Active Directory (AD) remains the foundation of authentication and authorization in Windows environments. Threat actors targeting the NTDS.dit database can harvest every domain credential, unlock lateral movement, and achieve full domain compromise.
Attackers leveraged native Windows utilities to dump and exfiltrate NTDS.dit, bypassing standard defenses.
The adversary in this case obtained Domain Admin privileges via a successful phishing campaign and subsequent privilege escalation. Once elevated, they executed:
The command created a Volume Shadow Copy and extracted NTDS.dit from it, silently bypassing the file locks held on the live database. With the SYSTEM hive obtained as well, the attackers decrypted the database offline using secretsdump.py from Impacket:
This chain enabled harvesting of NTLM and AES hashes for all domain accounts without triggering traditional endpoint alarms.
Full Kill Chain
After archiving and compressing the dump with tar -czf ntds.tar.gz c:\temp\ntds.dit c:\temp\SYSTEM, the attackers exfiltrated data over SMB to a compromised file share.
NTDS.dit file dump
Trellix detected this activity via two high-fidelity signatures: anomalous SMB write patterns exceeding baseline volume and a custom exfiltration signature for large NTDS file transfers.
Behavioral detection flagged unexpected esentutl processes running outside maintenance windows, and protocol anomaly alerts triggered on shadow copy reads to C:\$VolumeShadowCopy.
Through Trellix Wise, AI-driven alert correlation highlighted the progression from VSS creation to SMB upload, reducing analyst workload by 60% and cutting mean time to detect (MTTD) by 45%.
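The detection chain described above (esentutl outside a maintenance window, shadow copy reads, and an oversized SMB write of AD artefacts, correlated per host) can be sketched in a few lines. The following is an added example written for this page, not Trellix code and not a real Windows, Sysmon or Trellix event schema: the record fields, the 02:00 to 04:00 maintenance window and the 50 MB SMB baseline are assumptions, and the telemetry is constructed.

```python
"""Added example: toy detection logic for the NTDS.dit dump-and-exfil chain.

The records below are constructed, simplified telemetry (not a real Windows,
Sysmon or Trellix event schema); field names and thresholds are assumptions.
"""
from datetime import datetime, time

# Assumed maintenance window (UTC) in which esentutl runs are expected.
MAINTENANCE_START = time(2, 0)
MAINTENANCE_END = time(4, 0)

# Assumed baseline for a single SMB write, in bytes; larger writes are anomalous.
SMB_WRITE_BASELINE = 50 * 1024 * 1024

# File names that should not travel over an SMB share or appear on a command
# line outside backup tooling: the AD database, the SYSTEM hive needed to
# decrypt it, and the archive name seen in this incident.
SENSITIVE_NAMES = {"ntds.dit", "system", "ntds.tar.gz"}


def basename(path: str) -> str:
    """Lower-case final path component, tolerant of / and \\ separators and quotes."""
    return path.lower().replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip("\"'")


def in_maintenance_window(ts: datetime) -> bool:
    return MAINTENANCE_START <= ts.time() < MAINTENANCE_END


def check_process(rec: dict) -> list:
    """Reasons to alert on a process-creation record (empty list = benign)."""
    reasons = []
    image = basename(rec["image"])
    tokens = rec["cmdline"].split()
    ts = datetime.fromisoformat(rec["ts"])
    if image == "esentutl.exe" and not in_maintenance_window(ts):
        reasons.append("esentutl.exe outside maintenance window")
    if any("volumeshadowcopy" in tok.lower() for tok in tokens):
        reasons.append("shadow copy path on command line")
    if any(basename(tok) in SENSITIVE_NAMES for tok in tokens):
        reasons.append("NTDS/SYSTEM artefact on command line")
    return reasons


def check_smb_write(rec: dict) -> list:
    """Reasons to alert on an SMB write record (empty list = benign)."""
    reasons = []
    if basename(rec["path"]) in SENSITIVE_NAMES:
        reasons.append("NTDS/SYSTEM artefact written to share")
    if rec["bytes"] > SMB_WRITE_BASELINE:
        reasons.append("SMB write exceeds baseline volume")
    return reasons


def analyze(events: list) -> list:
    """Score each event, then escalate hosts that show both the dump and the upload stage."""
    alerts = []
    staged = {}  # host -> set of stages seen on that host
    for rec in events:
        reasons = check_process(rec) if rec["type"] == "process" else check_smb_write(rec)
        if not reasons:
            continue
        stage = "dump" if rec["type"] == "process" else "exfil"
        staged.setdefault(rec["host"], set()).add(stage)
        alerts.append({"host": rec["host"], "severity": "high", "stage": stage, "reasons": reasons})
    for host, stages in staged.items():
        if stages == {"dump", "exfil"}:
            alerts.append({"host": host, "severity": "critical", "stage": "chain",
                           "reasons": ["VSS/esentutl activity followed by SMB upload of AD artefacts"]})
    return alerts


# Constructed sample telemetry: a domain controller showing the full chain, an
# in-window esentutl run on a non-AD database that should stay quiet, and a
# workstation doing ordinary work.
SAMPLE_EVENTS = [
    {"type": "process", "host": "DC01", "ts": "2025-09-18T13:42:10",
     "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "esentutl.exe <args> C:\\$VolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"type": "process", "host": "DC01", "ts": "2025-09-18T03:05:00",
     "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "esentutl.exe <args> D:\\backup\\mail.edb"},
    {"type": "smb_write", "host": "DC01", "ts": "2025-09-18T13:51:02",
     "path": "\\\\fileshare01\\public\\ntds.tar.gz", "bytes": 180 * 1024 * 1024},
    {"type": "smb_write", "host": "WS07", "ts": "2025-09-18T13:55:30",
     "path": "\\\\fileshare01\\public\\report.pdf", "bytes": 2 * 1024 * 1024},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["stage"], "; ".join(a["reasons"]))
```

Run on the constructed sample it raises two high-severity alerts for DC01 (the out-of-window esentutl run touching a shadow copy path, then the 180 MB archive landing on the share) and one critical alert correlating the two stages; the in-window esentutl run and the workstation's PDF upload stay silent. The per-host correlation is the piece that turns two medium-confidence signals into one high-confidence incident, which is what the alert correlation above is doing at scale.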
The theft of NTDS.dit poses an existential threat to Windows domains, giving attackers complete control over every credential in the directory.
NTDS.dit archived for exfiltration
Traditional defenses often miss the low-and-slow techniques employed during shadow copy creation and offline decryption.
A loosely connected cybercrime supergroup is exploiting social engineering to compromise Fortune 100 organizations and government agencies. LAPSUS$, Scattered Spider, and ShinyHunters—three of the most notorious English-speaking cybercrime groups—have increasingly blurred their lines through shared tactics, overlapping membership, and joint public channels. From 2023 through 2025, evidence has emerged of direct collaboration on high-profile breaches […]
Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.
“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a
Cybercriminals have launched a sophisticated supply chain attack targeting cryptocurrency developers through malicious Rust crates designed to steal digital wallet keys.
Two fraudulent packages, faster_log and async_println, have infiltrated the Rust package registry by impersonating the legitimate fast_log logging library, embedding malicious code that scans source files for Solana and Ethereum private keys before exfiltrating them to attacker-controlled servers.
The malicious crates were published on May 25, 2025, under the aliases rustguruman and dumbnbased, accumulating 8,424 combined downloads before their discovery.
These packages maintained functional logging capabilities to evade detection while secretly harvesting cryptocurrency credentials from developers’ source code and project files.
The attackers employed typosquatting techniques, copying the original fast_log’s README documentation and repository metadata to create convincing imposters that could pass casual review processes.
Socket.dev analysts identified the malicious packages during routine threat monitoring, discovering their sophisticated credential theft mechanisms.
The researchers found that both crates implemented identical exfiltration workflows, scanning for three specific patterns: Ethereum private keys formatted as 64-character hexadecimal strings with 0x prefixes, Base58-encoded Solana addresses and keys ranging from 32 to 44 characters, and bracketed byte arrays that could contain encoded key material.
Center shows the legitimate fast_log, while left (faster_log) and right (async_println) are malicious (Source – Socket.dev)
Upon detection of any matching patterns, the malware immediately transmits the stolen credentials to a hardcoded command and control endpoint hosted at mainnet.solana-rpc-pool.workers.dev, cleverly disguised to resemble legitimate Solana RPC infrastructure.
The attack vector exploits developer trust in package repositories, demonstrating how minimal code modifications can create significant security risks.
The threat actors maintained the original logging functionality while embedding their credential harvesting routines, ensuring the packages would function as expected during initial testing and integration phases.
This approach allowed the malicious code to operate undetected within development environments and continuous integration pipelines.
Technical Implementation and Exfiltration Mechanism
The malware’s core functionality revolves around a sophisticated scanning engine implemented in Rust that recursively processes project directories.
The malicious code utilizes regular expressions to identify cryptocurrency-related secrets embedded in source files, focusing specifically on patterns commonly used by blockchain developers.
The implementation employs three targeted regular expressions for pattern matching. The first targets Ethereum private keys using the pattern "0x[0-9a-fA-F]{64}" to capture 64-character hexadecimal strings prefixed with 0x, which represent standard Ethereum private key formats.
The second regex "[1-9A-HJ-NP-Za-km-z]{32,44}" identifies Base58-encoded strings typical of Solana addresses and public keys, with length constraints matching Solana’s cryptographic specifications.
The third pattern captures bracketed byte arrays in formats like [0x12, 0xAB, ...] or [1,2,...] that could contain raw key bytes or embedded seed phrases.
Crates.io search for fast_log showed the legitimate fast_log alongside two imposters, faster_log and async_println (Source – Socket.dev)
When the scanning function identifies matching patterns, it constructs detailed forensic records that include the exact file path, line number, matched value, and pattern type.
This precise location tracking suggests the attackers may have intended to conduct follow-up operations or provide detailed intelligence to buyers of the stolen credentials.
The malware batches multiple discoveries into JSON payloads before transmitting them via HTTP POST requests to the attacker’s command and control infrastructure, utilizing standard HTTPS encryption to blend with legitimate network traffic.
The exfiltration mechanism operates through a Rust reqwest client that sends structured data to the Cloudflare Workers-hosted endpoint.
This hosting choice provides the attackers with anonymity, scalability, and the ability to rapidly modify their collection infrastructure without maintaining dedicated servers.
The malicious crates process files at application runtime rather than during compilation, ensuring the scanning occurs within developers’ active working environments where cryptocurrency credentials are most likely to be present and accessible.
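The three patterns quoted above are the same ones a defender can turn around and run over their own repositories before a malicious dependency does, which is what secret-scanning pre-commit hooks do. The following is an added example written for this page, not code from the crates or from Socket.dev: it applies the Ethereum and Base58 expressions as printed (with `\b` word boundaries added here to cut noise), uses an assumed approximation of the bracketed byte-array pattern because the article does not quote that expression verbatim, and scans a constructed temporary tree. Findings carry the file path, line number and pattern type, mirroring the record layout the article describes, but the matched value is redacted and nothing leaves the machine.

```python
"""Added example: a local, read-only secret scan using the three patterns
described in the article, as a developer might run before committing.

Nothing is transmitted anywhere; findings are returned to the caller with the
matched value redacted. The sample tree is constructed in a temporary directory.
"""
import os
import re
import tempfile

# The Ethereum and Base58 expressions are the ones quoted by Socket.dev, with
# \b boundaries added here. The byte-array expression is an assumed
# approximation (the article describes the shape but does not quote the regex).
PATTERNS = {
    "eth_private_key": re.compile(r"\b0x[0-9a-fA-F]{64}\b"),
    "base58_solana": re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{32,44}\b"),
    "byte_array": re.compile(
        r"\[\s*(?:0x[0-9a-fA-F]{1,2}|\d{1,3})(?:\s*,\s*(?:0x[0-9a-fA-F]{1,2}|\d{1,3}))+\s*\]"),
}

# Which files to look at; a real hook would read this from configuration.
SCAN_EXTENSIONS = {".rs", ".toml", ".json", ".txt", ".ts", ".js"}
SCAN_FILENAMES = {".env"}
SKIP_DIRS = {"target", ".git", "node_modules"}


def redact(secret: str) -> str:
    """Keep enough of the match to locate it, never the whole value."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_text(text: str, path: str) -> list:
    """Return one finding per match: path, 1-based line number, pattern name, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "pattern": name, "value": redact(m.group(0))})
    return findings


def scan_tree(root: str) -> list:
    """Walk a project directory and scan every eligible text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if fn not in SCAN_FILENAMES and os.path.splitext(fn)[1] not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            findings.extend(scan_text(text, os.path.relpath(full, root)))
    return findings


# Constructed sample project: one hex "key" (a repeated byte pattern, not a real
# key), one byte array in a dotenv file, one Base58-looking token in a comment,
# and a README that the extension filter skips.
SAMPLE_FILES = {
    "src/main.rs": 'fn main() {\n    // constructed, not a real key\n    let key = "0x' + "ab" * 32 + '";\n}\n',
    ".env": "SOLANA_KEYPAIR=[12, 0xAB, 255, 1, 0x7f]\n",
    "src/lib.rs": "// log line id: 3QJmV3t6kMTbN2x9ULz4PqwR5d8Y7uvW1aKpEz\n",
    "README.md": "0x" + "cd" * 32 + "\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="scan-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}:{f['line']}: {f['pattern']} {f['value']}")
```

On the constructed tree this reports three findings, one per pattern. The Base58 expression deserves the caveat it gets here: any 32 to 44 character run of the Base58 alphabet matches, so ordinary identifiers and log tokens will trigger it as well, and a scanner that treats it as a hard fail without review will be noisy. The same noise is why the crates recorded the exact path and line of every hit rather than trusting the match alone.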
Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks.
“This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms,” the Microsoft Threat Intelligence team said in a Thursday report.
“It employs sophisticated encryption and obfuscation
Threat actors recently infiltrated a corporate environment, dumped the AD database file NTDS.dit, and nearly achieved full domain control. AD acts as the backbone of Windows domains, storing account data, group policies, and password hashes. Compromise of its core file effectively hands attackers the keys to the kingdom. Attack Overview The breach began when attackers […]
In early 2025, LummaStealer was in widespread use by cybercriminals targeting victims throughout the world in multiple industry verticals, including telecom, healthcare, banking, and marketing. A sweeping law enforcement operation in May brought this all to an abrupt halt. After a quiet period, we are now seeing new variants of LummaStealer emerge. In light of […]
A critical zero-day vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software is being actively exploited in the wild. Tracked as CVE-2025-20333, this remote code execution flaw allows an authenticated attacker to execute arbitrary code as root on affected devices. Cisco published an advisory on September […]
Cisco warns of a critical remote code execution flaw in web services across multiple Cisco platforms. Tracked as CVE-2025-20363 (CWE-122), this vulnerability carries a CVSS 3.1 Base Score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and impacts ASA, FTD, IOS, IOS XE, and IOS XR Software.
Cisco Input Validation Flaw (CVE-2025-20363)
The flaw stems from improper validation of user-supplied input in HTTP requests. Attackers can craft malicious HTTP packets to bypass exploit mitigations and execute arbitrary shell commands as root.
For Cisco Secure Firewall ASA and FTD, no authentication is required; for IOS, IOS XE, and IOS XR, only low-privileged authenticated access is needed.
Affected services listen on SSL or HTTP ports when features such as webvpn, AnyConnect SSL VPN, or the HTTP server are enabled. Example CLI checks:
Successful exploitation yields a root shell, potentially leading to full device compromise.
Cisco acknowledges Keane O’Kelley of Cisco ASIG for discovering the defect. Coordination with ASD, CSE, NCSC, and CISA contributed to the advisory.
All ASA Series (5500-X, ASAv, Firepower 1000/2100/4100/9000, Secure Firewall 1200/3100/4200), FTD platforms, IOS routers with SSL VPN, IOS XE routers, and ASR 9001 running 32-bit IOS XR with HTTP enabled are vulnerable.
No workarounds exist. Customers must upgrade to fixed releases immediately. The advisory provides detailed fixed versions per platform under the Fixed Software section.
Risk Factors / Details
Affected Products: Cisco Secure Firewall ASA & FTD Software, Cisco IOS Software & IOS XE Software, Cisco IOS XR Software (32-bit on ASR 9001 with HTTP server enabled)
Impact: Remote unauthenticated code execution as root
Exploit Prerequisites: SSL VPN (webvpn) or AnyConnect SSL VPN enabled
CVSS 3.1 Score: 9.0 (Critical)
Cisco recommends using the Cisco Software Checker to identify vulnerable releases and the earliest fixed releases. Administrators should audit device configurations to confirm whether SSL VPN or the HTTP server is enabled.
For ASA/FTD, verify the webvpn or AnyConnect SSL VPN settings; for IOS XR, confirm whether run uname -s returns Linux, or disable HTTP via no http server. Cisco PSIRT confirms no active exploitation in the wild.
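The configuration audit the advisory summary asks for (is webvpn, AnyConnect SSL VPN or the HTTP server enabled?) is easy to script against saved running-configs when there are many devices to triage. The following is an added example written for this page, not Cisco tooling: the configuration snippets are constructed, and the command syntax matched (the ASA `webvpn` block with `enable <interface>` and `anyconnect enable`, IOS `ip http server` / `ip http secure-server` and `webvpn gateway` with `inservice`, IOS XR `http server`) is an assumption to adapt to your own platforms. It answers only the exposure question; the Cisco Software Checker remains the authority on which releases are fixed.

```python
"""Added example: triage saved Cisco running-configs for the exposure
conditions named in the advisory summary (webvpn / AnyConnect / HTTP server).

The configs are constructed for the demo, and the command markers below are
assumptions about typical syntax, not an exhaustive list.
"""


def sections(config_text: str) -> list:
    """Group a Cisco-style config into (header, [child lines]) by indentation.

    Top-level commands start in column 0; their sub-commands are indented.
    Blank lines and '!' separators are ignored.
    """
    out = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            out.append((raw.strip(), []))
        elif out:
            out[-1][1].append(raw.strip())
    return out


def assess(config_text: str, platform: str) -> dict:
    """Report which web-facing features are enabled for the given platform family.

    platform is one of: asa, ftd, ios, iosxe, iosxr (assumed labels).
    A 'no ...' form of a command is a distinct header and so never matches.
    """
    enabled = set()
    for header, children in sections(config_text):
        if platform in ("asa", "ftd"):
            if header == "webvpn":
                if any(c.startswith("enable ") for c in children):
                    enabled.add("webvpn")
                if "anyconnect enable" in children:
                    enabled.add("anyconnect")
        elif platform in ("ios", "iosxe"):
            if header in ("ip http server", "ip http secure-server"):
                enabled.add("http_server")
            if header.startswith("webvpn gateway") and "inservice" in children:
                enabled.add("ssl_vpn_gateway")
        elif platform == "iosxr":
            if header == "http server":
                enabled.add("http_server")
    return {"platform": platform, "enabled": sorted(enabled), "exposed": bool(enabled)}


# Constructed sample configurations.
ASA_EXPOSED = """
hostname fw-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
webvpn
 enable outside
 anyconnect enable
"""

ASA_CLEAN = """
hostname fw-internal
interface GigabitEthernet0/0
 nameif inside
 security-level 100
"""

IOS_CLEAN = """
hostname rtr1
no ip http server
no ip http secure-server
"""

IOS_EXPOSED = """
hostname rtr2
ip http secure-server
webvpn gateway GW1
 inservice
"""

XR_EXPOSED = """
hostname asr9001
http server
"""

if __name__ == "__main__":
    for name, cfg, plat in [("fw-edge", ASA_EXPOSED, "asa"), ("fw-internal", ASA_CLEAN, "asa"),
                            ("rtr1", IOS_CLEAN, "ios"), ("rtr2", IOS_EXPOSED, "ios"),
                            ("asr9001", XR_EXPOSED, "iosxr")]:
        r = assess(cfg, plat)
        print(name, "EXPOSED" if r["exposed"] else "not exposed", r["enabled"])
```

A device that reports "not exposed" here is not safe to leave unpatched (the advisory gives no workaround and a later configuration change would open the listener), but the output tells you which devices to take first.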
Security teams worldwide have been warned after attackers began exploiting a newly discovered zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) 5500-X Series firewalls. The breach allows hackers to deploy sophisticated malware, dubbed RayInitiator and LINE VIPER, potentially giving them full control of affected devices. Today, the National Cyber Security Centre (NCSC), part of GCHQ, issued detailed guidance […]