Windows Stealers: How Modern Infostealers Harvest Credentials
https://deceptiq.com/blog/windows-stealers-technical-analysis
DeceptIQ
Windows Stealers: How Modern Infostealers Harvest Credentials
Technical analysis of Windows infostealers using Sryxen as a case study. How they decrypt browser data via DPAPI and exfiltrate credentials.
December 2025 Security Updates
This release consists of the following 57 Microsoft CVEs:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Dec
CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
https://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/
SentinelOne
CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
Deep dive into CyberVolk’s new VolkLocker ransomware-as-a-service, its major design flaw, and what it signals for cyber defenders.
Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users
www.koi.ai
Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
Discover how GhostPoster used a malicious PNG icon to infect 50,000 Firefox users and the risks behind seemingly harmless downloads.
Nezha: The Monitoring Tool That’s Also a Perfect RAT
https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
Ontinue
Nezha: The Monitoring Tool That's Also a Perfect RAT
Research from Ontinue reveals how Nezha, a legitimate open-source monitoring tool, is being abused by attackers as a stealthy post-exploitation RAT.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Time Nist Gov Incorrect Time
The affected servers are:
time-a-b.nist.gov
time-b-b.nist.gov
time-c-b.nist.gov
time-d-b.nist.gov
time-e-b.nist.gov
ntp-b.nist.gov (authenticated NTP)
https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I
Bluetooth Headphone Jacking: Full Disclosure of Airoha RACE Vulnerabilities
https://insinuator.net/2025/12/bluetooth-headphone-jacking-full-disclosure-of-airoha-race-vulnerabilities/
VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
https://unit42.paloaltonetworks.com/vvs-stealer/
Unit 42
VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
VVS stealer (or VVS $tealer) is a Python-based infostealer targeting Discord users. It employs Pyarmor for obfuscation, contributing to its efficacy.
deVixor: An Evolving Android Banking RAT with Ransomware
https://cyble.com/blog/devixor-an-evolving-android-banking-rat-with-ransomware-capabilities-targeting-iran/
Cyble
DeVixor Android Banking RAT Targeting Iran
Cyble analyzed deVixor, an advanced Android banking RAT with ransomware features actively targeting Iranian users.
UNVEILING VOIDLINK – A STEALTHY, CLOUD-NATIVE LINUX MALWARE FRAMEWORK
https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
Check Point Research
VoidLink: The Cloud-Native Malware Framework
The new framework maintains long-term access to Linux systems while operating reliably in cloud and container environments
StackWarp is a security vulnerability that exploits a synchronization bug present in all AMD Zen 1–5 processors. In the context of SEV-SNP, this flaw allows malicious VM hosts to manipulate the guest VM’s stack pointer
https://stackwarpattack.com/
Malware Peddlers Are Now Hijacking Snap Publisher Domains
There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some gets caught by automated filters, but plenty slips through. Recently, these miscreants have changed tactics - they’re now registering expired domains belonging to legitimate snap publishers, taking over their accounts, and pushing malicious updates to previously trustworthy applications..:
https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap-email-domains/
Alan Pope's blog
Malware Peddlers Are Now Hijacking Snap Publisher Domains
tl;dr: There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some gets caught by automated filters, but plenty slips through. Recently, these miscreants have …
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
7 vouchers for a 100% discount from The Linux Foundation
+ 7 accesses to the Kubernetes База video course
The vouchers can be applied to any:
— online course
— certification exam (CKA, CKS, CKAD and more)
— or bundle (course + certification)
On January 29 we will tally the results and pick 7 winners. Each winner receives a voucher + access to the course from Slurm.
Activation is valid until 07.01.2027; after that you have 1 year and 2 attempts to complete the training and pass the exam.
Details here - https://core247.kz/cncf
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
UNO reverse card: stealing cookies from cookie stealers
https://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers
P.S. there is even advertising in the malware's control panel 😁
Cyberark
UNO reverse card: stealing cookies from cookie stealers
Criminal infrastructure often fails for the same reasons it succeeds: it is rushed, reused, and poorly secured. In the case of StealC, the thin line between attacker and victim turned out to be...
Threat Actors Expand Abuse of Microsoft Visual Studio Code
This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system:
https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/
Open-Source Python Script Drives Social Media Phishing Campaign
..In this particular campaign, attackers abused LinkedIn’s professional context to establish trust and familiarity, increasing their chances of success by targeting high-value individuals in corporate environments. This tactic, however, could be applied to any social media platform commonly accessed on business devices..:
https://reliaquest.com/blog/threat-spotlight-open-source-python-script-drives-social-media-phishing-campaign
ReliaQuest
Threat Research: Open-Source Python Script Drives Social Media Phishing Campaign
A new phishing campaign exploits social media trust and open-source Python scripts to bypass email security and deploy remote access trojans.
Microsoft mishandling example.com
Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
https://tinyapps.org/blog/microsoft-mishandling-example-com.html
Docs
Autodiscover service in Exchange Server
Summary: Learn about the Autodiscover service in Exchange 2016 and Exchange 2019, which lets client applications and users configure themselves with minimal input.
Love? Actually: Fake dating app used as lure in targeted spyware campaign
https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
Welivesecurity
Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan
ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation.
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation
https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html
Trend Micro
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities.