• The United States has crossed a dangerous line.

    Last week, an American military platform destroyed a small vessel in the Caribbean, killing 11 people the Trump administration claims were drug traffickers. It was not an interception. It was not a boarding with Coast Guard legal authority. It was a strike—ordered from Washington, executed in international waters, and justified with little more than “trust us.” Defense Secretary Pete Hegseth told Fox that officials “knew exactly who was in that boat” and “exactly what they were doing.” He offered no evidence.

    This was not a counterdrug operation. It was not law enforcement. It was killing without process. And it was, to all appearances, against the letter and the spirit of the law.

    For decades, the U.S. military and Coast Guard have intercepted drug shipments in the Caribbean and Eastern Pacific under a careful legal framework: Coast Guard officers would tactically control Navy ships, invoke law enforcement authority, stop vessels, and detain crews for prosecution. The goal is not execution; it is interdiction within international law.

    This week’s strike ripped up that framework. The people on board were not given the chance to surrender. No evidence was presented. No rules of engagement were cited. The administration claimed authority to kill on suspicion alone.

    International law does not permit such action. A vessel in international waters is not a lawful target simply because officials say so. Contending that narcotics pose a long-term danger to Americans is at best a weak policy argument, not a legal justification for force. Unless this boat posed an imminent threat of attack—which no one has claimed—blowing it out of the water is not self-defense. It is killing at sea. A government that ignores these distinctions is not fighting cartels. It is discarding the rule of law.

    Beyond the gross violations of the law and the Constitution lies an enormous strategic danger. By redefining traffickers as legitimate military targets, the administration has plunged the United States into another war without limits.

    Who is the enemy? “Cartels,” we are told. But cartels are not armies. They are networks that span countries and blend with civilians. Declaring war on them is like declaring war on poverty or terrorism—a plunge into an endless campaign that cannot be “won.”

    Where is the battlefield? The Caribbean? Venezuela? Central America? Overnight, officials shifted their story about the destroyed vessel’s destination: first, it was “probably headed to Trinidad or some other country in the Caribbean,” then it was among “imminent threats to the United States.” If geography is that malleable, there is no limit to where the next strike may fall.

    And what is the objective? To “blow up and get rid of them,” in the words of Secretary of State Marco Rubio. That is not strategy; it is bravado. We have tried it before, in Iraq, Afghanistan, Yemen. Killing “high-value targets” didn’t end the war on terror.

    The U.S. is drifting into an undeclared war of assassination across half a hemisphere, led by unaccountable officials who equate explosions with effectiveness.

    Even more dangerous is the backdrop: the Supreme Court’s ruling that presidents are immune from prosecution for “official acts.” Experts warned this would give the commander-in-chief license to commit murder. The majority waved those fears away. Now the president has ordered killings in international waters.

    Eleven people are dead, not through due process but by fiat. The defense secretary boasts about it on television. And the president will face no consequences.

    This is no longer abstract. The law has been rewritten in real time: a president can kill, and there is no recourse. That is not strength. That is authoritarianism.

    What does this mean for the principle of civilian control, when those who wield it face no consequence for abuse? What does it mean for our military, when they are ordered to carry out missions that violate the standards they have sworn to uphold?

    What happens abroad does not stay abroad. A government that stretches legal authority overseas will not hesitate to do the same at home. The same commander-in-chief who ordered a strike on a boat in international waters has already ordered National Guard troops into American cities over the objections of local leaders. The logic is identical: redefine the threat, erase legal distinctions, and justify force as the first tool. Today it is “traffickers” in the Caribbean. Tomorrow it will be “criminals” in Chicago or “radicals” in Atlanta.

    This strike is not only about 11 lives lost at sea. It is about the precedent set when the military is unmoored from law, and when silence from senior leaders normalizes the abuse. 

    The cost will not be measured in a destroyed boat. It will be measured in the corrosion of law, strategy, and trust. Legally, the U.S. has abandoned the framework that distinguished interdiction from assassination. Constitutionally, presidential immunity has been laid bare: the commander-in-chief of the most destructive military power in history has been placed beyond the reach of law. Strategically, we have entered another endless war against a concept, not an enemy. Internally, the erosion of boundaries abroad feeds the erosion of boundaries at home.

    The laws of war, the principles of proportionality, the training drilled into every officer—all run counter to what happened in the Caribbean. Yet silence has prevailed. And silence is acquiescence. Each concession ratifies the misuse of force until it becomes routine. That is how institutions corrode. That is how democracies die.

    The strike in the Caribbean is not the action of a strong nation. It is a warning. This is about whether the U.S. military remains an institution of law and principle, or whether it becomes an obedient weapon in the hands of a lawless president.

    A republic that allows its leaders to kill without law, to wage war without strategy, and to deploy troops without limit is a republic in deep peril. Congress will not stop it. The courts will not stop it. That leaves those sworn not to a man, but to the Constitution.

    The oath is clear: unlawful orders—foreign or domestic—must be disobeyed. To stand silent as the military is misused is not restraint. It is betrayal. 

    Jon Duffy is a retired Navy captain. His active duty career included command at sea and national security roles. He writes about leadership and democracy.


  • A critical security vulnerability has been discovered in Progress OpenEdge, a platform for developing and deploying business applications.

    The flaw, identified as CVE-2025-7388, allows for remote code execution (RCE) and affects multiple versions of the software, potentially enabling attackers to execute arbitrary commands with elevated system privileges.

    The vulnerability resides in the AdminServer component of OpenEdge, specifically within its Java Remote Method Invocation (RMI) interface, which is used for remote administrative tasks.

    According to a security notification, the flaw allows an authenticated but unauthorized user to manipulate configuration properties. This can lead to OS command injection through the workDir parameter.

    Attackers can exploit this by injecting malicious commands, which are then executed with the high-level privileges of the AdminServer process, often running as NT AUTHORITY\SYSTEM on Windows systems.

    Progress OpenEdge AdminServer Vulnerability

    Progress has addressed the vulnerability and released patches in OpenEdge Long-Term Support (LTS) Updates 12.2.18 and 12.8.9.

    The fix involves two key changes: first, it sanitizes the workDir parameter by enclosing values in double quotes to prevent command injection. Second, it disables the remote RMI capability by default to reduce the attack surface.

    All OpenEdge versions prior to these updates, including LTS Releases 12.2.17 and 12.8.8 and their earlier minor versions, are susceptible.

    Systems running unpatched versions remain exposed to significant risk, as weak authentication could allow attackers to compromise the entire system.

    For users who have applied the patch, remote RMI will be disabled by default. Administrators who relied on this feature for remote operations will find it no longer functions.

    While it is possible to re-enable remote RMI, Progress warns that doing so reintroduces security risks and should only be done if there is a compelling business reason, at the user’s own risk.

    For organizations unable to apply the updates immediately, temporary mitigations are recommended.

    These include restricting network access to the AdminServer RMI port (default 20931) using firewalls, running the AdminServer process with the lowest possible privileges, and removing any unused AdminServer plugins to minimize potential attack vectors.

    However, these measures are intended only for short-term use. Progress strongly advises all customers to upgrade to the patched versions to fully remediate the vulnerability.
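    As an added, defender-side illustration (not Progress's code and not the patch's own sanitisation, which the advisory describes as quote-wrapping the value), the check below applies a strict allowlist to a workDir-style property before any value is written into AdminServer configuration: plain path characters only, no traversal segments, and containment in an approved root. The ALLOWED_ROOTS values are constructed assumptions.

```python
import os
import re

# Constructed example roots for this demonstration; replace them with the
# working directories of your own OpenEdge installation. Any value outside
# these roots is rejected.
ALLOWED_ROOTS = (r"C:\OpenEdge\WRK", "/opt/openedge/wrk")

# Only plain path characters are allowed. Quotes, semicolons, ampersands,
# pipes, dollar signs, backticks, parentheses and control characters are not
# in the set, so a value that passes cannot break out of a quoted argument.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9 ._\-\\/:]+")

MAX_LEN = 260  # Windows MAX_PATH; a sane upper bound for a working directory


def _normalise(path: str) -> str:
    """Fold both separator styles to '/', drop trailing separators, lowercase."""
    folded = path.replace("\\", "/")
    return os.path.normpath(folded).replace("\\", "/").rstrip("/").lower()


def _is_under(root: str, candidate: str) -> bool:
    """True if candidate equals root or is a descendant of it."""
    r, c = _normalise(root), _normalise(candidate)
    return c == r or c.startswith(r + "/")


def validate_work_dir(value: str) -> bool:
    """Return True only for a safe absolute directory under ALLOWED_ROOTS.

    Checks, in order: non-empty and bounded length, character allowlist,
    no '..' traversal segments, and containment in an approved root.
    """
    if not value or len(value) > MAX_LEN:
        return False
    if _SAFE_CHARS.fullmatch(value) is None:
        return False
    if ".." in value.replace("\\", "/").split("/"):
        return False
    return any(_is_under(root, value) for root in ALLOWED_ROOTS)


if __name__ == "__main__":
    for sample in (r"C:\OpenEdge\WRK\app1", "/opt/openedge/wrk; x", "/etc"):
        state = "accepted" if validate_work_dir(sample) else "rejected"
        print(f"{sample!r}: {state}")
```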

    Users of retired OpenEdge versions must upgrade to a currently supported release to receive the fix.

    The post Progress OpenEdge AdminServer Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.

  • A severe vulnerability in Windows Defender’s update process allows attackers with administrator privileges to disable the security service and manipulate its core files.

    The technique, which leverages a flaw in how Defender selects its execution folder, can be carried out using tools already available on the Windows operating system.

    The vulnerability was detailed by Zero Salarium, who explored the continuous battle between attackers and endpoint protection systems.

    While red teams often focus on evading detection, this method allows for the outright neutralization of the defense software itself.

    Exploiting the Update Mechanism

    The core of the exploit lies in the way the WinDefend service handles version updates. Windows Defender stores its executable files in a version-numbered folder located within ProgramData\Microsoft\Windows Defender\Platform\.

    When the service starts or updates, it scans this Platform directory and selects the folder with the highest version number as its new operational path.

    While Microsoft protects these folders from being modified, the researcher discovered that a user with administrator rights can still create new folders within the Platform directory.

    This oversight allows an attacker to manipulate the update process. By creating a symbolic link (symlink) with a version number higher than the current one, an attacker can redirect the Defender service to an entirely different, attacker-controlled folder.

    The attack is carried out in a few steps:

    • First, the attacker copies the legitimate Windows Defender executable files to a new, unsecured location (e.g., C:\TMP\AV).
    • Next, using the mklink command, they create a symbolic link inside the protected Platform folder. This symlink is given a name that appears to be a newer version of Defender and points to the unsecured folder created in the first step.
    • Upon the next system restart, the WinDefend service identifies the symlink as the latest version and launches its processes from the attacker-controlled directory.

    Once control is established, the attacker has complete read/write access to the files Defender is running from. This enables several malicious outcomes.

    For instance, an attacker could plant a malicious DLL in the folder to perform a DLL side-loading attack, executing malicious code within the trusted Defender process.

    More simply, they could destroy the executable files, preventing the service from functioning.

    In a demonstration, the researcher showed that by simply deleting the symbolic link after the hijack, the Defender service fails to find its executable path on the next run.

    This effectively stops the service and disables all real-time virus and threat protection, leaving the machine vulnerable.
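    An added detection example, written here for defenders and not taken from the researcher's write-up: it models the selection rule the article describes (highest-numbered folder wins) and audits a Platform directory for reparse points, links whose target resolves outside Platform, and a highest-version entry that is itself a link. The version-folder name pattern and the run_demo layout are assumptions; on a real host run it as an administrator with the default path.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Shape of Defender's platform version folders, e.g. 4.18.25070.5-0
# (assumed from commonly observed installs; adjust if yours differ).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")

DEFAULT_PLATFORM_DIR = (
    Path(os.environ.get("ProgramData", r"C:\ProgramData"))
    / "Microsoft" / "Windows Defender" / "Platform"
)


def _is_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks on any OS and for junctions/reparse points on Windows."""
    if entry.is_symlink():
        return True
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def _inside(path: str, root: Path) -> bool:
    """True if the resolved path lies inside root."""
    try:
        real_root = os.path.realpath(root)
        return os.path.commonpath([real_root, path]) == real_root
    except ValueError:  # different drives on Windows
        return False


def audit_platform_dir(platform_dir=DEFAULT_PLATFORM_DIR) -> dict:
    """Model the described selection (highest version wins) and flag anomalies.

    Returns {"selected": <name or None>, "findings": [(name, issue, detail)]}.
    """
    platform_dir = Path(platform_dir)
    findings, candidates = [], []
    with os.scandir(platform_dir) as it:
        for entry in it:
            m = VERSION_RE.match(entry.name)
            key = tuple(int(g) for g in m.groups()) if m else None
            reparse = _is_reparse_point(entry)
            if reparse:
                target = os.path.realpath(entry.path)
                findings.append((entry.name, "reparse_point", target))
                if not _inside(target, platform_dir):
                    findings.append((entry.name, "target_outside_platform", target))
            elif key is None and entry.is_dir():
                findings.append((entry.name, "unexpected_name", entry.path))
            if key is not None:
                candidates.append((key, entry.name, reparse))
    selected = max(candidates, default=None)
    if selected and selected[2]:
        findings.append((selected[1], "highest_version_is_reparse_point", ""))
    return {"selected": selected[1] if selected else None, "findings": findings}


def run_demo() -> dict:
    """Constructed layout in a temp dir: one genuine version folder, then a
    higher-numbered symlink pointing outside Platform. Audits both states and
    returns {"clean": ..., "hijacked": ...}."""
    base = Path(tempfile.mkdtemp(prefix="defender_platform_demo_"))
    try:
        platform = base / "Platform"
        (platform / "4.18.25050.5-0").mkdir(parents=True)
        clean = audit_platform_dir(platform)
        outside = base / "TMP" / "AV"
        outside.mkdir(parents=True)
        os.symlink(outside, platform / "4.18.99999.9-0", target_is_directory=True)
        hijacked = audit_platform_dir(platform)
        return {"clean": clean, "hijacked": hijacked}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for state, result in run_demo().items():
        print(state, "->", result["selected"], result["findings"])
```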

    The post Windows Defender Vulnerability Allows Service Hijacking and Disablement via Symbolic Link Attack appeared first on Cyber Security News.

  • Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach. “With

  • The president of the United States threatened the city of Chicago with “war” on Saturday, writing on social media, “Chicago [is] about to find out why it’s called the Department of WAR,” along with an AI-generated image of Trump as Lt. Col. Bill Kilgore from the 1979 dystopian war film “Apocalypse Now.” 

    The image has Trump/Kilgore squatting in front of the Chicago skyline with Army cavalry helicopters leaving the scene of a napalm strike above the words “Chipocalypse Now”. In the Francis Ford Coppola film, Kilgore famously said, “I love the smell of napalm in the morning.” Trump’s social media post featured a variation, reading, “I love the smell of deportations in the morning.” 

    “This is not normal,” the Illinois governor responded on social media Saturday. “The President of the United States is threatening to go to war with an American city. This is not a joke,” said Democratic Gov. JB Pritzker. “Donald Trump isn’t a strongman, he’s a scared man. Illinois won’t be intimidated by a wannabe dictator.”

    Historian reax: “Although it has become trite to speculate about what Republicans would say if a Democratic president engaged in the behavior Trump exhibits daily, this open attack of the president on an American city is a new level of unhinged,” Boston College’s Heather Cox Richardson responded on Substack. 

    When asked about the threat on Sunday, the president told reporters, “We're not going to war. We're going to clean up our cities. We're going to clean them up so they don't kill five people every weekend. That's not war, that's common sense.” NPR and CNN have a bit more. 

    By the way: Sending the National Guard to Chicago could cost taxpayers nearly $1.6 million a day, the Sun-Times reported Friday—citing estimates from the National Priorities Project, which is part of the progressive nonprofit Institute for Policy Studies. That total comes from 2020 costs, which tallied up to about $530 per Guard soldier daily. 

    Also: Army vet and Illinois Democratic Sen. Tammy Duckworth visited the Naval Station Great Lakes last week. She was joined by her Democratic Senate colleague Dick Durbin and Rep. Brad Schneider because the White House is using the state’s largest military installation at Great Lakes as a training ground for upcoming deportation operations in and around Chicago. During their visit, Duckworth said, “The Navy cooperated and took the time to answer our questions.”

    But Department of Homeland Security officials that “Trump sent to Naval Station Great Lakes didn’t just refuse to meet with us today, they actually locked their doors and fled the base,” Duckworth said in a statement Friday. 

    “If they were proud of what they are doing or if they believed it was legal, why would they be so secretive? Trump’s continued threats against Chicago are just another effort to distract us from his own scandals, and we shouldn’t let him do that, especially if it means also distracting our servicemembers from their core mission of protecting our nation,” she said. 

    While announcing his new “secondary” name for the U.S. military, Trump told reporters Friday inside the Oval Office, “Every war we would've won easily with just a couple changes.” He continued, “We won the First World War. We won the Second World War. We won everything before that and in between. And then we decided to go woke, and we changed the name to Department of Defense.” 

    According to the president, “We could have won every war, but we really chose to be very politically correct or woke.” And that’s at least partly why he wants the Defense Department changed to the “War Department,” which will require congressional approval. In the meantime, he’s signed an executive order authorizing the use of titles like “secretary of war” and changing the website from “defense.gov” to “war.gov.” Referring to the country’s post-World War II conflicts, Trump complained, “We wouldn’t lose, really. We’d just fight. Sort of tie. We never wanted to win—wars that, every one of them, we would’ve won easily with just a couple of little changes.”  

    His defense secretary agreed as he stood beside Trump. “Maximum lethality, not tepid legality. Violent effect, not politically correct,” Pete Hegseth said to cameras in a room that included Chairman of the Joint Chiefs of Staff Air Force Gen. Dan Caine. 

    Observation: “The amount of discomfort on the face and in the demeanor” of Chairman Caine during Trump and Hegseth’s remarks Friday “is really quite something and tells you everything you need to know about how most uniformed service members feel about this,” said former West Point history professor “Angry Staff Officer,” writing Monday on social media. 

    Second opinion: “It's well worth remembering that war is the failure state,” warns Princeton University Professor Jake Shapiro. “War is what happens when deterrence and diplomacy fail. It's what happens when your adversary is insufficiently cowed by the threat of fighting you.” 

    Coverage continues below…


    Welcome to this Monday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1974, President Gerald Ford pardoned his predecessor Richard Nixon for any crimes he may have committed before his resignation.

    Update: Trump’s nominee for the Air Force’s next vice chief has been withdrawn in a move that could leave the service without a chief or a vice chief this fall, Aviation Week reported Friday.

    Background: Gen. Thomas Bussiere was nominated in mid-July to replace former Vice Chief Gen. Jim Slife, who was fired in February along with several other officers. Headquarters staff director Lt. Gen. Scott Pleus has been serving as acting vice chief in the months since. 

    The twist: Last month, service chief Gen. David Allvin said he’d step down from that post two years early, effective in November. Some expected Bussiere “to step into the chief of staff role in an acting capacity” when Allvin leaves, but that’s up in the air now, Brian Everstine of Aviation Week reports. Read more, here.

    Developing: The Pentagon is reportedly considering leasing part of California’s Camp Pendleton to developers, with the money going toward the wildly ambitious Golden Dome missile defense system, NBC News reported last week.

    New: The U.S. is sending 10 F-35s to Puerto Rico to fight drug trafficking in the Caribbean, Fox reported Friday. Joseph Trevithick of The War Zone noted the deployment may sound unusual, but “The use of high-end air assets to support those missions in the region is actually very well established,” pointing to B-1B bombers based out of Key West six years ago.  

    Second opinion: “It looks to me like the US military is going to war,” said Fox’s longtime Pentagon correspondent Jennifer Griffin, writing Friday on social media. After all, she continued, “The F35s being sent to Puerto Rico are usually used for large bombing missions like the targeting of Iran’s nuclear facilities—a 5th generation supersonic fighter jet known for its lethality.” And there are “8 US Navy destroyers in the Caribbean near Venezuela[, which] is a first.” 

    Related: “Venezuela pledged on Sunday to sharply boost troops in coastal states to tackle drug trafficking,” Reuters reported Sunday from Caracas. “Some 25,000 troops are set to be deployed, up from the 10,000 which have been deployed in the states of Zulia and Tachira that border Colombia,” the wire service writes, citing remarks from Defense Minister Vladimir Padrino on Sunday. 

    Another thing: “Killing cartel members who poison our fellow citizens is the highest and best use of our military,” Vice President JD Vance wrote on social media this weekend. 

    Sen. Rand Paul, R-Kentucky replied: “What a despicable and thoughtless sentiment it is to glorify killing someone without a trial.”

    Additional reading: 

    Europe 

    Russia’s largest air raid of the Ukraine war killed four people and damaged a government building in Kyiv. Sites across the country were targeted by 810 drones and decoys and 13 missiles, according to Ukrainian air force officials who said they downed 747 drones and four missiles. “Hits from nine missiles and 54 drones were recorded at 33 locations across Ukraine,” AP writes. More, here.

    Elsewhere in Europe: “Berlin considers purchase of Eurofighters, modernisation of Taurus cruise missile,” Reuters reports.

    Around the world

    Three undersea cables were cut in the Red Sea, disrupting internet access in Asia and the Mideast. NetBlocks, which monitors internet access, noted “failures affecting the SMW4 and IMEWE cable systems near Jeddah, Saudi Arabia” that cut some internet service to India and Pakistan. In Kuwait, authorities said the FALCON GCX cable had been cut in the Red Sea.

    It’s not clear who cut the cables. AP: “There has been concern about the cables being targeted in a Red Sea campaign by Yemen’s Houthi rebels, which the rebels describe as an effort to pressure Israel to end its war on Hamas in the Gaza Strip. But the Houthis have denied attacking the lines in the past.” Read on, here.

    Israeli strikes killed more than 40 people overnight in Gaza, AP reports, citing local hospital officials: “At least 19 Palestinians were killed in three separate Israeli strikes, including six children and three women.”

    AP: “Officials at Gaza City’s Shifa Hospital reported that Israeli strikes on a school-turned-shelter and on tents and apartment buildings killed at least 13 Palestinians, including six children and three women. The Israeli military said it was targeting militants near the school and had warned civilians to evacuate.” Read on, here.

    A Houthi drone hit Israel’s southern airport, crashing into the passenger terminal of the Ramon International Airport near Eilat, the Israeli Airports Authority said. One person suffered shrapnel wounds.

    Background: “The attack follows Israeli strikes on Yemen’s rebel-held capital that killed the Houthi prime minister and other top officials in a major escalation of the nearly 2-year-old conflict between Israel and the Iran-backed militant group in Yemen,” AP reports.

    Lastly: South Korea, Japan pledge to work with the United States to deter North Korea. Reuters reports the first official trip to Seoul by a Japanese defence minister since 2015 “comes amid rising geopolitical tensions in the region and after a show of force by China during a military parade last week attended by North Korea's leader.” Read more, here.

    Also: Seoul is upset after hundreds of South Korean workers were handcuffed and detained during an ICE raid on Hyundai’s manufacturing campus in Georgia last week. 

    “The raid stunned many in South Korea because the country is a key U.S. ally. It agreed in July to purchase $100 billion in U.S. energy and make a $350 billion investment in the U.S. in return for the U.S. lowering tariff rates. About two weeks ago, U.S. President Donald Trump and Lee held their first meeting in Washington,” AP writes.

  • Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing

  • In Caracas this week, President Nicolás Maduro unveiled the Huawei Mate X6 gifted by China’s Xi Jinping, declaring the device impervious to U.S. espionage efforts.

    The announcement coincides with heightened tensions between Washington and Beijing, as the United States enforces stringent controls on Chinese telecom equipment.

    Beyond its political symbolism, the Mate X6 has become the focal point of a technical debate within cybersecurity circles regarding its purported resilience against sophisticated intrusion techniques.

    Initial reports describe a novel strain of firmware-level malware—codenamed SpecterShell—that emerged in early August and targets high-end Android devices.

    SpecterShell exploits a custom bootloader vulnerability, intercepting system calls before the operating system kernel initializes.

    By tampering with the boot sequence, the malware can implant a rootkit that remains invisible to standard antivirus solutions.

    Reuters analysts noted this capability allows SpecterShell to execute privileged code and bypass Android’s verified boot mechanism.

    SpecterShell’s attack vectors include compromised supply chain updates and malicious over-the-air packages.

    In a typical scenario, an adversary intercepts an update server request, replaces a legitimate firmware image with a tainted one, and signs it using a stolen developer certificate. Devices that accept the replacement image become permanently backdoored.

    The stealth and persistence of SpecterShell have prompted governments and private security firms to reassess trust in firmware signing infrastructures, as even encrypted channels can be subverted at this low level.

    The impact of SpecterShell extends beyond individual privacy. Compromised devices can be conscripted into botnets for distributed denial-of-service campaigns or leveraged for corporate espionage by exfiltrating sensitive communications.

    Despite Huawei’s insistence on rigorous internal security audits, external researchers have raised concerns about potential hidden capabilities, especially given the company’s history of state mandates to collaborate with national intelligence services if obligated.

    Infection Mechanism

    SpecterShell’s infection mechanism hinges on exploiting the Verified Boot chain of trust. Upon device startup, the bootloader normally verifies the integrity of each stage—bootloader, boot image, and system partitions—using cryptographic signatures.

    SpecterShell circumvents this by patching the bootloader’s verification routine in memory, redirecting signature checks to a malicious handler.

    A simplified pseudocode illustration of the patch is shown below:

    // Simplified SpecterShell bootloader patch (illustrative; not runnable firmware code)
    #include <stdint.h>
    #include <string.h>

    #define SUCCESS 0

    // The bootloader's original verification routine, which the patch wraps
    extern int original_verify(const char *partition, const uint8_t *signature);

    int verify_partition(const char *partition, const uint8_t *signature) {
        if (strcmp(partition, "boot") == 0) {
            // Bypass the signature check for the boot partition only
            return SUCCESS;
        }
        return original_verify(partition, signature);
    }

    This snippet demonstrates how SpecterShell conditionally bypasses authentication only for critical partitions, preserving system functionality while embedding a durable rootkit.

    By intercepting partition verification at runtime, it leaves no forensic trace on disk, complicating detection and removal efforts.
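    As an added illustration of the chain of trust the section describes (constructed here, not code from Huawei, Android or the reported malware), the model below links bootloader, boot image and system stages by hash trailers under a ROM-pinned root hash, then shows a modified boot image failing at exactly the stage the described patch short-circuits. It substitutes a SHA-256 hash chain for real Verified Boot signature checks; the point it makes is that the same walk, re-run off-device against the pinned root, still catches tampering that a patched on-device verifier ignores.

```python
import hashlib

HASH_LEN = 32  # SHA-256 digest size


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_images(payloads):
    """Build a chain of stage images from (name, payload) pairs in boot order.

    Each image is payload || sha256(next image); the last stage carries no
    trailer. Returns (images, root_hash), where root_hash is what a ROM would
    pin for the first stage. Constructed model of hash-descriptor chaining.
    """
    images = {}
    next_hash = b""
    for name, payload in reversed(payloads):
        image = payload + next_hash
        images[name] = image
        next_hash = _sha256(image)
    return images, next_hash  # now the hash of the first stage


def verify_chain(order, images, root_hash):
    """Walk the chain as a bootloader would. Returns (ok, failing_stage)."""
    expected = root_hash
    for i, name in enumerate(order):
        image = images[name]
        if _sha256(image) != expected:
            return False, name
        is_last = i == len(order) - 1
        expected = b"" if is_last else image[-HASH_LEN:]
    return True, None


BOOT_ORDER = ["bootloader", "boot", "system"]


def demo():
    """Constructed example: a clean chain, then the same chain with a modified
    boot image. The ROM-pinned root hash is unchanged, so the tamper surfaces
    at the 'boot' stage."""
    payloads = [("bootloader", b"BL v1.0"),
                ("boot", b"kernel+ramdisk"),
                ("system", b"system.img")]
    images, root = build_images(payloads)
    clean = verify_chain(BOOT_ORDER, images, root)
    tampered = dict(images)
    # Keep the genuine trailer so only the payload bytes differ.
    tampered["boot"] = b"kernel+ramdisk+implant" + images["boot"][-HASH_LEN:]
    return {"clean": clean, "tampered": verify_chain(BOOT_ORDER, tampered, root)}


if __name__ == "__main__":
    print(demo())
```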

    The post Venezuela’s Maduro Says Huawei Mate X6 Gift From China is Unhackable by U.S. Spies appeared first on Cyber Security News.

  • Security researchers first observed LunaLock in early September 2025, a sophisticated ransomware strain targeting independent illustrators and digital artists.

    Leveraging compromised credentials and social engineering, the group behind LunaLock has zeroed in on a niche marketplace—Artists & Clients—where freelance creators exchange custom commissions.

    Initial intrusion involved spear-phishing campaigns disguised as royalty notifications, enticing victims to download trojanized ‘invoice’ attachments.

    Once executed, the payload establishes a foothold and begins reconnaissance of art assets and client databases, all while preparing for rapid encryption.

    VenariX analysts identified LunaLock’s multi-stage deployment after correlating unusual outbound HTTP requests from artist workstations with the timing of mass file encryption.

    Their telemetry revealed that the malware extracts user tokens from Microsoft Teams and Slack clients, allowing lateral movement across shared design repositories and project management platforms.

    Victims report encrypted source PSD and AI files with a unique “.lunalock” extension appended to filenames, accompanied by a ransom note demanding payment in Monero.

    Ransom page (Source – X)

    The ransomware’s impact extends beyond data encryption: stolen artwork is exfiltrated to a remote command-and-control server before victims receive decryption keys, creating dual leverage.

    Publicly disclosed samples show a modular architecture featuring plugins for network propagation, credential theft, and evasion of endpoint detection systems.

    A notable innovation is the integration of a minified JavaScript module that disables Windows Defender real-time scanning processes by injecting into the Service Control Manager.

    Infection Mechanism

    A deep dive into LunaLock’s infection mechanism uncovers a custom loader that dynamically resolves Win32 API calls to evade static analysis.

    Upon execution, the loader parses its own PE header to locate the IAT and reconstruct API names using an XOR-based obfuscation key. Once the resolve function is in place, the main payload is mapped into memory without ever touching the disk:

    // Dynamic API resolution snippet (illustrative fragment, not a complete program)
    #include <windows.h>

    BYTE obfName[] = {0x5F,0x23,0xA7,0x19};   // 4-byte XOR key
    extern BYTE encName[];                     // obfuscated API name bytes
    extern DWORD nameLen;                      // length of the obfuscated name
    char nameBuf[64] = {0};                    // decoded, NUL-terminated name

    for (DWORD i = 0; i < nameLen && i < sizeof(nameBuf) - 1; ++i) {
        nameBuf[i] = (char)(obfName[i % sizeof(obfName)] ^ encName[i]); // key repeats every 4 bytes
    }
    HMODULE hMod = LoadLibraryA("kernel32.dll");
    FARPROC pFunc = GetProcAddress(hMod, nameBuf);

    Following resolution, LunaLock establishes persistence by creating a hidden Scheduled Task named “SysUpdate,” ensuring execution at every reboot.

    The loader then signals the C2 server via HTTPS, confirming successful deployment before initiating AES-256 encryption across mapped network drives.
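    The detection logic a SOC would build from the indicators named above (the “SysUpdate” scheduled task, a burst of renames to the .lunalock extension, and an outbound connection just before it), run over constructed sample telemetry; this is an added example, not VenariX's tooling, and the log line format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real LunaLock data): one event per line,
# "ISO-timestamp host EventType key=value ...". ART-WS01 shows the pattern the
# report describes; ART-WS02 is benign activity that must not alert.
SAMPLE_LOG = """\
2025-09-02T09:14:02 ART-WS01 NetConnect dst=203.0.113.10 dst_port=443 proc=invoice.exe
2025-09-02T09:14:05 ART-WS01 TaskCreated event_id=4698 task=\\SysUpdate author=ART-WS01\\maya
2025-09-02T09:15:10 ART-WS01 FileRename old=cover.psd new=cover.psd.lunalock
2025-09-02T09:15:11 ART-WS01 FileRename old=logo.ai new=logo.ai.lunalock
2025-09-02T09:15:11 ART-WS01 FileRename old=sketch.psd new=sketch.psd.lunalock
2025-09-02T09:15:12 ART-WS01 FileRename old=brief.pdf new=brief.pdf.lunalock
2025-09-02T09:15:12 ART-WS01 FileRename old=ref.png new=ref.png.lunalock
2025-09-02T09:40:00 ART-WS02 FileRename old=draft.psd new=draft_v2.psd
2025-09-02T09:41:00 ART-WS02 NetConnect dst=192.0.2.8 dst_port=443 proc=chrome.exe
"""

BURST_MIN = 5                         # this many .lunalock renames ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window = encryption burst
C2_LOOKBACK = timedelta(minutes=5)    # outbound connection shortly before the burst
TASK_NAME = "sysupdate"               # persistence task named in the report


def parse_event(line: str) -> dict:
    ts, host, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def _burst_start(times):
    """First timestamp at which BURST_MIN renames fall inside BURST_WINDOW."""
    for i in range(len(times) - BURST_MIN + 1):
        if times[i + BURST_MIN - 1] - times[i] <= BURST_WINDOW:
            return times[i]
    return None


def detect(lines):
    """Return (host, severity, message) alerts for the three LunaLock signals."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        # 1. The hidden "SysUpdate" scheduled task used for persistence.
        for ev in evs:
            if ev["kind"] == "TaskCreated" and ev.get("task", "").lstrip("\\").lower() == TASK_NAME:
                alerts.append((host, "high", f"scheduled task {ev['task']} created at {ev['ts']}"))
        # 2. A burst of renames to the .lunalock extension.
        renames = [e["ts"] for e in evs
                   if e["kind"] == "FileRename" and e.get("new", "").lower().endswith(".lunalock")]
        start = _burst_start(renames)
        if start is None:
            continue
        alerts.append((host, "critical", f"{len(renames)} files renamed to .lunalock from {start}"))
        # 3. Outbound connection in the lookback window before the burst (C2 check-in).
        for ev in evs:
            if ev["kind"] == "NetConnect" and start - C2_LOOKBACK <= ev["ts"] < start:
                alerts.append((host, "critical",
                               f"{ev.get('proc')} connected to {ev.get('dst')}:{ev.get('dst_port')} "
                               f"at {ev['ts']}, shortly before the encryption burst"))
    return alerts


if __name__ == "__main__":
    for host, sev, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {host}: {msg}")
```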

    The post LunaLock Ransomware Attacking Artists to Steal and Encrypt Data appeared first on Cyber Security News.

  • A massive data breach in early September 2025 attributed to a cyber actor known simply as “Kim” laid bare an unprecedented view into the operational playbook of Kimsuky (APT43).

    The leak, comprising terminal history files, phishing domains, OCR workflows, compiled stagers, and a full Linux rootkit, revealed a credential-centric campaign that targeted South Korean government PKI systems and Taiwanese academic networks.

    The artifacts include bash histories that showcase iterative shellcode development with NASM, alongside OCR commands used to extract configurations from Korean-language PDF documents related to PKI and VPN deployments.

    The scope of the breach highlights an evolution in technique, blending old-school rootkit persistence with sophisticated adversary-in-the-middle phishing infrastructure.

    Adversary’s desktop VM (Source – Domaintools)

    Domaintools analysts identified evidence of domain telemetry pointing to a sprawling network of malicious sites mimicking official Korean portals, including nid-security.com and webcloud-notice.com.

    These sites employed real-time TLS proxies to intercept credentials, a marked shift from document-based harvesting toward active AiTM interception.

    The dump further contained PAM logs detailing administrative password rotations—tagged 변경완료 (“change complete”)—for high-privilege accounts such as oracle, svradmin, and app_adm01. Plaintext GPKI key files like 136백운규001_env.key confirmed direct compromise of South Korean government cryptographic assets.

    Beyond South Korea, Domaintools researchers noted that the actor conducted targeted reconnaissance of Taiwanese government and research institutions, accessing .git directories to enumerate exposed source repositories and harvest embedded secrets.

    Domain connections map (Source – Domaintools)

    IP addresses such as 163.29.3.119 and 118.163.30.45, registered to Taiwanese government backbones, underscore deliberate supply-chain probing.

    The presence of burner email addresses linked to phishing kits, alongside logs of reconnaissance against gitee.com and baidu.com, reflects a hybrid DPRK–PRC footprint that leverages Chinese infrastructure for staging and evasion.

    Infection Mechanism

    A closer examination of the malware’s infection mechanism reveals a two-stage loader that combines custom shellcode with publicly available frameworks.

    The initial payload is a handcrafted NASM shellcode stub, compiled with flags such as -f win32, that allocates memory via VirtualAlloc and resolves Win32 API calls through hashed import tables:

    ; start.asm (reconstructed: stdcall arguments are pushed right-to-left)
    BITS 32
    extern __imp__VirtualAlloc@16        ; import thunk emitted by `nasm -f win32`
    section .text
    global _start
    _start:
        push 0x40                        ; flProtect = PAGE_EXECUTE_READWRITE
        push 0x3000                      ; flAllocationType = MEM_COMMIT | MEM_RESERVE
        push 4096                        ; dwSize = one page
        push 0                           ; lpAddress = NULL, let the kernel choose
        call [__imp__VirtualAlloc@16]    ; EAX = base of the new region
        ; Hash API resolution and payload injection follows

    Once memory is allocated, the loader decrypts and patches a secondary payload—often a CobaltStrike-derived stager—into the process before transferring execution.

    This approach evades signature-based detection, as the shellcode is polymorphic and the API calls are obfuscated by simple XOR hashing routines.

    Persistence is achieved through a bespoke Linux rootkit, vmmisc.ko, which hooks syscalls such as read and getdents to conceal files, directories, and network sockets.

    Upon insertion via insmod /usr/lib64/tracker-fs/vmmisc.ko, the rootkit decompresses an embedded userland backdoor binary, then installs a SOCKS5 proxy and PTY-based reverse shell protected by a passphrase (testtest).

    Rootkit implant (Source – Domaintools)

    The rootkit’s dual-mode binary embedding technique merges the kernel module and userland executable, leaving only the .ko file on disk to thwart forensic discovery.
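    A module that hooks read and getdents can hide its own file, but inserting an unsigned out-of-tree .ko still leaves marks the kernel itself records: taint flags, ring-buffer messages and a sysfs entry. The following is an added example, not the article's or Domaintools' tooling and not derived from the vmmisc.ko sample (its name is used only in constructed data): an offline audit that decodes /proc/sys/kernel/tainted, scans kernel log lines for out-of-tree or unsigned module loads, and compares /proc/modules with the loadable modules listed under /sys/module. The sample inputs and the assumption that a self-hiding module still has its /sys/module entry are constructed heuristics, not facts from the page.

```python
"""Audit a Linux host for an out-of-tree or hidden kernel module.

Added example; not the article's or Domaintools' tooling and not derived from
the vmmisc.ko sample (its name appears only in constructed test data). Inputs
are passed as text/dicts so the logic runs offline; on a live host feed it
/proc/modules, /proc/sys/kernel/tainted, the names under /sys/module and the
kernel ring buffer (dmesg)."""
import re

# Kernel taint flags, subset of Documentation/admin-guide/tainted-kernels.rst.
TAINT_BITS = {
    0: "P: proprietary module loaded",
    1: "F: module force-loaded",
    7: "D: kernel died recently",
    9: "W: kernel warning issued",
    10: "C: staging driver loaded",
    12: "O: out-of-tree module loaded",
    13: "E: unsigned module loaded",
    15: "K: kernel live-patched",
}
MODULE_TAINTS = {12, 13}   # the two flags an unsigned third-party .ko sets

# Messages kernel/module.c logs when such a module is inserted.
KMSG_RE = re.compile(
    r"(?P<mod>\w+): (?:loading out-of-tree module taints kernel|module verification failed)"
)

# Constructed samples: a host where vmmisc was insmod'ed and then unlinked itself from /proc/modules.
PROC_MODULES = """\
xfs 1896448 2 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000
"""
SYS_MODULE = {"xfs": True, "libcrc32c": True, "vmmisc": True, "printk": False}  # name -> has initstate file
TAINTED = (1 << 12) | (1 << 13)    # 12288, what /proc/sys/kernel/tainted would read
KMSG = """\
[  812.331201] vmmisc: loading out-of-tree module taints kernel.
[  812.331305] vmmisc: module verification failed: signature and/or required key missing - tainting kernel
"""


def decode_taint(value):
    """Map a /proc/sys/kernel/tainted integer to the flags that are set."""
    return {bit: desc for bit, desc in TAINT_BITS.items() if value & (1 << bit)}


def hidden_modules(proc_modules_text, sys_module_entries):
    """Loadable modules (they have /sys/module/<name>/initstate) missing from /proc/modules.

    Built-in modules also get a /sys/module entry but no initstate, so they are excluded."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(name for name, loadable in sys_module_entries.items()
                  if loadable and name not in listed)


def oot_loads(kmsg_text):
    """Module names the kernel reported as out-of-tree or failing signature verification."""
    return sorted({m["mod"] for m in KMSG_RE.finditer(kmsg_text)})


def audit(proc_modules_text, sys_module_entries, tainted_value, kmsg_text):
    """Collect every finding as a human-readable line."""
    findings = []
    set_flags = decode_taint(tainted_value)
    for bit in sorted(MODULE_TAINTS & set_flags.keys()):
        findings.append(f"taint flag {set_flags[bit]}")
    for name in hidden_modules(proc_modules_text, sys_module_entries):
        findings.append(f"module {name} present in /sys/module but absent from /proc/modules")
    for name in oot_loads(kmsg_text):
        findings.append(f"kernel log shows out-of-tree/unsigned load of {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(PROC_MODULES, SYS_MODULE, TAINTED, KMSG):
        print("!", finding)
```

    The taint value is the most durable of the three signals: it is set by the kernel at load time and cannot be cleared without a reboot, so it survives the module hiding its file and its list entry. A rootkit that also removes its kobject would defeat the sysfs comparison, which is why the checks are stacked rather than relied on singly; shipping the ring buffer to a remote collector keeps the load messages out of the rootkit's reach as well.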

    Attack chain (Source – Domaintools)

    This infection chain underscores a blend of manual tool assembly and opportunistic use of open-source repositories such as TitanLdr and Blacklotus, demonstrating Kimsuky’s growing sophistication.

    Organizations across South Korea and Taiwan must now anticipate multi-stage, credential-first attacks that combine low-level shellcode engineering with stealthy kernel-mode implants.

    The post Exposed ‘Kim’ Dump Exposes Kimsuky Hackers New Tactics, Techniques, and Infrastructure appeared first on Cyber Security News.

  • LunaLock, a newly surfaced ransomware strain, has launched a targeted campaign against independent artists and their clients, demanding a hefty ransom in exchange for stolen creative works and leaked personal data. Emerging in early September 2025, the LunaLock group claims responsibility for breaching Artists & Clients, a popular digital marketplace where illustrators connect with patrons […]

    The post LunaLock Ransomware Attacking Artists to Steal and Encrypt Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
