admin

admin

  • Joined: September 10, 2024
  • Articles: 4794

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.

APT41 Exploits Open Source Tool to Target Taiwanese Media Outlets In a recently uncovered cyber operation, Google’s Threat Analysis Group (TAG) reported that a Chinese state-sponsored threat actor known as APT41 has aimed its sights on a Taiwanese media organization.…

How ACI Worldwide Intends to Tackle APP Scams Head-On

Fraud Management & Cybercrime, Fraud Risk Management, Mobile Payments Fraud ACI Worldwide’s New Signals Network Intelligence Technology Aims to Combat APP Scams Brian Pereira (creed_digital) • August 26, 2025 Image: Shutterstock Real-time payments (RTP) and other cashless transaction methods allow…

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post-Storm-0558 Breach

Apr 22, 2025
Identity Management / Cloud Security

Microsoft announced on Monday the migration of its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and is currently in the process of transitioning the Entra ID signing service. This move follows updates made about seven months ago to Microsoft Entra ID and MS for both public and U.S. government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service. “These enhancements aim to mitigate the vulnerabilities we believe were exploited in the 2023 Storm-0558 attack,” stated Charlie Bell, Executive Vice President for Microsoft Security, in a pre-publication post shared with The Hacker News. Microsoft also highlighted that 90% of identity tokens from Microsoft Entra ID for its applications are validated by a robust identity Software Development Kit (SDK), with 92% of employee…

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post Storm-0558 Breach On April 22, 2025, Microsoft announced a significant upgrade to its Microsoft Account (MSA) signing service, relocating it to Azure confidential virtual machines (VMs). This move comes as…

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Coordinated Scanning Activity Targeting ColdFusion, Struts, and Elasticsearch Uncovered May 28, 2025 | Network Security / Vulnerability Recent investigations by cybersecurity experts revealed a coordinated scanning initiative that exploited vulnerabilities across a range of platforms. On May 8, 2025, GreyNoise…

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware April 17, 2023 Financial Security / Malware Recent research from Kaspersky has unveiled a new initiative utilizing the QBot banking Trojan to compromise business email communications as a method…

Agentic AI Browsers: A New Target for Online Scammers

Artificial Intelligence & Machine Learning , Cybercrime , Fraud Management & Cybercrime AI Agent Deceptively Purchases and Exposes Sensitive Data After Single Prompt Pooja Tikekar (@PoojaTikekar) • August 25, 2025     Image: Shutterstock Research reveals that AI agents designed…

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

Ripple’s xrpl.js npm Package Compromised in Significant Supply Chain Attack April 23, 2025 Blockchain / Cryptocurrency In a concerning development within the cryptocurrency sector, the npm JavaScript library for Ripple, known as xrpl.js, has fallen victim to unknown adversaries in…

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Mimo Hackers Target Craft CMS Flaw to Deploy Cryptomining and Proxy Services On May 28, 2025, cybersecurity analysts reported an alarming trend in which financially motivated hackers have been exploiting a serious vulnerability in the Craft Content Management System (CMS)—designated…