• Critical security flaws discovered in Mobile Security Framework (MobSF) version 4.4.0 enable authenticated attackers to exploit path traversal and arbitrary file write vulnerabilities, potentially compromising system integrity and exposing sensitive data. Two significant vulnerabilities have been identified in the popular Mobile Security Framework (MobSF), a widely-used open-source mobile application security testing platform. The flaws, tracked […]

    The post MobSF Vulnerability Allows Attackers to Upload Malicious Files appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts. The vulnerable driver in question is “amsdk.sys” (version 1.0.600), a 64-bit, validly signed Windows kernel device driver


  • A sophisticated Windows-based keylogger known as TinkyWinkey began surfacing on underground forums in late June 2025, targeting enterprise and individual endpoints with unprecedented stealth.

    Unlike traditional keylogging tools that rely on simple hooks or user-mode processes, TinkyWinkey leverages dual components—a Windows service and an injected DLL payload—to remain hidden while harvesting rich contextual data.

    The malware’s emergence underscores a troubling evolution in threat actor tactics, blending deep system profiling with low-level keyboard capture to deliver a highly attractive target for espionage and credential theft.

    TinkyWinkey’s attack vector typically begins with the installation of a malicious service named “Tinky.” Installed via SCM API calls, the service is configured for automatic startup, ensuring persistence even across system reboots.

    Upon activation, the service worker thread spawns the primary keylogging module (winkey.exe) within the active user session by invoking CreateProcessAsUser on a duplicated user token.

    Keylogging Storage (Source – Cyfirma)

    This approach not only avoids visible console windows but also gains direct access to user-mode desktop contexts. Cyfirma analysts noted that this technique allows the malware to run seamlessly under standard user privileges while maintaining stealth within system processes.

    Once loaded, the keylogger component employs low-level hooks (WH_KEYBOARD_LL) to intercept every keystroke, including media keys, modifier combinations, and Unicode characters.

    The malware maintains a continuous message loop to dispatch captured events, correlating each keystroke with the foreground window title and the current keyboard layout.

    Cyfirma researchers identified that TinkyWinkey dynamically detects layout changes through HKL handles, logging events whenever the victim switches between languages.

    This ensures that attackers can accurately reconstruct multilingual inputs, a feature often overlooked by simpler keyloggers.

    TinkyWinkey is a Windows-based project (Source – Cyfirma)
    #include <windows.h>
    #include <stdio.h>

    /* Provided elsewhere in the malware: appends a line to the keystroke log. */
    void write_to_file(const char *text);

    /* RtlGetVersion is resolved from ntdll.dll at run time so the sample records the
       real OS build rather than the compatibility-shimmed value GetVersionEx returns. */
    typedef LONG (WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);

    void log_windows_version(void) {
        HMODULE hMod = LoadLibraryW(L"ntdll.dll");
        if (hMod) {
            RtlGetVersionPtr fn = (RtlGetVersionPtr)GetProcAddress(hMod, "RtlGetVersion");
            RTL_OSVERSIONINFOW rovi = { sizeof(rovi) };   /* dwOSVersionInfoSize must be set */
            if (fn && fn(&rovi) == 0) {                   /* 0 == STATUS_SUCCESS */
                char buffer[128];
                snprintf(buffer, sizeof(buffer),
                         "Windows version: %lu.%lu (build %lu)\n",
                         rovi.dwMajorVersion, rovi.dwMinorVersion, rovi.dwBuildNumber);
                write_to_file(buffer);
            }
            FreeLibrary(hMod);
        }
    }

    Infection Mechanism and Persistence Tactics

    TinkyWinkey’s infection mechanism hinges on its service-based persistence and stealthy DLL injection. After establishing the “Tinky” service, the loader resolves the PID of a trusted process—most commonly explorer.exe—using a custom FindTargetPID routine.

    Upon obtaining a handle with PROCESS_ALL_ACCESS, it allocates memory in the target process via VirtualAllocEx and writes the full path to keylogger.dll.

    A subsequent CreateRemoteThread call, pointing at LoadLibraryW, forces the trusted process to load the malicious DLL.

    Malicious Windows service named ‘Tinky’ (Source – Cyfirma)

    This remote injection method not only conceals the keylogging code within a legitimate process but also evades many endpoint protection solutions that monitor standalone executables.

    A final WaitForSingleObject call ensures the injection completes cleanly before handles are closed, preserving system stability and further masking the compromise from forensic analysis.

    Through its combined service execution and precise DLL injection, TinkyWinkey achieves a level of stealth and resilience rarely seen in commodity malware, rendering traditional detection and removal strategies insufficient for defending modern Windows environments.
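    The chain described above leaves two observable traces a defender can correlate: a new auto-start service and a remote thread into explorer.exe whose start routine is LoadLibraryW. The following detector is an added example, not code from Cyfirma or the malware; its event records are constructed dicts whose field names mirror System event 7045 (service installed) and Sysmon event 8 (CreateRemoteThread), and the TRUSTED_INJECTORS allowlist is an assumption.

```python
# Constructed sample events: one service install, then three remote-thread events.
SAMPLE_EVENTS = [
    {"event_id": 7045, "ServiceName": "Tinky",
     "ImagePath": "C:\\Users\\Public\\svc.exe", "StartType": "auto start"},
    {"event_id": 8, "SourceImage": "C:\\Users\\Public\\svc.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    {"event_id": 8, "SourceImage": "C:\\Program Files\\EDR\\agent.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    {"event_id": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "", "StartFunction": ""},
]

# Assumed allowlist of products known to inject into user processes legitimately.
TRUSTED_INJECTORS = {"c:\\program files\\edr\\agent.exe"}
# Trusted host processes the report says the loader targets.
TARGETS = {"explorer.exe"}


def detect(events):
    """Return (severity, reason) findings for the service-then-inject pattern."""
    findings = []
    service_images = set()  # image paths of services installed earlier in the stream
    for e in events:
        if e.get("event_id") == 7045:
            img = e.get("ImagePath", "").lower()
            service_images.add(img)
            # Auto-start service whose binary lives under a user-writable profile path.
            if "auto" in e.get("StartType", "").lower() and "\\users\\" in img:
                findings.append(("medium",
                                 f"auto-start service {e.get('ServiceName')} from {img}"))
        elif e.get("event_id") == 8:
            src = e.get("SourceImage", "").lower()
            tgt = e.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
            # Remote thread starting at LoadLibraryW == classic DLL injection.
            if (tgt in TARGETS and e.get("StartFunction") == "LoadLibraryW"
                    and src not in TRUSTED_INJECTORS):
                # Injection sourced from a freshly installed service is the full chain.
                sev = "high" if src in service_images else "medium"
                findings.append((sev, f"remote LoadLibraryW thread into {tgt} from {src}"))
    return findings
```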


    The post New TinkyWinkey Stealthily Attacking Windows Systems With Advanced Keylogging Capabilities appeared first on Cyber Security News.


  • The Space Force has been working closely with private investment firms to get a leg up on emerging technologies. The result is a “pool” of companies with products the service wants, a senior defense official says.

    “Another innovation influence for us, which is new, is the introduction of the acquisition for the Space Force to the venture capital community and the investment community—not a community we interacted with in the past. And so this is a whole new community that we've been engaging with, learning with, going to their activities and understanding what their thinking is. In turn, we talk about what we're looking for in space companies,” said Maj. Gen. Stephen Purdy, who is the military deputy, acting assistant secretary of the Air Force and service acquisition executive for space, during the National Defense Industrial Association’s emerging technology conference on Thursday. 

    The U.S. Space Force has, through SpaceWERX, spent recent years working with the private investment community to foster relationships with newer companies and keep up with the rapid development of commercial space technology. 

    “We have been forming, over the last year, a pool of companies in space that have got a real product,” he said.

    As a result, the service has re-evaluated more traditional acquisition programs. 

    “We've gone and looked at many of our acquisition programs that were on the more traditional route, and said, ‘Is there anything that we can do on the requirements side that's causing us not to go to commercial? Can we take advantage of this? In several, we found good avenues to propose to the Space Force requirements community,” Purdy said. “And some of those decided to take us up on our offer.” 

    That was the case with the Space Force’s Geosynchronous Space Situational Awareness Program, or GSSAP, for space domain awareness.

    “It started early this year [with] nothing in mind, and…We had an industry day, and it grew up to like 150 companies that are expressing interest in this activity. We had a gold mine of interest in this area,” Purdy said. “That shows you how vibrant that innovation market is for space.” 

    The Space Force has been pushing for more adoption of lower-cost commercial options for certain military missions. The service wants multiple companies to provide services rather than relying on a “one and done” approach, Purdy continued. 

    “We will fly multiple companies’ material. That's going to keep all those different lines and all those different companies active and hungry to go for that next tranche,” he said. 



  • A critical vulnerability in HashiCorp Vault—tracked as CVE-2025-6203 and HCSEC-2025-24—has been disclosed that allows malicious actors to submit specially crafted payloads capable of exhausting server resources and rendering Vault instances unresponsive. The flaw affects both Vault Community and Enterprise editions, spanning versions 1.15.0 through 1.20.2 (with select earlier patch versions), and was publicly disclosed on […]

    The post HashiCorp Vault Vulnerability Allows Attackers to Crash Servers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Exposing an ASP.NET Core appsettings.json file containing Azure Active Directory (Azure AD) credentials poses a critical attack vector, effectively handing adversaries the keys to an organization’s cloud environment. During a recent cybersecurity assessment by Resecurity’s HUNTER Team, researchers discovered that a publicly accessible appsettings.json file had exposed the ClientId and ClientSecret of an Azure AD application, […]

    The post Azure AD Vulnerability Leaks Credentials, Lets Attackers Deploy Malicious Apps appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In a novel twist on the year-long trend of ClickFix scams, threat actors have blended human-verification social engineering with the Windows search protocol to deliver MetaStealer, a commodity infostealer notorious for harvesting credentials and exfiltrating sensitive files. While the attack superficially resembles classic ClickFix and FileFix techniques, its unique infection chain—from a fake AnyDesk installer […]

    The post Threat Actors Exploit Windows Search in AnyDesk ClickFix Attack to Spread MetaStealer appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Multiple critical vulnerabilities have been disclosed in Qualcomm Technologies’ proprietary Data Network Stack and Multi-Mode Call Processor that permit remote attackers to execute arbitrary code. 

    These flaws, tracked as CVE-2025-21483 and CVE-2025-27034, each carry a CVSS score of 9.8 and exploit buffer-corruption weaknesses to compromise device security.

    Key Takeaways
    1. CVE-2025-21483 & CVE-2025-27034 allow remote RCE.
    2. Affects Snapdragon 8 Gen1/Gen2, FastConnect, X55, IoT/automotive chips.
    3. Patch now and filter RTP/PLMN traffic.

    CVE-2025-21483: Remote Heap Buffer Overflow 

    The most severe issue, CVE-2025-21483, resides in Qualcomm’s Real-time Transport Protocol (RTP) packet reassembly within the Data Network Stack & Connectivity module. 

    An attacker can send a malicious RTP packet that triggers a heap-based buffer overflow (CWE-119) by overrunning the NALU reassembly buffer. 

    With a remote access vector and no user interaction required, this vulnerability enables full control over affected chipsets, including Snapdragon 8 Gen1, Snapdragon 8 Gen2, FastConnect 7800, and dozens more. 

    Once exploited, arbitrary code execution at the kernel level can occur, compromising data confidentiality, integrity, and availability.

    CVE-2025-27034: Improper Array Index Validation Flaw

    Equally critical is CVE-2025-27034, which stems from an improper validation of an array index (CWE-129) in the Multi-Mode Call Processor. 

    Attackers can craft a malformed Public Land Mobile Network (PLMN) selection response that corrupts memory during index parsing. 

    The flaw’s remote access vector and lack of privilege requirements make it exploitable over the network. 

    Affected platforms include the Snapdragon X55 5G Modem-RF System, Snapdragon 8 Gen1, QCM5430, and numerous IoT and automotive modems. Successful exploitation leads to arbitrary code execution with escalated privileges.

    | CVE            | Title                                                                                                      | CVSS 3.1 Score | Severity |
    |----------------|------------------------------------------------------------------------------------------------------------|----------------|----------|
    | CVE-2025-21483 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity | 9.8            | Critical |
    | CVE-2025-27034 | Improper Validation of Array Index in Multi-Mode Call Processor                                            | 9.8            | Critical |

    Mitigations 

    Qualcomm has issued patches for both vulnerabilities, distributing updates directly to OEMs and urging immediate deployment. 

    The recommended countermeasure is to integrate the proprietary software updates provided in the September 2025 Security Bulletin and verify the presence of hardened bounds-checking routines. 

    Device manufacturers must ensure timely firmware upgrades to eliminate attack vectors in CVE-2025-21483’s RTP parser and CVE-2025-27034’s array index logic.

    Security researchers emphasize the necessity of monitoring CVSS strings and employing network filtering as an interim safeguard. 

    Administrators should block unexpected RTP streams and PLMN selection traffic until patched firmware is installed. Additionally, implementing strict SELinux policies on Android platforms can further constrain exploit attempts.

    Stakeholders are advised to audit firmware versions, apply patches immediately, and maintain vigilant network monitoring to defend against these high-severity exploits.

    Qualcomm customers and device end-users should contact their manufacturers or visit Qualcomm’s support portal for detailed patch instructions and chipset coverage details.


    The post Critical Qualcomm Vulnerabilities Allow Attackers to Execute Arbitrary Code Remotely appeared first on Cyber Security News.


  • A critical security vulnerability has emerged in Azure Active Directory (Azure AD) configurations that exposes sensitive application credentials, providing attackers with unprecedented access to cloud environments. 

    This vulnerability centers around the exposure of appsettings.json files containing ClientId and ClientSecret credentials, effectively handing adversaries the keys to entire Microsoft 365 tenants.

    The vulnerability was identified during recent cybersecurity assessments, where Azure AD application credentials were discovered in publicly accessible configuration files. 

    Key Takeaways
    1. Exposed Azure AD secrets in config files allow attackers to impersonate applications.
    2. Enables data theft from Microsoft 365 and malicious app deployment.
    3. Bypasses security controls and can compromise entire cloud tenants.

    This exposure allows threat actors to authenticate directly against Microsoft’s OAuth 2.0 endpoints, masquerading as trusted applications and gaining unauthorized access to sensitive organizational data.

    Client Credentials Flow Exploit

    Resecurity reports that the attack vector exploits the Client Credentials Flow in OAuth 2.0, where attackers leverage exposed credentials to generate valid access tokens. 

    Using the leaked ClientId and ClientSecret, malicious actors can execute HTTP POST requests to Azure’s token endpoint:

    Azure Active Directory Vulnerability

    Once authenticated, attackers can access the Microsoft Graph API to enumerate users, groups, and directory roles. 

    Enumerate Users

    The vulnerability becomes particularly dangerous when applications have been granted excessive permissions such as Directory.Read.All or Mail.Read, allowing comprehensive data harvesting across SharePoint, OneDrive, and Exchange Online.

    The exposed appsettings.json file typically contains critical Azure AD configuration parameters including the Instance URL (https://login.microsoftonline.com/), TenantId for directory identification, RedirectUri for callback handling, and most critically, the ClientSecret that serves as the application’s authentication password.

    This vulnerability enables multiple attack scenarios that pose significant risks to organizational security. 

    Attackers can perform comprehensive reconnaissance by querying Microsoft Graph endpoints to map organizational structures, identify high-privilege accounts, and locate sensitive data repositories, the report reads.

    The ability to enumerate OAuth2PermissionGrants reveals which applications have access to what resources, providing attackers with a roadmap for further exploitation.

    More concerning is the potential for application impersonation, where threat actors can deploy malicious applications under the compromised tenant. 

    Using the legitimate application’s identity, attackers can request additional permissions, potentially escalating from limited read access to full administrative control. 

    This technique bypasses traditional security controls because the requests appear to originate from trusted, pre-approved applications.

    The vulnerability also enables lateral movement across cloud resources. If the exposed configuration file also contains additional secrets such as storage account keys or database connection strings, attackers can directly access production data, modify critical business information, or establish persistent backdoors within the cloud infrastructure.

    Organizations face severe compliance implications, as unauthorized access to user data can trigger GDPR, HIPAA, or SOX violations. 

    This Azure AD vulnerability underscores the critical importance of proper secrets management in cloud environments. 

    Organizations must immediately audit their configuration files, implement secure credential storage solutions like Azure Key Vault, and establish monitoring for suspicious authentication patterns. 

    The consequences of exposed application credentials extend far beyond simple data breaches, potentially compromising entire cloud ecosystems and enabling sophisticated, long-term attacks that can remain undetected for months.
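    The audit the article calls for starts with finding literal secrets in the configuration files themselves. The auditor below is an added example, not code from Resecurity or Microsoft; the appsettings.json document is constructed to match the layout described above (Instance, TenantId, ClientId, ClientSecret, RedirectUri), and the SECRET_KEYS and EMBEDDED patterns are assumptions. Values written as Azure Key Vault references are treated as resolved at run time and not flagged.

```python
import json
import re

# Constructed sample: one literal ClientSecret, one connection string with an
# embedded password, and one Key Vault reference (the hardened form).
SAMPLE_APPSETTINGS = json.loads(r'''{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "EXAMPLE_LITERAL_SECRET_VALUE",
    "RedirectUri": "https://app.example.invalid/signin-oidc"
  },
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=sa;Password=EXAMPLE_PW;"
  },
  "Storage": {
    "AccountKey": "@Microsoft.KeyVault(SecretUri=https://kv.example.invalid/secrets/storage)"
  }
}''')

# Key names whose value is secret material (assumed list).
SECRET_KEYS = re.compile(r"(clientsecret|accountkey|password|secret|token)$", re.I)
# Secrets embedded inside connection strings.
EMBEDDED = re.compile(r"(password|accountkey|sharedaccesskey)\s*=\s*[^;]+", re.I)


def is_reference(value: str) -> bool:
    """Key Vault references and empty placeholders are not literal secrets."""
    return value.startswith("@Microsoft.KeyVault(") or value == ""


def audit(node, path=""):
    """Walk the JSON tree and return dotted paths that hold literal secret material."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += audit(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += audit(value, f"{path}[{i}]")
    elif isinstance(node, str) and not is_reference(node):
        leaf = path.rsplit(".", 1)[-1]
        if SECRET_KEYS.search(leaf) or EMBEDDED.search(node):
            findings.append(path)
    return findings
```

A non-empty result from audit() on a file that is reachable from the web root is exactly the exposure described above; the remediation is to move those values to Key Vault (or user-secrets in development) and leave the file with references only.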


    The post Azure Active Directory Vulnerability Exposes Credentials and Enables Attackers to Deploy Malicious Apps appeared first on Cyber Security News.


  • Over the past two years, Fox-IT and NCC Group have tracked a sophisticated Lazarus subgroup targeting financial and cryptocurrency firms. This actor overlaps with AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces campaigns and leverages three distinct remote access trojans (RATs)—PondRAT, ThemeForestRAT and RemotePE—to infiltrate and control compromised systems. In a 2024 incident response case, the […]

    The post Lazarus Hackers Exploit 0-Day to Deploy Three Remote Access Trojans appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
