South Korean internet users are being targeted by a sophisticated phishing campaign attributed to the North Korean threat actor known as Kimsuky. The malicious emails, masquerading as official notices from the National Tax Service (NTS), inform recipients of a “September Tax Return Payment Due Notice” and urge them to click a link to view an […]
Microsoft is rolling out AI-powered actions in File Explorer, allowing users to interact with files more deeply without leaving the folder view. By right-clicking any supported file, a new “AI actions” menu entry will appear. From there, users can choose various editing and Copilot-powered features, all while staying in their workflow. Seamless AI Actions on Right-Click […]
A recent analysis of a Windows kernel-memory dump has provided a detailed look into a DRIVER_POWER_STATE_FAILURE, a critical error that results in a Blue Screen of Death (BSOD).
The investigation reveals how a single malfunctioning driver can cause a system-wide deadlock, ultimately forcing the operating system to crash.
The failure, identified by the bugcheck code 0x9F, was traced back to the rassstp.sys driver, a component responsible for handling Secure Socket Tunneling Protocol (SSTP) VPN connections.
The debugging session began by examining the system state at the time of the crash. The !analyze -v command, a powerful diagnostic tool in the Windows Debugger, quickly identified the DRIVER_POWER_STATE_FAILURE.
This error signifies that a driver failed to respond to a power-related I/O Request Packet (IRP) within the designated time frame. In this case, the timeout was set to 300 seconds.
The first argument of the bugcheck indicated that the timeout occurred while the system was waiting to synchronize with the Plug and Play (PnP) subsystem.
The PnP manager is responsible for coordinating the addition, removal, and management of hardware and drivers. The third argument pointed to the specific thread that was holding onto the PnP lock, preventing other system processes from proceeding.
Tracing The Root Cause
The researcher's further investigation into the faulting thread revealed that it was a PnP device-event worker running inside the System process.
This worker thread was tasked with processing a “surprise removal” of the WAN Miniport (SSTP) network adapter. During this process, the thread acquired an exclusive lock on the PnP engine (PiEngineLock) to ensure the removal could proceed without interference.
However, the process stalled when the worker thread called upon the rassstp.sys driver to perform its part of the device removal. The driver failed to complete the operation and never signaled back to the worker thread that it was finished.
As a result, the worker thread remained in a waiting state, holding the critical PiEngineLock for the entire 300-second timeout period. The failure of the rassstp.sys driver to release the worker thread created a domino effect across the system.
With the PiEngineLock held indefinitely, other essential system operations that required access to the PnP subsystem were blocked. The analysis identified three other threads that were waiting for this lock.
Most critically, one of the waiting threads belonged to wininit.exe, a core Windows process responsible for system startup and shutdown.
This thread was attempting to execute a system shutdown by transitioning the system’s power state. To do this, it needed to acquire the PiEngineLock to notify all devices of the impending power change.
Since the stalled PnP worker already held the lock, the shutdown process was completely halted. This deadlock scenario, where the system could neither complete the device removal nor initiate a shutdown, left the operating system with no choice but to trigger a bugcheck to prevent further instability.
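The wait chain described above, modelled as an added example (not part of the researcher's analysis): the 0x9F argument layout follows Microsoft's bugcheck reference, while the thread records, names and the "IRP:rassstp.sys" wait marker are constructed to mirror the dump.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Arg1 meanings for DRIVER_POWER_STATE_FAILURE (0x9F), from Microsoft's bugcheck
# reference. For Arg1 == 4, Arg2 is the time-out in seconds and Arg3 the thread
# that holds the PnP lock, which is exactly the case in the dump described above.
ARG1_MEANING = {
    0x1: "device object freed while a power IRP was still outstanding",
    0x2: "device completed a system power IRP without calling PoStartNextPowerIrp",
    0x3: "a device object has been blocking a power IRP for too long",
    0x4: "power transition timed out waiting to synchronize with the PnP subsystem",
}


def decode_9f(arg1: int, arg2, arg3, arg4) -> Dict[str, object]:
    """Lay out the four bugcheck arguments according to Arg1."""
    info: Dict[str, object] = {"arg1": arg1,
                               "meaning": ARG1_MEANING.get(arg1, "unknown Arg1 value")}
    if arg1 == 0x4:
        info["timeout_seconds"] = arg2   # how long the power IRP waited for PnP
        info["pnp_lock_holder"] = arg3   # thread to inspect next with !thread
    elif arg1 == 0x3:
        info["pdo"] = arg2               # physical device object of the stack
        info["blocked_irp"] = arg4       # IRP to inspect next with !irp
    return info


@dataclass
class Thread:
    name: str
    process: str
    holds: Set[str] = field(default_factory=set)   # locks this thread owns
    waits_for: Optional[str] = None                # lock or I/O it is blocked on


def wait_for_graph(threads: List[Thread]) -> Dict[str, Optional[str]]:
    """Map each blocked thread to the thread owning what it waits for.
    A wait on something no thread owns (an IRP stuck in a driver) maps to None."""
    owner = {lock: t.name for t in threads for lock in t.holds}
    return {t.name: owner.get(t.waits_for) for t in threads if t.waits_for}


def blocked_behind(threads: List[Thread], holder: str) -> Set[str]:
    """Every thread that cannot run until `holder` releases what it owns."""
    graph = wait_for_graph(threads)
    blocked: Set[str] = set()
    frontier = {holder}
    while frontier:
        frontier = {w for w, b in graph.items() if b in frontier and w not in blocked}
        blocked |= frontier
    return blocked


def root_blocker(threads: List[Thread], name: str) -> str:
    """Follow the wait chain from `name` to the thread whose wait lies outside
    the lock graph, i.e. the one stuck inside a driver call."""
    graph = wait_for_graph(threads)
    seen: Set[str] = set()
    while graph.get(name) is not None and name not in seen:
        seen.add(name)
        name = graph[name]
    return name


# Constructed thread records mirroring the dump: the PnP worker owns PiEngineLock
# and waits on a removal IRP that rassstp.sys never completes; the wininit.exe
# shutdown thread and two other threads wait for the lock.
THREADS = [
    Thread("PnpDeviceEventWorker", "System", {"PiEngineLock"}, "IRP:rassstp.sys"),
    Thread("ShutdownThread", "wininit.exe", set(), "PiEngineLock"),
    Thread("PnpWaiterA", "System", set(), "PiEngineLock"),
    Thread("PnpWaiterB", "svchost.exe", set(), "PiEngineLock"),
]


def triage() -> Dict[str, object]:
    """Combine the bugcheck decode with the wait-chain walk."""
    bug = decode_9f(0x4, 300, "PnpDeviceEventWorker", "nt!TRIAGE_9F_PNP")
    holder = str(bug["pnp_lock_holder"])
    return {
        "meaning": bug["meaning"],
        "timeout_seconds": bug["timeout_seconds"],
        "lock_holder": holder,
        "holder_waits_on": next(t.waits_for for t in THREADS if t.name == holder),
        "blocked_threads": sorted(blocked_behind(THREADS, holder)),
        "shutdown_root_blocker": root_blocker(THREADS, "ShutdownThread"),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```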
A sophisticated cyber attack has emerged targeting organizations through a malicious impersonation of DeskSoft’s legitimate EarthTime application, deploying multiple malware families in a coordinated ransomware operation.
The attack represents a concerning evolution in threat actor tactics, demonstrating how legitimate software can be weaponized to establish persistent access across enterprise networks.
The intrusion begins when unsuspecting users download and execute what appears to be the genuine EarthTime world clock utility by DeskSoft. However, the malicious executable instead deploys SectopRAT malware, establishing an initial command and control channel.
EarthTime malicious version (Source – The DFIR Report)
This deceptive approach exploits users’ familiarity with legitimate software, making the attack particularly effective at bypassing initial security awareness measures.
The attack demonstrates remarkable technical sophistication, with threat actors deploying multiple malware families including SystemBC for proxy tunneling and the Betruger backdoor for additional capabilities.
The DFIR Report analysts identified connections to three major ransomware operations – Play, RansomHub, and DragonForce – suggesting the involvement of a cross-group affiliate operating across multiple ransomware-as-a-service platforms.
Following initial compromise, the attackers establish persistence through startup folder shortcuts and create local administrative accounts for sustained access.
Attack chain (Source – The DFIR Report)
The malware chain includes reconnaissance tools such as AdFind, SharpHound, and SoftPerfect NetScan, enabling comprehensive environment mapping before lateral movement activities commence.
The attack’s primary lateral movement mechanism relies heavily on Remote Desktop Protocol connections, supplemented by Impacket’s wmiexec utility.
This combination allows attackers to traverse network segments while maintaining operational security through SystemBC’s proxy capabilities, effectively masking their true network origins.
Advanced Persistence and Evasion Mechanisms
The malware demonstrates sophisticated defense evasion techniques that significantly complicate detection and remediation efforts.
The initial EarthTime.exe executable employs process injection to compromise legitimate Windows processes, specifically targeting MSBuild.exe for payload execution.
This technique allows the malware to execute within the context of a trusted Microsoft binary, potentially evading security solutions that rely on process reputation.
The persistence mechanism operates through a multi-stage approach using Windows Background Intelligent Transfer Service.
The malware relocates itself to C:\Users\<USER>\AppData\Roaming\QuickAgent2\ChromeAlt_dbg.exe, masquerading as a Chrome debugging utility.
Simultaneously, it creates a startup shortcut at C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeAlt_dbg.lnk, ensuring execution persistence across system reboots.
The attack incorporates timestamp manipulation techniques, automatically modifying file creation timestamps to complicate forensic analysis.
Researchers observed the GT_NET.exe binary setting future dates as far as 2037 on generated files, potentially disrupting timeline reconstruction during incident response activities.
Registry modifications target Windows Defender’s core functionality, systematically disabling real-time scanning, behavior monitoring, and network protection features.
These changes occur at the policy level within HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\, ensuring system-wide impact that persists through reboots and affects all user accounts.
The malware employs metadata spoofing to impersonate legitimate security products, with binaries containing falsified version information referencing SentinelOne and Avast Antivirus.
This sophisticated masquerading technique aims to reduce suspicion from both users and automated security systems that may encounter the malicious executables during routine operations.
Data exfiltration occurs through unencrypted FTP connections, enabling network monitoring solutions to capture credentials and transfer details in clear text, providing valuable intelligence for incident response teams investigating similar attacks.
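Hunt logic for the persistence, Defender-tampering, timestomping and vendor-spoofing indicators described above, as an added example that is not The DFIR Report's tooling. Only the two ChromeAlt_dbg paths are quoted from the article; the user name, timestamps, sample.exe, the benign OneDrive entry and the choice of Defender policy values are constructed assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

DEFENDER_POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# Documented Defender policy values that switch protection off. Which of them this
# intrusion set touched is an assumption drawn from the description above.
DEFENDER_DISABLE_VALUES = (
    r"DisableAntiSpyware",
    r"Real-Time Protection\DisableRealtimeMonitoring",
    r"Real-Time Protection\DisableBehaviorMonitoring",
)
STARTUP_DIR = r"\Start Menu\Programs\Startup"
USER_WRITABLE = "\\appdata\\roaming\\"
SECURITY_VENDORS = ("sentinelone", "avast")


def future_dated_files(files: Dict[str, datetime], now: datetime) -> List[Tuple[str, str]]:
    """A creation time later than 'now' can only come from timestomping."""
    return [(path, ts.isoformat()) for path, ts in files.items() if ts > now]


def defender_policy_tampering(registry: Dict[str, int]) -> List[str]:
    """Values under the Defender policy key that are set to 1 (protection off)."""
    return [DEFENDER_POLICY_ROOT + "\\" + v for v in DEFENDER_DISABLE_VALUES
            if registry.get(DEFENDER_POLICY_ROOT + "\\" + v) == 1]


def startup_links_to_user_writable(shortcuts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Startup-folder .lnk files whose target sits in a user-writable AppData path."""
    return [(lnk, target) for lnk, target in shortcuts.items()
            if STARTUP_DIR.lower() in lnk.lower() and USER_WRITABLE in target.lower()]


def vendor_impersonation(binaries: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Version info naming a security vendor that the Authenticode signer does not match."""
    hits = []
    for path, meta in binaries.items():
        company = (meta.get("CompanyName") or "").lower()
        signer = (meta.get("SignerSubject") or "").lower()
        for vendor in SECURITY_VENDORS:
            if vendor in company and vendor not in signer:
                hits.append((path, meta.get("CompanyName") or ""))
    return hits


# Constructed evidence: the shapes of a forensic export, not real collected data.
NOW = datetime(2025, 9, 9, tzinfo=timezone.utc)
FILES = {
    r"C:\Users\alice\AppData\Roaming\QuickAgent2\sample.exe": datetime(2037, 3, 14, tzinfo=timezone.utc),
    r"C:\Windows\System32\kernel32.dll": datetime(2024, 4, 2, tzinfo=timezone.utc),
}
REGISTRY = {
    DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableRealtimeMonitoring": 1,
    DEFENDER_POLICY_ROOT + r"\Real-Time Protection\DisableBehaviorMonitoring": 1,
}
SHORTCUTS = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeAlt_dbg.lnk":
        r"C:\Users\alice\AppData\Roaming\QuickAgent2\ChromeAlt_dbg.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
}
BINARIES = {
    r"C:\Users\alice\AppData\Roaming\QuickAgent2\sample.exe":
        {"CompanyName": "SentinelOne, Inc.", "SignerSubject": None},
    r"C:\Program Files\Avast Software\Avast\AvastSvc.exe":
        {"CompanyName": "Avast Software s.r.o.", "SignerSubject": "CN=Avast Software s.r.o."},
}


def hunt(files=FILES, registry=REGISTRY, shortcuts=SHORTCUTS, binaries=BINARIES, now=NOW):
    """Run every check and return the findings keyed by technique."""
    return {
        "timestomped": future_dated_files(files, now),
        "defender_policy": defender_policy_tampering(registry),
        "startup_persistence": startup_links_to_user_writable(shortcuts),
        "vendor_spoofing": vendor_impersonation(binaries),
    }


if __name__ == "__main__":
    for technique, findings in hunt().items():
        print(technique, findings)
```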
Silver Spring, USA, September 9th, 2025, CyberNewsWire Fast Company today announced its seventh-annual Best Workplaces for Innovators list, recognizing businesses that foster a culture of innovation across all levels. Aembit, the non-human IAM company, earned the No. 43 spot for its breakthroughs in securing workload identities and its pioneering work at the intersection of agentic AI and identity. […]
The security and integrity of police body camera footage underpin the validity of evidence presented in court proceedings. However, a recent investigation into a budget-friendly body camera system revealed that its companion mobile application—Viidure—transmits sensitive device identifiers and user data to cloud servers based in China over a nonstandard TLS port. Such behavior raises pressing […]
Jaguar Land Rover (JLR) has extended the shutdown of its UK factories until at least Wednesday, more than a week after a significant cyber attack crippled its operations.
The production halt, which began after the company detected the breach on August 31, affects its primary car plants in Halewood and Solihull, as well as its Wolverhampton engine facility, with knock-on effects for international sites in Slovakia, China, and India.
In an effort to contain the attack and protect its infrastructure, JLR made the critical decision to shut down its IT systems. While this was a necessary defensive measure, it caused major disruption, immediately halting all vehicle production.
Under normal operating conditions, JLR produces approximately 1,000 vehicles per day, meaning the stoppage has already resulted in a significant loss of output.
Global Production Grinds To A Halt
Production line staff have been instructed to remain at home as the company navigates the crisis. JLR stated it is working around the clock with third-party cybersecurity specialists and law enforcement to restore its networks in a controlled and secure manner.
The company, owned by India’s Tata Motors, has not officially commented on reports suggesting the disruption could extend for several more weeks.
The effects of the shutdown have rippled throughout JLR’s extensive supply chain. Some suppliers have reportedly been forced to tell their own staff not to come into work due to the pause in production orders.
Shaun Adams, who manages car parts supplier Qualplast, previously expressed concern that a lengthy shutdown would force his business to take drastic measures to “future-proof” its operations.
Beyond manufacturing, the attack initially left JLR dealerships unable to register new vehicles or order essential maintenance parts.
Although workarounds are now understood to be in place, the timing was particularly damaging, as the attack coincided with the release of new registration plates on September 1, a traditionally busy period for new car sales.
A group of young, English-speaking hackers has claimed responsibility for the attack in posts on the messaging platform Telegram. This same group was reportedly behind a similar incident involving UK retailer M&S earlier this year.
Security experts told the BBC that, according to reviewed screenshots shared by the hackers, the criminals had gained access to sensitive company information.
It is understood that the group is attempting to extort money from the automotive giant. JLR has acknowledged awareness of the claims and confirmed that an investigation is underway.
The incident highlights the growing threat of financially motivated cyber attacks against major industrial targets.
Security researchers have uncovered a new Android banking trojan, dubbed RatOn, that combines traditional overlay attacks with NFC relay tactics to hijack bank accounts and initiate automated money transfers. Developed from scratch by a threat actor group observed since July 2025, RatOn represents a significant evolution in mobile fraud capabilities. Unlike standalone NFC relay tools […]
External penetration testing is a crucial practice for any organization aiming to validate its security posture against real-world threats.
In 2025, with the proliferation of cloud services, SaaS applications, and remote work, an organization’s external attack surface is larger and more complex than ever.
An external penetration test simulates a real-world cyber attack, targeting public-facing assets like websites, firewalls, and mail servers, to find and exploit vulnerabilities before attackers do.
The best companies in this field combine the expertise of highly skilled human testers with advanced, scalable technology to provide actionable, continuous security insights.
Why We Choose It
External penetration testing is not a “check-the-box” compliance exercise. It’s a proactive security measure that directly addresses the most common initial access vectors for attackers: publicly accessible vulnerabilities and misconfigurations.
By simulating an attack from the perspective of an external adversary, these tests provide a realistic view of an organization’s most critical weaknesses.
A successful test can uncover gaps in a company’s defenses that automated scanners miss, such as a logical flaw in an application or an exploitable misconfiguration in a cloud service.
How We Choose It
To select the top 10 external penetration testing companies, we evaluated them based on the following criteria:
Experience & Expertise (E-E): We looked for companies with a proven track record, a team of highly certified and respected testers, and a deep understanding of modern attack techniques.
Authoritativeness & Trustworthiness (A-T): We considered market leadership, industry recognition, and the reputation of their proprietary research teams (e.g., X-Force Red, SpiderLabs).
Feature-Richness: We assessed the breadth of their offerings, looking for core capabilities in:
Human-Led Testing: The ability to perform manual, creative exploitation beyond automated scanning.
Platform/PtaaS Model: The use of a platform to provide real-time reporting, collaboration, and continuous testing.
Reconnaissance & Scoping: A robust methodology for discovering and mapping an organization’s entire external attack surface.
Reporting & Remediation: Clear, actionable reports with detailed remediation guidance and re-testing options.
IBM Security’s X-Force Red team is one of the most respected offensive security teams in the world. Composed of seasoned hackers and researchers, X-Force Red goes beyond standard testing by conducting advanced, objective-based engagements.
Their expertise is leveraged for high-stakes targets, including critical infrastructure and financial services. The team’s deep integration with IBM’s extensive threat intelligence and a centralized platform for real-time collaboration ensures a highly effective and data-driven approach to external testing.
Why You Want to Buy It:
IBM’s X-Force Red combines decades of real-world experience with top-tier threat intelligence. This allows them to simulate highly sophisticated, targeted attacks that go far beyond a typical vulnerability scan, providing a true measure of an organization’s resilience.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | Team of elite, full-time security experts. |
| Platform/PtaaS | Yes | Real-time collaboration and findings dashboard. |
| Reconnaissance | Yes | Advanced external asset discovery and mapping. |
| Reporting | Yes | Actionable reports with strategic recommendations. |
Best For: Large, high-profile enterprises in regulated industries that require a strategic, objective-based approach to testing from a globally recognized and trusted security leader.
NetSPI is a top player in penetration testing, known for its innovative Penetration Testing as a Service (PTaaS) platform. The company’s platform provides continuous, on-demand testing, real-time results, and advanced analytics.
NetSPI’s team of dedicated pentesters is known for its rigorous, methodical approach and ability to uncover complex vulnerabilities.
The combination of expert human talent and a scalable, data-driven platform makes them a leader in the industry.
Why You Want to Buy It:
NetSPI’s PTaaS platform streamlines the entire testing process, from scoping to remediation. The ability to see and collaborate on findings in real-time dramatically reduces the time to fix vulnerabilities, making it a highly efficient solution.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | 300+ in-house pentesters with deep expertise. |
| Platform/PtaaS | Yes | The NetSPI Platform offers continuous, on-demand testing. |
| Reconnaissance | Yes | Includes comprehensive external attack surface mapping. |
| Reporting | Yes | Real-time findings, integrations with Jira/ServiceNow, and clear reports. |
Best For: Organizations that need a scalable, continuous approach to penetration testing and want a platform that provides real-time visibility and collaboration on findings.
Synack pioneered the Penetration Testing as a Service (PTaaS) model, blending the power of a global, vetted community of ethical hackers with a secure, on-demand platform.
Unlike traditional firms, Synack can deploy multiple researchers on a single engagement, providing broader coverage and finding more vulnerabilities in less time.
The platform provides a transparent view of findings and progress, with real-time patch verification and on-demand testing.
Why You Want to Buy It:
Synack’s model offers unmatched scalability and speed. The ability to engage a diverse team of researchers provides a more comprehensive test, and the platform simplifies management, allowing teams to quickly address vulnerabilities.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A vetted community of 1,500+ ethical hackers. |
| Platform/PtaaS | Yes | On-demand PTaaS platform with continuous testing. |
| Reconnaissance | Yes | Continuous asset discovery and AI-powered risk validation. |
| Reporting | Yes | Real-time reporting, collaboration, and patch verification. |
Best For: Organizations that need continuous, on-demand external testing and want to leverage the power of a crowdsourced community of elite ethical hackers.
Rapid7 offers a comprehensive suite of security services, including expert-led external penetration testing.
Leveraging its deep expertise in vulnerability management (via the InsightVM platform) and its contributions to the Metasploit project, Rapid7’s testing team is well-versed in the latest exploits.
Their tests are designed to find and validate vulnerabilities, providing clear, actionable insights to reduce risk and improve security posture.
Why You Want to Buy It:
Rapid7’s penetration testing services are tightly integrated with its threat intelligence and vulnerability management solutions.
This ensures that findings are not only discovered but also prioritized and managed effectively, providing a seamless path to remediation.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A team of experienced pentesters. |
| Platform/PtaaS | Yes | Findings are managed within the Insight Platform. |
| Reconnaissance | Yes | Includes external asset and open-source intelligence (OSINT) gathering. |
| Reporting | Yes | Clear, prioritized reports with remediation advice. |
Best For: Organizations that already use Rapid7’s security products and want to leverage the company’s in-house expertise for a holistic approach to vulnerability management and testing.
CrowdStrike, a leader in endpoint security, provides expert-led penetration testing services as part of its broader Falcon platform.
Their testing goes beyond traditional methods, focusing on simulating real-world adversary tactics, techniques, and procedures (TTPs).
The team, backed by CrowdStrike’s renowned threat intelligence, provides a realistic assessment of an organization’s defenses against today’s most sophisticated attackers.
Why You Want to Buy It:
CrowdStrike’s deep understanding of adversary behavior, derived from its Falcon platform, allows its testers to replicate the most current and dangerous attack techniques.
This provides a truly realistic and valuable assessment of an organization’s external defenses.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A team with extensive experience in red teaming and incident response. |
| Platform/PtaaS | Yes | Findings are managed within the Falcon platform. |
| Reconnaissance | Yes | Focus on external system identification and enumeration. |
| Reporting | Yes | Detailed reports with strategic and technical recommendations. |
Best For: Organizations that want a penetration test from a company with unrivaled threat intelligence and a focus on simulating modern, targeted attacks.
Offensive Security is the premier provider of hands-on, professional penetration testing training and certifications (OSCP, OSEP, etc.).
While primarily known for its educational offerings, its professional services division applies the same rigorous, hacker-minded methodology to client engagements.
The Offensive Security team is revered for its ability to find the most deeply hidden and creative vulnerabilities, a skill honed by its world-class training programs.
Why You Want to Buy It:
The caliber of Offensive Security’s testers is arguably the highest in the industry.
Their engagements are not about checking boxes; they are about proving a security posture through creative, persistent hacking. This provides an unmatched level of assurance and discovery.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A team of highly certified and skilled hackers. |
| Platform/PtaaS | No | Focus is on traditional, deep-dive engagements. |
| Reconnaissance | Yes | Uses advanced, manual reconnaissance techniques. |
| Reporting | Yes | Detailed reports with reproduction steps and proof-of-concept exploits. |
Best For: Organizations seeking a highly technical, deep-dive penetration test from a firm whose brand is synonymous with elite ethical hacking skills.
Trustwave, now a LevelBlue company, is a global cybersecurity firm with a renowned team of ethical hackers and researchers known as SpiderLabs.
Trustwave’s external penetration testing services leverage this team’s extensive threat intelligence and a systematic, multi-phase methodology to uncover and exploit vulnerabilities.
Their services are designed for organizations of all sizes, from small businesses to large enterprises, and are known for their thoroughness and detail.
Why You Want to Buy It:
Trustwave’s SpiderLabs is a highly respected group that combines real-world attack expertise with proactive threat research.
This allows their testers to simulate attacks that are not just theoretical but are based on actual, emerging threats.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | The expert Trustwave SpiderLabs team. |
| Platform/PtaaS | Yes | Findings are managed within the Trustwave Fusion platform. |
| Reconnaissance | Yes | Includes OSINT and automated scanning for initial discovery. |
| Reporting | Yes | Clear, prioritized reports with remediation guidance. |
Best For: Companies that want a comprehensive, end-to-end security solution from a specialized MSSP with a dedicated, world-class research team.
Coalfire is a cybersecurity services firm with a strong focus on compliance and advisory services.
Its external penetration testing services are particularly well-regarded for their alignment with major security frameworks such as FedRAMP and PCI.
Coalfire’s expert teams conduct rigorous, compliance-driven tests to ensure that organizations not only meet regulatory requirements but also strengthen their security posture against real-world threats.
Why You Want to Buy It:
Coalfire’s dual expertise in technical security and compliance makes them an ideal partner for organizations navigating complex regulatory environments.
Their tests are designed to provide both the technical findings needed for remediation and the documentation required for audits.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A team of experienced pentesters. |
| Platform/PtaaS | No | Focus is on traditional, project-based engagements. |
| Reconnaissance | Yes | In-depth asset discovery and enumeration. |
| Reporting | Yes | Detailed reports with a strong focus on compliance. |
Best For: Regulated businesses in industries like financial services and healthcare that need a penetration test that is both technically robust and fully compliant with industry standards.
Bishop Fox is a pure-play offensive security firm renowned for its elite team of hackers and a creative, objective-based approach to testing. The company’s services range from standard penetration tests to full-scale red team exercises.
Bishop Fox’s team, known as the “Fox,” is highly respected for its ability to find and exploit the most obscure and complex vulnerabilities. The company also offers a hybrid PTaaS model called Continuous Attack Surface Testing (CAST).
Why You Want to Buy It:
Bishop Fox’s reputation for technical excellence is unmatched. Their testers are not only technically proficient but also creative, using innovative methods to breach defenses.
This provides a deep and thorough assessment that few other firms can replicate.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | The elite “Fox” team of security professionals. |
| Platform/PtaaS | Yes | Hybrid PTaaS model for continuous testing. |
| Reconnaissance | Yes | Comprehensive external asset discovery. |
| Reporting | Yes | Actionable, high-quality reports with clear findings. |
Best For: Organizations that want a top-tier, white-glove security assessment from one of the most respected offensive security firms in the world.
HackerOne is the leading bug bounty platform, but it has expanded its offerings to include managed penetration testing services.
HackerOne’s platform provides a unique combination of a curated community of ethical hackers and a managed service that scopes, manages, and reports on the engagement.
This model offers the best of both worlds: the targeted, focused scope of a traditional pen test with the flexibility and scale of a bug bounty program.
Why You Want to Buy It:
HackerOne’s unique model allows a test to be launched quickly with a hand-picked team of specialists.
The platform provides continuous visibility into findings, and the company’s reputation as a bug bounty leader ensures the quality of the ethical hackers involved.
| Feature | Yes/No | Specification |
|---|---|---|
| Human-Led Testing | Yes | A curated community of ethical hackers. |
| Platform/PtaaS | Yes | Managed penetration testing service on the HackerOne platform. |
| Reconnaissance | Yes | Scope-based asset discovery and management. |
| Reporting | Yes | Real-time reporting on the platform with re-testing. |
Best For: Organizations that want to combine the benefits of a focused penetration test with the scale and flexibility of a crowdsourced bug bounty platform.
The best external penetration testing companies in 2025 are those that blend human expertise with a scalable, technology-driven platform.
While automated scanners can find common vulnerabilities, it is the creative, methodical work of human testers that uncovers the true, exploitable weaknesses.
For enterprises that prioritize a strategic and data-driven approach, firms like IBM Security and Rapid7 are excellent choices.
For those who value the flexibility and scale of a crowdsourced model, Synack and HackerOne offer compelling, modern alternatives.
And for a deep, technical dive into a system’s defenses, pure-play offensive firms like NetSPI, Bishop Fox, and Offensive Security stand out.
The right choice depends on your organization’s specific needs, but any of these top-tier companies will provide the insight needed to stay ahead of today’s most persistent cyber threats.
A sophisticated malware strain targeting exposed Docker APIs has emerged with enhanced infection capabilities that go beyond traditional cryptomining operations.
The threat, discovered in August 2025, demonstrates evolved tactics designed to establish persistent root access while denying other attackers access to compromised systems.
The malware represents a significant evolution from a variant originally reported by Trend Micro in June 2025.
While the initial strain focused primarily on cryptocurrency mining operations hidden behind Tor infrastructure, this new iteration exhibits more complex behavior patterns.
The attack begins by exploiting misconfigured Docker APIs accessible from the internet, specifically targeting port 2375 where administrators have inadvertently exposed their Docker daemon without proper authentication.
The infection process starts when attackers create malicious containers based on Alpine Linux images, mounting the host filesystem to gain privileged access.
Through a Base64-encoded payload, the malware downloads and executes a shell script from a Tor hidden service, establishing multiple persistence mechanisms across the compromised system.
Akamai analysts identified this variant during routine honeypot monitoring, noting distinct behavioral differences from previously documented attacks.
The researchers observed that unlike its predecessors, this strain implements superiority tactics designed to lock out competing threat actors from the same vulnerable systems.
Advanced Persistence and Defense Evasion Mechanisms
The malware’s most notable advancement lies in its comprehensive approach to maintaining exclusive access to compromised infrastructure.
After initial compromise, the attack deploys a script called docker-init.sh that implements multiple layers of persistence and defensive measures.
The persistence mechanism operates through several coordinated actions. First, the malware appends an attacker-controlled SSH public key to /root/.ssh/authorized_keys, giving it direct root access that bypasses normal authentication.
Subsequently, it establishes a cron job that executes every minute, systematically blocking access to port 2375 across multiple firewall platforms including iptables, ufw, firewall-cmd, pfctl, and nft.
```bash
PORT=2375
PROTOCOL=tcp
for fw in firewall-cmd ufw pfctl iptables nft; do
  if command -v "$fw" >/dev/null 2>&1; then
    case "$fw" in
      firewall-cmd)
        firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' port protocol='tcp' port='2375' reject"
        firewall-cmd --reload
        ;;
      # The ufw, pfctl, iptables and nft branches are cut off in the published excerpt.
    esac
  fi
done
```
This defensive blocking represents a territorial approach rarely seen in container-based attacks.
By systematically closing the Docker API port that enabled their initial access, the attackers prevent other malicious actors from exploiting the same vulnerability while maintaining their established foothold through SSH access.
Binary initiating masscan (Source – Akamai)
The malware also installs reconnaissance tools including masscan for network scanning, along with torsocks for anonymous communications.
These components enable the malware to identify and compromise additional vulnerable Docker instances across the network, creating potential for large-scale botnet operations.
The combination of persistent access, competitive exclusion, and propagation capabilities positions this malware as a significant threat to containerized environments.
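Host-side checks for the four indicators described above (an exposed TCP API, a host-root bind mount fed a base64-decoded command, an unexpected root SSH key, and a cron entry that firewalls port 2375), as an added example that is not Akamai's code. All inputs are constructed samples in the shapes that `docker inspect`, daemon.json, authorized_keys and `crontab -l` actually produce; the key material is a placeholder and the base64 blob decodes to the harmless command `echo hi`.

```python
import json
import re
from typing import Dict, List, Tuple

FIREWALL_TOOLS = re.compile(r"\b(iptables|ufw|firewall-cmd|pfctl|nft)\b")
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b")


def exposed_api_hosts(daemon_cfg: dict) -> List[str]:
    """TCP listeners from daemon.json that are not protected by client-cert TLS."""
    if daemon_cfg.get("tlsverify"):
        return []
    return [h for h in daemon_cfg.get("hosts", []) if h.startswith("tcp://")]


def risky_containers(inspect_output: list) -> List[Tuple[str, List[str]]]:
    """Containers shaped like the intrusion: host root bind-mounted, privileged,
    or a command that pipes a base64-decoded blob straight into a shell."""
    findings = []
    for c in inspect_output:
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == "/":
                reasons.append("host root bind-mounted at " + str(m.get("Destination")))
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged container")
        cmd = " ".join(c.get("Config", {}).get("Cmd") or [])
        if DECODE_TO_SHELL.search(cmd):
            reasons.append("base64-decoded payload piped to a shell")
        if reasons:
            findings.append((c.get("Name", "?").lstrip("/"), reasons))
    return findings


def unknown_ssh_keys(authorized_keys: str, approved: set) -> List[str]:
    """Comments of authorized_keys entries whose key material is not on the allowlist."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#") and parts[1] not in approved:
            unknown.append(parts[2] if len(parts) > 2 else parts[1][:12] + "...")
    return unknown


def cron_port_blocking(crontab: str) -> List[str]:
    """Cron entries that drive a firewall tool against port 2375."""
    return [l for l in crontab.splitlines() if "2375" in l and FIREWALL_TOOLS.search(l)]


# Constructed samples; nothing here comes from the Akamai honeypot.
DAEMON_JSON = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
INSPECT = json.loads("""[
 {"Name": "/nostalgic_turing",
  "Config": {"Image": "alpine:latest",
             "Cmd": ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | sh"]},
  "HostConfig": {"Privileged": false, "Binds": ["/:/hostroot:rw"]},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}]},
 {"Name": "/web",
  "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
  "HostConfig": {"Privileged": false, "Binds": []},
  "Mounts": []}
]""")
AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERadminKeyMaterial admin@bastion\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERunknownKeyMaterial root@unknown\n"
)
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERadminKeyMaterial"}
CRONTAB = (
    "*/5 * * * * /usr/local/bin/backup.sh\n"
    "* * * * * iptables -I INPUT -p tcp --dport 2375 -j DROP\n"
)


def audit(daemon_cfg=DAEMON_JSON, inspect=INSPECT, authorized_keys=AUTHORIZED_KEYS,
          approved=APPROVED_KEYS, crontab=CRONTAB) -> Dict[str, object]:
    """Run all four checks and return the findings keyed by indicator."""
    return {
        "exposed_api": exposed_api_hosts(daemon_cfg),
        "risky_containers": risky_containers(inspect),
        "unknown_ssh_keys": unknown_ssh_keys(authorized_keys, approved),
        "port_blocking_cron": cron_port_blocking(crontab),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```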