speak to the affected builds, deployment, adoption, or other technical factors of this vulnerability patch beyond its availability. In May 2021 Mandiant responded to an APT41 intrusion targeting a United States state government computer network. This was just the beginning of Mandiant's insight into a persistent months-long campaign conducted by APT41 using vulnerable Internet
2022-03-08T15:00:00+00:00 | https://www.mandiant.com/resources/blog/apt41-us-state-governments | www.secnews.physaphae.fr/article.php?IdArticle=8377495 | Tags: Vulnerability, APT 41

Anomali - Firm Blog
Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
FBI Warns Of Malicious QR Codes Used To Steal Your Money (published: January 23, 2022)
The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021.
Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: EU & UK, Banking and Finance
MoonBounce: The Dark Side Of UEFI Firmware (published: January 20, 2022)
Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect.
Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code.
MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 |
2022-01-25T16:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-moonbounce-accesspress-qr-code-scams-and-more | www.secnews.physaphae.fr/article.php?IdArticle=4030711 | Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, APT 41, APT 28

Security Affairs - Security Blog
MoonBounce UEFI implant spotted in a targeted APT41 attack
2022-01-21T11:59:14+00:00 | https://securityaffairs.co/wordpress/126998/apt/moonbounce-uefi-implant-apt41.html?utm_source=rss&utm_medium=rss&utm_campaign=moonbounce-uefi-implant-apt41 | www.secnews.physaphae.fr/article.php?IdArticle=4008740 | Tags: Threat, Guideline, APT 41

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks 2022-01-21T03:40:40+00:00 https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html www.secnews.physaphae.fr/article.php?IdArticle=4008833 False Malware,Threat,Guideline APT 41,APT 41 None Kaspersky - Kaspersky Research blog MoonBounce: the dark side of UEFI firmware 2022-01-20T10:00:11+00:00 https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ www.secnews.physaphae.fr/article.php?IdArticle=4002396 False Guideline APT 41 None Bleeping Computer - Magazine Américain New MoonBounce UEFI malware used by APT41 in targeted attacks 2022-01-20T07:55:29+00:00 https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=4002987 False Malware,Guideline APT 41 None Anomali - Firm Blog Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. 
It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow]]> 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 41,APT 38,APT 29,APT 28,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set 
Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021) Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed. Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029 Tags: Conti, Wizard Spider, Ransomware, Banking and Finance Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021) Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role. Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. 
If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115 Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin ‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021) Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group ]]> 2021-12-21T16:57:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-pseudomanuscrypt-mass-spyware-campaign-targets-35k-systems-apt31-intrusion-set-campaign-description-countermeasures-and-code-state-sponsored-hackers-abuse-slack-api-to-steal www.secnews.physaphae.fr/article.php?IdArticle=3841167 False Ransomware,Malware,Vulnerability,Threat,Guideline,Medical APT 41,APT 38,APT 28,APT 31 None InfoSecurity Mag - InfoSecurity Magazine China\'s APT41 Manages Library of Breached Certificates 2021-11-18T13:00:00+00:00 https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/ www.secnews.physaphae.fr/article.php?IdArticle=3674310 False None APT 41,APT 41 None Anomali - Firm Blog Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021) Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%). Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions. 
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110 Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran Ransomware in the CIS (published: October 7, 2021) Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto]]> 2021-10-12T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more www.secnews.physaphae.fr/article.php?IdArticle=3505382 False Ransomware,Malware,Tool,Threat,Guideline,Prediction APT 41,APT 41,APT 39,APT 29,APT 29,APT 28 None Kaspersky - Kaspersky Research blog SAS 2021: Learning to ChaCha with APT41 2021-10-12T16:00:34+00:00 https://securelist.com/sas-2021-learning-to-chacha-with-apt41/104536/ www.secnews.physaphae.fr/article.php?IdArticle=3505410 False Malware,Threat,Guideline APT 41 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers ]]> 2021-10-05T06:16:08+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/wFMqRw3SpeE/new-study-links-seemingly-disparate.html www.secnews.physaphae.fr/article.php?IdArticle=3471174 False Malware,Guideline APT 41 None Anomali - Firm Blog Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence S.O.V.A. – A New Android Banking Trojan with Fowl Intentions (published: September 10, 2021) ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap. Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation. 
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (published: September 9, 2021) Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud. Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl]]> 2021-09-14T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-azurescape-cloud-threat-mshtml-0-day-in-the-wild-confluence-cloud-hacked-to-mine-monero-and-more www.secnews.physaphae.fr/article.php?IdArticle=3369753 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Guideline Uber,APT 41,APT 15 None Security Affairs - Blog Secu Grayfly APT uses recently discovered Sidewalk backdoor 2021-09-10T15:11:45+00:00 https://securityaffairs.co/wordpress/122069/apt/grayfly-apt-backdoor.html?utm_source=rss&utm_medium=rss&utm_campaign=grayfly-apt-backdoor www.secnews.physaphae.fr/article.php?IdArticle=3360477 False Guideline APT 41 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group ]]> 2021-09-10T01:18:43+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/mK3ON58t51s/experts-link-sidewalk-malware-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=3358606 False Malware,Guideline APT 41 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe SideWalk Backdoor Linked to China-Linked Spy Group \'Grayfly\' 2021-09-09T14:30:56+00:00 https://threatpost.com/sidewalk-backdoor-china-espionage-grayfly/169310/ www.secnews.physaphae.fr/article.php?IdArticle=3357166 False Malware,Guideline APT 41 None