🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint - Microsoft 🔍 Show Kagi Synopsis
  A sophisticated, multi-stage phishing campaign is **abusing SharePoint** to conduct Business Email Compromise (BEC) attacks, primarily targeting organizations within the **energy sector** 【1】. This campaign leverages a technique known as **Adversary-in-the-Middle (AiTM)** phishing, which poses significant security risks by bypassing multi-factor authentication (MFA) 【1】.
  
  **What Happened:**
  The campaign begins with initial access, often gained through the compromise of a trusted vendor. Attackers then guide victims through a series of malicious steps. This includes clicking on malicious URLs, which leads to an AiTM phishing page designed to steal session cookies. Once a session cookie is compromised, the attacker can gain access to the victim's account without needing their password or MFA. The attackers then establish persistence by manipulating inbox rules to hide malicious communications and forward sensitive information. This allows them to conduct large-scale phishing operations and ultimately execute BEC attacks, leading to account compromises 【1】.
  
  **Who is Affected:**
  The primary targets identified are **organizations within the energy sector** that utilize Microsoft services 【1】.
  
  **Security Implications:**
  The use of AiTM phishing is particularly concerning because it can **circumvent traditional MFA protections** by stealing active session cookies 【1】. The manipulation of inbox rules allows attackers to maintain a persistent presence within compromised accounts, making their activities harder to detect 【1】. This campaign highlights the risk of account compromise and the potential for significant financial and data loss through BEC tactics 【1】.
  
  **Technical Details:**
  The campaign is described as having multiple stages (Stages 1-7) 【1】. Key technical elements include:
  - **Abuse of SharePoint and OneDrive:** These services are used to host malicious links and facilitate the campaign's progression 【1】.
  - **Session Cookie Theft:** AiTM phishing pages are employed to steal user session cookies, granting attackers unauthorized access 【1】.
  - **Inbox Rule Manipulation:** Attackers create rules to automatically delete or mark incoming emails as read, thereby hiding their malicious activities from the victim 【1】.
  - **Detection Signals:** Microsoft Defender XDR, Defender for Cloud Apps, Entra ID Protection, and Office 365 provide various alerts and indicators of compromise (IoCs) that can help detect this campaign 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of and actively monitor for several indicators:
  - **Suspicious Inbox Rules:** Look for newly created or modified inbox rules that might be hiding or redirecting emails 【1】.
  - **Unauthorized Session Cookies:** Monitor for unusual or unauthorized session cookies associated with user accounts 【1】.
  - **Unusual Sign-ins:** Investigate any anomalous sign-in activities, especially those that bypass MFA 【1】.
  - **Compromised Identities:** Be vigilant about detecting compromised user identities 【1】.
  - **Recommended Actions:** Implement **Conditional Access policies** with risk-based policies, enable **Continuous Access Evaluation**, promote **passwordless sign-in methods**, and deploy **network protection** and **mobile threat defense** solutions 【1】. Utilizing **Defender for Office 365** and **Microsoft Sentinel** with relevant hunting queries and templates is also crucial 【1】.
  - **User Education:** Educate users on secure file sharing practices and phishing awareness to mitigate the risk of initial compromise 【1】.
• TopazTerminator: Just another EDR killer - ThanniKudam 🔍 Show Kagi Synopsis
  The TopazTerminator project exploits a vulnerability in the `wsftprm.sys` kernel driver, also known as Topaz Antifraud, to terminate protected processes on Windows systems. This driver is not currently listed on Microsoft's official Vulnerable Driver Blocklist as of January 2026.
  
  **What Happened:**
  The TopazTerminator exploit targets the `wsftprm.sys` driver, which is designed to provide anti-fraud functionalities. By leveraging a vulnerability within this driver, an attacker can bypass security measures and terminate protected processes.
  
  **Who is Affected:**
  **Windows systems** are affected by this vulnerability. Specifically, the exploit has been tested on **Windows Version 25H2**. The primary targets for termination are **security software**, including antivirus and Endpoint Detection and Response (EDR) services, as well as processes protected by **PPL (Protected Process Light)**.
  
  **Security Implications:**
  The security implications are significant:
  - **Evasion of Detection:** By terminating security software, attackers can operate undetected on a compromised system.
  - **Privilege Escalation:** The ability to terminate protected processes can be a stepping stone for further malicious activities, potentially leading to privilege escalation.
  - **Bypassing Kernel-Level Protection:** The exploit targets a kernel driver, allowing it to circumvent standard user-mode security controls.
  
  **Technical Details:**
  The `wsftprm.sys` driver employs a non-standard IOCTL dispatch mechanism. It uses a chain of subtractions from the IOCTL code to obscure the intended values. The main dispatch function checks for specific conditions: `v11 == 4` and `InputBufferLength == 1036`. If these conditions are met, it proceeds to call a function that utilizes `ZwOpenProcess` and `ZwTerminateProcess` to terminate the target process. Through reverse engineering the subtraction logic, the specific IOCTL code `0x22201C` was identified. When this IOCTL is used with `DeviceIoControl` and a 1036-byte input buffer containing the Process ID (PID) of the target process, it can successfully terminate protected processes, including those with PPL protection. The SHA-256 hash of the vulnerable driver is `FF5DBDCF6D7AE5D97B6F3EF412DF0B977BA4A844C45B30CA78C0EEB2653D69A8`. 【1】
  
  **What Defenders Should Know:**
  Defenders need to be aware of the **`wsftprm.sys` driver** and its associated SHA-256 hash. Key actions include:
  - **Monitoring Driver Loading:** Implement mechanisms to detect the loading of this specific driver.
  - **Custom Blocklists:** Ensure that `wsftprm.sys` is added to any custom blocklists or driver signature enforcement policies.
  - **Vulnerability Management:** Stay updated on Microsoft's official Vulnerable Driver Blocklist and consider proactive measures for drivers not yet listed but known to be vulnerable.
  - **Kernel-Level Monitoring:** Enhance monitoring capabilities at the kernel level to detect suspicious driver activities and process termination attempts. 【1】
• Malicious-PixelCode: Malicious PixelCode is a security research project that demonstrates a covert technique for encoding executable files into pixel data and storing them inside images etc with ldr - S3N4T0R-0X0 🔍 Show Kagi Synopsis
  The "Malicious PixelCode" project demonstrates a novel cybersecurity technique where executable files are covertly encoded into pixel data within images or videos, allowing a lightweight loader to reconstruct and execute the binary in memory. 【1】
  
  **What Happened:**
  The research showcases a method to transform executable files into visual data, specifically MP4 videos, by embedding their binary bytes as pixel values. This encoded media is then uploaded to platforms like YouTube. A custom loader, containing the media's URL and a decoding stager, downloads the media, reconstructs the original binary, and executes it in memory. 【1】
  
  **Who is Affected:**
  This technique primarily affects users or systems that might unknowingly download or interact with media files containing hidden malicious payloads. Malicious actors could exploit this to disguise malware as harmless multimedia content, potentially impacting any system that downloads and executes files retrieved through such methods. 【1】
  
  **Security Implications:**
  The technique poses significant security risks by enabling malicious actors to bypass traditional security filters and disguise their payloads as benign multimedia content. This creates new attack vectors and challenges existing detection mechanisms, as malware can be hidden within commonly shared and trusted file types. It highlights the potential for covert data exfiltration or execution through unconventional channels. 【1】
  
  **Technical Details:**
  * **Encoding:** Binary data, such as a compiled C++ reverse shell payload, is converted into a visual MP4 representation using a Python tool. The binary bytes are embedded as pixel values across video frames. 【1】
  * **Delivery:** The generated "Pixel Code" MP4 is uploaded to platforms like YouTube. 【1】
  * **Loader:** A custom C++ loader is developed, which embeds the YouTube URL of the Pixel Code video. 【1】
  * **Stager:** A Python stager, compiled into an EXE and Base64 encoded, is embedded within the C++ loader. This is used because C++ may lack multimedia libraries for decoding. 【1】
  * **Execution:** Upon execution, the loader downloads the Pixel Code MP4 from YouTube. The embedded Python stager then reconstructs the original payload from the video frames in memory, and this reconstructed payload is executed. 【1】
  
  **What Defenders Should Know:**
  Defenders need to be aware of the potential for executable code to be hidden within multimedia files. This technique emphasizes the necessity for advanced content inspection that goes beyond file type and signature-based detection. Key defensive strategies include monitoring for unusual network traffic patterns, analyzing the behavior of downloaded media files, and understanding the full lifecycle of data delivery and execution. The project also underscores the importance of secure coding practices for loaders and decoders, and the need for robust defenses against sophisticated obfuscation and covert channel techniques. 【1】
• The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time - Unit 42, Palo Alto Networks 🔍 Show Kagi Synopsis
  A new cybersecurity threat has emerged where attackers use **Large Language Models (LLMs)** to generate malicious JavaScript in real-time within a user's browser. This technique allows for the creation of highly evasive and personalized phishing attacks.
  
  **What Happened:**
  Attackers embed code on a webpage that makes client-side API calls to LLM services. By using specially crafted prompts, they trick the LLM into generating malicious JavaScript. This code is then assembled and executed at runtime in the victim's browser, turning the webpage into a phishing site. The malicious code is polymorphic, meaning it changes with each visit, and is delivered from trusted LLM domains, making it difficult to detect through traditional network security measures.
  
  **Who is Affected:**
  **Users who visit compromised webpages** are affected by this attack. The generated malicious JavaScript can be tailored to individual victims, making the phishing attempts more effective.
  
  **Security Implications:**
  The security implications are substantial:
  - **Bypasses Network Security:** The use of trusted LLM domains and runtime execution circumvents traditional network-based security controls.
  - **Increased Malicious Script Diversity:** LLMs can generate a wide variety of malicious scripts, making it harder to rely on signature-based detection.
  - **Complicated Detection:** The runtime assembly and polymorphic nature of the code make static analysis and traditional detection methods less effective.
  
  **Technical Details:**
  The attack involves:
  - **Client-side API Calls:** The compromised webpage initiates API calls to LLM services.
  - **Prompt Engineering:** Attackers use specific prompts to manipulate the LLM into producing malicious JavaScript, bypassing safety guardrails.
  - **Real-time Code Generation:** The LLM generates JavaScript code on the fly.
  - **Runtime Assembly and Execution:** The generated JavaScript is assembled and executed within the user's browser during their visit.
  - **Polymorphic Nature:** The malicious code changes with each interaction, evading detection.
  
  **What Defenders Should Know:**
  Defenders need to shift their focus to **runtime behavioral analysis** within the browser to detect malicious activity at the point of execution. Key recommendations include:
  - **Implementing Runtime Monitoring:** Employing tools that can analyze code behavior as it runs in the browser.
  - **Restricting Unsanctioned LLM Use:** Establishing policies to control the use of LLM services within the organization.
  - **Advocating for LLM Safety:** Pushing for stronger safety mechanisms and guardrails within LLM services themselves.
  - **Leveraging Advanced Security Products:** Utilizing solutions like Palo Alto Networks' Advanced URL Filtering and Prisma Browser with Advanced Web Protection, which incorporate runtime behavioral analysis.
• Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface - The content posted on the page is controlled by **Andrew Northern**, a Principal Security Researcher at **Censys**. 🔍 Show Kagi Synopsis
  The article "Living Off the Web: How Trust Infrastructure Became a Malware Delivery Interface" by Censys details a sophisticated shift in malware delivery tactics where attackers are exploiting trusted web interfaces, such as "Fake Captcha" verification pages, to distribute malicious software. This method, termed "Living Off the Web," relies on the inherent trust users place in common web interactions rather than mimicking specific brands.
  
  **What Happened:**
  Attackers are using visually similar "Fake Captcha" lures, often designed to resemble legitimate services like Cloudflare, to trick users into downloading malware. While these lures may look alike, they are not necessarily part of a single coordinated campaign. Instead, a dominant visual interface (Cluster 0) acts as a standardized layer supporting various malware delivery models. These models include traditional clipboard execution (using VBScript or PowerShell), installer-based delivery (MSIEXEC), and advanced server-driven, fileless methods like Matrix Push C2, which leverage browser notification permissions.
  
  **Who is Affected:**
  **End-users** are directly impacted as they are deceived into performing actions that lead to malware infections. **Organizations** whose websites are compromised to host these deceptive lures are also indirectly affected.
  
  **Security Implications:**
  The primary security implication is that **visual similarity and user interaction are no longer reliable indicators for attribution or scoping** of threats. The decoupling of the interface from the execution method means that traditional detection methods focused on specific payloads, scripts, or infrastructure may fail to identify these threats. Attackers are essentially "inheriting trust" by operating within familiar, platform-sanctioned workflows, making the threat less dependent on brand imitation and more on universal web security conventions.
  
  **Technical Details:**
  * **Fake Captcha Ecosystem:** Analysis using perceptual hashing (pHash) on screenshots revealed a dominant visual cluster resembling Cloudflare verification challenges.
  * **Execution Diversity:** Despite visual uniformity, this dominant cluster supports at least 32 distinct payload variants across incompatible execution models: clipboard-driven (VBScript, PowerShell), installer-based (MSIEXEC), and server-driven push-based C2 (Matrix Push).
  * **Matrix Push C2:** This advanced model uses the Fake Captcha lure to request browser notification permissions, which are then used to push content later. It represents a fileless, deferred delivery mechanism.
  * **Infrastructure Silos:** Different execution techniques utilize distinct, largely non-overlapping infrastructure, suggesting specialized delivery pipelines rather than centralized control.
  
  **What Defenders Should Know:**
  * **Clipboard-focused detection is insufficient:** Many threats do not rely on clipboard abuse, so the absence of a clipboard payload does not guarantee safety.
  * **Payload-centric analysis is inadequate:** Fileless and push-based delivery methods do not present discrete payloads at the time of interaction, rendering artifact-first detection pipelines ineffective.
  * **Rethink the unit of analysis:** Visual similarity should not be equated with a single campaign or shared ownership. Activity should be clustered based on execution and infrastructure, not solely on appearance.
  * **Key signals to monitor:** Defenders should look for verification/security interfaces in unexpected contexts, notification requests following security lures, repeated "human verification" flows linked to unrelated infrastructure, and correlations between lures and downstream network behavior.
  * **Adopt a layered strategy:** Proactively block threats using threat intelligence and implement user education. Visibility gaps are structural, so detection must encompass the entire workflow, including notification permission prompts and push subscription events. 【1】
• NSA Releases First in Series of Zero Trust Implementation Guidelines - National Security Agency 🔍 Show Kagi Synopsis
  The National Security Agency (NSA) has released the first two Zero Trust Implementation Guidelines (ZIGs) as part of a series aimed at helping organizations implement Zero Trust (ZT) cybersecurity principles.
  
  **What Happened:**
  The NSA has published two foundational documents: the "Zero Trust Implementation Guideline Primer" and the "Zero Trust Implementation Guideline Discovery Phase." These guidelines offer practical advice for achieving Zero Trust capabilities, aligning with the Department of War (DoW) CIO ZT Framework. The Primer outlines the strategy and principles of the ZIGs, highlighting their adaptable, modular design. The Discovery Phase guide focuses on establishing a clear understanding of an organization's current architecture, including data, applications, assets, services, and access activities, to inform future Zero Trust planning and prioritization.
  
  **Who is Affected:**
  These guidelines are intended for **system owners, cybersecurity professionals, and other stakeholders** who are involved in the process of implementing Zero Trust within their organizations.
  
  **Security Implications:**
  The primary security implication is the **advancement and practical implementation of Zero Trust cybersecurity strategies**. By providing actionable guidance, the NSA aims to help organizations strengthen their security posture against evolving threats.
  
  **Technical Details:**
  The Discovery Phase guideline specifically focuses on gaining foundational visibility into an organization's environment. This includes understanding:
  - **Critical data**
  - **Applications**
  - **Assets**
  - **Services**
  - **Access and authorization activity**
  
  This foundational knowledge is crucial for informed planning and prioritization of Zero Trust initiatives. The guidelines are designed to be modular, allowing organizations to engage with them at their current stage of Zero Trust maturity.
  
  **What Defenders Should Know:**
  Defenders should be aware that these initial guidelines are **foundational and modular**. They are designed to help build essential visibility into an organization's systems and to lay the groundwork for implementing more advanced Zero Trust capabilities in subsequent phases.
• MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users - Daylight MDR Team 🔍 Show Kagi Synopsis
  A cybersecurity campaign is actively targeting macOS and Windows users through a combination of **SEO poisoning and fake GitHub repositories** 【1】.
  
  **What Happened:**
  Threat actors are manipulating search engine results to direct users to fraudulent GitHub repositories that mimic legitimate software, such as PagerDuty 【1】. These fake repositories contain misleading README files with links to external websites. Victims are then tricked by a social engineering tactic called "ClickFix" into executing a malicious command within their macOS Terminal 【1】. This command, disguised as a harmless instruction, downloads and runs a multi-stage payload, ultimately leading to the execution of the **MacSync information stealer** 【1】.
  
  **Who is Affected:**
  **macOS and Windows users** are the primary targets of this campaign 【1】. The attackers are specifically targeting both niche software and cross-platform applications to broaden their reach 【1】.
  
  **Security Implications:**
  The MacSync stealer is designed to **aggressively harvest sensitive information** 【1】. This includes credentials from web browsers, the macOS Keychain, password managers, cloud and development configuration files, and cryptocurrency wallets 【1】. Additionally, it collects detailed system information 【1】. The campaign employs evasion tactics, such as using "Readme-Only" repositories and distributed identities, to maintain its malicious infrastructure 【1】.
  
  **Technical Details:**
  The campaign leverages **SEO poisoning** to drive traffic to fake GitHub repositories 【1】. These repositories feature deceptive README files that link to external sites 【1】. A social engineering tactic known as "ClickFix" prompts users to execute a command in their macOS Terminal 【1】. This command downloads and executes a multi-stage payload, culminating in the **MacSync information stealer** 【1】. The stealer is known for its ability to exfiltrate a wide range of sensitive data 【1】.
  
  **What Defenders Should Know:**
  Defenders should **monitor endpoints for suspicious AppleScript and terminal commands** 【1】. It is crucial to deploy **Endpoint Detection and Response (EDR) solutions** and to **block identified Indicators of Compromise (IOCs)** to prevent communication with the malicious infrastructure 【1】.
• Don't Judge a PNG by Its Header: PURELOGS Infostealer Analysis - Swiss Post Cybersecurity 🔍 Show Kagi Synopsis
  A recent cybersecurity analysis by Swiss Post Cybersecurity has uncovered a sophisticated campaign involving the **PURELOGS infostealer**, which employs a multi-stage evasion technique to deliver its malicious payload. The campaign cleverly hides its final payload within a PNG image file, making it difficult for traditional security measures to detect.
  
  **What Happened:**
  The attack chain begins with a phishing email that appears to be a pharmaceutical invoice, containing a ZIP archive with a JavaScript file (.js). This JScript file, executed with high privileges, initiates a fileless attack by creating a PowerShell command with a Base64-encoded payload. This payload then downloads a PNG image from archive.org. Crucially, the PNG file contains an embedded Base64-encoded payload after its standard image data. A PowerShell script extracts this payload, decodes it, and loads it into memory. This .NET assembly, identified as "VMDetectLoader," performs environment checks (terminating if a virtual machine is detected) and then injects the next stage into a legitimate process, `CasPol.exe`, using a technique called "process hollowing" (RunPE). The final stage is a .NET unpacker that decrypts, decompresses, and executes the PURELOGS infostealer entirely in memory. 【1】
  
  **Who is Affected:**
  This campaign is described as a "spray-and-pray" operation, meaning it casts a wide net rather than targeting specific industries or high-value entities. The primary targets appear to be **home users, small businesses, and freelancers** who may be using consumer-grade antivirus and Windows Defender. However, the implications extend to organizations, as **corporate employees working from home, contractors on personal devices, and partners in the supply chain** can become entry points. Compromised credentials from these individuals can then be used to access corporate networks, VPNs, and cloud services. 【1】
  
  **Security Implications:**
  The PURELOGS infostealer is designed to steal a wide variety of sensitive information. Its capabilities include:
  - **Credential Theft:** It targets browsers built on the Chromium engine (Chrome, Edge, Opera) to extract login credentials, session cookies, autofill information, browsing history, and credit card details. 【1】
  - **Cryptocurrency Theft:** It targets both traditional desktop cryptocurrency wallets (e.g., Bitcoin Core, Electrum, Exodus) and browser-based Web3 wallets (e.g., MetaMask, Phantom, Trust Wallet), exfiltrating wallet files and potentially private keys and seed phrases. 【1】
  - **Other Data:** It also targets other applications and services such as Firefox, Outlook, Telegram, Steam, and more. 【1】
  
  The multi-stage, fileless delivery mechanism, use of legitimate infrastructure (archive.org), and process injection techniques allow PURELOGS to evade traditional signature-based detection and basic antivirus solutions. 【1】
  
  **Technical Details:**
  - **Initial Access:** Phishing email with a JScript dropper disguised as an invoice. 【1】
  - **First Stage Downloader:** PowerShell script fetching a specially crafted PNG from archive.org. 【1】
  - **Payload Embedding:** Base64-encoded payload embedded after the IEND chunk of the PNG, between custom markers. 【1】
  - **Fileless Execution:** Payloads are decoded and executed in memory using PowerShell and .NET Reflection, avoiding disk writes. 【1】
  - **VM Detection:** The VMDetectLoader stage includes sandbox evasion by terminating if it detects a virtualized environment. 【1】
  - **Process Injection:** The VMDetectLoader injects the next stage into `CasPol.exe` using RunPE (process hollowing). 【1】
  - **Secondary Unpacker:** A .NET unpacker obfuscated with .NET Reactor, using a pipeline of event-driven stages for decryption (legacy 3DES), decompression (GZip), and assembly loading via Reflection. 【1】
  - **PURELOGS Stealer:** The final payload, obfuscated with ConfuserEx, .NET Reactor, and custom virtualization. It decrypts its configuration (Protobuf, XOR, 3DES) and executes modules to harvest data. 【1】
  - **Data Exfiltration:** Stolen data is packaged and sent to a C2 server, with outgoing data encrypted using 3DES. 【1】
  
  **What Defenders Should Know:**
  - **Evasion Techniques:** Be aware of sophisticated evasion tactics such as fileless execution, legitimate website abuse (archive.org), process injection, and the use of legacy cryptography (3DES) to bypass security controls. 【1】
  - **Behavioral Analysis:** While PURELOGS aims for stealth, its memory-based execution, process hollowing, and reflection abuse leave behavioral traces that can be detected through robust endpoint monitoring and behavioral analysis. 【1】
  - **Visibility and Monitoring:** Organizations need visibility into endpoint activity and effective monitoring systems to detect anomalies like process hollowing and memory-based execution. 【1】
  - **Supply Chain Risk:** Recognize that attacks on individuals (employees, contractors, partners) can quickly escalate into enterprise security incidents due to compromised credentials. 【1】
  - **Commodity Malware Evolution:** Understand that even low-cost, commodity malware like PURELOGS (available for as little as $150/month) is becoming increasingly sophisticated and poses a significant threat due to its scalability and accessibility to a wide range of threat actors. 【1】
• PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion - Resecurity 🔍 Show Kagi Synopsis
  PDFSIDER is a sophisticated malware variant that employs **DLL side-loading** to evade detection by antivirus (AV) and endpoint detection and response (EDR) systems. It functions as a backdoor with encrypted command-and-control (C2) capabilities, exhibiting characteristics of **Advanced Persistent Threats (APTs)**.
  
  **What Happened:**
  The malware is delivered via spear-phishing emails containing a ZIP archive with a legitimate executable, such as 'PDF24 App.' When the victim runs this executable, it loads a malicious DLL disguised as `cryptbase.dll` instead of the legitimate system file. This allows the malware to gain execution and establish a covert, encrypted communication channel with its C2 server.
  
  **Who is Affected:**
  While the article mentions a specific instance where a **Fortune 100 corporation** was targeted, PDFSIDER is actively being used by **ransomware actors** as a payload delivery method. Its APT-like characteristics suggest it could be used in targeted attacks against various organizations.
  
  **Security Implications:**
  The primary security implication is the malware's ability to **bypass AV and EDR defenses** through DLL side-loading. This allows attackers to maintain a stealthy presence, gather system intelligence, and execute remote commands covertly. The use of strong encryption (AES-256-GCM) for C2 communications further enhances its stealth and makes it difficult to monitor or intercept. The malware also incorporates anti-VM and anti-debugger techniques to avoid analysis.
  
  **Technical Details:**
  - **Delivery:** Spear-phishing emails with ZIP archives containing legitimate executables.
  - **Evasion Technique:** DLL side-loading, where a malicious `cryptbase.dll` is loaded by a legitimate application (e.g., PDF24.exe).
  - **Encryption:** Utilizes the Botan 3.0.0 cryptographic library with AES-256-GCM for authenticated encryption of C2 communications. Data is decrypted and authenticated in memory, never written to disk.
  - **Functionality:** Initializes Winsock, gathers system information (username, computer name, PID), and provides an interactive, hidden command shell.
  - **Anti-Analysis:** Implements anti-VM and anti-debugger checks to prevent detection in analysis environments.
  - **C2 Communication:** Uses a custom Winsock C2 with AES-GCM encryption, exfiltrating command output over an encrypted channel. A C2 IP address identified is 45.76.9.248.
  
  **What Defenders Should Know:**
  Defenders should be aware of the DLL side-loading technique, particularly how legitimate applications can be exploited to load malicious DLLs. Monitoring for suspicious DLLs named `cryptbase.dll` or other system DLLs in unexpected locations, especially alongside legitimate executables, is crucial. Implementing robust endpoint security solutions that can detect process injection and anomalous DLL loading behavior is recommended. Additionally, understanding the indicators of compromise (IOCs) such as specific file hashes and C2 IP addresses can aid in detection and incident response. The use of strong encryption in C2 communications highlights the need for network traffic analysis that can identify unusual patterns or protocols, even if encrypted.
• To the past and beyond: Andariel’s latest arsenal and cyberattacks - WithSecure™ Labs controls the content posted on the page. 🔍 Show Kagi Synopsis
  The cybersecurity article details a breach attributed to the **Andariel group**, a state-sponsored cyberespionage group linked to North Korea's Reconnaissance General Bureau (RGB) 3rd bureau.
  
  **What Happened:**
  WithSecure proactively identified a breach affecting a European customer in the public/legal sector. This investigation also uncovered a separate attack by Andariel against an Enterprise Resource Planning (ERP) software in the Republic of Korea (ROK) in 2025. The ERP software had been a previous target of Andariel in 2017 and likely again in 2024.
  
  **Who is Affected:**
  The primary victim identified was a **European customer in the public/legal sector**. Additionally, an **Enterprise Resource Planning (ERP) software in the Republic of Korea** was targeted.
  
  **Security Implications:**
  The primary goal of the breach is assessed to be **cyberespionage**, evidenced by the access to anti-money laundering documents on the victim host. This aligns with North Korea's known activities in evading international sanctions through money laundering. The discovery of new malware and techniques also highlights the evolving capabilities of the Andariel group.
  
  **Technical Details:**
  The attribution to Andariel was based on unique malware such as **TigerRAT**, command execution patterns, infrastructure linkages, and other technical and non-technical evidence. WithSecure discovered three new, undocumented Remote Access Trojans (RATs) attributed to Andariel: **StarshellRAT, JelusRAT, and GopherRAT**. The group also utilized a staging server from which additional artifacts were found. Techniques and tools observed include privilege escalation tools like **PrintSpoofer and PetitPotato**, and the abuse of the **bring-your-own-vulnerable-driver (BYOVD)** technique to disable AV/EDR products. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware of Andariel's continued targeting of organizations for cyberespionage, particularly those in the public/legal sector and those involved with financial regulations. The group employs a mix of established and novel techniques, including new RATs and the BYOVD method for disabling security software. Vigilance against sophisticated malware and the use of privilege escalation tools is crucial. 【1】
• HuntCyberArk: CyberArk Security Audit - Logisek 🔍 Show Kagi Synopsis
  The HuntCyberArk tool is a PowerShell-based suite designed for security professionals to audit and assess the security of CyberArk Privileged Access Management (PAM) platforms.
  
  - **What Happened:** The HuntCyberArk tool was developed to provide offensive security professionals, red teamers, and penetration testers with a method to audit CyberArk environments. It aims to identify vulnerabilities and assess compliance with security benchmarks and best practices.
  - **Who is Affected:** The tool directly affects **CyberArk PAM platforms**.
  - **Security Implications:** The primary security implication is the potential for attackers to **uncover misconfigurations, potential exploits, and compliance gaps** within CyberArk environments. These weaknesses could be exploited to gain unauthorized privileged access.
  - **Technical Details:**
  - The tool operates **remotely** by interacting with the PVWA (Privileged Web Access) API.
  - It performs **port scanning** and **web testing**.
  - It does **not require installation** on the CyberArk servers themselves.
  - Features include **OPSEC mode**, **proxy integration**, **timing attacks**, **JWT security**, and the ability to generate detailed reports in **HTML, CSV, and JSON** formats.
  - **What Defenders Should Know:** Defenders need to be aware of the **capabilities of tools like HuntCyberArk** to understand potential attack vectors against their CyberArk infrastructure. This awareness can help organizations proactively **strengthen defenses**, **prioritize patching**, and **improve CyberArk security configurations** to mitigate identified risks. 【1】
• chisel-ng: Chisel new generation, written in rust. SSH under WSS with some customization. - nullsection 🔍 Show Kagi Synopsis
  **chisel-ng** is a Rust reimplementation of the chisel tool, designed for penetration testing and red team operations. It facilitates the creation of reverse tunnels that can traverse network security controls by encapsulating SSH traffic within WebSocket connections, which are themselves secured by TLS. This allows attackers to pivot through compromised hosts while making their traffic appear as legitimate HTTPS communication. 【1】
  
  **What Happened:**
  chisel-ng has been developed as a tool to establish covert reverse tunnels. 【1】
  
  **Who is Affected:**
  The tool is primarily used by **penetration testers and red team operators**. Organizations and networks that are targeted by these operations are indirectly affected, as the tool can be used to bypass security measures and gain deeper access. 【1】
  
  **Security Implications:**
  The primary security implication is the ability to **bypass network security controls** such as firewalls and intrusion detection systems. By disguising SSH traffic as HTTPS, chisel-ng makes it difficult to detect unauthorized access and lateral movement within a network. This can lead to compromised systems, data exfiltration, and further network penetration. 【1】
  
  **Technical Details:**
  - **Protocol Stack:** chisel-ng uses a layered approach: TCP -> TLS 1.3 -> WebSocket -> SSH -> Tunnel Data. This stack allows the traffic to blend in with standard HTTPS traffic. 【1】
  - **Modes:** It supports both **reverse** and **bind** modes for establishing tunnels. 【1】
  - **Multi-hop Pivoting:** The tool enables pivoting through multiple compromised hosts, extending the attacker's reach within a network. 【1】
  - **Authentication:** It utilizes **Pre-Shared Key (PSK)** authentication for securing the tunnels. 【1】
  - **Features:** Includes features like auto-reconnect and heartbeat mechanisms to maintain persistent connections. 【1】
  
  **What Defenders Should Know:**
  Defenders need to be aware of chisel-ng's capabilities and potential indicators of compromise:
  - **Detection Vectors:**
  - **TLS Fingerprints:** Unusual or unexpected JA3/JA4 TLS fingerprints associated with WebSocket traffic. 【1】
  - **WebSocket Upgrade Patterns:** Monitoring for the WebSocket upgrade request patterns within TLS traffic. 【1】
  - **Long-Lived Connections:** The presence of unusually long-lived TLS/WebSocket connections that do not align with typical browser behavior. 【1】
  - **Heartbeat Patterns:** Suspicious heartbeat patterns within the established tunnels. 【1】
  - **Defensive Recommendations:**
  - **Monitor Outbound Traffic:** Scrutinize outbound TLS and WebSocket traffic for anomalies. 【1】
  - **Verify Authentication:** Ensure that PSK authentication is robustly implemented and managed. 【1】
  - **Access Control:** Implement strict access controls on network egress points. 【1】
  - **Endpoint Inspection:** Inspect the endpoints of tunnels to identify unauthorized connections. 【1】
  - **Network Segmentation:** Employ network segmentation to limit the blast radius of a compromise. 【1】
  - **SSH Monitoring:** Monitor SSH channels, especially those tunneled over TLS and WebSocket. 【1】
• LiveContainer: Run iOS apps without actually installing them! - LiveContainer 🔍 Show Kagi Synopsis
  The provided GitHub repository README for LiveContainer does not detail a specific cybersecurity incident. Instead, it outlines the functionality and security considerations of the LiveContainer application itself.
  
  - **What happened:** The document does not describe a past event. It focuses on the present capabilities and potential risks associated with using LiveContainer.
  - **Who is affected:** Users who download and install **third-party, closed-source builds of LiveContainer** are potentially affected.
  - **Security implications:**
  - **Third-party builds pose a significant risk** as they have unrestricted access to user data, including sensitive information like keychain items and login credentials.
  - The application's ability to patch executables and bypass library validation could be exploited if the application itself is compromised or malicious.
  - **Technical details:**
  - LiveContainer allows for the patching of executables.
  - It bypasses library validation.
  - It supports app installation and management.
  - Features include app hiding and multi-account support.
  - **What defenders should know:**
  - **Be extremely cautious of third-party, closed-source applications** that require deep system access.
  - **Verify the source and integrity** of any application before installation, especially those that modify system behavior or access sensitive data.
  - Understand that such applications inherently carry risks due to their privileged access.
• sec-context: AI Code Security Anti-Patterns distilled from 150+ sources to help LLMs generate safer code. - Arcanum-Sec 🔍 Show Kagi Synopsis
  The **Sec-Context project** aims to tackle the problem of AI coding assistants frequently generating code with security flaws.
  
  **What Happened:**
  The project identified that AI coding assistants consistently reproduce dangerous security anti-patterns in the code they generate.
  
  **Who is Affected:**
  - **Developers:** Approximately 97% of developers use AI coding tools.
  - **Organizations:** 81% of organizations have deployed vulnerable AI-generated code into production. This means any organization utilizing AI for code generation is at risk.
  
  **Security Implications:**
  The security implications are significant, as AI-generated code has been found to be more susceptible to various vulnerabilities. These include:
  - **Cross-Site Scripting (XSS):** An 86% failure rate was observed.
  - **SQL Injection**
  - **Hardcoded Secrets**
  - **Command Injection**
  
  **Technical Details:**
  The Sec-Context project has documented over 25 security anti-patterns in two detailed documents: `ANTI_PATTERNS_BREADTH.md` and `ANTI_PATTERNS_DEPTH.md`. These documents provide:
  - Pseudocode examples
  - Common Weakness Enumeration (CWE) references
  - Mitigation strategies
  - Attack scenarios
  - Explanations for why AI models generate these vulnerabilities
  
  The top 10 identified anti-patterns are:
  - Dependency Risks
  - XSS
  - Hardcoded Secrets
  - SQL Injection
  - Authentication Failures
  - Missing Input Validation
  - Command Injection
  - Missing Rate Limiting
  - Excessive Data Exposure
  - Unrestricted File Upload
  
  **What Defenders Should Know:**
  Defenders can utilize the resources provided by Sec-Context to enhance their security practices. This includes:
  - **Integrating anti-pattern documentation** into AI workflows.
  - Using the documents as **system prompts** for AI models.
  - Employing them as **Retrieval Augmented Generation (RAG) references**.
  - Deploying **dedicated security review agents** that leverage this knowledge to identify common anti-patterns.
  This approach can help automate the detection of well-documented vulnerabilities, allowing human reviewers to focus on more complex security issues. 【1】
• GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 - "allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses." - GitLab 🔍 Show Kagi Synopsis
  GitLab has released patch versions **18.8.2, 18.7.2, and 18.6.4** to address critical bug and security fixes. 【1】
  
  **What Happened:**
  These patch releases address several security vulnerabilities, including:
  - **Denial of Service (DoS)** issues in the Jira Connect integration and API endpoints. 【1】
  - **Incorrect Authorization** in the Releases API. 【1】
  - **Unchecked Return Value** in authentication services. 【1】
  - **Infinite Loop** in Wiki redirects. 【1】
  
  **Who is Affected:**
  **All self-managed GitLab installations** are strongly recommended to upgrade immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers require no action. 【1】
  
  **Security Implications:**
  The vulnerabilities addressed have varying severities, with some rated as **High**. For instance, CVE-2025-13927, a Denial of Service issue in the Jira Connect integration, has a CVSS score of 7.5. 【1】 These vulnerabilities could potentially lead to service disruptions or unauthorized access if not patched.
  
  **Technical Details:**
  Specific CVEs are provided for each vulnerability, along with the impacted GitLab versions and their CVSS scores. 【1】 For example, CVE-2025-13927 affects GitLab CE/EE versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware that **these patches are crucial for maintaining security hygiene**. 【1】 It is important to upgrade to the latest patched versions promptly. Upgrading single-node instances may cause downtime due to database migrations, while multi-node instances can be upgraded with zero downtime if proper procedures are followed. 【1】 Version 18.7.2 includes post-deploy migrations. 【1】 Security fixes are made public 30 days after their release. 【1】