• Menlo Park, California, USA, November 17th, 2025, CyberNewsWire: AccuKnox, a global leader in Zero Trust Cloud-Native Application Protection Platforms (CNAPP), today announced its distributor partnership with Frentree, a leading cybersecurity solutions provider in South Korea. The collaboration aims to strengthen cloud, container, and AI workload security for enterprises across the region by combining Frentree’s strong […]

    The post Frentree Partners with AccuKnox to Expand Zero Trust CNAPP Security in South Korea appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A new open-source security tool, TaskHound, helps penetration testers and security professionals identify high-risk Windows scheduled tasks that could expose systems to attacks.

    The tool automatically discovers tasks running with privileged accounts and stored credentials, making it a valuable addition to security assessments.

    What Makes TaskHound Different?

    TaskHound stands out by automating the discovery of dangerous scheduled tasks across Windows networks.

    Instead of manually searching through system logs, the tool scans remote machines over SMB and parses task XML files to identify security weaknesses.

    Feature                      Use Case
    Tier 0 Detection             Identify high-value administrative account exposure
    BloodHound Integration       Correlate tasks with attack paths for risk assessment
    Password Analysis            Compare credential change dates with task creation dates to spot stale passwords
    Offline Analysis             Analyze tasks in OPSEC-conscious environments
    BOF Implementation           Beacon-based operations without direct network access
    Credential Guard Detection   Evaluate DPAPI dump success likelihood
    SID Resolution               Improve readability in mixed SID/username environments
    Multi-format Support         Work with existing BloodHound infrastructure
    Flexible Authentication      Flexible authentication for various network scenarios
    Multiple Output Formats      Integrate findings into security workflows and reporting

    It looks for tasks running as administrative accounts, privileged users, or Tier 0 accounts, typically the highest-value targets for attackers.

    The tool integrates with BloodHound, a popular Active Directory attack-path visualization platform.

    This integration enables security teams to automatically correlate scheduled tasks with BloodHound’s attack path data, revealing which tasks pose the most significant risk in their environment.

    TaskHound includes several powerful features for threat hunters. It automatically detects tasks assigned to Tier 0 users, such as Domain Admins and Enterprise Admins.

    The tool analyzes when credentials were last changed compared to when tasks were created, helping identify old passwords that could be vulnerable to offline cracking.

    The platform supports both modern BloodHound Community Edition and legacy BloodHound formats, making it compatible with existing security infrastructure.

    TaskHound can also work offline, analyzing previously collected XML files without requiring direct network access.

    For operators using AdaptixC2, the tool includes a Beacon Object File implementation. During a penetration test, TaskHound quickly identifies exploitation opportunities.

    Tasks running under compromised accounts can be manipulated to gain system access.

    The tool provides detailed reporting showing task locations, associated credentials, creation dates, and recommended next steps for each finding.
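    The audit described above, as an added example that is not TaskHound's own code: it parses Task Scheduler XML, keeps only tasks whose principal logs on with a stored password, marks Tier 0 principals, and compares the account's pwdLastSet with the task's registration date to judge whether the stored credential is likely still current. The Tier 0 set, the pwdLastSet map and the task XML are all constructed for the demo.

```python
# Added example (not TaskHound's code): audit Task Scheduler XML for tasks that
# run as privileged accounts with a stored password (LogonType=Password).
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Constructed inputs: in a real run these come from AD / BloodHound.
TIER0 = {"CORP\\Administrator", "CORP\\svc-backup"}
PWD_LAST_SET = {
    "CORP\\svc-backup": datetime(2021, 3, 1),
    "CORP\\jdoe": datetime(2025, 9, 15),
}

def make_task_xml(user: str, logon_type: str, date: str) -> str:
    # Minimal constructed task document with the elements the audit reads.
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><Date>{date}</Date>'
            f'</RegistrationInfo><Principals><Principal id="Author">'
            f'<UserId>{user}</UserId><LogonType>{logon_type}</LogonType>'
            f'</Principal></Principals></Task>')

@dataclass
class Finding:
    path: str
    user: str
    registered: datetime
    tier0: bool
    stored_cred_current: Optional[bool]  # None when pwdLastSet is unknown

def audit_task(path: str, xml_text: str) -> Optional[Finding]:
    """Flag a task only if it runs with a stored password; S4U, ServiceAccount
    and InteractiveToken logons carry no reusable secret and are skipped."""
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", NS)
    if principal is None:
        return None
    user = principal.findtext("t:UserId", default="", namespaces=NS).strip()
    logon = principal.findtext("t:LogonType", default="", namespaces=NS).strip()
    if logon != "Password":
        return None
    stamp = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    registered = datetime.fromisoformat(stamp.split(".")[0])  # drop 100ns ticks
    last_set = PWD_LAST_SET.get(user)
    # Password unchanged since the task was registered => stored copy is live.
    current = None if last_set is None else last_set <= registered
    return Finding(path, user, registered, user in TIER0, current)

def audit_tasks(tasks: dict) -> list:
    """Audit several tasks; Tier 0 and live-credential findings sort first."""
    found = [f for p, x in tasks.items() if (f := audit_task(p, x))]
    return sorted(found, key=lambda f: (not f.tier0, f.stored_cred_current is not True))

SAMPLE_TASKS = {  # constructed task paths and XML
    r"\Backup\Nightly": make_task_xml("CORP\\svc-backup", "Password", "2024-05-02T10:15:30.1234567"),
    r"\Reports\Weekly": make_task_xml("CORP\\jdoe", "Password", "2025-01-10T08:00:00"),
    r"\Microsoft\Windows\Defrag": make_task_xml("S-1-5-18", "ServiceAccount", "2023-01-01T00:00:00"),
}
```

    Calling audit_tasks(SAMPLE_TASKS) returns the svc-backup finding first (Tier 0, password unchanged since the task was created) and the jdoe finding second (password rotated after task creation, so the stored copy is stale).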

    TaskHound tool output

    The creator emphasizes strict OPSEC (operational security) considerations. Since the tool relies on standard SMB operations, network defenders could detect its activity.

    For sensitive assessments, users can employ the standalone BOF version or manually collect tasks for offline analysis.

    The project roadmap includes a direct BloodHound database connector and a dedicated NetExec module to expand integration with other popular security frameworks.

    The developer also plans automated credential extraction for offline decryption.

    TaskHound fills an essential gap in Windows privilege-escalation assessment, automating a tedious manual process while providing actionable intelligence to security teams protecting enterprise networks.


    The post TaskHound Tool – Detects Windows Scheduled Tasks Running with Elevated Privileges and Stored Credentials appeared first on Cyber Security News.

  • A critical logic flaw discovered in the widely used mPDF PHP library could expose internal networks and sensitive services on approximately 70 million devices worldwide. The vulnerability stems from improper regular expression parsing, which allows attackers to issue unauthorized web requests even when user input appears sanitized. mPDF, an open-source PHP library for generating PDFs […]

    The post 70 Million Devices Vulnerable Due to Logic Flaw Exposing Internal Networks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cyber threats don’t always come with warning signs. Sometimes, they arrive as sponsored ads. Since mid-2023, a financially motivated network has been quietly hijacking payroll systems, credit unions, and trading platforms across the United States. Their method? Malvertising. Their goal? Money. Their name? Payroll Pirates. This isn’t a one-off campaign. It’s a coordinated operation that’s […]

    The post Payroll Pirates: Inside the Criminal Networks Hijacking Payroll Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A new phishing campaign has emerged that weaponizes Microsoft Entra guest user invitations to deceive recipients into making phone calls to attackers posing as Microsoft support.

    The attack leverages a critical security gap in how Microsoft Entra communicates with external users, turning a legitimate collaboration feature into a delivery mechanism for sophisticated social engineering attacks.

    This campaign represents an evolution in TOAD (Telephone Oriented Attack Delivery) tactics, combining cloud-based credential systems with traditional phone-based scams to compromise organizational security.

    Michael Taggart, a security analyst and researcher, identified this novel attack vector after discovering multiple phishing campaigns exploiting the guest invitation system.

    The phishing campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to bypass email filters and establish trust with targets.

    Attackers register fake organizational tenants with names like “Unified Workspace Team,” “CloudSync,” and “Advanced Suite Services” to impersonate legitimate Microsoft entities.

    The attack chain demonstrates sophisticated coordination between cloud infrastructure abuse and social engineering.

    Once recipients receive the invitation email, they encounter a convincing message claiming their Microsoft 365 annual plan requires renewal processing, complete with fabricated transaction details including reference numbers, customer IDs, and billing amounts of approximately $446.46.

    The message instructs users to contact a phone number listed as Microsoft Billing Support, which actually connects them directly to attackers who proceed with credential harvesting and account takeover attempts.

    Detection Evasion Through Legitimate Infrastructure

    The infection mechanism exploits a fundamental weakness in Entra’s design: the Message field in guest user invitations accepts arbitrarily long text, allowing attackers to embed extensive phishing content without triggering traditional security alerts.

    Entra Guest user invitations (Source – Taggart-Tech)

    Since the invitation originates from Microsoft’s legitimate infrastructure, email security systems rarely flag these communications as malicious.

    The attackers register multiple fake tenant domains, including x44xfqf.onmicrosoft[.]com, woodedlif.onmicrosoft[.]com, and xeyi1ba.onmicrosoft[.]com, creating a network of persistent infrastructure for continuous campaign deployment.

    Organizations should implement immediate detection measures by searching email logs for indicators, including the sender address invites@microsoft[.]com, subject line keywords like “invited you to access applications within their organization,” and known attacker tenant names.

    Network administrators can block the phone numbers associated with these campaigns while educating users about verifying Microsoft communications through official support channels rather than responding to invitation-based requests.
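    The log search recommended above, as an added example that is not from the article: it scores Entra invitation emails using the indicators the article lists (the legitimate sender, the subject phrase, the attacker tenant names and domains) plus two heuristics, a phone number and billing wording in the invitation message. The email records are constructed; the phone number and reference value in them are placeholders.

```python
# Added example (not from the article): triage Entra guest invitations using
# the indicators the article lists. Log records below are constructed.
import re
from typing import Dict, List

INVITE_SENDER = "invites@microsoft.com"  # legitimate Entra sender (defanged in the article)
INVITE_SUBJECT = "invited you to access applications within their organization"
KNOWN_TENANT_NAMES = {"unified workspace team", "cloudsync", "advanced suite services"}
KNOWN_TENANT_DOMAINS = {"x44xfqf.onmicrosoft.com", "woodedlif.onmicrosoft.com",
                        "xeyi1ba.onmicrosoft.com"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
BILLING_WORDS = ("billing support", "annual plan", "renewal", "transaction")

def score_invite(rec: Dict[str, str]) -> List[str]:
    """Return the indicators matched by one email record. Genuine invites use
    the same sender and subject, so the sender alone is never a verdict."""
    reasons: List[str] = []
    if rec.get("sender", "").lower() != INVITE_SENDER:
        return reasons
    subject = rec.get("subject", "").lower()
    if INVITE_SUBJECT not in subject:
        return reasons
    body = rec.get("body", "").lower()
    tenant_name = subject.split(INVITE_SUBJECT)[0].strip()  # "<tenant> invited you ..."
    if tenant_name in KNOWN_TENANT_NAMES:
        reasons.append(f"known attacker tenant name: {tenant_name}")
    if rec.get("tenant_domain", "").lower() in KNOWN_TENANT_DOMAINS:
        reasons.append(f"known attacker tenant domain: {rec['tenant_domain']}")
    if PHONE_RE.search(body):
        reasons.append("phone number in invitation message")
    hits = [w for w in BILLING_WORDS if w in body]
    if hits:
        reasons.append("billing lure wording: " + ", ".join(hits))
    return reasons

def triage(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map message id -> reasons for every invite with at least two indicators."""
    return {r["id"]: rs for r in records if len(rs := score_invite(r)) >= 2}

SAMPLE_LOG = [  # constructed records; phone and reference values are placeholders
    {"id": "m1", "sender": "invites@microsoft.com",
     "subject": "Unified Workspace Team invited you to access applications within their organization",
     "tenant_domain": "x44xfqf.onmicrosoft.com",
     "body": "Your Microsoft 365 annual plan renewal of $446.46 was processed. Reference 7781-0042. "
             "Call Microsoft Billing Support at 1-800-555-0142."},
    {"id": "m2", "sender": "invites@microsoft.com",
     "subject": "Contoso Ltd invited you to access applications within their organization",
     "tenant_domain": "contoso.onmicrosoft.com",
     "body": "Hi, please accept this invitation to join our shared project site."},
    {"id": "m3", "sender": "alice@example.com", "subject": "Lunch?", "body": "12:30?"},
]
```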


    The post Hackers Leverages Microsoft Entra Tenant Invitations to Launch TOAD Attacks appeared first on Cyber Security News.

  • CISA has issued an urgent alert about a critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF), actively exploited by threat actors to seize administrative control of affected systems.

    Tracked as CVE-2025-64446, the flaw stems from a relative path traversal issue (CWE-23) that enables unauthenticated attackers to execute arbitrary administrative commands through specially crafted HTTP or HTTPS requests.

    Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 14, 2025, the vulnerability carries a due date of November 21 for federal agencies to apply mitigations or discontinue use.

    Fortinet’s advisory (FG-IR-25-910) confirms the issue affects multiple FortiWeb versions, including those running firmware up to 7.4.7 and 7.6.5. Attackers can exploit it without authentication, potentially leading to complete system compromise, data exfiltration, or deployment of malware.

    While it’s unknown whether the vulnerability has been tied to ransomware campaigns, security researchers have reported real-world exploitation in the wild targeting organizations in sectors like finance and healthcare.

    FortiWeb WAF Vulnerability Exploited in the Wild

    “This path traversal bug is a classic but dangerous oversight in file handling,” said cybersecurity expert Maria Chen, a vulnerability researcher at a leading threat intelligence firm. “Unauthenticated access to admin functions turns a WAF meant to protect web apps into a backdoor for attackers.”

    Fortinet urges immediate patching to the latest versions, such as 7.4.8 or 7.6.6, and recommends restricting administrative access via network segmentation.

    For cloud-deployed instances, CISA advises adherence to Binding Operational Directive (BOD) 22-01, which mandates timely remediation of vulnerabilities in federal systems.

    Organizations unable to patch should isolate affected devices and monitor for indicators of compromise, such as unusual HTTP traffic patterns or unauthorized command execution.

    The flaw highlights ongoing risks in network security appliances, which are prime targets for advanced persistent threats (APTs). As exploitation ramps up, experts warn that unpatched FortiWeb deployments could amplify broader attack chains, such as lateral movement in enterprise networks. Fortinet has not disclosed the initial discovery method but emphasizes that no customer data was breached during its investigation.

    With the patch deadline looming, affected users are racing to update. Delays could expose sensitive infrastructure to persistent threats, underscoring the need for proactive vulnerability management in an era of zero-day exploits.


    The post CISA Warns of Fortinet FortiWeb WAF Vulnerability Exploited in the Wild to Gain Admin Access appeared first on Cyber Security News.

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding multiple vulnerabilities affecting General Industrial Controls’ Lynx+ Gateway device. Released on November 13, 2025, under alert code ICSA-25-317-08, these flaws pose significant risks to industrial control systems. They could enable remote attackers to access sensitive information or disrupt critical operations. CVE […]

    The post CISA Alerts on Critical Lynx+ Gateway Flaw Leaks Data in Cleartext appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • This week showed just how fast things can go wrong when no one’s watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms. It’s not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it’s a business. And in some cases, they’re using the same

  • In November 2025, a new malware campaign emerged that combines social engineering tricks with advanced stealing tools.

    The attack starts when criminals trick users into running commands through the Windows Run window, a technique known as ClickFix.

    Once users follow these instructions, their computers become infected with Amatera Stealer, an advanced piece of malware designed to steal sensitive information from browsers, wallets, and password managers.

    Shortly after the initial infection, the attackers deploy NetSupport RAT, giving them full remote access to the victim’s computer.

    eSentire security analysts identified the malware and noted that this campaign represents a significant evolution in how attackers combine multiple tools for maximum damage.

    The attack chain works through carefully crafted social engineering. Attackers convince users to open the Run prompt and execute specific commands.

    These commands trigger a series of hidden stages that eventually deliver Amatera Stealer to the victim’s machine. What makes this particularly dangerous is how the malware hides its true purpose.

    It uses obfuscated PowerShell code that has been deliberately made difficult to read and understand. The malware employs a special trick involving XOR encryption with the string “AMSI_RESULT_NOT_DETECTED” to decrypt the next stage while confusing security researchers.

    Attack chain leading to Amatera and NetSupport RAT (Source – eSentire)

    One of the most concerning aspects of this campaign involves the advanced evasion techniques used by Amatera Stealer. This malware was originally called ACR Stealer and was sold as a criminal service by a group called SheldIO.

    Now rebranded as Amatera, the stealer uses WoW64 SysCalls to bypass common security tools like antivirus software and endpoint detection systems. This means even machines with strong security tools installed remain vulnerable.

    The Infection Mechanism and Detection Evasion

    The infection begins with a .NET-based downloader that retrieves and decrypts payloads using RC2 encryption from services like MediaFire.

    This downloader is packed with Agile.net to make analysis harder for security teams. Once executed, it deploys a Pure Crypter-packed file that uses sophisticated process injection techniques.

    The malware then disables AMSI (Anti-Malware Scan Interface) by overwriting the “AmsiScanBuffer” string in the system’s memory, effectively turning off Windows’ built-in security scanning for the rest of the attack.

    Amatera communicates with its command servers using encrypted connections that bypass traditional security monitoring. It uses Windows APIs combined with WoW64 syscalls to encrypt all communications with AES-256-CBC, making traffic inspection nearly impossible.

    The malware collects stolen data into zip files and sends them to criminal servers using these encrypted channels. Through its loader functionality, it can execute additional payloads selectively on valuable targets, such as computers containing cryptocurrency wallets or machines connected to business networks.

    This selective approach helps attackers avoid wasting time on low-value targets and focus on organizations with real financial assets. The sophisticated nature of this campaign highlights why modern security requires multiple layers of protection.


    The post EVALUSION Campaign Using ClickFix Technique to deploy Amatera Stealer and NetSupport RAT appeared first on Cyber Security News.

  • A newly identified ransomware group, Yurei, has emerged as a significant threat to organizations worldwide, with confirmed attacks targeting entities in Sri Lanka and Nigeria across multiple critical industries. First publicly identified in early September 2025, Yurei operates a traditional ransomware-as-extortion model, infiltrating corporate networks, encrypting sensitive data, destroying backup systems, and leveraging a dedicated […]

    The post Yurei Ransomware: Encryption Mechanics, Operational Model, and Data Exfiltration Methods appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
