orlysec@swecyb.com (@orlysec@swecyb.com)

Posts: 15
Topics: 15
Shares: 0
Groups: 0
Followers: 0
Following: 0


Posts


  • (blacklanternsecurity.com) CVE-2026-2931: Amelia Booking Pro Authenticated IDOR Enables Customer-to-Admin WordPress Account Takeover
    orlysec@swecyb.com

    CVE-2026-2931: Critical authenticated privilege escalation in Amelia Booking Pro (≤9.1.2) enables customer-to-admin WordPress account takeover via IDOR (CWE-639) + mass assignment (CWE-915). Attackers manipulate the 'externalId' field in profile updates to reset arbitrary WordPress passwords (incl. admin) via wp_set_password(). Exploitation grants full site compromise, RCE potential. No patch available at disclosure. Over 50K active installs affected.

    Source: https://blog.blacklanternsecurity.com/p/amelia-booking-pro-912-authenticated

    #Cybersecurity

  • (socket.dev) TeamPCP and Vect Ransomware Group Unite to Weaponize Open Source Supply Chain Compromises
    orlysec@swecyb.com

    TeamPCP partners with Vect RaaS to weaponize open-source supply chain compromises for ransomware ops. Targets include Trivy, LiteLLM, GitHub Actions, npm/PyPI packages, and Docker images. 300GB+ of CI/CD credentials exfiltrated, with LiteLLM breach yielding hundreds of thousands of tokens. Vect offers 80-88% affiliate revenue via BreachForums (300K+ users). Attack chain exploits trusted pipeline components for initial access and ransomware deployment.

    Source: https://socket.dev/blog/teampcp-partners-with-vect-targeting-oss-supply-chains

    #Cybersecurity #ThreatIntel

  • (safebreach.com) Iranian Cyber Operations: Escalating Threat Landscape, Expanded Targeting, and Evolving TTPs
    orlysec@swecyb.com

    Iranian cyber ops surge: 700% spike in attacks vs Israel, IRGC-affiliated CyberAv3ngers exploit Unitronics PLCs/HMIs (default creds, LOTL) in OT/ICS. No Justice wiper (e2531f) deployed via T1566/T1534. Cotton Sandstorm uses ASPX webshells, fake-ransomware; Pioneer Kitten abuses cloud for lateral movement. CISA advisories AA25-239A/AA25-343A highlight expanded targeting (DIB, water, energy). Hybrid state-criminal ransomware collab observed.

    Source: https://www.safebreach.com/blog/an-update-on-the-heightened-threat-of-iranian-cyber-attacks/

    #Cybersecurity #ThreatIntel

  • (quarkslab.com) Web Application Firewall Bypass Techniques: From Misconfiguration Exploitation to Polymorphic Payload Obfuscation
    orlysec@swecyb.com

    WAF bypass techniques exploit misconfigurations & parsing discrepancies between WAFs and backends. Key vectors: direct origin exposure (passive DNS, favicon hashes), header spoofing (X-Forwarded-For), request body size limits (8KB–1GB), ASN trust exclusions. Obfuscation methods include lexical (JSFuck, Unicode), structural (HTTP param pollution), and protocol (charset switching, multipart parsing—see WAFFLED). Polymorphic payloads combine techniques to evade ModSecurity/OWASP CRS, Cloudflare, AWS WAF. WAFs ≠ secure coding; validate via offensive testing.

    Source: http://blog.quarkslab.com/in-waf-we-should-not-trust.html

    #Cybersecurity

  • (infoblox.com) Keitaro Abuse Exposed: How Threat Actors Weaponize Commercial Adtech Across a Broad Spectrum of Cybercrime
    orlysec@swecyb.com

    Keitaro TDS abuse drives surge in malvertising, cryptocurrency theft, and phishing. 20%+ of tracked threat actors (TilapiaParabens, HircusPircus, TheNovosti) exploit Keitaro for malware delivery (DonutLoader → StealC v2, RustyStealer), wallet drainers (96% of spam campaigns), and phishing. Bulletproof hosting AS214351 (FEMO IT) fronts C2s; JA4+ fingerprinting exposes admin consoles. RDGA, Sitting Ducks hijacking, and obfuscated JS enable evasion. Targets: Canadian banks, Brazilian PII, NFT scams.

    Source: https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

    #Cybersecurity #ThreatIntel

  • (redcanary.com) Scarlet Goldfinch Threat Actor Evolves Paste-and-Run Techniques Across Multiple Attack Epochs
    orlysec@swecyb.com

    Scarlet Goldfinch (SmartApeSG/ZPHP) evolves paste-and-run TTPs across 7 epochs, leveraging T1204.004 (Malicious Copy-Paste) for initial access. Recent campaigns use cmd.exe /v:on for delayed env var expansion, ^ escape obfuscation, and substring indexing. End-stage payloads remain NetSupport Manager (via Remcos), with StealC/ArechClient2 observed. DLL sideloading chain: curl-delivered HTA → AppData\Local staging → tar extraction → legitimate EXE abuse. Defenders: signature-based detection alone insufficient.

    Source: https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/

    #Cybersecurity #ThreatIntel

  • (rapid7.com) Red Menshen: China-Nexus Threat Actor Deploys Evolved BPFdoor Implants as Telecom Backbone Sleeper Cells
    orlysec@swecyb.com

    Red Menshen (China-nexus APT) deploys evolved BPFdoor Linux backdoor in global telecoms, targeting 4G/5G core signaling via SCTP. New variants use HTTPS-embedded 'magic ruler' triggers (9999 marker) and ICMP C2 (0xFFFFFFFF sentinel) for stealth lateral movement. RC4-MD5 encryption, process masquerading (hpasmlited, Docker), and kernel-level eBPF abuse enable persistent access. Initial access via Ivanti/Cisco/Fortinet/VMware/Palo Alto exploits. Enables IMSI harvesting and subscriber tracking.

    Source: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report

    #Cybersecurity #ThreatIntel

  • (welivesecurity.com) Inside the EDR Killer Ecosystem: How Ransomware Affiliates Disrupt Endpoint Defenses
    orlysec@swecyb.com

    ESET researchers analyzed nearly 90 EDR killers actively used in ransomware intrusions, finding that affiliates rather than operators select these tools, which drives significant tooling diversity across RaaS ecosystems. The study documents 54 BYOVD based tools abusing 35 vulnerable drivers, 15 anti rootkit or freely available tools, and 7 script based killers, with defense evasion techniques including commercial packers, encrypted embedded drivers, and control flow flattening. Driver reuse across unrelated codebases and frequent driver switching within individual tools undermine driver centric attribution. Driverless approaches like EDRSilencer bypass kernel interaction entirely.

    Source: https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/

    Fediverse: @ESETresearch

    #ThreatIntel #Cybersecurity

  • (google.com) DarkSword iOS Full-Chain Exploit Adopted by Multiple Threat Actors Across Distinct Campaigns
    orlysec@swecyb.com

    Google Threat Intelligence Group has identified DarkSword, a full chain iOS exploit kit leveraging six zero day vulnerabilities across iOS 18.4 through 18.7, deployed by three threat actors including UNC6748, PARS Defense, and suspected Russian group UNC6353. Active since at least November 2025, campaigns targeted users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The chain exploits flaws in JavaScriptCore, ANGLE WebGL, XNU memory management, and XNU VFS for full kernel compromise, delivering three post exploitation malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. All vulnerabilities have been patched by Apple.

    IOCs in the article.

    Source: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/

    #ThreatIntel #Cybersecurity

  • (sygnia.co) SafePay Ransomware Group Leverages Microsoft OneDrive for Covert Data Exfiltration in Double Extortion Campaign
    orlysec@swecyb.com

    Sygnia documented a double extortion ransomware operation by SafePay, active since September 2024, in which the attackers exploited a misconfigured FortiGate SSL VPN and a weak administrative account lacking MFA to gain initial access. After escalating to domain administrator via RDP, the group enumerated the environment using native Windows utilities and open source tools, then exfiltrated data over seven days by installing the OneDrive sync client on a compromised server and synchronizing staged archives to an attacker controlled Microsoft 365 tenant, blending exfiltration traffic with legitimate Microsoft cloud communications. The ransomware payload locker.dll was executed via regsvr32.exe for network wide encryption.

    IOCs in the article.

    Source: https://www.sygnia.co/blog/safepay-onedrive-exfiltration-technique/

    Fediverse: Not known 😞

    #ThreatIntel #Cybersecurity

  • (checkpoint.com) Iranian MOIS-Linked Cyber Actors Increasingly Leverage Criminal Ecosystems for State-Directed Operations
    orlysec@swecyb.com

    Iranian threat actors linked to MOIS, including MuddyWater and Void Manticore, are actively integrating criminal ecosystem resources into state directed operations, employing commercial infostealers like Rhadamanthys, RaaS affiliate programs such as Qilin, and shared MaaS infrastructure like CastleLoader. Shared code signing certificates tying FakeSet, StageComp, and DinDoor variants suggest a common procurement source across these groups. The attack on Israel's Shamir Medical Center illustrates this convergence, where operators appeared to use the Qilin RaaS model to disguise a strategically motivated attack as criminal activity.

    IOCs in the article.

    Source: https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/

    Fediverse: Not known 😞

    #ThreatIntel #Cybersecurity

  • (welivesecurity.com) Sednit APT28 Resurfaces with Modern BeardShell and Covenant Implants Rooted in 2010s Codebase
    orlysec@swecyb.com

    ESET researchers document the reemergence of Sednit (APT28/GRU Unit 26165) with a new toolkit targeting Ukrainian military personnel in prolonged espionage operations. The group deployed BeardShell, a .NET implant using Icedrive's API for C2, and a modified Covenant framework leveraging pCloud, Koofr, and Filen as command and control channels. A keylogger named SlimAgent was traced as a direct descendant of the group's Xagent backdoor through shared code structures. A specific Diophantine equation obfuscation technique links these tools to Sednit's older Xtunnel implant, reinforcing attribution to the group's development team, largely dormant since 2019.

    IOCs in the article.

    Source: https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/

    Fediverse: @ESETresearch @ESET

    #ThreatIntel #Cybersecurity

  • (zscaler.com) Dust Specter APT: Iran-Nexus Threat Actor Deploys Novel Malware Against Iraqi Government Officials
    orlysec@swecyb.com

    Zscaler ThreatLabz uncovered "Dust Specter," a suspected Iran nexus campaign targeting Iraqi government officials by impersonating Iraq's Ministry of Foreign Affairs. The operation deployed four previously undocumented malware families, SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, delivered through password protected archives and ClickFix style lures hosted on compromised Iraqi government infrastructure. The malware uses DLL sideloading, AES 256 CBC encryption, JWT based bot identification, and randomized C2 URI paths with embedded checksums to evade detection. Evidence of generative AI use in malware development was also identified.

    IOCs in the article.

    Source: https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq

    Fediverse: Not known 😞

    #ThreatIntel #Cybersecurity

  • (krebsonsecurity.com) Unmasking Dort: The Threat Actor Behind the Kimwolf Botnet
    orlysec@swecyb.com

    OSINT investigators have linked the operator of the Kimwolf botnet, known as "Dort," to Jacob Butler, a young Canadian from Ottawa, following a sustained retaliation campaign of doxing, swatting, and DDoS attacks against the researcher and journalist who publicly exposed the botnet. Kimwolf exploited vulnerabilities in residential proxy services to infect consumer IoT devices on internal networks. The attribution pivoted across breach tracking data from Constella Intelligence and Spycloud, domain records via DomainTools, cybercrime forum accounts indexed by Intel 471, and Telegram posts indexed by Flashpoint. Butler's prior activity includes ties to LAPSUS$, SIM swapping services, and CAPTCHA bypass tooling.

    Source: https://krebsonsecurity.com/2026/02/who-is-the-kimwolf-botmaster-dort/

    @briankrebs

    #Cybersecurity #ThreatIntel

  • (socket.dev) StegaBin: North Korean-Linked npm Supply Chain Campaign Uses Pastebin Steganography to Deploy Nine-Module Infostealer and RAT
    orlysec@swecyb.com

    Socket researchers identified 26 malicious npm packages tied to North Korea's Contagious Interview campaign (FAMOUS CHOLLIMA / Lazarus Group), using a technique dubbed "StegaBin" that embeds C2 addresses via character level steganography in Pastebin pastes. The typosquatted packages deploy an RC4 encrypted loader that resolves C2 infrastructure through 31 Vercel deployments, ultimately delivering a WebSocket RAT and a nine module infostealer toolkit targeting developer credentials, SSH keys, browser passwords, cryptocurrency wallets, and VSCode configurations, with FTP based exfiltration on a secondary port.

    IOCs in the article.

    Source: https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography

    #ThreatIntel #Cybersecurity