Posts by MalWhere?
🚨CISA flags 4 exploited Microsoft bugs—including a 14-year-old “zombie” flaw still used in attacks. Agencies have 2 weeks to patch. Old vulnerabilities remain active threats. #CyberSecurity #Infosec #zombiebugs #microsoft #CVE
These “zombie bugs” show attackers reuse long-patched flaws alongside new ones. CVE-2023-21529 is tied to ransomware, proving poor patching keeps legacy exploits alive and dangerous today.
🚨Rockstar confirms a breach via a third-party flaw, with no player data impacted. ShinyHunters claims access and issues an extortion deadline. Stolen data likely includes internal corporate intel. #GTAV #SHINYHUNTERS #DATABREACH
🚨A new Lua-based malware, LucidRook, is targeting NGOs and universities in Taiwan via spear-phishing. Attributed to UAT-10362, a capable threat actor, the campaign uses password-protected archives and decoy government-themed lures to initiate infection. #malware #APT #cybersecurity
LucidRook embeds a Lua interpreter, allowing attackers to dynamically load second-stage payloads while staying stealthy and hard to analyze.
Two infection chains observed:
• LNK shortcut → LucidPawn dropper → DLL sideloading
• Fake AV EXE posing as Trend Micro software
Once active, it performs reconnaissance, encrypts stolen data with RSA, and exfiltrates via FTP. A related tool, LucidKnight, uses Gmail for exfiltration—highlighting a flexible toolkit. Full post-infection activity remains unclear due to missing Lua payloads.
New Article
#i-Soon #Topsec #Knownsec #BJIT #Geedge #NSCC #Venustech #GoLaxy
open.substack.com/pub/malwhere...
🚨 North Korean-linked “Contagious Interview” campaign (WaterPlum) is using malicious VS Code projects to deploy StoatWaffle malware. Auto-executing tasks.json files trigger payloads when opened, marking a new tactic targeting developers.
#CyberSecurity #ThreatIntel #NorthKorea #Malware
StoatWaffle installs Node.js if needed, then deploys stealer + RAT modules to extract browser data and execute remote commands. Attacks are delivered via fake job interviews, GitHub repos, npm packages, and coding tests targeting senior Web3 developers.
The campaign abuses developer trust, embedding malware in tools and workflows. Activity overlaps with broader DPRK ops targeting crypto sectors, showing evolving tactics across open-source ecosystems and social engineering campaigns.
#APT #DevSecOps #CryptoSecurity
🚨 Reports of a potential Crunchyroll data breach claim ~100GB of user data was exfiltrated via a third-party vendor. The alleged March 2026 incident may involve emails, IPs, passwords, and payment data, raising concerns across the anime streaming community.
#CyberSecurity #DataBreach #Crunchyroll
The breach allegedly began after malware on a vendor employee system enabled access to internal tools, including ticketing systems. Attackers reportedly extracted customer analytics and support data, highlighting risks tied to outsourced infrastructure.
Crunchyroll has not confirmed the full scope, stating it is investigating. Reports suggest exposed data may include PII and partial card details, though claims remain unverified as attacker disclosures outpace confirmed findings.
#DataLeak
🚨 IBM X-Force uncovered “Slopoly,” likely AI-generated malware used by ransomware group Hive0163. The strain appeared in a live attack, signaling a shift as threat actors leverage AI to rapidly build tools and scale operations at lower cost.
#CyberSecurity #Ransomware #AI #ThreatIntel #Slopoly
Hive0163 used Slopoly as a C2 persistence client, deployed after initial access via ClickFix attacks. The chain included NodeSnake and InterlockRAT, enabling long-term access, data theft, and ransomware deployment across compromised systems.
Slopoly shows clear AI traits: structured code, comments, and unused functions. Though labeled “polymorphic,” it lacks true self-modification. The case highlights growing AI use in malware development across ransomware campaigns.
#CyberSecurity #AIThreats #Malware #ThreatIntel
🚨China–Costa Rica tensions rise after Costa Rica linked an ICE cyberattack to suspected PRC-linked group UNC2814. Beijing denies involvement and demands technical evidence, turning the incident from a cyber investigation into a diplomatic dispute.
#CyberSecurity #CyberEspionage #China #CostaRica
Costa Rica says attackers breached the Costa Rican Electricity Institute (ICE) email systems, stealing ~9GB of internal data. The intrusion, first detected in January, did not disrupt electricity or telecom services. Attribution to UNC2814 came via intelligence shared by Mandiant.
China rejected the accusations and asked Costa Rica to provide evidence for legal review. Beijing says it has sought cyber cooperation since 2024 and warns against politicizing cyber incidents, urging dialogue. #UNC2814
🚨 APT group “Silver Dragon” targeting Europe & Southeast Asia since mid-2024. Linked to the APT41 umbrella, the China-nexus threat actor focuses mainly on government entities, using server exploits and phishing to gain initial access.
#APT #CyberEspionage #ThreatIntel #CyberSecurity
Silver Dragon deploys multiple Cobalt Strike infection chains: AppDomain hijacking, Service DLL abuse, and phishing with weaponized LNK files. Custom loaders like MonikerLoader and BambooLoader decrypt payloads in memory and inject them into legitimate Windows processes.
Post-exploitation tools include SilverScreen (screen capture), SSHcmd, and the GearDoor backdoor. GearDoor uses Google Drive for C2, disguising tasks via file extensions (.png, .pdf, .cab, .rar, .7z). Tradecraft overlaps tie the group to APT41.
🚨 Snail-mail phishing targets crypto hardware wallet users. Fake letters posing as Trezor & Ledger claim mandatory “Authentication” or “Transaction” checks. Victims are pressured to scan QR codes tied to recovery-phrase theft campaigns.
#Crypto #Phishing #HardwareWallet #CyberSecurity
The letters cite urgent deadlines (Oct 2025 / Feb 2026) and warn of lost functionality. QR codes direct recipients to spoofed Trezor and Ledger setup pages designed to mimic official security and compliance communications.
The phishing sites request 12-, 20-, or 24-word recovery phrases, transmitting them to attacker-controlled infrastructure via backend API endpoints. With the seed phrase captured, threat actors can import wallets and drain funds.
🚨 Researchers uncovered OysterLoader, a stealthy multi-stage loader powering Rhysida ransomware attacks. Active since 2024, it spreads via fake downloads of PuTTY, WinSCP & AI tools, deploying malware through signed MSI files. A major enterprise threat. #CyberSecurity #Malware #ThreatIntel
OysterLoader uses a 4-stage infection chain: TextShell packer, API flooding, anti-debug checks, custom API hashing, and modified LZMA compression. It dynamically resolves Windows functions and evades AV detection while testing sandbox conditions before contacting C2 over HTTPS.
The loader retrieves encrypted payloads hidden in fake icon files via steganography, installs persistent DLLs via Task Scheduler, and exfiltrates system data. Linked to Rhysida and possibly Wizard Spider, it delivers ransomware & stealers—an evolving threat into 2026.
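The "custom API hashing" in the OysterLoader thread is the analyst's first obstacle: the import table is empty and the binary carries 32-bit constants that it compares against hashes of export names at run time. The script below is an added example, not code from the posts or from the researchers' report, and it does not reproduce OysterLoader's actual hash. It implements the common rotate-and-add family (ROR13 is the best-known member) with the rotation count, seed and null-terminator handling left as parameters, then brute-forces those parameters against constants pulled from a sample so the hashed imports can be named. The API list and the "observed" constants are constructed for illustration; the seeds tried are assumptions.

```python
"""Recover rotate-and-add API hashes from a stripped loader.

Added example. The hash family, parameter ranges and API name list are
assumptions for illustration; they are not OysterLoader's real scheme.
"""
MASK = 0xFFFFFFFF

# Constructed list of exports a loader typically resolves by hash.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "GetTickCount", "Sleep", "WinHttpOpen", "WinHttpConnect",
    "InternetOpenA", "CreateFileW", "WriteFile", "ExitProcess",
]


def ror_hash(name: bytes, rot: int = 13, seed: int = 0) -> int:
    """Rotate-right-then-add hash over the bytes of an export name.

    rot=13, seed=0 gives the classic ROR13 used by many shellcode loaders;
    "custom" variants usually change rot, add a seed, or hash the NUL too.
    """
    h = seed
    for b in name:
        h = ((h >> rot) | (h << (32 - rot))) & MASK
        h = (h + b) & MASK
    return h


def build_table(api_names, rot, seed, with_nul):
    """Map hash -> name for one parameter set."""
    suffix = b"\x00" if with_nul else b""
    return {ror_hash(n.encode("ascii") + suffix, rot, seed): n for n in api_names}


def identify_hash_params(observed, api_names, seeds=(0, 0x1505, 0x811C9DC5)):
    """Brute-force (rot, seed, with_nul) until every observed constant resolves.

    Returns a dict with the parameters and the resolved names, or None if no
    combination explains all constants (a sign the scheme is not rotate-add,
    or that the API list lacks a name).
    """
    observed = {h & MASK for h in observed}
    for with_nul in (False, True):
        for rot in range(1, 32):
            for seed in seeds:
                table = build_table(api_names, rot, seed, with_nul)
                if observed.issubset(table):
                    return {
                        "rot": rot, "seed": seed, "with_nul": with_nul,
                        "resolved": {h: table[h] for h in sorted(observed)},
                    }
    return None


def resolve_unknown(observed, api_names, **kw):
    """Convenience wrapper: returns {constant: name} or an empty dict."""
    res = identify_hash_params(observed, api_names, **kw)
    return res["resolved"] if res else {}


if __name__ == "__main__":
    # Constructed "observed" constants: what an analyst would copy out of the
    # resolver loop in a disassembler. Here they are generated with rot=7.
    sample = [ror_hash(b"VirtualAlloc", 7), ror_hash(b"IsDebuggerPresent", 7)]
    print(identify_hash_params(sample, API_NAMES))
```

In practice the constants come from the comparison instruction in the resolver loop, and the API list comes from the exports of the DLLs the sample loads (kernel32, ntdll, winhttp and so on, dumped with any PE tool). If no rotate-add parameters fit, the loop itself has to be read for the real operation; the same search structure works once `ror_hash` is replaced with that operation.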
CrowdStrike: Labyrinth Chollima split into espionage & crypto-theft units (Golden & Pressure Chollima), linked to Lazarus. Shared HR lures, trojanized apps & rootkits show centralized coordination across DPRK ops. #ThreatHunting #APT #Lazarus #CyberEspionage
The scheme acts as a high-volume revenue engine. Operatives gain admin access to repos, steal data, and convert salaries to crypto using chain-hopping. “Contagious Interview” lures deploy npm malware, VS Code payloads, BeaverTail & Koalemos RAT for full remote control.