Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector.
"The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware."
Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024.
Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025.
In the latest set of Latrodectus attacks observed by Expel in May 2025, unsuspecting users are tricked into copying and executing a PowerShell command from an infected website, a tactic that has become a prevalent method to distribute a wide range of malware.
"When run by a user, these commands will attempt to install a file located at the remote URL using MSIExec, and then execute it in memory," Expel said. "This keeps the attacker from having to write the file to the computer and risk being detected by the browser or an antivirus that might detect it on disk."
The MSI installer contains a legitimate application from NVIDIA, which is used to sideload a malicious DLL, which then uses curl to download the main payload.
To mitigate attacks of this type, it's advised to disable the Windows Run program using Group Policy Objects (GPOs) or turn off the "Windows + R" hot key via a Windows Registry change.
From ClickFix to TikTok
The disclosure comes as Trend Micro revealed details of a new engineering campaign that instead of relying on fake CAPTCHA pages employs TikTok videos likely generated using artificial intelligence (AI) tools to deliver the Vidar and StealC information stealers by instructing users to run malicious commands on their systems to activate Windows, Microsoft Office, CapCut, and Spotify.
These videos have been posted from various TikTok accounts such as @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. These accounts are no longer active. One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly" has amassed nearly 500,000 views, with over 20,000 likes and more than 100 comments.
The campaign marks a new escalation of ClickFix in that users searching for ways to activate pirated apps are verbally and visually guided to open the Windows Run dialog by pressing the "Windows + R" hot key, launch PowerShell, and run the command highlighted in the video, ultimately compromising their own systems.
"Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features," security researcher Junestherry Dela Cruz said.
"This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware."
Fake Ledger Apps Used to Steal Mac Users' Seed Phrases
The findings also follow the discovery of four different malware campaigns that leverage a cloned version of the Ledger Live app to steal sensitive data, including seed phrases, with the goal of draining victims' cryptocurrency wallets. The activity has been ongoing since August 2024.
The attacks make use of the malicious DMG files that, when launched, launches AppleScript to exfiltrate passwords and Apple Notes data, and then download a trojanized version of Ledger Live. Once the app is opened, it warns users of a supposed account problem and that it requires their seed phrase for recovery. The entered seed phrase is sent to an attacker-controlled server.
Moonlock Lab, which shed light on the campaign, said the rogue apps make use of macOS stealer malware like Atomic macOS Stealer (AMOS) and Odyssey, the latter of which introduced the novel phishing scheme in March 2025. It's worth noting that the activity overlaps with a macOS infostealer campaign that targets Ledger Live users through PyInstaller-packed binaries, as revealed by Jamf this month.
"On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape," MacPaw's cybersecurity division noted. "Hackers will continue to exploit the trust crypto owners place in Ledger Live."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/cZ4JlzF
via IFTTT
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment.
"Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said.
"This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault."
CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions.
The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment.
The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells.
"Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments," Commvault said in an announcement. "This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments."
Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data.
To mitigate such threats, CISA is recommending that users and administrators follow the below guidelines -
Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals
Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting
For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses
Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need
Restrict access to Commvault management interfaces to trusted networks and administrative systems
Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it's continuing to investigate the malicious activity in collaboration with partner organizations.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/0RP7Y8B
via IFTTT
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.
GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write, review, and edit code. Built using Anthropic's Claude models, the service was first launched in June 2023.
But as Legit Security found, GitLab Duo Chat has been susceptible to an indirect prompt injection flaw that permits attackers to "steal source code from private projects, manipulate code suggestions shown to other users, and even exfiltrate confidential, undisclosed zero-day vulnerabilities."
Prompt injection refers to a class of vulnerabilities common in AI systems that enable threat actors to weaponize large language models (LLMs) to manipulate responses to users' prompts and result in undesirable behavior.
Indirect prompt injections are a lot more trickier in that instead of providing an AI-crafted input directly, the rogue instructions are embedded within another context, such as a document or a web page, which the model is designed to process.
What's more, Prompt Leakage (PLeak) methods could be used to inadvertently reveal the preset system prompts or instructions that are meant to be followed by the model.
"For organizations, this means that private information such as internal rules, functionalities, filtering criteria, permissions, and user roles can be leaked," Trend Micro said in a report published earlier this month. "This could give attackers opportunities to exploit system weaknesses, potentially leading to data breaches, disclosure of trade secrets, regulatory violations, and other unfavorable outcomes."
The latest findings from the Israeli software supply chain security firm show that a hidden comment placed anywhere within merge requests, commit messages, issue descriptions or comments, and source code was enough to leak sensitive data or inject HTML into GitLab Duo's responses.
These prompts could be concealed further using encoding tricks like Base16-encoding, Unicode smuggling, and KaTeX rendering in white text in order to make them less detectable. The lack of input sanitization and the fact that GitLab did not treat any of these scenarios with any more scrutiny than it did source code could have enabled a bad actor to plant the prompts across the site.
"Duo analyzes the entire context of the page, including comments, descriptions, and the source code — making it vulnerable to injected instructions hidden anywhere in that context," security researcher Omer Mayraz said.
This also means that an attacker could deceive the AI system into including a malicious JavaScript package in a piece of synthesized code, or present a malicious URL as safe, causing the victim to be redirected to a fake login page that harvests their credentials.
On top of that, by taking advantage of GitLab Duo Chat's ability to access information about specific merge requests and the code changes inside of them, Legit Security found that it's possible to insert a hidden prompt in a merge request description for a project that, when processed by Duo, causes the private source code to be exfiltrated to an attacker-controlled server.
This, in turn, is made possible owing to its use of streaming markdown rendering to interpret and render the responses into HTML as the output is generated. In other words, feeding it HTML code via indirect prompt injection could cause the code segment to be executed on the user's browser.
Following responsible disclosure on February 12, 2025, the issues have been addressed by GitLab.
"This vulnerability highlights the double-edged nature of AI assistants like GitLab Duo: when deeply integrated into development workflows, they inherit not just context — but risk," Mayraz said.
"By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes."
The disclosure comes as Pen Test Partners revealed how Microsoft Copilot for SharePoint, or SharePoint Agents, could be exploited by local attackers to access sensitive data and documentation, even from files that have the "Restricted View" privilege.
"One of the primary benefits is that we can search and trawl through massive datasets, such as the SharePoint sites of large organisations, in a short amount of time," the company said. "This can drastically increase the chances of finding information that will be useful to us."
The attack techniques follow new research that ElizaOS (formerly Ai16z), a nascent decentralized AI agent framework for automated Web3 operations, could be manipulated by injecting malicious instructions into prompts or historical interaction records, effectively corrupting the stored context and leading to unintended asset transfers.
"The implications of this vulnerability are particularly severe given that ElizaOSagents are designed to interact with multiple users simultaneously, relying on shared contextual inputs from all participants," a group of academics from Princeton University wrote in a paper.
"A single successful manipulation by a malicious actor can compromise the integrity of the entire system, creating cascading effects that are both difficult to detect and mitigate."
Prompt injections and jailbreaks aside, another significant issue ailing LLMs today is hallucination, which occurs when the models generate responses that are not based on the input data or are simply fabricated.
According to a new study published by AI testing company Giskard, instructing LLMs to be concise in their answers can negatively affect factuality and worsen hallucinations.
"This effect seems to occur because effective rebuttals generally require longer explanations," it said. "When forced to be concise, models face an impossible choice between fabricating short but inaccurate answers or appearing unhelpful by rejecting the question entirely."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/K8WP1ef
via IFTTT
Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances.
It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.
"These vulnerabilities, when chained together, could allow an attacker to fully compromise both the application and the underlying host system," ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra said in a report shared with The Hacker News.
The security defects are listed below -
CVE-2025-34025 (CVSS score: 8.6) - A privilege escalation and Docker container escape vulnerability that's caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine
CVE-2025-34026 (CVSS score: 9.2) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via CVE-2024-45410
CVE-2025-34027 (CVSS score: 10.0) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads ("/portalapi/v1/package/spack/upload") via arbitrary file writes
Successful exploitation of CVE-2025-34027 could allow an attacker to leverage a race condition and write malicious files to disk, ultimately resulting in remote code execution using LD_PRELOAD and a reverse shell.
"Our approach involved overwriting ../../../../../../etc/ld.so.preload with a path pointing to /tmp/hook.so," the researchers said. "Simultaneously, we uploaded /tmp/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to ensure that both files were written within the same request."
"Once these files were successfully written, any command execution on the system while both persisted would result in the execution of /tmp/hook.so, thereby giving us a reverse shell."
In the absence of an official fix, users are advised to block semicolons in URL paths and drop requests where the Connection header contains the value X-Real-Ip. It's also recommended to monitor network traffic and logs for any suspicious activity.
The Hacker News has reached out to Versa Networks for comment, and we will update the story if we hear back.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/9Jvf2LU
via IFTTT
Welcome to this week’s edition of the Threat Source newsletter.
Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton.
It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork.
What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all?
Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an actual complaint that a Conti member made about a fellow actor not showing up).
In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They're opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands?
Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.
Oof, I didn’t mean to knock freelancers there. Just, you know, those ones…
History suggests fallouts are inevitable. Conti's collapse, as Wired reported, started with a single angry post and spiraled into a full on leak about poor performance records:
“I have 100 people here, half of them, even 10 percent, do not do what they need.”
- Stern (or Demon), former Conti CEO
LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer.
To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?
The one big thing
In Talos’ most recent blog post, we shared that UAT-6382, Chinese-speaking threat actors, have exploited Cityworks, a widely-used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control.
Why do I care?
UAT-6382 is not only exploiting this vulnerability, but they're also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime.
So now what?
While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.
Top security headlines of the week
NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch
VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available. (SecurityWeek)
NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited
The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (Dark Reading)
Kettering Health hit by system-wide outage after ransomware attack
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (BleepingComputer)
Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible. This is especially important for releases that update components like Salt and Elastic.
New Installations
If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:
Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.
Questions, Problems, and Feedback
If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:
We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!
Are you looking to securely connect to and protect your cloud infrastructure with a flexible, powerful solution? We're excited to share our latest tutorial video that guides you through the process of launching pfSense Plus directly from the AWS Marketplace.
Why pfSense Plus on AWS?
pfSense Plus is the world's leading firewall, router, and VPN solution for network edge and cloud secure networking. With millions of installations worldwide, pfSense Plus protects homes, businesses, governments, and educational institutions with business-grade security at a fraction of the cost of traditional solutions.
pfSense Plus on AWS gives you all the power and flexibility of pfSense Plus software with the scalability and convenience of the cloud. There are no artificial throughput limits or hidden feature licensing fees - you get access to all features at one simple price.
Unlike other cloud security solutions that charge extra for VPN tunnels, NAT connections, or advanced features, pfSense Plus includes everything in one transparent subscription. This can lead to significant cost savings for your organization, especially for VPN-intensive or NAT-heavy workloads.
If you're looking to implement a multi-cloud strategy, secure hybrid cloud environments, or need advanced routing capabilities for your cloud infrastructure, pfSense Plus on AWS provides an excellent solution.
Ready to Get Started?
Watch the full tutorial below to see how you can deploy pfSense Plus on AWS in just a few minutes. For additional guidance, please visit our documentation page or contact our Technical Assistance Center.
You can also contact our sales team at sales@netgate.com to set up a free Proof of Concept (POC) or discuss private offers with custom terms and pricing tailored to your business requirements.
A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell.
"UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access," Cisco Talos researchers Asheer Malhotra and Brandon White said in an analysis published today. "Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utility management."
The network security company said it observed the attacks targeting enterprise networks of local governing bodies in the United States starting January 2025.
CVE-2025-0944 (CVSS score: 8.6) refers to the deserialization of untrusted data vulnerability affecting the GIS-centric asset management software that could enable remote code execution. The vulnerability, since patched, was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in February 2025.
According to indicators of compromise (IoCs) released by Trimble, the vulnerability has been exploited to deliver a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell in an attempt to maintain long-term access to infected systems.
Cisco Talos, which is tracking the Rust-based loader as TetraLoader, said it's built using MaLoader, a publicly available malware-building framework written in Simplified Chinese.
Successful exploitation of the vulnerable Cityworks application results in the threat actors conducting preliminary reconnaissance to identify and fingerprint the server, and then dropping web shells like AntSword, chinatso/Chopper, and Behinder that are widely put to use by Chinese hacking groups.
"UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration," the researchers said. "UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/3xpU6XI
via IFTTT
The CloudStack India User Group 2025 will be taking place on July 11th in the D1 Yotta Data Center in Greater Noida. ShapeBlue is proud to once again be sponsoring the User Group, alongside the local event host, Yotta. If you are based in or around India and are interested in open-source cloud technology, register today to take part and watch technical talks, live demos, and real-world user stories. Whether you’re experienced with Apache CloudStack or just starting to explore it, the User Group welcomes all participants.
Several of ShapeBlue’s employee-owners will be attending the User Group and contributing session proposals through the official Call for Presentations. You’re invited to do the same by clicking the button below!
While the community awaits the official User Group agenda, event host Yotta has announced it will offer a complimentary tour of its Data Center — the same facility where the User Group will take place.
Hear from the User Group Chair, Rohit Yadav
“The CloudStack India User Group (CSIUG) meetup brings together real users and developers to share practical insights, integrations, and success stories. With tech talks, live demos, and face-to-face networking, it’s a great space for anyone using or considering Apache CloudStack, to learn and connect with others.
If you’re building or running IaaS cloud infrastructure in India, CSIUG is where you want to be.”
– Rohit Yadav, ShapeBlue VP of Engineering, CSIUG Chairman & CloudStack PMC Member
Spread the Word
Help the CloudStack community build momentum for the User Group by sharing the event on social media. Use the registration and CFP links to spread the word across your network. Every share helps strengthen the reach and impact of the event.
Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.
Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.
"This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the bulletin said.
The alert comes weeks after France's foreign ministry accused APT28 of mounting cyber attacks on a dozen entities including ministries, defense firms, research entities, and think tanks since 2021 in an attempt to destabilize the nation.
Then last week, ESET took the wraps off a campaign dubbed Operation RoundPress that it said has been ongoing since 2023 by exploiting cross-site scripting (XSS) vulnerabilities in various webmail services like Roundcube, Horde, MDaemon, and Zimbra to single out governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America.
According to the latest advisory, cyber attacks orchestrated by APT28 are said to have involved a combination of password spraying, spear-phishing, and modifying Microsoft Exchange mailbox permissions for espionage purposes.
The primary targets of the campaign include organizations within NATO member states and Ukraine spanning defense, transportation, maritime, air traffic management, and IT services verticals. No less than dozens of entities in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States are estimated to have been targeted.
Initial access to targeted networks is said to have been facilitated by leveraging seven different methods -
Brute-force attacks to guess credentials
Spear-phishing attacks to harvest credentials using fake login pages impersonating government agencies and Western cloud email providers that were hosted on free third-party services or compromised SOHO devices
Spear-phishing attacks to deliver malware
Exploitation of Outlook NTLM vulnerability (CVE-2023-23397)
Once the Unit 26165 actors gain foothold using one of the above methods, the attacks proceed to the post-exploitation phase, which involves conducting reconnaissance to identify additional targets in key positions, individuals responsible for coordinating transport, and other companies cooperating with the victim entity.
The attackers have also been observed using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from the Active Directory.
"The actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection," the agencies pointed out. "The actors used manipulation of mailbox permissions to establish sustained email collection at compromised logistics entities."
Another notable trait of the intrusions is the use of malware families like HeadLace and MASEPIE, to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants like OCEANMAP and STEELHOOK have been used to directly target logistics or IT sectors.
During data exfiltration, the threat actors have relied on different methods based on the victim environment, often utilizing PowerShell commands to create ZIP archives to upload the collected data to their own infrastructure, or employing Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers.
"As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine's territorial defense, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid," the agencies said. "These actors have also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments."
The disclosure comes as Cato Networks revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer.
"The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users," researchers Guile Domingo, Guy Waizel, and Tomer Agayev said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/arcOJWQ
via IFTTT
Over the past year, Microsoft observed the persistent growth and operational sophistication of Lumma Stealer, an infostealer malware used by multiple financially motivated threat actors to target various industries. Our investigation into Lumma Stealer’s distribution infrastructure reveals a dynamic and resilient ecosystem that spans phishing, malvertising, abuse of trusted platforms, and traffic distribution systems. These findings underscore the importance of collaborative efforts to disrupt cybercrime. Microsoft, partnering with others across industry and international law enforcement, recently facilitated a disruption of Lumma infrastructure.
Lumma Stealer (also known as LummaC2) is a malware as a service (MaaS) offering that is capable of stealing data from various browsers and applications such as cryptocurrency wallets and installing other malware. Microsoft Threat Intelligence tracks the threat actor who developed and maintains the Lumma malware, command-and-control (C2) infrastructure, and the Lumma MaaS as Storm-2477. Affiliates who pay Storm-2477 for the service and operate their own Lumma campaigns access a panel to build the malware binary and manage the C2 communications and stolen information. We have observed ransomware threat actors like Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 using Lumma Stealer in campaigns.
Unlike earlier infostealers that relied heavily on bulk spam or exploits, Lumma Stealer exemplifies a shift toward multi-vector delivery strategies. Its operators demonstrate resourcefulness and proficiency in impersonation tactics. The Lumma Stealer distribution infrastructure is flexible and adaptable. Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities.
The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats. In this blog post, we share our analysis of Lumma Stealer and its infrastructure and provide guidance on how users and organizations can protect themselves from this threat. Microsoft remains committed to sharing insights, developing protections, and working with partners across industries to disrupt malicious ecosystems and safeguard users worldwide.
Figure 1. Heat map detailing global spread of Lumma Stealer malware infections and encounters across Windows devices.
Lumma Stealer delivery techniques
Lumma Stealer leverages a broad and evolving set of delivery vectors. Campaigns often combine multiple techniques, dynamically adapting to evade detection and increase infection success rates. Delivery infrastructure is designed to be ephemeral, shifting rapidly across domains, platforms, and geographies to avoid takedowns.
Phishing emails: Lumma Stealer emails impersonate known brands and services to deliver links or attachments. These campaigns involve expertly crafted emails designed to evoke urgency, often masquerading as urgent hotel reservation confirmations or pending cancellations. The emails lead victims to cloned websites or malicious servers that deploy the Lumma payload to the targets’ environment.
Malvertising: Threat actors inject fake advertisements into search engine results, targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these poisoned links leads users to cloned websites that closely mimic legitimate vendors but instead deliver the Lumma Stealer.
Drive-by download on compromised websites: Threat actors were observed compromising groups of legitimate websites, typically through a particular vulnerability or misconfiguration. They modify site content by inserting malicious JavaScript. The JavaScript runs when sites are visited by unsuspecting users, leading to delivery of a payload, intermediary script, or displaying further lures to convince users to perform an action.
Trojanized applications: In many campaigns, cracked or pirated versions of legitimate applications are bundled with Lumma binaries and distributed through file-sharing platforms. These modified installers often contain no visible payload during installation, executing the malware silently post-launch.
Abuse of legitimate services and ClickFix: Public repositories like GitHub are abused and populated with scripts and binaries, often disguised as tools or utilities. A particularly deceptive method involves fake CAPTCHA pages, commonly observed in the ClickFix ecosystem. Targets are instructed to copy malicious commands into their system’s Run utility under the pretense of passing a verification check. These commands often download and execute Lumma directly in memory, using Base64 encoding and stealthy delivery chains.
Dropped by other malware: Microsoft Threat Intelligence observed other loaders and malware such as DanaBot delivering Lumma Stealer as an additional payload.
All these mechanisms reflect threat actor behavior that prioritizes abuse of user trust, manipulation of legitimate infrastructure, and multi-layered distribution chains designed to evade both technical and human defenses. The following sections discuss some examples of campaigns where the mentioned distribution methods were used to deliver Lumma Stealer.
Drive-by download campaign leveraging EtherHiding and ClickFix to deliver Lumma
In early April 2025, Microsoft observed a cluster of compromised websites leveraging EtherHiding and ClickFix techniques to install Lumma Stealer. EtherHiding is a technique that involves leveraging smart contracts on blockchain platforms like Binance Smart Chain (BSC) to host parts of malicious code. Traditional methods of blocking malicious code, such as IP or domain blocking or content-based detections, are less effective against EtherHiding because the code is embedded in the blockchain. Meanwhile, in the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.
Figure 2. Attack flow for ClickFix to Lumma Stealer
In this campaign, the JavaScript injected into compromised websites directly contacted BSC to retrieve the ClickFix code and lure, which was then presented to the target. Users needed to click the “I’m not a robot” prompt, at which point a command was copied into their clipboard. Users were then instructed to paste and launch this command via the Windows Run prompt. The command downloaded and initiated further code using mshta from check.foquh[.]icu.
Figure 3. Compromised website used EtherHiding and ClickFix techniques to present a fake CAPTCHA lure to visitorsFigure 4. Snippet of the injected JavaScript after Base64 decoding. It implements the EtherHiding technique and communicates with data-seed-prebsc-1-s1.bnbchain[.]org to fetch ClickFix code.Figure 5. This fake verification page is the final part of the ClickFix technique. It instructs users how to launch a malicious command. The command was silently copied into their clipboard during the previous step when they clicked “I’m not a robot”.
Email campaign targeting organizations in Canada to deliver Lumma Stealer
On April 7, 2025, Microsoft Threat Intelligence observed an email campaign consisting of thousands of emails targeting organizations in Canada. The emails used invoice lures for a fitness plan or an online education platform. The emails’ subject lines were personalized to include recipient-specific details such as “Invoice for [recipient email]”. Notably, the attack chain utilized multiple tools available for purchase on underground forums for traffic filtering and social engineering.
The emails contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites. The TDS in turn, redirected users to the attacker-controlled website binadata[.]com that hosted the ClickFix social engineering framework. Like the previous campaign, targets were instructed to click a “I’m not a robot” prompt and run malicious code via a multi-step process. The malicious code was an mshta command that downloaded and executed JavaScript from the IP address 185.147.125[.]174. The JavaScript ran a PowerShell command that downloaded more PowerShell code, which finally downloaded and launched a Lumma Stealer executable. Notably, Xworm malware was also bundled into this executable.
Figure 6. Attack flow for ClickFix leading to Lumma Stealer targeting users in CanadaFigure 7. Fitness plan subscription themed email lureFigure 8. Screenshot of the ClickFix landing after Prometheus TDS redirection
Lumma Stealer malware analysis
The core Lumma Stealer malware is written in a combination of C++ and ASM. The malware author designed it as a MaaS offering. Threat actors can access the panel to build the malware binary and manage the C2 communications and stolen information. The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others. These techniques are implemented on the critical functions to make static analysis difficult, as these can cause tools like Hex-Rays’ IDA fail to produce equivalent decompiled codes. In addition, most of the critical APIs are implemented via low-level syscalls and Heavens Gate Technology.
Lumma Stealer is designed to steal from browsers based on Chromium and Mozilla technology, including Microsoft Edge. In addition, it has the capability to install other malware or plugins, including Clipboard stealer plugin and coin miners, either by downloading to disk or directly in memory.
Process injection and process hollowing
Lumma loader may use process hollowing to inject its malicious payload into legitimate system processes like msbuild.exe, regasm.exe, regsvcs.exe, and explorer.exe. This technique enables execution under the guise of a trusted binary to bypass behavioral detection and endpoint monitoring tools.
Information-stealing capabilities
Lumma Stealer targets a comprehensive set of user data using a specialized collection routine for each type of data. These capabilities have evolved over time, and Microsoft Threat Intelligence has recently observed that the instructions for the target credentials are specified in the configuration file retrieved from the active C2 server. The configuration file is divided into several parts: the “ex” section that pertains to the target list of apps for cryptocurrency wallets and extensions, and “c” sections that pertain to the list of applications and configuration details for browsers, user file’s locations, and other applications.
Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium (including Edge), Mozilla, and Gecko-based browsers.
Cryptocurrency wallets and extensions: Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.
Various applications: Lumma Stealer targets data from various virtual private networks (VPNs) (.ovpn), email clients, FTP clients, and Telegram applications.
User documents: Lumma Stealer harvests files found on the user profiles and other common directories, especially those with .pdf, .docx, or .rtf extensions.
System metadata: Lumma Stealer collects host telemetry such as CPU information, OS version, system locale, and installed applications for tailoring future exploits or profiling victims.
Figure 9. Lumma Stealer configuration file
C2 communication
Lumma Stealer maintains a robust C2 infrastructure, using a combination of hardcoded tier 1 C2s that are regularly updated and reordered, and fallback C2s hosted as Steam profiles and Telegram channels that also point to the tier 1 C2s. The Telegram C2, if available, is always checked first, while the Steam C2 is checked only when all the hardcoded C2s are not active. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy.
While Lumma Stealer affiliates share the tier 1 C2s, there is a capability to add a personal tier 1 C2 domain for an extra cost. The diagram below shows an overview of the Lumma Stealer infrastructure. All traffic is encrypted by HTTPS.
Figure 10. Lumma Stealer C2 communication
Different types of obfuscation are applied to each set of C2 servers. For example, the hardcoded list of C2s, and including the Telegram fallback C2 URL are protected with ChaCha20 crypto, while the Steam profile fallback C2 URL is encrypted using custom stack-based crypto algorithm that can change on each version of Lumma malware.
We have identified up to six versions of Lumma Stealer, and while each of these versions focuses on improving techniques to evade antivirus detections, there are also several changes in the C2 communication protocol and formats such as the C2 domains, URI path, POST data, and others. The core Lumma malware stores the build date as part of the embedded configuration to keep track of improvements, but in our investigation, we tracked major changes using the labels “version 1” through “version 6”.
Lumma Stealer keeps track of the active C2 for sending the succeeding commands. Each command is sent to a single C2 domain that is active at that point. In addition, each C2 command contains one or more C2 parameters specified as part of the POST data as form data. The parameters are:
act: Indicates the C2 command. Note: This C2 parameter no longer exists in Lumma version 6.
ver: Indicates C2 protocol version. This value is always set to 4.0 and has never changed since the first version Lumma.
lid (for version 5 and below)/uid (for version 6): This ID identifies the Lumma client/operator and its campaign.
j (for version 5 and below )/cid (for version 6): This is an optional field that identifies additional Lumma features.
hwid: Indicates the unique identifier for the victim machine.
pid: Used in SEND_MESSAGE command to identify the source of the stolen data. A value of 1, indicates it came from the Lumma core process.
The following are some of the most common Lumma Stealer C2 commands and associated parameters:
PING / LIFE: Initial command to check if the C2 is active. Note: This command does not exist in version 6.
act=life
RECEIVE_MESSAGE: Command to download the stealer’s configuration. As noted above, this contains the specifications on the list of targets.
version 3 and below: act=recive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
version 4 and 5: act=receive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
version 6: uid=<uid_value>&cid=[<cid_value>]
SEND_MESSAGE: Command to send back stolen data in chunks. The C2 parameters are specified as individual section in the whole POST data. The fields included are act=send_message, hwid, pid, lid/uid, and j/cid. The act field was removed in version 6.
GET_MESSAGE: Command to download the second configuration. This configuration contains information about the plugins and additional malware to install on the target systems. We have observed that in most cases this command will respond with valid but empty records “[]”, meaning nothing to download. So far, we have observed Lumma Stealer installing an updated version of the Clipboard stealer plugin and coin miners.
versions 5 and below: act=get_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]&hwid=<hwid_value>
version 6: uid=<uid_value>&cid=[<cid_value>]&hwid=<hwid_value>
Microsoft Digital Crimes Unit (DCU) engineered tools that identify and map the Lumma Stealer C2 infrastructure. As part of the disruption announced on May 21, Microsoft’s DCU has facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of the Lumma Stealer infrastructure. More details of this operation are presented in the DCU disruption announcement.
Recommendations
Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.
Strengthen Microsoft Defender for Endpoint configuration
Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.
Detection details
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:
Suspicious command in RunMRU registry
Possible Lumma Stealer activity
Information stealing malware activity
Suspicious PowerShell command line
Use of living-off-the-land binary to run malicious code
Possible theft of passwords and other sensitive web browser information
Suspicious DPAPI Activity
Suspicious mshta process launched
Renamed AutoIt tool
Suspicious phishing activity detected
Suspicious implant process from a known emerging threat
A process was injected with potentially malicious code
Process hollowing detected
Suspicious PowerShell download or encoded command execution
A process was launched on a hidden desktop
Microsoft Defender for Office 365
Microsoft Defender for Office 365 identifies and blocks malicious emails. These alerts, however, can also be triggered by unrelated threat activity:
A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish
Defender for Office 365 also detects and blocks Prometheus TDS, EtherHiding patterns, ClickFix landing pages.
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
ClickFix commands execution
Identify ClickFix commands execution.
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅"
or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1"))
or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String", "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))
DPAPI decryption via AutoIT or .NET Framework processes
let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
or InitiatingProcessImageFilePath has "\\windows\\microsoft.net\\framework\\"
or InitiatingProcessFileName =~ "powershell.exe"
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles))
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
