Cyber Security Advisories
Xiū gǒu Phishing Kit
The Xiū gǒu phishing kit is a newly uncovered, highly sophisticated and global phishing threat, designed to deceive and exploit unsuspecting users across diverse sectors. Named after Mandarin internet slang for “doggo,” this toolkit is distinguished by its refined branding and advanced evasion techniques, which together make it effective against individuals across a wide array of industries, including public services, postal systems, banking, and digital platforms. Since its emergence in September 2024, the Xiū gǒu phishing kit has proliferated across over 2,000 known malicious websites, primarily affecting users in the UK, US, Spain, Australia, and Japan. The kit uses Rich Communication Services (RCS) messaging to distribute malicious, shortened URLs, which lure recipients with fraudulent alerts concerning government payments, postal fines, and other urgent notifications. These deceptive messages direct victims to counterfeit websites that closely mimic legitimate institutions, such as the UK Government, USPS, and Lloyds Bank. Once a victim enters sensitive personal or financial information, it is surreptitiously exfiltrated via a Telegram bot controlled by the attackers. Furthermore, the Xiū gǒu phishing kit employs sophisticated anti-detection measures, including Cloudflare’s obfuscation technologies, to mask the malicious nature of the campaign and circumvent traditional security mechanisms, rendering it an exceptionally potent and evasive threat.
Corrupted ZIPs and Office Docs Bypass Security
A sophisticated phishing campaign, leveraging corrupted ZIP archives and Microsoft Office files, is successfully bypassing traditional security defenses, including antivirus systems, sandboxes, and email spam filters. Active since August 2024, this attack exploits vulnerabilities in file recovery mechanisms within widely used applications such as Microsoft Word, Outlook, and WinRAR. When users open seemingly legitimate business communications, the malicious payloads are triggered, executing harmful code. What makes this threat particularly concerning is its ability to target trusted tools, allowing attackers to bypass security layers that rely on detecting suspicious file types or behaviors. The sophistication of the campaign reflects a deep understanding of how modern security defenses operate, posing a significant risk to organizational integrity. By exploiting trusted file formats and recovery features, attackers can establish a foothold in corporate environments, potentially leading to data breaches, ransomware deployment, or the theft of sensitive information. This campaign underscores the urgent need for organizations to move beyond reliance on a single layer of threat detection, such as Microsoft Defender, which many businesses depend on without validating its effectiveness or assessing potential evasion. Relying solely on one security measure leaves organizations vulnerable to sophisticated attacks that can bypass traditional defenses. To mitigate these risks, organizations should implement multi-layered security strategies, including advanced, behavior-based detection systems, and ensure that employees are trained to identify and avoid increasingly sophisticated social engineering tactics.
Latrodectus Malware: The Black Widow Threat
SideWinder APT: StealerBot Campaign
SideWinder APT—also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, or T-APT-04—has been active since at least 2012 and is believed to support the strategic interests of the Indian state. Recently, the group has expanded its operations to include the Middle East, Africa, and Southeast Asia.
SideWinder primarily targets military, governmental, telecommunications, and critical infrastructure entities in these regions. The group typically initiates attacks through spear-phishing emails, followed by sophisticated multi-stage assaults that exploit well-documented vulnerabilities, such as CVE-2017-11882.
In its latest campaign, SideWinder has introduced a new variant of “StealerBot,” an advanced cyberespionage tool designed for data exfiltration, system compromise, and the facilitation of additional malicious activities. This evolution in their toolkit highlights their growing capabilities and intent, positioning them as a significant threat in the cyber landscape.
Pygmy Goat Malware
“Pygmy Goat” malware is a highly sophisticated backdoor payload designed to provide unauthorized access to Linux-based network devices, with a particular focus on Sophos XG firewall appliances. Discovered as part of an ongoing series of cyber-espionage operations linked to Chinese state-sponsored threat actors, the malware is emblematic of the broader Pacific Rim campaign—a targeted assault on critical infrastructure and high-value entities. First identified by the UK’s National Cyber Security Centre (NCSC), these attacks exploit known vulnerabilities, such as CVE-2022-1040, in edge devices and network appliances, particularly those used by government agencies, critical infrastructure sectors, and private enterprises. Once deployed, “Pygmy Goat” grants attackers persistent, covert access to compromised systems, enabling the exfiltration of sensitive data and remote control of infected devices. The malware employs advanced evasion techniques, including the use of encrypted ICMP packets for stealthy communication and disguising malicious activity as legitimate SSH traffic, thereby circumventing traditional detection mechanisms.
North Korean-Linked MISTPEN Malware
Neutralizing Russian Military Cyber Threats
Security Advisory - VectorStealer Malware
Security Advisory - Snake Implant Malware
Cicada3301: A Cross-Platform Rust-Based Ransomware
CrowdStrike Fallout
CyberStash Security Advisory - Lockbit 3.0 Ransomware
Cuttlefish Malware
Deadglyph Malware
In a recent cyber espionage incident targeting Middle Eastern government entities, a newly emerged and highly sophisticated backdoor malware called ‘Deadglyph’ made its ominous debut.
The Deadglyph malware is built from interchangeable parts, known as modules. These modules are specialized tools that the backdoor can download from a command-and-control (C2) server. Each module comes with specific instructions, delivered as shellcode, that the malware follows to carry out different tasks.
This modular approach gives threat actors the flexibility to create new tools whenever they need them. It’s like having a toolbox with the ability to craft custom tools for specific targets. These custom tools can then be sent to victims to carry out additional harmful actions.
Deep Gosu
DEEP#GOSU is a highly sophisticated and elaborate malware campaign observed recently, leveraging PowerShell and VBScript malware to compromise Windows systems. It operates stealthily on Windows systems, particularly when monitoring network activity.
Its abilities encompassed keylogging, monitoring clipboard activities, executing dynamic payloads, exfiltrating data, and maintaining persistence. This was achieved through a combination of Remote Access Trojan (RAT) software for complete remote control, scheduled tasks, and self-executing PowerShell scripts utilizing jobs.
Security Advisory - DragonSpark
Exploiting the regreSSHion Vulnerability
Emoji-Powered Malware Operations
3CX Desktop App Report
BellaCiao: IRGC
An Iranian state-sponsored hacking group known as APT35/APT42 or Mint Sandstorm has been identified as deploying a new strain of malware named BellaCiao, which has targeted victims in various countries, including the U.S., Europe, India, Turkey, and others. The campaign aims to exploit vulnerabilities in Microsoft Exchange servers to gain unauthorized access and deploy malicious payloads for espionage, data theft, and potentially ransomware attacks.
BellaCiao is a dropper malware designed to deliver additional malicious payloads to compromised devices based on instructions from the threat actors. Its primary objective is to establish persistence and maintain stealth while awaiting further instructions. The malware is customized for each victim (including hardcoded information such as company name, specially crafted subdomains, or associated public IP address) ensuring tailored implants and evading detection mechanisms.
BiBi Wiper Malware
In a recent surge of cyber threats, Israeli computers are increasingly facing data-wiping attacks perpetrated by variants of the BiBi malware family. Researchers have identified these destructive elements affecting both Linux and Windows systems. The attacks are part of a broader cyber offensive targeting various sectors in Israel, notably in education and technology.
The Security Joes’ Incident Response team recently uncovered ‘BiBi-Linux,’ a malware strain designed for irreversible data corruption and operational disruption. Following this discovery, ESET researchers confirmed on October 31, 2023 that a Windows variant of the same malware, linked to a hacktivist group named BiBiGun, had been identified. This group is associated with Hamas, indicating a coordinated effort in deploying the malware for potential cyber-attacks and disruptions.