• In October 2025, a significant breach exposed the internal workings of APT35, also known as Charming Kitten, a cyber unit operating within Iran’s Islamic Revolutionary Guard Corps Intelligence Organization.

    Thousands of leaked documents revealed the group’s systematic approach to targeting governments and businesses across the Middle East and Asia.

    The exposure included performance reports, technical guides, and operational records that paint a clear picture of how this state-sponsored group conducts cyber espionage on a large scale.

    The leaked materials show that APT35 operates like a traditional military organization rather than a casual hacker collective.

    DomainTools security analysts identified that the group maintains detailed performance tracking systems, where operators report their work hours, completed tasks, and success rates to supervisors who then compile comprehensive campaign summaries.

    This bureaucratic structure reveals operators working from a centralized facility with badge-in entry systems, fixed work schedules, and formal oversight mechanisms.

    The organization includes specialized teams focused on exploit development, credential harvesting, phishing operations, and real-time mailbox monitoring to gather human intelligence. The attack methods documented in the leaked files are methodical and highly organized.

    DomainTools security researchers noted that APT35 primarily targets Microsoft Exchange servers through ProxyShell exploitation chains combined with Autodiscover and EWS services to extract Global Address Lists containing employee contact information.

    These contact lists become the foundation for targeted phishing campaigns that harvest credentials. Once initial access is gained, the group uses custom-developed tools to establish persistent access and steal additional credentials from computer memory using techniques similar to Mimikatz.

    The stolen information enables the attackers to move laterally through networks and maintain long-term access.

    The geographic scope of the campaign extends across multiple critical regions. Targeted entities include government ministries, telecommunications companies, customs agencies, and energy firms in Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran.

    The leaked documents contain annotated target lists with notes indicating which attacks succeeded and which failed, along with webshell paths used to maintain access.

    The operational focus reveals strategic intelligence collection priorities aligned with Iranian government objectives rather than random opportunistic attacks.

    Access to diplomatic communications, telecom infrastructure, and critical energy sectors provides Tehran with valuable information for geopolitical negotiations and threat assessment.

    Exchange Exploitation and Credential Harvesting Pipeline

    The technical infrastructure supporting APT35’s operations demonstrates sophisticated understanding of enterprise email systems.

    Structural Convergence (Source – Domaintools)

    The group weaponizes Exchange vulnerabilities through a coordinated exploitation sequence that begins with reconnaissance scanning to identify vulnerable servers. Once suitable targets are identified, operators deploy webshells disguised as legitimate system files to establish remote command execution capabilities.

    These webshells, commonly named with the m0s.* pattern, provide interactive command shells that operators access through specially crafted HTTP headers.

    The Python-based client tools used by operators encode commands within Accept-Language headers and use a static token for authentication, creating a covert communication channel that blends with legitimate network traffic.

    Following initial access, the group extracts the Global Address List from Exchange servers, converting email contact information into structured data for subsequent phishing operations.

    Harvested credentials are immediately validated and reused across other systems in the target network.

    The leaked documents describe automated scripts that validate shells and extract mailbox contents without human intervention, demonstrating capability development maturity.

    The entire process follows standardized templates documented in internal playbooks, with success metrics recorded in monthly performance reports.

    This systematic approach to Exchange compromise, credential extraction, and phishing integration illustrates how APT35 transforms technical vulnerabilities into sustainable intelligence collection operations measured by quantifiable output rather than random opportunity.
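The Accept-Language channel and m0s.* webshell names described above give defenders two cheap log-side checks. The script below is an added example (not code from the DomainTools report): it parses constructed access-log lines whose last field is the Accept-Language header and flags requests to m0s.*-named paths or with header values that are not well-formed language ranges.

```python
import re
from typing import Optional

# Constructed access-log lines in Apache "combined" format extended with the
# Accept-Language request header as a final quoted field, i.e. a LogFormat ending
# in \"%{User-Agent}i\" \"%{Accept-Language}i\". Sample data only; these are not
# lines from the leaked APT35 material.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:09:14:02 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "en-US,en;q=0.9"
203.0.113.7 - - [12/Nov/2025:09:14:10 +0000] "POST /aspnet_client/m0s.aspx HTTP/1.1" 200 312 "-" "python-requests/2.31" "Q2hlY2sgZm9yIHdob2FtaSAvYWxs"
198.51.100.9 - - [12/Nov/2025:09:15:44 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0 "-" "Microsoft Office/16.0" "de-DE,de;q=0.8,en;q=0.5"
203.0.113.7 - - [12/Nov/2025:09:16:01 +0000] "POST /owa/auth/m0s.aspx HTTP/1.1" 200 4096 "-" "python-requests/2.31" "tok=5f3a9c;cmd=d2hvYW1p"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)

# What a browser-generated Accept-Language element looks like: RFC 5646 tags such
# as "en", "en-US", "zh-Hant-TW", or "*", each optionally weighted with ";q=0.8".
LANG_RANGE_RE = re.compile(
    r'^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)'
    r'(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?$'
)

# Webshell file-name pattern reported in the leak ("m0s.*"), e.g. m0s.aspx.
WEBSHELL_NAME_RE = re.compile(r'(?:^|/)m0s\.[A-Za-z0-9]+(?:\?|$)', re.IGNORECASE)


def accept_language_is_wellformed(value: str) -> bool:
    """True when every comma-separated element parses as a language range.
    Known limit: a purely alphabetic blob of eight letters or fewer still passes
    this syntactic check, so pair it with the path check below."""
    value = value.strip()
    if value in ("", "-"):
        return True            # header absent; nothing to judge
    if len(value) > 128:
        return False           # real browser lists are short
    return all(LANG_RANGE_RE.match(part.strip()) for part in value.split(","))


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if WEBSHELL_NAME_RE.search(m["path"]):
        reasons.append("webshell-path")
    if not accept_language_is_wellformed(m["lang"]):
        reasons.append("malformed-accept-language")
    if not reasons:
        return None
    return {"ip": m["ip"], "path": m["path"], "lang": m["lang"], "reasons": reasons}


def scan_log(text: str) -> list:
    """Run analyse_line over every non-empty line and collect the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["path"], ", ".join(finding["reasons"]))
```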


    The post APT35 Hacker Groups Internal Documents Leak Exposes their Targets and Attack Methods appeared first on Cyber Security News.


  • Tenda N300 wireless routers and 4G03 Pro portable LTE devices face severe security threats from multiple command injection vulnerabilities that allow attackers to execute arbitrary commands with root privileges.

    The affected devices currently lack vendor patches, leaving users vulnerable. The vulnerabilities stem from improper handling of user input within critical service functions on these Tenda devices.

    Command Injection Flaws in Tenda N300

    According to CERT/CC, attackers can exploit these flaws through specially crafted HTTP requests to gain complete control over affected routers.

    CVE-2025-13207 affects Tenda 4G03 Pro firmware versions up to and including v04.03.01.44.

    An authenticated attacker can manipulate arguments passed to functions within the /usr/sbin/httpd service.

    CVE ID          Affected Products                                Vulnerability Type  Attack Vector                Impact
    CVE-2025-13207  Tenda 4G03 Pro (firmware ≤ v04.03.01.44)         Command Injection   Network (HTTP, TCP port 80)  Remote Code Execution as root
    CVE-2024-24481  Tenda N300 / 4G03 Pro (firmware ≤ v04.03.01.14)  Command Injection   Network (TCP port 7329)      Remote Code Execution as root

    By sending a crafted HTTP request to TCP port 80, the attacker can execute arbitrary commands as the root user.

    CVE-2024-24481 impacts firmware versions up to v04.03.01.14 and involves improper input handling within an accessible web interface function.

    An authenticated attacker can invoke this function and send a crafted network request to TCP port 7329, resulting in command execution.

    Carnegie Mellon University researchers note that this issue is distinct from CVE-2023-2649. Successful exploitation grants attackers total control of the affected device.

    Once compromised, attackers can modify router configurations, intercept network traffic, deploy malware, or use the device as a central point for further network attacks.

    Given that these are network infrastructure devices, the compromise could affect all connected devices and data passing through the router.

    Since Tenda has not released patches to address these vulnerabilities, the CERT/CC recommends several mitigation steps.

    Users in security-sensitive environments should consider replacing affected devices with alternative routers from other vendors.

    If immediate replacement is not possible, minimize the device’s exposure by limiting network access and restricting usage where feasible.

    Users should regularly monitor Tenda’s official website and security advisories for potential firmware updates or patches.

    The vulnerabilities were publicly disclosed on November 20, 2025, and vendor remediation remains unavailable at this time.


    The post Tenda N300 Vulnerabilities Let Attacker to Execute Arbitrary Commands as Root User appeared first on Cyber Security News.


  • Security researchers at K7 Labs have uncovered a sophisticated phishing campaign targeting Brazilian users that exploits WhatsApp Web to distribute malware and steal sensitive financial information. The attack leverages open-source WhatsApp automation scripts combined with banking trojans, spreading silently through victims’ contacts while harvesting logs, credentials, and personal data. The campaign, identified as part of […]

    The post Hackers Leveraging WhatsApp to Silently Harvest Logs and Contact Details appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Large language models like GPT-3.5-Turbo and GPT-4 are transforming how we work, but they are also opening doors for cybercriminals to create a new generation of malware.

    Researchers have demonstrated that these advanced AI tools can be manipulated to generate malicious code, fundamentally changing how attackers operate.

    Unlike traditional malware that relies on hardcoded instructions within the program itself, this new approach uses AI to create instructions on the fly, making detection far more challenging for security teams.

    The threat landscape has shifted significantly. Cybercriminals can now use simple tricks called prompt injection to bypass the safety measures built into these AI models.

    By framing requests in specific ways, such as pretending to be a penetration testing tool, attackers convince the models to generate code for dangerous operations like injecting malware into system processes and disabling antivirus software.

    This means future malware could contain almost no detectable code within the binary itself, instead relying on the AI to generate new instructions each time it runs.

    Netskope security analysts identified and documented this emerging threat after conducting comprehensive testing of both GPT-3.5-Turbo and GPT-4.

    Their research revealed that while these language models can indeed be coerced into generating malicious code, there are still significant obstacles preventing fully functional autonomous attacks.

    The security team systematically tested whether the generated code actually works in real environments, uncovering critical limitations that currently protect systems from widespread exploitation.

    Defense Evasion Mechanisms and Code Generation Reliability

    The core challenge for attackers is no longer simply generating malicious code; it is ensuring that the code actually functions reliably on victim machines.

    Netskope researchers specifically examined defense evasion techniques, testing whether GPT models could create scripts to detect virtual environments and sandbox systems where malware analysis typically occurs.

    These scripts are essential because they help malware determine whether it’s running in a controlled testing environment or on a real user’s computer.

    When researchers asked GPT-3.5-Turbo to generate a Python script for process injection and AV termination, the model complied immediately and provided working code.

    However, GPT-4 initially refused this request because its safety guards recognized the harmful intent. The breakthrough came when researchers used role-based prompt injection, essentially asking GPT-4 to assume the role of a defensive security tool.

    Under this framing, the model generated functional code for executing injection and termination commands.

    The practical implication is clear: attackers no longer need to write these dangerous functions manually or risk detection by hiding them in compiled binaries. They can simply request that the AI generate them at runtime.

    However, when Netskope researchers tested whether GPT models could create reliable virtualization detection scripts, the results were disappointing for attackers.

    The AI-generated code performed poorly across different environments, including VMware Workstation, AWS Workspace VDI, and physical systems. Scripts either crashed or returned incorrect results, failing to meet the strict requirements for operational malware.

    This fundamental weakness currently limits the viability of fully autonomous LLM-powered attacks. As AI models continue improving, particularly with emerging versions like GPT-5, these reliability issues will likely diminish, shifting the primary obstacle from code functionality to overcoming increasingly sophisticated safety guardrails within AI systems.


    The post LLMs Tools Like GPT-3.5-Turbo and GPT-4 Fuels the Development of Fully Autonomous Malware appeared first on Cyber Security News.


  • A sophisticated phishing campaign is currently exploiting a subtle typographical illusion to deceive users into surrendering sensitive login credentials. Cybercriminals have registered the domain “rnicrosoft.com,” strategically replacing the letter ‘m’ with the letter combination ‘r’ and ‘n’ to create a near-perfect visual replica of Microsoft’s legitimate domain. This deceptive tactic works because modern browsers and […]
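A defender-side check for the 'rn' versus 'm' trick, added here as an example that is not part of the original post: it reduces a hostname to the shape a reader perceives and compares it against a protected brand list. The protected domains, the extra confusable pairs beyond "rn"/"m", and the two-label registrable-domain rule are assumptions of this example.

```python
from typing import Optional

# Letter sequences that render almost identically in common sans-serif fonts.
# ("rn", "m") is the pair used by rnicrosoft.com; the other two are well-known
# confusables added here as an assumed extension of the same idea.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Digits commonly swapped for look-alike letters (assumed extension).
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o"})

# Brands to protect: an assumed example list, extend it for your own estate.
PROTECTED_DOMAINS = ("microsoft.com", "outlook.com", "office.com")


def skeleton(label: str) -> str:
    """Collapse a DNS label to the shape a human eye perceives."""
    s = label.lower().translate(CONFUSABLE_CHARS)
    for seq, single in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, single)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    country-code second-level domains such as co.uk are not handled here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Skeleton of each protected domain, so legitimate names that themselves
# contain "rn" or "cl" compare against their own normalised form.
_PROTECTED_BY_SKELETON = {skeleton(d): d for d in PROTECTED_DOMAINS}


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain that `host` visually imitates, or None when
    it is unrelated or is the genuine domain (or a subdomain of it)."""
    reg = registrable_domain(host)
    target = _PROTECTED_BY_SKELETON.get(skeleton(reg))
    if target is None or reg == target:
        return None
    return target


if __name__ == "__main__":
    for h in ("login.rnicrosoft.com", "microsoft.com", "0ffice.com", "example.org"):
        print(h, "->", lookalike_of(h))
```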

    The post Attackers Swap ‘m’ with ‘rn’ in Microsoft.com to Trick Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A dangerous malware campaign has surfaced targeting cryptocurrency users through a deceptive Python package hosted on the PyPI repository.

    The threat actors disguised their malicious code within a fake spell-checking tool, mimicking the legitimate pyspellchecker package that boasts over 18 million downloads.

    This supply chain attack represents an evolving threat landscape where attackers exploit trusted software repositories to distribute remote access trojans and credential harvesting tools to unsuspecting developers worldwide.

    The malicious package, designed to steal sensitive cryptocurrency information, employs sophisticated obfuscation techniques and multiple encryption layers to evade detection.

    HelixGuard security researchers identified that the command-and-control infrastructure linked to this operation matches servers previously used in elaborate social engineering campaigns impersonating recruiters.

    This connection reveals a coordinated attack strategy in which threat actors have expanded from direct social engineering to automated distribution via open-source platforms, significantly amplifying their reach and effectiveness within the development community.

    The package has already been downloaded more than 950 times since its deployment. HelixGuard security analysts identified that the malware operates through a staged delivery mechanism, with each phase designed to maintain stealth while progressively gaining deeper control over compromised systems.

    The attackers maintain a particularly troubling focus on extracting cryptocurrency information, reflecting the high financial incentives driving modern malware development and the continued targeting of digital asset holders regardless of their technical expertise.

    Understanding the Multi-Stage Infection Process

    The infection mechanism reveals meticulous engineering aimed at bypassing security detection systems at each step.

    When users install and execute the malicious package, the malware first triggers through a Base64-encoded hidden index file called ma_IN.index.

    This encoded payload gets decoded and executed directly using Python’s exec() function, a technique that avoids writing suspicious code to disk.

    The initial payload connects to an attacker-controlled command and control server at dothebest.store, where it downloads the second-stage malicious code.

    The second-stage payload is the full remote access trojan, capable of executing arbitrary Python commands remotely.

    This backdoor uses XOR encryption for network communications and custom protocol formats to conceal its activities from network monitoring tools.

    The malware suppresses exceptions throughout execution, preventing error messages that might alert security tools or the user.

    Once activated, the backdoor enables complete remote control over the victim’s computer, allowing attackers to harvest cryptocurrency wallets, authentication credentials, and other sensitive data stored on the system.

    Security researchers recommend users immediately review their installed Python packages, update their dependency lists, and remove any suspicious packages.

    Organizations should implement strict dependency scanning in their development pipelines and monitor for connections to the identified command and control addresses at dothebest.store.
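A scanner for the loader pattern described above (a data file such as ma_IN.index holding base64-encoded Python that `__init__.py` decodes and hands to exec()) is one concrete form of the recommended package review. The following is an added example, not HelixGuard's tooling: it never executes package code, only parses it, and the sample package tree it builds is constructed, not the real malware.

```python
import ast
import base64
import re
import tempfile
from pathlib import Path

# A data file that is one base64 blob (whitespace allowed) is a candidate for
# the ma_IN.index pattern: encoded Python that a loader decodes and exec()s.
B64_BODY_RE = re.compile(r"^[A-Za-z0-9+/\s]+={0,2}$")
# Calls that turn bytes-from-somewhere into the argument of exec()/eval().
DECODE_FUNCS = {"b64decode", "b32decode", "a85decode", "decodebytes",
                "unhexlify", "decompress", "read"}

def _called_names(node: ast.AST):
    """Yield the name of every function called anywhere below an AST node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            if isinstance(sub.func, ast.Name):
                yield sub.func.id
            elif isinstance(sub.func, ast.Attribute):
                yield sub.func.attr

def find_dynamic_exec(source: str) -> list:
    """Describe exec()/eval() calls whose argument comes from decoding or file
    reading rather than from a literal. The scanner never runs the code."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return []
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            continue
        feeders = sorted(set(_called_names(node.args[0])) & DECODE_FUNCS)
        if feeders:
            hits.append(f"line {node.lineno}: {node.func.id}() fed by {', '.join(feeders)}")
    return hits

def looks_like_encoded_python(raw: bytes) -> bool:
    """True when a non-.py file is a base64 blob decoding to parseable Python."""
    text = raw.decode("ascii", errors="ignore").strip()
    if len(text) < 32 or not B64_BODY_RE.match(text):
        return False
    try:
        decoded = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
        tree = ast.parse(decoded)
    except (ValueError, UnicodeDecodeError, SyntaxError):
        return False
    return any(isinstance(n, (ast.Call, ast.Import, ast.ImportFrom)) for n in ast.walk(tree))

def scan_package_tree(root: Path) -> list:
    """Walk an installed-packages tree and return (relative path, reason) pairs."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".py":
            for hit in find_dynamic_exec(path.read_text(encoding="utf-8", errors="ignore")):
                findings.append((rel, hit))
        elif path.stat().st_size <= 1_000_000 and looks_like_encoded_python(path.read_bytes()):
            findings.append((rel, "base64 blob decodes to Python source"))
    return findings

def build_constructed_sample() -> Path:
    """Write a constructed site-packages-like tree: one package mimicking the
    ma_IN.index loader and one benign package. Sample data, not the real malware."""
    root = Path(tempfile.mkdtemp(prefix="pkgscan-"))
    bad = root / "fakespell"
    bad.mkdir()
    (bad / "ma_IN.index").write_bytes(base64.b64encode(b"import os\nprint(os.getcwd())\n"))
    (bad / "__init__.py").write_text(
        "import base64, os\n"
        "_p = os.path.join(os.path.dirname(__file__), 'ma_IN.index')\n"
        "exec(base64.b64decode(open(_p, 'rb').read()))\n")
    good = root / "goodpkg"
    good.mkdir()
    (good / "__init__.py").write_text("def check(word):\n    return word.lower()\n")
    (good / "words.txt").write_text("apple\nbanana\ncherry\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_package_tree(build_constructed_sample()):
        print(rel, "->", reason)
```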


    The post Hackers Leverage Malicious PyPI Package to Attack Users and Steal Cryptocurrency Details appeared first on Cyber Security News.


  • Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that’s reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, and Wiz. “The campaign introduces a new variant that executes malicious


  • A new threat known as EtherHiding is reshaping how malware spreads through the internet. Unlike older methods that rely on traditional servers to deliver harmful code, this attack uses blockchain smart contracts to store and update malware payloads.

    The approach makes it harder for security teams to track and stop attackers because the payloads can be changed without modifying the websites where the attack begins.

    The attack starts when a hacker injects malicious code into a legitimate website. This injected code displays a fake CAPTCHA page that looks like a real security check, asking visitors to prove they are human.

    However, instead of clicking a simple checkbox, victims are tricked into copying and pasting code into their terminal or command prompt.

    When they follow these instructions, malware quietly installs onto their computer. The technique takes advantage of user trust and shifts the work of running the code to the victim, which helps the malware avoid detection by security tools that watch for automatic malware execution.

    Censys security analysts identified this attack pattern while monitoring websites that hosted fake CAPTCHA lures across multiple domains.

    Fake CAPTCHA lure (Source – Censys)

    During their investigation, researchers discovered an EtherHiding chain that combined blockchain storage, platform-specific malware selection, and social engineering into a complete attack workflow.

    The findings revealed how this new approach creates a more flexible and harder-to-track delivery system compared to older methods that used fixed server addresses.

    The malware payloads delivered through EtherHiding campaigns typically include commodity stealers like Amos Stealer and Vidar, which are designed to harvest credentials and sensitive information from infected machines.

    By combining decentralized staging infrastructure, fake security overlays, and manual user execution, the attackers remove many predictable patterns that defenders traditionally rely on to identify threats.

    Blockchain-Powered Payload Delivery Mechanics

    The way EtherHiding delivers malware shows how decentralized technology changes attack infrastructure. When a victim visits a compromised website, their browser automatically loads a Base64-encoded JavaScript snippet hidden in the HTML.

    This snippet decodes into obfuscated code that contacts smart contracts on the Binance Smart Chain testnet using a function named load_().

    The contracts return hex-encoded data that the browser decodes into executable JavaScript, which then determines the victim’s operating system and fetches the appropriate malware version.

    The attack uses two distinct contracts to fetch Windows or macOS-specific payloads. For Windows systems, the code connects to contract 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff, while macOS victims are directed to 0x68DcE15C1002a2689E19D33A3aE509DD1fEb11A5.

    macOS specific Click-Fix lure (Source – Censys)

    Before delivering the final payload, the attack passes through a control contract at 0xf4a32588b50a59a82fbA148d436081A48d80832A that validates each victim using a unique identifier stored in a persistent cookie.

    This gating mechanism allows attackers to selectively enable or disable malware delivery for specific victims simply by changing blockchain data, without touching the compromised website.

    Once cleared by the gating contract, the victim sees a platform-specific fake CAPTCHA with instructions tailored to their operating system.

    The JavaScript automatically copies malicious commands to the clipboard, and victims are instructed to paste the commands into Terminal on macOS or the Run dialog on Windows.

    This manual execution step creates a significant detection gap because no automatic malware behavior occurs—the victim themselves triggers the installation process.

    On macOS, the payload uses AppleScript and curl commands to download and execute a full-featured agent. This agent creates persistence using LaunchAgent plist files and retrieves its command-and-control server address from Telegram or Steam profiles by scraping specific HTML elements.

    The malware then harvests the user’s plaintext password by displaying a fake System Preferences dialog, synchronizes the stolen credentials with the attacker’s server, and enters a polling loop to receive and execute arbitrary shell commands every thirty seconds.

    The combination of blockchain smart contracts, fake CAPTCHA social engineering, and local code execution represents a significant shift in attacker tactics.

    By moving payload storage onto decentralized infrastructure and removing the need for automatic execution, EtherHiding creates an attack model that is flexible, difficult to predict, and resistant to many traditional security detection methods.

    Organizations should monitor for websites displaying fake CAPTCHA overlays and remain vigilant about clipboard activity linked to terminal commands, as these warning signs can help catch this emerging threat before installation occurs.
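For the web side of that monitoring, a page scanner can decode the Base64-wrapped inline script the article describes and look for the three contract addresses and the load_() reader inside it. The script below is an added example, not Censys tooling; the generic JSON-RPC and clipboard markers and the constructed sample page are assumptions of the example.

```python
import base64
import re
from html.parser import HTMLParser

# Indicators taken from the Censys write-up above: the three contract addresses
# and the load_() reader. The remaining markers are generic ClickFix/JSON-RPC
# strings added here as assumptions.
CONTRACT_IOCS = {
    "0x46790e2ac7f3ca5a7d1bfce312d11e91d23383ff": "windows-payload-contract",
    "0x68dce15c1002a2689e19d33a3ae509dd1feb11a5": "macos-payload-contract",
    "0xf4a32588b50a59a82fba148d436081a48d80832a": "victim-gating-contract",
}
BEHAVIOUR_MARKERS = {
    "load_(": "load_-contract-reader",
    "eth_call": "json-rpc-contract-call",
    "clipboard.writetext": "clipboard-write",
    "execcommand('copy')": "clipboard-write",
}
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

class _ScriptCollector(HTMLParser):
    """Gather the body of every inline <script> element, in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inside = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False
    def handle_data(self, data):
        if self._inside:
            self.scripts[-1] += data

def decoded_layers(script: str, max_depth: int = 3) -> list:
    """The script text plus every base64 token in it that decodes to UTF-8 text,
    followed recursively because loaders nest atob() inside atob()."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for tok in B64_TOKEN_RE.findall(text):
                try:
                    found.append(base64.b64decode(tok, validate=True).decode("utf-8"))
                except (ValueError, UnicodeDecodeError):
                    continue          # not base64 (e.g. a 42-char hex address)
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers

def scan_html(html: str) -> list:
    """One finding per inline script that, at any decoding depth, references a
    known contract or a ClickFix behaviour marker."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for index, script in enumerate(collector.scripts):
        hits = set()
        for layer in decoded_layers(script):
            low = layer.lower()
            hits.update(v for k, v in CONTRACT_IOCS.items() if k in low)
            hits.update(v for k, v in BEHAVIOUR_MARKERS.items() if k in low)
        if hits:
            findings.append({"script": index, "indicators": sorted(hits)})
    return findings

def build_constructed_page() -> str:
    """A constructed page: two harmless scripts and one injected loader hiding
    its logic behind atob(). Sample data, not a real compromised site."""
    inner = ('var c="0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff";'
             'var js=load_(c);navigator.clipboard.writeText(js);')
    blob = base64.b64encode(inner.encode()).decode()
    return ('<html><head><script src="/jquery.js"></script>'
            '<script>console.log("ready");</script></head>'
            f'<body><p>Hello</p><script>eval(atob("{blob}"));</script></body></html>')

if __name__ == "__main__":
    print(scan_html(build_constructed_page()))
```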


    The post New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads appeared first on Cyber Security News.


  • An India-aligned advanced persistent threat group known as Dropping Elephant has launched sophisticated cyberattacks against Pakistan’s defense sector using a newly developed Python-based backdoor delivered through an MSBuild dropper. The campaign demonstrates significant evolution in the threat actor’s tactics, techniques, and procedures, combining living-off-the-land binaries with custom malware to evade detection and establish persistent access […]

    The post Elephant Group Launches Defense Sector Attacks Using MSBuild-Delivered Python Backdoor appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The ToddyCat APT group has developed new ways to access corporate email communications at target organizations.

    Email remains the main way companies handle business communications, whether through their own servers like Microsoft Exchange or through cloud services such as Microsoft 365 and Gmail.

    Many believe that cloud services provide better protection for company communications. Even when attackers break into a company’s network, email data stays in the cloud and appears safe.

    However, the ToddyCat group has found ways around this assumption.

    The group has evolved its methods to secretly access internal employee communications at targeted companies. Recent attacks took place during the second half of 2024 and early 2025.

    These operations show how the attackers moved from traditional methods to new approaches that help them avoid detection.

    TomBerBil’s PowerShell flowchart (Source – Securelist)

    Their latest technique uses a user’s browser to steal OAuth 2.0 tokens, which then allow access to corporate email from outside the breached network.

    Securelist security researchers identified these new attack methods and documented how ToddyCat changed its approach over time.

    The group created tools that work quietly in the background, stealing authentication information and email data without triggering many security alerts.

    The researchers found that ToddyCat has been constantly testing and improving its techniques to stay ahead of security teams.

    Browser Data Theft Through Network Connections

    The group updated its TomBerBil tool with a PowerShell version that works differently from earlier versions. This new version runs on domain controllers with high-level privileges and reaches browser files across the network over the SMB protocol.

    The tool collects data from Chrome, Edge, and Firefox browsers. It starts by reading a list of computer names from a file and then connects to each one through network shares.

    Scheme of using the TCSectorCopy and XstReader tools (Source – Securelist)

    The script creates folders to organize the stolen data and copies important browser files including Login Data, which stores saved passwords, Local State with encryption keys, Cookies files, and browsing History.

    For Firefox, it grabs similar files like key3.db, signons.sqlite, key4.db, and logins.json from user profile folders. The tool also copies DPAPI encryption keys that Windows uses to protect user data.

    The command to launch the tool looks like this:

    powershell -exec bypass -command "c:\programdata\ip445.ps1"

    The PowerShell script builds paths to files using this approach:

    # UNC path to the admin share of each host read from the list ($myhost)
    $cpath = "\\{0}\c$\users\" -f $myhost
    # $item is one user profile directory enumerated under $cpath;
    # $dstFileName is the per-host destination folder the script prepared earlier
    $loginDataPath = $item.FullName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    copy-item -Force -Path $loginDataPath -Destination $dstFileName

    With these stolen keys and user information, attackers can decrypt all the browser data on their own systems. The SMB protocol connections make the theft harder to spot because network file access appears normal in many environments.
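Because the copies travel over admin shares, Windows detailed file-share auditing (Security event 5145) records each read with the share-relative path, which makes the pattern above huntable. The following is an added example, not from the Securelist write-up: it groups constructed 5145 records by remote address and account and flags a source that sweeps browser credential stores across several hosts or takes both the stores and the DPAPI keys that unlock them.

```python
import re
from collections import defaultdict

# Profile files named in the Securelist analysis above, keyed by what their
# theft yields once the matching DPAPI keys are also taken.
SENSITIVE_FILES = {
    "login data": "browser-credential-store",   # Chromium saved passwords
    "local state": "browser-credential-store",  # key protecting them
    "key3.db": "browser-credential-store",       # Firefox key stores
    "key4.db": "browser-credential-store",
    "signons.sqlite": "browser-credential-store",
    "logins.json": "browser-credential-store",
    "cookies": "browser-session-data",
    "history": "browser-session-data",
}
DPAPI_DIR_RE = re.compile(r"/appdata/roaming/microsoft/protect/")

def classify_target(relative_target: str):
    """Map the share-relative path from event 5145 to a data category, or None."""
    p = relative_target.replace("\\", "/").lower()
    if "/appdata/" not in p:
        return None                 # only profile data matters here
    if DPAPI_DIR_RE.search(p):
        return "dpapi-master-key"
    return SENSITIVE_FILES.get(p.rsplit("/", 1)[-1])

def hunt_browser_data_theft(events: list) -> dict:
    """Group detailed file-share events (ID 5145) on admin shares by remote
    address and account; mark a source suspicious when it reaches into two or
    more hosts, or takes both credential stores and the DPAPI keys."""
    by_source = defaultdict(lambda: {"hosts": set(), "categories": set(), "files": 0})
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").endswith("$"):
            continue
        category = classify_target(ev.get("RelativeTargetName", ""))
        if category is None:
            continue
        entry = by_source[(ev["IpAddress"], ev["SubjectUserName"])]
        entry["hosts"].add(ev["Computer"])
        entry["categories"].add(category)
        entry["files"] += 1
    for entry in by_source.values():
        entry["suspicious"] = (len(entry["hosts"]) >= 2 or
            {"browser-credential-store", "dpapi-master-key"} <= entry["categories"])
    return dict(by_source)

def _ev(ip, user, computer, target, event_id=5145, share="\\\\*\\C$"):
    """Build one record in the shape of a JSON-exported Security event."""
    return {"EventID": event_id, "IpAddress": ip, "SubjectUserName": user,
            "Computer": computer, "ShareName": share, "RelativeTargetName": target}

CHROME = "AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
# Constructed sample events: one address (think: the domain controller the
# script runs on) sweeping three workstations, plus two unrelated admin-share
# reads and one non-5145 event. All hosts, users and addresses are invented.
SAMPLE_EVENTS = [
    _ev("10.0.0.10", "svc_dc", "WS01", "Users\\alice\\" + CHROME + "Login Data"),
    _ev("10.0.0.10", "svc_dc", "WS01", "Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"),
    _ev("10.0.0.10", "svc_dc", "WS02", "Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"),
    _ev("10.0.0.10", "svc_dc", "WS02", "Users\\bob\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1\\abc"),
    _ev("10.0.0.10", "svc_dc", "WS03", "Users\\carol\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cookies"),
    _ev("10.0.0.55", "helpdesk", "WS01", "Users\\alice\\Documents\\report.docx"),
    _ev("10.0.0.77", "backup", "WS03", "Users\\carol\\" + CHROME + "History"),
    _ev("10.0.0.77", "backup", "WS03", "Users\\carol\\" + CHROME + "History", event_id=4663),
]

if __name__ == "__main__":
    for (ip, user), summary in hunt_browser_data_theft(SAMPLE_EVENTS).items():
        print(ip, user, sorted(summary["hosts"]), summary["suspicious"])
```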


    The post ToddyCat APT Accessing Organizations Internal Communications of Employees at Target Companies appeared first on Cyber Security News.
