Tag: powershell
-
PureHVNC RAT Uses Fake Job Offers and PowerShell to Evade Security Defenses
A new and highly evasive malware campaign delivering the PureHVNC Remote Access Trojan (RAT) has been identified by Netskope Threat Labs, showcasing a complex multi-layer infection chain designed to bypass modern security defenses. This campaign, active in 2024, leverages fake job offers from well-known global brands like Bershka, Fragrance Du Bois, John Hardy, and Dear…
-
Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
Tags: ai, chatgpt, cisco, cybercrime, intelligence, malware, openai, powershell, ransomware, threat, toolFake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero.”CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim’s system,” Cisco Talos researcher Chetan…
-
Fake software activation videos on TikTok spread Vidar, StealC
Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks. Cybercriminals leverage AI-generated TikTok videos in ClickFix attacks to spread Vidar and StealC malware, reports Trend Micro. These videos trick users into running PowerShell commands disguised as software activation steps for tools like…
-
Scarcity signals: Are rare activities red flags?
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-flags/
-
Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
Tags: access, advisory, api, authentication, cctv, cloud, computer, container, credentials, cve, cybersecurity, data, detection, email, exploit, flaw, government, hacker, identity, infrastructure, Internet, login, malicious, malware, mfa, military, network, ntlm, office, open-source, password, phishing, powershell, russia, service, software, threat, tool, ukraine, vulnerabilityCredential guessing and spearphishing: The attackers used brute-force credential guessing techniques, also known as password spraying, to gain initial access to accounts. This was complemented with targeted phishing emails that directed recipients to fake login pages for government entities or Western cloud email providers. These phishing pages were stored on free web hosting services or…
-
How Identity Plays a Part in 5 Stages of a Cyber Attack
Tags: access, attack, authentication, breach, cloud, computer, container, control, credentials, cyber, data, data-breach, detection, endpoint, exploit, group, iam, identity, intelligence, malicious, malware, mfa, microsoft, monitoring, password, powershell, ransomware, risk, technology, threat, tool, vulnerabilityWhile credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know, and how Tenable can help. Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector,…
-
BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover
Tags: access, attack, authentication, computer, container, control, credentials, group, microsoft, network, password, powershell, service, updatemsDS-DelegatedMSAState, which indicates whether the migration process is unknown, in progress, or completed; msDS-ManagedAccountPrecededByLink, which indicates the superseded account; and msDS-GroupMSAMembership, which indicates which principals (users, groups, and computers) can authenticate as the account.Once migration to a dMSA account is complete, any machine that authenticates as the superseded service account will receive from Domain Controller…
-
Ransomware-Bande BlackBasta hat neuen Malware-Favoriten
Modularität für verschiedene Zwecke: Die Malware Skitnet verfügt über separate Plug-ins umAnmeldeinformationen zu sammeln,Berechtigungen auszuweiten,sich im Netzwerk lateral zu bewegen undRansomware bereitzustellen.Sie nutzt die Programmiersprachen Rust und Nim, um eine verdeckte Reverse Shell über das DNS-Protokoll zu realisieren. Dadurch ist eine unauffällige C2-Kommunikation möglich.Zusätzlich verwendet Skitnet Verschlüsselung, manuelles Mapping und dynamische API-Auflösung, um nicht entdeckt…
-
Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT
Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced Persistent Threat (APT) group, deploying intricately crafted PowerShell payloads to deliver the XWorm Remote Access Trojan (RAT). This operation showcases the group’s advanced tactics, leveraging encoded scripts and multi-stage attack chains to infiltrate systems, bypass traditional security mechanisms, and establish covert…
-
Skitnet malware: The new ransomware favorite
Tags: access, api, awareness, cybersecurity, data, detection, dns, encryption, malware, phishing, powershell, programming, ransomware, risk, rust, tool, trainingMalware employs advanced obfuscation: According to a Prodaft description, Skitnet uses Rust and Nim programming languages to execute a stealthy reverse shell over DNS, which is a method of covert C2 Communication using the DNS protocol instead of HTTP or other typical channels.Additionally, the malware leverages encryption, manual mapping, and dynamic API resolution to evade…
-
Investigating Cobalt Strike Beacons Using Shodan: A Researcher’s Guide
Security researcher has revealed a robust method for gathering threat intelligence on Cobalt Strike beacons using Shodan and PowerShell, filling the gap left by the popular @cobaltstrikebot Twitter account that went offline in June 2023. The technique allows security professionals to independently collect valuable configuration data from active Cobalt Strike servers, specifically focusing on beacon…
-
Überwachungsrichtlinien in Active Directory implementieren – Defender for Identity mit der PowerShell verwalten
First seen on security-insider.de Jump to article: www.security-insider.de/defender-for-identity-mit-der-powershell-verwalten-a-2d15a74f331ec8fadd08e2fcb0990e22/
-
Fileless PowerShell Loader Deploys Remcos RAT
Attack Chain Uses LNK Files, MSHTA and Memory Injection. PowerShell is becoming hackers’ new favorite tool since they can load code directly into computer memory and evade traditional file-based detection methods, warn security researchers. A combination of LNK-MSHTA-PowerShell offers a stealthy and effective path to execution. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/fileless-powershell-loader-deploys-remcos-rat-a-28420
-
New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads
A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through a highly sophisticated phishing-based attack. Cybersecurity researchers have uncovered a multi-stage infection chain that begins with a deceptive PDF document titled “Pay Adjustment.” This document lures victims into downloading a malicious ZIP file hosted on Netlify, a popular web hosting platform.…
-
Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.”Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents,” Qualys security researcher Akshay Thorve said in a technical report. “The attack chain leverages…
-
Hackers Leveraging PowerShell to Bypass Antivirus and EDR Defenses
Cybersecurity researchers have uncovered a growing trend in which threat actors are exploiting Microsoft PowerShell a legitimate Windows command-line interface to bypass advanced antivirus and Endpoint Detection and Response (EDR) defenses. This technique, often termed as “Living off the Land” (LotL), allows attackers to leverage built-in system utilities, reducing their reliance on external malicious payloads…
-
Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts
A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote… First seen on hackread.com Jump to article: hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/
-
PowerShell-Based Loader Deploys Remcos RAT in New Fileless Attack
A stealthy fileless PowerShell attack using Remcos RAT bypassed antivirus by operating in memory First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/powershell-loader-deploys-remcos/
-
Stealth RAT uses a PowerShell loader for fileless attacks
Threat actors have been spotted using a PowerShell-based shellcode loader to stealthily deploy Remcos RAT, a popular espionage-ready tool in line with a broader shift toward fileless techniques.As discovered by Qualys, the campaign executes a number of steps to phish an obfuscated .HTA (HTML Application) file that runs layered PowerShell scripts entirely in memory.”The attackers…
-
Chihuahua Stealer Exploits Google Drive Document to Harvest Browser Login Credentials
A .NET-based infostealer named >>Chihuahua Stealer
-
Windows flaw exploited as zero-day by more groups than previously thought
Attackers managed to deploy infostealer: In this attack, the Balloonfly group didn’t get to the stage of deploying the Play ransomware, as that is usually one of the final stages when attackers have control over significant parts of the network for maximum damage. However, the group did deploy an infostealer called Grixba that’s usually part…
-
New StealC V2 Upgrade Targets Microsoft Installer Packages and PowerShell Scripts
StealC, a notorious information stealer and malware downloader first sold in January 2023, has rolled out its version 2 (V2) in March 2025 with sophisticated enhancements. This latest iteration introduces a range of new capabilities, focusing on advanced payload delivery methods that include Microsoft Software Installer (MSI) packages and PowerShell scripts alongside traditional executable (EXE)…
-
MintsLoader Drops GhostWeaver via Phishing, ClickFix, Uses DGA, TLS for Stealth Attacks
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver.”MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts,” Recorded Future’s Insikt Group said in a report shared with The Hacker News.”The malware employs sandbox and virtual machine evasion techniques, a domain First seen…
-
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchronization options can be exploited. Synchronizing identity accounts between Microsoft Active Directory (AD) and Entra ID is important for user experience, as it seamlessly synchronizes user identities, credentials and groups…
-
Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader.”Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution,” Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.The First…
-
Agent Tesla Malware Uses Multi-Stage Attacks with PowerShell Scripts
Researchers from Palo Alto Networks have uncovered a series of malicious spam campaigns leveraging the notorious Agent Tesla malware through intricate, multi-stage infection vectors. The attack begins innocuously enough with the receipt of a socially engineered email, often crafted to appear legitimate and relevant to the recipient. These emails carry an archive attachment, which typically…