A sophisticated new malware family dubbed YiBackdoor has emerged in the cybersecurity landscape, posing a significant threat to organizations worldwide.
First observed in June 2025, this malicious software represents a concerning evolution in backdoor technology, featuring advanced capabilities that enable threat actors to execute arbitrary commands, capture screenshots, collect sensitive system information, and deploy additional malicious plugins on compromised hosts.
The malware’s architecture demonstrates significant code overlaps with established threats IcedID and Latrodectus, suggesting potential collaboration between threat actor groups or shared development resources.
Similar to notorious banking trojans like Zloader and Qakbot, IcedID was originally designed for facilitating financial fraud but has since evolved into a primary tool for providing initial access to ransomware operators.
YiBackdoor appears to follow this same trajectory, potentially serving as a gateway for more destructive cyberattacks.
Zscaler analysts identified YiBackdoor through comprehensive threat hunting activities and noted its sophisticated anti-analysis capabilities designed to evade detection by security researchers and automated sandbox environments.
Network dynamic key derivation function for YiBackdoor (Source – Zscaler)
The malware demonstrates advanced virtual environment detection techniques, including hypervisor identification for VMware, Xen, KVM, VirtualBox, Microsoft Hyper-V, and Parallels systems.
The malware’s limited deployment patterns suggest it may currently be in a development or testing phase, according to security researchers.
However, its advanced capabilities and connection to established malware families indicate that broader deployment campaigns could emerge as development progresses.
The threat actor’s use of local IP addresses in configuration files further supports the assessment that YiBackdoor remains in active development.
Code Injection and Persistence Mechanisms
YiBackdoor employs a sophisticated process injection technique that sets it apart from conventional malware families.
The malware utilizes a unique approach to achieve code execution within legitimate system processes, specifically targeting svchost.exe for its injection operations.
During the initialization phase, YiBackdoor performs a critical check to determine whether it is already running within an injected process by examining its current memory address against loaded DLL ranges.
If the malware detects it is not yet injected, it creates a new svchost.exe process and begins the injection sequence.
The malware allocates memory within the target process and copies its malicious code into the newly created memory region.
Comparison of YiBackdoor and IcedID GZIP decryption routines (Source – Zscaler)
The most notable aspect of YiBackdoor’s injection technique involves patching the Windows API function RtlExitUserProcess with custom assembly code.
This patch redirects execution flow to YiBackdoor’s entry point when the function is called, effectively hijacking the process termination sequence.
The following code demonstrates the hypervisor detection mechanism used by the malware:
Persistence establishment occurs through Windows Registry manipulation, where YiBackdoor copies itself to a randomly named directory and creates registry entries using regsvr32.exe for automatic execution upon system startup.
The malware generates pseudo-random values for registry key names using Microsoft’s Linear Congruential Generator algorithm, making detection through static signatures more challenging for security products.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a high-severity zero-day vulnerability in Google Chrome that is being actively exploited in attacks.
The vulnerability, tracked as CVE-2025-10585, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for users and administrators to take action.
Google has confirmed it is aware that an exploit for this flaw exists in the wild and has released security updates to address the threat.
Understanding the V8 Type Confusion Flaw
The vulnerability is a type confusion weakness within Chrome’s V8 JavaScript and WebAssembly engine. A type confusion flaw (CWE-843) occurs when a program attempts to access a resource with an incompatible type, causing it to misinterpret the data.
This can lead to memory corruption, which an attacker can leverage to crash the browser or, more critically, execute arbitrary code on the affected system.
The flaw was discovered and reported by Google’s own Threat Analysis Group (TAG) on September 16, 2025.
Google has not disclosed technical details about the specific attacks or the threat actors involved; withholding them is standard practice to prevent wider exploitation before users have had a chance to apply the necessary patches.
This marks the sixth Chrome zero-day vulnerability that has been actively exploited in 2025, highlighting a persistent trend of attackers targeting browser vulnerabilities.
In 2025, Google addressed multiple zero-day vulnerabilities in its Chrome web browser that were actively exploited in the wild. These flaws required urgent updates to protect users from potential attacks.
The table below details the Chrome zero-day vulnerabilities that have been discovered and patched throughout the year.
This vulnerability was addressed by Google as a zero-day, but it is unclear if it was actively exploited in malicious attacks.
Insufficient validation of untrusted input in the ANGLE and GPU components allows a remote attacker to perform a sandbox escape.
CISA Directive and Recommended Actions
In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by October 14, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
While this directive is mandatory for federal agencies, CISA strongly urges all organizations and individual users to prioritize patching their systems to defend against potential attacks.
To mitigate the vulnerability, users should update their Chrome browser to the latest version:
Windows and macOS: 140.0.7339.185/.186
Linux: 140.0.7339.185
Users can initiate the update by navigating to Chrome’s menu, selecting “Help,” and then “About Google Chrome,” which will trigger an automatic check for and installation of the latest version.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates as soon as they become available from their respective vendors.
Enabling automatic updates is highly recommended to ensure prompt protection against future threats.
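A fleet-inventory check for the fixed builds listed above, written as an added example (not from CISA's or Google's materials); the inventory records and platform keys are constructed for the demonstration:

```python
"""Flag hosts whose Chrome build is below the fixed version for CVE-2025-10585."""

# Minimum patched builds per platform, as stated in the advisory above.
FIXED_VERSIONS = {
    "windows": "140.0.7339.185",
    "macos": "140.0.7339.185",
    "linux": "140.0.7339.185",
}

def parse_version(version: str) -> tuple:
    """Split a dotted Chrome version into integers so the comparison is numeric.
    Compared as plain strings, "140.0.7339.99" sorts after "140.0.7339.185",
    which would wrongly mark an old build as patched."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(installed) >= parse_version(fixed)

def find_unpatched(inventory: list) -> list:
    """Return hostnames still exposed. Records with an unknown platform or an
    unparseable version are reported too: they cannot be shown to be safe."""
    exposed = []
    for host in inventory:
        try:
            if not is_patched(host["platform"], host["chrome_version"]):
                exposed.append(host["hostname"])
        except (KeyError, ValueError):
            exposed.append(host.get("hostname", "<unknown>"))
    return exposed

# Constructed inventory records (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"hostname": "ws-01", "platform": "windows", "chrome_version": "140.0.7339.186"},
    {"hostname": "ws-02", "platform": "windows", "chrome_version": "140.0.7339.99"},
    {"hostname": "mac-07", "platform": "macOS", "chrome_version": "139.0.1234.5"},
    {"hostname": "lx-03", "platform": "linux", "chrome_version": "140.0.7339.185"},
    {"hostname": "lx-04", "platform": "linux", "chrome_version": "n/a"},
]

if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_INVENTORY):
        print(f"{name}: update Chrome for CVE-2025-10585")
```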
Threat actors are leveraging the legacy Windows error‐reporting utility WerFaultSecure.exe to extract the memory region of the Local Security Authority Subsystem Service (LSASS.EXE) and harvest cached credentials from fully patched Windows 11 24H2 systems.
After gaining initial access to a host, adversaries frequently seek to dump LSASS memory to escalate privileges and move laterally across the network.
Modern Windows severely restricts direct memory access to LSASS by enforcing Protected Process Light (PPL), requiring kernel privilege or a peer PPL process for interaction.
Zero Salarium researchers have now demonstrated how to bypass these defenses by running a vulnerable WerFaultSecure.exe binary compiled for Windows 8.1 under Windows 11, thereby obtaining an unencrypted memory dump of LSASS.
Leveraging WerFaultSecure.exe’s PPL Privilege
WerFaultSecure.exe is part of the Windows Error Reporting (WER) framework and normally executes with the highest PPL label, WinTCB, to collect crash dumps from protected processes.
Its protected status allows it to access LSASS memory under the guise of a crash handler.
In Windows 8.1, a flaw existed whereby WerFaultSecure.exe could be coerced into writing crash dumps without applying its built-in encryption routines, resulting in unencrypted dump files on disk.
Exploiting WerFaultSecure.exe
By copying the vulnerable WerFaultSecure.exe from Windows 8.1 onto a Windows 11 24H2 machine and launching it with PPL elevation, attackers can trick the tool into capturing LSASS memory and writing a raw dump.
Zero Salarium reports that the exploit sequence involves running WerFaultSecure.exe with undocumented switches discovered through reverse engineering: /h to invoke secure hidden crash mode, /pid [pid] to target the LSASS process, /tid [tid] to specify its main thread, and /file [handle] to designate an unencrypted output handle.
The attacker uses a custom loader named WSASS to spawn WerFaultSecure.exe via the CreateProcessAsPPL API, inheriting handles for the crash dump and event objects.
WSASS waits for dump completion, then overwrites the first four bytes of the generated file, the MDMP signature (0x4D, 0x44, 0x4D, 0x50), with the PNG magic header so that the dump masquerades as a benign image file and evades antivirus checks.
MDMP replaced
Finally, the loader resumes any threads it suspended in LSASS, using a handle opened with only PROCESS_SUSPEND_RESUME rights, to restore system stability.
Once the attacker restores the MDMP header, the resulting minidump can be loaded into standard tools, such as pypykatz or Mimikatz, to extract NTLM hashes and plaintext credentials, facilitating further lateral movement.
This technique underscores the importance of monitoring WerFaultSecure.exe binaries outside the System32 directory and validating PPL‐protected process invocations to detect anomalous behavior early.
This exploit demonstrates how backward compatibility in Windows can be leveraged against modern defenses, highlighting the need for defenders to monitor both file locations and invocation contexts of error-reporting tools.
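Because only the first four bytes are swapped, the rest of the minidump header survives and gives a defender something to key on. The following detector is an added example (not Zero Salarium's code); the sample files are constructed in memory, and the file is judged on the MINIDUMP_HEADER fields that follow the magic:

```python
"""Spot minidumps whose 'MDMP' magic was overwritten with the PNG signature."""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # genuine PNGs carry all 8 bytes
MDMP_MAGIC = b"MDMP"                    # 0x4D 0x44 0x4D 0x50
MINIDUMP_VERSION = 0xA793               # low word of MINIDUMP_HEADER.Version
HEADER_SIZE = 32                        # sizeof(MINIDUMP_HEADER)
DIR_ENTRY_SIZE = 12                     # sizeof(MINIDUMP_DIRECTORY)

def header_is_minidump(blob: bytes) -> bool:
    """Ignore the magic; check the version word and that the stream directory
    the header points at actually lies inside the file."""
    if len(blob) < HEADER_SIZE:
        return False
    version, n_streams, dir_rva = struct.unpack_from("<III", blob, 4)
    return ((version & 0xFFFF) == MINIDUMP_VERSION
            and dir_rva >= HEADER_SIZE
            and dir_rva + n_streams * DIR_ENTRY_SIZE <= len(blob))

def classify(blob: bytes) -> str:
    magic = blob[:4]
    if magic == MDMP_MAGIC and header_is_minidump(blob):
        return "minidump"
    if magic == PNG_SIGNATURE[:4]:
        if blob[4:8] == PNG_SIGNATURE[4:8]:
            return "png"                # full 8-byte signature intact
        if header_is_minidump(blob):
            return "minidump-disguised-as-png"
    if header_is_minidump(blob):
        return "minidump-unknown-magic"
    return "other"

def _constructed_minidump() -> bytes:
    """Minimal constructed header plus a 3-entry stream directory, no stream data."""
    n = 3
    header = MDMP_MAGIC + struct.pack("<IIIIIQ", 0x0001A793, n, HEADER_SIZE,
                                      0, 0x66E0A000, 0)
    end = HEADER_SIZE + n * DIR_ENTRY_SIZE
    directory = b"".join(struct.pack("<III", stream_type, 0, end)
                         for stream_type in (3, 4, 7))  # Thread, Module, SystemInfo
    return header + directory

GENUINE_DUMP = _constructed_minidump()
DISGUISED_DUMP = PNG_SIGNATURE[:4] + GENUINE_DUMP[4:]            # the 4-byte swap
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + bytes(20)   # constructed stub

if __name__ == "__main__":
    for label, blob in (("dump", GENUINE_DUMP), ("disguised", DISGUISED_DUMP), ("png", REAL_PNG)):
        print(f"{label}: {classify(blob)}")
```

Feed whole file contents to classify(); the directory bounds check needs the full length, so scanning only the first few bytes is not enough.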
CISA has issued an urgent security Alert in response to a large-scale software supply chain attack on npmjs.com, the world’s largest JavaScript package registry.
A self-replicating worm, dubbed Shai-Hulud, has infiltrated more than 500 npm packages and injected malicious code that aggressively spreads by abusing developer credentials and npm publish workflows.
Self-Replicating npm Supply Chain Threat
After securing initial access presumably via a compromised maintainer account, Shai-Hulud deploys a sophisticated payload that scans for sensitive credentials stored in environment variables and local configuration files.
The malware targets GitHub Personal Access Tokens (PATs) and API keys for AWS, GCP, and Azure, exploiting common CI/CD practices where tokens are inadvertently persisted.
Once harvested, credentials are exfiltrated to an actor-controlled endpoint and simultaneously uploaded to a public GitHub repository named Shai-Hulud via the GitHub /user/repos API.
Shai-Hulud then uses an automated loop to authenticate to the npm registry with the stolen tokens. Leveraging the npm CLI, it injects malicious JavaScript into the entry point file (often index.js) of other packages in the compromised developer’s dependency tree.
Following the injection, the worm executes 'npm version patch && npm publish --access public' to publish a trojanized version, thereby perpetuating its spread.
The worm’s self-replication mechanism exploits transitive dependencies: any project depending on one of the compromised packages can inadvertently become a new host.
Mitigations
CISA recommends immediate action to detect and remediate this compromise:
Examine all package-lock.json and yarn.lock files to identify packages released after September 16, 2025. Use npm audit and static analysis tools to flag unexpected code changes or additional postinstall scripts.
Rotate all developer credentials and revoke exposed GitHub PATs. Enforce phishing-resistant multi-factor authentication (MFA) on every developer account, particularly for GitHub and npm registry logins.
Implement IDS/IPS rules to monitor anomalous SSH and HTTPS connections. Block outbound traffic to known suspicious endpoints, including webhook.site domains, and audit firewall logs for unexpected DNS queries and egress to unfamiliar IP ranges.
Remove unnecessary GitHub Apps and OAuth permissions. Enable branch protection rules, secret scanning, and Dependabot security updates. Audit webhooks and repository-level secrets for unauthorized changes.
Pin dependencies to known safe versions published prior to September 16, 2025. Set strict semver specifiers (e.g., "lodash": "4.17.21") in package.json to prevent inadvertent updates to compromised releases.
Enhanced vigilance across the development pipeline is crucial to stem the worm’s propagation and safeguard the integrity of the npm ecosystem.
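Two of the checks above (exact version pins in package.json, and unexpected install-time scripts or non-registry sources in the lockfile) can be scripted. This is an added example, not CISA's tooling; the manifest and lockfile below are constructed, and every package name in them other than lodash is a placeholder:

```python
"""Audit package.json and package-lock.json for unpinned specs, install hooks
and packages not resolved from the public npm registry."""
import json
import re

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Exact semver only: "4.17.21" passes; "^4.17.21", "~2.0.0", "latest",
# git URLs and "npm:" aliases all fail and are reported.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

def audit_manifest(text: str) -> dict:
    manifest = json.loads(text)
    findings = {"unpinned": [], "install_hooks": []}
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(str(spec)):
                findings["unpinned"].append(f"{section}:{name}@{spec}")
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:          # these run automatically on npm install
        if hook in scripts:
            findings["install_hooks"].append(f"{hook}: {scripts[hook]}")
    return findings

def audit_lockfile(text: str) -> list:
    """lockfileVersion 2/3: every installed package should resolve to the
    public registry and carry an integrity hash; anything else is reported."""
    lock = json.loads(text)
    issues = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue                    # root project or workspace symlink
        resolved = entry.get("resolved", "")
        if not resolved.startswith("https://registry.npmjs.org/"):
            issues.append(f"{path}: resolved from {resolved or '<none>'}")
        elif not entry.get("integrity"):
            issues.append(f"{path}: no integrity hash")
    return issues

# Constructed inputs for the demonstration.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app", "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "example-pad": "1.3.0"},
    "devDependencies": {"example-linter": "~2.0.0"},
    "scripts": {"test": "node test.js", "postinstall": "node setup_bundle.js"},
})
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-CONSTRUCTED",
                            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/example-widget": {"version": "0.3.1",
                                    "resolved": "https://mirror.example/example-widget-0.3.1.tgz"},
}})
```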
Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to
Kali team has released Kali Linux 2025.3, the third major update of the year for the popular penetration testing and ethical hacking distribution.
This release introduces 10 new tools, brings significant updates to its mobile platform, Kali NetHunter, and enhances wireless capabilities for Raspberry Pi devices.
Key updates in this version include a refresh of HashiCorp Packer and Vagrant integration, the reintroduction of Nexmon support, and various improvements to the user experience and underlying system architecture.
Major Features and Enhancements
The Kali Linux 2025.3 release comes with several notable improvements and changes since the June 2025.2 version.
Nexmon Support for Raspberry Pi: One of the headline features is the return of Nexmon support, a patched firmware that enables monitor mode and frame injection on certain wireless chips. This update brings these advanced Wi-Fi capabilities to the Raspberry Pi’s built-in wireless card, including for the Raspberry Pi 5. This allows security professionals to sniff wireless packets and inject custom raw packets, which is crucial for wireless security assessments. The 64-bit (arm64) image is now recommended for Raspberry Pi devices, and it includes support for the Pi 5, eliminating the need for a separate image.
HashiCorp Packer & Vagrant Refresh: The development team has streamlined how it builds Virtual Machine (VM) images by revamping its use of HashiCorp’s Packer and Vagrant tools. To improve the build process, Kali’s Vagrant images are no longer generated using Packer. Instead, the modifications are now part of the existing VM build scripts, and the team has upgraded its Packer build scripts to v2 standards.
Dropping ARMel Support: Following in Debian’s footsteps, Kali Linux is discontinuing support for the ARMel architecture. This change affects a small number of older devices, such as the original Raspberry Pi 1 and Raspberry Pi Zero W. The team stated that the resources required to maintain this legacy architecture are better spent on newer platforms like RISC-V.
Configurable Xfce VPN IP Plugin: The Xfce desktop environment’s VPN IP plugin has been updated. Users can now configure which network interface the plugin monitors, an improvement for those using multiple VPN connections or non-standard interfaces.
10 New Hacking Tools
As with every release, Kali 2025.3 adds a fresh set of tools to its arsenal. This version includes 10 new packages:
Caido & Caido-cli: A web security auditing toolkit with a graphical client and command-line server.
Detect It Easy (DiE): A utility for identifying file types.
Gemini CLI: An open-source AI agent that integrates Google’s Gemini into the command line.
krbrelayx: A toolkit for Kerberos relaying and abusing unconstrained delegation.
ligolo-mp: A solution for creating multi-user pivoting tunnels.
llm-tools-nmap: A tool that allows Large Language Models (LLMs) to use nmap for network scanning.
mcp-kali-server: A configuration tool for connecting AI agents to Kali.
patchleaks: A tool designed to quickly identify and detail security fixes in software patches.
vwifi-dkms: A module for creating virtual “dummy” Wi-Fi networks.
Kali NetHunter and ARM Updates
The Kali NetHunter platform for mobile devices received significant updates. A major announcement is support for the Samsung Galaxy S10 as a new budget-friendly device capable of internal Wi-Fi monitor mode and injection on both the 2.4 GHz and 5 GHz bands.
The CARsenal car hacking suite has also been heavily updated with a new user interface, refactored code, expanded tools, and improved simulation capabilities with the addition of UDSim.
How to Get Kali Linux 2025.3
For new installations, fresh images are available for download from the official Kali website. Existing Kali Linux users can upgrade their system to version 2025.3 by running the following commands in their terminal:
sudo apt update && sudo apt -y full-upgrade
After the update, users can verify the new version by checking the /etc/os-release file.