Google uncovered an #iPhone exploit kit called Coruna containing 23 iOS exploits targeting versions 13–17.2.1.
The framework fingerprints devices and automatically loads the matching WebKit exploit chain. Researchers say it moved from #surveillance vendors to nation-state operators and later cybercrime groups.
The framework fingerprints devices and automatically loads the matching WebKit exploit chain. Researchers say it moved from #surveillance vendors to nation-state operators and later cybercrime groups.
A wave of cyberattacks followed the U.S.-Israel strikes on Iran, with researchers documenting over 1,000 DDoS attacks on 500+ organizations in 16 countries.
A coalition of cybersecurity firms—including Radware, Orange Cyberdefense, Flashpoint, Palo Alto Networks Unit 42, and CloudSEK—has reported a wave of hacktivist attacks following the U.S.-Israel campaign against Iran.
The Statistics:
Between February 28 and March 4, researchers documented 1,000 DDoS attack claims targeting organizations across 16 countries. While the total number of claims may appear high, Radware notes that the activity is "highly lopsided." Just three groups drove the volume: Keymous+ and DieNet (together accounting for nearly 15% of activity), alongside NoName057(16), which alone accounted for 25% of the total.
Geographic Distribution:
The Middle East was the primary theater, absorbing over 1,000 attacks, which accounted for 77.2% of global activity. Within the region, the concentration was as follows:
· Israel: 49%
· Kuwait: 25%
· Jordan: 20%
· Other Middle Eastern countries: 6%
Europe was the next most targeted region, receiving 22.8% of the global activity.
Attack Methods and Notable Groups:
Attack methods included DDoS, website defacements, and hack-and-leak operations. The initial attack was launched by Hider Nex (Tunisian Maskers Cyber Force). Other active groups mentioned in the reports include Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro. Pro-Russian groups such as Cardinal and Russian Legion also claimed breaches against Israeli networks.
A coalition of cybersecurity firms—including Radware, Orange Cyberdefense, Flashpoint, Palo Alto Networks Unit 42, and CloudSEK—has reported a wave of hacktivist attacks following the U.S.-Israel campaign against Iran.
The Statistics:
Between February 28 and March 4, researchers documented 1,000 DDoS attack claims targeting organizations across 16 countries. While the total number of claims may appear high, Radware notes that the activity is "highly lopsided." Just three groups drove the volume: Keymous+ and DieNet (together accounting for nearly 15% of activity), alongside NoName057(16), which alone accounted for 25% of the total.
Geographic Distribution:
The Middle East was the primary theater, absorbing over 1,000 attacks, which accounted for 77.2% of global activity. Within the region, the concentration was as follows:
· Israel: 49%
· Kuwait: 25%
· Jordan: 20%
· Other Middle Eastern countries: 6%
Europe was the next most targeted region, receiving 22.8% of the global activity.
Attack Methods and Notable Groups:
Attack methods included DDoS, website defacements, and hack-and-leak operations. The initial attack was launched by Hider Nex (Tunisian Maskers Cyber Force). Other active groups mentioned in the reports include Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro. Pro-Russian groups such as Cardinal and Russian Legion also claimed breaches against Israeli networks.
❤3
An attack group hacked the company "Haled."
The company "Haled," an Israeli company, is engaged in the transportation and delivery of fuels.
The company "Haled," an Israeli company, is engaged in the transportation and delivery of fuels.
Europol, in cooperation with other law enforcement agencies, is shutting down the leak site Leakbase.
2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks to Real-World Risk.
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine.
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Hackers Exploit Israel Camera Vulnerabilities to Surveil
Multiple hacking groups have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war began on February 28.
The countries targeted in these digital intrusions—Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon—are the same ones that have witnessed significant missile activity linked to hackers as part of an ongoing operation targeting Israel.
Compromised servers contained live CCTV feeds from Jerusalem, allowing the groups to surveil Tel Aviv, Haifa, and Jerusalem.
This recent camera targeting by several hackers serves as an early indicator of potential follow-on
The exploited vulnerabilities include:
· An improper authentication vulnerability in Hikvision IP camera firmware (CVE-2017-7921)
· A command injection vulnerability in the Hikvision web server component (CVE-2021-36260)
· An OS command injection vulnerability in the Hikvision Intercom Broadcasting System (CVE-2023-6895)
· An unauthenticated remote code execution vulnerability in the Hikvision Integrated Security Management Platform (CVE-2025-34067)
· An authentication bypass vulnerability in multiple Dahua products (CVE-2021-33044)
@TheGhostITM
Multiple hacking groups have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war began on February 28.
The countries targeted in these digital intrusions—Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon—are the same ones that have witnessed significant missile activity linked to hackers as part of an ongoing operation targeting Israel.
Compromised servers contained live CCTV feeds from Jerusalem, allowing the groups to surveil Tel Aviv, Haifa, and Jerusalem.
This recent camera targeting by several hackers serves as an early indicator of potential follow-on
The exploited vulnerabilities include:
· An improper authentication vulnerability in Hikvision IP camera firmware (CVE-2017-7921)
· A command injection vulnerability in the Hikvision web server component (CVE-2021-36260)
· An OS command injection vulnerability in the Hikvision Intercom Broadcasting System (CVE-2023-6895)
· An unauthenticated remote code execution vulnerability in the Hikvision Integrated Security Management Platform (CVE-2025-34067)
· An authentication bypass vulnerability in multiple Dahua products (CVE-2021-33044)
@TheGhostITM
ClickFix has moved to Windows Terminal.
Microsoft says victims are told to open wt.exe and paste a command from fake CAPTCHA pages.
That launches PowerShell, pulls payloads, and injects Lumma Stealer into Chrome and Edge to steal saved credentials.
Microsoft says victims are told to open wt.exe and paste a command from fake CAPTCHA pages.
That launches PowerShell, pulls payloads, and injects Lumma Stealer into Chrome and Edge to steal saved credentials.
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Forwarded from MAD GHOST
Israel ranks 1st among countries targeted by geopolitical cyberattacks in 2025 — report
Among the top three hacktivist groups targeting Israel in 2025 were the pro-Iran group Arabian Ghosts, followed by Black Ember, pro-Palestinian Mr Hamza, and pro-Russian group NoName057(16).
#OpIsraelTeam
Among the top three hacktivist groups targeting Israel in 2025 were the pro-Iran group Arabian Ghosts, followed by Black Ember, pro-Palestinian Mr Hamza, and pro-Russian group NoName057(16).
#OpIsraelTeam
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
The FBI reports that they are investigating a suspected cyber incident in the organization's networks.
According to the report, unauthorized access was detected to sensitive systems in the organization dealing with wiretapping and intelligence surveillance orders.
@TheGhostITM
According to the report, unauthorized access was detected to sensitive systems in the organization dealing with wiretapping and intelligence surveillance orders.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
MuddyWater Launches New Intrusion Campaign Using Custom “Dindoor” Backdoor
The group 'MuddyWater' has launched a new wave of intrusions targeting U.S. and allied networks, deploying a custom backdoor dubbed Dindoor as regional tensions continue to spill into cyberspace. The campaign has impacted a U.S. bank, a U.S. airport, a Canadian non-profit, and the Israeli operations of a software supplier serving the defense and aerospace sectors. Activity began in February and escalated through March.
Dindoor is notable for leveraging the Deno JavaScript runtime, providing operators with a flexible framework to execute cross‑platform JavaScript payloads on compromised systems. During the operation, the attackers attempted data exfiltration from the targeted software company using the Rclone utility to transfer files to a Wasabi cloud storage bucket. Additionally, they deployed Fakeset, a separate Python-based backdoor downloaded from Backblaze-hosted infrastructure and signed with a digital certificate previously linked to other MuddyWater malware families, including Stagecomp and Darkcomp.
This activity is part of a broader surge in pro‑Palestinian and Iranian cyber operations linked to the ongoing Middle East conflict. The hacktivist collective 'Handala Hack' has been abusing Starlink IP ranges to probe internet‑facing systems for misconfigurations and weak credentials.
The region’s evolving cyber ecosystem now operates as a sustained instrument of influence and capability, favoring repeatable access techniques—such as credential theft, password spraying, and social engineering—over the use of rare zero‑day exploits. Both APT groups and hacktivist collectives preparing for espionage and information operations toward more disruptive or destructive activities in the coming days.
@TheGhostITM
The group 'MuddyWater' has launched a new wave of intrusions targeting U.S. and allied networks, deploying a custom backdoor dubbed Dindoor as regional tensions continue to spill into cyberspace. The campaign has impacted a U.S. bank, a U.S. airport, a Canadian non-profit, and the Israeli operations of a software supplier serving the defense and aerospace sectors. Activity began in February and escalated through March.
Dindoor is notable for leveraging the Deno JavaScript runtime, providing operators with a flexible framework to execute cross‑platform JavaScript payloads on compromised systems. During the operation, the attackers attempted data exfiltration from the targeted software company using the Rclone utility to transfer files to a Wasabi cloud storage bucket. Additionally, they deployed Fakeset, a separate Python-based backdoor downloaded from Backblaze-hosted infrastructure and signed with a digital certificate previously linked to other MuddyWater malware families, including Stagecomp and Darkcomp.
This activity is part of a broader surge in pro‑Palestinian and Iranian cyber operations linked to the ongoing Middle East conflict. The hacktivist collective 'Handala Hack' has been abusing Starlink IP ranges to probe internet‑facing systems for misconfigurations and weak credentials.
The region’s evolving cyber ecosystem now operates as a sustained instrument of influence and capability, favoring repeatable access techniques—such as credential theft, password spraying, and social engineering—over the use of rare zero‑day exploits. Both APT groups and hacktivist collectives preparing for espionage and information operations toward more disruptive or destructive activities in the coming days.
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Void Manticore (aka Storm-0842), an APT specializing in destructive wiper attacks (BiBi wiper), data exfiltration, and RDP lateral movement, is active again.
@TheGhostITM
@TheGhostITM
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Iran just struck Microsoft data centers in the Gulf. Microsoft — whose Azure platform runs the operational backbone of NATO, the US Department of Defense, and every major Western financial institution that has expanded into the Gulf over the last five years.
This is categorically different from the AWS strikes earlier in the war.
Microsoft Azure is not simply a commercial cloud product. It is a defense-grade infrastructure platform operating under FedRAMP High and DoD Impact Level 5 and 6 authorizations, the highest security classifications available to a commercial provider. Azure GovCloud runs classified US government workloads. Azure for Operators runs 5G military communications infrastructure. The Gulf Azure availability zones, built under billions of dollars of sovereign cloud commitments to UAE, Saudi Arabia, and Qatar, sit at the intersection of commercial enterprise and military-adjacent operations in a way no other cloud platform does. When Iran fires missiles at Microsoft data centers in the Gulf, it is not attacking a commercial storage facility. It is attacking the digital connective tissue between American defense architecture and Gulf sovereign AI ambitions.
The mechanism Iran is applying across every domain of this war is now operating at the infrastructure layer of the global digital economy. Hormuz for maritime insurance. BAPCO and Ras Tanura for oil infrastructure insurance. Manama hotels for corporate presence insurance. AWS for basic cloud insurability. Microsoft for the tier of cloud infrastructure that carries defense-adjacent and government workloads. Each successive target has moved one layer deeper into the critical infrastructure stack.
Microsoft has not yet confirmed the extent of damage or the impact on service continuity. That silence is itself data. When AWS facilities were struck earlier in the war, the company posted status updates within hours. The Microsoft situation is being handled with a different communication posture, which is consistent with facilities that carry sovereign and defense-adjacent contractual obligations that restrict what can be publicly disclosed about operational status.
The Gulf was supposed to be the proving ground for the sovereign AI thesis. Every major hyperscaler made the bet simultaneously: Gulf governments want their data onshore, under their own regulatory frameworks, close to their own populations, contributing to their own AI capability development. Microsoft, Google, AWS, Oracle, all committed multi-billion dollar buildouts to that thesis in the last three years. The thesis assumed physical security. The thesis assumed the Gulf was a stable operating environment for long-term digital infrastructure. That assumption was always geopolitically contingent. It is now empirically falsified.
Every CTO and every procurement officer running a sovereign cloud negotiation anywhere in the world is looking at the Microsoft strike footage right now and running the same calculation: if the Gulf is a ballistic missile target range, where does the sovereign AI buildout go instead?
The American-aligned economic order made about the Gulf as a safe jurisdiction for permanent infrastructure.
The missiles hitting Microsoft data centers today are not attacking cloud storage. They are attacking the confidence interval on a decade of digital infrastructure investment.
@TheGhostITM
This is categorically different from the AWS strikes earlier in the war.
Microsoft Azure is not simply a commercial cloud product. It is a defense-grade infrastructure platform operating under FedRAMP High and DoD Impact Level 5 and 6 authorizations, the highest security classifications available to a commercial provider. Azure GovCloud runs classified US government workloads. Azure for Operators runs 5G military communications infrastructure. The Gulf Azure availability zones, built under billions of dollars of sovereign cloud commitments to UAE, Saudi Arabia, and Qatar, sit at the intersection of commercial enterprise and military-adjacent operations in a way no other cloud platform does. When Iran fires missiles at Microsoft data centers in the Gulf, it is not attacking a commercial storage facility. It is attacking the digital connective tissue between American defense architecture and Gulf sovereign AI ambitions.
The mechanism Iran is applying across every domain of this war is now operating at the infrastructure layer of the global digital economy. Hormuz for maritime insurance. BAPCO and Ras Tanura for oil infrastructure insurance. Manama hotels for corporate presence insurance. AWS for basic cloud insurability. Microsoft for the tier of cloud infrastructure that carries defense-adjacent and government workloads. Each successive target has moved one layer deeper into the critical infrastructure stack.
Microsoft has not yet confirmed the extent of damage or the impact on service continuity. That silence is itself data. When AWS facilities were struck earlier in the war, the company posted status updates within hours. The Microsoft situation is being handled with a different communication posture, which is consistent with facilities that carry sovereign and defense-adjacent contractual obligations that restrict what can be publicly disclosed about operational status.
The Gulf was supposed to be the proving ground for the sovereign AI thesis. Every major hyperscaler made the bet simultaneously: Gulf governments want their data onshore, under their own regulatory frameworks, close to their own populations, contributing to their own AI capability development. Microsoft, Google, AWS, Oracle, all committed multi-billion dollar buildouts to that thesis in the last three years. The thesis assumed physical security. The thesis assumed the Gulf was a stable operating environment for long-term digital infrastructure. That assumption was always geopolitically contingent. It is now empirically falsified.
Every CTO and every procurement officer running a sovereign cloud negotiation anywhere in the world is looking at the Microsoft strike footage right now and running the same calculation: if the Gulf is a ballistic missile target range, where does the sovereign AI buildout go instead?
The American-aligned economic order made about the Gulf as a safe jurisdiction for permanent infrastructure.
The missiles hitting Microsoft data centers today are not attacking cloud storage. They are attacking the confidence interval on a decade of digital infrastructure investment.
@TheGhostITM
Getting a Shell on the Tapo C260 Webcam (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653).
China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks.
Hackers are using fake Claude Code download pages to deploy a fileless infostealer via mshta.exe.
Forwarded from ᴛʜᴇ ɢʜᴏꜱᴛ ɪɴ ᴛʜᴇ ᴍᴀᴄʜɪɴᴇ
Hackers hit Israel's Shefa Berkat Hashem supermarket chain overnight, remotely triggering fridge defrosts. The supermarket chain "Shefa Berkat Hashem" is an Israeli kosher chain with branches in cities like Tel Aviv and other Israeli localities.
@TheGhostITM
@TheGhostITM
Bitdefender says Pakistan-aligned Transparent Tribe (APT36) is targeting Indian government entities with AI-generated malware.
The campaign spreads polyglot implants in Nim, Zig, and Crystal and hides C2 inside Slack, Supabase, and Google Sheets.
The campaign spreads polyglot implants in Nim, Zig, and Crystal and hides C2 inside Slack, Supabase, and Google Sheets.