Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Windows Remote Desktop Protocol: Remote to Rogue

Source: Google Cloud

Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture. This technique has been previously dubbed as “Rogue RDP.” Read more.

Malicious VSCode extensions infect Windows with cryptominers

Source: BLEEPINGCOMPUTER

Nine VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. Read more.

How ToddyCat tried to hide behind AV software

Source: SECURELIST

Attackers get around this protection mechanism by using legitimate drivers that have the right signature but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check the applications that perform it. But what if a security solution itself performs unsafe activity? Read more.

Someone hacked ransomware gang Everest’s leak site

Source: TechCrunch

The leak site, which the ransomware gang uses to publish stolen files to extort its victims into paying a ransom demand, was replaced with a brief text note: “Don’t do crime CRIME IS BAD xoxo from Prague.” Read more.

OH-MY-DC: OIDC Misconfigurations in CI/CD

Source: Unit 42

In the course of investigating the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments, Unit 42 researchers discovered problematic patterns and implementations that could be leveraged by threat actors to gain access to restricted resources. One instance of such an implementation was identified in CircleCI’s OIDC. Read more.
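The misconfiguration class described above comes down to how narrowly a resource trusts the claims in a CI job's OIDC token. The following is an added example (not Unit 42's or CircleCI's code) contrasting a trust policy that only checks the issuer with one that also pins the audience and a project-scoped subject pattern. The issuer URL, audience, subject layout ("org/<org>/project/<project>/user/<user>") and the HMAC-signed stand-in tokens are all constructed for the demo; real providers publish asymmetric keys via JWKS, so in production the signature step is done by a JWT library against those keys.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

# Constructed demo secret: a stand-in for the identity provider's signing key.
# Real CI providers sign OIDC tokens with asymmetric keys (RS256) published
# through JWKS; the HMAC stand-in keeps this example self-contained and offline.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"
ISSUER = "https://oidc.ci.example"        # assumed issuer URL
AUDIENCE = "https://api.cloud.example"    # assumed resource audience
# Subject pattern for the one pipeline allowed to reach the resource (assumed layout).
ALLOWED_SUB = "org/acme/project/billing-api/user/*"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a constructed HS256 JWT so the demo has tokens to evaluate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only if the signature verifies; raise otherwise."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def weak_policy(token: str) -> bool:
    """Misconfiguration pattern: trust anyone the issuer vouches for.
    Every pipeline in every project behind that provider gets in."""
    claims = verify_signature(token)
    return claims.get("iss") == ISSUER


def strict_policy(token: str, allowed_sub: str = ALLOWED_SUB) -> bool:
    """Pin issuer, audience and a narrow subject glob.
    The glob should stay anchored to a specific project; 'org/acme/*'
    would reopen the cross-project hole."""
    claims = verify_signature(token)
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    return (
        claims.get("iss") == ISSUER
        and AUDIENCE in audiences
        and fnmatch.fnmatchcase(claims.get("sub", ""), allowed_sub)
    )


# Constructed tokens: the intended pipeline, a different project in the same
# org, and a copy of the good token whose payload was edited after signing.
GOOD = make_token({"iss": ISSUER, "aud": AUDIENCE,
                   "sub": "org/acme/project/billing-api/user/u-1"})
OTHER_PROJECT = make_token({"iss": ISSUER, "aud": AUDIENCE,
                            "sub": "org/acme/project/sandbox/user/u-9"})


def forged_token() -> str:
    """Swap in the good subject under a foreign token's signature."""
    header, _, sig = OTHER_PROJECT.split(".")
    body = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE,
                               "sub": "org/acme/project/billing-api/user/u-1"}).encode())
    return f"{header}.{body}.{sig}"


def rejects_forged() -> bool:
    """True when the tampered token is refused before any claim is trusted."""
    try:
        strict_policy(forged_token())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("weak policy, other project:", weak_policy(OTHER_PROJECT))      # True
    print("strict policy, other project:", strict_policy(OTHER_PROJECT))  # False
    print("strict policy, intended pipeline:", strict_policy(GOOD))       # True
    print("forged token rejected:", rejects_forged())                     # True
```

The point the two policies make is that a valid signature from the right issuer only proves the token came from the CI provider, not that it came from the pipeline you meant to authorize; the `aud` and `sub` checks carry that distinction, and they are the checks a misconfigured trust relationship tends to leave out.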

The Rising Threat of Cyberwarfare: Extreme Cyber Weapons and Their Potential to Disrupt Critical Infrastructure

Source: IDST

Cyber warfare is the use of technology to launch covert attacks on nations, governments, and even citizens, causing harm comparable to that of conventional warfare. This new battleground allows adversaries to disrupt or destroy critical infrastructure—power grids, telecommunications, banking systems—by targeting the computer networks that control them. Read more.

Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

Source: Hunt.io

The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot, sending the victim’s IP address, before transitioning to Pyramid C2 to control the infected host. Read more.

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

Source: Sophos News

Late in January 2025, a Managed Service Provider (MSP) administrator received a well-crafted phishing email containing what appeared to be an authentication alert for their ScreenConnect RMM tool. That email resulted in Qilin ransomware actors gaining access to the administrator’s credentials—and launching ransomware attacks on the MSP’s customers. Read more.

RolandSkimmer: Silent Credit Card Thief Uncovered

Source: Fortinet

FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named after the unique string “Rol@and4You” found embedded in its payload. This threat actor targets users in Bulgaria and represents a new wave of credit card skimming attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox. Read more.

Emulating the Sophisticated Russian Adversary Seashell Blizzard

Source: ATTACKIQ

The BadPilot campaign is a sophisticated, long-running operation primarily focused on gaining initial access to targeted networks. The campaign is attributed to a Seashell Blizzard subgroup and is known for its strategic use of spear-phishing emails and exploiting vulnerabilities in software to breach networks. Read more.