NEW#0879SSpiderlabsabout 9 hours ago13 min▣LLM reporthigh A structured, multi-stage infection chain delivers the CrySome RAT via a logistics-themed spear-phishing lure. Initial access is achieved through a fake rate confirmation portal that drops a batch file, which chains UAC bypass (ICMLuaUtil COM interface), in-memory AMSI patching, and the open-source WinDefCtl utility to weaken Microsoft Defender before deploying the persistent RAT payload. CrySome RAT provides the operator with remote command execution, credential theft from Chromium browsers, HVNC, keylogging, and persistence via a scheduled task executing every 5 minutes.
NEW#0878
Canadian Centre for Cyber Securityabout 9 hours ago6 min▣LLM reportmedium The Canadian Centre for Cyber Security published a daily advisory digest on 2026-07-06 compiling eight security advisories from Red Hat, Ubuntu, Dell, CISA ICS, IBM, Roundcube, OpenSSH, and Microsoft Edge. The advisories address vulnerabilities across a broad range of products including Linux kernels, industrial control systems, enterprise software suites, webmail, SSH, and browser software. No specific CVEs, IOCs, or threat actor details are provided in the digest; administrators are directed to vendor advisories for patching guidance.
NEW#0877
Check Pointabout 10 hours ago13 min▣LLM reporthigh Cavern Manticore, an Iran-MOIS-linked APT group, deploys a modular .NET C2 framework targeting Israeli government and IT organizations. The framework uses three compilation formats (Mixed-Mode C++/CLI, NativeAOT, .NET Framework) as an anti-analysis layer, with DLL sideloading via WinDirStat.exe for initial execution. Post-exploitation modules provide DPAPI decryption, LDAP brute-forcing, SQL browsing, network reconnaissance, and SOCKS5 tunneling, with C2 traffic XOR-encrypted over HTTPS/WebSocket channels.
NEW#0876KKasperskyabout 13 hours ago9 min▣LLM reporthigh Attackers are abusing Microsoft's legitimate Device Authorization Grant (OAuth 2.0 Device Code Flow) to conduct phishing attacks that bypass traditional URL-based anti-phishing defenses. By pre-fetching a device code from Microsoft's identity platform and tricking victims into entering it on the genuine login.microsoftonline.com page, attackers harvest access and refresh tokens that grant persistent access to the victim's Microsoft 365 account. Two campaign variants were observed: one using password-protected PDF attachments impersonating a law firm, and another targeting Brazilian users via open redirects on cacoo.com.
NEW#0875
Check Pointabout 13 hours ago10 min▣LLM reportcritical This weekly threat intelligence bulletin covers multiple active ransomware campaigns, four critical vulnerabilities under active exploitation, and emerging AI-driven threats. Notable items include actively exploited RCE flaws in Oracle E-Business Suite and Progress Kemp LoadMaster, a Citrix NetScaler memory disclosure flaw exploited within 24 hours of disclosure, a North Korean supply-chain campaign (PolinRider) deploying 108 malicious packages, and a proof-of-concept browser-native ransomware generated by an LLM abusing Chrome's File System Access API.
NEW#0874SSymantecabout 20 hours ago13 min▣LLM reportcritical DragonForce ransomware operators deployed a novel Go-based backdoor called Backdoor.Turn that abuses Microsoft Teams TURN relay infrastructure to hide C2 traffic as legitimate Teams communications. The attack chain involves SQL/MSSQL server exploitation for initial access, DLL sideloading via VirtualBox/DbgView executables, multiple BYOVD techniques for defense evasion including a novel exploit of a Huawei driver, and ultimately DragonForce ransomware deployment. The group demonstrated exceptional sophistication with custom tooling and stealth techniques that evade standard network monitoring.
NEW#0873SSymantecabout 20 hours ago11 min▣LLM reporthigh BYOVD (Bring Your Own Vulnerable Driver) attacks have become a standard component of ransomware operations, allowing attackers to exploit signed kernel drivers for kernel-level access and subsequently disable AV/EDR products. The technique involves dropping a legitimate but vulnerable signed driver, loading it via a Windows service, and sending crafted IOCTL commands to terminate, blind, or strip privileges from security software. Microsoft's kernel hardening features and Vulnerable Driver Blocklist provide insufficient protection, as data-only kernel attacks bypass hardening and the blocklist has significant update lag. Behavioral monitoring of anomalous driver IOCTL interactions is the most effective defensive approach, as it is driver-agnostic and does not depend on prior driver identification.
NEW#0872SSymantecabout 20 hours ago14 min▣LLM reporthigh Backdoor.Mistic is a new stealthy backdoor deployed in cybercrime intrusions since April 2026, using DLL sideloading via legitimate MpExtMs.exe and masquerading as EndpointDlp.dll. It executes payloads in memory with a self-deleting kill switch, enabling long-term covert access. Mistic is likely linked to Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has been used in attacks delivering Qilin ransomware, connecting this backdoor to the broader ransomware ecosystem.
NEW#0871SSpiderlabsabout 20 hours ago8 min▣LLM reporthigh QuimaRAT is a cross-platform, Java-based remote access trojan sold as a malware-as-a-service subscription on the dark web. It targets Windows, macOS, and Linux systems by embedding JNA native libraries for multiple architectures within a JAR archive built for Java SE 8. The RAT decrypts an internal configuration file using repeating-key XOR, performs anti-analysis and virtualization checks, establishes persistence via OS-specific mechanisms, and maintains resilient C2 communication through HANDSHAKE and HEARTBEAT protocols. With 23 implemented commands and 212 protocol-only commands, the platform is highly extensible through runtime modules and fileless payloads.
NEW#0870SSpiderlabsabout 20 hours ago12 min▣LLM reporthigh LevelBlue GSOC has identified accelerating ValleyRAT campaigns delivered through fake installers and malicious emails targeting Chinese and Japanese-speaking users. The email-based attack chain uses DLL sideloading via a legitimate VLC executable to load a malicious DLL that downloads an RC4-encrypted, Donut-generated ValleyRAT payload, which is then injected into a suspended rundll32.exe process for fileless execution. The malware incorporates extensive anti-analysis checks (memory size, sleep timing, CPU count, VHD boot detection) and establishes persistence via registry Run keys.
NEW#0869SSpiderlabsabout 21 hours ago11 min▣LLM reporthigh An active multi-stage phishing campaign distributes AsyncRAT and Remcos RATs through weaponized Excel attachments targeting sales, procurement, and vendor management staff globally. The infection chain uses VBA macros to retrieve HTA payloads via URL shorteners and Cloudflare Workers, with final payloads hidden via PNG steganography and loaded filelessly into memory via .NET assembly loading. The campaign demonstrates high-volume, automated payload generation with consistent obfuscation patterns including Base64 encoding, character substitution, and string reversal.
NEW#0868PProofpointabout 21 hours ago18 min▣LLM reporthigh UNK_DeadDrop is a likely North Korean threat actor conducting broad phishing campaigns targeting software developers with fake job offers and code review requests. The campaign delivers malicious GitHub/GitLab repositories that abuse VS Code and Cursor IDE task automation to silently execute cross-platform malware. Linux and macOS systems receive the Overlord Go RAT with custom credential and wallet theft modules, while Windows runs a fileless Node.js/Python pipeline inside the editor's Electron process. The malware exfiltrates cryptocurrency wallets, browser credentials, and OS keychain data to a hardcoded C&C server at 23.137.105.75:5173.
NEW#0867PProofpointabout 21 hours ago10 min▣LLM reporthigh Operation Endgame, a coordinated law enforcement action by Netherlands, Canada, US, and Germany, disrupted TA569's SocGholish web inject infrastructure by taking down over 100 servers and remediating 14,971 compromised websites. TA569 compromises legitimate websites—often WordPress installations—to inject obfuscated JavaScript that presents fake browser update pages to visitors, ultimately delivering GhoLoader malware which can lead to ransomware deployments. The attack chain leverages traffic direction systems (TA2726's Keitaro TDS and ParrotTDS) for victim filtering and uses advanced client-side blob URL construction to evade sandbox detection and network-based download tracing.
NEW#0866PProofpointabout 21 hours ago10 min▣LLM reporthigh Proofpoint and IBM X-Force collaborated with Europol and Microsoft's Digital Crimes Unit to disrupt the StealC malware-as-a-service ecosystem as part of Operation Endgame, seizing 66 domains, 296 servers, and over 25.6 million stolen credentials. Researchers discovered a directory traversal vulnerability in the StealC PHP C2 panel's filename handling during ZIP extraction, which was exploited by law enforcement to access and seize C2 servers. The teams also built a StealC bot emulator to track affiliate infrastructure and observe payload delivery chains, revealing StealC's loader functionality distributing a broad range of secondary malware including ransomware, RATs, and additional stealers.
NEW#0865FFortinetabout 21 hours ago14 min▣LLM reporthigh Threat actors are weaponizing AI-themed lure documents to deliver a complex multi-stage infection chain culminating in AsyncRAT and a custom .NET RAT called clay_Client. The attack uses hidden LNK files inside compressed archives to initiate a chain of PowerShell scripts that extract, decrypt, and execute payloads from disguised PDF containers using AES-CBC, XOR, and GZip decompression. AutoHotkey scripts perform process hollowing into legitimate .NET Framework executables, while defense evasion includes adding Microsoft Defender exclusions and restoring disabled VBS execution. The final RAT provides full remote control with screen capture, input simulation, fileless assembly loading, and process injection capabilities.
NEW#0864FFortinetabout 21 hours ago13 min▣LLM reporthigh The Shai Hulud supply chain worm, attributed to TeamPCP, compromises CI/CD pipelines by injecting malicious npm/PyPI packages that harvest build credentials and pivot into production AWS cloud infrastructure. In a confirmed breach, attackers stole Jenkins EC2 instance role credentials via the Instance Metadata Service (IMDS), used them from external IPs, escalated privileges by creating an IAM user with AdministratorAccess, modified Redshift and Aurora security groups to open network paths, enumerated Secrets Manager for warehouse credentials, and exfiltrated data via the Redshift Data API. The attack demonstrates that pipeline identity equals production identity, with explicit attacker naming conventions (exfil-s3-* policies, exfil STS session names) providing high-fidelity detection opportunities.
NEW#0863FFortinetabout 21 hours ago11 min▣LLM reporthigh FortiGuard Labs identified an ongoing Ousaban banking Trojan campaign targeting users in Spain and Portugal, delivered via phishing PDFs that redirect victims to geofenced malicious webpages. The attack chain involves a VBS script extracting a ZIP payload from a steganographic image, with the final Ousaban EXE establishing persistence via registry Run keys and communicating with C2 servers resolved through daily-changing DDNS hostnames. The malware targets over 25 Spanish and Portuguese financial institutions and employs a custom encryption algorithm shared with the Casbaneiro family to evade detection.
NEW#0862AAsecabout 22 hours ago6 min▣LLM reportmedium AhnLab ASEC's Week 1 July 2026 ransomware and dark web roundup reports three active threat campaigns. Settra claims a data leak at a Korean industrial firm's foreign affiliate. The Gentlemen ransomware group has targeted Spanish defense, aerospace, and IT service firms. DragonForce claims data theft against a South Korean smart factory and digital twin company. Detailed IOCs and analysis are available only to AhnLab TIP subscribers.
NEW#0861AAsecabout 22 hours ago5 min▣LLM reportmedium This weekly roundup from AhnLab's ASEC team highlights three notable dark web and ransomware developments: BreachForums is experiencing internal issues with staff impersonation and unauthorized sales, Lapsus$ claims to have leaked data from a Myanmar bank, and Qilin ransomware targeted a South Korean law firm. No technical IOCs, detection rules, or vulnerability details are provided in the public article; full analysis is available via AhnLab TIP subscription.
NEW#0860AAsecabout 22 hours ago10 min▣LLM reporthigh The Q2 2026 trend report from AhnLab ASEC documents a significant expansion of attack surfaces into AI stacks, identity infrastructure, and public-facing applications. CISA KEV listings rose 27% year-over-year to 75 entries, with ransomware-linked vulnerabilities nearly doubling. Notable developments include prompt injection-to-RCE chains in Microsoft Semantic Kernel, data exfiltration via M365 Copilot Enterprise (SearchLeak), three Microsoft Defender zero-days used for telemetry evasion, and continued AI supply chain attacks via malicious skills. The report recommends shifting from signature-based to behavior-based detection and implementing ITDR, conditional access, and AI-specific input validation controls.