#CYBERATTACKS hashtag - Bluesky

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea GitHub attacked by state-sponsored hackers Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails. Payload execution Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background. The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers. Successful exploit scenario If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security. This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.” After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host. Campaign history According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak. Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin.

5 hours ago

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea #Cloud #CyberAttacks #Data

0 0 0 0

YourAnonRiots 🐈️🏴🇵🇸🇲🇲🦋

@youranonriots.bsky.social

7 hours ago

Inside Keymous+: An Exclusive Interview - Daily Dark Web Inside Keymous+: An Exclusive Interview Discover the latest security threats and database leaks, including unauthorized VPN access and email breaches, in the cyber underground world.Stay informed abou...

#Keymous+ claimed control of multiple sub-groups, persistent access to health systems across Africa and Asia, and thousands of compromised accounts, framing DDoS as peaceful demonstrations while asserting humanitarian objectives.
#Anonymous
#CyberAttacks
dailydarkweb.net/inside-keymo...

7 4 0 1

Promise Legal

@promise.legal

12 hours ago

⚠️ Be aware of common cyberattacks. Knowledge is your first line of defense. #CyberAttacks #Awareness 👉 blog.promise.legal/types-of-cyberattacks-to...

0 0 0 0

What is the Lazarus group? - Negative PID At the beginning of December 2025, some of the members of the Lazarus group were caught on camera while conducting infiltration through a fake-job scheme. But

14 hours ago

What is the Lazarus group?

negativepid.blog/wha...

#lazarus #cyberwarfare #organizedCrime #stateSponsoredCrime #cyberUnits #LazarusGroup #hackers #onlineRecruitment #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0

ReconBee

@reconbee.bsky.social

18 hours ago

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea a scheduled task to set up persistence read more about DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea reconbee.com/dprk-linked-...

#DPRK #hackers #GitHub #southkorea #multistageattacks #cyberattacks

1 0 0 0

2rZiKKbOU3nTafniR2qMMSE0gwZ

@2rzikkbou3ntafnir2qmmse0gwz.activitypub.awakari.com.ap.brid.gy

1 day ago

Awakari App

#Artificial #Intelligence #Computers #and #the #Internet #Cyberattacks #and #Hackers #Computer #Security

Origin | Interest | Match

0 0 0 0

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation A man from Armenia now faces trial in the U.S., accused of helping run a major cybercriminal network recently uncovered. On March 23, authorities took Hambardzum Minasyan into custody; later that week, he stood before judges in Austin. Officials there detailed how he supposedly aided the RedLine scheme behind the scenes. Minasyan faces accusations tied to overseeing parts of a malicious software network, say U.S. justice officials. Hosting setups involving virtual servers - central to directing attacks - are part of what he allegedly handled. Domain registrations connected to RedLine operations were reportedly arranged by him. File-sharing platforms built under his direction may have helped spread the program to users. Control mechanisms behind these actions remain outlined in official claims. After deployment, RedLine grabs private details like banking records and passwords from compromised devices. This stolen data often ends up traded or misused by online criminals. One key figure, Minasyan, allegedly helped manage core infrastructure alongside others involved. Control dashboards used by partners in the scheme were reportedly maintained through their efforts. Besides handling infrastructure tasks, Minasyan faces claims he helped run money flows for the network. A digital currency wallet tied to him supposedly managed transactions among members and moved profits from compromised information. Officials report that the team continuously assisted people deploying the malicious software, guiding attack methods while boosting earnings. Facing several accusations today, Minasyan is charged with using unauthorized access devices, breaking rules under the Computer Fraud and Abuse Act, along with plotting ways to launder money. A guilty verdict might lead to a maximum penalty of three decades behind bars. A wave of global actions has tightened pressure on RedLine operations. Early in 2024, teams from several countries joined forces - among them officers from the Dutch National Police - to strike key systems powering the malware network. This push formed what officials later called Operation Magnus, a synchronized disruption targeting how the service operated. Instead of selling outright, its creators let hackers lease access; investigators focused sharply on this rental setup during their work. A federal indictment names Maxim Alexandrovich Rudometov, a citizen of Russia, as central to creating the malicious software. Should he be found guilty, extended penalties may apply due to further allegations tied to his role. A closer look reveals persistent attempts worldwide to weaken structured hacking groups while targeting central figures for responsibility. Despite challenges, momentum builds as actions cross borders to undermine digital criminal systems.

1 day ago

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation #Armenia #CyberCrime #Cyberattacks

0 0 0 0

@richardfreiberg.bsky.social

1 day ago

Did you know 38% of #cyberattacks target infrastructure related with remote work, including home devices & #VPNs. Weak security measures expose users to a range of threats, including unauthorized access, interception of communications & theft of sensitive #data. Be safe! Reach out to us for help

0 0 0 0

The fall of Hydra - Negative PID In April 2022, German authorities announced the takedown of Hydra, the largest and most influential darknet marketplace to have ever operated in the

2 days ago

The fall of Hydra
negativepid.blog/the...

#hydra #blackMarkets #darkWeb #darkWebMarkets #illicitMarkets #takedownOps #cyberOps #cybercrime #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0

Open security and OffSec projects - Negative PID Security research is one of the areas where open source has had the deepest and most complex impact. Tools built openly are used to defend critical

2 days ago

Open security and OffSec projects
negativepid.blog/ope...

#openSource #cyberSecurity #offSec #openSourceProjects #openCode #applications #cyberattacks #cyberThreats #onlineSecurity #negativepid

1 0 0 0

UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer A sophisticated social engineering operation by UNC1069 has led to the compromise of the widely used Axios npm package, raising serious concerns across the JavaScript ecosystem. The attack targeted a member of the Axios project’s maintainer team by masquerading as a legitimate Apache Software Foundation representative, using forged email domains and a fake Jira‑style ticket management system to drive the victim into installing a malicious version of the Axios GitHub Assistant browser extension. Once installed, the extension granted UNC1069 broad access to the maintainer’s GitHub account, enabling them to introduce a malicious update to the Axios package and push the compromised code to npm. The attack chain highlights how trusted communication channels—such as seemingly official emails and project‑related ticketing systems—can be weaponized to bypass technical safeguards. By impersonating Apache staff and leveraging the perceived legitimacy of the GitHub Assistant tool, the threat actors manipulated the maintainer into unintentionally installing a malicious browser extension. The extension then captured the maintainer’s GitHub cookies and session tokens, which allowed UNC1069 to log in, survey the project, and ultimately publish a malicious version of Axios. This incident underscores that even projects with strong code‑review practices are vulnerable when human‑factor controls and identity‑verification steps are overlooked. Although the malicious Axios package was not directly downloaded more than a handful of times, the episode triggered a sharp spike in removals of older Axios releases from the npm registry. This suggests that many developers likely removed the package from projects preemptively to mitigate potential supply‑chain exposure. The fact that the malicious package was quickly removed after detection indicates that npm’s monitoring and incident‑response mechanisms responded promptly; however, the broader damage lies in the erosion of trust and the disruption to downstream projects that depend on Axios. Maintainers and organizations are now forced to revisit their authentication workflows and rethink how they verify communications from partners or foundation staff. A xios has since published a security update and clarified that the malicious package was an isolated, short‑lived incident in the npm registry. The project’s team has emphasized the importance of using multi‑factor authentication, hardening account security, and limiting third‑party extension access to critical accounts. Security teams are also being advised to audit any browser extensions granted to corporate or critical‑project accounts and to treat unsolicited tools or utilities—especially those tied to “official” infrastructure—as potential red flags. Moving forward, the Axios team is expected to tighten collaboration rules with foundations and external organizations to reduce the risk of similar impersonation‑driven attacks. The UNC1069‑Axios incident serves as a stark reminder that software supply‑chain security is only as strong as its weakest human link. Social engineering continues to be a highly effective vector for attackers, especially when paired with technical infrastructure that appears legitimate. For developers and organizations, this event reinforces the need for layered defenses: robust technical safeguards, strict identity‑verification protocols, and continuous security awareness training. As open‑source projects become increasingly central to modern software stacks, protecting maintainers’ accounts and communication channels must be treated with the same urgency as protecting the code itself.

2 days ago

UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer #Axios #CyberAttacks #NPMPackage

1 0 1 0

2rZiKKbOU3nTafniR2qMMSE0gwZ

@2rzikkbou3ntafnir2qmmse0gwz.activitypub.awakari.com.ap.brid.gy

2 days ago

Original post on wired.com

The Hack That Exposed Syria’s Sweeping Security Failures When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state strug...

#Security #Security #/ #National #Security #Security #/ […]

[Original post on wired.com]

0 0 0 0

2rZiKKbOU3nTafniR2qMMSE0gwZ

@2rzikkbou3ntafnir2qmmse0gwz.activitypub.awakari.com.ap.brid.gy

2 days ago

The Hack That Exposed Syria’s Sweeping Security Failures When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.

#Security #Security #/ #National #Security #Security #/ #Cyberattacks #and #Hacks #Security

Origin | Interest | Match

0 0 0 0

Cybersecurity in Germany - Negative PID Germany’s approach to cybersecurity is built on precision, structure, and accountability. As Europe’s largest economy and one of the EU’s most interconnected

3 days ago

Cybersecurity in Germany
negativepid.blog/cyb...

#Germany #Europe #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0

The TJX Data Breach - Negative PID The TJX Companies Inc. data breach of 2007 is one of the largest retail hacks in history. The cyberattack earned its place in cybersecurity history because it

3 days ago

The TJX data breach
negativepid.blog/the...

#TJX #dataBreach #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #dataSecurity #dataPrivacy #onlinePrivacy #negativepid

1 0 1 0

Anonymous: Hacktivism vs. cybercrime - Negative PID When Anonymous first appeared on the global stage, the world didn’t quite know what to make of it. Were they digital freedom fighters? Cybercriminals?

3 days ago

Anonymous: hactivism vs cybercrime
negativepid.blog/ano...

#anonymous #hackers #hackerCollectives #hackerCulture #cyberpunk #hacktivism #cybercrime #Cybersecurity #cyberattacks #behaviouralStudies #socialMedia #onlineForums #identity #negativepid

0 0 0 0

Chaos Computer Club (CCC) - Negative PID From the BBS Underground to the Bundestag, Germany’s Chaos Computer Club Became the World’s Most Respected Hacker Collective.

3 days ago

Chaos Computer Club
negativepid.blog/cha...

#CCC #ChaosComputerClub #hackers #hackerCollectives #Germany #BBS #ethicalHacking
#Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0

@radiohack.bsky.social

3 days ago

When War Goes Digital: Spyware and Cyberattacks in the Iran Conflict https://www.osintinvestigate.com Cyber warfare in the Iran conflict: spyware attacks, hacked hospitals, AI-driven disinformation, and the growing role of digital threats in modern warfare.

📣 New Podcast! "When War Goes Digital: Spyware and Cyberattacks in the Iran Conflict" on @Spreaker #aidisinformation #artificialintelligence #conflict #cyberattack #cyberattacks #cybercriminals #cybersecurity #digital #digitalintelligence #hacker #hackerattack #hackers #hackersattack #iran #war

1 0 0 0

Microsoft Identifies Cookie Driven PHP Web Shells Maintaining Access on Linux Servers Server-side intrusions are experiencing a subtle but consequential shift in their anatomy, where visibility is no longer obscured by complexity, but rather clearly visible. Based on recent findings from Microsoft Defender's Security Research Team, there is evidence of a refined tradecraft gaining traction across Linux environments, in which HTTP cookies are repurposed as covert command channels for PHP-based web shells. HTTP cookies are normally regarded as a benign mechanism for session continuity. It is now possible for attackers to embed execution logic within cookie values rather than relying on overt indicators such as URL parameters or request payloads, enabling remote code execution only under carefully orchestrated conditions. The method suppresses conventional detection signals as well as enabling malicious routines to remain inactive during normal application flows, activating selectively in response to web requests, scheduled cron executions, or trusted background processes during routine application flows. Through PHP's runtime environment, threat actors are effectively able to blur the boundary between legitimate and malicious traffic through the use of native cookie access. This allows them to construct a persistence mechanism, which is both discreet and long-lasting. It is clear that the web shells continue to play a significant role in the evolving threat landscape, especially among Linux servers and containerized workloads, as one of the most effective methods of maintaining unauthorised access. By deploying these lightweight but highly adaptable scripts, attackers can execute system-level commands, navigate file systems, and establish covert networks with minimal friction once they are deployed. These implants often evade detection for long periods of time, quietly embedding themselves within routine processes, causing considerable concern about their operational longevity. A number of sophisticated evasion techniques, including code obfuscation, fileless execution patterns, and small modifications to legitimate application components, are further enhancing this persistence. One undetected web shell can have disproportionate consequences in environments that support critical web applications, facilitating the exfiltration of data, enabling lateral movement across interconnected systems, and, in more severe cases, enabling the deployment of large-scale ransomware. In spite of the consistent execution model across observed intrusions, the practical implementations displayed notable variations in structure, layering, and operational sophistication, suggesting that threat actors are consciously tailoring their tooling according to the various runtime environments where they are deployed. PHP loaders were incorporated with preliminary execution gating mechanisms in advanced instances, which evaluated request context prior to interacting with cookie-provided information. In order to prevent sensitive operations from being exposed in cleartext, core functions were not statically defined at runtime, but were dynamically constructed through arithmetic transformations and string manipulation at runtime. Although initial decoding phases were performed, the payloads avoided revealing immediate intent by embedding an additional layer of obfuscation during execution by gradually assembling functional logic and identifiers. Following the satisfaction of predefined conditions, the script interpreted structured cookie data, segmenting values to determine function calls, file paths, and decoding routines. Whenever necessary, secondary payloads were constructed from encoded fragments, stored at dynamically resolved locations, and executed via controlled inclusion. The separation of deployment, concealment, and activation into discrete phases was accomplished by maintaining a benign appearance in normal traffic conditions. Conversely, lesser complex variants eliminated extensive gating, but retained cookie-driven orchestration as a fundamental principle. This implementation relied on structured cookie inputs to reconstruct operational components, including logic related to file handling and decoding, before conditionally staging secondary payloads and executing them. The relatively straightforward nature of such approaches, however, proved equally effective when it comes to achieving controlled, low-visibility execution, illustrating that even minimally obfuscated techniques can maintain persistence in routine application behavior when embedded. According to the incidents examined, cookie-governed execution takes several distinct yet conceptually aligned forms, all balancing simplicity, stealth, and resilience while maintaining a balance between simplicity, stealth, and resilience. Some variants utilize highly layered loaders that delay execution until a series of runtime validations have been satisfied, after which structured cookie inputs are decoded in order to reassemble and trigger secondary payloads. The more streamlined approach utilizes segmented cookie data directly to assemble functionality such as file operations and decoding routines, conditionally persisting additional payloads before executing. The technique, in its simplest form, is based on a single cookie-based marker, which, when present, activates attacker-defined behaviors, including executing commands or downloading files. These implementations have different levels of complexity, however they share a common operating philosophy that uses obfuscation to suppress static analysis while delegating execution control to externally supplied cookie values, resulting in reduced observable artifacts within conventional requests. At least one observed intrusion involved gaining access to a target Linux environment by utilizing compromised credentials or exploiting a known vulnerability, followed by establishing persistence through the creation of a scheduled cron task after initial access. Invoking a shell routine to generate an obfuscated PHP loader periodically introduced an effective self-reinforcing mechanism that allowed the malicious foothold to continue even when partial remediation had taken place. During routine operations, the loader remains dormant and only activates when crafted HTTP requests containing predefined cookie values trigger the use of a self-healing architecture, which ensures continuity of access. Threat actors can significantly reduce operational noise while ensuring that remote code execution channels remain reliable by decoupling persistence from execution by assigning the former to cron-based reconstitution and the latter to cookie-gated activation. In common with all of these approaches, they minimize interaction surfaces, where obfuscation conceals intent and cookie-driven triggers trigger activity only when certain conditions are met, thereby evading traditional monitoring mechanisms. Microsoft emphasizes the importance of both access control and behavioral monitoring in order to mitigate this type of threat. There are several recommended measures, including implementing multifactor authentication across hosting control panels, SSH end points, and administrative interfaces, examining anomalous authentication patterns, restricting the execution of shell interpreters within web-accessible contexts, and conducting regular audits of cron jobs and scheduled tasks for unauthorized changes. As additional safeguards, hosting control panels will be restricted from initiating shell-level commands or monitoring for irregular file creations within web directories. Collectively, these controls are designed to disrupt both persistence mechanisms as well as covert execution pathways that constitute an increasingly evasive intrusion strategy. A more rigorous and multilayered validation strategy is necessary to confirm full remediation following containment, especially in light of the persistence mechanisms outlined by Microsoft. Changing the remediation equation fundamentally is the existence of self-healing routines that are driven by crons. The removal of visible web shells alone does not guarantee eradication. It is therefore necessary to assume that malicious components may be programmatically reintroduced on an ongoing basis. To complete the comprehensive review, all PHP assets modified during the suspected compromise window will be inspected systematically, going beyond known indicators to identify anomalous patterns consistent with obfuscation techniques in addition to known indicators. The analysis consists of recursive analyses for code segments combining cookie references with decoding functions, detection of dynamically reconstructed function names, fragmented string assembly, and high-entropy strings that indicate attempts to obscure execution logic, as well as detection of high-entropy strings. Taking steps to address the initial intrusion vector is equally important, since, if left unresolved, reinfection remains possible. A range of potential entry points need to be validated and hardened, regardless of whether access was gained via credential compromise, exploitation of a vulnerability that is unpatched, or insecure file handling mechanisms. An examination of authentication logs should reveal irregular access patterns, including logins that originate from atypical geographies and unrecognized IP ranges. In addition, it is necessary to assess application components, particularly file upload functionality, to ensure that execution privileges are appropriately restricted in both the server configuration and directory policies. Parallel to this, retrospective analysis of web server access logs is also a useful method of providing additional assurances, which can be used to identify residual or attempted activations through anomalous cookie patterns, usually long encoded values, or inconsistencies with legitimate session management behavior. Backup integrity introduces another dimension of risk that cannot be overlooked. It is possible that restoration efforts without verification inadvertently reintroduce compromised artifacts buried within archival data. It is therefore recommended that backups-especially those created within a short period of time of the intrusion timeline-be mounted in secure, read-only environments and subjected to the same forensic examination as live systems. The implementation of continuous file integrity monitoring across web-accessible directories is recommended over point-in-time validation, utilizing tools designed to detect unauthorized file creations, modifications, or permission changes in real-time. In cron-based persistence mechanisms, rapid execution cycles can lead to increased exposure, making it essential to have immediate alerting capabilities. This discovery of an isolated cookie-controlled web shell should ultimately not be considered an isolated event, but rather an indication of a wider compromise. The most mature adversaries rarely employ a single access vector, often using multiple fallback mechanisms throughout their environment, such as dormant scripts embedded in less visible directories, database-resident payloads, or modified application components. As a result, effective remediation relies heavily on comprehensive verification and acknowledges that persistence is frequently distributed, adaptive, and purposely designed to withstand partial cleanup attempts. Consequently, the increasing use of covert execution channels and resilient persistence mechanisms emphasizes the importance of embracing proactive defense engineering as an alternative to reactive cleanup. As a precautionary measure, organizations are urged to prioritize runtime visibility, rigorous access governance, and continuous behavioral analysis in order to reduce reliance on signature-based detection alone. It is possible to significantly reduce exposure to low-noise intrusion techniques by implementing hardening practices for applications, implementing least-privilege principles, and integrating anomaly detection across the web and system layers. A similar importance is attached to the institution of regular security audits and incident response readiness, ensuring environments are not only protected, but also verifiably clean. In order to maintain the integrity of modern Linux-based infrastructures, sustained vigilance and layered defensive controls remain essential as adversaries continue to refine methods that blend seamlessly with legitimate operations.

3 days ago

Microsoft Identifies Cookie Driven PHP Web Shells Maintaining Access on Linux Servers #CookieBasedAttacks #CronPersistence #CyberAttacks

0 1 0 0

Capturing traffic with ARP - Negative PID Whenever you walk into a coffee shop or a public place offering a free Wi-Fi connection, someone can capture your unencrypted web traffic through ARP

3 days ago

Capturing traffic with ARP
negativepid.blog/cap...

#ARP #ARPspoofing #hacking #linux #kali #webTraffic #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0

TechTarget Cybersecurity

@ttcybersecurity.bsky.social

4 days ago

News brief: Iran cyberattacks escalate, U.S. targets named | TechTarget Learn how Iran's cyberattacks, including Pay2Key ransomware and hacktivist campaigns, threaten U.S. firms, tech giants and critical infrastructure worldwide.

Weekly news roundup: News brief: Iran #cyberattacks escalate, U.S. targets named https://bit.ly/4vb0PZF

0 0 0 0

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data Credential-stealing operation A massive credential-harvesting campaign was found abusing the React2Shell flaw as an initial infection vector to steal database credentials, shell command history, Amazon Web Services (AWS) secrets, GitHub, Stripe API keys. Cisco Talos has linked the campaign to a threat cluster tracked as UAT-10608. At least 766 hosts around multiple geographic regions and cloud providers have been exploited as part of the operation. About the attack vector According to experts, “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2). The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.” Who are the victims? The campaign targets Next.js instances that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a severe flaw in React Server Components and Next.js App Router that could enable remote code execution for access, and then deploy the NEXUS Listener collection framework. This is achieved by a dropper that continues to play a multi-phase harvesting script that stores various details from the victim system. SSH private keys and authorized_keys JSON-parsed keys and authorized_keys Kubernetes service account tokens Environment variables API keys Docker container configurations Running processes IAM role-associated temporary credentials Attack motive The victims and the indiscriminate targeting pattern are consistent with automated scanning. The key thing in the framework is an application (password-protected) that makes all stolen data public to the user through a geographical user interface that has search functions to browse through the information. The present Nexus Listener version is V3, meaning the tool has gone through significant changes. Talos managed to get data from an unknown NEXUS Listener incident. It had API keys linked with Stripe, AI platforms such as Anthropic, OpenAI, and NVIDIA NIM, communication services such as Brevo and SendGrid, webhook secrets, Telegram bot tokens, GitLab, and GitHub tokens, app secrets, and database connection strings.

4 days ago

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data #AI #Cloud #CyberAttacks

0 0 0 0

Netherlands Ministry of Finance Cyberattack Exposes Gaps in Government Security Defenses A fresh wave of worry now surrounds how well government digital safeguards really hold up, after hackers struck the Dutch Ministry of Finance. Fast response by authorities limited immediate damage - yet the event peeled back layers on long-standing weak spots in public infrastructure security. Though control was regained swiftly, underlying flaws remain exposed. An official report noted signs of intrusion on March 19, targeting systems essential to daily operations in a policy division. Because these systems support central government tasks - instead of secondary ones - the impact carries greater weight. What sets this apart is how deeply embedded the compromised tools are in routine governance work. Early warning came not from within but outside the organization, setting off a chain of internal reviews. Once identified, security units verified unauthorized entry before cutting connections and removing compromised components from service. Fast intervention reduced exposure, yet exposed a deeper issue - detection often waits on others’ signals instead of acting independently. Services visible to the public - like tax, customs, and welfare - are still running normally. Even so, staff members face behind-the-scenes issues due to recent system problems. The degree of disruption inside government operations hasn’t been fully revealed. While probes continue, it remains unclear if private information was seen or taken. To date, nobody has stepped forward claiming they carried out the incident. Far from standing alone, this case fits patterns seen before. Following close behind come multiple digital intrusions targeting organizations throughout the Netherlands. One clear instance hit the Dutch Custodial Institutions Agency - hackers moved through internal networks undetected over several months, pulling out staff information like phone numbers and login codes. Behind that attack lay weak spots in Ivanti Endpoint Manager Mobile, software flaws later found echoing across state entities such as courts and privacy oversight offices. What stands out now is how deep-rooted flaws still go unchecked. Not just detection holes, but reliance on outside parties to spot intrusions shows vulnerability. When systems grow tangled over time - especially within public sector networks - the risk expands quietly. Older setups, slow to adapt, offer openings that skilled adversaries exploit without pause. Past patterns reveal something more troubling: once inside, many never really leave. Officials admit the issue carries weight, yet details remain limited while probes continue. Still, analysts stress openness matters more now - trust hinges on it should private information prove exposed. Beyond the breach itself lies an uncomfortable truth: protecting digital assets within public institutions demands more than software fixes - it hinges on smarter oversight, quicker response loops, early warning signals woven into daily operations, systems built to bend instead of break. Governance fails when firewalls stand alone without institutional awareness backing them up.

4 days ago

Netherlands Ministry of Finance Cyberattack Exposes Gaps in Government Security Defenses #CyberAttacks #CyberBreach #CyberFinance

0 0 0 0

@radiohack.bsky.social

4 days ago

OSINT Briefing April 3, 2026 – Global Security Trends, Cyber Threat Intelligence, and Geopolitical Analysis The episode explores emerging military movements detected through open-source data, the growing impact of disinformation campaigns, and the evolution of hybrid cyber threats targeting supply chains and critical infrastructure. It also highlights how artificial intelligence is transforming OSINT analysis while introducing new verification challenges such as deepfakes. Stay ahead with actionable insights and expert commentary fromhttps://www.osintinvestigate.com

📣 New Podcast! "OSINT Briefing April 3, 2026 – Global Security Trends, Cyber Threat Intelligence, and Geopolitical Analysis" on @Spreaker #cyberattacks #cybercrime #cybersecurity #cyberthreatintelligence #darknet #darkweb #deepfake #geopoliitcs #geopoliticalanalysis #globalsecurity #hacker

0 0 0 0

The TJX Data Breach - Negative PID The TJX Companies Inc. data breach of 2007 is one of the largest retail hacks in history. The cyberattack earned its place in cybersecurity history because it

4 days ago

The TJX data breach
negativepid.blog/the...

#TJX #dataBreach #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #dataSecurity #dataPrivacy #onlinePrivacy #negativepid

0 0 0 0

Eugene McParland 🇺🇦

@eugenemcparland.bsky.social

4 days ago

The EU is suffering a hacking crisis. Here’s what we know. Cyberattacks on EU phones and systems have officials scrambling to keep data secure.

The #EU is suffering a hacking crisis. Here's what we know.

🖊️ Sam Clark and Antoaneta Roussi

#Cyberattacks on EU phones and systems have officials scrambling to keep data secure.

www.politico.eu/article/eu-c...

19 7 1 1