VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server to a newly spawned process of Microsoft Paint ("mspaint.exe") to facilitate reconnaissance, collection, and exfiltration.

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.

Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls). The attack chain involves the use of a phishing email as a starting point.

FIN7 has been linked to a Python-based backdoor called Anubis that can grant them remote access to compromised Windows systems. This malware allows attackers to execute remote shell commands and other system operations.

The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of persistence and data theft.

As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages revealed that the author is Turkish-speaking.

A Pakistan-linked APT group has been found creating a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of EDRKillShifter to disable endpoint security software, according to ESET.

The redirections have been found to occur via JavaScript hosted on five different domains (e.g., "zuizhongyj[.]com") that, in turn, serve the main payload responsible for performing the redirects.

Morphing Meerkat likely delivered thousands of spam emails, with the phishing messages using compromised WordPress websites and open redirect vulnerabilities on advertising platforms like Google-owned DoubleClick to bypass security filters.