Topic: indicators of compromise
PlushDaemon Hackers Hijack Software Updates in Supply Chain Attacks
The China-linked hacking group PlushDaemon hijacks legitimate software update channels to deploy custom malware in global cyberespionage campaigns, targeting entities across multiple countries and sectors. Their attack involves compromising routers to install the EdgeStepper implant, which redire...
Cl0p Gang Hits Oracle in Major Data Theft Campaign
The Cl0p ransomware gang exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to exfiltrate data and send extortion emails to victims in August 2025. Oracle issued a security advisory for the vulnerability, which allows unauthenticated remote attackers to execute code vi...
Fortra GoAnywhere Zero-Day Exploited: Critical Flaw CVE-2025-10035
A critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere platform, scoring 10.0 in severity, was exploited in zero-day attacks due to a deserialization flaw, with patches released on September 15, 2025. Evidence shows exploitation began as early as September 10, 2025, giving attackers an ...
Hackers Exploit Gladinet CentreStack Flaw for RCE Attacks
A critical security flaw in Gladinet's CentreStack and Triofox platforms, due to hardcoded AES encryption keys, allows attackers to forge authentication tickets and gain remote code execution on servers. Attackers are actively exploiting this vulnerability, combining it with a known local file in...
Fortra GoAnywhere MFT Zero-Day Actively Exploited
A critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT was exploited for over a week before a patch was released on September 18, 2025, allowing attackers to achieve remote code execution. The flaw, a deserialization vulnerability with a CVSS score of 10.0, enabled threat actors to ...
SystemBC Malware Hijacks VPS Servers as Proxy Gateways
The SystemBC proxy botnet targets vulnerable commercial virtual private servers, maintaining around 1,500 daily compromised systems to route malicious traffic and mask cybercriminal activities. It is widely used by ransomware groups and other threat actors, leveraging unpatched security flaws in ...
Major Cybersecurity Firms Impacted by Salesloft Data Breach
A data breach at Salesloft impacted over 700 organizations, including major cybersecurity firms, by compromising OAuth tokens to access Salesforce databases and Google Workspace accounts. Attackers, identified as UNC6395, targeted AWS access keys, passwords, and Snowflake tokens, posing risks for...
Ransomware Gangs Now Use Shanya EXE Packer to Evade EDR
Cybersecurity threat groups are increasingly using the commercial **Shanya packer service** to encrypt and obfuscate ransomware payloads, making them difficult for traditional security tools to detect and block. The packer's unique, customized output for each customer helps bypass signature-based...
North Korean Hackers Target React2Shell Flaw in EtherRAT Malware
A sophisticated malware implant called EtherRAT exploits the critical React2Shell vulnerability, using Ethereum smart contracts for command-and-control and establishing five persistence mechanisms on Linux systems, with links to North Korean threat actors. The React2Shell vulnerability is a sever...
Russian Hackers Hide Malware in CAPTCHA Tests
Star Blizzard, a Russian state-sponsored hacking group, has escalated cyber-espionage by hiding malware like NoRobot, YesRobot, and MaybeRobot within fake CAPTCHA pages, using social engineering tactics to trick targets into executing harmful code. The group rapidly abandoned its previous LostKey...
Ransomware Hackers Weaponize Velociraptor DFIR Tool
Malicious actors are misusing the Velociraptor digital forensics tool to deploy LockBit and Babuk ransomware, with the Chinese threat group Storm-2603 identified as responsible. Attackers exploited a privilege escalation vulnerability in Velociraptor to maintain persistent access, using technique...
Clop Hackers Use Oracle Zero-Day to Steal Executive Data
Oracle has patched a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite, which hackers exploited to steal sensitive personal data from corporate executives without needing login credentials. The hacking group Clop has been linked to this mass exploitation campaign, sending e...
Sitecore Zero-Day Exploit Actively Attacked (CVE-2025-53690)
A critical zero-day vulnerability (CVE-2025-53690) in Sitecore on-premises deployments is being actively exploited, allowing unauthorized access and remote code execution. Attackers leverage a known sample ASP.NET machine key to exploit ViewState deserialization, enabling them to deploy malware, ...
New Gladinet Triofox Flaw Exploited by Attackers (CVE-2025-12480)
A critical security flaw (CVE-2025-12480) in Gladinet Triofox allows unauthenticated attackers to bypass access controls and gain administrative privileges, which has been exploited by the threat group UNC6485 since late August 2025. Attackers used an HTTP Host header attack to access the configu...
Oracle Quietly Patches Critical Zero-Day Exposed by Hackers
Oracle urgently patched a critical pre-authentication SSRF vulnerability (CVE-2025-61884) in its E-Business Suite after the ShinyHunters group leaked a working exploit, enabling unauthorized access without login credentials. Two separate threat actors, Clop and ShinyHunters, exploited distinct Or...
Cyber Attackers Target Retail Gift Cards with Cloud-Only Tactics
The "Jingle Thief" cyber campaign targets retailers by exploiting cloud environments using stolen credentials from phishing, bypassing traditional malware and endpoint security. Attackers gain access to gift-card systems by manipulating inboxes, enrolling rogue devices, and bypassing multi-factor...
Cisco Hackers Use SNMP Flaw to Install Rootkit on Switches
Cybersecurity experts warn of a serious threat exploiting a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking hardware, allowing attackers with root access to install persistent rootkits. The campaign, named 'Operation Zero Disco', targets Cisco switches li...
ShadowV2 Botnet Exploited AWS Outage in Malware Test
ShadowV2 is a new botnet based on the Mirai framework that compromises IoT devices from brands like D-Link and TP-Link, exploiting at least eight security vulnerabilities to spread. The botnet targets routers, NAS systems, and DVRs globally across sectors including government and technology, and ...