TransparentTribe, a Pakistani-nexus intrusion set active since at least 2013, has intensified its cyber espionage operations targeting Linux-based systems of Indian military and defense organizations.

The campaign, initially documented in July 2025 by CYFIRMA with activity traced back to June 2025, has evolved significantly with the development of a sophisticated Golang-based remote access trojan dubbed DeskRAT.

This malware represents a notable escalation in the group’s technical capabilities, demonstrating their commitment to maintaining strategic cyber dominance against Indian defense interests.

The attack campaign employs a deceptively simple yet effective multi-stage delivery mechanism that begins with phishing emails containing malicious ZIP archives.

These archives are disguised with innocuous-sounding names such as “MoM_regarding_Defence_Sectors_by_Secy_Defence” to evade initial detection.

Upon extraction, the archives reveal a DESKTOP file that masquerades as a legitimate PDF document, complete with a PDF icon to reinforce the deception.

When executed by unsuspecting users, the file triggers a complex infection chain that ultimately establishes persistent remote access to compromised systems.

Sekoia analysts identified and analyzed the evolution of this campaign through their threat detection systems, discovering new samples in August and September 2025 that revealed an updated infection chain.

The researchers implemented multiple YARA rules to track the activity and found samples that were previously unknown to other security vendors, indicating the group’s efforts to stay ahead of conventional detection mechanisms.

This discovery underscores the sophistication and evolving nature of TransparentTribe’s operations.

The technical infrastructure supporting this campaign has also undergone refinement. Initial phishing emails directed targets to ZIP files hosted on legitimate cloud services such as Google Drive, but the operation has since shifted to dedicated staging servers.

This evolution demonstrates operational security awareness and an attempt to avoid reliance on third-party platforms that could be more easily monitored or suspended by security teams.

Deceptive Infection Mechanism Through Embedded Obfuscation

The DESKTOP file employed in this campaign contains a particularly ingenious obfuscation technique that hides malicious Bash commands within thousands of lines of commented PNG image data.

The actual [Desktop Entry] section containing the malware execution instructions is strategically placed between two massive blocks of PNG data, effectively concealing the payload from casual inspection.

This layering technique exploits the fact that a typical user reviewing the file would encounter overwhelming amounts of image data before discovering the embedded commands.

The Bash one-liner executed upon file activation orchestrates a sophisticated multi-stage payload delivery.

The command first generates a unique filename in the /tmp/ directory using a timestamp, then downloads an encoded binary from the remote staging server using curl with specific error-handling flags.

The downloaded content undergoes dual decoding: initial hexadecimal conversion using xxd, followed by Base64 decryption.

Once decoded, the payload executes directly through eval, gaining immediate control of the system.

Simultaneously, the infection chain launches Firefox to display a decoy PDF document hosted on the attacker’s server, creating the illusion of a legitimate document opening while the RAT silently establishes its presence.

This coordinated execution provides social engineering cover for the malware installation.

DeskRAT itself maintains command and control communications through WebSocket connections, enabling real-time interaction between the attackers and compromised systems.

The malware’s Golang implementation provides cross-platform compatibility and enhanced persistence capabilities, making it particularly effective against the diverse Linux environments deployed throughout Indian military infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post TransparentTribe Attack Linux-Based Systems of Indian Military Organizations to Deliver DeskRAT appeared first on Cyber Security News.

As the festive season approaches, organizations are witnessing a disturbing increase in targeted attacks on digital gift card systems.

The Jingle Thief campaign, orchestrated by financially motivated threat actors based in Morocco, has emerged as a notorious campaign exploiting seasonal vulnerabilities to steal and monetize gift cards at scale.

By leveraging tailored phishing and smishing campaigns, the attackers set their sights on major retailers and large enterprises operating cloud-based infrastructures, particularly those reliant on Microsoft 365 and similar services.

Their goal: compromise user credentials, gain unauthorized access, and exploit gift card systems during periods of heightened activity and reduced vigilance.

The operation begins with carefully crafted phishing emails and SMS messages that entice victims into providing their login details via deceptive portals mimicking legitimate Microsoft 365 interfaces.

These counterfeit sites, uniquely branded to mirror the targeted organization’s style, harvest credentials while evading routine detection.

Attackers often send out these lures using self-hosted PHP mailer scripts running from compromised WordPress servers, effectively obscuring their own infrastructure.

Once inside, they proceed with extensive reconnaissance, pivoting laterally through SharePoint and OneDrive accounts to locate internal documentation and gift card issuance workflows.

Their sophistication lies not merely in the initial compromise but in their ability to remain undetected—sometimes for months—while orchestrating repeated fraud attempts across multiple gift card issuance applications.

Palo Alto Networks analysts tracked the Jingle Thief campaign under cluster CLCRI1032, linking it to known threat entities such as Atlas Lion and STORM-0539.

Their research uncovered advanced operational tactics focused on maintaining persistence and operational patience.

Attacks observed in early 2025 saw over 60 user accounts compromised within a single global organization, with threat actors demonstrating adaptable methods to subvert defensive controls, including mailbox manipulation and identity infrastructure abuse.

The attack lifecycle showcases how initial access via phishing evolves toward long-term persistence through rogue device registration.

Infection Mechanism: Persistence through Device Registration

A striking element of the Jingle Thief campaign is its method of establishing persistent, malware-resistant access.

After credential theft, threat actors exploit Microsoft Entra ID’s self-service and device enrollment features, registering attacker-controlled devices and rogue authenticator apps.

This approach subverts multi-factor authentication (MFA), allowing them continuous access—even after password resets.

The attackers have been observed silently enrolling smartphones using the native onboarding process:-

# Example: Rogue Device Enrollment – Simulated Python workflow
import requests
url = "https://entra.microsoft.com/device/register"
data = {"user_id": compromised_id, "device_info": attacker_device}
requests.post(url, json=data)

This illustrating how the adversary leverages legitimate MFA onboarding to entrench in the environment, making detection extremely challenging.

Through these advanced techniques, Jingle Thief attackers reliably evade conventional security controls, rendering typical remediation measures ineffective until full identification and infrastructure clean-up are achieved.

Cybersecurity teams are urged to prioritize identity-based monitoring and behavioral anomaly detection, especially during festive seasons when such threats intensify.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Jingle Thief Attackers Exploiting Festive Season with Weaponized Gift Card Attacks appeared first on Cyber Security News.

The cybersecurity landscape experienced a significant shift in July 2025 when threat actors associated with Warlock ransomware began exploiting a critical zero-day vulnerability in Microsoft SharePoint.

Discovered on July 19, 2025, the ToolShell vulnerability, tracked as CVE-2025-53770, became a primary vector for deploying the notorious Warlock ransomware across multiple organizations globally.

This exploitation marked a notable escalation in the threat landscape, introducing a sophisticated attack methodology that combines known exploitation techniques with emerging malware tactics.

Warlock’s emergence traces back to June 2025, though its initial prominence remained limited until the ToolShell zero-day attacks commenced.

The ransomware distinguishes itself through its China-based operational framework, a departure from the traditional Russian-centric ransomware ecosystem.

What began as a localized threat rapidly evolved into a coordinated attack campaign targeting organizations across diverse sectors, from engineering firms in the Middle East to financial institutions in the United States.

Symantec analysts and Carbon Black researchers identified a sophisticated operational structure behind Warlock’s deployment.

The investigation revealed that the threat group, known as Storm-2603 to Microsoft threat intelligence teams, deployed Warlock alongside multiple ransomware payloads including LockBit 3.0.

This polyglot approach demonstrated operational flexibility and suggested a broader arsenal of cyber-attack capabilities.

Understanding the Infection Mechanism and Persistence Tactics

The infection mechanism employed by Warlock actors showcases considerable technical sophistication.

The attackers utilized DLL sideloading as their primary execution method, leveraging the legitimate 7-Zip application (7z.exe) to load a malicious payload named 7z.dll.

This technique, widely adopted by Chinese threat actors, bypassed conventional security detections by disguising malicious code within legitimate application processes.

Once executed, Warlock implemented aggressive file encryption using the .x2anylock extension for encrypted files.

Security researchers observed that Warlock appeared to be a rebrand of the older Anylock payload, though it incorporated modifications derived from LockBit 3.0 source code.

The ransomware deployed a custom command and control framework designated ak47c2, enabling the attackers to maintain persistent communication channels with infected systems.

Additionally, the threat actors deployed custom defense evasion tools signed with a stolen certificate from coolschool, utilizing Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and establish system dominance.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Warlock Ransomware Actors Exploiting Sharepoint ToolShell Zero-Day Vulnerability in New Attack Wave appeared first on Cyber Security News.

A sophisticated Python-based remote access trojan has emerged in the gaming community, disguising itself as a legitimate Minecraft client to compromise unsuspecting users.

The malware, identified as a multi-function RAT, leverages the Telegram Bot API as its command and control infrastructure, enabling attackers to exfiltrate stolen data and remotely interact with victim machines.

By masquerading as “Nursultan Client,” a name associated with a legitimate Minecraft modification popular among Eastern-European and Russian gaming communities, the threat successfully deceives users into executing the malicious payload.

The malware was packaged using PyInstaller, resulting in an unusually large 68.5 MB executable file.

This inflation serves a dual purpose: accommodating Python dependencies while evading security tools configured to bypass files exceeding certain size thresholds.

Upon execution, the sample immediately conceals its presence by hiding the console window on Windows systems while displaying a fake installation progress bar to maintain the illusion of legitimate software installation.

Netskope researchers identified the threat during routine threat hunting activities, discovering the executable with SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61.

The analysis revealed that the malware attempts to establish persistence by creating a registry key named “NursultanClient” in the Windows startup path. However, this persistence mechanism contains critical flaws that will likely cause it to fail.

The malware incorrectly constructs the startup command for the compiled executable, as it was designed for a raw Python script rather than a PyInstaller application.

Additionally, the temporary directory created during execution is deleted once the process exits, preventing the malware from running on subsequent system startups.

Telegram-Based Command and Control Infrastructure

The malware’s core operation centers on its abuse of Telegram as a covert command and control channel.

The script contains a hardcoded Telegram Bot Token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) and a restricted list of allowed Telegram user IDs (6804277757), ensuring only the authorized attacker can issue commands to infected machines.

This design suggests a Malware-as-a-Service distribution model, where the hardcoded user ID functions as a basic licensing mechanism.

The threat actor can easily modify this single identifier for each buyer, recompile the executable, and distribute personalized copies that only individual purchasers can control.

The malware signature “by fifetka” embedded within system reconnaissance reports further supports this commercialized approach, indicating an operation designed to attract low-level threat actors rather than representing a single attacker’s campaign.

The RAT includes extensive information-stealing capabilities targeting Discord authentication tokens across multiple platforms, including stable, PTB, and Canary builds.

It scans local storage files and user data directories of major web browsers such as Chrome, Edge, Firefox, Opera, and Brave, extracting tokens from both LevelDB and SQLite databases.

Beyond credential theft, the malware provides comprehensive surveillance features, including screenshot capture, webcam photography, and system reconnaissance capabilities that collect detailed profiles containing computer names, usernames, operating system versions, processor specifications, memory usage, and both local and external IP addresses.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Python RAT Mimic as Legitimate Minecraft App Steals Sensitive Data from Users Computer appeared first on Cyber Security News.