<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Mark0</title>
    <description>The latest articles on Forem by Mark0 (@mark0_617b45cda9782a).</description>
    <link>https://forem.com/mark0_617b45cda9782a</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3702447%2F0301e2c9-634f-4567-8171-fd5d9da0b3aa.jpg</url>
      <title>Forem: Mark0</title>
      <link>https://forem.com/mark0_617b45cda9782a</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/mark0_617b45cda9782a"/>
    <language>en</language>
    <item>
      <title>JDownloader site hacked to replace installers with Python RAT malware</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 05:01:24 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware-2f4o</link>
      <guid>https://forem.com/mark0_617b45cda9782a/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware-2f4o</guid>
      <description>&lt;p&gt;The official JDownloader website was recently compromised in a supply chain attack, resulting in the distribution of malicious Windows and Linux installers between May 6 and May 7, 2026. Attackers exploited an unpatched vulnerability in the site's content management system (CMS) to modify download links, redirecting users to third-party payloads. The breach specifically targeted the Windows 'Alternative Installer' and the Linux shell installer links, while other distribution methods like macOS packages and Flatpaks remained unaffected.&lt;/p&gt;

&lt;p&gt;Technical analysis revealed that the malicious Windows payload deploys an obfuscated Python-based remote access trojan (RAT) capable of executing modular code from command and control servers. On Linux, the installer was found to inject malicious code that downloads ELF binaries and establishes persistence by masquerading as system services. Given the level of access granted to the malware, researchers recommend that affected users perform a full operating system reinstallation and reset all credentials.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>malware</category>
      <category>supplychain</category>
    </item>
    <item>
      <title>Google: Hackers used AI to develop zero-day exploit for web admin tool</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 05:00:11 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool-1jdg</link>
      <guid>https://forem.com/mark0_617b45cda9782a/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool-1jdg</guid>
      <description>&lt;p&gt;Google Threat Intelligence Group (GTIG) has identified a zero-day exploit for an unnamed open-source web administration tool that was likely developed using AI. The exploit, designed to bypass two-factor authentication (2FA), featured Python code with characteristics typical of large language models (LLMs), such as educational docstrings and hallucinated CVSS scores. This discovery highlights a shift in threat actor methodology, moving towards AI-assisted vulnerability discovery for complex logic-based flaws.&lt;/p&gt;

&lt;p&gt;Beyond this specific incident, Google's report notes that state-sponsored actors from China, North Korea, and Russia are increasingly industrializing AI use. This includes generating decoy code to obfuscate malware like CANFAIL, utilizing voice cloning for social engineering, and integrating Gemini APIs into Android malware like PromptSpy for autonomous device interaction. To scale these operations, attackers are building automated infrastructure to manage access to premium AI models.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>ai</category>
      <category>exploit</category>
    </item>
    <item>
      <title>Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 04:58:54 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware-32jh</link>
      <guid>https://forem.com/mark0_617b45cda9782a/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware-32jh</guid>
      <description>&lt;p&gt;In April, a sophisticated cyber intrusion was identified involving the deployment of EtherRAT via a malicious MSI installer masquerading as a Sysinternals tool. This campaign utilized the Ethereum blockchain through EtherHiding to dynamically update command-and-control (C2) configurations, effectively bypassing traditional network defenses. The attackers further deployed TukTuk, an AI-generated malware framework that leverages an array of SaaS platforms including ClickHouse, Supabase, and Arweave for resilient communication and dead-drop resolution.&lt;/p&gt;

&lt;p&gt;Following initial access, the threat actor engaged in extensive lateral movement using GoTo Resolve RMM and tools like NetExec. Sensitive data was exfiltrated to Wasabi cloud storage using Rclone before the intrusion culminated in the environment-wide deployment of The Gentleman ransomware via Group Policy Objects (GPO). The incident underscores a trend of threat actors adopting decentralized infrastructure and legitimate SaaS tools to mask malicious activities and complicate attribution.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>ransomware</category>
      <category>malware</category>
    </item>
    <item>
      <title>TrickMo Android banker adopts TON blockchain for covert comms</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 04:57:38 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms-4k2n</link>
      <guid>https://forem.com/mark0_617b45cda9782a/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms-4k2n</guid>
      <description>&lt;p&gt;TrickMo, a long-standing Android banking malware, has evolved with a new variant labeled 'Trickmo.C' targeting users across Europe. Disguised as popular applications like TikTok, the malware aims to steal sensitive banking credentials and cryptocurrency wallet data. This version introduces sophisticated evasion techniques, including the use of The Open Network (TON) for decentralized command-and-control (C2) communications.&lt;/p&gt;

&lt;p&gt;By leveraging .ADNL addresses and an embedded TON proxy, the malware obscures its server infrastructure, making traditional domain takedowns and traffic analysis significantly harder. In addition to its core capabilities like screen recording and SMS interception, the new variant adds advanced networking tools such as SSH tunneling and SOCKS5 proxy support, marking a significant step up in its operational complexity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>android</category>
      <category>malware</category>
    </item>
    <item>
      <title>The Accidental C2 - Exploring Dev Tunnels for Remote Access</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 04:56:52 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/the-accidental-c2-exploring-dev-tunnels-for-remote-access-3oka</link>
      <guid>https://forem.com/mark0_617b45cda9782a/the-accidental-c2-exploring-dev-tunnels-for-remote-access-3oka</guid>
      <description>&lt;p&gt;This article explores the security implications of VS Code Dev Tunnels, demonstrating how they can be repurposed as an unintended Command and Control (C2) infrastructure. By deconstructing the multi-layered protocol—spanning REST management, WebSocket tunneling, SSH, and MsgPack-encoded RPC—the research reveals how an attacker can execute remote commands and manipulate files on a target system using legitimate Microsoft developer tools.&lt;/p&gt;

&lt;p&gt;The author introduces "Ouroboros," a custom Rust-based tool designed to list, interact with, and exploit existing dev tunnels. The research further highlights advanced attack paths, including the use of Entra ID Family of Client IDs (FOCI) and Broker-based Nested App Authentication (BroCI) to pivot from standard application tokens to dev tunnel access, providing a potent vector for initial access and lateral movement.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://blog.xpnsec.com/accidental-c2/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>devtunnels</category>
      <category>vscode</category>
    </item>
    <item>
      <title>GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Tue, 12 May 2026 04:55:52 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/gtig-ai-threat-tracker-adversaries-leverage-ai-for-vulnerability-exploitation-augmented-2n3d</link>
      <guid>https://forem.com/mark0_617b45cda9782a/gtig-ai-threat-tracker-adversaries-leverage-ai-for-vulnerability-exploitation-augmented-2n3d</guid>
      <description>&lt;p&gt;Google Threat Intelligence Group (GTIG) reports a significant maturation in how adversaries leverage AI, shifting from initial experimentation to industrial-scale application in cyber operations. This report, based on insights from Mandiant, Gemini, and GTIG research, highlights AI's dual role: it serves as a sophisticated engine for adversary operations and concurrently as a high-value target for attacks. Key developments include AI-augmented vulnerability discovery, advanced defense evasion techniques, and autonomous malware operations.&lt;/p&gt;

&lt;p&gt;Adversaries are now using AI for zero-day exploit development, accelerating polymorphic malware creation, and orchestrating autonomous attacks like PROMPTSPY for system navigation and decision-making. AI also enhances reconnaissance, information operations (e.g., deepfakes), and provides obfuscated, scalable access to LLMs for malicious activities. Furthermore, the AI ecosystem itself is a target, with supply chain attacks leveraging compromised components and malicious AI agent skills. Google actively counters these threats through product safeguards, AI-powered defenses like Big Sleep and CodeMender, and industry collaboration via the Secure AI Framework (SAIF) and Coalition for Secure AI (CoSAI).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>ai</category>
      <category>threatintelligence</category>
    </item>
    <item>
      <title>2026-05-08: macOS Shub Stealer infection</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:54:48 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/2026-05-08-macos-shub-stealer-infection-3oi</link>
      <guid>https://forem.com/mark0_617b45cda9782a/2026-05-08-macos-shub-stealer-infection-3oi</guid>
      <description>&lt;p&gt;This technical analysis outlines a macOS Shub Stealer infection occurring on May 8, 2026. The compromise follows a social engineering path where a Google search leads users to a malicious Google Drive document, which then redirects to a fraudulent "Download for macOS" landing page. The victim is then prompted to manually execute a script via their terminal, initiating the malware's deployment.&lt;/p&gt;

&lt;p&gt;The report highlights key forensic artifacts, including specific log files generated during the infection and network traffic captured in Wireshark. For deep-dive investigation, the author has provided associated IOCs, packet captures (pcap), and the malware samples themselves, allowing analysts to examine the exfiltration methods used by this infostealer.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.malware-traffic-analysis.net/2026/05/08/index.html" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>macos</category>
      <category>malware</category>
    </item>
    <item>
      <title>What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:53:51 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/what-is-the-instructure-canvas-breach-impact-risks-and-what-institutions-should-do-5d3o</link>
      <guid>https://forem.com/mark0_617b45cda9782a/what-is-the-instructure-canvas-breach-impact-risks-and-what-institutions-should-do-5d3o</guid>
      <description>&lt;p&gt;⚠️ &lt;strong&gt;Region Alert: UAE/Middle East&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In May 2026, the threat group SHADOW-AETHER-015 breached Instructure's Canvas platform, exposing data from over 8,800 institutions across 50 countries. The breach affects a wide range of educational and medical organizations, including all eight Ivy League universities and over 1,600 K-12 districts. The leak originated from backend infrastructure, potentially compromising highly sensitive student disclosures, medical accommodation requests, and private academic conversations.&lt;/p&gt;

&lt;p&gt;The primary concern following this incident is the risk of sophisticated spear-phishing and social engineering attacks. Because the stolen data includes specific institutional context and private message histories, threat actors can craft highly convincing fraudulent communications. Organizations are advised to re-authorize API integrations, enforce multi-factor authentication, and prepare for potential regulatory implications under FERPA, COPPA, and HIPAA.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.trendmicro.com/en_us/research/26/e/What-Is-the-Instructure-Canvas-Breach.html" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>databreach</category>
      <category>threatintel</category>
    </item>
    <item>
      <title>CVE-2025-68670: discovering an RCE vulnerability in xrdp</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:52:54 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/cve-2025-68670-discovering-an-rce-vulnerability-in-xrdp-1c61</link>
      <guid>https://forem.com/mark0_617b45cda9782a/cve-2025-68670-discovering-an-rce-vulnerability-in-xrdp-1c61</guid>
      <description>&lt;p&gt;Kaspersky researchers have identified a critical remote code execution (RCE) vulnerability in the xrdp open-source remote desktop server, tracked as CVE-2025-68670. The vulnerability occurs during the Secure Settings Exchange phase, specifically within the &lt;code&gt;xrdp_wm_parse_domain_information&lt;/code&gt; function. Because the flaw is triggered before the authentication process is completed, it presents a significant risk by allowing unauthenticated attackers to potentially compromise the server process.&lt;/p&gt;

&lt;p&gt;The technical root cause is a stack buffer overflow. While the xrdp server converts domain strings from UTF-16 to UTF-8, it fails to properly validate the length of the domain name before copying it into a 256-byte stack buffer. Although modern compiler mitigations like stack canaries can hinder exploitation, researchers demonstrated a successful proof-of-concept. Maintainers have patched the issue in version 0.10.5 and backported security fixes to versions 0.9.27 and 0.10.4.1.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://securelist.com/cve-2025-68670/119742/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>linux</category>
      <category>rce</category>
    </item>
    <item>
      <title>The Good, the Bad and the Ugly in Cybersecurity – Week 19</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:51:54 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/the-good-the-bad-and-the-ugly-in-cybersecurity-week-19-4iej</link>
      <guid>https://forem.com/mark0_617b45cda9782a/the-good-the-bad-and-the-ugly-in-cybersecurity-week-19-4iej</guid>
      <description>&lt;p&gt;Federal authorities have successfully sentenced Deniss Zolotarjovs, a key negotiator for the Karakurt extortion syndicate, to nearly nine years in prison for his role in coercing victims using stolen sensitive data. In a related crackdown on state-sponsored activities, two American nationals were also sentenced for facilitating laptop farms that allowed North Korean IT workers to infiltrate U.S. companies and siphon funds to the sanctioned regime.&lt;/p&gt;

&lt;p&gt;Technically, SentinelLABS researchers uncovered PCPJack, a sophisticated cloud worm designed to harvest a wide range of credentials and evict competing threat actors from compromised infrastructure. Additionally, a critical zero-day vulnerability (CVE-2026-0300) in Palo Alto Networks' PAN-OS is currently under active exploitation, posing a significant risk of remote code execution across thousands of exposed edge devices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-19-7/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>cloudsecurity</category>
      <category>vulnerability</category>
    </item>
    <item>
      <title>Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:51:00 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/quasar-linux-rat-steals-developer-credentials-for-software-supply-chain-compromise-3hip</link>
      <guid>https://forem.com/mark0_617b45cda9782a/quasar-linux-rat-steals-developer-credentials-for-software-supply-chain-compromise-3hip</guid>
      <description>&lt;p&gt;Quasar Linux RAT (QLNX) is a sophisticated Linux implant designed to target developers and DevOps infrastructure. It focuses on stealing credentials from sensitive files like .npmrc, .aws/credentials, and Kubernetes configs, potentially allowing attackers to poison software registries or access cloud environments. The malware operates with high stealth, using fileless execution and masquerading as kernel threads to establish a silent foothold.&lt;/p&gt;

&lt;p&gt;Technically, QLNX employs a multi-layered approach for persistence and evasion, utilizing seven different methods including systemd, crontab, and .bashrc injection. It features a two-tiered rootkit architecture combining userland LD_PRELOAD and kernel-level eBPF components to hide its presence from standard system tools. With support for 58 commands and PAM-based credential interception, it provides operators with comprehensive control over compromised hosts while maintaining long-term stealth.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>linux</category>
      <category>malware</category>
    </item>
    <item>
      <title>CISA gives feds four days to patch Ivanti flaw exploited as zero-day</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Mon, 11 May 2026 04:50:19 +0000</pubDate>
      <link>https://forem.com/mark0_617b45cda9782a/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day-3lb3</link>
      <guid>https://forem.com/mark0_617b45cda9782a/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day-3lb3</guid>
      <description>&lt;p&gt;CISA has issued an urgent directive for U.S. federal agencies to secure Ivanti Endpoint Manager Mobile (EPMM) systems against CVE-2026-6973. This high-severity vulnerability enables remote code execution (RCE) for attackers with administrative privileges. The security flaw is currently being exploited in zero-day attacks, prompting a rapid patching mandate with a deadline of May 10.&lt;/p&gt;

&lt;p&gt;Ivanti has released updates for versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 to address the issue. This latest vulnerability follows a series of critical flaws in the EPMM product line targeted by attackers earlier this year. Security organizations report that over 800 appliances remain exposed online, and administrators are advised to rotate credentials and audit accounts with administrative rights.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>vulnerability</category>
      <category>ivanti</category>
    </item>
  </channel>
</rss>
