Saturday, March 29, 2025

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk


From WannaCry to the MGM Resorts hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations pay nearly $1 billion in ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by an attack.

Ransomware attacks typically trick victims into downloading and running the ransomware, which copies, encrypts, and/or deletes critical data on the device, to be restored only upon payment of the ransom. Traditionally, the primary target of ransomware has been the victim’s device. However, thanks to the proliferation of cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way through which employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.

SquareX has been disclosing browser-based attack techniques such as Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning on the emergence of browser-native ransomware.

SquareX’s founder, Vivek Ramachandran cautions, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”

Unlike traditional ransomware, browser-native ransomware requires no file download, so file-scanning endpoint security has nothing on disk to inspect. Rather, the attack targets the victim’s digital identity, taking advantage of the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to these resources. In the case studies demonstrated by SquareX, the attacks use AI agents to automate most of the attack sequence, requiring minimal social engineering and little manual intervention from the attacker.

One potential scenario involves social engineering a user into granting a fake productivity tool access to their email, through which it can identify all the SaaS applications the victim is registered with. It can then systematically reset the passwords of these apps using AI agents, locking users out of their own accounts and holding the enterprise data stored in those applications hostage.

Similarly, the attacker can also target file-sharing services like Google Drive, Dropbox and OneDrive, using the victim’s identity to copy out and delete all files stored under their account. Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware – where the impact of most traditional ransomware is confined to a single device, all it takes is one employee’s mistake for attackers to gain full access to enterprise-wide resources.

As fewer and fewer files are being downloaded, it is inevitable for attackers to follow where work and valuable data are being created and stored. As browsers become the new endpoint, it is crucial for enterprises to reconsider their browser security strategy – just as EDRs were critical to defend against file-based ransomware, a browser-native solution with a deep understanding of client-side application layer identity attacks will become essential in combating the next generation of ransomware attacks.

To learn more about this security research, users can visit https://sqrx.com/browser-native-ransomware

About SquareX

SquareX’s industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against browser threats including identity attacks, malicious extensions, advanced spearphishing and insider threats, and provides GenAI data loss prevention (DLP).

The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions.

To learn more about SquareX’s BDR, users can contact founder@sqrx.com.

For press inquiries on this disclosure or the Year of Browser Bugs, users can email junice@sqrx.com

Disclaimer: This is a sponsored press release distributed through CyberNewswire, PR syndication platform for cybersecurity companies. Cyber Security News does not endorse or take responsibility for its content, accuracy, quality, advertising, products, or any related materials.

Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands


Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat,” that leverages DNS mail exchange (MX) records to dynamically serve tailored phishing pages mimicking over 100 brands.

The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and maximize the effectiveness of its phishing campaigns.

DNS Abuse and Dynamic Content Delivery

At the core of Morphing Meerkat’s operation is its innovative use of DNS MX records.

The platform queries the MX record of a victim’s email domain using DNS over HTTPS (DoH) services from providers like Cloudflare and Google.

It then uses this information to dynamically load a phishing template that closely matches the victim’s email service provider, creating a more convincing and personalized phishing experience.

Figure: DHL Express email phishing page

The PhaaS platform maintains a library of at least 114 unique email brand and login designs, allowing it to accurately spoof a wide range of email services.

This technique enables the attackers to conduct highly targeted phishing campaigns at scale, increasing the likelihood of successful credential theft.
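The MX-driven template selection described above, reconstructed as an added example. This is not code from the Morphing Meerkat kit or from the researchers' report; it only uses the public JSON answer format of Cloudflare's and Google's DNS-over-HTTPS endpoints. The provider-to-template table, the sample responses and the domain names are constructed for illustration.

```python
"""Added example: how an MX-driven phishing kit chooses which login page to
serve. The DoH endpoints are real; everything else here is constructed."""
import re
from urllib.parse import urlencode

# Real DoH JSON endpoints; the kit queries these straight from the victim's browser.
DOH_ENDPOINTS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/resolve",
}

# Assumed mapping from MX hostname patterns to phishing templates (not the kit's table).
TEMPLATE_RULES = [
    (re.compile(r"(^|\.)google\.com$"), "gmail"),
    (re.compile(r"(^|\.)outlook\.com$"), "microsoft365"),
    (re.compile(r"(^|\.)yahoodns\.net$"), "yahoo"),
    (re.compile(r"(^|\.)mimecast\.com$"), "mimecast-gateway"),
]
DEFAULT_TEMPLATE = "generic-webmail"


def doh_mx_url(provider, domain):
    """URL the kit fetches (with 'accept: application/dns-json') for the victim's domain."""
    return f"{DOH_ENDPOINTS[provider]}?{urlencode({'name': domain, 'type': 'MX'})}"


def mx_hosts(doh_json):
    """Extract MX hostnames from a DoH JSON answer, lowest preference first."""
    if doh_json.get("Status") != 0:          # 0 = NOERROR; 3 = NXDOMAIN, etc.
        return []
    records = []
    for ans in doh_json.get("Answer", []):
        if ans.get("type") != 15:            # 15 = MX
            continue
        pref, host = ans["data"].split()
        records.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(records)]


def pick_template(hosts):
    """First MX host that matches a known provider decides the template."""
    for host in hosts:
        for pattern, template in TEMPLATE_RULES:
            if pattern.search(host):
                return template
    return DEFAULT_TEMPLATE


def template_for(email, fetch_json):
    """fetch_json(url) -> dict is injected so the lookup can be replayed offline."""
    domain = email.rsplit("@", 1)[-1].lower()
    return pick_template(mx_hosts(fetch_json(doh_mx_url("cloudflare", domain))))


# Constructed responses in the DoH JSON format (not captured from real queries).
SAMPLE_RESPONSES = {
    doh_mx_url("cloudflare", "example-corp.com"): {
        "Status": 0,
        "Answer": [
            {"name": "example-corp.com.", "type": 15, "TTL": 300,
             "data": "10 example-corp-com.mail.protection.outlook.com."},
        ],
    },
    doh_mx_url("cloudflare", "example-startup.com"): {
        "Status": 0,
        "Answer": [
            {"name": "example-startup.com.", "type": 15, "TTL": 300, "data": "5 alt1.aspmx.l.google.com."},
            {"name": "example-startup.com.", "type": 15, "TTL": 300, "data": "1 aspmx.l.google.com."},
        ],
    },
    doh_mx_url("cloudflare", "nxdomain.example"): {"Status": 3},
}


def offline_fetch(url):
    """Stand-in for the browser's fetch(); unknown URLs answer SERVFAIL (2)."""
    return SAMPLE_RESPONSES.get(url, {"Status": 2})


if __name__ == "__main__":
    for victim in ("alice@example-corp.com", "bob@example-startup.com", "carol@nxdomain.example"):
        print(victim, "->", template_for(victim, offline_fetch))
```

The defensive takeaway is in `doh_mx_url`: a legitimate login page has no reason to resolve the visitor's MX record from inside the browser, so requests to `cloudflare-dns.com/dns-query` or `dns.google/resolve` carrying `type=MX` that originate from a web page are a usable detection signal, and forcing browsers through the enterprise resolver removes the kit's lookup channel altogether.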

Evasion Techniques and Global Reach

Morphing Meerkat employs multiple security evasion features to hinder threat analysis and bypass phishing protection systems.

Figure: Morphing Meerkat attack chain

According to the report, these include code obfuscation, inflation of script size with non-functional code, and exploitation of open redirects on adtech infrastructure.

The platform also uses client-side email libraries and messaging app APIs to exfiltrate stolen credentials, making detection more challenging.

The PhaaS operation has a global reach, with the ability to dynamically translate phishing content into over a dozen languages based on the victim’s browser settings.

This multilingual capability, combined with the use of compromised WordPress sites and free web hosting services for distribution, allows the attackers to target users worldwide effectively.

The discovery of Morphing Meerkat highlights the evolving sophistication of phishing attacks and the need for enhanced DNS security measures.

Organizations are advised to implement strong DNS controls (for example, forcing browsers through the enterprise resolver so that DoH lookups to third-party services such as Cloudflare and Google are blocked or logged), limit access to non-essential services, and educate users about phishing pages that closely mimic legitimate login pages.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free

New Python-Based Discord RAT Targets Users to Steal Login Credentials


A recently identified Remote Access Trojan (RAT) has drawn attention in the cybersecurity community for its use of Discord’s API as a command-and-control (C2) channel.

This Python-based malware exploits Discord’s extensive user base to execute commands, steal sensitive information, and manipulate both local machines and Discord servers.

Bot Initialization and Functionality

The RAT runs as a Discord bot with the message content intent enabled, which lets it read every message in the channels it joins and act on predefined malicious commands embedded in them.

The bot token is hardcoded in the script. Anyone who recovers a sample can reuse that token to take over the bot, and with it the attacker’s C2 channel and any compromised hosts still listening on it.

Beyond capturing chat messages, the RAT extracts saved passwords from Google Chrome’s local Login Data database, which is its most concerning capability.

Stolen credentials are sent directly to the attacker over Discord, making the malware an effective credential stealer.

In addition to stealing credentials, the RAT provides attackers with backdoor shell access, enabling them to execute arbitrary commands on the victim’s system.

The results of these commands are relayed back through Discord, granting full control over compromised machines.

Furthermore, the RAT can capture screenshots of the victim’s screen using the mss Python library, adding surveillance to its feature set.

Persistence Mechanisms and Server Manipulation

According to the report, the RAT includes an automatic reconnection routine that keeps the bot online unless it is manually terminated.

It can also delete and recreate channels on the Discord server it uses, retaining control over that environment even if a defender cleans it up.

For persistence across reboots, the RAT writes itself into the Windows startup registry keys.
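A static triage check for the traits this article attributes to the RAT, written as an added example for SOC analysts handling a suspected Python sample; it is not the RAT's own code. The `SUSPECT` and `BENIGN` scripts below are constructed stand-ins, the token in `SUSPECT` is fabricated, and the token pattern is a heuristic on the three dot-separated base64url segments bot tokens are known to have, not Discord's specification.

```python
"""Added example: flag the indicators the article describes (hardcoded Discord
bot token, message-content intent, Chrome 'Login Data' access, mss screenshots,
Run-key persistence) in a suspected Python sample."""
import re

INDICATORS = {
    "discord_api": re.compile(r"^\s*(?:import\s[^\n]*\bdiscord\b|from\s+discord\b)", re.M),
    "message_content_intent": re.compile(r"intents\.message_content\s*=\s*True"),
    # Heuristic token shape: <base64url app id>.<6-7 char timestamp>.<27+ char HMAC>, quoted.
    "hardcoded_discord_token": re.compile(
        r"""['"][A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}['"]"""),
    "chrome_login_data": re.compile(r"Login Data"),
    "screenshot_mss": re.compile(r"\bmss\b"),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b"),
}


def triage(source):
    """Return (sorted indicator names found, suspicious verdict) for one script."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    verdict = ("discord_api" in hits
               and ("hardcoded_discord_token" in hits or "chrome_login_data" in hits)
               and len(hits) >= 3)
    return hits, verdict


# Constructed sample mirroring the described RAT; the token is fake.
SUSPECT = r'''
import os, sqlite3, discord, mss, winreg
TOKEN = "MTAxxxxxxxxxxxxxxxxxxxxxxx.Gabcde.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
intents = discord.Intents.default()
intents.message_content = True
client = discord.Client(intents=intents)
LOGIN_DB = os.path.join(os.environ["LOCALAPPDATA"], "Google", "Chrome", "User Data", "Default", "Login Data")
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run", 0, winreg.KEY_SET_VALUE)
'''

# Constructed benign bot: token from the environment, default intents only.
BENIGN = '''
import os
import discord
client = discord.Client(intents=discord.Intents.default())
client.run(os.environ["DISCORD_TOKEN"])
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(src))
```

A legitimate bot trips `discord_api` and possibly `message_content_intent`, so the verdict deliberately requires the credential-theft indicators as well; the hardcoded token, once confirmed, should be reported to Discord for revocation, since it is also the attacker's C2 credential.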

To combat this emerging threat, cybersecurity professionals are advised to implement robust endpoint security measures such as antivirus solutions and endpoint detection systems.

Monitoring network traffic for suspicious activity related to Discord is essential, as is educating users about the risks of downloading unverified bots.

Organizations should consider restricting or closely monitoring Discord usage in corporate environments to mitigate risks associated with unauthorized bot execution.

The implications of this analysis underscore the urgent need for enhanced security protocols as cybercriminals increasingly exploit trusted platforms like Discord for malicious purposes.

Proactive defenses will be critical in preventing unauthorized access and minimizing potential damage from these attacks.


PJobRAT Android Malware Masquerades as Dating and Messaging Apps to Target Military Personnel


PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.

Initially, PJobRAT was known for targeting Indian military personnel by disguising itself as dating and instant messaging apps.

The latest iteration of this malware has evolved, now masquerading as apps named ‘SangaalLite’ and ‘CChat’, which were distributed through now-defunct WordPress sites.

Figure: Screenshots from the interface of the malicious SangaalLite app

These sites were active from at least January 2023 to October 2024, although the domains were registered as early as April 2022.

Distribution and Infection Tactics

The malware was spread via fake apps that mimicked legitimate messaging services.

Once installed, these apps request extensive permissions, including the ability to bypass battery optimization, allowing them to run continuously in the background.

Users were likely directed to these malicious sites through various tactics such as SEO poisoning, malvertising, or phishing, although the exact methods used in this campaign are not confirmed.

The threat actors behind PJobRAT have historically used diverse distribution methods, including third-party app stores and compromised legitimate sites.

Enhanced Capabilities

The latest versions of PJobRAT have seen significant updates, particularly in their ability to execute shell commands.

Figure: Code to execute shell commands

According to the report, this enhancement allows the malware to potentially steal data from any app on the device, root the device, or even silently remove itself after completing its objectives.

Unlike previous versions, the new PJobRAT does not specifically target WhatsApp messages but can access data from any app.

It communicates with command-and-control (C2) servers using Firebase Cloud Messaging (FCM) and HTTP, enabling it to upload stolen data such as SMS messages, contacts, and files.

The campaign appears to have concluded, with no recent activity observed. However, this resurgence highlights the adaptability of threat actors, who continually refine their tactics and malware to evade detection.

Android users are advised to avoid installing apps from untrusted sources and to use mobile threat detection software to protect against such threats.


Russian Hackers Impersonate CIA to Steal Ukrainian Defense Intelligence Data


In a complex cyber operation discovered by Silent Push Threat Analysts, Russian hackers have launched a multi-pronged phishing campaign impersonating various organizations, including the CIA, to gather intelligence on individuals sympathetic to Ukraine’s defense efforts.

The campaign, believed to be orchestrated by Russian Intelligence Services or aligned actors, utilizes a network of fraudulent websites to collect personal information from unsuspecting victims.

Exploiting Anti-War Sentiment

The threat actors have created convincing replicas of websites belonging to the Russian Volunteer Corps (RVC), Legion Liberty, and “I Want to Live” (Hochuzhit), an appeals hotline for Russian service members in Ukraine.

These fake sites prompt visitors to submit personal data, ostensibly for recruitment or information-sharing purposes.

The campaign specifically targets Russian citizens involved in anti-war activities, which are illegal in the Russian Federation and can result in arrests.

Technical Infrastructure and Tactics

The phishing infrastructure spans multiple domains hosted on bulletproof providers, with a notable presence on Nybula LLC (ASN 401116).

The attackers employ sophisticated tactics, including the use of legitimate-looking Google Forms to capture victim information and the embedding of authentic Telegram channels to enhance credibility.

Figure: A Google Form requesting site visitors’ personal information

One key domain in the CIA impersonation effort, ciagov[.]icu, was found to generate suspicious “Submission Reference IDs” when users attempted to report information.

According to the report, this domain, along with others like jagotovoff[.]com, shared infrastructure with the fake RVC and Legion Liberty sites, indicating a coordinated effort.

The threat actors have also manipulated search engine results and created deceptive YouTube content to lure victims to their phishing pages.

Figure: Legionliberty[.]top phishing page

For instance, a YouTube channel (@contactciaofficial) was discovered referencing both ciagov[.]icu and a fake .onion domain, demonstrating the campaign’s multi-platform approach.

As of March 2025, the campaign remains active with new domains continually being registered.

Security researchers have identified several indicators of compromise, including specific IP addresses and domain naming patterns.

Organizations and individuals are advised to exercise caution when interacting with websites purporting to represent these entities and to verify the authenticity of any forms requesting personal information.

This sophisticated operation underscores the evolving nature of cyber threats in the context of geopolitical conflicts, highlighting the need for enhanced digital vigilance and robust cybersecurity measures.


SHELBY Malware Steals Data by Abusing GitHub as Command-and-Control Server


Elastic Security Labs has uncovered a sophisticated malware campaign, dubbed REF8685, targeting the Iraqi telecommunications sector.

The campaign utilizes a novel malware family called SHELBY, which abuses GitHub for command-and-control (C2) operations, data exfiltration, and command retrieval.

Novel Malware Family Targets Iraqi Telecommunications Sector

The SHELBY malware family consists of two main components: SHELBYLOADER and SHELBYC2.

Figure: SHELBYLOADER and SHELBYC2 execution chain

The attack chain begins with a phishing email carrying a malicious attachment (details.zip); when its contents are executed, several files are written to the %AppData%\Local\Microsoft\HTTPApi directory.

These files include HTTPApi.dll (SHELBYC2) and HTTPService.dll (SHELBYLOADER).

SHELBYLOADER employs various sandbox detection techniques to evade analysis, including WMI queries, process enumeration, file system checks, and disk size analysis.

Once executed, it establishes persistence by adding an entry to the Windows Registry and generates a unique identifier for the infected machine based on system-specific information.

Innovative C2 Infrastructure Leverages GitHub API

The malware’s C2 infrastructure is built around GitHub’s API, using a private repository and a Personal Access Token (PAT) embedded within the binary.

This allows the malware to authenticate and perform actions on the repository without using standard Git tools.

SHELBYC2, the backdoor component, is loaded into memory using reflection after being decrypted with an AES key derived from a file downloaded from the C2 server.

It supports various commands, including file download, upload, and the ability to reflectively load additional .NET binaries.

Figure: PowerShell execution command

While innovative, the C2 design has a critical flaw: anyone with access to the PAT can potentially control infected machines or access sensitive data, exposing victims to additional risks.
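A small hunt over Sysmon-style telemetry for the traits described above, added here as an example; it is neither the malware's code nor Elastic's YARA rules. It assumes three things the article supports in outline but does not spell out: that the dropped DLLs land under a `\Microsoft\HTTPApi\` path, that the registry persistence entry is a Run-key value pointing into that directory, and that GitHub API traffic from anything other than a known developer tool is worth a look. The event records, hostnames and the `HTTPService.exe` host-process name are constructed.

```python
"""Added example: hunt Sysmon-style events for SHELBY-like artefacts
(HTTPApi DLL drops, Run-key persistence into that folder, and api.github.com
connections from unexpected processes). All records are constructed."""
import re

HTTPAPI_DIR = re.compile(r"\\Microsoft\\HTTPApi\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DROPPED_DLLS = {"httpapi.dll", "httpservice.dll"}      # SHELBYC2 and SHELBYLOADER per the article
# Assumed allowlist of processes that legitimately talk to the GitHub API.
GITHUB_API_ALLOWLIST = {"git.exe", "gh.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, host, evidence) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "FileCreate" and HTTPAPI_DIR.search(ev["path"]) and basename(ev["path"]) in DROPPED_DLLS:
            findings.append(("shelby_dll_dropped", ev["host"], ev["path"]))
        elif kind == "RegistryValueSet" and RUN_KEY.search(ev["key"]) and HTTPAPI_DIR.search(ev["data"]):
            findings.append(("run_key_into_httpapi_dir", ev["host"], ev["data"]))
        elif kind == "NetworkConnect" and ev["dest"].lower() == "api.github.com":
            if basename(ev["image"]) not in GITHUB_API_ALLOWLIST:
                findings.append(("github_api_from_unexpected_process", ev["host"], ev["image"]))
    return findings


# Constructed telemetry: one infected workstation (ws-07) and one developer box (dev-01).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "host": "ws-07",
     "path": r"C:\Users\u\AppData\Local\Microsoft\HTTPApi\HTTPService.dll"},
    {"event": "FileCreate", "host": "ws-07",
     "path": r"C:\Users\u\AppData\Local\Microsoft\HTTPApi\HTTPApi.dll"},
    {"event": "RegistryValueSet", "host": "ws-07",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\HTTPApi",
     "data": r"C:\Users\u\AppData\Local\Microsoft\HTTPApi\HTTPService.exe"},   # hypothetical host exe
    {"event": "NetworkConnect", "host": "ws-07",
     "image": r"C:\Users\u\AppData\Local\Microsoft\HTTPApi\HTTPService.exe", "dest": "api.github.com"},
    {"event": "NetworkConnect", "host": "dev-01",
     "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "api.github.com"},
    {"event": "FileCreate", "host": "dev-01",
     "path": r"C:\Users\d\AppData\Local\Temp\report.pdf"},
]

if __name__ == "__main__":
    for rule, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"{host:8} {rule:36} {evidence}")
```

The third rule is the noisy one on a developer-heavy network; tune `GITHUB_API_ALLOWLIST` per environment rather than dropping the rule, because the GitHub-as-C2 pattern only stands out when the requesting process is examined.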

The REF8685 campaign demonstrates sophisticated social engineering tactics, leveraging compromised internal email accounts to craft highly convincing phishing lures.

The attackers have also targeted other entities in the region, including an international airport in the United Arab Emirates.

Elastic Security Labs has released YARA rules to help detect SHELBY malware variants.

As the malware shows signs of ongoing development, including unused code and dynamic payload-loading capabilities, future versions may fix its current weaknesses and expand its functionality.

This campaign highlights the evolving tactics of threat actors and the importance of robust email security, employee training, and continuous monitoring of network activities to defend against such advanced persistent threats.


46 New Vulnerabilities in Solar Inverter Systems Allow Attackers to Tamper with Settings


Forescout Vedere Labs has uncovered 46 new vulnerabilities in solar power systems, primarily affecting inverters from three leading manufacturers: Sungrow, Growatt, and SMA.

These flaws, if exploited, could enable attackers to manipulate inverter settings, disrupt power grids, and compromise user privacy.

The research highlights that 80% of vulnerabilities disclosed in solar systems over the past three years were rated high or critical severity, with 30% scoring the maximum CVSS severity (9.8–10), allowing full system takeover.

Attack Scenarios and Mitigation

Exploiting these vulnerabilities could lead to large-scale grid destabilization.

For instance, attackers could hijack Growatt inverters via cloud-based takeovers or compromise Sungrow devices by exploiting insecure communication dongles.

Coordinated attacks could force grid shutdowns or blackouts, impacting critical infrastructure like hospitals and businesses.

Vendors have patched the reported issues, but Forescout emphasizes the need for stricter procurement standards, network segmentation, and continuous monitoring to mitigate risks.

Over half of global solar inverter manufacturers (53%) and storage providers (58%) are based in China, raising concerns about foreign-made components’ dominance in critical infrastructure.

The report urges utilities and regulators to address these systemic security gaps to prevent potential nation-state threats.

The findings underscore the urgent need to prioritize cybersecurity in renewable energy systems as they become integral to global power grids.


DeBackdoor: A Framework for Detecting Backdoor Attacks in Deep Learning Models


Deep learning models, increasingly integral to safety-critical systems like self-driving cars and medical devices, are vulnerable to stealthy backdoor attacks.

These attacks plant a hidden trigger during training so that the model behaves normally on clean inputs but produces an attacker-chosen output whenever the trigger is present.

Researchers from the Qatar Computing Research Institute and the Mohamed bin Zayed University of Artificial Intelligence have developed DeBackdoor, a novel framework designed to detect such attacks under realistic constraints.

Addressing Realistic Constraints

In many scenarios, developers obtain deep models from third-party sources without access to the training data or the ability to inspect the model’s internals.

This creates a challenging environment for backdoor detection, as most existing techniques require access to the model’s architecture, training data, or multiple instances of the model.

DeBackdoor addresses these limitations by using a deductive approach to generate candidate triggers and employing a search technique to identify effective triggers.

The framework focuses on optimizing a continuous version of the Attack Success Rate (ASR), a key metric for evaluating backdoor effectiveness.

Detection Methodology

DeBackdoor’s detection methodology involves defining a search space of possible trigger templates based on the description of the attack.

According to the paper, it then uses Simulated Annealing (SA), a stochastic search technique, to iteratively construct and test candidate triggers.

SA is chosen because it can escape local optima, giving a more thorough exploration of the trigger space than greedy methods such as hill climbing.

By applying these triggers to a small set of clean inputs and evaluating the model’s responses, DeBackdoor can determine if a model is backdoored.

The DeBackdoor framework has demonstrated high detection performance across various attack scenarios, including different trigger types and label strategies such as All2One, All2All, and One2One.

It outperforms existing detection baselines like AEVA and B3D, which are limited in their scope and effectiveness.

The adaptability of DeBackdoor makes it particularly valuable in scenarios where the attack strategy is unknown or diverse, providing a robust solution for ensuring the security of deep learning models in critical applications.
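The detection loop described above, carried through on a toy model as an added example. This is not the DeBackdoor code and the "models" are hand-written stand-ins rather than networks: the clean classifier scores an 8x8 binary image by how many pixels are set, and the backdoored variant additionally forces the target class whenever a 2x2 block in the bottom-right corner is set. The trigger template (a 2x2 block of ones), the All2One target label, the annealing schedule and the 0.8 decision threshold are assumptions chosen for the toy; the clean inputs are generated with a fixed seed.

```python
"""Added example: simulated-annealing search over a trigger space, scored by a
continuous attack success rate on a few clean inputs, to decide whether a
black-box model carries a backdoor. Models and data are constructed toys."""
import math
import random

SIZE = 8       # toy 8x8 binary "images"
PATCH = 2      # assumed trigger template: a PATCH x PATCH block of set pixels
TARGET = 0     # assumed All2One target label
CLASSES = 2


def clean_model(img):
    """Stand-in classifier: P(class 0) falls as more pixels are set."""
    ones = sum(sum(row) for row in img)
    p0 = 1.0 - ones / (SIZE * SIZE)
    return [p0, 1.0 - p0]


def backdoored_model(img):
    """Same classifier with a planted backdoor: a 2x2 block of ones in the
    bottom-right corner forces a confident prediction of the target class."""
    if all(img[r][c] == 1 for r in (SIZE - 2, SIZE - 1) for c in (SIZE - 2, SIZE - 1)):
        return [0.95, 0.05]
    return clean_model(img)


def predict(model, img):
    probs = model(img)
    return max(range(CLASSES), key=probs.__getitem__)


def stamp(img, row, col):
    """Apply a candidate trigger (block of ones at row, col) to a copy of img."""
    out = [list(r) for r in img]
    for r in range(row, row + PATCH):
        for c in range(col, col + PATCH):
            out[r][c] = 1
    return out


def continuous_asr(model, inputs, row, col):
    """Mean target-class probability over the clean inputs after stamping the
    candidate: the soft ASR the search maximises (hard ASR would be a step)."""
    return sum(model(stamp(x, row, col))[TARGET] for x in inputs) / len(inputs)


def make_clean_inputs(model, n=16, seed=1):
    """Constructed clean inputs that the model currently classifies as non-target."""
    rng = random.Random(seed)
    inputs = []
    while len(inputs) < n:
        img = [[1 if rng.random() < 0.6 else 0 for _ in range(SIZE)] for _ in range(SIZE)]
        if predict(model, img) != TARGET:
            inputs.append(img)
    return inputs


def anneal(model, inputs, steps=120, restarts=6, seed=7):
    """Simulated annealing over trigger positions; returns (best_position, best_score)."""
    rng = random.Random(seed)
    span = SIZE - PATCH + 1
    clamp = lambda v: min(max(v, 0), span - 1)
    best_state, best_score = None, -1.0
    for _ in range(restarts):
        state = (rng.randrange(span), rng.randrange(span))
        score = continuous_asr(model, inputs, *state)
        temp = 0.5
        for _ in range(steps):
            cand = (clamp(state[0] + rng.randint(-2, 2)), clamp(state[1] + rng.randint(-2, 2)))
            cand_score = continuous_asr(model, inputs, *cand)
            delta = cand_score - score
            # always accept improvements; accept regressions with Boltzmann probability
            if delta >= 0 or rng.random() < math.exp(delta / temp):
                state, score = cand, cand_score
            if score > best_score:
                best_state, best_score = state, score
            temp *= 0.97
    return best_state, best_score


def is_backdoored(model, threshold=0.8):
    """Flag the model if some candidate trigger reaches a high soft ASR."""
    inputs = make_clean_inputs(model)
    trigger, score = anneal(model, inputs)
    return score >= threshold, trigger, round(score, 3)


if __name__ == "__main__":
    for name, model in (("clean", clean_model), ("backdoored", backdoored_model)):
        print(name, is_backdoored(model))
```

Two details carry over to real models: the search only ever calls the model as a black box, which is the constraint the paper targets, and the clean inputs are filtered to those not already predicted as the target class, so a high score can only come from the stamped trigger and not from inputs that happened to contain it.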


Red Team Tactics Grow More Sophisticated with Advancements in Artificial Intelligence


A recent scoping review has revealed that red team tactics are becoming increasingly sophisticated as artificial intelligence (AI) technologies advance.

The study, which analyzed 11 articles published between 2015 and 2023, identified a wide array of AI methods being employed in cyberattacks, including classification, regression, and clustering techniques.

Among the most prominent AI methods utilized in attacks were Long Short-Term Memory (LSTM) networks, Generative Adversarial Networks (GANs), and Support Vector Machines (SVMs).

These advanced algorithms enable attackers to automate and enhance various stages of the cyber kill chain, from reconnaissance to data exfiltration.

Targeted Assets and Attack Vectors

The review highlighted several key targets for AI-driven attacks, with general data emerging as the most frequent target, followed by URLs, social media user profiles, and passwords.

Figure: Review process

Systems and their details were also identified as potential targets, underscoring the broad scope of AI-enabled threats.

Attackers leverage these AI methods to execute a range of sophisticated tactics.

For instance, GANs are employed to generate highly convincing phishing emails and fake social media profiles, while LSTMs and CNNs are used to analyze and exploit patterns in network traffic and user behavior.

The increasing use of AI in red team activities presents significant challenges for cybersecurity professionals.

As attack methods become more automated and capable of making complex decisions, traditional defense mechanisms may prove inadequate.

To counter these evolving threats, the cybersecurity community must adapt by incorporating AI into defensive strategies.

According to the review, this includes developing AI-powered anomaly detection systems, predictive analytics for threat forecasting, and automated response mechanisms.

The findings of this review emphasize the need for continued research and collaboration among organizations, government agencies, and cybersecurity experts to stay ahead of AI-driven cyber threats.

As the threat landscape evolves, so too must the approaches to red teaming and cyber defense, ensuring that security measures can effectively identify and mitigate the risks posed by increasingly sophisticated AI-powered attacks.


Malicious Snow White Movie Download Targets Viewers with New Malware


As the latest adaptation of Snow White hits theaters with lukewarm reception, the absence of streaming options on platforms like Disney+ has led many viewers to seek pirated versions online.

This trend is not new; every major movie release without a digital option becomes a prime opportunity for attackers to exploit users eager to watch from home.

A recent campaign identified by Veriti’s research team highlights this risk, involving a sophisticated malware distributed via torrent sites.

Veriti researchers found that a blog post on the website “TeamEsteem” offered a download link for a pirated Snow White (2025) version.

However, this post was malicious, redirecting users to a torrent containing an infected file package. The attackers likely exploited an XSS vulnerability or used leaked admin credentials to access the site.

Figure: Compromised TeamEsteem blog post offering the fake Snow White torrent

This blog entry redirected users to download a torrent containing a three-file package, which included a malicious executable posing as a necessary codec installer.

Analysis of the Malware

Upon examining the torrent, Veriti analysts discovered a suspicious file named xmph_codec.exe, claiming to be a required video codec.

Figure: File breakdown inside the torrent package

Figure: The fake video codec installer

The file triggered a sophisticated malware deployment process when run. Key findings include:

  • Detection: Identified as malicious by 50 out of 73 security vendors on VirusTotal.
  • Compilation: Compiled on July 12, 2024, suggesting reuse from prior campaigns.
  • Unsigned Executable: Raises red flags about its origin.
  • Malicious Actions: Drops additional malicious files, silently installs the Tor Browser, initiates communication with a Dark Web .onion domain, and disables Windows Defender and other security features.

The malware communicates with a C2 server on the Tor network:

  • http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion
  • http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php

This campaign leverages the anonymity of the Tor network to mask its communications and evade detection.

The absence of digital streaming options for major movies like Snow White continues to drive users to illegal downloads, creating an ideal environment for attackers.

Users are advised to be cautious when seeking digital content online and to use reputable streaming services to avoid falling prey to such sophisticated malware campaigns.

This not only protects their devices but also supports legal content creators. As cybersecurity continues to evolve, staying informed about these tactics is crucial for maintaining digital safety.

Indicators of Compromise (IoCs)

  • File hashes (SHA-256):
    • 9c1a0608bae991af50096acaec9d979df9f9a3bb6e89d9d20972d6cfeb9582bb
    • 2ec555c34f0af1514501ca5e4d999c843d5b9de7973467820fcf6034a517c4cc
    • 8b81b0017c0e154c1fdea226f1ad0d3cfc0e301af05698bdbb7d0d6037d71a12
