• A sophisticated cryptojacking campaign that hijacks Windows’ native Character Map utility (“charmap.exe”) to evade Windows Defender and covertly mine cryptocurrency on compromised machines. First detected in late August 2025, this attack exploits legitimate system binaries to load a custom cryptomining payload directly into memory, thwarting traditional antivirus signatures and curtailing forensic artifacts. Security researchers have […]

    The post New Malware Exploits Windows Character Map to Evade Defender and Mine Crypto appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security teams began observing a novel botnet strain slipping beneath the radar of standard Windows Defender defenses in early August 2025.

    Dubbed NightshadeC2, this malware family leverages both C and Python-based payloads to establish persistent, remote-control access on compromised hosts.

    Initial infection chains often start with customized “ClickFix” landing pages that trick users into executing commands via the Windows Run prompt, while secondary campaigns employ trojanized installers of popular utilities such as Advanced IP Scanner, CCleaner, and various VPN clients.

    Once executed, NightshadeC2 rapidly escalates privileges, disables or excludes its components from Defender scans, and calls home to a dynamic command and control infrastructure.

    As the campaign unfolded, eSentire analysts identified a distinctive loader component responsible for delivering the final payload.

    This .NET-based loader executes in a tight loop, spawning PowerShell processes designed to add Defender exclusions for NightshadeC2 before allowing the payload to run.

    Should Defender service checks fail or the user decline elevation, the loader repeats its prompts ad nauseam—a technique the researchers have termed “UAC Prompt Bombing.”

    Booking[.]com themed ClickFix attack (Source – eSentire)

    The relentless barrage of elevation requests not only frustrates malware sandbox environments but also coerces real users into granting the necessary permissions to proceed.

    Upon securing Defender exclusions, the loader writes persistence entries into three separate registry locations—Winlogon, RunOnce, and Active Setup—to guarantee execution at system startup.

    It then downloads and decrypts the core C variant over TCP ports typically reserved for web traffic (80 and 443) or high-numbered ports (7777, 33336, 33337).

    The malware immediately collects victim system details via public geo-IP lookup services and registry queries to form a unique fingerprint, before negotiating an RC4-encrypted session key with its C2.

    Through this clandestine channel, operators can issue an array of commands—ranging from reverse shell initiation to payload downloads, screen captures, and automated keylogging.

    UAC Prompt Bombing: Bypassing Defender via Relentless Elevation Loops

    Central to NightshadeC2’s stealth is its UAC Prompt Bombing routine. After loading the .NET module, the loader constructs a PowerShell command to add its as-yet-unwritten payload to Defender’s exclusion list:

    while ($exitCode -ne 0) {
        Start-Process powershell -ArgumentList '-Command "Add-MpPreference -ExclusionPath C:\Windows\Temp\payload.exe"' -Wait
        $exitCode = $LastExitCode
    }

    The second-stage PowerShell loader shows how the exclusion command is concatenated.

    Second stage PowerShell loader (Source – eSentire)

    When Defender is disabled or non-responsive, the exit code remains nonzero, trapping sandbox analyses in an infinite loop.

    This forced repetition of UAC dialogs effectively breaks automated defenses.

    Evasion loop in a malware sandbox

    ‘Show details’ of UAC prompt (Source – eSentire)

    Once a user finally approves the elevation or the service status changes, the loop breaks, and the final payload is delivered.

    By leveraging this simple yet powerful mechanism, NightshadeC2 evades both automated and manual inspection, allowing its operators to perform credential theft from major browsers, establish hidden web browsers on victim desktops, and maintain long-term persistence across targeted networks.
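    The following is an added example, not code from the original article or from eSentire's research, showing how a defender could spot the two behaviours described above in process-creation telemetry: a PowerShell command line that adds a Defender exclusion (or disables a Defender feature), and a burst of UAC consent prompts (consent.exe launches) inside a short window. The record layout, paths, timestamps and the burst threshold are assumptions constructed for the demonstration; in real telemetry the same fields come from Sysmon Event ID 1 or Windows Event 4688.

```python
import re
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CONSENT = r"C:\Windows\System32\consent.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed process-creation records (field names, paths and times are
# assumptions for the demonstration, not telemetry from the campaign).
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T09:00:00", "image": PS, "parent": r"C:\Users\Public\loader.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Windows\Temp\payload.exe"'},
    # five elevation prompts within half a minute: the loop re-issuing its request
    *[{"ts": f"2025-08-12T09:00:{2 + 8 * i:02d}", "image": CONSENT, "parent": SVCHOST,
       "cmdline": "consent.exe"} for i in range(5)],
    # one prompt hours later: an ordinary administrative action
    {"ts": "2025-08-12T13:42:10", "image": CONSENT, "parent": SVCHOST, "cmdline": "consent.exe"},
    # a read-only query of the current Defender preferences: not tampering
    {"ts": "2025-08-12T13:42:30", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-MpPreference"},
]

# Command lines that change what Defender will scan, or whether it scans at all.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)"
    r"|Set-MpPreference\b.*?-Disable\w+",
    re.IGNORECASE,
)


def find_defender_tampering(events):
    """Return the records whose command line adds an exclusion or disables a Defender feature."""
    return [e for e in events if DEFENDER_TAMPER.search(e.get("cmdline", ""))]


def find_uac_prompt_bursts(events, threshold=3, window_seconds=60):
    """Group consent.exe launches that fall within `window_seconds` of the first
    launch in the group and return (start time, count) for every group at or
    above `threshold`. A lone prompt never triggers; a loop of them does."""
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events
                   if e["image"].lower().endswith(r"\consent.exe"))
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i].isoformat(), j - i + 1))
        i = j + 1
    return bursts


if __name__ == "__main__":
    for hit in find_defender_tampering(SAMPLE_EVENTS):
        print("defender tampering:", hit["parent"], "->", hit["cmdline"])
    for start, count in find_uac_prompt_bursts(SAMPLE_EVENTS):
        print(f"UAC prompt burst: {count} prompts starting {start}")
```

    The exclusion check is the high-confidence signal: legitimate administration rarely adds an exclusion for a file under a temporary directory, and the parent process (here a user-writable loader rather than an admin console) sharpens it further. The prompt-burst check is a behavioural signal and needs tuning per estate; the threshold and window above are starting points, not measured values.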

    The post New NightshadeC2 Botnet Uses ‘UAC Prompt Bombing’ to Bypass Windows Defender Protections appeared first on Cyber Security News.

  • A sophisticated North Korean cyber operation has been exposed, revealing how state-sponsored hackers systematically monitor cybersecurity intelligence platforms to detect when their malicious infrastructure is discovered and rapidly deploy replacement assets to maintain operations. The analysis, conducted by SentinelLABS in collaboration with Validin, provides unprecedented insight into the operational practices of threat actors behind the […]

    The post North Korean Hackers Expose Their Playbook for Swapping Infrastructure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybercriminals are increasingly exploiting the trust organizations place in artificial intelligence platforms to conduct sophisticated phishing attacks, according to a new report from cybersecurity firm Cato Networks.

    The company’s Managed Detection and Response (MDR) service recently uncovered a campaign where threat actors leveraged Simplified AI, a popular marketing platform, to steal Microsoft 365 credentials from US-based organizations.

    The attack, discovered in July 2025, successfully compromised at least one US investment firm before being detected and contained.

    While the campaign is no longer active, security experts warn it represents a dangerous evolution in cybercrime tactics that could affect organizations across all industries.

    Weaponizing Trusted AI Platforms

    “Threat actors are no longer relying on suspicious servers or cheap lookalike domains,” the Cato Networks report states.

    “Instead, they abuse the reputation and infrastructure of trusted AI platforms that employees already rely on, allowing them to bypass defenses and slip into organizations under the cover of legitimacy.”


    The sophisticated attack began with emails impersonating executives from a global pharmaceutical distributor, complete with authentic company logos and executive names verified through LinkedIn.

    The emails contained password-protected PDF attachments designed to evade automated security scanners that cannot inspect encrypted files.

    The phishing campaign employed a multi-layered approach that exploited both social engineering and technical evasion tactics:

    1. Initial Contact: Victims received emails appearing to be from pharmaceutical company executives, with passwords for attached PDFs conveniently included in the message body.
    2. PDF Lure: The documents displayed legitimate company branding and contained links directing users to Simplified AI’s platform at app.simplified.com.
    3. Trusted Redirect: Users were taken to what appeared to be a legitimate Simplified AI page, displaying the impersonated company’s name alongside Microsoft 365 imagery.
    4. Credential Harvest: The final step redirected victims to a convincing fake Microsoft 365 login portal designed to steal enterprise credentials.
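    An added example, not from the Cato Networks report or the original article, of the kind of check a mail gateway or SOC script could apply to the lure described in steps 1 and 2: it parses a message, detects a PDF attachment whose trailer carries an /Encrypt entry (the file is password-protected and therefore opaque to a scanner), and flags the combination with a password handed over in the message body. The sender and recipient addresses, subject, password and PDF skeleton are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed lure in the shape the report describes: an 'executive' sender,
    a password-protected PDF, and the password written into the body."""
    msg = EmailMessage()
    msg["From"] = "ceo@example-pharma.test"          # placeholder sender
    msg["To"] = "analyst@example-investment.test"    # placeholder recipient
    msg["Subject"] = "Updated distribution agreement"
    msg.set_content("Please review the attached agreement. The document password is Secure2025.")
    # Minimal PDF skeleton whose trailer carries an /Encrypt entry. It is not a
    # valid document, only enough structure for the check below.
    pdf = (b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n"
           b"trailer<</Root 1 0 R /Encrypt 2 0 R>>\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="agreement.pdf")
    return msg.as_bytes()


# "password is X", "password: X" and similar phrasings in the body text.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


def pdf_is_encrypted(data: bytes) -> bool:
    """A password-protected PDF declares an /Encrypt dictionary in its trailer."""
    return b"/Encrypt" in data


def assess_message(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    encrypted = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True) or b""
        if pdf_is_encrypted(data):
            encrypted.append(part.get_filename() or "<unnamed>")
    if encrypted:
        findings.append("encrypted PDF attachment: " + ", ".join(encrypted))
        if PASSWORD_HINT.search(body_text):
            findings.append("attachment password supplied in message body")
    return findings


if __name__ == "__main__":
    for finding in assess_message(build_sample()):
        print("-", finding)
```

    Neither signal alone is conclusive, since encrypted PDFs have legitimate uses, but a password delivered in the same message defeats the only reason to encrypt the file, which is why the combination is worth routing to a sandbox that can open the attachment with the supplied password rather than letting it through unscanned.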

    The attack highlights how cybercriminals are adapting to the rapid adoption of AI tools in corporate environments.

    AI marketing platforms like Simplified AI have become commonplace in enterprises, with IT departments routinely whitelisting their domains and allowing employee access.

    Sample malicious document

    “For CISOs and IT leaders, approving such services often seems straightforward: allow access, whitelist the domain, and enable the marketing team to innovate,” the report notes.

    “But what if the very same platform is leveraged by threat actors to steal from you?”

    This incident reflects broader concerns about “shadow AI” usage in enterprises, where employees increasingly rely on AI tools without proper security oversight.

    The attackers’ use of established platforms makes detection significantly more challenging for traditional security measures.

    Mitigations

    Security experts recommend several protective measures:

    • Implementing multi-factor authentication on all critical services
    • Training employees to carefully handle password-protected attachments
    • Monitoring all AI platform usage, including unauthorized applications
    • Maintaining continuous inspection of AI traffic rather than implicitly trusting it
    • Deploying advanced threat detection capabilities that can identify suspicious behavior patterns

    The attack serves as a wake-up call for organizations to reassess their approach to AI platform security, treating AI traffic with the same scrutiny applied to unknown domains while balancing security needs with business innovation requirements.

    The post Hackers Use AI Platforms to Steal Microsoft 365 Credentials in Phishing Campaign appeared first on Cyber Security News.

  • A new technique allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches.

    A report from Workday’s Offensive Security team explains how, by reading data directly from a computer’s raw disk, a malicious actor can sidestep Endpoint Detection and Response (EDR) solutions, file permissions, and other critical protections to steal credential files.

    The method avoids standard file-access procedures that are typically monitored by security software. Instead of opening a file by name, the attack involves communicating directly with low-level disk drivers.

    An attacker with administrator rights can use built-in Windows drivers, or a user with fewer privileges could exploit a vulnerable third-party driver, to request raw data from a specific location on the physical disk.

    This approach is particularly stealthy because the attack never requests a sensitive file like the SAM hive by name. Instead, it asks for the data at a particular sector address.

    Raw disk read request

    This means many security systems, which look for malicious file access by name, are blind to the activity. The EDR solution might see a request to “read sector 12345” instead of an alert-worthy attempt to “open the system’s password file.”

    This allows the technique to evade file access controls, exclusive file locks, and even advanced defenses like Virtualization-Based Security (VBS). Furthermore, it leaves no trace in the default system logs.

    How the Attack Works

    After an attacker obtains the raw disk data, they must parse it to reconstruct the target file.

    This process involves interpreting the NTFS file system structure, starting from the Master Boot Record to find the disk partition, then locating the Master File Table (MFT), which serves as a directory for the entire volume.

    By reading the MFT, the attacker can pinpoint the exact physical location of any file’s data, read it in clusters, and reassemble it—all without ever officially “opening” the file through the operating system.

    The Workday team demonstrated this attack by leveraging a vulnerability (assigned CVE-2025-50892) in a driver that improperly exposed this raw read capability.

    However, they emphasize that any user with administrative privileges can perform this attack without needing a vulnerable driver, making it a relevant threat in many corporate environments.

    Protecting against such a low-level attack is challenging, as it bypasses security layers that many organizations depend on. The researchers recommend a “defense in depth” strategy incorporating several measures:

    • Full Disk Encryption: Using tools like BitLocker makes the raw data on the disk unreadable without the encryption key, significantly hampering this attack.
    • Restrict Privileges: Limiting administrative access makes it harder for attackers to interact directly with disk drivers or install new malicious ones.
    • Monitor for Raw Access: Advanced monitoring with tools like Microsoft’s Sysmon can be configured to detect raw disk read events (Event ID 9), though this may require careful filtering to manage alerts.
    • Driver Vetting: Organizations should actively monitor for the installation of unsigned or known-vulnerable drivers using resources like Microsoft’s recommended driver blocklist.
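    The “Monitor for Raw Access” recommendation above is the one a SOC can act on immediately, so here is an added example, not code from the Workday research or the original article, that reads exported Sysmon events, keeps the Event ID 9 (RawAccessRead) records, and drops those from an allowlist of images expected to read volumes below the file system. The allowlist entries, hostnames, users, process ids and paths are assumptions constructed for the demonstration; only the event layout and field names follow Sysmon's exported XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Images that legitimately read volumes below the file system (backup, defrag,
# imaging agents). The allowlist is site-specific; these two entries are
# assumptions for the demonstration, not a recommended production list.
KNOWN_RAW_READERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\defrag.exe",
}

# Constructed records in the exported event-log XML layout: one Event ID 1 that
# the parser must skip and two Event ID 9 (RawAccessRead) entries. Hostnames,
# users, process ids and paths are placeholders.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2025-09-04 10:14:58.004</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\diskview.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID><Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2025-09-04 10:15:01.120</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\diskview.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
    <Data Name="User">EXAMPLE\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID><Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2025-09-04 10:20:44.310</Data>
    <Data Name="ProcessId">1288</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
</Events>
"""


def parse_raw_access_events(xml_text):
    """Return the EventData fields of every Event ID 9 record as a dict."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "9":
            continue
        records.append({d.get("Name"): (d.text or "")
                        for d in ev.findall("e:EventData/e:Data", NS)})
    return records


def triage(records):
    """Keep raw reads whose image is not on the allowlist. The Device field names
    the volume or physical-drive object that was opened, which is what separates
    a sector-level read from an ordinary file open by name."""
    alerts = []
    for r in records:
        image = r.get("Image", "")
        if image.lower() in KNOWN_RAW_READERS:
            continue
        alerts.append({"time": r.get("UtcTime"), "image": image,
                       "device": r.get("Device"), "user": r.get("User")})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_raw_access_events(SAMPLE_EVENTS)):
        print(alert)
```

    Matching on the full lowercased image path rather than the file name keeps a copy of a trusted binary dropped in a user-writable directory from inheriting the allowlist entry; pairing the alert with the Event ID 1 record for the same process (its parent and command line) is the natural next step for an analyst.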

    The researchers conclude that while the concept of raw disk access is not new, its proven effectiveness against modern EDRs highlights a significant gap in security visibility.

    As sophisticated hacking techniques become more accessible, organizations must understand and defend against threats that operate below the surface of the typical operating system.

    The post Hackers May Leverage Raw Disk Reads to Bypass EDR Solutions and Access Highly Sensitive Files appeared first on Cyber Security News.

  • Artificial intelligence is reshaping cybersecurity on both sides of the battlefield. Cybercriminals are using AI-powered tools to accelerate and automate attacks at a scale defenders have never faced before. Security teams are overwhelmed by an explosion of vulnerability data, tool outputs, and alerts, all while operating with finite human resources. The irony is that while AI has become a

  • A novel serverless command-and-control (C2) technique that abuses Google Calendar APIs to obscure malicious traffic inside trusted cloud services. Dubbed MeetC2, this lightweight, cross-platform proof-of-concept demonstrates how adversaries can seamlessly blend C2 communications into everyday SaaS usage, presenting fresh detection, telemetry, and response challenges for red and blue teams alike. In a recent internal purple-team […]

    The post Hackers Exploit Google Calendar API with Serverless MeetC2 Framework appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A previously unseen malware campaign began circulating in early August 2025 through email attachments and web downloads, targeting users in Colombia and beyond.

    By leveraging two distinct vector-based file formats—Adobe Flash SWF and Scalable Vector Graphics (SVG)—the attackers crafted a multiphase operation that evaded traditional antivirus detection.

    Initial reports surfaced when a benign-looking SWF file named Sequester.swf triggered alerts in only a handful of antivirus engines, prompting deeper investigation.

    Within days, a companion SVG file emerged, embedding sophisticated JavaScript payloads designed to impersonate the Colombian Fiscalía General de la Nación portal.

    The seamless pivot between legacy and modern formats caught many security teams off guard.

    The SWF component masqueraded as a legitimate 3D puzzle game, complete with ActionScript modules for rendering, pathfinding, and cryptographic routines.

    While antivirus engines flagged obfuscated classes and AES routines, they failed to recognize that this code served legitimate game mechanics rather than malicious behavior.

    Malicious file (Source – VirusTotal)

    Meanwhile, the SVG variant contained inline JavaScript that decoded a Base64 phishing page and silently dropped a ZIP archive containing additional payloads.

    The combination of these two vectors created a multiheaded threat that slipped past detection barriers with alarming ease.

    VirusTotal analysts noted that upon expanding support for SWF and SVG analysis in Code Insight, they were able to uncover dozens of related samples within hours of the initial submissions.

    By searching for Spanish-language comments left by the attackers—strings such as "POLIFORMISMO_MASIVO_SEGURO" and "Funciones dummy MASIVAS"—researchers identified a cohesive campaign spanning more than 40 unique SVG files, none of which had raised flags in standard antivirus scans.

    The early presence of these markers allowed rapid signature creation and retrohunt jobs, yielding over 500 matches when applied to submissions from the previous year.

    The heart of the operation lay in its evasion tactics. By distributing large, obfuscated SWF files that blended game code with encryption routines, the attackers exploited heuristic thresholds.

    At the same time, the SVG files embedded encrypted JavaScript in CDATA sections, evading simple pattern matching.

    This SVG file executes an embedded JavaScript payload upon rendering (Source – VirusTotal)

    When rendered in a browser, the script would decode and inject an HTML phishing interface, complete with progress bars and authentic-looking forms that mimicked official government communications.

    Detection Evasion Techniques

    Central to this campaign’s success was the layering of obfuscation and polymorphism. Each SWF sample employed variable renaming, garbage code insertion, and custom packing routines to defeat static analysis.

    The following excerpt illustrates how the SVG payload concealed its primary logic within nested Base64 strings:

    // POLIFORMISMO_MASIVO_SEGURO: 2025-09-01T16:39:16.808557
    var payload = atob("UE...VUM+Cg==");
    document.write(payload);

    Meanwhile, the YARA rule crafted by VirusTotal researchers targeted the consistent Spanish comments:

    rule svg_colombian_campaign {
        strings:
            $c1 = "Funciones dummy MASIVAS"
            $c2 = "POLIFORMISMO_MASIVO_SEGURO"
        condition:
            // "<?" at offset 0, read as a little-endian 16-bit integer ('<' is 0x3C, '?' is 0x3F)
            uint16(0) == 0x3F3C and any of ($c*)
    }

    This rule achieved over 523 detections when retrohunted against a year’s worth of submissions.
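    As an added example, not code from VirusTotal or the original article, the scanner below does for one SVG what the two passages above describe from opposite sides: it pulls script content out of the XML (including CDATA sections, which simple pattern matching on the raw bytes misses), decodes any Base64 literal handed to atob(), and reports the campaign's comment markers together with phishing hints found in the decoded HTML. It goes slightly beyond the excerpt by also collecting on* event-handler attributes, a second place script can sit in an SVG. The sample SVG, its form markup and URL are constructed; only the two marker strings are taken from the research.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The two comment strings are those quoted from the VirusTotal research;
# everything else here is constructed for the demonstration.
CAMPAIGN_MARKERS = ("POLIFORMISMO_MASIVO_SEGURO", "Funciones dummy MASIVAS")
ATOB_LITERAL = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")
PHISH_HINTS = (b"<form", b"password", b"login")


def constructed_sample() -> bytes:
    """An SVG in the shape of the quoted excerpt: a Base64-wrapped HTML fragment
    inside a CDATA script block, decoded and written into the page on render.
    The fragment and its URL are placeholders."""
    inner = b'<form action="https://login.example.test/submit"><input type="password"></form>'
    b64 = base64.b64encode(inner).decode()
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <rect width="200" height="200" fill="#eee"/>
  <script type="text/javascript"><![CDATA[
    // POLIFORMISMO_MASIVO_SEGURO: constructed sample
    var payload = atob("{b64}");
    document.write(payload);
  ]]></script>
</svg>
""".encode()


def scan_svg(data: bytes) -> dict:
    """Collect script content (script elements and on* attributes), decode every
    Base64 literal passed to atob(), and report markers and phishing hints."""
    root = ET.fromstring(data)
    scripts, decoded = [], []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]           # drop the namespace prefix
        if local == "script" and el.text:
            scripts.append(el.text)                  # CDATA arrives as plain text
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):        # onload=, onclick=, ...
                scripts.append(value)
    for src in scripts:
        for literal in ATOB_LITERAL.findall(src):
            try:
                decoded.append(base64.b64decode(re.sub(r"\s", "", literal), validate=True))
            except ValueError:
                continue                             # not valid Base64: ignore
    text = data.decode("utf-8", "replace")
    markers = [m for m in CAMPAIGN_MARKERS if m in text]
    suspicious = bool(markers) or any(h in d.lower() for d in decoded for h in PHISH_HINTS)
    return {"script_count": len(scripts), "decoded": decoded,
            "markers": markers, "suspicious": suspicious}


if __name__ == "__main__":
    result = scan_svg(constructed_sample())
    print(result["script_count"], result["markers"], result["suspicious"])
    for fragment in result["decoded"]:
        print(fragment.decode("utf-8", "replace"))
```

    The marker strings give a precise but brittle signal, since the authors can rename them; the decoded-content hints cost more to compute but survive renaming, which is why a triage pipeline wants both. A rendering engine would also need to handle nested atob() calls and string concatenation, which this single-pass version deliberately does not attempt.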

    By combining heuristic bypasses, encrypted payloads, and intentional misdirection, the attackers demonstrated a refined understanding of both legacy and modern file formats—underscoring the urgent need for context-aware analysis in contemporary threat defense.

    The post Colombian Malware Weaponizing SWF and SVG to Bypass Detection appeared first on Cyber Security News.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new high-severity vulnerability in the Linux kernel to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is being actively exploited in attacks.

    The warning, issued on September 4, 2025, calls for urgent action from federal agencies and private sector organizations to mitigate the threat.

    The vulnerability, tracked as CVE-2025-38352, is a Time-of-Check Time-of-Use (TOCTOU) race condition.

    This type of flaw creates a small window of opportunity for an attacker to maliciously alter a system resource between the time the system checks for its security status and the time it actually uses that resource.
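    A user-space illustration of the TOCTOU pattern just defined, added here as an example; it is not derived from the kernel flaw tracked as CVE-2025-38352, whose affected code path the article does not describe. The `race_hook` parameter stands in for whatever else touches the file system between the check and the use, so the race can be reproduced deterministically; the file names and contents are constructed.

```python
import os
import stat
import tempfile
from typing import Callable, Optional


def read_if_regular_racy(path: str, race_hook: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Vulnerable pattern: a path-based check followed by a separate open().
    race_hook models another process acting between the two (constructed)."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None                      # check passes for a regular file ...
    if race_hook:
        race_hook()                      # ... then the name is re-pointed ...
    with open(path, "rb") as f:          # ... and open() follows the new target
        return f.read()


def read_if_regular_safe(path: str, race_hook: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Hardened pattern: open first, refusing to follow a symlink at the final
    component, then validate the object actually opened through its descriptor.
    The hook runs at the same point as above; there is no earlier check for it
    to invalidate, and nothing done to the name afterwards affects the fd."""
    if race_hook:
        race_hook()
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError:                      # e.g. ELOOP: the name is now a symlink
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        chunks = []
        while chunk := os.read(fd, 65536):
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both readers against report.txt, which the hook swaps for a symlink to
    private.txt after the check (constructed scenario in a temporary directory)."""
    results = {}
    for name, reader in (("racy", read_if_regular_racy), ("safe", read_if_regular_safe)):
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "report.txt")
            private = os.path.join(d, "private.txt")
            with open(target, "wb") as f:
                f.write(b"public data")
            with open(private, "wb") as f:
                f.write(b"private data")

            def swap(target=target, private=private):
                os.remove(target)
                os.symlink(private, target)

            results[name] = reader(target, race_hook=swap)
    return results


if __name__ == "__main__":
    print(demo())   # {'racy': b'private data', 'safe': None}
```

    The racy reader's check passes while report.txt is a regular file, the hook re-points the name at private.txt, and open() follows the new target; the hardened reader opens with O_NOFOLLOW and validates the descriptor with fstat, so the same swap yields None. Kernel-side TOCTOU bugs have the same shape with different objects (a state check on one object, then an operation on whatever the pointer or handle resolves to by the time it runs), which is why the fix is always to make the check and the use operate on the same object under the same lock or reference.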

    Linux Kernel Race Condition Vulnerability

    A successful exploit could allow an attacker to gain elevated privileges, manipulate sensitive data, or cause a system to crash, leading to a high impact on confidentiality, integrity, and availability.

    In response to confirmed “in-the-wild” exploitation, CISA’s addition to the KEV catalog triggers a binding operational directive for federal agencies.

    Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided mitigations or discontinue use of the product by the due date of September 25, 2025.

    While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize patching this vulnerability due to the widespread use of the Linux kernel.

    Linux serves as the foundation for a vast array of systems, including web servers, cloud infrastructure, Android devices, and Internet of Things (IoT) gadgets, making the potential attack surface enormous.

    “A flaw in the Linux kernel is a foundational risk that can impact countless technologies across the globe,” a security analyst noted.

    At present, it is unknown if this vulnerability is being used in specific ransomware campaigns. However, attackers often use such kernel-level exploits to gain deeper access and persistence within a network before deploying ransomware or exfiltrating data.

    CISA recommends applying patches and mitigations from Linux distribution vendors as soon as they become available.

    If mitigations are not available for a specific product, organizations should follow applicable guidance for cloud services or discontinue the product’s use to remove the threat.

    System administrators are advised to check with their specific Linux distribution providers, such as Red Hat, Canonical (Ubuntu), and SUSE, for security updates and patching instructions.

    The post CISA Warns of Linux Kernel Race Condition Vulnerability Exploited in Attacks appeared first on Cyber Security News.

  • Attackers can bypass Endpoint Detection and Response (EDR) tools and file locks by reading raw disk sectors directly, highlighting the urgent need for organizations to audit and secure the drivers installed on their Windows systems. In modern Windows environments, drivers provide low-level access to hardware and disk functions. A recent investigation by Workday’s Offensive Security […]

    The post Hackers Exploit Raw Disk Reads to Evade EDR and Steal Sensitive Files appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
