The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert for a newly discovered zero-day vulnerability in the Android Runtime component. This “use-after-free” flaw could allow attackers to escape the Chrome sandbox and elevate privileges on an affected device. CISA warns that the vulnerability is under active exploitation and urges organizations and users […]
A critical, zero-click vulnerability allows attackers to hijack online accounts by exploiting how web applications handle international email addresses.
The flaw, rooted in a technical discrepancy known as a “canonicalization mismatch,” affects password reset and “magic link” login systems, which are foundational to modern web security.
According to NullSecurityX, the attack requires no interaction from the victim, making it exceptionally dangerous. An attacker can gain full control of an account simply by requesting a password reset using a specially crafted email address that appears identical to the victim’s.
This method bypasses the need for phishing or tricking the user into clicking a malicious link.
The vulnerability stems from the interplay between Unicode, which allows for characters from various languages in domain names (Internationalized Domain Names or IDN), and Punycode, the system that converts these characters into the standard ASCII format used by internet infrastructure.
0-Click Vulnerability Using Punycode
Attackers can register a domain using Unicode characters that are visually indistinguishable from standard letters, such as a Cyrillic ‘o’ instead of a Latin ‘o’.
According to a technical analysis of the vulnerability, the attack unfolds when a web application’s backend processes a password reset request.
For example, an attacker might request a password reset for “victim@gmail.com” but submit the address using a “full-width” ‘m’ (gmail.com).
The application’s front-end or validation logic may fail to distinguish between the legitimate address and the visually confusable one, approving the request.
However, when the email system sends the reset link, it correctly routes it to the attacker-controlled Punycode version of the domain (e.g., xn--...). The attacker then receives the privileged link and takes over the account, while the legitimate user remains completely unaware.
This “0-click” nature is what makes the threat so severe. The compromise is not a result of user error but a fundamental flaw in how different layers of an application, from the user interface and validation rules to the database and mail servers, handle email addresses.
Each component may interpret the Unicode and Punycode versions differently, creating a gap that attackers can exploit, NullSecurityX said.
“The result is that two addresses that look the same to humans can be handled as different strings by the mail transport,” the research paper states.
Since email often serves as the ultimate “trust anchor” for recovering access to countless other online services, a compromise can have a cascading effect.
Experts are urging developers to immediately review and fortify their authentication systems. Mitigation requires implementing consistent normalization of email addresses across all system components, using robust validation libraries that understand Unicode confusables, and ensuring that database lookups are not susceptible to these visual tricks.
This silent but potent threat highlights the need for a deeper, code-level understanding of how seemingly simple data like an email address is processed and trusted.
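The mitigation described above, as an added example that is not code from NullSecurityX or any particular product: one canonical form is used for lookup, and the reset is mailed only to the stored address, never to the submitted string. The user store, the loose_key folding stand-in and the ASCII-only local-part policy are assumptions made for illustration.

```python
import unicodedata

# Constructed account store, keyed by the canonical address saved at sign-up.
USERS = {"victim@gmail.com": "account-1001"}

def canonical_email(raw):
    """Single canonical ASCII form for storage AND lookup; raises ValueError."""
    local, sep, domain = raw.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed address")
    # Policy assumption: mailboxes with non-ASCII local parts are not supported.
    if not local.isascii():
        raise ValueError("non-ASCII local part")
    # Refuse input that compatibility normalization would silently rewrite
    # (full-width letters, ligatures) instead of folding it into a match.
    if unicodedata.normalize("NFKC", domain) != domain:
        raise ValueError("compatibility characters in domain")
    try:
        ascii_domain = domain.encode("idna").decode("ascii")  # Unicode -> xn-- form
    except UnicodeError as exc:
        raise ValueError("domain is not valid IDNA") from exc
    # Policy assumption: addresses are compared case-insensitively.
    return f"{local}@{ascii_domain}".lower()

def loose_key(value):
    # Stand-in for a folding comparison such as a lenient database collation.
    return unicodedata.normalize("NFKC", value).casefold()

def vulnerable_reset(submitted):
    """Matches with folding, then mails the SUBMITTED string: the mismatch."""
    for stored, account in USERS.items():
        if loose_key(stored) == loose_key(submitted):
            return account, submitted  # recipient is chosen by the requester
    return None

def hardened_reset(submitted):
    """Exact match on the canonical form; recipient is the stored address."""
    try:
        key = canonical_email(submitted)
    except ValueError:
        return None
    account = USERS.get(key)
    return (account, key) if account else None

# Constructed inputs: full-width 'm' (U+FF4D) and Cyrillic 'a' (U+0430).
FULLWIDTH = "victim@gmail.co\uff4d"
CYRILLIC = "victim@gm\u0430il.com"

if __name__ == "__main__":
    for candidate in ("Victim@Gmail.com", FULLWIDTH, CYRILLIC):
        print(ascii(candidate), vulnerable_reset(candidate), hardened_reset(candidate))
```

The confusable Cyrillic domain converts to its own xn-- form and simply fails the lookup, while the full-width input is rejected before any comparison takes place.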
Cybersecurity researchers have identified a sophisticated new command-and-control framework that exploits legitimate Google Calendar APIs to establish covert communication channels between attackers and compromised systems.
The MeetC2 framework, discovered in September 2025, represents a concerning evolution in adversarial tactics where threat actors abuse trusted cloud services to bypass traditional security controls and evade detection mechanisms.
The framework operates by masquerading malicious traffic as routine business communications through Google’s widely-trusted domains, specifically “oauth2.googleapis.com” and “www.googleapis.com”.
This approach allows malicious activities to blend seamlessly with normal organizational traffic, making detection significantly more challenging for security teams.
The cross-platform compatibility across macOS and Linux systems further amplifies its potential impact on diverse enterprise environments.
Deriv Tech researchers noted that the framework’s design demonstrates a sophisticated understanding of modern security architectures and cloud service abuse techniques.
The proof-of-concept implementation highlights how easily adversaries can leverage legitimate SaaS platforms for malicious purposes, exploiting the inherent trust organizations place in major cloud providers.
The attack methodology centers around a polling-based communication system where compromised agents send GET requests every 30 seconds to specific Google Calendar API endpoints.
When operators need to issue commands, they create calendar events with embedded instructions in the summary field, formatted as “Meeting from nobody: [COMMAND]”.
[Figure: Attack chain (Source – Medium)]
The victim agent identifies these command events during regular polling cycles, extracts the commands, executes them locally, and updates the same calendar event with execution results embedded within [OUTPUT] [/OUTPUT] parameters in the description field.
Technical Implementation and Evasion Mechanisms
The MeetC2 framework’s technical architecture reveals sophisticated evasion capabilities that exploit the ubiquity and trusted nature of Google services.
The authentication process utilizes standard OAuth2 flows, requiring attackers to create legitimate Google Cloud Console projects and service accounts with calendar access permissions.
This approach ensures all communications appear as authorized API interactions rather than suspicious network traffic.
The implementation requires minimal infrastructure, operating entirely through Google’s existing Calendar API infrastructure.
Operators authenticate through service accounts configured with “Make changes to events” permissions on shared calendars.
The polling mechanism employs a 30-second interval, striking a balance between operational responsiveness and avoiding excessive API requests that might trigger rate limiting or suspicious activity alerts.
Code execution occurs through command extraction from calendar event summaries, with results uploaded back to the same event’s description field.
This bidirectional communication model creates a complete command-and-control channel while maintaining the appearance of legitimate calendar synchronization activities.
The framework supports targeted command execution using host-specific syntax like “exec @host:command” or broadcast commands across multiple compromised systems simultaneously.
The persistence and stealth characteristics of MeetC2 make it particularly concerning for enterprise security teams, as the framework generates no suspicious network patterns and leverages services that organizations explicitly whitelist for business operations.
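Detection logic for the markers described above, as an added example that is not part of the MeetC2 code or the Deriv Tech write-up: it scans calendar event records for the "Meeting from nobody:" summary and [OUTPUT] tags, and flags hosts whose requests to the two Google API domains arrive at a steady 30-second cadence. The event records and proxy log rows are constructed sample data; the tolerance and minimum-hit thresholds are assumptions to tune per environment.

```python
import re
from statistics import median, pstdev

SUMMARY_RE = re.compile(r"^Meeting from nobody:\s*\S")
OUTPUT_RE = re.compile(r"\[OUTPUT\].*?\[/OUTPUT\]", re.S)
API_DOMAINS = {"oauth2.googleapis.com", "www.googleapis.com"}

def scan_events(events):
    """Return one finding per calendar event that carries a C2 marker."""
    findings = []
    for ev in events:
        has_cmd = bool(SUMMARY_RE.match(ev.get("summary") or ""))
        has_out = bool(OUTPUT_RE.search(ev.get("description") or ""))
        if has_cmd or has_out:
            findings.append({"id": ev["id"], "command_marker": has_cmd,
                             "output_marker": has_out})
    return findings

def beacon_hosts(requests, interval=30.0, tolerance=2.0, min_hits=5):
    """requests: (epoch_seconds, host, dest_domain) rows from a proxy log."""
    by_host = {}
    for ts, host, dest in requests:
        if dest in API_DOMAINS:
            by_host.setdefault(host, []).append(ts)
    flagged = []
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_hits - 1:
            continue
        # Steady cadence: median gap near the interval, with little jitter.
        if abs(median(gaps) - interval) <= tolerance and pstdev(gaps) <= tolerance:
            flagged.append(host)
    return sorted(flagged)

# Constructed calendar events (summary/description as in the Calendar API).
EVENTS = [
    {"id": "evt-001", "summary": "Weekly sync", "description": "Agenda attached"},
    {"id": "evt-002", "summary": "Meeting from nobody: whoami",
     "description": "[OUTPUT]alice[/OUTPUT]"},
    {"id": "evt-003", "summary": "Meeting from nobody: hostname", "description": ""},
]

# Constructed proxy rows: wks-17 polls every ~30 s, wks-02 is irregular.
REQUESTS = (
    [(t, "wks-17", "www.googleapis.com") for t in (0, 30, 61, 90, 120, 151)]
    + [(t, "wks-02", "www.googleapis.com") for t in (5, 400, 410, 2000, 2600)]
    + [(t, "wks-17", "example.org") for t in (3, 7)]
)

if __name__ == "__main__":
    print(scan_events(EVENTS))
    print(beacon_hosts(REQUESTS))
```

Ordinary calendar clients also poll these domains, so a cadence hit is a lead to correlate with the event-content markers rather than a verdict on its own.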
A sophisticated cryptojacking campaign hijacks Windows’ native Character Map utility (“charmap.exe”) to evade Windows Defender and covertly mine cryptocurrency on compromised machines. First detected in late August 2025, this attack exploits legitimate system binaries to load a custom cryptomining payload directly into memory, thwarting traditional antivirus signatures and curtailing forensic artifacts. Security researchers have […]
Security teams began observing a novel botnet strain slipping beneath the radar of standard Windows Defender defenses in early August 2025.
Dubbed NightshadeC2, this malware family leverages both C and Python-based payloads to establish persistent, remote-control access on compromised hosts.
Initial infection chains often start with customized “ClickFix” landing pages that trick users into executing commands via the Windows Run prompt, while secondary campaigns employ trojanized installers of popular utilities such as Advanced IP Scanner, CCleaner, and various VPN clients.
Once executed, NightshadeC2 rapidly escalates privileges, disables or excludes its components from Defender scans, and calls home to a dynamic command and control infrastructure.
As the campaign unfolded, eSentire analysts identified a distinctive loader component responsible for delivering the final payload.
This .NET-based loader executes in a tight loop, spawning PowerShell processes designed to add Defender exclusions for NightshadeC2 before allowing the payload to run.
Should Defender service checks fail or the user decline elevation, the loader repeats its prompts ad nauseam—a technique the researchers have termed “UAC Prompt Bombing.”
The relentless barrage of elevation requests not only frustrates malware sandbox environments but also coerces real users into granting the necessary permissions to proceed.
Upon securing Defender exclusions, the loader writes persistence entries into three separate registry locations—Winlogon, RunOnce, and Active Setup—to guarantee execution at system startup.
It then downloads and decrypts the core C variant over TCP ports typically reserved for web traffic (80 and 443) or high-numbered ports (7777, 33336, 33337).
The malware immediately collects victim system details via public geo-IP lookup services and registry queries to form a unique fingerprint, before negotiating an RC4-encrypted session key with its C2.
Through this clandestine channel, operators can issue an array of commands—ranging from reverse shell initiation to payload downloads, screen captures, and automated keylogging.
UAC Prompt Bombing: Bypassing Defender via Relentless Elevation Loops
Central to NightshadeC2’s stealth is its UAC Prompt Bombing routine. After loading the .NET module, the loader constructs a PowerShell command to add its as-yet-unwritten payload to Defender’s exclusion list.
The figure “Second stage PowerShell loader” illustrates how the loader concatenates the exclusion command.
[Figure: Second stage PowerShell loader (Source – eSentire)]
When Defender is disabled or non-responsive, the exit code remains nonzero, trapping sandbox analyses in an infinite loop.
This forced repetition of UAC dialogs effectively breaks automated defenses, creating an evasion loop in malware sandboxes.
[Figure: ‘Show details’ of UAC prompt (Source – eSentire)]
Once a user finally approves the elevation or the service status changes, the loop breaks, and the final payload is delivered.
By leveraging this simple yet powerful mechanism, NightshadeC2 evades both automated and manual inspection, allowing its operators to perform credential theft from major browsers, establish hidden web browsers on victim desktops, and maintain long-term persistence across targeted networks.
A sophisticated North Korean cyber operation has been exposed, revealing how state-sponsored hackers systematically monitor cybersecurity intelligence platforms to detect when their malicious infrastructure is discovered and rapidly deploy replacement assets to maintain operations. The analysis, conducted by SentinelLABS in collaboration with Validin, provides unprecedented insight into the operational practices of threat actors behind the […]
Cybercriminals are increasingly exploiting the trust organizations place in artificial intelligence platforms to conduct sophisticated phishing attacks, according to a new report from cybersecurity firm Cato Networks.
The company’s Managed Detection and Response (MDR) service recently uncovered a campaign where threat actors leveraged Simplified AI, a popular marketing platform, to steal Microsoft 365 credentials from US-based organizations.
The attack, discovered in July 2025, successfully compromised at least one US investment firm before being detected and contained.
While the campaign is no longer active, security experts warn it represents a dangerous evolution in cybercrime tactics that could affect organizations across all industries.
Weaponizing Trusted AI Platforms
“Threat actors are no longer relying on suspicious servers or cheap lookalike domains,” the Cato Networks report states.
“Instead, they abuse the reputation and infrastructure of trusted AI platforms that employees already rely on, allowing them to bypass defenses and slip into organizations under the cover of legitimacy.”
The sophisticated attack began with emails impersonating executives from a global pharmaceutical distributor, complete with authentic company logos and executive names verified through LinkedIn.
The emails contained password-protected PDF attachments designed to evade automated security scanners that cannot inspect encrypted files.
The phishing campaign employed a multi-layered approach that exploited both social engineering and technical evasion tactics:
Initial Contact: Victims received emails appearing to be from pharmaceutical company executives, with passwords for attached PDFs conveniently included in the message body.
PDF Lure: The documents displayed legitimate company branding and contained links directing users to Simplified AI’s platform at app.simplified.com.
Trusted Redirect: Users were taken to what appeared to be a legitimate Simplified AI page, displaying the impersonated company’s name alongside Microsoft 365 imagery.
Credential Harvest: The final step redirected victims to a convincing fake Microsoft 365 login portal designed to steal enterprise credentials.
The attack highlights how cybercriminals are adapting to the rapid adoption of AI tools in corporate environments.
AI marketing platforms like Simplified AI have become commonplace in enterprises, with IT departments routinely whitelisting their domains and allowing employee access.
[Figure: Sample malware document]
“For CISOs and IT leaders, approving such services often seems straightforward: allow access, whitelist the domain, and enable the marketing team to innovate,” the report notes.
“But what if the very same platform is leveraged by threat actors to steal from you?”
This incident reflects broader concerns about “shadow AI” usage in enterprises, where employees increasingly rely on AI tools without proper security oversight.
The attackers’ use of established platforms makes detection significantly more challenging for traditional security measures.
Mitigations
Security experts recommend several protective measures:
Implementing multi-factor authentication on all critical services
Training employees to carefully handle password-protected attachments
Monitoring all AI platform usage, including unauthorized applications
Maintaining continuous inspection of AI traffic rather than implicitly trusting it
Deploying advanced threat detection capabilities that can identify suspicious behavior patterns
The attack serves as a wake-up call for organizations to reassess their approach to AI platform security, treating AI traffic with the same scrutiny applied to unknown domains while balancing security needs with business innovation requirements.
A new technique allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches.
A report from Workday’s Offensive Security team explains how, by reading data directly from a computer’s raw disk, a malicious actor can sidestep Endpoint Detection and Response (EDR) solutions, file permissions, and other critical protections to steal credential files.
The method avoids standard file-access procedures that are typically monitored by security software. Instead of opening a file by name, the attack involves communicating directly with low-level disk drivers.
An attacker with administrator rights can use built-in Windows drivers, or a user with fewer privileges could exploit a vulnerable third-party driver, to request raw data from a specific location on the physical disk.
This approach is particularly stealthy because the attack never requests a sensitive file like the SAM hive by name. Instead, it asks for the data at a particular sector address.
[Figure: Raw disk read request]
This means many security systems, which look for malicious file access by name, are blind to the activity. The EDR solution might see a request to “read sector 12345” instead of an alert-worthy attempt to “open the system’s password file.”
This allows the technique to evade file access controls, exclusive file locks, and even advanced defenses like Virtualization-Based Security (VBS). Furthermore, it leaves no trace in the default system logs.
How the Attack Works
After an attacker obtains the raw disk data, they must parse it to reconstruct the target file.
This process involves interpreting the NTFS file system structure, starting from the Master Boot Record to find the disk partition, then locating the Master File Table (MFT), which serves as a directory for the entire volume.
By reading the MFT, the attacker can pinpoint the exact physical location of any file’s data, read it in clusters, and reassemble it—all without ever officially “opening” the file through the operating system.
The Workday team demonstrated this attack by leveraging a vulnerability (assigned CVE-2025-50892) in a driver that improperly exposed this raw read capability.
However, they emphasize that any user with administrative privileges can perform this attack without needing a vulnerable driver, making it a relevant threat in many corporate environments.
Protecting against such a low-level attack is challenging, as it bypasses security layers that many organizations depend on. The researchers recommend a “defense in depth” strategy incorporating several measures:
Full Disk Encryption: Using tools like BitLocker makes the raw data on the disk unreadable without the encryption key, significantly hampering this attack.
Restrict Privileges: Limiting administrative access makes it harder for attackers to interact directly with disk drivers or install new malicious ones.
Monitor for Raw Access: Advanced monitoring with tools like Microsoft’s Sysmon can be configured to detect raw disk read events (Event ID 9), though this may require careful filtering to manage alerts.
Driver Vetting: Organizations should actively monitor for the installation of unsigned or known-vulnerable drivers using resources like Microsoft’s recommended driver blocklist.
The researchers conclude that while the concept of raw disk access is not new, its proven effectiveness against modern EDRs highlights a significant gap in security visibility.
As sophisticated hacking techniques become more accessible, organizations must understand and defend against threats that operate below the surface of the typical operating system.
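One way to do the "careful filtering" of Sysmon raw-read events mentioned above, as an added example that is not from the Workday report: Event ID 9 records are collapsed per image and device, known readers are baselined out, and images running from user-writable paths are ranked first. The allowlist entries, path heuristics and event records are constructed assumptions; the Image and Device field names follow Sysmon's RawAccessRead event.

```python
from collections import Counter

# Assumption: processes expected to read volumes raw in this fleet (hypothetical).
EXPECTED_IMAGES = {
    r"c:\windows\system32\defrag.exe",
    r"c:\program files\backupagent\agent.exe",
}
# Assumption: locations a standard user can write to, so binaries there rank higher.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def triage_raw_reads(events, expected=EXPECTED_IMAGES):
    """Group non-baselined Event ID 9 records and rank them for review."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 9:
            continue
        image = ev["Image"].lower()
        if image in expected:
            continue  # baselined reader, suppress
        counts[(image, ev["Device"])] += 1
    alerts = []
    for (image, device), reads in counts.items():
        severity = "high" if any(p in image for p in USER_WRITABLE) else "medium"
        alerts.append({"image": image, "device": device,
                       "reads": reads, "severity": severity})
    # High severity first, then the noisiest readers.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["reads"], a["image"]))

# Constructed sample events (only the fields used here).
EVENTS = (
    [{"EventID": 9, "Image": r"C:\Windows\System32\defrag.exe",
      "Device": r"\Device\HarddiskVolume3"}] * 2
    + [{"EventID": 9, "Image": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
        "Device": r"\Device\HarddiskVolume3"}] * 3
    + [{"EventID": 9, "Image": r"C:\Program Files\Vendor\svc.exe",
        "Device": r"\Device\HarddiskVolume3"}]
    + [{"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"}]
)

if __name__ == "__main__":
    for alert in triage_raw_reads(EVENTS):
        print(alert)
```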
Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace.
Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays,
A novel serverless command-and-control (C2) technique abuses Google Calendar APIs to obscure malicious traffic inside trusted cloud services. Dubbed MeetC2, this lightweight, cross-platform proof-of-concept demonstrates how adversaries can seamlessly blend C2 communications into everyday SaaS usage, presenting fresh detection, telemetry, and response challenges for red and blue teams alike. In a recent internal purple-team […]