@malwhere.bsky.social
APT Insights. Tracking Cyber-Espionage Threats. Uncovering the Dark Side of the Digital World. Latest Threat Analysis & Updates
(3/3)
Attackers installed Zoho Assist, AnyDesk, PuTTY, and Plink for remote access and lateral movement.
Patched in Triofox v16.7.10368.56560; update to v16.10.10408.56683 and review antivirus settings + admin accounts for abuse.
(2/3)
The threat group UNC6485 used the flaw to access setup pages, create a fake admin account "Cluster Admin," and weaponize the antivirus feature to run malicious scripts, gaining full system control and fetching payloads via PowerShell.
(1/3)
🚨 Hackers exploited a critical flaw in Gladinet's Triofox (#CVE202512480), using the built-in antivirus feature for remote code execution with SYSTEM privileges. The auth bypass was caused by spoofing "localhost" in HTTP headers. #CyberSecurity #Infosec #RCE #Triofox
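The header-spoofing class of bug this thread describes, as an added illustration that is not Gladinet's code and not taken from any advisory: a setup page gated on "is this request from localhost?". The vulnerable check believes a client-controlled header (the post does not name which header Triofox consulted; `Host` here is an assumption), the hardened check uses only the TCP peer address, and a third variant shows the one safe way to honor `X-Forwarded-For` behind a trusted reverse proxy. The page name, proxy addresses and requests are constructed.

```python
# Illustrative only: a setup page gated on "is this request from localhost?".
# The vulnerable check trusts a client-controlled header; the hardened checks use
# the TCP peer address. Header name and page name are assumptions, not Triofox's code.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    peer_ip: str                                  # source address of the TCP connection
    headers: dict = field(default_factory=dict)   # headers exactly as the client sent them


def is_local_vulnerable(req: Request) -> bool:
    """Weak check: believes the Host header, which any remote client can set."""
    host = req.headers.get("Host", "").split(":")[0].strip().lower()
    return host in ("localhost", "127.0.0.1")


def is_local_hardened(req: Request) -> bool:
    """Correct check: only the socket's peer address decides; headers are ignored."""
    try:
        return ipaddress.ip_address(req.peer_ip).is_loopback
    except ValueError:
        return False


def is_local_behind_proxy(req: Request, trusted_proxies: set) -> bool:
    """Variant for a server behind a reverse proxy: X-Forwarded-For is believed only
    when the direct peer is a trusted proxy, and then only its right-most entry,
    the one that proxy appended. Anything the client prepended is ignored."""
    try:
        peer = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False
    if peer.is_loopback:
        return True
    if peer not in trusted_proxies:
        return False
    xff = req.headers.get("X-Forwarded-For", "")
    if not xff:
        return False
    try:
        return ipaddress.ip_address(xff.split(",")[-1].strip()).is_loopback
    except ValueError:
        return False


def setup_page_allowed(req: Request, check) -> bool:
    """Gate for a hypothetical setup page, parameterised on the localhost check."""
    return check(req)


# Constructed requests (not captured traffic).
REMOTE_SPOOF = Request("203.0.113.7", {"Host": "localhost"})
REMOTE_XFF = Request("203.0.113.7", {"Host": "files.example", "X-Forwarded-For": "127.0.0.1"})
REAL_LOCAL = Request("127.0.0.1", {"Host": "localhost"})
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
VIA_PROXY = Request("10.0.0.2", {"X-Forwarded-For": "127.0.0.1"})
VIA_PROXY_SPOOF = Request("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"})

if __name__ == "__main__":
    for label, req in [("remote, Host spoofed", REMOTE_SPOOF), ("genuine loopback", REAL_LOCAL)]:
        print(f"{label}: vulnerable={setup_page_allowed(req, is_local_vulnerable)} "
              f"hardened={setup_page_allowed(req, is_local_hardened)}")
```

The remote request with a spoofed `Host: localhost` passes the weak gate and fails the hardened one; the proxy-aware variant rejects a forwarded chain the client padded with `127.0.0.1` because it reads only the entry the trusted proxy appended.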
This 2025 campaign shows major escalation: 40+ code-signing certs used, 200+ revoked by Microsoft. The gang also pushes Latrodectus malware via similar tactics. Rhysida's malvertising ops are growing bolder & more dangerous.
#APT #Rhysida #OysterLoader #CyberThreat
How it works: Rhysida buys search ads on Bing, leading users to fake download sites that mimic legit software pages. Clicking downloads OysterLoader, a stealthy first-stage loader giving attackers long-term system access.
#ThreatIntel #CyberAttack #Malvertising
A new wave of malvertising is putting millions at risk. Since June 2025, the Rhysida ransomware gang has been using fake ads for popular tools like PuTTY, Teams & Zoom to spread the OysterLoader malware, hitting users & orgs with precision.
#CyberSecurity #Malware #Ransomware #Infosec
The campaigns enable credential theft, cloud compromise, and extensive data exfiltration across both platforms. Kaspersky notes BlueNoroff's growing use of generative AI to enhance malware development and streamline operations.
#CyberSecurity #LazarusGroup #ThreatIntel
GhostCall uses fake Zoom or Teams meeting links that push malicious SDK "updates," infecting macOS and Windows systems. GhostHire delivers malware through booby-trapped GitHub coding tests sent to developers, executing payloads like DownTroy, RooTroy, and CosmicDoor.
30.10.2025 11:26
GhostCall & GhostHire: two ongoing campaigns tied to North Korea's Lazarus sub-cluster BlueNoroff, part of the long-running SnatchCrypto operation. They target Web3 and blockchain professionals via Telegram lures posing as investors or recruiters.
#CyberEspionage #APT38 #Web3Threats
3/3
Researchers warn Transparent Tribe is expanding cross-platform espionage ops alongside Bitter, SideWinder, and OceanLotus, marking an escalating South Asian cyber arms race. #CyberSecurity #APT #ThreatIntel
2/3
DeskRAT hits BOSS Linux, using systemd, cron, and bashrc persistence to steal files, drop payloads, and execute commands over WebSockets. Windows variants called StealthServer share its code and methods. #LinuxSecurity #ThreatIntel #Infosec
1/3
🚨 Pakistan-linked Transparent Tribe (APT36) is targeting Indian gov't entities with phishing lures delivering DeskRAT, a Golang-based backdoor. Malicious ZIPs deploy fake "CDS Directive" PDFs to hide infection activity. #APT36 #CyberEspionage #DeskRAT
Analysts say ColdRiver refined its chains, encrypting payloads + hiding artifacts. Active Jun-Sept, campaigns hit Western govs, NGOs + journalists. Linked to Russia's FSB, Star Blizzard keeps adapting, a storm that won't fade. #CyberEspionage #Malware #GTIG
22.10.2025 10:14
After Google exposed LostKeys in May, Star Blizzard dumped it fast, retooling within days. Their Robot malware family evolved fast: NOROBOT builds persistence, while MAYBEROBOT (a PowerShell backdoor) steals data + executes commands. #ThreatIntel #Infosec
22.10.2025 10:14
Russian state-backed hackers Star Blizzard (aka #ColdRiver / Callisto / UNC4057) have ramped up ops, unleashing new malware (NOROBOT, YESROBOT, MAYBEROBOT) via ClickFix CAPTCHA-style lures. Victims think they're proving they're human, but end up running code. #CyberSecurity #APT
22.10.2025 10:14
(3/3)
The August 2025 update added victim profiling, letting attackers filter and sell stolen data by value.
Experts call OtterCandy a glimpse of the future โ decentralized, intelligent malware built on trusted web frameworks.
#InfoSec #CyberThreats #Malware #WaterPlumClusterB
(2/3)
Unlike typical malware, OtterCandy uses Socket.IO servers to maintain encrypted, real-time C2 connections โ hiding in normal web traffic.
Its modular design and cross-OS compatibility mark it as a new generation of stealthy, adaptable cyberweapons.
🚨 OtterCandy, a new cross-platform malware from the WaterPlum Cluster B threat group, is turning heads across the cybersecurity world.
It infiltrates Windows, macOS, and Linux, stealing browser data, crypto wallets, and sensitive files with surgical precision.
#CyberSecurity #ThreatIntel #OtterCandy
The attackers then installed SoftEther VPN to maintain persistence and move laterally across internal systems.
Researchers say Flax Typhoonโs use of legitimate software like ArcGIS shows a growing trend in โliving off the landโ espionage tactics.
#InfoSec #CyberEspionage
Using stolen admin credentials, the hackers uploaded a malicious Java extension (SOE) that took encoded commands through the ArcGIS REST API โ disguised as normal activity. A secret key ensured only they could access the hidden backdoor.
14.10.2025 13:00
🚨 A suspected Chinese state-backed hacking group, likely Flax Typhoon, remained hidden in a target's network for over a year by turning a component of Esri's ArcGIS mapping tool into a stealthy web shell.
#CyberSecurity #ThreatIntel #APT #China #FlaxTyphoon
🚨 Threat group Storm-2603 (aka Gold Salem) is exploiting the open-source DFIR tool Velociraptor in ransomware attacks using strains like Warlock and LockBit.
Attackers use it for recon, lateral movement, and data theft, blending in with legitimate activity.
#CyberSecurity #ThreatIntel
Victims get ransom notes via AWS's own email service (SES).
Crimson Collective has teamed up with Scattered Lapsus$ Hunters to boost extortion pressure.
AWS urges use of short-term creds, least-privilege IAM, and secret monitoring.
#InfoSec #CloudAttacks #Hacking #CrimsonCollective
According to Rapid7, the group compromises long-term AWS keys and IAM accounts to gain admin-level control.
They use TruffleHog to find exposed credentials, create new privileged IAM users, and exfiltrate data from RDS, EBS, and S3 via API calls, all from within AWS.
Threat group Crimson Collective has been targeting AWS cloud environments to steal data and extort companies.
They've claimed responsibility for the Red Hat breach, saying they exfiltrated 570GB from thousands of private GitLab repos, and demanded ransom.
#CyberSecurity #ThreatIntel #Ransomware
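A detection pass for the sequence this thread describes (a long-term key creating new privileged IAM users, which then pull data from RDS, EBS and S3), as an added example that is neither Rapid7's nor AWS's tooling. It assumes CloudTrail's documented field names (`eventName`, `eventTime`, `userIdentity.accessKeyId`, `responseElements.user.userName`) and the documented key prefixes (long-term IAM keys start `AKIA`, STS temporary keys start `ASIA`); the watch-lists of API calls and the 24-hour window are assumptions, and the records are constructed, not real logs.

```python
# Added detection example: flag the sequence described above in CloudTrail management
# events. Field names (eventName, eventTime, userIdentity.accessKeyId,
# responseElements.user.userName) are CloudTrail's; the event lists and the window are
# assumptions for the example, and the records below are constructed, not real logs.
from datetime import datetime, timedelta

# IAM calls that create a principal or raise its privileges.
PRIV_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
# Calls that stage or read data out of RDS, EBS and S3 (assumed watch-list).
DATA_EVENTS = {"CreateDBSnapshot", "ModifyDBSnapshotAttribute", "StartExportTask",
               "CreateSnapshot", "ModifySnapshotAttribute", "ListBuckets", "GetObject"}
WINDOW = timedelta(hours=24)   # how soon after creation a new user's data access is suspicious


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_long_term_key(ev: dict) -> bool:
    # Long-term IAM access keys are prefixed AKIA; STS temporary keys are prefixed ASIA.
    return ev.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")


def actor_of(ev: dict) -> str:
    ui = ev.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn", "unknown")


def analyze(events: list) -> list:
    """Return (rule, actor, eventName, time) findings, oldest first."""
    findings = []
    created = {}   # userName of a freshly created IAM user -> creation time
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        name, t, actor = ev["eventName"], parse_time(ev["eventTime"]), actor_of(ev)
        # Rule 1: privilege creation authenticated with a long-term key.
        if name in PRIV_EVENTS and is_long_term_key(ev):
            findings.append(("LONG_TERM_KEY_PRIV_CHANGE", actor, name, t))
        if name == "CreateUser":
            new_user = ev.get("responseElements", {}).get("user", {}).get("userName")
            if new_user:
                created[new_user] = t
        # Rule 2: a just-created user touching data services inside the window.
        if name in DATA_EVENTS and actor in created and t - created[actor] <= WINDOW:
            findings.append(("NEW_USER_DATA_ACCESS", actor, name, t))
    return findings


def make_event(time, name, actor, key_id, **extra) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    ev = {"eventTime": time, "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": actor, "accessKeyId": key_id}}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    # benign: a CI principal using a temporary STS key
    make_event("2025-10-01T10:00:00Z", "DescribeInstances", "ci-deploy", "ASIAEXAMPLE000000001"),
    # an existing admin's long-term key creates and elevates a new user
    make_event("2025-10-01T10:05:00Z", "CreateUser", "ops-admin", "AKIAEXAMPLE000000001",
               responseElements={"user": {"userName": "svc-backup"}}),
    make_event("2025-10-01T10:06:00Z", "AttachUserPolicy", "ops-admin", "AKIAEXAMPLE000000001",
               requestParameters={"userName": "svc-backup",
                                  "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    make_event("2025-10-01T10:07:00Z", "CreateAccessKey", "ops-admin", "AKIAEXAMPLE000000001",
               requestParameters={"userName": "svc-backup"}),
    # the new user immediately goes after RDS and S3
    make_event("2025-10-01T10:20:00Z", "ModifyDBSnapshotAttribute", "svc-backup", "AKIAEXAMPLE000000002"),
    make_event("2025-10-01T10:25:00Z", "ListBuckets", "svc-backup", "AKIAEXAMPLE000000002"),
]


def run_sample() -> list:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, actor, name, t in run_sample():
        print(f"{t:%Y-%m-%d %H:%M}Z  {rule:26} {actor:12} {name}")
```

On the constructed records the pass yields three rule-1 findings (the admin's `AKIA` key creating and elevating `svc-backup`) followed by two rule-2 findings (the new user's RDS and S3 calls 15 and 20 minutes later). Rule 1 on its own is the cheap signal that lines up with AWS's advice in the thread: if long-term keys are not used for IAM changes, any `AKIA`-authenticated `CreateUser` is worth a look.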
Attackers used the zero-day to gain admin access, drop RMM tools (SimpleHelp, MeshAgent) & move laterally before exfiltrating data via Cloudflare tunnels. CISA says patch now or disconnect by Oct 20; unpatched systems risk full compromise.
08.10.2025 08:33
🚨 Microsoft warns affiliates of the Medusa ransomware RaaS are exploiting a critical GoAnywhere MFT flaw (CVE-2025-10035) to deploy crypto-locking malware. The bug allows command injection via forged license signatures. #ransomware #Medusa #infosec #CVE202510035 #GoAnywhere
08.10.2025 08:33
Analysts warn ransomware actors are shifting from banks to luxury & retail, exploiting weak defenses in high-profile brands. As groups monetize stolen data through resale & leaks, the luxury sector faces mounting risk to reputation & customer trust.
06.10.2025 08:42
Luxury retailers like CHRIST hold high-value data (financials, client info & private purchases), making them prime extortion targets. WorldLeaks often leaks stolen data if ransoms go unpaid, weaponizing reputation damage to pressure payment.
06.10.2025 08:42
🚨 CHRIST Juweliere has been added to the victim list of the WorldLeaks ransomware group, per ThreatMon intel. The breach follows ASICS' hack by ShinyHunters, marking a surge in dark web attacks on global retail. #cyberattack #ransomware #WorldLeaks #infosec
06.10.2025 08:42