The notorious Lazarus advanced persistent threat (APT) organization, which Qi’anxin internally tracks as APT-Q-1, has been seen using the ClickFix technique to penetrate Windows 11 and macOS systems in a sophisticated progression of social engineering attacks. Known for high-profile incidents like the 2014 Sony Pictures hack, Lazarus has shifted from intelligence theft to financial asset […]
ShadowSilk first surfaced in late 2023 as a sophisticated threat cluster targeting government entities across Central Asia and the broader APAC region.
Exploiting known public vulnerabilities and widely available penetration-testing frameworks, the group orchestrates data exfiltration campaigns with a high degree of automation and stealth.
Initial deliveries were achieved via phishing emails containing password-protected archives; upon execution, these dropped a Telegram-based backdoor that established a covert command-and-control channel.
The rapid proliferation of ShadowSilk operations prompted heightened scrutiny across regional security teams.
In early 2025, Group-IB analysts identified renewed ShadowSilk infrastructure and a burst of new indicators of compromise, including updated Telegram bots and repurposed public exploits such as CVE-2024-27956 and CVE-2018-7602.
Researchers noted that the adversary’s toolkit blended open-source scanners like sqlmap and fscan with custom Telegram bot scripts, creating a versatile platform capable of reconnaissance, lateral movement, and bulk data theft.
This hybrid approach allowed ShadowSilk to alternate seamlessly between freely available tools and bespoke malware, complicating detection and response efforts.
By mid-2025, the group’s impact was undeniable: at least 35 government networks had suffered data breaches, while forensic captures of ShadowSilk’s server image revealed multilingual operators and intricate web-panel control suites.
Exfiltrated data included mail server dumps, administrative credentials, and critical intelligence, packaged in daily ZIP archives.
The sophistication of these campaigns underscores ShadowSilk’s deliberate evolution from a small phishing-based actor into a persistent, multi-stage threat capable of sustaining prolonged intrusions.
A screenshot of a phishing email from ShadowSilk (Source – Group-IB)
Group-IB researchers noted that ShadowSilk’s operators maintain two sub-groups—one primarily Russian-speaking and the other Chinese-speaking—working in parallel yet sharing virtual assets.
Analysis of keyboard layouts, desktop screenshots, and Telegram command histories confirmed this bilingual operational model. Despite different tooling preferences, both factions converge on a consistent objective: covertly harvest sensitive information and evade traditional security controls.
Infection Mechanism and Persistence
ShadowSilk’s infection chain begins with a lure email delivering a ZIP archive that masquerades as an official report or vendor bulletin.
Upon extraction and execution of rev.exe, the PowerShell-based payload connects to a hardcoded URL such as https://tpp.tj/BossMaster.txt, invoking:
This snippet not only loads the primary backdoor but also writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence after reboot.
The contents of the file /www/html/gramm.ps1 (Source – Group-IB)
The second stage script, /www/html/gramm.ps1, implements a Telegram bot loop that reads incoming commands via the Bot API, executes arbitrary shell instructions, and uploads results or files directly to the attacker’s Telegram chat.
The persistence mechanism leverages both registry autoruns and scheduled tasks. ShadowSilk routinely deploys a minimalistic downloader that fetches additional modules—Metasploit payloads, Cobalt Strike beacons, or custom RAT executables—through the same Telegram channel.
By interweaving social messaging infrastructure with conventional malware callbacks, ShadowSilk sidesteps network security tools that normally flag unknown TCP or HTTPS connections, blending malicious traffic into legitimate bot interactions.
Through this dual-stage infection and persistent backdoor, ShadowSilk maintains long-term access, enabling data collection, credential dumping, and systematic exfiltration of archived user documents to attacker-controlled endpoints.
Cybersecurity experts discovered an advanced persistent threat (APT) cluster called ShadowSilk in thorough research published by Group-IB. Since at least 2023, this group has been actively breaching government institutions in Central Asia and the Asia-Pacific area. The group’s operations, ongoing as of July 2025, focus primarily on data exfiltration, leveraging a sophisticated blend of […]
FreePBX administrators worldwide have been urged to immediately disable public internet access to their systems after a critical 0-day vulnerability was discovered in the commercial Endpoint Manager module. The Sangoma FreePBX Security Team confirmed that attacker-controlled exploit code can gain unauthenticated remote code execution on systems with the Administrator Control Panel exposed to hostile networks, […]
A critical zero-day exploit is targeting exposed FreePBX 16 and 17 systems. Threat actors are abusing an unauthenticated privilege escalation vulnerability in the commercial Endpoint Manager module, allowing remote code execution (RCE) when the Administrator Control Panel is reachable from the public internet.
With active compromises detected since August 21, 2025, admins must act immediately to contain the threat.
Key Takeaways
1. Zero-day RCE in FreePBX Endpoint Manager targeting internet-exposed Admin UIs.
2. Immediately block external access and install EDGE/tagged endpoint updates.
3. Check for compromise indicators, isolate/rebuild systems, and restore from pre-August 21 backups.
Firewall Lockdown
FreePBX stated that organizations should first verify whether their FreePBX/PBXAct instance is accessible externally.
If the Administrator Control Panel (ACP) is reachable on ports 80 or 443, block all external traffic at the network perimeter.
Alternatively, employ the FreePBX Firewall module to restrict the Internet/External zone to known trusted hosts only.
After lockdown, confirm local-only access by testing ACP connectivity from an untrusted network (e.g., cellular data).
Next, update the Endpoint module to the provided EDGE builds for testing. FreePBX v16/v17 users can execute:
PBXAct v16 and v17 users should specify stable tags:
A full QA-tested release will follow within 12 hours; perform a standard module update once available via Admin → Module Admin.
Mitigations
To detect potential infection, administrators must perform the following checks:
Ensure /etc/freepbx.conf still exists.
Look for the malicious dropper script /var/www/html/.clean.sh.
Scan Apache logs for POST requests to modular.php since August 21.
Inspect Asterisk logs for calls to extension 9998.
Query MySQL for suspicious ampusers.
If any indicators are present, isolate the system and plan restoration. Preserve backups older than August 21, deploy a clean FreePBX install with hardened firewall settings, restore data, and rotate all credentials (system, SIP trunks, extensions, voicemail, UCP).
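As an added example (not Sangoma's advisory code and not the community's collect_forensics_freepbx.sh), the following POSIX shell script automates the file, Apache log and Asterisk log checks listed above so they can be run read-only against files copied from a suspect host; the default Apache and Asterisk log paths and the use of the `asterisk` MySQL database are assumptions, and each check is a separate function so it can be pointed at collected evidence.

```shell
#!/bin/sh
# Added example: read-only triage for the FreePBX compromise indicators above.
# Paths are parameters so the checks can run against copies of collected files.

# Indicator 1: /etc/freepbx.conf should still exist.
check_freepbx_conf() {            # $1 = path to freepbx.conf
    if [ -f "$1" ]; then return 0; fi
    echo "ALERT: $1 is missing"; return 1
}

# Indicator 2: the dropper /var/www/html/.clean.sh should not exist.
check_dropper_absent() {          # $1 = path to .clean.sh
    if [ ! -e "$1" ]; then return 0; fi
    echo "ALERT: dropper present at $1"; return 1
}

# Indicator 3: count POST requests to modular.php dated 21 Aug 2025 or later.
# Expects Apache combined log format, where $4 is "[dd/Mon/yyyy:hh:mm:ss",
# $6 is the quoted method and $7 the request path.
count_modular_posts() {           # $1 = Apache access log
    awk 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                 for (i = 1; i <= 12; i++) mon[m[i]] = i }
         $6 == "\"POST" && $7 ~ /modular\.php/ {
             split(substr($4, 2, 11), d, "/")        # dd, Mon, yyyy
             if (d[3] * 10000 + mon[d[2]] * 100 + d[1] >= 20250821) n++
         }
         END { print n + 0 }' "$1"
}

# Indicator 4: Asterisk log lines referencing extension 9998 (whole number only,
# so 99980 or 19998 are not counted).
count_ext_9998_calls() {          # $1 = Asterisk full log
    grep -cE '(^|[^0-9])9998([^0-9]|$)' "$1" || true   # grep -c exits 1 on zero matches
}

# Indicator 5: dump the admin user table for manual comparison with known admins.
# Assumes local socket access to the FreePBX "asterisk" database.
list_ampusers() {
    if command -v mysql >/dev/null 2>&1; then
        mysql asterisk -e 'SELECT * FROM ampusers'
    else
        echo "mysql client not found; review the ampusers table manually"
    fi
}

run_all_checks() {
    status=0
    check_freepbx_conf /etc/freepbx.conf || status=1
    check_dropper_absent /var/www/html/.clean.sh || status=1
    posts=$(count_modular_posts /var/log/httpd/access_log)    # assumed log path
    [ "${posts:-0}" -eq 0 ] || { echo "ALERT: $posts POST(s) to modular.php since 21 Aug"; status=1; }
    calls=$(count_ext_9998_calls /var/log/asterisk/full)      # assumed log path
    [ "${calls:-0}" -eq 0 ] || { echo "ALERT: $calls reference(s) to extension 9998"; status=1; }
    list_ampusers
    return $status
}

# Run the full sweep only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then run_all_checks; fi
```

A non-zero exit from `run_all_checks` means at least one indicator fired and the host should be isolated and rebuilt as described above.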
Forensic collection can be automated using the community’s collect_forensics_freepbx.sh script under AGPLv3 to snapshot logs, configuration files, and process states for analysis.
Users running FreePBX versions prior to v16 should remain vigilant; Sangoma continues to investigate the root cause and will publish a CVE once the vulnerability has been fully assessed.
Until then, disabling internet access to ACP and applying the Edge or Stable Endpoint module updates remain the most effective defenses.
A sophisticated malware campaign weaponizes a seemingly legitimate PDF editor to steal sensitive data and login credentials from unsuspecting users across Europe.
The attack uncovered by Truesec, dubbed “TamperedChef,” represents a new evolution in social engineering tactics that leverage trusted software categories to deploy information-stealing malware.
The malicious campaign centers around AppSuite PDF Editor, a free PDF editing tool promoted across multiple websites and distributed through Google advertising campaigns.
Malicious PDF Editor Setup
What makes this attack particularly insidious is its patient approach. The software initially appears harmless, functioning as advertised while secretly establishing persistence mechanisms and awaiting activation commands.
The campaign’s sophistication is evident in its execution timeline. Beginning on June 26, 2025, threat actors registered multiple domains and began promoting the PDF editor through at least five different Google advertising campaigns.
The malware remained dormant for 56 days, a period strategically timed to coincide with typical Google advertising campaign durations, before activating its malicious capabilities on August 21, 2025.
Upon installation, the software establishes communication with command-and-control servers through specific URLs, including inst.productivity-tools.ai and vault.appsuites.ai.
The malware’s persistence mechanism involves creating registry entries that execute with various command-line arguments, including --install, --enableupdate, --fullupdate, and others.
When the --fullupdate argument is triggered, the software downloads and executes an obfuscated JavaScript file containing the core TamperedChef payload.
Data Theft Capabilities
Once activated, TamperedChef demonstrates sophisticated information-stealing capabilities. The malware queries web browser databases using Windows Data Protection API (DPAPI) to extract stored credentials and sensitive information.
It systematically terminates browser processes to access locked data files, ensuring comprehensive data harvesting from popular web browsers, Truesec said.
The malware also conducts system reconnaissance, identifying installed security products before proceeding with its data exfiltration operations. This behavior suggests the threat actors have invested significant effort in developing evasion techniques to bypass common security solutions.
The campaign’s legitimacy facade is reinforced through the abuse of digital certificates from multiple companies, including ECHO InfiniSDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.
Code Signed Signature Check.
Investigation reveals these companies share suspicious characteristics, including generic websites with potentially AI-generated content and shared business addresses.
Particularly concerning is the discovery that certificates from these entities have been used to sign other malicious software, including the Epibrowser malware, indicating a broader certificate abuse operation supporting multiple malware families.
Campaign Scope and Impact
The threat actors behind TamperedChef have maintained a long-term presence in the threat landscape, with evidence suggesting activity dating back to August 2024.
Digital certificates issued to the company BYTE Media have likewise been used to sign malware, in this case a different family called Epibrowser.
In several cases, we have observed a file called elevate.exe being installed together with the PDF Editor bundle.
Their operations extend beyond the PDF editor to include other potentially unwanted programs like OneStart browser, all sharing common command-and-control infrastructure.
European organizations have been significantly impacted, with multiple companies reporting employee infections after downloading the malicious PDF editor.
The campaign’s success highlights the effectiveness of disguising malware as legitimate productivity tools—a category users typically trust and readily install.
This campaign represents a concerning evolution in malware distribution tactics. By leveraging legitimate advertising platforms and maintaining extended dormancy periods, threat actors can achieve widespread distribution before revealing malicious intent.
The use of AI-generated code and generic business fronts further demonstrates the industrialization of cybercrime operations.
The TamperedChef campaign serves as a stark reminder that even seemingly innocuous productivity tools can pose significant security risks. Organizations must implement robust software vetting procedures and maintain heightened awareness of free utilities from unknown sources, as today’s helpful application could become tomorrow’s security nightmare.
New findings from Lares Labs underscore the importance of realistic threat emulation exercises that mirror the sophisticated tactics of the Scattered Spider APT group.
By integrating real-world incident data into controlled simulations, organizations can proactively assess defenses across networks, endpoints, and cloud environments, bolstering resilience against advanced persistent threats.
Lares’s research centers on recreating the full attack lifecycle employed by Scattered Spider from initial access via social engineering through lateral movement, privilege escalation, and eventual exfiltration.
Unlike traditional red teaming, which often focuses on isolated technical exploits, Lares combines ethical hacking, tailored social engineering, and threat emulation to replicate the subtle interplay of human manipulation and technical tradecraft observed in recent high-profile breaches.
Scattered Spider Attack Across Industries
Scattered Spider, active since May 2022, has targeted telecommunications, BPO, hospitality, retail, healthcare, and aviation sectors. The group’s young, English-speaking operatives leverage SIM swapping, phishing, and push-bombing to circumvent MFA, then install legitimate remote access tools for persistence.
Their operations also include bespoke cloud credential theft using utilities like AWS console or MicroBurst and Bring Your Own Vulnerable Driver (BYOVD) attacks, deploying Microsoft-signed vulnerable drivers such as POORTRY via a custom loader named STONESTOP to disable endpoint defenses.
Lares Lab simulations begin with open-source reconnaissance, harvesting corporate data from LinkedIn and breached credential repositories, then crafting realistic phishing lures through look-alike domains (e.g., targetsname-sso[.]com).
Participants experience the pressure of repeated MFA pushes and SIM swap scenarios, forcing defenders to react in real time. Subsequent stages emulate privilege escalation tactics, including ADCS abuse, DACL misconfiguration exploitation, and LSASS or NTDS.dit credential dumping via Mimikatz and Jetcretz.
Privilege escalation.
During lateral movement exercises, defenders confront genuine SSO session hijacking and Proxifier-linked traffic redirection, mirroring Scattered Spider’s use of cloud-based pivot points.
In cloud environments, simulations exploit IAM misconfigurations such as overly permissive assume-role policies to traverse EC2 instances and compromise additional user accounts. These exercises challenge teams to detect anomalous API calls and unusual credential usage patterns.
Exfiltration scenarios utilize encrypted messaging platforms like Telegram for small, high-value files and tools like Rclone or MEGAsync for bulk data transfer to attacker-controlled cloud storage.
Participants must identify stealthy data flows and intercept covert channels, refining both monitoring rules and incident response playbooks.
Lares’s approach delivers actionable intelligence: customized debriefs highlight detection blind spots, misaligned processes, and training gaps. Security teams leave with prioritized recommendations, ranging from tightening MFA policies and hardening AD configurations to refining cloud security posture and enhancing phishing resilience.
The group also relies on other common tools, such as ManageEngine and Amazon Web Services inventory utilities, aiming wherever possible to use legitimate tools native to the target environment so as to reduce detection by security solutions and keep a low profile.
Lateral movement.
As Scattered Spider’s tactics continue evolving, organizations face a dual challenge: bridging technology gaps and fortifying human defenses.
Lares’s research demonstrates that emulating real-world adversaries within a safe, controlled environment accelerates preparedness more effectively than theoretical exercises.
By testing controls against the actual TTPs of APT groups, such as Scattered Spider, enterprises shift from a reactive to a proactive stance, ultimately reducing dwell time and mitigating potential financial and reputational impacts.
Lares Labs recommends that organizations adopt regular threat emulation cycles, updating scenarios with the latest intelligence on groups such as Scattered Spider, UNC3944, Octo Tempest, and others. Through continuous adversarial collaboration and iterative testing, defenders can ensure their security posture evolves as rapidly as the threats they face.
Cloudflare today launched MCP Server Portals in open beta, a groundbreaking capability designed to centralize, secure, and observe all Model Context Protocol (MCP) connections in an organization.
By routing every MCP request through a single portal endpoint, Cloudflare One customers can now enforce Zero Trust policies, gain comprehensive visibility, and dramatically reduce the attack surface exposed by AI-driven integrations.
Key Takeaways
1. Centralized MCP connections via a single portal with Zero Trust policies.
2. Enforced SASE controls and unified logging for real-time security and visibility.
3. Curated least-privilege access to eliminate unmanaged AI endpoints.
Model Context Protocol
The Model Context Protocol (MCP) is rapidly becoming the universal standard for connecting large language models (LLMs) such as ChatGPT, Claude, and Gemini to enterprise applications. MCP defines two core components:
MCP Client: The LLM front-end requesting context or invoking actions.
MCP Server: The application endpoint exposing Resources, Prompts, and Tools to the client.
Architecture Overview
A minimal MCP Server configuration in YAML illustrates the simplicity of integration:
This open-source protocol transforms isolated LLMs into collaborative teammates by allowing structured API calls, dynamic prompts, and secure context retrieval.
Enhancing Security
While MCP unlocks integration, it also creates a sprawling new attack surface prone to prompt injection, supply chain exploits (e.g., CVE-2025-6514 in npm authentication libraries), and “confused deputy” privilege escalations.
MCP Server Portals address these risks by acting as a single front door:
Integrate directly with Cloudflare One’s Secure Access Service Edge (SASE) to apply multi-factor authentication, device posture checks, and geofencing on MCP traffic, mirroring the controls used for human users.
MCP servers
Aggregate every MCP request, prompt invocation, and tool execution into a unified audit log. Security teams can now detect anomalous behaviors such as unusual data-exfiltration patterns or unauthorized tool usage in real time.
Administrators register MCP servers with the portal, approve them, and assign permissions. Users only see the resources and tools explicitly authorized for their role, eliminating shadow AI endpoints.
Rather than distributing multiple endpoint URLs, users configure a single Portal URL in their MCP client. New servers become instantly available through the portal without manual updates, according to Cloudflare’s advisory.
MCP Server Portals integrate with Cloudflare Access for seamless OAuth-based authorization, whether applications are hosted on Cloudflare or external domains.
Future enhancements will include AI-powered WAF rules to block prompt-injection attacks, managed MCP server hosting via Cloudflare’s AI Gateway, and built-in machine learning models for anomaly detection.
Get started today by visiting the Access > AI Controls page in your Zero Trust Dashboard. MCP Server Portals are now in open beta for all Cloudflare One customers, offering a secure path to empower AI innovation without compromising safety.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Russian national Vitaliy Sergeyevich Andreyev, DPRK official Kim Ung Sun, Chinese entity Shenyang Geumpungri Network Technology Co., Ltd., and DPRK-based Korea Sinjin Trading Corporation for their involvement in a sophisticated fraudulent scheme involving information technology workers orchestrated by the Democratic […]
Picture this: Your team rolls out some new code, thinking everything’s fine. But hidden in there is a tiny flaw that explodes into a huge problem once it hits the cloud. Next thing you know, hackers are in, and your company is dealing with a mess that costs millions.
Scary, right? In 2025, the average data breach hits businesses with a whopping $4.44 million bill globally. And guess what? A big