The UK’s Information Commissioner’s Office has imposed a £14 million penalty on Capita following a major cyber attack in March 2023 that exposed the personal information of 6.6 million people. The fine was split between Capita plc, which received £8 million, and its subsidiary Capita Pension Solutions Limited, which was fined £6 million. The breach […]
In a recently uncovered campaign, the Mysterious Elephant advanced persistent threat (APT) group has executed a sophisticated series of intrusions against government and foreign policy agencies across the Asia-Pacific region. The latest operations, active since early 2025, rely on custom-built malware modules and modified open-source utilities to target and siphon off documents, images, and archives […]
Since its public debut in October 2025, nightMARE has quickly become a vital tool for malware analysts seeking to streamline static and dynamic analysis workflows.
Developed by Elastic Security Labs, nightMARE brings together mature open-source reverse engineering components under a unified Python API.
Rather than forcing users to juggle disparate dependencies, nightMARE uses Rizin via rz-pipe for disassembly and the Unicorn engine for lightweight emulation.
This cohesive design empowers researchers to rapidly craft configuration extractors, carve IoCs, and automate recurring analysis tasks.
Emerging from a need to reduce code duplication across Elastic’s internal tooling, nightMARE builds on practices honed over thousands of sample analyses.
Elastic analysts noted that many proprietary scripts suffered from fragile dependency chains and inconsistent abstractions.
By encapsulating common patterns—such as pattern matching, instruction emulation, and cross-reference enumeration—within a robust library, nightMARE provides a stable foundation for both seasoned and novice reverse engineers.
Upon installation, nightMARE exposes three main modules: analysis, core, and malware. The analysis module integrates Rizin to enable disassembly, hex-pattern searches, and function enumeration.
The core module offers utilities for bitwise operations, regex-based extraction, and data casting.
Finally, the malware module groups family-specific extractors—ranging from Smokeloader to LUMMA—into versioned sub-packages that demonstrate real-world uses of the API.
Elastic researchers identified a significant spike in LUMMA stealer campaigns in mid-2025, underscoring the value of rapid configuration extraction.
Through nightMARE’s emulation capabilities, analysts can instantiate a WindowsEmulator, register Import Address Table (IAT) hooks on APIs such as Sleep, and execute targeted code sequences in seconds.
By intercepting decryption routines in-process, nightMARE automates the recovery of C2 domains without manual unpacking or debugger-driven tracing.
Infection Mechanism and Emulation-Driven Extraction
nightMARE’s emulation framework offers a lightweight alternative to full-scale sandboxing. Consider the common technique where malware invokes Sleep before proceeding to C2 decryption.
The following code snippet demonstrates how nightMARE’s WindowsEmulator hooks Sleep in a LUMMA sample, capturing timing behavior and enabling uninterrupted emulation:
(Figure: LUMMA manually pushes Steam profile data for decryption. Source: Elastic)
By intercepting the Sleep call, the emulator advances past timing obfuscation and resumes execution at the next instruction.
Combined with emu.get_data() and emu.get_xrefs_from(), analysts reconstruct decryption key and nonce addresses, allocate memory buffers, and invoke the malware’s ChaCha20 routine directly.
Ultimately, nightMARE outputs a decrypted list of C2 domains, ready for threat intelligence ingestion.
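The final step of the workflow above, the ChaCha20 decryption of the dumped C2 blob, as an added example that is not Elastic’s nightMARE code: a pure-Python ChaCha20 (RFC 8439 layout) that lets an analyst check the emulator’s output against an independent implementation. The key, nonce, ciphertext and the NUL-separated domain layout are constructed assumptions, not values from a real sample.

```python
import struct

# Constructed sample values (not from a real LUMMA sample); in the emulator
# workflow these would be the key, nonce and ciphertext read with emu.get_data().
KEY = bytes(range(32))            # 32-byte ChaCha20 key
NONCE = b"\x00" * 12              # 12-byte nonce (RFC 8439 layout)
PLAINTEXT = b"c2-one.example\x00c2-two.example\x00"  # assumed NUL-separated list


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block: constants, key, counter, nonce; 20 rounds."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += list(struct.unpack("<8I", key))
    state += [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):  # 10 double rounds: 4 column + 4 diagonal quarter rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(work, a, b, c, d)
    return struct.pack("<16I", *((w + s) & 0xFFFFFFFF for w, s in zip(work, state)))


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], block))
    return bytes(out)


def extract_c2(key, nonce, blob):
    """Decrypt the blob and split the (assumed) NUL-separated domain list."""
    return [d.decode() for d in chacha20_xor(key, nonce, blob).split(b"\x00") if d]


# Constructed ciphertext, produced by encrypting the sample plaintext above.
SAMPLE_BLOB = chacha20_xor(KEY, NONCE, PLAINTEXT)

if __name__ == "__main__":
    print(extract_c2(KEY, NONCE, SAMPLE_BLOB))
```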
With version 0.16, Elastic Security Labs continues to expand nightMARE’s repertoire, adding emulation support for additional API hooks, enhancing pattern-matching accuracy, and refining malware module templates.
As emerging threats exploit novel obfuscation and packing schemes, nightMARE stands poised to accelerate analysis pipelines and empower the community’s collective defense.
The Apache Software Foundation has disclosed a critical vulnerability in its ActiveMQ NMS AMQP Client that could allow attackers to execute arbitrary code on vulnerable systems.
Tracked as CVE-2025-54539, this deserialization flaw poses a serious risk to applications relying on the client for messaging over AMQP protocols.
The issue was publicly detailed in an advisory on October 15, 2025, urging immediate upgrades to mitigate potential exploits.
The vulnerability stems from improper handling of untrusted data during connections to AMQP servers. Specifically, in versions up to and including 2.3.0, the client’s deserialization logic is unbounded, so a malicious server can abuse it.
By crafting specially designed responses, attackers could trigger remote code execution on the client side, potentially compromising entire networks or applications.
Deserialization weaknesses of this kind have long been a vector for sophisticated attacks, as they bypass typical input validation and directly manipulate object state in memory.
Apache ActiveMQ Vulnerability
Efforts to secure the client weren’t foolproof. Starting with version 2.1.0, Apache introduced allow and deny lists to restrict deserialization, aiming to limit what classes could be instantiated from incoming data.
However, security researchers at Endor Labs discovered that these controls could be circumvented under specific conditions, such as through cleverly nested objects or alternative serialization paths.
This bypass effectively nullified the protection, leaving users exposed to the full scope of the flaw. The discovery highlights the challenges in securing legacy serialization mechanisms, especially in .NET environments where binary formats have been a staple.
As .NET 9 deprecates binary serialization (a move by Microsoft to curb similar risks), Apache is now weighing the complete removal of this support from the NMS API in upcoming releases.
This shift aligns with broader industry trends toward safer alternatives like JSON or Protocol Buffers, reducing the attack surface for deserialization-based exploits.
Mitigations
To address CVE-2025-54539, Apache recommends upgrading to version 2.4.0 or later, where the deserialization logic has been fortified against these attacks.
For projects still tied to .NET binary serialization, migrating to modern formats is essential as a hardening measure.
Organizations using ActiveMQ in distributed systems, such as financial services or IoT infrastructures, should prioritize patching to prevent lateral movement by threat actors.
Discovered by Endor Labs’ Security Research Team, this vulnerability underscores the need for vigilant third-party dependency management.
With a CVSS score indicating important severity, unpatched instances could invite ransomware or data exfiltration.
Developers are advised to scan their supply chains and test connections to external AMQP brokers, ensuring no untrusted endpoints can influence client behavior.
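One way to act on the supply-chain advice above, as an added example that is not Apache’s or Endor Labs’ code: a small scanner that reads .csproj and packages.config files and reports references to the client below the fixed release. It assumes the client ships as the NuGet package Apache.NMS.AMQP and that 2.4.0 is the first fixed version, as stated above; the project files are constructed samples.

```python
import xml.etree.ElementTree as ET

# Assumptions: NuGet package id of the client and the first fixed version.
PACKAGE_ID = "Apache.NMS.AMQP"
FIXED = (2, 4, 0)


def parse_version(text):
    """'2.3.0' or '2.3.0-rc1' -> (2, 3, 0). NuGet range syntax is not handled."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def find_references(xml_text):
    """Yield (package id, version) from an SDK-style .csproj or a packages.config."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag == "PackageReference" and el.get("Include"):
            yield el.get("Include"), el.get("Version") or (el.findtext("Version") or "")
        elif tag == "package" and el.get("id"):
            yield el.get("id"), el.get("version", "")


def vulnerable_references(xml_text):
    """Return [(id, version)] for Apache.NMS.AMQP references below the fixed version."""
    hits = []
    for pkg, version in find_references(xml_text):
        if pkg.lower() == PACKAGE_ID.lower() and version and parse_version(version) < FIXED:
            hits.append((pkg, version))
    return hits


# Constructed sample project files (not taken from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Apache.NMS.AMQP" version="2.4.0" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    print(vulnerable_references(SAMPLE_CSPROJ))           # flagged: 2.3.0
    print(vulnerable_references(SAMPLE_PACKAGES_CONFIG))  # clean: 2.4.0
```

Run it over a checkout with a file walk; projects that pull the client transitively still need a lockfile or `dotnet list package --include-transitive` style review, which this scan does not replace.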
An important security flaw in Apache ActiveMQ’s .NET client library has put developers at risk of remote code execution. The vulnerability, tracked as CVE-2025-54539, exists in the Apache ActiveMQ NMS AMQP Client and can be triggered when the client connects to a malicious AMQP server. Attackers can exploit this flaw to run arbitrary code on […]
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. The URL leveraged a legacy web technique—Basic Authentication URL formatting—to visually impersonate the bank and deceive customers. This discovery prompted a broader review of phishing activity that still relies on this old but effective technique, exposing how threat actors can reuse […]
Two newly disclosed vulnerabilities in Microsoft’s BitLocker drive encryption feature could allow attackers to bypass encryption safeguards on Windows systems. Tracked as CVE-2025-55333 and CVE-2025-55338, these flaws involve incomplete comparison logic and configuration weaknesses that may let a local, low-privileged user undermine BitLocker’s protection. BitLocker is designed to protect data at rest by encrypting entire […]
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe Experience Manager Forms vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited in the wild. The security issue, tracked as CVE-2025-54253, affects Adobe Experience Manager Forms in JEE and allows attackers to execute arbitrary code on vulnerable […]
The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it’s become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive.
Hackers don’t always break systems anymore — they use them. They hide inside trusted apps, copy real websites, and trick people into giving up control
Tracked as CVE-2025-10230, the vulnerability stems from improper input validation in Samba’s Windows Internet Name Service (WINS) hook mechanism, earning a perfect CVSS 3.1 score of 10.0 for its ease of exploitation and devastating potential impact.
Samba, the open-source implementation of the SMB/CIFS networking protocol widely used in Linux and Unix environments to mimic Windows file sharing and authentication, has long been a cornerstone for cross-platform enterprise networks.
However, this flaw exposes organizations relying on it as an Active Directory Domain Controller (AD DC) to unauthenticated attacks.
Discovered by security researcher Igor Morgenstern of Aisle Research, the issue affects all Samba versions since 4.0 when specific configurations are enabled, namely, WINS support and a custom ‘wins hook’ script in the smb.conf file.
Samba RCE Vulnerability
WINS, a deprecated Microsoft protocol from the pre-DNS era, resolves NetBIOS names in legacy Windows networks.
By default, WINS support is disabled in Samba, but when activated on an AD DC alongside the ‘wins hook’ parameter, which triggers an external script on name changes, the system becomes a sitting duck.
Attackers can send crafted WINS name registration requests containing shell metacharacters within the 15-character NetBIOS limit.
These inject arbitrary commands into the hook script, executed via a shell without any authentication or user interaction required.
The vulnerability’s scope is narrow but perilous: it only impacts Samba in AD DC mode (roles like ‘domain controller’ or ‘active directory domain controller’).
Standalone or member servers, which use a different WINS implementation, remain unaffected. In practice, this could let remote threat actors on the network pivot to full system compromise, exfiltrating sensitive data, deploying ransomware, or escalating privileges in hybrid Windows-Linux setups common in enterprises.
Mitigations
Samba maintainers acted swiftly, releasing patches to their security portal and issuing updated versions: 4.23.2, 4.22.5, and 4.21.9.
Administrators should prioritize upgrades, especially in environments with legacy WINS dependencies.
As a workaround, disable the ‘wins hook’ parameter entirely or set ‘wins support = no’ in smb.conf. Samba’s default configuration already avoids this risky combination, making most setups safe out of the box.
Experts urge a broader review: WINS is obsolete, and its use on modern domain controllers is rare and inadvisable. Even post-patch, admins might disable hooks altogether, as future Samba releases could drop support.
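A configuration check for the exposure described above, as an added example that is not Samba’s code: it reads the [global] section of smb.conf and flags the combination the advisory names (AD DC role, ‘wins support = yes’, and a ‘wins hook’ script). Samba’s own testparm remains the authoritative parser; the smb.conf excerpt and hook path here are constructed.

```python
# Constructed smb.conf excerpt (not from any real deployment) showing the
# risky combination: AD DC role + WINS support enabled + a wins hook script.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-update.sh   ; constructed path

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Role names the advisory lists as affected.
AD_DC_ROLES = {"domain controller", "active directory domain controller"}


def parse_global(conf_text):
    """Return the [global] section as a dict with normalised, lower-cased keys."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def is_true(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit_wins_hook(conf_text):
    """Return a list of findings; empty means the advisory's precondition is absent."""
    g = parse_global(conf_text)
    if g.get("server role", "").lower() not in AD_DC_ROLES:
        return []  # standalone and member servers use a different WINS path
    if not is_true(g.get("wins support", "no")):
        return []  # Samba's default; the hook is never invoked
    if not g.get("wins hook"):
        return []
    return ["AD DC has 'wins support = yes' and 'wins hook' set: remove the hook or "
            "set 'wins support = no', and upgrade to 4.23.2, 4.22.5 or 4.21.9"]


if __name__ == "__main__":
    print(audit_wins_hook(SAMPLE_SMB_CONF))
```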
With attack surfaces expanding in hybrid clouds, this incident underscores the need to audit and phase out antiquated protocols before they become entry points for nation-state actors or cybercriminals.