#threatresearch — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #threatresearch, aggregated by home.social.
-
Tenable Research Advisories listed these two items yesterday.
- Microsoft Foundry Toolkit for VS Code: Command Injection via Python Interpreter Path Leading to Arbitrary Code Execution https://www.tenable.com/security/research/tra-2026-40 #Linux #macOS #Microsoft #Python
- CVE-2026-45398 - IDOR: Retrieval API Bypasses Knowledge Base Access Controls https://www.tenable.com/security/research/tra-2026-39 @tenable #infosec #vulnerability #threatresearch
-
New.
Any.Run: LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises https://any.run/cybersecurity-blog/agent-tesla-latam-enterprise/ @anyrun_app #malware #threatresearch #infosec #cybercrime
-
New.
Sophos: Why AMOS matters: The macOS malware stealing data at scale https://www.sophos.com/en-us/blog/why-amos-matters-the-macos-malware-stealing-data-at-scale @SophosXOps #infosec #macOS #Apple #malware #threatresearch
-
New.
"Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language."
Kaspersky: Kimsuky targets organizations with PebbleDash-based tools https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/ @Kaspersky #infosec #threatresearch #malware
-
New.
ESET: FrostyNeighbor: Fresh mischief and digital shenanigans https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/ @ESETresearch #infosec #threatresearch #cybercrime
-
New.
Picus: Mini Shai-Hulud: The npm Supply Chain Worm Explained https://www.picussecurity.com/resource/blog/mini-shai-hulud-the-npm-supply-chain-worm-explained
Rapid7: When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise/ @Rapid7Official
Published yesterday:
Sophos: Operating inside the lethal trifecta: Blast radius reduction in AI agent deployments https://www.sophos.com/en-us/blog/inside-the-lethal-trifecta-blast-radius-reduction-in-ai-agent-deployments @SophosXOps #infosec #threatresearch #npm #Teams #Microsoft #bot
-
https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised
#CyberSecurity #InfoSec #SupplyChainSecurity #SoftwareSupplyChain #NPM #OpenSourceSecurity #AppSec #DevSecOps #ThreatIntel #Malware #JavaScript #NodeJS #CICD #GitHubActions #CloudSecurity #TypeScript #ReactJS #WebDev #OpenSource #DevTools #SoftwareEngineering #DeveloperSecurity #SecureCoding #GitHub #SupplyChainAttack #Programming #TechNews #DevOps #ApplicationSecurity #ThreatResearch #SecurityEngineering #CyberAttack #Hackers #MalwareAlert #SecurityResearch #DevCommunity
-
New.
Cloudflare: When "idle" isn't idle: how a Linux kernel optimization became a QUIC bug https://blog.cloudflare.com/quic-death-spiral-fix/ #Cloudflare #Linux #infosec #threatresearch
-
New.
Orca: TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/ #infosec #databreach #TanStack #GitHub #threatresearch
-
New. There's a conspicuous absence of dates and specifics.
Microsoft: Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/ #Microsoft #infosec #threatresearch
-
New.
ReliaQuest: ClickFix Evolves with PySoxy Proxying https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying/
More:
Infosecurity-Magazine: Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence https://www.infosecurity-magazine.com/news/clickfix-combined-pysoxy-proxying/ #infosec #Clickfix #threatresearch
-
New.
Huntress: Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations @huntress #infosec #ransomware #threatresearch
-
New.
ThreatFabric: New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
More:
Infosecurity-Magazine: TrickMo Variant Routes Android Trojan Traffic Through TON https://www.infosecurity-magazine.com/news/trickmo-c-ton-network-android/ #infosec #Android #malware #threatresearch
-
New.
Kaspersky: CVE-2025-68670: discovering an RCE vulnerability in xrdp https://securelist.com/cve-2025-68670/119742/ @Kaspersky #infosec #threatresearch #vulnerability
-
ESET: Fake call logs, real payments: How CallPhantom tricks Android users https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/ @ESETresearch #infosec #Android #threatresearch #Scam
-
Posted yesterday, if you missed this:
Socket: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries @SocketSecurity #infosec #threatresearch #Windows
-
This research was published yesterday.
Dragos: AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT https://www.dragos.com/blog/ai-assisted-ics-attack-water-utility
More:
Infosecurity-Magazine: OpenAI and Anthropic LLMs Used in Critical Infrastructure Cyber-Attack, Warns Dragos https://www.infosecurity-magazine.com/news/llm-critical-infrastructure/ #infosec #OpenAi #Anthropic #LLM #cyberattack #threatresearch
-
New research shows 3 flaws dubbed #ClaudyDay in Claude AI could be chained to steal user data using fake Google Ads, hidden prompts, and built-in features.
Read: https://hackread.com/claudy-day-flaws-data-theft-fake-claude-ai-ads/
#CyberSecurity #AI #ClaudeAI #InfoSec #DataSecurity #ThreatResearch #Malware #Privacy
-
REMnux v8 represents a structural modernization of a long-standing malware analysis distribution.
Technical highlights:
• Migration to Ubuntu 24.04 (modern kernel + LTS support)
• Cast-based installer replacing legacy CLI deployment
• AI-assisted workflows via MCP server
• Integration support for Ghidra with AI plugins
Tooling refresh includes:
• YARA-X (Rust rewrite for performance improvements)
• GoReSym (symbol recovery for Go binaries)
• APKiD (Android packer detection)
• Manalyze (PE/ELF/MachO static parsing)
This release signals an industry shift toward AI-augmented reverse engineering pipelines.
Is AI-assisted RE the new baseline for threat labs?
Source: https://cyberpress.org/remnux-v8-released/
Engage below.
Follow @technadu for deep technical cybersecurity updates.
#ThreatResearch #MalwareAnalysis #ReverseEngineering #YARAX #GoBinary #DFIR #Infosec #AIinSecurity #BlueTeam #StaticAnalysis #OpenSourceSecurity #SOC #ThreatHunting
-
We’ve been tracking a cluster of RDGA‑generated domains involved in distributing fake app‑store landing pages. These domains are consistently registered through Namecheap and protected by Cloudflare, which the operators use to obscure origin infrastructure and rapidly cycle through fresh front‑end domains.
The sites impersonate Google Play or iTunes, based on their device’s user‑agent, presenting users with pages that look and feel legitimate. Instead of real apps, the pages deliver Progressive Web Applications (PWAs) that persist on the device and enable ongoing notification abuse.
PWAs are a Chrome application which plays cross-platform (Windows, Linux, Android, iOS) and gets added as an icon on the desktop of every device.
Once installed, the PWA triggers a redirection chain through one or more intermediary domains before sending users to online casinos, adult content, or other low‑quality destinations. Because many of these casinos operate from regions where online gambling is restricted or illegal, the operators continually replace the final‑stage domains. This use of RDGA and PWAs allows them to evade regional blocking, reputation systems, and automated detection controls by rotating infrastructure at scale and keeping their persistence to the user devices.
fwiw, most large scale gambling operations like these are not simply illegal in the regions they target... they are scams and often connected to other major crimes, including human trafficking.
#threatintel #gambling #pwa #dns #fake #infoblox #threatresearch #malware #scam #fakeApp #googleplay #infobloxthreatintel #itunes
-
Operation Bizarre Bazaar documents systematic abuse of exposed LLM and MCP infrastructure with commercial monetization.
The campaign demonstrates how AI endpoints without authentication, rate limits, or proper exposure controls can enable compute theft, data access, and potential lateral movement.
AI infrastructure security is increasingly inseparable from traditional cloud and app security.
What controls are most effective in your environment?
Follow TechNadu for objective infosec research coverage.
#AIsecurity #LLM #MCP #CloudDefense #ThreatResearch #InfosecCommunity
-
⚠️ Smishing alert for Greek citizens. 💳 🚨
Scammers are pushing fake AADE (Independent Authority for Public Revenue) “unpaid taxes” SMS that lead to cloned payment pages designed to steal credit‑card info. If a text suddenly demands urgent payment, treat it like a pop‑up from nowhere—don’t click, don’t trust, don’t pay. Share to protect others.
mycargr[.]com
aadcar[.]com
aadgee[.]com
aadgre[.]com
#CyberThreatIntel #Infoblox #DNS #ThreatResearch #phishing #smishing #Cybercrime #AADE #Greece
-
New, from me: Who Operates the Badbox 2.0 Botnet?
The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.
https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/
-
New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks
A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.
https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/
-
Researchers disclosed Reprompt, a prompt-injection-based technique affecting Microsoft Copilot Personal, allowing session hijacking and stealthy data exfiltration via crafted URLs.
Although now patched and not seen in active exploitation, the research highlights:
- Prompt injection via URL parameters
- Session persistence risks in AI assistants
- Limitations of first-request-only guardrails
- Challenges for client-side detection
A useful case study in LLM threat modeling and defensive design.
What security control do you see as most critical for consumer AI assistants?
Follow @technadu for sober, security-first reporting.
Add your insights below.
#InfoSec #AIsecurity #PromptInjection #LLM #ThreatResearch #DataSecurity
-
Threat actors continue to operationalize current-events lures as part of malware delivery chains.
Recent research shows a backdoor deployed via attachments themed around breaking geopolitical news, using legitimate binaries and DLL sideloading techniques for persistence.
No attribution assumptions - just a reminder that contextual relevance remains one of the most effective social engineering tools.
What controls have you found most effective against news-driven phishing?
Engage with us in the comments and follow @technadu for practical threat intelligence coverage.
Source: https://www.darktrace.com/blog/maduro-arrest-used-as-a-lure-to-deliver-backdoor
#InfoSec #ThreatResearch #MalwareTTPs #PhishingDefense #CyberOperations #ThreatDetection #TechNadu
-
Gen Digital researchers have disclosed GhostPairing, a technique that leverages WhatsApp’s multi-device functionality via social engineering to enable persistent, low-noise access to user communications.
The case highlights how legitimate features can become attack surfaces when paired with deception rather than technical exploitation.
Open discussion: how can platforms mitigate abuse of trusted workflows without degrading user experience?
Follow TechNadu for objective threat analysis and security research updates.
Source: https://www.techrepublic.com/article/news-whatsapp-ghostpairing/
#InfoSec #ThreatResearch #SocialEngineering #MessagingSecurity #PrivacyEngineering #CyberRisk
-
Google just lost its “trusted sender” advantage.
Our Email Security researchers uncovered a phishing campaign abusing Google Cloud Application Integration to send emails that look like routine Google notifications — and they’re landing straight in inboxes.
No spoofing. No fake domains. Just trusted infrastructure used against users.
👉 See how it works, who’s being targeted, and why it’s so hard to detect: https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/
-
Researchers disclosed that delivery-receipt behavior in WhatsApp and Signal can be leveraged to observe device activity using silent reactions, edits, and deletions.
Only a phone number is needed, and there’s no user control to disable receipts.
What types of safeguards would you consider appropriate here?
Source: https://gbhackers.com/hackers-exploit-delivery-receipts-in-messaging-app/
Follow us for measured, research-driven cybersecurity reporting.
#InfoSec #Cybersecurity #MobileSecurity #ThreatResearch #Privacy #MessagingSecurity #SecurityAwareness #TechNews #CyberRisk #DigitalSafety
-
The EU has fined X €120M under the Digital Services Act for transparency-related violations, including gaps in political ad repositories and restrictions on researcher access. X has stated it disagrees with the decision.
For the security community, this raises important questions about:
• the role of data access in identifying influence operations
• how platforms can support threat research at scale
• how regulatory frameworks may evolve across regions
Thoughts on how transparency and researcher access should be structured for large platforms?
Source: https://therecord.media/eu-fines-x-under-digital-services-act-disinformation-transparecy-rules
💬 Join the conversation
🔁 Boost & Follow for more neutral cybersecurity insights
#Infosec #CyberSecurity #DSA #Transparency #PlatformGovernance #ThreatResearch #DigitalPolicy #OnlineSafety #Disinformation #TechRegulation
-
Pull a thread, unravel a sweater.
Today's #ThreatResearch blog is about uncovering a massive #phishing operation after stumbling across a single URL.
Since February, the operators of this campaign have registered more than 4300 domain names and have used it to target people with fake hotel reservation "confirmation" messages.
A short 🧵
https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign
-
And I just wanted to give a quick shoutout to our engineering team for noticing this bizarre trick that all of the #phishing pages do that we connect to this #LoggerEIO group.
The phishing kit in use has several pages that the victims are expected to click through. As one enters information onto the first page, then clicks a Continue button, the browser initiates a WebSocket connection with the server, and transmits the data inside of that WebSocket connection.
It isn't exactly encryption, but more obfuscation: The compression, while reversible, does have the effect of obfuscating the content of the exfiltrated data. That little bit of effort might prevent a Data Loss Prevention (DLP) tool from recognizing outbound sensitive data before it's too late.
And the reason we call them #LoggerEIO is because all of the sites that Netcraft connects to this campaign do this on the same URI string: The page makes a connection to the path /logger/?EIO=4&transport=websocket in its GET request - only when the victim sends the data.
/6
#smishing #phishing #NetcraftConfirmsIt #Netcraft #threatresearch #WebSocket
-
Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about...#smishing for tax refunds.
Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.
They're now up to more than 850 domains registered, with thousands of websites in use (using a variety of subdomains) that dangle the prospect of a refund of state income tax overpayments as a lure.
Here's a quick 🧵 about it.
https://www.netcraft.com/blog/taxpayers-drivers-targeted-in-refund-and-road-toll-smishing-scams
-
September Patch Tuesday handles 81 CVEs – Source: news.sophos.com https://ciso2ciso.com/september-patch-tuesday-handles-81-cves-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #ThreatResearch #nakedsecurity #PatchTuesday #Microsoft #Windows10 #featured #CVE
-
Velociraptor incident response tool abused for remote access – Source: news.sophos.com https://ciso2ciso.com/velociraptor-incident-response-tool-abused-for-remote-access-source-news-sophos-com/ #VisualStudioCode #ThreatResearch #nakedsecurity #Remoteaccess #Velociraptor #AttackTools #0CISO2CISO #featured