🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• drvtrace: WinDbg plugin to trace module transitions from a debugged driver. - eversinc33 🔍 Show Kagi Synopsis
  The provided article from eversinc33.com discusses **driver reverse engineering**, a technique used to analyze and understand how software drivers, particularly those operating at the Windows kernel level, function. This is a technical deep dive into the methods and challenges involved in dissecting these low-level components.
  
  **What Happened:**
  The article series, specifically "Driver Reverse Engineering 101," details the process of **static and dynamic analysis of Windows kernel drivers** 【1】【3】. It covers techniques for unpacking protected drivers (like those using VMProtect) and understanding how to analyze them by setting breakpoints and navigating the Windows kernel 【1】. The author also touches upon anti-rootkit techniques and how to uncover mapped memory 【5】, as well as methods for **keylogging within the Windows kernel** using undocumented data structures 【2】.
  
  **Who is Affected:**
  The primary audience for this information is **security researchers, malware analysts, and developers** interested in reverse engineering and Windows kernel internals 【6】. While not directly about a specific attack, the techniques discussed are fundamental to understanding and defending against sophisticated malware, rootkits, and other kernel-level threats that could affect any Windows user or organization.
  
  **Security Implications:**
  The ability to reverse engineer kernel drivers has significant security implications:
  - **Malware Analysis:** It allows researchers to understand the inner workings of malicious drivers, such as rootkits, which can hide their presence and actions from the operating system and security software 【4】.
  - **Vulnerability Discovery:** By analyzing drivers, security professionals can identify vulnerabilities that could be exploited by attackers.
  - **Development of Defensive Tools:** Understanding these techniques aids in the creation of tools and methods to detect and counter kernel-level threats.
  - **Exploitation:** Conversely, attackers use these reverse engineering skills to develop and refine their own kernel-level exploits and malware.
  
  **Technical Details:**
  The articles delve into several technical aspects:
  - **Static Analysis:** Examining the driver's code without executing it, often using tools like IDA Pro, to understand its structure and functionality 【3】. This includes restoring the Import Address Table (IAT) for better analysis 【1】.
  - **Dynamic Analysis:** Observing the driver's behavior while it is running, often in a debugger like WinDbg, to understand its execution flow and interactions 【3】.
  - **Unpacking:** Removing anti-analysis protections, such as VMProtect, applied to drivers 【1】.
  - **Kernel Internals:** Understanding how Windows kernel operates, including undocumented data structures and system functions like `RtlCaptureStackBackTrace` for stack analysis 【2】【5】.
  - **Keylogging:** Demonstrating how to capture keystrokes at the kernel level 【2】.
  - **Anti-Rootkit Techniques:** Exploring methods to detect and bypass rootkit functionalities 【4】【5】.
  
  **What Defenders Should Know:**
  Defenders should be aware that sophisticated threats can operate at the **kernel level**, making them difficult to detect with traditional user-mode security tools. Understanding the principles of driver reverse engineering helps in:
  - **Recognizing the potential for kernel-level malware:** Threats like rootkits can deeply embed themselves in the system 【4】.
  - **Appreciating the complexity of modern malware:** Techniques like VMProtect are used to hinder analysis 【1】.
  - **Understanding the importance of kernel-level security monitoring:** Tools and techniques that can inspect kernel activity are crucial for detecting advanced threats.
  - **The ongoing cat-and-mouse game:** As defenders develop better detection methods, attackers evolve their techniques, necessitating continuous research into areas like driver analysis 【2】【5】.
• Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic - Sekoia.io 🔍 Show Kagi Synopsis
  The **IClickFix framework** is a significant cybersecurity threat that has been actively compromising WordPress sites since late 2024 to distribute malware.
  
  - **What Happened**: IClickFix operates by injecting malicious JavaScript into compromised WordPress websites. These sites are then used in watering hole attacks to trick visitors into downloading malware. The framework has evolved over time, incorporating new techniques to evade detection and expand its reach. It has been observed abusing the YOURLS URL shortener as a Traffic Distribution System (TDS) to hide its malicious activities and employing multi-stage JavaScript payloads. The final payload often includes a lure that impersonates Cloudflare Turnstile to further deceive users.
  
  - **Who is Affected**: The campaign has a **global footprint**, affecting users in 82 countries. It targets **WordPress sites** and their visitors, with the distribution across various industries indicating **opportunistic mass exploitation** rather than specific targeting. Over 3,800 WordPress sites have been compromised by this framework.
  
  - **Security Implications**: The primary security implication is the **distribution of commodity malware**, including **NetSupport RAT**, **Emmenhtal Loader**, and **XFiles Stealer**. NetSupport RAT, in particular, grants attackers **full control over infected hosts**, enabling capabilities such as screen and audio monitoring, keystroke logging, command execution, persistence, and file transfers. This poses a severe risk to data confidentiality and system integrity.
  
  - **Technical Details**:
  - **Initial Compromise**: Malicious JavaScript is injected into vulnerable WordPress sites.
  - **Traffic Distribution System (TDS)**: The YOURLS URL shortener is abused to manage and direct traffic, enhancing stealth.
  - **Multi-stage Payloads**: The framework uses several stages of JavaScript delivery.
  - **Lure**: A ClickFix tactic is employed, often impersonating Cloudflare Turnstile to trick users into downloading the malware.
  - **Final Payload**: Malware such as NetSupport RAT is deployed.
  - Indicators of Compromise (IoCs), including domain names, IP addresses, and file hashes, are available for detection and mitigation efforts 【1】.
  
  - **What Defenders Should Know**:
  - This threat is **persistent and widespread**, with continuous technical advancements by the operators 【1】.
  - The use of a TDS makes the campaign **stealthier and more difficult to detect** 【1】.
  - Defenders should be aware of the **mass exploitation of WordPress sites** and implement robust security measures for these platforms 【1】.
  - Proactive monitoring for the described tactics, techniques, and procedures (TTPs) is crucial 【1】.
• RedKitten: AI-accelerated campaign targeting Iranian protests - HarfangLab controls the content posted on the page . 🔍 Show Kagi Synopsis
  The cybersecurity article details a campaign named **RedKitten**, which targets Iranian interests, particularly those involved in documenting human rights abuses during recent protests. The campaign was first observed in early January 2026 and is believed to be a rapid development, potentially utilizing AI tools for its creation.
  
  **What Happened:**
  RedKitten is a newly identified campaign that emerged in early January 2026. It leverages GitHub and Google Drive for configuration and payload retrieval, with Telegram used for command and control (C2). The campaign's activity aligns with the "Dey 1404 Protests," a period of significant civil unrest in Iran that began in late December 2025, following economic strikes. This wave of protests was met with a severe crackdown, including mass arrests and casualties.
  
  **Who is Affected:**
  The primary targets of RedKitten appear to be **Iranian non-governmental organizations (NGOs)** and **individuals involved in documenting human rights abuses** related to the recent protests.
  
  **Security Implications:**
  The campaign's rapid development, potentially accelerated by AI, suggests an evolving threat landscape where adversaries can quickly deploy sophisticated tools. The use of legitimate cloud services like GitHub, Google Drive, and Telegram for C2 and payload delivery makes detection more challenging, as these platforms are commonly used for benign purposes. The campaign's alignment with Iranian government security interests indicates a potential state-sponsored or state-aligned threat actor.
  
  **Technical Details:**
  - **Malware Distribution:** Relies on **GitHub** and **Google Drive** for configuration and modular payload retrieval.
  - **Command and Control (C2):** Utilizes **Telegram** for C2 communications.
  - **Development:** Evidence suggests the use of **AI tools**, specifically Large Language Models (LLMs), in the campaign's development.
  - **Attribution:** While not definitively attributed to a known actor, the techniques and linguistic indicators point towards a threat actor aligned with **Iranian government security interests**. The activity is tracked as RedKitten.
  
  **What Defenders Should Know:**
  Defenders should be aware of the potential for AI-accelerated malware development, leading to faster deployment of new campaigns. Vigilance is required regarding the use of legitimate cloud services and messaging apps for malicious C2 and data exfiltration. Understanding the tactics, techniques, and procedures (TTPs) associated with Iranian state-aligned actors is crucial for effective defense. The campaign's focus on individuals and organizations documenting human rights abuses highlights the importance of securing sensitive data and communications for activists and NGOs operating in or reporting on such environments.
• LABYRINTH CHOLLIMA Evolves into Three Adversaries - CrowdStrike 🔍 Show Kagi Synopsis
  The cybersecurity article details the evolution of the North Korean (DPRK) cyber threat actor, **LABYRINTH CHOLLIMA**, into three distinct, specialized subgroups: **GOLDEN CHOLLIMA**, **PRESSURE CHOLLIMA**, and the core **LABYRINTH CHOLLIMA** group. This segmentation allows the DPRK regime to pursue multiple objectives simultaneously and enhances its cyber capabilities.
  
  **What Happened:**
  LABYRINTH CHOLLIMA, historically known for prolific intrusions including destructive attacks and the WannaCry ransomware incident 【1】, has reorganized since 2018 into three specialized units 【1】. These subgroups share some tools and infrastructure, suggesting centralized coordination within the DPRK's cyber operations 【1】.
  
  **Who is Affected:**
  - **GOLDEN CHOLLIMA** targets economically developed regions with significant cryptocurrency and fintech presence, including the **U.S., Canada, South Korea, India, and Western Europe** 【1】. They focus on smaller, consistent thefts to generate baseline revenue 【1】.
  - **PRESSURE CHOLLIMA** pursues high-payout cryptocurrency heists globally, focusing on organizations with substantial digital asset holdings. They are responsible for some of the largest cryptocurrency thefts on record 【1】.
  - The core **LABYRINTH CHOLLIMA** group focuses on **espionage operations**, targeting entities in the **manufacturing and defense sectors**, particularly in **Europe, the U.S., Japan, and Italy**. They have also shown increasing interest in **logistics and shipping companies** 【1】.
  
  **Security Implications:**
  The evolution of LABYRINTH CHOLLIMA into specialized units signifies a more sophisticated and adaptable threat landscape. The cryptocurrency-focused groups (GOLDEN and PRESSURE CHOLLIMA) pose a direct financial threat, with PRESSURE CHOLLIMA being one of the DPRK's most technically advanced adversaries 【1】. The core LABYRINTH CHOLLIMA's espionage activities threaten sensitive industrial, logistics, and defense information 【1】. The need for additional revenue for these groups is likely intensified by international sanctions crippling the DPRK's economy, driving their pursuit of financial gains to fund military ambitions 【1】.
  
  **Technical Details:**
  - **GOLDEN CHOLLIMA** utilizes malware originating with `Jeus` and its macOS variant `AppleJeus`, which masquerade as cryptocurrency applications. They also employ a specialized fintech targeting toolkit including `PipeDown`, `DevobRAT`, `HTTPHelper`, and `Anycon` 【1】. Recent operations show cloud-focused tradecraft, delivering malicious Python packages via recruitment fraud and pivoting to cloud environments to divert cryptocurrency 【1】. They have also reportedly used the `FudModule` malware 【1】.
  - **PRESSURE CHOLLIMA** has evolved into a technically advanced adversary, deploying sophisticated, low-prevalence implants. Their recent campaigns leverage malicious Node.js and Python projects to deliver malware such as `Scuzzyfuss` and `TwoPence Electric` 【1】.
  - The core **LABYRINTH CHOLLIMA** group uses malware with a `Hoplight` lineage and has developed `FudModule`, which employs direct kernel manipulation for stealth and has exploited zero-day vulnerabilities 【1】. Their delivery mechanisms in 2025 include WhatsApp messaging to deliver malicious ZIP files containing trojanized applications, often using employment-themed social engineering 【1】.
  
  **What Defenders Should Know:**
  Organizations, particularly in the **cryptocurrency, fintech, defense, and logistics sectors**, should be highly vigilant against DPRK social engineering campaigns 【1】. Key defensive measures include:
  
  - **Mitigating Social Engineering:**
  - Implement strict validation for all incoming communications, especially job-related inquiries.
  - Train employees to be suspicious of unsolicited messages on platforms like WhatsApp and unexpected emails with attachments or links.
  - Enforce policies against downloading and executing software from untrusted sources.
  - Scan and vet all third-party and open-source dependencies.
  - Implement software supply chain security practices.
  - **Cloud and Identity Security:**
  - Monitor cloud logs (e.g., CloudTrail, GuardDuty) for suspicious activity related to IAM, command-line usage, and access patterns.
  - Enforce the principle of least privilege for cloud IAM users and roles.
  - Implement multi-factor authentication (MFA) for all cloud accounts.
  - **General Recommendations:**
  - Prioritize patching of known remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities.
  - Maintain updated operating systems, drivers, and edge devices to mitigate zero-day exploits.
  - For cryptocurrency organizations, implement multi-signature wallets and time-locked transfers, and isolate crypto management systems from the corporate network 【1】.
  
  Notable malware families associated with these groups include `Dozer`, `Brambul`, `Jeus`, `FudModule`, `Scuzzyfuss`, and `SparkDownloader` 【1】.
• North Korean Threat Actor Targets Financial Sector in the Nordics - Truesec 🔍 Show Kagi Synopsis
  A cybersecurity campaign, attributed to the North Korean state-sponsored group **Lazarus**, has been observed targeting individuals within the **financial sector in the Nordics** 【1】.
  
  **What Happened:**
  The attack commences with a **deceptive message on LinkedIn**, posing as a job offer from a prominent U.S. financial and asset management company. If the recipient accepts this offer, they are guided through a process that results in the infection of their system with a remote access trojan named **BeaverTail** 【1】.
  
  **Who is Affected:**
  The primary targets of this campaign are **individuals working in the financial sector in the Nordic region** 【1】.
  
  **Security Implications:**
  The BeaverTail trojan is designed to **automatically search the victim's machine for cryptocurrency-related data**. Beyond this specific function, it also serves as a **remote access tool**, enabling further malicious activities and deeper network penetration 【1】.
  
  **Technical Details:**
  The attack chain appears to be similar to previously documented methods by other researchers 【1】. The initial vector is a social engineering tactic via LinkedIn, leading to the deployment of the BeaverTail malware.
  
  **What Defenders Should Know:**
  Organizations within the Nordic financial sector are advised to **educate their personnel about this ongoing campaign**. Employees should be encouraged to **report any suspicious direct messages received on LinkedIn** 【1】. Further investigation into the full attack chain is ongoing 【1】.
• CVE-2025-40551: SolarWinds WHD RCE - Horizon3.ai 🔍 Show Kagi Synopsis
  A critical vulnerability, **CVE-2025-40551**, has been discovered in **SolarWinds Web Help Desk (WHD)**, enabling unauthenticated remote-code execution (RCE) through Java deserialization. This vulnerability, along with others like static default credentials (CVE-2025-40537) and a security protection bypass (CVE-2025-40536), allows attackers to gain administrative access and execute arbitrary code on affected systems.
  
  **Who is Affected:**
  **SolarWinds Web Help Desk (WHD)** instances are affected by these vulnerabilities.
  
  **Security Implications:**
  The primary implication is **unauthenticated remote-code execution (RCE)**, meaning an attacker can run malicious code on the server without needing any prior access or credentials. This can lead to a complete compromise of the WHD system and potentially the broader network. The static default credentials and protection bypass further exacerbate the risk by simplifying unauthorized access and control.
  
  **Technical Details:**
  The exploit chain for CVE-2025-40551 involves several steps:
  - **Bypassing CSRF checks:** Attackers can circumvent Cross-Site Request Forgery (CSRF) protections by using a malformed URI parameter, specifically by changing the URI from "ajax" to "wo".
  - **Accessing vulnerable components:** This bypass allows access to components like `LoginPref`, which can then interact with the `AjaxProxy` functionality.
  - **Exploiting Java deserialization:** The `jabsorb` library used by `AjaxProxy` is susceptible to deserialization attacks. Attackers can manipulate JSONRPC bridge requests to create malicious Java objects.
  - **Bypassing blacklists:** By leveraging whitelisted terms, attackers can bypass blacklist filters designed to prevent malicious input.
  - **Achieving RCE:** The ultimate goal is to trigger these deserialized objects, leading to code execution on the WHD server.
  
  **What Defenders Should Know:**
  - **Upgrade immediately:** The most crucial step is to **upgrade to SolarWinds Web Help Desk version 2026.1**, which addresses these vulnerabilities.
  - **Monitor logs:** Defenders should actively monitor WHD log files for suspicious activities. Indicators of compromise include:
  - Login events for the default "client" account.
  - JSONRPC errors.
  - The presence of whitelisted payloads in requests.
  - Unusual requests to `/Helpdesk.woa/wo/*`, especially those with non-whitelisted parameters or parameters containing "/ajax/".
  - **Understand the exploit:** Awareness of the exploit chain, including CSRF bypass, `AjaxProxy` interaction, and deserialization techniques, is vital for detecting and responding to attacks.
• ErrTraffic Under the Hood: A look at the source code - LenAI 🔍 Show Kagi Synopsis
  The cybersecurity article details **ErrTraffic**, a Traffic Distribution System (TDS) that threat actors utilize to distribute malware through deceptive ClickFix-style lures.
  
  **What Happened:**
  The analysis of ErrTraffic's source code uncovered significant vulnerabilities. These flaws allow for the potential compromise of the entire ErrTraffic panel, enabling attackers to execute arbitrary code, bypass authentication, and reinstall panels.
  
  **Who is Affected:**
  - **Primary users affected are threat actors** who deploy ErrTraffic.
  - **Indirectly affected are users of websites that are compromised** by these ClickFix lures.
  
  **Security Implications:**
  - **Authenticated Arbitrary Code Execution (RCE):** Achieved through file upload functionalities.
  - **Authentication Bypass and Panel Reinstallation:** Possible via an exposed `install.php` endpoint.
  - **Local File Disclosure:** Exploitable through path traversal by manipulating file paths controlled by the database.
  
  **Technical Details:**
  The article outlines how ErrTraffic is obtained and analyzed. Specific vulnerabilities identified include:
  - **`install.php`:** If not deleted after initial setup, this script can be used for reinstallation and authentication bypass.
  - **`upload_file.php` (v2):** Allows for the direct upload of executable PHP payloads.
  - **`update_file.php` (v2.1):** Enables the replacement of existing files with PHP payloads.
  - **Path Traversal:** This is facilitated by manipulating the `et_files` table in the database, which stores file references.
  
  **What Defenders Should Know:**
  Tools like ErrTraffic, while potentially lowering the entry barrier for attackers, also introduce inherent weaknesses. The article suggests that as AI-assisted crimeware becomes more prevalent, predictable vulnerabilities in these systems are likely to increase. Defenders should remain vigilant and focus on understanding these specific types of vulnerabilities to better protect against them.