< ciso
brief />
Tag Banner

All news with #threat research tag

91 articles · page 4 of 5

Cybersecurity Needs Diverse Skills Beyond Traditional STEM

🔐 Samantha Stallings argues that cybersecurity benefits from a wide range of backgrounds and talents, not just traditional STEM training. She challenges common stereotypes — the lone hacker or the inevitable technical prodigy — and shows how many roles contribute to effective threat research. Drawing on her own path from art school to Technical Writing Manager and referencing examples such as Dr. Sian Proctor, Stallings emphasizes that writers, marketers, product managers, and social media professionals all have valuable places in security teams. The piece is a direct invitation for nontechnical professionals to consider careers in cybersecurity.
read more →

RansomHouse upgrades encryptor with multi-layered processing

🔒 RansomHouse has upgraded its encryptor to a multi-layered variant called 'Mario', shifting from a single-pass linear transform to a two-stage process that uses a 32-byte primary key and an 8-byte secondary key. The change increases entropy, speeds processing, and aims to improve reliability on modern targets. It also introduces dynamic chunk sizing with intermittent encryption for files over 8GB, complicating static analysis. The updated binary targets VM files, appends the .emario extension, drops a How To Restore Your Files.txt ransom note, and Unit 42 warns this upgrade makes decryption and reverse engineering notably harder.
read more →

Stealka infostealer targets Windows users’ data, wallets

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.
read more →

AI Is Reshaping Modern Cybercrime: Practitioner Findings

🔍 Fortinet and academic partners, including UC Berkeley’s CLTC and the Berkeley Risk and Security Lab, collaborated on global tabletop exercises and analysis to assess how AI is reshaping cybercrime. The Singapore TTX demonstrated that AI amplifies existing attack vectors—speeding reconnaissance, phishing, and malware development—while lowering barriers to entry and fostering criminal specialization. Defenders reported that governance, decision rights, and human judgment often mattered more than specific tools, underscoring the need for strong public-private collaboration and human oversight of AI-assisted detection.
read more →

AI Is Reshaping Modern Cybercrime: Key TTX Findings

🔎 Fortinet and UC Berkeley partners analyzed a Singapore tabletop exercise to assess how AI is reshaping cybercrime and defense. The practitioner perspective complements CLTC’s academic work and shows AI is amplifying existing attack vectors—speeding phishing, reconnaissance, code generation, and malware iteration—while lowering barriers to entry. The exercise highlighted that governance, human judgment, and cross-sector collaboration frequently determine response effectiveness more than specific tools.
read more →

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both conducted malware and credited vulnerability disclosures to Microsoft, illustrating the growing hybridization of actor identities. Finally, BlackLock’s open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.
read more →

Intellexa Continues Exploitation of Zero-Day Bugs Worldwide

🔍 Google Threat Intelligence Group (GTIG) analysis shows that Intellexa, vendor of the Predator spyware, continues to develop and deploy zero‑day exploits against mobile browsers and operating systems despite sanctions. GTIG attributes 15 unique zero‑days to Intellexa out of roughly 70 discovered since 2021, spanning RCE, sandbox escape, and LPE flaws on iOS, Android, and Chrome. The company uses modular exploit frameworks, acquires exploit chain steps from third parties, delivers payloads via one‑time messaging links and malvertising, and embeds anti‑analysis watcher modules to abort operations on detection.
read more →

Check Point Scores 99.59% in NSS Labs Firewall Test

🔒 Check Point Software achieved the highest security effectiveness rating in the recent NSS Labs Enterprise Firewall Test, posting a 99.59% score. The result spotlights its prevention-first architecture and comprehensive threat coverage, which the company says outperformed competing vendors. The blog links this independent validation to rising AI-driven risks, citing Check Point Research findings that 1 in 54 GenAI prompts carries a high risk of sensitive-data exposure and that 91% of frequent AI users are affected, underscoring the need for robust network defense.
read more →

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.
read more →

Google: New AI-Powered Malware Families Deployed

⚠️Google's Threat Intelligence Group reports a surge in malware that integrates large language models to enable dynamic, mid-execution changes—what Google calls "just-in-time" self-modification. Notable examples include the experimental PromptFlux VBScript dropper and the PromptSteal data miner, plus operational threats like FruitShell and QuietVault. Google disabled abused Gemini accounts, removed assets, and is hardening model safeguards while collaborating with law enforcement.
read more →

GTIG report: Adversaries adopt AI for advanced attacks

⚠️ The Google Threat Intelligence Group (GTIG) reports that adversaries are evolving beyond simple productivity uses of AI toward operational misuse. Observed behaviors include state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, automated phishing lure creation and data exfiltration. The report documents AI-powered malware that can generate and modify malicious scripts in real time and attackers exploiting deceptive prompts to bypass model guardrails. Google says it has disabled assets linked to abuse and applied intelligence to improve classifiers and harden models against misuse.
read more →

Generative AI Speeds XLoader Malware Analysis and Detection

🔍 Check Point Research applied generative AI to accelerate reverse engineering of XLoader 8.0, reducing days of manual work to hours. The models autonomously identified multi-layer encryption routines, decrypted obfuscated functions, and uncovered hidden command-and-control domains and fake infrastructure. Analysts were able to extract IoCs far more quickly and integrate them into defenses. The AI-assisted workflow delivered timelier, higher-fidelity threat intelligence and improved protection for users worldwide.
read more →

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.
read more →

Herodotus Android malware mimics human typing behavior

🛡️ Herodotus is a newly observed Android malware family offered as a MaaS that deliberately mimics human input timing to evade behavior-based detection. Threat Fabric says operators likely linked to Brokewell are distributing a dropper via smishing targeting Italian and Brazilian users. The installer requests Accessibility access and uses deceptive overlays to hide permission flows while a built-in "humanizer" inserts randomized 0.3–3s delays between keystrokes to imitate human typing. Users should avoid sideloading APKs, enable Play Protect, and promptly review or revoke Accessibility permissions for unfamiliar apps.
read more →

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.
read more →

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.
read more →

VirusTotal Success: SEQRITE APT Hunting Case Studies

🔎 SEQRITE's APT-Team describes how they used VirusTotal to pivot from isolated clues to comprehensive campaign mapping, tracking UNG0002, Silent Lynx, and DRAGONCLONE between May 2024 and May 2025. Their work combined malware configuration extraction, LNK metadata, code-sign certificate pivots, YARA and Sigma rules, and Livehunt queries to surface related samples and previously unreported implants. The post highlights practical hunting queries and pivots — public key and LNK-ID searches, submitter geofilters, and malware_config values — that enabled attribution and expanded detection across multiple Asian geographies.
read more →

Talos: New PlugX Variant Targets Telecom and Manufacturing

🔍 Cisco Talos revealed a new PlugX malware variant active since 2022 that targets telecommunications and manufacturing organizations across Central and South Asia. The campaign leverages abuse of legitimate software, DLL-hijacking techniques and stealthy persistence to evade detection, and it shares technical fingerprints with the RainyDay and Turian backdoors. Talos describes the activity as sophisticated and ongoing. Organizations should update endpoint, email and network protections, review DLL-hijack mitigations and proactively hunt for related indicators.
read more →

RainyDay, Turian and PlugX Variant Abuse DLL Hijacking

🛡️ Cisco Talos describes an ongoing campaign in which Naikon-linked actors abused DLL search order hijacking to load multiple backdoors, including RainyDay, a customized PlugX variant and Turian. The report highlights shared loaders that use XOR and RC4 decryption with identical keys and an XOR-RC4-RtlDecompressBuffer unpacking chain. Talos notes the PlugX variant adopts a RainyDay-style configuration and includes embedded keylogging and persistence, with activity observed since 2022 targeting telecom and manufacturing organizations in Central and South Asia. Talos published IOCs and recommended mitigations for detection and prevention.
read more →

BadIIS SEO-Poisoning Campaign Targets Vietnam Servers

🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.
read more →