threat actor Archives

AppWizard

April 19, 2025

Urgent Android Warning: Major Security Flaw Allows Hackers Full Access—Here Are the Apps You Must Delete Now

A vulnerability known as “Dirty Stream” was discovered by Microsoft, allowing malicious applications to hijack trusted apps on high-end Android devices. Although the flaw has been patched, any data accessed before the patch remains vulnerable. The vulnerability exploited the ContentProvider system in Android, enabling harmful apps to send deceptive files that could overwrite critical data in secure storage. Microsoft noted that this could lead to arbitrary code execution, giving attackers full control over applications and access to sensitive user data. Several popular Android apps were found to be vulnerable, with over four billion installations affected. It is crucial to promptly install security updates and maintain app vigilance to protect personal data.

AppWizard

April 10, 2025

SpyNote Android malware resurfaces in campaign using spoofed app install pages

A report from DomainTools LLC reveals that cybercriminals are using newly registered domains to distribute the SpyNote Android remote access trojan (RAT) by creating fake websites that resemble legitimate Google Play app installation pages. These counterfeit pages often include familiar visual elements to deceive users into downloading harmful APK files, such as a site mimicking the TikTok installation page. The downloaded files typically contain variants of SpyNote, which can conduct surveillance, harvest sensitive information, and execute remote commands on compromised devices. The delivery mechanism involves a two-stage process where a dropper APK installs a secondary APK with core spyware functionalities, utilizing JavaScript to trigger downloads from fake install buttons. Common characteristics of the domains distributing SpyNote include registration with NameSilo LLC and XinNet Technology Corp., hosting on infrastructure linked to Lightnode Ltd and Vultr Holdings LLC, and the presence of SSL certificates. The malware delivery sites contain code in both English and Chinese, suggesting a Chinese-speaking threat actor may be involved. SpyNote has been associated with advanced persistent threat groups targeting individuals in South Asia, including those in the Indian defense sector. Once installed, SpyNote requests intrusive permissions to access SMS, contacts, call logs, camera, microphone, and location services, and employs persistence mechanisms that make it difficult to remove. DomainTools advises users to be vigilant against spoofed app pages and avoid sideloading APKs from unverified sources.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

April 8, 2025

Report: EncryptHub moonlighting in vulnerability research

A new threat actor named EncryptHub, or SkorikARI, has been recognized by Microsoft for identifying two significant security vulnerabilities in Windows: a high-severity bypass of the Windows Mark of the Web security feature (CVE-2025-24061) and a medium-severity spoofing issue in Windows File Explorer (CVE-2025-24071). EncryptHub, based in Romania and of Ukrainian origin, has a background in vishing and ransomware attacks and shifted to vulnerability research due to financial difficulties and the threat of imprisonment. The KrakenLabs report notes EncryptHub's skill in identifying vulnerabilities but warns that his creations are not foolproof, and users following basic security protocols are likely to remain safe.

Winsage

April 8, 2025

EncryptHub plays dual role as cybercriminal and Windows researcher

EncryptHub, a threat actor linked to intrusions at 618 organizations, reported two Windows zero-day vulnerabilities, CVE-2025-24061 and CVE-2025-24071, to Microsoft, which were resolved in March 2025. The vulnerabilities were reported by an individual named SkorikARI, who has been connected to EncryptHub after the threat actor exposed its login credentials. Researchers at Outpost24 identified this link through multiple pieces of evidence, including exfiltrated password files and a GitHub login associated with SkorikARI. EncryptHub has a history of selling zero-days on hacking forums and has been involved in both freelance development and cybercriminal activities. Despite his expertise, the hacker fell victim to poor security practices, leading to the exposure of personal information and interactions with ChatGPT regarding malware development and self-assessment as a hacker.

Winsage

April 7, 2025

EncryptHub’s dual life: Cybercriminal vs Windows bug-bounty researcher

EncryptHub has been linked to breaches affecting 618 organizations and is associated with the disclosure of two Windows zero-day vulnerabilities, CVE-2025-24061 and CVE-2025-24071, to Microsoft. The vulnerabilities were addressed during the March 2025 Patch Tuesday updates, and the reporter was acknowledged as 'SkorikARI with SkorikARI.' Investigations revealed a connection between EncryptHub and SkorikARI, following an incident where EncryptHub exposed their credentials. SkorikARI's accounts were used to report the vulnerabilities, contributing to Windows security. Evidence linking SkorikARI to EncryptHub includes password files exfiltrated from EncryptHub's system and a GitHub account associated with SkorikARI. EncryptHub has previously attempted to market zero-day vulnerabilities on underground forums and is believed to have affiliations with ransomware groups. The threat actor has executed social engineering campaigns, phishing attacks, and developed a custom infostealer known as Fickle Stealer. They created fictitious social media profiles and websites, such as a fake project management application called GartoriSpace, which installed malicious files on unsuspecting users. EncryptHub has also been implicated in exploiting a Microsoft Management Console vulnerability, CVE-2025-26633.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

Tech Optimizer

April 2, 2025

Over 1,500 PostgreSQL Servers Hit by Fileless Malware Attack

A malware campaign has compromised over 1,500 PostgreSQL servers using fileless techniques to deploy cryptomining payloads. The attack, linked to the threat actor group JINX-0126, exploits publicly exposed PostgreSQL instances with weak or default credentials. The attackers utilize advanced evasion tactics, including unique hashes for binaries and fileless execution of the miner payload, making detection difficult. They exploit PostgreSQL’s COPY ... FROM PROGRAM function to execute malicious payloads and perform system discovery commands. The malware includes a binary named “postmaster,” which mimics legitimate processes, and a secondary binary named “cpu_hu” for cryptomining operations. Nearly 90% of cloud environments host PostgreSQL databases, with about one-third being publicly exposed, providing easy entry points for attackers. Each wallet associated with the campaign had around 550 active mining workers, indicating the extensive scale of the attack. Organizations are advised to implement strong security configurations to protect their PostgreSQL instances.

Tech Optimizer

March 31, 2025

Fileless XMRig-C3 Cryptominer Targets PostgreSQL Servers

Wiz Threat Research has reported a new variant of a malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers, attributed to the threat actor JINX-0126. This actor exploits vulnerable PostgreSQL instances with weak login credentials to gain unauthorized access and deploy XMRig-C3 cryptominers. The campaign has evolved to include advanced evasion techniques, such as using unique hashes for binaries and executing payloads in a fileless manner to avoid detection. The analysis indicates that the threat actor assigns unique mining workers to each victim, with three distinct wallets identified, suggesting over 1,500 affected victims. Nearly 90% of cloud environments host PostgreSQL instances, with about one-third publicly exposed. The threat actor scans for poorly configured services, exploiting default weak credentials to gain access and execute malicious payloads. Upon successful login, the actor performs reconnaissance and executes a dropper script to deploy an obfuscated Golang binary, which contains an encrypted configuration with critical system information. The malware establishes persistence by creating cron jobs and modifying access controls. The actor also creates high-privilege roles for continued access and weakens the default admin user. The analysis identified three wallets associated with the campaign, with each wallet having around 550 workers. The Wiz Dynamic Scanner can identify exposed PostgreSQL services, while the Wiz Runtime Sensor detects malicious activities associated with this threat. The report includes specific wallet addresses, a file hosting service, and file hashes related to the malware. Techniques used by the malware align with various MITRE ATT&CK® techniques, including credential access, defense evasion, and resource hijacking.

AppWizard

March 28, 2025

PJobRAT Android RAT as Dating & Instant Messaging Apps Attacking Military Personnel

PJobRAT is an Android Remote Access Trojan (RAT) that re-emerged in 2023 with improved capabilities and a refined targeting strategy, previously known for attacking Indian military personnel in 2021. It is now targeting users in Taiwan through social engineering tactics, disguising itself as legitimate dating and messaging apps. The malware is distributed via compromised WordPress sites hosting fake applications like “SaangalLite” and “CChat.” The infection footprint is small, indicating highly targeted attacks rather than widespread campaigns. PJobRAT retains its core functionality of exfiltrating sensitive information, including SMS messages, contacts, and media files, while enhancing command execution capabilities. Upon installation, the malicious apps request extensive permissions to operate continuously in the background. The malware uses a dual-channel communication infrastructure, with Firebase Cloud Messaging (FCM) as the primary command channel and a secondary HTTP-based channel for data exfiltration to a command-and-control server. The campaign appears to have concluded, but the evolution of PJobRAT highlights the ongoing threat of sophisticated mobile malware targeting high-value individuals.