Cybercrime
- DPRK-linked hackers use GitHub as command hub in South Korea attacks
  DPRK-linked hackers used GitHub as command and control infrastructure in attacks on South Korean organizations, Fortinet said. The campaigns relied on LNK files, PowerShell, persistence tasks and trusted cloud services to hide activity.

- Microsoft links Medusa ransomware affiliate to rapid zero-day attacks
  Microsoft said Storm-1175 has used n-day and zero-day flaws in rapid Medusa ransomware attacks, sometimes within 24 hours of initial access, and has hit healthcare, education, finance and other sectors.

- Qilin and Warlock ransomware groups use vulnerable drivers to disable security tools
  Qilin and Warlock ransomware operators have used vulnerable drivers to disable security tools on compromised systems, according to a technical analysis by Cisco Talos and Trend Micro. The findings highlight growing use of BYOVD tactics and in-memory evasion.

- Germany identifies two alleged REvil leaders behind 130 ransomware attacks
  Germany’s Federal Criminal Police Office says it has identified two alleged REvil figures tied to 130 ransomware attacks in the country, with more than €35.4 million in reported damage.

- Researchers track fake installer campaign tied to cryptominers and RATs
  A fake-installer campaign tracked as REF1695 has spread RATs and cryptominers since November 2023, with researchers estimating at least 27.88 XMR in proceeds. The operation also used ISO lures, Defender evasion and GitHub-hosted payloads.

- CERT-UA impersonation phishing campaign spread AGEWHEEZE malware
  A phishing campaign impersonating Ukraine’s CERT-UA spread AGEWHEEZE malware to organizations and individuals in March, though officials said only a small number of personal devices were infected.

- Phishing campaign uses Casbaneiro and Horabot to target Latin America and Europe
  A phishing campaign is using court summons-themed emails, WhatsApp automation and ClickFix tactics to spread Casbaneiro and Horabot across Latin America and Europe, according to a BlueVoyant technical analysis.

- Google links Axios npm compromise to suspected North Korean group
  Google has linked the Axios npm supply chain compromise to a suspected North Korean group after attackers pushed trojanized package versions that could deliver malware to Windows, macOS and Linux systems.

- DeepLoad malware uses ClickFix lure and WMI to spread and steal credentials
  A new DeepLoad malware campaign is using ClickFix lures, Windows tools and WMI to steal credentials, hide activity and reinfect cleaned hosts, according to a technical analysis from ReliaQuest.