A critical security flaw has been discovered in Greenshot, a popular open-source screenshot utility for Windows.
The vulnerability allows a local attacker to execute arbitrary code within the Greenshot process, potentially enabling them to bypass security measures and carry out further attacks.
A proof-of-concept (PoC) exploit has been released, demonstrating the severity of the issue. The vulnerability affects Greenshot version 1.3.300, released on August 20, 2025, and all earlier versions.
The flaw has been addressed in the newly released version 1.3.301, and all users are strongly urged to update their software immediately to protect against potential exploitation.
Windows Screenshot Utility Greenshot Vulnerability
The vulnerability lies in the way Greenshot handles inter-process communication. Specifically, it improperly processes data received via the Windows WM_COPYDATA message system.
The application uses BinaryFormatter.Deserialize to process incoming data without first validating its origin or integrity. This oversight means that any local process running with the same user privileges can send a specially crafted message to the Greenshot main window, triggering the vulnerability.
The core of the problem is a logical error in the code’s execution flow. The application deserializes the received data before it checks whether the communication channel is authorized.
Consequently, any malicious code, or “gadget chain,” embedded in the serialized payload executes automatically, regardless of whether the sender is trusted.
This allows an attacker to run their own code under the guise of the legitimate, digitally signed Greenshot application.
The impact of this vulnerability is significant, as it allows for arbitrary code execution within a trusted process. By running malicious payloads inside Greenshot.exe, an attacker can potentially evade application control policies like AppLocker or Windows Defender Application Control (WDAC).
These security systems often work by restricting which executables can run, but they may not monitor the internal behavior of already-trusted applications.
The release of a PoC demonstrates this, showing how a simple payload can launch the Windows Command Prompt (cmd[.]exe) directly from the Greenshot process.
For enterprises, this poses a serious risk. If an attacker gains an initial low-privilege foothold on a workstation, they could leverage the installed Greenshot application to execute code stealthily.
This technique, sometimes referred to as “living inside a trusted app,” can be used for persistence, lateral movement, or as a staging point for more advanced in-process attacks without raising immediate alarms.
No known workarounds exist to mitigate this flaw, making the update to version 1.3.301 the only effective solution.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
In the face of an ever-increasing volume of security alerts, a critical shortage of skilled cybersecurity professionals, and the growing sophistication of cyber threats, Security Operations Centers (SOCs) are often overwhelmed.
This is where Security Orchestration, Automation, and Response (SOAR) tools become a game-changer.
A SOAR platform centralizes security alerts, orchestrates security tools to work together seamlessly, automates repetitive and time-consuming tasks, and enables rapid incident response.
By acting as the connective tissue for an organization’s security stack, SOAR platforms transform reactive security teams into proactive, efficient, and data-driven defenders.
The market for SOAR tools is dynamic and competitive, with vendors offering a wide range of capabilities, from simple, low-code automation to comprehensive, AI-powered incident management.
Choosing the right SOAR platform is a crucial decision that can significantly impact a security team’s efficiency, effectiveness, and overall morale.
This article provides a comprehensive review of the Top 10 Best SOAR tools for 2025, highlighting their unique features, specifications, and ideal use cases to help you make an informed decision.
Why SOAR Is Essential For Modern Security Operations
The need for SOAR is driven by several key challenges in modern cybersecurity:
Alert Fatigue: SOC teams are inundated with thousands of alerts daily, many of which are false positives. SOAR automates the triage and enrichment of these alerts, allowing analysts to focus on real threats.
Tool Sprawl: Security teams often use dozens of disparate tools that don’t communicate with each other. SOAR acts as a central hub, orchestrating these tools to execute a unified response.
Skill Gap: With a shortage of cybersecurity professionals, organizations must find ways to maximize the productivity of their existing teams. SOAR automates manual tasks, freeing up analysts for complex investigations.
Slow Response Times: The longer an attacker is in a network, the more damage they can do. SOAR drastically reduces the Mean Time to Respond (MTTR) to incidents, minimizing the impact of a breach.
The following SOAR platforms are leading the way in helping organizations overcome these challenges and build a more resilient and efficient security posture.
Splunk SOAR is a top choice because it offers one of the most comprehensive and flexible platforms for building security automation workflows.
We chose it for its best-in-class visual playbook editor, which allows teams to build complex automations without extensive coding.
Its ability to integrate with over 700 security tools and platforms makes it a powerful central hub for any security operations team, especially those already heavily invested in the Splunk ecosystem.
Specifications:
Splunk SOAR provides a visual playbook editor for codeless automation, comprehensive case management, and a vast library of app integrations.
Key features include automated playbooks, real-time collaboration with a “war room,” a visual case wall, and performance metrics to measure ROI. It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization is already a Splunk customer or needs a highly flexible and customizable SOAR platform with a strong focus on automation, Splunk SOAR is an excellent choice.
It is ideal for mature SOC teams that want to build complex, multi-step workflows and streamline their incident response processes.
Features:
Visual Playbook Editor: Drag-and-drop interface for building complex workflows without code.
Extensive Integrations: Connects with over 700 security tools, including threat intelligence feeds.
Case Management: Centralized case management for tracking, documenting, and analyzing incidents.
Automation: Automates repetitive tasks like alert triage, enrichment, and containment.
Reporting: Provides dashboards and reports to track key metrics like MTTR and analyst productivity.
Pros:
Highly flexible and customizable.
Deep integration with the Splunk platform.
Powerful visual playbook editor.
Large community and a wealth of resources.
Cons:
Can be complex to set up and manage.
Pricing can be high, especially for small teams.
Best For: Organizations with a mature SOC and an existing investment in Splunk that require a highly customizable and robust automation platform.
Palo Alto Networks Cortex XSOAR is a top contender because it tightly integrates security orchestration with threat intelligence, which is a critical differentiator.
We chose it for its open and extensible platform, which allows security teams to automate and orchestrate across Palo Alto Networks and over 700 third-party products.
The platform’s ability to provide a centralized hub for data visibility and action makes it a powerful tool for any SOC.
Specifications:
Cortex XSOAR provides a visual playbook editor, over 700 integrations, and a marketplace with hundreds of pre-built content packs.
It includes a collaborative “war room,” robust case management, and machine learning capabilities for guided automation and incident classification. It supports both cloud and on-premises deployments.
Reason to Buy:
If your organization needs a SOAR platform that provides a single, unified view of security operations, integrates deeply with threat intelligence, and offers a vast library of pre-built content, Cortex XSOAR is an excellent choice.
It is ideal for teams that want to streamline workflows and improve their incident response with a powerful, all-in-one solution.
Features:
Threat Intelligence Management: Integrates threat intelligence into playbooks for informed, automated responses.
Visual Playbook Editor: Drag-and-drop interface with thousands of automatable actions.
Collaborative War Room: Real-time collaboration for incident response.
Extensive Integrations: Connects with over 700 security and IT tools.
AI Assistance: Provides machine learning-powered guidance and incident classification.
Pros:
Tight integration with threat intelligence.
Wide range of pre-built content packs.
Excellent for centralizing security operations.
Strong support for a variety of use cases.
Cons:
Can be a complex platform to learn.
The full feature set can be expensive.
Best For: Organizations that need a comprehensive SOAR platform that tightly integrates with threat intelligence and offers a robust marketplace of pre-built content.
We chose IBM Security QRadar SOAR because it excels in highly regulated environments where compliance and a structured, auditable incident response process are paramount.
The platform’s dynamic playbooks and detailed audit trails make it a top choice for organizations in finance, healthcare, and critical infrastructure.
Its ability to create a clear record of every step of an incident response, from detection to resolution, provides a high level of accountability and visibility.
Specifications:
QRadar SOAR offers dynamic playbooks that adapt to the incident, comprehensive case management, and a breach response module for managing regulatory requirements.
It provides a visual workflow builder, over 300 integrations, and a dashboard for tracking key performance indicators (KPIs). It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization operates in a highly regulated industry and needs a SOAR platform that provides robust process management, detailed audit trails, and a strong focus on compliance, IBM Security QRadar SOAR is an excellent choice.
It is ideal for teams that need to standardize their incident response processes and ensure they can meet strict regulatory requirements.
Features:
Dynamic Playbooks: Playbooks that adapt to the specific details of an incident.
Breach Response Module: Manages the entire breach response process, including regulatory notifications.
Comprehensive Audit Trails: Provides a detailed, auditable record of every action taken during an incident.
Case Management: Centralized case management with customizable fields and workflows.
Compliance Automation: Automates tasks related to regulatory compliance and reporting.
Pros:
Strong focus on compliance and process management.
Excellent for creating an auditable record of incident response.
Robust case management and collaboration features.
Deep integration with the IBM Security QRadar ecosystem.
Cons:
Can be a more complex and formal solution.
Requires a significant investment.
Best For: Organizations in regulated industries that need a SOAR platform with a strong focus on compliance, process management, and auditable incident response.
We chose Google Security Operations for its ability to provide a cloud-native, AI-powered SOAR solution that leverages Google’s immense scale and threat intelligence.
The platform’s ability to ingest and analyze vast amounts of data quickly, combined with its AI-powered features for case enrichment and playbook creation, makes it a formidable tool for any modern SOC.
Its intuitive user interface and streamlined analyst experience also help reduce the cognitive load on security teams.
Specifications:
Google Security Operations SOAR provides a visual playbook editor, threat-centric case management, and AI-powered investigation assistants.
It integrates with over 300 security and IT tools and provides a built-in “case wall” for team collaboration. Being a cloud-native platform, it offers high scalability and a serverless architecture.
Reason to Buy:
If your organization is a heavy user of Google Cloud and needs a cloud-native SOAR solution that leverages AI and Google’s threat intelligence, Google Security Operations is an excellent choice.
It is ideal for teams that want to streamline their incident response with a powerful, scalable, and easy-to-use platform.
Features:
Cloud-Native Platform: Leverages Google’s infrastructure for speed and scale.
AI-Powered Assistance: AI assistants for case summaries, recommendations, and playbook creation.
Thread-Centric Case Management: Streamlined incident investigation and response.
Visual Playbook Editor: Intuitive, low-code interface for building automations.
Integration: Connects with over 300 security and IT tools.
Pros:
Excellent scalability and performance.
Powerful AI and machine learning capabilities.
Intuitive and easy-to-use interface.
Deep integration with Google’s security ecosystem.
Cons:
Only available as a cloud-native solution.
Can be a significant investment.
Best For: Cloud-native organizations, especially those using Google Cloud, that need a scalable, AI-powered SOAR solution with an intuitive interface.
We chose Microsoft Sentinel because it provides a highly integrated and cost-effective SOAR solution for organizations that are already using Microsoft Azure and Microsoft 365.
The platform’s tight integration with Azure Logic Apps for playbook creation and its ability to ingest data from across the Microsoft ecosystem make it a powerful and efficient tool for security teams.
Its cloud-native architecture also provides excellent scalability and a pay-as-you-go pricing model.
Specifications:
Microsoft Sentinel’s SOAR capabilities are powered by Azure Logic Apps, which provide a visual playbook editor.
It offers automated incident handling, a wide range of connectors for third-party tools, and a centralized hub for data collection and analysis.
Being a cloud-native platform, it provides excellent scalability and a pay-as-you-go pricing model.
Reason to Buy:
If your organization is a Microsoft-centric environment, Microsoft Sentinel is an excellent choice for a SOAR solution.
It provides seamless integration with your existing tools, a familiar interface, and a cost-effective way to automate your security operations.
It is ideal for teams that want to streamline their incident response and improve their security posture within the Microsoft ecosystem.
Features:
Cloud-Native SIEM/SOAR: Scalable, cloud-native solution with both SIEM and SOAR capabilities.
Azure Logic Apps: Powers playbooks with a visual, no-code/low-code interface.
Extensive Integrations: Connects with a wide range of Microsoft and third-party tools.
Automated Incident Handling: Automatically triggers playbooks based on predefined criteria.
Centralized Data: Ingests data from across the Microsoft ecosystem for a unified view.
Pros:
Cost-effective for Microsoft-centric organizations.
Deep integration with Microsoft’s product suite.
Excellent scalability and a pay-as-you-go model.
Familiar interface for Microsoft users.
Cons:
Less comprehensive for non-Microsoft environments.
The full feature set may require expertise in Azure Logic Apps.
Best For: Organizations with a Microsoft-centric environment that need a cost-effective and highly integrated SIEM and SOAR solution.
ServiceNow Security Operations is a unique SOAR solution because it is built on the ServiceNow platform, which is widely used for IT service management.
We chose it for its ability to automate the entire security incident lifecycle, from detection to resolution, by leveraging the IT workflows and a shared configuration management database (CMDB).
This integration is crucial for organizations that want to break down silos between their security and IT teams and improve collaboration.
Specifications:
ServiceNow SecOps offers security incident response, vulnerability response, threat intelligence, and a SOAR module.
It provides a visual workflow builder, a centralized dashboard for tracking incidents, and a robust CMDB for asset management. It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization is already a ServiceNow customer and needs to align its security operations with its IT service management processes, ServiceNow Security Operations is an excellent choice.
It is ideal for teams that want to automate tasks like patching and configuration changes and improve communication and collaboration between security and IT.
Features:
IT/Security Integration: Aligns security incident response with IT workflows.
Vulnerability Response: Prioritizes and automates the remediation of vulnerabilities.
Case Management: Centralized case management with a focus on collaboration and task assignment.
Workflow Automation: Automates repetitive tasks across security and IT teams.
CMDB Integration: Leverages the CMDB to prioritize incidents based on business impact.
Pros:
Deep integration with the ServiceNow platform.
Excellent for breaking down silos between security and IT.
Provides a holistic view of security and IT incidents.
Improves collaboration and communication.
Cons:
Primarily for existing ServiceNow customers.
Can be a complex solution to implement fully.
Best For: Organizations that are already using ServiceNow and need to bridge the gap between their security and IT operations.
We chose Sumo Logic Cloud SOAR for its focus on a cloud-native, AI-powered approach to SOAR.
The platform’s ability to leverage machine learning to distinguish real threats from false positives is a significant advantage for security teams struggling with alert fatigue.
Its “War Room” collaboration feature and open integrations framework also make it a powerful tool for a modern, distributed SOC.
Specifications:
Sumo Logic Cloud SOAR offers an open integrations framework, a visual playbook editor, and a “War Room” for real-time collaboration.
It provides a machine learning-powered engine for threat qualification and a customizable dashboard for tracking performance metrics. As a cloud-native solution, it offers high scalability.
Reason to Buy:
If your organization needs a cloud-native SOAR platform that provides powerful machine learning capabilities for threat qualification and a strong focus on team collaboration, Sumo Logic Cloud SOAR is an excellent choice.
It is ideal for teams that want to reduce alert fatigue and improve their incident response time with a modern, scalable solution.
Features:
Cloud-Native Platform: A highly scalable, cloud-native SOAR solution.
Machine Learning: Distinguishes real threats from false positives to reduce alert fatigue.
Collaborative War Room: Provides a centralized hub for team collaboration.
Visual Playbook Editor: Intuitive, drag-and-drop interface for building automations.
Open Integrations Framework: Connects with a wide range of security tools.
Pros:
Strong focus on machine learning and AI.
Excellent for reducing alert fatigue.
Provides a robust platform for team collaboration.
Highly scalable and easy to deploy.
Cons:
Not available for on-premises deployment.
May be a less known brand compared to competitors.
Best For: Organizations that need a cloud-native SOAR platform with a strong focus on machine learning and team collaboration.
We chose Tines because it is a best-of-breed security automation platform that simplifies the process of getting security tools to communicate with each other.
Its unique, low-code/no-code interface and seven core “agent types” make it incredibly easy for security professionals to build powerful workflows in minutes, not days.
Its ability to solve complex automation challenges with minimal effort makes it an excellent choice for teams that want to start automating quickly without a steep learning curve.
Specifications:
Tines provides a visual “Story” builder with a low-code/no-code interface. It offers over 1,000 integrations with various security and IT tools and a flexible, agent-based architecture.
It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization’s primary goal is to automate repetitive security tasks and streamline workflows, Tines is an excellent choice.
It is ideal for teams that need to quickly build and deploy automations for a wide range of use cases, from phishing email triage to endpoint containment.
Features:
Low-Code/No-Code Interface: Visual builder that allows for rapid automation development.
Seven Core Agents: Simplifies automation with a small, powerful set of components.
Extensive Integrations: Connects with over 1,000 security and IT tools.
Story-Based Workflows: Workflows that can be built and deployed in minutes.
Agent-Based Architecture: Flexible and scalable architecture.
Pros:
Incredibly easy and fast to use.
Excellent for building quick automations.
Very flexible and can solve a wide range of problems.
Large number of integrations.
Cons:
Lacks traditional case management.
Requires a different approach than a traditional SOAR platform.
Best For: Security teams that need a powerful, low-code/no-code platform to build and deploy security automations quickly.
Swimlane is a top choice because it goes beyond traditional SOAR by focusing on a holistic approach to security automation.
We chose it for its ability to automate a wide range of workflows, from security incident response to IT operations and HR-related tasks.
The platform’s commitment to empowering security professionals and its flexible, codeless automation platform make it a powerful tool for a modern, high-performing SOC.
Specifications:
Swimlane offers a visual playbook builder, comprehensive case management, and a wide range of integrations.
It provides a centralized dashboard for tracking incidents and a low-code interface for building automations. It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization needs a SOAR platform that can automate a wide range of workflows and is designed to improve the efficiency and well-being of your security team, Swimlane is an excellent choice.
It is ideal for teams that want to go beyond simple incident response automation and streamline their entire security operations.
Features:
Holistic Automation: Automates a wide range of workflows, including security, IT, and HR.
Visual Playbook Builder: Drag-and-drop interface for codeless automation.
Comprehensive Case Management: Centralized case management with a focus on collaboration.
Extensive Integrations: Connects with over 500 security and IT tools.
Metrics and Reporting: Provides dashboards and reports to track key metrics.
Pros:
Automates a wide range of workflows beyond security.
Strong focus on improving team efficiency.
Flexible and scalable platform.
Good case management and collaboration features.
Cons:
May be more than what some organizations need.
The focus on a wide range of workflows may make it less specialized.
Best For: Organizations that want to automate a wide range of security and IT workflows to improve the overall efficiency and morale of their security team.
We chose FortiSOAR because it provides a seamless and integrated SOAR solution for organizations that are already using Fortinet products.
The platform’s ability to leverage the Fortinet Security Fabric for a unified view of security, combined with its robust automation capabilities, makes it a powerful tool for a modern SOC.
Its visual playbook editor and comprehensive case management also make it a strong standalone solution.
Specifications:
FortiSOAR offers a visual playbook designer, comprehensive case management, and over 300 integrations with security and IT tools.
It provides a dashboard for tracking key metrics and a wide range of pre-built playbooks. It can be deployed both on-premises and in the cloud.
Reason to Buy:
If your organization is a Fortinet customer and needs a SOAR platform that integrates deeply with your existing security infrastructure, FortiSOAR is an excellent choice.
It is ideal for teams that want to streamline their incident response and improve their security posture within the Fortinet ecosystem.
Features:
Fortinet Security Fabric Integration: Tightly integrated with the Fortinet ecosystem.
Visual Playbook Designer: Drag-and-drop interface for building automations.
Comprehensive Case Management: Centralized case management with a focus on collaboration.
Extensive Integrations: Connects with over 300 security and IT tools.
Threat Intelligence: Integrates with FortiGuard Labs for threat intelligence.
Pros:
Excellent integration with the Fortinet ecosystem.
Robust automation and case management features.
Good for standardizing incident response processes.
Provides a unified view of security.
Cons:
Less comprehensive for non-Fortinet environments.
Can be more expensive.
Best For: Organizations with a Fortinet-centric environment that need a highly integrated and robust SOAR solution.
In 2025, a modern and effective SOC is one that has embraced the principles of security orchestration, automation, and response.
The SOAR tools reviewed in this article represent the best in the industry, each with unique strengths and a clear value proposition.
Whether you need a highly customizable platform like Splunk SOAR, a comprehensive solution with integrated threat intelligence like Palo Alto Networks Cortex XSOAR, or a low-code automation engine like Tines, the right tool for your organization is on this list.
By carefully evaluating your team’s needs, budget, and existing technology stack, you can select a SOAR platform that will not only improve your security posture but also empower your security team to do more with less.
A critical vulnerability has been discovered in WatchGuard’s Firebox firewalls, which could allow a remote, unauthenticated attacker to execute arbitrary code on affected devices.
The flaw, tracked as CVE-2025-9242, has been assigned a critical severity rating with a CVSS score of 9.3 out of 10. WatchGuard disclosed the issue in an advisory, WGSA-2025-00015, released on September 17, 2025, and has already provided patches to resolve the vulnerability.
The vulnerability is an out-of-bounds write issue within the iked process of WatchGuard’s Fireware OS. This process is responsible for handling Internet Key Exchange (IKE), a protocol used to set up secure VPN connections.
An attacker can exploit this flaw without needing any authentication, sending specially crafted data to a vulnerable device.
Successful exploitation allows the threat actor to execute arbitrary code, potentially leading to a complete compromise of the firewall, allowing them to intercept network traffic, pivot to internal networks, or disrupt security operations.
The critical nature of this flaw is reflected in its high CVSS 4.0 score, which indicates a high impact on confidentiality, integrity, and availability.
Affected Configurations and Versions
The vulnerability specifically affects Firebox devices running certain versions of Fireware OS when configured with specific VPN setups. The primary affected configurations are the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 with a dynamic gateway peer.
The advisory also warns of a specific edge case: a Firebox may remain vulnerable if it was previously configured with one of these vulnerable VPN types, even if those configurations have since been deleted, as long as a branch office VPN to a static gateway peer is still active.
The affected Fireware OS versions include 11.10.2 up to 11.12.4_Update1, versions 12.0 up to 12.11.3, and the recent 2025.1 release.
WatchGuard has released patched versions of Fireware OS to address CVE-2025-9242. Administrators are strongly urged to upgrade their devices to the appropriate resolved version as soon as possible.
The recommended versions are 2025.1.1, 12.11.4, 12.5.13 (for T15 & T35 models), and 12.3.1_Update3 for the FIPS-certified release. For organizations that cannot immediately apply the updates, a temporary workaround is available.
This involves implementing WatchGuard’s security best practices for securing branch office VPNs that use IPSec and IKEv2, specifically when configured with static gateway peers. However, applying the official patches is the most effective way to mitigate the risk posed by this critical vulnerability fully.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
In recent weeks, cybersecurity researchers have observed the emergence of XillenStealer, a Python-based information stealer publicly hosted on GitHub and rapidly adopted by threat actors.
First reported in mid-September 2025, the stealer leverages a user-friendly builder GUI to lower the bar for malicious deployment.
Operators can configure exfiltration channels, such as a Telegram bot, and enable modules targeting browsers, cryptocurrency wallets, gaming applications, and messaging platforms.
Delivered as a PyInstaller-packaged executable or run directly with Python, XillenStealer has quickly become a commodity tool in underground markets, underscoring the ongoing professionalization of cybercrime.
Following its initial appearance, Cyfirma analysts noted that the builder interface (builder.py) is protected by a SHA-256 password hash, granting access only to authorized operators.
This design choice not only streamlines stealer customization but also embeds basic access control to prevent casual misuse.
The stealer’s modular architecture allows operators to toggle specific data harvesting capabilities, such as browser cookies, login credentials, system profiling, and screenshot capture.
By integrating native Windows APIs and Python libraries like psutil, browser-cookie3, and pyTelegramBotAPI, XillenStealer assembles a comprehensive snapshot of the compromised host before packaging data for exfiltration.
Upon execution, XillenStealer performs extensive reconnaissance to fingerprint the environment.
It invokes functions such as checkvmsandbox() to detect virtualization or sandbox environments through MAC address prefixes and known process names, invoking the Windows API IsDebuggerPresent to thwart analysis.
Systems that pass these checks proceed to data collection routines, including getbrowserdata(), which decrypts stored credentials from Chromium-based browsers, and getwallets(), which locates and exfiltrates cryptocurrency wallet files.
Once data is consolidated into reports (both HTML and plain text), the stealer segments large archives and uploads them to the attacker’s Telegram chat using the configured bot token.
Infection Mechanism Deep Dive
XillenStealer’s infection mechanism hinges on its integrated builder and persistence setup.
Operators use the GUI to compile malicious payloads into standalone executables via PyInstaller and UPX compression.
XillenStealer (Source – Cyfirma)
After initial execution, the stealer invokes the installpersistence() function to ensure survival across reboots:-
This persistence mechanism ensures that the stealer automatically executes at every user logon, reinforcing stealth by masquerading as a benign maintenance task.
By combining builder-driven payload creation with robust persistence tactics, XillenStealer maintains long-term presence on compromised systems and continues to siphon valuable data until eradicated.
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
Since early 2025, cybersecurity analysts have witnessed a marked evolution in the tactics and tooling of MuddyWater, the Iranian state-sponsored Advanced Persistent Threat (APT) group. Historically known for broad Remote Monitoring and Management (RMM) campaigns, MuddyWater has pivoted to highly targeted spearphishing operations and bespoke backdoors. This shift underscores the group’s growing sophistication and its […]
A new report from Entro Labs reveals that one in five exposed secrets in large organizations can be traced back to SharePoint. Rather than a flaw in SharePoint itself, the real culprit is a simple convenience feature: OneDrive’s default auto-sync. When OneDrive silently backs up key folders like Desktop and Documents to SharePoint Online, it […]
Microsoft is set to roll out a new feature for its Teams platform called the Network Strength Indicator, designed to provide users with greater clarity on call quality and disruptions during meetings.
The update seeks to clarify technical issues by showing real-time network performance for all participants, which helps to minimize interruptions and enhance the overall meeting experience.
The feature is scheduled for a phased release. A targeted rollout will begin in mid-November 2025 and is expected to be completed by the end of the month.
Following this, the general availability for all users, including Worldwide and GCC customers, will commence in early December 2025, with completion anticipated by mid-December 2025.
Understanding Connectivity Issues
The core of the new feature is a simple, intuitive visual system that rates each user’s network connection. A three-bar icon will indicate network quality: three bars for a “Good” connection, two for “Poor,” and one for “Bad.”
This indicator will be visible to users, allowing them to quickly diagnose if their own network is causing issues like lagging video or choppy audio.
When Teams detects a poor or bad connection, it will proactively suggest actions to help conserve bandwidth and stabilize the call. For example, users might be prompted to turn off their camera or disable incoming video streams to reduce the load on their network.
This empowers users to take immediate steps to improve their meeting experience without having to guess the cause of the problem.
A key benefit of the Network Strength Indicator is its transparency across all participants in a meeting. Users will not only see their own connection status but will also be able to see when others are experiencing poor or bad network conditions.
This shared context is crucial for smoother collaboration, as it clarifies why a participant might have suddenly frozen or dropped off the call.
Instead of assuming a participant is disengaged or has left unexpectedly, team members will have a clear, visual cue indicating a technical difficulty.
This helps prevent misunderstandings and allows teams to adapt accordingly, perhaps by pausing the conversation or switching to audio-only until the affected user’s connection stabilizes.
The feature provides real-time feedback, such as “Connection is unstable” with suggestions like moving closer to the router, or “Connection restored” when the issue is resolved.
By providing actionable insights and clear visual indicators, the Network Strength Indicator is poised to make virtual meetings on Microsoft Teams more efficient and less frustrating.
The feature addresses a common pain point in remote collaboration by replacing ambiguity with clear, actionable information. As organizations increasingly rely on video conferencing for daily operations, this update offers a practical tool for managing the technical variables that can impact productivity.
The upcoming rollout will equip users with the tools they need to better understand and manage their connectivity, leading to more seamless and effective virtual interactions.
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
A sophisticated cyberthreat campaign has emerged that represents a significant evolution in social engineering attacks, introducing the first real-world implementation of FileFix attack methodology beyond proof-of-concept demonstrations.
This advanced threat leverages steganography techniques to conceal malicious payloads within seemingly innocent JPG images, ultimately delivering the StealC information stealer to compromised systems.
The attack campaign represents a notable departure from traditional ClickFix methodologies, utilizing file upload functionality in HTML to trick victims into executing malicious PowerShell commands through Windows File Explorer address bars.
Unlike conventional approaches that rely on terminal access, this FileFix variant targets the more universally accessible file upload interface, potentially expanding the attack surface to users who may never have opened command-line interfaces.
A typical ClickFix attack may ask the victim to run malicious code for the attacker (Source – Acronis)
The threat actors behind this campaign have invested considerable resources in developing a multilingual phishing infrastructure that mimics Facebook security pages across 16 languages, including Arabic, Russian, Hindi, Japanese, Polish, German, Spanish, French, Malay, and Urdu.
The sophisticated social engineering pretext warns victims of imminent account suspension, urging them to access a purported incident report through a fabricated file path that serves as the attack vector.
The phishing site mimics the look of a Meta Help Support page (Source – Acronis)
Acronis researchers identified this campaign as the first sophisticated implementation of FileFix methodology that significantly deviates from the original proof-of-concept developed by researcher Mr. d0x in July 2025.
The attack demonstrates remarkable technical sophistication, incorporating multiple layers of obfuscation, anti-analysis mechanisms, and a complex multistage payload delivery system that sets new standards for evasion techniques in this category of threats.
The campaign’s global reach is evidenced by VirusTotal submissions from multiple countries including the United States, Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Serbia, Peru, China, and Germany, suggesting a coordinated international targeting strategy designed to maximize victim exposure across diverse geographic regions.
Steganographic Payload Concealment and Multi-Stage Execution
The attack’s most innovative aspect lies in its sophisticated use of steganography to embed both second-stage PowerShell scripts and encrypted executable payloads within artificially generated landscape images featuring pastoral scenes.
These JPG files, hosted on legitimate platforms like BitBucket, contain malicious code at specific byte indices that are extracted and executed through a carefully orchestrated process.
The initial PowerShell payload employs extensive obfuscation techniques, fragmenting commands into variables and utilizing Base64 encoding to evade pattern-based detection systems.
The command structure demonstrates advanced evasion capabilities:-
PowerShell -noP -W H -ep Bypass -C "$if=[System.IO.File];$ifr=$if::ReadAllBytes;$ifw=$if::WriteAllBytes;$e=[System.Text.Encoding]::UTF8..."
Once executed, the payload downloads the steganographic image to the victim’s temporary directory and extracts the embedded second-stage script from predetermined byte ranges within the file structure.
This secondary script implements RC4 decryption and gzip decompression functions to process the concealed executable payload, which ultimately deploys a Go-based loader equipped with virtual machine detection capabilities and string encryption mechanisms.
The final payload delivers StealC malware, a comprehensive information stealer targeting browser credentials, cryptocurrency wallets, messaging applications, gaming platforms, VPN configurations, and cloud service credentials across popular applications including Chrome, Firefox, Telegram, Discord, various cryptocurrency wallets, and AWS/Azure authentication keys, establishing persistent access for ongoing data exfiltration operations.
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
Tech Note – BeaverTail variant distributed via malicious repositories and ClickFix lure17 September 2025 – Oliver Smith, GitLab Threat Intelligence We have identified infrastructure distributing BeaverTail and InvisibleFerret malware since at least May 2025, operated by North Korean actors tracked as Contagious Interview and Famous Chollima. The campaign uses ClickFix lures to target marketing and […]
Quantum computing and AI working together will bring incredible opportunities. Together, the technologies will help us extend innovation further and faster than ever before. But, imagine the flip side, waking up to news that hackers have used a quantum computer to crack your company’s encryption overnight, exposing your most sensitive data, rendering much of it untrustworthy.
And with your
Yes
No
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)