A sophisticated new breed of ransomware attacks is leveraging legitimate database commands to compromise organizations worldwide, bypassing traditional security measures through “malware-less” operations.

Unlike conventional ransomware that encrypts files using malicious binaries, threat actors are exploiting exposed database services by abusing standard database functionality to steal, wipe, and ransom critical data.

The attack methodology represents a significant evolution in cybercriminal tactics, with attackers targeting Internet-facing database servers configured with weak passwords or no authentication.

This malicious activity has been observed across multiple database platforms, including MySQL, PostgreSQL, MongoDB, Hadoop, CouchDB, and Elasticsearch. Attackers connect remotely to these servers, copy data to external locations, execute destructive commands to wipe databases, and leave ransom notes stored directly within the compromised database structures.

This approach has proven particularly effective at evading detection because no malicious binary is ever deployed on the target system.

The damage is accomplished entirely through legitimate database commands, making it difficult for conventional endpoint security solutions to identify the compromise.

The ransom tactic has evolved from isolated incidents into full-scale automated campaigns, with specialized bots continuously scanning the Internet for misconfigured databases.

Wiz.io researchers identified that these attacks have grown exponentially since their initial observation in February 2017, when researchers from Rapid7 first documented thousands of open databases being hijacked in bulk operations.

Today’s threat actors operate sophisticated automated systems capable of compromising newly exposed targets within hours or minutes of them coming online.

The ease of automation and potential for immediate profits has made malware-less database ransomware a persistent and growing threat to organizations globally.

Attack Execution and Command Exploitation

The technical execution of these attacks follows a methodical approach that maximizes both stealth and effectiveness.

Attackers begin operations with Internet-wide scanning for exposed database ports, specifically targeting port 3306 for MySQL and port 5432 for PostgreSQL servers.

Once potential targets are identified, they employ fingerprinting techniques to confirm the services are genuine database servers rather than honeypots or other decoy systems.

Authentication bypass represents a critical phase where attackers test for missing authentication controls, attempt default username and password combinations, and execute brute-force attacks against weak credentials.

Upon successful authentication, the attack proceeds with data extraction where attackers sample small portions of data to assess value and confirm database access.

The destructive phase utilizes legitimate SQL commands such as DROP DATABASE for complete database removal or bulk DELETE operations to systematically erase data.

In relational databases like PostgreSQL, attackers create new tables with names such as RECOVER_YOUR_DATA or README_TO_RECOVER and insert ransom notes as table rows.

For NoSQL databases like MongoDB, the process involves creating new collections with indicative names and inserting ransom notes as documents.

A captured MongoDB session demonstrates the attack progression: mongosh "mongodb://target:27017/" followed by database enumeration commands like show dbs to identify valuable targets.

The ransom note insertion typically contains messages such as “All your data is backed up. You must pay 0.043 BTC to recover it.

After 48 hours expiration we will leak and expose all your data.” These legitimate database operations make detection challenging, as the commands appear as normal administrative activities to monitoring systems.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Actively Compromising Databases Using Legitimate Commands appeared first on Cyber Security News.

The notorious cybercriminal collective known as Scattered Lapsus$ Hunters has escalated their extortion campaign by launching a dedicated leak site to threaten organizations with the exposure of stolen Salesforce data.

This supergroup, comprised of established threat actors including ShinyHunters, Scattered Spider, and Lapsus$, represents a sophisticated evolution in ransomware-as-a-service operations that targets one of the world’s most widely used customer relationship management platforms.

The group’s emergence signifies a dangerous consolidation of cybercriminal expertise, combining the technical capabilities and operational knowledge of multiple established threat actors.

Their coordinated approach demonstrates how modern cybercriminal organizations are becoming increasingly organized and specialized, focusing on high-value targets that can yield substantial ransom payments.

The collective’s decision to specifically target Salesforce instances reflects their understanding of the platform’s critical business value and the sensitive customer data it contains.

Operating through the TOR Onion network, their extortionware portal lists compromised Salesforce customers alongside claims of how much data the group has allegedly exfiltrated during their attacks.

UpGuard analysts noted that the website threatens affected organizations with public data exposure unless payment demands are met, with an initial deadline set for October 10th, 2025.

The site’s existence marks a troubling milestone in the commercialization of data theft, transforming stolen information into leverage for systematic extortion operations.

The attack campaign demonstrates sophisticated technical execution across multiple vectors, beginning with social engineering attacks that exploited human vulnerabilities rather than technical flaws.

The threat actors employed vishing techniques, impersonating IT support personnel to manipulate authorized users into installing malicious Salesforce integrations, providing the attackers with API-level access to target systems.

OAuth Token Exploitation and Persistence Mechanisms

The group’s most sophisticated attack vector involved compromising Salesloft’s GitHub repositories and leveraging valid OAuth integration tokens to maintain persistent access to connected Salesforce environments.

After gaining initial access to Salesloft’s corporate GitHub account through suspected social engineering, the attackers methodically downloaded repository contents, created unauthorized user accounts within the organization, and established custom workflows to facilitate ongoing access.

The attack progression followed a calculated approach where the threat actors discovered embedded AWS credentials within the compromised repositories, enabling them to access Salesloft Drift’s cloud infrastructure.

Within this environment, they successfully identified and exfiltrated OAuth tokens belonging to Salesloft Drift clients, effectively transforming legitimate integration credentials into weapons for widespread data theft.

This technique demonstrates how attackers can leverage the interconnected nature of modern SaaS platforms to achieve lateral movement across multiple organizations through a single compromised integration provider.

The persistence mechanism relied heavily on the legitimate OAuth authorization framework, making detection particularly challenging for security teams who might not immediately recognize malicious activity disguised as authorized API calls.

By utilizing valid integration tokens, the attackers could maintain access even if initial entry points were discovered and remediated, highlighting the critical importance of comprehensive token management and monitoring within enterprise environments.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Scattered Lapsus$ Hunters Launched a New Leak Site to Release Data Stolen from Salesforce Instances appeared first on Cyber Security News.

In recent weeks, cybersecurity analysts have observed a resurgence of the Mustang Panda threat actor deploying a novel DLL side-loading approach to deliver malicious payloads.

Emerging in June 2025, this campaign leverages politically themed lures targeting Tibetan advocacy groups.

Victims receive a ZIP archive containing a decoy executable named Voice for the Voiceless Photos.exe alongside a hidden dynamic-link library, libjyy.dll, marked with system and hidden attributes to evade casual inspection.

When executed, the decoy loads this concealed library via LoadLibraryW, triggering the obscure malware routine beneath the guise of legitimate software.

Mustang Panda’s attack chain begins with a phishing email carrying the ZIP container. Once opened, Explorer hides the malicious DLL due to its combined “hidden” and “system” flags.

The decoy executable then dynamically loads libjyy.dll by resolving the ProcessMain entry point and invoking it.

At this stage, 0x0d4y Malware Researcher noted that this loader employs dynamic API resolution and string decryption routines to obscure its behavior, making static detection far more challenging.

After initializing, the malicious DLL decrypts its core payloads, sets up persistence via multiple techniques (registry run keys and scheduled tasks), and finally extracts shellcode for execution.

The persistence logic first renames both the decoy and the loader to %SystemRoot%\Adobe\licensinghelper.exe and registers a run key named AdobeLicensingHelper under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

It then creates a scheduled task, executed every two minutes, to relaunch the loader with the required Licensing argument.

Infection Mechanism

Mustang Panda’s infection mechanism hinges on the DLL side-loading T1574.006 technique, dubbed “ClaimLoader.”

The loader executable contains minimal import references, instead dynamically decrypting API names at runtime.

A simple XOR routine with key 0x19 decodes encrypted strings before invoking LoadLibraryW and GetProcAddress.

For example:-

mov edx, <encrypted_length>
mov ecx, <encrypted_string_address>
; XOR decryption loop
decrypt_loop:
  mov al, [ecx]
  xor al, 0x19
  mov [ecx], al
  inc ecx
  dec edx
  jnz decrypt_loop
; After decryption, load API dynamically
push <decrypted_string_address>
call decryptstrloadapi
call eax  ; resolved API call

This code snippet illustrates how the loader avoids static imports and hides its true intentions until execution.

Once the real payload library is loaded, it uses a secondary custom XOR algorithm—cycling through a four-byte key array [0x01, 0x02, 0x03, 0x04]—to decrypt a Schtasks command string in memory.

The decoded command schedules the loader to run periodically:-

schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2 /TR "C:\Windows\Adobe\licensinghelper.exe Licensing" /F

Following these steps, the loader allocates executable memory via VirtualAlloc, copies shellcode, and abuses the EnumFontsW callback mechanism to execute it.

The shellcode then performs API hashing to resolve network functions and exfiltrate system data to a command-and-control server.

Through these layered techniques, Mustang Panda remains especially elusive, blending well-known Windows APIs with dynamic loading and obfuscation to thwart traditional endpoint defenses.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Mustang Panda Using New DLL Side-Loading Technique to Deliver Malware appeared first on Cyber Security News.