FlipSwitch: a Novel Syscall Hooking Technique

FlipSwitch introduces a new syscall hooking technique for Linux kernel 6.9+, bypassing traditional methods rendered obsolete by changes in the syscall dispatch mechanism. The technique locates the original syscall function, scans the x64_sys_call function's machine code for a specific call instruction, and modifies its offset to redirect to a malicious function. This precise method leaves minimal traces and can be fully reverted. FlipSwitch demonstrates the ongoing evolution of attack techniques in response to kernel hardening efforts, highlighting the cat-and-mouse game between attackers and defenders in cybersecurity.

Pulse ID: 68dbd4d29f6ebf19ffe79f50
Pulse Link: https://otx.alienvault.com/pulse/68dbd4d29f6ebf19ffe79f50
Pulse Author: AlienVault
Created: 2025-09-30 13:02:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Linux #Mac #Nim #OTX #OpenThreatExchange #RAT #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Datzbro: RAT Hiding Behind Senior Travel Scams

A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote access, screen sharing, black overlay attacks, and keylogging, allowing attackers to perform financial fraud. It specifically targets banking and crypto-related apps, stealing credentials and sensitive information. The malware's origin appears to be Chinese-speaking developers, and its command-and-control application has been leaked, potentially making it a global threat. The campaign demonstrates the evolving sophistication of mobile threats, blending social engineering with advanced technical capabilities.

Pulse ID: 68dbc723efac718f1d90b6de
Pulse Link: https://otx.alienvault.com/pulse/68dbc723efac718f1d90b6de
Pulse Author: AlienVault
Created: 2025-09-30 12:03:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #BankingTrojan #Chinese #CyberSecurity #Facebook #FinancialFraud #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SocialEngineering #SpyWare #Trojan #bot #developers #AlienVault


Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and military operations, with the objective of gathering sensitive information. Phantom Taurus employs distinctive tactics, techniques, and procedures, including a new malware suite called NET-STAR. This suite consists of three web-based backdoors designed to target Internet Information Services (IIS) web servers. The group has recently shifted from targeting emails to directly accessing databases, demonstrating their ability to adapt and evolve their methods. Phantom Taurus' activities align with Chinese strategic interests, and their infrastructure overlaps with other known Chinese APT groups.

Pulse ID: 68dc119747c51064f96051fc
Pulse Link: https://otx.alienvault.com/pulse/68dc119747c51064f96051fc
Pulse Author: AlienVault
Created: 2025-09-30 17:21:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Asia #BackDoor #Chinese #CyberSecurity #Email #Espionage #Government #ICS #InfoSec #Malware #MiddleEast #Military #OTX #OpenThreatExchange #RAT #Taurus #Telecom #Telecommunication #bot #AlienVault


Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

An analysis of robots.txt files revealed over 60 cryptocurrency phishing pages impersonating hardware wallet brands Trezor and Ledger. The actor behind these pages attempted to block phishing reporting sites by including their endpoints in the robots.txt file, demonstrating a misunderstanding of its function. Most sites were hosted on Cloudflare Pages, with a few on custom domains. The campaign's unusual robots.txt pattern was also found in GitHub repositories containing crypto-themed spoof pages. Merge conflicts in README files suggest the actor may lack web development expertise. Various free web hosting providers were used for similar spoofed pages. The campaign highlights the ongoing targeting of cryptocurrency users and the potential effectiveness of even poorly executed phishing attempts.

Pulse ID: 68dc1d57df2b39428324e2b6
Pulse Link: https://otx.alienvault.com/pulse/68dc1d57df2b39428324e2b6
Pulse Author: AlienVault
Created: 2025-09-30 18:11:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Edge #Endpoint #GitHub #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #bot #cryptocurrency #AlienVault


Eye of the Storm: Analyzing DarkCloud's Latest Capabilities

eSentire's Threat Response Unit detected a spear-phishing campaign targeting a manufacturing customer, attempting to deliver the DarkCloud information-stealing malware. The malware, distributed through a malicious zip archive, has undergone significant updates including a VB6 rewrite and enhanced evasion techniques. DarkCloud targets various data types including browser credentials, keystrokes, FTP credentials, and cryptocurrency wallets. The malware employs sophisticated evasion methods to avoid detection by sandboxes and security researchers. It supports multiple exfiltration methods including SMTP, Telegram, FTP, and Web Panel. The report provides detailed technical analysis of DarkCloud's functionality, distribution methods, and evasion techniques.

Pulse ID: 68da52920ea4c26c967e296b
Pulse Link: https://otx.alienvault.com/pulse/68da52920ea4c26c967e296b
Pulse Author: AlienVault
Created: 2025-09-29 09:34:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #InfoSec #Malware #Manufacturing #OTX #OpenThreatExchange #Phishing #RAT #SpearPhishing #Telegram #ThreatResponseUnit #ZIP #bot #cryptocurrency #eSentire #AlienVault


From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.

Pulse ID: 68dab5b611126784770068b5
Pulse Link: https://otx.alienvault.com/pulse/68dab5b611126784770068b5
Pulse Author: AlienVault
Created: 2025-09-29 16:37:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CobaltStrike #CyberSecurity #DataTheft #InfoSec #Java #JavaScript #Malware #NET #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Rclone #bot #AlienVault


Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state interests. Between 2019 and 2022, Conti targeted healthcare providers, governments, educational institutions, critical infrastructure, and private businesses, earning an estimated $180 million in 2021. Their aggressive tactics highlighted the urgent need for strong cybersecurity defenses. In 2022, internal divisions arose following leaked private chats. Conti's operations mimicked legitimate businesses, showcasing the industrialization of cybercrime and its devastating impact on critical sectors.

Pulse ID: 68db677b189fbc5307a5a270
Pulse Link: https://otx.alienvault.com/pulse/68db677b189fbc5307a5a270
Pulse Author: AlienVault
Created: 2025-09-30 05:15:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #Education #Encryption #Extortion #Government #Healthcare #ICS #InfoSec #Mimic #OTX #OpenThreatExchange #RAT #RansomWare #Russia #UK #bot #AlienVault

We teamed up and took it apart completely #ラット #ファンシーラット #rat
Change of power after the mayoral runoff in the "heart-attack ward of social democracy". For CDU state chairman Henrik Wüst it is "the miracle of #Dortmund". #Wahlen #Politik #Rat
https://www.nordstadtblogger.de/machtwechsel-nach-der-ob-stichwahl-in-der-herzinfarktkammer-der-sozialdemokratie/
Change of power after the mayoral runoff in the "heart-attack ward of social democracy" - Nordstadtblogger

By Lukas Pazzini, Finn Wieschermann, Alex Völkel, Erik Latos and Sina Sakrzewa. Something historic happened on Sunday, as could be heard again and again in Dortmund city hall. The CDU could hardly put its joy into words …

Nordstadtblogger