malware (117)

Our colleagues at Sentinel Labs have provided yet another piece of great research and analysis.  As Large Language Models (LLMs) are increasingly incorporated into software‑development workflows, they also have the potential to become powerful new tools for adversaries; as defenders, it is important that we understand the implications of their use and how that use affects the dynamics of the security space.

In Sentinel’s research, they wanted to understand how LLMs are being used and how analysts could s

In 2025, Chaos ransomware resurfaced with a C++ variant.  This marks the first time it was not written in .NET.  Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft.  This evolution underscores Chaos's shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims.

This Fortinet report provides a comprehensive technical analysis of Chaos-C++, covering its execution fl

The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite (EBS) zero-day bug in data theft attacks since at least early August 2025, according to cybersecurity company CrowdStrike.  Tracked as CVE-2025-61882 and patched by Oracle on 01 October 2025, this vulnerability was discovered in the BI Publisher Integration component of Oracle EBS's Concurrent Processing, allowing unauthenticated attackers to gain remote code execution on unpatched systems in low-complexity

The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia.  First identified in 2013, the group is believed to have links to state-sponsored operations in the region.  Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan, using spear-phishing and malicious documents as initial access vectors.  Recent campaigns have highlighted a sharp evolut

Attacker Breakout Time refers to the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network.  Threat actors are accelerating their attacks and adopting innovative new ways to circumvent endpoint detection mechanisms, according to a new report from ReliaQuest.  The threat intelligence vendor claimed in its latest Threat Spotlight report for the period June–August 2025 that the average breakout time dropped to only 18 minutes.  One

Successful phishing campaigns typically combine sophisticated victim-deception tactics with layers of stealth, persistence, and advanced evasion techniques, so that threat actors can quietly maintain access across compromised systems and networks.  A prime example is a new operation involving the use of a banking malware–turned–remote access Trojan (RAT) that researchers at Fortinet are tracking as "MostereRAT." It chains the use of an obscure programming language, security tool tampering, and t

The US Secret Service on 23 September reported it has foiled what appears to be a sophisticated plot for cyber-espionage and disruption of mobile networks in New York at a time when more than 100 heads of state and governments and foreign ministers are in the city for the UN General Assembly’s leaders’ session.

In a statement, the Secret Service said that the agency recovered more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites in the New York tristate area.  The agency s

A sneaky new type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild.  The research team, led by Onkar R. Sonawane, has found that this seemingly simple program is surprisingly adept at remaining undetected while stealing your personal information.  The research, shared with Hackread.com, reveals that the malware is primarily spread through underground forums and often bundled with pirated software.

Built using the programming languages De

Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems.  Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced in July with new activity, targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior.  This Fortinet research presents an in-depth analysis of Gayfemboy, r

A threat actor has been observed “patching” a vulnerability post exploitation, likely in a bid to lock out other adversaries and secure exclusive access.  The novel tactic was detected by Red Canary researchers in a cluster of activity targeting a flaw in Apache ActiveMQ, an open-source message broker, to gain persistent access on cloud-based Linux systems.  The critical vulnerability, CVE-2023-46604, allows for remote code execution (RCE) in Linux systems due to inadequate validation of throwab

Remote Access Trojans, also known as RATs, have been around for years, although their prevalence in the market has surged recently.  RATs are digital skeleton keys, giving an attacker remote control over a system, often without the user ever knowing.  This kind of access often starts with someone clicking a malicious link or opening a rogue attachment in a phishing email or messaging app.  From there, the attacker can move laterally, steal data, monitor activity, or trigger ransomware.

RATs have

The US can dreadfully report that it is #1 in malware activity.  Canada is #2.  Not to be outdone, the UK is now the third most targeted country in the world for malware after seeing over 100 million cyber-attacks over the past three months, according to a new report.  Research from cyber security firm NordVPN found that criminals are increasingly targeting everyday internet users through links in emails and texts, as well as through malicious websites and attachments.[1]

The UK now rank

A new backdoor malware campaign targeting Linux systems and exploiting a critical vulnerability in SAP has been uncovered by cybersecurity researchers.  The malware, known as Auto-Color, was deployed in a targeted intrusion against a US-based chemicals company in April 2025.  According to an advisory published by Darktrace on 29 July 2025, the attack began when a threat actor exploited CVE-2025-31324, a critical flaw in SAP NetWeaver that allows remote file uploads and potential system compromise.

The notorious Russian cyber-espionage gang known as Fancy Bear, also known as APT28, has increased its attacks against governments and military entities worldwide using new sophisticated cyber tools and technology.  Fancy Bear is perhaps best known in the United States for its hack and leak of Democratic National Committee emails in the lead-up to the 2016 presidential election.  Eleven Western countries have accused the hacking group of targeting defense, transport, and tech firms involved in

Hackers believed to be affiliated with an Iranian intelligence agency are using a newly-discovered strain of the DCHSpy malware to snoop on adversaries.  Researchers from the cybersecurity firm Lookout detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began.  DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said.  The malware also collects cont

In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group.  Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations.  Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++, and Nim.  Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts, and fake updates, th

Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments.  Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots.  The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client’s Authenticode signature.  ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that enables IT administrators and managed service providers (MSPs) to troubleshoot devices remotely.  When a ScreenConnect installer is built, it can be customized to include the remote server the client should connect to, the text displayed

Almost half (44%) of mobile users report being exposed to scams and threats daily, with a majority concerned about losing important files and productivity loss as a result, according to Malwarebytes.  The security vendor polled 1,300 adults in the US, UK, Austria, Germany, and Switzerland for its "Tap, Swipe, Scam" report.  Although it focused on the personal impact of such threats, they’re having a growing impact on enterprise risk, given the large number of organizations that allow Bring Your

A new malware called LOSTKEYS, capable of stealing files and system data, has been identified by Google’s Threat Intelligence Group (GTIG) as part of a series of cyberattacks attributed to COLDRIVER, a threat actor linked to the Russian government.  The malware, observed in attacks during January, March, and April 2025, marks a new step in COLDRIVER’s evolving capabilities.  Previously known primarily for credential phishing targeting Western diplomats, NGOs, and intelligence personnel, the gr