CYFIRMA’s research team has conducted an in-depth investigation into Konni RAT, a sophisticated remote access trojan (RAT) that uses advanced evasion techniques to bypass detection. It exploits Windows features, such as file extension hiding and the 260-character limit for LNK files, to conceal malicious activity. After gaining access, Konni RAT maintains persistence through registry modifications and collects sensitive data from infected systems, and exfiltrates this information to rem...
Hackers are leveraging Python-based Discord RATs to exploit Discord’s API as a Command and Control (C2) platform. This sophisticated malware allows attackers to gain complete control over compromised systems, making it a serious cybersecurity risk. It can steal credentials from browsers, execute remote system commands, capture live screenshots for surveillance, and manipulate Discord servers for persistence. With Discord increasingly targeted by cybercriminals, awareness is key. Link to the Research Report: ht...
The CYFIRMA research team has identified a fake Indian Post Office website leveraging the Clickfix technique to target Indian users. The report details how a Pakistani threat actor is targeting both Windows and Android users by dropping APK files for Android devices, copying PowerShell commands to the clipboard, and dropping a Clickfix instructions PDF file. Link to the Research Report: https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-ta...
Critical Alert: Immediate action is required for all organizations using Apache Tomcat! CVE-2025-24813 is a critical Remote Code Execution (RCE) vulnerability that allows attackers to bypass security controls via a path equivalence flaw, leading to arbitrary code execution. Active exploitation has been observed, with public PoC exploits available, increasing the urgency for mitigation. Given Tomcat’s widespread use in enterprise and cloud environments, this poses a severe security risk. Stay...
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – February 2025. Ransomware activity surged by 87.45% in February, with Cl0p witnessing an alarming 453% rise. The Manufacturing, FMCG, and Transportation sectors faced the highest spike in attacks. The U.S. remained the top target, followed by Canada, the U.K., Germany, and France. Notably, China-linked actors exploited a Check Point vulnerability to deploy ShadowPad and ransomware. New ransomware gro...
Hacktivists often become active participants in cyber conflicts whenever geopolitical tensions arise. This has been evident during events like the Israel-Palestine conflict and the Russia-Ukraine war. Recently, tensions flared between Malaysia and Indonesia following the death of a migrant worker attempting to cross the Malaysian border with four others. This incident sparked public outrage against Malaysian authorities, prompting Indonesian hacktivists to launch cyberattacks on Malaysian web...
CYFIRMA research has identified a new ransomware variant named LithiumWare, showcasing advanced capabilities designed to disrupt, encrypt, and steal. Key Features of LithiumWare: Data Theft: Exhibits activities indicative of stealing personal data, including detecting crypto-addresses. Persistence: Creates files in the startup directory, manipulates desktop.ini for cloaking, and executes services like svchost.exe. Reconnaissance: Reads machine GUIDs, security settings, and environmen...
China's DeepSeek recently shocked the AI world, challenging US dominance and raising serious security concerns. Did US export controls backfire, fuelling China's AI rise and a new era of cyber threats? Link to the Research Report: https://www.cyfirma.com/blogs/deepfake-or-the-sputnik-moment-in-the-ai-race/ #Geopolitics #CyfirmaResearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #China #AIdominance #Nvidia #Datatheft ...
Cybercriminals have developed a new sophisticated method to distribute malware via fake CAPTCHA pages, tricking users into executing malicious scripts. Our investigation reveals that the Lumma Stealer is leveraging this tactic to harvest sensitive data, including credentials, cryptocurrency assets, and credit card info. Link to the Research Report: https://www.cyfirma.com/research/fake-captcha-malware-campaign-how-cybercriminals-use-deceptive-verifications-to-distribute-malware/ #CyberSecu...
This report explores a fake financial management app on the Google Play Store named Finance Simplified, which has been downloaded over 100,000 times. The app reportedly downloads an additional fraudulent loan application targeting Indian users. Once installed, users attempting to secure loans are subjected to cyber blackmail and bullying. The malicious app gains unauthorized access to sensitive user data, including Clipboard content, Files, SMS, Contacts, Camera, and more. The CYFIRMA r...
The cyber threat landscape is evolving, with hackers deploying multi-stage malware using obfuscation, steganography, and covert communication channels to evade detection. Attacks start with an Obfuscated JavaScript, fetching encoded commands from a URL and executing an obfuscated PowerShell script, downloading a JPG image and obfuscated text file concealing malicious MZ DOS executables. The Stealer malware is then deployed, extracting passwords, browser data, and system info. The stolen data...
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – January 2025 Report. January witnessed 510 ransomware victims globally, with Akira emerging as the most active group while new threats like MORPHEUS surfaced. The Manufacturing sector was the most targeted, and the USA remained the top victim region with 259 reported cases. Notably, Akira’s activity surged by 60%, while Lynx and Incransom saw exponential growth, rising b...
Our Q4 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups across Iran, North Korea, Russia, and China. These groups intensified operations with a sharp focus on credential theft through phishing, MFA push-bombing, and fake job scams. RomCom (Russia) and Lazarus (North Korea) exploited zero-day vulnerabilities in Mozilla, Windows, and Google Chrome for stealthy malware deployment, while Jumpy Pisces (Andariel) partnered with Play ran...
Malware disguised as a banking app is spreading through phishing and unofficial app stores. Built with Kotlin, this malware steals personal info and card details, leaking everything to criminals via Telegram bots and hidden servers. Stay safe! Only download apps from official stores, check permissions, and NEVER share sensitive info on unsecured platforms. Link to the Research Report: https://www.cyfirma.com/research/finstealer/ #Cybersecurity #MalwareAlert #BankingSecurity&...
Flesh Stealer, a newly identified malware first observed in August 2024 and written in C#, targets browsers like Chrome, Firefox, and Edge to harvest saved passwords, cookies, and browsing history. It also extracts data from applications such as Telegram and Signal, including stored chats and databases. Interestingly, it avoids executing on systems configured with regional settings for CIS (Commonwealth of Independent States) countries, likely to evade local detection. It is equipped wi...
Astral Stealer: A Sophisticated Threat! Our latest research uncovers Astral Stealer, a powerful malware designed to exfiltrate sensitive data using browser injections, credential dumping, and sophisticated evasion techniques. As a publicly available threat, it provides cybercriminals with the means to bypass security defenses and exploit vulnerable systems. The developer is potentially based in France with ties to multiple gaming platforms, suggesting a possible connection between gami...
New Ransomware Alert: "Windows Locker" A new .NET-based ransomware strain, Windows Locker, is making waves with its advanced tactics; read the CYFIRMA research team's full report for a comprehensive analysis. Encryption: Files are encrypted with the .winlocker extension. Ransom Note: Victims receive a Readme.txt file with instructions to contact the attacker. Persistence: The ransomware modifies registry keys to stay active on compromised systems. No Recovery: It deletes shado...
A critical SQL injection vulnerability (CVE-2024-45387) has been discovered in Apache Traffic Control's Traffic Ops component, impacting versions 8.0.0 and 8.0.1. Attackers with high-level roles (admin, federation, operations, portal, steering) can execute malicious SQL queries, risking data compromise, privilege escalation, and service disruption. Link to the Research Report: https://www.cyfirma.com/research/cve-2024-45387-critical-vulnerability-in-apache-traffic-control/ #CVE20244538...
The CYFIRMA team has analyzed malware linked to the Indian APT group DONOT, uncovering its use of a deceptive app called “Tanzeem” to gather intelligence under the guise of a chat platform. The app shuts down after permissions are granted, suggesting a targeted approach. Two analyzed versions, from October and December, showed minimal differences, indicating consistent tactics. The misuse of the OneSignal platform, typically for legitimate notifications, to deliver phishing links highlights t...
The swift fall of the Syrian regime caught major players off guard, including Russia and Iran, who had heavily invested in propping up the state. While the USA considers withdrawal, Turkey is positioned to greatly increase its influence, while Iran and Russia suffer a significant strategic blow and might start relying more heavily on their cyber capabilities and rocket forces, including a potential push for nuclear weapons in the case of Tehran. Link to the Research Report: https://www.cyfirma.com/...