Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

A zero-day vulnerability in the TrueConf client application, CVE-2026-3502, was exploited in a targeted campaign against government entities in Southeast Asia. The flaw allows attackers controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints. The campaign, dubbed 'TrueChaos', abused the trusted update channel to deliver malware to multiple government agencies. The attack likely involved a Chinese-nexus threat actor and utilized the Havoc post-exploitation framework. The vulnerability stems from inadequate validation in the update process, enabling malicious updates to be distributed through a centrally managed server. TrueConf has since released a fix in version 8.5.3 of their Windows client.

Pulse ID: 69cbf7d955b9ee7f5f7ddfef
Pulse Link: https://otx.alienvault.com/pulse/69cbf7d955b9ee7f5f7ddfef
Pulse Author: AlienVault
Created: 2026-03-31 16:35:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#0Day #Asia #Chinese #CyberSecurity #Endpoint #Government #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Rust #Troll #Vulnerability #Windows #ZeroDay #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
How #AI Coding #Tools Crushed the Endpoint #Security Fortress. Security vendors have spent years building up defenses around the #endpoint, but one researcher says AI #coding tools have brought the walls down.
https://www.darkreading.com/application-security/ai-coding-tools-endpoint-security

Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.

Pulse ID: 69bd18a7cc27dfdfaf6f56a4
Pulse Link: https://otx.alienvault.com/pulse/69bd18a7cc27dfdfaf6f56a4
Pulse Author: AlienVault
Created: 2026-03-20 09:51:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASEC #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #OTX #OpenThreatExchange #RAT #RCE #Rust #SupplyChain #Troll #bot #AlienVault

EDR killers explained: Beyond the drivers

This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools used by ransomware attackers to disrupt security solutions before deploying encryptors. The research, based on almost 90 EDR killers tracked in the wild, reveals that these tools are fundamental in modern ransomware operations. Affiliates, not operators, typically choose EDR killers, leading to greater tooling diversity in larger affiliate pools. The same vulnerable driver can appear in unrelated tools, and tools can switch between drivers, making driver-based attribution unreliable. The landscape includes forked proofs of concept, professional implementations, and commercial offerings. While the Bring Your Own Vulnerable Driver (BYOVD) technique dominates, custom scripts, anti-rootkits, and driverless approaches are also utilized. The analysis emphasizes the importance of looking beyond drivers to understand the full scope of the EDR killer ecosystem and its implications for cybersecurity.

Pulse ID: 69bc161ca8746db879422810
Pulse Link: https://otx.alienvault.com/pulse/69bc161ca8746db879422810
Pulse Author: AlienVault
Created: 2026-03-19 15:28:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #InfoSec #OTX #OpenThreatExchange #RAT #RansomWare #Rootkit #bot #AlienVault

Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages

A widespread SMS pumping campaign has been identified, targeting customer sign-up pages. The attackers, designated as O-UNC-036, use disposable email infrastructure and proxy services to launch high-volume, automated attacks against public API endpoints. Their objective is to create numerous accounts and trigger SMS messages to actor-controlled phone numbers, generating significant financial costs for target organizations. The attack pattern involves reconnaissance, infrastructure setup, and high-volume requests using known high-cost phone country codes. The campaign has been active since at least March 2024, affecting multiple tenants and organizations. Recommended protective measures include implementing FIDO Authentication, blocking suspicious domains and ASNs, and enhancing monitoring and response capabilities.

Pulse ID: 69b4567b03ea40d6ffd8a0f7
Pulse Link: https://otx.alienvault.com/pulse/69b4567b03ea40d6ffd8a0f7
Pulse Author: AlienVault
Created: 2026-03-13 18:24:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Endpoint #InfoSec #OTX #OpenThreatExchange #Proxy #RAT #SMS #Troll #bot #AlienVault

CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security

A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.

Pulse ID: 69b14da6cb1bf921c7ac6d22
Pulse Link: https://otx.alienvault.com/pulse/69b14da6cb1bf921c7ac6d22
Pulse Author: AlienVault
Created: 2026-03-11 11:10:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #RAT #SocialEngineering #Steganography #bot #AlienVault

My guide for endpoint security startups is out now.

The path between competing against entrenched platforms and becoming a feature they bundle is narrow. The guide walks through the questions that founders, buyers, and investors should answer to tell the difference.

I got to know this space when leading product at Minerva Labs (now part of Rapid7), but much has changed since then.

https://zeltser.com/endpoint-security-startup-questions

#cybersecurity #infosec #startups #productmanagement #endpoint

Competing in Endpoint Security: A Guide for Startups

There are areas where endpoint security startups can build viable, useful products, but those openings shift as adjacent categories converge and incumbents absorb new capabilities. Founders, buyers, and investors need to distinguish a viable product strategy from a feature waiting to be bundled.

Lenny Zeltser

Cloudflare has announced that its Browser Rendering service now includes a new /crawl endpoint that makes it possible to crawl an entire website with a single API call. The tool is now available in open beta for users on both free and paid plans.

What /crawl can do:
• Simply send the URL of the starting page and Cloudflare automatically discovers and processes all pages […]

https://zdrojak.cz/zpravicky/cloudflare-spustil-novy-crawl-endpoint-pro-automaticke-prochazeni-webu/
Crawl entire websites with a single API call using Browser Rendering

Browser Rendering's new /crawl endpoint lets you submit a starting URL and automatically discover, render, and return content from an entire website as HTML, Markdown, or structured JSON.

Cloudflare Docs
CVE Alert: CVE-2026-1603 - Ivanti - Endpoint Manager - RedPacket Security

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

RedPacket Security