Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools
Trojanized PuTTY and WinSCP targeting users...
https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
PyPi Incident Report: Phishing Attack
- 4 user accounts were successfully phished
- 2 API Tokens were generated by the attackers
- 2 releases of the num2words project were uploaded by the attacker
https://blog.pypi.org/posts/2025-07-31-incident-report-phishing-attack/
blog.pypi.org
PyPI Phishing Attack: Incident Report - The Python Package Index Blog
Follow-up on the recent phishing attack targeting PyPI users.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Arch Infected AUR packages - firefox, zen-browser, chrome
Just ten days after a previous incident, malware with a Remote Access Trojan has once again been discovered in Arch Linux AUR packages.
https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/
Linuxiac
Arch AUR Under Fire Once More as Malware Resurfaces
RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
www.genians.co.kr
RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
A new RoKRAT variant used by APT37 was found hiding malware in image files via steganography and using two-layer encrypted shellcode to evade analysis.
MCP Horror Stories: The Security Issues Threatening AI Infrastructure
https://www.docker.com/blog/mcp-security-issues-threatening-ai-infrastructure/
Docker
MCP Security Issues Threatening AI Infrastructure | Docker
Learn about critical MCP security issues, their real-world horror stories, and how to best mitigate these rising vulnerabilities.
AWS deleted 10-year account and all data without warning
https://www.seuros.com/blog/aws-deleted-my-10-year-account-without-warning/
History of restoring:
https://www.seuros.com/blog/aws-restored-account-plot-twist/
Seuros Blog
AWS deleted my 10-year account and all data without warning
After 10 years as an AWS customer and open-source contributor, they deleted my account and all data with zero warning. Here's how AWS's 'verification' process became a digital execution, and why you should never trust cloud providers with your only copy of…
New Streamlit Vulnerability Enables Cloud Account Takeover Attack and Stock Market Dashboard Tampering
https://www.catonetworks.com/blog/cato-ctrl-new-streamlit-vulnerability/
Cato Networks
Cato CTRL™ Threat Research: New Streamlit Vulnerability Enables Cloud Account Takeover Attack and Stock Market Dashboard Tampering
Cato CTRL found a Streamlit flaw allowing attackers to bypass file checks, take over cloud instances, and access or alter stock data.
AWS Community Day 2025 Almaty: Talks
Topics from the first batch of talks, gathered in one place:
• Building AI Agent on the AWS Bedrock Platform. Тельман И. (Tele2/Altel)
• Building Production GenAI: MCP and Multi-Agent Systems. Виктор В. (AWS)
• MVP with AWS Serverless by a Real Example. Виталий К. (ITS, Signify)
• Building production ready agents with Amazon Bedrock. Дазик А. (AWS)
• Hybrid cloud + AI infrastructure: a platform for ML/GenAI services. Максим Г. (БЦК)
• Improve auction house search with vector capabilities: Bedrock or SageMaker Serverless. Михаил Ч. (ACTUM Digital)
📍 22-23 August, Almaty, details: community-day.awsug.kz
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
A way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
www.sweet.security
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
The Cost of a Call: From Voice Phishing to Data Extortion
Google Data Breach
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google Cloud Blog
The Cost of a Call: From Voice Phishing to Data Extortion | Google Cloud Blog
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.
📌 AWS Community Day Almaty: Talks Announced (part two)
Talks on 22 August 2025:
• Hybrid cloud + AI infrastructure: a secured platform for ML/GenAI services
• Hybrid cloud, Kazakh style: the experience of Freedom Cloud and AWS Outposts
• Centras Rankings: analytics and ML on AWS, from raw data to business insights
• Building AI Agent on the AWS Bedrock Platform
• On 23 August there will be a GameDay: a team simulation of real production incidents, when "something went wrong" and you have to make a decision and restore the system
📍 22-23 August, Almaty, details: community-day.awsug.kz
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
Malwarebytes
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
We found a host of blogspot pages involved in a malware campaign to promote their own content by using a LikeJack Trojan.
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
Unit 42
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
A Comprehensive Analysis of HijackLoader and Its Infection Chain
Software repacks - bypass uBlock, Windows Defender...
https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/
Trellix
A Comprehensive Analysis of HijackLoader and its Infection Chain
HijackLoader, a stealthy loader which delivers a wide variety of payloads, has been found to be spreading using fake download links on various piracy websites as well as SEO poisoning using legitimate websites. In some cases, the malicious domains were not…
Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
Password managers are widely used as browser extensions to simplify website authentication. In this research, I tested 11 password managers using a new technique.
The following password managers were listed there:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm...
https://marektoth.com/blog/dom-based-extension-clickjacking/
Marektoth
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
I described a new attack technique that I used against 11 password managers. The result was that stored data of tens of millions of users could be at risk.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
QuirkyLoader - A new malware loader delivering infostealers and RATs
https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
Ibm
IBM X-Force Threat Analysis: QuirkyLoader - A new malware loader delivering infostealers and RATs | IBM
Watch out! There’s a new malware loader spreading additional infection to already compromised systems. Read more about QuirkyLoader and what IBM X-Force has learned about it.
COOKIE SPIDER’s SHAMOS Delivery on macOS
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
CrowdStrike.com
Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS | CrowdStrike
Between June and August 2025, the CrowdStrike Falcon platform successfully blocked a COOKIE SPIDER malware campaign. Learn more.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen
Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it's in your browser, it's not working to keep you safe; it's continuously watching you:
https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen
www.koi.ai
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen | Koi Blog
Android Droppers: The Silent Gatekeepers of Malware
Droppers have long been a cornerstone of Android malware campaigns. They're small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used in families like banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and later request powerful permissions (such as Accessibility Services) upon installing the payload, without drawing attention:
https://www.threatfabric.com/blogs/android-droppers-the-silent-gatekeepers-of-malware
ThreatFabric
Android Droppers: The Silent Gatekeepers of Malware
In our latest research we describe how droppers on Android are the silent malware gate keepers.
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities
The Hook Android banking trojan now features some of the most advanced capabilities we've seen to date. This version introduces:
- Ransomware-style overlays that display extortion messages
- Fake NFC overlays to trick victims into sharing sensitive data
- Lockscreen bypass via deceptive PIN and pattern prompts
- Transparent overlays to silently capture user gestures
- Stealthy screen-streaming sessions for real-time monitoring
https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
Zimperium
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities