All news with #data exfil via tools tag
Wed, July 2, 2025
Gamaredon 2024: Enhanced Spearphishing vs Ukrainian Targets
🔍 ESET Research describes Gamaredon’s 2024 shift to exclusively target Ukrainian government institutions, significantly increasing spearphishing scale and frequency while adopting new delivery techniques such as malicious hyperlinks and LNK files served from Cloudflare domains. The group introduced six new PowerShell and VBScript-based tools and upgraded existing implants with improved obfuscation, registry-based persistence, and stealth features. Operators have largely hidden C2 infrastructure behind Cloudflare tunnels and increasingly rely on third-party platforms and DoH for resilience.
Fri, June 13, 2025
Layered Defenses Against Indirect Prompt Injection
🔒 Google GenAI Security Team outlines a layered defense strategy to mitigate indirect prompt injection attacks that hide malicious instructions in external content like emails, documents, and calendar invites. They combine model hardening in Gemini 2.5 with adversarial training, purpose-built ML classifiers, and "security thought reinforcement" to keep models focused on user tasks. Additional system controls include markdown sanitization, suspicious URL redaction via Google Safe Browsing, a Human-In-The-Loop confirmation framework for risky actions, and contextual end-user mitigation notifications that complement Gmail protections.
Tue, August 30, 2022
Watering-Hole Campaign Deploys ScanBox Keylogger Nearby
🕵️ A China-linked actor, assessed as APT TA423 (Red Ladon), used targeted phishing and watering-hole pages to serve the ScanBox JavaScript reconnaissance framework to Australian domestic organizations and offshore energy firms between April and mid-June 2022. The injected script acts as a browser-based keylogger and conducts extensive fingerprinting, enumerating OS, plugins, extensions, WebRTC and Flash. ScanBox further leverages STUN and ICE via WebRTC to establish peer connections and reach hosts behind NAT, enabling covert collection of typed data without writing malware to disk. Proofpoint and PwC researchers link the campaign to TA423 and note its likely intelligence focus on regional maritime and naval activity.
Mon, August 22, 2022
Fake Reservation Links Target Travel and Hospitality Industry
✈️ A longtime threat group tracked as TA558 has resumed phishing campaigns that spoof hotel or reservation notices to lure travelers into downloading malware. Campaigns increasingly deliver ISO and RAR container files via URLs that, when decompressed, execute batch scripts and PowerShell helpers to fetch RATs such as AsyncRAT. TA558 has shifted from macro-laden Office documents to containerized attachments after Microsoft limited macros. Travel organizations and customers should be wary of unexpected reservation emails and avoid opening unknown archives.