Open-Source Python Script Drives Social Media Phishing Campaign
In this particular campaign, attackers abused LinkedIn’s professional context to establish trust and familiarity, increasing their chances of success by targeting high-value individuals in corporate environments. This tactic, however, could be applied to any social media platform commonly accessed on business devices.
https://reliaquest.com/blog/threat-spotlight-open-source-python-script-drives-social-media-phishing-campaign
ReliaQuest
Threat Research: Open-Source Python Script Drives Social Media Phishing Campaign
A new phishing campaign exploits social media trust and open-source Python scripts to bypass email security and deploy remote access trojans.
Microsoft mishandling example.com
https://tinyapps.org/blog/microsoft-mishandling-example-com.html
Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
Docs
Autodiscover service in Exchange Server
Summary: Learn about the Autodiscover service in Exchange 2016 and Exchange 2019, which lets client applications and users configure themselves with minimal input.
Love? Actually: Fake dating app used as lure in targeted spyware campaign
https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
Welivesecurity
Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan
ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation.
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation
https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html
Trend Micro
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities.
Notepad++ Hijacked by State-Sponsored Hackers
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
Tenable®
LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
Tenable Research discovered two novel vulnerabilities in Google Looker that could allow an attacker to completely compromise a Looker instance. Google moved swiftly to patch these issues. Organizations running Looker on-prem should verify they have upgraded…
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/
Datadoghq
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Fake 7-Zip downloads are turning home PCs into proxy nodes
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
Malwarebytes
Fake 7-Zip downloads are turning home PCs into proxy nodes
A convincing lookalike of the popular 7-Zip archiver site has been silently turning victims’ machines into residential proxy nodes.
Old-School IRC, New Victims: Inside The Newly Discovered SSHStalker Linux Botnet
https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
Flare | Threat Exposure Management | Unmatched Visibility into Cybercrime
Old-School IRC, New Victims: Inside the Newly Discovered SSHStalker Linux Botnet
Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker. To the best of our knowledge, no other research team has reported on this threat actor. Our SSH honeypot captured multiple attacks over two months…
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks
https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
Check Point Research
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks - Check Point Research
Key Points Introduction AI is rapidly becoming embedded in day-to-day enterprise workflows, inside browsers, collaboration suites, and developer tooling. As a result, AI service domains increasingly blend into normal corporate traffic, often allowed by default…
PromptSpy ushers in the era of Android threats using GenAI
https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
Welivesecurity
PromptSpy ushers in the era of Android threats using GenAI
ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow.
Refund scam impersonates Avast to harvest credit card details
https://www.malwarebytes.com/blog/threat-intel/2026/02/refund-scam-impersonates-avast-to-harvest-credit-card-details
Malwarebytes
Refund scam impersonates Avast to harvest credit card details
A convincing fake Avast site displays a €499.99 charge and promises a refund. Instead, it harvests your name, address, and full credit card details.
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
Unit 42
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
A high-severity CVE-2026-0628 in Chrome's Gemini allowed local file access and privacy invasion. Google quickly patched the flaw.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
https://r3verii.github.io/cve/2026/02/27/nodejs-toctou.html
CyberSec Notes
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Deep dive into a TOCTOU vulnerability in Node.js’s ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads.
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering
BlueVoyant
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social…
BlueVoyant's Security Operations Center (SOC) recently uncovered a new A0Backdoor delivered through Teams impersonation.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
blacksanta-edr-killer-threat-report.pdf
BlackSanta EDR-Killer
A Silent Threat Targeting Recruitment Workflows. Aryaka Threat Labs has uncovered a sophisticated malware campaign:
The malware performs system reconnaissance and conducts environment checks to detect sandboxes, virtual machines, and debugging tools to evade analysis. A key component, BlackSanta, acts as an EDR-killer, disabling security solutions to ensure malicious payloads run undetected.
Once established, the malware communicates with command-and-control servers over encrypted HTTPS to exfiltrate sensitive data, demonstrating a persistent and highly sophisticated cyber threat.
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
https://iverify.io/blog/darksword-ios-exploit-kit-explained
https://iverify.io/blog/darksword-ios-exploit-kit-explained
iverify.io
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.
How TeamPCP's supply chain attack evolved
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time:
https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
ReversingLabs
Inside the TeamPCP cascading supply chain attack | ReversingLabs
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time.
Operation NoVoice: Rootkit Tells No Tales
WhatsApp under attack
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
McAfee Blog
Operation NoVoice: Rootkit Tells No Tales | McAfee Blog
Authored By: Ahmad Zubair Zahid McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The
SecuritySnack - OpenAI Anti-Ads Malware
This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store.
https://dti.domaintools.com/securitysnacks/securitysnack-openai-anti-ads-malware
Domaintools
DomainTools Investigations | SecuritySnack - OpenAI Anti-Ads Malware
Capitalizing on OpenAI's new ad policy, a malicious Chrome extension masked as a ChatGPT ad blocker was quietly stealing your conversations and sending them to a Discord channel.