Scams and threats circulating on messaging apps like WhatsApp demonstrate how easily trusted platforms can be weaponized against users. One deceptive tactic gaining traction involves tricking people into sharing their phone screens during WhatsApp video calls. The screen-sharing feature, available since 2023, is increasingly being turned against users to steal data, identities, and money. Cases […]
Remcos, a commercial remote access tool distributed by Breaking-Security and marketed as administrative software, has become a serious threat in the cybersecurity landscape.
Developed in the mid-2010s, this malware enables attackers to execute remote commands, steal files, capture screens, log keystrokes, and collect user credentials through command-and-control servers using HTTP or HTTPS channels.
Despite being positioned as legitimate software with both free and paid versions, unauthorized copies are actively used in the wild for data theft and unauthorized system access.
The malware spreads through email campaigns containing malicious attachments and files hosted on compromised websites.
Attackers also use specialized loaders such as GuLoader and Reverse Loader to deliver Remcos as a second-stage payload, allowing them to bypass initial detection systems.
Once installed, the malware establishes persistence and maintains continuous communication with its control infrastructure, creating a reliable backdoor for ongoing attacks.
Censys security analysts noted that between October 14 and November 14, 2025, they consistently tracked over 150 active Remcos command-and-control servers worldwide.
Infrastructure
This substantial infrastructure demonstrates the tool’s widespread adoption among threat actors.
The servers typically operated on port 2404, the default choice for Remcos, with additional activity observed on ports 5000, 5060, 5061, 8268, and 8808, showing operators’ flexibility in deployment strategies.
Understanding its C2 communication reveals how Remcos maintains control. The malware communicates over HTTP and HTTPS on predictable ports, and its network traffic frequently contains encoded POST requests and unusual TLS configurations that form distinctive, detectable patterns.
Operators typically reuse certificates across multiple servers, employ template-based setups, and leverage inexpensive hosting providers like COLOCROSSING, RAILNET, and CONTABO across the United States, Netherlands, Germany, and other countries.
This infrastructure pattern enables network defenders to identify and block communications at detection points.
The detected persistence mechanisms include Scheduled Tasks and Registry Run-key entries, allowing attackers to maintain access even after system restarts.
This combination of command execution, file transfer capabilities, and resilient persistence makes Remcos particularly dangerous for organizations with weak security controls, requiring immediate network monitoring and endpoint detection measures.
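The traits above (a default listener port of 2404 with a small set of alternate ports, and certificates reused across several servers) can be turned into a simple log-triage step. The following Python is an added example, not Censys's tooling or Remcos code; the connection records, IP addresses and certificate fingerprints are constructed sample data.

```python
"""Triage connection logs for the Remcos C2 traits described above:
default port 2404 (plus 5000/5060/5061/8268/8808) and one TLS certificate
presented by several servers. All records below are constructed samples."""
from collections import defaultdict

# Ports reported as Remcos C2 listeners; 2404 is the tool's default.
REMCOS_DEFAULT_PORT = 2404
REMCOS_ALT_PORTS = {5000, 5060, 5061, 8268, 8808}
# 5060/5061 are also the standard SIP ports, so a hit there is a weak signal alone.
WEAK_PORTS = {5060, 5061}

# Constructed sample records (hypothetical IPs and certificate fingerprints).
SAMPLE_LOG = [
    {"src": "10.0.0.5",  "dst": "203.0.113.10", "dport": 2404, "cert": "aa11"},
    {"src": "10.0.0.5",  "dst": "203.0.113.10", "dport": 2404, "cert": "aa11"},
    {"src": "10.0.0.7",  "dst": "203.0.113.20", "dport": 8808, "cert": "aa11"},
    {"src": "10.0.0.9",  "dst": "198.51.100.4", "dport": 443,  "cert": "bb22"},
    {"src": "10.0.0.9",  "dst": "198.51.100.5", "dport": 5060, "cert": None},
    {"src": "10.0.0.12", "dst": "198.51.100.9", "dport": 443,  "cert": "cc33"},
]


def port_score(dport):
    """2 for the Remcos default port, 1 for an alternate port that is not also
    a common legitimate service, 0 otherwise."""
    if dport == REMCOS_DEFAULT_PORT:
        return 2
    if dport in REMCOS_ALT_PORTS and dport not in WEAK_PORTS:
        return 1
    return 0


def cert_reuse(records, min_hosts=2):
    """Map certificate fingerprint -> servers presenting it, keeping only
    fingerprints seen on at least `min_hosts` distinct destinations."""
    seen = defaultdict(set)
    for r in records:
        if r["cert"]:
            seen[r["cert"]].add(r["dst"])
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) >= min_hosts}


def triage(records):
    """One alert per destination, scored by port plus certificate reuse."""
    reused = cert_reuse(records)
    alerts = {}
    for r in records:
        score = port_score(r["dport"])
        if r["cert"] in reused:
            score += 1
        if score:
            alerts[r["dst"]] = max(score, alerts.get(r["dst"], 0))
    return alerts


if __name__ == "__main__":
    for dst, score in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{dst}: score {score}")
```

The scoring deliberately treats the SIP ports as neutral on their own: without the certificate-reuse signal or the default port, a connection to 5060 is far more likely to be a phone system than a RAT.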
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Quantum devices that measure Earth's magnetic fields could help replace GPS—if researchers can figure out how to tell when such devices are working well, or even at all. A Pentagon contract suggests one company is solving that key problem.
On Tuesday, SandboxAQ announced an agreement with the Defense Innovation Unit to join the Transition of Quantum Sensing program, or TQS, which allows the military to test the company’s AQNav software aboard a range of aircraft under a variety of conditions, according to a release viewed exclusively by Defense One. The deal builds on the company’s previous agreement with the Air Force, which tested the company’s software on C-17 Globemaster IIIs during exercises in May and July 2023.
Luca Ferrara, general manager of AQNav at SandboxAQ, said the agreement, coupled with recent research breakthroughs, has set the stage for rapid development in magnetic navigation. It will still take years before small, cheap, self-piloting one-way attack drones are able to find their way to targets, he said, but the DIU contract shows confidence that researchers are now asking the right questions.
Magnetic sensing is not exactly new. A patchwork of magnetic fields across the Earth’s crust is what makes a compass point north. But “north” doesn’t offer the level of precision a commander would want to chart a course for a plane or a drone.
High-tech and expensive quantum sensors can pick up information about magnetic fields far more accurately than old compasses. But the variation in those magnetic fields across the Earth’s crust, the very feature that makes them useful as a location tool, also means that quantum sensors will work well in some places and not in others. Maps that show different magnetic fields are limited, and the testing of magnetic sensors is similarly constrained.
“The way those maps get made at scale is, you have a plane that's specially outfitted with a lot of sensors. You can get down to like tens of meters of accuracy … That’s what we would call a very well-sampled map, and you have a very clean signal, meaning your magnetometer is in a clean part of the plane,” Ferrara said. In other words, it works well under scripted conditions.
To make magnetic navigation useful where GPS is under attack, the research is building out an understanding of how it will or will not work under a much wider set of conditions.
But that is a huge challenge, since the standard metrics that researchers use to certify navigation performance, like Required Navigation Performance or the U.S. military’s Circular Error Probable, can be misleading when dealing with magnetic navigation. A lot of what the company does is employ AI to figure out how to fill in those gaps.
A paper by SandboxAQ’s chief navigation engineer, Prasenjit Sengupta, in the December 2025 scientific journal Navigation, discusses a new method to compute the degree to which the error rate stays within certain knowable bounds. It’s a bit like a weather report to tell you how clear or cloudy it is outside, but instead it offers a reliable statistic to indicate how “cloudy” your magnetically sensed position is.
Magnetic navigation isn’t going to be a perfect replacement for GPS, Ferrara said. But if you can understand the conditions under which it will perform better or worse and to what degree—or, as he described it, “Knowing what the limitations are and working around them with the user”—then you have at least some of the essential building blocks to decide what other positioning systems to include in a GPS-backup scheme.
“Just to be clear, it’s also about having the sensors on board that platform be able to reliably, scalably create clean measurements so that it can know where it is in the moment reliably and well, to the best of our ability, every time,” he said, underscoring that even a GPS alternative has to know its own limits.
Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane.
Building on Gartner’s definition of “identity
Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites.
The malicious npm packages, published by a threat actor named “dino_reborn” between September and November 2025, are
The Lazarus APT Group has unveiled a new Remote Access Trojan called ScoringMathTea, representing a significant advancement in their cyberattack capabilities.
This C++ based malware was identified as part of Operation DreamJob, a campaign aligned with the North Korean government.
The threat actors have been targeting companies that provide Unmanned Aerial Vehicle technology to Ukraine, aiming to steal critical production knowledge and intellectual property.
ScoringMathTea is distributed through two distinct kill chains and provides operators with comprehensive control over compromised systems.
The malware enables remote command execution, in-memory plugin loading, and various persistence mechanisms that allow attackers to maintain long-term access to infected networks.
What makes this threat particularly dangerous is its sophisticated architecture designed specifically to evade detection across both network and endpoint security systems.
A security analyst and researcher, 0x0d4y, noted that ScoringMathTea implements multiple layers of obfuscation and evasion techniques.
The malware employs a custom polyalphabetic substitution cipher with chaining to deobfuscate strings at runtime, making static analysis significantly more challenging for security teams.
Execution chains (Source – 0x0d4y)
The decryption mechanism uses a 64-character lookup table and maintains a dynamic key state that changes with each character, effectively preventing simple string extraction tools from revealing its configuration details.
Advanced Detection Evasion Through Dynamic API Resolution
The malware’s most notable defensive feature involves its implementation of API hashing for dynamic resolution. Rather than calling Windows APIs directly, ScoringMathTea resolves APIs at runtime using a custom hashing algorithm.
The algorithm operates with a fixed seed value of 0x2DBB955 and combines character ASCII values with bit-shifted hash operations.
This technique, combined with PEB Walking to locate kernel32.dll independently, enables the malware to bypass traditional API hooking mechanisms employed by security software.
Communication with the command and control server occurs over HTTP or HTTPS using multi-layered encryption. The malware first compresses payloads, then encrypts them using a TEA or XTEA algorithm in CBC mode, and finally applies Base64 encoding.
Additionally, ScoringMathTea spoofs a legitimate Microsoft Edge browser user agent to blend its traffic with normal network activity, making detection through network signatures extremely difficult.
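For an analyst holding a captured message and the recovered key, the transport described above is peeled in reverse order: Base64 decode, XTEA-CBC decrypt, decompress. The Python below is an added example of that decoding step and is not ScoringMathTea's code; the article does not give the key, IV, padding scheme or compression algorithm, so the key and IV are constructed, PKCS#7 padding and zlib compression are assumed, and the packing function exists only to build sample traffic.

```python
"""Peel a C2 message layered as compress -> XTEA-CBC -> Base64.
Added analysis helper; key, IV, padding and compression are assumptions."""
import base64
import struct
import zlib

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # XTEA operates on 64-bit blocks with a 128-bit key


def xtea_encrypt_block(v0, v1, key, rounds=32):
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0, v1, key, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def _words(key16):
    # Key word order and block byte order are assumed little-endian.
    return struct.unpack("<4I", key16)


def xtea_cbc_encrypt(plain, key16, iv):
    key = _words(key16)
    pad = BLOCK - len(plain) % BLOCK
    plain += bytes([pad]) * pad            # PKCS#7 padding (assumed)
    prev, out = iv, bytearray()
    for i in range(0, len(plain), BLOCK):
        block = bytes(a ^ b for a, b in zip(plain[i:i + BLOCK], prev))
        prev = struct.pack("<2I", *xtea_encrypt_block(*struct.unpack("<2I", block), key))
        out += prev
    return bytes(out)


def xtea_cbc_decrypt(cipher, key16, iv):
    if not cipher or len(cipher) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    key = _words(key16)
    prev, out = iv, bytearray()
    for i in range(0, len(cipher), BLOCK):
        cur = cipher[i:i + BLOCK]
        dec = struct.pack("<2I", *xtea_decrypt_block(*struct.unpack("<2I", cur), key))
        out += bytes(a ^ b for a, b in zip(dec, prev))
        prev = cur
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key, wrong IV or truncated message")
    return bytes(out[:-pad])


def pack_message(payload, key16, iv):
    """Used only to construct sample traffic in the described layering."""
    return base64.b64encode(xtea_cbc_encrypt(zlib.compress(payload), key16, iv)).decode()


def unpack_message(text, key16, iv):
    """Analyst side: Base64 decode, XTEA-CBC decrypt, then decompress."""
    return zlib.decompress(xtea_cbc_decrypt(base64.b64decode(text), key16, iv))


# Constructed sample key, IV and payload (not real ScoringMathTea values).
SAMPLE_KEY = bytes(range(16))
SAMPLE_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_PAYLOAD = b"constructed sample payload for the decoder test"
SAMPLE_MESSAGE = pack_message(SAMPLE_PAYLOAD, SAMPLE_KEY, SAMPLE_IV)

if __name__ == "__main__":
    print(SAMPLE_MESSAGE)
    print(unpack_message(SAMPLE_MESSAGE, SAMPLE_KEY, SAMPLE_IV))
```

A wrong key or IV surfaces as a padding error or a zlib failure rather than silently wrong output, which is the check to rely on when trying candidate keys pulled from a memory dump against real captures.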
The malware’s core strength lies in its reflective plugin loading capability, which allows operators to download and execute arbitrary code entirely within memory without ever writing files to disk.
This technique manually implements the Windows Loader and includes an inline CRC32 checksum verification to detect debugger tampering.
Through these sophisticated mechanisms, ScoringMathTea represents a mature threat that demands immediate attention from security teams monitoring advanced persistent threats.
A critical command injection vulnerability has been discovered in the W3 Total Cache plugin, one of WordPress’s most popular caching solutions used by approximately 1 million websites.
The vulnerability, tracked as CVE-2025-9501 with a CVSS severity score of 9.0 (Critical), allows unauthenticated attackers to execute arbitrary PHP commands directly on vulnerable servers.
W3 Total Cache Vulnerability
The flaw exists in the _parse_dynamic_mfunc function, which processes dynamic function calls without proper input validation.
Attackers can exploit this weakness by submitting a malicious payload through WordPress comment submissions on any post.
Field               Details
CVE ID              CVE-2025-9501
Plugin              W3 Total Cache
Vulnerability Type  Command Injection
Fixed Version       2.8.13
CVSS Score          9.0 (Critical)
CWE                 CWE-78
Attack Vector       Comment submission with malicious payload
Because the vulnerability requires no authentication and minimal user interaction, it poses an immediate and severe threat to all unpatched installations.
The vulnerability belongs to the Injection category (OWASP A1). It is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command.
This means attackers can execute arbitrary operating system commands with the privileges of the web server process.
W3 Total Cache maintains a critical role in WordPress infrastructure, providing advanced caching functionality that site administrators rely on for performance optimization.
The broad adoption makes this vulnerability particularly concerning, as each affected installation represents a potential entry point for Remote Code Execution (RCE) attacks.
Attackers exploiting this vulnerability could achieve complete server compromise, including data theft, malware installation, ransomware deployment, and website defacement.
The vulnerability’s public disclosure on October 27, 2025, increases the urgency for immediate remediation.
The W3 Total Cache development team released a patch in version 2.8.13 to address the command injection flaw. WordPress site administrators must immediately update to this patched version or later.
Security teams should review server logs for suspicious comment submissions and unusual PHP execution patterns that may indicate exploitation attempts.
WordPress website administrators should prioritize this update as critical. Organizations managing multiple WordPress installations should implement automated patching systems.
Security monitoring should be heightened for any signs of unauthorized command execution, file modifications, or unexpected outbound connections that may indicate successful exploitation.
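Administrators responsible for many sites need a quick way to find installations still below the fixed version 2.8.13 given above. The following Python is an added example, not code from the plugin or from WordPress; the plugin header text is constructed sample data in the standard WordPress plugin-header format, and the main-file path is an assumption.

```python
"""Fleet check for W3 Total Cache installs older than the fixed version 2.8.13.
Added example; the header texts are constructed and the path is assumed."""
import re

FIXED_VERSION = (2, 8, 13)   # fixed version stated in the advisory
# Assumed location of the plugin's main file on each host.
PLUGIN_MAIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"

# Constructed sample header texts as read from PLUGIN_MAIN_FILE on three hosts.
SAMPLE_INSTALLS = {
    "shop": "/*\nPlugin Name: W3 Total Cache\nVersion: 2.8.12\n*/",
    "blog": "/*\n * Plugin Name: W3 Total Cache\n * Version: 2.8.13\n */",
    "news": "/*\nPlugin Name: W3 Total Cache\n*/",   # header without a Version line
}


def parse_version(header_text):
    """Extract the 'Version:' header WordPress plugins declare; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version):
    """Anything below the fix needs the update; an unreadable version is flagged too."""
    return version is None or version < FIXED_VERSION


def audit(installs):
    """installs: site name -> header text. Returns sites needing attention."""
    return {site: parse_version(text) for site, text in installs.items()
            if is_vulnerable(parse_version(text))}


if __name__ == "__main__":
    for site, version in audit(SAMPLE_INSTALLS).items():
        print(f"{site}: {'unknown' if version is None else '.'.join(map(str, version))} -> update")
```

Comparing versions as integer tuples avoids the string-comparison trap where "2.8.9" sorts after "2.8.13"; a site whose header cannot be read is reported rather than silently assumed patched.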
A serious security flaw was discovered in the AI-Bolit component of Imunify products. This vulnerability allows attackers to run arbitrary code and even become root on a server.
Imunify released a fix on October 23, 2025, and most servers have already received the automatic update. Currently, there are no reports of hackers exploiting this security flaw.
The flaw was found in the AI-Bolit scanner’s deobfuscation. Attackers could create a special file or database entry.
When AI-Bolit scans this, it could make the scanner run malicious PHP functions, leading to arbitrary code execution as the root user. The issue happened because the scanner used unfiltered input from files and databases.
Imunify AI-Bolit Vulnerability
This unsafe logic allowed hackers to abuse the scanning process if they managed to upload a crafted payload onto a protected server.
The danger came from two PHP functions within AI-Bolit’s code: deobfuscateDeltaOrd and deobfuscateEvalHexFunc.
They passed possibly unsafe strings to Helpers::executeWrapper(), which called those strings directly as PHP functions. Malicious input could run arbitrary code, escalating a hacker’s privileges to root.
The new patch adds strict controls so only safe functions can be called by the deobfuscator. Imunify confirms that there are no signs of this flaw being exploited in real-world attacks.
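The flaw and its fix come down to one pattern: a function name lifted from scanned content was resolved and called as-is, and the patch restricts the deobfuscator to an allowlist of safe decoders. The Python below is an added illustration of that pattern and not AI-Bolit's code (which is PHP); the function names, the call pattern parsed from the "scanned" snippets and the sample snippets are hypothetical.

```python
"""Unrestricted versus allowlisted dynamic dispatch in a deobfuscator.
Added illustration; names and snippets are hypothetical, not AI-Bolit's."""
import base64
import builtins
import re


def _rot13(s):
    return s.translate(str.maketrans(
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
        "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm"))


# Decoders the deobfuscator is permitted to apply to data lifted from a scanned file.
ALLOWED_DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": _rot13,
    "strrev": lambda s: s[::-1],
}

# A snippet lifted from scanned content, assumed here to look like NAME('ARG').
SNIPPET_RE = re.compile(r"^(\w+)\('([^']*)'\)$")


def execute_wrapper_unsafe(func_name, arg):
    """The flawed shape: the name comes from the scanned content and whatever it
    resolves to is called, so the scanned file chooses what the scanner runs."""
    fn = getattr(builtins, func_name, None) or globals().get(func_name)
    if fn is None:
        raise ValueError(f"unknown function {func_name!r}")
    return fn(arg)


def execute_wrapper_safe(func_name, arg):
    """Hardened shape: only names in the allowlist are ever called."""
    fn = ALLOWED_DECODERS.get(func_name)
    if fn is None:
        raise ValueError(f"refusing to call non-allowlisted function {func_name!r}")
    return fn(arg)


def deobfuscate(snippet, wrapper):
    """Simulate the scanner step: parse NAME('ARG') and apply NAME to ARG."""
    m = SNIPPET_RE.match(snippet)
    if not m:
        raise ValueError("not a recognised call pattern")
    return wrapper(m.group(1), m.group(2))


if __name__ == "__main__":
    # Constructed snippets: two genuine decoder calls and one that names a
    # builtin the deobfuscator has no business calling.
    for snippet in ("base64_decode('aGVsbG8=')", "strrev('olleh')", "len('hello')"):
        for wrapper in (execute_wrapper_unsafe, execute_wrapper_safe):
            try:
                print(wrapper.__name__, snippet, "->", repr(deobfuscate(snippet, wrapper)))
            except ValueError as exc:
                print(wrapper.__name__, snippet, "->", exc)
```

The unsafe wrapper happily calls `len` because the scanned file asked it to; the allowlisted wrapper rejects anything outside the small set of decoders the scanner actually needs, which is the property the patch restores.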
Imunify's security process involves quietly fixing issues first, deploying fixes to users, and publishing advisories like this one when it is safe to do so. If you use Imunify products, update the AI-Bolit component as soon as possible.
This will protect you against potential attacks that could allow hackers to run code or become root via crafted files or databases. Always keep automatic updates turned on for maximum safety.
Google is taking decisive action against apps that drain excessive battery power, introducing a new warning system that will alert users before they download power-hungry applications. Starting March 1, 2026, apps that fail to meet Google’s battery-efficiency standards may see reduced visibility on the Play Store and display warnings on their listing pages. The tech […]
The notorious Everest ransomware group has claimed responsibility for a major cyber breach against Under Armour, the global sportswear giant, alleging the theft of 343 GB of internal data that could impact millions of customers and employees worldwide.
The announcement, posted on the group’s dark web leak site on November 16, 2025, includes a sample of stolen records to substantiate the claims, escalating concerns over potential identity theft and phishing risks.
According to Everest, the compromised dataset encompasses a vast array of personal and corporate information from Under Armour’s systems.
Everest Ransomware Group Under Armour Breach
This includes millions of client records with transaction histories, user IDs, email addresses, physical addresses, phone numbers, passport details, gender information, and both work and personal email contacts.
Employee data from various countries is also implicated, alongside internal company documents. The sample provided by the hackers reveals sensitive customer shopping histories, product catalogs with SKUs, prices, and availability, as well as marketing logs and user behavior analytics.
These details suggest the breach targeted Under Armour’s customer relationship management, personalization, or e-commerce databases, potentially originating from marketing or product registration systems.
Everest, active since 2021, has a track record of high-profile attacks, including claims against AT&T's carrier database (exposing over 500,000 users), 1.5 million passenger records from Dublin Airport, and internal files from Coca-Cola.
The group issued a seven-day ultimatum to Under Armour via Tox messenger, demanding contact before the countdown timer expires and threatening to leak the data if the demand is not fully met. No ransom amount was specified in the initial post, but Everest’s pattern involves escalating leaks for non-compliant victims.
Under Armour, headquartered in Baltimore, Maryland, has not yet publicly confirmed or denied the breach as of November 18. The company, which serves over 190 countries and boasts brands like MyFitnessPal (previously hit in a 2018 incident affecting 150 million users), could face significant fallout.
Past breaches at the firm exposed usernames, emails, and hashed passwords, but spared financial data; this incident appears far broader, potentially including passports and transaction logs that enable targeted fraud.
Cybersecurity experts warn that such exposures heighten the risk of supply chain attacks and social engineering. “Ransomware groups like Everest are pivoting to data exfiltration over encryption, turning breaches into intelligence goldmines,” noted a Mandiant analyst.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has not yet listed this in its Known Exploited Vulnerabilities catalog, but similar incidents have prompted federal alerts.
Customers are urged to monitor accounts for unusual activity, change passwords on Under Armour-linked services, enable multi-factor authentication, and watch for phishing emails masquerading as breach notifications.
Enterprises should scan for Everest indicators of compromise, such as Qakbot malware or Cobalt Strike beacons, which the group often uses. Under Armour has been contacted for comment; until verified, these remain allegations, but the sample’s detail lends credibility.