emergency response

Tech Optimizer
November 5, 2025
Hackers are refining tactics to evade detection by EDR systems and antivirus software, with a notable strategy being the use of Linux malware to infiltrate Windows systems. Investigations by Bitdefender and CERT-GE revealed a campaign by the Russian hacker group Curly COMrades, which exploits the Hyper-V virtualization platform on Windows 10 to create covert access channels. They utilize Alpine Linux for lightweight virtual machines that are difficult to detect, requiring only 120 MB of disk space and 256 MB of RAM. The attackers maintain persistent access using tools like Resocks and Stunnel, starting their activities in early July 2024 by activating Hyper-V on compromised systems and deploying misleading virtual machines labeled “WSL.” They introduced custom malware, CurlyShell and CurlCat, for communication and remote access. This trend of using Linux malware against Windows systems is growing, as seen in recent Qilin ransomware attacks documented by Trend Micro.
AppWizard
October 10, 2025
Cities Skylines 2 has a 'mixed' rating of 53% on Steam two years after its launch. The Bridges and Ports expansion, which has faced two delays, is set to release on October 29, priced at .99/£16.99. This DLC will enhance water-based construction with new features such as customizable harbors, new coastal maps, and facilities like ore yards and passenger terminals. It will introduce 20 variants of drawbridges and lift bridges for improved connectivity and new transportation options like ferries. The expansion includes over 100 new assets, including lighthouses and leisure piers. Performance issues and traffic patterns remain concerns, and the asset editor is still pending release. A bundle option with the 'Cold Wave Channel' radio station will be available for .89/£18.89. Players are encouraged to discuss their expectations for the DLC online.
AppWizard
August 15, 2025
Residents and visitors in Morong, Rizal, and Mambajao, Camiguin Island can now make emergency calls through messaging apps and social media platforms as part of a modernization initiative for emergency response systems. Mambajao activated its local 911 emergency hotline on February 27, becoming the first next-generation 911-enabled command center in Northern Mindanao, reducing response times to three to seven minutes. The Next Generation Advanced (NGA) 911 Philippines launched the NEXiS Message platform, allowing emergency calls via traditional voice methods, text messages, video calls, and popular applications like Facebook Messenger. This system consolidates incoming messages into a single platform, improving efficiency and response times while ensuring the security of shared information through encryption. NEXiS Message integrates with legacy and modern communication technologies and facilitates inter-agency collaboration. NGA 911 Philippines aims to expand next-generation 911 technology to more communities in the country and has received certification from the National Emergency Number Association (NENA).
AppWizard
March 20, 2025
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about targeted cyberattacks against employees in the defense-industrial complex and members of the Defense Forces of Ukraine, which have been ongoing since at least summer 2024 and have intensified recently. Attackers are using the Signal messenger app to distribute malicious files by compromising trusted contacts' accounts. In March 2025, CERT-UA observed that attackers were sending archived messages through Signal, which included a PDF and an executable file called DarkTortilla, designed to activate the DarkCrystal RAT (DCRAT) software. The focus of these deceptive messages has shifted to critical topics like unmanned aerial vehicles (UAVs) and electronic warfare equipment. CERT-UA has labeled this activity UAC-0200 and advises reporting any suspicious messages immediately. They have also compiled indicators related to the attacks, including specific file hashes, IP addresses, and URLs linked to the attackers' infrastructure.
AppWizard
November 22, 2024
The RapidDeploy app is a tool for dispatchers and first responders that enhances emergency response by providing real-time assistance. In a specific incident in Walton County, Florida, Louise Barthel used the app's video feature to share live footage with 911 responders when her husband fell off a boat. This allowed responders to visualize the situation and navigate to her location more efficiently. The app's mapping functionality also helped ensure a swift route to the scene, and responders guided Louise in restarting the boat through the video feed. The RapidDeploy app is currently available for Android users and is offered free of charge.
Winsage
November 14, 2024
Suspected Russian hackers are exploiting a zero-day vulnerability in Windows, identified as CVE-2024-43451, which is an NTLM Hash Disclosure spoofing vulnerability. ClearSky security researchers discovered that the vulnerability allows attackers to steal a logged-in user's NTLMv2 hash by manipulating connections to a server they control. The malicious campaign was first detected in June, using phishing emails with links that download an Internet shortcut file from a compromised server. User interaction with the URL file can trigger the vulnerability, enabling the download of malware like SparkRAT. ClearSky reported the findings to Ukraine's Computer Emergency Response Team (CERT-UA), linking the attacks to a Russian-affiliated threat group known as UAC-0194. Microsoft patched the vulnerability during the November 2024 Patch Tuesday and confirmed that user interaction is necessary for exploitation. The vulnerability affects all supported versions of Windows, including Windows 10 and later. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring organizations to secure affected systems by December 3.
Winsage
October 26, 2024
APT29, a Russian advanced persistent threat group, has been targeting military, governmental, and corporate organizations through phishing campaigns. This group, associated with the Russian Federation's Foreign Intelligence Service (SVR), is known for significant breaches, including those involving SolarWinds and the Democratic National Committee. Recently, APT29 breached Microsoft's codebase and targeted political entities across Europe and Africa. The Computer Emergency Response Team of Ukraine (CERT-UA) discovered APT29's phishing attempts aimed at extracting Windows credentials from various sectors in Ukraine. The phishing campaign, which began in August, used malicious domain names resembling Amazon Web Services (AWS) to send emails with attachments that contained configuration files for Remote Desktop, enabling attackers to establish connections to compromised systems. Although APT29 did not use legitimate AWS domains, Amazon disrupted the campaign by taking down the malicious imitations. CERT-UA recommends organizations monitor network logs for APT29-related IP addresses and block RDP files at email gateways to mitigate risks.
Winsage
September 30, 2024
Japan's Computer Emergency Response Center (JPCERT/CC) has identified specific Windows Event Logs that can help detect ransomware attacks. The four types of logs analyzed are Application, Security, System, and Setup logs. Notable ransomware variants and their associated event IDs include:
- Conti: Detected through event IDs 10000 and 10001.
- Phobos: Leaves traces when deleting system backups via event IDs 612, 524, and 753.
- Midas: Alters network settings, leaving event ID 7040.
- BadRabbit: Records event ID 7045 during encryption installation.
- Bisamware: Logs the start (event ID 1040) and end (event ID 1042) of a Windows Installer transaction.
Other ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society leave behind event IDs 13 and 10016, linked to permission issues when accessing COM applications to delete Volume Shadow Copies. JPCERT/CC notes that while older ransomware like WannaCry and Petya did not leave traces in Windows logs, modern strains do exhibit detectable patterns. In 2022, the SANS Institute published a guide on detecting ransomware using Windows Event Logs.