CYFIRMA Research
Author: CYFIRMA
© 2026 CYFIRMA Research
Description
Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
284 Episodes
Malware Spotlight: LTX Stealer
CYFIRMA researchers uncovered a sophisticated Windows info-stealer hidden in a legit Inno Setup installer. Key takeaways:
🔹 Node.js stealer with Bytenode bytecode obfuscation
🔹 Targets Chromium browsers & crypto wallets
🔹 Persists in hidden/system folders under Program Files (x86)
🔹 Uses Supabase for operator auth + Cloudflare to mask backend
🔹 Commercial-grade Malware-as-a-Service (MaaS)
Modern attackers are using...
CYFIRMA has identified an active Telegram phishing campaign that abuses Telegram’s legitimate login and in-app authorization workflows to fully compromise user accounts without malware or exploits. By leveraging QR codes and manual login flows tied to attacker-controlled Telegram API credentials, victims are tricked into approving genuine authorization prompts inside the Telegram app under false security pretexts. This abuse-of-function approach increases victim trust, enables large-scale glo...
Critical Alert: CVE-2026-23760 – SmarterMail Pre-Auth Bypass Leading to Full System Compromise Organizations running SmarterTools SmarterMail email servers—widely deployed across SMBs, MSPs, educational institutions, and healthcare environments—must take immediate action. This actively exploited authentication bypass vulnerability allows unauthenticated attackers to reset system administrator passwords and gain complete control over email infrastructure without any credentials. ACTIVE EXPLO...
Threat Research Alert | Android Loan Scam
Our analysis uncovered an Android application, Hicas, distributed via the Google Play Store and marketed as a Smart Travel Packing Companion, which covertly operates as a region-targeted fraudulent loan platform. Key Findings:
• Play Store app masquerading as a travel utility
• Region-based cloaking activates loan flow on IN devices
• Remote WebView delivers full lending workflow
• Runtime behavior controlled via external JSON config
• No app update...
WinRAR CVE-2025-8088 is a path validation vulnerability that allows a crafted RAR archive to write files outside the intended extraction directory during unpacking. In the observed attack chain, this behavior is abused to silently drop a malicious script into the Windows Startup folder, establishing persistence without requiring administrative privileges or explicit execution by the user. Once triggered, execution continues through an obfuscated Batch script and a PowerShell loader, ultimate...
Mamba 2FA illustrates the evolution of phishing into highly automated adversary-in-the-middle attacks that can bypass traditional MFA by closely emulating legitimate cloud authentication experiences. As part of a broader phishing-as-a-service ecosystem, these tools enable scalable, low-effort campaigns with high impact across cloud environments. Addressing this threat requires MFA-resistant authentication, layered identity controls, and continuous monitoring of emerging phishing techniques. ...
Emerging Threat Model: SOLYXIMMORTAL Malware Recent analysis highlights how modern commodity malware continues to evolve by abusing legitimate system functionality rather than relying on exploits or vulnerabilities. The malware demonstrates how attackers can achieve persistent access, credential theft, and user surveillance entirely within the user space, leveraging trusted operating system features and third-party services. Key observations: User-level persistence via AppData and registry R...
Stay ahead with CYFIRMA’s December 2025 Ransomware Report. December marked the most active month of 2025 with 801 global ransomware victims, signaling a strong year-end escalation. Qilin surged to 175 victims, reinforcing its dominance, while Safepay and Sinobi posted sharp month-over-month growth, highlighting shifting group momentum. Ransomware operations increasingly adopted cartel-style, access-driven models, abusing trusted security tools, hypervisors, and enterprise file-sharing platfo...
The threat landscape just got more complex. The Scattered LAPSUS$ Hunters alliance has re-emerged, merging the tactics of notorious groups. This isn’t just a name change; it’s a shift toward professionalized, identity-centric extortion. What you need to know:
High-Value Targets: Focused on enterprises with $500M+ revenue, specifically in Cloud, Telecom, and Finance.
Identity is the Perimeter: They specialize in "logging in" rather than "hacking in," using advanced vishing (voice phishing) a...
APT36 Targets Indian Entities Using Weaponized Windows Shortcut Files CYFIRMA has identified a coordinated cyber-espionage campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor persistently targeting Indian government entities and strategic sectors. This campaign highlights APT36’s evolving tradecraft, leveraging malicious Windows shortcut (.LNK) files and multi-stage payload delivery to stealthily compromise victim systems while masquerading as legitimate docume...
Hacktivist activity is often dismissed as low-sophistication noise, website defacements, DDoS attacks, or online activism. Our latest research argues that this view is increasingly outdated. The report introduces Hacktivist Proxy Operations as a repeatable model of deniable cyber pressure, where ideologically aligned non-state groups apply disruption, narrative amplification, and psychological pressure in ways that align with state geopolitical interests without formal sponsorship or direct...
Threat Alert: APT 36 CYFIRMA has identified a targeted malware campaign abusing fake NCERT WhatsApp advisory PDFs to compromise Windows systems. Link to the Research Report: APT36 LNK-BASED MALWARE CAMPAIGN LEVERAGING MSI PAYLOAD DELIVERY - CYFIRMA #APT36 #Cyberthreatintelligence #Malware analysis #Threathunting #Cybersecurity #ETLM #CYFIRMA https://www.cyfirma.com/
A sophisticated QR-code phishing (“quishing”) campaign is targeting employees with payroll-themed lures, bypassing email security and harvesting credentials via obfuscated, per-victim infrastructure. This trend underscores the growing risk of mobile-based phishing and the need for stronger user awareness and behavior-driven defenses. Link to the Research Report: Quishing Campaigns : Advanced QR-Code Phishing Evaluation and Insights - CYFIRMA #Quishing #Phishing #CyberThreats #...
New Research Alert: NexusRoute Campaign Uncovered We’ve uncovered a large-scale Android malware and phishing operation impersonating Indian government services like mParivahan and e-Challan. Threat actors are abusing GitHub to host malicious APKs and fake payment portals, tricking users into sharing OTPs, UPI PINs, and financial details. The malware uses advanced techniques—dynamic loaders, native code, SMS hijacking, screen capture, and persistent background services—to monitor ...
Mobile Threat Alert: Crypto Mnemonic Phrase Stealer
SeedSnatcher is a newly uncovered Android malware family targeting the crypto ecosystem, built to steal users’ mnemonic recovery phrases using a sophisticated DisplayOverlay attack. Capabilities:
Intercepts and exfiltrates seed phrases and private keys from major cryptocurrency wallets
Presents deceptive wallet-import screens to lure users into entering their recovery phrases
Communicates with its command-and-control servers via encrypted Web...
CYFIRMA researchers have identified a sophisticated Android malware operation spreading via fake RTO Challan/e-Challan notifications shared over WhatsApp. The malicious APK uses two-stage installation, NP-based code obfuscation, and a custom VPN layer to evade detection and maintain persistent control over infected devices. C2 Infrastructure Exposed. Our analysis uncovered two domains used as the campaign’s Command-and-Control (C2) backend: Jsonserv[.]xyz jsonserv[.]biz Both domains ...
CYFIRMA | November 2025 Ransomware Snapshot Ransomware activity shifted fast in November—Akira and INC Ransom surged; AI-driven tools accelerated attacks, and critical sectors like Manufacturing, IT, and Professional Services took the heaviest hits. North America remained the top target as threat actors expanded into virtualization platforms and even official software marketplaces. The ransomware ecosystem is evolving rapidly—speed, automation, and precision are defining the new threat land...
APT36 Targets Indian Government Entities with a New Python-Based ELF Malware. CYFIRMA has uncovered a new cyber-espionage campaign by APT36 (Transparent Tribe), a Pakistan-based threat actor long known for targeting Indian government entities and strategic sectors. This campaign showcases a major leap in the group’s technical sophistication — delivering custom Python-based ELF malware through weaponized .desktop shortcut files distributed via spear-phishing. 📌 Key Highlights: The campaign ...
After Russia’s veto of the UN Panel of Experts and increased military cooperation over the war in Ukraine, North Korea is ramping up sanctions evasion—deepening its military ties with Moscow and stealing billions in cryptocurrency to finance its WMD programs. Link to the Research Report: NORTH KOREAN CYBER CRIME AS A STATECRAFT TOOL - CYFIRMA #NorthKorea #Russia #sanctions #cryptoheist #Geopolitics #CYFIRMAResearch #ThreatIntelligence #cybersecurity #ETLM ...
Black Friday & Cyber Monday Cyber Threats Are Already Here As festive shopping surges, so does cybercrime. CYFIRMA’s latest analysis reveals a spike in fake websites, phishing campaigns, malicious ZIP downloads, UPI-based payment scams, and dark-web-powered phishing kits—all engineered to exploit the 2025 holiday rush. Our researchers uncovered multiple spoofed retail domains, automated malware downloads, and dynamic UPI-ID switching techniques used by scammers to evade detection. With ...