CYFIRMA's latest report delves into a crucial investigation targeting the malicious infrastructure linked to the APT group "Transparent Tribe." Employing open-source intelligence (OSINT), we thoroughly tracked the command-and-control (C2) servers utilized by this persistent threat actor. By leveraging advanced techniques such as JARM fingerprinting…

As the U.S. presidential election in November approaches and the campaigns of former President Trump and Vice President Harris ramp up, hackers from Washington's adversaries are intensifying their efforts to disrupt or influence voting. Among these adversaries, Iran is emerging as an increasingly significant player. Link to the Research Report: IRA…

Critical Alert: Organizations using Apache OFBiz must act now! CVE-2024-38856 presents a severe risk of remote code execution. With millions of users potentially affected globally, immediate action is crucial. This flaw allows unauthenticated users to bypass security restrictions and execute screen rendering code via specially crafted requests thro…

The CYFIRMA research team has examined a variant of the Gomorrah stealer malware, a .NET-based malware that targets a range of sensitive data on infected systems. This report provides a comprehensive analysis of its operational methods and evasion techniques to remain undetected. This information-stealing malware operates within a malware-as-a-serv…

CVE-2024-40725 and CVE-2024-40898 are critical vulnerabilities in Apache’s HTTP Server. CVE-2024-40725 affects the mod_proxy module and enables HTTP Request Smuggling attacks, while CVE-2024-40898 allows authentication bypass due to improper SSL configuration. With widespread exposure, these vulnerabilities pose severe risks globally. Immediate pat…

The CYFIRMA research team presents an analysis of a new malware, the BLX Stealer, also known as XLABB Stealer, which is targeting sensitive data like credentials, browser information, cryptocurrency wallets, and Discord tokens. Actively promoted on Telegram and Discord, this malware can persist through system reboots and even uses Discord Webhook f…

Stay informed with CYFIRMA's Tracking Ransomware-August 2024 Report, highlighting critical shifts in ransomware activities. Emerging groups like RansomHub and Lynx surged, with RansomHub seeing a 57.78% rise in victims and Lynx skyrocketing by 900%. In contrast, established actors like LockBit3 faced a 23.68% decline. The Manufacturing, Finance, an…

The CYFIRMA research team explores a new malware, dubbed "Ailurophile Stealer" that targets sensitive browser data, such as passwords, cookies, and browsing history. Distributed via GitHub, this threat uses advanced tactics like UPX packing and command-and-control communication via Telegram to evade detection. The attackers, likely operating from V…

The rise of Deepfake technology brings both opportunities and challenges. Our new report, Deepfake Defense: Strategic Solutions, explores the complex risks Deepfakes pose to privacy, security, and public trust and offers actionable strategies to defend against them. Discover how we can safeguard society in this new digital age. Read the full report…

The CYFIRMA research team presents an analysis of a new keylogger that uses PowerShell scripts to silently capture sensitive information, such as passwords and credit card details. This sophisticated malware employs techniques, including system discovery, command execution, and encrypted C2 communication. The attackers also use anonymized networks …

Since Israel launched its invasion of Gaza following the October 7 Hamas attack on Israel, Israel, and Hezbollah have also traded blows on the southern border of Lebanon in a low-intensity conflict. Many Israeli officials see full-scale war as inevitable. The situation could quickly change and escalate into a war, inadvertently based on miscalculat…

The CYFIRMA research team provides an analysis of the Mekotio Trojan. Our study uncovers how it conceals its operations, interacts with command-and-control servers, and maintains persistence on infected systems. Check out our full report to gain a better understanding and combat this evolving threat. Link to the Research Report: Analyzing the Mekot…

The CYFIRMA research team presents their latest report! Organizations using Microsoft Windows Wi-Fi Drivers must act now! CVE-2024-30078 presents a severe risk of remote code execution. With billions of Microsoft Windows Wi-Fi Drivers potentially affected globally, immediate action is crucial. Learn more with insights into this vulnerability. Safeg…

The CYFIRMA research team reveals a critical update in the malware landscape: We have recently identified a dropper binary that deploys an information-stealing malware known as "Angry Stealer." This malware is making its rounds on various platforms, including websites and Telegram, where it's being advertised. Angry Stealer is essentially a rebrand…

CYFIRMA research team’s latest report explores the tactics of hacktivists - ransomware variants, stealer logs, and strategic alliances - and examines their motivations; be they geopolitical, financial, cultural, or racial. It also shows how social media is being leveraged for recruitment, coordination, and monetization via theft or extortion, what …

CYFIRMA’s research team have just published a new report on the QWERTY Info Stealer malware. Our analysis reveals how this malware collects and sends sensitive data from infected systems while using advanced techniques to avoid detection. Stay informed about this threat to better protect your data and systems. Link to the Research Report: QWERTY IN…

U.S. water systems deliver safe and affordable drinking water to millions of people, while also supporting agriculture, industry, and power generation. However, this critical infrastructure faces significant challenges from aging facilities, increasing demand, and emerging cyberthreats. Our report outlines the key threats to water infrastructure, t…

Stay informed with CYFIRMA's Tracking Ransomware-July 2024 Report, highlighting the latest cybersecurity trends. RansomHub and LockBit3 have seen significant surges in activity, with LockBit3 experiencing a remarkable 245.5% increase. While the manufacturing sector saw a 10.9% decline, Education faced a staggering 250% rise in attacks. The US conti…

The CYFIRMA research team is actively monitoring the ongoing fallout from the CrowdStrike Blue Screen of Death (BSOD) incident. Our updated report offers a comprehensive analysis of the tactics, techniques, and procedures (TTPs) used by threat actors exploiting this situation. In this updated report, we provide further insights, including a detaile…

CVE-2024-6387 Alert! A critical vulnerability in OpenSSH's server (sshd) allows unauthenticated remote code execution with root access, affecting over 4.8 million internet-exposed instances. This flaw poses a significant risk across various industries and geographies and is being actively exploited in the wild, as confirmed by CISA’s Known Exploite…

The death of Hamas leader Ismail Haniyeh in Tehran, and the announcement of the death of Hamas military wing commander Muhammad Daif on the same day is likely to escalate the ongoing cyberwar as Iran vows revenge. The dire humanitarian situation in Gaza will continue to fuel pro-Palestinian sentiment and inspire further hacktivist action, while the…

Critical Alert: Organizations relying on ServiceNow must act now! CVE-2024-4879 poses a grave risk of remote code execution and unauthorized data access. With extensive global use, swift action is imperative. Attackers exploit Jelly template injections to trigger code execution, risking sensitive data and service disruptions. Update ServiceNow, mon…

The CYFIRMA research team has examined a variant of the Mint Stealer malware and provides a comprehensive analysis of this information-stealing malware operating within a malware-as-a-service (MaaS) framework. Designed to target sensitive data, Mint Stealer employs sophisticated techniques to evade detection. This report explores its evasion tactic…

The Cyfirma research team has investigated the Flame Stealer, which is maintaining a strong presence with predominantly Portuguese speakers. This malware is designed to stealthily extract data from a wide range of sources, including discord tokens, browser cookies, credentials, etc. Flame Stealer employs advanced techniques such as covert data extr…

Our Q2 2024 APT Quarterly Highlights report reveals a surge of dynamic and innovative cyber activities from Iranian, Russian, Chinese, and North Korean APT groups, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats from Iran's Void Manticore and APT42 targeting critical sectors, to Russia's APT28 and …

A critical vulnerability (CVE-2024-24919) with a CVSS score of 8.6 has been discovered in EOL Check Point devices, allowing remote attackers to read arbitrary files. The Hacktivist group "Ghost Clan Malaysia" has shared affected IP addresses worldwide. Upgrade to supported versions and apply necessary hotfixes immediately to protect your data and i…

Braodo Info Stealer, a Python-based malware, is targeting users in Vietnam and several other countries. This sophisticated threat spreads possibly through phishing emails, uses GitHub for hosting malicious code, and exfiltrates stolen data via Telegram channels. Learn more about this emerging threat impacting global cybersecurity. Link to the Resea…

Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware-June 2024 Report. This month's report highlights key trends, including a decrease in ransomware attacks by groups like Play and RansomHub, while Akira and Qilin increased their operations. Discover significant changes in targeted industries, with most se…

Critical Alert: Organizations using PHP in CGI mode must act now! CVE-2024-4577 presents a severe risk of remote code execution. With millions of websites potentially affected globally, immediate action is crucial. Attackers can exploit CGI argument injection to execute arbitrary commands, leading to unauthorized access or server compromise. Update…

The CYFIRMA team has uncovered "Kematian-Stealer," a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources, including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients. Kematian-Stealer employs adv…

This year’s Olympic games come at a heightened moment for international conflict & terrorism. The potential for a jihadi group or individuals inspired by one to take the world’s attention with a potential attack or for Russia to try to embarrass France with acts of sabotage are very high. Link to the Research Report: Paris Olympics - CYFIRMA #Geopo…

Cyfirma research team has examined a variant of Lumma Stealer malware, and this report provides a comprehensive analysis of this advanced information-stealing malware, explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Lumma S…

CYFIRMA's latest investigation reveals how terrorist groups in Kashmir are still exploiting digital platforms to spread propaganda and influence people. Their psychological operations (Psy Ops) aim to manipulate public perception, spread fear, and destabilize the region. Despite a reduction in physical presence, groups like TRF and Kashmir Tigers a…

Stay informed about the latest trends in the ransomware landscape with CYFIRMA's May 2024 Ransomware report. This edition highlights significant increases in ransomware activity, with LockBit3 surging tremendously and Play rising by 10.34%. Incransom's activity doubled, while RansomHub and Medusa also showed notable activity. Manufacturing, real es…

CYFIRMA research team has examined a variant of Vidar Stealer malware, and this in-depth examination explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it describes the use of social media platforms to procure co…

Urgent Alert: Hackers are actively exploiting CVE-2024-3273, a critical vulnerability in D-Link NAS devices, with affected device IP addresses being shared on underground forums. With over 90,000 potentially impacted devices globally and inclusion in CISA's Known Exploited Vulnerabilities list, immediate action is crucial to secure data and prevent…

The notorious Nikki Stealer group has transitioned into the Iluria Stealer group, maintaining a strong presence with a predominantly Portuguese-speaking user base. Both their websites are hosted by Hostinger, and the current owner, as per his Discord bio, claims to be the former CEO of Nikki Stealer. Dynamic analysis reveals that Iluria Stealer has…

Meet Synapse ransomware, the newest digital threat on the block. This latest threat, emerging in February 2024, operates under a Ransomware-as-a-Service model, distributing its malicious payload via the dark web. Our research sheds light on the internal working of this malware. Discover how it selectively avoids encrypting Iranian systems, raising …

Critical Alert: Organizations relying on Tinyproxy must act now! CVE-2023-49606 poses a grave risk of remote code execution. With 1.6M+ servers potentially affected globally; swift action is imperative. Attackers exploit HTTP requests to trigger memory corruption, risking unauthorized access or service disruptions. Update Tinyproxy, monitor for ano…

Our latest report dives into the information stealer SamsStealer, a newly identified information stealer targeting Windows systems. This stealer is written in .NET, is designed to extract sensitive data stealthily from a variety of browsers and applications, including Chrome, Microsoft Edge, Discord, and cryptocurrency wallets. Once it has gathered…

India's Loksabha Elections 2024 hold immense significance, not only for the nation but also for the global democratic landscape. The scale and complexity of the electoral process make it susceptible to cyberattacks, especially with the proliferation of generative AI and deepfake technologies. Link to the Research Report: The Indian Election : The G…

Stay informed about the latest developments in cybersecurity with CYFIRMA's April 2024 Ransomware Report. This edition highlights a shift in the ransomware landscape, with Hunter group now dominating while LockBit's influence declined. The manufacturing sector emerges as a prime target globally, with the USA, Canada, the UK, Germany, and Brazil exp…

CYFIRMA’s Research team embarked on a mission to uncover a targeted attack on Indian defense personnel via WhatsApp Messenger. Suspected to originate from Pakistan, the threat actor deployed malicious Android apps disguised as "MNS NH Contact" and "Posted out off," aiming to gain unauthorized access to sensitive information. Our Investigation revea…

Palo Alto Networks has uncovered CVE-2024-3400, a critical vulnerability exploited by threat actor 'UTA0218' in a sophisticated two-stage attack. This flaw allows unauthorized command execution on vulnerable PAN-OS devices via a backdoor mechanism. Adding to the urgency, CISA has promptly listed CVE-2024-3400 in its Known Exploited Vulnerabilities …

At CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team have identified an open directory listing URLs containing highly obfuscated malicious Windows batch scripts in the wild, which executes a stealthy Monero (XMR) crypto miner as the final payload. This payload…

Cyfirma research team discovered a new information stealer named Fletchen Stealer. It is a sophisticated information-stealing malware, offered by its creator as stealer-as-a-service for free that poses a significant threat to cybersecurity. A potent malware written in Rust which boasts advanced anti-analysis capabilities exhibits a high degree of r…

Our Q1 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups from Iran, Russia, China, and North Korea, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats, with Iranian groups like Homeland Justice and Mint Sandstorm targeting governmental and …

A shadow war between Israel and Iran is escalating, but despite unprecedented attacks, both sides are so far trying to keep the conflict below the level of an all-out-war. Israel has vowed to respond to Iran's unprecedented attack; however, the war cabinet seems to be divided over the issue of retaliation. Political considerations are increasingly …

A critical vulnerability, CVE-2024-21894, has been discovered in Ivanti's Connect Secure and Policy Secure gateways, posing a severe global threat to digital security. CYFIRMA’s research team have conducted a thorough analysis of this vulnerability. Immediate action is strongly advised: apply the latest patches provided by Ivanti to secure your sys…

The most important evolving threat to the electric grids is cyber threats and physical security. The power grid in the US and more so in Europe is experiencing a transformation, as the world shifts to sustainable energy, which entails increased reliance on offshore wind farms and undersea infrastructure that are going to supply large chunks of the …