The Breach News

Microsoft Releases Patches for Active 0-Day Vulnerability and 55 Other Windows Flaws

On February 10, 2021, Microsoft addressed a total of 56 vulnerabilities, including a critical 0-day exploit that is currently being targeted in the wild. Among these, 11 vulnerabilities are classified as Critical, 43 as Important, and 2 as Moderate in severity, with six being previously disclosed. The updates enhance security across various platforms, including .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and key system components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).

The most critical vulnerability addressed is a Windows Win32k privilege escalation issue (CVE-2021-1732, CVSS score 7.8), which could allow attackers with access to a system to execute malicious code with elevated privileges. Microsoft acknowledges the contributions of JinQuan, MaDongZe, TuXiaoYi, and LiHao from DBAPPSecurity in identifying this vulnerability.

Microsoft Releases Security Updates Addressing 0-Day Vulnerability and 55 Additional Windows Flaws On February 10, 2021, Microsoft rolled out critical updates targeting 56 vulnerabilities, among which is a severe exploit that is currently being actively utilized in cyber-attacks. The updates categorize 11 vulnerabilities as Critical, 43 as Important, and 2…

Read More

Microsoft Releases Patches for Active 0-Day Vulnerability and 55 Other Windows Flaws

On February 10, 2021, Microsoft addressed a total of 56 vulnerabilities, including a critical 0-day exploit that is currently being targeted in the wild. Among these, 11 vulnerabilities are classified as Critical, 43 as Important, and 2 as Moderate in severity, with six being previously disclosed. The updates enhance security across various platforms, including .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and key system components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).

The most critical vulnerability addressed is a Windows Win32k privilege escalation issue (CVE-2021-1732, CVSS score 7.8), which could allow attackers with access to a system to execute malicious code with elevated privileges. Microsoft acknowledges the contributions of JinQuan, MaDongZe, TuXiaoYi, and LiHao from DBAPPSecurity in identifying this vulnerability.

Google Uncovers Three New Malware Families Linked to Russian COLDRIVER Hackers

October 21, 2025
Cyber Espionage / Threat Intelligence

Google’s Threat Intelligence Group (GTIG) has revealed that the hacking group COLDRIVER, associated with Russia, has introduced a new suite of malware, indicating an intensified operational pace. Since May 2025, the group has shown a knack for rapid development and refinement, unveiling these new malware families just five days after the release of their previously documented LOSTKEYS. While the exact duration of development for the new malware remains unclear, GTIG noted a complete absence of LOSTKEYS activities since its disclosure. The newly identified threats—codenamed NOROBOT, YESROBOT, and MAYBEROBOT—constitute a “collection of related malware families interconnected through a delivery chain,” according to GTIG researcher Wesley Shields in a Monday analysis. These recent attack strategies mark a significant shift from COLDRIVER’s standard operational patterns.

Google Uncovers Three New Malware Families Linked to COLDRIVER Hackers October 21, 2025 Cyber Espionage / Threat Intelligence In a recent revelation, Google’s Threat Intelligence Group (GTIG) has identified three new malware families attributed to the Russian hacking group COLDRIVER. This discovery, made public on October 21, highlights a concerted…

Read More

Google Uncovers Three New Malware Families Linked to Russian COLDRIVER Hackers

October 21, 2025
Cyber Espionage / Threat Intelligence

Google’s Threat Intelligence Group (GTIG) has revealed that the hacking group COLDRIVER, associated with Russia, has introduced a new suite of malware, indicating an intensified operational pace. Since May 2025, the group has shown a knack for rapid development and refinement, unveiling these new malware families just five days after the release of their previously documented LOSTKEYS. While the exact duration of development for the new malware remains unclear, GTIG noted a complete absence of LOSTKEYS activities since its disclosure. The newly identified threats—codenamed NOROBOT, YESROBOT, and MAYBEROBOT—constitute a “collection of related malware families interconnected through a delivery chain,” according to GTIG researcher Wesley Shields in a Monday analysis. These recent attack strategies mark a significant shift from COLDRIVER’s standard operational patterns.

New PS1Bot Malware Campaign Utilizes Malvertising for Multi-Stage In-Memory Attacks

Aug 13, 2025
Malvertising / Cryptocurrency

Cybersecurity experts have identified a new malvertising campaign aimed at deploying a multi-stage malware framework known as PS1Bot. Researchers Edmund Brumaghin and Jordyn Dunk from Cisco Talos explained that “PS1Bot features a modular architecture, incorporating various modules for malicious activities such as information theft, keylogging, reconnaissance, and creating persistent access to compromised systems.” The design emphasizes stealth, leaving minimal traces on infected machines and using in-memory execution techniques to run subsequent modules without writing them to disk. Since early 2025, campaigns distributing this PowerShell and C# malware have actively exploited malvertising to propagate, executing modules in-memory to reduce forensic footprints.

New PS1Bot Malware Campaign Deploys Multi-Stage In-Memory Attacks via Malvertising August 13, 2025 Cybersecurity experts have uncovered a sophisticated malvertising campaign that aims to deploy a multi-stage malware framework known as PS1Bot. This threat is characterized by its modular architecture, allowing various malicious components to be executed on compromised systems.…

Read More

New PS1Bot Malware Campaign Utilizes Malvertising for Multi-Stage In-Memory Attacks

Aug 13, 2025
Malvertising / Cryptocurrency

Cybersecurity experts have identified a new malvertising campaign aimed at deploying a multi-stage malware framework known as PS1Bot. Researchers Edmund Brumaghin and Jordyn Dunk from Cisco Talos explained that “PS1Bot features a modular architecture, incorporating various modules for malicious activities such as information theft, keylogging, reconnaissance, and creating persistent access to compromised systems.” The design emphasizes stealth, leaving minimal traces on infected machines and using in-memory execution techniques to run subsequent modules without writing them to disk. Since early 2025, campaigns distributing this PowerShell and C# malware have actively exploited malvertising to propagate, executing modules in-memory to reduce forensic footprints.

Iranian Hackers Deploy ScreenConnect for Espionage Against UAE and Kuwait Government Agencies

February 11, 2021

Recent research reveals that UAE and Kuwait government agencies have fallen victim to a new cyberespionage initiative, likely orchestrated by Iranian threat actors. Attributed to the group known as Static Kitten (also referred to as MERCURY or MuddyWater), Anomali reports that the aim of this operation is to install a remote management tool named ScreenConnect, which was acquired by ConnectWise in 2015, using unique launch parameters and custom properties. Malware samples and URLs have been disguised as communications from the Kuwaiti Ministry of Foreign Affairs and the UAE National Council. Since its emergence in 2017, MuddyWater has been linked to several attacks targeting Middle Eastern nations, actively exploiting the Zerologon vulnerability to launch real-world attacks against significant Israeli organizations. This state-sponsored hacking group is believed to operate under the direction of Iran’s Islamic Revolutionary Guard Corps.

Iranian Hackers Target UAE and Kuwait Government Agencies Using ScreenConnect Feb 11, 2021 In a recent development, government agencies in the United Arab Emirates (UAE) and Kuwait have fallen victim to a sophisticated cyberespionage campaign, thought to be executed by Iranian threat actors. According to findings from Anomali, the attack…

Read More

Iranian Hackers Deploy ScreenConnect for Espionage Against UAE and Kuwait Government Agencies

February 11, 2021

Recent research reveals that UAE and Kuwait government agencies have fallen victim to a new cyberespionage initiative, likely orchestrated by Iranian threat actors. Attributed to the group known as Static Kitten (also referred to as MERCURY or MuddyWater), Anomali reports that the aim of this operation is to install a remote management tool named ScreenConnect, which was acquired by ConnectWise in 2015, using unique launch parameters and custom properties. Malware samples and URLs have been disguised as communications from the Kuwaiti Ministry of Foreign Affairs and the UAE National Council. Since its emergence in 2017, MuddyWater has been linked to several attacks targeting Middle Eastern nations, actively exploiting the Zerologon vulnerability to launch real-world attacks against significant Israeli organizations. This state-sponsored hacking group is believed to operate under the direction of Iran’s Islamic Revolutionary Guard Corps.

Bearlyfy Targets Russian Companies with Custom GenieLocker Ransomware

Mar 27, 2026
Threat Intelligence / Vulnerability

The pro-Ukrainian group Bearlyfy has carried out over 70 cyber attacks on Russian firms since emerging in January 2025, deploying a custom Windows ransomware strain known as GenieLocker in their latest campaigns. According to Russian security firm F6, “Bearlyfy (also referred to as Labubu) is a dual-purpose group focused on maximizing damage to Russian businesses, aiming for both financial extortion and acts of sabotage.” The group was first identified by F6 in September 2025, noted for using encryptors linked to LockBit 3 (Black) and Babuk, initially targeting smaller companies before escalating to ransom demands around €80,000 (approximately $92,100). By August 2025, Bearlyfy had claimed at least 30 victims. Additionally, starting in May 2025, the group began to use a modified version of PolyVice, a ransomware variant associated with Vice Society.

Bearlyfy Launches Custom GenieLocker Ransomware Against Russian Firms March 27, 2026 In a significant escalation of cyber hostilities, a pro-Ukrainian hacking group known as Bearlyfy has been linked to over 70 cyber attacks directed at Russian companies since it emerged on the cybersecurity radar in January 2025. The latest operations…

Read More

Bearlyfy Targets Russian Companies with Custom GenieLocker Ransomware

Mar 27, 2026
Threat Intelligence / Vulnerability

The pro-Ukrainian group Bearlyfy has carried out over 70 cyber attacks on Russian firms since emerging in January 2025, deploying a custom Windows ransomware strain known as GenieLocker in their latest campaigns. According to Russian security firm F6, “Bearlyfy (also referred to as Labubu) is a dual-purpose group focused on maximizing damage to Russian businesses, aiming for both financial extortion and acts of sabotage.” The group was first identified by F6 in September 2025, noted for using encryptors linked to LockBit 3 (Black) and Babuk, initially targeting smaller companies before escalating to ransom demands around €80,000 (approximately $92,100). By August 2025, Bearlyfy had claimed at least 30 victims. Additionally, starting in May 2025, the group began to use a modified version of PolyVice, a ransomware variant associated with Vice Society.

CISA Adds Two Vulnerabilities in N-able N-central to Its Known Exploited Vulnerabilities Catalog

Aug 14, 2025 | Vulnerability / Network Security

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included two security flaws affecting N-able N-central in its Known Exploited Vulnerabilities (KEV) catalog, due to evidence of active exploitation. N-able N-central is a Remote Monitoring and Management (RMM) platform tailored for Managed Service Providers (MSPs) to effectively manage and safeguard their clients’ Windows, Apple, and Linux endpoints from a centralized platform.

The identified vulnerabilities are as follows:

  • CVE-2025-8875 (CVSS score: N/A): An insecure deserialization vulnerability that may allow for command execution.
  • CVE-2025-8876 (CVSS score: N/A): A command injection vulnerability resulting from improper sanitization of user input.

Both issues have been resolved in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able is also advising customers to ensure multi-factor authentication (MFA) is enabled, particularly for admin accounts.

CISA Adds Two N-able N-central Vulnerabilities to High-Risk Catalog On August 14, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the inclusion of two significant vulnerabilities related to N-able N-central in its Known Exploited Vulnerabilities (KEV) catalog. This decision comes in response to evidence indicating that these flaws…

Read More

CISA Adds Two Vulnerabilities in N-able N-central to Its Known Exploited Vulnerabilities Catalog

Aug 14, 2025 | Vulnerability / Network Security

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included two security flaws affecting N-able N-central in its Known Exploited Vulnerabilities (KEV) catalog, due to evidence of active exploitation. N-able N-central is a Remote Monitoring and Management (RMM) platform tailored for Managed Service Providers (MSPs) to effectively manage and safeguard their clients’ Windows, Apple, and Linux endpoints from a centralized platform.

The identified vulnerabilities are as follows:

  • CVE-2025-8875 (CVSS score: N/A): An insecure deserialization vulnerability that may allow for command execution.
  • CVE-2025-8876 (CVSS score: N/A): A command injection vulnerability resulting from improper sanitization of user input.

Both issues have been resolved in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able is also advising customers to ensure multi-factor authentication (MFA) is enabled, particularly for admin accounts.

Malvertising Group Harnesses WebKit 0-Day to Redirect Users to Scam Sites

February 17, 2021

A malvertising collective known as “ScamClub” has exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirect users to fraudulent gift card scam websites. The attacks, first identified by the advertising security firm Confiant in late June 2020, took advantage of a bug (CVE-2021–1801) that allowed malicious actors to circumvent the iframe sandboxing policy in the browser engine used by Safari and Google Chrome on iOS, enabling them to execute harmful code. This technique specifically targeted the way WebKit manages JavaScript event listeners, allowing attackers to escape the sandbox of an ad’s inline frame even with the “allow-top-navigation-by-user-activation” attribute in place, which typically prevents redirection unless an event occurs within the iframe. To validate this approach, researchers created a simple HTML file featuring a cross-origin sandboxed iframe, along with an external button…

Malvertisers Exploit WebKit 0-Day to Redirect Users to Fraudulent Schemes On February 17, 2021, security researchers revealed a significant cybersecurity threat posed by a malvertising group dubbed “ScamClub.” This group has taken advantage of a zero-day vulnerability within WebKit-based browsers, enabling them to inject malicious payloads that redirect unsuspecting users…

Read More

Malvertising Group Harnesses WebKit 0-Day to Redirect Users to Scam Sites

February 17, 2021

A malvertising collective known as “ScamClub” has exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirect users to fraudulent gift card scam websites. The attacks, first identified by the advertising security firm Confiant in late June 2020, took advantage of a bug (CVE-2021–1801) that allowed malicious actors to circumvent the iframe sandboxing policy in the browser engine used by Safari and Google Chrome on iOS, enabling them to execute harmful code. This technique specifically targeted the way WebKit manages JavaScript event listeners, allowing attackers to escape the sandbox of an ad’s inline frame even with the “allow-top-navigation-by-user-activation” attribute in place, which typically prevents redirection unless an event occurs within the iframe. To validate this approach, researchers created a simple HTML file featuring a cross-origin sandboxed iframe, along with an external button…

The Race to Prevent AI Agents from Misusing Your Credit Cards

In light of the escalating threats posed by malware, impersonation, and account takeovers, digital security continues to be a critical concern for businesses. The emergence of agentic AI has further complicated matters, introducing new risks where automated agents act on behalf of users, and creating potential vulnerabilities in digital transactions.…

Read MoreThe Race to Prevent AI Agents from Misusing Your Credit Cards