Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.

CYFIRMA Research- Tracking ransomware: February 2025 (6:30)
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – February 2025. Ransomware activity surged by 87.45% in February, with Cl0p witnessing an alarming 453% rise. Manufacturing, FMCG, and Transportation sectors faced the highest spike in attacks. The U.S. remained the top target, followed by Canada, the U.K., Ge…

CYFIRMA Research- Geopolitical Conflicts and The Unpredictable Nature of Hacktivist Operations (6:49)
Hacktivists often become active participants in cyber conflicts whenever geopolitical tensions arise. This has been evident during events like the Israel-Palestine conflict and the Russia-Ukraine war. Recently, tensions flared between Malaysia and Indonesia following the death of a migrant worker attempting to cross the Malaysian border with four o…

CYFIRMA research has identified a new ransomware variant named LithiumWare, showcasing advanced capabilities designed to disrupt, encrypt, and steal. Key features of LithiumWare: Data theft: exhibits activities indicative of stealing personal data, including detecting crypto-addresses. Persistence: creates files in the startup directory, manipu…

CYFIRMA Research- DEEPFAKE, OR THE ‘SPUTNIK MOMENT’ IN THE AI RACE (6:59)
China's DeepSeek recently shocked the AI world, challenging US dominance and raising serious security concerns. Did US export controls backfire, fuelling China's AI rise and a new era of cyber threats? Link to the Research Report: https://www.cyfirma.com/blogs/deepfake-or-the-sputnik-moment-in-the-ai-race/ #Geopolitics #CyfirmaResearch #ThreatIntel…

CYFIRMA Research: Fake CAPTCHA Malware Campaign- How Cybercriminals Use Deceptive Verifications to Distribute Malware (5:57)
Cybercriminals have developed a new sophisticated method to distribute malware via fake CAPTCHA pages, tricking users into executing malicious scripts. Our investigation reveals that the Lumma Stealer is leveraging this tactic to harvest sensitive data, including credentials, cryptocurrency assets, and credit card info. Link to the Research Report:…

CYFIRMA Research- SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion (6:08)
This report explores a fake financial management app on the Google Play Store named Finance Simplified, which has been downloaded over 100,000 times. The app reportedly downloads an additional fraudulent loan application targeting Indian users. Once installed, users attempting to secure loans are subjected to cyber blackmail and bullying. The malic…

CYFIRMA Research: JavaScript to Command-and-Control (C2) Server Malware (6:24)
The cyber threat landscape is evolving, with hackers deploying multi-stage malware using obfuscation, steganography, and covert communication channels to evade detection. Attacks start with an obfuscated JavaScript, which fetches encoded commands from a URL and executes an obfuscated PowerShell script that downloads a JPG image and an obfuscated text file c…

CYFIRMA Research- Tracking Ransomware- January 2025 (4:40)
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – January 2025 Report. January witnessed 510 ransomware victims globally, with Akira emerging as the most active group while new threats like MORPHEUS surfaced. The Manufacturing sector was the most targeted, and the USA remained the top victim region wi…

CYFIRMA Research- APT Quarterly Highlights- Q4 2024 (7:22)
Our Q4 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups across Iran, North Korea, Russia, and China. These groups intensified operations with a sharp focus on credential theft through phishing, MFA push-bombing, and fake job scams. RomCom (Russia) and Lazarus (North Korea) exploited zer…

Malware disguised as a banking app is spreading through phishing and unofficial app stores. Built with Kotlin, this malware steals personal info and card details, leaking everything to criminals via Telegram bots and hidden servers. Stay safe! Only download apps from official stores, check permissions and NEVER share sensitive info on unsecured p…

CYFIRMA Research: Flesh Stealer- Unmasking the Blue Masked Thief (6:04)
Flesh Stealer, a newly identified malware first observed in August 2024 and written in C#, targets browsers like Chrome, Firefox, and Edge to harvest saved passwords, cookies, and browsing history. It also extracts data from applications such as Telegram and Signal, including stored chats and databases. Interestingly, it avoids executing on systems…

Astral Stealer: A Sophisticated Threat! Our latest research uncovers Astral Stealer, a powerful malware designed to exfiltrate sensitive data using browser injections, credential dumping, and sophisticated evasion techniques. As a publicly available threat, it provides cybercriminals with the means to bypass security defenses and exploit vulnerable…

New Ransomware Alert: "Windows Locker". A new .NET-based ransomware strain, Windows Locker, is making waves with its advanced tactics; read the CYFIRMA research team's full report for a comprehensive analysis. Encryption: Files are encrypted with the .winlocker extension. Ransom Note: Victims receive a Readme.txt file with instructions to conta…

CYFIRMA Research- CVE-2024-45387: Critical Vulnerability in Apache Traffic Control (5:50)
A critical SQL injection vulnerability (CVE-2024-45387) has been discovered in Apache Traffic Control's Traffic Ops component, impacting versions 8.0.0 and 8.0.1. Attackers with high-level roles (admin, federation, operations, portal, steering) can execute malicious SQL queries, risking data compromise, privilege escalation, and service disruption.…

CYFIRMA Research- Android Malware in DONOT APT Operations (3:17)
The CYFIRMA team has analyzed malware linked to the Indian APT group DONOT, uncovering its use of a deceptive app called “Tanzeem” to gather intelligence under the guise of a chat platform. The app shuts down after permissions are granted, suggesting a targeted approach. Two analyzed versions, from October and December, showed minimal differences, …

CYFIRMA Research- The Fall of Syria and the Future of the Iran Threat (5:04)
The swift fall of the Syrian regime caught major players off guard, including Russia and Iran, who had heavily invested in propping up the state. While the USA considers withdrawal, Turkey is positioned to greatly increase its influence, while Iran and Russia suffer a significant strategic blow and might start relying more heavily on their cyber capabili…

CYFIRMA Research- TRACKING RANSOMWARE: DECEMBER 2024 (3:39)
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – December 2024 Report. The report highlights key trends, including a 12.38% decrease in ransomware attacks compared to November, alongside the rise of new groups like Funksec, which targeted VMware ESXi hypervisors and Windows servers. Critical vulnerabil…

CYFIRMA Research- Living off the Land: The Mechanics of Remote Template Injection Attack (5:23)
At CYFIRMA, we continuously analyze the tactics and techniques employed by threat actors. One such technique is Remote Template Injection, which exploits Microsoft Word's template functionality to bypass traditional defenses. Used by Advanced Persistent Threat (APT) groups, this method disguises malicious payloads in seemingly harmless documents, m…

CYFIRMA Research- NonEuclid Remote Access Trojan (RAT) (5:01)

CYFIRMA Research- Inside FireScam: An Information Stealer with Spyware Capabilities (4:14)
Introducing FireScam: A New Android Malware Threat. The CYFIRMA research team has uncovered a new, sophisticated Android malware - FireScam, an advanced information-stealing malware with spyware capabilities. Disguised as a fake ‘Telegram Premium’ app, this malware is spread through phishing websites and targets users with the intent to steal sensi…

CYFIRMA Research- CVE-2024-10914: A Critical Vulnerability in D-Link NAS Devices (3:21)
A critical vulnerability, CVE-2024-10914, has been discovered in unsupported D-Link devices, including DNS-320, DNS-320LW, DNS-325, and DNS-340L. With over 60,000 devices potentially exposed and nearly 1,100 actively exploited since Nov 12, 2024, attackers are leveraging this flaw to steal data, deploy ransomware, and compromise networks. If you’re…

CYFIRMA Research- How Festive Events Have Become Prime Targets for Digital Exploitation and Fraud (6:33)
The CYFIRMA research team is proud to offer insights into the increased cyber risks the holiday season brings! Stay alert, verify offers, and keep your information safe! As the year-end season approaches, watch out for scammers using advanced tactics. Phishing emails might offer irresistible deals but could contain malicious links - always verif…

Cybercriminals are stepping up their game with Bizfum Stealer, a highly sophisticated malware targeting sensitive data such as browser credentials, files, and Discord tokens. It utilizes advanced encryption techniques and Telegram bots for stealthy data exfiltration. 1. It extracts browser passwords, cookies, and saved credentials. 2. Screenshots a…

CYFIRMA Research- Russia as a Threat Actor in the UK (6:45)
The UK faces an escalating cyber threat landscape dominated by sophisticated Russian actors, including state-affiliated groups like Sandworm and APT29, as well as privateer entities operating with Kremlin leniency. To learn more about the Russian cyber threat to the UK, read the full report. Link to the Research Report: RUSSIA AS A THREAT ACTOR IN …

CYFIRMA Research: Tracking Ransomware- November 2024 (4:38)
Stay ahead of cybersecurity trends with CYFIRMA's November 2024 Ransomware Report. Ransomware incidents rose by 15.65%, affecting 606 victims worldwide. Emerging groups like Chort, Ymir, and SafePay deployed advanced techniques. Ransomware groups are seen exploiting critical vulnerabilities in systems like Veeam Backup and targeting weekends for reduc…

CYFIRMA Research- Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia (2:18)
Our team at CYFIRMA analyzed a malicious Android sample used in a targeted attack leveraging the Spynote Remote Administration Tool (RAT). We believe that the threat actor behind the targeted attack could be an APT. Delivered via WhatsApp with payloads disguised as apps like "Best Friend" and "Friend," the attack aimed to compromise high-value asse…

CYFIRMA Research- TRUMP 2.0: WHAT’S IN STORE? (4:37)
Taking control of the White House and Congress gives Republicans a rare opportunity to change the course of the country. How will Donald Trump wield that power during a second term, and will that impact cyber? The following blog post will try to summarize what we know so far, what we can likely expect, and what will be the fallout in the cyber real…

CYFIRMA Research: Exploration of Parano – Multiple Hacking Tools’ Capabilities (6:45)
CYFIRMA's latest research highlights the emerging threat of the Parano Malware Family, which includes Parano Stealer, Ransomware, and Screen Locker. Developed by the cybercriminal group Paranodeus, these tools target sensitive data using advanced techniques for persistence and evasion. Despite bans on their initial distribution channels, Paranodeus…

CYFIRMA Research- Decoding Cyberattacks on Morocco (5:16)
Cyberattacks Hit Morocco: A Wake-Up Call for Cybersecurity! Morocco has been hit with a series of cyberattacks from groups like Anonymous Algeria and EvilBbyte, with motives rooted in the long-standing dispute over the Western Sahara region. These hackers are targeting everything from government websites to critical infrastructure, and it’s all tie…

CYFIRMA Research- Investigation into Helldown Ransomware (4:55)
Helldown ransomware is spreading fast, targeting key industries like Real Estate, IT, Manufacturing, and Healthcare. The ransomware targets both Windows and Linux systems, exploits known vulnerabilities, and encrypts files. First spotted in August 2024 by CYFIRMA, Helldown has already impacted businesses in 11 countries, with the USA and Germany be…

Hexon Stealer is a variant of Stealit Stealer, which itself is derived from Fewer Stealer. Rebranding and code reuse are common practices among malware developers. Stealer devs often create Telegram or Signal channels to market their stealers, attracting a significant user base by promoting them across various platforms. The CYFIRMA research team’s…

CYFIRMA Research: CVE-2024-9264: A Critical Vulnerability in Grafana- Vulnerability Analysis and Exploitation (3:38)
The CYFIRMA Research team provides insights into a severe flaw in Grafana (versions <11.0.5, 11.1.6, 11.2.1), which allows low-privilege users to execute arbitrary commands, risking sensitive data exposure and system compromise. Threat actors are also actively discussing and sharing exploits in underground forums. Link to the Research Report: CVE-2…

CYFIRMA Research- ELPACO-team Ransomware: A New Variant of the MIMIC Ransomware Family (4:50)
Our latest research has uncovered “Elpaco-team” ransomware, a new variant of the well-known Mimic ransomware. Elpaco employs similar tactics, primarily targeting Windows-based systems and leveraging legitimate tools. Once inside, Elpaco encrypts critical files with encryption algorithms, rendering them inaccessible to the user. The ransomware also …

CYFIRMA Research- Black Basta Ransomware Group (4:16)
Stay vigilant against Black Basta’s sophisticated ransomware tactics! In our latest analysis, Black Basta continues to be a leading threat in the cyber landscape, targeting industries such as healthcare, finance, and manufacturing. Known for exploiting vulnerabilities and using double extortion, this ransomware group applies social engineering to …

CYFIRMA Research- TRACKING RANSOMWARE : OCTOBER 2024 (5:27)
Stay ahead of cybersecurity trends with CYFIRMA's October 2024 Ransomware Report! This month saw a 42.78% increase in ransomware, led by groups like RansomHub, and new threats emerging, such as Hellcat and Playboy. Manufacturing and Healthcare were heavily impacted, while DragonForce expanded its Ransomware-as-a-Service model. Tactics like “Bring Y…

CYFIRMA’s research team has uncovered a new strain of malware known as "Wish Stealer," a sophisticated Node.js-based program targeting Windows users. This malware is designed to steal sensitive information from popular platforms like Discord, various web browsers, and cryptocurrency wallets. It employs advanced techniques, including privilege escal…

CYFIRMA Research: SpyNote: Unmasking a Sophisticated Android Malware (4:42)
A recently discovered variant of the SpyNote Remote Access Trojan (RAT) is posing as "Avast Mobile Security for Android." Upon installation, it gains extensive control over your device, silently granting itself permissions and displaying fake system update notifications. This sneaky malware operates in the background, restarts if stopped, and preve…

CYFIRMA Research: Quishing- The New Age Threat in Digital Fraud (4:53)
Quishing, a dangerous combination of QR codes and phishing, is emerging as a significant threat that can lead to unauthorized access to sensitive information. Cybercriminals exploit the increasing prevalence of QR codes to trick users into scanning malicious links, resulting in credential theft and data breaches. Given the rapid rise in QR code phi…

CYFIRMA Research: G700- The Next Generation of Craxs RAT (8:02)
CYFIRMA's latest research highlights the G700 RAT, a potent malware targeting Android devices, especially in the cryptocurrency and finance sectors. With advanced techniques like privilege escalation, SMS hijacking, and phishing injection, G700 RAT can bypass security and compromise sensitive data. Strengthen your defenses to stay protected! Link t…

CYFIRMA Research: CVE-2024-7479 and CVE-2024-7481- Privilege Escalation - Vulnerability Analysis and Exploitation (3:03)
Critical Alert: Organizations using TeamViewer's Remote Client and Remote Host products on Windows must act now! CVE-2024-7479 and CVE-2024-7481 present a severe risk of privilege escalation. With millions of users potentially affected globally, immediate action is crucial. Both flaws involve improper cryptographic signature verification during dri…

CYFIRMA Research- APT Quarterly Highlights- Q3 2024 (5:11)
Our Q3 2024 APT Quarterly Highlights Report reveals intensified cyber activities from APT groups in Iran, Russia, China, and North Korea, indicating heightened espionage efforts. Iran’s MuddyWater and APT34 leveraged custom malware like BugSleep, while Russia’s APT29 and APT28 capitalized on zero-day vulnerabilities for sophisticated infiltration. …

CYFIRMA Research- CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager: Vulnerability Analysis and Exploitation (3:54)
Ivanti Virtual Traffic Manager (vTM) users – A critical authentication bypass flaw (CVSS 9.8) is now being actively exploited! This vulnerability allows unauthenticated attackers to gain admin control over your systems. Patch now to prevent unauthorized access, data theft, or malware deployment. Public exploit code is already circulating. Stay secu…

CYFIRMA Research- Data Breach Investigation on Cisco (6:57)
CYFIRMA's investigation uncovered a major data breach at Cisco, led by the notorious threat actor IntelBroker. On October 14, 2024, IntelBroker posted on BreachForum, revealing that critical data such as source code, hard-coded credentials, SSL certificates, API tokens, and confidential documents were stolen. This breach impacts Cisco's B2B clients…

CYFIRMA Research: The Will of D- A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer (5:42)
The proliferation of stealers, particularly those masquerading as open-source projects, poses significant risks to users. With capabilities to steal sensitive information, such as passwords, cryptocurrency wallets, and browser data, these malware variants not only threaten individual privacy but also create broader cybersecurity challenges. As deve…

CYFIRMA Research- World on the Brink: War in The Middle East Threatens to Enter a New Destructive Phase (5:15)
The Israeli invasion of Lebanon began with the declared goal to remove Hezbollah's military infrastructure from the south of the country so that Israelis living in northern Israel could return to their homes, from which they have been driven by the low-intensity conflict raging on the border since Hamas' raid on Gaza last year. The Israeli army has…

CYFIRMA Research: Tracking Ransomware- September 2024 (5:32)
Stay ahead of cybersecurity trends with CYFIRMA's September 2024 Ransomware Report. This month’s analysis highlights significant shifts among top ransomware groups like Medusa, which saw a 525% surge in victims, while others like RansomHub and Meow experienced declines. Key industries such as IT and transportation saw notable increases, while secto…

CYFIRMA Research- iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation (3:59)
Immediate action is required for all organizations using iTunes for Windows! CVE-2024-44193 is a critical local privilege escalation vulnerability that could lead to unauthorized system access. Attackers exploit misconfigured permissions in the AppleMobileDeviceService.exe to elevate privileges and gain control. Given the widespread use of iTunes, …

Our latest research dives deep into Yunit Stealer, a sophisticated malware designed to steal sensitive data, such as credentials, cookies, and cryptocurrency wallets. This malware employs advanced evasion techniques, including obfuscation and persistence methods, making it a formidable threat to cybersecurity. Yunit Stealer can disable Windows Defe…

A new malware threat, Vilsa Stealer, has surfaced. Discovered on GitHub, this malware is designed to quietly steal your most sensitive information, everything from browser passwords to cryptocurrency wallets and even Discord credentials. What makes it particularly scary is its ability to sneak past security measures and hide in your system, all the…

CYFIRMA Research: OSINT Investigation- Hunting Malicious Infrastructure Linked to Transparent Tribe (5:19)
CYFIRMA's latest report delves into a crucial investigation targeting the malicious infrastructure linked to the APT group "Transparent Tribe." Employing open-source intelligence (OSINT), we thoroughly tracked the command-and-control (C2) servers utilized by this persistent threat actor. By leveraging advanced techniques such as JARM fingerprinting…