📰 Cyber Feed Aggregator

🧠 Threat Intel

Latest Threat Intel coverage curated from trusted cybersecurity sources.

• Coming Soon: Discord to Roll Out Global Age Verification Using Facial Scans, ID
  Security Archives - TechRepublic — Tue, 10 Feb 2026 13:44:09 +0000

  Discord will soon roll out global age verification, using age inference plus video selfie or ID checks to limit access to sensitive content. Find out when. The post Coming Soon: Discord to Roll Out Global Age Verification Using Facial Scans, ID appeared first on TechRepublic.

• 23andMe Data Breach Settlement Deadline Is Near: Here’s How Much You Could Get
  Security Archives - TechRepublic — Mon, 09 Feb 2026 19:46:43 +0000

  23andMe customers affected by a data breach may be eligible for cash or monitoring services. Here’s how to file a claim before the deadline. The post 23andMe Data Breach Settlement Deadline Is Near: Here’s How Much You Could Get appeared first on TechRepublic.

• Google Warns Over 1 Billion Android Phones Are Now at Risk
  Security Archives - TechRepublic — Mon, 09 Feb 2026 19:37:37 +0000

  Google warns that over 40% of Android devices no longer receive security updates, leaving more than 1 billion devices exposed to malware and spyware attacks. The post Google Warns Over 1 Billion Android Phones Are Now at Risk appeared first on TechRepublic.

• AI Agents Are Creating Insider Security Threat Blind Spots, Research Finds
  Security Archives - TechRepublic — Mon, 09 Feb 2026 15:29:22 +0000

  AI agents are creating insider security blind spots — and vendors are racing to catch up. The post AI Agents Are Creating Insider Security Threat Blind Spots, Research Finds appeared first on TechRepublic.

• Flickr’s 35M Users Affected by Third-Party Data Exposure
  Security Archives - TechRepublic — Mon, 09 Feb 2026 14:00:35 +0000

  Flickr disclosed a data exposure tied to a third-party email provider, highlighting how external service vulnerabilities can put millions of users at risk. The post Flickr’s 35M Users Affected by Third-Party Data Exposure appeared first on TechRepublic.

• How Global Power Struggles Are Rewriting Cyber Defense
  Lohrmann on Cybersecurity — Sun, 08 Feb 2026 10:02:00 GMT

  Navigating insights from the World Economic Forum’s meeting at Davos on AI-driven threats, the push for digital sovereignty and the weaponization of critical global infrastructure.

• Novel Technique to Detect Cloud Threat Actor Operations
  Unit 42 — Fri, 06 Feb 2026 23:00:02 +0000

  We introduce a novel method that maps cloud alert trends to MITRE ATT&CK techniques. The patterns created could identify threat actors by behavior. The post Novel Technique to Detect Cloud Threat Actor Operations appeared first on Unit 42.

• All gas, no brakes: Time to come to AI church
  Cisco Talos Blog — Thu, 05 Feb 2026 19:00:39 GMT

  This week, Joe cautions the rush to adopt AI tools rife with truly awful security vulnerabilities.

• 2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults
  The Cloudflare Blog — Thu, 05 Feb 2026 14:00:00 GMT

  The number of DDoS attacks more than doubled in 2025. The network layer is under particular threat as hyper-volumetric attacks grew 700%.

• Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
  Cisco Talos Blog — Thu, 05 Feb 2026 11:00:55 GMT

  Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants.

• The Shadow Campaigns: Uncovering Global Espionage
  Unit 42 — Thu, 05 Feb 2026 11:00:10 +0000

  In 2025 a threat group compromised government and critical infrastructure in 37 countries, with reconnaissance in 155. The post The Shadow Campaigns: Uncovering Global Espionage appeared first on Unit 42.

• Ransom & Dark Web Issues Week 1, Fabruary 2026
  ASEC — Wed, 04 Feb 2026 15:00:00 +0000

  ASEC Blog publishes Ransom & Dark Web Issues Week 1, Fabruary 2026 Qilin Targets South Korean Public Broadcaster with Ransomware Confidential Military Data from U.S. Aerospace Composites Manufacturer Sold on BreachForums ShinyHunters Leaks Data from Two Prestigious U.S. Private Universities

• Why Smart People Fall For Phishing Attacks
  Unit 42 — Wed, 04 Feb 2026 00:00:43 +0000

  Why do successful phishing attacks target our psychology rather than just our software? Discover Unit 42’s latest insights on defeating social engineering and securing your digital life. The post Why Smart People Fall For Phishing Attacks appeared first on Unit 42.

• Enterprise Phishing: How Attackers Abuse Trusted Microsoft & Google Platforms 
  Malware Analysis - ANY.RUN's Cybersecurity Blog — Tue, 03 Feb 2026 09:41:32 +0000

  ANY.RUN observes a growing trend of phishing kit infrastructure being hosted on legitimate cloud and CDN platforms, rather than on newly registered domains. These campaigns often target enterprise users specifically, creating a global threat to businesses. The shift creates serious visibility challenges for...

• After TikTok: Navigating the Complex Web of Foreign Tech Bans
  Lohrmann on Cybersecurity — Sun, 01 Feb 2026 10:46:00 GMT

  As federal and state governments extend their lists of banned foreign technologies, where is this trend heading next? Is your home network safe for work use?

• Privileged File System Vulnerability Present in a SCADA System
  Unit 42 — Fri, 30 Jan 2026 23:00:01 +0000

  We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack. The post Privileged File System Vulnerability Present in a SCADA System appeared first on Unit 42.

• Understanding the Russian Cyberthreat to the 2026 Winter Olympics
  Unit 42 — Thu, 29 Jan 2026 21:30:47 +0000

  Russia's current isolation from the Olympics may lead to increased cyberthreats targeting the 2026 Winter Games. We discuss the potential threat picture. The post Understanding the Russian Cyberthreat to the 2026 Winter Olympics appeared first on Unit 42.

• TAG Bulletin: Q4 2025
  Threat Analysis Group (TAG) — Thu, 29 Jan 2026 19:30:00 +0000

  An overview of coordinated influence operation campaigns terminated on our platforms in Q4 2025.

• I'm locked in!
  Cisco Talos Blog — Thu, 29 Jan 2026 19:00:34 GMT

  Hazel reflects on how to find balance while staying informed, then delivers practical updates and insights on the latest cybersecurity threats.

• Microsoft releases update to address zero-day vulnerability in Microsoft Office
  Cisco Talos Blog — Thu, 29 Jan 2026 14:43:54 GMT

  Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild.

• Dissecting UAT-8099: New persistence mechanisms and regional focus
  Cisco Talos Blog — Thu, 29 Jan 2026 11:00:11 GMT

  Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam.

• Ransom & Dark Web Issues Week 4, January 2026
  ASEC — Wed, 28 Jan 2026 15:00:00 +0000

  ASEC Blog publishes Ransom & Dark Web Issues Week 4, January 2026 New Ransomware Group 0APT and BravoX Identified [1], [2] RAMP Cybercrime Forum Domains Seized by FBI and DOJ World Leaks Targets U.S. Global Sportswear Company in Ransomware Attack

• Attackers Are Taking Over Real Email Threads to Deliver Phishing: New Enterprise Risk
  Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 28 Jan 2026 12:07:27 +0000

  Think you can trust every email that comes from a business partner? Unfortunately, that’s no longer guaranteed; attackers now slip into legitimate threads and send messages that look fully authentic. That’s exactly what happened in a new case uncovered by ANY.RUN researchers; a trust takeover inside a real...

• New Android Theft Protection Feature Updates: Smarter, Stronger
  Google Online Security Blog — 2026-01-27T16:59:00.001Z

  Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered...

• Building a serverless, post-quantum Matrix homeserver
  The Cloudflare Blog — Tue, 27 Jan 2026 14:00:00 GMT

  As a proof of concept, we built a Matrix homeserver to Cloudflare Workers — delivering encrypted messaging at the edge with automatic post-quantum cryptography.

• Cybersecurity’s New Business Case: Fraud
  Lohrmann on Cybersecurity — Sun, 25 Jan 2026 10:41:00 GMT

  Government security leaders are struggling. Cyber investments are lagging. Resources are being cut. The problem is getting worse. Let’s explore solutions.

• Detection of Recent RMM Distribution Cases Using AhnLab EDR
  ASEC — Thu, 22 Jan 2026 15:00:00 +0000

  AhnLab SEcurity intelligence Center (ASEC) has recently observed an increase in attack cases exploiting Remote Monitoring and Management (RMM) tools. Whereas attackers previously exploited remote control tools during the process of seizing control after initial penetration, they now increasingly leverage RMM tools...

• Millions of people imperiled through sign-in links sent by SMS
  security - Ars Technica — Wed, 21 Jan 2026 23:22:14 +0000

  Even well-known services with millions of users are exposing sensitive data.

• Ransom & Dark Web Issues Week 3, January 2026
  ASEC — Wed, 21 Jan 2026 15:00:00 +0000

  ASEC Blog publishes Ransom & Dark Web Issues Week 3, January 2026 Qilin Ransomware Targets Korean Specialist in Semiconductor/Display Components & Surface Treatment U.S. DOJ: Access Broker “r1z” Pleads Guilty Qilin Ransomware Targets Vietnam’s National Airlines

• From Forgotten Tool to Powerful Pivot: Using JA3 to Expose Attackers’ Infrastructure 
  Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 21 Jan 2026 07:30:02 +0000

  A growing skepticism around JA3 is evident, and quite understandable as well. Public lists are rarely updated, and initiatives like JA3-fingerprints have been effectively frozen since 2021, creating the impression that this is a “yesterday’s technology.” However, JA3 fingerprints have not disappeared. Sensors...

• December 2025 Security Issues in Korean & Global Financial Sector
  ASEC — Tue, 20 Jan 2026 15:00:00 +0000

  This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on...

• How we mitigated a vulnerability in Cloudflare’s ACME validation logic
  The Cloudflare Blog — Mon, 19 Jan 2026 14:00:00 GMT

  A vulnerability was recently identified in Cloudflare’s automation of certificate validation. Here we explain the vulnerability and outline the steps we’ve taken to mitigate it.

• Will 2026 See a ‘ChatGPT Moment’ for Microchip Implants?
  Lohrmann on Cybersecurity — Sun, 18 Jan 2026 10:06:00 GMT

  As Hollywood imagines our future, are brain and human microchip implants nearing a “ChatGPT moment” in 2026? Medical progress collides with privacy fears and state bans.

• Astro is joining Cloudflare
  The Cloudflare Blog — Fri, 16 Jan 2026 14:00:00 GMT

  The Astro Technology Company team — the creators of the Astro web framework — is joining Cloudflare. We’re doubling down on making Astro the best framework for content-driven websites, today and in the years to come.

• Many Bluetooth devices with Google Fast Pair vulnerable to “WhisperPair” hack
  security - Ars Technica — Thu, 15 Jan 2026 17:46:40 +0000

  Even Google's own earbuds are vulnerable to the Fast Pair hack.

• German Manufacturing Under Phishing Attacks: Tracking a Stealthy AsyncRAT Campaign 
  Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 14 Jan 2026 09:28:12 +0000

  Manufacturing companies have quietly become one of the most hunted species in the modern threat landscape. Not because they are careless, but because they are operationally critical, geographically distributed, and often rely on complex IT and OT environments that attackers love to probe. Key Takeaways The Threat...

• CastleLoader Analysis: A Deep Dive into Stealthy Loader Targeting Government Sector
  Malware Analysis - ANY.RUN's Cybersecurity Blog — Tue, 13 Jan 2026 08:23:58 +0000

  ANY.RUN’s team conducted an extensive malware analysis of CastleLoader, the first link in the chain of attacks impacting various industries, including government agencies and critical infrastructures. It’s a unique walkthrough of its entire execution path, from a packaged installer to C2 server connection, as well...

• Most Popular Cybersecurity Blogs From 2025
  Lohrmann on Cybersecurity — Sun, 11 Jan 2026 10:33:00 GMT

  What were the top government technology and cybersecurity blog posts in 2025? The metrics tell us what cybersecurity and technology infrastructure topics were most popular.

• Google will end dark web reports that alerted users to leaked data
  security - Ars Technica — Mon, 15 Dec 2025 18:13:24 +0000

  Google says the reports lacked "helpful next steps."

• The 2025 Cloudflare Radar Year in Review: The rise of AI, post-quantum, and record-breaking DDoS attacks
  The Cloudflare Blog — Mon, 15 Dec 2025 14:00:00 GMT

  We present our 6th annual review of Internet trends and patterns observed across the globe, revealing the disruptions, advances and metrics that defined 2025.

• HTTPS certificate industry phasing out less secure domain validation methods
  Google Online Security Blog — 2025-12-10T20:00:00.001Z

  Posted by Chrome Root Program Team Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by...

• Further Hardening Android GPUs
  Google Online Security Blog — 2025-12-09T17:00:00.008Z

  Posted by Liz Prucka, Hamzeh Zawawy, Rishika Hooda, Android Security and Privacy Team Last year, Google's Android Red Team partnered with Arm to conduct an in-depth security analysis of the Mali GPU, a component used in billions of Android devices worldwide. This collaboration was a significant step in proactively...

• Architecting Security for Agentic Capabilities in Chrome
  Google Online Security Blog — 2025-12-08T18:03:00.001Z

  Posted by Nathan Parker, Chrome security team Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the...

• Android expands pilot for in-call scam protection for financial apps
  Google Online Security Blog — 2025-12-03T16:59:00.000Z

  Posted by Aden Haussmann, Associate Product Manager and Sumeet Sharma, Play Partnerships Trust & Safety Lead Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle. Over the last few years, we’ve launched industry-leading features to detect scams and protect...

• We're at Black Hat Europe
  EclecticIQ Blog — Wed, 03 Dec 2025 13:31:15 GMT

  EclecticIQ is proud to sponsor and exhibit at Black Hat Europe 2025, one of the world’s leading cybersecurity and threat intelligence conferences. This year’s event brings more than 3,000 security professionals from over 70 countries to London’s ExCeL for two days of technical briefings, hands-on research, and...

• Autumn Dragon: China-nexus APT Group Targets South East Asia
  Blaze's Security Blog — 2025-11-19T22:52:00.001Z

  In this report, we describe how we tracked for several months a sustained espionage campaign against the government, media, and news sectors in several countries including Laos, Cambodia, Singapore, the Philippines and Indonesia. Since early 2025, China’s involvement in the Indo-Pacific has been more prolific, from...

• TAG Bulletin: Q3 2025
  Threat Analysis Group (TAG) — Thu, 13 Nov 2025 16:00:00 +0000

  Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025.

• The reality: Bargains bring risk
  EclecticIQ Blog — Mon, 10 Nov 2025 07:26:16 GMT

  From Black Friday to Boxing Day, shopping surges and so do cyber scams. Countdown timers and “last chance” offers create urgency that attackers exploit. Every click has consequences if you’re not prepared.

• Why no business is immune to cyberattacks
  EclecticIQ Blog — Mon, 03 Nov 2025 09:57:03 GMT

  The reality: every organization is a potential target Cybersecurity is no longer a concern reserved for the world’s largest enterprises or government agencies. In today’s hyperconnected world, every organization — regardless of size, sector, or geography — is a potential target.

• Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking
  security - Ars Technica — Thu, 30 Oct 2025 20:29:43 +0000

  Cellebrite can apparently extract data from most Pixel phones, unless they're running GrapheneOS.

• EclecticIQ Intelligence Center 3.6: Built for finished intel, custom data modeling, and faster investigations
  EclecticIQ Blog — Tue, 28 Oct 2025 09:55:22 GMT

  EclecticIQ Intelligence Center 3.6 isn’t just an update - it’s a leap forward. With smarter finished intelligence reporting, flexible intelligence modelling, and next-level AI features, this release helps cybersecurity teams move faster, work smarter, and deliver more value across the organization. Let’s break down...

• Earth Estries alive and kicking
  Blaze's Security Blog — 2025-10-27T22:09:00.004Z

  Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more. In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to...

• Lessons from the BlackBasta Ransomware Attack on Capita
  @BushidoToken Threat Intel — 2025-10-18T13:17:00.000Z

  Introduction When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract...

• Extending STIX: How Custom objects empower your intelligence work
  EclecticIQ Blog — Tue, 14 Oct 2025 07:15:00 GMT

  In today’s fast-moving threat landscape, your intelligence doesn’t always fit predefined categories. EclecticIQ Intelligence Center 3.6 gives you Custom objects, built on STIX’s extension capability, so you can capture and operationalize intelligence that goes beyond the standard object types.

• A biological 0-day? Threat-screening tools may miss AI-designed proteins.
  security - Ars Technica — Fri, 03 Oct 2025 20:12:52 +0000

  Ordering DNA for AI-designed toxins doesn't always raise red flags.

• Ransomware Tool Matrix Update: Community Reports
  @BushidoToken Threat Intel — 2025-09-13T20:38:00.000Z

  Introduction The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such...

• Three Lazarus RATs coming for your cheese
  Fox-IT International blog — Mon, 01 Sep 2025 13:00:00 +0000

  Authors: Yun Zheng Hu and Mick Koomen Introduction In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to...

• TAG Bulletin: Q2 2025
  Threat Analysis Group (TAG) — Mon, 21 Jul 2025 17:45:00 +0000

  Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2025.

• Steam Phishing: popular as ever
  Blaze's Security Blog — 2025-06-20T17:20:00.005Z

  A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends): Figure 1 - 'this is for you' The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at...

• TAG Bulletin: Q1 2025
  Threat Analysis Group (TAG) — Thu, 15 May 2025 17:30:00 +0000

  This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2025. It was last updated on May 15, 2025.JanuaryWe terminated 12 YouT…

• Ransomware Tool Matrix Project Updates: May 2025
  @BushidoToken Threat Intel — 2025-05-05T22:01:00.000Z

  Introduction This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they...

• Tracking Adversaries: EvilCorp, the RansomHub affiliate
  @BushidoToken Threat Intel — 2025-04-02T15:52:00.000Z

  Introduction This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups. The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent...

• BlackBasta Leaks: Lessons from the Ascension Health attack
  @BushidoToken Threat Intel — 2025-02-27T22:43:00.000Z

  The BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to...

• TAG Bulletin: Q4 2024
  Threat Analysis Group (TAG) — Tue, 17 Dec 2024 22:00:00 +0000

  This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2024. It was last updated on February 19, 2024.OctoberWe terminated 11…

• Decrypting Full Disk Encryption with Dissect
  Fox-IT International blog — Wed, 11 Dec 2024 07:30:00 +0000

  Author: Guus Beckers Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with...

• Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
  Fox-IT International blog — Wed, 25 Sep 2024 10:36:12 +0000

  Authors: Boudewijn Meijer && Rick Veldhoven Introduction As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Reponse (EDR) vendors. Now, attackers focus on in-memory...

• Microsoft Word and Sandboxes
  Blaze's Security Blog — 2024-08-14T17:35:00.001Z

  Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office Most sandboxes will trigger somehow or something if a tool or malware tries to collect system information or user information. But what if we collect the user name via the registry and...

• New North Korean based backdoor packs a punch
  Blaze's Security Blog — 2024-06-20T21:10:00.001Z

  In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or with espionage purposes in mind. The North Korean cluster of attack groups is peculiar seeing there is quite some overlap with one another, and...

• The State of Go Fuzzing - Did we already reach the peak?
  Low-level adventures — Wed, 15 May 2024 12:11:10 GMT

  During one of the recent working days, I was tasked with fuzzing some Go applications. That's something I had not done in a while, so my first course of action was to research the current state of the art of the tooling landscape. After like a couple of

• Sifting through the spines: identifying (potential) Cactus ransomware victims
  Fox-IT International blog — Thu, 25 Apr 2024 04:00:00 +0000

  Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group...

• Android Malware Vultur Expands Its Wingspan
  Fox-IT International blog — Thu, 28 Mar 2024 10:00:15 +0000

  Authored by Joshua Kamp Executive summary The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by...

• DarkGate - Threat Breakdown Journey
  Toxin Labs — 2023-08-06T00:00:00.000Z

  Intro Over the past month, a widespread phishing campaign has targeted individuals globally. The campaigns execution chain ends with the deployment of a malware known as: DarkGate. A loader type malware. DarkGate is exclusively sold on underground online forums and the developer keeps a very tight amount of seats...

• Kraken - The Deep Sea Lurker Part 2
  Toxin Labs — 2023-05-26T00:00:00.000Z

  Intro In the second part of analyzing the “KrakenKeylogger”, I will be diving into some proactive “threat hunting” steps I’ve done during my research about the Kraken. here What we have? Let’s start with what we currently have and how can we pivot with it: C2: thereccorp.com Payload fetching domain:...

• Kraken - The Deep Sea Lurker Part 1
  Toxin Labs — 2023-05-20T00:00:00.000Z

  Intro In this first part we will be going through a recent phishing campaign delivering a never seen before “KrakenKeylogger” malware. The Phish The mail sent to the victim is a simple malspam mail with archive attachment: The archive is a .zip archive that contains .lnk file: LNK Analysis LEcmd Tool In order to...

• PlutoCrypt - A CryptoJoker Ransomware Variant
  Toxin Labs — 2023-04-14T00:00:00.000Z

  Intro In This blog I will deep dive into a variant of CryptoJoker Ransomware alongside with analyzing the multi stage execution chain. BRACE YOURSELVES! The Phish Our story begins with a spear phishing email, targeting Turkish individuals and organizations. These attacks often begin with an email that appears to be...

• LummaC2 - Stealer Features BreakDown
  Toxin Labs — 2023-04-09T00:00:00.000Z

  Intro This blog will be a bit different from my ususal blogs, it will mainly contain scripts and some research I’ve spent on finding some of the things you’ll read through the blog. I’ve tried to cover things that weren’t covered in previous blogs that can be found on Lumma Stealer Malpedia entry The Phish The...

• WannaCry: The Most Preventable Ransomware is Still at Large
  Malicious History - ANY.RUN's Cybersecurity Blog — Tue, 17 Jan 2023 07:47:38 +0000

  The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. This was, probably, the most avoidable ransomware incident. And, at the same time, one of the most damaging and rapidly spreading malware outbreaks. This is the story of the WannaCry...

• Vulnerability Research Digest - Issue 1 (macOS/iOS in 2022)
  Blog — 2022-12-29T00:00:00.000Z

  In the past few years I created some twitter threads (e.g. Windows Kernel Security Linux Kernel Security) on a number of publications I found the most interesting within the vulnerability research space, this didn’t really give me that much space to actually provide detail or allow this to be stored within a format...

• The End of Sodinokibi: the Infamous Ransomware Goes Down
  Malicious History - ANY.RUN's Cybersecurity Blog — Tue, 13 Dec 2022 05:50:08 +0000

  Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dollars, hitting prominent targets such as Apple, Acer, Donald Trump’s lawyers, and most recently, HX5, a US defense company. It took a law enforcement operation coordinated between 17 countries...

• Learning Linux kernel exploitation - Part 2 - CVE-2022-0847
  Low-level adventures — Mon, 09 May 2022 11:56:35 GMT

  Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.

• Demystifying Security Research - Part 1
  Blog — 2022-04-24T00:00:00.000Z

  There are a number of key questions which are always asked by people wanting to get into security research, find out more about how others go about it or just generally improve their processes. In this post I want to highlight some of things which work for me and some guidance which may help for others. This is a...

• Learning Linux kernel exploitation - Part 1 - Laying the groundwork
  Low-level adventures — Tue, 01 Mar 2022 08:47:34 GMT

  Table fo contents Disclaimer: This post will cover basic steps to accomplish a privilege escalation based on a vulnerable driver. The basis for this introduction will be a challenge from the hxp2020 CTF called "kernel-rop". There's (obviously) write-ups for this floating around the net (check

• Overview of GLIBC heap exploitation techniques
  Low-level adventures — Sun, 13 Feb 2022 15:15:47 GMT

  Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way

• MISC study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
  Low-level adventures — Sat, 12 Feb 2022 15:44:31 GMT

  Disclaimer: These are unfiltered study notes mostly for myself. Guaranteed not to be error free. So if you did land here, managed to get to the end of it and found some mistakes just hit me up, I'd love to know what's wrong :) AArch64 - Preface

• CVE-2021-30660 - XNU Kernel Memory Disclosure
  Blog — 2021-06-01T00:00:00.000Z

  The msgrcv_nocancel syscall could disclose uninitialized memory from kernel space into userspace. This is due to an incorrect calculation being performed when copying the memory. The vulnerability was patched in the following releases: macOS 11.3 iOS 14.5 Vulnerability Details (sysv_msg.c) The msgrcv_nocancel...

• Rise and Fall of Emotet
  Malicious History - ANY.RUN's Cybersecurity Blog — Fri, 05 Feb 2021 06:02:36 +0000

  Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down. Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced...

• CVE-2020-9967 - Apple macOS 6LowPAN Vulnerability
  Blog — 2020-12-22T00:00:00.000Z

  Inspired by Kevin Backhouse’s great work on finding XNU remote vulnerabilities I decided to spend some time looking at CodeQL and performing some variant analysis. This lead to the discovery of a local root to kernel (although documented by Apple as remote) vulnerability within the 6LowPAN code of macOS 10.15.4....

• Time Bombs: Malware with Delayed Execution
  Malicious History - ANY.RUN's Cybersecurity Blog — Thu, 17 Sep 2020 13:38:00 +0000

  Did you know that there’s malware that behaves just like cliched ticker-bombs from Hollywood blockbusters? It enters the system and waits there, sometimes for ages, with the timer slowly but inevitably counting towards the destructive explosion. Or in our case — execution. Once the time comes, a cyber-bomb like...

• Malware History: MyDoom
  Malicious History - ANY.RUN's Cybersecurity Blog — Wed, 16 Sep 2020 11:37:00 +0000

  MyDoom, sometimes also called Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R is a worm type malware that infects Windows PCs. After infecting machines, the malware gets access to all files and distributes itself to the email contacts of the victim. It also features a countback timer that starts DOS attacks on...

• Coverage Guided Fuzzing in Go
  Blog — 2020-07-27T00:00:00.000Z

  Recently I had the need to explore coverage guided fuzzing in Go. Whilst there is a bit of information scattered around on multiple different sites, as someone who is fairly new to Go, I couldn’t find a good concise source of information on what is already out there and the current state of play of fuzzer tooling...