
All news with #lateral movement tag

50 articles

KongTuke Uses Microsoft Teams to Gain Corporate Access

🔒 Threat actor KongTuke has begun using Microsoft Teams to socially engineer employees and quickly gain persistent network access. Attackers impersonate IT staff, trick victims into running a malicious PowerShell command, and deploy ModeloRAT via a Dropbox-hosted ZIP containing a portable WinPython runtime. ReliaQuest observed the campaign active since April 2026, with attackers rotating Microsoft 365 tenants and employing Unicode tricks to appear legitimate. The malware includes resilient C2, multiple access paths, and persistence methods that can survive standard cleanup.

Chinese-Linked Group Repeatedly Hits Azerbaijani Energy

🔒 Bitdefender links a multi-wave intrusion against an Azerbaijani oil and gas company to the China-affiliated group FamousSparrow, observed between December 2025 and February 2026. The adversary repeatedly exploited a Microsoft Exchange Server ProxyNotShell chain to deploy alternating backdoors — Deed RAT and TernDoor — across three waves. Attackers used evolved DLL side-loading via the legitimate LogMeIn Hamachi binary, attempted web shell persistence and lateral movement, and re-entered the environment despite remediation efforts.

Stealthy Intrusion via Trusted Third-Party Compromise

🔍 Microsoft Incident Response details a stealthy intrusion in which a compromised third-party IT services provider abused trusted operational tooling to gain durable access. The actor executed VBScripts and web shells via HPE Operations Agent and HPOM, enabling credential theft, lateral movement, and persistent footholds while blending into normal administration. Malicious modules (mslogon.dll, passms.dll, msupdate.dll) captured and staged credentials for exfiltration over SMB and SMTP. The report outlines timeline, analysis, and Microsoft Defender detection and mitigation guidance.

ClickFix and PySoxy Combined to Maintain Persistence

🔐 ReliaQuest researchers describe a campaign where social-engineering ClickFix techniques were paired with the decade-old Python SOCKS5 proxy PySoxy to maintain persistent access on compromised hosts. Attackers staged the proxy after reconnaissance and used a scheduled task for re-execution, so blocking the initial ClickFix vector did not fully remove access. Analysts advise treating these incidents as active compromises and hunting for Python proxy artifacts, scheduled tasks, and staged components rather than assuming a blocked C2 equals containment.

Webinar: Stopping Patient Zero — One Click Defense

🔒 This webinar delivers a practical, technical playbook for identifying and neutralizing a corporate 'Patient Zero', the first compromised device that enables rapid lateral movement. Speakers will unpack how generative AI enables stealthy phishing, the critical five-minute window, and how Zero Trust isolation halts spread. Attendees gain an actionable Recovery Blueprint to contain, remediate, and restore systems.

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

UNC6692: Social Engineering and Custom SNOW Malware

🔒 UNC6692 used persistent social engineering to lure victims via Microsoft Teams, delivering a staged payload that installed an AutoHotkey loader and a malicious Chromium extension (SNOWBELT) from attacker-controlled AWS S3. The intruders deployed a modular suite — SNOWBELT, SNOWGLAZE, and SNOWBASIN — to establish WebSocket tunnels, local HTTP backdoors, and stealthy proxying for lateral movement. The campaign combined credential theft, LSASS and NTDS extraction, and exfiltration to cloud services, highlighting the need to monitor browser extensions and cloud egress.

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.

Gentlemen Ransomware Affiliate Uses SystemBC Botnet Against Corporate Targets

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.

Cross-Tenant Helpdesk Impersonation and Exfiltration

🔐 Microsoft Defender Security Research outlines a human-operated intrusion playbook where attackers abuse cross-tenant Microsoft Teams collaboration to impersonate IT/helpdesk staff and socially engineer users into granting remote assistance. With user consent, adversaries gain interactive access via Quick Assist or similar tools, then execute attacker modules by side-loading them into trusted vendor-signed applications. The chain leverages native administrative protocols such as WinRM and commercial RMM tooling to move laterally and stage sensitive business data for exfiltration. Microsoft Defender provides correlated identity, endpoint, and collaboration telemetry to surface and disrupt this pathway.

AgingFly malware targets Ukrainian government and hospitals

⚠️ AgingFly is a newly observed C# remote-access malware that steals authentication data from Chromium-based browsers and WhatsApp for Windows; it has been used in targeted attacks against Ukrainian local governments, hospitals, and potentially the Defense Forces. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE, which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.

Attackers Exploiting Trusted Tools: Why You Miss It

⚠️ Attackers increasingly bypass classic defenses by abusing trusted, built-in tools such as PowerShell, WMIC, and Certutil to move laterally, escalate privileges, and maintain persistence without dropping new malware. These Living Off The Land (LOTL) techniques mimic routine admin tasks and produce minimal alerts, creating stealthy blind spots for detection-focused teams. A data-driven Internal Attack Surface Assessment reveals unnecessary access, maps realistic attack paths, and prioritizes low-impact remediations so organizations can harden systems without disrupting workflows.

Ransomware in 2025: Blending In as the Strategy and Response

🔒 Ransomware in 2025 has shifted from noisy breaches to measured, identity-centric operations that mimic legitimate user activity. Attackers commonly gain initial access (about 40% via phishing) then use built-in tools like RDP, PowerShell, and PsExec to move laterally while using valid accounts. Talos highlights manufacturing and professional services as top targets and identifies Qilin as the most prolific group, frequently using double-extortion. Defenders should prioritize identity protections, continuous anomaly monitoring, accurate asset inventories, robust backups, EDR, segmentation, and regular ransomware response testing.

RoadK1ll WebSocket Implant Enables Network Pivoting

🛡️ Blackpoint discovered a lightweight Node.js implant named RoadK1ll that uses an outbound WebSocket reverse tunnel to convert compromised hosts into relay points. It forwards TCP traffic on demand, supports multiple concurrent connections, and implements a small set of commands (CONNECT, DATA, CONNECTED, CLOSE, ERROR) to manage proxied sessions. RoadK1ll lacks traditional registry or scheduled-task persistence and runs only while its process remains active. Its stealthy outbound-only design helps attackers pivot to internal systems and bypass perimeter controls.

Kubernetes Controllers as Stealthy Persistent Backdoors

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering or compromising a controller—most commonly via a MutatingWebhookConfiguration—an attacker can intercept pod-creation requests and inject a covert sidecar, turning the cluster’s control loop into a self-healing backdoor. These injections are often invisible to casual inspection, survive pod restarts and upgrades, and can be disguised under benign names. Teams should audit webhooks, monitor RoleBindings and OwnerReferences, and restrict webhook registration to reduce this risk.

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable, with DLL side-loading, lateral movement via PsExec, S3-backed exfiltration, system fingerprinting (including cmd.exe klist), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on brokers, broadens access vectors, and is being seen across varied threat activity.

FortiGate Firewall Exploits Lead to Service Account Theft

🔒 Security researchers warn of a campaign abusing FortiGate Next-Generation Firewall appliances to extract service account credentials and network configuration files. Attackers exploited disclosed vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials to create persistent admin accounts and loosen firewall policies. Compromised service accounts were used to authenticate to Active Directory, enroll rogue workstations, and enable lateral movement prior to detection.