This report provides statistical data on published vulnerabilities and exploits we researched in Q2 2025. It also includes summary data on the use of C2 frameworks.| Securelist
El informe contiene datos estadísticos sobre las vulnerabilidades que nuestro equipo publicó, y los exploits que investigó en el segundo trimestre de 2025, así como datos resumidos sobre el uso de frameworks C2.| Securelist
Executive Summary This analysis represents the second instalment in a comprehensive examination of the KorPlug malware family. Previous reporting detailed the initial loading vector utilising DLL side-loading techniques against legitimate utilities to achieve code execution. The second-stage payload executes via a designated entry point function. Static analysis of the binary| RevEng.AI Blog
As businesses adopt AI-enabled interfaces, ransomware actors use them to expand, increase profits, and enhance successful attacks.| Help Net Security
I was using apt-cache in Ubuntu to get a list of dependencies for a certain package and parse the output programmatically, eventually I wanted to programatically download and package them within an archive for offline installs later on. I was not really sure about the exact meanings of the output ...| The Code Ship
Trends of Key APT Groups by Region 1) North Korea North Korea’s APT group actively utilized the ClickFix technique and performed the DLL side-loading technique through OLE objects inserted in Hangul (HWP) documents. Kimsuky The Kimsuky group utilized the ClickFix tactic to launch a multi-stage spear phishing attack targeting diplomats […]| ASEC
Overview Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks that were identified during the month of July 2025. Figure 1. Statistics of APT attacks in South Korea in July 2025 The majority of APT attacks […]| ASEC
…and its actually a pretty neat idea!| Made by Mikal
Regional APT Threat Situation In June 2025, the global threat hunting system of Fuying Lab detected a total of 33 APT attack activities. These activities were mainly distributed in regions such as South Asia, East Asia, West Asia, Eastern Europe, and South America, as shown in the figure below. In terms of organizational activity, the […] The post NSFOCUS Monthly APT Insights – June 2025 appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and ...| NSFOCUS, Inc., a global network and cyber security leader, protects enterpris...
CVE-2025-8088 (CVSS 8.4) ist eine neue, hoch riskante Path Traversal-Schwachstelle [CWE-35] in WinRAR bis einschließlich Version 7.12, sowie in verwandten Komponenten wie beispielsweise UnRAR.dll. Die Schwachstelle erlaubt unautorisierten Angreifenden, schadhafte Dateien in sensible Verzeichnisse wie den Windows-Autostart-Ordner zu kopieren, von wo sie automatisch ausgeführt werden können. Laut ESET Research wurde die aktive Ausnutzung erstmals am […]| Greenbone
Sicherheitsforscher von Trend Micro berichten, dass die Schadsoftware Lumma Stealer in einer neuen, verbesserten Version zurück ist. Die Malware ist schwerer z| B2B Cyber Security
Probably when you saw the title, your reaction was WTF?! Using astrology for APT detection, that's totally crazy! But, the sad fact is that it isn't so crazy after all because large number of products that are offered on the market claim that they are protecting you from APTs in the same way astrology claims it can predict your future. To elaborate a bit more this claim, the key question is how| Everything about nothing
Cybersecurity - Cybersecurity Threats - What is Cybersecurity Threat? - Types of Cybersecurity Threats - Cybersecurity Attacks| Gridinsoft Blogs
Kaspersky experts analyze an incident that saw APT41 launch a targeted attack on government IT services in Africa.| securelist.com
Overview UNC3886 is a state-sponsored advanced persistent threat (APT) group first identified by Mandiant in 2022. Believed to be linked to China, UNC3886 has been active since at least 2021, conducting highly targeted cyber espionage operations against critical infrastructure and virtualized environments worldwide—with a strategic focus on Asia and North America. Targeted Sectors and... Read more » The post Unmasking UNC3886: A Sophisticated Cyber Espionage Group Targeting Critical Inf...| TXOne Networks
AhnLab SEcurity intelligence Center (ASEC) has recently identified a case where a malicious LNK file is disguised as the credit card security email authentication pop-up to steal user information. The identified malicious LNK file has the following file name, disguising itself as the credit card company. **card_detail_20250610.html.lnk The threat actor has been using PowerShell scripts for keylogging […]| ASEC
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of RokRAT malware using a Hangul Word Processor document (.hwp). RokRAT is typically distributed by including a decoy file and malicious script inside a shortcut (LNK) file. However, ASEC found a case where the malware was distributed through HWP documents instead of an LNK file. […]| ASEC
June 2025 APT Attack Trends Report (South Korea) ASEC| ASEC
The newly discovered backdoor1 in the XZ Utils package2 affecting numerous Linux distributions3 and assigned CVE-2024-30944 is being dismissed by some members of the technology and security communities as yet another supply chain attack; relevant only because of how blatant it was and that it affected the Open Source ecosystem but in essence nothing out of the ordinary. Regardless of whether this perspective is gaining traction due to cynicism, as hyperbole for clicks or as a coping mechanism...| Jayson Salazar Rodriguez | @jdsalaro | Blog
Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.| Cisco Talos Blog
CERT Polska obserwuje złośliwą kampanię e-mail prowadzoną przez grupę APT28 przeciwko polskim instytucjom rządowym.| CERT Polska
The post The Blind Spot Scanner – Why THOR Detects What Others Miss appeared first on Nextron Systems.| Nextron Systems
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”| Cisco Talos Blog
I’m currently learning Helm to improve how I deploy and manage Kubernetes applications. This post is a quick summary of […]| Vuyisile Ndlovu
Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.| Cisco Talos Blog
Nothing we have ever recorded on SCW has brought so much joy to David. However, at several points during the episode, we may have witnessed Matthew Green’s soul leave his body. Our esteemed guests Justin Schuh and Matt Green joined us to debate whether Dual_EC_DRBG was intentionally backdoored by the NSA or ‘just’ a major fuckup. Links: Dicky George at InfiltrateCon 2014, Life at Both Ends of the Barrel - An NSA Targeting Retrospective: https://youtu.be/qq-LCyRp6bU?si=MyTBKomkIVaxSy1Q D...| Security Cryptography Whatever
Kaspersky researchers analyze GOFFEE’s campaign in H2 2024: the updated infection scheme, new PowerModul implant, switch to a binary Mythic agent.| securelist.com
Join us at PostgresSQL Extension Mini Summit #3 this week, where PostgreSQL Debian packaging maintainer Christoph Berg will takes on a tour of APT extension packaging.| Just a Theory
Last week Christoph Berg, who maintains PostgreSQL’s APT packaging system, gave a very nice talk on that system. Herein lie the transcript and links to the slides and video.| ❖ Just a Theory
Understanding how to detect obfuscated threats is key to defending against stealthy cyber attacks. Learn how THOR uncovers hidden threats.| www.nextron-systems.com
Join us at PostgresSQL Extension Mini Summit #3 this week, where PostgreSQL Debian packaging maintainer Christoph Berg will takes on a tour of APT extension packaging.| ❖ Just a Theory
Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.| Sekoia.io Blog
One aspect of vulnerability intelligence is also doing a best-faith effort to track the threat actors that are using the vulnerabilities. While that information often isn’t published, when it…| Rants of a deranged squirrel.
In this article, we discuss the tools and TTPs used in the SideWinder APT's attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.| securelist.com
Delve into Finance-related cyber threats in 2024. Our report highlights major actors and tactics impacting the financial sector.| Sekoia.io Blog
The EarlyCrow system introduces a groundbreaking approach to detecting Advanced Persistent Threat (APT) malware command and control (C&C) communications.| Cyber Security News
An APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.| Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Kaspersky researchers analyze EAGERBEE backdoor modules, revealing a possible connection to the CoughingDown APT actor.| securelist.com
Introduction On April 29, 2024, XLab's Cyber Threat Insight and Analysis System(CTIA) detected anomalous activity: IP 172.247.127.210 was distributing an ELF-based Winnti backdoor. Further investigation revealed the same IP had, on December 20, 2023, distributed a zero-detection malicious PHP file, init_task.txt, providing a key| 奇安信 X 实验室
简介 2024年4月29日,XLab 大网威胁感知系统捕获一起异常活动:IP 172.247.127.210 正在传播 ELF 版本的 winnti 后门木马。APT 相关告警的出现迅速引起了我们的注意。进一步溯源发现,该 IP 曾于2023年12月20日传播一个VirusTotal 0检测的恶意PHP文件init_task.txt ,这一线索为我们后续的调查提供了重要切入点。 以 init_task 为线索,我们进一步发现了一系列关联的恶意 PHP payload,包括 task_loade...| 奇安信 X 实验室
Background On July 27, 2024, XLab's Cyber Threat Insight and Analysis System(CTIA) detected an ELF file named pskt from IP address 45.92.156.166. Currently undetected on VirusTotal, the file triggered two alerts: an Overlay section and a communication domain mimicking Microsoft. Our analysis identified it as a| 奇安信 X 实验室
简介 2024年7月27日,XLab的大网威胁感知系统检测到 IP 地址 45.92.156.166 正在传播一个名为pskt的ELF 文件,它在 VirusTotal 上尚无检测。该样本触发了两条告警:文件存在 Overlay 区段,且通信域名疑似模仿微软。经过分析,我们确认这是一个专门针对 Red Hat Enterprise Linux (RHEL) 7.9 的 Melofee 后门木马变种。 Melofee 是一个用 C++ 编写的后门木马,支持信息收集、进程管理、文件操作和 SHEL...| 奇安信 X 实验室
When Julian Andres Klode and I added initial Zstandard compression support to Ubuntu’s APT and dpkg in Ubuntu 18.04 LTS we planned getting the changes accepted to Debian quickly and making Ubuntu 18.10 the first release where the new compression could speed up package installations and upgrades. Well, it took slightly longer than that. Since […]| Obsessed with reality
Terraform has now been open-source and forked with the OpenTofu project. The ‘tofu’ binary is a drop-in replacement for terraform, and this article will show you how to install on Debian/Ubuntu. After installation, we will then use the Debian/Ubuntu Alternatives concept to supersede existing calls to ‘terraform’ to instead invoke ‘tofu’. Setup OpenTofu apt repository ... OpenTofu: installing OpenTofu on Debian/Ubuntu| Fabian Lee : Software Engineer
Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.”| Cisco Talos Blog
ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.| Cisco Talos Blog
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.| Cisco Talos Blog
My effort to improve transparency and confidence of public apt archives continues. I started to work on this in “Apt Archive Transparency” in which I mention the debdistget project in passing. Debdistget is responsible for mirroring index files for some Continue reading Apt archive mirrors in Git-LFS→| Simon Josefsson's blog
I’ve always found the operation of apt software package repositories to be a mystery. There appears to be a lack of transparency into which people have access to important apt package repositories out there, how the automatic non-human update mechanism Continue reading Apt Archive Transparency: debdistdiff & apt-canary→| Simon Josefsson's blog
Key Points Introduction In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is […] The post From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams appeared first on Avast Threat ...| Avast Threat Labs
Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”| Cisco Talos Blog
If apt update throws warnings about invalid signature verification and NO_PUBKEY, you may need to migrate from using the deprecated system keyring to using a ‘signed-by’ attribute in your apt repo definition file. Here are examples of errors you might see when doing an ‘apt update’. W: An error occurred during the signature verification. The ... Ubuntu: fixing apt NO_PUBKEY errors by converting deprecated keyring to signed-by attribute| fabianlee.org
If you have warning messages coming from apt about an invalid signature verification and EXPKEYSIG, then it is likely that a signing key for one of the remote apt repo has expired. Below is an example coming from an expired podman package at the “download.opensuse.org” repo. W: An error occurred during the signature verification. The ... Ubuntu: fixing apt invalid signature warnings| fabianlee.org
Ugrupowanie Lazarus nadal żeruje na kryptowalutach: cyberprzestępcy dystrybuują portfele DeFi z wbudowanym backdoorem.| Oficjalny blog Kaspersky
Table of Contents Background The IntructionsCreate An Apt Entry Add the Keyring and Install The apt-key SolutionThe Start of the Solution Getting the GPG File Now Back to Setting it Up Update and Install And Now, Another Problem What Have We Learned Today Children? Links Collected Background I have an old eeePC netbook that I thought I'd revive by loading Sparky Linux onto it. One of the things I set up on it is apt-fast, which the README on the github repository describes like this: apt-fast...| The Cloistered Monkey
If you ever used Process Monitor to track activity of a process, you might have encountered the following pattern: The image above is a snippet from events captured by Process Monitor during the execution of x32dbg.exe on Windows 7. DNSAPI.DLL and IPHLPPAPI.DLL are persisted in the System directory, so you might question yourself: Why would …The DLL Search Order And Hijacking It Read More »| Malware and Stuff
In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects.| securelist.com
Brief notes on my switch from approx to apt-cacher-ng| Random Ramblings
The bookworm-frehi Debian package repository contains newer packages for AppArmor and libapache2-mod-qos fixing some bugs in Debian 12 Bookworm.| Frederik Himpe
Click here to learn more about the Apt Candied Fruits (or fruits confits d'Apt), delicious fruits candied in sugar syrup from Apt, Provence.| French Moments
Advanced persistent threats are highly sophisticated and targeted cyber attacks that can have far-reaching consequences for organizations and individuals| WeSecureApp :: Securing Offensively
This article sheds light on one of the infrastructure clusters employed by Lycantrox, potentially to compromise their targets.| Sekoia.io Blog
