• Cybersecurity researchers have identified a potential connection between two Yemen-based cybercriminal organizations, the Belsen Group and ZeroSevenGroup, following an extensive investigation into their operational patterns and attack methodologies.

    The discovery comes amid growing concerns about sophisticated network intrusion campaigns targeting critical infrastructure and enterprise systems across multiple continents.

    The Belsen Group first emerged in January 2025, making headlines with the leak of 1.6 GB of sensitive data from over 15,000 vulnerable Fortinet FortiGate devices.

    The compromised information included IP addresses, system configurations, and VPN credentials, which the group initially shared freely on BreachForums and their dedicated TOR-based blog to establish credibility within cybercriminal communities.

    The group’s attack vector centered on exploiting CVE-2022-40684, a critical authentication bypass vulnerability in FortiGate firewalls, suggesting they maintained access to victim systems for over two years before the public disclosure.

    ZeroSevenGroup, the more established of the two entities, has been active since July 2024, initially operating on platforms including NulledTo before expanding to BreachForums, CrackedTo, and Leakbase.

    The group specialized in data monetization strategies, targeting organizations across Poland, Israel, the United States, UAE, Russia, and Brazil.

    Their most notable breach involved Toyota’s US operations in August 2024, where they claimed responsibility for exfiltrating 240GB of sensitive corporate data.

    KELA Cyber Team analysts noted significant operational similarities between the groups through forensic analysis of their posting patterns and communication styles.

    The investigation revealed that both organizations employed identical title formatting conventions, specifically using “[ Access ]” with square brackets and spaces in their forum posts and victim announcements.

    This distinctive formatting pattern was unique to these two actors within KELA’s comprehensive threat intelligence database.

    Tactical Convergence and Attribution Analysis

    The technical analysis revealed deeper connections through OSINT investigation of the groups’ digital footprints. Researchers identified matching stylistic patterns in their social media presence, particularly consistent hashtag usage including #hack across their Twitter profiles.

    Both groups demonstrated similar operational security practices, maintaining multiple communication channels including Tox, XMPP, Telegram, and X for victim negotiations and data sales.

    Belsen Group’s Onion Website (Source – Kela)

    The Belsen Group’s operational infrastructure included a sophisticated onion site for victim listings and contact information, registered under the partially redacted email address ad@gmail.com.

    Their Telegram administrator account (@BelsenAdmin, ID 6161097506) revealed additional intelligence through subscription patterns to cybersecurity certification groups, regional Arabic-speaking communities in Yemen, and technical training channels.

    The account’s previous usernames (@m_kyan0, @mmmkkk000000) provided additional attribution markers for ongoing investigations.

    ZeroSevenGroup’s technical profile showed evolution from their earlier incarnation as “ZeroXGroup” on RaidForums under username zerox296.

    The group’s password reuse patterns across leaked databases and infostealers provided crucial attribution links, connecting their operations to Yemen-based threat actors associated with the Yemen Shield hacking group.

    Their transition to exclusive operations on Exploit Forum since January 2025 demonstrated tactical adaptation following exposure of their scamming activities against the Medusa Ransomware group.

    While definitive attribution remains challenging, the convergence of operational patterns, geographic origins, and tactical preferences strongly suggests coordination or shared resources between these cybercriminal entities, representing an evolving threat landscape requiring enhanced defensive measures.

    The post Researchers Uncover Link Between Belsen and ZeroSeven Cybercriminal Groups appeared first on Cyber Security News.

  • The emergence of the SystemBC botnet marks a significant evolution in proxy-based criminal infrastructure.

    Rather than co-opt residential devices for proxying, SystemBC operators have shifted to compromising large commercial Virtual Private Servers (VPS), enabling high-volume proxy services with minimal disruption to end users.

    In recent months, Lumen Technologies has observed an average of 1,500 newly compromised VPS systems daily, each enlisted to relay malicious traffic on behalf of criminal threat groups.

    These compromised servers function as robust, high-bandwidth proxies, delivering an unprecedented level of throughput that traditional residential botnets cannot sustain.

    Initially documented by Proofpoint in 2019, SystemBC functionality has expanded beyond simple proxy operations.

    After successful infiltration, the loader decrypts a hard-coded configuration and establishes a connection to one of over 80 command-and-control (C2) servers.

    The payload leverages a combination of XOR and RC4 encryption to secure its communication channel, ensuring that detection and analysis by defenders remains challenging.

    Lumen analysts identified this encryption pipeline during dynamic analysis of a Linux variant sample, revealing a three-stage process for both outbound beaconing and C2 responses.

    This constant cat-and-mouse game between evasion and detection has underscored the resilience of SystemBC over multiple years.

    The impact of this botnet has been felt across the cybercrime ecosystem. In addition to supplying proxies for renting, SystemBC’s network has been integrated into larger offerings such as REM Proxy, a tiered commercial service catering to multiple criminal enterprises.

    REM Proxy system overview (Source – Lumen)

    REM Proxy’s high-end “Mix-Speed” tier comprises numerous SystemBC-infected servers, prized for their volume and stability.

    Meanwhile, lower-quality proxies are relegated to brute-force campaigns and credential harvesting. This dual-use of compromised VPS assets highlights how threat actors optimize distinct infection and exploitation stages under a single unified architecture.

    Infection Mechanism and Decryption Workflow

    The infection mechanism often begins with opportunistic scanning of internet-facing services on port 443. Once a vulnerable VPS is identified, the malware download is initiated via HTTP over port 80.

    SystemBC proxy pipeline (Source – Lumen)

    The retrieved shell script, annotated with Russian comments, automates the parallel download and execution of over 180 SystemBC samples.

    Each sample shares a 40-byte XOR key embedded in its binary. Upon execution, the loader reconstructs its C2 configuration as shown in the following pseudocode:

    # Pseudocode for SystemBC configuration decryption
    key = read_bytes(offset=0x100, length=40)
    encrypted_config = read_bytes(offset=0x200, length=config_length)
    config = xor(rc4(xor(encrypted_config, key), key), key)

    Decoding configuration (Source – Lumen)

    Once decrypted, the configuration yields a list of C2 endpoints and operational parameters. The loader then crafts an initial beacon packet—composed of the key, padding bytes, and a 0xFFFF header—encrypted in the same pipeline before transmission.
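    For analysts who need to recover C2 endpoints from a captured sample, the XOR, RC4, XOR pipeline in the pseudocode above can be written out as follows. This is an added example, not code from Lumen or from the malware; the offsets 0x100 and 0x200 and the 40-byte key length come from the pseudocode, while the sample image, the key bytes and the NUL-separated host:port layout of the plaintext are constructed assumptions.

```python
"""Added example: the XOR -> RC4 -> XOR pipeline from the pseudocode above."""
from itertools import cycle

# Offsets and key length as given in the page's pseudocode.
KEY_OFFSET, KEY_LEN = 0x100, 40
CONFIG_OFFSET = 0x200


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pipeline(data: bytes, key: bytes) -> bytes:
    """xor(rc4(xor(data, key), key), key), exactly as in the pseudocode.

    Every stage XORs the data with a stream fixed by the key, so the
    pipeline is its own inverse. The two repeating-key XOR passes also
    cancel each other: as written, the result equals one RC4 pass.
    """
    return xor(rc4(xor(data, key), key), key)


def extract_config(image: bytes, config_length: int) -> tuple[bytes, bytes]:
    """Return (key, decrypted_config) from a sample image."""
    key = image[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    enc = image[CONFIG_OFFSET:CONFIG_OFFSET + config_length]
    if len(key) != KEY_LEN or len(enc) != config_length:
        raise ValueError("image too short for the expected key/config layout")
    return key, pipeline(enc, key)


def build_sample_image() -> tuple[bytes, bytes]:
    """Constructed test image: NOT a real sample, key and config are made up."""
    key = bytes(range(1, KEY_LEN + 1))
    plaintext = b"c2-a.example:4001\x00c2-b.example:4002\x00"  # assumed layout
    image = bytearray(CONFIG_OFFSET + len(plaintext))
    image[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = key
    # The pipeline is an involution, so "encrypting" is the same call.
    image[CONFIG_OFFSET:] = pipeline(plaintext, key)
    return bytes(image), plaintext


def endpoints(config: bytes) -> list[str]:
    """Split the assumed NUL-separated config into endpoint strings."""
    return [part.decode("ascii") for part in config.split(b"\x00") if part]


if __name__ == "__main__":
    image, plaintext = build_sample_image()
    key, config = extract_config(image, len(plaintext))
    print("key:", key.hex())
    print("endpoints:", endpoints(config))
```

    Because the outer XOR layers cancel in the pipeline as written, a detection or extraction tool only needs the embedded key and an RC4 routine to recover the configuration.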

    Known users of the SystemBC botnet (Source – Lumen)

    The response from the C2 server contains a four-byte header indicating commands: new proxy creation, proxy data injection, or termination.

    Lumen researchers noted that this symmetric encryption approach effectively evades signature-based detection while maintaining low computational overhead on compromised servers.

    Through its blend of scalable infection tactics, robust encryption, and integration into commercial proxy services, SystemBC exemplifies a modern malware-as-a-service model.

    Continuous monitoring and rapid sharing of indicators of compromise remain critical to mitigate its widespread threat.

    The post SystemBC Botnet Hacked 1,500 VPS Servers Daily to Hire for DDoS Attack appeared first on Cyber Security News.

  • CISA issued a warning of two critical path traversal flaws in Delta Electronics’ DIALink industrial control system software. 

    With a maximum CVSS v4 base score of 10.0, these vulnerabilities could be exploited remotely with low attack complexity to bypass authentication and gain unauthorized access to critical manufacturing environments.

    Delta Electronics Path Traversal Flaws

    Delta Electronics DIALink versions V1.6.0.0 and prior contain an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability, tracked as CVE-2025-58320. 

    This flaw allows an attacker to craft specially encoded API or HTTP requests to traverse outside the intended application directory and access sensitive files.

    The flaw has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and a CVSS v4 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N). Successful exploitation permits an unauthenticated adversary to read or modify configuration files such as credential stores or control logic scripts without triggering login prompts.

    Although code execution is not directly achievable via this CVE alone, unauthorized access to sensitive files can facilitate subsequent attacks or data exfiltration.

    CVE-2025-58321 is a more severe Path Traversal issue in the same DIALink product versions. Unlike CVE-2025-58320, this flaw enables both read and write access to arbitrary filesystem locations.

    The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and a CVSS v4 base score of 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

    An attacker can bypass authentication entirely, upload malicious files or scripts, and potentially execute code with the privileges of the DIALink service. 

    This full control over file creation, deletion, and execution dramatically elevates the risk of disruption, ransomware deployment, or persistent backdoors in industrial environments. 

    These vulnerabilities were privately reported by an anonymous researcher collaborating with Trend Micro’s Zero Day Initiative.

    | CVE | Title | CVSS v3.1 Score | Severity |
    | --- | --- | --- | --- |
    | CVE-2025-58320 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), allowing full authentication bypass and code execution | 7.3 | High |
    | CVE-2025-58321 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), allowing full authentication bypass and code execution | 10.0 | Critical |

    Mitigation

    Both CVEs are remotely exploitable with low attack complexity, posing severe risks to critical manufacturing operations worldwide. 

    Delta Electronics urges immediate upgrade to DIALink v1.8.0.0 or later, available via the Delta Download Center. Organizations should also:

    • Segment OT networks behind firewalls and avoid direct Internet exposure of control systems.
    • Use VPNs or secure gateways for all remote connections.
    • Enforce strict separation between business and operational technology networks.
    • Audit file system permissions and restrict directory access controls.

    CISA recommends thorough impact analysis and risk assessments prior to patch deployment and encourages reporting of any suspicious activity to support collective threat intelligence.

    The post CISA Warns of Delta Electronics Vulnerabilities Let Attackers Bypass Authentication appeared first on Cyber Security News.

  • A critical security vulnerability has been discovered in HubSpot’s Jinjava template engine, potentially exposing thousands of websites and applications to remote code execution attacks. The flaw, tracked as CVE-2025-59340, carries the maximum CVSS score of 10.0, indicating the severity of the security risk. Sandbox Bypass Enables Dangerous Exploits The vulnerability stems from a sandbox bypass mechanism […]

    The post HubSpot’s Jinjava Engine Flaw Exposes Thousands of Sites to RCE Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Since January, Trend Micro has tracked a surge in phishing campaigns using AI-powered platforms (Lovable, Netlify, Vercel) to host fake captcha pages that lead to phishing websites. This ploy misleads users and evades security tools. Victims are first shown a captcha, lowering suspicion, while automated scanners only detect the challenge page, missing the hidden credential-harvesting […]

    The post AI-Driven Phishing Attacks: Deceptive Tactics to Bypass Security Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Remote Desktop Protocol (RDP) and Secure Shell (SSH) have changed how organizations manage their IT systems. These tools allow employees to access and control their computers from anywhere, which helps teams work together better.

    By enabling secure connections to work environments, RDP and SSH support flexibility and productivity in today’s digital world.

    The two protocols have emerged as cornerstones of remote connectivity.

    While both facilitate remote access, they serve distinct purposes and offer different capabilities, making the choice between them critical for security, efficiency, and operational success.

    Figure: Market growth and adoption trends for remote desktop technologies and SSH/RDP usage from 2023-2032

    RDP vs SSH Protocol Architecture

    Remote Desktop Protocol (RDP) Architecture

    RDP operates as an application layer protocol within the OSI model, specifically designed to transmit graphical desktop environments over network connections.

    Microsoft’s implementation utilizes a sophisticated multi-layered architecture comprising the Transport Layer Protocol, User Authentication Layer, and Connection Protocol.

    The protocol supports up to 64,000 independent virtual channels for data transmission, enabling complex multimedia and peripheral redirection.

    The RDP transport mechanism relies on TCP port 3389 by default, though recent versions support UDP transport through RDPEUDP for improved performance in high-latency environments.

    This dual-transport capability represents a significant advancement in RDP’s evolution, particularly benefiting remote desktop sessions over WAN connections.

    SSH Protocol Structure

    SSH operates at the transport and session layers, providing a secure foundation for multiple network services.

    The current SSH-2 protocol employs a three-layer architecture: the Transport Layer handles initial key exchange and encryption setup, the User Authentication Layer manages client authentication, and the Connection Layer multiplexes multiple channels over a single SSH connection.

    Unlike RDP’s graphics-focused design, SSH prioritizes secure command execution and data transmission through encrypted channels. The protocol’s lightweight nature allows for efficient operation over low-bandwidth connections while maintaining robust security standards.

    Figure: Comprehensive security comparison between RDP and SSH protocols across multiple security metrics

    Security Analysis And Vulnerability Assessment

    RDP Security Challenges

    RDP faces significant security challenges, with over 35 critical vulnerabilities documented since 2019, including the notorious BlueKeep family of exploits.

    The protocol’s default configuration often employs RC4 encryption with 128-bit keys, which security experts consider outdated by modern standards.

    Common attack vectors include brute force attacks against the exposed port 3389, credential theft through man-in-the-middle attacks, and session hijacking.

    The implementation of Network Level Authentication (NLA) has improved RDP security by requiring user authentication before establishing connections, but many deployments still operate without this protection.

    Microsoft has responded to security concerns by introducing enhanced security modes utilizing TLS encryption and CredSSP authentication protocols.

    SSH Security Architecture

    SSH demonstrates superior security design with fewer than 12 critical vulnerabilities in the same timeframe, primarily related to implementation issues rather than protocol flaws.

    The protocol employs modern encryption algorithms, including AES-256, ChaCha20, and Ed25519, providing robust protection against contemporary threats.

    SSH’s security model includes perfect forward secrecy, ensuring that session keys remain secure even if long-term keys are compromised.

    The protocol’s authentication mechanisms extend beyond simple passwords to include public key authentication, host-based authentication, and multi-factor authentication options.

    These diverse authentication methods significantly reduce susceptibility to brute force attacks and credential stuffing attempts.

    Figure: Radar chart comparing RDP and SSH protocols across 8 key feature categories on a 1-10 rating scale

    | Feature/Aspect | RDP (Remote Desktop Protocol) | SSH (Secure Shell) |
    | --- | --- | --- |
    | Protocol Type | Application Layer Protocol | Transport/Session Layer Protocol |
    | Primary Purpose | Remote desktop access with GUI | Secure remote command execution |
    | User Interface | Graphical User Interface (GUI) | Command Line Interface (CLI) |
    | Default Port | 3389 (TCP/UDP) | 22 (TCP) |
    | Operating System Support | Windows-centric, limited cross-platform | Cross-platform (Linux, Unix, Windows, macOS) |
    | Authentication Methods | Password, Smart card, NLA | Password, Public key, Host-based, Keyboard-interactive |
    | Encryption Standards | RC4 (56/128-bit), TLS/SSL, CredSSP | AES, 3DES, Blowfish, ChaCha20, Ed25519, RSA, ECDSA |
    | Protocol Versions | RDP 5.0 to 10.7+ | SSH-1 (deprecated), SSH-2 (current) |
    | Network Requirements | Higher bandwidth (1-10 Mbps typical) | Low bandwidth (56K dialup capable) |
    | Session Management | Session disconnect/reconnect support | Single session per connection |
    | File Transfer Capabilities | Clipboard sharing, file redirection | SCP, SFTP protocols |
    | Multi-session Support | Multiple users per server | Multiple concurrent connections |
    | Resource Consumption | Resource-intensive (graphics rendering) | Lightweight (text-based) |
    | Security Level | Moderate (vulnerable to attacks) | High (designed for security) |
    | Known Critical CVEs (2019-2024) | 35+ (including BlueKeep family) | 8-12 (mostly implementation issues) |
    | CVSS Score Range | 5.3-9.8 (mostly HIGH/CRITICAL) | 3.1-7.8 (mostly LOW/MEDIUM) |
    | Brute Force Resistance | Low (port 3389 easily targeted) | High (key-based auth, rate limiting) |
    | Man-in-the-Middle Protection | Moderate (depends on configuration) | High (end-to-end encryption) |
    | Cross-Platform Compatibility | Limited (Windows-focused) | Excellent (universal support) |
    | Bandwidth Efficiency | Low (graphics-heavy) | High (minimal data transfer) |
    | Ease of Use (GUI) | Excellent (full GUI) | Limited (command line only) |
    | Command Line Administration | Limited | Excellent |
    | Tunneling/Port Forwarding | Basic | Extensive (local/remote forwarding) |

    Performance And Network Efficiency

    RDP’s graphics-intensive nature requires substantial bandwidth for optimal performance, particularly when transmitting high-resolution displays or multimedia content.

    The protocol includes compression algorithms and bitmap caching to reduce network load, but fundamental limitations persist for low-bandwidth scenarios.

    Performance degradation becomes noticeable with network latency exceeding 150ms, significantly impacting user experience.

    SSH’s text-based communication model consumes minimal network resources, making it ideal for bandwidth-constrained environments.

    The protocol’s compression capabilities and efficient data handling enable reliable operation over connections as slow as dialup, maintaining functionality where graphical protocols fail.

    RDP excels in session persistence, allowing users to disconnect and reconnect without losing their desktop state. This feature proves invaluable for long-running applications or when network interruptions occur frequently.

    The protocol supports multiple concurrent user sessions on server platforms, enabling shared resource utilization.

    SSH operates on a connection-per-session model but supports multiplexing multiple channels within a single connection.

    While lacking RDP’s session persistence, SSH provides superior flexibility for automated processes and scripting applications.

    Use Cases And Application Scenarios

    RDP dominates scenarios requiring graphical interface access, particularly for Windows-centric environments where administrators need full desktop functionality.

    IT support teams leverage RDP for troubleshooting user workstations, software installations, and complex administrative tasks requiring visual feedback.

    The protocol’s integration with Microsoft’s ecosystem provides seamless access to applications, printers, and local resources.

    SSH serves as the primary choice for Unix/Linux server administration, automated deployment scripts, and secure file transfers.

    System administrators rely on SSH for configuration management, log analysis, and remote maintenance tasks where command-line interfaces suffice.

    The protocol’s tunneling capabilities enable secure access to internal services and database administration.

    Organizations with stringent security requirements increasingly favor SSH due to its proven track record and robust encryption standards.

    Financial institutions, healthcare providers, and government agencies often mandate SSH for sensitive system access, leveraging its strong authentication mechanisms and audit capabilities.

    RDP requires careful configuration and additional security measures to meet compliance standards.

    Implementation of NLA, certificate-based authentication, and network segmentation helps mitigate inherent risks, but requires ongoing vigilance and regular security updates.

    SSH demonstrates superior cross-platform compatibility, with native support across Windows, macOS, Linux, and Unix systems.

    This universality makes SSH the preferred choice for heterogeneous environments where consistent access methods are essential.

    RDP’s Windows-centric design limits cross-platform functionality, though client applications exist for other operating systems. However, optimal performance and feature support remain tied to Windows environments.

    The remote desktop software market continues to expand rapidly, with projections indicating growth from $3.74 billion in 2025 to $9.46 billion by 2032.

    SSH adoption rates show steady increases, reaching projected 96% usage among enterprises by 2032, while RDP usage stabilizes around 87% primarily within Windows-centric organizations.

    The choice between RDP and SSH depends fundamentally on organizational requirements, security priorities, and operational contexts.

    RDP excels in scenarios demanding graphical interface access, user support, and Windows ecosystem integration, but requires careful security hardening and ongoing vulnerability management.

    SSH provides superior security, cross-platform compatibility, and network efficiency for command-line administration and automated processes.

    Organizations should implement both protocols strategically: SSH for secure server administration and automated processes, RDP for end-user support and graphical application access.

    Proper configuration, regular updates, and comprehensive monitoring remain essential for both protocols to maintain security and operational effectiveness.

    The evolving threat landscape demands continuous evaluation of remote access strategies, with security considerations taking precedence over convenience in critical infrastructure environments.

    As remote work patterns solidify and cyber threats intensify, the fundamental differences between these protocols will continue shaping enterprise IT security architectures and operational methodologies.

    The post RDP vs SSH Comparison – Features, Protocols, Security, And Use Cases appeared first on Cyber Security News.

  • Luxury jeweler Tiffany and Company has confirmed a data breach that exposed the personal information of 2,590 customers. The company discovered unauthorized access to an external system on September 9, 2025, but determined the incident first occurred on May 12, 2025. Tiffany notified affected customers in writing on September 16, 2025, and filed a breach notification […]

    The post Luxury Jeweler Tiffany Reports Data Breach Exposing User Personal Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A deserialization flaw affects the License Servlet component of the Fortra GoAnywhere Managed File Transfer (MFT) platform.

    Identified as CVE-2025-10035, this vulnerability permits an unauthenticated attacker who can deliver a forged license response signature to trigger Java deserialization of attacker-supplied objects, potentially resulting in arbitrary command execution and full system compromise.

    Deserialization Flaw (CVE-2025-10035)

    GoAnywhere MFT’s License Servlet fails to handle serialized data in license responses safely.  The servlet deserializes data without validating object types, leading to a classic CWE-502: Deserialization of Untrusted Data scenario. 

    When combined with CWE-77: Command Injection, the issue allows remote code execution with Network Attack Vector (AV:N), Low Attack Complexity (AC:L), No Privileges Required (PR:N), No User Interaction (UI:N), High Scope Impact (S:C), and total loss of Confidentiality (C:H), Integrity (I:H), and Availability (A:H), with a CVSS v3.1 score of 10.0.

    An attacker who can craft a malicious license response that passes signature verification can inject commands via the deserialized object’s methods.

    A crafted serialized payload referencing java.lang.Runtime.exec() could appear as:

    GoAnywhere MFT Platform Vulnerability

    This code snippet illustrates how deserialized objects can be weaponized to execute arbitrary shell commands on the server hosting the GoAnywhere Admin Console.

    | Risk Factors | Details |
    | --- | --- |
    | Affected Products | GoAnywhere MFT |
    | Impact | Remote code execution (RCE) |
    | Exploit Prerequisites | Forged license response signature |
    | CVSS 3.1 Score | 10.0 (Critical) |

    Mitigations

    Fortra stated that successful exploitation is contingent upon the GoAnywhere Admin Console being accessible over the Internet. To mitigate immediate risk, administrators should:

    • Restrict Admin Console access by firewall rules or network ACLs so it is not publicly reachable.
    • Verify that only trusted IP addresses may connect to the GoAnywhere management interface.

    Permanent remediation requires upgrading GoAnywhere MFT to a patched release. Affected customers must update to version 7.8.4 or, if on the Sustain Release branch, version 7.6.3. 

    The updates include validation routines in the License Servlet to enforce class whitelisting and signature checks, eliminating unsafe deserialization. Security teams are urged to prioritize this update immediately, given the exploit’s ease and devastating potential impact.

    The post Critical GoAnywhere MFT Platform Vulnerability Exposes Enterprises to Remote Exploitation appeared first on Cyber Security News.

  • Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition. The workflow we are highlighting streamlines security alert handling by automatically identifying and executing the appropriate Standard

  • UK law enforcement agencies have arrested two individuals linked to the notorious Scattered Spider cybercriminal group. The arrests, announced on Tuesday, pertain to a sophisticated attack on London’s transport systems. Authorities say the suspects infiltrated critical infrastructure networks, demanding ransom payments and causing widespread disruption. Details of the Arrests and Charges On Sept. 16, officers […]

    The post UK Police Arrest Two Scattered Spider Hackers Over London Transport Breach appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
