CySecurity News - Latest Information Security and Hacking Incidents: malware

Campaign Iran hackers Iranian state malware RedKitten

Iran-Linked Hackers Target Human Rights Groups in Redkitten Malware Campaign

A Farsi-speaking threat actor believed to be aligned with Iranian state interests is suspected of carrying out a new cyber campaign targeting non-governmental organizations and individuals documenting recent human rights abuses in Iran, according to a report by HarfangLab.

The activity, tracked in January 2026 and codenamed RedKitten, appears to coincide with nationwide unrest that erupted in Iran in late 2025 over soaring inflation, rising food prices, and currency depreciation. The protests were followed by a severe security crackdown, mass casualties, and an internet blackout.

“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control,” HarfangLab said.

Researchers said the campaign is notable for its apparent use of large language models to help develop and coordinate its tooling. The attack chain begins with a 7-Zip archive bearing a Farsi filename, which contains malicious Microsoft Excel files embedded with macros.

The XLSM spreadsheets purport to list details of protesters who died in Tehran between Dec. 22, 2025, and Jan. 20, 2026. Instead, the files deploy a malicious VBA macro that acts as a dropper for a C# implant known as AppVStreamingUX_Multi_User.dll using a technique called AppDomainManager injection. HarfangLab said the VBA code itself shows signs of being generated by an LLM, citing its structure, variable naming patterns, and comments such as “PART 5: Report the result and schedule if successful.”

Investigators believe the campaign exploits the emotional distress of people searching for information about missing or deceased protesters. Analysis of the spreadsheet data found inconsistencies such as mismatched ages and birthdates, suggesting the content was fabricated. The implanted backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to obtain Google Drive links hosting images that conceal configuration data using steganography. This data includes Telegram bot tokens, chat IDs, and links to additional modules.

The malware supports multiple modules that allow attackers to run commands, collect and exfiltrate files, establish persistence through scheduled tasks, and launch processes on infected systems. “The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks,” HarfangLab said. “SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control.”

Attribution to Iranian-linked actors is based on the use of Farsi-language artifacts, protest-themed lures, and tactical overlaps with earlier operations, including campaigns associated with Tortoiseshell, which previously used malicious Excel documents and AppDomainManager injection techniques. The use of GitHub as part of the command infrastructure mirrors earlier Iranian-linked operations. In 2022, Secureworks, now part of Sophos, documented a campaign by a sub-group of Nemesis Kitten that also leveraged GitHub to distribute malware.

HarfangLab noted that reliance on widely used platforms such as GitHub, Google Drive, and Telegram complicates traditional infrastructure-based attribution but can also expose operational metadata that poses risks to the attackers themselves. The findings follow recent disclosures by U.K.-based Iranian activist and cyber investigator Nariman Gharib, who detailed a separate phishing campaign using a fake WhatsApp Web login page to hijack victims’ accounts.

“The page polls the attacker’s server every second,” Gharib said. “This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim.” That phishing infrastructure was also designed to request access to a victim’s camera, microphone, and location, effectively turning the page into a surveillance tool. The identity and motive of the operators behind that campaign remain unclear.

Separately, TechCrunch reporter Zack Whittaker reported that related activity also targeted Gmail credentials using fake login pages, impacting around 50 victims across the Kurdish community, academia, government, and business sectors. The disclosures come amid growing scrutiny of Iranian-linked cyber groups following a major data leak affecting Charming Kitten, which exposed details about its operations and a surveillance platform known as Kashef. Gharib has also highlighted leaked records tied to Ravin Academy, a cybersecurity school linked to Iran’s Ministry of Intelligence and Security, which was sanctioned by the United States in 2022.

eScan Antivirus Faces Scrutiny After Compromised Update Distribution



 

Trusted Update Abuse

Antivirus Update Breach command and control servers Compromised Code Signing Cybersecurity Infrastructure Endpoint security eScan Malware Incident malware Supply Chain Attack Trusted Update Abuse

eScan Antivirus Faces Scrutiny After Compromised Update Distribution

MicroWorld Technologies has acknowledged that there was a breach of its update distribution infrastructure due to a compromise of a server that is used to deliver eScan antivirus updates to end users, which was then used to send an unauthorized file to end users.

It was reported that the incident took place within a narrow two-hour window on January 20, 2026, in a regional update cluster. It affected only a small fraction of customers who had downloaded updates during that period, and was confined to that cluster.

Following the analysis of the file, it was confirmed that it was malicious, and this demonstrates how even tightly controlled security ecosystems can be compromised when trust mechanisms are attacked.

Despite MicroWorld reporting that the affected systems were swiftly isolated, rebuilt from clean baselines, and secured through credential rotation and customer remediation within hours of the incident, the episode took place against the backdrop of escalating cyber risks that are continually expanding.

An unprecedented convergence of high-impact events took place in January 2026, beginning with a major supply chain breach involving a global antivirus vendor, followed by a technical assault against a European power grid, and the revelation of fresh vulnerabilities in artificial intelligence-driven systems in the first few weeks of January 2026.

There are a number of developments which have led to industry concerns that the traditional division between defensive software and offensive attack surfaces is eroding, forcing organizations to revisit long-standing assumptions about where trust begins and ends in their security architectures as a result.

According to further technical analysis, eScan's compromised update channel was directly used to deliver the previously unknown malware, effectively weaponizing a trusted distribution channel that had been trusted.

A report indicated that multiple security platforms detected and blocked attempted attacks associated with the malicious file the day of its distribution, prompting a quick external scrutiny to take place. It was MicroWorld Technologies who indicated to me that the incident was identified internally on January 20 through a combination of monitoring alerts and customer reports, with the affected infrastructure isolated within an hour of being identified.

The company issued a security advisory the following day, January 21, as soon as the attack was under control and the situation had been stabilised. In spite of the fact that cybersecurity firm Morphisec later revealed that it had alerted eScan during its own investigation, MicroWorld maintains that containment efforts were already underway when the communication took place.

The company disputes any suggestion that customers were not informed of the changes, claiming proactive notifications and direct outreach as part of the remediation process to address any concerns.

A malicious update was launched by a file called Reload.exe, which set off a multi-stage infection sequence on the affected systems through the use of a file called Reload.exe.

The researchers that conducted the initial analysis reported that the executable modified the local HOSTS file to prevent the delivery of corrective updates from eScan update servers and that this led to a number of client machines experiencing update service errors.

As part of its persistence strategy, the malware created scheduled tasks, such as CorelDefrag, and maintained communication with external command-and-control infrastructure to retrieve additional payloads, in addition to disrupting operations.

During the infection process, there was also a secondary malicious component called consctlx.exe written to the operating system, which further embedding the threat within the system. A further detail provided by Morphisec, an endpoint security company, provided a deeper technical insight into the underlying mechanism and intent of the malicious update distributed through the trusted infrastructure of eScan.

As Morphisec stated in its security bulletin, the compromised update package contained a modified version of the eScan update component Reload.exe that was distributed both to enterprise environments and consumer environments via legitimate update channels.

Despite the binary's appearance of being signed with eScan's code signing certificate, validation checks conducted by Windows and independent analysis platforms revealed that the signature was not valid. Morphisec's analysis revealed that the altered Reload.exe functions as a loader for a malware framework that consists of several stages. This raises concerns about certificate integrity and abuse of trusted signing processes.

When the component is executed, it establishes persistence on infected machines, executes arbitrary commands, and alters the Windows HOSTS file to prevent access to eScan's update servers, preventing eScan from releasing updates by using routine update mechanisms.

Additionally, the malware started communicating outwards with a distributed command-and-control infrastructure, thus allowing it to download additional payloads from a variety of different domains and IP addresses in order to increase its reach.

According to Morphisec, the final stage of the attack chain involved the deployment of a second executable, CONSCTLX.exe. This secondary executable acted as both a backdoor and a persistent downloader.

A malicious component that was designed to maintain long-term access created scheduled tasks with benign-sounding names like CorelDefrag that were designed to avoid casual inspection while ensuring that the task would execute across restarts as well.

The company MicroWorld Technologies developed a remediation utility in response to the incident that is specifically intended to identify and reverse unauthorized changes introduced by the malicious update. Using this tool, the company claims that normal update functionality is restored, a successful cleanup has been verified, and the process only requires a standard reboot of the computer to complete.

Several companies, including eScan and Morphisec, have advised customers to take additional network-level security measures to protect themselves from further malicious communications during the recovery phase of the campaign by blocking the command-and-control endpoints associated with it.

In addition, the incident has raised concerns about the recurring exploitation of antivirus update mechanisms, which have caused an increase in industry concern. There was an incident of North Korean threat actors exploiting eScan’s update process in 2024 to install backdoors inside corporate networks, illustrating again how security infrastructure remains one of the most attractive targets for state-sponsored attacks, particularly those aiming for high volumes of information.

As this breach unfolds, it is part of a wider pattern of consequential supply chain incidents that have taken place in early 2026. These incidents range from destructive malware targeting European energy systems to large-scale intellectual property theft coupled with soon-to-appear AI-driven assault tactics.

The events highlighted by these events also point to a persistent strategic reality in that organizations are increasingly dependent on trusted vendors and automated updates pipelines. If trust is compromised across the digital ecosystem, defensive technologies can become vectors of systemic risk as a result of a compromise in trust.

In an industry context, the incident is notable for the unusual method of delivery used by the perpetrators. In spite of the fact that software supply chain compromises have been a growing problem over the past few years, malware is still uncommonly deployed through the security product’s own update channel.

An analysis of the implants involved indicates that a significant amount of preparation has been performed and that the target environment is well known. A successful operation would have required attackers to have acquired access to eScan’s update infrastructure, reverse engineering aspects of its update workflow, and developing custom malware components designed specifically to function within that ecosystem in order to be successful.

Such prerequisites suggest a deliberate, resource-intensive effort rather than a purely opportunistic one. In addition, a technical examination of the implanted components revealed resilience features that were designed to ensure that attacker access would not be impeded under adverse conditions.

There were multiple fallback execution paths implemented in the malware, so that continuity would be maintained even if individual persistence mechanisms were disrupted. In one instance, the removal of a scheduled task used to launch a PowerShell payload was not sufficient to neutralize the infection, since the CONSCTLX.exe component would also be able to invoke the same functionality.

Furthermore, blocking the command-and-control infrastructure associated with the PowerShell stage did not completely eliminate an attacker's capabilities, as CONSCTLX.exe retained the ability to deliver shellcode directly to affected systems, as these design choices highlight the importance of operational redundancy, which is one of the hallmarks of well-planned intrusion campaigns.

In spite of the sophistication evident in the attack's preparation, the attack's impact was mitigated by its relatively short duration and the techniques used in order to prevent the attack from becoming too effective.

Modern operating systems have an elevated level of trust when it comes to security software, which means that attackers have theoretically the possibility to exploit more intrusive methods, including kernel-mode implants, which provide attackers with an opportunity to carry out more invasive attacks.

In this case, however, the attackers relied on user-mode components and commonly observed persistence mechanisms, such as scheduled tasks, which constrained the operation's stealth and contributed to its relatively quick detection and containment, according to analysts.

It is noteworthy that the behavioral indicators included in eScan's advisory closely correspond with those found by Morphisec independently. Both parties deemed the incident to have a medium-to-high impact on the enterprise environments in question. Additionally, this episode has revealed tensions between the disclosures made by vendors and researchers.

As reported by Bloomberg News, MicroWorld Technologies has publicly challenged parts of Morphisec's public reporting, claiming some of it was inaccurate. It is understood that they are seeking legal advice in response to these claims.

It was advised by eScan to conduct targeted checks to determine whether the systems were affected from an operational perspective, including reviewing schedule tasks for anomalous entries, inspecting the system HOSTS file for blocked eScan domains, and reviewing update logs from January 20 for irregularities.

A remediation utility has been released by the company and is available through its technical support channels. This utility is designed to remove malicious components, reverse unauthorized changes, and restore normal update functionality.

Consequently, customers are advised to block known command-and-control addresses associated with this campaign as a precaution, reinforcing the lesson of the incident: even highly trusted security infrastructure must continually be examined as potential attack surfaces in a rapidly changing threat environment.

BadIIS Malware Used in Coordinated Attacks on Asian Web Servers



 

Web Infrastructure Security

BadIIS Malware China Linked Threats Cybercrime Operations data theft attacks IIS Server Attacks malware SEO Fraud Campaign UAT-8099 Web Infrastructure Security

BadIIS Malware Used in Coordinated Attacks on Asian Web Servers

There was an ongoing quiet, methodical campaign unfolding across many sections of the web infrastructure in Asia by the spring of 2025, a campaign which did not rely on loud disruptions or overt destruction, but instead relied on subtle manipulation of trust.

Cisco Talos researchers have discovered evidence that a Chinese-speaking threat group known as UAT-8099 has been systematically infiltrating vulnerable Microsoft Internet Information Services (IIS) servers that hold established credibility within their region's digital eco-systems as a result of ongoing campaign of spam attacks.

In contrast to targeting any system that could be compromised indiscriminately, the attackers opted for high-reputation servers, leveraging the ranking of such servers to manipulate search engine results and generate illicit revenue rather than targeting every exposed system.

With a specialized SEO fraud operation, UAT-8099 also combined its manipulation with deeper post-compromised activity by accessing compromised systems with Remote Desktop Protocol access and searching for sensitive certificates, credentials, configuration files, and logs, assets which could be repurposed in follow-on attacks or aquired quietly into underground markets, making it a powerful enterprise.

In this instance, it underscores the persistent threat posed by exposing, internet-facing infrastructure, especially in cases where critical services are exposed, and are vulnerable to compromise. According to Cisco Talos findings, UAT-8099 has demonstrated that it has taken a multifaceted approach to compromising a system, as it does not merely consider susceptible IIS servers to be entry points but also as long-term assets in its criminal workflow as a whole.

By gaining access to these systems, the group then uses them as a covert way to forward searches in mobile search to spam-driven advertising networks and gambling platforms that are illicit, allowing them to monetize the established credibility of well-known organizations.

Meanwhile, the attackers harvest sensitive information contained on the servers in a systematic manner, including authentication information as well as internal access records, which may be used for later intrusions or are sold on underground markets in order to maintain control over the servers.

There are some operations that are common to Chinese-language SEO fraud collectives that exhibit UAT-8099's operational characteristics—and they are similar to the clusters that have been tracked by other security firms such as GhostRedirector and CL-UNK-1037. However, the boundaries between these groups remain indistinct, indicating that financial motivations play an integral role in the evolution of cybercrime.

There is some evidence that indicates that the activity is linked to a Chinese-based threat cluster that has been ongoing since April 2025, with operational evidence indicating that the campaign began in April of that year. The analysis also shows significant parallels with a separate BadIIS attack, identified by WithSecure as WEBJACK by Finnish cybersecurity firm WithSecure, which includes similar tooling, command-and-control infrastructures, and patterns in victim selection.

Cisco Talos has observed a significant increase in activity against IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan during the recent wave of activity. In particular, Cisco Talos has noted an increase in targeting in Thailand and Vietnam. This geographic focus reflects a broader refinement in the group's targeting strategy, which is why the attackers prioritize regions where compromised servers can be exploited in order to monetize and maintain long-term control.

The Talos researchers have noted that UAT-8099 has shown a significant evolution in terms of its tradecraft from a technical perspective. The group is still relying on web shells and network utilities like SoftEther VPN and EasyTier to maintain access to infected servers, but it has increasingly incorporated red team frameworks and legitimate administrative tools in order to reduce its footprint and extend its longevity.

An initial attack typically involves exploiting vulnerabilities within IIS environments or misconfigured file upload mechanisms to gain access to the host system. Once the attackers have embedded themselves within the host system, they conduct reconnaissance in order to profile it, create concealed user accounts to establish persistence, and set up utilities aimed at suppressing forensic visibility, disabling defensive controls, and facilitating remote control of the system.

This attack ensures uninterrupted operation of the SEO fraud infrastructure by dynamically adjusting the persistence mechanisms to counter detection measures that flag previously used account names. As a result, attackers create alternative hidden accounts to ensure their persistence mechanisms are constantly adjusted.

BadIIS malware represents the last stage of the attack chain, and variants have been observed that have been specifically tailored for regional audiences. A strain of the virus was specifically developed to target systems in Vietnam, while another strain of the virus was designed specifically for Thai-based environments or users who speak the Thai language.

It intercepts and evaluates inbound web traffic, identifies search engine crawlers, and covertly redirects them to fraudulent SEO sites despite these customizations. By injecting malicious scripts into server responses, the malware manipulates server responses for ordinary users, particularly those whose browser language settings match the targeted region.

There is a twin-path approach to this operation, which enables them to quietly manipulate search rankings without the risk of being discovered by legitimate visitors, increasing the significance of the group's emphasis on stealth and sustained exploitation as a result.

Despite its importance as a foundational component of web infrastructure for organizations across sectors, Microsoft Internet Information Services remains one of the most easily abused components of the Internet.

When the security controls on the IIS environment are not adequate, it is an easy target for abuse. Threat actors have proven that compromised IIS environments can be repurposed to deliver malicious or misleading content to unwitting visitors, effectively turning trusted websites into distribution points for criminals.

There have been recent examples in which newly observed malware variants were primarily used to promote online gambling content, although security experts caution that this technique is easily capable of being applied to large-scale malware delivery or carefully crafted watering hole attacks that target specific audiences as well.

It is worth emphasizing that unsecured web servers that retain outward signs of legitimacy pose a broader risk than simply adapting to these methods. In addition to technical disruption, the consequences of a misuse of a reputable website can have long-term consequences for organizations affected.

A misuse of a reputable website can lead to a loss of user confidence, erode reputations, and expose site owners to a variety of legal and regulatory scrutiny, especially when they are found to have a role in malicious activity. Those who work in the field of cybersecurity emphasize the importance of disciplined server management as well as proactive defense measures in order to reduce such risks. '

Among the key tasks that must be accomplished is maintaining a clear inventory of internet-facing assets, applying security updates on a timely basis, and closely monitoring the IIS environments for irregular modules installed or binaries placed in unanticipated locations.

An attacker's ability to operate undetected can be further hindered if additional safeguards are put in place, such as limiting administrative access, enforcing strong authentication mechanisms backed by multifactor authentication, and regulating inbound and outbound traffic using firewalls.

It remains important to perform continuous log analysis in order to minimize the attack surface of IIS deployments while maintaining their integrity. It is clear that UAT-8099's activities have a major impact on the stolen sensitive data from compromised environments, both immediately and tangiblely.

Once access has been secured, this group reinforces its foothold by deploying additional backdoors, as well as commercial-grade post-exploitation frameworks, and they proceed to collect credentials, configuration files, and digital certificates that are used to support additional intrusions or that can be monetized through underground channels in order to strengthen its foothold.

The secondary layer of exploitation aims to exploit vulnerable IIS servers to create staging points for larger campaigns, extending the risk much further than the initial compromise, and increasing the value of the targeted systems as a result. However, much of the group’s activity remains largely unknown both to the affected organizations as well as to the users of the website, making detection and response a challenging task.

There is a tendency for site owners to dismiss external warnings as false positives since the integrity and outward appearance of compromised websites usually remain the same, and it is believed that no visible changes equate to the lack of intrusion on the compromised website.

The perception gap, according to practitioners in threat intelligence, is often at the core of remediation efforts, despite attempts at the national and sectorion levels of alerting organizations to covert compromises. In spite of the fact that the immediate effects may seem abstract or low priority, experts warn that the underlying vulnerabilities that are being exploited are anything but benign.

In the same way that hackers can silently manipulate content or insert hidden redirects by utilizing the same weaknesses, malicious scripts can also be injected into a system that will harvest session cookies, login credentials, and payment information from legitimate users, putting organizations at greater risk than they ever imagined.

It was revealed by an analysis of the latest BadIIS variants that they were designed in a modular way that supported a variety of operational modes while remaining undetected. As the malware is working in proxy mode, it validates the request paths and decodes an embedded command-and-control address. This address is used by the malware as an intermediary for fetching content from secondary infrastructure, which is then relayed back through the Internet Information System.

It is important to note that the responses submitted to search engines are modified before they are routed. This is done to simulate legitimate HTTP traffic with content being injected directly into the bodies of response via native IIS APIs, ensuring seamless delivery without affecting the server itself.

Additionally, the malware's SEO fraud capability relies on large-scale backlink manipulation: exploiting compromised servers, it displays search engines with HTML-based link structures intended to artificially inflate rankings for attacker-controlled domains, thereby attempting to fool search engines into believing users are the owner of the site.

There is also an injector mode that enables users tasked with searching for the answer to a search query, retrieved JavaScript from remote servers and embedded in web responses to trigger covert redirections, which can be used with this approach. When operators host redirect logic externally instead of within the malware itself, they have the option of switching destinations, localizing messages by region, and evading signature-based defenses.

Additionally, a second cluster of BadIIS samples enhances these capabilities by implementing additional request-handling mechanisms to enforce redirects at multiple stages of the HTTP lifecycle and supporting a variety of hijacking scenarios ranging from a complete site replacement to selective homepage redirection or path-based proxying, as well as providing different levels of functionality.

All these features are taken together to demonstrate a mature, adaptable framework, capable of manipulating search ecosystems as well as exploiting trust web infrastructure for long-term abuse without being visible to victims or their families. It's important to mention that security experts caution that this campaign highlights what is arguably one of the most serious risks facing organizations that use internet-facing web infrastructure to function.

There is a possibility that IIS servers, which have not been properly hardened, will gradually become long-term assets for cybercriminal operations without causing immediate operational alarms when left unhardened.

As a result, organizations should reassess their web environments' security posture, and to treat reputation and visibility as potential risks, rather than as safeguards, as they might be. There is an increasing need for proactive patch management, strict access controls, continuous monitoring, and regular integrity checks, which are regarded not as best practices but as a fundamental requirement.

Campaigns such as UAT-8099 show us that despite the absence of visible disruption, compromise is still a threat, and organizations and their users may suffer far more severe outcomes if they fail to address these silent threats in the future.

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks



 

Stealth Attack

GoTo Resolve malware Malware PUA Threat Ransomware Stealth Attack

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks

Security researchers have raised alarms over a remote administration tool that can quietly turn into a stealthy entry point for cybercriminals. The program, flagged as HEURRemoteAdmin.GoToResolve.gen, is now classified as a Potentially Unwanted Application (PUA) due to the way it conceals its presence and behavior from end users.

The warning comes from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm that analyzed how this tool can transform a routine IT utility into a serious security liability. According to their report, the application is linked to GoTo Resolve, a legitimate platform formerly known as LogMeIn, widely used by IT support teams for remote access and troubleshooting.

What makes this case particularly concerning is the tool’s ability to install and operate “silently,” maintaining a persistent foothold on the system without any visible prompts or notifications. Researchers found it buried in a directory named C:\Program Files (x86)\GoTo Resolve Unattended\, along with a bundled file called “32000~” that contains hidden instructions for managing the application in the background.

Because it runs unattended, this component effectively creates a new attack surface, similar to leaving a window unlocked for intruders. Threat actors who manage to hijack the tool could exploit its background capabilities to move laterally, gather intelligence, or prepare a larger compromise, all without attracting attention from the user sitting at the keyboard.

The most disturbing link is to ransomware tradecraft through the use of the Windows Restart Manager library, RstrtMgr.dll. This DLL has been abused in past campaigns by high-profile groups like Conti and Cactus ransomware, as well as the BiBi wiper, to terminate processes that might block file encryption or forensic analysis, including antivirus tools and security services. Even more deceptive is the fact that the software carries a valid digital signature from GoTo Technologies USA, LLC, giving it an appearance of full legitimacy in the eyes of both users and operating systems.

Experts stress that a trusted signature does not guarantee safe behavior and warn organizations to treat this tool as a high-risk component unless explicitly approved and monitored by their security teams, calling its stealthy execution and Restart Manager loading a form of “dangerous pre-positioning” for future, more destructive attacks.

Researchers Uncover Pakistan-Linked Cyber Activity Targeting India



 

State Sponsored Cyber Attacks

Advanced Persistent Threats APT36 Cyber Espionage Cloud Infrastructure Abuse Defense Sector Government Network Security India Pakistan Cyber Conflict malware State Sponsored Cyber Attacks

Researchers Uncover Pakistan-Linked Cyber Activity Targeting India

A familiar, uneasy brink appears to be looming between India and Pakistan once again, where geopolitical tension spills over borders into less visible spheres and risks spilling over into more obscure regions. As the war intensified in May 2025, cyberspace became one of the next arenas that was contested.

Pakistan-linked hacktivist groups began claiming widespread cyberattacks on Indian government bodies, academic institutions, and critical infrastructure elements as the result of heightened hostilities. It appeared, at first glance, that the volume of asserted attacks indicated that there was a broad cyber offensive on the part of the perpetrators. There is, however, a more nuanced story to be told when we take a closer look at the reports.

According to findings from security firm CloudSEK, many of these alleged breaches were either overstated or entirely fabrications, based on recycled data dumps, cosmetic website defacements, and short-lived interruptions that caused little harm to operations.

Despite the symphonic noise surrounding the Pahalgam terror attack, a more sobering development lay instead behind the curtain. It was an intrusion campaign targeting Indian defense-linked networks based on the Crimson RAT malware that was deployed by the APT36 advanced persistent threat group.

Using a clear distinction between spectacle and substance, this study examines what transpired in India-Pakistan cyber conflict, why it matters, and where the real risks lie in the coming months in order to discern what has truly unfolded.

In spite of the noise of hacktivist claims, researchers warn that a much more methodical and state-aligned cyber espionage effort has been quietly unfolding beneath the surface level noise. There has been a significant increase in the focus of Pakistan-linked threat actors operating under the designation APT36, also referred to by cybersecurity experts as Earth Karkaddan, Mythic Leopard, Operation C-Major, and Transparent Tribe in the past couple of years.

It has been more than a decade since this group established itself, and it has demonstrated a track record of conducting targeted intelligence-gathering operations against Indian institutions through its work.

Analysts observed in August 2025 a shift in tactics for a campaign known as APT36 that focused on Linux-based systems, using carefully designed malware delivery techniques, rather than targeting Windows-based systems.

APT36 used procurement-themed phishing lures to distribute malware ZIP archives disguised as routine documents, allowing attackers to distribute malware. The malware dropper was coveredtly downloaded and installed by these files, which were then executed through Windows desktop entry configurations.

A decoy PDF was also displayed to avoid suspicion, while the malware dropper itself retrieved a malware dropper on Google Drive. According to a further analysis, the payload was designed to avoid detection using anti-debugging and anti-sandbox measures, maintain persistence on compromised systems, and establish covert communication with command-and-control infrastructure over WebSockets, which were all hallmarks of a calculated espionage operation rather than an opportunistic intrusion.

According to further analysis conducted by Zscaler ThreatLabz, the activity appears to be part of two coordinated campaigns, identified as Gopher Strike and Sheet Attack, both of which were carried out from September 2025 to October 2025. It is worth keeping in mind that while elements of the operations bear resemblance to techniques that have historically been associated with APT36, researchers are generally inclined to believe that the observed activity may be the work of a distinct subgroup or a separate threat actor which is linked to Pakistan.

There are two main types of attacks known as Sheet Attacks and they are characterized by their use of trusted cloud-based platforms for command-and-control communications, including Google Sheets, Firebase, and email services, which enables your attack traffic to blend into legitimate network traffic.

It has been reported that the Gopher Strike, on the other hand, is initiated by phishing emails that provide PDF attachments which are meant to deceive recipients into installing an Adobe Acrobat Reader DC update that is falsely advertised. A blurred image is displayed on top of a seemingly benign prompt, which instructs users to download the update before they can view the contents of this document.

A user selecting the embedded option will initiate the download of an ISO image, but only when the request originated from an address in India and corresponds to an Indian user agent specified in a Windows registry - server-side checks to frustrate automated analysis and prevent delivery to a specific audience.

A downloader built on the Golang programming language is embedded within the ISO copy, named GOGITTER, in order for it to be able to establish persistent downloads across multiple directories of the system by creating and repeatedly executing Visual Basic scripts in several locations.

A portion of the malware periodically retrieves commands from preconfigured command-and-control servers and can, if necessary, access additional payloads from a private GitHub repository, which was created earlier in 2025. This indicates the campaign was deliberately designed and has sustained operational intent for the above period.

An intrusion sequence is initiated once the malicious payload has been retrieved by executing a tightly coordinated series of actions designed to establish deeper control as well as confirm compromise. The investigator notes that the infected system first sends a HTTP GET request to a domain adobe-acrobat[.]in in order to inform the operator that the target had been successfully breached.

GOGBITTER downloaders unpack and launch executable files that are then executed from previously delivered archives, called edgehost.exe. It is this component's responsibility to deploy GITSHELLPAD, a lightweight Golang backdoor which relies heavily on attackers' control of private GitHub repositories for command-and-control purposes. This backdoor keeps in close touch with the operators by periodically polling a remote server for instructions stored in a file called command.txt that is updated every few seconds.

In addition to being able to navigate directories and execute processes on a compromised system, attackers are also able to transfer files between the compromised and non-compromised system. The execution results are recorded in a separate file and sent back to GitHub, where they are then exfiltrated and stored until the forensic trace is completely removed.

Moreover, Zscaler researchers have observed that operators after initial access downloaded additional RAR archives using the cURL-based command line. As part of these packages, there were tools for system reconnaissance, as well as a custom Golang loader known as GOSHELL that was used to eventually deploy a Cobalt Strike beacon after several decoding stages were completed.

There is no doubt about the fact that the loader was intentionally padded with extraneous data in order to increase its size to about one gigabyte, which is a tactic that was used as a way to bypass antivirus detections.

When the auxiliary tools had fulfilled their purpose, they were systematically removed from the host, reflecting a disciplined effort to keep the campaign as stealthy as possible.

Recently, investigations indicate that cyber tensions between India and Pakistan are intensifying. It is important to distinguish between high-impact threats and performative digital noise in order to avoid the loss of privacy.

Even though waves of hacktivist claims created the illusion of a widespread cyberattack on Indian institutions in mid-2025, detailed analysis reveals that the majority of these disruptions were exaggerated or of inconsequential nature. Among the more consequential risks that Pakistan-linked actors, including groups such as APT36, are associated with is sustained and technically sophisticated espionage operations.

The attacks illustrate a clear evolution in the use of tradecraft, combining targeted phishing attacks, exploitation of trusted cloud platforms, and the use of custom malware frameworks, all of which are being used to quietly penetrate both Linux and Windows environments within governments and defense organizations.

It is important to note that selective delivery mechanisms, stealthy persistence techniques, and layering of payloads-all culminating in the deployment of advanced post-exploitation tools-underline a strategic focus on long-term access rather than immediate disruption of the network.

The findings underscore to policymakers and security teams that the importance of detecting covert, state-aligned intrusions over headline-driven hacktivist activity needs to be prioritized, and that in an increasingly contested cyber world, it is crucial that cybersecurity defenses are strengthened against phishing, cloud abuse, and endpoint monitoring.

Some ChatGPT Browser Extensions Are Putting User Accounts at Risk



 

MFA

AI AI Browsers ChatGPT Data Theft malware MFA

Some ChatGPT Browser Extensions Are Putting User Accounts at Risk

Cybersecurity researchers are cautioning users against installing certain browser extensions that claim to improve ChatGPT functionality, warning that some of these tools are being used to steal sensitive data and gain unauthorized access to user accounts.

These extensions, primarily found on the Chrome Web Store, present themselves as productivity boosters designed to help users work faster with AI tools. However, recent analysis suggests that a group of these extensions was intentionally created to exploit users rather than assist them.

Researchers identified at least 16 extensions that appear to be connected to a single coordinated operation. Although listed under different names, the extensions share nearly identical technical foundations, visual designs, publishing timelines, and backend infrastructure. This consistency indicates a deliberate campaign rather than isolated security oversights.

As AI-powered browser tools become more common, attackers are increasingly leveraging their popularity. Many malicious extensions imitate legitimate services by using professional branding and familiar descriptions to appear trustworthy. Because these tools are designed to interact deeply with web-based AI platforms, they often request extensive permissions, which exponentially increases the potential impact of abuse.

Unlike conventional malware, these extensions do not install harmful software on a user’s device. Instead, they take advantage of how browser-based authentication works. To operate as advertised, the extensions require access to active ChatGPT sessions and advanced browser privileges. Once installed, they inject hidden scripts into the ChatGPT website that quietly monitor network activity.

When a logged-in user interacts with ChatGPT, the platform sends background requests that include session tokens. These tokens serve as temporary proof that a user is authenticated. The malicious extensions intercept these requests, extract the tokens, and transmit them to external servers controlled by the attackers.

Possession of a valid session token allows attackers to impersonate users without needing passwords or multi-factor authentication. This can grant access to private chat histories and any external services connected to the account, potentially exposing sensitive personal or organizational information. Some extensions were also found to collect additional data, including usage patterns and internal access credentials generated by the extension itself.

Investigators also observed synchronized publishing behavior, shared update schedules, and common server infrastructure across the extensions, reinforcing concerns that they are part of a single, organized effort.

While the total number of installations remains relatively low, estimated at fewer than 1,000 downloads, security experts warn that early-stage campaigns can scale rapidly. As AI-related extensions continue to grow in popularity, similar threats are likely to emerge.

Experts advise users to carefully evaluate browser extensions before installation, pay close attention to permission requests, and remove tools that request broad access without clear justification. Staying cautious is increasingly important as browser-based attacks become more subtle and harder to detect.

Fake Tax Emails Used to Target Indian Users in New Malware Campaign



 

Phishing emails

Data Theft Income Tax Department India malware Phishing emails

Fake Tax Emails Used to Target Indian Users in New Malware Campaign

A newly identified cyberattack campaign is actively exploiting trust in India’s tax system to infect computers with advanced malware designed for long-term surveillance and data theft. The operation relies on carefully crafted phishing emails that impersonate official tax communications and has been assessed as potentially espionage-driven, though no specific hacking group has been confirmed.

The attack begins with emails that appear to originate from the Income Tax Department of India. These messages typically warn recipients about penalties, compliance issues, or document verification, creating urgency and fear. Victims are instructed to open an attached compressed file, believing it to be an official notice.

Once opened, the attachment initiates a hidden infection process. Although the archive contains several components, only one file is visible to the user. This file is disguised as a legitimate inspection or review document. When executed, it quietly loads a concealed malicious system file that operates without the user’s awareness.

This hidden component performs checks to ensure it is not being examined by security analysts and then connects to an external server to download additional malicious code. The next stage exploits a Windows system mechanism to gain administrative privileges without triggering standard security prompts, allowing the attackers deeper control over the system.

To further avoid detection, the malware alters how it identifies itself within the operating system, making it appear as a normal Windows process. This camouflage helps it blend into everyday system activity.

The attackers then deploy another installer that adapts its behavior based on the victim’s security setup. If a widely used antivirus program is detected, the malware does not shut it down. Instead, it simulates user actions, such as mouse movements, to quietly instruct the antivirus to ignore specific malicious files. This allows the attack to proceed while the security software remains active, reducing suspicion.

At the core of the operation is a modified banking-focused malware strain known for targeting organizations across multiple countries. Alongside it, attackers install a legitimate enterprise management tool originally designed for system administration. In this campaign, the software is misused to remotely control infected machines, monitor user behavior, and manage stolen data centrally.

Supporting files are also deployed to strengthen control. These include automated scripts that change folder permissions, adjust user access rights, clean traces of activity, and enable detailed logging. A coordinating program manages these functions to ensure the attackers maintain persistent access.

Researchers note that the campaign combines deception, privilege escalation, stealth execution, and abuse of trusted software, reflecting a high level of technical sophistication and clear intent to maintain prolonged visibility into compromised systems.

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure



 

State Sponsored Hacking

Critical Infrastructure Security DynoWiper ESET Research malware Polish Energy Sector Power Grid Cybersecurity Russia Linked Cyberattack Sandworm State Sponsored Hacking

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure

A cyber intrusion targeting the nation's energy infrastructure occurred in late 2025, which security experts have described as one of the largest cyberattacks the nation has faced in many years. It underscores the growing vulnerability of critical national systems in light of increasing geopolitical tensions, which are at odds with one another.

ESET, a cybersecurity company specializing in cyber security, has uncovered new data indicating that the operation was carried out by Sandworm, an advanced persistent threat group closely aligned with Russia that has been associated with disrupting energy and industrial networks for decades.

ESET researchers found that a deeper analysis of the malware used during the incident revealed operational patterns and code similarities that are consistent with Sandworm's past campaigns, indicating that the attack follows Sandworm's established playbook for damaging cyber activity.

According to the assailants, they were planning to use a malware strain named DynoWiper that was designed to permanently destroy files and cripple affected systems by irreversibly destroying them, a strategy which could have caused widespread disruptions across the Poland electricity industry if it had been successful.

At the time of publication, the Russian Embassy in Washington did not respond to requests for comment. According to cyber experts, Sandworm, which is also known as UAC-0113, APT44, or Seashell Blizzard in the cybersecurity community, has been active for more than a decade and is widely regarded as an act of state-sponsored hacking, most likely aimed at Russian military intelligence agencies.

The group's ties to Unit 74455 of the Main Intelligence Directorate (GRU) have been established by security researchers after repeated accusations that the organization has committed high-impact cyber-operations intended to disrupt and degrade critical infrastructure systems.

Throughout its history, Sandworm has been credited with some of the most significant cyber incidents against energy networks, most notably a devastating attack on the Ukraine's power grid nearly a decade ago, which used data-wiping malware and left around 230,000 people without power for a period of nearly 10 days.

It is important to note that this episode still remains a prototypical example of the group's capabilities and intentions, and it continues to shape the assessment of the group's role in more recent attempts to undermine energy systems beyond Ukraine's borders.

As detailed in a recent report issued by ESET, they believed that the operation bore the hallmarks of Sandworm, a threat actor widely linked to Russia's military and intelligence apparatus, evidenced by its involvement in the operation.

A data wiping malware, DynoWiper, dubbed DynoWiper, was identified by investigators and tracked as Win32/KillFiles.NMO, which had previously been undocumented, pointing the finger at the group. The wiper campaign was similar in both technical and operational aspects to earlier Sandworm wiper campaigns, especially those that were observed following Russian invasion of Ukraine in February of that year.

In a statement published by ESET on December 29, 2025, the company stated that the malware had been detected during an attempt to disrupt Poland's energy sector, but that there are no indications that the attackers succeeded in causing outages or permanently damage the energy sector.

In an email sent on December 29, the Polish authorities confirmed that there was activity observed in the area of two combined heat and power plants and a system used to manage the generation of electricity from renewable sources, such as the power of wind and sun.

In a public statement, the Prime Minister said that the attacks were directed by groups “directly linked to Russian services,” citing the government's plans to strengthen national defenses through additional safeguards and cybersecurity legislation that will require more stringent requirements on risk management, information technology and operational technology security, and preparedness for incidents. Tusk said this legislation is expected to be implemented very soon.

Moreover, the timing of the incident attracted the attention of analysts as it coincided with the tenth anniversary of Sandworm's historic attack on Ukraine's power grid in 2015. BlackEnergy and KillDisk malware were deployed during the attack, and the attack caused hours-long blackouts for thousands of people, something that was cited as a continuation of a pattern of disruption campaigns against critical infrastructure that has been occurring for years.

A company named ESET stated that the attempted intrusion coincided with Sandworm's tenth anniversary of the devastating attack on Ukraine's power grid in the year 2000, though it only provided limited technical information beyond the identification of the malware involved.

Researchers are pointing out that the use of a custom-built wiper, as well as the pattern of Russian cyber operations in which data-destroying malware has been a strategic tool, aligns with a broader pattern observed in cyber operations. The use of wipers in attacks linked to Moscow has increased significantly since 2022.

The use of AcidRain to disable roughly 270,000 satellite modems in Ukraine has been an effort to disrupt the communication of the country. A number of campaigns targeting universities, critical infrastructure, and the like have been attributed to Sandworm. This is also true in the case of the NotPetya outbreak in 2017, a destructive worm that in its early stage was targeted at Ukrainian targets, but quickly spread worldwide, causing an estimated $10 billion in damage and securing its place as one of the highest-profile case studies in the history of cybercrime.

There are no indications yet as to why DynoWiper had failed to trigger power outages in Poland; the investigation has left open the possibility that the operation may have been strategically calibrated to avoid escalation or that strong defenses within the country’s energy grid prevented it.

In the aftermath of the incident, governments and operators of critical infrastructure across Europe have been reminded once again that energy systems continue to be an attractive target among state-sanctioned cyber operations even when those attacks do not result in immediate disruptions.

It is noted that security analysts have noted the attempt to deploy DynoWiper in a strategic capacity reflects a continued reliance on destructive malware as a strategy tool, and emphasize the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both the information technology as well as operational technologies.

Although it appears that Polish officials are using the episode as a springboard in order to strengthen their defenses, experts point out that similar threats may not be bound by borders in the near future since geopolitical tensions are unlikely to ease at all.

Despite the fact that the failure of the attack may offer some reassurance for the time being, it also emphasizes a more significant reality: adversaries continue to search energy networks for weaknesses, and it will be crucial to be prepared and cooperative if we wish to avoid future disruptions, as well as to be able to detect and neutralize malware before it becomes a major problem.

Android Malware Uses Artificial Intelligence to Secretly Generate Ad Clicks



 

Trojan

AD fraud AI APK Files Clickjacking malware Trojan

Android Malware Uses Artificial Intelligence to Secretly Generate Ad Clicks

Security researchers have identified a new category of Android malware that uses artificial intelligence to carry out advertising fraud without the user’s knowledge. The malicious software belongs to a recently observed group of click-fraud trojans that rely on machine learning rather than traditional scripted techniques.

Instead of using hard-coded JavaScript instructions to interact with web pages, this malware analyzes advertisements visually. By examining what appears on the screen, it can decide where to tap, closely imitating normal user behavior. This approach allows the malware to function even when ads frequently change layout, include video content, or are embedded inside iframes, which often disrupt older click-fraud methods.

The threat actors behind the operation are using TensorFlow.js, an open-source machine learning library developed by Google. The framework allows trained AI models to run inside web browsers or server environments through JavaScript. In this case, the models are loaded remotely and used to process screenshots taken from an embedded browser.

Researchers from mobile security firm Dr.Web reported that the malware has been distributed through GetApps, Xiaomi’s official application store. The infected apps are mainly games. In several cases, the applications were initially uploaded without harmful functionality and later received malicious components through software updates.

Once active, the malware can run in what researchers describe as a “phantom” mode. In this mode, it opens a hidden browser based on Android’s WebView component. This browser loads a webpage containing advertisements and a JavaScript file designed to automate interactions. The browser operates on a virtual screen that is not visible to the device owner. Screenshots of this screen are repeatedly captured and sent to the AI model, which identifies relevant ad elements and triggers taps that appear legitimate.

A second operational mode, referred to as “signalling,” gives attackers direct control. Using WebRTC technology, the malware streams a live video feed of the hidden browser to the threat actor. This allows them to perform actions such as tapping, scrolling, or entering text in real time.

Dr.Web identified multiple infected games hosted on Xiaomi’s platform, including titles with tens of thousands of downloads. Beyond official app stores, the malware has also been found in modified versions of popular streaming applications distributed through third-party APK websites, Telegram channels, and a Discord server with a large subscriber base. Many of these apps function as expected, which reduces user suspicion.

Although this activity does not directly target personal data, it still affects users through increased battery drain, higher mobile data usage, and faster device wear. For cybercriminals, however, covert ad fraud remains a profitable operation.

Security experts advise Android users to avoid downloading apps from unofficial sources and to be cautious of altered versions of well-known apps that promise free access to paid features.

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors



 

VS Code malware

BeaverTail malware Contagious Interview campaign malicious GitHub repository malware North Korea Hackers VS Code malware

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors

North Korea–linked threat actors behind the long-running Contagious Interview campaign have been seen leveraging weaponized Microsoft Visual Studio Code (VS Code) projects to trick victims into installing a backdoor on their systems.

According to Jamf Threat Labs, this activity reflects a steady refinement of a technique that first came to light in December 2025. The attackers continue to adapt their methods to blend seamlessly into legitimate developer workflows.

"This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

Initially revealed by OpenSourceMalware last month, the attack relies on social engineering job seekers. Targets are instructed to clone a repository hosted on platforms such as GitHub, GitLab, or Bitbucket and open it in VS Code as part of an alleged hiring assessment.

Once opened, the malicious repository abuses VS Code task configuration files to run harmful payloads hosted on Vercel infrastructure, with execution tailored to the victim’s operating system. By configuring tasks with the "runOn: folderOpen" option, the malware automatically runs whenever the project or any file within it is opened in VS Code. This process ultimately results in the deployment of BeaverTail and InvisibleFerret.

Later versions of the campaign have introduced more complex, multi-stage droppers concealed within task configuration files. These droppers masquerade as benign spell-check dictionaries, serving as a fallback if the malware cannot retrieve its payload from the Vercel-hosted domain.

As with earlier iterations, the obfuscated JavaScript embedded in these files executes immediately when the project is opened in the integrated development environment (IDE). It connects to a remote server ("ip-regions-check.vercel[.]app") and runs any JavaScript code sent back. The final payload stage consists of yet another heavily obfuscated JavaScript component.

Jamf also identified a newly observed infection method that had not been documented previously. While the initial lure remains the same—cloning and opening a malicious Git repository in VS Code—the execution path changes once the repository is trusted.

"When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained. "If that trust is granted, the application automatically processes the repository's tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system."

"On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output."

The JavaScript payload, delivered from Vercel, contains the core backdoor logic. It establishes persistence, gathers basic system information, and maintains communication with a command-and-control server to enable remote code execution and system profiling.

In at least one observed incident, Jamf noted additional JavaScript being executed approximately eight minutes after the initial compromise. This secondary payload beacons to the server every five seconds, executes further JavaScript instructions, and can delete traces of its activity upon command. Researchers suspect the code may have been generated with the help of artificial intelligence (AI), based on the language and inline comments found in the source.

Actors linked to the Democratic People's Republic of Korea (DPRK) are known to aggressively target software developers, especially those working in cryptocurrency, blockchain, and fintech environments. These individuals often possess elevated access to financial systems, wallets, and proprietary infrastructure.

By compromising developer accounts and machines, attackers could gain access to sensitive source code, internal platforms, intellectual property, and digital assets. The frequent tactical changes observed in this campaign suggest an effort to improve success rates and further the regime’s cyber espionage and revenue-generation objectives.

The disclosure coincides with findings from Red Asgard, which investigated a malicious repository abusing VS Code tasks to install a full-featured backdoor known as Tsunami (also called TsunamiKit), along with the XMRig cryptocurrency miner. Separately, Security Alliance reported on a similar attack where a victim was contacted on LinkedIn by actors posing as the CTO of a project named Meta2140. The attackers shared a Notion[.]so page containing a technical test and a Bitbucket link hosting the malicious code.

Notably, the attack framework includes multiple fallback mechanisms. These include installing a rogue npm package called "grayavatar" or executing JavaScript that downloads an advanced Node.js controller. This controller runs five modules designed to log keystrokes, capture screenshots, scan the home directory for sensitive data, replace clipboard wallet addresses, steal browser credentials, and maintain persistent communication with a remote server.

The malware further establishes a parallel Python environment using a stager script that supports data exfiltration, cryptocurrency mining via XMRig, keylogging, and the installation of AnyDesk for remote access. The Node.js and Python components are tracked as BeaverTail and InvisibleFerret, respectively.

Collectively, these observations show that the state-sponsored group is testing several delivery mechanisms simultaneously to maximize the chances of successful compromise.

"While monitoring, we've seen the malware that is being delivered change very quickly over a short amount of time," Jaron Bradley, director of Jamf Threat Labs, told The Hacker News. It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted. It's difficult to know exactly how quickly attackers are changing their workflows, but this particular threat actor has a reputation for adapting quickly."

To reduce exposure, developers are urged to remain cautious when handling third-party repositories—particularly those shared during hiring exercises—carefully review source code before opening it in VS Code, and limit npm installations to trusted, well-vetted packages.

"This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows," Jamf said. "The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools."

StealC Malware Operators Exposed After XSS Bug Leaks Session and Hardware Data



 

XSS Vulnerability

CyberArk research dark web cybercrime info-stealer malware malware Malware-as-a-Service StealC malware XSS Vulnerability

StealC Malware Operators Exposed After XSS Bug Leaks Session and Hardware Data

A cross-site scripting (XSS) vulnerability in the web-based management panel used by StealC information-stealing malware operators enabled security researchers to monitor live activity and collect intelligence about the attackers’ systems.

First appearing in early 2023, StealC quickly gained traction on dark web forums due to aggressive promotion and its ability to evade detection while harvesting large volumes of sensitive data. Over time, the malware continued to evolve, with its developer rolling out several upgrades to expand functionality and appeal among cybercriminals.

A major update arrived in April last year with the launch of StealC version 2.0. This release introduced Telegram bot integration for real-time notifications, along with a revamped builder capable of creating customized malware samples based on templates and tailored data-exfiltration rules. Around the same period, the source code for StealC’s administrative panel was leaked, allowing researchers deeper insight into its internal workings.

CyberArk analysts later identified an XSS flaw within the panel that proved particularly revealing. By abusing this weakness, the team was able to gather browser and hardware fingerprints of StealC operators, monitor ongoing sessions, extract session cookies, and remotely take over active panel logins.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.

“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”

To avoid tipping off attackers and enabling a rapid fix, CyberArk chose not to publish technical specifics about the XSS issue.

The research also details a StealC user tracked as ‘YouTubeTA’, who reportedly took over dormant but legitimate YouTube channels—likely through stolen credentials—and used them to distribute malicious links. Throughout 2025, this actor conducted sustained malware campaigns, amassing more than 5,000 victim logs, roughly 390,000 passwords, and around 30 million cookies, the majority of which were non-sensitive.

Screenshots from the attacker’s control panel suggest that infections largely occurred when victims searched online for pirated versions of Adobe Photoshop and Adobe After Effects. Exploiting the XSS flaw further allowed researchers to profile the attacker’s setup, revealing the use of an Apple M3-based machine configured with English and Russian language settings, operating in an Eastern European time zone, and connecting from Ukraine.

The individual’s real location was exposed after they accessed the StealC panel without a VPN, revealing an IP address tied to Ukrainian internet provider TRK Cable TV.

CyberArk emphasized that while malware-as-a-service (MaaS) platforms allow threat actors to scale operations quickly, they also introduce significant risks by increasing the chances of operational exposure.

BleepingComputer reached out to CyberArk to understand the timing behind the disclosure. Researcher Ari Novick explained that the decision was driven by a recent surge in StealC activity, possibly linked to upheaval surrounding the Lumma malware ecosystem.

"By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market."

Researchers Exploit Flaw in StealC Malware Panel to Monitor Cybercriminals



 

StealC

Cybersecurity information stealer MaaS malware StealC

Researchers Exploit Flaw in StealC Malware Panel to Monitor Cybercriminals

Security researchers have identified a weakness in the web-based dashboard used by operators of the StealC information-stealing malware, allowing them to turn the malware infrastructure against its own users. The flaw made it possible to observe attacker activity and gather technical details about the systems being used by cybercriminals.

StealC first surfaced in early 2023 and was heavily promoted across underground cybercrime forums. It gained traction quickly because of its ability to bypass detection tools and extract a wide range of sensitive data from infected devices, including credentials and browser-stored information.

As adoption increased, the malware’s developer continued to expand its capabilities. By April 2024, a major update labeled version 2.0 introduced automated alerting through messaging services and a redesigned malware builder. This allowed customers to generate customized versions of StealC based on predefined templates and specific data theft requirements.

Around the same time, the source code for StealC’s administration panel was leaked online. This leak enabled researchers to study how the control system functioned and identify potential security gaps within the malware’s own ecosystem.

During this analysis, researchers discovered a cross-site scripting vulnerability within the panel. By exploiting this weakness, they were able to view live operator sessions, collect browser-level fingerprints, and extract session cookies. This access allowed them to remotely take control of active sessions from their own systems.

Using this method, the researchers gathered information such as approximate location indicators, device configurations, and hardware details of StealC users. In some cases, they were able to directly access the panel as if they were the attacker themselves.

To prevent rapid remediation by cybercriminals, the researchers chose not to publish technical specifics about the vulnerability.

The investigation also provided insight into how StealC was being actively deployed. One customer, tracked under an alias, had taken control of previously legitimate video-sharing accounts and used them to distribute malicious links. These campaigns remained active throughout 2025.

Data visible within the control panel showed that more than 5,000 victim systems were compromised during this period. The operation resulted in the theft of roughly 390,000 passwords and tens of millions of browser cookies, although most of the cookies did not contain sensitive information.

Panel screenshots further indicated that many infections occurred when users searched online for pirated versions of widely used creative software. This reinforces the continued risk associated with downloading cracked applications from untrusted sources.

The researchers were also able to identify technical details about the attacker’s setup. Evidence suggested the use of an Apple device powered by an M3 processor, with both English and Russian language configurations enabled, and activity aligned with an Eastern European time zone.

The attacker’s real network location was exposed when they accessed the panel without a privacy tool. This mistake revealed an IP address associated with a Ukrainian internet service provider.

Researchers noted that while malware-as-a-service platforms allow criminals to scale attacks efficiently, they also increase the likelihood of operational mistakes that can expose threat actors.

The decision to disclose the existence of the vulnerability was driven by a recent increase in StealC usage. By publicizing the risk, the researchers aim to disrupt ongoing operations and force attackers to reconsider relying on the malware, potentially weakening activity across the broader cybercrime market.

Transparent Tribe Targets Indian Public Sector and Academic Networks



 

Transparent Tribe

Advanced Persistent Threat APT36 Command And Control cyber espionage Indian Government Cyber Attacks malware Remote Access Trojan Spear Phishing Transparent Tribe

Transparent Tribe Targets Indian Public Sector and Academic Networks

Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe.

According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time.

In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.

APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio.

To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document.

Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks.

To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script.

It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved.

Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime.

Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data.

As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used. This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems.

In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception.

The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence.

When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position.

Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs.

Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected.

According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape. It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks.

There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack.

The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan.

In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods.

In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed.

By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs.

This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment.

Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage. Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine.

As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip." The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.

This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file.

It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive.

In addition to this, a multi-stage design can be observed in the archive as well. An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process.

As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application.

It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected.

Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible.

A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.

Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems.

It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach.

Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure.

A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025.

Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company.

By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval.

Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent.

According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves.

Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve. Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions.

It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques. This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.

StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets.

Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Iran-Linked Hackers Target Human Rights Groups in Redkitten Malware Campaign

eScan Antivirus Faces Scrutiny After Compromised Update Distribution

BadIIS Malware Used in Coordinated Attacks on Asian Web Servers

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks

Researchers Uncover Pakistan-Linked Cyber Activity Targeting India

Some ChatGPT Browser Extensions Are Putting User Accounts at Risk

Fake Tax Emails Used to Target Indian Users in New Malware Campaign

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure

Android Malware Uses Artificial Intelligence to Secretly Generate Ad Clicks

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors

StealC Malware Operators Exposed After XSS Bug Leaks Session and Hardware Data

Researchers Exploit Flaw in StealC Malware Panel to Monitor Cybercriminals

Transparent Tribe Targets Indian Public Sector and Academic Networks

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item