The post Sindoor Dropper: New Phishing Campaign appeared first on Nextron Systems.| Nextron Systems
Executive Summary On 19 August 2025, the Arctic Wolf® Cybersecurity Operations Center (cSOC) uncovered and remediated a sophisticated delivery chain: a threat actor leveraged GitHub’s repository structure together with paid placements on Google Ads to funnel users toward a malicious download hosted on a lookalike domain. By embedding a commit‑specific link in the advertisement, the attackers ... GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse...| Arctic Wolf
We explore why an OT-centric approach is critical for addressing CIP-015-1’s unique demands and introduce MixMode’s Third-Wave AI, a transformative solution with origins in SCADA and mechanical engineering.| MixMode
A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth where legitimate software development kits (SDKs) are deployed for passive income. The post Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth appeared first on Unit 42.| Unit 42
GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks.| Unit 42
Many of our customers value the broad module support and high detection coverage found in our professional-grade products. However, we are also committed to continuously improving our free tools, ensuring that the gap in detection capabilities does not grow too wide.| Nextron Systems
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1, effective September 2, 2025, demands a new approach to securing critical infrastructure, exposing the inadequacies of conventional methods.| MixMode
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings. The post Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild appeared first on Unit 42.| Unit 42
DarkCloud Stealer's delivery has shifted. We explore three different attack chains that use ConfuserEx obfuscation and a final payload in Visual Basic 6. The post New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer appeared first on Unit 42.| Unit 42
BadSuccessor is an attack vector in Windows Server 2025. Under certain conditions it allows privilege elevation via dMSAs. We analyze its mechanics. The post When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory appeared first on Unit 42.| Unit 42
Project AK47, a toolset including ransomware, was used to leverage SharePoint exploit chain ToolShell. This activity overlaps with Storm-2603. The post Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks appeared first on Unit 42.| Unit 42
Peel back the layers on Unit 42's Attribution Framework. We offer a rare inside view into the system used to ultimately assign attribution to threat groups. The post Introducing Unit 42’s Attribution Framework appeared first on Unit 42.| Unit 42
Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth. Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth.| Unit 42
The post AURORA – Leveraging ETW for Advanced Threat Detection appeared first on Nextron Systems.| Nextron Systems
The recently exploited SharePoint vulnerability chain known as ToolShell (CVE-2025-53770) has shown once again that patching alone isn’t enough. Attackers gained unauthenticated remote access to vulnerable on-premises SharePoint servers, planted web shells, and exfiltrated cryptographic keys to enable further exploitation.| Nextron Systems
Explore how CVE-2025-53770 mirrors past web application exploits like ProxyLogon and Confluence RCE, revealing that despite new vulnerabilities, attacker tactics remain strikingly consistent — from deserialization to persistence.| Binary Defense
We are excited to announce a strategic partnership between Nextron Systems and Threatray AG. This collaboration aims to significantly enhance our existing threat detection capabilities and further improve the precision and sensitivity of our detection signatures. Nextron will leverage Threatray’s advanced Binary Intelligence Platform to refine and extend our detection rules, benefiting both our THOR and Valhalla customers, while Threatray will enhance its own platform by integrating detecti...| Nextron Systems
Water and Wastewater Systems are increasingly becoming soft targets for sophisticated cyber attackers. A new joint fact sheet from the EPA and CISA puts this threat front and center, warning utilities about the growing risk of internet-exposed Human Machine Interfaces (HMIs).| MixMode
Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery. Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery.| Unit 42
Ransomware is hitting the food and agriculture sector hard in 2025. Learn why it's a target and how to reduce your attack surface.| TXOne Networks
In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content. In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content.| Unit 42
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.| Unit 42
Antivirus engines and EDRs have their place – no doubt. But what happens when malware simply slips through their nets? What if the malicious file was never executed? What if the incident happened months ago? That’s where THOR comes in. Our compromise assessment scanner has a unique superpower: it operates where others stay blind – in the calm, post-incident stillness of a system.| Nextron Systems
The Cookie-Bite attack is an advanced evolution of Pass-the-Cookie exploits. This tactic bypasses Multi-Factor Authentication (MFA) by leveraging stolen authentication cookies—such as Azure Entra ID’s ESTSAUTH and ESTSAUTHPERSISTENT—to impersonate users.| MixMode
Linux PAM backdoor analysis revealing stealthy credential theft. See why AV misses them - and how THOR detects what others overlook.| www.nextron-systems.com
This second annual study offers a deeper look at how organizations are using AI to detect and respond to attacks faster, where it’s making the biggest impact, and what’s holding adoption back.| MixMode
SAP systems are the backbone of enterprise finance—and they’re under attack. As economic pressures rise, so do attempts to exploit financial platforms. From insider threats to ransomware and zero-day vulnerabilities, SAP’s critical role in handling billions of dollars daily makes it a high-value target.| MixMode
Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign. Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign.| Unit 42
Artificial intelligence (AI) is transforming industries, but it’s also empowering cybercriminals to launch sophisticated, high-speed cyberattacks. AI-driven attacks, particularly those orchestrated by autonomous AI agents, operate at an accelerated pace, compressing the window for detection and protection.| MixMode
China’s state-sponsored cyber operations, driven by groups like Volt Typhoon, Salt Typhoon, Brass Typhoon, and APT41, and amplified by techniques like Fast Flux DNS, are not chasing Hollywood apocalypse—they’re seizing America’s networks, turning our infrastructure into a weapon against us.| MixMode
One of the biggest challenges organizations face today is detecting malicious activity in cloud environments. As highlighted in MixMode’s latest Threat Research Report, cybercriminals are increasingly leveraging trusted cloud providers like AWS, Microsoft Azure, and Google Cloud to disguise their attacks, a strategy known as infrastructure laundering.| MixMode
The 2025 PyPI supply chain attack is a stark reminder of just how vulnerable cloud ecosystems remain to sophisticated, stealthy, and evolving threats.| MixMode
On April 2, 2025, the NSA, alongside CISA, the FBI, and international allies, sounded the alarm with their “Fast Flux: A National Security Threat” advisory. This isn’t just a technical nuisance—it’s a geopolitical and hacktivist powder keg demanding urgent action.| MixMode
Artificial Intelligence (AI) has quickly become an integral part of modern workflows, with AI-powered applications like copilots, chatbots, and large-scale language models streamlining automation, decision-making, and data processing. However, these same tools introduce significant security risks—often in ways organizations fail to anticipate.| MixMode
Web browsers have evolved from passive document viewers into complex platforms essential for cloud-based work. But this transformation has also made them a prime target for cyber threats, leaving enterprises and government networks vulnerable.| MixMode
As organizations continue to integrate cloud-based services and third-party applications, OAuth authentication has become a cornerstone of modern security frameworks. However, recent cybersecurity incidents highlight a growing concern: OAuth-based vulnerabilities remain an overlooked entry point for attackers, particularly in Zero Trust environments.| MixMode
While its capabilities are impressive, this development raises significant concerns about the hidden costs and potential security risks associated with its widespread adoption.| MixMode
The Codefinger ransomware represents a new frontier in cyber threats, specifically targeting AWS S3 buckets. By exploiting Server-Side Encryption with Customer-Provided Keys (SSE-C), attackers gain control over the encryption process, rendering recovery impossible without their AES-256 keys.| MixMode
Our researchers first detected a surge in fake e-shop scams preying on bargain-hunting consumers during Black Friday and Christmas shopping sprees. However, just because the holiday season ended, doesn’t mean that shoppers are off the hook.| blog.avast.com EN
Arctic Wolf Labs identified a campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces.| Arctic Wolf
We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.| Unit 42
In this blog Morphisec researchers provide technical analysis of CVE-2024-30103, a remote code execution vulnerability impacting Microsoft Outlook.| blog.morphisec.com
ARC Labs recently recovered a tool leveraged in Qilin ransomware attacks aimed at impairing defenses by disabling popular endpoint detection and response (EDR) and antivirus (AV) tools. ARC Labs has labeled this malware as "Killer Ultra" based on a module name within the malware.| Binary Defense
Morphisec researchers have discovered an important Microsoft Outlook vulnerability. Read on for CVE-2024- 38021 details and technical impact.| blog.morphisec.com
The issue with deception does not appear to be within the deception concepts but rather in providers not offering a solution that addresses the issues facing deception adoption.| Binary Defense
Sisense provides data analytics products and services. Researchers and government agencies have found Sisense-related data outside the authorized space, but it is unclear if Sisense's network has been breached.| Binary Defense
This analysis of 30 cybersecurity incidents from January 2023 to February 2024 shows the automotive industry's vulnerability to ransomware and APT attacks.| TXOne Networks
This blog provides an analysis by Morphisec of responding to actual Citrix Bleed attacks (CVE-2023-4966), detailing threat actor tactics and recommended safeguards.| blog.morphisec.com