The Breach News

Researchers Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP Triggers for Covert Control

Sep 02, 2025 – Cyber Espionage / Network Security

Cybersecurity experts have revealed a new stealthy backdoor named MystRodX, designed to capture sensitive information from compromised systems. According to a report from QiAnXin XLab, “MystRodX is a typical backdoor developed in C++, featuring capabilities such as file management, port forwarding, reverse shell, and socket management.” The report highlights that MystRodX distinguishes itself from standard backdoors through its exceptional stealth and versatility. Also referred to as ChronosRAT, this malware was initially documented by Palo Alto Networks Unit 42 last month, linked to a threat activity cluster named CL-STA-0969, which shows connections to a China-based cyber espionage group called Liminal Panda. Its stealthy nature is enhanced by multiple layers of encryption that obscure both the source code and payloads, while its flexibility allows it to dynamically activate different functionalities based on configuration settings, including the choice between TCP or HTTP for network communication.

Cybersecurity Experts Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP for Discreet Control September 2, 2025 Cyber Espionage / Network Security Cybersecurity experts have recently unveiled MystRodX, a sophisticated backdoor designed to stealthily infiltrate systems and extract sensitive information. According to a report from QiAnXin XLab, MystRodX operates using…

Read More

Researchers Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP Triggers for Covert Control

Sep 02, 2025 – Cyber Espionage / Network Security

Cybersecurity experts have revealed a new stealthy backdoor named MystRodX, designed to capture sensitive information from compromised systems. According to a report from QiAnXin XLab, “MystRodX is a typical backdoor developed in C++, featuring capabilities such as file management, port forwarding, reverse shell, and socket management.” The report highlights that MystRodX distinguishes itself from standard backdoors through its exceptional stealth and versatility. Also referred to as ChronosRAT, this malware was initially documented by Palo Alto Networks Unit 42 last month, linked to a threat activity cluster named CL-STA-0969, which shows connections to a China-based cyber espionage group called Liminal Panda. Its stealthy nature is enhanced by multiple layers of encryption that obscure both the source code and payloads, while its flexibility allows it to dynamically activate different functionalities based on configuration settings, including the choice between TCP or HTTP for network communication.

Security Flaws Discovered in Three Widely Used Open-Source Software Solutions

On July 27, 2021, cybersecurity researchers revealed nine vulnerabilities across three popular open-source projects—EspoCRM, Pimcore, and Akaunting. These platforms are commonly utilized by small to medium businesses, and successful exploitation of these flaws could lead to more advanced cyberattacks. The identified vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12. Fortunately, all issues were addressed within a day of being disclosed, according to researchers Wiktor Sędkowski from Nokia and Trevor Christiansen from Rapid7. Notably, six of the nine vulnerabilities originated in the Akaunting project. EspoCRM serves as an open-source customer relationship management application, while Pimcore functions as an open-source enterprise platform for managing customer data, digital assets, content, and commerce. Akaunting provides open-source online accounting solutions.

Multiple Vulnerabilities Discovered in Popular Open-Source Software Jul 27, 2021 Cybersecurity researchers have identified nine security vulnerabilities across three widely utilized open-source projects: EspoCRM, Pimcore, and Akaunting. These platforms are commonly adopted by small to medium-sized businesses and, if exploited, could pave the way for more complex cyber-attacks. The flaws…

Read More

Security Flaws Discovered in Three Widely Used Open-Source Software Solutions

On July 27, 2021, cybersecurity researchers revealed nine vulnerabilities across three popular open-source projects—EspoCRM, Pimcore, and Akaunting. These platforms are commonly utilized by small to medium businesses, and successful exploitation of these flaws could lead to more advanced cyberattacks. The identified vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12. Fortunately, all issues were addressed within a day of being disclosed, according to researchers Wiktor Sędkowski from Nokia and Trevor Christiansen from Rapid7. Notably, six of the nine vulnerabilities originated in the Akaunting project. EspoCRM serves as an open-source customer relationship management application, while Pimcore functions as an open-source enterprise platform for managing customer data, digital assets, content, and commerce. Akaunting provides open-source online accounting solutions.

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Lazarus Group Enhances Malware Capabilities with New Tools: PondRAT, ThemeForestRAT, and RemotePE On September 2, 2025, cybersecurity researchers revealed that the Lazarus Group, a North Korean-affiliated threat actor, has expanded its malware toolkit. This development includes the introduction of three distinct pieces of cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE. The…

Read More

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…

Microsoft Issues Warning Over New Unpatched Windows Print Spooler RCE Vulnerability On August 12, 2021, Microsoft publicly acknowledged a newly discovered remote code execution (RCE) vulnerability affecting the Windows Print Spooler service. This announcement came just a day after the company’s Patch Tuesday updates, which typically address various security flaws…

Read More

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…

Google Researcher Uncovers Internet Explorer Vulnerability Now Exploited in Targeted Attacks

July 11, 2013

Tensions are rising between Google and Microsoft once again. Recently, Microsoft announced that hackers have been actively taking advantage of a vulnerability disclosed by Google researcher Tavis Ormandy. This flaw, affecting Windows 7 and 8, allows local users to gain escalated privileges, facilitating system compromise.

Microsoft has addressed the vulnerability in its July “Patch Tuesday” updates. However, Ormandy has faced criticism from Microsoft and parts of the security community for publicly revealing the flaw before it was patched—an approach some believe undermines the opportunity for the software developer to respond. Ormandy, in turn, expressed frustrations with Microsoft’s hostile treatment of vulnerability researchers, suggesting that they are often difficult to collaborate with. He advised fellow researchers to consider using pseudonyms when interacting with major tech companies.

Targeted Exploitation of Internet Explorer Vulnerability by Google Researcher On July 11, 2013, a significant vulnerability within Internet Explorer was brought to light by Google researcher Tavis Ormandy, prompting a rapid response from Microsoft. Reports indicate that this specific flaw is being actively exploited by cybercriminals in targeted attacks against…

Read More

Google Researcher Uncovers Internet Explorer Vulnerability Now Exploited in Targeted Attacks

July 11, 2013

Tensions are rising between Google and Microsoft once again. Recently, Microsoft announced that hackers have been actively taking advantage of a vulnerability disclosed by Google researcher Tavis Ormandy. This flaw, affecting Windows 7 and 8, allows local users to gain escalated privileges, facilitating system compromise.

Microsoft has addressed the vulnerability in its July “Patch Tuesday” updates. However, Ormandy has faced criticism from Microsoft and parts of the security community for publicly revealing the flaw before it was patched—an approach some believe undermines the opportunity for the software developer to respond. Ormandy, in turn, expressed frustrations with Microsoft’s hostile treatment of vulnerability researchers, suggesting that they are often difficult to collaborate with. He advised fellow researchers to consider using pseudonyms when interacting with major tech companies.

UK Government’s Mythos AI Tests Distinguish Cybersecurity Threats from Hype

Mythos Model Surpasses Previous AI Systems in Cyber Infiltration Tests In a recent evaluation by AISI, the Mythos model has been recognized for its exceptional performance in tackling the TLO (Tactics, Logics, Objectives) framework, achieving a breakthrough as the first model to navigate this complex challenge from start to finish.…

Read MoreUK Government’s Mythos AI Tests Distinguish Cybersecurity Threats from Hype

Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.

Salesloft to Temporarily Suspend Drift Following Widespread OAuth Token Theft September 3, 2025 In a significant development within the cybersecurity landscape, Salesloft has announced plans to take its Drift service offline imminently. This decision follows a widespread supply chain attack that has affected numerous organizations, leading to the unauthorized acquisition…

Read More

Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.

Unresolved Remote Hacking Vulnerability Found in Fortinet’s FortiWeb WAF

Aug 18, 2021

Recent revelations highlight a serious, unpatched security flaw in Fortinet’s web application firewall (WAF) that could enable a remote authenticated attacker to execute harmful commands on the system. According to cybersecurity firm Rapid7, an OS command injection vulnerability in FortiWeb’s management interface (versions 6.3.11 and earlier) allows this exploitation through the SAML server configuration page. This issue is linked to CVE-2021-22123, which was noted in advisory FG-IR-20-120. Rapid7 identified and reported the vulnerability in June 2021, and Fortinet plans to release a fix in late August with FortiWeb version 6.4.1. While this command injection flaw has not yet been assigned a CVE identifier, it carries a severity rating of 8.7 on the CVSS scoring system. Exploiting this vulnerability could enable authenticated users to execute arbitrary commands.

Unresolved Remote Hacking Vulnerability Uncovered in Fortinet’s FortiWeb WAF Published on August 18, 2021 A newly identified, unaddressed security vulnerability has been reported in Fortinet’s FortiWeb Web Application Firewall (WAF) appliances, raising concerns among cybersecurity experts. This flaw could potentially permit a remote, authenticated attacker to execute arbitrary commands on…

Read More

Unresolved Remote Hacking Vulnerability Found in Fortinet’s FortiWeb WAF

Aug 18, 2021

Recent revelations highlight a serious, unpatched security flaw in Fortinet’s web application firewall (WAF) that could enable a remote authenticated attacker to execute harmful commands on the system. According to cybersecurity firm Rapid7, an OS command injection vulnerability in FortiWeb’s management interface (versions 6.3.11 and earlier) allows this exploitation through the SAML server configuration page. This issue is linked to CVE-2021-22123, which was noted in advisory FG-IR-20-120. Rapid7 identified and reported the vulnerability in June 2021, and Fortinet plans to release a fix in late August with FortiWeb version 6.4.1. While this command injection flaw has not yet been assigned a CVE identifier, it carries a severity rating of 8.7 on the CVSS scoring system. Exploiting this vulnerability could enable authenticated users to execute arbitrary commands.