< ciso
brief />
Tag Banner

All news with #lateral movement tag

57 articles

Enterprises favor convenience, increasing lateral movement risk

๐Ÿ”’ Zero Networksโ€™ 2026 report, analyzing 54 trillion activities across 312 enterprise environments, finds that most internal servers remain broadly reachable and rely on legacy protocols. The study highlights that >80% of servers are accessible from anywhere inside networks, with 87% accepting RDP/SSH and 78% reachable via SMB/WinRM, while 43% still use NTLM. Experts warn this widespread internal connectivity enables easy lateral movement for attackers and call for segmentation, identity controls, and containment strategies.
read more โ†’

Gentlemen ransomware tests identity and recovery controls

๐Ÿ” The Gentlemen ransomware highlights challenges for CISOs in stopping attackers after an initial foothold. Researchers report the malware self-propagates using legitimate Windows management tools while attempting to disable security and recovery systems. Picus Security notes the encryptor, written in Go and obfuscated with Garble, leverages multiple lateral-movement methods and targets backups, EDR, and virtualization services to hinder recovery.
read more โ†’

Gamaredon expands malware and exfiltration tactics

๐Ÿ›ก๏ธ ESET observed 35 spear-phishing campaigns by the Russian APT group Gamaredon across 2025, primarily targeting Ukrainian government and military entities. Campaigns used HTML smuggling, archive attachments and a patched WinRAR flaw (CVE-2025-8088) to deploy HTA downloaders that drop payloads like PteroSand. The group enhanced persistence and lateral movement via PteroLNK, PteroPaste and PteroSetup while increasingly abusing tunnel and serverless services to hide infrastructure.
read more โ†’

Three real-world incident case studies from GERT

๐Ÿ” Over the past year, Kasperskyโ€™s Global Emergency Response Team and MDR service investigated diverse security incidents that informed the Anatomy of a Cyber World Global Report 2026. The post presents three real case studies illustrating how adversaries use credential theft, known vulnerabilities, and lateral movement to achieve persistence, escalate privileges, and deploy ransomware or wipers. It highlights recurring misconfigurations, delayed patching, and blind spots in monitoring as root causes of successful attacks.
read more โ†’

Stealthy Mistic backdoor tied to KongTuke broker

๐Ÿ›ก๏ธ Symantec and Zscaler have detected a new backdoor named Mistic (tracked as MTLBackdoor) used in financially motivated intrusions since April, linked to the initial access broker KongTuke/Woodgnat. The malware was observed in attacks against insurance, education, IT, and professional services organizations and was sometimes deployed after ModeloRAT via social-engineering on Microsoft Teams. Mistic is designed for long-term stealth, side-loading as version.dll from a legitimate executable and running payloads in memory while offering file management, remote command execution, configurable C2 check intervals, and a self-deletion kill switch.
read more โ†’

One intrusion, two attackers: uncovering parallel threats

๐Ÿ” Microsoft DART describes a complex multi-stage intrusion where two unrelated threat actors operated simultaneously, blending ransomware tactics with stealthy reconnaissance and persistence. Investigators observed exploitation attempts against on-premises SharePoint, use of legitimate tools like Velociraptor, cloud tunneling, credential misuse, and DLL sideloading to maintain access and evade detection. Coordinated telemetry correlation and threat intelligence enabled containment and targeted remediation guidance.
read more โ†’

Silent Ransom Group Escalates Law Firm Attacks

๐Ÿ”’ The FBI warns that the Silent Ransom Group (SRG), also known as Luna Moth and UNC3753, has increasingly targeted US law firms since 2023 using advanced social engineering. SRG has shifted from phishing and callback tactics to impersonating IT staff via phone and in-person visits to gain remote or physical access. Once inside, actors use legitimate tools like WinSCP or renamed Rclone to exfiltrate data without encrypting systems. The FBI recommends stronger cyber hygiene, phishing-resistant MFA, visitor verification, and limiting remote access and external drive installation on sensitive endpoints.
read more โ†’

KongTuke Uses Microsoft Teams to Gain Corporate Access

๐Ÿ”’ Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.
read more โ†’

Chinese-Linked Group Repeatedly Hits Azerbaijani Energy

๐Ÿ”’ Bitdefender links a multi-wave intrusion against an Azerbaijani oil and gas company to the China-affiliated group FamousSparrow, observed between December 2025 and February 2026. The adversary repeatedly exploited a Microsoft Exchange Server ProxyNotShell chain to deploy alternating backdoors โ€” Deed RAT and TernDoor โ€” across three waves. Attackers used evolved DLL side-loading via the legitimate LogMeIn Hamachi binary, attempted web shell persistence and lateral movement, and re-entered the environment despite remediation efforts.
read more โ†’

Stealthy Intrusion via Trusted Third-Party Compromise

๐Ÿ” Microsoft Incident Response details a stealthy intrusion in which a compromised thirdโ€‘party IT services provider abused trusted operational tooling to gain durable access. The actor executed VBScripts and web shells via HPE Operations Agent and HPOM, enabling credential theft, lateral movement, and persistent footholds while blending into normal administration. Malicious modules (mslogon.dll, passms.dll, msupdate.dll) captured and staged credentials for exfiltration over SMB and SMTP. The report outlines timeline, analysis, and Microsoft Defender detection and mitigation guidance.
read more โ†’

ClickFix and PySoxy Combined to Maintain Persistence

๐Ÿ” ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.
read more โ†’

Webinar: Stopping Patient Zero โ€” One Click Defense

๐Ÿ”’This webinar delivers a practical, technical playbook for identifying and neutralizing a corporate 'Patient Zero'โ€”the first compromised device that enables rapid lateral movement. Speakers will unpack how generative AI enables stealthy phishing, the critical five-minute window, and how Zero Trust isolation halts spread. Attendees gain an actionable Recovery Blueprint to contain, remediate, and restore systems.
read more โ†’

UAT-8302: China-Nexus APT Targeting Government Networks

๐Ÿ”’ Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.
read more โ†’

UNC6692: Social Engineering and Custom SNOW Malware

๐Ÿ”’ UNC6692 used persistent social engineering to lure victims via Microsoft Teams, delivering a staged payload that installed an AutoHotkey loader and a malicious Chromium extension (SNOWBELT) from attacker-controlled AWS S3. The intruders deployed a modular suite โ€” SNOWBELT, SNOWGLAZE, and SNOWBASIN โ€” to establish WebSocket tunnels, local HTTP backdoors, and stealthy proxying for lateral movement. The campaign combined credential theft, LSASS and NTDS extraction, and exfiltration to cloud services, highlighting the need to monitor browser extensions and cloud egress.
read more โ†’

The Gentlemen RaaS Expands, Targeting Enterprise Systems

๐Ÿ” Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.
read more โ†’

Weaponizing macOS Primitives for Movement and Execution

๐Ÿ” Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channelsโ€”including SMB, netcat, Git, TFTP, and SNMPโ€”and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.
read more โ†’

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

๐Ÿ”’ Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.
read more โ†’

Crossโ€‘tenant helpdesk impersonation and exfiltration

๐Ÿ” Microsoft Defender Security Research outlines a human-operated intrusion playbook where attackers abuse cross-tenant Microsoft Teams collaboration to impersonate IT/helpdesk staff and socially engineer users into granting remote assistance. With user consent, adversaries gain interactive access via Quick Assist or similar tools, then execute attacker modules by side-loading them into trusted vendor-signed applications. The chain leverages native administrative protocols such as WinRM and commercial RMM tooling to move laterally and stage sensitive business data for exfiltration. Microsoft Defender provides correlated identity, endpoint, and collaboration telemetry to surface and disrupt this pathway.
read more โ†’

AgingFly malware targets Ukrainian government and hospitals

โš ๏ธ AgingFly is a newly observed C# remote-access malware used in targeted attacks against Ukrainian local governments, hospitals, and potentially Defense Forces that steals authentication data from Chromium-based browsers and WhatsApp for Windows. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.
read more โ†’

UAT-10608: Large-scale automated credential harvesting

๐Ÿ” Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.
read more โ†’