• Remcos, a commercial remote access tool distributed by Breaking-Security and marketed as “Remote Administration Software,” continues to pose a significant threat to organizations worldwide. Despite its administrative positioning, the tool’s capabilities are routinely weaponized for unauthorized access and data theft, with recent analysis revealing extensive C2 infrastructure operating across multiple continents. Recent Censys research tracking […]

    The post Mapping Remcos RAT C2 Activity and Associated Communication Ports appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google has released an urgent security update for its Chrome browser to address a high-severity zero-day vulnerability that is being actively exploited. The flaw, tracked as CVE-2025-13223, is a type confusion bug in the V8 JavaScript engine and puts millions of Chrome users worldwide at risk until they update.​ Zero-Day Under Active Attack The vulnerability was discovered by Clément Lecigne of […]

    The post Chrome Zero-Day Type Confusion Flaw Actively Exploited in the Wild appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Lynx ransomware has emerged as a significant threat to enterprise environments, with recent intrusions demonstrating sophisticated attack strategies that prioritize data exfiltration and infrastructure destruction.

    The malware campaign combines compromised credentials with careful planning to ensure maximum impact on target networks.

    Security researchers continue to monitor this evolving threat as attackers refine their techniques and expand their targeting scope across various industries.

    The attack chain reveals a methodical approach where threat actors gain initial access through compromised Remote Desktop Protocol credentials, likely sourced from infostealer malware, data breaches, or initial access brokers.

    What distinguishes this campaign is the extended preparation phase before ransomware deployment. Attackers spend days conducting reconnaissance, mapping network infrastructure, and establishing persistent backdoors rather than rushing to encrypt systems immediately.

    This calculated approach significantly increases their chances of success by identifying high-value targets and securing escape routes before triggering detection alarms.

    The DFIR Report security analysts identified that the intrusion began in early March 2025 when an unknown threat actor successfully logged into an internet-facing RDP endpoint using valid credentials.

    Notably, no evidence of credential stuffing or brute force attempts preceded this access, indicating the attackers possessed legitimate account credentials from the start.

    Within minutes of initial access, the threat actor began conducting system reconnaissance using command prompt utilities and deployed SoftPerfect Network Scanner for wider network enumeration.

    The attack evolved rapidly as the threat actor moved laterally to the domain controller within just ten minutes using a separate compromised administrator account.

    Lateral Movement (Source – The DFIR Report)

    Once positioned on the domain controller, the attacker created several fake accounts whose names mimic legitimate ones, such as “administratr” (a one-character lookalike for “administrator”), and added them to privileged groups including Domain Admins.

    The attackers also installed AnyDesk remote access software to establish persistence, ensuring continued access even if their original credentials were discovered.

    Understanding Backup Destruction as an Attack Vector

    A particularly concerning aspect of this Lynx ransomware campaign is the deliberate destruction of backup infrastructure before deploying the malware. After six days of dormancy, the threat actor returned and resumed operations by conducting password spray attacks using NetExec.

    They systematically collected sensitive data from network shares, compressing these files using 7-Zip before exfiltrating the archives via temp.sh, a temporary file-sharing service.

    This data collection phase served as a double extortion preparation method, allowing attackers to threaten victims with data publication if ransoms went unpaid.

    The critical final phase involved connecting directly to backup servers and systematically deleting backup jobs. By removing backup recovery points before deploying Lynx ransomware, the attackers eliminated the victims’ ability to restore encrypted files through alternative means.

    Temporary file sharing site (Source – The DFIR Report)

    This strategy transforms the ransomware into a more effective extortion tool since organizations cannot simply restore from backups.

    The overall time from initial compromise to ransomware deployment was approximately 178 hours, spanning nine calendar days, which gave the attackers time to stage the attack carefully and maximize disruption when Lynx finally encrypted critical systems across multiple backup and file servers.
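    A detection sketch for the chain described above, added here as an example; it is not code from The DFIR Report. The event records are constructed for illustration: field names follow Windows Security events 4720 (user created) and 4728 (member added to a global group, where TargetUserName is the group) and Sysmon events 1 (process create) and 3 (network connection), but the flat dictionary layout, the privileged-name list and the drop-site list are assumptions to adapt to your own telemetry. The three checks correspond to the lookalike account, the Domain Admins addition and the 7-Zip-then-temp.sh staging step.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Account names an intruder is likely to imitate; extend with your own admin naming scheme.
PRIVILEGED_NAMES = {"administrator", "admin", "backupadmin", "svc_backup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
EXFIL_HOSTS = {"temp.sh"}  # drop site named in the write-up; extend with others you block

# Constructed sample events (not real log data). Field names follow Windows Security
# events 4720 and 4728 and Sysmon events 1 and 3; the flat dict layout is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2025-03-05T09:14:02", "EventID": 4720, "TargetUserName": "administratr",
     "SubjectUserName": "it_admin2"},
    {"ts": "2025-03-05T09:14:40", "EventID": 4728, "MemberName": "administratr",
     "TargetUserName": "Domain Admins", "SubjectUserName": "it_admin2"},
    {"ts": "2025-03-05T09:20:11", "EventID": 4720, "TargetUserName": "jsmith",
     "SubjectUserName": "hr_ops"},
    {"ts": "2025-03-11T13:02:17", "EventID": 1, "Image": "C:\\Tools\\7z.exe",
     "CommandLine": "7z.exe a -mx1 shares.7z \\\\fs01\\Finance", "User": "CORP\\administratr"},
    {"ts": "2025-03-11T13:09:55", "EventID": 3, "Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationHostname": "temp.sh", "DestinationPort": 443, "User": "CORP\\administratr"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; names are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_accounts(events, max_distance: int = 2) -> list[tuple[str, str, int]]:
    """New accounts (4720) whose name is a near-miss of a privileged name, e.g. administratr."""
    hits = []
    for e in events:
        if e.get("EventID") != 4720:
            continue
        name = e["TargetUserName"].lower()
        for target in sorted(PRIVILEGED_NAMES):
            d = levenshtein(name, target)
            if 0 < d <= max_distance:  # distance 0 is the real account, not a lookalike
                hits.append((e["TargetUserName"], target, d))
    return hits


def privileged_group_additions(events) -> list[tuple[str, str]]:
    """Members added (4728) to groups that confer domain-wide control."""
    return [(e["MemberName"], e["TargetUserName"]) for e in events
            if e.get("EventID") == 4728 and e.get("TargetUserName") in PRIVILEGED_GROUPS]


def archive_then_exfil(events, window_seconds: int = 3600) -> list[tuple[str, str, str, int]]:
    """An archiver run followed, within the window and under the same user, by a
    connection to a known drop site: the staging-to-exfiltration step in the narrative."""
    window = timedelta(seconds=window_seconds)
    hits = []
    archives = [e for e in events if e.get("EventID") == 1
                and e["Image"].rsplit("\\", 1)[-1].lower() in ARCHIVERS]
    for a in archives:
        t0 = datetime.fromisoformat(a["ts"])
        for e in events:
            if e.get("EventID") != 3 or e.get("User") != a.get("User"):
                continue
            if e.get("DestinationHostname", "").lower() not in EXFIL_HOSTS:
                continue
            delta = datetime.fromisoformat(e["ts"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((a["User"], a["CommandLine"], e["DestinationHostname"],
                             int(delta.total_seconds())))
    return hits


def triage(events) -> dict:
    """Run all three checks; any non-empty list deserves an analyst's attention."""
    return {
        "lookalike_accounts": lookalike_accounts(events),
        "privileged_group_additions": privileged_group_additions(events),
        "archive_then_exfil": archive_then_exfil(events),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {findings}")
```

    The lookalike check is deliberately loose (edit distance up to 2) because a name one or two characters off a privileged account is rare in legitimate provisioning and cheap to review; the archive-then-connect correlation keys on the same user so that an ordinary backup job and an unrelated download do not pair up.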


    The post Threat Actors Leveraging Compromised RDP Logins to Deploy Lynx Ransomware After Deleting Server Backups appeared first on Cyber Security News.


  • The Lazarus APT Group, an advanced persistent threat (APT) attributed to North Korea, has deployed a sophisticated new Remote Access Trojan (RAT) called ScoringMathTea as part of its ongoing Operation DreamJob cyberespionage campaign. ScoringMathTea represents a significant evolution in Lazarus’s malware toolkit, implementing a modular architecture designed specifically to evade detection across both network and […]

    The post Lazarus APT Group’s New ScoringMathTea RAT Enhances Remote Command Execution and More appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft Azure successfully defended against a record-breaking distributed denial-of-service (DDoS) attack that peaked at 15.72 terabits per second (Tbps), the largest DDoS attack Microsoft has observed against its cloud. On October 24, 2025, Azure DDoS Protection automatically detected and mitigated a multi-vector attack aimed at a single endpoint in Australia. The assault generated […]

    The post Massive 15 Tbps DDoS Attack From 500K Devices Slams Azure Network appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Iran-nexus cyber espionage group UNC1549 has significantly expanded its arsenal of custom tools and sophisticated attack techniques in an ongoing campaign targeting aerospace, aviation, and defense industries since mid-2024, according to new findings from Mandiant. The threat actor, which overlaps with Tortoiseshell and has suspected links to Iran’s Islamic Revolutionary Guard Corps (IRGC), demonstrates […]

    The post UNC1549 Hackers With Custom Tools Attacking Aerospace and Defense Systems to Steal Logins appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. “Type


  • The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-64446, is a relative path traversal in the FortiWeb management interface that lets an unauthenticated attacker reach administrative functionality with crafted requests. Critical Path Traversal Flaw […]

    The post CISA Reports Active Attacks on FortiWeb WAF Vulnerability Allowing Admin Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • IBM has released critical security updates addressing two severe vulnerabilities in its AIX operating system that could allow remote attackers to execute arbitrary commands on affected systems.

    Both vulnerabilities stem from improper process controls in essential IBM AIX services.

    Critical Flaws in IBM AIX Services

    The first vulnerability, CVE-2025-36251, affects the nimsh service (the NIM Service Handler that runs on NIM clients) and its SSL/TLS protection mechanisms. This flaw could allow a remote, unauthenticated attacker to bypass those protections and execute arbitrary commands.

    The vulnerability carries a CVSS base score of 9.6, indicating severe risk across network-accessible systems. The attack requires network access but no authentication or user interaction, making it particularly dangerous for exposed systems.

    The second vulnerability, CVE-2025-36250, impacts nimesis, the daemon that runs on the NIM master (the server that pushes installs and commands to NIM clients). This flaw is rated even higher, receiving the maximum CVSS score of 10.0.

    Field                  CVE-2025-36251                 CVE-2025-36250
    Affected service       IBM AIX nimsh service          IBM AIX NIM server (nimesis)
    Vulnerability type     SSL/TLS implementation flaw    Improper process controls
    CWE classification     CWE-114: Process Control       CWE-114: Process Control
    CVSS base score        9.6                            10.0
    Attack vector (AV)     Network                        Network

    Like the first vulnerability, it stems from improper process controls that fail to restrict which commands the service will execute.

    Attackers can exploit it remotely without authentication or user interaction, and because the NIM master can run commands on and install images to every client it manages, compromising it puts the whole NIM-managed estate at risk.

    IBM describes both vulnerabilities as additional attack vectors for the issues previously addressed in CVE-2024-56347 and CVE-2024-56346.

    In other words, the earlier patches did not close every exploitation path, which is why these additional security updates are needed.

    The vulnerabilities are classified under CWE-114: Process Control, a weakness category focusing on improper management of processes and their permissions.

    Exploitation could result in complete system compromise, including unauthorized data access, modification, and denial-of-service attacks.

    IBM AIX administrators should prioritize patching these vulnerabilities immediately. The NIM services are critical components used for managing and deploying IBM AIX systems across enterprise environments.

    Exploitation could allow attackers to gain control over multiple systems simultaneously. Organizations running IBM AIX should review their current patch levels and apply the latest security updates from IBM.

    Additionally, implementing network segmentation and restricting access to NIM and nimsh services to trusted networks can provide temporary mitigation.
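    Two checks that follow from the mitigation advice above, added here as an example and not IBM's own tooling: a host-side parse of `netstat -an` to find NIM services bound to every interface, and a network-side probe to run from an untrusted segment to confirm the firewall actually blocks them. The port numbers are the standard AIX /etc/services assignments for nim, nimreg, nimsh and nimaux (an assumption to confirm on your systems, since sites sometimes relocate nimsh), and the netstat sample is constructed in AIX style rather than captured from a real host.

```python
from __future__ import annotations
import socket
from typing import Callable

# NIM-related TCP ports as listed in AIX /etc/services (assumption: confirm locally).
NIM_PORTS = {1058: "nim (nimesis, NIM master)", 1059: "nimreg", 3901: "nimsh", 3902: "nimaux"}

# Constructed sample of `netstat -an` output in AIX style (local address is ADDR.PORT,
# with '*' meaning all interfaces); not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  *.22               *.*                LISTEN
tcp4       0      0  *.1058             *.*                LISTEN
tcp4       0      0  *.3901             *.*                LISTEN
tcp4       0      0  10.0.0.5.3902      *.*                LISTEN
tcp4       0      0  10.0.0.5.22        10.0.0.9.51234     ESTABLISHED
"""


def wildcard_nim_listeners(netstat_text: str) -> dict[int, str]:
    """Host-side view: NIM services listening on every interface ('*.PORT')."""
    found: dict[int, str] = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(".")  # '*.1058' -> ('*', '.', '1058')
        if addr == "*" and port.isdigit() and int(port) in NIM_PORTS:
            found[int(port)] = NIM_PORTS[int(port)]
    return found


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Network-side probe: can this host complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out (socket.timeout is an OSError)
        return False


def exposed_nim_services(host: str, ports: dict[int, str] = NIM_PORTS, timeout: float = 2.0,
                         probe: Callable[[str, int, float], bool] = tcp_reachable) -> dict[int, str]:
    """Run from an untrusted segment (user VLAN, DMZ): every port returned is reachable
    from where an attacker would sit and should be blocked by the segmentation policy."""
    return {port: name for port, name in ports.items() if probe(host, port, timeout)}


if __name__ == "__main__":
    print("wildcard listeners in sample netstat:", wildcard_nim_listeners(SAMPLE_NETSTAT))
    # 192.0.2.10 is a documentation address; replace with your NIM master when
    # running this from a network that should not be able to reach it.
    print("reachable from here:", exposed_nim_services("192.0.2.10", timeout=1.0))
```

    A NIM master whose nimesis port is reachable only from the client subnets it serves, and clients whose nimsh port is reachable only from the master, are what "restricting access to trusted networks" should look like in practice; the probe is injectable so the check can be unit-tested without a live network.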

    Security teams should monitor NIM masters and clients for connections to the nimesis and nimsh ports from hosts outside the expected NIM relationships, and for unexpected child processes of those services. These vulnerabilities underscore the importance of keeping critical infrastructure components current.

    Organizations dependent on IBM AIX should establish regular security update procedures and closely monitor IBM security advisories for emerging threats.


    The post IBM AIX Vulnerabilities Let Remote Attacker Execute Arbitrary Commands appeared first on Cyber Security News.


  • Google has rushed out an update for its Chrome browser to address a high-severity zero-day vulnerability actively exploited in the wild, urging users to update immediately to reduce the window of exposure.

    The patch, rolled out in Chrome Stable version 142.0.7444.175 for Windows and Linux, and 142.0.7444.176 for Mac, fixes two high-severity type confusion bugs in the V8 JavaScript engine.

    The most alarming is CVE-2025-13223, reported on November 12, 2025, by Clément Lecigne of Google’s Threat Analysis Group (TAG).

    Google confirmed that an exploit for this flaw exists in the wild. A successful attack needs only that the victim load a crafted web page, after which the attacker gains code execution inside the browser.

    Type confusion bugs, a staple of browser exploitation, occur when V8 operates on an object as though it were of a different type than it actually is, so that field accesses land on the wrong memory and the mismatch becomes out-of-bounds reads and writes. On its own a V8 type confusion yields code execution inside Chrome's sandboxed renderer process; stealing data from the wider system or installing malware typically requires chaining it with a separate sandbox-escape bug.

    The second fix, CVE-2025-13224, is also a V8 type confusion. According to the advisory it was reported on October 9, 2025, by Google Big Sleep, Google's AI-assisted vulnerability discovery agent, and Google has not reported it being exploited.

    TAG’s involvement suggests the exploit was seen in a targeted campaign, since the group tracks state-sponsored operations and commercial surveillance vendors that use such flaws for espionage.

    The incident underscores Chrome’s appeal as a target: it holds roughly two-thirds of the global browser market, and other Chromium-based browsers such as Edge, Brave and Opera ship the same V8 engine, so their vendors must ship the fix too.

    Google’s advisory notes, as it routinely does, that many of its security bugs are found with AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer or AFL. The timeline here was compressed: TAG reported the bug on November 12 and the fix reached Stable the following Monday, which is typical when a flaw is already being exploited. Users should confirm automatic updates are enabled, relaunch Chrome so the update takes effect (the new version is not active until restart), and avoid suspicious links in the meantime.
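    A version check for the build numbers quoted above, added here as an example rather than Google's own tooling. It treats 142.0.7444.175 as the minimum fixed build on every platform (the advisory lists .175 and .176, both of which carry the fix), reads the installed version from `google-chrome --version` when that binary is on PATH (the binary name is an assumption; on other platforms paste the string from chrome://version), and compares integer tuples rather than strings, because a lexicographic comparison ranks 142.0.7444.99 above 142.0.7444.175.

```python
from __future__ import annotations
import re
import subprocess

# Minimum Stable build with the CVE-2025-13223 fix, from the advisory quoted above.
# Both 142.0.7444.175 and 142.0.7444.176 are fixed builds, so .175 is the floor.
MIN_FIXED = "142.0.7444.175"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract the first MAJOR.MINOR.BUILD.PATCH version from text such as the
    output of `google-chrome --version` ('Google Chrome 142.0.7444.170')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(text: str, minimum: str = MIN_FIXED) -> bool:
    """True when the version in `text` is at or above the fixed build.
    Compares integer tuples: string comparison would rank '99' above '175'."""
    return parse_version(text) >= parse_version(minimum)


def installed_chrome_version(binary: str = "google-chrome") -> str | None:
    """Ask the local binary for its version banner; None if it is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    banner = installed_chrome_version()
    if banner is None:
        print("Chrome not found on PATH; pass the chrome://version string to is_patched().")
    else:
        status = "patched" if is_patched(banner) else "VULNERABLE: update and relaunch"
        print(f"{banner}: {status} (minimum fixed build {MIN_FIXED})")
```

    Because Chrome applies an update only on relaunch, the banner from a running browser can lag the installed files; run the check after a restart, or compare against chrome://version, which reports the version actually executing.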


    The post Chrome Type Confusion Zero-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.
