cybersecurity

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

• Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server. CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates.
• Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen.
• Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware.
• Stealth Falcon deploys custom implants based on open-source red team framework Mythic, which are either derived from existing agents or a private variant we dubbed Horus Agent. The customization not only introduce anti-analysis and anti-detection measures but also validate target systems before ultimately delivering more advanced payloads.
• In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.

cross-posted from: https://lemmy.sdf.org/post/36375283

Archived

Here is the technical report by SentinelOne.

An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.

SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered these new clusters of malicious activity when the suspected Chinese spies tried to break into SentinelOne's own servers in October.

"We tend to prioritize China, and seeing them start to poke at our own products, our own infrastructure, that immediately raises the red flag for us," SentinelOne threat researcher Tom Hegel told The Register in a phone interview. While the attempted SentinelOne intrusion was unsuccessful, being the target of a Chinese reconnaissance campaign led the threat hunters into a deeper analysis of the broader campaign and malware used.

"We started to hunt for it globally, look at their infrastructure and identify those other victims," Hegel said.

[...]

SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.

Additionally, the security outfit's research uncovered a September 2024 intrusion into a "leading European media organization."

It's a broad range of victims, but they all share one thing in common: they represent strategic targets as China prepares for war of the cyber or kinetic variety.

[...]

SentinelOne, as a security vendor for government and critical infrastructure organizations, makes an attractive starting point for a supply-chain attack along the lines of what Russian spies did to Mandiant during the SolarWinds fiasco.

[...]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

A customer wanted to know if we had protections for ‘Sakura RAT,’ an open-source malware project hosted on GitHub, because of media claims that it had “sophisticated anti-detection capabilities.”

When we looked into Sakura RAT, we quickly realized two things. First, the RAT itself was likely of little threat to our customer. Second, while the repository did indeed contain malicious code, that code was intended to target people who compiled the RAT, with infostealers and other RATs. In other words, Sakura RAT was backdoored.

Given our previous explorations of the niche world of threat actors targeting each other, we thought we’d investigate further, and that’s where things got odd. We found a link between the Sakura RAT ‘developer’ and over a hundred other backdoored repositories – some purporting to be malware and attack tools, others gaming cheats.

When we analyzed the backdoors, we ended up down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants. The upshot is that a threat actor is creating backdoored repositories at scale, predominantly targeting game cheaters and inexperienced threat actors – and has likely been doing so for some time.

Our research suggests a link to a Distribution-as-a-Service operation previously reported on in 2024-2025 (see Prior work), but which may have existed in some form as early as 2022.

We have reported all the backdoored repositories still active at the time of our research to GitHub, as well as a repository hosting a malicious 7z archive. We also contacted the owners/operators of relevant paste sites hosting obfuscated malicious code. As of this writing, the repository hosting the malicious 7z archive, the vast majority of the backdoored repositories, and many of the malicious pastes, have been taken down.