Evasive Masjesu DDoS Botnet Targets IoT Devices The DDoS-capable Masjesu botnet focuses on evasion and persistence, but targets a broad range of IoT devices to spread.

Evasive Masjesu DDoS Botnet Targets IoT Devices

Focused on persistence, the botnet does not engage in widespread infection and avoids blacklisted IPs and critical infrastructure entities.
#Botnet #Iot #CyberAttacks #DDos

www.securityweek.com/evasive-masj...

& stop using #MITM #cyberattacks to stop My writing & steal My data on My property
@jahimes.bsky.social @schumer.senate.gov @klobuchar.senate.gov @kellymorrisonmn.bsky.social
No Trespass is always posted here.
#GTFO My lawn.

Anthropic’s Glasswing project employs Mythos to prevent AI cyberattacks AI models now surpass most humans at finding and exploiting software vulnerabilities, said Anthropic. Read more: Anthropic...

#Enterprise #AI #Anthropic #Claude #cyberattacks #cybersecurity

Origin | Interest | Match

How Stuxnet changed cyberwarfare - Negative PID For a long time, people have thought of the Internet as a completely separate world from reality. It was difficult to conceive that something that happened

How Stuxnet changed cyberwarfare

negativepid.blog/how...

#stuxnet #cyberwarfare #espionage #sabotage #hackers #PPT #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

US warns of Iran-affiliated cyber-attacks on critical infrastructure across country Security agencies say municipalities should watch out for unusual activity, especially in water and energy sectors

US warns of Iran-affiliated cyber-attacks on critical infrastructure across country

Security agencies say
municipalities should watch out for unusual activity, especially in water and energy sectors
#CyberAttacks #Terrorism
www.theguardian.com/world/2026/a...

⚠️ Be aware of common cyberattacks. Knowledge is your first line of defense. #CyberAttacks #Awareness 👉 blog.promise.legal/types-of-cyberattacks-to...

Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn U.S. agencies issued an urgent warning that Iran-linked hackers are disrupting PLC, HMI and SCADA systems at U.S. energy and water facilities, causing losses.

#PumpkinWar #2026 #Cyberattacks #CyberSecurity #War

cyberscoop.com/iranian-hack...

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea GitHub attacked by state-sponsored hackers  Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea.  The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails. Payload execution  Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background.  The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers.  Successful exploit scenario  If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security.  This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported.  The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.” After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host.  Campaign history  According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak.  Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin. 

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea #Cloud #CyberAttacks #Data

Inside Keymous+: An Exclusive Interview - Daily Dark Web Inside Keymous+: An Exclusive Interview Discover the latest security threats and database leaks, including unauthorized VPN access and email breaches, in the cyber underground world.Stay informed abou...

#Keymous+ claimed control of multiple sub-groups, persistent access to health systems across Africa and Asia, and thousands of compromised accounts, framing DDoS as peaceful demonstrations while asserting humanitarian objectives.
#Anonymous
#CyberAttacks
dailydarkweb.net/inside-keymo...

⚠️ Be aware of common cyberattacks. Knowledge is your first line of defense. #CyberAttacks #Awareness 👉 blog.promise.legal/types-of-cyberattacks-to...

What is the Lazarus group? - Negative PID At the beginning of December 2025, some of the members of the Lazarus group were caught on camera while conducting infiltration through a fake-job scheme. But

What is the Lazarus group?

negativepid.blog/wha...

#lazarus #cyberwarfare #organizedCrime #stateSponsoredCrime #cyberUnits #LazarusGroup #hackers #onlineRecruitment #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea a scheduled task to set up persistence read more about DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea reconbee.com/dprk-linked-...

#DPRK #hackers #GitHub #southkorea #multistageattacks #cyberattacks

Awakari App

#Artificial #Intelligence #Computers #and #the #Internet #Cyberattacks #and #Hackers #Computer #Security

Origin | Interest | Match

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation  A man from Armenia now faces trial in the U.S., accused of helping run a major cybercriminal network recently uncovered. On March 23, authorities took Hambardzum Minasyan into custody; later that week, he stood before judges in Austin. Officials there detailed how he supposedly aided the RedLine scheme behind the scenes.   Minasyan faces accusations tied to overseeing parts of a malicious software network, say U.S. justice officials. Hosting setups involving virtual servers - central to directing attacks - are part of what he allegedly handled. Domain registrations connected to RedLine operations were reportedly arranged by him. File-sharing platforms built under his direction may have helped spread the program to users. Control mechanisms behind these actions remain outlined in official claims.  After deployment, RedLine grabs private details like banking records and passwords from compromised devices. This stolen data often ends up traded or misused by online criminals. One key figure, Minasyan, allegedly helped manage core infrastructure alongside others involved. Control dashboards used by partners in the scheme were reportedly maintained through their efforts.   Besides handling infrastructure tasks, Minasyan faces claims he helped run money flows for the network. A digital currency wallet tied to him supposedly managed transactions among members and moved profits from compromised information. Officials report that the team continuously assisted people deploying the malicious software, guiding attack methods while boosting earnings.   Facing several accusations today, Minasyan is charged with using unauthorized access devices, breaking rules under the Computer Fraud and Abuse Act, along with plotting ways to launder money. A guilty verdict might lead to a maximum penalty of three decades behind bars.   A wave of global actions has tightened pressure on RedLine operations. Early in 2024, teams from several countries joined forces - among them officers from the Dutch National Police - to strike key systems powering the malware network. This push formed what officials later called Operation Magnus, a synchronized disruption targeting how the service operated.  Instead of selling outright, its creators let hackers lease access; investigators focused sharply on this rental setup during their work. A federal indictment names Maxim Alexandrovich Rudometov, a citizen of Russia, as central to creating the malicious software. Should he be found guilty, extended penalties may apply due to further allegations tied to his role.  A closer look reveals persistent attempts worldwide to weaken structured hacking groups while targeting central figures for responsibility. Despite challenges, momentum builds as actions cross borders to undermine digital criminal systems.

Armenian Suspect Extradited to US Over Role in RedLine Malware Operation #Armenia #CyberCrime #Cyberattacks

Did you know 38% of #cyberattacks target infrastructure related with remote work, including home devices & #VPNs. Weak security measures expose users to a range of threats, including unauthorized access, interception of communications & theft of sensitive #data. Be safe! Reach out to us for help

The fall of Hydra - Negative PID In April 2022, German authorities announced the takedown of Hydra, the largest and most influential darknet marketplace to have ever operated in the

The fall of Hydra
negativepid.blog/the...

#hydra #blackMarkets #darkWeb #darkWebMarkets #illicitMarkets #takedownOps #cyberOps #cybercrime #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Open security and OffSec projects - Negative PID Security research is one of the areas where open source has had the deepest and most complex impact. Tools built openly are used to defend critical

Open security and OffSec projects
negativepid.blog/ope...

#openSource #cyberSecurity #offSec #openSourceProjects #openCode #applications #cyberattacks #cyberThreats #onlineSecurity #negativepid

Port of Vigo Operations Interrupted by Significant Cyberattack   Upon finding its digital backbone compromised by a calculated act of cyber extortion, the Port of Vigo found itself in the midst of the morning rhythms of one of Spain's most strategically located maritime gateways.  Early in the morning of Tuesday, March 25, 2026, port authority personnel identified that core servers responsible for orchestrating cargo movement and essential digital services had become inaccessible, with their data encrypted as a result of a ransomware attack which effectively immobilized the infrastructure of critical operations.  Despite mounting operational pressure, automated systems gave way to manual coordination, causing a technical disruption that did not end only with a technical disruption. Despite the fact that the attack exhibited the hallmarks of a financially motivated campaign, no threat actor claimed responsibility for the incident, leaving authorities to deal with both immediate logistical implications as well as the broader uncertainty surrounding the incident.  Technology teams at the port responded promptly by severing external network connections to contain the intrusion, whereas leadership maintained a cautious stance, emphasizing that restoration efforts would commence only as soon as system integrity had been established beyond doubt, with no definitive timeline for full recovery.  In light of this, port leadership has taken a cautious approach to restoring the system, emphasizing the importance of security over speed in the recovery process in the context of restoring the systems. According to President Carlos Botana, digital services will remain offline until exhaustive verification procedures have been completed and the integrity of all affected systems has been conclusively established, and that reconnection will only occur once operational environments are considered secure in a clear manner.  The port remains in a contingency-driven, constrained mode due to the absence of a defined recovery timeline. Even though the cyber incident has not affected the physical movement of vessels or cargo through the harbor, it has materially disrupted the orchestration layer underpinning modern port logistics operations.  Due to the lack of integration of digital platforms, core activities such as scheduling, documentation, and interagency coordination have been forced into manual processes. In an effort to maintain continuity of trade flows at critical checkpoints such as the Border Inspection Post, port users and operators are switching to paper-based processes. While these temporary measures have prevented a complete operational standstill from occurring, they have created procedural inefficiencies, extended turnaround times, and added additional stress on personnel, illustrating that resilient digital infrastructure is inextricably linked to contemporary maritime operations. In addition to the operational strain, Vigo Port's strategic and economic significance within the global fisheries ecosystem further exacerbates it.  The port, located on Spain's northern coastal coastline in Galicia, is one of Europe's leading fishing hubs and ranks among the most prominent in terms of shipments of fresh seafood worldwide. There are hundreds of local fishing enterprises that generate multibillion-euro revenues annually, supporting over thousands of direct jobs as well as a global distribution of fleets operating in the South Atlantic, southern Africa, and the Pacific Oceans. Aside from serving as a landing and processing center, the port also serves as an important distribution point, distributing high volumes of perishable goods to European markets and international destinations. Digital systems disrupt tightly synchronized supply chains, resulting in friction across tightly synchronized supply chains requiring precise timing and real-time data exchange, resulting in a disruption that goes beyond localized inconvenience.  Despite the physical availability of vessel traffic and cargo handling infrastructure, the absence of digital coordination layers has fundamentally altered the efficiency of execution. The allocation of berths, customs processing, cargo traceability, and stakeholder communication functions have reverted to manual oversight, which negatively impacts throughput.  It is particularly detrimental that the port is specialized in fresh fish, a product whose viability is acutely time-sensitive, since even marginal delays in documentation or clearance can compress market windows, increase spoilage risk, and result in financial loss. These findings highlight the importance of digital orchestration in maintaining both operational continuity and economic value in modern port environments.  Despite the apparent stabilization of the immediate threat due to containment measures, port authorities have indicated that system restoration will proceed with deliberate caution rather than urgency. Although teams have not been able to give a timeline for reactivating affected servers, they have emphasized that comprehensive security validations must precede any reconnection to operational networks. It has been confirmed by the port leadership that, although the port's physical infrastructure and core maritime services remain functional, digital platforms will not be accessible until all integrity checks have been successfully completed. Following ransomware incidents throughout the industry, there has been an increase in risk-averse recovery strategies.  The rationale behind such prudence is to recognize that premature restoration can inadvertently reintroduce latent threats or expose residual vulnerabilities, compounding the initial compromise by reintroducing latent threats. This incident is a good example of the rapidly evolving threat landscape that critical infrastructure operators must contend with in the digital age.  Cyberattacks are increasingly designed to disrupt operational processes in addition to exfiltrating data. The port by its very nature operates at the intersection of physical logistics and digital coordination, making it particularly susceptible to cascading inefficiencies when either layer is compromised.  Vigo's continued cargo movement under constrained, manual conditions illustrates both operational resilience and systemic fragility, since digital orchestration significantly reduces throughput efficiency and situational awareness in the absence of digital orchestration. It remains the priority of the investigation to secure the restoration of systems, as well as to fully assess the scope and entry vectors of the breach.  As a consequence, the port continues to operate within a limited operational envelope, maintaining trade flows despite lacking the technological infrastructure that normally supports its speed, precision, and global connectivity. With regard to a broader context, the incident at Vigo illustrates the increasing pattern of ransomware attacks targeting maritime and port infrastructure. These sectors are highly operational critical and extremely sensitive to time.  A number of similar disruptions have been observed in ports across multiple geographies over the past few years, demonstrating that threat actors are intentionally focusing on environments in which even brief outages can cause disproportionate economic damage. As is evident from the strategic calculus, ports operate on tightly synchronized schedules, where delays cascade rapidly through supply chains, resulting in increased financial consequences of a disruption in throughput, especially in the case of perishable cargo or just-in-time logistics.  The inherent pressure created by this dynamic increases the coercive leverage of ransomware demands, which, much like attacks against healthcare systems and municipal infrastructure, increases the coercive leverage of ransomware demands. As far as infrastructure resilience is concerned, the Vigo events reinforce a number of critical imperatives.  Even though cargo continues to be transported under constrained conditions, offline fallback mechanisms must be maintained and regularly tested to ensure that they can maintain core functions when no digital systems are available. It is also evident that system isolation demonstrates the importance of robust network segmentation by ensuring intrusions originating within an enterprise IT environment are prevented from propagating into operational technology layers that govern physical processes by achieving rapid containment through system isolation. This initial response highlights the necessity for well-defined and well-rehearsed incident response frameworks that are capable of enabling decisive action in the early stages of compromise when containment remains possible.  In addition, the situation reinforces the widely acknowledged risks associated with ransom payments, in which there is no guarantee that full recovery will be achieved or that future exposure will be mitigated, but instead contribute to the persistence of the threat ecosystem.  Together, these factors demonstrate that resilience in modern port operations cannot be achieved solely through physical capacity, but is increasingly reliant on the maturity and integration of cybersecurity practices across all operational domains, including security operations. When considered in its entirety, the disruption at the Port of Vigo exemplifies both the immediate operational fragility as well as the broader structural risks inherent in digitally dependent maritime infrastructure.  The first ransomware intrusion has evolved into a sustained test of resilience, demonstrating how efficiency, visibility, and coordination in modern port environments are anchored in continuous digital availability, despite the absence of integrated systems.  While physical throughput has been maintained, the degradation of orchestration capabilities has resulted in measurable inefficiencies, highlighting that operational continuity is no longer determined solely by mechanical functioning, but rather by the seamless interaction between logistics execution and information systems.  Despite this, port authorities have adopted a response posture based on a growing institutional recognition that recovery from cybersecurity incidents must be guided by assurance rather than urgency. The leadership has aligned with a doctrine that is increasingly established in incident response by prioritizing exhaustive validation over rapid reinstatement. This doctrine recognizes the risks associated with latent persistence mechanisms and the risk of reinfection if remediation is incomplete.  It is important for infrastructure operators to be aware that this measured stance is taking place in the context of increasing ransomware activity targeting ports and other critical sectors worldwide, in which adversaries exploit the economic sensitivity of time-bound operations to exert pressure and leverage. Consequently, the Vigo incident offers a number of implicit but consequential lessons.  Even though this is not an optimal solution, the ability to return to manual processes has demonstrated the value of maintaining functional continuity pathways outside digital systems. Additionally, the effectiveness of early containment highlights the importance of network architecture that limits lateral movement, particularly between enterprise and operational domains.  A pre-established and well-rehearsed response framework, which reduces decision latency during critical early phases of compromise, is also highlighted by this incident as an operational dividend. Despite the current constrained operating conditions at the port and the ongoing forensic investigations, the priority remains to restore systems with integrity and determine the extent to which the exposures are present.  In a broader sense, the episode is indicative of a shifting reality in which cyber resilience is no longer an additional concern but is becoming a key component of supply chain reliability, economic stability, and trust, as global supply chains become more interconnected.

Port of Vigo Operations Interrupted by Significant Cyberattack #CriticalInfrastructureSecurity #CyberAttacks #MaritimeCyberThreats

UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer   A sophisticated social engineering operation by UNC1069 has led to the compromise of the widely used Axios npm package, raising serious concerns across the JavaScript ecosystem. The attack targeted a member of the Axios project’s maintainer team by masquerading as a legitimate Apache Software Foundation representative, using forged email domains and a fake Jira‑style ticket management system to drive the victim into installing a malicious version of the Axios GitHub Assistant browser extension.  Once installed, the extension granted UNC1069 broad access to the maintainer’s GitHub account, enabling them to introduce a malicious update to the Axios package and push the compromised code to npm. The attack chain highlights how trusted communication channels—such as seemingly official emails and project‑related ticketing systems—can be weaponized to bypass technical safeguards. By impersonating Apache staff and leveraging the perceived legitimacy of the GitHub Assistant tool, the threat actors manipulated the maintainer into unintentionally installing a malicious browser extension.  The extension then captured the maintainer’s GitHub cookies and session tokens, which allowed UNC1069 to log in, survey the project, and ultimately publish a malicious version of Axios. This incident underscores that even projects with strong code‑review practices are vulnerable when human‑factor controls and identity‑verification steps are overlooked. Although the malicious Axios package was not directly downloaded more than a handful of times, the episode triggered a sharp spike in removals of older Axios releases from the npm registry.  This suggests that many developers likely removed the package from projects preemptively to mitigate potential supply‑chain exposure. The fact that the malicious package was quickly removed after detection indicates that npm’s monitoring and incident‑response mechanisms responded promptly; however, the broader damage lies in the erosion of trust and the disruption to downstream projects that depend on Axios. Maintainers and organizations are now forced to revisit their authentication workflows and rethink how they verify communications from partners or foundation staff. A xios has since published a security update and clarified that the malicious package was an isolated, short‑lived incident in the npm registry. The project’s team has emphasized the importance of using multi‑factor authentication, hardening account security, and limiting third‑party extension access to critical accounts. Security teams are also being advised to audit any browser extensions granted to corporate or critical‑project accounts and to treat unsolicited tools or utilities—especially those tied to “official” infrastructure—as potential red flags. Moving forward, the Axios team is expected to tighten collaboration rules with foundations and external organizations to reduce the risk of similar impersonation‑driven attacks.  The UNC1069‑Axios incident serves as a stark reminder that software supply‑chain security is only as strong as its weakest human link. Social engineering continues to be a highly effective vector for attackers, especially when paired with technical infrastructure that appears legitimate. For developers and organizations, this event reinforces the need for layered defenses: robust technical safeguards, strict identity‑verification protocols, and continuous security awareness training. As open‑source projects become increasingly central to modern software stacks, protecting maintainers’ accounts and communication channels must be treated with the same urgency as protecting the code itself.

UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer #Axios #CyberAttacks #NPMPackage

The Hack That Exposed Syria’s Sweeping Security Failures When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.

#Security #Security #/ #National #Security #Security #/ #Cyberattacks #and #Hacks #Security

Origin | Interest | Match

Original post on wired.com

The Hack That Exposed Syria’s Sweeping Security Failures When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state strug...

#Security #Security #/ #National #Security #Security #/ […]

[Original post on wired.com]

Cybersecurity in Germany - Negative PID Germany’s approach to cybersecurity is built on precision, structure, and accountability. As Europe’s largest economy and one of the EU’s most interconnected

Cybersecurity in Germany
negativepid.blog/cyb...

#Germany #Europe #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

The TJX Data Breach - Negative PID The TJX Companies Inc. data breach of 2007 is one of the largest retail hacks in history. The cyberattack earned its place in cybersecurity history because it

The TJX data breach
negativepid.blog/the...

#TJX #dataBreach #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #dataSecurity #dataPrivacy #onlinePrivacy #negativepid

Anonymous: Hacktivism vs. cybercrime - Negative PID When Anonymous first appeared on the global stage, the world didn’t quite know what to make of it. Were they digital freedom fighters? Cybercriminals?

Anonymous: hactivism vs cybercrime
negativepid.blog/ano...

#anonymous #hackers #hackerCollectives #hackerCulture #cyberpunk #hacktivism #cybercrime #Cybersecurity #cyberattacks #behaviouralStudies #socialMedia #onlineForums #identity #negativepid

Chaos Computer Club (CCC) - Negative PID From the BBS Underground to the Bundestag, Germany’s Chaos Computer Club Became the World’s Most Respected Hacker Collective. 

Chaos Computer Club
negativepid.blog/cha...

#CCC #ChaosComputerClub #hackers #hackerCollectives #Germany #BBS #ethicalHacking
#Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

When War Goes Digital: Spyware and Cyberattacks in the Iran Conflict https://www.osintinvestigate.com Cyber warfare in the Iran conflict: spyware attacks, hacked hospitals, AI-driven disinformation, and the growing role of digital threats in modern warfare.

📣 New Podcast! "When War Goes Digital: Spyware and Cyberattacks in the Iran Conflict" on @Spreaker #aidisinformation #artificialintelligence #conflict #cyberattack #cyberattacks #cybercriminals #cybersecurity #digital #digitalintelligence #hacker #hackerattack #hackers #hackersattack #iran #war

Microsoft Identifies Cookie Driven PHP Web Shells Maintaining Access on Linux Servers   Server-side intrusions are experiencing a subtle but consequential shift in their anatomy, where visibility is no longer obscured by complexity, but rather clearly visible. Based on recent findings from Microsoft Defender's Security Research Team, there is evidence of a refined tradecraft gaining traction across Linux environments, in which HTTP cookies are repurposed as covert command channels for PHP-based web shells.  HTTP cookies are normally regarded as a benign mechanism for session continuity. It is now possible for attackers to embed execution logic within cookie values rather than relying on overt indicators such as URL parameters or request payloads, enabling remote code execution only under carefully orchestrated conditions.  The method suppresses conventional detection signals as well as enabling malicious routines to remain inactive during normal application flows, activating selectively in response to web requests, scheduled cron executions, or trusted background processes during routine application flows.  Through PHP's runtime environment, threat actors are effectively able to blur the boundary between legitimate and malicious traffic through the use of native cookie access. This allows them to construct a persistence mechanism, which is both discreet and long-lasting. It is clear that the web shells continue to play a significant role in the evolving threat landscape, especially among Linux servers and containerized workloads, as one of the most effective methods of maintaining unauthorised access.  By deploying these lightweight but highly adaptable scripts, attackers can execute system-level commands, navigate file systems, and establish covert networks with minimal friction once they are deployed. These implants often evade detection for long periods of time, quietly embedding themselves within routine processes, causing considerable concern about their operational longevity.  A number of sophisticated evasion techniques, including code obfuscation, fileless execution patterns, and small modifications to legitimate application components, are further enhancing this persistence. One undetected web shell can have disproportionate consequences in environments that support critical web applications, facilitating the exfiltration of data, enabling lateral movement across interconnected systems, and, in more severe cases, enabling the deployment of large-scale ransomware.  In spite of the consistent execution model across observed intrusions, the practical implementations displayed notable variations in structure, layering, and operational sophistication, suggesting that threat actors are consciously tailoring their tooling according to the various runtime environments where they are deployed.  PHP loaders were incorporated with preliminary execution gating mechanisms in advanced instances, which evaluated request context prior to interacting with cookie-provided information. In order to prevent sensitive operations from being exposed in cleartext, core functions were not statically defined at runtime, but were dynamically constructed through arithmetic transformations and string manipulation at runtime. Although initial decoding phases were performed, the payloads avoided revealing immediate intent by embedding an additional layer of obfuscation during execution by gradually assembling functional logic and identifiers. Following the satisfaction of predefined conditions, the script interpreted structured cookie data, segmenting values to determine function calls, file paths, and decoding routines. Whenever necessary, secondary payloads were constructed from encoded fragments, stored at dynamically resolved locations, and executed via controlled inclusion. The separation of deployment, concealment, and activation into discrete phases was accomplished by maintaining a benign appearance in normal traffic conditions.  Conversely, lesser complex variants eliminated extensive gating, but retained cookie-driven orchestration as a fundamental principle. This implementation relied on structured cookie inputs to reconstruct operational components, including logic related to file handling and decoding, before conditionally staging secondary payloads and executing them.  The relatively straightforward nature of such approaches, however, proved equally effective when it comes to achieving controlled, low-visibility execution, illustrating that even minimally obfuscated techniques can maintain persistence in routine application behavior when embedded. According to the incidents examined, cookie-governed execution takes several distinct yet conceptually aligned forms, all balancing simplicity, stealth, and resilience while maintaining a balance between simplicity, stealth, and resilience. Some variants utilize highly layered loaders that delay execution until a series of runtime validations have been satisfied, after which structured cookie inputs are decoded in order to reassemble and trigger secondary payloads.  The more streamlined approach utilizes segmented cookie data directly to assemble functionality such as file operations and decoding routines, conditionally persisting additional payloads before executing. The technique, in its simplest form, is based on a single cookie-based marker, which, when present, activates attacker-defined behaviors, including executing commands or downloading files. These implementations have different levels of complexity, however they share a common operating philosophy that uses obfuscation to suppress static analysis while delegating execution control to externally supplied cookie values, resulting in reduced observable artifacts within conventional requests.  At least one observed intrusion involved gaining access to a target Linux environment by utilizing compromised credentials or exploiting a known vulnerability, followed by establishing persistence through the creation of a scheduled cron task after initial access. Invoking a shell routine to generate an obfuscated PHP loader periodically introduced an effective self-reinforcing mechanism that allowed the malicious foothold to continue even when partial remediation had taken place.  During routine operations, the loader remains dormant and only activates when crafted HTTP requests containing predefined cookie values trigger the use of a self-healing architecture, which ensures continuity of access. Threat actors can significantly reduce operational noise while ensuring that remote code execution channels remain reliable by decoupling persistence from execution by assigning the former to cron-based reconstitution and the latter to cookie-gated activation. In common with all of these approaches, they minimize interaction surfaces, where obfuscation conceals intent and cookie-driven triggers trigger activity only when certain conditions are met, thereby evading traditional monitoring mechanisms.  Microsoft emphasizes the importance of both access control and behavioral monitoring in order to mitigate this type of threat. There are several recommended measures, including implementing multifactor authentication across hosting control panels, SSH end points, and administrative interfaces, examining anomalous authentication patterns, restricting the execution of shell interpreters within web-accessible contexts, and conducting regular audits of cron jobs and scheduled tasks for unauthorized changes.  As additional safeguards, hosting control panels will be restricted from initiating shell-level commands or monitoring for irregular file creations within web directories. Collectively, these controls are designed to disrupt both persistence mechanisms as well as covert execution pathways that constitute an increasingly evasive intrusion strategy.  A more rigorous and multilayered validation strategy is necessary to confirm full remediation following containment, especially in light of the persistence mechanisms outlined by Microsoft. Changing the remediation equation fundamentally is the existence of self-healing routines that are driven by crons.  The removal of visible web shells alone does not guarantee eradication. It is therefore necessary to assume that malicious components may be programmatically reintroduced on an ongoing basis. To complete the comprehensive review, all PHP assets modified during the suspected compromise window will be inspected systematically, going beyond known indicators to identify anomalous patterns consistent with obfuscation techniques in addition to known indicators. The analysis consists of recursive analyses for code segments combining cookie references with decoding functions, detection of dynamically reconstructed function names, fragmented string assembly, and high-entropy strings that indicate attempts to obscure execution logic, as well as detection of high-entropy strings.  Taking steps to address the initial intrusion vector is equally important, since, if left unresolved, reinfection remains possible. A range of potential entry points need to be validated and hardened, regardless of whether access was gained via credential compromise, exploitation of a vulnerability that is unpatched, or insecure file handling mechanisms.  An examination of authentication logs should reveal irregular access patterns, including logins that originate from atypical geographies and unrecognized IP ranges. In addition, it is necessary to assess application components, particularly file upload functionality, to ensure that execution privileges are appropriately restricted in both the server configuration and directory policies.  Parallel to this, retrospective analysis of web server access logs is also a useful method of providing additional assurances, which can be used to identify residual or attempted activations through anomalous cookie patterns, usually long encoded values, or inconsistencies with legitimate session management behavior. Backup integrity introduces another dimension of risk that cannot be overlooked.  It is possible that restoration efforts without verification inadvertently reintroduce compromised artifacts buried within archival data. It is therefore recommended that backups-especially those created within a short period of time of the intrusion timeline-be mounted in secure, read-only environments and subjected to the same forensic examination as live systems.  The implementation of continuous file integrity monitoring across web-accessible directories is recommended over point-in-time validation, utilizing tools designed to detect unauthorized file creations, modifications, or permission changes in real-time.  In cron-based persistence mechanisms, rapid execution cycles can lead to increased exposure, making it essential to have immediate alerting capabilities. This discovery of an isolated cookie-controlled web shell should ultimately not be considered an isolated event, but rather an indication of a wider compromise. The most mature adversaries rarely employ a single access vector, often using multiple fallback mechanisms throughout their environment, such as dormant scripts embedded in less visible directories, database-resident payloads, or modified application components. As a result, effective remediation relies heavily on comprehensive verification and acknowledges that persistence is frequently distributed, adaptive, and purposely designed to withstand partial cleanup attempts.  Consequently, the increasing use of covert execution channels and resilient persistence mechanisms emphasizes the importance of embracing proactive defense engineering as an alternative to reactive cleanup. As a precautionary measure, organizations are urged to prioritize runtime visibility, rigorous access governance, and continuous behavioral analysis in order to reduce reliance on signature-based detection alone. It is possible to significantly reduce exposure to low-noise intrusion techniques by implementing hardening practices for applications, implementing least-privilege principles, and integrating anomaly detection across the web and system layers. A similar importance is attached to the institution of regular security audits and incident response readiness, ensuring environments are not only protected, but also verifiably clean. In order to maintain the integrity of modern Linux-based infrastructures, sustained vigilance and layered defensive controls remain essential as adversaries continue to refine methods that blend seamlessly with legitimate operations.

Microsoft Identifies Cookie Driven PHP Web Shells Maintaining Access on Linux Servers #CookieBasedAttacks #CronPersistence #CyberAttacks

Capturing traffic with ARP - Negative PID Whenever you walk into a coffee shop or a public place offering a free Wi-Fi connection, someone can capture your unencrypted web traffic through ARP

Capturing traffic with ARP
negativepid.blog/cap...

#ARP #ARPspoofing #hacking #linux #kali #webTraffic #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

News brief: Iran cyberattacks escalate, U.S. targets named | TechTarget Learn how Iran's cyberattacks, including Pay2Key ransomware and hacktivist campaigns, threaten U.S. firms, tech giants and critical infrastructure worldwide.

Weekly news roundup: News brief: Iran #cyberattacks escalate, U.S. targets named https://bit.ly/4vb0PZF

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data Credential-stealing operation A massive credential-harvesting campaign was found abusing the React2Shell flaw as an initial infection vector to steal database credentials, shell command history, Amazon Web Services (AWS) secrets, GitHub, Stripe API keys.  Cisco Talos has linked the campaign to a threat cluster tracked as UAT-10608. At least 766 hosts around multiple geographic regions and cloud providers have been exploited as part of the operation.  About the attack vector According to experts, “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2). The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.” Who are the victims? The campaign targets Next.js instances that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a severe flaw in React Server Components and Next.js App Router that could enable remote code execution for access, and then deploy the NEXUS Listener collection framework. This is achieved by a dropper that continues to play a multi-phase harvesting script that stores various details from the victim system.  SSH private keys and authorized_keys JSON-parsed keys and authorized_keys Kubernetes service account tokens Environment variables API keys Docker container configurations  Running processes IAM role-associated temporary credentials Attack motive The victims and the indiscriminate targeting pattern are consistent with automated scanning. The key thing in the framework is an application (password-protected) that makes all stolen data public to the user through a geographical user interface that has search functions to browse through the information. The present Nexus Listener version is V3, meaning the tool has gone through significant changes. Talos managed to get data from an unknown NEXUS Listener incident. It had API keys linked with Stripe, AI platforms such as Anthropic, OpenAI, and NVIDIA NIM, communication services such as Brevo and SendGrid, webhook secrets, Telegram bot tokens, GitLab, and GitHub tokens, app secrets, and database connection strings. 

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data #AI #Cloud #CyberAttacks