Luka zero-day w Adobe Reader: wystarczy otworzyć zainfekowany plik PDF, aby przejąć kontrolę nad systemem

Badacze bezpieczeństwa z EXPMON przedstawili analizę podatności typu zero-day wymierzonej w użytkowników Adobe Reader. Próbka o nazwie yummy_adobe_exploit_uwu.pdf zawierająca malware została wgrana do systemu EXPMON pod koniec marca 2026 r. TLDR: Wyniki analizy przeprowadzonej przez system potwierdziły, że próbka posiada cechy potencjalnie złośliwego oprogramowania. Nie udało się jednoznacznie przypisać jej...

#Aktualności #AdobeReader #Malware #Pdf #Rce

https://sekurak.pl/luka-zero-day-w-adobe-reader-wystarczy-otworzyc-zainfekowany-plik-pdf-aby-przejac-kontrole-nad-systemem/

59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open

A Brazilian banking fraud operation leveraging ClickFix social engineering was discovered through a community tip, exposing a completely unauthenticated command-and-control infrastructure. The campaign deploys a malicious Chrome extension masquerading as a Banco Central do Brasil tool, force-installed via Chrome Cloud Management enrollment tokens. The extension achieves zero antivirus detections while targeting eight Brazilian financial institutions. At investigation time, 59 machines were compromised with seven active connections. The operator's C2 server exposed all endpoints without authentication, including admin panels, live victim screenshots, stolen credentials in cleartext, and intercepted Pix payment data. Attribution was established through WHOIS records revealing the operator's real name, CPF, and email address. The operation specifically targeted Northern Brazilian regional banks and credit cooperatives, with evidence of compromising a school fund account.

Pulse ID: 69de47aacc631b04e06bae89
Pulse Link: https://otx.alienvault.com/pulse/69de47aacc631b04e06bae89
Pulse Author: AlienVault
Created: 2026-04-14 13:56:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #Brazil #Chrome #ChromeExtension #Cloud #CyberSecurity #Email #Endpoint #InfoSec #Mac #OTX #OpenThreatExchange #RAT #RCE #SocialEngineering #bot #AlienVault

Q1 2026 malware statistics report for Windows web servers

Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools including JuicyPotato, BadPotato, and exploiting CVE-2019-1458. Following privilege escalation, attackers utilize port-forwarding tools like HTran and PortTranC to redirect traffic to RDP port 3389, enabling remote control of compromised systems. Attack vectors include file upload vulnerabilities, Web Framework-WAS vulnerabilities, and unpatched RCE services. Additional malicious activities involve deployment of backdoors, CoinMiners, and proxy tools for internal network compromise.

Pulse ID: 69de008da466f2dc89165990
Pulse Link: https://otx.alienvault.com/pulse/69de008da466f2dc89165990
Pulse Author: AlienVault
Created: 2026-04-14 08:53:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #Apache #BackDoor #CoinMiner #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RDP #Tomcat #Windows #bot #AlienVault

Q1 2026 Malware Statistics Report for Windows Database Servers

During the first quarter of 2026, Windows-based MS-SQL and MySQL database servers experienced consistent malicious attacks with a temporary decrease in February before rising again in March. The primary threat actor, Larva-26002, leveraged various utilities including BCP, curl, bitsadmin, and PowerShell to deploy a Go-based scanner called ICE Cloud, which contained Turkish language strings and C&C-based scanning capabilities. This tool attempted MS-SQL authentication using predefined credentials. Attack methods primarily consisted of brute force attacks, dictionary attacks, and exploitation of unpatched systems with misconfigured accounts stemming from inadequate account management practices.

Pulse ID: 69de00aae91f11a6bf2fbe68
Pulse Link: https://otx.alienvault.com/pulse/69de00aae91f11a6bf2fbe68
Pulse Author: AlienVault
Created: 2026-04-14 08:54:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BruteForce #CandC #Cloud #CyberSecurity #ICS #InfoSec #MSSQL #Malware #MySQL #OTX #OpenThreatExchange #PowerShell #RCE #SQL #Turkish #Windows #bot #AlienVault

Q1 2026 Malware Statistics Report for Linux SSH Servers

Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy tools on compromised systems, attributed to a suspected Chinese threat actor. Attackers employed SSH brute-force techniques to gain access, executed reconnaissance commands to assess system information, and deployed V2Ray for proxy node operations. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activities.

Pulse ID: 69de00c30406a5cbb6ba9eef
Pulse Link: https://otx.alienvault.com/pulse/69de00c30406a5cbb6ba9eef
Pulse Author: AlienVault
Created: 2026-04-14 08:54:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CoinMiner #CyberSecurity #DDoS #DoS #ICS #InfoSec #Linux #Malware #Mirai #OTX #OpenThreatExchange #Password #Proxy #RAT #RCE #SSH #Word #Worm #bot #botnet #AlienVault

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with "Million OK !!!!" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.

Pulse ID: 69dd07742196e34ee1615b73
Pulse Link: https://otx.alienvault.com/pulse/69dd07742196e34ee1615b73
Pulse Author: AlienVault
Created: 2026-04-13 15:10:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #Apache #Clipboard #CyberSecurity #InfoSec #KeyLogger #Kimsuky #Korea #OTX #OpenThreatExchange #PHP #Phishing #PowerShell #RAT #RCE #UK #VBS #bot #AlienVault

Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor

On April 10, 2026, a malicious npm package named [email protected] was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.

Pulse ID: 69dd07b82c8afdcdfda7a898
Pulse Link: https://otx.alienvault.com/pulse/69dd07b82c8afdcdfda7a898
Pulse Author: AlienVault
Created: 2026-04-13 15:11:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #Email #InfoSec #Lazarus #Linux #NPM #OTX #OpenThreatExchange #RAT #RCE #SSH #bot #developers #AlienVault

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

Pulse ID: 69dd05a672cf30caf5d26e06
Pulse Link: https://otx.alienvault.com/pulse/69dd05a672cf30caf5d26e06
Pulse Author: AlienVault
Created: 2026-04-13 15:03:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #InfoSec #InfoStealer #Java #JavaScript #Korea #Linux #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SSH #SupplyChain #bot #developers #AlienVault