APT ANALYSIS
APT analysis focused on modeling, detecting and managing complex attacks. Providing accurate data and solutions for threat forecasting, backed by real-world security experience.
1 750 subscribers
♣️BTMOB RAT: Newly Discovered Android Malware Spreading via Phishing Sites
♣️Hunters International Ransomware: Tactics, Impact, and Defense Strategies
♣️Threat updates: AidLocker/Frag - new variants of HellCat/Morpheus ransomware
♣️Dark Web Profile: Fog Ransomware
♣️Merlin, Loki buddy: another agent for Mythic attacks Russian companies
♣️JavaScript to Command-and-Control (C2) Server Malware
♣️Magento Credit Card Stealer Disguised in an <img> Tag
♣️New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs
♣️Ransomware Roundup – Lynx
♣️Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time
♣️Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024
♣️Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
♣️Don’t Ghost the SocGholish: GhostWeaver Backdoor
♣️Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure
♣️LDAPNightmare Spoof Stealer
⭐️@APTANALYSIS
♣️Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre APT
#️⃣Blog : https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt
♣️How to check for OAuth apps with specific Graph permissions assigned
#️⃣Blog : https://jeffreyappel.nl/how-to-check-for-oauth-apps-with-specific-graph-permissions-assigned/
♣️Writing a Ghidra processor module
#️⃣Blog : https://irisc-research-syndicate.github.io/2025/02/14/writing-a-ghidra-processor-module/
♣️Infostealing Malware Infections in the U.S. Military & Defense Sector: A Cybersecurity Disaster in the Making
#️⃣Blog : https://www.infostealers.com/article/infostealing-malware-infections-in-the-u-s-military-defense-sector-a-cybersecurity-disaster-in-the-making/
♣️Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405)
#️⃣Blog : https://www.wiz.io/blog/nuclei-signature-verification-bypass
♣️How Wiz found a Critical NVIDIA AI vulnerability: Deep Dive into a container escape (CVE-2024-0132)
#️⃣Blog : https://www.wiz.io/blog/nvidia-ai-vulnerability-deep-dive-cve-2024-0132
♣️Debugging An Undebuggable App
#️⃣Blog : https://bryce.co/undebuggable/
⭐️@APTANALYSIS
♣️Velvet Chollima APT Adversary Simulation
🙂Repo : https://github.com/S3N4T0R-0X0/APT-Attack-Simulation/tree/main/North%20Koreans%20APT/Velvet%20Chollima
🔥Blog : https://medium.com/@S3N4T0R/labyrinth-chollima-apt-adversary-simulation-b4f6a79bb68f
♣️Concealing Payloads: Hiding Shellcode in Image Files with Python and C/C++
🐍Blog : https://wafflesexploits.github.io/posts/Hide_a_Payload_in_Plain_Sight_Embedding_Shellcode_in_a_Image_file/
🩸Repo : https://github.com/WafflesExploits/hide-payload-in-images
⭐️@APTANALYSIS
♣️Malware installed using the Ivanti Connect Secure vulnerability
⚗️Blog : https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html
♣️You've Got Malware: FINALDRAFT Hides in Your Drafts
⚗️Blog : https://www.elastic.co/security-labs/finaldraft
♣️RevivalStone: Winnti Group's attack campaign targeting Japanese organizations
⚗️Blog : https://www-lac-co-jp.translate.goog/lacwatch/report/20250213_004283.html
♣️Digital Breadcrumbs in Memory: Unmasking a Web Server Compromise
⚗️Blog : https://www.securityblue.team/blog/posts/digital-breadcrumbs-memory-web-server-compromise
♣️CTO at NCSC Summary: week ending February 16th
⚗️Blog : https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-february-db4
♣️Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
⚗️Blog : https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication
♣️Lazarus Backdoor with IT Lure
⚗️Blog : https://dmpdump.github.io/posts/Lazarus-Backdoor-ITLure/
♣️MAC(B)ypassing for Persistence
⚗️Blog : https://medium.com/@hacksplaining/mac-b-ypassing-for-persistence-22e425ca7c85
♣️Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
⚗️Blog : https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
♣️Lurking in the shadows: Unsupervised decoding of beaconing communication for enhanced cyber threat hunting
⚗️Blog : https://www.sciencedirect.com/science/article/pii/S1084804525000244
⭐️@APTANALYSIS
♣️The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
👁Blog : https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation
♣️Curious case of AD CS ESC15 vulnerable instance and its manual exploitation
👁Blog : https://www.mannulinux.org/2025/02/Curious-case-of-AD-CS-ESC15-vulnerable-instance-and-its-manual-exploitation.html
♣️Anti-Rootkit Techniques
👁Part 1 : https://eversinc33.com/posts/anti-anti-rootkit-part-i.html
👁Part 2 : https://eversinc33.com/posts/anti-anti-rootkit-part-ii.html
👁Part 3 : https://eversinc33.com/posts/anti-anti-rootkit-part-iii.html
♣️SonicWall CVE-2024-53704: SSL VPN Session Hijacking
👁Blog : https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
♣️Exploring the DOMPurify library
👁Part 1 : https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes
👁Part 2 : https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations
⭐️@APTANALYSIS
♣️Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
⚰️Blog : https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
⭐️@APTANALYSIS
♣️How We Hacked a Software Supply Chain for $50K
💰Blog : https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/
♣️Leaking the email of any YouTube user for $10,000
💰Blog : https://brutecat.com/articles/leaking-youtube-emails
♣️From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11
📺Blog : https://devco.re/blog/2025/02/12/from-convenience-to-contagion-the-half-day-threat-and-libarchive-vulnerabilities-lurking-in-windows-11-en/
♣️cloud image name confusion attack
📺Blog : https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/
⭐️@APTANALYSIS
♣️Further insights into Ivanti CSA 4.6 vulnerabilities exploitation
🐈Blog : https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation
♣️Detecting cases of Akira Ransomware Attacks with AhnLab EDR
🐈Blog : https://asec.ahnlab.com/ko/86186
♣️Linux Detection Engineering - Approaching the Summit on Persistence Mechanisms
🐈Blog : https://www.elastic.co/security-labs/approaching-the-summit-on-persistence
♣️Inside a Malware Campaign: A Nigerian Hacker’s Perspective
🐈Blog : https://cyberarmor.tech/inside-a-malware-campaign-a-nigerian-hackers-perspective
♣️RATatouille: Cooking Up Chaos in the I2P Kitchen
🐈Blog : https://blog.sekoia.io/ratatouille-cooking-up-chaos-in-the-i2p-kitchen
♣️Secret message: TA558 steganography ploys in cyber attacks on enterprises in Russia and Belarus
🐈Blog : https://www.facct.ru/blog/ta558
♣️Persistent Threats from the Kimsuky Group Using RDP Wrapper
🐈Blog : https://asec.ahnlab.com/en/86098
♣️NetSupport RAT Clickfix Distribution
🐈Blog : https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
⭐️@APTANALYSIS
♣️The auditor has arrived: pg_anon checks whether everything is hidden
😈Blog : https://habr.com/ru/companies/rostelecom/articles/876124
♣️BitLocker Stale Recovery Key Cleanup: No More Silent Encryption Failures
🔪Blog : https://patchmypc.com/bitlocker-recovery-key-cleanup-fix-200-key-limit
♣️No need to RSVP: a closer look at the Tria stealer campaign
😈Blog : https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/115295
♣️Infostealer malware linked to Lazarus Group campaigns
🔪Blog : https://medium.com/@rayssac/infostealer-malware-linked-to-lazarus-group-campaigns-a510ad5f3e4f
♣️Targeted Threats Research - South & North Korea (a breakdown of 3 years of civil society threat research in Korea)
😈Blog : https://www.0x0v1.com/targeted-threats-research-south-north-korea
♣️Malicious ML models discovered on Hugging Face platform
🔪Blog : https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face
♣️Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
😈Blog : https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
♣️How to Investigate Malware WMI Event Consumers 2025
🔪Blog : https://www.cybertriage.com/blog/how-to-investigate-malware-wmi-event-consumers-2025/
⭐️@APTANALYSIS
♣️Exploring a VPN Appliance: A Researcher’s Journey
🔴Blog : https://www.akamai.com/blog/security-research/2025-february-fortinet-critical-vulnerabilities#vulnerabilities
♣️CVE-2025-0693: AWS IAM User Enumeration
🔴Blog : https://rhinosecuritylabs.com/research/unauthenticated-username-enumeration-in-aws
♣️How auto-generated passwords in Sitevision lead to signing key leakage - CVE-2022-35202
🔴Blog : https://www.shelltrail.com/research/how-auto-generated-passwords-in-sitevision-leads-to-signing-key-leakage-cve-2022-35202
⭐️@APTANALYSIS
♣️PsExec’ing the right way and why zero trust is mandatory
😈Blog : https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory
⭐️@APTANALYSIS
♣️Fault Injection – Looking for a Unicorn
🔮Blog : https://security.humanativaspa.it/fault-injection-looking-for-a-unicorn
♣️Build Your Own Offensive Security Lab: A Step-by-Step Guide with Ludus
✝️Blog : https://xphantom.nl/posts/Offensive-Security-Lab
⭐️@APTANALYSIS
♣️Exploitable Episode One - Breaking IoT
🦖Blog : https://blog.doyensec.com/2025/02/11/exploitable-iot.html
⭐️@APTANALYSIS
♣️Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated… (Claroty Team82)
👁Blog : https://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated
⭐️@APTANALYSIS
♣️Hidden in Plain Sight: PDF Mishing Attack
😈Blog : https://zimpstage.wpengine.com/blog/hidden-in-plain-sight-pdf-mishing-attack/
♣️ROPing our way to RCE
😈Blog : https://modzero.com/en/blog/roping-our-way-to-rce/
♣️Beyond the Chatbot: Meta Phishing with Fake Live Support
😈Blog : https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/beyond-the-chatbot-meta-phishing-with-fake-live-support/
♣️Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself
😈Blog : https://www.picussecurity.com/resource/blog/lynx-ransomware
♣️Premium Panel: phishing tool used in longstanding campaigns worldwide
😈Blog : https://www.intrinsec.com/wp-content/uploads/2025/01/TLP-CLEAR-Live-Control-Panel-Premium-EN.pdf
♣️FinStealer
😈Blog : https://www.cyfirma.com/research/finstealer/
♣️SiphonDNS: covert data exfiltration via DNS
😈Blog : https://ttp.report/evasion/2025/02/03/siphondns-covert-dns-exfiltration.html
⭐️@APTANALYSIS
♣️NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App
🐦Blog : https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/
♣️Malicious NPM packages target marked-js library
😶Blog : https://sourcecodered.com/npm-packages-target-marked-js
⭐️@APTANALYSIS
♣️CVE-2023-6080: A Case Study on Third-Party Installer Abuse
👁Blog : https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-third-party-installer-abuse
♣️Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations
👁Blog : https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
♣️Scalable Vector Graphics files pose a novel phishing threat
👁🗨Blog : https://news.sophos.com/en-us/2025/02/05/svg-phishing/
⭐️@APTANALYSIS
♣️Funksec Ransomware Teams Up with Another Ransomware Group to Double Down on Targets
🐦Blog : https://www.sonicwall.com/blog/funksec-ransomware-teams-up-with-another-ransomware-group-to-double-down-on-targets
⭐️@APTANALYSIS
♣️ALPHV Ransomware : Analyzing the BlackCat After Change Healthcare Attack
🐈⬛Blog : https://www.picussecurity.com/resource/blog/alphv-ransomware
⭐️@APTANALYSIS