<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>DFIR Radar</title>
    <link>https://x.com/DFIR_Radar</link>
    <description>Keeping DFIR Intelligence on your Radar. The best DFIR research from hundreds of sources, filtered for relevance.</description>
    <language>en</language>
    <lastBuildDate>Wed, 22 Apr 2026 17:04:10 +0000</lastBuildDate>
    <atom:link href="https://falhumaid.github.io/DFIR_Radar_RSS/rss.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>Three lessons from DarkSword: inside a government-grade iPhone exploit kit</title>
      <link>https://www.jamf.com/blog/darksword-ios-exploit-kit-three-lessons-mobile-security/</link>
      <description>DarkSword iOS exploit kit leak exposes government-grade Safari exploitation framework targeting iOS 18.4-18.6.2. Source code reveals debugging artifacts, cryptocurrency theft targeting, and industrial-scale engineering behind nation-state mobile attacks.

Key technical details:
• Achieves one-click RCE with sandbox escape on unpatched devices (updates after Sept 15, 2025 required)
• Implements addrof/fakeobj primitives, disables garbage collector, performs 100-step mitigation bypass
• Supports 28 iPhone models across 156 firmware combinations with automated offset management
• Contains legacy XNU 23 offsets indicating iOS 17 support and commented "Sandworm" kernel exploit

Attack methodology:
• Targets cryptocurrency apps including Coinbase, Binance, and Nicegram Telegram client
• Russian 🇷🇺 language comments in deployment code, discovered on Ukrainian 🇺🇦 infrastructure
• Development version leaked with unobfuscated JavaScript and extensive debug logging
• Demonstrates &lt;50% success rate in testing, uses retry mechanisms for reliability

DFIR implications:
• Production spyware now accessible to amateur operators due to unencrypted source leak
• Debug artifacts in iOS unified logs and JavaScript console provide forensic evidence
• Financial motivation contradicts law enforcement claims of commercial spyware vendors

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046998506145993139</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046998506145993139">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 17:04:10 +0000</pubDate>
      <guid isPermaLink="false">2046998506145993139</guid>
    </item>
    <item>
      <title>Fun With volshell</title>
      <link>https://righteousit.com/2026/04/22/fun-with-volshell/</link>
      <description>New volshell technique eliminates Volatility startup overhead when running multiple plugins on the same memory image. Uses the dpo() method to execute plugins interactively, avoiding the re-parsing cost on each run.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046983274271055951</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2046983274271055951">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 16:03:38 +0000</pubDate>
      <guid isPermaLink="false">2046983274271055951</guid>
    </item>
    <item>
      <title>Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting</title>
      <link>https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/</link>
      <description>Exposed server reveals Bissa Scanner: AI-assisted mass exploitation platform using Claude and OpenClaw to automate victim targeting, credential harvesting, and attack orchestration across multiple organizations.

Key technical details:
• Modular platform integrates AI tools directly into exploitation workflow for troubleshooting and pipeline refinement
• Large-scale multi-victim operation with automated collection capabilities
• Server exposure provided rare visibility into attacker infrastructure and methodologies
• AI assistance enables scalable attack orchestration beyond traditional manual operations

DFIR artifacts:
• Exposed server contained operational logs showing AI integration patterns
• Evidence of automated credential harvesting workflows across victim networks
• Attack pipeline artifacts demonstrate systematic multi-target approach
• Infrastructure footprints reveal scope of compromise operations

This represents an evolution toward AI-augmented threat actors using LLMs for operational efficiency and scale. Hunt for automated scanning patterns, credential extraction tools, and unusual API calls to AI services in network logs.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046968204111888872</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046968204111888872">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 15:03:46 +0000</pubDate>
      <guid isPermaLink="false">2046968204111888872</guid>
    </item>
    <item>
      <title>The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation</title>
      <link>https://www.elastic.co/security-labs/llm-reversing-vs-llm-obfuscation</link>
      <description>New research shows LLM-driven reverse engineering can defeat most standard obfuscation but becomes prohibitively expensive with multi-layered transforms.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046953090100678884</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046953090100678884">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 14:03:42 +0000</pubDate>
      <guid isPermaLink="false">2046953090100678884</guid>
    </item>
    <item>
      <title>Malicious trading website drops malware that hands your browser to attackers</title>
      <link>https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers</link>
      <description>New Needle Stealer campaign masquerades as AI trading tool "TradingClaw" to deliver modular Golang infostealer with malicious browser extensions that intercept downloads, inject scripts, and hijack cryptocurrency wallets.

Technical breakdown:
• Initial infection via fake tradingclaw[.]pro site using DLL hijacking (iviewers.dll) → process hollowing into RegAsm.exe
• Modular stealer targets browsers, crypto wallets (MetaMask, Coinbase, Ledger), Telegram, with form grabbing and clipboard hijacking
• Drops malicious browser extensions in %LOCALAPPDATA%\Packages\Extensions with full browser control capabilities
• Extensions intercept downloads, replace legitimate files with malware, inject scripts into web pages (T1185, T1055.012)
• C2 communication via multiple endpoints: /upload, /extension, /scripts, /backup-domains/active

Key artifacts:
• RegAsm.exe with network connections and Golang parent process
• Suspicious extensions with permissions for "all_urls", tabs, storage, scripting
• Config files: base.zip/meta.zip containing cfg.json with C2 URLs

Hunt for unsigned DLLs named iviewers.dll and RegAsm.exe network activity to domains coretest[.]digital, reisen[.]work. Full IOC list with hashes and C2 IPs available.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046938116649537879</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046938116649537879">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 13:04:12 +0000</pubDate>
      <guid isPermaLink="false">2046938116649537879</guid>
    </item>
    <item>
      <title>New GoGra malware for Linux uses Microsoft Graph API for comms</title>
      <link>https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-uses-microsoft-graph-api-for-comms/</link>
      <description>New Linux GoGra backdoor from state-backed Harvester APT uses Microsoft Graph API and Outlook "Zomato Pizza" folder for C2 communications. Malware checks inbox every 2 seconds for AES-encrypted commands and deletes evidence post-execution.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046907852401353187</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046907852401353187">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 11:03:57 +0000</pubDate>
      <guid isPermaLink="false">2046907852401353187</guid>
    </item>
    <item>
      <title>IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist</title>
      <link>https://blog.talosintelligence.com/ir-trends-q1-2026/</link>
      <description>Phishing returns as top initial access vector in Q1 2026, accounting for 35% of cases while targeting public administration and healthcare.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046892403089711448</description>
      <category>INCIDENT RESPONSE</category>
      <source url="https://x.com/DFIR_Radar/status/2046892403089711448">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 10:02:33 +0000</pubDate>
      <guid isPermaLink="false">2046892403089711448</guid>
    </item>
    <item>
      <title>Threat hunting with YARA-X: a practical guide to the new standard</title>
      <link>https://andreafortuna.org/2026/04/22/threat-hunting-yara-x/</link>
      <description>YARA-X 1.0.0 stable delivers 5-10x performance gains on complex regex rules and loops while maintaining 99% compatibility with existing YARA rules. New modules for .NET, macOS Mach-O, and LNK files expand threat hunting capabilities.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046877592150520155</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2046877592150520155">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 09:03:42 +0000</pubDate>
      <guid isPermaLink="false">2046877592150520155</guid>
    </item>
    <item>
      <title>Venezuela energy sector targeted by highly destructive Lotus wiper</title>
      <link>https://securityaffairs.com/191106/malware/venezuela-energy-sector-targeted-by-highly-destructive-lotus-wiper.html</link>
      <description>Lotus Wiper devastates Venezuelan 🇻🇪 energy sector with coordinated multi-stage destruction campaign. Kaspersky analysis reveals attackers spent months preparing targeted infrastructure attack, disabling defenses before deploying custom wiper that left systems unrecoverable.

Key technical details:
• Initial vector: OhSyncNow.bat checks specific folders/shares, uses hidden XML trigger for execution coordination
• Defense evasion: Disables user accounts, forces logoffs, blocks cached logins, shuts down network interfaces (T1529, T1562)
• Destruction phase: diskpart clean all overwrites volumes, FindFirstVolumeW/FindNextVolumeW enumerate targets for systematic wiping
• Anti-forensics: Fills remaining disk space with large files, removes Windows restore points, clears system logs and update journals
• Timeline: Wiper compiled September 2025, uploaded December 2025, indicating months of preparation

No ransom demand confirms purely destructive intent targeting critical infrastructure. Attackers had domain compromise and environment knowledge before deployment.

Monitor NETLOGON shares for unauthorized changes, watch for unusual fsutil/robocopy/diskpart usage, and implement robust offline backup testing.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046862533924188418</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046862533924188418">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 08:03:52 +0000</pubDate>
      <guid isPermaLink="false">2046862533924188418</guid>
    </item>
    <item>
      <title>New NGate variant hides in a trojanized NFC payment app</title>
      <link>https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/</link>
      <description>ESET discovers new NGate variant trojanizing legitimate HandyPay NFC app with AI-generated malicious code. Brazilian 🇧🇷 users targeted through fake lottery and Google Play sites for NFC payment card fraud since November 2025.

Key technical details:
• Targets HandyPay (legitimate NFC relay app) instead of NFCGate, patched with code showing AI-generated characteristics (emojis in logs typical of LLM output)
• Two distribution vectors: fake Rio de Prêmios lottery site and phishing Google Play page for "Proteção Cartão" app
• Steals payment card PINs via GUI input capture (T1417.002) and exfiltrates over HTTP to 108[.]165[.]230[.]223
• Relays NFC data to attacker-controlled devices for ATM cash-outs and unauthorized contactless payments
• Uses hardcoded email addresses to route all NFC traffic exclusively to threat actors

Attack methodology:
• Victims manually install trojanized app outside Google Play after "winning" fake lottery
• App requests default payment app status but doesn't require additional permissions
• Captures PIN input and NFC card data when victim taps card to phone
• Data forwarded through HandyPay infrastructure plus separate HTTP exfiltration channel

Hunt for HandyPay installations from non-Play Store sources and monitor HTTP traffic to protecaocart[.]com domain. Full IOCs available in ESET's GitHub repository.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046832171126518119</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046832171126518119">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 06:03:13 +0000</pubDate>
      <guid isPermaLink="false">2046832171126518119</guid>
    </item>
    <item>
      <title>Nightmare-Eclipse Tooling Seen in Real-World Intrusion</title>
      <link>https://www.huntress.com/blog/nightmare-eclipse-intrusion</link>
      <description>Huntress observes live deployment of Nightmare-Eclipse tools (BlueHammer, RedSun, UnDefend) following FortiGate VPN compromise. Attack chain includes reconnaissance and tunneling activity.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046817109267853662</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046817109267853662">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 05:03:21 +0000</pubDate>
      <guid isPermaLink="false">2046817109267853662</guid>
    </item>
    <item>
      <title>SSRF Server-Side Request Forgery: Server Ko Apna Agent Banao, Internal Network Explore Karo!</title>
      <link>https://infosecwriteups.com/ssrf-server-side-request-forgery-server-ko-apna-agent-banao-internal-network-explore-karo-4b48abb86e34?source=rss----7b722bfd1b8d---4</link>
      <description>New SSRF exploitation guide covers AWS/GCP/Azure metadata attacks, bypass techniques using IP encoding and DNS rebinding, and SSRF-to-RCE chains via Redis and Docker APIs. Includes automated testing workflow with Interactsh and SSRFmap.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046802154095096114</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046802154095096114">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 04:03:56 +0000</pubDate>
      <guid isPermaLink="false">2046802154095096114</guid>
    </item>
    <item>
      <title>The Gentlemen Ransomware Expands With Rapid Affiliate Growth</title>
      <link>https://www.infosecurity-magazine.com/news/gentlemen-ransomware-rapid/</link>
      <description>The Gentlemen RaaS operation claims 320+ victims since early 2026, using Go-based cross-platform encryptors and SystemBC proxy malware.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046786837964874109</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046786837964874109">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 03:03:04 +0000</pubDate>
      <guid isPermaLink="false">2046786837964874109</guid>
    </item>
    <item>
      <title>A .WAV With A Payload, (Tue, Apr 21st)</title>
      <link>https://isc.sans.edu/diary/rss/32910</link>
      <description>New campaign hides BASE64-encoded XOR'd PE payloads inside .wav audio files. Files play as noise while containing executable malware that bypasses traditional detection. SANS demonstrates extraction using standard tools.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046771854166089840</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046771854166089840">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 02:03:32 +0000</pubDate>
      <guid isPermaLink="false">2046771854166089840</guid>
    </item>
    <item>
      <title>[Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd)</title>
      <link>https://isc.sans.edu/diary/rss/32888</link>
      <description>Honeypot analysis reveals sophisticated attack chain combining cryptomining reconnaissance with Telegram session theft. Threat actors now prioritize persistent credential access over simple resource hijacking.

Key technical findings:
• Attack began via weak SSH credentials, followed by system enumeration (ifconfig, uname -a, /proc/cpuinfo)
• Threat actor searched for competing miners using `ps | grep '[Mm]iner'` before deployment
• Primary target: Telegram Desktop tdata directory containing authentication tokens
• Secondary reconnaissance: modem devices (/dev/ttyGSM*, /dev/ttyUSB-mod*) for SMS 2FA bypass
• Session theft bypasses 2FA - copying tdata folder grants immediate account access on any system

Attack progression follows clear MITRE ATT&amp;CK chain:
• T1110.001 (credential brute force) → T1082/T1083 (system discovery) → T1555/T1005 (credential harvesting) → T1078 (valid accounts)

Critical artifacts for detection:
• File access attempts to ~/.local/share/TelegramDesktop/tdata
• Process enumeration with miner-specific regex patterns
• Modem device enumeration indicating 2FA bypass preparation
• Unusual directory traversal with wildcard searches (/home/*/...)

Monitor for tdata directory access, implement file integrity monitoring on Telegram session folders, and audit active Telegram sessions regularly in Privacy &amp; Security settings.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046757339647164780</description>
      <category>INCIDENT RESPONSE</category>
      <source url="https://x.com/DFIR_Radar/status/2046757339647164780">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 01:05:52 +0000</pubDate>
      <guid isPermaLink="false">2046757339647164780</guid>
    </item>
    <item>
      <title>CVE-2026-38526 in Krayin CRM Enables RCE</title>
      <link>https://socradar.io/blog/cve-2026-38526-krayin-crm-rce/</link>
      <description>CVE-2026-38526 (CVSS 9.9) in Krayin CRM v2.2.x allows authenticated RCE via TinyMCE file upload. PoC circulating on Dark Web with Shodan dork targeting exposed instances. Disable PHP execution in upload directories immediately.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046741679596835063</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046741679596835063">DFIR Radar</source>
      <pubDate>Wed, 22 Apr 2026 00:03:38 +0000</pubDate>
      <guid isPermaLink="false">2046741679596835063</guid>
    </item>
    <item>
      <title>Some notes on the security properties of the pipe_buffer kernel object</title>
      <link>https://a13xp0p0v.tech/2026/04/20/pipe-buffer-experiments.html</link>
      <description>New Linux kernel pipe_buffer exploitation techniques revealed: 1024+ pipe limit triggers soft quota at 16384 pages, cached page pointers in tmp_page enable repeated AARW, and closing corrupted pipes can return arbitrary pages to allocator for r...

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046726645088919957</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2046726645088919957">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 23:03:53 +0000</pubDate>
      <guid isPermaLink="false">2046726645088919957</guid>
    </item>
    <item>
      <title>The Vercel Breach Explains Why Identity Attack Path Management Can’t Wait</title>
      <link>https://specterops.io/blog/2026/04/21/the-vercel-breach-explains-why-identity-attack-path-management-cant-wait/</link>
      <description>Vercel breach shows how compromised AI tool (Context.ai) became attack path via OAuth token to corporate Google Workspace. Attacker moved laterally with "surprising velocity" after employee granted "Allow All" permissions.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046711267193184278</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046711267193184278">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 22:02:47 +0000</pubDate>
      <guid isPermaLink="false">2046711267193184278</guid>
    </item>
    <item>
      <title>How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2</title>
      <link>https://www.darktrace.com/blog/how-a-compromised-escan-update-enabled-multi-stage-malware-and-blockchain-c2</link>
      <description>Supply chain attack compromised eScan antivirus updates to deliver multi-stage malware using blockchain-based command and control infrastructure. Darktrace detected rare anomalous network patterns across multiple customer environments.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046696513510736366</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046696513510736366">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 21:04:10 +0000</pubDate>
      <guid isPermaLink="false">2046696513510736366</guid>
    </item>
    <item>
      <title>IOCX v0.7.0 released — deterministic heuristics + adversarial testing</title>
      <link>https://www.reddit.com/r/dfir/comments/1srlnoq/iocx_v070_released_deterministic_heuristics/</link>
      <description>IOCX v0.7.0 adds deterministic heuristic engine for anti-debug APIs, TLS anomalies, and packer behavior detection. New adversarial testing layer validates extraction accuracy at ~28 MB/s processing speed.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046681189285851212</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2046681189285851212">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 20:03:16 +0000</pubDate>
      <guid isPermaLink="false">2046681189285851212</guid>
    </item>
    <item>
      <title>New Lotus data wiper used against Venezuelan energy, utility firms</title>
      <link>https://www.bleepingcomputer.com/news/security/new-lotus-data-wiper-used-against-venezuelan-energy-utility-firms/</link>
      <description>New Lotus wiper targets Venezuelan 🇻🇪 energy and utilities with multi-stage deployment. Batch scripts disable defenses before final payload overwrites drives and eliminates recovery options.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046666115766464657</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046666115766464657">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 19:03:22 +0000</pubDate>
      <guid isPermaLink="false">2046666115766464657</guid>
    </item>
    <item>
      <title>Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics</title>
      <link>https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/</link>
      <description>Mustang Panda evolves LOTUSLITE backdoor v1.1 for India 🇮🇳 banking sector and South Korean 🇰🇷 diplomatic targets. Campaign uses DLL sideloading with Microsoft-signed binaries, dynamic DNS C2, and impersonates Victor Cha for credential harvesting operations.

Technical evolution from v1.0:
• Changed magic packet value from 0x8899AABB to 0xB2EBCFDF to evade network detection
• New export table with DnxMain→HDFCBankMain routing, mutex "mdseccoUK"
• API resolution via ntdll.dll chain (LdrLoadDll) to avoid static analysis flagging
• Execution flag rotated from --DATA to --ZoneMAX

Attack chain specifics:
• Initial vector: CHM file "Request for Support.chm" via spearphishing
• JavaScript dropper music.js from cosmosmusic[.]com extracts Microsoft_DNX.exe + malicious DLL
• DLL sideloading abuses legitimate signed Microsoft DNX binary (T1574.002)
• C2: editor[.]gleeze[.]com over HTTPS port 443 using Dynu Systems infrastructure

DFIR artifacts:
• Persistence: HKCU Run key via SHSetValueA to C:\ProgramData\Microsoft_DNX\
• Residual KugouMain export links directly to original LOTUSLITE codebase
• Developer message "goldenjackel12" references security researcher tracking them
• Fake Gmail victorcha707@gmail.com impersonates CSIS Senior VP Victor Cha

Hunt for Microsoft_DNX.exe with suspicious DLLs, outbound HTTPS to dynamic DNS providers, and registry Run keys under C:\ProgramData paths.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046659104739938685</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046659104739938685">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 18:35:30 +0000</pubDate>
      <guid isPermaLink="false">2046659104739938685</guid>
    </item>
    <item>
      <title>Detection strategies across cloud and identities against infiltrating IT workers</title>
      <link>https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/</link>
      <description>Microsoft exposes North Korea's 🇰🇵 Jasper Sleet infiltration tactics: fraudulent IT workers use AI to craft fake personas, bypass hiring processes, and gain trusted organizational access through HR SaaS platforms.

Comprehensive attack chain breakdown:
• Pre-recruitment: Actors systematically query Workday hrrecruiting/* APIs from known infrastructure to discover open roles and extract job requirements using generative AI
• Recruiting phase: Suspicious patterns include multiple external accounts accessing identical API endpoints in repeating sequences, plus communications via Teams/Zoom from malicious IPs
• Post-recruitment: Legitimate accounts created during onboarding show payroll setup from Jasper Sleet infrastructure, followed by impossible travel alerts and anomalous M365 access
• Key indicators: API calls to hrrecruiting/accounts/*, hrrecruiting/jobApplicationPackages/*, and hrrecruiting/validateJobApplication/* from external sources

Microsoft Defender for Cloud Apps provides specific detections: "Possible Jasper Sleet threat actor activity in Workday Recruiting Web Service" and "Suspicious Payroll and Finance related activity in Workday." Hunt for external user API access patterns and cross-reference new hire impossible travel alerts with HR onboarding timelines. Full KQL hunting queries included in the report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046651115773501581</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2046651115773501581">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 18:03:46 +0000</pubDate>
      <guid isPermaLink="false">2046651115773501581</guid>
    </item>
    <item>
      <title>Inside An AWS Cloud Threat Detection SOC Lab: Simulating and Detecting Real Cloud Attacks</title>
      <link>https://detect.fyi/inside-an-aws-cloud-threat-detection-soc-lab-simulating-and-detecting-real-cloud-attacks-a11e0ea98430?source=rss----d5fd8f494f6a---4</link>
      <description>Comprehensive AWS threat detection lab demonstrates how to simulate real cloud attacks using Stratus Red Team and detect them through CloudTrail, VPC Flow Logs, and Splunk SIEM integration.

Key technical components:
• Infrastructure deployed via Terraform: CloudTrail, VPC Flow Logs, S3 buckets, SQS queues for signal-based ingestion
• Splunk indexes (aws_cloudtrail, aws_config, aws_vpcflow) with SQS-based S3 inputs for near real-time telemetry
• Attack simulations target privilege escalation (CreateUser, AttachUserPolicy), S3 exposure (PutBucketPolicy), and defense evasion (DeleteFlowLogs)
• Detection queries focus on IAM events: CreateAccessKey, AddUserToGroup, PutUserPolicy, AttachRolePolicy with 5-minute time bins

DFIR artifacts generated:
• CloudTrail captures API activity with src_user, src_ip, eventName, userAgent fields for timeline reconstruction
• VPC Flow Logs provide network visibility for lateral movement detection
• S3→SQS→Splunk pipeline ensures reliable ingestion without polling overhead

Build detection rules for suspicious IAM activity clustering within short timeframes. Query: `index="aws_cloudtrail" eventName IN ("CreateUser","AttachUserPolicy","CreateAccessKey") | bin _time span=5m | stats count by _time src_user src_ip`.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046636035245809893</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046636035245809893">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 17:03:50 +0000</pubDate>
      <guid isPermaLink="false">2046636035245809893</guid>
    </item>
    <item>
      <title>Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained</title>
      <link>https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained</link>
      <description>Kyber ransomware deploys coordinated dual-platform attacks targeting Windows and VMware ESXi simultaneously, using shared C2 infrastructure but different encryption schemes. March 2026 incident revealed both variants active in single environment.

Key technical details:
• ESXi variant (C++): Uses ChaCha8 + RSA-4096 despite claiming "post-quantum" Kyber1024, targets /vmfs/volumes datastores, gracefully terminates VMs via esxcli before encryption
• Windows variant (Rust): Actually implements advertised AES-256-CTR + Kyber1024 hybrid scheme, includes "experimental" Hyper-V targeting via PowerShell Get-VM
• Shared IOCs: Campaign ID 5176[REDACTED], Tor infrastructure mlnmlnnrdhcaddwll4zqvfd2vyqsgtgj473gjoehwna2v4sizdukheyd[.]onion
• Anti-recovery arsenal: 11 elevated commands including VSS deletion, event log clearing, service termination (msexchange, vss, backup, veeam, sql patterns)

Attack methodology:
• ESXi: SSH access → esxcli vm process kill → recursive /vmfs/volumes encryption → defaces motd and web UI index pages
• Windows: Terminates services → executes anti-recovery commands → modifies ACLs for file access → encrypts with .#~~~ extension
• Mutex artifact: boomplay[.]com/songs/182988982 (Windows variant)

Hunt for esxcli process kill commands, simultaneous VSS deletion + service termination patterns, and unusual entropy generation via RDRAND. Full MITRE ATT&amp;CK mappings (T1486, T1485, T1489) and IOC list in report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046620895330869542</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046620895330869542">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 16:03:41 +0000</pubDate>
      <guid isPermaLink="false">2046620895330869542</guid>
    </item>
    <item>
      <title>Fake Google Antigravity downloads are stealing accounts in minutes</title>
      <link>https://www.malwarebytes.com/blog/threat-intel/2026/04/fake-google-antigravity-downloads-are-stealing-accounts-in-minutes</link>
      <description>Sophisticated supply chain attack: Fake Google Antigravity installer delivers fully functional software while secretly deploying stealer malware. Campaign uses typosquat domains and genuine software repackaging to evade detection.

Technical breakdown:
• Trojanized installer (Antigravity_v1.22.2.0.exe) contains complete legitimate Google Antigravity app plus one malicious MSI custom action named "wefasgsdfg"
• Drops PowerShell downloader cradle (scr5020.ps1) that contacts opus-dsn[.]com for second-stage payload
• Stage 2 disables Windows Defender via Add-MpPreference exclusions for %ProgramData%, .exe/.dll files, and key processes
• Deploys encrypted .NET stealer as fake PNG (C:\ProgramData\MicrosoftEdgeUpdate.png) with persistence via scheduled task mimicking Edge updater
• Targets browser credentials, session cookies, Discord tokens, crypto wallets using reflective loading (T1055.001, T1539, T1552.001)

Session cookie theft enables immediate account takeover without 2FA bypass. Hunt for MSI custom actions with random names and PowerShell connections to CDN infrastructure.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046605855752171956</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046605855752171956">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 15:03:55 +0000</pubDate>
      <guid isPermaLink="false">2046605855752171956</guid>
    </item>
    <item>
      <title>Darktrace identifies ZionSiphon malware engineered for OT disruption in Israeli water sector environments</title>
      <link>https://industrialcyber.co/ransomware/darktrace-identifies-zionsiphon-malware-engineered-for-ot-disruption-in-israeli-water-sector-environments/</link>
      <description>ZionSiphon malware targets Israeli 🇮🇱 water infrastructure with Modbus sabotage logic to manipulate chlorine dosing and pressure controls. Sample includes broken targeting code suggesting development build or intentionally defanged version.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046590658719125636</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046590658719125636">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 14:03:32 +0000</pubDate>
      <guid isPermaLink="false">2046590658719125636</guid>
    </item>
    <item>
      <title>CISA warns organizations of supply chain compromise in Axios npm package delivering remote access trojan</title>
      <link>https://industrialcyber.co/cisa/cisa-warns-organizations-of-supply-chain-compromise-in-axios-npm-package-delivering-remote-access-trojan/</link>
      <description>CISA warns of supply chain compromise in Axios npm package (versions 1.14.1 &amp; 0.30.4) delivering remote access trojan via malicious plain-crypto-js dependency.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046575396896796897</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046575396896796897">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 13:02:53 +0000</pubDate>
      <guid isPermaLink="false">2046575396896796897</guid>
    </item>
    <item>
      <title>Exploiting Serial-to-Ethernet Converters in Critical Infrastructure</title>
      <link>https://www.forescout.com/blog/exploiting-serial-to-ethernet-converters-in-critical-infrastructure/</link>
      <description>Forescout discovers 22 new vulnerabilities in serial-to-IP converters used across power grids, manufacturing, and healthcare. Research demonstrates data tampering attacks that could manipulate sensor readings and actuator commands in critical infrastructure.

Key technical findings:
• 8 CVEs in Lantronix EDS3000/5000 series, 14 in Silex SD330-AC devices
• RCE via command injection, authentication bypass, hardcoded signing keys
• Automated analysis found avg 2,255 kernel vulnerabilities + 89 public exploits per firmware
• Attack chain: Internet-exposed edge device → converter compromise → serial data manipulation

Attack scenarios demonstrated:
• DoS attacks disrupting field communications (similar to 2015 Ukraine 🇺🇦, 2025 Poland 🇵🇱 grid attacks)
• Lateral movement across non-routable OT networks via compromised converters
• Real-time sensor tampering: lab demo showed temperature readings manipulated from 24°C to oscillating -40°C/+40°C
• Potential impact on railway signaling, fire alarms, gas station ATGs, patient monitors

Mitigation priority: Patch immediately (Lantronix 2.0.0R1/3.2.0.0R2, Silex updates available). Segment converters from internet, monitor for anomalous serial communications patterns.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046560449525584083</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046560449525584083">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 12:03:29 +0000</pubDate>
      <guid isPermaLink="false">2046560449525584083</guid>
    </item>
    <item>
      <title>Vect formalizes BreachForums and TeamPCP alliance to push model for industrialized ransomware, scale RaaS operations</title>
      <link>https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/</link>
      <description>Vect ransomware group formalizes unprecedented alliance with BreachForums marketplace and TeamPCP hackers, creating industrialized RaaS model that mobilizes 300,000 forum users as affiliates while leveraging supply chain compromises for mass deployment.

Key developments:
• Vect distributes affiliate keys through BreachForums, converting entire cybercrime forum into ransomware distribution network - no prior operation attempted this scale
• TeamPCP supplies access via poisoned open-source tools (Trivy, Checkmarx KICS, LiteLLM, Telnyx SDK) embedded in CI/CD pipelines during March 2026
• Custom C++ ransomware uses ChaCha20-Poly1305 encryption, targets Windows/Linux/ESXi, evades via Safe Mode manipulation and process termination
• Confirmed victims: Guesty (700GB stolen), USHA International Limited, S&amp;P Global listed on leak site
• Multi-platform lateral movement via SMB/WinRM with automated LAN scanning capabilities

Organizations using affected tools in March 2026 CI/CD pipelines: immediately rotate all credentials (cloud access keys, API tokens, SSH keys). Monitor for bcdedit execution and SafeBoot registry modifications - key Vect deployment indicators.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046545288488263698</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046545288488263698">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 11:03:14 +0000</pubDate>
      <guid isPermaLink="false">2046545288488263698</guid>
    </item>
    <item>
      <title>Bad Apples: Weaponizing native macOS primitives for movement and execution</title>
      <link>https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/</link>
      <description>Cisco Talos unveils comprehensive macOS "living-off-the-land" attack techniques that bypass traditional security controls. Research documents weaponization of Remote Application Scripting, Spotlight metadata abuse, and native protocols for stealth execution and lateral movement.

Technical findings:
• Remote Application Scripting (RAS) bypasses -10016 Handler Error using Terminal.app as execution proxy with Base64 encoding (T1072)
• Spotlight metadata abuse stores payloads in Finder comments field, evading static file analysis and EDR detection
• Native protocol toolkit: SMB, Git, TFTP, SNMP traps, socat for tool transfer without SSH telemetry (T1570)
• Process lineage detection signature: launchd → AppleEventsD → Terminal → sh/bash indicates suspicious activity

Attack chain methodology:
• Stage 1: Establish remote execution via "eppc://" protocol targeting Terminal.app
• Stage 2: Deploy payloads through kMDItemFinderComment metadata field
• Stage 3: Achieve persistence via LaunchAgent referencing metadata-stored scripts
• Stage 4: Lateral movement using native macOS protocols operating outside SSH monitoring

Key DFIR artifacts:
• Monitor TCP port 3031 traffic (eppc protocol) and unusual SNMP/TFTP on internal segments
• Hunt for base64 --decode commands from GUI applications
• Track mdls calls and writes to com.apple.metadata:kMDItemFinderComment
• Analyze osascript executions containing "of machine eppc://" strings

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046530130613522473</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046530130613522473">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 10:03:01 +0000</pubDate>
      <guid isPermaLink="false">2046530130613522473</guid>
    </item>
    <item>
      <title>New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses</title>
      <link>https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/</link>
      <description>Lazarus Group 🇰🇵 deploys "Mach-O Man" macOS malware kit via ClickFix social engineering campaign targeting business leaders through fake meeting invitations on Telegram.

Active campaign breakdown:
• Victims receive fake Zoom/Teams meeting links via compromised Telegram contacts, prompted to execute terminal commands to "fix" connection issues
• Multi-stage Go-based Mach-O binary chain: teamsSDK.bin (stager) → D1YrHRTg.bin (profiler) → minst2.bin (persistence) → macrasv2 (stealer)
• Steals macOS Keychain data, browser credentials/sessions, system info via sysctl queries (T1082, T1555)
• LaunchAgent persistence at ~/Library/LaunchAgents/com.onedrive.launcher.plist (T1543.001)
• Data exfiltrated via Telegram bot API (exposed token: operational security failure)

Key forensic artifacts: Go HTTP client User-Agent strings, C2 traffic on ports 8888/9999, staged data in user_ext.zip archives, and ad-hoc code signatures bypassing macOS Gatekeeper.

Hunt for unsigned Mach-O binaries with Go build artifacts, outbound connections to update-teams[.]live and 172[.]86[.]113[.]102, plus LaunchAgent plists with "onedrive.launcher" naming.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046515097284321324</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046515097284321324">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 09:03:16 +0000</pubDate>
      <guid isPermaLink="false">2046515097284321324</guid>
    </item>
    <item>
      <title>Low-Level Extraction for M-Series iPads</title>
      <link>https://blog.elcomsoft.com/2026/04/low-level-extraction-for-m-series-ipads/</link>
      <description>New iOS Forensic Toolkit 10.01 extends low-level extraction to M-series iPads running iPadOS 18.7.1, with agent-based full filesystem and keychain acquisition at up to 200 MB/s. Support added for 16GB iPad Pro models but exploit remains unstable.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046499912297435160</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2046499912297435160">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 08:02:56 +0000</pubDate>
      <guid isPermaLink="false">2046499912297435160</guid>
    </item>
    <item>
      <title>Vercel Breach: Hacker Claims to Sell Stolen Data in Potential Global Supply Chain Attack</title>
      <link>https://socradar.io/blog/vercel-breach-hacker-sell-stolen-data/</link>
      <description>Vercel breach via compromised Context.ai OAuth app exposed environment variables and 580 employee records. Attacker claimed ability to inject malicious code into Next.js (6M weekly downloads), highlighting supply chain risk.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046484931849658754</description>
      <category>INCIDENT RESPONSE</category>
      <source url="https://x.com/DFIR_Radar/status/2046484931849658754">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 07:03:24 +0000</pubDate>
      <guid isPermaLink="false">2046484931849658754</guid>
    </item>
    <item>
      <title>Apple Watch forensics: acquisition techniques and evidentiary artifacts</title>
      <link>https://andreafortuna.org/2026/04/21/apple-watch-forensics/</link>
      <description>New comprehensive guide reveals Apple Watch as critical forensic source with unique acquisition paths and artifacts that often exceed iPhone capabilities. Legacy models (Series 0-3) allow full filesystem extraction via checkm8 exploit.

Key technical details:
• Series 0-3: checkm8 bootrom exploit enables complete data extraction without passcode using Elcomsoft iOS Forensic Toolkit
• Series 4+: Logical extraction only, requires unlocked device and established pairing trust
• Primary data sources: watch device, paired iPhone's Health database (/private/var/mobile/Library/Health/healthdb_secure.sqlite), and iCloud Health container
• Critical artifacts: GPS-precise workout routes, continuous heart rate data, ECG waveforms, sleep tracking, deleted messages retained ~30 days

DFIR opportunities:
• Health database in encrypted iPhone backups contains watch sensor data with device attribution
• Workout route data stored in healthdb_secure.hdf with sub-second GPS coordinates
• watchOS diagnostic logs (.logarchive format) include app launches and Siri interactions
• Wrist detection creates automatic lock after removal - enable airplane mode immediately upon seizure

Prioritize encrypted iPhone backup over direct watch extraction for most comprehensive data recovery. Full acquisition methodology and artifact locations detailed in source.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046469662729232784</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2046469662729232784">DFIR Radar</source>
      <pubDate>Tue, 21 Apr 2026 06:02:44 +0000</pubDate>
      <guid isPermaLink="false">2046469662729232784</guid>
    </item>
    <item>
      <title>(TLP:CLEAR) WaterISAC Notification – CISA Issues Cyber Alert for Supply Chain Compromise Impacting Axios Node Package Manager</title>
      <link>https://www.waterisac.org/tlpclear-waterisac-notification-cisa-issues-cyber-alert-for-supply-chain-compromise-impacting-axios-node-package-manager</link>
      <description>CISA alerts on Axios npm supply chain compromise affecting versions 1.14.1 and 0.30.4. Malicious dependency plain-crypto-js@4.2.1 delivers multi-stage payloads including remote access trojan from threat actor infrastructure.

Critical details:
• Compromised versions: axios@1.14.1 and axios@0.30.4 (March 31, 2026)
• Malicious dependency plain-crypto-js@4.2.1 downloads payloads from Sfrclak[.]com domains
• Affects web applications, mobile apps, backend services, and CI/CD pipelines globally
• Threat actors targeting developer credentials, VCS tokens, CI/CD secrets, cloud keys

Attack methodology:
• Supply chain injection via npm package manager during install/update operations
• Multi-stage payload delivery from C2 infrastructure
• Credential harvesting from compromised development environments
• Persistence across build pipelines and artifact repositories

DFIR actions:
• Audit code repositories and CI/CD pipelines for compromised Axios versions
• Hunt for cached plain-crypto-js@4.2.1 in dependency management tools
• Monitor npm install processes for unexpected child processes and network connections
• Rotate all exposed credentials: VCS tokens, SSH keys, npm tokens, cloud secrets

Immediate remediation: Downgrade to axios@1.14.0/0.30.3, delete node_modules/plain-crypto-js/, block Sfrclak[.]com domains, and implement ignore-scripts=true in .npmrc configuration.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046348859685613873</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046348859685613873">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 22:02:42 +0000</pubDate>
      <guid isPermaLink="false">2046348859685613873</guid>
    </item>
    <item>
      <title>The Vercel Breach: The Steps To Take Now to Protect Your Organization</title>
      <link>https://www.varonis.com/blog/vercel-breach-2026</link>
      <description>Vercel breach via Context.ai OAuth token theft exposes customer environment variables including AWS keys and database credentials. ShinyHunters selling stolen data for $2M.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046303602428227775</description>
      <category>INCIDENT RESPONSE</category>
      <source url="https://x.com/DFIR_Radar/status/2046303602428227775">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 19:02:52 +0000</pubDate>
      <guid isPermaLink="false">2046303602428227775</guid>
    </item>
    <item>
      <title>CVE-2023-33538 under attack for a year, but exploitation still unsuccessful</title>
      <link>https://securityaffairs.com/191040/hacking/cve-2023-33538-under-attack-for-a-year-but-exploitation-still-unsuccessful.html</link>
      <description>Year-long exploitation attempts against CVE-2023-33538 (CVSS 8.8) in TP-Link routers fail due to flawed attack code targeting wrong parameters and missing authentication.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046288536626720957</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046288536626720957">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 18:03:00 +0000</pubDate>
      <guid isPermaLink="false">2046288536626720957</guid>
    </item>
    <item>
      <title>Microsoft: Teams increasingly abused in helpdesk impersonation attacks</title>
      <link>https://www.bleepingcomputer.com/news/security/microsoft-teams-increasingly-abused-in-helpdesk-impersonation-attacks/</link>
      <description>Microsoft warns of increasing attacks where threat actors impersonate IT staff via external Teams chats to trick employees into granting Quick Assist remote access, then use DLL side-loading and WinRM for lateral movement.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046273306379137425</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046273306379137425">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 17:02:29 +0000</pubDate>
      <guid isPermaLink="false">2046273306379137425</guid>
    </item>
    <item>
      <title>ZionSiphon Malware Targets Water Infrastructure Systems</title>
      <link>https://www.infosecurity-magazine.com/news/zionsiphon-malware-water/</link>
      <description>New ZionSiphon malware targets Israeli 🇮🇱 water treatment systems with Modbus manipulation capabilities and chlorine dosing parameters. Contains hardcoded checks for desalination plants but execution flaws prevent activation.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046258372756848828</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046258372756848828">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 16:03:09 +0000</pubDate>
      <guid isPermaLink="false">2046258372756848828</guid>
    </item>
    <item>
      <title>From a Deceptive Purchase Order to Remcos RAT</title>
      <link>https://www.hornetsecurity.com/en/blog/remcos-rat-attack-chain/</link>
      <description>Campaign analysis: Sustained email-borne attacks since November 2025 deliver Remcos RAT through deceptive purchase order lures. Hornetsecurity identifies this as part of broader operational pattern with consistent TTPs.

Technical breakdown:
• Initial vector: Malicious purchase order emails containing embedded payloads (T1566.001)
• Multi-stage infection chain leading to Remcos RAT deployment for persistent access
• Campaign shows operational consistency suggesting organized threat actor activity
• Payload recovery process documented with forensic artifacts for detection

DFIR considerations:
• Email headers and attachment analysis reveal infection staging mechanisms
• Remcos C2 infrastructure patterns enable network-based hunting opportunities
• Attribution challenges noted due to overlapping public tools and reused infrastructure
• Timeline spans 5+ months indicating sustained operational tempo

Hunt for suspicious purchase order emails with executable attachments. Cross-reference Remcos IOCs against network logs for C2 beaconing patterns.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046243278635307238</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046243278635307238">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 15:03:10 +0000</pubDate>
      <guid isPermaLink="false">2046243278635307238</guid>
    </item>
    <item>
      <title>DFIR Report – The Gentlemen &amp; SystemBC: A Sneak Peek Behind the Proxy</title>
      <link>https://research.checkpoint.com/2026/dfir-report-the-gentlemen/</link>
      <description>The Gentlemen RaaS has surged to over 320 victims in early 2026, deploying multi-platform Go-based lockers with built-in lateral movement and GPO mass deployment. SystemBC proxy malware reveals a 1,570+ victim botnet likely targeting corporate environments.

Key technical details:
• Multi-OS lockers for Windows/Linux/NAS/BSD (Go) + ESXi (C) with XChaCha20 encryption using ephemeral X25519 keys
• SystemBC C2 45[.]86[.]230[.]112 provides SOCKS5 tunneling; Cobalt Strike beacon 91[.]107[.]247[.]163
• Lateral movement via --spread flag: PsExec, WMI, remote sched tasks across AD-enumerated hosts
• GPO deployment copies locker to NETLOGON share, creates domain-wide scheduled tasks for mass encryption
• Defense evasion: PowerShell disables Defender, adds C:\ exclusions, stops firewall/mpssvc service

Attack chain progression:
• Initial DC compromise → credential validation → Cobalt Strike deployment via ADMIN$ shares
• Failed SystemBC deployment blocked by EDR → AnyDesk persistence (password: Camry@12345)
• Internal staging server hosts grand[.]exe → PowerShell download to c:\programdata\r[.]exe
• GPO-based ransomware deployment with --password VvO8EtUh across domain

Hunt for unsigned DLLs in system directories, monitor regsvr32[.]exe with suspicious parent processes, and detect PowerShell Set-MpPreference commands. Full IOC list and YARA rules available in the report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046228140544962986</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046228140544962986">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 14:03:01 +0000</pubDate>
      <guid isPermaLink="false">2046228140544962986</guid>
    </item>
    <item>
      <title>When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild by Justin Howe</title>
      <link>https://www.vectra.ai/blog/when-the-defender-becomes-the-door-bluehammer-redsun-and-undefend-in-the-wild</link>
      <description>Three leaked Windows Defender exploits (BlueHammer, RedSun, UnDefend) now targeting enterprise networks in active campaigns. Endpoint-only detection strategies prove insufficient against these defense evasion techniques.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046213122378154427</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046213122378154427">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 13:03:20 +0000</pubDate>
      <guid isPermaLink="false">2046213122378154427</guid>
    </item>
    <item>
      <title>AI Agents Think. They Just Don’t Know They’re Being Watched.</title>
      <link>https://infosecwriteups.com/ai-agents-think-they-just-dont-know-they-re-being-watched-2f8eec1dc6a9?source=rss----7b722bfd1b8d---4</link>
      <description>Security researcher exposes critical authentication bypass and system prompt leakage in AI trading platform, revealing how stream parameters and unauthenticated WebSockets can expose proprietary trading algorithms and real-time market signals.

Key findings from crypto AI platform assessment:
• Critical system prompt leakage (CVSS 7.5, CWE-200) via stream=false parameter exposed 14,000-token proprietary trading methodology, model details, and complete conversation history
• Unauthenticated WebSocket access (CVSS 9.1, CWE-306) to wss://api[.]redacted[.]gg/graphql allowed anonymous extraction of premium trading signals, entry/exit prices, and historical data
• GraphQL introspection enabled in production revealed full API schema to anonymous users
• Eight AI attack vectors detailed: jailbreaks, prompt injection, indirect prompt injection, markdown exfiltration, SSRF via browsing, RAG poisoning, sandbox escape, multi-modal injection

Always test stream parameters independently and verify WebSocket authentication separately from REST endpoints. GraphQL introspection in production hands attackers your complete API surface.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046197793229074598</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2046197793229074598">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 12:02:25 +0000</pubDate>
      <guid isPermaLink="false">2046197793229074598</guid>
    </item>
    <item>
      <title>FakeWallet crypto stealer spreading through iOS apps in the App Store</title>
      <link>https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/</link>
      <description>FakeWallet campaign infiltrates iOS App Store with 26+ phishing crypto wallet apps targeting Chinese users. Malware hijacks recovery phrases through sophisticated library injection and phishing overlays across major wallets including MetaMask, Ledger, and Coinbase.

Technical breakdown:
• 26 phishing apps identified masquerading as legitimate wallets using typosquatting tactics
• Malicious library injection via load commands (libokexHook.dylib) hijacks viewDidLoad methods in RecoveryPhraseViewController classes
• RSA PKCS encryption + Base64 encoding for mnemonic exfiltration to C2 servers
• Enterprise provisioning profiles bypass App Store restrictions for trojanized wallet installation
• Custom __hook section injection in Trust Wallet variant replaces standard initialization functions

Attack methodology:
• Initial vector: App Store phishing apps redirect to browser-based installation pages
• Cold wallet targeting: Ledger variants use React Native phishing screens (MnemonicVerifyScreen) with realistic UI/UX including mnemonic autocomplete
• Persistence: verify-wallet-status.json tracks exfiltration progress across app restarts
• Data exfiltration via POST requests to endpoints like /api/open/postByTokenpocket

DFIR artifacts:
• IPA hashes and malicious dylib files provided for threat hunting
• C2 domains: kkkhhhnnn[.]com, helllo2025[.]com, iosfc[.]com, sxsfcc[.]com
• Configuration files in app directories: verify-wallet-config.json, verify-wallet-pending.json

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046182795635052595</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2046182795635052595">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 11:02:50 +0000</pubDate>
      <guid isPermaLink="false">2046182795635052595</guid>
    </item>
    <item>
      <title>FakeWallet crypto stealer spreading through iOS apps in the App Store</title>
      <link>https://securelist.com/fakewallet-cryptostealer-ios-app-store/119482/</link>
      <description>FakeWallet crypto stealer campaign infiltrates Apple App Store with 26 phishing apps targeting major crypto wallets. Malware hijacks seed phrases through iOS provisioning profiles and sophisticated injection techniques across hot and cold wallets.

Key technical details:
• 26 malicious apps identified mimicking MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie
• Uses enterprise provisioning profiles for installation, bypassing App Store restrictions
• Hot wallet attacks: dylib injection hijacks viewDidLoad methods in RecoveryPhraseViewController classes
• Cold wallet attacks: custom phishing HTML with mnemonic autocomplete matching legitimate app UI
• Data exfiltration via RSA PKCS encryption + Base64 encoding to C2 servers

Attack methodology:
• Phishing apps redirect to fake App Store pages hosting trojanized wallet versions
• Malicious libraries injected via load commands into main executables
• Custom __hook sections replace original methods with malicious wrappers (Trust Wallet variant)
• React Native modifications for cross-platform deployment (Ledger variant)
• BIP-39 dictionary validation to ensure seed phrase legitimacy before exfiltration

DFIR artifacts:
• Persistence files: verify-wallet-status.json, verify-wallet-config.json, verify-wallet-pending.json
• POST requests to /api/open/postByTokenpocket and /ledger/ios/Rsakeycatch.php endpoints
• Hardcoded C2 domains: kkkhhhnnn[.]com, helllo2025[.]com, sxsfcc[.]com, iosfc[.]com

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046167785730969981</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2046167785730969981">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 10:03:11 +0000</pubDate>
      <guid isPermaLink="false">2046167785730969981</guid>
    </item>
    <item>
      <title>Threat Hunting via InternetMessageId (+ KQL Queries)</title>
      <link>https://detect.fyi/threat-hunting-via-internetmessageid-kql-queries-240d32e6f330?source=rss----d5fd8f494f6a---4</link>
      <description>New threat hunting methodology leverages InternetMessageId field parsing to detect phishing campaigns, MFA theft, and malicious file sharing across multilingual environments. Research reveals untapped forensic value in standard email headers.

Key findings:
• InternetMessageId contains embedded timestamps, process IDs, and routing info that persists across language barriers
• Microsoft's "odspnotify" notification system enables detection of OneTimePasscode theft and malicious SharePoint sharing (T1566.002)
• Date comparison between InternetMessageId creation vs email receipt timestamps identifies delayed delivery campaigns
• Missing angle bracket enclosures (&lt;&gt;) in message IDs correlate with spam sources and non-compliant systems

Technical artifacts:
• Parse InternetMessageId local part before @ symbol for embedded metadata
• Extract MessageTypeName patterns like "Share-[GUID]" for file sharing detection
• Compare format_datetime(Timestamp, "yyyyMMdd") against embedded dates for timeline anomalies
• Monitor SenderFromDomain exclusions for trusted SharePoint domains

Hunt for emails with odspnotify containing "OneTimePasscode" sent to external domains - indicates potential MFA bypass attempts. Full KQL queries available in research.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2046137490768269371</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2046137490768269371">DFIR Radar</source>
      <pubDate>Mon, 20 Apr 2026 08:02:48 +0000</pubDate>
      <guid isPermaLink="false">2046137490768269371</guid>
    </item>
    <item>
      <title>CFITSIO Fuzzing: Memory Corruptions and a Codex-Assisted Pipeline</title>
      <link>https://blog.doyensec.com/2026/04/20/cfitsio-fuzzing.html</link>
      <description>New fuzzing research reveals 16 memory corruption vulnerabilities in NASA's CFITSIO library, including stack/heap overflows in Extended Filename Syntax parser. CVEs pending - library widely used in astronomy software and satellite missions.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045925987515277621</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045925987515277621">DFIR Radar</source>
      <pubDate>Sun, 19 Apr 2026 18:02:22 +0000</pubDate>
      <guid isPermaLink="false">2045925987515277621</guid>
    </item>
    <item>
      <title>Cyber attacks fuel surge in cargo theft across logistics industry</title>
      <link>https://securityaffairs.com/191008/security/cyber-attacks-fuel-surge-in-cargo-theft-across-logistics-industry.html</link>
      <description>Organized crime groups target logistics firms with RMM tools and "signing-as-a-service" to steal cargo and divert payments. Attackers maintain month-long persistence, profiling victims for financial fraud.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045895789524713494</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045895789524713494">DFIR Radar</source>
      <pubDate>Sun, 19 Apr 2026 16:02:22 +0000</pubDate>
      <guid isPermaLink="false">2045895789524713494</guid>
    </item>
    <item>
      <title>Ehx | LLMNR/NBT-NS Poisoning in Depth</title>
      <link>https://infosecwriteups.com/llmnr-nbt-ns-poisoning-in-depth-ehxb-ebacf745957d?source=rss----7b722bfd1b8d---4</link>
      <description>Deep dive into LLMNR/NBT-NS poisoning reveals how attackers abuse default Windows name resolution to capture NTLMv2 hashes without exploiting vulnerabilities. Monitor for multicast queries to 224.0.0.252 and unexpected authentication attempts.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045744809034264916</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2045744809034264916">DFIR Radar</source>
      <pubDate>Sun, 19 Apr 2026 06:02:26 +0000</pubDate>
      <guid isPermaLink="false">2045744809034264916</guid>
    </item>
    <item>
      <title>Postman Secret Scanning: A Practical Guide to Finding Exposed APIs</title>
      <link>https://infosecwriteups.com/postman-secret-scanning-a-practical-guide-to-finding-exposed-apis-47feabde6843?source=rss----7b722bfd1b8d---4</link>
      <description>New methodology exposes government and enterprise APIs through public Postman workspaces. Single search queries reveal live credentials, authentication flows, and complete API architectures - turning developer collaboration into reconnaissance goldmines.

Comprehensive guide reveals systematic exposure pattern:
• Microsoft login.microsoftonline.com queries surface Entra ID tenant credentials, client secrets, and Graph API tokens with enterprise-wide scopes
• Okta *.oktapreview.com searches expose SSWS admin tokens and complete identity provider configurations across sandbox environments
• Salesforce test.salesforce.com reveals username/password flows with connected app credentials often mirrored in production
• Auth0 Management API tokens found with read:users/update:users scopes enabling customer database enumeration and account takeover
• AWS sts.amazonaws.com exposes AssumeRole chains with hardcoded IAM keys and cross-account architecture mapping

Real findings include municipal emergency services 🇹🇭 Power BI integration exposing citizen data dashboards, and IT vendor workspace revealing multiple government clients' chatbot infrastructure simultaneously. Unlike GitHub secret scanning's pattern-matching approach, Postman exposes full operational context - endpoints, auth flows, environment configs, and live tokens together.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045729682859970654</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045729682859970654">DFIR Radar</source>
      <pubDate>Sun, 19 Apr 2026 05:02:19 +0000</pubDate>
      <guid isPermaLink="false">2045729682859970654</guid>
    </item>
    <item>
      <title>North Korea-Linked Hackers Use GitHub as C2 Infrastructure to Attack South Korea</title>
      <link>https://infosecwriteups.com/north-korea-linked-hackers-use-github-as-c2-infrastructure-to-attack-south-korea-1bdcbaf9a9d8?source=rss----7b722bfd1b8d---4</link>
      <description>North Korea's 🇰🇵 Kimsuky APT weaponizes GitHub as C2 infrastructure in multi-stage campaign targeting South Korean 🇰🇷 organizations. Attack chain uses obfuscated LNK files, PowerShell LOLBins, and legitimate cloud platforms to evade detection while maintaining persistent access.

Technical breakdown:
• Initial vector: Phishing emails with weaponized LNK files deploying decoy PDFs + hidden PowerShell execution (T1566.001, T1204.002)
• Anti-analysis: VM/debugger detection with immediate termination if forensic tools detected
• Persistence: VBScript extraction + scheduled task creation (runs every 30 min in a hidden window) (T1053.005)
• Data exfiltration: Host recon results sent to attacker-controlled GitHub repos (motoralis, God0808RAMA, Pigresy80, entire73, pandora0009, brandonleeodd93-blip)
• C2 infrastructure: Same GitHub repositories serve additional modules and commands (T1102.001)

Related activity includes Python backdoor variants using Dropbox as interim C2 and downloading from quickcon[.]store. Connection to previous Xeno RAT and MoonPeak campaigns confirmed.

Hunt for abnormal GitHub API calls from endpoints, PowerShell with network connections, and scheduled tasks with suspicious VBScript payloads. Enable PowerShell Script Block Logging.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045714658384892000</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045714658384892000">DFIR Radar</source>
      <pubDate>Sun, 19 Apr 2026 04:02:37 +0000</pubDate>
      <guid isPermaLink="false">2045714658384892000</guid>
    </item>
    <item>
      <title>Re: lcms2 &lt;= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE</title>
      <link>https://seclists.org/oss-sec/2026/q2/172</link>
      <description>CVE-2026-41254 assigned for lcms2 ≤2.18 integer overflow causing segfaults in Ubuntu 24.04 Poppler, evince-thumbnailer, OpenJDK, and other PDF processors. 992-byte crafted PDF triggers heap buffer underflow with potential info disclosure.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045563621787242587</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045563621787242587">DFIR Radar</source>
      <pubDate>Sat, 18 Apr 2026 18:02:27 +0000</pubDate>
      <guid isPermaLink="false">2045563621787242587</guid>
    </item>
    <item>
      <title>Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware</title>
      <link>https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html</link>
      <description>Sophos reports surge in QEMU abuse by GOLD ENCOUNTER group deploying PayoutsKing ransomware. Attackers hide malware in VMs to evade EDR detection, using scheduled tasks and SSH tunnels for persistence.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045533386609959398</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2045533386609959398">DFIR Radar</source>
      <pubDate>Sat, 18 Apr 2026 16:02:18 +0000</pubDate>
      <guid isPermaLink="false">2045533386609959398</guid>
    </item>
    <item>
      <title>Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook</title>
      <link>https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/</link>
      <description>Microsoft details sophisticated cross-tenant Teams impersonation campaign where attackers pose as IT helpdesk staff to gain remote access via Quick Assist, then deploy trusted applications for DLL sideloading and lateral movement to domain controllers.

• **Initial Vector**: External attackers initiate Teams chats impersonating helpdesk, convince users to ignore external warnings and grant Quick Assist remote access (T1566.003)

• **Execution Chain**: DLL sideloading via legitimate signed apps (AcroServicesUpdater2_x64.exe, ADNotificationManager.exe, DlpUserAgent.exe) loading malicious modules (msi.dll, vcruntime140_1.dll, mpclient.dll) from ProgramData

• **Persistence &amp; C2**: Encrypted configuration stored in user registry locations, beaconing to cloud-hosted infrastructure over HTTPS port 443, resembling legitimate update traffic

• **Lateral Movement**: WinRM (TCP 5985) used for credential-backed pivoting to high-value assets including domain controllers, followed by Level RMM deployment for persistent access

• **Data Exfiltration**: Rclone utility transfers business documents to external cloud storage with file-type exclusions to minimize detection

Hunt for Quick Assist processes followed immediately by cmd.exe within 30-120 seconds, registry writes to ASEP locations by non-installer processes, and unsigned DLLs in system directories with recent timestamps.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045518354153132430</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045518354153132430">DFIR Radar</source>
      <pubDate>Sat, 18 Apr 2026 15:02:35 +0000</pubDate>
      <guid isPermaLink="false">2045518354153132430</guid>
    </item>
    <item>
      <title>Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks</title>
      <link>https://securityaffairs.com/190974/malware/nexcorium-mirai-variant-exploits-tbk-dvr-flaw-to-launch-ddos-attacks.html</link>
      <description>Nexcorium Mirai variant exploits CVE-2024-3721 in TBK DVRs and end-of-life TP-Link routers for DDoS botnet expansion. Multi-architecture malware uses XOR encoding and embeds CVE-2017-17215 exploits.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045473012422680626</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045473012422680626">DFIR Radar</source>
      <pubDate>Sat, 18 Apr 2026 12:02:24 +0000</pubDate>
      <guid isPermaLink="false">2045473012422680626</guid>
    </item>
    <item>
      <title>The Iran War: What You Need to Know</title>
      <link>https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know</link>
      <description>Iranian 🇮🇷 GreenGolf (MuddyWater) exploits 5 new CVEs to exfiltrate passport records, payroll data, and credit cards from 12,000+ Middle Eastern systems across aviation and energy sectors.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045276681808629783</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045276681808629783">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 23:02:15 +0000</pubDate>
      <guid isPermaLink="false">2045276681808629783</guid>
    </item>
    <item>
      <title>Walking Through an Attack Path with ForceHound</title>
      <link>https://www.netspi.com/blog/technical-blog/web-application-pentesting/walking-through-an-attack-path-with-forcehound/</link>
      <description>New ForceHound tool maps Salesforce privilege escalation paths through BloodHound graphs. Demonstrates how standard users with ManageUsers or AssignPermissionSets permissions can achieve ModifyAllData access via transitive escalation.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045261492019138875</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2045261492019138875">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 22:01:54 +0000</pubDate>
      <guid isPermaLink="false">2045261492019138875</guid>
    </item>
    <item>
      <title>Iran-Linked PLC Exploitation Expands Across US Critical Infrastructure</title>
      <link>https://blog.polyswarm.io/iran-linked-plc-exploitation-expands-across-us-critical-infrastructure</link>
      <description>Iranian 🇮🇷 cyber actors actively exploit internet-facing Rockwell PLCs across US 🇺🇸 critical infrastructure, causing operational disruption and SCADA manipulation in water, energy, and government facilities.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045246580228263956</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045246580228263956">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 21:02:38 +0000</pubDate>
      <guid isPermaLink="false">2045246580228263956</guid>
    </item>
    <item>
      <title>Payouts King ransomware uses QEMU VMs to bypass endpoint security</title>
      <link>https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/</link>
      <description>Payouts King ransomware deploys QEMU VMs running Alpine Linux to evade endpoint detection and establish covert SSH tunnels. Campaign exploits SonicWall VPNs and CVE-2025-26399, linked to GOLD ENCOUNTER group and former BlackBasta affiliates.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045231342259146976</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045231342259146976">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 20:02:05 +0000</pubDate>
      <guid isPermaLink="false">2045231342259146976</guid>
    </item>
    <item>
      <title>Auditing Salesforce Permission Hierarchies with ForceHound</title>
      <link>https://www.netspi.com/blog/technical-blog/web-application-pentesting/auditing-salesforce-permission-hierarchies-with-forcehound/</link>
      <description>NetSPI releases ForceHound, an open-source Python tool that maps Salesforce permission hierarchies into BloodHound graphs.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045216218303373546</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045216218303373546">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 19:02:00 +0000</pubDate>
      <guid isPermaLink="false">2045216218303373546</guid>
    </item>
    <item>
      <title>Containing a domain compromise: How predictive shielding shut down lateral movement</title>
      <link>https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/</link>
      <description>Microsoft's predictive shielding contained a domain compromise in progress by preemptively blocking high-privilege accounts during credential theft attempts, forcing the attacker to exhaust resources and eventually abandon the campaign.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045201191165153357</description>
      <category>INCIDENT RESPONSE</category>
      <source url="https://x.com/DFIR_Radar/status/2045201191165153357">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 18:02:17 +0000</pubDate>
      <guid isPermaLink="false">2045201191165153357</guid>
    </item>
    <item>
      <title>March 2026 Detection Highlights: 10 New VTIs, Expanded Config Extractors, and 30+ Fresh YARA Rules</title>
      <link>https://www.vmray.com/march-2026-detection-highlights-10-new-vtis-expanded-config-extractors-and-30-fresh-yara-rules/</link>
      <description>VMRay releases 10 new threat identifiers, expanded malware config extractors, and 30+ YARA rules targeting RMM abuse, browser-based data theft, and advanced evasion techniques.

Key technical updates:
• New VTIs detect RMM tool deployment (T1219), IP geolocation queries for sandbox evasion (T1016), and App-Bound Encryption bypass in Chromium browsers
• Enhanced detection for sensitive data discovery across RDP configs, password managers (KeePass, Bitwarden), developer tools (VS Code, DBeaver), and VPN profiles
• Updated config extractors for PhantomStealer (.NET variant based on Stealerium), ParallaxRAT (COVID-themed campaigns), and Go-based SalatStealer
• 30+ new YARA rules covering BluelineStealer, Vidar v18, AxolotlLoader, DesckVB-RAT, DarkTortilla crypter, and MuddyWater APT campaigns

Key artifacts: Monitor for headless browser launches (`--headless` flag), RMM tools with deceptive filenames in %TEMP%, and queries to ip-api[.]com or similar IP geolocation services.

Hunt for unsigned PE files with suspicious certificate issuers resembling DGA domains and non-standard section names beyond `.text/.data/.rdata`.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045185972531310815</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2045185972531310815">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 17:01:48 +0000</pubDate>
      <guid isPermaLink="false">2045185972531310815</guid>
    </item>
    <item>
      <title>Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next</title>
      <link>https://socradar.io/blog/iran-war-cyber-threat-outlook-conflict-phases/</link>
      <description>Iran 🇮🇷 War cyber campaign tracked 1,357 incidents across 25+ countries in first month, with DDoS comprising 82.9% of attacks. MuddyWater pre-positioned backdoors in US 🇺🇸 banks and critical infrastructure before conflict began.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045171350159950135</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2045171350159950135">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 16:03:42 +0000</pubDate>
      <guid isPermaLink="false">2045171350159950135</guid>
    </item>
    <item>
      <title>Incident Response in Lambda Cloud: A Neocloud IR Guide</title>
      <link>https://www.invictus-ir.com/news/incident-response-in-the-neocloud---lambda-cloud-part-2</link>
      <description>New Lambda Cloud IR guide reveals critical audit log limitations — no usernames, IP addresses, or session data for attribution. Team-wide resource access means compromise = full tenant exposure.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045156167349879168</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045156167349879168">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 15:03:22 +0000</pubDate>
      <guid isPermaLink="false">2045156167349879168</guid>
    </item>
    <item>
      <title>BlueHammer, RedSun, and UnDefend: Three Windows Defender Zero-Days Exploited in the Wild</title>
      <link>https://socradar.io/blog/bluehammer-redsun-undefend-windows-defender-0days/</link>
      <description>Three Windows Defender zero-days disclosed as PoC exploits are now being actively exploited in the wild. BlueHammer enables privilege escalation via race conditions, RedSun abuses cloud file rollback, UnDefend silently degrades AV protection.

Key technical details:
• BlueHammer (CVE-2026-33825, CVSS 7.8) exploits race condition in threat remediation - uses oplock + NTFS junction to redirect privileged writes to C:\Windows\System32 (PATCHED April 2026)
• RedSun abuses Defender's cloud file rollback mechanism, overwrites TieringEngineService.exe for SYSTEM access - affects all systems with cldapi.dll (UNPATCHED)
• UnDefend blocks definition updates as standard user, gradually blinds AV over time (UNPATCHED)
• All three confirmed in real attacks since April 10, observed via compromised SSLVPN credentials
• Attack pattern: manual enumeration with `whoami /priv`, `cmdkey /list`, `net group` commands

Huntress Labs confirmed active exploitation across Windows 10/11 and Server 2016-2025. Attackers chain these for initial SYSTEM access + persistent AV evasion.

Hunt for suspicious oplock usage, unexpected writes to System32, and systems with stale Defender definitions. Prioritize SSLVPN credential monitoring and network isolation capabilities.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045141097291432117</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045141097291432117">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 14:03:29 +0000</pubDate>
      <guid isPermaLink="false">2045141097291432117</guid>
    </item>
    <item>
      <title>The Invisible Footprint: How Anonymous S3 Requests Evade AWS Logging</title>
      <link>https://www.varonis.com/blog/anonymous-s3-requests-evade-aws-logging</link>
      <description>Varonis discovered anonymous S3 requests via VPC endpoints bypassed AWS CloudTrail logging entirely, allowing attackers to exfiltrate data invisibly. AWS has patched the issue to log all anonymous API requests to external buckets.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045125904410829057</description>
      <category>CLOUD SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045125904410829057">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 13:03:07 +0000</pubDate>
      <guid isPermaLink="false">2045125904410829057</guid>
    </item>
    <item>
      <title>RedSun: Windows 0day when Defender becomes the attacker</title>
      <link>https://www.cloudsek.com/blog/redsun-windows-0day-when-defender-becomes-the-attacker</link>
      <description>RedSun 0-day exploits Windows Defender logic flaw to escalate standard user privileges to SYSTEM via missing reparse point validation during file restoration. Attack redirects Defender writes to System32 for arbitrary code execution.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045095792269054234</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045095792269054234">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 11:03:28 +0000</pubDate>
      <guid isPermaLink="false">2045095792269054234</guid>
    </item>
    <item>
      <title>Inside ZionSiphon: politically driven malware aims at Israeli water systems</title>
      <link>https://securityaffairs.com/190922/malware/inside-zionsiphon-politically-driven-malware-aims-at-israeli-water-systems.html</link>
      <description>New ZionSiphon malware targets Israeli 🇮🇱 water systems to alter pressure and chlorine levels, but contains a critical flaw in its targeting logic that prevents payload execution. Hunt for svchost.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045080630640153039</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045080630640153039">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 10:03:13 +0000</pubDate>
      <guid isPermaLink="false">2045080630640153039</guid>
    </item>
    <item>
      <title>Critical nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover</title>
      <link>https://thecyberexpress.com/cve-2026-33032-nginx-ui-server-takeover/</link>
      <description>CVE-2026-33032 (CVSS 9.8) enables nginx-ui server takeover via authentication bypass in MCP endpoints. Researcher demonstrates full compromise in seconds using two HTTP requests. Patch to v2.3.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045065494664003675</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2045065494664003675">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 09:03:04 +0000</pubDate>
      <guid isPermaLink="false">2045065494664003675</guid>
    </item>
    <item>
      <title>“Your shipment has arrived” email hides remote access software</title>
      <link>https://www.malwarebytes.com/blog/news/2026/04/your-shipment-has-arrived-email-hides-remote-access-software</link>
      <description>New DHL phishing campaign delivers preconfigured SimpleHelp RMM tool via PDF lure. PDF contains blurred image with fake Microsoft button that downloads .scr installer from compromised Vietnamese 🇻🇳 logistics domain longhungphatlogistics[.]vn.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2045050432234696959</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2045050432234696959">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 08:03:13 +0000</pubDate>
      <guid isPermaLink="false">2045050432234696959</guid>
    </item>
    <item>
      <title>What’s New in the BloodHound Query Library: BYOL, OpenGraph, Multi-Server, and More</title>
      <link>https://specterops.io/blog/2026/04/15/whats-new-in-the-bloodhound-query-library-byol-opengraph-multi-server-and-more/</link>
      <description>BloodHound Query Library adds 34 new AD/Azure queries, multi-server support, and BYOL feature to import custom query sources. Includes PurpleKnight mapping coverage and built-in Cypher cheat sheet for AD enumeration.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044974737936310671</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2044974737936310671">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 03:02:26 +0000</pubDate>
      <guid isPermaLink="false">2044974737936310671</guid>
    </item>
    <item>
      <title>CVE-2026-3055 &amp; CVE-2026-4368: Inside the NetScaler "CitrixBleed 3" Memory Overread</title>
      <link>https://www.picussecurity.com/resource/blog/cve-2026-3055-cve-2026-4368-inside-the-netscaler-citrixbleed-3-memory-overread</link>
      <description>CVE-2026-3055 (CVSS 9.3) allows unauthenticated memory overread in Citrix NetScaler SAML IdPs, exposing session tokens and credentials via NSC_TASS cookies. Active exploitation confirmed since March 27. Patch immediately to 14.1-66.59+ or 13.1-62.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044960141582204961</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044960141582204961">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 02:04:26 +0000</pubDate>
      <guid isPermaLink="false">2044960141582204961</guid>
    </item>
    <item>
      <title>Lumma Stealer infection with Sectop RAT (ArechClient2), (Fri, Apr 17th)</title>
      <link>https://isc.sans.edu/diary/rss/32904</link>
      <description>SANS ISC researcher documents Lumma Stealer infection chain leading to Sectop RAT deployment. Attack uses fake Adobe Premiere Pro 2026 crack distributed through password-protected archives with 806MB inflated executables.

Technical breakdown:
• Initial delivery via fake software crack sites impersonating MEGA cloud storage
• Lumma Stealer packed in password-protected 7zip (password: 6919) with null-byte padding evasion
• SHA256: c7489e3bf546c5f2d958ac833cc7dbca4368dfba03a792849bc99c48a6b2a14f (archive), 4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923 (inflated EXE)
• 9 Lumma C2 domains identified: cankgmr[.]cyou, carytui[.]vu, decrnoj[.]club, genugsq[.]best

Follow-up payload:
• Sectop RAT (ArechClient2) deployed as NetGui.dll via rundll32 LoadForm export
• C2 traffic to 91.92.241[.]102:9000 and :443 with custom encryption
• Persistence established on infected Windows hosts

Hunt for oversized executables (&gt;100MB) with high entropy ratios and rundll32 spawning network connections to non-standard ports. Full IOCs and sandbox analysis links available in SANS report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044944672754217026</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044944672754217026">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 01:02:58 +0000</pubDate>
      <guid isPermaLink="false">2044944672754217026</guid>
    </item>
    <item>
      <title>Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks</title>
      <link>https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html</link>
      <description>Novel campaign abuses Obsidian note-taking app to deliver PHANTOMPULSE RAT targeting finance and crypto sectors. Elastic Security Labs tracks this as REF6598 cluster.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044929399980491040</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044929399980491040">DFIR Radar</source>
      <pubDate>Fri, 17 Apr 2026 00:02:17 +0000</pubDate>
      <guid isPermaLink="false">2044929399980491040</guid>
    </item>
    <item>
      <title>UAC-0247 Attack Detection: AGINGFLY Malware Targets Hospitals, Local Governments, and FPV Operators in Ukraine</title>
      <link>https://socprime.com/blog/uac-0247-attack-detection-agingfly-malware-targets-hospitals-local-governments-and-fpv-operators-in-ukraine/</link>
      <description>UAC-0247 deploys AGINGFLY malware against Ukrainian 🇺🇦 hospitals and local governments via humanitarian-themed phishing. Campaign uses LNK→HTA→shellcode injection chain, abusing mshta.exe and legitimate processes for persistence.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044914403431133263</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044914403431133263">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 23:02:41 +0000</pubDate>
      <guid isPermaLink="false">2044914403431133263</guid>
    </item>
    <item>
      <title>Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face</title>
      <link>https://www.bleepingcomputer.com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/</link>
      <description>CVE-2026-39987 in Marimo Python notebook actively exploited to deploy NKAbuse malware via typosquatted Hugging Face Spaces. Attackers pivot to credential theft and lateral movement within hours of disclosure. Upgrade to v0.23.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044899163268059521</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044899163268059521">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 22:02:08 +0000</pubDate>
      <guid isPermaLink="false">2044899163268059521</guid>
    </item>
    <item>
      <title>Void Stealer: The Infostealer Malware Quietly Targeting Organizations in 2026</title>
      <link>https://socradar.io/blog/void-stealer-infostealer-malware-2026/</link>
      <description>Void Stealer infostealer bypasses EDR via syscall-level evasion and uses Steam profiles for C2 resolution, allowing infrastructure rotation without disrupting campaigns. IOCs and MITRE ATT&amp;CK mappings available in the full report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044884191943221251</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044884191943221251">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 21:02:38 +0000</pubDate>
      <guid isPermaLink="false">2044884191943221251</guid>
    </item>
    <item>
      <title>APK Malformation Found in Thousands of Android Malware Samples</title>
      <link>https://www.infosecurity-magazine.com/news/apk-malformation-android-malware/</link>
      <description>Android malware families including Teabot, TrickMo, Godfather deploy APK malformation to crash static analysis tools while preserving functionality. Cleafy releases open-source Malfixer tool to repair corrupted APKs for analysis.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044869045606887907</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044869045606887907">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 20:02:27 +0000</pubDate>
      <guid isPermaLink="false">2044869045606887907</guid>
    </item>
    <item>
      <title>Into The Rainbow: Google’s NTLMv1 Rainbow Tables Explained in a Bit Too Much Detail</title>
      <link>https://specterops.io/blog/2026/04/16/into-the-rainbow-googles-ntlmv1-rainbow-tables-explained-in-a-bit-too-much-detail/</link>
      <description>SpecterOps breaks down Google's 8.8TB NTLMv1 rainbow tables that enable offline NT hash recovery from legacy authentication responses. New tooling makes this attack accessible to more practitioners.

Technical breakdown:
• 4,096 rainbow tables (2.147GB each) cover 99.9% of DES key space using precompute-lookup-check methodology
• Tables target static challenge 1122334455667788, splitting NT hash into three 7-byte DES keys for recovery
• Recovery process: precompute generates endpoints, lookup finds candidates in tables, check verifies actual ciphertext presence
• Works with DumpGuard to obtain NTLMv1 responses from Credential Guard-enabled systems
• Performance: ~1 hour per ciphertext on RTX 3080 Ti + NVMe drives (12min precompute, 45min lookup, 12min check)

New open-source tooling includes gpu_lookup, precompute, candidate_lookup, and candidate_check applications. Anonymous lookup possible by separating precompute/check phases from table lookup.

Hunt for NTLMv1 authentication events in network traffic and Windows logs - this dramatically lowers the barrier for NT hash recovery from legacy protocols.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044854071228543017</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044854071228543017">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 19:02:57 +0000</pubDate>
      <guid isPermaLink="false">2044854071228543017</guid>
    </item>
    <item>
      <title>Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin</title>
      <link>https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-ninja-forms-file-upload-plugin/</link>
      <description>Critical file upload flaw in Ninja Forms WordPress plugin enables unauthenticated RCE. Mass exploitation began same day as disclosure with 118,600+ blocked attempts across 50,000 installations.

Key technical details:
• CVE-2026-0740, CVSS 9.8 - affects Ninja Forms File Upload ≤3.3.26, patched in 3.3.27
• Missing destination filename validation in NF_FU_AJAX_Controllers_Uploads::handle_upload function
• Attackers upload disguised PHP webshells (PDF/JPG headers) + .htaccess files via path traversal
• Exploitation via POST to /wp-admin/admin-ajax.php?action=nf_fu_upload with malicious multipart form data

Attack methodology:
• Valid file headers (PDF-1.4, GIF89a) bypass source validation while storing as .php extensions
• Path traversal (../../) places shells in webroot outside upload directories
• Webshells use php_uname(), shell_exec(), system() for reconnaissance and command execution
• .htaccess modification forces .txt files to execute as PHP for steganography

DFIR artifacts:
• Check /wp-content/uploads/ and webroot for suspicious .php files with recent timestamps
• Review access logs for nf_fu_upload action from IPs: 124[.]248[.]183[.]139, 152[.]42[.]221[.]239, 124[.]108[.]54[.]86
• Hunt multipart POST requests with mismatched Content-Type headers and destination filenames

Hunt for recent PHP files in WordPress directories with minimal file sizes (&lt;5KB) containing php_uname() or shell_exec() functions.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044838973504123277</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044838973504123277">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 18:02:57 +0000</pubDate>
      <guid isPermaLink="false">2044838973504123277</guid>
    </item>
    <item>
      <title>Payouts King Takes Aim at the Ransomware Throne</title>
      <link>https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne</link>
      <description>Payouts King ransomware emerges from BlackBasta's ashes as former affiliates pivot to new operation. Analysis reveals sophisticated evasion techniques including direct syscalls, custom obfuscation algorithms, and selective file encryption targeting high-value data.

Key technical details:
• Uses 4,096-bit RSA + 256-bit AES-CTR encryption with custom CRC32 algorithm (poly: 0xBDC65592) for string obfuscation
• Implements direct syscalls to bypass EDR hooks when terminating 131+ AV/EDR processes (ZwTerminateProcess, ZwOpenProcess)
• Persistence via Mozilla-themed scheduled tasks: \Mozilla\UpdateTask and \Mozilla\ElevateTask (T1053.005)
• Partial encryption strategy: files &gt;10MB split into 13 blocks with 50% encrypted per block for performance
• Anti-sandbox evasion requires -i parameter with valid CRC checksum to execute encryption

Attack methodology:
• Initial access via spam bombing + vishing calls impersonating IT staff (T1566.001)
• Victims tricked into Microsoft Teams calls and Quick Assist remote access (T1219)
• Drops .ZWIAAW extension on encrypted files, readme_locker.txt ransom note
• Clears shadow copies, event logs, and recycle bin for anti-forensics (T1070)

Hunt for schtasks.exe creating Mozilla-named tasks, SetFileInformationByHandle API calls for file renaming, and processes making direct syscalls to ntdll without standard API wrappers.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044823891101515794</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044823891101515794">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 17:03:01 +0000</pubDate>
      <guid isPermaLink="false">2044823891101515794</guid>
    </item>
    <item>
      <title>Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise</title>
      <link>https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/</link>
      <description>Microsoft Threat Intelligence exposes North Korean 🇰🇵 Sapphire Sleet's sophisticated macOS campaign targeting crypto users through fake Zoom updates. Attack bypasses all native macOS protections via social engineering and user-initiated execution.

Technical breakdown:
• Initial access: Malicious .scpt file ("Zoom SDK Update.scpt") with hidden AppleScript payload below thousands of blank lines
• Execution chain: Cascading curl-to-osascript commands with campaign tracking user-agents (mac-cur1 through mac-cur5)
• TCC bypass: Manipulates ~/Library/Application Support/com.apple.TCC/TCC.db via Finder to grant AppleEvents permissions silently
• Credential theft: Fake systemupdate.app presents authentic macOS password dialog, validates via dscl, exfiltrates to Telegram Bot API
• Persistence: Multiple backdoors (com.apple.cli, services/icloudz, com.google.chromes.updaters) with launch daemon masquerading as legitimate services

Data exfiltration targets:
• Cryptocurrency wallets (Ledger, Exodus, browser extensions for Sui, Phantom, TronLink, Coinbase, OKX)
• Browser credentials, cookies, keychains across Chrome/Brave/Arc
• Telegram Desktop sessions enabling account takeover
• SSH keys, shell history, Apple Notes for lateral movement

Hunt for unsigned binaries in Library directories, monitor TCC database modifications, and block .scpt execution from untrusted sources. Full IOCs and hunting queries provided.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044808896146014454</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044808896146014454">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 16:03:27 +0000</pubDate>
      <guid isPermaLink="false">2044808896146014454</guid>
    </item>
    <item>
      <title>Android Bankers: 4 Campaigns In A Row</title>
      <link>https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row</link>
      <description>Zimperium exposes four sophisticated Android banking trojan campaigns actively targeting 800+ financial, crypto, and social media apps with advanced multi-stage infection chains and near-zero detection rates.

Key technical details:
• RecruitRat, SaferRat, Astrinox, and Massiv families use Session Installation API abuse to bypass Android sideloading restrictions (T1626.001)
• Multi-stage droppers hide payloads in res/assets directories, using DexClassLoader for runtime DEX loading
• APK tampering at ZIP level with unsupported compression methods crashes standard analysis tools (APKTool, JADX)
• Overlay attacks harvest device PINs and inject HTML phishing pages for 700+ targeted apps
• Advanced evasion: AES/GCM encrypted payloads, RC4-encrypted C2 traffic, root/AV detection checks

Attack methodology:
• Initial access via phishing sites mimicking job platforms, streaming services, and app stores
• Persistence through Accessibility Services abuse, invisible app icons, and anti-delete mechanisms
• Real-time screen capture via MediaProjection API provides "virtual seat" access to attackers
• Dynamic overlay injection synchronized with legitimate app launches intercepts credentials and 2FA tokens

DFIR artifacts:
• Monitor Session Installation API calls from non-system processes
• Hunt for apps requesting Accessibility Services + SYSTEM_ALERT_WINDOW permissions
• Detect WebView overlay activities with suspicious HTML injection patterns

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044793645463933236</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044793645463933236">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 15:02:51 +0000</pubDate>
      <guid isPermaLink="false">2044793645463933236</guid>
    </item>
    <item>
      <title>ClickFix Phishing Campaign Masquerading as a Claude Installer</title>
      <link>https://www.rapid7.com/blog/post/ve-clickfix-phishing-campaign-fake-claude-installer</link>
      <description>New ClickFix campaign targets EU/US organizations using fake Claude AI installer, delivering multi-stage PowerShell payload through sophisticated obfuscation layers. Rapid7 MDR detected initial compromise via Windows Run utility monitoring, preventing full infection chain.

Key technical details:
• Initial vector: mshta execution via `download-version[.]1-5-8[.]com/claude.msixbundle`
• Masquerades as MSIX bundle but contains embedded HTA with VBS obfuscation
• Multi-stage PowerShell chain: AMSI bypass → process injection → encrypted shellcode
• Uses MD5 hash of COMPUTERNAME+USERNAME for C2 URL generation
• Final payload: Information stealer targeting stored credentials

Attack methodology:
• Leverages ClickFix social engineering to trick users into running malicious commands
• Commands stored in RunMRU registry key (tracks last 26 Run utility executions)
• PowerShell stages progressively deobfuscate using custom routines and XOR encryption
• Process injection via .NET interop: NtAllocateVirtualMemory → NtCreateThreadEx

DFIR artifacts:
• Monitor HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• Look for mshta with suspicious URLs in process command lines
• PowerShell execution with AMSI bypass attempts (amsiContext overwrite)

IOCs: claude.msixbundle (SHA256: 2b99ade9...), domains oakenfjrod[.]ru, download-version[.]1-5-8[.]com. Hunt for mshta processes with external URLs and review user clipboard history for ClickFix indicators.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044778534581715177</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044778534581715177">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 14:02:48 +0000</pubDate>
      <guid isPermaLink="false">2044778534581715177</guid>
    </item>
    <item>
      <title>From clinics to government: UAC-0247 expands cyber campaign across Ukraine</title>
      <link>https://securityaffairs.com/190875/apt/from-clinics-to-government-uac-0247-expands-cyber-campaign-across-ukraine.html</link>
      <description>CERT-UA exposes UAC-0247's expanded campaign targeting Ukrainian 🇺🇦 clinics and government entities with multi-stage malware for data theft. Active March-April 2026 operation uses AI-generated phishing sites and deploys AGINGFLY, CHROMELEVATOR for browser credential theft.

Attack chain breakdown:
• Initial access: Phishing emails with humanitarian aid lures leading to HTA execution chains
• AGINGFLY C# malware uses AES-CBC encrypted WebSockets, downloads/compiles functions on-the-fly (T1140, T1027)
• CHROMELEVATOR steals Chromium browser credentials, ZAPIXDESK targets WhatsApp data
• SILENTLOOP PowerShell script manages C2 via Telegram with backup mechanisms
• Persistence through scheduled tasks, process injection into RuntimeBroker.exe (T1053.005, T1055)

Lateral movement tools include RUSTSCAN for network scanning, LIGOLO-NG/CHISEL for covert tunneling. Modified WIREGUARD executable deployed XMRIG cryptocurrency miner in one incident.

Block execution of LNK, HTA, JS files and restrict mshta.exe, powershell.exe, wscript.exe to reduce attack surface. Hunt for RuntimeBroker.exe with network connections.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044763404213329957</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044763404213329957">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 13:02:40 +0000</pubDate>
      <guid isPermaLink="false">2044763404213329957</guid>
    </item>
    <item>
      <title>BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory</title>
      <link>https://any.run/cybersecurity-blog/evasive-blob-phishing-detection/</link>
      <description>BlobPhish campaign uses browser blob objects to deliver phishing pages entirely in memory, evading traditional detection. Active since October 2024, targeting Microsoft 365 and major US 🇺🇸 financial institutions with sophisticated evasion techniques.

Key technical details:
• JavaScript loader decodes Base64 payload, creates blob object with `window.URL.createObjectURL()`, forces navigation via hidden anchor, then destroys evidence
• Targets Chase, Capital One, E*TRADE, Charles Schwab, American Express alongside Microsoft 365/OneDrive/SharePoint
• Exfiltration endpoints follow patterns: `/res.php`, `/tele.php`, `/panel.php` with form-data POST requests
• Loader variants: `blob.html`, `blom.html`, `bloji.html`, `emailandpasssss.html` hosted on compromised WordPress sites

Attack chain bypasses URL reputation, proxy logs, and cache-based detection since phishing page exists only as `blob:https://` scheme in browser memory. Campaign spans 18+ months with infrastructure rotation across compromised legitimate sites.

Hunt for POST requests to `*/res.php` or `*/tele.php` endpoints with form-data containing credentials, and monitor for `blob:https://` URLs in browser history. Full YARA rules and IOC list available in report.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044748401846161769</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044748401846161769">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 12:03:03 +0000</pubDate>
      <guid isPermaLink="false">2044748401846161769</guid>
    </item>
    <item>
      <title>PowMix botnet targets Czech workforce</title>
      <link>https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/</link>
      <description>Cisco Talos uncovers PowMix botnet targeting Czech 🇨🇿 workforce since December 2025. Uses AMSI bypass, randomized C2 beaconing, and mimics legitimate REST API calls to evade network detection.

Technical breakdown:
• Initial access via phishing ZIP containing malicious LNK file executing PowerShell loader
• AMSI bypass through reflection technique targeting AmsiUtils.amsiInitFailed field
• Persistence via scheduled task with randomized hex names (e.g., "289c2e236761") executing daily at 11:00 AM
• C2 communication uses jittered intervals (0-261s, then 1075-1450s) with encrypted heartbeat data in URL paths
• Bot ID generation via CRC32 checksum of Windows ProductID + config hash

Attack artifacts:
• ZIP marker delimiter "zAswKoK" for payload extraction
• Registry query: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductID)
• Mutex creation: "Global\[BotID]" prevents multiple instances
• XOR keys: HpSWSb, qDQyxQE, bKUxmhyAe, HymzqLse, KsEYwmgSF, ujCPOEPU
• Commands: (self-delete), (C2 migration)

Hunt for scheduled tasks with hex-only names executing explorer.exe with LNK arguments, and PowerShell processes with AMSI bypass indicators. Full IOCs and detection rules available.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044733320651559042</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044733320651559042">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 11:03:08 +0000</pubDate>
      <guid isPermaLink="false">2044733320651559042</guid>
    </item>
    <item>
      <title>A fake Slack download is giving attackers a hidden desktop on your machine</title>
      <link>https://www.malwarebytes.com/blog/threat-intel/2026/04/a-fake-slack-download-is-giving-attackers-a-hidden-desktop-on-your-machine</link>
      <description>Fake Slack installer from typosquatting domain deploys invisible HVNC backdoor, creating hidden desktop session for financial fraud operations. Legitimate Slack installation runs as decoy while loader injects into explorer.exe.

Technical breakdown:
• Dropper `slack-4-49-81.exe` writes two files: `slack.tmp` (legitimate Squirrel installer) and `svc.tmp` (519KB loader with randomized PE sections)
• Loader contacts C2 at `94[.]232[.]46[.]16:8081`, downloads encrypted HVNC payload to shared memory
• Section-based injection into explorer.exe using NtCreateSection/NtCreateThreadEx APIs (T1055.011)
• HVNC creates invisible desktop session for covert browser access and account manipulation
• Anti-analysis via debugger detection, dynamic API resolution, minimal import table

Forensic artifacts:
• Registry persistence: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack` (matches legitimate Slack)
• Temp files: `loader_log.txt`, `wmiprvse_*.tmp` pattern for payload storage
• Process injection into explorer.exe detectable via ETW or memory analysis

Hunt for unsigned executables with randomized section names making network connections during Slack installation timeframe.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044718057847656466</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044718057847656466">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 10:02:29 +0000</pubDate>
      <guid isPermaLink="false">2044718057847656466</guid>
    </item>
    <item>
      <title>MiningDropper Turns Android Apps Into Multi-Stage Malware Delivery Systems</title>
      <link>https://thecyberexpress.com/miningdropper-android-malware/</link>
      <description>New MiningDropper framework turns Android apps into multi-stage delivery systems for miners, RATs, and banking trojans. Over 1,500 samples observed with 50% showing minimal AV detection via XOR obfuscation and AES encryption.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044703141179031872</description>
      <category>MALWARE ANALYSIS</category>
      <source url="https://x.com/DFIR_Radar/status/2044703141179031872">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 09:03:12 +0000</pubDate>
      <guid isPermaLink="false">2044703141179031872</guid>
    </item>
    <item>
      <title>Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510)</title>
      <link>https://blog.0patch.com/2026/04/micropatches-released-for-windows-shell.html</link>
      <description>CVE-2026-21510 allowed malicious Windows shortcuts to execute remote DLLs without security warnings, bypassing mark-of-the-web protections. 0patch releases micropatches for legacy Windows systems after wild exploitation confirmed.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044688020171854168</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044688020171854168">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 08:03:07 +0000</pubDate>
      <guid isPermaLink="false">2044688020171854168</guid>
    </item>
    <item>
      <title>CVE-2026-34486: Apache Tomcat Tribes Regression Creates Unauthenticated RCE Path</title>
      <link>https://socradar.io/blog/cve-2026-34486-apache-tomcat-tribes-rce/</link>
      <description>CVE-2026-34486 in Apache Tomcat Tribes creates unauthenticated RCE via regression in EncryptInterceptor - decryption failures now fail open, allowing Java deserialization bypass. Affects 9.0.116, 10.1.53, 11.0.20.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044672711474004367</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044672711474004367">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 07:02:17 +0000</pubDate>
      <guid isPermaLink="false">2044672711474004367</guid>
    </item>
    <item>
      <title>From RAM to revelation: how Windows manages memory and how Volatility reads it</title>
      <link>https://andreafortuna.org/2026/04/16/windows-memory-volatility/</link>
      <description>Deep dive into Windows memory management fundamentals reveals how kernel structures enable memory forensics and why Volatility can reconstruct system state from RAM dumps.

Technical architecture breakdown:
• Virtual memory uses multi-level page tables with CR3 register storing page directory base, enabling per-process address space isolation
• Page Table Entries exist in multiple forensic states: valid (in RAM), transition (evicted but recoverable), demand-zero, pagefile, and prototype
• VAD (Virtual Address Descriptor) trees track memory regions - private executable memory without file backing indicates code injection
• Pool allocations tagged with 4-byte ASCII strings enable structure discovery via pool scanning (e.g., "Proc" for EPROCESS)

Modern Windows complications:
• Memory compression in Windows 10+ stores evicted pages in MemCompression pseudo-process using undocumented SMKM_STORE structures
• KASLR randomizes kernel addresses, requiring heuristic scanning for kernel debugger data block (KDBG) signatures
• Structure layouts change between versions, requiring symbol table updates from Microsoft PDB files

Volatility 3 uses layered architecture with physical→translation→virtual memory mapping, enabling transparent address translation across multiple contexts.

Compare windows.pslist vs windows.psscan output to detect process hiding - any EPROCESS visible in pool scan but missing from active list indicates rootkit activity.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044657647966630273</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2044657647966630273">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 06:02:26 +0000</pubDate>
      <guid isPermaLink="false">2044657647966630273</guid>
    </item>
    <item>
      <title>Critical Nginx-ui MCP Flaw Actively Exploited in the Wild</title>
      <link>https://www.infosecurity-magazine.com/news/nginx-ui-mcp-flaw-actively/</link>
      <description>CVE-2026-33032 (CVSS 9.8) in nginx-ui allows unauthenticated attackers to fully compromise nginx servers via missing auth on /mcp_message endpoint. Over 2,600 public instances identified. Update to v2.3.4 immediately or disable MCP functionality.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044642612305404068</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044642612305404068">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 05:02:41 +0000</pubDate>
      <guid isPermaLink="false">2044642612305404068</guid>
    </item>
    <item>
      <title>Credit Resources Vault: Why this credit email set off our scam alarms</title>
      <link>https://www.malwarebytes.com/blog/news/2026/04/credit-resources-vault-why-this-credit-email-set-off-our-scam-alarms</link>
      <description>Malwarebytes flags credit service email using phishing-style tactics: obfuscated JavaScript, excessive data collection (including full banking details), and $20/week PAD authorization buried in fine print. Targets financially vulnerable victims.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044627403478057245</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2044627403478057245">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 04:02:15 +0000</pubDate>
      <guid isPermaLink="false">2044627403478057245</guid>
    </item>
    <item>
      <title>Critical Nginx UI auth bypass flaw now actively exploited in the wild</title>
      <link>https://www.bleepingcomputer.com/news/security/critical-nginx-ui-auth-bypass-flaw-now-actively-exploited-in-the-wild/</link>
      <description>CVE-2026-33032 in Nginx UI actively exploited for unauthenticated server takeover via unprotected MCP endpoint. 2,600+ exposed instances identified, mostly in China 🇨🇳, US 🇺🇸, Indonesia 🇮🇩, Germany 🇩🇪. Update to v2.3.6 immediately.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044612298644353423</description>
      <category>VULNERABILITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044612298644353423">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 03:02:14 +0000</pubDate>
      <guid isPermaLink="false">2044612298644353423</guid>
    </item>
    <item>
      <title>Ababil of Minab claims cyberattack on LACMTA, exposing risks to rail control systems and critical transit infrastructure</title>
      <link>https://industrialcyber.co/industrial-cyber-attacks/ababil-of-minab-claims-cyberattack-on-lacmta-exposing-risks-to-rail-control-systems-and-critical-transit-infrastructure/</link>
      <description>Pro-Iranian 🇮🇷 group Ababil of Minab claims breach of LACMTA rail systems, showing screenshots of live train control displays and VMware infrastructure managing 1,421 VMs. Verify IT-OT segmentation immediately and audit privileged accounts.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044597815112864088</description>
      <category>ICS/OT SECURITY</category>
      <source url="https://x.com/DFIR_Radar/status/2044597815112864088">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 02:04:41 +0000</pubDate>
      <guid isPermaLink="false">2044597815112864088</guid>
    </item>
    <item>
      <title>DVRIP/Sofia Protocol Dissector for Wireshark (Written in Lua)</title>
      <link>https://infosecwriteups.com/writing-a-wireshark-protocol-dissector-in-lua-eb216d97427f?source=rss----7b722bfd1b8d---4</link>
      <description>New Wireshark dissector written in Lua analyzes DVRIP/Sofia protocol from Xiongmai IP cameras on port 34567/TCP. Tool reconstructs audio/video streams from packet captures and exports to files for analysis.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044582221764272307</description>
      <category>FORENSICS</category>
      <source url="https://x.com/DFIR_Radar/status/2044582221764272307">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 01:02:43 +0000</pubDate>
      <guid isPermaLink="false">2044582221764272307</guid>
    </item>
    <item>
      <title>[Guest Diary] Compromised DVRs and Finding Them in the Wild, (Thu, Apr 16th)</title>
      <link>https://isc.sans.edu/diary/rss/32886</link>
      <description>Massive botnet recruitment campaign targets 5,313 exposed Dahua DVRs globally with 2-second automated compromise chains. Research reveals 202+ confirmed compromised systems actively participating in malicious activity, with actual numbers likely far higher.

Key findings:
• Attack chain uses default credentials (root/root) via Telnet, escalates to Unix shell in ~2 seconds (T1110.001, T1078, T1059.004)
• Staging script tests file systems, creates hidden files in /dev/shm memory filesystem, verifies download capabilities (T1082, T1564.001, T1105)
• Compromised Spanish 🇪🇸 DVR (46[.]6[.]14[.]135) launching attacks since November 2025, firmware unpatched since 2014
• PowerShell reconnaissance script cross-references Shodan hash searches with AbuseIPDB reports to identify active botnet members
• 3.8% infection rate in sample suggests 200+ compromised devices globally, conservative estimate due to 90-day reporting window

Hunt for Telnet connections from DVR/IoT devices to internal networks, monitor for /dev/shm file creation, and baseline network utilities execution. Full PowerShell detection script available in the research.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044567047536054345</description>
      <category>THREAT INTELLIGENCE</category>
      <source url="https://x.com/DFIR_Radar/status/2044567047536054345">DFIR Radar</source>
      <pubDate>Thu, 16 Apr 2026 00:02:25 +0000</pubDate>
      <guid isPermaLink="false">2044567047536054345</guid>
    </item>
    <item>
      <title>Using AI signals within malicious email for attack detection and threat hunting · Blog · Sublime Security</title>
      <link>https://proxied2.sublime.security/blog/using-ai-signals-within-malicious-email-for-attack-detection-and-threat-hunting</link>
      <description>New research reveals AI-generated malicious emails contain detectable fingerprints including verbose code comments, rounded CSS styling, and yellow highlighting artifacts from LLM screenshot processing.

#DFIR_Radar | View on X: https://x.com/DFIR_Radar/status/2044552155772948773</description>
      <category>DETECTION</category>
      <source url="https://x.com/DFIR_Radar/status/2044552155772948773">DFIR Radar</source>
      <pubDate>Wed, 15 Apr 2026 23:03:15 +0000</pubDate>
      <guid isPermaLink="false">2044552155772948773</guid>
    </item>
  </channel>
</rss>