Threat actors are leveraging the trusted brand of Indonesia’s state pension fund, PT Dana Tabungan dan Asuransi Pegawai Negeri (Persero), or TASPEN, to deploy a malicious Android application disguised as an official portal. This banking trojan and spyware targets pensioners and civil servants, exploiting legacy systems and digital transformation vulnerabilities to steal sensitive data including […]
Employees are experimenting with AI at record speed. They are drafting emails, analyzing data, and transforming the workplace. The problem is not the pace of AI adoption, but the lack of control and safeguards in place.
For CISOs and security leaders like you, the challenge is clear: you don’t want to slow AI adoption down, but you must make it safe. A policy sent company-wide will not cut it.
Spotify this week unveiled a new Direct Messaging feature, enabling users to share songs, podcasts and audiobooks within the app. While the move promises streamlined recommendations and deeper engagement among friends, it also raises fresh security and privacy considerations. Rolling out to Free and Premium users aged 16 and older in select markets on mobile devices, the […]
Nagios has addressed a significant cross-site scripting (XSS) vulnerability in its enterprise monitoring platform Nagios XI that could allow remote attackers to execute arbitrary JavaScript code in users’ browsers. The security flaw, discovered in the Graph Explorer feature, was patched in the 2024R2.1 release on August 12, 2024. The vulnerability was responsibly disclosed by security […]
The Underground ransomware gang has been coordinating recurring attacks on enterprises across the globe, a worrying escalation in cyber risk. The group has demonstrated sophisticated malware engineering that blends cutting-edge encryption techniques with focused penetration measures. First detected in July 2023, it resurfaced in May 2024 with a revamped Dedicated Leak Site (DLS), where […]
In recent weeks, a sophisticated phishing operation known as the ZipLine campaign has targeted U.S.-based manufacturing firms, leveraging supply-chain criticality and legitimate-seeming business communications to deploy an advanced in-memory implant dubbed MixShell.
This threat actor reverses traditional phishing workflows by initiating contact through corporate “Contact Us” web forms, prompting victims to reach out first.
Once dialogue is established, attackers pose as potential partners and engage the target in protracted email correspondence, often spanning two weeks, before delivering a weaponized ZIP archive hosted on a trusted Platform-as-a-Service domain.
The ZIP archive conceals a malicious .lnk file and embedded PowerShell script, which obfuscates its true purpose by including harmless PDF and DOCX lure files alongside the payload.
Upon execution, the .lnk file triggers a loader that scans common directories for the archive, extracts a marker-delimited PowerShell script, and injects it directly into memory, bypassing AMSI checks by forcing AmsiUtils.amsiInitFailed = $true.
Picus Security analysts identified this memory-resident approach as a key factor in MixShell’s stealth, enabling rapid, fileless execution without touching disk.
MixShell’s custom shellcode is unwrapped in memory using reflection and the System.Reflection.Emit API, dynamically resolving Windows API functions via a custom ROR4-based hashing algorithm.
ZipLine infection chain (Source – CheckPoint)
The implant’s configuration, stored immediately after the code section in an XOR-encrypted, hex-encoded block, provides DNS TXT tunnel parameters for command and control (C2).
These parameters include prepend and append markers, an XOR key, and domain information, all of which facilitate covert data exchange over DNS queries.
If DNS fails after six attempts, the implant shifts to HTTP fallback, maintaining the same encryption and framing format to blend malicious traffic with legitimate web requests.
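The C2 pattern described above (many TXT lookups carrying encoded, non-repeating subdomain labels under a single parent domain) is detectable from resolver logs. The following Python heuristic is an added example, not code from CheckPoint, Picus or the MixShell sample; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag DNS TXT query patterns like the tunnelling described above.
Added example, not CheckPoint's, Picus's or MixShell's code; the log format
("<client> <qtype> <qname>"), sample lines and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed resolver log: benign TXT lookups plus a burst of long,
# never-repeating hex labels under one parent domain (the tunnelling pattern).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.7 TXT 7a6b2c9e4f1d8a33b5c0.7de1f9aa44c2b8e0.c2-example.test
10.0.0.7 TXT 9f0e1d2c3b4a5968778695a4b3c2d1e0.c2-example.test
10.0.0.7 TXT 01e2a3c4d5f6789abc.ff00ee11dd22cc33.c2-example.test
10.0.0.7 TXT 5566778899aabbccddeeff0011.c2-example.test
10.0.0.7 TXT 4b3a29180706f5e4d3c2b1a0.c2-example.test
10.0.0.9 TXT selector1._domainkey.example.com
"""
# Hex-encoded payload labels are long and drawn only from [0-9a-f].
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

def parse_log(text):
    """Yield (client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower().rstrip(".")

def split_qname(qname):
    """Return (payload_labels, parent_domain) for a query name."""
    labels = qname.split(".")
    return labels[:-2], ".".join(labels[-2:])

def score_txt_tunnelling(text, min_labels=4, min_hex_ratio=0.75):
    """Group TXT queries by parent domain; flag domains whose subdomain
    labels are mostly long hex strings that never repeat (encoded data)."""
    per_domain = defaultdict(list)
    for _client, qtype, qname in parse_log(text):
        if qtype == "TXT":
            payload, parent = split_qname(qname)
            per_domain[parent].extend(payload)
    findings = {}
    for parent, labels in per_domain.items():
        if len(labels) < min_labels:
            continue
        hex_ratio = sum(bool(HEX_LABEL.match(l)) for l in labels) / len(labels)
        if hex_ratio >= min_hex_ratio and len(set(labels)) == len(labels):
            findings[parent] = {"labels": len(labels), "hex_ratio": hex_ratio}
    return findings
```

Because the implant falls back to HTTP with the same framing, the same label-shape test can be applied to URL path segments in proxy logs.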
Beyond initial execution, MixShell establishes persistence by hijacking a COM object’s TypeLib registry entry.
The PowerShell script writes a malicious XML scriptlet named Udate_Srv.sct to the ProgramData directory and points the CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}—associated with Internet Explorer’s Web Browser control—to this file.
On every system restart or when Explorer.exe triggers the hijacked COM object, the scriptlet launches cmd[.]exe /K set X=1&{shortcut}, re-running the payload without further user interaction.
Infection Mechanism Deep Dive
The infection chain of ZipLine is a masterclass in social engineering and technical evasion.
Attackers first submit a form-based inquiry—often with an “AI Impact Assessment” pretext—to the target’s website. Once the victim responds, the attackers request an NDA and provide a link to a ZIP file on a legitimate Herokuapp subdomain.
Delivery of the malicious NDA ZIP file (Source – CheckPoint)
Within the archive, the PowerShell script locates the embedded payload marker xFIQCV, extracts the shellcode blob, and uses in-memory methods to allocate executable pages via VirtualAlloc and invoke the payload directly.
MixShell’s ROR4 hash routine (def api_hash and def ror4) iterates over uppercase-converted API names, generating identifiers to resolve function pointers at runtime.
MixShell’s configuration (Source – CheckPoint)
This dynamic resolution avoids static imports, rendering common signature-based detections ineffective.
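Resolving those hashes back to names is the first step an analyst takes when triaging such a dump: precompute the hash of every candidate export and look the observed values up. The Python below is an added example, not MixShell's or CheckPoint's code; because the page does not publish the exact routine, the hash definition (rotate right by 4, then add each upper-cased byte), the candidate export list and the "observed" hashes are assumptions.

```python
"""Map ROR4-style API-name hashes from a memory dump back to export names.
Added example for triaging shellcode like that described above; not MixShell's
code. The page does not publish the routine, so the hash definition (rotate
right by 4, add each upper-cased byte), the candidate list and the "observed"
hashes below are assumptions."""

def ror4(value, bits=4):
    """Rotate a 32-bit value right by `bits` bits."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def api_hash(name):
    """Assumed hash: fold each byte of the upper-cased name into a ROR4 state,
    so 'VirtualAlloc' and 'VIRTUALALLOC' hash identically."""
    h = 0
    for byte in name.upper().encode("ascii"):
        h = (ror4(h) + byte) & 0xFFFFFFFF
    return h

# Exports an analyst would enumerate from kernel32/ntdll (constructed subset).
CANDIDATES = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "Sleep", "ExitProcess",
]

def build_table(names):
    """Precompute hash -> name and raise on a collision, since a colliding
    entry would make any resolved name untrustworthy."""
    table = {}
    for name in names:
        h = api_hash(name)
        if table.get(h, name) != name:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table

def resolve(observed, names=CANDIDATES):
    """Return {hash: name-or-'<unknown>'} for hashes pulled from a dump."""
    table = build_table(names)
    return {h: table.get(h, "<unknown>") for h in observed}

if __name__ == "__main__":
    # Constructed "observed" hashes: two computed here plus one that no
    # candidate matches, to exercise the unknown path.
    dump = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0x12345678]
    for h, name in resolve(dump).items():
        print(f"{h:#010x} -> {name}")
```

A real table would be built from the full export lists of the loaded DLLs, and unmatched hashes are the hint that the sample's real routine differs from the assumed one (different rotation, seed, or wide-character input).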
By maintaining all malicious actions in volatile memory, MixShell leaves only minimal forensic artifacts, challenging incident responders to detect and remediate infected hosts before data exfiltration or lateral movement can occur.
A large-scale cybercrime conspiracy known as ShadowCaptcha was made public by cybersecurity researchers at Israel’s National Digital Agency. This campaign exploits the ClickFix technique, deploying deceptive CAPTCHA interfaces mimicking legitimate services like Cloudflare or Google to manipulate users into running malicious commands. The operation, traced through compromised WordPress websites, represents a sophisticated blend of social […]
A whistleblower disclosure filed today alleges that the Department of Government Efficiency (DOGE) within the Social Security Administration (SSA) covertly created a live copy of the nation’s entire Social Security dataset in an unsecured cloud environment.
Chief Data Officer Charles Borges warned that, if malicious actors gain access, over 300 million Americans could face identity theft, loss of critical benefits, and the monumental task of re-issuing every Social Security number.
Key Takeaways
1. DOGE copied 300M SSNs into an unsecured AWS cloud.
2. An automated ETL pipeline synced live SSN data despite a court order.
3. The lapse risks mass identity theft and demands zero-trust security.
Allegations of Unsecured Cloud Storage
According to the protected disclosure submitted to the U.S. Office of Special Counsel, DOGE officials bypassed standard Information Security and Compliance (ISC) controls, including encryption-at-rest, role-based access control (RBAC), and continuous audit logging, when provisioning a cloud instance containing live Social Security Number (SSN) records.
Borges notes that neither independent vulnerability assessments nor penetration tests were conducted before spinning up the Amazon Web Services (AWS) S3 bucket storing PII, nor were strict Identity and Access Management (IAM) policies enforced.
The cloud environment lacked multi-factor authentication (MFA) on API endpoints and did not employ a secure key management service (KMS), rendering the SSN repository vulnerable to credential stuffing or API key leakage.
Court records show that a lawsuit filed in March 2025 resulted in a temporary restraining order preventing DOGE from accessing production SSN systems until June 6, 2025.
However, internal logs reviewed by Borges indicate that DOGE engineers continued to synchronize data via an automated ETL pipeline, using Python scripts and the SSA’s internal RESTful APIs, effectively cloning the live database outside SSA’s Security Operations Center (SOC).
Borges claims that DOGE’s actions constitute serious mismanagement and abuse of authority by bypassing the SSA’s Change Management Board (CMB) and violating federal cloud security guidance (NIST SP 800-144).
“This operation not only breaches the Privacy Act but also exposes the public to a significant cyber-attack surface,” Borges wrote in his internal memo.
One SSA executive reportedly acknowledged the risk, stating that the agency might need to re-issue SSNs en masse should the data be compromised.
Andrea Meza, counsel for the whistleblower, urged Congress and the Office of Special Counsel to launch immediate oversight.
She emphasized that mitigation measures such as enforcing zero-trust architecture, rotating access keys, and deploying real-time intrusion detection systems (IDS) must be implemented without delay to protect Americans’ most sensitive identifiers.
A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.
The activity, assessed to be opportunistic in nature, has been attributed to a threat actor that Google Threat Intelligence Group and Mandiant track as UNC6395.
“Beginning as early as
Cybersecurity researchers have discovered five distinct activity clusters linked to a persistent threat actor known as Blind Eagle between May 2024 and July 2025.
These attacks, observed by Recorded Future Insikt Group, targeted various victims, but primarily within the Colombian government across local, municipal, and federal levels. The threat intelligence firm is tracking the activity under