Tag: powershell
-
NoisyBear Exploits ZIP Files for PowerShell Loaders and Data Exfiltration
The threat actor known as NoisyBear has launched a sophisticated cyber-espionage effort called Operation BarrelFire, using specially designed phishing lures that imitate internal correspondence to target Kazakhstan’s energy sector, particularly workers of the state oil and gas major KazMunaiGas. Security researchers at Seqrite Labs first observed the campaign in April 2025 and noted its rapid…
-
New ClickFix Attack Deploys Fake BBC News Page and Fake Cloudflare Verification to Deceive Users
Cybersecurity researchers have uncovered a novel ClickFix attack variant that impersonates trusted BBC news content while leveraging counterfeit Cloudflare Turnstile verification interfaces to coerce users into executing malicious PowerShell commands. This campaign, detailed in recent analyses from sources like Cybersecurity News and ESET, exploits user familiarity with legitimate web security protocols to deliver a range…
-
USB Malware Campaign Spreads Cryptominer Worldwide
A multi-stage attack delivered via USB devices has been observed installing cryptomining malware using DLL hijacking and PowerShell First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/usb-malware-spreads-cryptominer/
-
Hackers Exploit ClickFix Technique to Compromise Windows and Run PowerShell Commands
Threat actors have begun a geographically focused campaign against Israeli infrastructure and corporate entities in a sophisticated cyber incursion discovered by Fortinet’s FortiGuard Labs. Delivered exclusively through Windows systems via PowerShell scripts, the attack chain enables remote access, facilitating data exfiltration, persistent surveillance, and lateral movement within compromised networks. Classified as high severity, this operation…
-
UAC-0099 Tactics, Techniques, Procedures and Attack Methods Revealed
Tags: attack, cyber, defense, email, espionage, government, malicious, military, phishing, powershell, spear-phishing, tactics, threat, ukraineUAC-0099, a persistent threat actor active since at least 2022, has conducted sophisticated cyber-espionage operations against Ukrainian government, military, and defense entities, evolving its toolkit across three major campaigns documented in CERT-UA alerts from June 2023, December 2024, and August 2025. Initially relying on the PowerShell-based LONEPAGE loader delivered via spear-phishing emails with malicious attachments…
-
Silent Watcher Targets Windows Systems, Steals Data via Discord Webhooks
K7 Labs investigated the Cmimai Stealer, a Visual Basic Script (VBS)-based infostealer that surfaced in June 2025 and uses PowerShell and native Windows scripting to secretly exfiltrate data. This is a recent development in the cybersecurity environment. This malware, first highlighted in a tweet, operates as a lightweight threat actor tool that circumvents execution policies,…
-
How Machine Learning Detects Living off the Land (LotL) Attacks
Elite cybercriminals prefer LotL attacks because they’re incredibly hard to spot. Instead of deploying obvious malware, attackers use the same trusted tools that an IT team relies on daily, such as PowerShell, Windows Management Instrumentation (WMI) and various integrated utilities on almost every computer. When attackers use legitimate system tools, traditional security software thinks everything…
-
The role of the cybersecurity PM in incident-driven development
From PowerShell abuse to USB data theft, modern threats hit fast”, and hard.vSee how security-minded PMs are responding with real-time controls, smarter policies, and tools like ThreatLocker Patch Management. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/the-role-of-the-cybersecurity-pm-in-incident-driven-development/
-
Malicious LNK File Posing as Credit Card Security Email Steals User Data
Tags: authentication, credit-card, cyber, data, email, exploit, finance, malicious, powershell, threatThreat actors have deployed a malicious LNK file masquerading as a credit card company’s security email authentication pop-up to pilfer sensitive user information. The file, named >>card_detail_20250610.html.lnk,
-
Video-Tipp #71: Harden Windows Security – Windows 11 härten mit PowerShell-Modul ‘Harden Windows Security”
First seen on security-insider.de Jump to article: www.security-insider.de/harden-windows-security-tool-tipps-a-a07c534dead5f34edae6082e2dfa3270/
-
Microsoft to Remove PowerShell 2.0 from Windows 11 Due to Security Risks
Microsoft has announced a significant change for Windows 11 users: the removal of Windows PowerShell 2.0, a legacy scripting platform, from upcoming builds. This move, first revealed in the Windows 11 Insider Preview Build 27891 released to the Canary Channel, is part of the company’s ongoing efforts to enhance system security and streamline the operating…
-
Microsoft finally bids farewell to PowerShell 2.0
Venerable command line tool to depart Windows First seen on theregister.com Jump to article: www.theregister.com/2025/07/04/microsoft_finally_bids_farewell_to/
-
Sixfold surge of ClickFix attacks threatens corporate defenses
Countermeasures: ClickFix attacks often bypass many security tools because the approach relies on user interaction. Training users to recognize suspicious prompts and avoid copying and running code from untrusted sources is a critical first step in defending against the growing threat.Tightening up technical controls such as endpoint protection, web filtering, and email security technologies to…
-
PowerShell überwachen so geht’s
Tags: access, cloud, cyberattack, detection, hacker, login, mail, microsoft, monitoring, powershell, tool, windowsWird PowerShell nicht richtig überwacht, ist das Security-Debakel meist nicht weit.Kriminelle Hacker setzen mitunter auf raffinierte Techniken, um sich über ausgedehnte Zeiträume in den Netzwerken von Unternehmen einzunisten und still und heimlich sensible Daten oder Logins abzugreifen. Dabei missbrauchen die Cyberkriminellen in vielen Fällen auch vom jeweiligen Zielunternehmen freigegebene Tools, um sich initial Zugang zu…
-
Microsoft-Lücke ermöglicht E-Mail-Versand ohne Authentifizierung
Tags: access, authentication, ciso, cyberattack, data, defense, dkim, dmarc, exploit, framework, hacker, infrastructure, mail, microsoft, phishing, powershell, qr, risk, tool, usa, vulnerability, zero-dayDrucker und Scanner werden dank einer Schwachstelle in der Microsoft 365 Direct Send-Funktion zunehmend zu Mitteln für Hacker, um Phishing-Angriffe durchzuführen.Das Forensik-Team von Varonis hat eine Schwachstelle entdeckt, die es internen Geräten wie Druckern ermöglicht, E-Mails ohne Authentifizierung zu versenden. Dem Bericht zufolgewurde die Lücke bereits genutzt, um mehr als 70 Unternehmen, vorwiegend in den…
-
Don’t trust that email: It could be from a hacker using your printer to scam you
Tags: authentication, control, credentials, data, defense, dkim, dmarc, email, endpoint, exploit, framework, hacker, infrastructure, iot, login, mail, microsoft, monitoring, network, phishing, powershell, qr, risk, scam, tactics, tool, vulnerability, zero-daytenantname.mail.protection.outlook.com, and companies’ internal email address formats can be trivial to figure out or easy to scrape from public sources or social media. Once an attacker has the domain and a valid email address, they are able to send emails that appear to come from inside the organization.In the campaign observed by Varonis’ forensics experts,…
-
APT28 Uses Signal Chat to Deploy BEARDSHELL Malware and COVENANT in Ukraine
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT.BEARDSHELL, per CERT-UA, is written in C++ and offers the ability to download and execute PowerShell scripts, as…
-
North Korean Hackers Weaponize GitHub Infrastructure to Distribute Malware
Tags: attack, cyber, cybersecurity, github, group, hacker, infrastructure, malicious, malware, north-korea, powershell, threatCybersecurity researchers have uncovered a sophisticated spearphishing campaign orchestrated by the North Korean threat group Kimsuky, leveraging GitHub as a critical piece of attack infrastructure to distribute malware since March 2025. This operation, identified through analysis of a malicious PowerShell script posted on X, showcases an alarming abuse of legitimate platforms like GitHub and Dropbox…
-
PowerShell Loaders Use In-Memory Execution to Evade Disk-Based Detection
A recent threat hunting session has revealed a sophisticated PowerShell script, named y1.ps1, hosted in an open directory on a Chinese server (IP: 123.207.215.76). First detected on June 1, 2025, this script operates as a shellcode loader, employing advanced in-memory execution techniques to bypass traditional disk-based detection mechanisms. The discovery, attributed to Shenzhen Tencent Computer…
-
Azure Misconfiguration Lets Attackers Take Over Cloud Infrastructure
A recent security analysis has revealed how a chain of misconfigurations in Microsoft Azure can allow attackers to gain complete control over an organization’s cloud infrastructure, from initial access to full tenant takeover. The attack path, demonstrated using real-world tools and PowerShell scripts, highlights the urgent need for organizations to harden their Azure deployments and…
-
New KimJongRAT Stealer Uses Weaponized LNK File to Deploy PowerShell-Based Dropper
The two new variants of the KimJongRAT stealer have emerged, showcasing the persistent and evolving nature of this malicious tool first identified in 2013. Detailed research by Palo Alto Networks’ Unit 42 reveals that these variants, one employing a Portable Executable (PE) file and the other a PowerShell implementation, leverage a weaponized Windows shortcut (LNK)…
-
New Sophisticated Multi-Stage Malware Campaign Uses VBS Files to Execute PowerShell Script
A recently uncovered malware campaign has revealed a highly sophisticated, multi-stage infection process utilizing heavily obfuscated Visual Basic Script (VBS) files to deploy remote access trojans (RATs) such as Remcos, LimeRAT, DCRat, and AsyncRAT. Discovered across a cluster of 16 open directories on various hosts, this campaign relies on a file named “sostener.vbs” (Spanish for…
-
GrayAlpha Hackers Group Exploits Browser Updates to Deploy PowerNet Loader and NetSupport RAT
Tags: attack, cyber, cybercrime, exploit, finance, group, hacker, infrastructure, malware, powershell, rat, threat, updateA new infrastructure linked to GrayAlpha, a cybercriminal entity overlapping with the notorious FIN7 group, has been exposed. This financially motivated threat actor, active since at least 2013, is known for its sophisticated attacks targeting retail, hospitality, and financial sectors. Custom Malware Uncovered The latest findings reveal GrayAlpha’s use of custom malware, including a PowerShell…
-
How to log and monitor PowerShell activity for suspicious scripts and commands
Block executable content from email client and webmailBlock executable files from running unless they meet a prevalence, age, or trusted list criterionBlock execution of potentially obfuscated scriptsBlock JavaScript or VBScript from launching downloaded executable contentBlock process creations originating from PSExec and WMI commands Log workstation PowerShell commands: Even without Microsoft Defender resources you need to…
-
Windows Defender Bypass Using PowerShell and Registry Edits in CyberEYE RAT
A newly discovered remote access trojan (RAT) named CyberEye is making waves in the cybersecurity community for its sophisticated capabilities and its reliance on Telegram, the popular messaging platform, as its command-and-control (C2) infrastructure. First detected in the wild in May 2025, CyberEye is distributed under various names, including TelegramRAT, and is rapidly gaining traction among cybercriminals…
-
Microsoft shares script to restore inetpub folder you shouldn’t delete
Microsoft has released a PowerShell script to help restore an empty ‘inetpub’ folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-restore-inetpub-folder-you-shouldnt-delete/