Tag: powershell
-
Active Directory Lab Setup for Penetration Testing Using PowerShell
This article provides a complete walkthrough of both phases, from clicking >>Create a New Virtual Machine<< in VMware all the way to a fully First seen on hackingarticles.in Jump to article: www.hackingarticles.in/active-directory-lab-setup-for-penetration-testing-using-powershell/
-
New Global Scam Uses Fake Meeting Links to Run PowerShell Malware
BlueNoroff hackers used fake Zoom calls, ClickFix prompts, and fileless PowerShell malware to steal credentials from Web3 and crypto targets. The post New Global Scam Uses Fake Meeting Links to Run PowerShell Malware appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-lazarus-bluenoroff-fake-video-call-malware/
-
North Korean Hackers Target Pharma Firms with Malware-Laced Excel Attacks
North Korean state-backed hackers are using weaponized Excel-themed files to infect pharmaceutical and life science companies with malware, abusing Windows shortcut files, PowerShell, and cloud storage for stealthy data theft. The campaign begins with highly tailored spear”‘phishing emails sent to drug manufacturers and related life science organizations. Messages typically reference legitimate”‘sounding topics such as ERP…
-
North Korean Hackers Target Pharma Firms with Malware-Laced Excel Attacks
North Korean state-backed hackers are using weaponized Excel-themed files to infect pharmaceutical and life science companies with malware, abusing Windows shortcut files, PowerShell, and cloud storage for stealthy data theft. The campaign begins with highly tailored spear”‘phishing emails sent to drug manufacturers and related life science organizations. Messages typically reference legitimate”‘sounding topics such as ERP…
-
ClickFix Attack Swaps PowerShell for Cmdkey, Remote Regsvr32 Payloads
A newly identified ClickFix attack variant is raising concerns among cybersecurity researchers after it was observed replacing traditional PowerShell-based delivery with a stealthier technique leveraging native Windows utilities. The infection begins with a familiar ClickFix tactic: a phishing page disguised as a CAPTCHA verification prompt. Victims are instructed to press Win + R, paste a…
-
Hackers Exploit Pastebin PowerShell Script to Hijack Telegram Sessions
Hackers are experimenting with a new Telegram”‘focused session stealer that hides in a Pastebin”‘hosted PowerShell script posing as a Windows telemetry update, giving defenders a rare view into how such tools are built and tested. The script does not attempt to grab passwords or browser credentials; instead, it focuses entirely on Telegram’s desktop client data…
-
Hackers Tie Iranian Espionage to CastleRAT and ChainShell
A direct operational link between Iran’s MuddyWater espionage group and the Russian TAG-150 CastleRAT malware-as-a-service (MaaS) platform, showing how state and criminal ecosystems are now tightly intertwined. Investigators recovered 15 malware samples, including at least two CastleRAT “builds” and a PowerShell script named reset.ps1 that deploys a previously undocumented JavaScript/Node.js agent dubbed ChainShell. On this server, two native…
-
PureRAT Hides PE Payloads in PNGs for Fileless Execution
A multi-stage PureRAT campaign that hides portable executable (PE) payloads inside PNG images and executes them almost entirely in memory, making detection and forensics significantly harder for defenders. The campaign combines steganography, PowerShell-based loaders, UAC bypass, process hollowing, and anti-virtualization checks to remain stealthy on compromised systems. The attack begins with a weaponized .LNK file…
-
Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)
Tags: advisory, api, attack, best-practice, cloud, container, cve, cvss, cyber, data, exploit, firewall, firmware, flaw, framework, github, Internet, malicious, microsoft, mitigation, office, powershell, rce, remote-code-execution, service, software, sql, startup, tool, update, vulnerability, windows, zero-day8Critical 154Important 1Moderate 0Low Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild. Microsoft patched 163 CVEs in its April 2026 Patch Tuesday release, with eight rated critical, 154 rated as important and one rated as moderate. This is the second…
-
TDL 019 – The Psychology Behind a Cyber Breach and the Leaders Who Survive It – Nim Nadarajah
Tags: access, ai, apple, automation, breach, business, cctv, ceo, cio, ciso, cloud, computing, conference, control, corporate, crowdstrike, cve, cyber, cyberattack, cybersecurity, data, dns, edr, email, finance, firewall, governance, group, healthcare, incident, incident response, infrastructure, injection, insurance, Internet, jobs, law, LLM, metric, microsoft, msp, network, office, powershell, privacy, programming, psychology, risk, saas, service, siem, soar, soc, software, startup, strategy, supply-chain, switch, technology, threat, tool, training, usa, vulnerability, windows, zero-trustLeading Through the Cyber Abyss In Episode 019 of The Defender’s Log, host David Redekop sits down with Nim Nadarajah, CISO and Managing Partner of Critical Matrix, to explore the evolving landscape of cybersecurity leadership. From the “annual pilgrimage” of RSAC 2026 to the front lines of incident response, the conversation shifts from technical bits…
-
TDL 019 – The Psychology Behind a Cyber Breach and the Leaders Who Survive It – Nim Nadarajah
Tags: access, ai, apple, automation, breach, business, cctv, ceo, cio, ciso, cloud, computing, conference, control, corporate, crowdstrike, cve, cyber, cyberattack, cybersecurity, data, dns, edr, email, finance, firewall, governance, group, healthcare, incident, incident response, infrastructure, injection, insurance, Internet, jobs, law, LLM, metric, microsoft, msp, network, office, powershell, privacy, programming, psychology, risk, saas, service, siem, soar, soc, software, startup, strategy, supply-chain, switch, technology, threat, tool, training, usa, vulnerability, windows, zero-trustLeading Through the Cyber Abyss In Episode 019 of The Defender’s Log, host David Redekop sits down with Nim Nadarajah, CISO and Managing Partner of Critical Matrix, to explore the evolving landscape of cybersecurity leadership. From the “annual pilgrimage” of RSAC 2026 to the front lines of incident response, the conversation shifts from technical bits…
-
DesckVB RAT Uses Fileless .NET Loader to Evade Detection
DesckVB RAT is emerging as a highly active and stealthy malware threat in 2026, leveraging layered obfuscation and fileless execution techniques to bypass traditional security defenses. The attack chain begins with a malicious JavaScript file that hides its true intent through complex encoding and code replication. This script copies its own logic into PowerShell and…
-
In-Memory Loader Drops ScreenConnect
IntroductionIn February 2026, Zscaler ThreatLabz discovered an attack chain where attackers used a fake Adobe Acrobat Reader download to lure victims into installing ConnectWise’s ScreenConnect. While ScreenConnect is a legitimate remote access tool, it can be leveraged for malicious purposes. In this blog post, ThreatLabz examines the various stages of this attack, from the download lure to the…
-
Phishing LNK files and GitHub C2 power new DPRK cyber attacks
DPRK-linked hackers use GitHub C2s, starting attacks via phishing LNK files that drop a PDF and PowerShell script in South Korea. North Korea-linked threat actors target South Korean organizations using GitHub as C2 servers. The attack chain starts with phishing emails carrying obfuscated LNK files that drop a decoy PDF and a PowerShell script to…
-
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign
GitHub as C2: Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.”The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and…
-
North Korean hackers abuse LNKs and GitHub repos in ongoing campaign
GitHub as C2: Researchers also highlighted the campaign’s use of GitHub as a C2 layer. Rather than communicating with suspicious-looking or newly registered domains, the malware interacts with GitHub repositories and APIs to receive instructions and exfiltrate data.”The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository, and…
-
GitHub-Backed Malware Spread via LNK Files in South Korea
Hackers are abusing Windows shortcut files and GitHub to run a stealthy, multi”‘stage malware campaign against organizations in South Korea. The operation chains LNK files, PowerShell, and GitHub APIs to deliver surveillance tools while blending into normal enterprise traffic.The campaign begins with weaponized LNK files that contain hidden scripts instead of simple shortcuts. These older…
-
GitHub Used as Covert Channel in Multi-Stage Malware Campaign
LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/github-covert-multi-stage-malware/
-
RFQ Malware Campaign Uses DOCX, RTF, JS, and Python
Hackers are abusing DOCX, RTF, JavaScript, PowerShell, and Python to deliver an in”‘memory Cobalt Strike beacon in a stealthy spear”‘phishing campaign that impersonates Boeing procurement under the tag NKFZ5966PURCHASE. The operation chains six stages, relies heavily on living”‘off”‘the”‘land binaries, and reuses the same encryption keys across all known samples, creating both strong evasion and clear…
-
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Tags: ai, attack, breach, cloud, control, credentials, crypto, github, incident response, linux, LLM, macOS, malicious, malware, monitoring, open-source, openai, powershell, pypi, rat, spam, supply-chain, tool, windowspostinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency.Shortly after midnight UTC on March 31 a new version of the Axios package, axios@1.14.1, was published on npm followed by axios@0.30.4 39 minutes later. Both listed plain-crypto-js@4.2.1 as a dependency in their package.json files, but…
-
Latest Xloader Obfuscation Methods and Network Protocol
Tags: api, automation, breach, cloud, communications, credentials, data, detection, email, encryption, framework, google, Internet, malicious, malware, microsoft, network, password, powershell, software, threat, tool, update, windowsIntroduction Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since…
-
ClickFix Evades PowerShell Detection via Rundll32 and WebDAV
A new variant of the ClickFix attack technique that shifts execution away from commonly monitored tools like PowerShell and mshta, instead abusing native Windows components such as rundll32.exe and WebDAV. This evolution allows attackers to bypass traditional script-based detection mechanisms, increasing the likelihood of a successful, stealthy compromise. The attack begins similarly to earlier ClickFix…
-
Obfuscated VBS and PNG Loaders Power New Open Directory Malware Campaign with RAT Payloads
A sophisticated, multi-stage delivery framework leveraging obfuscated Visual Basic Script (VBS) files, fileless PowerShell loaders, and payloads hidden within PNG images. The activity was initially detected by LevelBlue’s Managed Detection and Response (MDR) SOC through a SentinelOne alert involving a suspicious VBS file. The file, identified as Name_File.vbs, was located in a public downloads directory…
-
PowerShell Is a Security Risk Here’s How to Fix It
If you run a Windows environment, you already know how critical PowerShell is. It’s the backbone of modern administration, used for automation, configuration, and day-to-day operations at scale. And it doesn’t stop at Windows. If you manage Azure, Microsoft 365, Entra ID, or Exchange Online, PowerShell is likely how you do it. A compromised session isn’t just an endpoint risk. It’s a path to……
-
Judicial Targets Hit by COVERT RAT via Court Docs and GitHub Payloads
Attackers are abusing fake court documents and GitHub”‘hosted payloads in a focused spear”‘phishing campaign that deploys a stealthy Rust”‘based COVERT RAT against Argentina’s judicial sector. This operation chains Windows LNK shortcuts, BAT loaders, and PowerShell to quietly fetch and execute a masqueraded payload, msedge_proxy.exe, from GitHub infrastructure. The operation, tracked as “Operation Covert Access,” uses…
-
Fileless Remcos RAT Attack Uses JavaScript and PowerShell to Slip Past Detection
A recent Remcos RAT campaign showcases how commodity malware has fully embraced fileless, multi”‘stage execution to bypass traditional defenses and remain stealthy on compromised Windows systems. Instead of dropping a static executable to disk, the operators rely on JavaScript, PowerShell, and a managed .NET injector to execute Remcos entirely in memory, dramatically reducing forensic artifacts…
-
ClickFix attackers using new tactic to evade detection, says Microsoft
AppData\Local that is then invoked through cmd.exe to write a VBScript to %Temp%. The batch script is executed via cmd.exe with the /launched command-line argument, and is then executed again through MSBuild.exe, resulting in LOLBin abuse. The script connects to Crypto Blockchain RPC endpoints, indicating etherhiding technique, and also performs QueueUserAPC()-based code injection into chrome.exe…