Cyble threat intelligence researchers have uncovered an infostealer campaign that spreads the Maranhão Stealer through social engineering websites claiming to offer pirated software, cracked game launchers and cheats. The threat actors lure victims through sites such as derelictsgame[.]in with malicious files such as DerelictSetup.zip and Fnaf Doom.zip, Cyble researchers wrote in a blog post today.

The malware is written in Node.js and packaged as an Inno Setup installer. It uses Run registry keys and scheduled tasks to establish persistence, hides its payloads by setting the System and Hidden file attributes on them, conducts detailed host reconnaissance, and extracts sensitive information such as credentials, cookies, and cryptocurrency wallet data through reflective DLL injection into browsers to bypass protections like Chrome’s AppBound encryption. “The inclusion of reflective DLL injection and AppBound-aware data collection further underlines its sophistication,” Cyble said. “If successful, infections could lead to widespread credential compromise, account hijacking, theft of digital assets, and further malware deployment within victim environments.”

Maranhão Infostealer Campaign Targets Credentials, Crypto

The Maranhão Stealer has been active since May 2025 and continues to be actively developed, the researchers said, noting several evolutions in the malware. Once executed, the malware hides in a directory named “Microsoft Updater” under %localappdata%\Programs. It creates Run registry keys and a scheduled task to gain persistence before launching updater.exe, its main component. “From this point, the malware conducts extensive system reconnaissance, screen capturing, and credential theft, with a particular focus on web browsers and cryptocurrency wallets,” the researchers wrote. The password-decrypting functionality is embedded in infoprocess.exe, which is written in Go and obfuscated for stealth. Instead of using PsExec to spawn child processes, as earlier versions did, the malware now creates child processes directly through Win32 API calls, “reflecting a clear evolution toward stealthier and more sophisticated execution techniques,” the researchers said. The core Maranhão Stealer functionality and objectives have remained consistent throughout the malware’s evolution, the researchers said. “The campaign demonstrates how threat actors blend social engineering, commodity tools, and modern development stacks to distribute sophisticated information-stealing malware at scale,” they wrote.

Maranhão Stealer Malware Analysis

Some of the malicious files identified by Cyble include Fnafdoomlauncher.exe, Fnaf.exe, RootedTheGameSetup.zip, Slinkyhook.exe, and more. The researchers did a technical analysis of Fnafdoomlauncher.exe. The installer runs in “/VERYSILENT” mode for stealth, then drops components like updater.exe and crypto.key into the directory C:\Users\<username>\AppData\Local\Programs\Microsoft Updater. updater.exe establishes persistence by creating a Run registry key that is executed automatically at login. The malware then disguises its components to evade detection, marking files in the Microsoft Updater directory with both the System and Hidden attributes. The stealer also installs screen capture functionality, using inline C# code within PowerShell to capture the contents of each screen. After completing system reconnaissance, the stealer payload turns its attention to data theft from web browsers. The researchers said the malware actively collected data from Google Chrome, Microsoft Edge, Brave, and Opera in their analysis environment, enumerating user profiles and extracting browsing history, cookies, download records, and saved login credentials. Additional targets, including other browsers and cryptocurrency wallets, were identified in memory dump analysis, they said. “This suggests that the malware has broader capabilities and can adapt its behaviour depending on the victim’s environment,” they wrote. The full Cyble blog takes a deep dive into the malware and also includes recommendations and 45 Indicators of Compromise (IoCs) and file hashes.
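A host-side hunt for the persistence and staging artefacts described above, as an added example that is not Cyble's code or part of their write-up: it checks the Microsoft Updater staging directory for System+Hidden files, Run keys that point into it, and scheduled tasks that launch from it. The directory name and registry locations come from the write-up; the output object shape is this example's own, and any hit should be confirmed against Cyble's published IoCs.

```powershell
# Added example: hunt for Maranhão Stealer persistence artefacts on a Windows host.
$stagingDir = Join-Path $env:LOCALAPPDATA 'Programs\Microsoft Updater'
$findings   = @()

# 1. Staging directory: files carrying both the System and Hidden attributes
#    (the write-up names updater.exe, crypto.key and infoprocess.exe).
if (Test-Path -LiteralPath $stagingDir) {
    Get-ChildItem -LiteralPath $stagingDir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $attrs = $_.Attributes
        if (($attrs -band [IO.FileAttributes]::Hidden) -and ($attrs -band [IO.FileAttributes]::System)) {
            $findings += [pscustomobject]@{
                Type   = 'HiddenSystemFile'
                Detail = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# 2. Run keys (per-user and machine-wide) whose command points into the staging directory.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        if ("$($p.Value)" -like '*Microsoft Updater*') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$key\$($p.Name) = $($p.Value)"; SHA256 = '' }
        }
    }
}

# 3. Scheduled tasks with an action that executes from the staging directory.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -like '*Microsoft Updater*') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($_.TaskPath)$($_.TaskName) -> $($a.Execute) $($a.Arguments)"
                SHA256 = ''
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Maranhão Stealer persistence artefacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated session so the HKLM Run key and all scheduled tasks are readable; file hashes in the output can be matched against the IoC list in the Cyble blog.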
China is ramping up its cybersecurity enforcement with new regulations requiring network operators to report severe cybersecurity incidents within one hour. The rules, announced by the Cyberspace Administration of China (CAC), will come into effect on November 1, 2025, and mark a significant escalation in how the country manages threats to its critical digital infrastructure. These latest measures follow a cybersecurity incident involving luxury fashion brand Dior, whose Shanghai branch was recently fined for unlawfully transferring customer data overseas. The incident appears to have accelerated regulatory action.

Immediate Reporting for Cybersecurity Incidents

Under the new rules issued by the Cyberspace Administration of China, any “particularly serious” cybersecurity incident must be reported to relevant authorities within one hour. Authorities receiving the report must, in turn, notify the National Cyberspace Administration and the State Council within 30 minutes. The regulation classifies incidents into four levels of severity, with “particularly serious” being the most critical. These include cyberattacks or system failures affecting government portals, critical infrastructure, or key national news websites for more than 24 hours. In cases where the entire infrastructure is affected, even a six-hour outage falls under the top tier. Incidents that disrupt essential services for over 50% of a province’s population or affect the daily lives of more than 10 million people, including utilities, transportation, and healthcare, are also categorized as particularly serious. The leakage or theft of core or important data that threatens national security is likewise covered, as reported by the South China Morning Post. Large-scale data breaches are included in this highest category as well, specifically those involving the personal information of more than 100 million citizens or causing financial damages exceeding 100 million yuan (approximately USD 14 million).

Specific Criteria for Cyber Threats

The CAC’s new rules also define large-scale hacking attacks as a top-tier threat if they result in the display of illegal or harmful content on the homepage of a government or major news website for over six hours, or if such content is viewed over one million times or shared more than 100,000 times on social media platforms. The second tier of severity, labeled as “serious,” includes incidents affecting municipal government portals or provincial news sites for over six hours, or causing disruptions of more than three hours to key infrastructure systems. Data leaks involving the personal information of over 10 million citizens, or those impacting more than 1 million people in a city, are also placed in this category. Once a cybersecurity incident is resolved, network operators are required to submit a detailed incident report within 30 days. This report must analyze the root cause, response measures, impact assessment, corrective actions, and lessons learned. These new rules are an extension of China’s Cybersecurity Law, first enacted in 2017, and its supporting regulations on the protection of critical information infrastructure, introduced in 2016 and 2021 respectively.

Lawmakers Propose Stricter Penalties

Coinciding with these regulatory changes, the Standing Committee of the National People’s Congress has begun its first review of proposed amendments to the Cybersecurity Law. These amendments are aimed at strengthening penalties for violations, particularly those involving large-scale data breaches and critical infrastructure failures. If passed, the updated law would impose fines ranging from 500,000 to 10 million yuan on operators of critical infrastructure who fail to meet cybersecurity obligations. Individuals directly responsible for such failures could face personal fines of up to 1 million yuan. Moreover, the proposed amendments target network operators who neglect to prevent the spread of prohibited content. Failure to halt transmission, erase the content, retain relevant logs, or report incidents could result in fines ranging from 50,000 to 500,000 yuan.
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints. The FlowiseAI vulnerability centers on the application’s password reset functionality, specifically the /api/v1/account/forgot-password endpoint. The flaw is categorized as Unauthenticated Password Reset Token Disclosure, carrying a CVSS v3.1 score of 9.8, which qualifies as critical. The vector string assigned to the vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Disclosed by security researcher HenryHengZJ and published as GHSA-wgpv-6j63-x5ph, this issue affects all FlowiseAI versions below 3.0.5, and as of now, no official patch has been released.

CVE-2025-58434: FlowiseAI Password Reset Flaw

The crux of the vulnerability lies in how FlowiseAI handles password reset requests. When a user initiates a password reset, instead of securely sending a reset token via email (as per standard best practices), the API directly returns a JSON response containing sensitive account information. This includes the user’s ID, name, email address, hashed credentials, account status, and most critically, a valid password reset token (tempToken) along with its expiration timestamp. This implementation flaw allows unauthenticated attackers to supply any user’s email address, which may be guessable or publicly known, and receive a valid password reset token for that account. Using this token, an attacker can immediately reset the password through another endpoint (/api/v1/account/reset-password) and gain full access to the victim’s account, all without any form of verification or user interaction.

Exploitation Requires Minimal Effort

A proof-of-concept (PoC) shows how simple it is to exploit this vulnerability:
1. Submit a password reset request with the victim’s email.
2. Receive a response that includes the reset token (tempToken).
3. Use the token to change the password and gain access.

This flaw represents a complete authentication bypass and insecure direct object exposure, exposing every account, including those with administrative privileges, to potential compromise. The vulnerability in FlowiseAI affects:
- The cloud-hosted version at cloud.flowiseai.com
- Any self-hosted deployment running a version below 3.0.5 that exposes the same API endpoints

Because no prior access or user action is required, and the only prerequisite is knowledge of a user’s email address, the risk of exploitation is extremely high.

Security Recommendations

Given the severity of CVE-2025-58434, organizations using FlowiseAI are urged to take immediate mitigation steps, including:
- Disabling public access to the /api/v1/account/forgot-password endpoint until a patch is available.
- Avoiding direct return of reset tokens or account information via APIs.
- Ensuring reset tokens are delivered securely through email, and only after validation steps.
- Using generic responses to password reset requests to prevent user enumeration.
- Implementing strong token validation with short expiry, origin tracking, and one-time use.
- Monitoring logs for unusual or high-volume password reset activity.
- Enforcing multi-factor authentication (MFA) for high-privilege accounts.

As of the latest update, no fix or patch is available from FlowiseAI maintainers. Organizations running affected versions must implement compensating controls immediately to avoid account takeover incidents.
CISA's Secure by Design planted a flag. Now, it's on those who care about safeguarding systems to pick up the torch and take action to secure systems throughout the enterprise.
Spanish national Enrique Arias Gil, 37, is suspected of gathering information on Spain’s critical infrastructure and members of its security forces to facilitate cyberattacks. He is also accused of threatening journalists and business leaders who supported Ukraine.
New Zealand has imposed sanctions on Russian military intelligence hackers accused of cyberattacks on Ukraine, including members of a notorious hacking unit previously tied to destructive malware campaigns.
Finnish prosecutors allege that a U.S. national, Daniel Lee Newhard, played a role in extorting the psychotherapy center Vastaamo. Until now the case had centered on Aleksanteri Kivimäki.
Public schools will be closed for several days in Uvalde, Texas, after a ransomware attack affected access to crucial systems such as phones, camera monitoring, visitor management and more.
Ukraine said it was responsible for disrupting websites related to Russian election infrastructure as voters went to the polls in occupied territories.
Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware. "The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said. "By using convincing language and small character
A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes. Dubbed Villager, the framework is assessed to be the work of Cyberspike, which has positioned the tools as a red teaming
Attacks that target users in their web browsers have seen an unprecedented rise in recent years. In this article, we’ll explore what a “browser-based attack” is, and why they’re proving to be so effective. What is a browser-based attack? First, it’s important to establish what a browser-based attack is. In most scenarios, attackers don’t think of themselves as attacking your web browser.
In a world where threats are persistent, the modern CISO’s real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the
The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. "The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor," IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week. The tech giant's