Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.
Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.
In total, Microsoft addressed 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable's Satnam Narang said 2025 also marks the second consecutive year in which the Windows maker has patched over 1,000 CVEs, and the third time it has done so since Patch Tuesday's inception.
The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).
The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.
"File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target," Adam Barnett, lead software engineer at Rapid7, said in a statement. "Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage."
"The Cloud Files minifilter is used by OneDrive, Google Drive, iCloud, and others, although as a core Windows component, it would still be present on a system where none of those apps were installed."
It's currently not known how the vulnerability is being abused in the wild and in what context, but successful exploitation requires an attacker to obtain access to a susceptible system through some other means. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw.
According to Mike Walters, president and co-founder of Action1, a threat actor could gain low-privileged access through methods like phishing, web browser exploits, or another known remote code execution flaw, and then chain it with CVE-2025-62221 to seize control of the host.
Armed with this access, the attacker could deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and the foothold can be weaponized to achieve a domain-wide compromise when coupled with credential theft.
The exploitation of CVE-2025-62221 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025.
The remaining two zero-days are listed below -
CVE-2025-54100 (CVSS score: 7.8) - A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally
CVE-2025-64671 (CVSS score: 8.4) - A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally
"This is a command injection flaw in how Windows PowerShell processes web content," Action1's Alex Vovk said about CVE-2025-54100. "It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest."
"The threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker can use social engineering to persuade a user or admin to run a PowerShell snippet using Invoke-WebRequest, allowing a remote server to return crafted content that triggers the parsing flaw and leads to code execution and implant deployment."
It's worth noting that CVE-2025-64671 comes in the wake of a broader set of security vulnerabilities collectively named IDEsaster that was recently disclosed by security researcher Ari Marzouk. The issues arise as a result of adding agentic capabilities to an integrated development environment (IDE), exposing new security risks in the process.
These attacks leverage prompt injections against the artificial intelligence (AI) agents embedded into IDEs and combine them with the base IDE layer to result in information disclosure or command execution.
"This uses an 'old' attack chain of using a vulnerable tool, so not exactly part of the IDEsaster novel attack chain," Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. "Specifically, a vulnerable 'execute command' tool where you can bypass the user-configured allow list."
Marzouk also said multiple IDEs were found vulnerable to the same attack, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, and CVE-2025-65946). Furthermore, the same vulnerability has also been discovered in GitHub Copilot for VS Code.
"The vulnerability states that it's possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user's 'auto-approve' settings," Kev Breen, senior director of cyber threat research at Immersive, said.
"This can be achieved through 'Cross Prompt Injection,' which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs."
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including —
The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.
"These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams," ReliaQuest said in a report shared with The Hacker News.
Storm-0249 is the moniker assigned by Microsoft to an initial access broker that has sold footholds into organizations to other cybercrime groups, including ransomware and extortion actors like Storm-0501. It was first highlighted by the tech giant in September 2024.
Then, earlier this year, Microsoft also revealed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.
The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets, and accelerating the pace of such attacks.
The latest findings from ReliaQuest demonstrate a tactical shift, where Storm-0249 has resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue.
In this case, the command copied and executed leverages the legitimate "curl.exe" to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust ("sgcipl[.]com/us.microsoft.com/bdo/") and execute it in a fileless manner via PowerShell.
This, in turn, results in the execution of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne's endpoint security solution ("SentinelAgentCore.dll") into the user's AppData folder along with the legitimate "SentinelAgentWorker.exe" executable.
In doing so, the idea is to sideload the rogue DLL when the "SentinelAgentWorker.exe" process is launched, thereby allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server.
Storm-0249 has also been observed making use of legitimate Windows administrative utilities like reg.exe and findstr.exe to extract unique system identifiers like MachineGuid to lay the groundwork for follow-on ransomware attacks. The use of living-off-the-land (LotL) tactics, coupled with the fact that these commands are run under the trusted "SentinelAgentWorker.exe" process, means the activity is unlikely to raise any red flags.
The findings indicate a departure from mass phishing campaigns to precision attacks that weaponize the trust associated with signed processes for added stealth.
"This isn't just generic reconnaissance – it's preparation for ransomware affiliates," ReliaQuest said. "Ransomware groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems."
"By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key."
from The Hacker News https://ift.tt/u3l5EOr
via IFTTT
Managing Hyper-V virtual switches is an integral part of working with virtual machines in Windows. These switches control how VMs communicate with each other, with the host system, and with external networks.
In this guide, we’ll walk through all the methods you can use to create and configure virtual switches in Hyper-V.
There are two primary ways to create a virtual switch: through the Hyper-V Manager interface or by using PowerShell. You can use any method that suits your workflow best.
1. Create a Virtual Switch Using Hyper-V Manager
Creating a virtual switch with Hyper-V Manager is the most straightforward method, especially for beginners. Follow these steps:
1. Launch Hyper-V Manager on your Windows machine.
2. In the right-side Actions panel, click Virtual Switch Manager.
3. When the Virtual Switch Manager window opens, select New virtual network switch.
4. Choose the type of switch you want to create. Hyper-V offers three switch types:
Private Switch – Only VMs connected to this switch can communicate with each other. No communication with the host or external network.
Internal Switch – Allows communication between VMs and the host operating system, but not the external network.
External Switch – Connects VMs to the physical network. This allows internet access or communication with other devices on the network.
5. After selecting a switch type, click Create Virtual Switch.
6. Enter a name for your new switch.
7. If you chose an External switch, select the physical network adapter from the drop-down list.
8. You may also check the Allow management operating system to share this network adapter option, depending on your needs. Leaving it unchecked dedicates the adapter to VMs, so the host loses connectivity on that adapter.
9. VLAN ID settings can be configured here, but they should be left untouched unless you’re working with VLANs.
10. Click Apply, then OK to finish the setup.
Before creating virtual switches, make sure Hyper-V is installed and running correctly.
2. Create a Hyper-V Virtual Switch Using PowerShell
PowerShell is a great option if you want to automate switch creation or work faster through command-line operations.
Right-click the Start button and choose Windows PowerShell (Admin).
To view available network adapters, run:
> Get-NetAdapter
Based on the type of switch you want, run one of the following commands:
Replace <switch name> and <adapter name> with your preferred names.
Once the command executes, your virtual switch will be created instantly.
How to Remove a Virtual Switch in Hyper-V
To remove a Hyper-V virtual switch, perform the following steps:
1. Open Hyper-V Manager by pressing the Windows key, typing Hyper-V Manager, and opening it.
2. In the left panel, click on your host machine name.
3. In the right Actions panel, click Virtual Switch Manager.
4. In the Virtual Switches list, select the switch you want to remove (for example: ExternalSwitch, vEthernet, etc.).
5. Click the Remove button at the bottom.
6. When the confirmation prompt appears, click Yes.
7. The virtual switch will be removed successfully.
To remove a Hyper-V virtual switch using PowerShell, first list all virtual switches using this command:
To remove a Virtual Switch use:
> Remove-VMSwitch -Name "switchname"
Replace “switchname” with your vSwitch name.
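The commands for the PowerShell path above, together with a guarded removal step, as an added example that is not part of the StarWind post (the switch names and the 'Ethernet' adapter name are placeholders; Remove-VMSwitchSafely is a name chosen here):

```powershell
# Added example (not from the StarWind post): create, inspect and remove Hyper-V
# virtual switches with the Hyper-V PowerShell module. Run from an elevated prompt.
# Switch names and the 'Ethernet' adapter name are placeholders for your host.

# 1. Inspect the physical adapters an External switch could bind to.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Select-Object Name, InterfaceDescription, LinkSpeed

# 2. Create one switch of each type.
#    Private: VM-to-VM only. Internal: VMs plus the host. External: bound to a physical NIC.
New-VMSwitch -Name 'LabPrivate'  -SwitchType Private
New-VMSwitch -Name 'LabInternal' -SwitchType Internal

#    -AllowManagementOS $true keeps the host connected through the same NIC (the
#    "Allow management operating system to share this network adapter" checkbox).
#    $false dedicates the NIC to VMs and drops the host off that link, so never use it
#    on a host's only uplink.
New-VMSwitch -Name 'LabExternal' -NetAdapterName 'Ethernet' -AllowManagementOS $true

# 3. List the switches that now exist on the host.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS

# 4. Remove a switch only if no VM is still attached to it. Remove-VMSwitch does not
#    warn about attached VMs; it simply leaves their network adapters disconnected.
#    Host (management OS) vNICs on Internal/External switches are removed with the
#    switch, so they are not counted as blockers.
function Remove-VMSwitchSafely {
    param([Parameter(Mandatory)][string]$Name)
    $attached = Get-VMNetworkAdapter -All |
        Where-Object { $_.SwitchName -eq $Name -and -not $_.IsManagementOs }
    if ($attached) {
        $vms = ($attached | Select-Object -ExpandProperty VMName -Unique) -join ', '
        throw "Switch '$Name' is still used by: $vms. Disconnect those VMs first."
    }
    Remove-VMSwitch -Name $Name -Force
}

Remove-VMSwitchSafely -Name 'LabPrivate'
```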
Conclusion
We demonstrated the two most effective ways to create virtual switches in Hyper-V. Whether you prefer the graphical interface or the speed of PowerShell, setting up virtual networking in your Hyper-V environment is quick and simple. Feel free to share your experiences or questions in the comments.
from StarWind Blog https://ift.tt/D49wzKi
via IFTTT
Google on Monday announced a set of new security features in Chrome, following the company's addition of agentic artificial intelligence (AI) capabilities to the web browser.
To that end, the tech giant said it has implemented layered defenses to make it harder for bad actors to exploit indirect prompt injections that arise as a result of exposure to untrusted web content and inflict harm.
Chief among the features is a User Alignment Critic, which uses a second model to independently evaluate the agent's actions in a manner that's isolated from malicious prompts. This approach complements Google's existing techniques, like spotlighting, which instruct the model to stick to user and system instructions rather than abiding by what's embedded in a web page.
"The User Alignment Critic runs after the planning is complete to double-check each proposed action," Google said. "Its primary focus is task alignment: determining whether the proposed action serves the user's stated goal. If the action is misaligned, the Alignment Critic will veto it."
The component is designed to view only metadata about the proposed action and is prevented from accessing any untrustworthy web content, thereby ensuring that it is not poisoned through malicious prompts that may be included in a website. With the User Alignment Critic, the idea is to provide safeguards against any malicious attempts to exfiltrate data or hijack the intended goals to carry out the attacker's bidding.
"When an action is rejected, the Critic provides feedback to the planning model to re-formulate its plan, and the planner can return control to the user if there are repeated failures," Nathan Parker from the Chrome security team said.
Google is also enforcing what's called Agent Origin Sets to ensure that the agent only has access to data from origins that are relevant to the task at hand or data sources the user has opted to share with the agent. This aims to address site isolation bypasses where a compromised agent can interact with arbitrary sites and enable it to exfiltrate data from logged-in sites.
This is implemented by means of a gating function that determines which origins are related to the task and categorizes them into two sets -
Read-only origins, from which Google's Gemini AI model is permitted to consume content
Read-writable origins, to which the agent can type or click on in addition to reading from
"This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins," Google explained. "This bounds the threat vector of cross-origin data leaks."
Similar to the User Alignment Critic, the gating function is not exposed to untrusted web content. The planner is also required to obtain the gating function's approval before adding new origins, although it can use context from the web pages a user has explicitly shared in a session.
Another key pillar underpinning the new security architecture relates to transparency and user control, allowing the agent to create a work log for user observability and request their explicit approval before navigating to sensitive sites, such as banking and healthcare portals, permitting sign-ins via Google Password Manager, or completing web actions like purchases, payments, or sending messages.
Lastly, the agent also checks each page for indirect prompt injections and operates alongside Safe Browsing and on-device scam detection to block potentially suspicious content.
"This prompt-injection classifier runs in parallel to the planning model's inference, and will prevent actions from being taken based on content that the classifier determined has intentionally targeted the model to do something unaligned with the user's goal," Google said.
To further incentivize research and poke holes in the system, the company said it will pay up to $20,000 for demonstrations that result in a breach of the security boundaries. These include indirect prompt injections that allow an attacker to -
Carry out rogue actions without confirmation
Exfiltrate sensitive data without an effective opportunity for user approval
Bypass a mitigation that should have ideally prevented the attack from succeeding in the first place
"By extending some core principles like origin-isolation and layered defenses, and introducing a trusted-model architecture, we're building a secure foundation for Gemini's agentic experiences in Chrome," Google said. "We remain committed to continuous innovation and collaboration with the security community to ensure Chrome users can explore this new era of the web safely."
The announcement follows research from Gartner that called on enterprises to block the use of agentic AI browsers until the associated risks, such as indirect prompt injections, erroneous agent actions, and data loss, can be appropriately managed.
The research also warns of a possible scenario where employees "might be tempted to use AI browsers and automate certain tasks that are mandatory, repetitive, and less interesting." This could cover cases where an individual dodges mandatory cybersecurity training by instructing the AI browser to complete it on their behalf.
"Agentic browsers, or what many call AI browsers, have the potential to transform how users interact with websites and automate transactions while introducing critical cybersecurity risks," the advisory firm said. "CISOs must block all AI browsers in the foreseeable future to minimize risk exposure."
The development comes as the U.S. National Cyber Security Centre (NCSC) said that large language models (LLMs) may suffer from a persistent class of vulnerability known as prompt injection and that the problem can never be resolved in its entirety.
"Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt," said David C, NCSC technical director for Platforms Research. "Design protections need to therefore focus more on deterministic (non-LLM) safeguards that constrain the actions of the system, rather than just attempting to prevent malicious content reaching the LLM."
from The Hacker News https://ift.tt/Ow1IQta
via IFTTT
While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware.
The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes.
The actor ran a PowerShell script that bypasses User Account Control (UAC), disables Windows Defender, terminates various security, backup, and database services, and deletes all volume shadow copies to prevent system recovery.
The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files.
This custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques, which complicate recovery.
Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload.
The attack relied on “BdApiUtil.sys”, a legitimate Baidu Antivirus driver containing an Improper Privilege Management vulnerability with CVE-2024-51324 — which the actor disguised using the file name “DriverGay.sys”. This Improper Privilege Management vulnerability exposes a critical function in the driver program that allows unprivileged users to terminate any process on the system at the kernel level.
The attack began when the actor dropped the loader (using the file name “EDRGay.exe”) and the vulnerable driver into the victim's Videos folder and ran the loader. The loader, running in user mode, initializes the driver and establishes a connection via the CreateFile() Windows API. It specifies the driver's real device name (“\\.\BdApiUtil”) to obtain a handle which essentially acts as a "ticket" to authorize future communication between the loader and the driver.
Once connected, the loader enumerates running system processes to identify the process ID (PID) of the target antivirus or EDR solution. To trigger the exploit, it calls the DeviceIOControl() function, passing the target PID along with the specific I/O Control Code (IOCTL) 0x800024b4.
This 32-bit IOCTL value is structured to instruct the driver exactly how to operate:
Device Type: 0x8000
Access: 0x0 (FILE_ANY_ACCESS)
Method: 0x0 (METHOD_BUFFERED)
Function Code: 0x92D
Figure 1. Function snippet of the loader, EDRGay, loading the driver and sending the IOCTL command.
Upon receiving the request, the driver decodes the function code 0x92D as a "terminate process" command. Due to the CVE-2024-51324 vulnerability, the driver fails to validate if the user-mode program has the necessary permissions to make this request. Because the driver operates in kernel mode with the highest system privileges, it blindly accepts the command and executes ZwTerminateProcess(), instantly killing the targeted security service.
Figure 2. Function snippets of vulnerable drivers for terminating the targeted processes.
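Decoding the IOCTL fields listed above, plus a defender's check for drivers running under a file name that differs from the name in their version resource (the "DriverGay.sys" renaming of BdApiUtil.sys), as an added example that is not Talos code; the check assumes a renamed copy keeps its original version resource, and ConvertFrom-Ioctl and Find-RenamedDriver are names chosen here:

```powershell
# Added example (not Talos code). Part 1 decodes a Windows IOCTL into the four
# CTL_CODE fields; part 2 hunts for loaded drivers whose on-disk file name does not
# match the OriginalFilename stored in their version resource (assumption: the
# renamed copy still carries the vendor's original version resource).

function ConvertFrom-Ioctl {
    param([Parameter(Mandatory)][long]$Code)
    # CTL_CODE(DeviceType, Function, Method, Access) =
    #   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
    $methodNames = @{ 0 = 'METHOD_BUFFERED'; 1 = 'METHOD_IN_DIRECT'
                      2 = 'METHOD_OUT_DIRECT'; 3 = 'METHOD_NEITHER' }
    $accessNames = @{ 0 = 'FILE_ANY_ACCESS'; 1 = 'FILE_READ_ACCESS'
                      2 = 'FILE_WRITE_ACCESS'; 3 = 'FILE_READ_ACCESS|FILE_WRITE_ACCESS' }
    $deviceType = ($Code -shr 16) -band 0xFFFF
    $access     = ($Code -shr 14) -band 0x3
    $function   = ($Code -shr 2)  -band 0xFFF
    $method     = $Code -band 0x3
    [pscustomobject]@{
        Code       = ('0x{0:X8}' -f $Code)
        DeviceType = ('0x{0:X4}' -f $deviceType)   # 0x8000 and above are vendor-defined
        Access     = ('0x{0:X} ({1})' -f $access, $accessNames[[int]$access])
        Method     = ('0x{0:X} ({1})' -f $method, $methodNames[[int]$method])
        Function   = ('0x{0:X3}' -f $function)
    }
}

# The code the loader sends to the Baidu driver, as reported above.
ConvertFrom-Ioctl -Code 0x800024b4

function Find-RenamedDriver {
    # Walks every driver the service control manager knows about and flags those
    # whose file name on disk differs from the OriginalFilename in the version
    # resource. Expect some benign hits (vendors do ship drivers under other names);
    # the point is to surface a vendor's driver loaded under an unrelated name.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''            # strip \??\ prefix
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        if ($vi.OriginalFilename -and
            ($vi.OriginalFilename -ne (Split-Path -Path $path -Leaf))) {
            [pscustomobject]@{
                Service          = $_.Name
                State            = $_.State
                Path             = $path
                OriginalFilename = $vi.OriginalFilename
                CompanyName      = $vi.CompanyName
            }
        }
    }
}

Find-RenamedDriver | Format-Table -AutoSize
```

Because the loader opens the driver by its device name ("\\.\BdApiUtil") rather than its file name, the renamed file is what the file-system view shows, while the version resource still names the real driver.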
Talos observed that the threat actor executed a PowerShell script in the victim’s machine before the encryption process. The PowerShell script is a pre-encryption preparation component of the attack that the actor used to bypass the UAC, disable the detection services, and inhibit the system recovery of the victim machine.
The script implements a privilege escalation mechanism through the Test-Admin function that automatically detects current user permissions and re-launches itself with administrative privileges using the Verb RunAs parameter, ensuring it operates with the necessary system-level access required for service manipulation and shadow copy deletion. This elevation technique bypasses UAC prompts through the exec bypass execution policy override, allowing the script to execute without standard PowerShell security restrictions.
Figure 3. Snippet of the PowerShell script escalating the privilege.
The main functionality of the script centers around service termination, designed to disable security software, backup systems, and database applications that could affect the ransomware encryption process. It includes an extensive exclusion list of Windows services that must remain operational to maintain basic functionality of the system for ransom payment discussions and processing, including core networking services (Winrm, Dns, Dhcp), authentication mechanisms (Kdc, Netlogon, Lsm), and essential system components (Rpcss, Plugplay, Eventlog).
The script targets the running services outside the exclusion list, which not only terminates active services but permanently disables their startup configuration to prevent automatic recovery during system reboots.
The script executes commands to delete all volume shadow copy snapshots, eliminating the victim’s ability to recover the system. It has a self-deletion mechanism that removes the traces of its existence in the victim machine, hindering the forensic analysis efforts.
Figure 4. Snippet of the PowerShell script deleting the shadowcopy.
Talos found that the threat actor disabled several other commands in the script that are designed to eliminate network shares and terminate system process and services through alternative methods. The network share deletion commands target specific Windows file sharing infrastructure through Windows Management Instrumentation (WMI) queries, removing all standard network shares while preserving administrative and domain controller shares, effectively isolating the infected system from network file sharing capabilities that could be used for lateral movement or data exfiltration activities. Subsequently, there are commands that target print-related shares by removing print$ and prnproc$ administrative shares, disrupting network printing services that could potentially be used as communication channels or recovery mechanisms.
There are also process termination commands which are designed to directly kill the PIDs associated with the running services that are not on the exclusion list, bypassing standard service shutdown procedures that would trigger alerts before termination.
Talos spotted a service startup modification command in the script that shows the advanced Windows service management techniques used to permanently alter service startup configurations, ensuring that even after system reboots, targeted services remain disabled.
We also observed a file-based exclusion technique in the final section of the script where it reads the exclusion service names from an external file “run[.]txt”, indicating the dynamic control of the service exclusion list depending upon the targeted environments.
Figure 5. Snippet of PowerShell script with alternative methods of terminating the targeted services.
Other notable TTPs
Talos discovered several other notable TTPs of the DeadLock ransomware attacks from the telemetry data. Our assessment revealed that the actor had access to the victim’s network five days prior to the ransomware deployment.
Talos suspects that the threat actor leverages the compromised valid accounts to gain access to the victim's machine based on telemetry data.
Upon gaining the system access, we observed that the threat actor attempted to enable and expose remote access services on the victim machine by using the reg add command to modify the fDenyTSConnections registry value, which directly enables the machine to accept Remote Desktop Protocol (RDP) connections. Then, the actor executed the netsh advfirewall command to create a new inbound firewall rule, opening TCP port 3389 to ensure RDP traffic isn't blocked. Finally, they used sc config and sc start to change the RemoteRegistry service to on-demand and immediately start it, allowing them to query and modify the system's registry from another machine for further reconnaissance and configuration modifications.
We assess that the threat actor, operating from a compromised user account, installed a new instance of AnyDesk on a specific host one day prior to an encryption event. This action was likely taken to establish persistent, remote access.
While other instances of AnyDesk were already present in the environment, this new installation was suspicious. The actor used a specific sequence of commands to silently install the software, configure it to start with Windows, and set up a password for unattended access, while disabling updates that might terminate the actor’s connection to the victim’s machine.
Talos observed several commands the actor executed for internal reconnaissance and lateral movement within the victim environment following the AnyDesk installation, highlighting their intent to discover and move to high-value targets.
The actor attempted to discover domain controllers, query the domain structure, and enumerate the privileged groups and their members. They performed a connectivity test using a ping command to see if a target machine was reachable and checked the logged-on user details by executing the Quser command.
Then, with the discovered internal IP addresses, the actor moved laterally by executing the mstsc command to start the Remote Desktop Protocol (RDP) session. They also executed the mmc.exe compmgmt.msc command, which is an alternative remote computer management command without a full interactive RDP session. Finally, the actor executed iexplore.exe, likely to access an internal web resource.
Talos observed that the actor modified the Windows Defender settings using the legitimate Windows executable SystemSettingsAdminFlows.exe. By executing the following commands, the actor disabled Real-Time Protection (RTP) in Windows Defender. They subsequently disabled cloud-based protection through the command SpynetReporting 0, which stops the machine from sending threat reports to Microsoft. The command SubmitSamplesConsent 0 prevents Windows Defender from automatically submitting suspicious files for analysis.
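The host changes described in this section (the shadow copy deletion by the pre-encryption script, the fDenyTSConnections, firewall and RemoteRegistry changes, and the Defender settings) can be audited with the following posture check, an added example that is not Talos code; Get-RansomwarePrepFindings is a name chosen here, and the block assumes Windows Defender and the NetSecurity module are present on the host:

```powershell
# Added example (not Talos code): audit a Windows host for the pre-encryption changes
# described above. Run from an elevated prompt so the registry, firewall and Defender
# queries succeed. Each check is returned as a finding object with a Suspicious flag.

function Get-RansomwarePrepFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Check, $Value, $Suspicious, $Note)
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value
                                         Suspicious = $Suspicious; Note = $Note })
    }

    # 1. RDP enabled through fDenyTSConnections = 0 (set by the actor with reg add).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpOn = [bool]($ts -and $ts.fDenyTSConnections -eq 0)
    & $add 'RDP enabled' $rdpOn $rdpOn 'Compare with the host role; RDP is off by default on workstations'

    # 2. Inbound allow rules for TCP 3389 that belong to no DisplayGroup: rules created
    #    with netsh advfirewall look like this, the built-in Remote Desktop rules do not.
    $custom3389 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { -not $_.DisplayGroup } |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP') -and (($pf.LocalPort -contains '3389') -or ($pf.LocalPort -eq 'Any'))
        }
    & $add 'Custom inbound TCP/3389 rules' (@($custom3389.DisplayName) -join ', ') ([bool]$custom3389) `
           'Ungrouped rules were not created by a Windows feature'

    # 3. RemoteRegistry set to on-demand and started (sc config / sc start).
    $rr = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
    & $add 'RemoteRegistry start mode / state' ('{0} / {1}' -f $rr.StartMode, $rr.State) `
           ($rr.State -eq 'Running') 'Allows another host to read and edit this registry'

    # 4. Defender: real-time protection, cloud (MAPS/Spynet) reporting, sample submission.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        & $add 'Defender real-time protection disabled' $mp.DisableRealtimeMonitoring `
               ([bool]$mp.DisableRealtimeMonitoring) 'The RTP change made via SystemSettingsAdminFlows.exe'
        & $add 'Defender MAPS reporting' $mp.MAPSReporting ($mp.MAPSReporting -eq 0) `
               '0 means cloud-delivered protection is off (SpynetReporting 0)'
        & $add 'Defender sample submission' $mp.SubmitSamplesConsent ($mp.SubmitSamplesConsent -in @(0, 2)) `
               '0 (always prompt) and 2 (never send) stop automatic submission'
    } catch {
        & $add 'Defender preferences' 'unavailable' $true "Get-MpPreference failed: $($_.Exception.Message)"
    }

    # 5. Volume shadow copies: none left on a host that keeps restore points is a
    #    red flag after vssadmin/WMI deletion.
    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
    & $add 'Shadow copies present' $shadows.Count ($shadows.Count -eq 0) 'Compare with the expected count for this host'

    return $findings
}

Get-RansomwarePrepFindings | Format-Table -AutoSize -Wrap
```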
Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other ransomware actors, this threat actor does not operate a data leak site. Instead, victims are persuaded to contact the threat actor operating the DeadLock ransomware via Session messenger.
The DeadLock ransomware encryptor is specifically designed to target the Windows environment. The encryptor binary was written in C++ and compiled in July 2025, indicating the start time of the threat actor's operation.
Upon execution, the DeadLock ransomware immediately drops and executes an embedded batch script (.cmd) in the victim's “ProgramData” folder. This script functions as a loader, first preparing the system by setting up the console code page to UTF-8 by executing the command chcp 65001. This step ensures that the ransom note can be displayed correctly, even with special or non-English characters. After configuring the environment, the script stealthily launches the main ransomware binary and then deletes itself to remove its tracks.
Figure 6. Malicious batch file that re-runs the ransomware binary.
The ransomware then uses a process hollowing technique to inject itself into the targeted process rundll32.exe, masquerading as a normal system process in the victim machine.
Ransomware configuration data
The DeadLock ransomware relies on a massive 8,888-byte configuration block embedded directly within its binary to dictate its entire operational strategy. Upon execution, the ransomware parses this data using pipe (|) delimiters and loads the structure into memory in the following format:
This key is coupled with specific timing parameters (1000, 0055242988), which are likely used to implement execution delays and initialize pseudo-random number generation seeds.
The configuration contains a comprehensive "kill list" designed to disable security controls, remote access tools, and file-locking applications.
The ransomware terminates standard Windows utilities (e.g., Explorer, PowerShell, Task Manager), alongside specific high-value targets:
Remote access: AnyDesk, RustDesk, Microsoft Remote Desktop connection (mstsc).
Cloud storage: Dropbox, OneDrive.
Security: Antimalware Service (msmpeng), SecurityHealthService, SmartScreen.
The ransomware targets services to release file handles and disable defenses, specifically:
Databases: Microsoft SQL Server (including named instances like MSSQL$VEEAMSQL2012), Sybase SQL Anywhere (dbsrv12), and MySQL (FishbowlMySQL).
Backup and recovery: Enterprise solutions including Veeam (VeeamTransportSvc), Veritas Backup Exec, Acronis, CA Arcserve, and Carbonite.
Security suites: Endpoint protection components from Symantec/Norton (ccEvtMgr, RTVscan), McAfee (MVArmor), and 360 Security defender (zhudongfangyu).
Business applications: Intuit QuickBooks, Microsoft Exchange, Apache Tomcat, and VMware tools (vmware-usbarbitator6s4).
To ensure the OS remains stable enough for the victim to pay the ransom, the configuration enforces strict exclusion lists:
Critical folders: $recycle.bin, Program Files, ProgramData, Windows, and System Volume Information.
File extensions: A vast list of executables, drivers, and system files, including .exe, .dll, .sys, .msi, .lnk, and .boot.
Critical files: Boot loaders and system configuration files, such as bootmgr, ntldr, ntuser.dat, and desktop.ini.
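As an added example (not part of the Talos write-up), the following Python sketch turns the kill list above into a detection: it matches Windows System log 7036 service-stop messages and Sysmon process-terminate records against the service and process names quoted here and flags a burst of distinct hits in a short window. The event record layout, the 60-second window and the threshold of three are assumptions.

```python
"""Kill-list burst detection for DeadLock-style service/process termination.
Added example, not Talos code: event layout, window and threshold are assumptions;
the kill-list names are the ones quoted in the report."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Service names (Windows System log, EID 7036) quoted from the report's kill list.
KILL_LIST_SERVICES = {
    "MSSQL$VEEAMSQL2012", "dbsrv12", "FishbowlMySQL", "VeeamTransportSvc",
    "ccEvtMgr", "RTVscan", "MVArmor", "zhudongfangyu",
}
# Process names (Sysmon EID 5, process terminated) quoted from the report.
KILL_LIST_PROCESSES = {
    "msmpeng", "securityhealthservice", "smartscreen",
    "anydesk", "rustdesk", "mstsc", "dropbox", "onedrive",
}
STOPPED_RE = re.compile(r"The (?P<svc>.+?) service entered the stopped state")
IMAGE_RE = re.compile(r"Image=.*\\([^\\]+)\.exe", re.I)

@dataclass
class Event:
    ts: datetime
    source: str   # "System" for EID 7036, "Sysmon" for EID 5 (constructed layout)
    text: str

def kill_list_hit(ev: Event):
    """Return the kill-list name an event matches, or None."""
    if ev.source == "System":
        m = STOPPED_RE.search(ev.text)
        if m and m.group("svc") in KILL_LIST_SERVICES:
            return m.group("svc")
    elif ev.source == "Sysmon":
        m = IMAGE_RE.search(ev.text)
        if m and m.group(1).lower() in KILL_LIST_PROCESSES:
            return m.group(1).lower()
    return None

def find_kill_bursts(events, window_s=60, threshold=3):
    """Report windows of window_s seconds with >= threshold distinct kill-list hits.
    One backup service restarting is normal; backup, database and AV services
    dying together within a minute is the behaviour the config describes."""
    hits = [(ev.ts, name) for ev in sorted(events, key=lambda e: e.ts)
            if (name := kill_list_hit(ev)) is not None]
    bursts, i = [], 0
    while i < len(hits):
        start, end = hits[i][0], hits[i][0] + timedelta(seconds=window_s)
        in_window = [h for h in hits[i:] if h[0] <= end]
        names = {n for _, n in in_window}
        if len(names) >= threshold:
            bursts.append((start, sorted(names)))
            i += len(in_window)          # skip past the burst
        else:
            i += 1
    return bursts

def sample_events():
    """Constructed events: one kill burst at 03:14, one benign service stop an hour later."""
    t0 = datetime(2025, 7, 20, 3, 14, 0)
    def ev(sec, src, txt):
        return Event(t0 + timedelta(seconds=sec), src, txt)
    return [
        ev(0, "System", "The Windows Update service entered the running state."),
        ev(5, "System", "The VeeamTransportSvc service entered the stopped state."),
        ev(6, "System", "The MSSQL$VEEAMSQL2012 service entered the stopped state."),
        ev(7, "Sysmon", r"ProcessTerminated Image=C:\Program Files\Windows Defender\MsMpEng.exe"),
        ev(9, "System", "The ccEvtMgr service entered the stopped state."),
        ev(3600, "System", "The dbsrv12 service entered the stopped state."),
    ]
```

Running `find_kill_bursts(sample_events())` reports a single burst at 03:14:05 covering the Veeam, SQL Server, Defender and Symantec entries, while the isolated dbsrv12 stop an hour later stays below the threshold.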
The configuration block also stores the full plaintext ransom note, along with an HTML marker (<!doctype html>) that indicates the ransomware can also generate an HTML version of the note. Additionally, Talos observed a unique 64-character, SHA256-like hash value that likely serves as a campaign identifier or infection marker.
DeadLock ransomware encryption process
The DeadLock ransomware encryption routine combines recursive directory traversal, memory-mapped file I/O, a custom stream cipher implementation, and multi-threaded processing to encrypt entire file systems efficiently. Because it relies on its own cryptographic code rather than the standard Windows cryptographic APIs, it avoids detections that key on those API calls.
Figure 8. DeadLock ransomware encryption process flow diagram.
The encryption orchestration function begins with a recursive directory traversal that enumerates all accessible files on the target system while applying the exclusion filters from the parsed configuration data.
The orchestration function then calls a key generation function that seeds itself from the system clock via GetSystemTimeAsFileTime and applies a series of arithmetic operations to produce 8-byte pseudo-random key streams.
Finally, it executes the core encryption function, which first performs a UTF-8 validation check on the file's content and then processes the file data in 16-byte blocks. It applies the stream cipher to each byte using the generated pseudo-random key stream, encrypts the file data in memory, and writes the encrypted result back to the file system. The ransomware then renames the encrypted file by appending the hexadecimal identifier and the extension “.dlock”.
Figure 9. DeadLock ransomware’s core encryption function applies a stream cipher algorithm to encrypt the targeted files.
To evade the automated sandbox analysis, the ransomware executes a delay function, which implements a 50-second delay before it initiates the encryption action.
Figure 10. Execution delay inclusion function of DeadLock ransomware.
During its execution, the DeadLock ransomware drops an icon file, Windows batch script, and a bitmap image file in the ProgramData folder of the victim machine.
Figure 11. Dropped files of DeadLock ransomware in the ProgramData folder.
Talos observed that the ransomware replaces the icon of encrypted files with a custom icon file by pointing the “DefaultIcon” registry key for the .dlock file extension, in the victim machine's Software registry hive, at the path of the dropped icon file.
Figure 12. DeadLock ransomware icon file.
After encryption, the actor also changed the victim machine's desktop wallpaper to a custom wallpaper and disabled the command line utilities in the victim machine.
Figure 13. DeadLock ransomware wallpaper.
The ransomware drops the ransom note in each of the folders in the victim machine where the targeted files have been encrypted.
Figure 14. DeadLock’s ransom note file.
The DeadLock ransom note opens with an alarming claim of “military-grade encryption” followed by a six-step recovery process. It states that ransom payment is accepted in Bitcoin or Monero and warns against renaming files or attempting third-party decryption. The personal identifier “READ ME.hex_identifier.txt” at the end of the ransom note is likely a victim identification marker.
The threat actor employs the Session messenger as their primary communication platform, leveraging its end-to-end encryption and anonymity features to evade law enforcement surveillance while maintaining victim contact through the session ID.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications, no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for the threats are: 65576, 65575 and 301358.
ClamAV detections are also available for this threat:
Win.Tool.EDRKiller-10058432-0
Win.Tool.VulnBaiduDriver-10058431-1
Ps.Tool.DeleteShadowCopies-10058429-0
Win.Ransomware.Deadlock-10058428-0
Indicators of compromise (IOCs)
The IOCs can also be found in our GitHub repository here.
from Cisco Talos Blog https://ift.tt/40M8kbj
via IFTTT
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565.
Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also known as Earth Kapre, RedCurl, and Red Wolf.
The financially motivated threat actor is believed to be active since late 2018, initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The group has a history of using phishing emails to conduct commercial espionage.
However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt. One of the notable tools in the threat actor's arsenal is RedLoader, which sends information about the infected host to a command-and-control (C2) server and executes PowerShell scripts to collect details related to the compromised Active Directory (AD) environment.
"This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations," Sophos researcher Morgan Demboski said. "Once focused primarily on cyber espionage, Gold Blade has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt."
Other prominent targets include the U.S., Australia, and the U.K., with services, manufacturing, retail, technology, non-governmental organizations, and transportation sectors hit the hardest during the time period.
The group is said to be operating under a "hack-for-hire" model, carrying out tailored intrusions on behalf of clients, while deploying ransomware on the side to monetize the intrusions. Although a 2020 report from Group-IB raised the possibility of it being a Russian-speaking group, there are currently no indications to confirm or deny this assessment.
Describing RedCurl as a "professionalized operation," Sophos said the threat actor stands apart from other cybercriminal groups owing to its ability to refine and evolve its tradecraft, as well as mount discreet extortion attacks. That said, there is no evidence to suggest it's state-sponsored or politically motivated.
The cybersecurity company also pointed out that the operational tempo is marked by periods of no activity, followed by sudden spikes in attacks using improved tactics, indicating that the hacking group could be using the downtime to refresh its toolset.
STAC6565 begins with spear-phishing emails targeting human resources (HR) personnel to trick them into opening malicious documents disguised as resumes or cover letters. Since at least November 2024, the activity has leveraged legitimate job search platforms like Indeed, JazzHR, and ADP WorkforceNow to upload the weaponized resumes as part of a job application process.
"As recruitment platforms enable HR staff to review all incoming resumes, hosting payloads on these platforms and delivering them via disposable email domains not only increases the likelihood that the documents will be opened but also evades detection by email-based protections," Demboski explained.
In one incident, a fake resume uploaded to Indeed was found to redirect users to a booby-trapped URL that ultimately led to the deployment of QWCrypt ransomware by means of a RedLoader chain. At least three different RedLoader delivery sequences have been observed, in September 2024, March/April 2025, and July 2025. Some aspects of the delivery chains were previously detailed by Huntress, eSentire, and Bitdefender.
The major change observed in July 2025 concerns the use of a ZIP archive that's dropped by the bogus resume. Present within the archive is a Windows shortcut (LNK) that impersonates a PDF. The LNK file uses "rundll32.exe" to fetch a renamed version of "ADNotificationManager.exe" from a WebDAV server hosted behind a Cloudflare Workers domain.
The attack then launches the legitimate Adobe executable to sideload the RedLoader DLL (named "srvcli.dll" or "netutils.dll") from the same WebDAV path. The DLL proceeds to connect to an external server to download and execute the second-stage payload, a standalone binary that's responsible for connecting to a different server and retrieving the third-stage standalone executable alongside a malicious DAT file and a renamed 7-Zip file.
Both stages rely on Microsoft's Program Compatibility Assistant ("pcalua.exe") for payload execution, an approach seen in previous campaigns as well. The only difference is that the format of the payloads transitioned in April 2025 to EXEs instead of DLLs.
"The payload parses the malicious .dat file and checks internet connectivity. It then connects to another attacker-controlled C2 server to create and run a .bat script that automates system discovery," Sophos said. "The script unpacks Sysinternals AD Explorer and runs commands to gather details such as host information, disks, processes, and installed antivirus (AV) products."
The results of the execution are packaged into an encrypted, password-protected 7-Zip archive and transferred to a WebDAV server controlled by the attacker. RedCurl has also been observed using RPivot, an open-source reverse proxy, and Chisel SOCKS5 for C2 communications.
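The delivery chain above lends itself to process-creation rules. The following Python block is an added example, not Sophos tooling, that flags rundll32 invoked with a WebDAV UNC path, an image executed straight from a WebDAV share, and pcalua.exe proxying a target outside Program Files or Windows. The record fields, the host name and the file names in the sample are constructed placeholders.

```python
"""Process-creation rules for the RedLoader chain: rundll32 fetching from WebDAV,
an executable run off the WebDAV share, and pcalua.exe proxying a payload.
Added example, not Sophos code; record fields, hosts and paths are constructed."""
import re
from dataclasses import dataclass

# WebDAV shares surface as UNC paths such as \\host@SSL\DavWWWRoot\...; any UNC
# path in these positions deserves a look, so the host part is kept permissive.
UNC_RE = re.compile(r"\\\\[\w.-]+(@ssl)?(@\d+)?\\(davwwwroot\\)?", re.I)
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\", re.I)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Return the names of the rules that fire for one process-creation event."""
    fired = []
    img, cmd = basename(ev.image), ev.command_line
    # Stage 1: the LNK inside the ZIP runs rundll32 with a WebDAV path.
    if img == "rundll32.exe" and UNC_RE.search(cmd):
        fired.append("rundll32_webdav_fetch")
    # Stage 1b: the renamed Adobe binary (which sideloads the DLL) executed
    # directly from the share; DLL loads are not in EID 1, so key on the image path.
    if UNC_RE.search(ev.image):
        fired.append("image_run_from_webdav")
    # Stages 2/3: pcalua.exe -a <target> used as an execution proxy for a
    # payload that lives outside Program Files or Windows.
    if img == "pcalua.exe":
        m = re.search(r'-a\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and not TRUSTED_DIR_RE.match(target):
            fired.append("pcalua_proxy_execution")
    return fired

def scan(events):
    """Return (index, fired_rules) for every event that trips at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

def sample_events():
    """Constructed process-creation records; host and file names are placeholders."""
    share = r"\\workers-host.example@SSL\DavWWWRoot\docs"
    return [
        ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                  f"rundll32.exe {share}\\viewer.exe,Start"),
        ProcEvent(r"C:\Windows\System32\rundll32.exe", f"{share}\\viewer.exe",
                  f"{share}\\viewer.exe"),
        ProcEvent(f"{share}\\viewer.exe", r"C:\Windows\System32\pcalua.exe",
                  r"pcalua.exe -a C:\Users\hr\AppData\Local\Temp\stage2.exe"),
        ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\pcalua.exe",
                  r'pcalua.exe -a "C:\Program Files\Vendor\legacy.exe"'),
        ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ]
```

The last two records (a vendor tool launched through pcalua from Program Files, and rundll32 loading a system DLL) are the benign cases the rules must stay quiet on.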
Another tool used in the attacks is a customized version of the Terminator tool that leverages a signed Zemana AntiMalware driver to kill antivirus-related processes via what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. In at least one case in April 2025, the threat actors renamed both components before distributing them via SMB shares to all servers in the victim environment.
Sophos also noted that a majority of these attacks were detected and mitigated before the installation of QWCrypt. However, three of the attacks – one in April and two in July 2025 – led to a successful deployment.
"In the April incident, the threat actors manually browsed and collected sensitive files, then paused activity for over five days before deploying the locker," it added. "This delay may suggest the attackers turned to ransomware after trying to monetize the data or failing to secure a buyer."
The QWCrypt deployment scripts are tailored to the target environment, often containing a victim-specific ID in the file names. The script, once launched, checks whether the Terminator service is running before taking steps to disable recovery and execute the ransomware on endpoint devices across the network, including an organization's hypervisors.
In the last stage, the script runs a cleanup batch script to delete existing shadow copies and every PowerShell console history file to inhibit forensic recovery.
"Gold Blade's abuse of recruitment platforms, cycles of dormancy and bursts, and continual refinement of delivery methods demonstrate a level of operational maturity not typically associated with financially motivated actors," Sophos said. "The group maintains a comprehensive and well-organized attack toolkit, including modified versions of open-source tooling and custom binaries to facilitate a multi-stage malware delivery chain."
The disclosure comes as Huntress said it has noticed a huge spike in ransomware attacks on hypervisors, jumping from 3% in the first half of the year to 25% so far in the second half, primarily driven by the Akira group.
"Ransomware operators deploy ransomware payloads directly through hypervisors, bypassing traditional endpoint protections entirely. In some instances, attackers leverage built-in tools such as OpenSSL to perform encryption of the virtual machine volumes, avoiding the need to upload custom ransomware binaries," wrote researchers Anna Pham, Ben Bernstein, and Dray Agha.
"This shift underscores a growing and uncomfortable trend: attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion."
Given the heightened focus of threat actors on hypervisors, it's advised to use local ESXi accounts, enforce multi-factor authentication (MFA), implement a strong password policy, segregate the hypervisor's management network from production and general user networks, deploy a jump box to audit admin access, limit access to the control plane, and restrict ESXi management interface access to specific administrative devices.
from The Hacker News https://ift.tt/BeyGjN9
via IFTTT
Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware.
The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take screenshots, and siphon data. The captured information is then sent to an attacker-controlled server.
"Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too," Koi Security's Idan Dardikman said. "And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions."
The names of the extensions are below -
BigBlack.bitcoin-black (16 installs) - Removed by Microsoft on December 5, 2025
BigBlack.codo-ai (25 installs) - Removed by Microsoft on December 8, 2025
Microsoft's list of removed extensions from the Marketplace shows that the company also removed a third package named "BigBlack.mrbigblacktheme" from the same publisher for containing malware.
While "BigBlack.bitcoin-black" activates on every VS Code action, Codo AI embeds its malicious functionality within a working tool, thereby allowing it to bypass detection.
Earlier versions of the extensions came with the ability to execute a PowerShell script to download a password-protected ZIP archive from an external server ("syn1112223334445556667778889990[.]org") and extract from it the main payload using four different methods: Windows native Expand-Archive, .NET System.IO.Compression, DotNetZip, and 7-Zip (if installed).
That said, the attacker is said to have inadvertently shipped a version that created a visible PowerShell window and could have alerted the user. Subsequent iterations, however, have been found to hide the window and streamline the entire process by switching to a batch script that uses a curl command to download the executable and DLL.
The executable is the legitimate Lightshot binary that's used to load the rogue DLL ("Lightshot.dll") via DLL hijacking, which proceeds to gather clipboard contents, a list of installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It also launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
"A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server," Dardikman said.
The disclosure comes as Socket said it identified malicious packages across the Go, npm, and Rust ecosystems that are capable of harvesting sensitive data -
Go packages named "github[.]com/bpoorman/uuid" and "github[.]com/bpoorman/uid" that have been available since 2021 and typosquat trusted UUID libraries ("github[.]com/google/uuid" and "github[.]com/pborman/uuid") to exfiltrate data to a paste site called dpaste when an application explicitly invokes a supposed helper function named "valid" along with the information to be validated.
A set of 420 unique npm packages published by a likely French-speaking threat actor that follows a consistent naming pattern including "elf-stats-*," some of which contain code to execute a reverse shell and exfiltrate files to a Pipedream endpoint.
A Rust crate named finch-rust, published by a user named faceless, which impersonates the legitimate bioinformatics tool "finch" and serves as a loader for a malicious payload through a credential-stealing package known as "sha-rust" when a developer uses the library's sketch serialization functionality.
"Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload," Socket researcher Kush Pandya said. "This separation of concerns makes detection harder: finch-rust looks benign in isolation, while sha-rust contains the actual malware."
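The bpoorman/uuid lookalikes above differ from the trusted module paths by only a couple of characters. As an added example (not Socket's tooling), this Python check reads a go.mod and flags require entries within a small edit distance of a trusted path; the trusted list, the sample go.mod and the distance threshold are assumptions.

```python
"""go.mod typosquat check for bpoorman/uuid-style lookalikes.
Added example, not Socket's tooling; trusted list, sample go.mod and
the distance threshold (<= 2 by default) are assumptions."""
import re

TRUSTED = ["github.com/google/uuid", "github.com/pborman/uuid"]
# Matches both "require path vX.Y.Z" and the indented lines of a require ( ... ) block.
REQUIRE_RE = re.compile(r"^\s*(?:require\s+)?([\w./-]+)\s+v[\d.]+", re.M)

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so a swapped letter pair (pb -> bp) costs one edit rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def module_paths(gomod_text):
    return REQUIRE_RE.findall(gomod_text)

def find_lookalikes(gomod_text, trusted=TRUSTED, max_dist=2):
    """Return (module, trusted_path, distance) for modules that nearly match a trusted path."""
    findings = []
    for mod in module_paths(gomod_text):
        if mod in trusted:
            continue
        for t in trusted:
            # Compare owner/repo only, so the shared github.com prefix does not mask differences.
            dist = osa_distance(mod.split("/", 1)[-1], t.split("/", 1)[-1])
            if dist <= max_dist:
                findings.append((mod, t, dist))
    return findings

# Constructed go.mod containing the two package paths named in the report.
SAMPLE_GOMOD = """module example.com/app

go 1.22

require (
\tgithub.com/google/uuid v1.6.0
\tgithub.com/bpoorman/uuid v1.2.0
\tgithub.com/bpoorman/uid v1.0.1
\tgolang.org/x/text v0.14.0
)
"""
```

With the default threshold only bpoorman/uuid (distance 2 from pborman/uuid) is flagged; bpoorman/uid sits at distance 3, which shows the threshold is a tuning decision rather than a fixed rule.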
from The Hacker News https://ift.tt/5VQvwbA
via IFTTT