-
The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of services across the world, according to new findings from Palo Alto Networks Unit 42. “Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is
-
The cybersecurity landscape experienced a significant shift in July 2025 when threat actors associated with Warlock ransomware began exploiting a critical zero-day vulnerability in Microsoft SharePoint.
Discovered on July 19, 2025, the ToolShell vulnerability, tracked as CVE-2025-53770, became a primary vector for deploying the notorious Warlock ransomware across multiple organizations globally.
This exploitation marked a notable escalation in the threat landscape, introducing a sophisticated attack methodology that combines known exploitation techniques with emerging malware tactics.
Warlock’s emergence traces back to June 2025, though its initial prominence remained limited until the ToolShell zero-day attacks commenced.
The ransomware distinguishes itself through its China-based operational framework, a departure from the traditional Russian-centric ransomware ecosystem.
What began as a localized threat rapidly evolved into a coordinated attack campaign targeting organizations across diverse sectors, from engineering firms in the Middle East to financial institutions in the United States.
Symantec analysts and Carbon Black researchers identified a sophisticated operational structure behind Warlock’s deployment.
The investigation revealed that the threat group, known as Storm-2603 to Microsoft threat intelligence teams, deployed Warlock alongside multiple ransomware payloads including LockBit 3.0.
This multi-payload approach demonstrated operational flexibility and suggested a broader arsenal of attack capabilities.
Understanding the Infection Mechanism and Persistence Tactics
The infection mechanism employed by Warlock actors showcases considerable technical sophistication.
The attackers utilized DLL sideloading as their primary execution method, leveraging the legitimate 7-Zip application (7z.exe) to load a malicious payload named 7z.dll.
This technique, widely adopted by Chinese threat actors, bypassed conventional security detections by disguising malicious code within legitimate application processes.
Once executed, Warlock implemented aggressive file encryption using the .x2anylock extension for encrypted files.
Security researchers observed that Warlock appeared to be a rebrand of the older Anylock payload, though it incorporated modifications derived from LockBit 3.0 source code.
The ransomware deployed a custom command and control framework designated ak47c2, enabling the attackers to maintain persistent communication channels with infected systems.
Additionally, the threat actors deployed custom defense evasion tools signed with a stolen certificate from coolschool, utilizing Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and establish system dominance.
The post Warlock Ransomware Actors Exploiting Sharepoint ToolShell Zero-Day Vulnerability in New Attack Wave appeared first on Cyber Security News.
-
Put your furloughed nuclear-security staff back to work, 27 lawmakers urged Energy Department leaders in a Thursday letter.
The Oct. 20 idling of nearly 80% of National Nuclear Security Administration personnel encourages foreign enemies and endangers the United States, the House members said in a letter written by Rep. Dina Titus, D-Nev., to Energy Secretary Chris Wright and National Nuclear Security Administrator Brandon Williams.
“These federal employees play a critical oversight role in ensuring that the work required to maintain nuclear security is carried out in accordance with long-standing policy and the law,” said Titus, whose state is home to the Nevada National Security Site, in the letter. “Undermining the agency’s workforce at such a challenging time for U.S. global leadership diminishes our credible deterrence, emboldens our international adversaries, and makes the world a more dangerous place.”
Wright announced the furloughs Monday while visiting the Nevada National Security Site, which conducts subcritical experiments and manages stockpile stewardship programs for the nation’s nuclear arsenal. The Energy Secretary said the NNSA expended its funding for federal personnel this week, though the agency was “able to do some gymnastics” to help maintain funding for contractors.
“This has never happened before,” he said. “The NNSA, our umbrella organization, it’s been grouped together for 25 years. We’ve never furloughed workers in the NNSA, this should not happen, but this was as long as we could stretch the funding for the federal workers.”
In her letter, Titus asserted that while the NNSA did not deem the bulk of its workforce as excepted, its collaborators in the Defense Department have maintained “nearly every program associated with nuclear modernization, leaving the Navy and Air Force without counterparts to continue this critical work.”
She alluded to the potential that the furloughs were more a political calculation by the White House rather than the result of a budget shortfall, noting that the NNSA already faced the wrath of the Department of Government Efficiency earlier this year, when more than 300 NNSA probationary employees were laid off before the agency rescinded most of the dismissals.
“This is the fourth shutdown President Trump has presided over, but the NNSA has never furloughed employees during prior shutdowns. It begs the question why this step was necessary now and why more NNSA employees were not deemed essential, given the gravity of their duties,” she said.
Titus requested that Wright and Williams provide answers to Congress regarding the legal basis for declaring nearly 1,400 NNSA employees as not excepted, as well as information on how many employees were furloughed in total, how many remain on duty and which offices were impacted by Nov. 7.
-
A sophisticated Python-based remote access trojan has emerged in the gaming community, disguising itself as a legitimate Minecraft client to compromise unsuspecting users.
The malware, identified as a multi-function RAT, leverages the Telegram Bot API as its command and control infrastructure, enabling attackers to exfiltrate stolen data and remotely interact with victim machines.
By masquerading as “Nursultan Client,” a name associated with a legitimate Minecraft modification popular among Eastern-European and Russian gaming communities, the threat successfully deceives users into executing the malicious payload.
The malware was packaged using PyInstaller, resulting in an unusually large 68.5 MB executable file.
This inflation serves a dual purpose: accommodating Python dependencies while evading security tools configured to bypass files exceeding certain size thresholds.
Upon execution, the sample immediately conceals its presence by hiding the console window on Windows systems while displaying a fake installation progress bar to maintain the illusion of legitimate software installation.
[Figure: Fake installation progress bar (Source – Netskope)]
Netskope researchers identified the threat during routine threat hunting activities, discovering the executable with SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61.
The analysis revealed that the malware attempts to establish persistence by creating a registry key named “NursultanClient” in the Windows startup path. However, this persistence mechanism contains critical flaws that will likely cause it to fail.
The malware incorrectly constructs the startup command for the compiled executable, as it was designed for a raw Python script rather than a PyInstaller application.
Additionally, the temporary directory created during execution is deleted once the process exits, preventing the malware from running on subsequent system startups.
Telegram-Based Command and Control Infrastructure
The malware’s core operation centers on its abuse of Telegram as a covert command and control channel.
The script contains a hardcoded Telegram Bot Token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) and a restricted list of allowed Telegram user IDs (6804277757), ensuring only the authorized attacker can issue commands to infected machines.
This design suggests a Malware-as-a-Service distribution model, where the hardcoded user ID functions as a basic licensing mechanism.
The threat actor can easily modify this single identifier for each buyer, recompile the executable, and distribute personalized copies that only individual purchasers can control.
The malware signature “by fifetka” embedded within system reconnaissance reports further supports this commercialized approach, indicating an operation designed to attract low-level threat actors rather than representing a single attacker’s campaign.
The RAT includes extensive information-stealing capabilities targeting Discord authentication tokens across multiple platforms, including stable, PTB, and Canary builds.
It scans local storage files and user data directories of major web browsers such as Chrome, Edge, Firefox, Opera, and Brave, extracting tokens from both LevelDB and SQLite databases.
Beyond credential theft, the malware provides comprehensive surveillance features, including screenshot capture, webcam photography, and system reconnaissance capabilities that collect detailed profiles containing computer names, usernames, operating system versions, processor specifications, memory usage, and both local and external IP addresses.
The post New Python RAT Mimic as Legitimate Minecraft App Steals Sensitive Data from Users Computer appeared first on Cyber Security News.
-
In 2025, the digital landscape is more complex and perilous than ever. Organizations face an unrelenting barrage of sophisticated cyber threats, from advanced ransomware campaigns to nation-state-backed attacks. As a result, many are turning to SOC as a Service Providers to gain around-the-clock security monitoring, threat detection, and incident response without the overhead of building […]
The post Top 10 Best Security Operations Center (SOC) as a Service Providers in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The SideWinder advanced persistent threat group has emerged with a sophisticated new attack methodology that leverages ClickOnce applications to deploy StealerBot malware against diplomatic and governmental targets across South Asia.
In September 2025, security researchers detected a targeted campaign affecting institutions in Sri Lanka, Pakistan, Bangladesh, and diplomatic missions based in India.
The attacks represent a notable evolution in the threat actor’s tradecraft, moving beyond traditional Microsoft Word-based exploits to embrace a more complex PDF and ClickOnce infection chain designed to circumvent modern security controls.
The campaign unfolded through multiple waves of spear-phishing emails, each carefully crafted with region-specific themes to manipulate victims into executing malicious payloads.
Attack lures included documents titled “Inter-ministerial meeting Credentials.pdf” and “Relieving order New Delhi.pdf,” which prompted targets to download what appeared to be an updated version of Adobe Reader.
When victims clicked the embedded button, they unknowingly initiated a ClickOnce application download from attacker-controlled infrastructure.
These applications bore valid digital signatures from MagTek Inc., not through certificate theft but via DLL side-loading of legitimate MagTek binaries—a technique that allowed the malware to bypass Windows security warnings and execute without raising immediate suspicion.
Trellix analysts identified the malware’s sophisticated evasion mechanisms after detecting the fourth wave of attacks through their SecondSight hunting capabilities on Trellix Email Security.
The researchers noted that SideWinder implemented advanced operational security measures including geofencing, which restricted payload delivery to IP addresses originating from targeted regions.
This geographic restriction prevented security researchers outside South Asia from accessing live malware samples, significantly complicating analysis efforts.
Additionally, the threat actors employed dynamically generated URLs with random numeric components and time-limited payload availability, ensuring that malicious components remained accessible only during narrow windows immediately following initial compromise.
The technical sophistication extends to the malware’s persistence and execution mechanisms.
Once the ClickOnce application executes, it drops DEVOBJ.dll alongside an encrypted payload file with randomized extensions such as .ns5 or .1ym.
The DLL performs XOR decryption using the first 42 bytes of the encrypted file as the key, revealing a .NET loader (App.dll) that downloads ModuleInstaller from the command-and-control server.
ModuleInstaller then profiles the compromised system and retrieves configuration files, including TapiUnattend.exe—a legitimate Windows binary—and wdscore.dll, which side-loads to execute the final-stage StealerBot malware.
The malware demonstrates adaptive behavior by detecting installed antivirus products and adjusting its execution path accordingly, using mshta.exe for Avast or AVG detections and pcalua.exe when Kaspersky is present.
ClickOnce Application Structure and DLL Side-Loading
The infection chain’s core strength lies in its abuse of ClickOnce’s trusted application deployment framework.
SideWinder weaponized legitimate MagTek Reader Configuration application (version 1.5.13.2) by preserving its structural integrity while replacing critical components.
[Figure: SideWinder’s PDF version execution chain (Source – Trellix)]
The attackers substituted the authentic MagTek public key token (7ee65bc326f1c13a) with null values (0000000000000000) in the manifest, maintaining valid certificate chains to evade detection.
The application’s branding was modified from MagTek to “Adobe Compatibility Suite,” complete with an Adobe Reader icon replacement, perfectly aligning with the phishing lure’s premise.
    <!-- Malicious ClickOnce Manifest Excerpt -->
    <dependency>
      <dependentAssembly>
        <assemblyIdentity name="ReaderConfiguration" version="1.5.13.2" publicKeyToken="0000000000000000" />
      </dependentAssembly>
    </dependency>
The payload delivery mechanism substituted legitimate JSON configuration files (DeviceImages.json and EmvVendorConfig.json) with malicious DEVOBJ.dll (SHA256: c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6).
This DLL serves as the side-loading vector for subsequent stages. The manifest included useLegacyV2RuntimeActivationPolicy="true" to enable compatibility with older .NET Framework versions, facilitating execution of legacy malware components.
After execution, a decoy PDF document displays to victims, maintaining the illusion of legitimate document processing while malware establishes persistence and begins data exfiltration operations in the background.
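As an added illustration of the manifest tampering described above (example code written for this page, not Trellix’s tooling or anything taken from the campaign), the following Python triages a ClickOnce application manifest for the indicators the article names: an all-zero publicKeyToken, a dependency served from a file whose name does not match its assembly identity (DEVOBJ.dll), deployed files with unusual extensions, and useLegacyV2RuntimeActivationPolicy. Both manifests are constructed samples; element placement, file sizes and the benign file names are assumptions.

```python
import xml.etree.ElementTree as ET

# File extensions normally present in a ClickOnce deployment. Anything else
# in the manifest's <file> list (the article cites .ns5 and .1ym) is flagged.
EXPECTED_EXTS = {"exe", "dll", "config", "manifest", "deploy", "json",
                 "xml", "ico", "pdb", "txt", "png", "jpg"}

# Constructed manifest modelled on the excerpt quoted in the article. The
# null publicKeyToken, version 1.5.13.2, DEVOBJ.dll and the legacy runtime
# attribute come from the article; element placement, sizes and the other
# file names are assumptions for this example.
MALICIOUS_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <asmv1:assemblyIdentity name="ReaderConfiguration.exe" version="1.5.13.2"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" type="win32" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="DEVOBJ.dll" size="4096">
      <assemblyIdentity name="ReaderConfiguration" version="1.5.13.2"
          publicKeyToken="0000000000000000" />
    </dependentAssembly>
  </dependency>
  <file name="AdobeReader.ico" size="1024" />
  <file name="payload.ns5" size="65536" />
  <startup useLegacyV2RuntimeActivationPolicy="true" />
</asmv1:assembly>"""

# Constructed benign counterpart: the real MagTek token quoted in the
# article, a dependency served from a matching file name, no legacy policy.
CLEAN_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <asmv1:assemblyIdentity name="ReaderConfiguration.exe" version="1.5.13.2"
      publicKeyToken="7ee65bc326f1c13a" language="neutral"
      processorArchitecture="msil" type="win32" />
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="ReaderConfiguration.dll" size="4096">
      <assemblyIdentity name="ReaderConfiguration" version="1.5.13.2"
          publicKeyToken="7ee65bc326f1c13a" />
    </dependentAssembly>
  </dependency>
  <file name="DeviceImages.json" size="2048" />
</asmv1:assembly>"""


def _local(name):
    """Strip the XML namespace ('{uri}name') from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def triage_manifest(xml_text):
    """Return a list of human-readable findings for one ClickOnce manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        attrs = {_local(k): v for k, v in el.attrib.items()}

        # 1. A publicKeyToken of all zeros is not a strong-name token at all.
        if tag == "assemblyIdentity":
            token = attrs.get("publicKeyToken", "")
            if token and set(token) == {"0"}:
                findings.append(f"null publicKeyToken on '{attrs.get('name')}'")

        # 2. A dependency whose on-disk file name does not match its identity
        #    (DEVOBJ.dll standing in for ReaderConfiguration) is a side-loading tell.
        if tag == "dependentAssembly" and attrs.get("codebase"):
            codebase = attrs["codebase"]
            base = codebase.rsplit("/", 1)[-1].rsplit(".", 1)[0]
            for child in el:
                if _local(child.tag) == "assemblyIdentity":
                    ident = child.get("name", "")
                    if base.lower() != ident.lower():
                        findings.append(f"dependency '{ident}' served from '{codebase}'")

        # 3. Deployed files with extensions a ClickOnce app has no use for.
        if tag == "file":
            fname = attrs.get("name", "")
            ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext not in EXPECTED_EXTS:
                findings.append(f"unexpected payload extension on '{fname}'")

        # 4. Forcing the legacy .NET activation policy, as the article reports.
        if attrs.get("useLegacyV2RuntimeActivationPolicy", "").lower() == "true":
            findings.append(f"useLegacyV2RuntimeActivationPolicy=true on <{tag}>")
    return findings
```

Calling triage_manifest(MALICIOUS_MANIFEST) yields five findings (two null tokens, the DEVOBJ.dll mismatch, the .ns5 payload and the legacy policy), while the clean manifest yields none; the heuristics are a triage aid, not a signature.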
The StealerBot malware represents the campaign’s ultimate objective, designed for comprehensive espionage operations.
While researchers successfully identified the core infection chain components, geofencing restrictions prevented the acquisition of additional plugin modules beyond IPHelper.dll, which manages proxy communications within the malware ecosystem.
The campaign’s infrastructure—spanning domains like mofa-gov-bd[.]filenest[.]live and mod-gov-bd[.]snagdrive[.]com—demonstrates deliberate impersonation of government ministries to enhance social engineering effectiveness.
This combination of technical sophistication and operational security reflects an adversary committed to long-term espionage objectives against strategic regional targets.
The post SideWinder Hacking Group Uses ClickOnce-Based Infection Chain to Deploy StealerBot Malware appeared first on Cyber Security News.
-
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Services (WSUS) vulnerability that has a publicly available proof-of-concept (PoC) exploit and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant
-
Americas
B-1 bombers fly off Venezuelan coast. Two supersonic B-1 Lancers took off from Dyess Air Force Base in rural Texas on Thursday and traveled upwards of 2,000 miles to fly within several miles of Venezuela, the Wall Street Journal reported. B-1 bombers seldom fly near South America but more missions “could be carried out soon,” two U.S. officials told WSJ.
President Trump said at the White House the story was “not accurate,” even though the B-1s’ flight paths were revealed by publicly available flight tracking data. Defense Secretary Pete Hegseth, who was at the Q&A session with reporters, did not correct the president, Fox reported.
The demonstration marks the latest use of the U.S. military to increase pressure on President Nicolás Maduro. Last week, B-52 bombers and F-35Bs staged an “attack demonstration" on an island off the Venezuelan coast. Other recent military activity in the region has included flights by MQ-9 Reaper drones and P-8 maritime patrol aircraft and even an Air Force Special Operations exercise.
Welcome to this Friday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Thomas Novelly and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1944, the USS Princeton (CVL-23) sank in the Philippines after being hit by a Japanese bomb during the World War II Battle of Leyte Gulf.
Shutdown
Trump says a “friend of mine” donated $130 million for military pay to cover potential paycheck shortfalls during the government shutdown. The president declined to name the donor, Reuters reported. That personal check is, ultimately, a drop in the bucket compared to the $236 billion requested for troops’ pay in the fiscal 2025 budget, and it’s not clear whether the money will cover troops’ Oct. 31 paychecks.
ICYMI: Payroll funding for service members, like that of other federal employees, is frozen during the shutdown, but Trump directed some money—reportedly, $8 billion—be diverted from research pools to pay troops. It’s not clear whether that was legal.
Gridlock continues after Senate Democrats blocked a Republican-sponsored bill Thursday to pay active-duty service members and essential federal workers in a nearly party-line vote of 54-45, the Hill reports. On Friday, the shutdown marked its 23rd day, marking the second-longest federal funding lapse in history.
Europe
Russian aircraft violated Lithuanian airspace on Thursday, officials said. An Su-30 fighter jet and an Il-78 refueling tanker flew over the Baltic nation for about 18 seconds, the country’s military said on X. Russia’s Defense Ministry disputed the claim, the Associated Press reported.
Lithuania’s foreign ministry announced plans to summon Russian diplomats. “This is a blatant breach of international law and territorial integrity of Lithuania,” President Gitanas Nausėda wrote on X. “Once again, it confirms the importance of strengthening European air defence readiness.”
The incident is Russia’s latest aerial incursion into NATO allies’ territory. Last month, Moscow sent around two dozen unarmed drones into Polish airspace, and days later Russian fighters swept across the Estonian border. Defense One’s Patrick Tucker recently detailed how varying responses to air incursions have led to rare public disagreements between treaty allies.
Around the Defense Department
What is homeland defense? Budget experts said a new national security strategy could redefine what homeland defense operations entail, including border security, counter-drug enforcement, and law enforcement. Budget experts at a Center for a New American Security event on Thursday wondered if the next defense budget would reflect those shifts. Defense One’s Meghann Myers has more from the event.
But as budget experts await the release of the National Defense Strategy, some question whether it will actually change how the Trump administration prioritizes its military spending. “At the end of the day, the National Defense Strategy is a piece of paper, and it's not worth anything unless the administration actually intends to follow it, to use it as a guiding framework,” said Todd Harrison, a senior fellow at the American Enterprise Institute.
Acting USAF JAG steps down. Eight months after SecDef Hegseth fired the Air Force’s top lawyer, the judge advocate general tasked with those duties has stepped down. Maj. Gen. Rebecca Vernon, who had served as deputy Air Force JAG, became acting JAG after Hegseth’s widespread purge of military leaders and top lawyers.
Former military attorneys are worried about what the lack of top legal leadership will mean for the Air Force. “It’s tough to make any long-term plans without that position filled,” one lawyer said. “There’s a ripple effect throughout the [JAG] Corps that hurts morale, retention, budgets, hiring, and every major policy decision.” Defense One’s Thomas Novelly has more.
The Air Force wants private AI data centers on its bases. A lease proposal from the service is offering up more than 3,000 acres of “underutilized land” across five of its military bases, according to a new proposal posted online. The Air Force’s pitch follows a late July executive order in which Trump promised a “golden age for American manufacturing and technological dominance” by giving up public land for private use.
Experts are worried by the unprecedented move and fear the government may not get use of the land back. “I have never heard of something like this before, where some of the public land was going to be leased to private companies to use,” said Stacie Pettyjohn, a senior fellow and director of the Defense Program at the Center for a New American Security think tank. “I think it is noteworthy…because it is potentially ceding land that the U.S. government will actually never get control over again.” Novelly has more here.
“Neighborhood watch.” Satellite imaging company Vantor signed a contract with the U.S. Space Force to monitor for satellites and debris that ground-based sensors might miss. The company, formerly Maxar Intelligence, will use existing satellites it has in orbit to protect U.S. assets in low Earth orbit, said Susanne Hake, Vantor’s general manager for U.S. government. Tucker has more for Defense One, here.
Lastly today: Dissenting judges issued scathing warnings after the 9th Circuit Court of Appeals declined to revisit a panel decision to reject a legal challenge to the federalized deployment of California National Guard troops to Los Angeles this summer, Talking Points Memo reported. “The democratic ideals our nation has consistently promoted for the last quarter millennium will be gravely undercut by allowing military force and weapons of war to be deployed against American citizens on U.S. soil on the flimsy grounds asserted here for this use of Executive power,” wrote Judge Ronald Gould, a Clinton appointee.
-
The Advanced Persistent Threat group MuddyWater, widely recognized as an Iran-linked espionage actor, has orchestrated a sophisticated phishing campaign targeting more than 100 government entities and international organizations across the Middle East, North Africa, and beyond.
The operation, which became active in mid-August 2025, represents a significant escalation in the group’s tradecraft, introducing version 4 of the Phoenix backdoor malware alongside newly developed tools designed to evade traditional security defenses.
The campaign gained momentum through a deceptively simple yet effective technique: a compromised mailbox accessed via NordVPN.
MuddyWater leveraged this access point to send phishing emails to high-value targets, impersonating legitimate correspondence from trusted organizations.
The emails contained Microsoft Word attachments that appeared innocuous, prompting recipients to “enable content” to view the document.
This social engineering approach exploited the inherent trust users place in familiar communication channels, significantly increasing the likelihood of successful infections.
Once recipients enabled macros within the Word documents, malicious Visual Basic for Application code executed on their systems, initiating a multi-stage attack chain.
[Figure: An overview of the execution killchain (Source – Group-IB)]
The embedded macros functioned as a dropper, retrieving and executing the FakeUpdate loader, an injector-style component that decrypts and injects encrypted payloads directly into its own process memory, bypassing traditional file-based detection mechanisms.
Group-IB analysts identified the second-stage payload as Phoenix backdoor version 4, a custom malware exclusively tied to MuddyWater operations.
This latest iteration demonstrates technological refinement, employing registry-based persistence through modifications to the Winlogon shell value while simultaneously creating mutex objects for coordination.
The backdoor registers infected hosts with attacker command-and-control infrastructure, establishing continuous beaconing relationships that enable remote command execution, data exfiltration, and post-exploitation activities.
Technical Evolution and Persistence Mechanisms
The Phoenix v4 variant introduces sophisticated persistence tactics beyond traditional registry manipulation.
Analysis revealed embedded Component Object Model Dynamic Link Library artifacts designed to launch additional malware, such as Mononoke.exe, through alternative execution pathways.
The malware systematically gathers comprehensive system information—computer names, domain configurations, Windows versions, and user credentials—before initiating communication with C2 servers via WinHTTP protocols.
Command mappings indicate support for file uploads, shell execution, and sleep interval modifications, providing attackers granular control over compromised systems.
Infrastructure investigation uncovered the hardcoded C2 domain screenai[.]online, registered on August 17, 2025, and operational for approximately five days.
The real server address, 159.198.36.115, hosted additional tools including a custom Chromium browser credential stealer and legitimate Remote Monitoring and Management utilities like PDQ and Action1.
The credential stealer specifically targets stored passwords from Chrome, Opera, Brave, and Microsoft Edge by extracting encrypted master keys and writing harvested credentials to staging files for exfiltration.
MuddyWater’s deployment of this integrated toolkit—combining custom malware with legitimate RMM solutions—demonstrates sophisticated understanding of operational security and persistence mechanisms, underscoring the group’s commitment to long-term espionage objectives rather than opportunistic campaigns.
The post MuddyWater Using New Malware Toolkit to Deliver Phoenix Backdoor Malware to International Organizations appeared first on Cyber Security News.
-
RedTiger is an open-source red-teaming tool repurposed by attackers to steal sensitive data from Discord users and gamers.
Released in 2025 on GitHub, RedTiger bundles penetration-testing utilities, including network scanners and OSINT tools. But its infostealer module has gone rogue, with malicious payloads circulating online since early 2025.
Netskope Threat Labs reported multiple variants targeting French-speaking gamers, based on sample filenames and custom warnings like “Attention, ton PC est infecté!” (Warning, your PC is infected!).
This marks the second gamer-focused infostealer Netskope has tracked this month, following a Python RAT aimed at Minecraft players.
RedTiger Tool Abused
Attackers favor RedTiger for its modularity and ease of customization, much like the abused Cobalt Strike framework. Distributed as PyInstaller-compiled binaries, these samples masquerade as game cheats or mods, tricking users into execution.
The malicious RedTiger-based infostealer zeroes in on Discord accounts, injecting JavaScript into the app’s core files to hijack API traffic.
It snags tokens via regex searches in Discord’s databases, validates them through API calls, and extracts user details like emails, MFA status, and subscription levels.
Even password changes don’t escape; the malware intercepts updates to billing endpoints for Stripe and Braintree, capturing card info, PayPal details, and Nitro purchases.
Beyond social platforms, it raids browsers such as Chrome, Firefox, and Edge, and niche ones like Opera GX, for cookies, passwords, history, and credit cards.
Game files from Roblox and crypto wallets like MetaMask are copied wholesale, while .txt, .sql, and .zip files matching keywords (e.g., “passwords”) get archived.
Roblox-specific cookie extraction via browser_cookie3 reveals account info through API queries. The malware adds persistence on Windows by dropping into startup folders, though Linux and macOS implementations falter without manual tweaks.
For evasion, it scans for sandbox indicators, such as usernames like “sandbox” or hardware IDs tied to analysis tools, and self-terminates when it finds them, Netskope said.
It also edits the hosts file to block security vendors and spawns hundreds of junk files and processes to clog forensics.
Exfiltration is clever: Stolen data zips up and uploads to anonymous GoFile storage, with links pinged to attackers via Discord webhooks, including victim IP and geolocation.
RedTiger’s webcam snaps and screenshots round out its espionage kit, using OpenCV and Pillow libraries. Netskope detects it as Win64.Trojan.RedTiger, urging gamers to scan downloads and enable two-factor authentication.
As infostealers evolve, experts warn of more variants. “Gamers’ shared files and Discord reliance make them prime targets,” said Netskope’s Rayudu Venkateswara Reddy. Victims should monitor accounts and use antivirus with behavioral detection to stay ahead.
The post New Red Teaming Tool RedTiger Attacking Gamers and Discord Accounts in the Wild appeared first on Cyber Security News.