  • Check Point Research uncovered an active malware campaign exploiting expired and released Discord invite links.
  • Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers.
  • The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets.
  • Payload delivery and data exfiltration occur exclusively via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord, helping the operation blend into normal traffic and avoid raising alarms. The operation continues to evolve, and threat actors can now bypass Chrome’s App Bound Encryption (ABE) by using adapted tools like ChromeKatz to steal cookies from new Chromium browser versions.
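The takeover described above only works because an invite code that has expired or been released can be re-registered by someone else. A practical check for a team that has published invite links in docs, READMEs or old posts is to re-resolve each code and confirm it still lands on a guild you own. The script below is an added example for this post, not Check Point's tooling; it assumes the shape of the public Discord invite endpoint (`GET /api/v10/invites/{code}` returns an invite object whose `guild.id` identifies the server, and an error object with integer `code` 10006 for an unknown invite), and the API responses embedded in it are constructed, so it runs offline.

```python
"""Re-check published Discord invite codes against the guilds we own.

Hypothetical monitoring helper (added example, not Check Point's code).
An expired or released code may be re-registered by someone else as a vanity
URL, so a code that now resolves to an unknown guild, or no longer resolves at
all, is flagged. Response shapes are an assumption from the public API docs;
the responses below are constructed stand-ins for live API calls.
"""
import re

# Matches discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

UNKNOWN_INVITE = 10006  # Discord JSON error code for "Unknown Invite" (assumption from docs)


def extract_invite_codes(text: str) -> list[str]:
    """Pull invite codes out of free text (docs, READMEs, old forum posts)."""
    return INVITE_RE.findall(text)


def classify_invite(response, owned_guild_ids):
    """Classify one invite lookup. Returns (status, detail).

    A successful lookup returns an invite object whose "code" is the string
    invite code; an error returns an object whose "code" is an integer.
    """
    if response is None:
        return "unreachable", "no response recorded for this code"
    if isinstance(response.get("code"), int):
        if response["code"] == UNKNOWN_INVITE:
            return "dead", "invite no longer resolves; the code is free to be re-registered"
        return "error", f"API error {response['code']}: {response.get('message')}"
    guild = response.get("guild") or {}
    guild_id = guild.get("id")
    if guild_id is None:
        return "unexpected", "invite carries no guild (group DM or malformed response)"
    if guild_id in owned_guild_ids:
        return "ok", f"resolves to owned guild {guild_id}"
    return "hijacked", f"resolves to foreign guild {guild_id!r} ({guild.get('name')!r})"


def audit_invites(text, responses, owned_guild_ids):
    """Map every invite code found in `text` to its classification.

    `responses` stands in for the fetcher: code -> decoded JSON (or None).
    """
    results = {}
    for code in dict.fromkeys(extract_invite_codes(text)):  # dedupe, keep order
        results[code] = classify_invite(responses.get(code), owned_guild_ids)
    return results


# Constructed sample input: an old README with three published links.
SAMPLE_TEXT = """Join us at https://discord.gg/ourteam
Legacy link: discord.com/invite/oldlink
Mirror: https://discord.gg/takeover"""

# Constructed stand-ins for what the invite endpoint would return today.
SAMPLE_RESPONSES = {
    "ourteam": {"code": "ourteam", "type": 0, "guild": {"id": "111", "name": "Our Team"}},
    "oldlink": {"message": "Unknown Invite", "code": 10006},
    "takeover": {"code": "takeover", "type": 0, "guild": {"id": "999", "name": "Free Nitro"}},
}
OWNED_GUILD_IDS = {"111"}

if __name__ == "__main__":
    for code, (status, detail) in audit_invites(SAMPLE_TEXT, SAMPLE_RESPONSES, OWNED_GUILD_IDS).items():
        print(f"{code:10} {status:10} {detail}")
```

In a real run, replace `SAMPLE_RESPONSES` with the decoded body of each invite lookup; a "dead" code is the one to re-register yourself (or scrub from your documents) before someone else does, and a "hijacked" code needs an immediate notice to whoever still follows the link.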

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to having their cases described publicly. The key findings from our forensic analysis of their devices are summarized below:

  • Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
  • We identify an indicator linking both cases to the same Paragon operator.
  • Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200. Our analysis is ongoing.

cross-posted from: https://scribe.disroot.org/post/3093548

Archived version

...

Russia’s subsequent efforts to destabilize and subjugate ... Ukraine have involved a combination of conventional military aggression, sabotage, cyberattacks, disinformation campaigns, and support for pro-Russian actors in Ukraine. Thanks to this prolonged exposure to Russian hybrid warfare, Ukraine has been able to develop countermeasures that have helped build resilience and reduce the impact of Russia’s hybrid operations.

Ukraine’s response has been a collaborative effort involving the Ukrainian government, civil society, and the private sector. In the cyber sphere, efforts to improve Ukraine’s digital security have played a key role, with the launch of the country’s popular Diia platform and the establishment of the Ministry of Digital Transformation helping to drive important digital governance reforms.

...

Ukraine has also benefited from a decentralized approach involving digital volunteers, civil society, and public-private partnerships. A wide range of civic tech groups and open-source investigators are active in Ukraine detecting and countering Russian disinformation. These measures have made it possible to expose Russian narratives efficiently, coordinate messaging across government and civil society, and maintain coherence during military operations.

...

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

cross-posted from: https://lemmy.sdf.org/post/36375283

Archived

Here is the technical report by SentinelOne.

An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.

SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered these new clusters of malicious activity when the suspected Chinese spies tried to break into SentinelOne's own servers in October.

"We tend to prioritize China, and seeing them start to poke at our own products, our own infrastructure, that immediately raises the red flag for us," SentinelOne threat researcher Tom Hegel told The Register in a phone interview. While the attempted SentinelOne intrusion was unsuccessful, being the target of a Chinese reconnaissance campaign led the threat hunters into a deeper analysis of the broader campaign and malware used.

"We started to hunt for it globally, look at their infrastructure and identify those other victims," Hegel said.

[...]

SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.

Additionally, the security outfit's research uncovered a September 2024 intrusion into a "leading European media organization."

It's a broad range of victims, but they all share one thing in common: they represent strategic targets as China prepares for war of the cyber or kinetic variety.

[...]

SentinelOne, as a security vendor for government and critical infrastructure organizations, makes an attractive starting point for a supply-chain attack along the lines of what Russian spies did to Mandiant during the SolarWinds fiasco.

[...]

submitted 2 days ago* (last edited 2 days ago) by Pro@programming.dev to c/cybersecurity@infosec.pub
  • Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server. CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates.
  • Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen.
  • Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware.
  • Stealth Falcon deploys custom implants based on the open-source red team framework Mythic, which are either derived from existing agents or a private variant we dubbed Horus Agent. The customization not only introduces anti-analysis and anti-detection measures but also validates target systems before ultimately delivering more advanced payloads.
  • In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 2 years ago