🔐 Master Microsoft Intune Suite with confidence

Mastering Endpoint Management using Microsoft Intune Suite by Saurabh Sarkar and Rahul Singh is a hands-on guide to Intune’s premium features. Learn real-world implementation of Cloud PKI, EPM, EAM, Advanced Analytics, Remote Help, and Microsoft Tunnel with practical architecture insights and troubleshooting tips.

💸 15% OFF on Amazon.com

👉 Buy here: https://packt.link/X7oV7

#intune #Endpoint #ITSecurity #infosec #tech #technology #bot #books

Evasive SideWinder APT Campaign Detected

A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign uses DLL side-loading techniques with legitimate Microsoft Defender binaries to bypass EDR, and utilizes public cloud storage and URL shorteners to evade reputation-based detections. The threat actors employ geofencing behavior, focusing on systems in South Asian timezones. The attack chain includes phishing emails, fraudulent websites, and malicious payloads delivered through file-sharing services. The final stage involves a resident agent that beacons to a command-and-control server, mimicking Chinese endpoint tool protocols.

Pulse ID: 6946da89fb6334ddbb8e3f5c
Pulse Link: https://otx.alienvault.com/pulse/6946da89fb6334ddbb8e3f5c
Pulse Author: AlienVault
Created: 2025-12-20 17:19:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Chinese #Cloud #CyberSecurity #EDR #Email #Endpoint #Espionage #FileSharing #India #InfoSec #Microsoft #MicrosoftDefender #Mimic #OTX #OpenThreatExchange #Phishing #Sidewinder #SouthAsia #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

New BYOVD loader behind DeadLock ransomware attack

A new loader exploiting a Baidu Antivirus driver vulnerability (CVE-2024-51324) has been discovered in connection with DeadLock ransomware attacks. The threat actor uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate endpoint detection and response processes. A PowerShell script is employed to bypass User Account Control, disable Windows Defender, terminate security services, and delete volume shadow copies. DeadLock ransomware targets Windows machines using a custom stream cipher encryption algorithm with time-based cryptographic keys. The attack involves initial access through compromised accounts, system registry modifications, remote access establishment, reconnaissance, lateral movement, and defense impairment. The ransomware's sophisticated encryption process includes recursive directory traversal, memory-mapped file I/O, and multi-threaded processing.

Pulse ID: 693940b7880240f017419d5c
Pulse Link: https://otx.alienvault.com/pulse/693940b7880240f017419d5c
Pulse Author: AlienVault
Created: 2025-12-10 09:43:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #Endpoint #EndpointDetectionandResponse #InfoSec #Mac #OTX #OpenThreatExchange #PowerShell #RansomWare #Vulnerability #Windows #bot #AlienVault

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to conceal malicious activity as routine operations, bypass defenses, and maintain persistence. Their new tactics include Microsoft domain spoofing, curl-to-PowerShell piping, and fileless execution. Storm-0249's ability to weaponize trusted processes and conduct stealthy reconnaissance poses significant challenges for security teams. The group's evolution represents a broader trend in the ransomware-as-a-service ecosystem, lowering the technical barrier for attackers and accelerating the spread of ransomware across sectors.

Pulse ID: 69393ab7f0d78ccb11a14d9a
Pulse Link: https://otx.alienvault.com/pulse/69393ab7f0d78ccb11a14d9a
Pulse Author: AlienVault
Created: 2025-12-10 09:17:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RansomWare #RansomwareAsAService #Rust #SentinelOne #SideLoading #bot #AlienVault

North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads

The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Since our July 14, 2025 update, we have identified and analyzed more than 338 malicious packages with over 50,000 cumulative downloads.

25 of these packages remain live on the npm registry at the time of writing. We have submitted takedown requests to the npm security team and petitioned for suspension of the associated publisher accounts.

In this latest wave, North Korean threat actors used more than 180 fake personas tied to new npm aliases and registration emails, and ran over a dozen command and control (C2) endpoints (see IOCs). Their tooling has evolved from direct BeaverTail malware droppers to HexEval, XORIndex, and encrypted loaders. Each executes at install or import, reconstructs obfuscated BeaverTail in memory, then typically fetches the InvisibleFerret backdoor for persistence. New malicious packages appear weekly, including this week.

Pulse ID: 6937a6785aada092d832512e
Pulse Link: https://otx.alienvault.com/pulse/6937a6785aada092d832512e
Pulse Author: Tr1sa111
Created: 2025-12-09 04:32:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #Endpoint #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

Digital Toolbox: Endpoint Security
The practice of protecting devices like laptops, smartphones, and servers from cybersecurity threats by securing them as entry points to a network.

https://wadebach.blackcatwhitehatsecurity.com/?#Endpoint%20Security

#Digital #Toolbox #Endpoint #Security #Technology #Engineering

Windows Endpoint Protection
Endpoint protection is the name of the game, and we play to win.

https://blackcatwhitehatsecurity.com?#Endpoint

#BCWH #Windows #Endpoint #Protection #Governance #Risk #Compliance #Programming

Dragons in Thunder

This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.

Pulse ID: 69295039f12135a4c2de7692
Pulse Link: https://otx.alienvault.com/pulse/69295039f12135a4c2de7692
Pulse Author: AlienVault
Created: 2025-11-28 07:33:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #ICS #InfoSec #Ivanti #Malware #Microsoft #OTX #OpenThreatExchange #RCE #Russia #Rust #Sliver #bot #AlienVault

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to Ukraine, aligning with RomCom's focus on entities supporting Ukraine. Evidence suggests Russia's GRU unit 29155 is leveraging SocGholish for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.

Pulse ID: 6925f15de6ea757941c36353
Pulse Link: https://otx.alienvault.com/pulse/6925f15de6ea757941c36353
Pulse Author: AlienVault
Created: 2025-11-25 18:11:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Endpoint #InfoSec #Java #JavaScript #Malware #Mythic #OTX #OpenThreatExchange #RAT #RomCom #Russia #SocGholish #UK #Ukr #Ukraine #bot #AlienVault
