UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign

The Computer Emergencies Response Team of Ukraine CERT-UA has disclosed details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and...

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. "The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, ...

PT-2026-7658

Name of the Vulnerable Software and Affected Versions XWEB Pro versions prior to 1.12.1 MSHTML affected versions not specified Description An OS command injection issue exists in XWEB Pro, allowing a user with network access to execute code remotely by injecting malicious input into the request...

Cloud Atlas activity in the first half of 2025: what changed

Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process CVE-2018-0802 to download and execute malicious cod...

New JS#SMUGGLER Campaign Drops NetSupport RAT Through Infected Sites

Securonix Threat Research details the complex JSSMUGGLER campaign, a three-step web attack using obfuscated JavaScript and hidden HTA files to install the NetSupport RAT on user Windows desktops, granting hackers full remote control and persistent access...

Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

Cybersecurity researchers are calling attention to a new campaign dubbed JSSMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. The attack chain, analyzed by Securonix, involves three main moving parts: An...

easysploit

This is an exploit module/toolkit targeting various platforms, including Windows, Android, Linux, MacOS, and Web applications. The primary vulnerability targeted is ms17010, specifically EternalBlue, which is a remote code execution vulnerability in Windows systems. The toolkit also includes...

Cloud Atlas seen using a new tool in its attacks

Introduction Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We're shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formul...

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan RAT dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the same...

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine,"...

Aladdin - Payload Generation Technique That Allows The Deseriallization Of A .NET Payload And Execution In Memory

Aladdin is a payload generation technique based on the work of James Forshaw @tiraniddo that allows the deseriallization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html. By spawning the...

Foxit Reader Javascript exportDataObject HTA file creation vulnerability

Talos Vulnerability Report TALOS-2023-1834 Foxit Reader Javascript exportDataObject HTA file creation vulnerability November 27, 2023 CVE Number CVE-2023-35985 SUMMARY An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a...

Malvertisers Using Google Ads to Target Users Searching for Popular Software

Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity, said it's "unique in its way to fingerprint users and distribute...

The forgotten malvertising campaign

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain. We believe this evolution will have a real world impact among corporate users...

Old Loader, New Threat: Exploring XWorm RAT's Distribution and Tactics 

Old Loader, New Threat: Exploring XWorm RAT's Distribution and Tactics By Pratik Pachpor and Adarsh S · July 31, 2023 Executive Summary: In March-April 2023, we detected a malicious email campaign delivering .Net based XWorm RAT in which embedded blogspot.com URLs were used as an entry point. Thi...

CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers Telegram, WhatsApp, Signal are used, in most cases, using...

Sophisticated DownEx Malware Campaign Targeting Central Asian Governments

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx. Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the...

ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

The North Korean advanced persistent threat APT actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help CHM files to download additional malware onto targeted machines. According to multiple reports from AhnLab Security Emergency response Center ASEC, SEKOIA.IO, and Zscaler, the...

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials...

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT,...