ruhr.social is one of many independent Mastodon servers you can use to take part in the Fediverse.
A Mastodon community around the Ruhr area and the people who live there. This instance is moderated and technically maintained by volunteer enthusiasts.

#malware

69 posts · 41 participants · 6 posts today

KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

Pulse ID: 6801707ed48a87a19adaf031
Pulse Link: otx.alienvault.com/pulse/68017
Pulse Author: AlienVault
Created: 2025-04-17 21:19:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#CDN #CyberSecurity #InfoSec

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.

Pulse ID: 6802094e89f266c72f83bda4
Pulse Link: otx.alienvault.com/pulse/68020
Pulse Author: AlienVault
Created: 2025-04-18 08:11:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Continued thread

2/ ...and it just so happens that #PaloAlto released a long investigation into a newer and less well known North Korean crypto operation called "Slow Pisces" and/or "Jade Sleet" at the same time.

This time the #DPRK's crypto thieves pose as recruiters on LinkedIn and try to lure developers into doing various coding challenges hosted on #GitHub as part of a job interview. Doing a challenge leads to infection with custom Python #malware.

unit42.paloaltonetworks.com/sl

Unit 42 · Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware, by Prashil Pattni

Windows Systems being Targeted by LummaStealer Malware

LummaStealer is an experienced information-stealing malware. Shared as Malware-as-a-Service (MaaS), it has evolved with new evasion techniques that abuse legitimate Windows utilities.

Pulse ID: 6801a0b625d602fd6b63829e
Pulse Link: otx.alienvault.com/pulse/6801a
Pulse Author: cryptocti
Created: 2025-04-18 00:45:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MaaS

Downloader Malware Written in JPHP Interpreter

A newly discovered malware utilizes JPHP, a PHP interpreter running on Java Virtual Machine, to create a downloader. The malware is distributed in a ZIP file containing Java Runtime Environment and libraries, enabling execution without a separate Java environment. It communicates with a C2 server, disables Windows Defender's behavior monitoring, and uses Telegram for additional C2 connections. The malware can download and execute additional payloads, potentially including data breach-type malware like Strrat and Danabot. This case highlights how threat actors exploit lesser-known technologies like JPHP for malware distribution, emphasizing the importance of scrutinizing executable files and scripts from various sources.

Pulse ID: 68012d9425b7ccf942f5f065
Pulse Link: otx.alienvault.com/pulse/68012
Pulse Author: AlienVault
Created: 2025-04-17 16:34:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Malicious HWP Document Disguised as Reunification Education Support Application

A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. The document, when opened, creates multiple files in the TEMP folder, including a malicious BAT file. This BAT file executes various actions to ensure persistent malware operation, including registering task schedulers and executing additional malicious files. The malware ultimately accesses an external URL to download and execute additional files, allowing threat actors to execute various commands. This incident is part of a recent trend of malware distribution using HWP documents, with attacks now targeting the general public rather than specific users. Users are advised to be cautious and keep their security software updated.

Pulse ID: 68012d954e39a06027b615d2
Pulse Link: otx.alienvault.com/pulse/68012
Pulse Author: AlienVault
Created: 2025-04-17 16:34:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution paths, including .NET and AutoIt compiled executables, to evade detection and complicate analysis. The final payload is typically an Agent Tesla variant, a well-known infostealer. This approach demonstrates how attackers are increasingly relying on complex delivery mechanisms to bypass traditional sandboxes and ensure successful payload execution. Despite the multi-layered approach, Advanced WildFire effectively detects each stage, providing better protection for customers.

Pulse ID: 680034fcd109b8fdaf831f36
Pulse Link: otx.alienvault.com/pulse/68003
Pulse Author: AlienVault
Created: 2025-04-16 22:53:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Unmasking the new XorDDoS controller and infrastructure

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

Pulse ID: 6800fccf8db6537ac15e75fb
Pulse Link: otx.alienvault.com/pulse/6800f
Pulse Author: AlienVault
Created: 2025-04-17 13:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #DDoS

New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modules for command execution. A lightweight version dubbed MysteryMonoSnail was also observed. The infection chain involves a malicious MMC script, an intermediary backdoor, and the main MysterySnail RAT payload. The attackers use public file storage and the piping-server project for command and control. This case highlights the importance of maintaining vigilance against seemingly obsolete malware families, as they may continue operating undetected for extended periods.

Pulse ID: 6800fcd0995e011520970651
Pulse Link: otx.alienvault.com/pulse/6800f
Pulse Author: AlienVault
Created: 2025-04-17 13:06:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Outlook users really have to be veeery patient.

In my opinion one of the worst #EMail clients (but unfortunately the best #Groupware client), and then the constant #Cloud coercion, the siphoning off of passwords by #Microsoft (iOS/Android/new #Outlook), practically optimised as a gateway for #Phishing and #Malware, and then little things like this:

Bug in Microsoft Outlook can massively slow down the system
derstandard.at/story/300000026

Folks, I seriously wonder why people aren't switching in droves to at least #Thunderbird, where you get rid of almost all of Outlook's disadvantages in one go. Even when using it via #Exchange.

DER STANDARD · Bug in Microsoft Outlook can massively slow down the system: Under certain circumstances the e-mail client can claim half of the CPU resources; for now the only remedy is a workaround

Came across a new report from Unit 42 on Slow Pisces, a North Korean state actor targeting crypto with some solid tradecraft.

They’re posing as recruiters on LinkedIn, baiting devs with coding challenges that drop custom Python malware (RN Loader, RN Stealer). Payloads get delivered through GitHub repos using escape tricks to stay quiet.

Over a billion stolen in 2023 alone. The opsec and targeting precision make this worth paying attention to, especially if you're in or adjacent to crypto.

Unit42 report: unit42.paloaltonetworks.com/sl

#APT #ThreatIntel #Cyber

Although the use of malware-infected applications to steal financial information is nothing new, the latest findings from the Russian antivirus company Doctor Web point to a significant escalation, as attackers are directly targeting the supply chain of several Chinese manufacturers to load malicious applications onto brand-new devices.
thehackernews.com/2025/04/chin
#Ciberseguridad #Seguridad #Privacidad #Aplicaciones #Malware

cannot believe it is occurring to people that #DOGE IS NOT ABOUT EFFICIENCY BUT #SURVEILLANCE. just like #creditCards #Paypal #Uber #Tesla #Doordash #Amazon #Netflix #GMail #Instagram and every fin/techbro business.

the apartheid clown’s #malware is a ruse to give techbros the power to spy on all Americans.

these are the consequences of your silence while many of your friends & relations vilified us for saying, DEFUND THE POLICE. we didn’t just mean PDs. we meant the whole police state.

UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell

Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.

Pulse ID: 67ffc3f9b45a8daa24fcb4fe
Pulse Link: otx.alienvault.com/pulse/67ffc
Pulse Author: AlienVault
Created: 2025-04-16 14:51:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #CyberSecurity

Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access, persistence, defense evasion, data collection, and payload delivery. The malware gathers system information, sets up scheduled tasks, and uses PowerShell for various malicious activities. Another emerging technique involves inline JavaScript execution through Node.js. Recommendations include educating users, monitoring Node.js execution, enforcing PowerShell logging, and implementing endpoint protection.

Pulse ID: 67fec5ac1e94a608250d9aa2
Pulse Link: otx.alienvault.com/pulse/67fec
Pulse Author: AlienVault
Created: 2025-04-15 20:46:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
