CYFIRMA Research
Author: CYFIRMA
© 2026 CYFIRMA Research
Description
Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
289 Episodes
New Research: Dead Infrastructure Hijacking — The Attack That Doesn't Need a Vulnerability Most breaches start with an exploit. This one starts with a domain registration. We've published a full threat intelligence report on Dead Infrastructure Hijacking (DIH) — a threat class that exploits residual trust relationships left behind when digital infrastructure is decommissioned, migrated, or abandoned. No intrusion. No CVE. No malware. The attacker simply owns an address that your systems ar...
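The teaser above describes the threat class but not what a defender would actually look for. The following is an added example, not CYFIRMA's tooling or anything from the report: it audits a zone's outbound references (CNAME, MX and NS targets outside the organisation's own zone) for the two residual-trust states an attacker can step into by simply registering or re-claiming a name. The records, the "registered" set and the "resolvable" set are constructed stand-ins for a zone export, an RDAP/WHOIS lookup and a live DNS resolution; the two-label apex extraction is a deliberate simplification.

```python
"""Residual-trust audit over DNS records (added example, not CYFIRMA's code).

Dead Infrastructure Hijacking needs no exploit: the attacker obtains a name that
your zone still points at. This walks outbound references and flags the ones an
attacker could inherit. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str     # record owner in our zone
    rtype: str    # "CNAME", "MX" or "NS"
    target: str   # where it points


def registrable_apex(hostname: str) -> str:
    """Last two labels of a hostname.

    Simplification: a real audit must use the Public Suffix List so that
    'app.co.uk'-style names are not mis-split. Good enough for .com/.net here.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_residual_trust(records, our_zone, resolvable, registered):
    """Return (owner, rtype, target, finding) for every third-party reference
    an attacker could take over.

    registered: registrable apexes that currently have a registrant (RDAP).
    resolvable: hostnames that currently resolve (live DNS).
    """
    our_zone = our_zone.rstrip(".").lower()
    findings = []
    for rec in records:
        target = rec.target.rstrip(".").lower()
        if target == our_zone or target.endswith("." + our_zone):
            continue  # points inside our own zone; not third-party trust
        apex = registrable_apex(target)
        if apex not in registered:
            # Nobody holds the domain: anyone can register it and inherit
            # every record that still references it (mail, delegation, CNAME).
            findings.append((rec.name, rec.rtype, target, "UNREGISTERED_APEX"))
        elif target not in resolvable:
            # Domain is held but the host is gone: a cancelled PaaS/CDN tenant or
            # retired vendor host that the provider may hand to the next customer.
            findings.append((rec.name, rec.rtype, target, "DANGLING_TARGET"))
    return findings


# Constructed sample zone export for the hypothetical zone example.com.
RECORDS = [
    Record("www.example.com", "CNAME", "app.cdn-vendor.net."),                 # healthy
    Record("legacy.example.com", "CNAME", "legacy-app.oldhost.example-paas.net."),  # tenant gone
    Record("example.com", "MX", "mx1.retired-mail-vendor.com."),              # vendor lapsed
    Record("dev.example.com", "NS", "ns1.example.com."),                      # internal
]
# Constructed stand-ins for RDAP and live resolution results.
REGISTERED = {"cdn-vendor.net", "example-paas.net", "example.com"}
RESOLVABLE = {"app.cdn-vendor.net"}


def audit_sample():
    return find_residual_trust(RECORDS, "example.com", RESOLVABLE, REGISTERED)


if __name__ == "__main__":
    for owner, rtype, target, finding in audit_sample():
        print(f"{finding:18} {owner:22} {rtype:5} -> {target}")
```

Both findings are worth different follow-ups: an UNREGISTERED_APEX is the cheapest hijack (the attacker's cost is a registration fee) and the record should be deleted today; a DANGLING_TARGET depends on whether the provider lets a new tenant claim the old hostname, so the fix is to remove the record or re-claim the tenant yourself before someone else does.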
APT36 Multi-Vector Execution Malware Campaign Targeting Indian Government Entities Researchers at CYFIRMA have identified and analyzed a sophisticated malware campaign attributed to APT36 targeting Indian government entities. The campaign demonstrates a structured, multi-stage infection chain designed for stealth, persistence, and long-term remote access. This campaign reflects a targeted espionage operation leveraging multi-layered execution paths, macro-based staging, and robust RAT func...
The Telegram ecosystem. Ransomware groups, Initial Access Brokers, malware operators, and leak channels are converging on a single platform for coordination, recruitment, validation, and amplification. This isn’t a migration from darknet forums — it’s an operational upgrade. Link to the Research Report: Telegram as the New Operational Layer of Cyber Threat Activity - CYFIRMA #CyberSecurity #ThreatIntelligence #Ransomware #OSINT #CyberCrime #Telegram #C...
Emerging Threat Model: Python-Based Credential Stealer (CharlieKirk Grabber): Recent analysis of a Python-based information stealer highlights the continued growth of modular, builder-driven malware targeting Windows environments. The sample demonstrates how commodity stealers are evolving to combine credential harvesting, system profiling, and cloud-based exfiltration using legitimate services and scripting frameworks. Key observations: • Browser credentials and cookie extraction from Chrom...
Stay ahead with CYFIRMA’s January 2026 Ransomware Threat Report. January 2026 opened with sustained high ransomware activity and sharp operational volatility across major groups. Qilin remained one of the most active actors despite a post-surge decline, while Cl0p executed a dramatic rebound after a December pause, highlighting how quickly campaigns can reactivate at scale. Thegentlemen and Sinobi recorded rapid growth, reinforcing the fluid, affiliate-driven nature of the ecosystem. ...
Malware Spotlight: LTX Stealer CYFIRMA researchers uncovered a sophisticated Windows info-stealer hidden in a legit Inno Setup installer. Key takeaways: 🔹 Node.js stealer with Bytenode bytecode obfuscation 🔹 Targets Chromium browsers & crypto wallets 🔹 Persists in hidden/system folders under Program Files (x86) 🔹 Uses Supabase for operator auth + Cloudflare to mask backend 🔹 Commercial-grade Malware-as-a-Service (MaaS) Modern attackers are using...
CYFIRMA has identified an active Telegram phishing campaign that abuses Telegram’s legitimate login and in-app authorization workflows to fully compromise user accounts without malware or exploits. By leveraging QR codes and manual login flows tied to attacker-controlled Telegram API credentials, victims are tricked into approving genuine authorization prompts inside the Telegram app under false security pretexts. This abuse-of-function approach increases victim trust, enables large-scale glo...
Critical Alert: CVE-2026-23760 – SmarterMail Pre-Auth Bypass Leading to Full System Compromise Organizations running SmarterTools SmarterMail email servers—widely deployed across SMBs, MSPs, educational institutions, and healthcare environments—must take immediate action. This actively exploited authentication bypass vulnerability allows unauthenticated attackers to reset system administrator passwords and gain complete control over email infrastructure without any credentials. ACTIVE EXPLO...
Threat Research Alert | Android Loan Scam Our analysis uncovered an Android application, Hicas, distributed via the Google Play Store and marketed as a Smart Travel Packing Companion, which covertly operates as a region-targeted fraudulent loan platform. Key Findings: • Play Store app masquerading as a travel utility • Region-based cloaking activates the loan flow only on devices in India (IN) • Remote WebView delivers the full lending workflow • Runtime behavior controlled via external JSON config • No app update...
WinRAR CVE-2025-8088 is a path validation vulnerability that allows a crafted RAR archive to write files outside the intended extraction directory during unpacking. In the observed attack chain, this behavior is abused to silently drop a malicious script into the Windows Startup folder, establishing persistence without requiring administrative privileges or explicit execution by the user. Once triggered, execution continues through an obfuscated Batch script and a PowerShell loader, ultimate...
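The description above names the root cause (the extractor trusts the entry name inside the archive) and the consequence (a file lands in the Startup folder). The following is an added example, not WinRAR's code and not the exploit archive: it shows the path check that a vulnerable extractor skips, side by side with the naive join such an extractor performs. The entry names, including the Startup-folder traversal entry, and the destination directory are constructed for illustration; the check models only the directory-escape aspect of the CVE, not any specific bypass the advisory may describe.

```python
"""Archive extraction path validation (added example, not WinRAR's code).

A CVE-2025-8088-style extractor joins the archive's entry name onto the
destination directory without validating it, so an entry name containing
"..\\" is written outside the extraction folder. is_safe_entry() resolves each
entry against the destination and rejects anything that escapes it.
All sample entries and paths are constructed for illustration.
"""
import ntpath
import os


def naive_target(entry_name: str, dest_dir: str) -> str:
    """What a vulnerable extractor effectively does: join and write."""
    return os.path.normpath(os.path.join(dest_dir, entry_name.replace("\\", "/")))


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """True only if the entry resolves to a location inside dest_dir."""
    if not entry_name:
        return False
    # Archives created on Windows carry backslashes; treat both separators alike.
    norm = entry_name.replace("\\", "/")
    # Absolute names (POSIX "/x", Windows "C:\\x", UNC "\\\\srv\\share") are never legitimate.
    if norm.startswith("/") or ntpath.splitdrive(entry_name)[0]:
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    # Either the directory itself (e.g. "docs/..") or strictly beneath it.
    # The trailing separator stops "/tmp/extract-evil" matching "/tmp/extract".
    return target == dest or target.startswith(dest + os.sep)


def classify_entries(entry_names, dest_dir):
    """Label each entry 'ok' or 'REJECT' before any write happens."""
    return [(name, "ok" if is_safe_entry(name, dest_dir) else "REJECT")
            for name in entry_names]


# Constructed archive listing: two benign entries, a POSIX-style and a
# Windows-style traversal into the per-user Startup folder, and an absolute path.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/../readme.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.bat",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat",
    "C:\\Users\\Public\\update.bat",
]
DEST = "/tmp/extract"  # hypothetical extraction directory


if __name__ == "__main__":
    for name, verdict in classify_entries(SAMPLE_ENTRIES, DEST):
        print(f"{verdict:7} {name}")
        if verdict == "REJECT":
            print(f"        naive extractor would write: {naive_target(name, DEST)}")
```

The important design point is that the decision is made on the resolved path, not on a substring search for "..": an entry such as "docs/../readme.txt" is harmless and is accepted, while any name whose resolution leaves the destination is refused before a single byte is written. The same check applies to ZIP, TAR and 7z extraction code, where the identical bug class recurs.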
Mamba 2FA illustrates the evolution of phishing into highly automated adversary-in-the-middle attacks that can bypass traditional MFA by closely emulating legitimate cloud authentication experiences. As part of a broader phishing-as-a-service ecosystem, these tools enable scalable, low-effort campaigns with high impact across cloud environments. Addressing this threat requires phishing-resistant MFA (such as FIDO2/WebAuthn), layered identity controls, and continuous monitoring of emerging phishing techniques. ...
Emerging Threat Model: SOLYXIMMORTAL Malware Recent analysis highlights how modern commodity malware continues to evolve by abusing legitimate system functionality rather than relying on exploits or vulnerabilities. The malware demonstrates how attackers can achieve persistent access, credential theft, and user surveillance entirely within the user space, leveraging trusted operating system features and third-party services. Key observations: User-level persistence via AppData and registry R...
Stay ahead with CYFIRMA’s December 2025 Ransomware Report. December marked the most active month of 2025 with 801 global ransomware victims, signaling a strong year-end escalation. Qilin surged to 175 victims, reinforcing its dominance, while Safepay and Sinobi posted sharp month-over-month growth, highlighting shifting group momentum. Ransomware operations increasingly adopted cartel-style, access-driven models, abusing trusted security tools, hypervisors, and enterprise file-sharing platfo...
The threat landscape just got more complex. The Scattered LAPSUS$ Hunters alliance has re-emerged, merging the tactics of notorious groups. This isn’t just a name change; it’s a shift toward professionalized, identity-centric extortion. What you need to know: • High-Value Targets: Focused on enterprises with $500M+ revenue, specifically in Cloud, Telecom, and Finance. • Identity is the Perimeter: They specialize in "logging in" rather than "hacking in," using advanced vishing (voice phishing) a...
APT36 Targets Indian Entities Using Weaponized Windows Shortcut Files CYFIRMA has identified a coordinated cyber-espionage campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor persistently targeting Indian government entities and strategic sectors. This campaign highlights APT36’s evolving tradecraft, leveraging malicious Windows shortcut (.LNK) files and multi-stage payload delivery to stealthily compromise victim systems while masquerading as legitimate docume...
Hacktivist activity is often dismissed as low-sophistication noise, website defacements, DDoS attacks, or online activism. Our latest research argues that this view is increasingly outdated. The report introduces Hacktivist Proxy Operations as a repeatable model of deniable cyber pressure, where ideologically aligned non-state groups apply disruption, narrative amplification, and psychological pressure in ways that align with state geopolitical interests without formal sponsorship or direct...
Threat Alert: APT36 CYFIRMA has identified a targeted malware campaign abusing fake NCERT WhatsApp advisory PDFs to compromise Windows systems. Link to the Research Report: APT36 LNK-BASED MALWARE CAMPAIGN LEVERAGING MSI PAYLOAD DELIVERY - CYFIRMA #APT36 #CyberThreatIntelligence #MalwareAnalysis #ThreatHunting #Cybersecurity #ETLM #CYFIRMA https://www.cyfirma.com/
A sophisticated QR-code phishing (“quishing”) campaign is targeting employees with payroll-themed lures, bypassing email security and harvesting credentials via obfuscated, per-victim infrastructure. This trend underscores the growing risk of mobile-based phishing and the need for stronger user awareness and behavior-driven defenses. Link to the Research Report: Quishing Campaigns : Advanced QR-Code Phishing Evaluation and Insights - CYFIRMA #Quishing #Phishing #CyberThreats #...
New Research Alert: NexusRoute Campaign Uncovered We’ve uncovered a large-scale Android malware and phishing operation impersonating Indian government services like mParivahan and e-Challan. Threat actors are abusing GitHub to host malicious APKs and fake payment portals, tricking users into sharing OTPs, UPI PINs, and financial details. The malware uses advanced techniques—dynamic loaders, native code, SMS hijacking, screen capture, and persistent background services—to monitor ...
Mobile Threat Alert: Crypto Mnemonic Phrase Stealer SeedSnatcher is a newly uncovered Android malware family targeting the crypto ecosystem, built to steal users’ mnemonic recovery phrases using a sophisticated DisplayOverlay attack. Capabilities: • Intercepts and exfiltrates seed phrases and private keys from major cryptocurrency wallets • Presents deceptive wallet-import screens to lure users into entering their recovery phrases • Communicates with its command-and-control servers via encrypted Web...