ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
A way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
A way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
www.sweet.security
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
The Cost of a Call: From Voice Phishing to Data Extortion
Google Data Breach
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google Data Breach
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google Cloud Blog
The Cost of a Call: From Voice Phishing to Data Extortion | Google Cloud Blog
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.
📌 AWS Community Day Almaty — Известны Доклады (вторая часть)
Доклады на 22 августа 2025:
• Гибридное облако+AI-инфраструктура: защищённая платформа для ML/GenAI-сервисов
• Гибридное облако по-казахски: опыт Freedom Cloud и AWS Outposts
• Centras Rankings: аналитика и ML на базе AWS: от сырых данных к бизнес-инсайтам
• Building AI Agent on the AWS Bedrock Platform
• 23 августа будет GameDay - командная симуляция реальных проблем в продакшне, когда "что-то пошло не так” и нужно принять решение и восстановить систему
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
Доклады на 22 августа 2025:
• Гибридное облако+AI-инфраструктура: защищённая платформа для ML/GenAI-сервисов
• Гибридное облако по-казахски: опыт Freedom Cloud и AWS Outposts
• Centras Rankings: аналитика и ML на базе AWS: от сырых данных к бизнес-инсайтам
• Building AI Agent on the AWS Bedrock Platform
• 23 августа будет GameDay - командная симуляция реальных проблем в продакшне, когда "что-то пошло не так” и нужно принять решение и восстановить систему
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
Malwarebytes
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
We found a host of blogspot pages involved in a malware campaign to promote their own content by using a LikeJack Trojan.
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
Unit 42
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
A Comprehensive Analysis of HijackLoader and Its Infection Chain
Software repacks - bypass uBlock, Windows Defender...
https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/
Software repacks - bypass uBlock, Windows Defender...
https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/
Trellix
A Comprehensive Analysis of HijackLoader and its Infection Chain
HijackLoader, a stealthy loader which delivers a wide variety of payloads, has been found to be spreading using fake download links on various piracy websites as well as SEO poisoning using legitimate websites. In some cases, the malicious domains were not…
Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced..:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced..:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
Password managers are widely used as browser extensions to simplify website authentication. In this research, I tested 11 password managers using a new technique.
The following password managers were listed there:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm..:
https://marektoth.com/blog/dom-based-extension-clickjacking/
Password managers are widely used as browser extensions to simplify website authentication. In this research, I tested 11 password managers using a new technique.
The following password managers were listed there:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm..:
https://marektoth.com/blog/dom-based-extension-clickjacking/
Marektoth
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
I described a new attack technique that I used against 11 password managers. The result was that stored data of tens of millions of users could be at risk.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
QuirkyLoader - A new malware loader delivering infostealers and RATs
https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
Ibm
IBM X-Force Threat Analysis: QuirkyLoader - A new malware loader delivering infostealers and RATs | IBM
Watch out! There’s a new malware loader spreading additional infection to already compromised systems. Read more about QuirkyLoader and what IBM X-Force has learned about it.
COOKIE SPIDER’s SHAMOS Delivery on macOS
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
CrowdStrike.com
Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS | CrowdStrike
Between June and August 2025, the CrowdStrike Falcon platform successfully blocked a COOKIE SPIDER malware campaign. Learn more.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen
Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you..:
https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen
Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you..:
https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen
www.koi.ai
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen | Koi Blog
Android Droppers: The Silent Gatekeepers of Malware
Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used in families like banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and later request powerful permissions (such as Accessibility Services) upon installing payload, without drawing attention..:
https://www.threatfabric.com/blogs/android-droppers-the-silent-gatekeepers-of-malware
Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used in families like banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and later request powerful permissions (such as Accessibility Services) upon installing payload, without drawing attention..:
https://www.threatfabric.com/blogs/android-droppers-the-silent-gatekeepers-of-malware
ThreatFabric
Android Droppers: The Silent Gatekeepers of Malware
In our latest research we describe how droppers on Android are the silent malware gate keepers.
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities
Hook Android banking trojan, now featuring some of the most advanced capabilities we’ve seen to date. This version introduces:
- Ransomware-style overlays that display extortion messages
- Fake NFC overlays to trick victims into sharing sensitive data
- Lockscreen bypass via deceptive PIN and pattern prompts
- Transparent overlays to silently capture user gestures
- Stealthy screen-streaming sessions for real-time monitoring
https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
Hook Android banking trojan, now featuring some of the most advanced capabilities we’ve seen to date. This version introduces:
- Ransomware-style overlays that display extortion messages
- Fake NFC overlays to trick victims into sharing sensitive data
- Lockscreen bypass via deceptive PIN and pattern prompts
- Transparent overlays to silently capture user gestures
- Stealthy screen-streaming sessions for real-time monitoring
https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
Zimperium
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities
true
Loophole allows threat actors to claim VS Code extension names
https://www.reversinglabs.com/blog/malware-vs-code-extension-names
https://www.reversinglabs.com/blog/malware-vs-code-extension-names
ReversingLabs
Loophole allows threat actors to claim VS Code extension names | ReversingLabs
RL has discovered a loophole on VS Code Marketplace that allows threat actors to reuse legitimate, removed package names for malicious purposes.
Like PuTTY in Admin’s Hands
weaponized PuTTY distributed through Bing
https://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands
weaponized PuTTY distributed through Bing
https://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands
LevelBlue
Like PuTTY in Admin’s Hands
Co-author: special thanks to Nikki Stanziale for their invaluable contributions to the research, insights, and development of this blog. While not listed as a primary author, their expertise and collaboration were instrumental in shaping the final content.…
Forwarded from Yevgeniy Goncharov
🦄 Open SysConf'25 - Интересные факты по докладам
Уникальность не только в том, что доклады от первого лица, но и в том, что этот успех достигнут собственными силами.
- Жаслан, автор одного из докладов - История про деплои 2 стартапов в сфере ИИ (dapmeet.kz, marbix.io) это возможность задать вопросы напрямую автору этих сервисов.
- Денис, опытный системный архитектор, преподаватель матчасти - Архитектура ПО для системных администраторов. Что такие Архитектура ПО, принципы, паттерны и стили. Монолит и микросервисы. Представление архитектуры (C4), архитектура как код.
Лично для меня - это будет уникальный опыт узнать, спросить и "намотать на ус", полезную информацию.
Ты готов продолжать катать вату или уже наконец пришло время узнавать новое?
4 Октября, Алматы, Smart Point. Вход свободный.
https://sysconf.io/2025
Уникальность не только в том, что доклады от первого лица, но и в том, что этот успех достигнут собственными силами.
- Жаслан, автор одного из докладов - История про деплои 2 стартапов в сфере ИИ (dapmeet.kz, marbix.io) это возможность задать вопросы напрямую автору этих сервисов.
- Денис, опытный системный архитектор, преподаватель матчасти - Архитектура ПО для системных администраторов. Что такие Архитектура ПО, принципы, паттерны и стили. Монолит и микросервисы. Представление архитектуры (C4), архитектура как код.
Лично для меня - это будет уникальный опыт узнать, спросить и "намотать на ус", полезную информацию.
Ты готов продолжать катать вату или уже наконец пришло время узнавать новое?
4 Октября, Алматы, Smart Point. Вход свободный.
https://sysconf.io/2025
The largest hacker conference in Central Asia is coming back to Almaty🔥
📆 September 17–19, KazHackStan 2025 will take place at Sadu Arena.
This year’s theme — Zero Day: “A vulnerability doesn’t wait. It appears. And it changes everything.”
The program includes:
- 10,000 participants from across the region,
- top speakers and workshops,
- the legendary CyberKumbez competition.
Organizers: TSARKA Group
Co-organizers: The Committee on Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry (CIS MDDIAI RK).
Registration is available at kazhackstan.com.
📆 September 17–19, KazHackStan 2025 will take place at Sadu Arena.
This year’s theme — Zero Day: “A vulnerability doesn’t wait. It appears. And it changes everything.”
The program includes:
- 10,000 participants from across the region,
- top speakers and workshops,
- the legendary CyberKumbez competition.
Organizers: TSARKA Group
Co-organizers: The Committee on Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry (CIS MDDIAI RK).
Registration is available at kazhackstan.com.
AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps
https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
Trend Micro
An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via Cracked Apps
Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation.
The Rise of RatOn: From NFC heists to remote control and ATS
https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats
https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats
ThreatFabric
The Rise of RatOn: From NFC heists to remote control and ATS
This new research by ThreatFabric exposes RatOn, a new banking trojan with powerful capabilities.
How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
https://www.huntress.com/blog/rare-look-inside-attacker-operation
https://www.huntress.com/blog/rare-look-inside-attacker-operation
Huntress
An Attacker’s Blunder Gave Us a Look Into Their Operations | Huntress
An attacker installed Huntress onto their operating machine, giving us a detailed look at how they’re using AI to build workflows, searching for tools like Evilginx, and researching targets like software development companies.
VMScape: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments
https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/
https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/