Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android.
The tech giant said it will begin using Gemini Nano, its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops.
"The on-device approach provides instant insight on risky websites and allows us to offer protection, even against scams that haven't been seen before. Gemini Nano's LLM is perfect for this use because of its ability to distill the varied, complex nature of websites, helping us adapt to new scam tactics more quickly," the company said.
Google noted that it's already using this AI-driven approach to tackle remote tech support scams, which often seek to trick users into parting with their personal or financial information under the pretext of a non-existent computer problem.
This works by evaluating the web pages using the LLM for potential signals that are emblematic of tech support scams, such as the use of the keyboard lock API. The security signals are then extracted and passed to Safe Browsing to determine if the page is likely a scam.
"In addition to ensuring that the LLM is only triggered sparingly and run locally on the device, we carefully manage resource consumption by considering the number of tokens used, running the process asynchronously to avoid interrupting browser activity, and implementing throttling and quota enforcement mechanisms to limit GPU usage," Jasika Bawa, Andy Lim, and Xinghui Lu of the Google Chrome Security team said.
Google said it intends to expand this feature to detect other kinds of scams, including those related to package tracking and unpaid tolls. The feature is also expected to be rolled out to Chrome on Android later this year.
As part of the announcement, Google also revealed that it has enhanced its AI-powered scam detection systems to ensnare 20 times more deceptive pages and block such pages from search results, reducing schemes that impersonate airline customer service providers by over 80% and those that mimic official resources like visas and government services by over 70% in 2024.
Lastly, Google said it's launching a new warnings feature for Chrome on Android that uses an on-device machine learning model to alert users of unwanted notifications sent by malicious sites that aim to trick them into downloading suspicious software or providing sensitive data.
"This new feature uses on-device machine learning to detect and warn you about potentially deceptive or spammy notifications, giving you an extra level of control over the information displayed on your device," Chrome Security's Hannah Buonomo and Sarah Krakowiak Criel said.
"When a notification is flagged by Chrome, you'll see the name of the site sending the notification, a message warning that the contents of the notification are potentially deceptive or spammy, and the option to either unsubscribe from the site or see the flagged content."
The features come a little over two months after Google rolled out AI-powered scam detection features in the Messages app for Android. Last year, the company unveiled similar ways to flag scam calls.
The updates also arrive as Google appears to be readying an Advanced Protection feature in Android 16 that, in some ways, mirrors Apple's approach by turning off JavaScript, disabling 2G connections, and activating a number of security features by default, such as Theft Detection Lock, Offline Device Lock, Android Safe Browsing, and spam protection in Messages.
Google has also been spotted working on a feature to detect scams that coax victims into opening their banking apps during phone calls, Android Authority reported earlier this week.
from The Hacker News https://ift.tt/mGUcL6I
via IFTTT
A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.
Forescout Vedere Labs, in a report published today, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.
CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint.
The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework.
According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
The SAP security firm said it observed reconnaissance activity that involved "testing with specific payloads against this vulnerability" against its honeypots as far back as January 20, 2025. Successful compromises that deployed web shells were observed between March 14 and March 31.
Google-owned Mandiant, which is also engaged in incident response efforts related to these attacks, has evidence of exploitation occurring on March 12, 2025.
In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency.
This, per Forescout, also includes Chaya_004, which has hosted a web-based reverse shell written in Golang called SuperShell on the IP address 47.97.42[.]177. The operational technology (OT) security company said it extracted the IP address from an ELF binary named config that was put to use in the attack.
"On the same IP address hosting Supershell (47.97.42[.]177), we also identified several other open ports, including 3232/HTTP using an anomalous self-signed certificate impersonating Cloudflare with the following properties: Subject DN: C=US, O=Cloudflare, Inc, CN=:3232," Forescout researchers Sai Molige and Luca Barba said.
Further analysis found the threat actor to be hosting various tools across its infrastructure: NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.
"The use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China," the researchers added.
To defend against attacks, it's essential that users apply the patches as soon as possible, if not already, restrict access to the metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor for suspicious activity.
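As an added illustration of the monitoring advice above (this is not code from the Forescout or Onapsis reports): a small Python checker that reads web-server access log lines and flags requests to the metadata uploader endpoint from outside an assumed allowlist, plus JSP requests that follow an upload from the same source. The allowlist range, the log lines and the JSP path are constructed for the example.

```python
import ipaddress
import re

# Endpoint named in the coverage above; the advice is to restrict access to it.
METADATA_UPLOADER = "/developmentserver/metadatauploader"

# Source ranges assumed (hypothetically) to be the only legitimate users of the endpoint.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed combined-log-format lines; addresses are documentation ranges, not real IoCs,
# and the .jsp path is a placeholder, not a reported web shell name.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2025:10:15:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2025:10:15:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:10:16:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.12 - - [29/Apr/2025:10:17:30 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 2048 "-" "SAP-Tool"
203.0.113.5 - - [29/Apr/2025:10:18:45 +0000] "GET /irj/root/EXAMPLE_UPLOADED.jsp HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def is_allowed_source(ip, networks):
    """True if the client address falls inside one of the approved networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def analyze(log_text, networks=ALLOWED_NETWORKS):
    """Return findings for traffic touching the uploader and follow-on JSP requests."""
    findings = []
    uploaded_from = set()  # sources that POSTed to the uploader from outside the allowlist
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if path.lower() == METADATA_UPLOADER:
            if is_allowed_source(ip, networks):
                sev, why = "info", "uploader used from an approved source"
            elif method == "POST":
                sev, why = "high", "upload attempt to metadata uploader from unapproved source"
                uploaded_from.add(ip)
            else:
                sev, why = "medium", "probe of metadata uploader from unapproved source"
            findings.append({"ip": ip, "ts": rec["ts"], "severity": sev, "reason": why})
        elif ip in uploaded_from and path.lower().endswith(".jsp") and rec["status"] == 200:
            # A JSP served successfully to a source that just uploaded is worth a look:
            # it may be the newly dropped web shell being checked.
            findings.append({"ip": ip, "ts": rec["ts"], "severity": "high",
                             "reason": "JSP served to a source that previously uploaded"})
    return findings


def sources_to_investigate(findings):
    """Distinct client addresses with at least one high-severity finding."""
    return sorted({f["ip"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['ts']}  {f['reason']}")
    print("investigate:", sources_to_investigate(results))
```

Point the checker at real access logs with the allowlist set to the hosts that actually use the uploader, and treat any remaining GET or POST hits as triage items.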
Onapsis CTO Juan Pablo JP Perez-Etchegoyen told The Hacker News that the activity highlighted by Forescout is post-patch, and that it "will further expand the threat of leveraging deployed web shells not only to opportunistic (and potentially less sophisticated) threat actors, but also more advanced ones seem to have been rapidly reacting to this issue to leverage the existing compromises and further expand."
from The Hacker News https://ift.tt/z0iktPx
via IFTTT
Welcome to this week’s edition of the Threat Source newsletter.
Authority bias is one of the many things that shape how we think. Taking the advice of someone with recognized authority is often far easier (and usually leads to a better outcome) than spending time and effort in researching the reasoning and logic behind that advice. Put simply, it’s easier to take your doctor’s advice on health matters than it is to spend years in medical school learning why the advice you received is necessary.
This tendency to respect and follow authoritative instructions translates into our use of computers, too. If you’re reading this, you’ve likely been the recipient of many questions about computer-related matters from friends and family. However, your trust can be abused, even by someone who seems knowledgeable and respectable.
Attackers have learned that by impersonating individuals with some form of authority, such as banking staff, tax officials or IT professionals, they can persuade victims to carry out actions against their own interests. In our most recent Incident Response Quarterly Trends update, we describe how ransomware actors masquerade as IT agents when contacting their victims, instructing them to install remote access software. This allows the threat actor to set up long-term access to the device and continue the pursuit of their malicious objectives.
If someone contacts you out of the blue professing to be an IT or bank/tax expert with urgent or helpful instructions, end the conversation immediately. Follow up with a call to the main contact details of the team or organization that contacted you to verify if the call was genuine. Be aware of the scams that the bad guys are using and spread awareness far and wide. Expect threat actors to attempt to exploit human nature and its own vulnerabilities.
The one big thing
Threat hunting is an integral part of any cyber security strategy because identifying potential incursions early allows issues to be swiftly resolved before harm is incurred. There are many different approaches to threat hunting, each of which may uncover different threats.
Why do I care?
As threat actors increasingly use living-off-the-land binaries (LOLBins) — i.e. using either dual-use tools or the tools that they find already in place on compromised systems — detecting the presence of an intruder is no longer a case of simply finding their malware.
Spotting bad guys is still possible, but requires a slightly different approach: either looking for evidence of the potential techniques they use, or finding evidence that things aren’t quite as they should be.
So now what?
Read about the different types of threat hunting strategies the Talos IR team uses and investigate how these can be used within your environment to improve your chances of finding incursions early.
Top security headlines of the week
MySQL turns 30
The popular database was founded on May 23, 1995 and is at the heart of many high-traffic applications such as Facebook, Netflix, Uber, Airbnb, Shopify, and Booking.com. (Oracle)
Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
A resident of California has pleaded guilty to conducting an attack in which 1.1 TB of data was stolen. The attack was conducted by releasing a trojan masquerading as an AI art generation application. (The Register)
Ransomware Group Claims Attacks on UK Retailers
The DragonForce ransomware group says it orchestrated the disruptive cyberattacks that hit UK retailers Co-op, Harrods, and Marks & Spencer (M&S). (Security Week)
Attackers Ramp Up Efforts Targeting Developer Secrets
Attackers are increasingly seeking to steal secret keys or tokens that have been inadvertently exposed in live environments or published in online code repositories. (Dark Reading)
Can’t get enough Talos?
Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents.
Threat Hunting with Talos IR
Talos recently published a blog on the framework behind our Threat Hunting service, featuring a handy video.
Cybersecurity researchers have exposed what they say is an "industrial-scale, global cryptocurrency phishing operation" engineered to steal digital assets from cryptocurrency wallets for several years.
The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin.
"FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets," security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel said in a technical report shared with The Hacker News.
"Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases."
The scale of the campaign is reflected in the fact that over 38,000 distinct FreeDrain sub-domains hosting lure pages have been identified. These pages are hosted on cloud infrastructure like Amazon S3 and Azure Web Apps, and mimic legitimate cryptocurrency wallet interfaces.
The activity has been attributed with high confidence to individuals based in the Indian Standard Time (IST) time zone, working standard weekday hours, citing patterns of GitHub commits associated with the lure pages.
The attacks have been found to target users searching for wallet-related queries like "Trezor wallet balance" on search engines like Google, Bing, and DuckDuckGo, redirecting them to bogus landing pages hosted on gitbook.io, webflow.io, and github.io.
Unsuspecting users who land on these pages are served a static screenshot of the legitimate wallet interface; clicking it triggers one of the following three behaviors:
Redirect the user to legitimate websites
Redirect the user to other intermediary sites
Direct the user to a lookalike phishing page that prompts them to enter their seed phrase, effectively draining their wallets
"The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy," the researchers said. "And once a seed phrase is submitted, the attacker's automated infrastructure will drain funds within minutes."
It is believed that the textual content used in these decoy pages is generated using large language models like OpenAI GPT-4o, indicative of how threat actors are abusing generative artificial intelligence (GenAI) tools to produce content at scale.
FreeDrain has also been observed resorting to flooding poorly-maintained websites with thousands of spammy comments to boost the visibility of their lure pages via search engine indexing, a technique called spamdexing that's often used to game SEO.
It's worth pointing out that some aspects of the campaign have been documented by Netskope Threat Labs since August 2022 and as recently as October 2024, when the threat actors were found utilizing Webflow to spin up phishing sites masquerading as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
"FreeDrain's reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale," the researchers noted.
"The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts rapidly to infrastructure takedowns. By abusing dozens of legitimate services to host content, distribute lure pages, and route victims, FreeDrain has built a resilient ecosystem that's difficult to disrupt and easy to rebuild."
The disclosure comes as Check Point Research said it uncovered a sophisticated phishing campaign that abuses Discord and singles out cryptocurrency users in order to steal their funds using a Drainer-as-a-Service (DaaS) tool called Inferno Drainer.
The attacks entice victims into joining a malicious Discord server by hijacking expired vanity invite links, while also taking advantage of Discord OAuth2 authentication flow to evade automated detection of their malicious websites.
Figure: Breakdown of total domains into suspected and confirmed URLs by quantity.
Between September 2024 and March 2025, more than 30,000 unique wallets are estimated to have been victimized by Inferno Drainer, leading to at least $9 million in losses.
Inferno Drainer claimed to have shut down its operations in November 2023. But the latest findings reveal that the crypto drainer remains active, employing single-use smart contracts and on-chain encrypted configurations to make detection more challenging.
"Attackers redirect users from a legitimate Web3 website to a fake Collab.Land bot and then to a phishing site, tricking them into signing malicious transactions," the company said. "The drainer script deployed on that site was directly linked to Inferno Drainer."
"Inferno Drainer employs advanced anti-detection tactics — including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication — successfully bypassing wallet security mechanisms and anti-phishing blacklists."
The findings also follow the discovery of a malvertising campaign that leverages Facebook ads that impersonate trusted cryptocurrency exchanges and trading platforms like Binance, Bybit, and TradingView to lead users to sketchy websites instructing them to download a desktop client.
"Query parameters related to Facebook Ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content," Bitdefender said in a report shared with the publication.
"If the site detects suspicious conditions (e.g., missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless, unrelated content instead."
The installer, once launched, displays the login page of the impersonated entity through msedge_proxy.exe to keep up the ruse, while additional payloads are silently executed in the background to harvest system information, or execute a sleep command for "hundreds of hours on end" if the exfiltrated data indicates a sandboxing environment.
The Romanian cybersecurity company said hundreds of Facebook accounts have advertised these malware-delivering pages mainly targeting men over 18 years in Bulgaria and Slovakia.
"This campaign showcases a hybrid approach, merging front-end deception and a localhost-based malware service," it added. "By dynamically adjusting to the victim's environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation."
from The Hacker News https://ift.tt/kHcweMy
via IFTTT
Security automation tools can lower risk of a breach while also increasing efficiency, effectiveness, and ROI of security investments. But these, too, are a balancing act.
When does it make sense to invest in automation tools to strengthen and scale your security posture versus hiring more people?
People vs. automation: Balancing cost and talent in risk management
Automation — especially when paired with artificial intelligence (AI) — is already remaking the workplace and the cybersecurity landscape. Over 44% of organizations already use some form of AI-driven automation in cybersecurity. At the same time, the need for security talent has never been higher. Here are some guidelines to help determine when to invest in technology automation and when to hire.
When to invest in automation
Organizations have different needs. But all of them share the need to lower cybersecurity risk. Over the years, this has led to a proliferation of security products installed as organizations chase the latest tech trends, adding complexity to an already challenging discipline. Many organizations use a common set of criteria or guiding principles when making investment decisions for automation.
High volume of repetitive tasks
Automation tools can parse huge volumes of data and perform repetitive tasks with speed and accuracy. Tasks like security data analysis, log monitoring, and compliance reporting are good examples of high-volume risk management activities that can be automated. Others include infrastructure provisioning and security policy enforcement.
For example, many data breaches are caused by cloud misconfigurations because security controls are either overlooked or inappropriately set, creating a vulnerability that is exploited. Automation tools can prevent configuration errors through automated provisioning and policy as code and catch any potential problems that may creep into environments over time through continuous monitoring.
Need for real-time threat detection and response
Many security enthusiasts argue that the sophistication and sheer volume of threats today means every organization needs real-time threat detection and response capability. Whether that is true or not is a decision for each organization. If this capability is needed, automation tools are required. These tools combine AI, machine learning, and threat intelligence to continuously monitor for threats and mitigate them at a rate that simply cannot be done by a human. Organizations using AI and automation identify and contain breaches 100 days faster on average than ones that don’t.
Rapid growth where scalability matters
Any organization planning to scale quickly will lean on automation tools to accelerate operations without increasing staff or adding unnecessary workload onto existing teams. This includes many risk management and security-related tasks.
Tight budget
Cost is a big consideration when choosing between hiring staff or investing in automation. For some organizations, it may be the leading factor because hiring and training teams of security analysts to analyze alerts and respond to incidents is simply unaffordable. Both activities can be done more efficiently and cost-effectively by a small team using automation tools.
Too many review steps that can be done with software
Automation is a good solution for streamlining any operation that involves repeatable steps or relatively simple decisions. If risk management processes are being slowed down waiting on manual review steps (e.g. tickets), those tasks could be automated, mitigating vulnerabilities faster and potentially reducing incident response time.
Demanding regulatory requirements
When regulatory compliance is mandated and the cost of noncompliance is high, many organizations lean on automation tools to continuously monitor environments and ensure requirements are met instead of relying solely on conducting interviews and performing manual audits.
Lack of security talent
Even organizations with large security budgets struggle with finding talented, experienced security experts. The security talent gap has been a problem for years and continues to grow. Automation tools can help offset staffing shortages and skills gaps.
When to invest in more talent
While the security talent gap remains and automation tools continue to become more capable of handling tasks, there are some risk management activities that require security experts.
Complex threat analysis
Security tools produce mountains of alerts. Which alerts really pose a threat and which ones are merely noise? While automated tools can help reduce the volume of alarms that make it to a security analyst’s desk, there are some alerts that require detailed risk analysis performed by someone with expertise, contextual understanding, and intuition to determine exposure. And while some products excel in removing noise, there’s still a level of human customization for alerting that needs to take place.
Incident investigation and response
When a security incident occurs, it must be investigated to understand the root cause, regardless of the severity of the event. Tools can aid in this process, but the investigation must be led by security experts.
Strategic risk planning and collaboration
Evaluating risk is an ongoing process that involves strategic planning to align an organization’s security strategy and capabilities with its short- and long-term goals and risk appetite. In fact, it is one of the top priorities for executives this year, especially in light of AI’s developments.
Strategic risk planning involves identification and analysis of risks and priorities with a clear understanding of organizational strategy to develop security policies and set direction, which can only be done with cross-functional input from key people across an organization.
Calculating the numbers
How to balance the cost of adding staff and investing in automation is a complicated, multi-factor decision. But from a high-level financial perspective, the following formula can help compare the costs (rough estimates are often sufficient):
Cost of automation
Yearly cost of product + (Yearly maintenance hours x Administrator’s hourly cost) + Yearly product education costs + support costs
Cost of hiring
(Annual salary + benefits) x Number of employees needed + Yearly overall employee training costs
In most technology fields, automation will always win in terms of costs over employment costs. If a task can be automated, it will almost always be cheaper to automate that task, especially as automation technology gets more sophisticated and less expensive.
The key differentiator between hiring versus automation is quality:
Is the task something that can be automated at all?
Can it be automated safely and properly without quality degradation compared to a human?
Will the automation be safer than adding a human touchpoint?
If the instructions configured into the automation products are good, automation is typically more consistent than humans at higher scale.
Learn more
Organizations are continuously increasing the use of automation to drive efficiencies, productivity, and growth. Generative AI and detection AI are compelling new areas for automation, but there’s still a large amount of basic tool-based automation that has yet to be leveraged.
Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.
"NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks," Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.
"While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze."
Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.
Recent data shared by Group-IB shows that disclosures on Qilin's data leak site have more than doubled since February 2025, making it the top ransomware group for April, surpassing other players like Akira, Play, and Lynx.
"From July 2024 to January 2025, Qilin's affiliates did not disclose more than 23 companies per month," the Singaporean cybersecurity company said late last month. "However, [...] since February 2025 the amount of disclosures have significantly increased, with 48 in February, 44 in March and 45 in the first weeks of April."
Qilin is also said to have benefited from an influx of affiliates following RansomHub's abrupt shutdown at the start of last month. According to Flashpoint, RansomHub was the second-most active ransomware group in 2024, claiming 38 victims in the financial sector between April 2024 and April 2025.
"Agenda ransomware activity was primarily observed in healthcare, technology, financial services, and telecommunications sectors across the U.S., the Netherlands, Brazil, India, and the Philippines," according to Trend Micro's data from the first quarter of 2025.
NETXLOADER, the cybersecurity company said, is a highly obfuscated loader that's designed to launch next-stage payloads retrieved from external servers (e.g., "bloglake7[.]cfd"), which are then used to drop SmokeLoader and Agenda ransomware.
Protected by .NET Reactor version 6, it also incorporates a bevy of tricks to bypass traditional detection mechanisms and resist analysis efforts, such as just-in-time (JIT) hooking techniques, seemingly meaningless method names, and control flow obfuscation.
"The operators' use of NETXLOADER is a major leap forward in how malware is delivered," Trend Micro said. "It uses a heavily obfuscated loader that hides the actual payload, meaning you can't know what it truly is without executing the code and analyzing it in memory. Even string-based analysis won't help because the obfuscation scrambles the clues that would normally reveal the payload's identity."
Attack chains have been found to leverage valid accounts and phishing as initial access vectors to drop NETXLOADER, which then deploys SmokeLoader on the host. The SmokeLoader malware proceeds to perform a series of steps to perform virtualization and sandbox evasion, while simultaneously terminating a hard-coded list of running processes.
In the final stage, SmokeLoader establishes contact with a command-and-control (C2) server to fetch NETXLOADER, which launches the Agenda ransomware using a technique known as reflective DLL loading.
"The Agenda ransomware group is continually evolving by adding new features designed to cause disruption," the researchers said. "Its diverse targets include domain networks, mounted devices, storage systems, and VCenter ESXi."
from The Hacker News https://ift.tt/Zr4eaXh
via IFTTT
The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan.
The activity, detected by Trend Micro in March 2025, involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL.
"The ANEL file from the 2025 campaign discussed in this blog implemented a new command to support an execution of BOF (Beacon Object File) in memory," security researcher Hara Hiroaki said. "This campaign also potentially leveraged SharpHide to launch the second stage backdoor NOOPDOOR."
The China-aligned threat actor, also known as Earth Kasha, is assessed to be a sub-cluster within APT10. In March 2025, ESET shed light on a campaign referred to as Operation AkaiRyū that targeted a diplomatic organization in the European Union in August 2024 with ANEL (aka UPPERCUT).
The targeting of various Japanese and Taiwanese entities points to a continued expansion of their footprint, as the hacking crew seeks to conduct information theft to advance their strategic objectives.
The attack starts with a spear-phishing email -- some of which are sent from legitimate-but-compromised accounts -- that contains an embedded Microsoft OneDrive URL, which, in turn, downloads a ZIP file.
The ZIP archive includes a malware-laced Excel document, and a macro-enabled dropper codenamed ROAMINGMOUSE that serves as a conduit to deliver components related to ANEL. It's worth noting that ROAMINGMOUSE has been put to use by MirrorFace since last year.
"ROAMINGMOUSE then decodes the embedded ZIP file by using Base64, drops the ZIP on a disk, and expands its components," Hiroaki said. This includes:
JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (a legitimate binary)
JSFC.dll (ANELLDR)
An encrypted ANEL payload
MSVCR100.dll (a legitimate DLL dependency of the executable)
The end goal of the attack chain is to launch the legitimate executable using explorer.exe and then use it to sideload the malicious DLL, in this case, ANELLDR, which is responsible for decrypting and launching the ANEL backdoor.
What's notable about the ANEL artifact used in the 2025 campaign is the addition of a new command to support in-memory execution of beacon object files (BOFs), which are compiled C programs designed to extend the Cobalt Strike agent with new post-exploitation features.
"After installing the ANEL file, actors behind Earth Kasha obtained screenshots using a backdoor command and examined the victim's environment," Trend Micro explained. "The adversary appears to investigate the victim by looking through screenshots, running process lists, and domain information."
Select instances have also leveraged an open-source tool named SharpHide to launch a new version of NOOPDOOR (aka HiddenFace), another backdoor previously identified as used by the hacking group. The implant, for its part, supports DNS-over-HTTPS (DoH) to conceal its IP address lookups during command-and-control (C2) operations.
"Earth Kasha continues to be an active advanced persistent threat and is now targeting government agencies and public institutions in Taiwan and Japan in its latest campaign which we detected in March 2025," Hiroaki said.
"Enterprises and organizations, especially those with high-value assets like sensitive data relating to governance, as well as intellectual property, infrastructure data, and access credentials should continue to be vigilant and implement proactive security measures to prevent falling victim to cyber attacks."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/DVXfeEc
via IFTTT
Cisco Talos identified a spam campaign targeting Brazilian users with commercial remote monitoring and management (RMM) tools since at least January 2025. Talos observed the use of PDQ Connect and N-able remote access tools in this campaign.
The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox.
Talos has observed the threat actor abusing RMM tools in order to create and distribute malicious agents to victims. They then use the remote capabilities of these agents to download and install Screen Connect after the initial compromise.
Talos assesses with high confidence that the threat actor is an initial access broker (IAB) abusing the free trial periods of these RMM tools.
Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2).
Figure 1. Spam message purporting to be from a cell phone provider.
Figure 2. Spam message masquerading as a bill from a financial institution.
Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool. The file names also contain references to NF-e in their names:
AGENT_NFe_<random>.exe
Boleto_NFe_<random>.exe
Eletronica_NFe_<random>.exe
Nf-e<random>.exe
NFE_<random>.exe
NOTA_FISCAL_NFe_<random>.exe
Note: <random> means the filename uses a random sequence of letters and numbers in that position.
The victims targeted in this campaign are mostly C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. This assessment is based on the most common recipients found in the messages Talos observed during this campaign.
Figure 3. Targeted recipients.
Abusing RMM tools for profit
This campaign's objective is to lure the victims into installing an RMM tool, which allows the threat actor to take complete control of the target machine. N-able RMM Remote Access is the most common tool distributed in this campaign and is developed by N-able, Inc., previously known as SolarWinds. N-able is aware of this abuse and took action to disable the affected trial accounts. Another tool Talos observed in some cases is PDQ Connect, a similar RMM application. Both provide a 15-day free trial period.
To assess whether these actors were using a trial version rather than stolen credentials to create these accounts, Talos checked samples older than 15 days and confirmed all of them returned errors that the accounts were disabled, while newer samples found in the last 15 days were all active.
Talos also examined the email accounts used to register for the service. They all use free email services such as Gmail or Proton Mail, as well as usernames following the theme of the spam campaign, with few exceptions where the threat actors used personal accounts. These exceptions are potentially compromised accounts which are being abused by the threat actors to create additional trial accounts. Talos did not find any samples in which the registered account was issued by a private company, so we can assess with high confidence these agents were created using trial accounts instead of stolen credentials.
Talos found no evidence of a common post-infection behavior for the affected machines, with most machines staying infected for days before any other malicious activity was executed by the tool. However, in some cases, we observed the threat actor installing an additional RMM tool and removing all security tools from the machine a few days after the initial compromise. This is consistent with actions of initial access broker (IAB) groups.
An IAB's main objective is to rapidly create a network of compromised machines and then sell access to the network to third parties. Threat actors commonly use IABs when looking for specific target companies to deploy ransomware on. However, IABs have varied priorities and may sell their services to any threat actors, including state-sponsored actors.
Adversaries’ abuse of commercial RMM tools has steadily increased in recent years. These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.
Talos created a trial account to test what features were available for a trial user. In the case of the N-able remote access tool, the trial version offers a full set of features, limited only by the 15-day trial period. Talos was able to confirm that by using a trial account, the threat actor has full access to the machine, including remote desktop-like access, remote command execution, screen streaming, keystroke capture, and remote shell access.
Figure 4. N-able management interface showing available remote access tools.
Figure 5. Administrative shell executed on a remote machine.
The threat actor also has access to a fully featured file manager to easily read and write files to the remote file system.
Figure 6. N-able file manager.
The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider. For example, N-able Remote Access uses a domain associated with its management interface, hosted on Amazon Web Services (AWS):
hxxps://upload1[.]am[.]remote[.]management/
hxxps://upload2[.]am[.]remote[.]management/
hxxps://upload3[.]am[.]remote[.]management/
hxxps://upload4[.]am[.]remote[.]management/
Disclaimer: The URLs above are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. Customers must complete an assessment before enabling block signatures for these domains.
The domain the agent uses is the same for any customer using the tool, with only the username and API key differentiating which customer the agent belongs to, as can be seen in Figure 7. This makes it even more difficult to identify the origin of the attacks and perform threat actor attribution.
Figure 7. Example configuration file.
By extracting the configuration files inside the agent installer files still available on Dropbox, we can see some email addresses follow the same theme of the spam emails, using names of finance-related users and domains, while others could be potentially compromised accounts being used to create trial accounts for N-able Remote Access.
With these trial versions being limited only by time and providing full remote-control features with little to no cost to the threat actors, Talos expects these tools to become even more common in attacks.
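A small triage script, added here as an example and not part of Talos' post, that turns the two observables above (the NF-e themed installer names, and agent traffic to the vendor's own upload hosts) into findings for analyst review. The key=value log format and all sample lines are constructed; the management-host suffix is taken from the defanged URLs listed above. Because that infrastructure is shared by every legitimate customer of the tool, the script only surfaces matches and leaves the blocking decision to the assessment the disclaimer calls for.

```python
import posixpath
import re
from urllib.parse import urlparse

# Installer name patterns reported above; "<random>" is a run of letters and digits.
NFE_INSTALLER_RE = re.compile(
    r"^(?:AGENT_NFe_|Boleto_NFe_|Eletronica_NFe_|Nf-e|NFE_|NOTA_FISCAL_NFe_)"
    r"[A-Za-z0-9]+\.exe$",
    re.IGNORECASE,
)

# Vendor management infrastructure named above (defanged in the post). Traffic to it
# is normal for a paying customer, so hits are surfaced for review, not blocked.
RMM_MGMT_SUFFIXES = ("am.remote.management",)

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in a simple key=value format (not real telemetry).
SAMPLE_LOG = [
    "2025-03-12T14:02:11Z proxy src=10.1.4.23 dst=upload2.am.remote.management:443 "
    "url=https://upload2.am.remote.management/ user=alice",
    r"2025-03-12T14:01:50Z edr host=WS-FIN-07 event=process_create "
    r"image=C:\Users\alice\Downloads\NOTA_FISCAL_NFe_x8K2q.exe parent=chrome.exe",
    "2025-03-12T14:05:00Z proxy src=10.1.4.23 dst=www.dropbox.com:443 "
    "url=https://www.dropbox.com/s/abc123/Boleto_NFe_q1w2e3.exe?dl=1 user=alice",
    "2025-03-12T14:10:00Z proxy src=10.1.9.8 dst=example.com:443 "
    "url=https://example.com/index.html user=bob",
]


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; values contain no whitespace."""
    return dict(KV_RE.findall(line))


def is_rmm_management_host(host: str) -> bool:
    """True when host is one of the vendor's management domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in RMM_MGMT_SUFFIXES)


def filename_from(value: str) -> str:
    """Basename of a URL path, a Windows path or a bare file name."""
    if "://" in value:
        value = urlparse(value).path
    return posixpath.basename(value.replace("\\", "/"))


def scan(lines) -> list:
    """Return (line_number, finding, value) triples for analyst review."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        hosts = set()
        if "dst" in fields:
            hosts.add(fields["dst"].rsplit(":", 1)[0])      # strip the port
        if "url" in fields and urlparse(fields["url"]).hostname:
            hosts.add(urlparse(fields["url"]).hostname)
        for host in sorted(hosts):
            if is_rmm_management_host(host):
                findings.append((n, "rmm_management_traffic", host.lower()))
        for key in ("image", "url"):                        # process image or download URL
            if key in fields:
                name = filename_from(fields[key])
                if NFE_INSTALLER_RE.match(name):
                    findings.append((n, "nfe_themed_installer", name))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports the agent check-in on line 1 and the two NF-e themed executables on lines 2 and 3, and stays silent on the ordinary browsing on line 4. In a real deployment the same two checks map onto a proxy or firewall application-control rule for the domains and an endpoint rule on the process image name.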
Cisco Secure Firewall Application Control is able to detect the unintended usage of RMM tools in customers' networks. Instructions on how to set up Application Control can be found in the Cisco Secure Firewall documentation.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent, and secure access to the internet, cloud services, or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
ClamAV detections are also available for this threat:
IOCs for this threat can be found on our GitHub repository here.
The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures.
"LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat Intelligence Group (GTIG) said.
The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out.
LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA, marking a continued departure from the credential phishing campaigns the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.
"They are known for stealing credentials and after gaining access to a target's account they exfiltrate emails and steal contact lists from the compromised account," security researcher Wesley Shields said. "In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system."
The latest set of attacks commences with a decoy website containing a fake CAPTCHA verification prompt, where victims are instructed to open the Windows Run dialog and paste a PowerShell command copied to the clipboard, a widely popular social engineering technique dubbed ClickFix.
The PowerShell command is designed to download and execute the next payload from a remote server ("165.227.148[.]68"), which acts as a downloader for a third stage, but not before performing checks in a likely effort to evade execution in virtual machines.
A Base64-encoded blob, the third-stage payload is decoded into a PowerShell script that's responsible for executing LOSTKEYS on the compromised host, allowing the threat actor to harvest system information, running processes, and files from a hard-coded list of extensions and directories.
As in the case of SPICA, it's been assessed that the malware is only deployed selectively, indicative of the highly targeted nature of these attacks.
Google also said it uncovered additional LOSTKEYS artifacts going back to December 2023 that masqueraded as binaries related to the Maltego open-source investigation platform. It's not known if these samples have any ties to COLDRIVER, or if the malware was repurposed by the threat actors starting January 2025.
ClickFix Adoption Continues to Grow
The development comes as ClickFix continues to be steadily adopted by multiple threat actors to distribute a wide range of malware families, including a banking trojan called Lampion and Atomic Stealer.
Attacks propagating Lampion, per Palo Alto Networks Unit 42, use phishing emails bearing ZIP file attachments as lures. Present within the ZIP archive is an HTML file that redirects the message recipient to a fake landing page with ClickFix instructions to launch the multi-stage infection process.
"Another interesting aspect of Lampion's infection chain is that it is divided into several non-consecutive stages, executed as separate processes," Unit 42 said. "This dispersed execution complicates detection, as the attack flow does not form a readily identifiable process tree. Instead, it comprises a complex chain of individual events, some of which could appear benign in isolation."
The malicious campaign targeted Portuguese-speaking individuals and organizations in various sectors, including government, finance, and transportation, the company added.
In recent months, the ClickFix strategy has also been combined with another sneaky tactic called EtherHiding, which involves using Binance's Smart Chain (BSC) contracts to conceal the next-stage payload, ultimately leading to the delivery of a macOS information stealer called Atomic Stealer.
"Clicking 'I'm not a robot' triggers a Binance Smart Contract, using an EtherHiding technique, to deliver a Base64-encoded command to the clipboard, which users are prompted to run in Terminal via macOS-specific shortcuts (⌘ + Space, ⌘ + V)," an independent researcher who goes by the alias Badbyte said. "This command downloads a script that retrieves and executes a signed Mach-O binary, confirmed as Atomic Stealer."
Further investigation has found that the campaign has likely compromised about 2,800 legitimate websites to serve fake CAPTCHA prompts. The large-scale watering hole attack has been codenamed MacReaper by the researcher.
"The attack leverages obfuscated JavaScript, three full-screen iframes, and blockchain-based command infrastructure to maximize infections," the researcher added.
from The Hacker News https://ift.tt/Yg6QwRA
Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.
The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system.
"This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system," the company said in a Wednesday advisory.
"An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
That said, in order for the exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It's disabled by default.
The following products are affected, if they have a vulnerable release running and have the Out-of-Band AP Image Download feature turned on -
Catalyst 9800-CL Wireless Controllers for Cloud
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst APs
While updating to the latest version is the best course of action, as temporary mitigations, users can disable the feature until an upgrade can be performed.
"With this feature disabled, AP image download will use the CAPWAP method for the AP image update feature, and this does not impact the AP client state," Cisco added.
The networking equipment major credited X.B. of the Cisco Advanced Security Initiatives Group (ASIG) for discovering and reporting the bug during internal security testing. There is no evidence that the vulnerability has been maliciously exploited in the wild.
from The Hacker News https://ift.tt/Bv8sicp
The Terraform AWS provider serves as the bridge between Terraform configurations and AWS, enabling users to define and manage AWS resources as code. We are excited to share that version 6.0 of the Terraform AWS provider is now available in public beta. Along with bugfixes, the latest update brings enhanced multi-region support and other workflow improvements.
This post will explore the enhanced multi-region support features and announce the provider's latest downloads milestone.
We are excited to announce that this release coincides with a new milestone: The Terraform AWS provider has surpassed 4 billion downloads.
As we approach 5 billion downloads, AWS and HashiCorp continue to expand their partnership — delivering new integrations that help customers move faster, adopt more AWS services and features, and deploy infrastructure with developer-friendly workflows. For example, we recently partnered to develop pre-written Sentinel policy sets for AWS to simplify policy adoption and provide a turnkey governance solution for our customers.
With Terraform, HashiCorp aims to provide launch-day support for all AWS services, ensuring immediate access to the latest innovations. We also recommend you learn about the AWSCC provider and compare it to the AWS provider.
Enhanced region support
Previously in the Terraform AWS provider, each provider configuration targeted a single AWS region. With this limitation, practitioners had to update every configuration file individually if they wanted to change a particular resource’s configuration. For global companies, this could mean editing the same parameter in up to 32 separate configuration files for each region.
With 6.0, the AWS provider now supports multiple regions all within a single configuration file. This new approach leverages an injected region attribute at the resource level to simplify configuration efforts. This method also reduces the need to load multiple instances of the AWS provider, lowering memory usage overall.
Here are some more key highlights in this feature:
Single provider configuration: Reduces the need to load multiple instances of the AWS provider, lowering memory usage.
Region attribute injection: The region argument is added to all resources (except global resources) without requiring explicit schema changes.
Global resources exclusion: Services like IAM, CloudFront, and Route 53 remain unaffected as they operate globally.
Terraform plugin framework updates: Adjustments to the AWS API client mechanism support per-region API client mappings.
Resource import enhancements: A new @<regionID> suffix allows importing of resources from different regions.
Documentation and testing: Changes are documented at the provider level and tested to ensure backward compatibility.
This example shows how to use the new region attribute for the aws_vpc_peering_connection_accepter resource in your Terraform configuration:
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "peer" {
  region     = "us-west-2"
  cidr_block = "10.1.0.0/16"
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "main" {
  vpc_id      = aws_vpc.main.id
  peer_vpc_id = aws_vpc.peer.id
  peer_region = "us-west-2"
  auto_accept = false
}

# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "peer" {
  region                    = "us-west-2"
  vpc_peering_connection_id = aws_vpc_peering_connection.main.id
  auto_accept               = true
}
This is an example of how to use the new region attribute for the aws_kms_replica_key resource in your Terraform configuration:
The Terraform AWS provider 6.0 pre-release is labeled "beta" and uploaded to the Terraform Registry as usual. It is important to note that users with permissive version constraints will not automatically use the new beta version. Instead, they will need to opt in by specifying the pre-release version in their provider requirements:
When upgrading to version 6.0 of the Terraform AWS provider, please consult the upgrade guide on the Terraform Registry as it contains not only a list of changes but also examples. Because this release introduces breaking changes, we recommend pinning your provider version to protect against unexpected results.
For the full list of updates in version 6.0, please refer to the summary of changes on GitHub. The beta will run for six weeks. Please submit any feedback by creating an issue in the provider using the beta-feedback form.
May 07, 2025 | Ravie Lakshmanan | Dark Web / Cybercrime
Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world.
In connection with the operation, Polish authorities have arrested four individuals and the United States has seized nine domains that are associated with the now-defunct platforms.
"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10," Europol said in a statement.
The services, named cfxapi, cfxsecurity, neostress, jetstress, quickdown and zapcut, are said to have been instrumental in launching widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.
Europol said the platforms offered "slick user interfaces," enabling malicious actors with little to no technical expertise to orchestrate DDoS attacks by simply entering a target IP address, choosing the type of attack, and paying a fee.
Stresser services, typically advertised on underground forums, are often disguised as legitimate stress-testing tools but are designed to disrupt access to web resources by letting their customers unleash a flood of fake traffic against a target site, making it inaccessible to real users.
"Unlike traditional botnets, which require the control of large numbers of infected devices, stresser/booter services industrialise DDoS attacks through centralised, rented infrastructure," Europol noted.
According to snapshots captured on the Internet Archive, cfxsecurity, hosted on the domains cfxsecurity[.]bet and cfxsecurity[.]cc, marketed itself as the "#1 stress testing service" and claimed it provided "comprehensive stress test, ensuring your website and services are ready to weather any storm."
The service offered three plans, Starter for $20/month, Premium for $50/month, and Enterprise for $130/month. QuickDown ("quickdown[.]pro"), likewise, priced its kit for anywhere between $20/month to $379/month.
Cloud security company Radware, in a report published in August 2024, revealed that QuickDown is among a new crop of stresser services that have adopted a hybrid architecture combining both botnets and dedicated servers. QuickDown is said to have introduced a "Botnet addon and new plans related to the Botnet network" in September 2023.
The latest action, conducted in collaboration with Dutch and German authorities, is part of an ongoing effort called Operation PowerOFF that aims to dismantle infrastructure facilitating DDoS-for-hire activity.
In December 2024, a set of 27 stresser services were taken offline, alongside announcing charges against six different individuals in the Netherlands and the U.S.
from The Hacker News https://ift.tt/UcitZRM
May 07, 2025 | Ravie Lakshmanan | Vulnerability / Web Security
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.
"This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user's authentication credentials," Wordfence said. "This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible."
That said, the vulnerability is exploitable only in two possible scenarios -
When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before
When an attacker has authenticated access to a site and can generate a valid application password
Wordfence revealed that it observed the threat actors attempting to exploit the initial connection vulnerability to establish a connection with the site, followed by using it to create an administrative user account via the automation/action endpoint.
Furthermore, the attack attempts simultaneously aim for CVE-2025-3102 (CVSS score: 8.1), another flaw in the same plugin that has also been exploited in the wild since last month.
This has raised the possibility that the threat actors are opportunistically scanning WordPress installations to see if they are susceptible to either of the two flaws. The IP addresses that have been observed targeting the vulnerabilities are listed below -
2a0b:4141:820:1f4::2
41.216.188.205
144.91.119.115
194.87.29.57
196.251.69.118
107.189.29.12
205.185.123.102
198.98.51.24
198.98.52.226
199.195.248.147
Given that the plugin has over 100,000 active installations, it's essential that users move quickly to apply the latest patches (version 1.0.83).
"Attackers may have started actively targeting this vulnerability as early as May 2, 2025 with mass exploitation starting on May 4, 2025," Wordfence said.
from The Hacker News https://ift.tt/7cD9ePu
Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. Observed in January, March, and April 2025, LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers. GTIG has been tracking COLDRIVER for many years, including their SPICA malware in 2024.
COLDRIVER typically targets high-profile individuals at their personal email addresses or at NGO addresses. They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account. In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system.
Recent targets in COLDRIVER's campaigns have included current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. The group has also continued targeting individuals connected to Ukraine. We believe the primary goal of COLDRIVER's operations is intelligence collection in support of Russia's strategic interests. In a small number of cases, the group has been linked to hack-and-leak campaigns targeting officials in the UK and an NGO.
To safeguard at-risk users, we use our research on serious threat actors like COLDRIVER to improve the safety and security of Google's products. We encourage potential targets to enroll in Google's Advanced Protection Program, enable Enhanced Safe Browsing for Chrome, and ensure that all devices are updated.
Stage 1 — It Starts With A Fake CAPTCHA
LOSTKEYS is delivered at the end of a multi-step infection chain that starts with a lure website with a fake CAPTCHA on it. Once the CAPTCHA has been "verified," PowerShell is copied to the user's clipboard and the page prompts the user to execute the PowerShell via the "Run" prompt in Windows:
The first stage PowerShell that is pasted in will fetch and execute the second stage. In multiple observed cases, the second stage was retrieved from 165.227.148[.]68.
COLDRIVER is not the only threat actor to deliver malware by socially engineering their targets to copy, paste, and then execute PowerShell commands—a technique commonly called "ClickFix." We have observed multiple APT and financially motivated actors use this technique, which has also been widely reported publicly. Users should exercise caution when encountering a site that prompts them to exit the browser and run commands on their device, and enterprise policies should implement least privilege and disallow users from executing scripts by default.
Stage 2 — Device Evasion
The second stage calculates the MD5 hash of the display resolution of the device and if the MD5 is one of three specific values it will stop execution, otherwise it will retrieve the third stage. This step is likely done to evade execution in VMs. Each observed instance of this chain uses different, unique identifiers that must be present in the request to retrieve the next stage. In all observed instances the third stage is retrieved from the same host as the previous stages.
Stage 3 — Retrieval of the Final Payload
The third stage is a Base64-encoded blob, which decodes to more PowerShell. This stage retrieves and decodes the final payload. To do this it pulls down two more files, from the same host as the others, and again using different unique identifiers per infection chain.
The first is a Visual Basic Script (VBS) file, which we call the “decoder” that is responsible for decoding the second one. The decoding process uses two keys, which are unique per infection chain. The decoder has one of the unique keys and the second key is stored in stage 3. The keys are used in a substitution cipher on the encoded blob, and are unique to each infection chain. A Python script to decode the final payload is:
# Usage: decode.py encoded_file Ah90pE3b 4z7Klx1V
import base64
import sys

if len(sys.argv) != 4:
    print("Usage: decode.py file key1 key2")
    sys.exit(1)
if len(sys.argv[2]) != len(sys.argv[3]):
    print("Keys must be the same length")
    sys.exit(1)

with open(sys.argv[1], 'r') as f:
    data = f.read()

x = sys.argv[2]  # first key
y = sys.argv[3]  # second key
# Swap every x[i] with y[i]. '!' is only a temporary placeholder; this is safe
# because Base64 text never contains '!'.
for i in range(len(x)):
    data = data.replace(x[i], '!').replace(y[i], x[i]).replace('!', y[i])

with open(sys.argv[1] + '.out', 'wb') as f:
    f.write(base64.b64decode(data))
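The same cipher as a reversible pair of functions, added here as an example that is not the post's own decoder: the swap-based version uses a translation table instead of the '!' placeholder, and the encoder shows the one detail a re-implementation tends to get wrong, namely that a sequence of character swaps is undone by replaying it in reverse order (each swap is its own inverse, but the sequence is not). The keys are the two example keys from the page's script; the payload is constructed.

```python
import base64

# Added example, not code from the original post or from the malware.


def swap_pair(text: str, a: str, b: str) -> str:
    """One cipher step: exchange every a with b and every b with a."""
    return text.translate(str.maketrans(a + b, b + a))


def decode_blob(blob: str, key1: str, key2: str) -> bytes:
    """Apply the key1[i] <-> key2[i] swaps in index order, then Base64-decode.

    Behaviourally identical to the VBS decoder's replace(...,'!') sequence for
    Base64 input; unlike that sequence it does not rely on '!' being absent.
    """
    if len(key1) != len(key2):
        raise ValueError("keys must be the same length")
    for a, b in zip(key1, key2):
        blob = swap_pair(blob, a, b)
    return base64.b64decode(blob)


def encode_blob(payload: bytes, key1: str, key2: str) -> str:
    """Inverse of decode_blob: Base64-encode, then apply the swaps in reverse order.

    Keys may share characters across positions (e.g. "ab" / "bc"), in which case
    the order of swaps matters, so the encoder must walk the keys backwards.
    """
    if len(key1) != len(key2):
        raise ValueError("keys must be the same length")
    text = base64.b64encode(payload).decode("ascii")
    for a, b in reversed(list(zip(key1, key2))):
        text = swap_pair(text, a, b)
    return text


def decode_blob_sentinel(blob: str, key1: str, key2: str) -> bytes:
    """The placeholder method used by the post's script, kept for comparison."""
    for a, b in zip(key1, key2):
        blob = blob.replace(a, "!").replace(b, a).replace("!", b)
    return base64.b64decode(blob)


# Example keys from the page's script; the payload is constructed test data.
KEY1 = "Ah90pE3b"
KEY2 = "4z7Klx1V"
PAYLOAD = b"MsgBox \"constructed sample payload\"\r\n"

if __name__ == "__main__":
    encoded = encode_blob(PAYLOAD, KEY1, KEY2)
    print(encoded)
    assert decode_blob(encoded, KEY1, KEY2) == PAYLOAD
    assert decode_blob_sentinel(encoded, KEY1, KEY2) == PAYLOAD
```

When recovering a real chain, the two keys come from different places (one in the VBS decoder, one in stage 3); if decoding yields something that is not valid Base64 or not VBS, the usual cause is the keys being passed in the wrong order, since swapping key1 and key2 changes which character each position maps to only when the keys overlap, but reversing the chain's actual pairing is a different cipher entirely.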
The Final Payload (LOSTKEYS)
The end result of this is a VBS that we call LOSTKEYS. It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. The typical behavior of COLDRIVER is to steal credentials and then use them to steal emails and contacts from the target, but as we have previously documented, they will also deploy malware called SPICA to select targets if they want to access documents on the target system. LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases.
A Link To December 2023
As part of the investigation into this activity, we discovered two additional samples, hashes of which are available in the IOCs section, dating back as early as December 2023. In each case, the samples end up executing LOSTKEYS but are distinctly different from the execution chain described here in that they are Portable Executable (PE) files pretending to be related to the software package Maltego.
It is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025.
Protecting the Community
As part of our efforts to combat threat actors, we use the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified malicious websites, domains and files are added to Safe Browsing to protect users from further exploitation. We also send targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.
We are committed to sharing our findings with the security community to raise awareness and with companies and individuals that might have been targeted by these activities. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.
Indicators of compromise (IOCs) and YARA rules are included in this post, and are also available as a GTI collection and rule pack.
YARA Rules
rule LOSTKEYS__Strings {
    meta:
        author = "Google Threat Intelligence"
        description = "wscript that steals documents and beacons system information out to a hardcoded address"
        hash = "28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9"
    strings:
        $rep0 = "my_str = replace(my_str,a1,\"!\" )"
        $rep1 = "my_str = replace(my_str,b1 ,a1 )"
        $rep2 = "my_str = replace(my_str,\"!\" ,b1 )"
        $mid0 = "a1 = Mid(ch_a,ina+1,1)"
        $mid1 = "b1 = Mid(ch_b,ina+1,1)"
        $req0 = "ReqStr = base64encode( z & \";\" & ws.ExpandEnvironmentStrings(\"%COMPUTERNAME%\") & \";\" & ws.ExpandEnvironmentStrings(\"%USERNAME%\") & \";\" & fso.GetDrive(\"C:\\\").SerialNumber)"
        $req1 = "ReqStr = Chain(ReqStr,\"=+/\",\",-_\")"
        $cap0 = "CapIN \"systeminfo > \"\"\" & TmpF & \"\"\"\", 1, True"
        $cap1 = "CapIN \"ipconfig /all >> \"\"\" & TmpF & \"\"\"\", 1, True"
        $cap2 = "CapIN \"net view >> \"\"\" & TmpF & \"\"\"\", 1, True"
        $cap3 = "CapIN \"tasklist >> \"\"\" & TmpF & \"\"\"\", 1, True"
    condition:
        all of ($rep*) or all of ($mid*) or all of ($req*) or all of ($cap*)
}