threat intelligence Archives

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

May 14, 2025

Microsoft’s ‘Patch Tuesday’ Update Fixes Seven Zero-Day Exploits

Microsoft's latest Patch Tuesday update addresses 72 security vulnerabilities, including five critical zero-day vulnerabilities. Four of these zero-days are elevation of privilege flaws: - CVE-2025-32701 and CVE-2025-32706 target the Windows Common Log File System Driver. - CVE-2025-30400 affects the Microsoft DWM Core Library. - CVE-2025-32709 involves the Windows Ancillary Function Driver for WinSock. These vulnerabilities allow attackers to gain SYSTEM privileges locally. The fifth zero-day, CVE-2025-30397, is a remote code execution vulnerability in the Microsoft Scripting Engine, which can be exploited through malicious links in Microsoft Edge or Internet Explorer. CVE-2025-30397, CVE-2025-32701, and CVE-2025-30400 were discovered by the Microsoft Threat Intelligence Center, while CVE-2025-32706 was disclosed by the Google Threat Intelligence Group and CrowdStrike, and CVE-2025-32709 was reported by an anonymous researcher. Additionally, a publicly disclosed spoofing flaw in Microsoft Defender, CVE-2025-26685, allows unauthenticated attackers with local network access to impersonate another account. The final zero-day, CVE-2025-32702, is a remote code execution vulnerability in Visual Studio.

Winsage

May 14, 2025

Microsoft Confirms Windows Is Under Attack — You Must Act Now

Microsoft has confirmed multiple zero-day vulnerabilities being actively targeted by malicious actors. One significant vulnerability is CVE-2025-30397, a memory corruption flaw in the Windows scripting engine that affects all versions of Windows and allows code execution over the network. It has a CVSS score of 7.8 and is considered critical. Successful exploitation requires the target to use Edge in Internet Explorer Mode and for the user to click a malicious link. Other vulnerabilities include: - CVE-2025-32709: An elevation of privilege vulnerability in the Windows ancillary function driver for WinSock, affecting Windows Server 12 and later. - CVE-2025-32701 and CVE-2025-32706: Vulnerabilities in the Windows Common Log File Driver System that could allow local attackers to gain system privileges, affecting all versions of Windows. - CVE-2025-30400: An elevation of privilege vulnerability in the Windows desktop window manager, affecting Windows 10, Server 2016, and later OS versions. Windows users are urged to update their systems with the latest security patches immediately.

Tech Optimizer

May 14, 2025

Best Antivirus Software (2025): ESET Recognized as Top Cybersecurity Solution by Software Experts

ESET is recognized as a leading antivirus provider in 2025, known for its robust security solutions that effectively combat rising cyber threats such as phishing, ransomware, and zero-day exploits. The company's offerings include heuristic and behavioral detection, ransomware and phishing protection, exploit blocker technology, and low resource usage, ensuring minimal impact on system performance. ESET provides various products for home users, including ESET HOME Security Essential, Premium, and Ultimate, as well as a Small Business Security package for up to 25 devices and scalable solutions for larger organizations. Pricing for home products starts at .99/year, with multi-device and multi-year discounts available. ESET operates in over 200 countries, utilizing a global network for real-time threat intelligence and maintaining a commitment to effective digital security since its establishment in 1992.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

May 14, 2025

Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges

Microsoft has addressed a zero-day vulnerability in the Windows Desktop Window Manager (DWM) Core Library, identified as CVE-2025-30400, which allows attackers to gain SYSTEM-level privileges on affected systems. This "Elevation of Privilege" vulnerability, arising from a "use-after-free" memory corruption issue, was actively exploited prior to the release of a patch on May 13, 2025. The vulnerability permits an authorized attacker to execute code with SYSTEM privileges by exploiting improper memory management within the DWM process. Microsoft classified the severity of this vulnerability as "Important" and assigned it a CVSS score of 7.8. Users and administrators are strongly advised to apply the latest updates to mitigate the risk of exploitation.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Tech Optimizer

May 5, 2025

VIPRE Advanced Security Awarded Highest Ranking in AV-Comparatives’ Malware Protection Test 2025

VIPRE® Advanced Security received the Advanced+ award from AV-Comparatives in the March 2025 Malware Protection Test for its effectiveness against cyber threats. The test evaluated 19 security products using 10,030 malware samples on a Windows 11 system, focusing on both online and offline threats. VIPRE achieved a 98.7% detection rate in all scenarios, a 99.93% overall protection rate during execution testing, and had one of the lowest false positive counts among the products tested. VIPRE's security solutions are integrated into other Ziff Davis products, enhancing their protection capabilities. VIPRE is a subsidiary of Ziff Davis, Inc., specializing in cybersecurity solutions with over 25 years of experience.

Tech Optimizer

May 4, 2025

5 reasons why I stopped using an antivirus on Windows 11

A growing number of users are reevaluating their reliance on traditional antivirus software, reflecting a deeper understanding of personal security needs. Many individuals are adopting strong cyber hygiene practices, taking personal responsibility for safe browsing and cautious online behavior. Modern browsers like Opera and Brave offer built-in security features and VPNs, emphasizing self-discipline in cybersecurity. Microsoft Defender Antivirus, integrated into Windows 11, provides real-time protection and frequent updates, making it a reliable choice for users who practice basic cyber hygiene. High-end antivirus packages often come with subscription fees, while open-source solutions can be cost-effective alternatives. Users have reported improved system performance after moving away from third-party antivirus programs, experiencing faster boot times and increased responsiveness. Essential security features are now recognized as not exclusive to antivirus software, with regular data backups, encryption, and password management enhancing overall protection. While some users find sufficient protection without traditional antivirus software, others with different threat models may still require it.