In early 2025, security researchers unveiled a sophisticated botnet implant named PolarEdge, which relies on a bespoke TLS server and a proprietary binary protocol to carry out unauthenticated command-and-control operations. PolarEdge first emerged in January 2025 when honeypots monitoring Cisco routers captured suspicious traffic exploiting CVE-2023-20118. Attackers used a crafted HTTP request with the User-Agent […]
Tel Aviv, Israel, October 14th, 2025, CyberNewsWire Sweet Security, a leader in Runtime Cloud and AI security solutions, today announced that it has been recognized as both a Cloud Security Leader and a Cloud Application Detection & Response (CADR) Leader in the 2025 Cloud Security Report by James Berthoty of ‘Latio Tech.’ The 2025 Cloud […]
A novel phishing campaign has emerged targeting Colombian users by abusing judicial notifications and weaponizing Scalable Vector Graphics (SVG) files. This sophisticated attack begins with a carefully crafted Spanish-language email impersonating the “17th Municipal Civil Court of the Bogotá Circuit,” complete with formal legal language and institutional details. The .SVG attachment named “Fiscalia General De […]
In early October 2025, cybersecurity researcher Jeremiah Fowler discovered a publicly accessible database belonging to Invoicely, a Vienna-based invoicing and billing platform used by over 250,000 businesses worldwide.
The repository contained 178,519 files in XLSX, CSV, PDF, and image formats, each harboring sensitive personal and financial information.
Among the exposed documents were invoices, scanned checks, tax filings, and ride-sharing receipts, revealing names, addresses, phone numbers, tax ID numbers, routing, and account details for healthcare providers, contractors, and corporate partners.
Scanned check showing ABA routing and account numbers (Source – Website Planet)
The sheer volume and variety of records amplified the potential fallout, from identity theft and spear-phishing to invoice fraud and unauthorized financial transactions.
Initial investigation showed that the database lacked any form of encryption or password protection, leaving it wide open to anyone with basic knowledge of its URL structure.
Within hours of receiving Fowler’s responsible-disclosure notice via Invoicely’s support system, the company restricted public access.
However, the duration of exposure remains unknown, raising concerns over how many threat actors could have copied or monitored the data before containment.
Early risk scenarios include fraudulent invoice submission using genuine invoice templates, counterfeit tax filings leveraging stolen identifiers, and highly targeted phishing campaigns based on real transaction details.
Website Planet analysts noted that the database name itself—‘invoicely_backup_public’—suggested it may have been intended for internal backup or third-party migration but was misconfigured for public access.
This misstep underscores recurring lapses in cloud storage governance across SaaS providers, where rapid deployment and scaling often outpace security controls.
Fowler did not find evidence of active exploitation, yet the potential for undetected data harvesting remains significant given the window of exposure.
Data Exposure Mechanism
The misconfiguration stemmed from an unsecured Amazon S3 bucket, inadvertently set to “public-read” instead of restricted access. Attackers could enumerate buckets using tools like AWSBucketFinder or simple HTTP requests.
Below is a Python snippet illustrating how an adversary might list bucket contents:
import boto3
from botocore import UNSIGNED
from botocore.config import Config

# Unsigned requests carry no credentials at all; a "public-read" bucket answers them anyway.
s3 = boto3.client('s3', config=Config(signature_version=UNSIGNED))
# list_objects_v2 returns at most 1,000 keys per call; the paginator follows the continuation tokens.
for page in s3.get_paginator('list_objects_v2').paginate(Bucket='invoicely_backup_public'):
    for obj in page.get('Contents', []):
        print(obj['Key'])
This script highlights the lack of authentication checks and demonstrates how a few lines of code can expose hundreds of thousands of files.
To mitigate such risks, SaaS providers must enforce strict access policies, automate storage audits, and adopt least-privilege principles when provisioning cloud resources.
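A storage-audit routine of the kind the mitigation above calls for, added here as an illustration and not code from Invoicely, Website Planet or the article: it classifies a bucket from the three boto3 responses that decide public exposure (the ACL, the Public Access Block configuration and the policy status) and ships with constructed sample responses for the "public-read" case. The owner ID in the sample is a placeholder, and the live `audit_account` function assumes a boto3 S3 client whose identity may read those settings.

```python
from typing import Dict, List

# Grantee URIs that open an ACL to everyone (AllUsers) or to any AWS account (AuthenticatedUsers).
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl: Dict) -> List[str]:
    """'PERMISSION to GROUP' for each ACL grant to a public group (the 'public-read' case)."""
    return [f"{g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(name: str, acl: Dict, pab: Dict, policy_status: Dict) -> Dict:
    """Combine the get_bucket_acl, get_public_access_block ({} if none) and
    get_bucket_policy_status ({} if no policy) responses into one exposure verdict."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    grants = public_acl_grants(acl)
    policy_public = policy_status.get("PolicyStatus", {}).get("IsPublic", False)
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets neutralises a public policy.
    exposed = (bool(grants) and not cfg.get("IgnorePublicAcls", False)) or \
              (policy_public and not cfg.get("RestrictPublicBuckets", False))
    return {"bucket": name, "public_grants": grants, "exposed": bool(exposed),
            "block_public_access_complete": all(cfg.get(k) is True for k in PAB_KEYS)}

def audit_account(s3) -> List[Dict]:
    """Live audit of every bucket the caller can see; s3 is a boto3 S3 client (not run offline)."""
    from botocore.exceptions import ClientError  # local import: the offline sample needs no boto3
    results = []
    for bucket in s3.list_buckets()["Buckets"]:
        name, extra = bucket["Name"], {}
        for key, call in (("pab", s3.get_public_access_block), ("status", s3.get_bucket_policy_status)):
            try:
                extra[key] = call(Bucket=name)
            except ClientError:  # NoSuchPublicAccessBlockConfiguration / NoSuchBucketPolicy
                extra[key] = {}
        results.append(assess_bucket(name, s3.get_bucket_acl(Bucket=name), extra["pab"], extra["status"]))
    return results

# Constructed sample responses (not real data): a "public-read" ACL with no Public Access Block,
# the misconfiguration described above, and a fully enabled block that would have neutralised it.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LOCKED_DOWN_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
EXPOSED = assess_bucket("invoicely_backup_public", SAMPLE_ACL, {}, {})                 # exposed: True
PROTECTED = assess_bucket("invoicely_backup_public", SAMPLE_ACL, LOCKED_DOWN_PAB, {})  # exposed: False
```

Running `audit_account(boto3.client("s3"))` on a schedule and alerting on any result with `exposed` set is the automated storage audit the paragraph recommends.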
A sophisticated new tool called IAmAntimalware is designed to inject malicious code directly into antivirus software processes, potentially turning protective defenses into hidden backdoors for attackers.
Released on October 11, 2025, by developer Two Seven One Three on GitHub, the tool exploits Windows service cloning and digital signature manipulation to bypass antivirus self-protection mechanisms.
This development raises alarms in the cybersecurity community, as it could enable stealthy persistence on compromised systems during penetration testing or malicious campaigns.
IAmAntimalware operates by cloning legitimate antivirus services, such as those from Bitdefender or Avast, to create identical processes that inherit elevated privileges without triggering alarms.
IAmAntimalware Tool
The tool modifies the Windows Cryptography API registry under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider to hijack the cryptographic provider, loading a user-controlled DLL in place of trusted modules.
Users provide parameters like the original service name, new cloned name, certificate path for signature cloning, and absolute DLL path; an optional “P” flag enables Protected Process Light (PPL) support for enhanced evasion.
For scenarios avoiding cryptographic hijacking, the tool supports COM object CLSID manipulation, requiring TrustedInstaller privileges to spoof component loading.
Signature cloning relies on a companion tool, CertClone, which duplicates valid Windows certificates like those from Sysmon, ensuring the injected DLL appears legitimate to integrity checks.
This multi-layered approach circumvents common antivirus safeguards, including process introspection, elevated privilege monitoring, and code signing verification, allowing injected code to write files or execute commands in protected directories.
In demonstrations detailed by the creator, IAmAntimalware successfully injected a sample DLL into Bitdefender’s BDProtSrv process, enabling the creation of unauthorized files in the antivirus installation folder, a feat impossible for standard user processes.
Similar tests on Trend Micro and Avast confirmed effectiveness, though on Avast a GUI process had to be targeted for stability.
The injected code, such as a simple backdoor writing a marker file, evades detection by operating within whitelisted, unkillable processes that antivirus developers hesitate to terminate to avoid system instability.
Early reports indicate no widespread exploitation yet, but the tool’s open-source nature and simplicity (it is written entirely in C++) could accelerate adoption in red team exercises or by threat actors.
Security analysts rate the technique medium severity due to its reliance on system access and lack of zero-day exploits, yet it underscores vulnerabilities in antivirus trust models.
This tool highlights a critical irony: antivirus processes, granted SYSTEM-level privileges for threat hunting, become prime targets for subversion.
By injecting into these exceptions to normal security rules, attackers can disable alerts, exfiltrate data, or maintain persistence undetected, complicating incident response.
Mitigation strategies include monitoring unusual module loads in antivirus processes, enforcing strict certificate trust policies, and leveraging PPL more rigorously to isolate critical services.
Experts urge organizations to validate antivirus integrity regularly and consider endpoint detection tools with behavioral analytics beyond signature-based checks.
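To make the "monitor unusual module loads" advice concrete, here is an added detection example (not from the tool's author or any vendor) that scans Sysmon events for value writes under the cryptographic provider registry key named above and for modules loaded into a watched antivirus process whose signature chain is not valid or whose signer is not one the process should load. The image name bdprotsrv.exe, the signer name "Bitdefender SRL" and the sample events are assumptions constructed for this example.

```python
import fnmatch
import json
from typing import Dict, Iterable, List, Optional, Set

# Registry path the tool rewrites to load its own DLL as the cryptographic provider (from the article).
CSP_PROVIDER_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider"
# Assumed watch-list: antivirus process image (glob) -> signers whose modules it may legitimately load.
AV_WATCHLIST = {r"*\bdprotsrv.exe": {"Bitdefender SRL", "Microsoft Windows"}}


def watched_signers(image: str) -> Optional[Set[str]]:
    """Allowed signer set if image is a watched antivirus process, else None."""
    for pattern, signers in AV_WATCHLIST.items():
        if fnmatch.fnmatch(image.lower(), pattern.lower()):
            return signers
    return None


def check_event(ev: Dict) -> List[str]:
    """Alerts for one Sysmon event (EventID 13 = registry value set, 7 = image loaded)."""
    alerts = []
    if ev.get("EventID") == 13 and ev.get("TargetObject", "").upper().startswith(CSP_PROVIDER_KEY.upper()):
        # Writes under the provider key are rare outside Windows servicing, so surface every one for triage.
        alerts.append(f"CSP provider hijack candidate: {ev.get('Image')} wrote {ev['TargetObject']}")
    elif ev.get("EventID") == 7:
        allowed = watched_signers(ev.get("Image", ""))
        if allowed is not None:
            signer, status = ev.get("Signature", ""), ev.get("SignatureStatus", "")
            # A cloned certificate may carry a familiar signer name; the chain status still has to be Valid.
            if status != "Valid" or signer not in allowed:
                alerts.append(f"Unexpected module in AV process {ev['Image']}: "
                              f"{ev.get('ImageLoaded')} (signer={signer!r}, status={status})")
    return alerts


def scan(lines: Iterable[str]) -> List[str]:
    """Run check_event over JSON-encoded Sysmon events, one per line."""
    return [alert for line in lines if line.strip() for alert in check_event(json.loads(line))]


# Constructed sample events (not real telemetry): a provider-key write by an unknown binary, a normal
# Microsoft-signed CSP load, and a module with no valid signature chain loaded into the AV service.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\user\\tool.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Image Path"}
{"EventID": 7, "Image": "C:\\Program Files\\Bitdefender\\bdprotsrv.exe", "ImageLoaded": "C:\\Windows\\System32\\rsaenh.dll", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Bitdefender\\bdprotsrv.exe", "ImageLoaded": "C:\\Users\\Public\\payload.dll", "Signature": "Microsoft Windows", "SignatureStatus": "Unavailable"}
""".splitlines()
ALERTS = scan(SAMPLE_LOG)  # two alerts: the registry write and the module with an invalid signature chain
```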
As the tool gains traction, evidenced by Reddit discussions and YouTube demos, vendors like Microsoft and antivirus providers face pressure to patch service cloning vectors.
While intended for ethical pentesting, IAmAntimalware exemplifies how defensive tools can be weaponized, demanding vigilant updates in an evolving threat landscape.
Malicious packages on popular registries are abusing Discord webhooks to exfiltrate sensitive files and host telemetry, bypassing traditional C2 infrastructure and blending into legitimate HTTPS traffic. Discord webhooks are simple HTTPS URLs that accept POST requests; they require no credentials beyond possession of the URL, and traffic appears as innocent JSON over port 443. Socket’s […]
Every October brings a familiar rhythm – pumpkin-spice everything in stores and cafés, alongside a wave of reminders, webinars, and checklists in my inbox. Halloween may be just around the corner, yet for those of us in cybersecurity, Security Awareness Month is the true seasonal milestone.
Make no mistake, as a security professional, I love this month. Launched by CISA and the National
Chipmaker AMD has released fixes to address a security flaw dubbed RMPocalypse that could be exploited to undermine confidential computing guarantees provided by Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP).
The attack, per ETH Zürich researchers Benedict Schlüter and Shweta Shinde, exploits AMD’s incomplete protections that make it possible to perform a single memory
Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users’ knowledge pixel-by-pixel.
The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of
A newly disclosed vulnerability in SAP NetWeaver AS ABAP and ABAP Platform (CVE-2025-42902) allows unauthenticated attackers to crash server processes by sending malformed SAP Logon or SAP Assertion Tickets. Rated Medium severity with a 5.3 CVSS 3.1 score, the flaw stems from a NULL pointer dereference that triggers memory corruption and process termination. Affected versions include all supported releases […]