Tag: powershell

Threat Actors Abuse Browser Extensions to Deliver Fake Warning Messages

Jan 19, 2026 8:13 AM

Tags: access, cyber, group, intelligence, malicious, powershell, threat

Threat intelligence researchers at Huntress have uncovered a sophisticated browser extension campaign orchestrated by the KongTuke threat actor group, featuring a malicious ad blocker impersonating the legitimate uBlock Origin Lite extension. The campaign weaponizes fake browser crash warnings to trick users into executing malicious PowerShell commands, ultimately delivering ModeloRAT, a previously undocumented Python-based remote access…
PowerShell-Driven Multi-Stage Windows Malware Using Text Payloads

Jan 13, 2026 8:02 PM

Tags: cyber, detection, infection, malicious, malware, powershell, rat, windows

Security researchers have identified a sophisticated multi-stage malware campaign dubbed SHADOW#REACTOR that chains together obfuscated Visual Basic Script (VBS) execution, resilient PowerShell stagers, text-only payload delivery mechanisms, and .NET Reactorprotected in-memory loaders to deploy Remcos RAT while evading detection and analysis reliably. Initial infection begins when users execute a malicious VBS script, typically delivered through…
RustyWater Rising: MuddyWater Drops PowerShell for Stealthy Rust Implants

Jan 12, 2026 5:02 AM

Tags: powershell, rust

The post RustyWater Rising: MuddyWater Drops PowerShell for Stealthy Rust Implants appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/rustywater-rising-muddywater-drops-powershell-for-stealthy-rust-implants/
Malicious NPM Packages Deliver NodeCordRAT

Jan 7, 2026 9:02 PM

Tags: access, api, attack, breach, browser, chrome, cloud, control, credentials, crypto, data, email, endpoint, infrastructure, linux, login, macOS, malicious, malware, network, open-source, password, powershell, rat, service, software, supply-chain, theft, threat, vulnerability, windows

IntroductionZscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload. This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities. It is also possible to download bip40…
Malicious NPM Packages Deliver NodeCordRAT

Jan 7, 2026 9:02 PM

Tags: access, api, attack, breach, browser, chrome, cloud, control, credentials, crypto, data, email, endpoint, infrastructure, linux, login, macOS, malicious, malware, network, open-source, password, powershell, rat, service, software, supply-chain, theft, threat, vulnerability, windows

IntroductionZscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the malicious payload. This final payload, named NodeCordRAT by ThreatLabz, is a remote access trojan (RAT) with data-stealing capabilities. It is also possible to download bip40…
Fake MAS Windows activation domain used to spread PowerShell malware

Dec 25, 2025 12:19 AM

Tags: malware, microsoft, powershell, tool, windows

A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the ‘Cosmali Loader’. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/
Blind Eagle Hackers Target Government Agencies Using PowerShell Scripts

Dec 22, 2025 3:18 PM

Tags: access, cyber, cyberattack, cybersecurity, email, government, group, hacker, phishing, powershell, spear-phishing, threat

Colombian government institutions are facing a sophisticated multi-stage cyberattack campaign orchestrated by the BlindEagle threat group, which leveraged compromised internal email accounts, PowerShell scripts, and steganography to deploy remote access trojans on target systems, according to Zscaler ThreatLabz researchers. The cybersecurity firm discovered the spear-phishing operation in early September 2025, revealing that BlindEagle targeted agencies…
React2Shell is the Log4j moment for front end development

Dec 19, 2025 5:19 AM

Tags: access, advisory, ai, antivirus, attack, backdoor, backup, control, crypto, detection, endpoint, exploit, malicious, network, powershell, ransomware, risk, technology, threat, update, vulnerability, windows, zero-day

What to look for: In an attack tracked by S-RM, immediately after the threat actor gained access to a targeted company’s network, they ran a hidden PowerShell command, establishing command and control (C2) by downloading a Cobalt Strike PowerShell stager, a tactic regularly used by red teamers, and installing a beacon to allow them to…
React2Shell is the Log4j moment for front end development

Dec 19, 2025 5:19 AM

Tags: access, advisory, ai, antivirus, attack, backdoor, backup, control, crypto, detection, endpoint, exploit, malicious, network, powershell, ransomware, risk, technology, threat, update, vulnerability, windows, zero-day

What to look for: In an attack tracked by S-RM, immediately after the threat actor gained access to a targeted company’s network, they ran a hidden PowerShell command, establishing command and control (C2) by downloading a Cobalt Strike PowerShell stager, a tactic regularly used by red teamers, and installing a beacon to allow them to…
BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Dec 17, 2025 10:19 AM

Tags: access, attack, authentication, cloud, communications, control, cybercrime, defense, detection, dkim, dmarc, dns, email, encryption, flaw, government, group, infrastructure, injection, Internet, malicious, malware, microsoft, open-source, phishing, powershell, rat, service, spear-phishing, startup, tactics, threat, tool, update, usa, windows

IntroductionIn early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using…
Neuer Banking-Trojaner ‘Maverick”: BlueVoyant deckt raffinierte WhatsApp-Angriffe auf

Dec 11, 2025 4:32 PM

Tags: banking, cyberattack, powershell

Der Angriff beginnt typischerweise mit einer ZIP-Datei, die das Ziel per WhatsApp erhält. Darin versteckt sich eine vermeintliche Verknüpfung (.lnk), die beim Öffnen automatisch eine PowerShell-Routine startet. First seen on infopoint-security.de Jump to article: www.infopoint-security.de/neuer-banking-trojaner-maverick-bluevoyant-deckt-raffinierte-whatsapp-angriffe-auf/a43167/
Hidden .NET HTTP proxy behavior can open RCE flaws in apps, a security issue Microsoft won’t fix

Dec 11, 2025 5:32 AM

Tags: api, control, credentials, cve, endpoint, exploit, flaw, framework, ivanti, leak, microsoft, monitoring, ntlm, powershell, programming, rce, remote-code-execution, service, vulnerability

ServiceDescriptionImporter class,” he said. “That mechanism alone enabled successful exploitation in products from Barracuda, Ivanti, Microsoft and Umbraco, and it took only a few days of review to find working cases.” The .NET Framework and ASP.NET are among the most popular programming languages for enterprise applications. When a developer wants their application to communicate with…
PowerShell 5.1 zeigt nach Dez. 2025 Update Sicherheitsabfrage bei Webseiten

Dec 11, 2025 12:32 AM

Tags: cve, powershell, update, vulnerability, windows

Es ist in den Support-Beiträgen zum Dezember 2025-Patchday mit angegeben. Nach Installation der Windows-Updates zeigt die PowerShell 5.1 eine Sicherheitsabfrage, wenn auf den Inhalt von Webseiten zugegriffen werden soll. Mit dieser Maßnahme soll die Sicherheitslücke CVE-2025-54100 abgeschwächt werden. PowerShell-Schwachstelle CVE-2025-54100 … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/12/11/powershell-5-1-zeigt-nach-dez-2025-update-sicherheitsabfrage-bei-webseiten/
Microsoft Patch Tuesday security updates for December 2025 fixed an actively exploited zero-day

Dec 10, 2025 11:32 AM

Tags: exploit, microsoft, office, powershell, update, vulnerability, windows, zero-day

Microsoft Patch Tuesday security updates for December 2025 address 57 vulnerabilities, including three critical flaws. Microsoft Patch Tuesday security updates for December 2025 addressed 57 vulnerabilities in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Exchange Server, Azure, Copilot, PowerShell, and Windows Defender. Three vulnerabilities are rated Critical, while the rest are…
Windows PowerShell now warns when running Invoke-WebRequest scripts

Dec 9, 2025 10:33 PM

Tags: microsoft, powershell, windows

Microsoft says Windows PowerShell now warns when running scripts that use the Invoke-WebRequest cmdlet to download web content, aiming to prevent potentially risky code from executing. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/microsoft-windows-powershell-now-warns-when-running-invoke-webrequest-scripts/
Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading

Dec 9, 2025 4:32 PM

Tags: access, attack, defense, network, powershell, ransomware, tactics, threat

The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.”These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for…
Windows shortcuts’ use as a vector for malware may be cut short

Dec 4, 2025 4:32 PM

Tags: cve, cvss, malicious, malware, microsoft, powershell, update, vulnerability, windows

Windows shortcut files (.lnk) have long been a convenient hiding place for attackers because Windows Explorer only displayed the first 260 characters of the command in a shortcut’s properties. Anything appended after a long string of spaces stayed invisible to the user.The issue is tracked as CVE-2025-9491, with security analysts assigning a high-severity CVSS rating…
Neues ToddyCat-Toolkit greift Outlook und Microsoft-Token an

Nov 27, 2025 2:49 PM

Tags: access, apt, backdoor, browser, chrome, cloud, cyberattack, exploit, governance, government, Internet, kaspersky, mail, microsoft, open-source, powershell, tool, update, vulnerability, windows

Die APT-Gruppe ToddyCat hat ihren Fokus auf den Diebstahl von Outlook-E-Mail-Daten und Microsoft 365-Zugriffstoken verlagert.Forscher von Kaspersky Labs haben festgestellt, dass sich die APT-Gruppe (Advanced Persistent Threat) ToddyCat jetzt darauf spezialisiert hat, Outlook-E-Mail-Daten und Microsoft 365-Zugriffstoken zu stehlen.Demnachhat die Hackerbande ihr Toolkit Ende 2024 und Anfang 2025 weiterentwickelt, um nicht nur wie bisher Browser-Anmeldedaten zu…
Neue ClickFix-Kampagne nutzt Fake-Windows-Updates

Nov 26, 2025 3:50 PM

Tags: captcha, cyberattack, endpoint, group, malware, monitoring, phishing, powershell, social-engineering, update, windows

Cyberkriminelle nutzen eine gefälschte Windows-Update-Seite, um Mitarbeiter anzugreifen.Forscher des Security-Anbieters Huntress sind kürzlich auf eine neue ClickFix-Kampagne gestoßen, die auf Mitarbeiter in Unternehmen zielt. Laut Forschungsbericht haben die Angreifer ihre Malware dabei in den Pixeln eines Bildes versteckt, das eine Windows-Update-Seite vortäuscht. Dort werden die Benutzer aufgefordert, auf Ausführen zu klicken, um einen bösartigen Befehl…
Gamayun APT Exploits New MSC EvilTwin Vulnerability to Deliver Malicious Payloads

Nov 26, 2025 7:49 AM

Tags: apt, cyber, exploit, group, infrastructure, malicious, microsoft, powershell, social-engineering, threat, vulnerability, windows

Water Gamayun, a Russia”‘aligned advanced persistent threat (APT) group, has launched a new multi”‘stage intrusion campaign that weaponizes the recently disclosed MSC EvilTwin vulnerability in Windows Microsoft Management Console (MMC). Leveraging a blend of compromised infrastructure, social engineering, and heavily obfuscated PowerShell, the attackers exploited CVE”‘2025″‘26633 to inject malicious code into mmc.exe, ultimately delivering hidden…
New ClickFix attacks use fake Windows Update screens to fool employees

Nov 26, 2025 5:49 AM

Tags: access, attack, awareness, captcha, computer, control, data, defense, detection, edr, email, endpoint, exploit, group, infection, intelligence, malicious, malware, monitoring, network, okta, phishing, powershell, russia, tactics, threat, tool, training, update, windows

Run dialog box, Windows Terminal, or Windows PowerShell. This leads to the downloading of scripts that launch malware.Two new tactics are used in the latest ClickFix campaign, says Huntress:the use since early October of a fake blue Windows Update splash page in full-screen, displaying realistic “Working on updates” animations that eventually conclude by prompting the user to…
Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

Nov 26, 2025 12:49 AM

Tags: access, apt, attack, backdoor, cloud, control, credentials, cve, data, detection, exploit, government, group, infrastructure, intelligence, malicious, malware, network, open-source, password, powershell, risk, russia, social-engineering, supply-chain, tactics, theft, threat, tool, vulnerability, windows, zero-day, zero-trust

This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability,…
Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

Nov 26, 2025 12:49 AM

Tags: access, apt, attack, backdoor, cloud, control, credentials, cve, data, detection, exploit, government, group, infrastructure, intelligence, malicious, malware, network, open-source, password, powershell, risk, russia, social-engineering, supply-chain, tactics, theft, threat, tool, vulnerability, windows, zero-day, zero-trust

This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability,…
Nach Entlassung: Exmitarbeiter sperrt ehemalige Kollegen aus IT-Systemen aus

Nov 21, 2025 7:49 PM

Tags: password, powershell

Nach seiner Entlassung hat ein Mann in der IT-Umgebung seines Ex-Arbeitgebers mittels Powershell-Skript mehr als 2.500 Passwörter zurückgesetzt. First seen on golem.de Jump to article: www.golem.de/news/nach-entlassung-exmitarbeiter-sperrt-ehemalige-kollegen-aus-it-systemen-aus-2511-202435.html
Fired techie admits sabotaging ex-employer, causing $862K in damage

Nov 20, 2025 6:49 PM

Tags: powershell

PowerShell script locked thousands of workers out of their accounts First seen on theregister.com Jump to article: www.theregister.com/2025/11/20/it_contractor_sabotage/
Fired techie admits sabotaging ex-employer, causing $862K in damage

Nov 20, 2025 6:49 PM

Tags: powershell

PowerShell script locked thousands of workers out of their accounts First seen on theregister.com Jump to article: www.theregister.com/2025/11/20/it_contractor_sabotage/
Active Directory Trust Misclassification: Why Old Trusts Look Like Insecure External Trusts

Nov 19, 2025 6:49 PM

Tags: data, identity, microsoft, powershell, service, tool, update, windows

Tenable Research reveals an Active Directory anomaly: intra-forest trusts created under Windows 2000 lack a key identifying flag, even after domain and forest upgrades. Learn how to find this legacy behavior persisting to this day, and use crossRef objects to correctly distinguish these trust types. Key takeaways: If your organization has an Active Directory environment…
The nexus of risk and intelligence: How vulnerability-informed hunting uncovers what everything else misses

Nov 19, 2025 3:49 PM

Tags: access, attack, authentication, business, cisa, compliance, cve, cvss, dark-web, data, defense, detection, dns, edr, endpoint, exploit, framework, intelligence, kev, linux, malicious, mitigation, mitre, monitoring, ntlm, nvd, open-source, password, powershell, remote-code-execution, risk, risk-management, siem, soc, strategy, tactics, technology, threat, update, vulnerability, vulnerability-management

Turning vulnerability data into intelligence: Once vulnerabilities are contextualized, they can be turned into actionable intelligence. Every significant CVE tells a story, known exploit activity, actor interest, proof-of-concept code or links to MITRE ATT&CK techniques. This external intelligence gives us the who and how behind potential exploitation.For example, when a privilege escalation vulnerability in Linux…
Why you should purple team your SOC

Nov 10, 2025 10:20 AM

Tags: attack, blueteam, breach, compliance, detection, metric, penetration-testing, phishing, powershell, PurpleTeam, service, soc, threat, tool, training

. In theory, it’s about collaboration and continual improvement. In practice, it’s often a transactional service run by penetration testing firms focused on two things: proving they can bypass defences and producing a report that looks good in a board pack.That mindset doesn’t help with SOC effectiveness. A single purple team engagement doesn’t build real…
Why you should purple team your SOC

Nov 10, 2025 10:20 AM

Tags: attack, blueteam, breach, compliance, detection, metric, penetration-testing, phishing, powershell, PurpleTeam, service, soc, threat, tool, training

. In theory, it’s about collaboration and continual improvement. In practice, it’s often a transactional service run by penetration testing firms focused on two things: proving they can bypass defences and producing a report that looks good in a board pack.That mindset doesn’t help with SOC effectiveness. A single purple team engagement doesn’t build real…