Cyber security aggregate rss news



 Cyber News

Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. Ukraine's national Computer Emergency Response Team (CERT-UA) has linked a recent cyberattack campaign against the information and communication system (ICS) of a government entity to UAC-0001, also known as APT28 or Fancy Bear, the infamous hacking group believed to be operated by Russia's GRU military intelligence service.

In an investigation conducted between March and May 2024, responders uncovered two previously unseen malware strains, BEARDSHELL and SLIMAGENT, inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled "Act.doc" and sent via the encrypted messaging app Signal. While the initial infection vector was not immediately clear, analysts later determined that the malware reached its target through a macro-laced Word document that installed multiple payloads, each designed to fly under the radar, abuse trusted services, and maintain persistence through registry hijacking and scheduled tasks.

How the Intrusion Worked Against Ukrainian Government Systems

The attackers disguised their malware inside a seemingly benign Word file delivered over Signal. (Image: sample of communication with an attacker in Signal. Source: CERT-UA.)

If the user enabled macros, the document's code wrote two files to disk and created a COM-hijacking registry entry so that explorer.exe would silently load a malicious DLL. That DLL decrypted another file (windows.png) containing shellcode, which in turn launched the COVENANT implant, all without dropping anything directly visible to the user. COVENANT, a .NET-based red-team tool popular in the post-exploitation phase of intrusions, was used here to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav) that carried the encoded instructions to launch BEARDSHELL, a custom-built backdoor.

Persistence was also covered: BEARDSHELL was kept alive through a separate COM-hijacking registry entry tied to the SystemSoundsService scheduled task. Classic APT28.

What Do BEARDSHELL and SLIMAGENT Actually Do?

Both tools are written in C++ and built for stealth and data collection.

BEARDSHELL talks to the attacker through the API of Icedrive, a legitimate cloud storage provider, receiving encrypted PowerShell scripts to execute and uploading their results without tripping traditional network controls. Each infected system gets its own directory, named with a unique hash derived from hardware and system identifiers.

SLIMAGENT takes periodic screenshots and encrypts them with AES and RSA, saving them locally under time-stamped names. It is the visual spy in the room, quietly recording the screen without alerting the user.

What is particularly clever, and dangerous, is the use of legitimate services as command-and-control (C2) infrastructure: the COVENANT stage communicated through Koofr, and BEARDSHELL through Icedrive. Neither needs a suspicious IP address or domain, so traditional threat-intel blocklists are of little use.

Why It Matters

This campaign is part of an escalating pattern of hybrid-warfare tactics employed by Russia since the start of its war in Ukraine. APT28, tied to the 2016 DNC email leaks and countless attacks on NATO and EU institutions, is one of the Kremlin's most active cyber units. Its tactics have evolved: instead of brute-forcing their way in, the operators now rely on phishing documents, encrypted messaging apps like Signal for payload delivery, and trusted cloud APIs for communication. And they are still targeting the same critical government infrastructure they have always sought to undermine.

According to CERT-UA, the malware was identified inside the information systems of a central executive body, a clear sign that the group is targeting the upper echelons of Ukraine's state apparatus.

Defense, Detection, and the Cloud API Problem

CERT-UA urges security teams, particularly in government and critical infrastructure, to monitor traffic to app.koofr.net and api.icedrive.net closely, since both served as C2 endpoints. The advisory notes that the attack's success hinged on:

- users enabling macros in Office documents;
- host security tooling not covering payloads delivered through Signal;
- the abuse of trusted services (Icedrive and Koofr) as "invisible" control channels.

It is another wake-up call: endpoint defenses cannot rely on static indicators alone. Malware now uses everyday apps, cloud platforms, and registry entries to hide in plain sight.

The Bigger Picture

APT28 has always stayed ahead of the curve, and this campaign is no exception. By chaining macro payloads, registry hijacking, cloud-based C2, and multi-stage execution, the group is not just adapting; it is evolving. And while these attacks may seem aimed only at Ukraine, the tactics, techniques, and procedures (TTPs) on display should concern every government and enterprise organization in the West. Because if a Word doc, a PNG, and a WAV file can bypass your defenses, what else is already lurking inside?


 News

Your snapshots are, quite literally, the keys to your private life. Your gallery holds your future plans, financial secrets, cat pictures, and sometimes even things you'd never share with anyone. But how often do you truly think about protecting those images? We hope that ever since you heard about the SparkCat cross-platform stealer, you've been pondering it more often than usual. Now we've discovered that Trojan's little sibling, which we've affectionately named SparkKitty. But don't let the cute name fool you: behind it lies a spy that, like its older brother, aims to steal photos from its victims' smartphones. What makes this threat unique, and why should both Android and iPhone users prick up their ears?

How SparkKitty makes its way onto devices

The stealer spreads in two ways: (i) in the wild, that is, across the untamed parts of the internet; and (ii) through the official app stores, the App Store and Google Play. Let's break this down.

Official app stores

In Apple's App Store, the malware was lurking inside the 币coin app, designed for tracking cryptocurrency rates and trading signals. We're not sure exactly how this spy functionality ended up in the app. It's possible there was a supply-chain compromise and the developers themselves weren't aware of SparkKitty until we notified them. But there's also a second possibility: the developers deliberately embedded the stealer into the app. Regardless, this is the second time we've seen a Trojan sneak into the App Store (SparkCat was the first), and we've alerted Apple about it. (Image: the infected application in the App Store.)

It's a different story with Google Play: malicious apps pop up on a regular basis, and we frequently cover these threats on Kaspersky Daily. This time, we detected malicious activity in a messaging app that includes crypto-exchange features. It is a popular app with more than 10 000 installs, and it had been removed from Google Play by the time of the study.

Suspicious links in the wild

That said, the attackers have been much more creative in spreading the malware out in the wild. During a routine review of suspicious links (we click them so you don't have to!), our experts uncovered several similar pages distributing a TikTok mod for Android. One of the main things this mod did was load additional code. That looked suspicious, we thought, and we were right. The code contained links displayed as buttons within the app, all directing users to an online store called TikToki Mall, which sold a variety of items. We couldn't determine whether the store was legitimate or just a big trap, but one fact stood out: TikToki Mall accepts cryptocurrency payments, and you need an invitation code to sign up and pay for any item. We found no further suspicious activity at this stage, and no traces of SparkKitty or other malware.

So we took a different approach and opened the same suspicious links from an iPhone. This led us to a page that vaguely resembled the App Store and immediately prompted us to download the TikTok app. iOS doesn't allow users to download and run applications from third-party sources. However, Apple provides so-called provisioning profiles to members of the Apple Developer Program. These allow custom applications that are not available in the App Store, such as beta versions or apps developed for internal corporate use, to be installed on user devices. Attackers abuse these profiles to distribute apps that contain malware.

The installation process differed slightly from the usual one. In the App Store you only need to tap Install once, but installing the fake TikTok required additional steps: downloading and installing a developer provisioning profile. (Image: installing an app from an unknown source on an iPhone.)

Naturally, this version of TikTok didn't have any funny videos; it was just another store, similar to the Android version. While seemingly harmless, the iOS version requested access to the user's gallery every time it launched, and that was the catch. This led us to a malicious module that sent images from the infected phone's gallery, along with device information, to the attackers. We also found its traces in other Android applications. For the technical details of the story, see our full report on Securelist.

Who's at risk?

Our data shows that this campaign primarily targets users in Southeast Asia and China. That doesn't mean, however, that other countries are beyond the reach of SparkKitty's claws. The malware has been spreading since at least early 2024, and over the past year and a half the attackers have likely considered scaling their operation to other countries and continents. There's nothing stopping them. What's more, it's not just the TikTok mod you should worry about; we've also found malicious activity inside various gambling and adult games, and even crypto-related apps.

If you think these attackers are just interested in admiring your vacation photos, think again. SparkKitty uploads each and every one of your snapshots to its command-and-control server. Those images could easily include screenshots of sensitive information such as crypto-wallet seed phrases, allowing the bad actors to steal your cryptocurrency.

How to protect yourself from SparkKitty

This Trojan spreads in many ways, and protecting yourself from every single one is a tough challenge. While the golden rule of downloading apps from official sources only still applies, we've found traces of this stealer in both Google Play and the App Store, places where apps are supposedly vetted and safe. So what can you do about that?

We recommend focusing on securing your smartphone's gallery. The most foolproof method would be to never take photos or screenshots of sensitive information, but that's virtually impossible nowadays. The alternative is to store valuable photos in a secure vault. With Kaspersky Password Manager, you can only view and send protected, important photos after entering the main password, which only you know. The protected content is not confined to one device: the password manager syncs between smartphones and computers, and that includes bank-card data, two-factor authentication tokens, and anything else you choose to store in it, including your photos.

It's also crucial to check your smartphone right now for any of the infected apps we've discovered; the extended list is available on Securelist. On Android, Kaspersky for Android can help: it will find and remove malware for you. On iPhone, due to the closed architecture of iOS, our security solution can't scan for and delete previously installed infected apps, but it will block attempts to send data to the attackers' servers and warn you about them. And if you opt for a Kaspersky Premium or Kaspersky Plus subscription, you get Kaspersky Password Manager along with your security solution.

Follow our Telegram channel to stay up to date on the latest cyberthreats, and make sure you're storing your photos safely. Learn about other malware you need to watch out for to keep your smartphone safe:

- How the Necro Trojan attacked 11 million Android users
- Beware of stealers disguised as… wedding invitations
- Trojan embedded in fake Android smartphones
- SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos
- LianSpy: new mobile spyware for Android
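The extra step the fake TikTok needed, installing a provisioning profile, leaves an artifact a reviewer can inspect: the embedded.mobileprovision inside any sideloaded IPA is a CMS-signed XML plist whose keys say who signed it and which devices it may run on. The script below is an added example written for this page, not taken from Kaspersky's report: it extracts the plist from the CMS wrapper, classifies the profile as enterprise (ProvisionsAllDevices), ad-hoc (ProvisionedDevices) or development (get-task-allow), and checks expiry. The profile bytes are a constructed sample; the team name, team identifier, bundle identifier and dates in it are invented, and the DER-looking bytes around the plist stand in for the real signature envelope, which the script does not verify.

```python
import datetime
import plistlib

# Constructed .mobileprovision-like blob: a few wrapper bytes around an XML
# plist, standing in for the real CMS (PKCS#7) envelope. Team, bundle
# identifier and dates are invented for the example.
SAMPLE_PROFILE = b"\x30\x82\x0b\x20\x06\x09" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Video App</string>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>TeamName</key><string>Example Trading Co.</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>CreationDate</key><date>2025-01-15T09:00:00Z</date>
  <key>ExpirationDate</key><date>2026-01-15T09:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.video</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>""" + b"\xa0\x82\x04\x00\x31\x82"


def extract_profile_plist(blob):
    """Pull the XML plist out of the CMS wrapper (signature is not checked here)."""
    start = blob.find(b"<?xml")
    if start < 0:
        raise ValueError("no embedded plist found")
    end = blob.find(b"</plist>", start)
    if end < 0:
        raise ValueError("embedded plist is truncated")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile, now=None):
    """Summarise who may run what under this profile and flag the risky cases.

    `now` may be a naive UTC datetime or an ISO date string; plistlib returns
    <date> values as naive UTC datetimes, so the comparison stays naive.
    """
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)

    ent = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"            # in-house distribution: any device, no App Store review
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc"                # limited to the listed device UDIDs
    elif ent.get("get-task-allow"):
        kind = "development"
    else:
        kind = "app-store-distribution"

    expires = profile.get("ExpirationDate")
    expired = bool(expires and expires < now)

    flags = []
    if kind == "enterprise":
        flags.append("in-house profile: runs on any device and bypasses App Store review")
    if ent.get("get-task-allow"):
        flags.append("debuggable build (get-task-allow)")
    if expired:
        flags.append("profile expired; the app will stop launching")

    return {
        "kind": kind,
        "team": f"{profile.get('TeamName')} ({','.join(profile.get('TeamIdentifier', []))})",
        "app_id": ent.get("application-identifier"),
        "devices": len(profile.get("ProvisionedDevices", [])),
        "expired": expired,
        "flags": flags,
    }


if __name__ == "__main__":
    summary = classify_profile(extract_profile_plist(SAMPLE_PROFILE))
    for key, value in summary.items():
        print(f"{key:>8}: {value}")
```

An enterprise profile from a team you have never heard of, attached to an app that claims to be TikTok, is exactly the combination the page describes; on a managed fleet the same check can be run against the profiles listed under Settings > General > VPN & Device Management, and the signing certificate in the CMS envelope should be verified separately.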


 Feed

In a market where security budgets flatten while threats accelerate, improving analyst throughput is fiscal stewardship.

 Feed

Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said. XDSpy is the name assigned to a cyber

 Feed

It sure is a hard time to be a SOC analyst. Every day, they are expected to solve high-consequence problems with half the data and twice the pressure. Analysts are overwhelmed—not just by threats, but by the systems and processes in place that are meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and alerts never slow down. What started as a

 Feed

Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems. "Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections

 Feed

Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don’t seem urgent—until they are. What if your environment is already being tested, just not in ways you expected? Some of the most dangerous moves are hidden in plain sight. It’s worth asking: what patterns are we missing, and what signals are we ignoring because they don’t match old

 Feed

Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place. "Unlike traditional jailbreaks that rely on adversarial phrasing or character obfuscation, Echo Chamber weaponizes indirect references, semantic

 Feed

The United States government has warned of cyber attacks mounted by pro-Iranian groups after it launched airstrikes on Iranian nuclear sites as part of the Iran–Israel war that commenced on June 13, 2025. Stating that the ongoing conflict has created a "heightened threat environment" in the country, the Department of Homeland Security (DHS) said in a bulletin that cyber actors are likely to

 0CISO2CISO

Source: securelist.com – Author: Sergey Puzan, Dmitry Kalinin. In January 2025, we uncovered the SparkCat spyware campaign, which was aimed at gaining access to victims' crypto wallets. The threat actor distributed apps containing a malicious SDK/framework. This component would wait for a user to open a specific screen (typically a support chat), then request access […] The post "SparkKitty, SparkCat's little brother: A new Trojan spy found in the App Store and Google Play – Source: securelist.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 cognectcon

Source: securityboulevard.com – Author: Matthew Rosenquist. During exercises at CognectCon2025 a number of cyberattack scenarios were discussed that highlighted the risks of cyber attackers leveraging cognitive vulnerabilities to cause major impacts on nation-critical infrastructure. This video is a short report-out on one such possible scenario, before we began discussing how to prevent, detect, and […] The post "Threat Casting a Nation State Attack on Critical Infrastructure Scenario at CognectCon2025 – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cloud Security

Source: securityboulevard.com – Author: Alison Mack. Are You Ready for the Future of Cybersecurity? Cybersecurity is not just about human identities anymore. A rising segment of the field focuses on non-human identities (NHIs), a crucial feature in any contemporary cybersecurity strategy. But what are NHIs, and why should we be paying attention to them? Navigating […] The post "Feel Reassured with Advanced Secrets Scanning Technologies – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cloud Security

Source: securityboulevard.com – Author: Jeffrey Burt. Fresh off a series of recent attacks targeting major retail companies in the United States and the UK, the notorious Scattered Spider cybercrime group is now targeting insurance companies and earlier this month apparently bagged a high-profile victim in Aflac. The intrusion at Aflac, which was detected June 12 […] The post "Scattered Spider Targets Aflac, Other Insurance Companies – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Application Security

Source: securityboulevard.com – Author: Marc Handelman. Author/Presenter: Jon "maddog" Hall (Board Chair Emeritus: Linux Professional Institute; Founder: Project Cauã; Co-Founder: Caninos Loucos; Technical Advisor: QSentinel; Executive Director: Linux® International®). Our sincere appreciation to LinuxFest Northwest (now celebrating their organizational 25th anniversary of community excellence), and the presenters/authors for publishing their superb LinuxFest Northwest 2025 video […] The post "LinuxFest Northwest: Project Caua: Start Your Own Business, Be Your Own Boss – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 BEC attacks

Source: securityboulevard.com – Author: Jeffrey Burt. The information about the 16 billion stolen records that were leaked on the internet is becoming clearer a couple of days after news of the exposed data was first released by Cybernews security researchers. The initial report by the researchers sparked news accounts of a new data breach. However, […] The post "16 Billion Leaked Records May Not Be a New Breach, But They're a Threat – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 AI and Machine Learning in Security

Source: securityboulevard.com – Author: Michael Vizard. Amazon Web Services (AWS) this week revealed it has added new categories for describing offerings provided by managed security service provider (MSSP) partners as part of an effort to ensure a more consistent customer experience. Announced at the AWS re:Inforce 2025 conference, this update to the AWS MSSP […] The post "AWS Raises Expertise Bar for MSSP Partners – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: securityboulevard.com – Author: Lohrmann on Cybersecurity. What can public- and private-sector staff do to stay relevant and grow their career in the midst of AI-driven tech layoffs? Here's a roundup of recent stories and solutions to help. June 22, 2025 • Dan Lohrmann. (Image: generated by ChatGPT with a prompt by Dan Lohrmann.) […] The post "Will AI Replace You — or Promote You? How to Stay Ahead – Source: securityboulevard.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.cyberdefensemagazine.com – Author: News team. In today's rapidly evolving and complex threat environment, the cybersecurity industry is reaching a point where scale, comprehensive capabilities, and agility have become essential for protecting businesses. Cyberfort's recent acquisition of ZDL Group demonstrates more than just business expansion: it points to a fundamental shift in how cybersecurity […] The post "Why Scale Matters in Today's Cybersecurity Landscape: Futureproofing for Better Outcomes – Source: www.cyberdefensemagazine.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.cyberdefensemagazine.com – Author: News team. Organizations worldwide rely on technology to function. By 2027, global spending on digital transformation is projected to reach nearly $4 trillion, driven by remote working initiatives, international operations, and the continuing popularity of e-commerce. While these advancements create new opportunities, they also introduce significant risks. Digital business tools require the […] The post "Why Network Disaster Recovery Solutions Are a Non-negotiable for Modern Businesses – Source: www.cyberdefensemagazine.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com. Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don't seem urgent, until they are. What if your environment is already being tested, just not in ways you expected? Some of the most dangerous moves are hidden in plain sight. It's […] The post "⚡ Weekly Recap: Chrome 0-Day, 7.3 Tbps DDoS, MFA Bypass Tricks, Banking Trojan and More – Source: thehackernews.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
