Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 that masquerades as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
Password managers are widely used as browser extensions to simplify website authentication. In this research, I tested 11 password managers using a new technique.
The following password managers were listed there:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm …
https://marektoth.com/blog/dom-based-extension-clickjacking/
I described a new attack technique that I used against 11 password managers. The result was that stored data of tens of millions of users could be at risk.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
QuirkyLoader - A new malware loader delivering infostealers and RATs
https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
Watch out! There’s a new malware loader spreading additional infection to already compromised systems. Read more about QuirkyLoader and what IBM X-Force has learned about it.
COOKIE SPIDER’s SHAMOS Delivery on macOS
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
Between June and August 2025, the CrowdStrike Falcon platform successfully blocked a COOKIE SPIDER malware campaign. Learn more.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen
Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe; it’s continuously watching you:
https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen
Android Droppers: The Silent Gatekeepers of Malware
Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used by families like banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and later request powerful permissions (such as Accessibility Services) upon installing the payload, without drawing attention:
https://www.threatfabric.com/blogs/android-droppers-the-silent-gatekeepers-of-malware
Hook Version 3: The Banking Trojan with The Most Advanced Capabilities
The Hook Android banking trojan now features some of the most advanced capabilities we’ve seen to date. This version introduces:
- Ransomware-style overlays that display extortion messages
- Fake NFC overlays to trick victims into sharing sensitive data
- Lockscreen bypass via deceptive PIN and pattern prompts
- Transparent overlays to silently capture user gestures
- Stealthy screen-streaming sessions for real-time monitoring
https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
Loophole allows threat actors to claim VS Code extension names
https://www.reversinglabs.com/blog/malware-vs-code-extension-names
RL has discovered a loophole on VS Code Marketplace that allows threat actors to reuse legitimate, removed package names for malicious purposes.
Like PuTTY in Admin’s Hands
Weaponized PuTTY distributed through Bing:
https://levelblue.com/blogs/security-essentials/like-putty-in-admins-hands
Co-author: special thanks to Nikki Stanziale for their invaluable contributions to the research, insights, and development of this blog. While not listed as a primary author, their expertise and collaboration were instrumental in shaping the final content.…
Forwarded from Yevgeniy Goncharov
🦄 Open SysConf'25: interesting facts about the talks
What makes it unique is not only that the talks are first-hand accounts, but also that this success was achieved by the speakers' own efforts.
- Zhaslan, author of one of the talks: the story of deploying two AI startups (dapmeet.kz, marbix.io). This is a chance to ask questions directly to the author of these services.
- Denis, an experienced systems architect and teacher of fundamentals: Software architecture for system administrators. What software architecture is; principles, patterns and styles. Monolith and microservices. Representing architecture (C4), architecture as code.
For me personally, this will be a unique opportunity to learn, ask questions, and take useful information on board.
Are you going to keep slacking off, or is it finally time to learn something new?
October 4, Almaty, Smart Point. Admission is free.
https://sysconf.io/2025
The largest hacker conference in Central Asia is coming back to Almaty🔥
📆 September 17–19, KazHackStan 2025 will take place at Sadu Arena.
This year’s theme — Zero Day: “A vulnerability doesn’t wait. It appears. And it changes everything.”
The program includes:
- 10,000 participants from across the region,
- top speakers and workshops,
- the legendary CyberKumbez competition.
Organizers: TSARKA Group
Co-organizers: The Committee on Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry (CIS MDDIAI RK).
Registration is available at kazhackstan.com.
AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps
https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation.
The Rise of RatOn: From NFC heists to remote control and ATS
https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats
This new research by ThreatFabric exposes RatOn, a new banking trojan with powerful capabilities.
How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
https://www.huntress.com/blog/rare-look-inside-attacker-operation
An attacker installed Huntress onto their operating machine, giving us a detailed look at how they’re using AI to build workflows, searching for tools like Evilginx, and researching targets like software development companies.
VMScape: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments
https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/
Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/
Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware/
LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.
SystemBC – Bringing The Noise
The “SystemBC” botnet is a network composed of over 80 C2s with a daily average of 1,500 victims, nearly 80% of which are compromised VPS systems from several large commercial providers:
https://blog.lumen.com/systembc-bringing-the-noise/
Understand how the SystemBC botnet utilizes VPS networks to create powerful proxies for criminal threat groups and malicious activities.
Forwarded from Yevgeniy Goncharov
🚀 Open SysConf'25 → Starts in a week! There will be a livestream!
October 4 is already next week! We are ready and in the right mood; provided there is a good Internet connection at the venue, there will be a livestream with 90%+ probability!
Talks, preliminary order:
- Monitoring: how not to drown in it.
- Using MCP and LLMs for malware analysis.
- How to launch two AI startups in a month and not lose your mind.
- The "question with an asterisk" from job interviews: analysis and approaches.
- A story about macOS malware: from "secure by default" to real threats to cryptography and the kernel.
- Software architecture for sysadmins: monolith, microservices, C4, principles and styles.
- DNS chains, using macOS malware as an example.
See you in a week!
All the details are here: https://sysconf.io/2025
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
The God Mode Vulnerability That Should Kill “Trust Microsoft” Forever
https://tide.org/blog/god-mode-vulnerability-microsoft-authorityless-security
How One Token Could Have Compromised Every Microsoft Entra ID Tenant on Earth, And Why It’s Time for Authorityless Security. Recently, security researcher Dirk-Ja…
Phishing attacks with new domains likely to continue
Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues.
In short, there's a new phishing campaign targeting PyPI users occurring right now:
https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
A new phishing campaign targeting PyPI users using similar tactics to previous campaigns.