Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
https://r3verii.github.io/cve/2026/02/27/nodejs-toctou.html
CyberSec Notes
Deep dive into a TOCTOU vulnerability in Node.js’s ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads.
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering
BlueVoyant
BlueVoyant's Security Operations Center (SOC) recently uncovered a new A0Backdoor delivered through Teams impersonation.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
blacksanta-edr-killer-threat-report.pdf
13.7 MB
BlackSanta EDR-Killer
A Silent Threat Targeting Recruitment Workflows. Aryaka Threat Labs has uncovered a sophisticated malware campaign:
The malware performs system reconnaissance and conducts environment checks to detect sandboxes, virtual machines, and debugging tools to evade analysis. A key component, BlackSanta, acts as an EDR-killer, disabling security solutions to ensure malicious payloads run undetected.
Once established, the malware communicates with command-and-control servers over encrypted HTTPS to exfiltrate sensitive data, demonstrating a persistent and highly sophisticated cyber threat.
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
https://iverify.io/blog/darksword-ios-exploit-kit-explained
iverify.io
Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.
How TeamPCP's supply chain attack evolved
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time:
https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
ReversingLabs
Inside the TeamPCP cascading supply chain attack | ReversingLabs
Operation NoVoice: Rootkit Tells No Tales
WhatsApp under attack *
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
McAfee Blog
Authored By: Ahmad Zubair Zahid McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The
SecuritySnack - OpenAI Anti-Ads Malware
This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store.
https://dti.domaintools.com/securitysnacks/securitysnack-openai-anti-ads-malware
Domaintools
DomainTools Investigations | SecuritySnack - OpenAI Anti-Ads Malware
Stay protected against the "ChatGPT Ad Blocker" malware. This investigation reveals how a malicious Chrome extension uses Discord webhooks to steal private ChatGPT conversations, prompts, and metadata.
MCPwn: A CVSS 9.8 One-Line MCP Bug That Hands Over Your Nginx to Anyone on the Network – Actively Exploited in the Wild
https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/
Unauthenticated MCP Endpoint Allows Remote Nginx Takeover PoC:
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
www.ietf.org
Internet Protocol Version 8 (IPv8)
Internet Protocol Version 8 (IPv8) is a managed network protocol
suite that transforms how networks of every scale -- from home
networks to the global internet -- are operated, secured, and
monitored. Every manageable element in an IPv8 network is
authorised…
FakeWallet crypto stealer spreading through iOS apps in the App Store
During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:
• MetaMask
• Ledger
• Trust Wallet
• Coinbase
• TokenPocket
• imToken
• Bitpie
https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
Rapid7
Securing the git push pipeline: Responding to a critical remote code execution vulnerability
https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
The GitHub Blog
How we validated, fixed, and investigated a critical vulnerability in under two hours, and confirmed no exploitation.
BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector
https://arcticwolf.com/resources/blog-uk/bluenoroff-uses-clickfix-fileless-powershell-ai-generated-fake-zoom-meetings-to-target-web3-sector/
Arctic Wolf
Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK’s Lazarus Group.
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise
https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
Microsoft News
Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker…
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Trojan that contains a dynamic infection chain with a heavy anti-analysis loading component that can deploy two embedded payloads (worm, banker). The observed infection chain bundles a malicious MSI installer inside a ZIP file. These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder..:
https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
PamDOORa: Analyzing a New Linux PAM-Based Backdoor for Sale on the Dark Web
https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web
Ping, Payload, PowerShell: Active Exploitation of CVE-2026-22679 in Weaver E-cology
https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/
Vega Blog
The Vega Threat Research team identified active exploitation of CVE-2026-22679, a critical unauthenticated RCE in Weaver E-cology, 14 days before public in-the-wild reporting. This report details real-world exploitation and post-compromise behavior.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps
..The malware’s primary command-and-control channel has been migrated onto The Open Network (TON) using .adnl endpoints routed through an embedded local TON proxy..:
https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
ThreatFabric
Perseus is a new Device Takeover (DTO) malware family that specifically looks for user-generated content stored in note taking applications.
AppSecFest 2026 - This Friday in Almaty, Farabi Hub
There will be experts, team leads, specialists, IT industry representatives, AppSec/DevSecOps practitioners, and security engineers.
+ An open CTF competition from the mimicats team, where you can try your skills on real infosec tasks (maximum practice, no theory)
+ Workshops with live discussion on AppSec, DevSecOps, engineering culture, processes, and even screw-ups
• Start: May 15, 09:00, Farabi Hub
All the speakers deserve attention, I know many of them personally; all the details are here: appsecfest.kz
Dead.Letter (CVE-2026-45185) How XBOW Found an Unauthenticated RCE on Exim
https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim