Cyber Security News (https://cybersecuritynews.com/category/cyber-security-news/), feed updated Fri, 21 Nov 2025 06:36:21 +0000

SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely
https://cybersecuritynews.com/sonicos-sslvpn-vulnerability-firewall-crash/ (Fri, 21 Nov 2025 06:36:13 +0000)

SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service that allows remote, unauthenticated attackers to crash firewalls, producing a denial of service.

The vulnerability was internally discovered and reported by SonicWall’s security team. The flaw, tracked as CVE-2025-40601, carries a CVSS score of 7.5 and affects multiple generations of SonicWall firewall products.

CVE ID: CVE-2025-40601
CWE: CWE-121 (stack-based buffer overflow)
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Understanding the Vulnerability

The vulnerability exists in the SSLVPN service component of SonicOS and stems from a stack-based buffer overflow weakness (CWE-121).

When exploited, an attacker can send specially crafted requests to the vulnerable SSLVPN interface without authentication, causing the affected firewall to crash and interrupting services.

SonicWall states that this vulnerability only impacts devices with the SSLVPN interface or service enabled on the firewall. Organizations that do not use this feature remain unaffected.

Currently, SonicWall PSIRT reports no active exploitation in the wild, and no proof-of-concept code has been publicly released.

Platform | Models | Affected Versions | Fixed Version
Gen7 Hardware Firewalls | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700-6700, NSsp 10700-15700 | 7.3.0-7012 and older | 7.3.1-7013 and higher
Gen7 Virtual Firewalls (NSv) | NSv270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure) | 7.3.0-7012 and older | 7.3.1-7013 and higher
Gen8 Firewalls | TZ80, TZ280, TZ380, TZ480, TZ580, TZ680, NSa 2800-5800 | 8.0.2-8011 and older | 8.0.3-8011 and higher

The vulnerability impacts both Gen7 and Gen8 SonicWall firewalls across hardware and virtual platforms.

Gen7 devices running firmware versions 7.3.0-7012 and older are vulnerable, while Gen8 firewalls with versions 8.0.2-8011 and earlier are affected. SonicWall Gen6 firewalls and SMA 1000/100 series SSL VPN products are not impacted.

SonicWall strongly urges organizations to update to the patched firmware versions immediately.

Until patches can be applied, administrators should restrict SSLVPN access to trusted source IP addresses only or disable the service from untrusted internet sources by modifying existing access rules.


Authorities Sanctioned Russia-based Bulletproof Hosting Provider for Supporting Ransomware Operations
https://cybersecuritynews.com/bulletproof-hosting-provider-sanctioned/ (Fri, 21 Nov 2025 06:26:50 +0000)

The U.S. Department of the Treasury, Australia, and the United Kingdom have announced coordinated sanctions against Media Land.

This Russia-based bulletproof hosting company provides infrastructure to ransomware and other cybercriminals.

The U.S. Federal Bureau of Investigation also coordinated the action targeting the company’s leadership team and related entities.

Bulletproof hosting providers offer specialized servers designed to help criminals hide their activities and avoid law enforcement.

These services give ransomware gangs, hackers, and other cybercriminals the infrastructure they need to launch attacks against businesses and critical infrastructure.

Media Land’s Criminal Operations

Media Land, headquartered in St. Petersburg, Russia, supplied hosting services to major ransomware groups, including LockBit, BlackSuit, and Play.

The company’s infrastructure was also used for distributed denial-of-service (DDoS) attacks targeting U.S. companies and critical systems. Company leadership played direct roles in the criminal operation.

Aleksandr Volosovik, Media Land’s general director, advertised the company’s services on cybercriminal forums under the alias “Yalishanda” and provided servers to ransomware actors.

Kirill Zatolokin, an employee, collected payments from customers and coordinated with other cyber actors. Yulia Pankova assisted Volosovik with legal matters and financial management.

The Treasury also designated Hypercore Ltd., a UK-registered company created by the Aeza Group after it was sanctioned in July 2025. Aeza attempted to rebrand and hide its connections to avoid sanctions.

Treasury officials designated new companies and individuals involved in the evasion effort, including directors Maksim Makarov and Ilya Zakirov. Related entities in Serbia and Uzbekistan were also targeted.

All property and assets belonging to the designated individuals and companies in the United States are now frozen.

U.S. persons and businesses are prohibited from conducting transactions with these entities. Financial institutions engaging with sanctioned parties risk enforcement actions.

The U.S. Treasury emphasized that these coordinated international actions demonstrate a commitment to preventing ransomware and protecting citizens from cybercrime.

The Cybersecurity and Infrastructure Security Agency released additional guidance on protecting against bulletproof hosting providers.


Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach
https://cybersecuritynews.com/salesforce-gainsight-breach/ (Fri, 21 Nov 2025 04:41:23 +0000)

Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.

The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.

In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.

Salesforce explicitly stated that this incident does not stem from a vulnerability within the Salesforce platform itself. Instead, it exploits the trust relationship between the platform and third-party integrations.

The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.

Salesforce Gainsight Breach

This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.

Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.

Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.

From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.

Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.

Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.

It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.

Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com: “This wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here.”

“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed”.


Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack
https://cybersecuritynews.com/oracle-breach-clop-ransomware/ (Fri, 21 Nov 2025 03:38:16 +0000)

The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant’s internal systems.

This development is part of a massive extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882.

The group, tracked as Graceful Spider, claims to have exfiltrated sensitive data from Oracle and dozens of its high-profile customers, marking a significant escalation in supply chain attacks reminiscent of the MOVEit incident.

The Zero-Day Exploit: CVE-2025-61882

The attack vector centers on a critical, unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite.

Security researchers indicate that Clop affiliates began exploiting this flaw as early as August 2025, months before Oracle released a patch in October 2025.

The exploit chain specifically targets the OA_HTML/SyncServlet endpoint to bypass authentication, followed by malicious XSLT template injection via OA_HTML/RF.jsp to execute arbitrary commands.

This “pre-auth” nature allowed attackers to compromise servers without valid credentials, granting them full control over sensitive ERP data.

CVE ID: CVE-2025-61882
Affected Product: Oracle E-Business Suite (versions 12.2.3 – 12.2.14)
Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
CVSS Score: 9.8 (Critical)
Exploit Vector: Authentication bypass via SyncServlet and XSLT injection
Patch Status: Patched (October 2025 Security Alert)
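The two endpoints named above, requested in that order by the same client, are the observable trace of the chain in an EBS web server's access log. The following Go program is an added detection example, not code from the article or from Oracle: it parses constructed Apache-style log lines (sample data, not real traffic), extracts requests to OA_HTML/SyncServlet and OA_HTML/RF.jsp, and flags any client that hits SyncServlet and subsequently RF.jsp. The log format, the IP addresses and the user agents are assumptions for the sample; adapt the regular expression to the log layout your EBS front end actually writes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in Apache combined-log style (not real traffic). The two
// 203.0.113.10 lines use the order the write-up describes: SyncServlet first, then RF.jsp.
const sampleLog = `203.0.113.10 - - [21/Nov/2025:03:10:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [21/Nov/2025:03:10:02 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 1024 "-" "python-requests/2.32"
198.51.100.7 - - [21/Nov/2025:03:11:45 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2025:03:12:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"`

// lineRe extracts client, timestamp, method, request target and status from one log line.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Hit is one request to an endpoint named in the exploit chain.
type Hit struct {
	Client, Timestamp, Method, Path, Status string
}

// ScanAccessLog returns every request whose path (query string ignored, case-insensitive)
// is one of the two endpoints the chain uses. Unparsable lines are skipped.
func ScanAccessLog(logText string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(logText, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		path := strings.ToLower(strings.SplitN(m[4], "?", 2)[0])
		if path == "/oa_html/syncservlet" || path == "/oa_html/rf.jsp" {
			hits = append(hits, Hit{Client: m[1], Timestamp: m[2], Method: m[3], Path: path, Status: m[5]})
		}
	}
	return hits
}

// FlagChains returns clients that hit SyncServlet and later RF.jsp, in that order. The
// ordered pair is a far stronger signal than either path alone; baseline it against
// normal EBS traffic before turning it into an alert.
func FlagChains(hits []Hit) []string {
	seenSync := map[string]bool{}
	flagged := map[string]bool{}
	var out []string
	for _, h := range hits {
		switch {
		case h.Path == "/oa_html/syncservlet":
			seenSync[h.Client] = true
		case h.Path == "/oa_html/rf.jsp" && seenSync[h.Client] && !flagged[h.Client]:
			flagged[h.Client] = true
			out = append(out, h.Client)
		}
	}
	return out
}

func main() {
	hits := ScanAccessLog(sampleLog)
	for _, h := range hits {
		fmt.Printf("%s %s %s %s %s\n", h.Timestamp, h.Client, h.Method, h.Path, h.Status)
	}
	fmt.Println("clients showing the SyncServlet -> RF.jsp sequence:", FlagChains(hits))
}
```

On the sample data, three requests match and only 203.0.113.10 is flagged: the second client touches RF.jsp without ever calling SyncServlet, which is why the sequence, not the individual path, is the thing to alert on.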

Extortion Campaign and High-Profile Victims

Evidence from Clop’s leak site displays a “PAGE CREATED” status for ORACLE.COM, appearing alongside major entities such as MAZDA.COM, HUMANA.COM, and the Washington Post.

The listing of Oracle Corporation itself suggests the vendor may have fallen victim to its own software flaw, potentially exposing internal corporate data.

Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening the release of financial and personal records if ransom demands are not met.


Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image
https://cybersecuritynews.com/critical-windows-graphics-vulnerability/ (Thu, 20 Nov 2025 16:26:58 +0000)

A critical remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to seize control of systems using specially crafted JPEG images.

With a CVSS score of 9.8, this vulnerability poses a severe threat to Windows users worldwide, as it requires no user interaction for exploitation.

Discovered in May 2025 and patched by Microsoft on August 12, 2025, the issue stems from an untrusted pointer dereference in the windowscodecs.dll library, affecting core image processing functions.

Attackers can embed the malicious JPEG in everyday files like Microsoft Office documents, enabling silent compromise when the file is opened or previewed.

This flaw highlights ongoing risks in legacy graphics handling, where seemingly innocuous image decoding can result in a complete system takeover. As Windows powers billions of devices, unpatched systems remain highly exposed to phishing campaigns or drive-by downloads.

Zscaler ThreatLabz identified the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on JPEG encoding and decoding paths in windowscodecs.dll.

The entry point for exploitation lies in the GpReadOnlyMemoryStream::InitFile function, where manipulated buffer sizes allow attackers to control memory snapshots during file mapping.

Fuzzing revealed a crash triggered by dereferencing an uninitialized pointer at jpeg_finish_compress+0xcc, exposing user-controllable data via heap spraying.

Stack traces from WinDbg analysis pointed to key functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming the flaw in JPEG metadata encoding processes.

This uninitialized resource issue enables arbitrary code execution without privileges, making it exploitable over networks. Microsoft confirmed the vulnerability affects automatic image rendering in applications reliant on the Graphics Component.

Affected Versions and Patching

The vulnerability impacts recent Windows releases, particularly those using vulnerable builds of windowscodecs.dll. Organizations must prioritize updates to mitigate risks, as exploitation could chain with other attacks for lateral movement in networks.

Product | Impacted Version | Patched Version
Windows Server 2025 | 10.0.26100.4851 | 10.0.26100.4946
Windows 11 Version 24H2 (x64) | 10.0.26100.4851 | 10.0.26100.4946
Windows 11 Version 24H2 (ARM64) | 10.0.26100.4851 | 10.0.26100.4946
Windows Server 2025 (Core) | 10.0.26100.4851 | 10.0.26100.4946

Exploitation Mechanics and Proof-of-Concept

Exploiting CVE-2025-50165 involves crafting a JPEG that triggers the pointer dereference during decoding, often via embedded files in Office or third-party apps.

For 64-bit systems, attackers bypass Control Flow Guard using Return-Oriented Programming (ROP) chains in sprayed heap chunks of size 0x3ef7. This pivots execution by creating read-write-execute memory with VirtualAlloc and loading shellcode for persistent access.

Windows Graphics Vulnerability Exploit

Zscaler’s proof-of-concept demonstrates heap manipulation through an example app that allocates, frees, and processes Base64-encoded JPEGs, achieving RIP control.

While no in-the-wild exploits have been reported, the low complexity and wide network reach make it a prime target for ransomware or espionage. CFG is disabled by default in 32-bit versions, easing attacks on older setups.

Users should immediately apply the August 2025 Patch Tuesday updates via Windows Update, targeting high-value assets first. Disable automatic image previews in email clients and enforce sandboxing for untrusted files. Zscaler has implemented cloud-based protections to block exploit attempts.

This incident underscores the perils of unpatched graphics libraries in enterprise environments, where JPEGs are ubiquitous in workflows.

As threat actors evolve tactics, timely patching remains the strongest defense against such pixel-perfect poisons. With no observed active exploitation yet, proactive measures can prevent widespread damage.


Tsundere Botnet Abusing Popular Node.js and Cryptocurrency Packages to Attack Windows, Linux, and macOS Users
https://cybersecuritynews.com/tsundere-botnet-abusing-popular-node-js-and-cryptocurrency-packages/ (Thu, 20 Nov 2025 14:29:05 +0000)

Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems.

First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks.

The threat originates from activity first observed in October 2024, where attackers created 287 malicious npm packages using typosquatting—mimicking the names of popular libraries like Puppeteer and Bignum.js to deceive developers into installation.

The infection vector has evolved considerably since then. Tsundere spreads through multiple pathways, including Remote Monitoring and Management tools and disguised game installers that capitalize on piracy communities.

Samples discovered in the wild bear names like “valorant,” “cs2,” and “r6x,” specifically targeting first-person shooter enthusiasts.

Smart contract containing the Tsundere botnet WebSocket C2 (Source - Securelist)

This approach proves highly effective at evading traditional security awareness since users expect these applications anyway.

The botnet particularly threatens Windows users, though the initial campaign exposed systems across Windows, Linux, and macOS platforms when it operated through npm package deployment.

The infrastructure behind Tsundere reveals a sophisticated understanding of modern attack methods. Rather than relying on traditional centralized command-and-control infrastructure, the botnet utilizes Ethereum blockchain smart contracts to store and retrieve C2 addresses.

Tsundere communication process with the C2 via WebSockets (Source - Securelist)

This approach adds resilience by making servers difficult to take down through conventional means. The threat actor, identified as koneko—a Russian-speaking operative—operates a professional marketplace where other cybercriminals can purchase botnet services or deploy their own functionality.

Securelist security analysts identified the malware after discovering connections between the current campaign and earlier supply chain attacks.

Their investigation revealed that the threat actor has since resurfaced with enhanced capabilities, launching Tsundere as an evolution of previous malware efforts.

Tsundere botnet panel login (Source - Securelist)

The panel supports both MSI installer and PowerShell script delivery mechanisms, giving attackers flexibility in deployment strategies across different network environments and defenses.

How Tsundere Maintains Persistence Through Node.js Abuse

The infection mechanism begins when an MSI installer or PowerShell script executes on the victim’s system, dropping legitimate Node.js runtime files into AppData alongside malicious JavaScript.

The setup uses a hidden PowerShell command that spawns a Node.js process executing obfuscated loader code.

This loader script decrypts the main bot using AES-256-CBC encryption before establishing the botnet environment. The bot automatically installs three critical npm packages: ws for WebSocket communication, ethers for Ethereum blockchain interaction, and pm2 for process persistence.

The pm2 package plays a crucial role in maintaining presence on compromised machines. It creates registry entries that ensure the bot restarts automatically whenever a user logs in, achieving effective persistence.

The bot then queries Ethereum blockchain nodes through public RPC providers, retrieving the current C2 server address from a smart contract variable.

This clever approach means defenders cannot simply block a known IP address—the attackers rotate C2 infrastructure at will through blockchain transactions, rendering traditional IP-based blocking ineffective.

Once connected, the bot establishes encrypted communication and awaits commands from operators, which arrive as dynamic JavaScript code for execution.


Sturnus Banking Malware Steals Communications from Signal and WhatsApp, Gaining Full Control of The Device
https://cybersecuritynews.com/sturnus-banking-malware-steals-communications-from-signal-and-whatsapp/ (Thu, 20 Nov 2025 14:18:17 +0000)

A new banking malware called Sturnus has emerged as a significant threat to mobile users across Europe.

Security researchers have discovered that this sophisticated Android trojan can capture encrypted messages from popular messaging apps like WhatsApp, Telegram, and Signal by accessing content directly from the device screen after decryption.

The malware’s ability to monitor these communications marks a serious advancement in mobile banking threats, combining credential theft with extensive remote access capabilities.

The malware operates by harvesting banking credentials through convincing fake login screens that perfectly replicate legitimate banking applications.

What makes Sturnus particularly dangerous is its capacity to provide attackers with full device takeover, allowing them to observe all user activity without physical interaction.

Attackers can inject text messages, intercept communications, and even black out the device screen while conducting fraudulent transactions in the background, leaving victims completely unaware of the theft occurring on their compromised devices.

Threat Fabric security analysts identified Sturnus as a privately operated trojan currently in its early testing phase, with targeted campaigns already configured against financial institutions across Southern and Central Europe.

Although the malware remains in limited deployment, researchers emphasize that Sturnus is fully functional and more advanced than several established malware families in certain aspects, particularly regarding its communication protocol and device support capabilities.

Early stages (Source - Threat Fabric)

This combination of sophisticated features and targeted geographic focus suggests attackers are refining their tools before launching broader operations.

The current threat landscape indicates that Sturnus.A operates with region-specific targeting, using tailored overlay templates designed for Southern and Central European victims.

The malware’s operators demonstrate clear focus on compromising secure messaging platforms, testing the trojan’s ability to capture sensitive communications across different environments.

The relatively few samples detected so far, combined with short intermittent campaigns rather than sustained large-scale activity, indicate the operation remains in evaluation and tuning phases.

Understanding the Communication Protocol

The malware’s complex communication structure inspired its name, drawing parallels to the Sturnus vulgaris bird, whose rapid and irregular chatter jumps between whistles, clicks, and imitations.

Sturnus mirrors this chaotic pattern through its layered mix of plaintext, RSA, and AES communications that switch unpredictably between simple and complex messages.

Capabilities (Source - Threat Fabric)

The malware establishes a connection with its command-and-control server using both WebSocket (WSS) and HTTP channels, transmitting a combination of encrypted and plaintext data primarily over WebSocket connections.

The technical handshake begins with an HTTP POST request where the malware registers the device using a placeholder payload. The server responds with a UUID client identifier and an RSA public key.

The malware then generates a 256-bit AES key locally, encrypts it using RSA/ECB/OAEPWithSHA-1AndMGF1Padding, and transmits the encrypted key back while storing the plaintext AES key on the device in Base64 format.

Once key exchange completes, all subsequent communication receives protection through AES/CBC/PKCS5Padding with a 256-bit encryption key.

The trojan generates fresh 16-byte initialization vectors for each message, prepends them to encrypted payloads, and wraps results in custom binary protocols containing message type headers, message length data, and client UUIDs.

This sophisticated encryption scheme demonstrates the developers’ expertise in secure communications while maintaining malicious functionality.
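The handshake and message format described above are what an analyst needs to reconstruct in order to read captured traffic once the AES key has been pulled from an infected device (the write-up notes it is stored there in Base64). The Go program below is an added example, not code from ThreatFabric or from the malware: it implements the RSA-OAEP (SHA-1, MGF1) wrapping of the 256-bit session key, AES/CBC/PKCS5Padding with a fresh 16-byte IV prepended to each ciphertext, and a decoder for the binary envelope. The exact envelope layout (type byte, big-endian length, 16-byte client UUID, then payload) is an assumption, since the article names the fields but not their order or widths; the sample command and the fixed key in main are constructed, not real traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is the ASSUMED envelope: type(1) | payload length(4, big-endian) | client UUID(16) |
// payload, where payload = IV(16) || AES-CBC ciphertext. The write-up names the fields only.
type Frame struct {
	Type       byte
	ClientUUID [16]byte
	Payload    []byte
}

// WrapSessionKey is the client side of the key exchange: the fresh AES-256 key is encrypted
// under the server RSA key with OAEP(SHA-1, MGF1), i.e. Java's RSA/ECB/OAEPWithSHA-1AndMGF1Padding.
func WrapSessionKey(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, aesKey, nil)
}

// UnwrapSessionKey is the server side; the same 32 bytes also sit Base64-encoded on the device.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil)
}

// Seal applies AES/CBC/PKCS5Padding with a fresh 16-byte IV and prepends the IV to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Open reverses Seal; malformed lengths or padding (e.g. a wrong key) give an error, not garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// EncodeFrame builds the envelope around an already sealed payload.
func EncodeFrame(f Frame) []byte {
	buf := make([]byte, 21+len(f.Payload))
	buf[0] = f.Type
	binary.BigEndian.PutUint32(buf[1:5], uint32(len(f.Payload)))
	copy(buf[5:21], f.ClientUUID[:])
	copy(buf[21:], f.Payload)
	return buf
}

// DecodeFrame parses a captured envelope, refusing frames whose length field disagrees.
func DecodeFrame(raw []byte) (Frame, error) {
	var f Frame
	if len(raw) < 21 || binary.BigEndian.Uint32(raw[1:5]) != uint32(len(raw)-21) {
		return f, errors.New("short frame or length field mismatch")
	}
	f.Type = raw[0]
	copy(f.ClientUUID[:], raw[5:21])
	f.Payload = raw[21:]
	return f, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)             // stand-in for the key recovered from a device
	sealed, _ := Seal(key, []byte(`{"cmd":"ping"}`)) // constructed sample, not real traffic
	f, _ := DecodeFrame(EncodeFrame(Frame{Type: 2, Payload: sealed}))
	body, err := Open(key, f.Payload)
	fmt.Println(f.Type, string(body), err)
}
```

Two design points carry over to real analysis: the IV is read from the first 16 bytes of the payload rather than from any side channel, exactly as the bot prepends it, and Open rejects bad padding instead of returning bytes, so a wrong or rotated key shows up as an error rather than as plausible-looking binary.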


Samourai Wallet Cryptocurrency Mixing Founders Jailed for Laundering Over $237 Million
https://cybersecuritynews.com/samourai-wallet-cryptocurrency-mixing-founders-jailed/ (Thu, 20 Nov 2025 14:06:56 +0000)

The U.S. Attorney’s Office, Southern District of New York, has announced the sentencing of Keonne Rodriguez and William Lonergan Hill, co-founders of Samourai Wallet, a cryptocurrency mixing application designed specifically to hide illegal financial transactions.

Rodriguez, who served as the Chief Executive Officer, received a five-year prison sentence on November 6, 2025, while Hill, the Chief Technology Officer, was sentenced to four years on November 19, 2025.

Their criminal enterprise facilitated the laundering of over $237 million in illicit funds through their mobile application platform.

Starting around 2015, Rodriguez and Hill developed Samourai with the explicit purpose of concealing criminal proceeds.

The application’s architecture centered on two core services built specifically to obstruct law enforcement investigations and prevent financial tracing.

Over 80,000 Bitcoin, valued at more than $2 billion at the time, flowed through their services, generating approximately $6 million in fees for the operators.

According to the U.S. Attorney’s Office for the Southern District of New York, the criminal proceeds originated from multiple sources, including drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and child pornography operations.

How Samourai’s Technical Infrastructure Enabled Money Laundering

The mixing service functioned through two primary obfuscation mechanisms. The first, known as “Whirlpool,” pooled coins from groups of users into joint (CoinJoin-style) transactions with equal-value outputs, scrambling the link between inputs and outputs in the blockchain record and making fund origins very difficult for law enforcement and cryptocurrency exchanges to trace.

The second service, called “Ricochet,” inserted unnecessary intermediate transactions referred to as “hops” between sending and receiving addresses, significantly complicating the ability of monitoring entities to establish connections between transfers and criminal activities.
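
To make the two mechanisms concrete, here is an added Python example (not code from the article, the court filings or Samourai) that traces a tainted coin forward through a constructed UTXO ledger. Ricochet-style hops are modelled as one-in/one-out transactions, and a Whirlpool-style mix as a transaction with several inputs and equal-denomination outputs, which is the structure the tracer treats as a CoinJoin. All transaction ids, addresses and amounts are made up.

```python
"""Forward-trace a tainted coin through a toy UTXO ledger. Added example,
not code from the article, the court filings or Samourai. All transaction
ids, addresses and amounts below are constructed."""
from collections import defaultdict

# txid -> {"in": [outpoints spent], "out": [(address, amount)]}; an outpoint is (txid, output index)
LEDGER = {
    "tx0":   {"in": [],            "out": [("hack_proceeds", 0.520)]},  # where the trace starts
    "hop1":  {"in": [("tx0", 0)],  "out": [("ricochet_a", 0.519)]},    # Ricochet: one-in/one-out hops
    "hop2":  {"in": [("hop1", 0)], "out": [("ricochet_b", 0.518)]},
    "hop3":  {"in": [("hop2", 0)], "out": [("ricochet_c", 0.517)]},
    "fund1": {"in": [],            "out": [("user1", 0.510)]},         # other mix participants
    "fund2": {"in": [],            "out": [("user2", 0.505)]},
    "fund3": {"in": [],            "out": [("user3", 0.512)]},
    "fund4": {"in": [],            "out": [("user4", 0.508)]},
    # Whirlpool-style mix: five inputs, five outputs of one fixed denomination
    "mix1":  {"in": [("hop3", 0), ("fund1", 0), ("fund2", 0), ("fund3", 0), ("fund4", 0)],
              "out": [("mix_out_%d" % i, 0.500) for i in range(5)]},
}


def spend_index(ledger):
    """Map each outpoint to the transaction that spends it."""
    return {op: txid for txid, tx in ledger.items() for op in tx["in"]}


def is_equal_output_coinjoin(tx, min_participants=3):
    """Heuristic: several inputs and several outputs of exactly one amount."""
    amounts = {amount for _, amount in tx["out"]}
    return (len(tx["in"]) >= min_participants
            and len(tx["out"]) >= min_participants
            and len(amounts) == 1)


def trace(ledger, start):
    """Follow `start` forward until every branch reaches an unspent output.
    Returns ({unspent outpoint: probability it holds the traced coin}, [txids visited])."""
    spent_by = spend_index(ledger)
    frontier, unspent, visited = {start: 1.0}, defaultdict(float), []
    while frontier:
        nxt = defaultdict(float)
        for op, p in frontier.items():
            txid = spent_by.get(op)
            if txid is None:
                unspent[op] += p
                continue
            tx = ledger[txid]
            if txid not in visited:
                visited.append(txid)
            if is_equal_output_coinjoin(tx):
                # the coin left through exactly one equal output, and the chain does not say which
                for i in range(len(tx["out"])):
                    nxt[(txid, i)] += p / len(tx["out"])
            else:
                # ordinary spend (or a hop): apportion by value; a single output gets it all
                total = sum(amount for _, amount in tx["out"])
                for i, (_, amount) in enumerate(tx["out"]):
                    nxt[(txid, i)] += p * amount / total
        frontier = nxt
    return dict(unspent), visited


def by_address(ledger, probs):
    """Re-key trace results by receiving address for reporting."""
    return {ledger[txid]["out"][i][0]: p for (txid, i), p in probs.items()}


if __name__ == "__main__":
    probs, visited = trace(LEDGER, ("tx0", 0))
    print("transactions traversed:", " -> ".join(visited))
    for addr, p in sorted(by_address(LEDGER, probs).items()):
        print(f"{addr:12s} {p:.2f}")
```

Run as is: the hops alone leave the trace at probability 1.0 on a single output, three transactions from the source, so Ricochet only makes the path longer. After the mix, each of the five equal outputs carries probability 0.2, and an investigator has to bring in other evidence (timing, amounts, address reuse, exchange KYC records) to go further. That difference is why the two services are described separately in the charges.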

Beyond the technical infrastructure, Rodriguez and Hill actively promoted their service to criminal communities.

Hill marketed Samourai on Dread, a darknet forum, explicitly recommending Whirlpool as the optimal method to “clean dirty BTC.”

Similarly, in July 2020 Rodriguez used Twitter to encourage the hackers behind a breach of a social media platform to route their stolen proceeds through Samourai’s Whirlpool service, demonstrating direct knowledge of, and intent to facilitate, criminal activity.

The sentencing reflects the serious consequences of operating money laundering services, regardless of the technology employed, signaling law enforcement’s commitment to pursuing cryptocurrency-based financial crime.

New Ransomware Variants Targeting Amazon S3 Services Leveraging Misconfigurations and Access Controls https://cybersecuritynews.com/new-ransomware-variants-targeting-amazon-s3-services/ Thu, 20 Nov 2025 13:43:38 +0000 https://cybersecuritynews.com/?p=133905 A new wave of ransomware attacks is targeting cloud storage environments, specifically focusing on Amazon Simple Storage Service (S3) buckets that contain critical business data. Unlike traditional ransomware that encrypts files using malicious software, these attacks exploit weak access controls and configuration mistakes in cloud environments to lock organizations out of their own data. As […]

The post New Ransomware Variants Targeting Amazon S3 Services Leveraging Misconfigurations and Access Controls appeared first on Cyber Security News.

A new wave of ransomware attacks is targeting cloud storage environments, specifically focusing on Amazon Simple Storage Service (S3) buckets that contain critical business data.

Unlike traditional ransomware that encrypts files using malicious software, these attacks exploit weak access controls and configuration mistakes in cloud environments to lock organizations out of their own data.

As more businesses move their operations to the cloud, attackers are adapting their methods, shifting away from on-premises systems to cloud-based resources where valuable information is stored.

These attacks can result in complete data loss, operational disruptions, and significant financial damage if organizations lack proper backup and recovery systems.

The threat actors behind these campaigns gain unauthorized access through stolen credentials, leaked access keys found in public code repositories, or compromised AWS accounts with excessive permissions.

Once inside, they identify vulnerable S3 buckets by checking for specific weaknesses such as disabled versioning, missing Object Lock protection, and overly broad write permissions.

The attackers then re-encrypt the data with keys the victim does not control, delete the original objects, or exfiltrate sensitive information before demanding ransom payments.

What makes these attacks particularly dangerous is their ability to use native cloud features to conduct malicious activities while remaining hidden from traditional security monitoring tools.

Trend Micro security researchers identified five distinct ransomware variants that specifically target S3 storage environments, each using different attack methods to achieve data encryption or deletion.

These variants range from using customer-managed KMS keys that are then scheduled for deletion, to server-side encryption with customer-provided keys (SSE-C) that AWS never stores and therefore cannot recover.

The researchers documented both observed attack techniques used in real-world incidents and potential future attack vectors that organizations should prepare to defend against.

Their analysis provides detailed technical breakdowns of how each variant operates and what security measures can prevent these attacks.

Attack Mechanism and Technical Execution

The Server-Side Encryption with Customer-Provided Keys (SSE-C) variant represents one of the most dangerous attack methods because it creates permanently unrecoverable encrypted data.

In this approach, threat actors first gain write-level access to victim S3 buckets through compromised credentials, for example IAM access keys leaked in public GitHub repositories.

After identifying target buckets without proper protections, attackers re-upload each object with their own locally held AES-256 key, supplied on every request either through the SSE-C request headers (x-amz-server-side-encryption-customer-algorithm, -key and -key-MD5) or the equivalent AWS CLI options.

The critical aspect of this technique is that AWS uses the attacker’s encryption key to secure the data but never stores the actual key in its systems.

AWS never stores the key itself; S3 keeps only a randomly salted HMAC of it to validate later requests for the object, and that HMAC is all that remains on the AWS side, including in CloudTrail. It cannot be reversed or used to decrypt the data.

This means neither the victim organization nor AWS support teams can recover the encrypted information once the attacker completes the encryption process.

After encrypting all target files, the attackers deposit ransom notes in the affected buckets, typically naming them “ransom-note.txt” or similar variations, which contain instructions for payment and communication.

Variant 1 attack flow (Source – Trend Micro)

The entire attack can be executed rapidly, and because the encryption key exists only on the attacker’s systems, victims face a permanent lockout unless they pay the ransom or have separate backup copies stored securely.

Configuration settings (Source – Trend Micro)

Organizations can block this variant outright with a policy condition rather than relying on detection alone: a bucket policy, or an organization-wide resource control policy, that denies s3:PutObject whenever the request carries the customer-provided-key headers (condition key s3:x-amz-server-side-encryption-customer-algorithm).

Security teams should also monitor CloudTrail S3 data events for SSE-C writes, which an application that relies on SSE-S3 or SSE-KMS never generates. Note that CloudTrail records PutObject only when S3 data events are enabled for the bucket, so that logging has to be switched on before any such alert can fire.
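
As an added example (mine, not Trend Micro’s or AWS’s code), the Python below packages the two controls just described: a Deny statement keyed on s3:x-amz-server-side-encryption-customer-algorithm with a minimal evaluator that shows which PutObject requests it blocks, and a scanner over CloudTrail S3 data events that flags SSE-C writes and ransom-note drops. The bucket name, principals and CloudTrail records are constructed, and the record field names (header keys under requestParameters, additionalEventData.SSEApplied) follow the S3 data-event format as I understand it, which is an assumption to verify against your own trail.

```python
"""Deny-SSE-C policy, a tiny evaluator for it, and a CloudTrail scanner for the
SSE-C ransomware pattern. Added example, not Trend Micro's or AWS's code.
Bucket name, principals and trail records are constructed; the record layout
is assumed to match CloudTrail S3 data events."""
import re
from collections import Counter

SSEC_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# Bucket-policy form. The same statement with Resource "*" works as an
# organization-wide resource control policy. "example-bucket" is a placeholder.
DENY_SSEC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCustomerProvidedKeys",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        # Null=false matches when the key IS present, i.e. the request used SSE-C
        "Condition": {"Null": {SSEC_ALGO_KEY: "false"}},
    }],
}


def request_denied(policy, action, headers):
    """Evaluate only Deny statements with Null conditions, which is all the policy
    above uses. Request header names map to s3:<header> condition keys."""
    ctx = {"s3:" + h.lower(): v for h, v in headers.items()}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        null_conds = st.get("Condition", {}).get("Null", {})
        # Null: {key: "false"} -> key must exist; Null: {key: "true"} -> key must be absent
        if all((key in ctx) == (val == "false") for key, val in null_conds.items()):
            return True
    return False


# Constructed CloudTrail S3 data events, trimmed to the fields used here
ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"
SAMPLE_TRAIL = [
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.pdf",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "exports/customers.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "ransom-note.txt"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/web-app"},
     "requestParameters": {"bucketName": "example-bucket", "key": "images/logo.png",
                           "x-amz-server-side-encryption": "AES256"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "DeleteObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.pdf"}},
]

# Starting heuristic for note file names; tune against your own object naming
RANSOM_NOTE_RE = re.compile(r"(ransom|readme|decrypt|recover).*\.txt$", re.I)


def scan_trail(records):
    """Return (findings, SSE-C writes per principal). A burst of SSE-C PutObject
    calls from one identity followed by a note file is the pattern to page on."""
    findings, ssec_by_actor = [], Counter()
    for r in records:
        if r["eventName"] != "PutObject":
            continue
        params = r.get("requestParameters", {})
        extra = r.get("additionalEventData", {})
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        key = params.get("key", "")
        used_ssec = ("x-amz-server-side-encryption-customer-algorithm" in params
                     or extra.get("SSEApplied") == "SSE_C")
        if used_ssec:
            ssec_by_actor[actor] += 1
            findings.append(("sse-c write", actor, key))
        if RANSOM_NOTE_RE.search(key):
            findings.append(("possible ransom note", actor, key))
    return findings, ssec_by_actor


if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_TRAIL)[0]:
        print(*finding)
```

The evaluator handles only Deny statements with Null conditions, which is enough to reason about this one statement; it is not a substitute for the IAM policy simulator. With the policy in place the two SSE-C writes in the sample trail would have been refused before they happened; without it, the scanner is what tells you they did.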

TamperedChef Hacking Campaign Leverages Common Apps to Deliver Payloads and Gain Remote Access https://cybersecuritynews.com/tamperedchef-hacking-campaign-leverages-common-apps/ Thu, 20 Nov 2025 13:35:19 +0000 https://cybersecuritynews.com/?p=133906 A new global hacking campaign tracked as TamperedChef has emerged, exploiting everyday software names to trick users into installing malicious applications that deliver remote access tools. The campaign uses fake installers disguised as common programs like manual readers, PDF editors, and games, all equipped with valid code-signing certificates to appear legitimate. These applications are distributed […]

The post TamperedChef Hacking Campaign Leverages Common Apps to Deliver Payloads and Gain Remote Access appeared first on Cyber Security News.

A new global hacking campaign tracked as TamperedChef has emerged, exploiting everyday software names to trick users into installing malicious applications that deliver remote access tools.

The campaign uses fake installers disguised as common programs like manual readers, PDF editors, and games, all equipped with valid code-signing certificates to appear legitimate.

These applications are distributed through malvertising and search engine optimization techniques, making them easily discoverable by unsuspecting users searching for everyday tools or product manuals online.

The attackers behind TamperedChef have built an industrial-scale operation using a network of U.S.-registered shell companies to acquire Extended Validation certificates.

These disposable fronts allow the threat actors to sign their fake applications with trusted certificates, which helps them bypass security defenses and gain user trust.

Once a certificate is flagged or revoked, operators quickly register new shell companies under generic names like “Digital Marketing” to maintain continuous operations and keep their malicious software appearing legitimate.

Acronis security researchers identified the campaign in June 2025, though evidence suggests earlier activity. The operation primarily affects victims in the Americas, with roughly 80 percent concentrated in the United States, though the global infrastructure indicates a broad reach rather than targeted regional focus.

Healthcare, construction, and manufacturing sectors show the highest concentration of infections, likely because users in these industries frequently search online for specialized equipment manuals, one of the behaviors TamperedChef exploits.

Bing search results leading to a TamperedChef-controlled download site (Source – Acronis)

The malware’s attack chain begins when users download fake applications from malicious websites that appear in search results or advertisements.

After installation, these applications drop an XML configuration file used to create a scheduled task for persistence. This task executes a heavily obfuscated JavaScript payload that functions as a backdoor, establishing communication with command-and-control servers over HTTPS.

The JavaScript payload XOR-encodes outbound data with a random 16-byte key and base64-encodes the result before transmission; this is lightweight obfuscation rather than real encryption, but it is enough to defeat naive content inspection.

Infection Chain and Persistence Mechanism

The TamperedChef infection process follows a multi-stage execution chain designed to evade detection while maintaining persistent access.

When users execute the downloaded installer, they encounter a standard license agreement window that mimics legitimate software installation.

During installation, the malware places a file named “task.xml” either in the installer’s temporary directory or the program installation directory at %APPDATA%\Programs\[Fake Application Name].

Execution chain (Source – Acronis)

This XML file serves as the configuration for creating a scheduled task using the command: schtasks /Create /tn "Scheduled Daily Task" /xml "%APPDATA%\Local\Programs\AnyProductManual\task.xml".

The task executes immediately after creation and repeats every 24 hours with a random delay of up to 30 minutes.

This configuration allows extended runtimes, blocks multiple simultaneous instances, and automatically runs any missed schedules, ensuring the JavaScript payload executes consistently without raising suspicion.
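
An added triage example (not Acronis’s code, and not a sample from the campaign): it parses a Task Scheduler XML definition and lists the traits described above, then checks a process command line for schtasks registering an XML file from the user profile. The task XML is constructed to match the reported behaviour using the standard Task Scheduler schema; the file, task and product names are placeholders.

```python
"""Triage helpers for the TamperedChef persistence step. Added example, not
Acronis's code or a campaign artefact. The XML samples are constructed to
match the behaviour described in the report; names are placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PROFILE_PATH_RE = re.compile(r"%(LOCAL)?APPDATA%|\\AppData\\", re.I)
SCRIPT_HOST_RE = re.compile(r"(wscript|cscript|mshta|powershell|node)(\.exe)?$", re.I)
SCHTASKS_XML_RE = re.compile(r'schtasks(\.exe)?\s+/create\b.*?/xml\s+"?([^"\s]+\.xml)"?', re.I)

SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Scheduled Daily Task</Description></RegistrationInfo>
  <Triggers>
    <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
    <CalendarTrigger>
      <StartBoundary>2025-06-01T09:00:00</StartBoundary>
      <RandomDelay>PT30M</RandomDelay>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:jscript "%LOCALAPPDATA%\Programs\AnyProductManual\app.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Backup\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""


def _text(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def analyze_task_xml(xml_text):
    """List the campaign-like traits present in a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    command = _text(root, ".//t:Actions/t:Exec/t:Command")
    args = _text(root, ".//t:Actions/t:Exec/t:Arguments")
    if SCRIPT_HOST_RE.search(command) and re.search(r"\.jse?\b", args, re.I):
        findings.append("script host runs a .js payload")
    if PROFILE_PATH_RE.search(args):
        findings.append("payload lives under the user profile (AppData)")
    if root.find(".//t:Triggers/t:RegistrationTrigger", NS) is not None:
        findings.append("runs immediately on registration")
    if _text(root, ".//t:CalendarTrigger/t:RandomDelay"):
        findings.append("calendar trigger with random delay")
    if _text(root, ".//t:Settings/t:StartWhenAvailable").lower() == "true":
        findings.append("runs missed schedules (StartWhenAvailable)")
    if _text(root, ".//t:Settings/t:MultipleInstancesPolicy") == "IgnoreNew":
        findings.append("blocks parallel instances (IgnoreNew)")
    if _text(root, ".//t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no execution time limit")
    return findings


def is_tamperedchef_like(findings):
    """A script-host action plus at least three scheduling traits is worth a ticket."""
    return any(f.startswith("script host") for f in findings) and len(findings) >= 4


def schtasks_registers_xml_from_profile(cmdline):
    """True for 'schtasks /Create ... /xml <path>' where the XML sits under AppData."""
    m = SCHTASKS_XML_RE.search(cmdline)
    return bool(m) and PROFILE_PATH_RE.search(m.group(2)) is not None


if __name__ == "__main__":
    for trait in analyze_task_xml(SUSPICIOUS_TASK_XML):
        print("-", trait)
```

Feed analyze_task_xml the contents of any task.xml found in a temp or Programs directory, or the XML exported with schtasks /Query /XML for tasks whose names look generic; feed schtasks_registers_xml_from_profile the command lines from process-creation telemetry (Sysmon event 1 or Windows event 4688). Neither check alone is conclusive, which is why the scoring asks for the script-host action plus several of the scheduling traits together.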

The JavaScript payload itself is heavily obfuscated using tools from obfuscator.io, applying multiple techniques including string and function renaming, control flow flattening, and dead code injection.

Once executed, the malware establishes communication with hard-coded command-and-control servers whose names evolved from random-looking generated strings to more recognizable domain names that blend with normal network traffic.

The payload generates a machine ID to fingerprint devices and performs registry operations for system reconnaissance.

The malware sends encrypted JSON objects containing event names, session IDs, machine IDs, and metadata to the C2 server. It also possesses remote code execution capabilities, allowing attackers to run commands on compromised systems.

The campaign’s infrastructure relies on NameCheap for domain registration with one-year registration periods and domain privacy protection to hide ownership, enabling quick infrastructure rebuilding following takedowns.

Recent discoveries show the operation continues expanding with new shell company signers including Stratus Core Digital LLC, DataX Engine LLC, and Nova Sphere Systems LLC, all following identical attack patterns.
