Cybercriminals are increasingly leveraging Virtual Private Server (VPS) infrastructure to orchestrate sophisticated attacks against Software-as-a-Service (SaaS) platforms, exploiting the anonymity and clean reputation of these hosting services to bypass traditional security controls.

A coordinated campaign identified in early 2025 demonstrated how threat actors systematically abuse VPS providers like Hyonix, Host Universal, Mevspace, and Hivelocity to compromise enterprise email accounts and establish persistent access to organizational systems.

The attack methodology centers on session hijacking techniques, where attackers utilize compromised credentials to log into SaaS accounts from VPS-hosted infrastructure.

This approach allows malicious actors to circumvent geolocation-based security measures by appearing as legitimate traffic from trusted hosting providers.

The clean IP reputation associated with newly provisioned VPS instances enables attackers to evade conventional blacklist-based detection systems, making their activities blend seamlessly with normal business operations.

Recent investigations spanning March through May 2025 revealed a surge in anomalous login activities originating from Hyonix’s Autonomous System Number (ASN AS931), with threat actors demonstrating remarkable consistency in their attack patterns across multiple victim environments.

Darktrace analysts identified suspicious activities including improbable travel scenarios where users appeared to access accounts simultaneously from distant geographical locations, indicating clear signs of credential compromise and session hijacking.

The campaign’s sophistication extends beyond initial access, incorporating Multi-Factor Authentication (MFA) bypass techniques through token manipulation and the systematic creation of obfuscated email rules designed to maintain stealth.

Attackers established persistence by creating inbox rules with minimal or generic names to avoid detection during routine security audits, automatically redirecting or deleting incoming emails to conceal their malicious activities.

Advanced Persistence and Evasion Mechanisms

The threat actors demonstrated advanced understanding of email security systems by implementing targeted inbox rule manipulation techniques that operate below the threshold of typical security monitoring.

The malicious rules specifically targeted emails containing sensitive organizational information, including communications from VIP personnel and financial documents.

Technical analysis revealed the use of MITRE ATT&CK technique T1098.002 (Exchange Email Rules) combined with T1071.001 (Web Protocols) for command and control operations.

Key indicators of compromise include IP addresses 38.240.42[.]160 and 194.49.68[.]244 associated with Hyonix infrastructure, alongside 91.223.3[.]147 from Mevspace Poland.

The attackers employed domain fluxing techniques for infrastructure resilience while maintaining operational security through carefully timed activities that coincided with legitimate user sessions, effectively masking their presence within normal business communications.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Hackers Abuse VPS Servers To Compromise Software-as-a-service (SaaS) Accounts appeared first on Cyber Security News.

A sophisticated traffic direction system known as Help TDS has been weaponizing compromised websites since 2017, transforming legitimate sites into gateways for elaborate tech support scams.

The operation specializes in deploying PHP code templates that redirect unsuspecting visitors to fraudulent Microsoft Windows security alert pages designed to deceive users into believing their systems are compromised.

The malicious infrastructure operates through a distinctive URL pattern using “/help/?d{14}” redirects, with examples including domains like gadbets[.]site/help/?29511696874942 and radiant.growsier[.]shop/help/?30721707351057.

These redirects lead victims to sophisticated scam pages that employ full-screen browser manipulation and exit prevention techniques, effectively trapping users within fabricated security warnings that mimic legitimate Microsoft alerts.

Help TDS has evolved into a comprehensive malware-as-a-service platform, providing standardized PHP injection templates and fully-featured malicious WordPress plugins to criminal affiliates.

The operation’s reach extends across multiple monetization channels, including dating, cryptocurrency, and sweepstakes scams for traffic that doesn’t meet tech support scam criteria.

GoDaddy researchers identified that the system has infected over 10,000 WordPress sites worldwide, with the malicious “woocommerce_inputs” plugin serving as the primary infection vector.

The campaign’s technical sophistication becomes evident through its integration with established malware operations, including DollyWay and Balada Injector.

After the disruption of the LosPollos affiliate network, Help TDS positioned itself as the dominant monetization platform, utilizing a Telegram channel called “trafficredirect” for distributing fresh redirect domains alongside fallback infrastructure through pinkfels[.]shop servers.

Advanced Plugin Evolution and Persistence Mechanisms

The malicious woocommerce_inputs plugin represents the pinnacle of Help TDS’s technical evolution, progressing through multiple versions with increasingly sophisticated capabilities.

Version 1.4 introduced advanced traffic filtering mechanisms, creating database tables such as “wp_ip_tracking” to monitor visitor IP addresses and prevent multiple redirections.

The malware implements temporal evasion by avoiding redirects on Sundays, geographic targeting focusing on USA, Canada, and Japan, and device filtering that exclusively targets desktop computers while ignoring mobile traffic.

The plugin’s persistence strategy involves delayed activation, waiting 24 hours post-installation before initiating redirects to obscure the connection between plugin installation and malicious activity.

Cookie management through “redirect” and “partner_” identifiers ensures visitors aren’t redirected multiple times within a 24-hour period, maintaining operational stealth while maximizing victim conversion rates.

Version 2.0.0 introduced autonomous update capabilities through the Help TDS command-and-control infrastructure, enabling dynamic plugin modifications via API endpoints at pinkfels[.]shop/wp-plugin.

The system generates customized plugin versions for each campaign identifier, demonstrating the operation’s sophisticated infrastructure management.

Threat actors gain initial access through stolen WordPress administrator credentials, with server logs revealing swift 22-second attack sequences from login to plugin activation.

The redirect mechanism employs dual JavaScript methods for browser compatibility: window.location.replace('$redirectUrl'); window.location.href='$redirectUrl'; ensuring reliable traffic redirection regardless of browser security settings.

This technical approach, combined with credential harvesting functionality that exfiltrates WordPress user data bi-weekly, creates a self-perpetuating cycle of compromise where stolen credentials facilitate further infections across the WordPress ecosystem.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Help TDS Weaponize Legitimate Sites’ PHP Code Templates With Fake Microsoft Windows Security Alert Pages appeared first on Cyber Security News.

A sophisticated cryptojacking campaign has emerged, exploiting misconfigured Redis servers across multiple continents to deploy cryptocurrency miners while systematically dismantling security defenses.

The threat actor behind this operation, designated TA-NATALSTATUS, has been active since 2020 but has significantly escalated their activities throughout 2025, targeting exposed Redis instances with alarming success rates across major economies.

The campaign demonstrates unprecedented scale and technical sophistication, with infection rates reaching alarming levels across affected regions.

In Finland, 41% of Redis servers have been compromised, while Russia shows 39% infection rates. Germany faces a 33% compromise rate, with the United Kingdom at 27%, France at 23%, and the United States reporting 17% of Redis servers affected.

The geographic distribution spans from Asia-Pacific regions including China, which hosts over 140,000 exposed Redis instances, to European and North American infrastructure.

CloudSEK analysts identified this advanced persistent threat through their BeVigil platform monitoring, revealing that TA-NATALSTATUS has evolved from a simple cryptojacking operation into a comprehensive rootkit-style attack framework.

The threat actors have systematically upgraded their stealth capabilities, incorporating process hijacking, command obfuscation, and timestomping techniques that transform compromised servers into long-term mining assets while remaining virtually undetectable to standard monitoring tools.

The attack methodology exploits a fundamental security weakness known as the “Root by Inheritance” technique, where Redis servers running with elevated privileges become immediate targets for privilege escalation.

Rather than exploiting traditional vulnerabilities, the attackers leverage legitimate Redis operations to achieve persistent access and control.

Advanced Persistence and Evasion Mechanisms*

The malware’s persistence strategy represents a masterclass in system manipulation and defensive evasion. TA-NATALSTATUS employs a multi-layered approach that begins with binary hijacking, where critical system utilities are systematically replaced with malicious wrappers.

The attackers rename legitimate binaries like ps and top to ps.original and top.original, then install custom scripts that execute the original commands while filtering out evidence of their mining processes.

The attack sequence involves sophisticated Redis manipulation through a series of CONFIG SET commands. Attackers redirect Redis database output to /var/spool/cron/root and inject malicious cron jobs that trigger automatic payload downloads.

The technique exploits Redis’s ability to write arbitrary files when running with root privileges, effectively turning the database service into a delivery mechanism for persistent malware installation.

To ensure long-term persistence, the malware implements immutable file protection using the chattr +i command, making core malware components undeletable even by root users.

This technique, combined with SSH backdoor installation using the distinctive key comment “uc1”, creates multiple redundant access paths that survive system restarts and basic cleanup attempts.

The comprehensive approach transforms infected systems into resilient mining platforms that actively defend against both competing malware and administrator remediation efforts.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Cryptojacking Attack Exploits Redis Servers to Install Miners and Disable Defenses appeared first on Cyber Security News.

The Lumma information stealer has evolved from its 2022 origins into one of the most sophisticated malware-as-a-service (MaaS) ecosystems in the cybercriminal landscape.

Operating through a vast network of affiliates, Lumma has established itself as the dominant infostealer platform, accounting for approximately 92% of stolen credential listings on major underground marketplaces by late 2024.

The malware’s success stems not from technical innovation alone, but from its comprehensive ecosystem of operational enablers designed to maximize stealth, ensure operational continuity, and facilitate rapid adaptation to security countermeasures.

Unlike traditional malware operations that rely on single-vector attacks, Lumma affiliates employ a multi-layered approach that integrates proxy networks, virtual private networks, anti-detect browsers, exploit services, and crypting tools.

This interconnected infrastructure enables affiliates to simultaneously operate multiple criminal schemes, including rental fraud and cryptocurrency theft, while maintaining operational security across diverse attack vectors.

The ecosystem’s resilience was demonstrated following major law enforcement takedowns in May 2025, when Lumma infrastructure was reestablished within days, showcasing the platform’s operational discipline and distributed architecture.

The malware’s attack methodology centers on credential harvesting from Chromium and Mozilla-based browsers, targeting approximately 70 browser cryptocurrency extensions and two-factor authentication plugins.

Lumma’s technical sophistication includes server-side log decryption, adaptive file grabbing capabilities, and integrated reverse proxy functionality, all packaged in builds weighing between 150-300 KB to minimize detection signatures.

Recorded Future analysts identified previously undocumented tools circulating within Lumma affiliate networks, including a cracked email credential validation utility and AI-powered phishing page generators.

These discoveries highlight the ecosystem’s continuous evolution and the collaborative nature of modern cybercriminal operations, where specialized service providers enhance affiliate capabilities through dedicated toolkits and infrastructure services.

Advanced Evasion Infrastructure: The GhostSocks Integration

The most significant advancement in Lumma’s evasion capabilities emerged through its partnership with the GhostSocks team in early 2024.

This collaboration introduced residential proxy functionality that transforms infected victim machines into SOCKS5 proxy endpoints, enabling affiliates to route malicious traffic through compromised systems.

The integration creates a self-sustaining proxy network where each successful infection potentially becomes a relay point for future operations.

# Example SOCKS5 proxy configuration used by Lumma affiliates
proxy_config = {
    "type": "socks5",
    "host": "infected_victim_ip",
    "port": 1080,
    "authentication": "none",
    "tunnel_traffic": "all_http_https"
}

By 2025, Lumma expanded this offering to include backconnect proxy access, allowing threat actors to conduct attacks that appear to originate directly from victim devices.

This capability proves particularly effective against Google’s cookie-based protection mechanisms, as attacks launched through victim machines can bypass location-based security controls and refresh expired authentication tokens seamlessly.

The system’s sophistication lies in its ability to maintain persistent connections to compromised machines, creating a distributed anonymization network that complicates attribution efforts.

Complementing the proxy infrastructure, Lumma affiliates extensively utilize anti-detect browsers, particularly Dolphin, which facilitates multi-account management without triggering platform security measures.

These browsers generate unique digital fingerprints for each session, enabling affiliates to operate dozens of fraudulent accounts simultaneously across different platforms while maintaining apparent legitimacy through consistent behavioral patterns and device characteristics.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Lumma Affiliates Using Advanced Evasion Tools Designed to Ensure Stealth and Continuity appeared first on Cyber Security News.