-
The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file (“250908_A_HK이노션
-
A sophisticated campaign targeting military personnel across Russia and Belarus has emerged, deploying a complex multi-stage infection chain that establishes covert remote access through Tor-based infrastructure.
Operation SkyCloak represents a stealth-oriented intrusion effort aimed at the Russian Airborne Forces and Belarusian Special Forces, utilizing legitimate OpenSSH binaries and obfs4 bridges to mask communication channels while maintaining persistence on compromised systems.
The attack begins with phishing archives containing shortcut files disguised with double extensions, masquerading as official military documents.
The first lure mimics a nomination letter from Military Unit 71289, referencing the 83rd Separate Guards Airborne Assault Brigade stationed in Ussuriysk.
The second decoy targets Belarusian Special Forces personnel with training notifications for Military Unit 89417, the 5th Separate Spetsnaz Brigade located near Minsk.
These carefully crafted documents were weaponized in late September 2025, with archive files uploaded from Belarus between October 15 and October 21.
Once executed, the shortcut files trigger PowerShell commands that initiate a sophisticated dropper mechanism.
The malware extracts nested archive files into directories with cryptic naming schemes such as %APPDATA%\dynamicUpdatingHashingScalingContext and %USERPROFILE%\Downloads\incrementalStreamingMerging. The multi-stage extraction process deploys payloads into hidden folders including $env:APPDATA\logicpro or $env:APPDATA\reaper, containing multiple executables, XML configuration files, decoy PDFs, and supporting DLLs.
Infection Chain (Source – Seqrite)
Seqrite analysts identified this campaign as part of a broader pattern of operations targeting Russian defense infrastructure, noting similarities to previous attacks such as HollowQuill and CargoTalon.
The researchers observed that the malware employs sophisticated anti-analysis techniques to evade sandbox detection, including checks for legitimate user activity by verifying the presence of more than ten shortcut files in the Windows Recent folder and ensuring process counts exceed 50 before proceeding with execution.
PowerShell Execution and Persistence Mechanisms
The PowerShell stage implements multiple evasion and persistence tactics to ensure long-term access to compromised systems.
The script creates a mutex to prevent multiple instances from running simultaneously, then registers scheduled tasks through XML configuration files that establish daily execution triggers starting at 2025-09-25T01:41:00-08:00.
These tasks are configured to run hidden, even when the computer is idle, without network connectivity, and with no execution time limits.
The malware deploys legitimate “OpenSSH for Windows” binaries compiled on December 13, 2023, including githubdesktop.exe and googlemaps.exe as SSH daemons, along with ssh-shellhost.exe for interactive sessions and libcrypto.dll for encryption functions. Configuration files specify non-standard port 20321 for SSH services, disable password authentication, and require public key authentication using files with obfuscated names like redundantOptimizingInstanceVariableLogging and incrementalMergingIncrementalImmutableProtocol. The campaign exposes multiple services through Tor hidden services, including SSH on port 20322, SMB on port 11435, RDP on port 13893, and additional custom ports.
Communication occurs through obfs4 pluggable transports using binaries named confluence.exe and rider.exe, which connect to bridge endpoints at 77.20.116.133:8080 and 156.67.24.239:33333. The malware generates identification beacons formatted as <username>:<onion-address>:3-yeeifyem and transmits them through the local Tor SOCKS listener on port 9050, waiting for the onion address yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion to become available before establishing persistent communication channels.
The post New Operation SkyCloak Uses Powershell Tools and Hidden SSH Service to Unblock Traffic appeared first on Cyber Security News.
-
Cybersecurity researchers at Tier Zero Security have released a specialised Beacon Object File (BOF) tool that exploits a critical weakness in Microsoft Teams cookie encryption, enabling attackers to steal user chat messages and other sensitive communications. The vulnerability stems from how Microsoft Teams handles cookie encryption compared to modern Chromium-based browsers. While contemporary browsers like […]
The post New BOF Tool Bypasses Microsoft Teams Cookie Encryption to Steal User Chats appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Multiple vulnerabilities have been disclosed in Microsoft’s Graphics Device Interface (GDI), a core component of the Windows operating system responsible for rendering graphics.
These flaws, discovered by Check Point through an intensive fuzzing campaign targeting Enhanced Metafile (EMF) formats, could enable remote attackers to execute arbitrary code or steal sensitive data.
The issues were responsibly disclosed to Microsoft and patched across multiple Patch Tuesday updates in 2025, but they underscore ongoing risks in legacy graphics processing.
The vulnerabilities stem from improper handling of EMF+ records, which are used in documents and images processed by applications like Microsoft Office and web browsers.
Attackers could exploit them by tricking users into opening malicious files, such as rigged Word documents or image thumbnails, potentially leading to full system compromise without user interaction.
Check Point’s analysis, detailed in a recent blog post, emphasizes how these bugs arose from invalid rectangle objects, buffer overflows, and incomplete prior fixes, highlighting the challenges of securing deeply embedded system libraries.
Windows Graphics Vulnerabilities
CVE-2025-30388, rated Important with a CVSS score of 8.8, involves out-of-bounds memory operations during the processing of records like EmfPlusDrawString and EmfPlusFillRects.
Triggered by malformed EmfPlusSetTSClip records, it allows attackers to read or write beyond allocated heap buffers, potentially leaking data or enabling code execution.

This flaw affects Windows 10 and 11, as well as Office for Mac and Android, and Microsoft deems it “Exploitation More Likely” due to its accessibility via common file formats.
The most severe, CVE-2025-53766 (Critical, CVSS 9.8), permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function.
By crafting EmfPlusDrawRects records with oversized rectangles, attackers can overflow scan-line buffers in bitmap rendering, bypassing boundaries in thumbnail generation. No privileges are required, making it ideal for network-based attacks on services parsing EMF files.
CVE-2025-47984 (Important, CVSS 7.5), an information disclosure bug, exploits a lingering flaw in EMR_STARTDOC record handling, tied to an incomplete fix for CVE-2022-35837.
It causes over-reads in string length calculations, exposing adjacent heap memory. Classified as a protection mechanism failure (CWE-693), this could aid further attacks by revealing system secrets.
| CVE ID | Severity | CVSS v3.1 Score | Affected Products | Impact | Patch KB |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-30388 | Important | 8.8 | Windows 10/11, Office (Mac/Android) | RCE, Info Disclosure | KB5058411 (May) |
| CVE-2025-53766 | Critical | 9.8 | Windows 10/11 | Remote Code Execution | KB5063878 (Aug) |
| CVE-2025-47984 | Important | 7.5 | Windows 10/11 | Information Disclosure | KB5062553 (Jul) |
Mitigations
Microsoft addressed these in GdiPlus.dll and gdi32full.dll updates, adding validations for rectangles, scan-lines, and offsets to prevent overflows. Users should apply patches immediately and enable automatic updates.
Check Point recommends disabling EMF rendering in untrusted contexts, using sandboxed viewers for documents, and monitoring for anomalous graphics processing.
These discoveries, part of a fuzzing effort on Windows kernel graphics, reveal how subtle errors in file parsing can evade detection for years. As remote work and cloud services proliferate, such vulnerabilities pose escalating threats to enterprises.
The post Windows Graphics Vulnerabilities Allow Remote Attackers to Execute Arbitrary Code appeared first on Cyber Security News.
-
A Ukrainian national accused of participating in one of the most damaging ransomware campaigns in history has been extradited from Ireland to face charges in the United States. Oleksii Oleksiyovych Lytvynenko, 43, appeared in federal court in Tennessee following his transfer from Irish custody, where he had been held since his arrest in July 2023. […]
The post Conti Ransomware Operator Extradited to the United States appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Microsoft has acknowledged a persistent bug affecting Windows 11 versions 24H2 and 25H2 that prevents Task Manager from properly terminating when users close the application. The issue causes multiple instances of the system monitoring tool to accumulate in the background, potentially degrading device performance over time.
Background Processes Pile Up Unnoticed
The problem occurs when […]
The post Windows 11 24H2/25H2 Flaw Keeps Task Manager Running After You Close It appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A specialized Beacon Object File (BOF) has been released that is designed to extract authentication cookies from Microsoft Teams without disrupting the application.
This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents.
The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams’ file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.
The innovation stems from a detailed analysis of Teams’ authentication process. As outlined in a recent research post by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft’s online services.
During authentication, this process writes cookies to a SQLite database in a manner similar to traditional web browsers.
These cookies contain access tokens that grant entry to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.
However, modern Chromium browsers have bolstered their defenses. They now protect encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller’s legitimacy by checking the executable’s secure installation path.
This setup demands either execution within the browser process or elevated administrator access to decrypt cookie values.
In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user’s master key, making its cookies comparatively easier to target once the encryption key is obtained.
Overcoming File Locks With Process Injection
A key hurdle in the original research was Teams’ runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies.
Killing the MS-Teams.exe process, as suggested in the post, would alert users and trigger security monitoring.
To address this, the researchers drew inspiration from the Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service.
The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the ms-teams.exe process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file.
It duplicates these handles, reads the file contents on the fly, and decrypts the values using the user’s DPAPI master key. This approach ensures stealth, as the tool mimics legitimate process activity without file system disruptions.
Notably, the BOF’s flexibility extends beyond Teams injection. It can execute in any process sharing the same user privileges, querying webview children across the system to download relevant cookies.
While this broadens its applicability, it also introduces detectable indicators, such as unusual handle operations on unrelated processes.
For demonstration, the researchers shared a Gist script that achieves similar results from a neutral context, though it risks pulling non-Teams cookies as collateral.
Implications For Red Teamers And Defenders
The decryption mechanism mirrors Cookie-Monster-BOF exactly, employing AES-256-GCM after extracting the nonce and encrypted payload from the “v10”-tagged values in the database.
Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.
Tier Zero Security has made the BOF publicly available on GitHub, compatible with any C2 framework supporting Beacon payloads, and it requires no arguments for basic use.
This release underscores a persistent gap in Teams’ security model compared to hardened browsers. Organizations should prioritize behavioral monitoring for process injection, enforce least-privilege execution, and consider endpoint detection rules targeting DPAPI accesses or webview handle manipulations.
As hybrid work relies heavily on Teams, such vulnerabilities highlight the need for ongoing scrutiny of embedded browser components in productivity apps.
The post New BOF Tool Exploits Microsoft Teams’ Cookie Encryption allowing Attackers to Access User Chats appeared first on Cyber Security News.
-
Security researcher TwoSevenOneT has released EDR-Redir V2, an upgraded evasion tool that exploits Windows bind link technology to bypass endpoint detection and response solutions on Windows 11. The new version demonstrates a sophisticated approach to redirecting security software by manipulating parent directories rather than directly targeting protected EDR folders.
Novel Attack Methodology Targets Parent Folders
[…]
The post EDR-Redir V2 Evades Detection on Windows 11 by Faking Program Files appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
OpenAI has announced the launch of Aardvark, an autonomous AI security agent powered by GPT-5 that aims to revolutionize how organizations discover and fix software vulnerabilities. The new tool, currently available in private beta, represents a significant advancement in automated security research and threatens to shift the balance of power in favor of cyber defenders. […]
The post OpenAI Introduces Aardvark, an AI Security Agent Powered by GPT-5 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Privacy-focused technology company Proton has issued a warning about the escalating data breach crisis, revealing that hundreds of millions of stolen login credentials are actively circulating on the dark web. Through its Data Breach Observatory initiative, Proton is directly monitoring underground cybercriminal forums to identify and report data leaks in real time, helping businesses protect […]
The post Proton Warns of 300 Million Stolen Login Details Circulating on Dark Web appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.