Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls). The attack chain involves the use of a phishing email as a starting point.

FIN7 has been linked to a Python-based backdoor called Anubis that can grant them remote access to compromised Windows systems. This malware allows attackers to execute remote shell commands and other system operations.

The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of persistence and data theft.

As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages revealed that the author is Turkish-speaking.

A Pakistan-linked APT group has been found creating a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of EDRKillShifter to disable endpoint security software, according to ESET.

The redirections have been found to occur via JavaScript hosted on five different domains (e.g., "zuizhongyj[.]com") that, in turn, serve the main payload responsible for performing the redirects.

Morphing Meerkat likely delivered thousands of spam emails, with the phishing messages using compromised WordPress websites and open redirect vulnerabilities on advertising platforms like Google-owned DoubleClick to bypass security filters.

The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.