Virus Bulletin

@VirusBulletin@infosec.exchange
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.

A little taste of what’s coming up at VB2025 🎬

We can’t wait to see so many of you in Berlin this September.

If you haven’t registered yet, now’s the time: Early Bird ends this week 🎟️

Secure your place now 👉 https://tinyurl.com/4ujjvf7v

#vb2025 #cybersecurity #berlin

Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware like Vidar, Lumma & Legion Loader. Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware. https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware
Trellix researchers Nico Paulo Yturriaga & Pham Duy Phuc uncovered an APT malware campaign that targets the energy, oil and gas sector through phishing attacks and the exploitation of Microsoft ClickOnce. https://www.trellix.com/blogs/research/oneclik-a-clickonce-based-apt-campaign-targeting-energy-oil-and-gas-infrastructure/
IBM X-Force researchers Golo Mühr & Joshua Chung discovered China-aligned threat actor Hive0154 spreading Pubload malware, featuring lure documents and filenames targeting the Tibetan community. https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
G Data's Lance Go & Karsten Hahn show how threat actors abuse ConnectWise to build and distribute their own signed malware, and look at what security vendors can do to detect them. https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware

A teammate of mine worked on an interesting incident where the attackers connected to the backup server via RDP, launched the Chrome browser, and searched on Google for "VirtualBox".

The VirtualBox installer was then downloaded to the home directory of the compromised user:
C:\Users\<user>\Downloads\VirtualBox-7.1.6-167084-Win.exe

This file is a Windows installation package that the attacker used to set up a VirtualBox environment, allowing them to create an operating system without endpoint protection. The newly created virtual machine had the hostname "WIN-D1V1F70QJLC".

The attacker then logged into this newly created virtual machine to carry out further tasks without logging, antivirus, or EDR monitoring.

Palo Alto Networks Unit 42 researchers identified a wave of Prometei Linux attacks. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining and credential theft. https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
NICTER presents details from a paper presented by its CSRI Analysis Team at Botconf, in which they looked at the DVR botnet ecosystem, as well as the latest developments regarding RapperBot. https://blog.nicter.jp/2025/06/rapperbot_2025_2g/
Proofpoint researchers analyse Amatera Stealer, a rebranded ACR Stealer with improved anti-analysis features. Amatera Stealer, which is sold as a malware-as-a-service (MaaS), is actively in development. https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication

- CoinMarketCap hacked via animated logo
- White House rejects NSA & CyberCom nomination
- FCC probes US Cyber Trust Mark program
- Cyberattack disrupts Russian animal processing industry
- Iran hacks Albania's capital Tirana
- Breach at insurance company Aflac
- Oxford, UK breach
- Tonga hit by another cyberattack
- Salt Typhoon hacks Canadian telco
- BitoPro hack linked to North Korea
- Judge overturns HHS privacy rule

Podcast: https://risky.biz/RBNEWS441/
Newsletter: https://news.risky.biz/risky-bulletin-coinmarketcap-hacked-via-a-doodle-image/