< ciso
brief />
Tag Banner

All news with #threat research tag

91 articles · page 3 of 5

Threat Actor Used Elastic Cloud SIEM to Store Stolen Data

🔒 Researchers uncovered a campaign in which a threat actor exploited multiple enterprise software flaws to harvest system data and deposit it into a free-trial Elastic Cloud SIEM instance. The attacker used an encoded PowerShell payload to collect OS, hardware, Active Directory and patch details, sending records into an Elasticsearch index named systeminfo. Telemetry showed the trial was registered via a disposable email and accessed repeatedly through Kibana as the operator triaged victims. Huntress coordinated with Elastic and law enforcement to notify affected organisations and take the instance offline.
read more →

Weekly Cybersecurity Recap: Exploits, Takedowns, Trends

🛡️ This week's roundup highlights major offensive operations, critical vulnerabilities, and notable law enforcement wins. Security firms and authorities dismantled the infrastructure behind Tycoon2FA and disrupted LeakBase, striking at large-scale AitM phishing and underground data markets. At the same time, researchers disclosed high-impact flaws — from a Qualcomm chipset exploit to the powerful Coruna iOS kit — underscoring persistent risk and the need for rapid patching. Prioritize the listed CVEs and accelerate triage and remediation.
read more →

SMBs, threat research and MDR: building a defensive edge

🔍 ESET’s threat research team combines telemetry, incident investigation and curated intelligence to help SMBs understand attacker methods and improve detections. Through MDR the company layers human-led hunting and rapid, tailored responses on top of endpoint protection, giving organizations clearer visibility and faster containment. This practical blend of technology and expertise makes advanced defence accessible without the cost of an in-house SOC.
read more →

Local KTAE On-Prem Deployment and IDA Pro Plugin Integration

🔒 Kaspersky outlines the on-premise Kaspersky Threat Attribution Engine (KTAE) and a free IDA Pro plugin that embeds attribution into the reverse-engineering workflow. The local KTAE keeps all analysis inside the customer perimeter, supports adding proprietary threat groups, and enriches attribution with internal research. The Python-based plugin requires IDA Pro (not IDA Free), a local KTAE URL and an API token, then highlights code fragments that triggered the attribution.
read more →

Internal and External Threat Intelligence for Security

🔍 Threat intelligence isn't the problem—it's the type and context. Security teams need both internal intelligence (signals and telemetry from inside their environment) and external intelligence (attacker activity, campaigns, and indicators) because each alone gives an incomplete picture. Many organizations ingest multiple generic, fragmented, and delayed feeds that confuse rather than clarify risk, causing critical decisions to be based on underrefined data. Integrating and enriching feeds with internal telemetry turns raw alerts into prioritized, actionable insights.
read more →

Top Cybersecurity Documentaries for Security Leaders

🎬 This curated list highlights notable documentaries that explore hacker culture, cybercrime, surveillance, and the internet's infrastructure from the mid‑1980s to the mid‑2020s. It features landmark films such as Citizenfour, Zero Days, and profiles of figures including Steve Wozniak, Marcus Hutchins, and Ross Ulbricht. Several entries are freely available, and the compilation is recommended for security leaders seeking historical context and practical insights for training and strategy.
read more →

Smashing Security #454: AI panic, Moltbook, and risks

🤖 In episode 454 of the Smashing Security podcast Graham Cluley and guest Iain Thomson examine the Moltbook saga — an AI-only social network that sparked doomsday talk but largely reflected humans role-playing as bots. They also warn that “vibe coding” can be a dangerous design choice when security researchers can easily peek into private messages, API keys and databases. The show touches on pro-Russian hacker activity around the Winter Olympics and cites reporting from Forbes, Wired, Reuters, The Record and the BBC.
read more →

AI-Enabled Cybercrime Tabletop: From Theory to Pressure

🔐 Fortinet and UC Berkeley's CLTC led the third AI-enabled cybercrime tabletop, Operation Black Ice, to test governance and executive decision-making under compressed timelines. The exercise showed AI accelerates impersonation and extortion, turning trust dependencies into primary attack surfaces. Key lessons: identity verification must be multi-channel, third-party disclosures must be predefined, and ransom choices require rehearsed coordination rather than improvisation.
read more →

Phishing Happens to Everyone, Including Experts Today

🔒 A convincing, routine text claiming an unpaid toll demonstrates how even cautious people can fall for phishing. A well-known security expert admitted to repeatedly failing internal simulations, showing that distraction, emotional context, and timing defeat training. Flare's analysis of 8,627 underground conversations describes a mature phishing economy — PhaaS platforms, AI tools like PhishGPT, turnkey kits, and resilient infrastructure. The practical lesson: build habits, add friction, and pause before you click.
read more →

VoidLink: AI-Assisted Linux Malware Framework Revealed

🛡️ Check Point Research and Sysdig examined a sophisticated Linux malware framework called VoidLink and concluded a single developer used an AI coding agent to accelerate development. The Zig-based project grew to over 88,000 lines by December 2025 and exhibits systematic artifacts — consistent debug formatting, placeholder data like "John Doe", uniform _v3 API patterns, and exhaustive JSON templates — that suggest heavy LLM involvement. No real-world infections have been observed, but researchers warn this case demonstrates how AI can rapidly lower the barrier to creating advanced offensive tooling.
read more →

VoidLink cloud malware shows clear signs of AI generation

🧠 Check Point Research reports that the VoidLink Linux cloud malware framework displays clear evidence of being developed predominantly with AI assistance. The actor used an AI-centric IDE, TRAE, and its assistant TRAE SOLO to produce specification documents, sprint plans, and large portions of source code, which reached a working state within days. Exposed development artifacts — including TRAE helper files and an open directory of source and docs — allowed researchers to match generated specs to the recovered code and reproduce the development workflow, leading Check Point to conclude this is a notable example of AI-driven malware development.
read more →

VoidLink Signals a New Era in AI-Generated Malware

🤖 Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.
read more →

Mandiant Publishes Tool to Expose NTLMv1 Insecurity

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.
read more →

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.
read more →

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.
read more →

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
read more →

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.
read more →

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" and "Дополнительные выплаты") which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.
read more →

Palo Alto Unit 42 Warns of Risks from Vibe Coding Practices

🛡️ Palo Alto Networks' Unit 42 warns that the generalization of vibe coding — using natural-language AI prompts to write code — has already been linked to data breaches, arbitrary code injection and authentication bypass incidents. Researchers say rapid adoption by both hobbyists and experienced developers often outpaces governance, leaving organizations with limited visibility and inadequate monitoring. To help customers assess and mitigate these risks, Unit 42 introduced SHIELD, a targeted security governance framework outlining separation of duties, human-in-the-loop checks, input/output validation, security-focused helper models, least agency and defensive technical controls.
read more →

n8n npm Packages Used in OAuth Credential Theft Campaign

🔒 Researchers found eight malicious npm packages impersonating n8n community nodes that were designed to steal developers' OAuth credentials. The packages mimicked legitimate integrations (for example, Google Ads), saved encrypted OAuth tokens to n8n's credential store, then used the instance master key at runtime to decrypt and exfiltrate tokens to attacker-controlled servers. Analysts urge disabling community nodes and auditing packages before installation.
read more →