espionage Archives

AppWizard

June 9, 2025

New ‘Game of Thrones’ PC Game ‘War for Westeros’ Arrives 2026

A new strategy game titled Game of Thrones: War for Westeros has been announced, set to launch in 2026. Developed by Paradox Interactive, known for grand strategy games, it will allow players to control the great houses of Westeros, manage armies, form alliances, and engage in espionage. The game will feature a detailed map of Westeros and include iconic characters and events from the series. It is expected to be a PC exclusive, with more details on the release date to come.

AppWizard

May 28, 2025

Can Your PC Run Metal Gear Solid Delta: Snake Eater?

Hideo Kojima's latest project, Death Stranding 2: On the Beach, is upcoming, while Konami will release a remake of Metal Gear Solid 3: Snake Eater, titled Metal Gear Solid Delta: Snake Eater, on August 28, 2025. The retail price will be .99, and it will be available on PC (via Steam), PS5, and Xbox Series X/S. A Deluxe Edition with additional content will cost .99. Minimum system requirements for PC include Windows 10 (64-bit), AMD Ryzen 5 3600 or Intel Core i5-8600 CPU, 16GB RAM, Nvidia GeForce RTX 2060 Super GPU, and 100GB SSD storage. Recommended specs include Windows 11 (64-bit), AMD Ryzen 5 3600 or Intel Core i7-8700K CPU, 16GB RAM, Nvidia GeForce GTX 3080 GPU, and 100GB SSD storage. The game will support DualShock and Xbox controllers, and will include Steam features like achievements and cloud support. Compatibility with Steam Deck is uncertain.

AppWizard

May 23, 2025

This hacking sim is like if Uplink was more of a puzzle game, and if you live for snooping through other people’s emails you’re going to be well-served

Cyber Warrior is a hacking simulation game developed by Dunke Games, where players assume the role of a cybersecurity professional for a fictional agency. The game features a modern gameplay style reminiscent of classic titles like Uplink, utilizing a VNC client. It includes a virtual desktop with a music player featuring hacker-themed tracks. Cyber Warrior is currently available on Steam with a 10% discount.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

May 14, 2025

Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days

Microsoft has addressed 72 vulnerabilities in a recent update, including five classified as zero-days. This is the eighth consecutive month that Microsoft has tackled zero-day vulnerabilities without any being categorized as critical at the time of disclosure. The identified zero-days include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709, with CVSS scores ranging from 7.5 to 7.8. Two of these vulnerabilities are related to the Windows Common Log File Driver System (CLFS), which has been frequently targeted for exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five zero-days to its Known Exploited Vulnerabilities (KEV) list. Experts suggest that some zero-day exploits may be linked to targeted espionage or financially motivated activities, including ransomware deployment. Additionally, Microsoft's update includes five critical vulnerabilities and 50 high-severity defects, with 18 vulnerabilities impacting Microsoft Office and three deemed “more likely” to be exploited. Eight vulnerabilities patched this month are considered “more likely” to be exploited, including two high-severity defects in Microsoft SharePoint Server.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.

Winsage

April 17, 2025

Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.

AppWizard

April 9, 2025

Austrian government plans surveillance of WhatsApp, Telegram messaging apps

The Austrian government has introduced a draft law to increase oversight of messaging apps like WhatsApp and Telegram, aiming to aid law enforcement in monitoring potential terrorist and extremist activities. Interior Minister Gerhard Karner stated that police currently lack visibility into the actions of such individuals on these platforms, highlighting the need for specific measures that would only apply to a limited number of cases annually. Access to messaging services would be granted only in situations that suggest terrorist-related or constitution-threatening activities. The initiative received support from State Secretary Jorg Leichtfried of the Social Democratic Party, who assured that it would not lead to mass surveillance. However, there are concerns from the liberal NEOS party regarding the proposal, indicating the need for further discussions. An eight-week review period has been established for the draft law, during which the involved parties will engage with each other.

Winsage

April 8, 2025

Neptune RAT malware is hijacking Windows PCs, holding them for ransom and stealing passwords

Cybercriminals have released a new malware strain called Neptune RAT, which targets Windows PCs and is capable of stealing cryptocurrencies and passwords, as well as holding data for ransom. It features a crypto clipper that can alter cryptocurrency wallet addresses, a password-stealing function affecting over 270 applications, and ransomware capabilities that lock files until a ransom is paid. The malware can disable antivirus software, monitor victims' screens in real-time, and has the ability to wipe a PC. It is distributed through platforms like GitHub, Telegram, and YouTube, making it difficult for cybersecurity researchers to analyze. Users are advised to be cautious with downloads, consider identity theft protection services, and practice safe browsing habits to mitigate risks.

AppWizard

March 28, 2025

Hackers target Taiwan with malware delivered via fake messaging apps

Recent research from cybersecurity firm Sophos has identified the use of PJobRAT malware targeting users in Taiwan through instant messaging applications SangaalLite and CChat, which mimic legitimate platforms. These malicious apps were available for download on various WordPress sites, now taken offline. PJobRAT, an Android remote access trojan first identified in 2019, has been used to steal SMS messages, contacts, device information, documents, and media files. The recent cyber-espionage initiative lasted nearly two years, affecting a limited number of users, indicating a targeted approach by the attackers. The latest version of PJobRAT lacks the ability to steal WhatsApp messages but allows attackers greater control over infected devices. The distribution method for these apps remains unclear, but previous campaigns involved third-party app stores and phishing pages. Upon installation, the apps request extensive permissions and provide basic chat functionalities. Sophos researchers note that threat actors often refine their strategies after campaigns, suggesting ongoing risks.