New Malware Analysis Report

Our latest research uncovers Android/BankBot-YNRK, a mobile banking trojan disguised as a legitimate app such as Google News.

Key findings:
• Abuses Accessibility Services for remote control
• Uses C2 servers at ping.ynrkone[.]top for device commands
• Targets financial and cryptocurrency applications
• Employs code obfuscation via nmm-protect
• Capable of exfiltrating sensitive data and performing unauthorized transactions

Link to the Research Report: https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/

 #MalwareAnalysis #Android #BankBot #CyberSecurity #CYFIRMAResearch #ThreatResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

Mobile Threat Alert: GhostGrab Malware!
 
Cybercriminals are getting more sophisticated, and GhostGrab is a clear example. This Android malware doesn’t just steal banking credentials—it can also:

• Run hidden cryptocurrency mining that drains your battery and CPU
• Harvest debit card and online banking login information
• Intercept SMS messages, including one-time passwords (OTPs)
• Collect detailed device and SIM data
• Hide itself and resist removal
• Use phishing pages within apps to trick victims into revealing sensitive information
• Leverage Firebase as a Command & Control (C2) server, making traditional detection more difficult

How to Protect Yourself:

✅ Only download apps from official sources, such as the Google Play Store or, for iOS devices, the Apple App Store
 ✅ Avoid unknown APKs and suspicious links
 ✅ Monitor your bank accounts and SMS activity regularly
 ✅ Keep your device and apps updated
 
Mobile malware is evolving—stay informed, stay protected.

Link to the Research Report: https://www.cyfirma.com/research/ghostgrab-android-malware/

#CYFIRMA #CyfirmaResearch #CyberSecurity #MobileSecurity #AndroidMalware #GhostGrab #CyberThreats #ThreatAlert #ETLM   #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

Stay ahead with CYFIRMA’s Monthly Ransomware Report – Aug 2025.

CYFIRMA’s August 2025 Ransomware Report recorded 522 global victims, a slight dip but still far above 2023–24 levels. Qilin led with 84 attacks, while Akira surged by 35% targeting SonicWall VPNs and abusing Intel drivers for BYOVD evasion. Charon adopted APT-grade stealth, and 4L4MD4R blended Chinese ToolShell exploits with ransomware deployment. AI abuse accelerated with Claude enabling RaaS and PromptLock showcasing LLM-powered ransomware. Emerging groups Yurei, Desolator, and Anubis expanded globally, with the U.S., Canada, and UK most affected, and professional services, consumer services, and manufacturing hit hardest.

Link to the Research Report: https://www.cyfirma.com/research/tracking-ransomware-august-2025/

#CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #Akira #Charon #4L4MD4R #AIThreats

https://www.cyfirma.com/

Ivanti Virtual Traffic Manager (vTM) users – A critical authentication bypass flaw (CVSS 9.8) is now being actively exploited! This vulnerability allows unauthenticated attackers to gain admin control over your systems. Patch now to prevent unauthorized access, data theft, or malware deployment. Public exploit code is already circulating. Stay secure!

Link to the Research Report: CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager : Vulnerability Analysis and Exploitation - CYFIRMA

#Cybersecurity #Ivanti #CVE20247593 #PatchNow #InfoSec#CyberThreats #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

CYFIRMA's investigation uncovered a major data breach at Cisco, led by the notorious threat actor IntelBroker. On October 14, 2024, IntelBroker posted on BreachForum, revealing that critical data such as source code, hard-coded credentials, SSL certificates, API tokens, and confidential documents were stolen. This breach impacts Cisco's B2B clients, with over 26 client source codes compromised.
 
Our investigation also found that despite Cisco’s efforts to block access, the hackers regained entry using hard-coded credentials found in previously exfiltrated data. This exposes serious security risks and highlights the need for immediate remediation.
 
Link to the Research Report: Data Breach Investigation on Cisco - CYFIRMA

#DataBreach #CyberSecurity #CYFIRMAInvestigation #CiscoBreach #ThreatIntel #SupplyChainRisk #HackerAlert #CyberDefense #Breachforum #DataLeak #CYFIRMA #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

The proliferation of stealers, particularly those masquerading as open-source projects, poses significant risks to users. With capabilities to steal sensitive information, such as passwords, cryptocurrency wallets, and browser data, these malware variants not only threaten individual privacy but also create broader cybersecurity challenges.

As developers continue to leverage and modify existing stealers, users must remain vigilant and aware of the potential dangers associated with seemingly benign software, particularly those offered for free.

Link to the Research Report: The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer - CYFIRMA

#CyberSecurity #CyberThreat #DivulgeStealer #Dedsec #DuckStealer #CYFIRMA 

#CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

The Israeli invasion of Lebanon began with the declared goal to remove Hezbollah's military infrastructure from the south of the country so that Israelis living in northern Israel could return to their homes, from which they have been driven by the low-intensity conflict raging on the border since Hamas' raid on Gaza last year.

The Israeli army has hit thousands of Hezbollah targets in Lebanon and Syria and has eliminated Hezbollah’s leader Hassan Nasrallah. After a brief hesitation, Iran finally carried out a large-scale ballistic missile strike on Israel in retaliation, and the whole world is now waiting for Israel's response. The targets could be Iran's nuclear program and spark a war that would affect the whole region and have secondary consequences for the entire world.

Link to the Research Report: WORLD ON THE BRINK : WAR IN THE MIDDLE EAST THREATENS TO ENTER A NEW DESTRUCTIVE PHASE - CYFIRMA

#Geopolitics #CYFIRMAresearch #ThreatIntelligence #Cybersecurity #ETLM #currentaffairs #ExternalThreatLandscapeManagement #ETLM #CYFIRMA #HassanNasrallah

https://www.cyfirma.com/

Stay ahead of cybersecurity trends with CYFIRMA's September 2024 Ransomware Report. This month’s analysis highlights significant shifts among top ransomware groups like Medusa, which saw a 525% surge in victims, while others like RansomHub and Meow experienced declines.
 
Key industries such as IT and transportation saw notable increases, while sectors like manufacturing and finance recorded drops. The report also explores emerging threats like Kransom, a ransomware disguised as a popular game and highlights the impact of ransomware groups leveraging vulnerabilities in SonicWall systems. Don’t miss out—read the full report to understand the evolving threat landscape and how you can protect your organization.
 
Link to the Research Report: TRACKING RANSOMWARE - SEPTEMBER 2024 - CYFIRMA

#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #Ransomhub #Medusa #orca #kransom #USA #Manufacturing #CyfirmaResearch #ExternalThreatLandscapeManagement #StayProtected #DataProtection

https://www.cyfirma.com/

Immediate action is required for all organizations using iTunes for Windows! CVE-2024-44193 is a critical local privilege escalation vulnerability that could lead to unauthorized system access. Attackers exploit misconfigured permissions in the AppleMobileDeviceService.exe to elevate privileges and gain control. Given the widespread use of iTunes, this poses a significant risk. Update iTunes to version 12.13.3 or later, monitor systems for anomalies, and review permissions to prevent exploitation. Stay proactive and secure your systems now! Check CYFIRMA Research's latest report. 

Link to the Research Report: iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #VulnerabilityManagement #iTunes #CVE202444193 #CYFIRMAResearch #VulnerabilitySummary #ExternalThreatLandscapeManagement #ETLM #Cyfirma

https://www.cyfirma.com/

Our latest research dives deep into Yunit Stealer, a sophisticated malware designed to steal sensitive data, such as credentials, cookies, and cryptocurrency wallets. This malware employs advanced evasion techniques, including obfuscation and persistence methods, making it a formidable threat to cybersecurity. Yunit Stealer can disable Windows Defender, modify registry keys, and use scheduled tasks to maintain its presence on infected systems. It exfiltrates data via Telegram and Discord webhooks, ensuring the stolen information reaches the attacker securely.
 
 The developer has connections to various gaming platforms, indicating a possible link between gaming interests and the creation of this malware. Our analysis highlights the importance of staying informed and vigilant to protect your systems from such threats. Stay informed and protect your systems with our comprehensive insights!

Link to the Research Report: YUNIT STEALER - CYFIRMA

#CyberSecurity #Malware #YunitStealer #DataProtection #CyberThreats #TechNews #CYFIRMA #StaySafe #CyberAwareness #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

A new malware threat, Vilsa Stealer, has surfaced. Discovered on GitHub, this malware is designed to quietly steal your most sensitive information, everything from browser passwords to cryptocurrency wallets and even Discord credentials. What makes it particularly scary is its ability to sneak past security measures and hide in your system, all the while sending your stolen data to a remote server.
 
Stay vigilant, update your security tools, and educate your teams about recognizing and avoiding suspicious activity.

Link to the Research Report: VILSA STEALER - CYFIRMA

#CyberSecurity #MalwareAlert #DataProtection #CyberThreat #VilsaStealer #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

CYFIRMA's latest report delves into a crucial investigation targeting the malicious infrastructure linked to the APT group "Transparent Tribe." Employing open-source intelligence (OSINT), we thoroughly tracked the command-and-control (C2) servers utilized by this persistent threat actor. By leveraging advanced techniques such as JARM fingerprinting, we identified a network of 15 servers hosted by DigitalOcean, primarily aimed at malicious activities against individuals in India, reflecting the group's historical focus on Indian government sectors.

This investigation reveals the group's innovative use of Linux desktop entry files as attack vectors, highlighting their continuous adaptation in the dynamic cyber landscape. Additionally, the report details their evolving tactics, including the deployment of Mythic Poseidon binaries as malicious payloads, underscoring the sophistication of this threat.
 
Link to the Research Report: OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe - CYFIRMA

#CyberThreat #OSINT #TransparentTribe #APT36 #CyfirmaResearch #MaliciousInfrastructure #ExternalThreatLandscapeManagement #ETLM #CYFIRMA   #CyfirmaResearch

https://www.cyfirma.com/

As the U.S. presidential election in November approaches and the campaigns of former President Trump and Vice President Harris ramp up, hackers from Washington's adversaries are intensifying their efforts to disrupt or influence voting. Among these adversaries, Iran is emerging as an increasingly significant player.

Link to the Research Report: IRAN STEPS UP EFFORTS IN U.S. ELECTION MEDDLING - CYFIRMA

  #Geopolitics #CYFIRMAresearch #ThreatIntelligence #Cybersecurity #ETLM #currentaffairs #ExternalThreatLandscapeManagement #ETLM #CYFIRMA

https://www.cyfirma.com/

China's South China Sea ambitions stalled: ASEAN Fights Back Amid U.S. Distractions – check out the latest CYFIRMA report on Beijing's ambitions hitting a wall in the South China Sea, and the fallout in cyberspace. 

Link to the Research Report: https://www.cyfirma.com/research/grey-zone-warfare-in-chinas-stalled-south-china-sea-ambitions/

#Geopolitics #CYFIRMAresearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #MilitaryAffairs #GreyZoneCoertion #UNCLOS #MischiefReef #Spratlys #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

Critical Alert: Organizations using Apache OFBiz must act now! 
 
CVE-2024-38856 presents a severe risk of remote code execution. With millions of users potentially affected globally, immediate action is crucial. This flaw allows unauthenticated users to bypass security restrictions and execute screen rendering code via specially crafted requests through unauthenticated endpoints if some pre-conditions are met, such as when the screen definitions fail to properly check user permissions. Users are urged to upgrade to version 18.12.15.
 
Link to the research Report: CVE 2024-38856 – Pre-authentication Remote Code Execution (RCE) - Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #VulnerabilityManagement #RCE #CVE202438856   #CyfirmaResearch #VulnerabilitySummary   #ExternalThreatLandscapeManagement #ETLM #CYFIRMA

https://www.cyfirma.com/

The CYFIRMA research team has examined a variant of the Gomorrah stealer malware, a .NET-based malware that targets a range of sensitive data on infected systems. This report provides a comprehensive analysis of its operational methods and evasion techniques to remain undetected. This information-stealing malware operates within a malware-as-a-service (MaaS) framework and highlights the evolving strategies of cyber threat actors in the modern threat landscape. Stay vigilant, stay secure.

Link to the Research Report: Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware - CYFIRMA
 
  #CYFIRMA #CyberSecurity #GomorrahStealer #MalwareasaService #MalwareAnalysis #CyfirmaResearch #ThreatIntelligence #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

CVE-2024-40725 and CVE-2024-40898 are critical vulnerabilities in Apache’s HTTP Server. CVE-2024-40725 affects the mod_proxy module and enables HTTP Request Smuggling attacks, while CVE-2024-40898 allows authentication bypass due to improper SSL configuration. With widespread exposure, these vulnerabilities pose severe risks globally. Immediate patching is crucial to safeguard sensitive systems from potential exploitation.

Link to the Research Report: CVE-2024-40725 and CVE-2024-40898 Vulnerabilities in Apache’s HTTP Server : Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #ApacheVulnerabilities #CVE202440725 #CVE202440898 #PatchNow #InfoSec #CyberThreats #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

The CYFIRMA research team presents an analysis of a new malware, the BLX Stealer, also known as XLABB Stealer, which is targeting sensitive data like credentials, browser information, cryptocurrency wallets, and Discord tokens. Actively promoted on Telegram and Discord, this malware can persist through system reboots and even uses Discord Webhook for data exfiltration.
 
Stay protected by updating software, enabling multi-factor authentication, and monitoring for suspicious activities.

Link to the Research Report: BLX STEALER - CYFIRMA

#BLXStealer #CyberSecurity #MalwareAlert #XLABB #DataProtection #CyfirmaResearch #Stealer #CyberThreat #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

Stay informed with CYFIRMA's Tracking Ransomware-August 2024 Report, highlighting critical shifts in ransomware activities. Emerging groups like RansomHub and Lynx surged, with RansomHub seeing a 57.78% rise in victims and Lynx skyrocketing by 900%. In contrast, established actors like LockBit3 faced a 23.68% decline. The Manufacturing, Finance, and FMCG sectors were hit the hardest, while the Healthcare and Government sectors saw a decline in attacks. Geographically, the U.S. remains the most impacted region.

It's crucial to remain vigilant against emerging cyber threats. Explore deeper into the full report to uncover actionable insights that can fortify your defenses and mitigate risks effectively.
 
Link to the Research Report: Tracking Ransomware - August 2024 - CYFIRMA

#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #RansomHub #Play #BlackBasta #MADLIBERATOR #Lockbit #Lynx #CyfirmaResearch #ExternalThreatLandscapeManagement #StayProtected

https://www.cyfirma.com/

The CYFIRMA research team explores a new malware, dubbed "Ailurophile Stealer" that targets sensitive browser data, such as passwords, cookies, and browsing history. Distributed via GitHub, this threat uses advanced tactics like UPX packing and command-and-control communication via Telegram to evade detection. The attackers, likely operating from Vietnam, are using multiple platforms to spread this malware, posing significant risks to individuals and organizations.
 
Stay vigilant, update your security tools, and educate your teams about recognizing and avoiding suspicious activity.

Link to the Research Report: AILUROPHILE STEALER - CYFIRMA

#CyberSecurity #MalwareAlert #DataProtection #ETLM #ExternalThreatLandscapeManagement #AilurophileStealer #CYFIRMA #CyfirmaResearch

https://www.cyfirma.com/

The rise of Deepfake technology brings both opportunities and challenges. Our new report, Deepfake Defense: Strategic Solutions, explores the complex risks Deepfakes pose to privacy, security, and public trust and offers actionable strategies to defend against them. Discover how we can safeguard society in this new digital age. Read the full report now!

Link to the Research Report: DEEPFAKE DEFENSE STRATEGIC SOLUTIONS - CYFIRMA

#DeepfakeDefense #AI #DigitalSecurity #StrategicSolutions #ThreatIntelligence #ExternalThreatLandscapeManagement #ETLM #Cybersecurity #threatOverview #cyberthreats #CYFIRMA #CyfirmaResearch

https://www.cyfirma.com/

The CYFIRMA research team presents an analysis of a new keylogger that uses PowerShell scripts to silently capture sensitive information, such as passwords and credit card details. This sophisticated malware employs techniques, including system discovery, command execution, and encrypted C2 communication. The attackers also use anonymized networks like Tor, making it difficult to trace their activities.
 
Stay vigilant! Ensure your systems are updated and monitor for unusual activity to protect your data.

Link to the Research Report: CYFIRMA RESEARCH : POWERSHELL KEYLOGGER - CYFIRMA
 
#CyberSecurity #DataBreach #PowerShell #Keylogger #InfoSec #MalwareAlert #DigitalSafety #CyfirmaResearch #CYFIRMA #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

Since Israel launched its invasion of Gaza following the October 7 Hamas attack on Israel, Israel, and Hezbollah have also traded blows on the southern border of Lebanon in a low-intensity conflict. Many Israeli officials see full-scale war as inevitable. The situation could quickly change and escalate into a war, inadvertently based on miscalculation in mutual attacks. It would not be the first time and there is a risk of serious repercussions in cyberspace. Read the full report to learn more!

Link to the Research Report: ISRAEL - HEZBOLLAH Explainer - CYFIRMA

#Geopolitics #CyfirmaResearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #Israel #Hezbollah #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

The CYFIRMA research team provides an analysis of the Mekotio Trojan. Our study uncovers how it conceals its operations, interacts with command-and-control servers, and maintains persistence on infected systems. Check out our full report to gain a better understanding and combat this evolving threat.
 
Link to the Research Report: Analyzing the Mekotio Trojan - CYFIRMA

#CyberSecurity #ThreatIntel #Malware
#MekotioTrojan #InfoSec #DataSecurity #CyberThreats #PowerShellDropper

https://www.cyfirma.com/

CYFIRMA researchers have uncovered a malware campaign exploiting a spoofed Telegram Premium site—telegrampremium[.]app—to distribute a new variant of Lumma Stealer.

Key Findings:

• Drive-by download delivers malicious start.exe without user interaction

• Targets browser credentials, crypto wallets, system info

• Employs obfuscation, DGA-based domains, public DNS evasion

• Uses legitimate platforms (e.g., t.me, Steam) for stealthy C2

• Windows-focused, written in C/C++, and uses advanced evasion techniques

Stay vigilant. Threat actors are innovating—brand impersonation and drive-by downloads are on the rise.

Link to the Research Report: https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/

#CyberSecurity #ThreatIntelligence #Malware #LummaStealer #Telegram #CYFIRMA #InfoStealer #CyberThreat #APT

https://www.cyfirma.com/

The CYFIRMA research team presents their latest report! Organizations using Microsoft Windows Wi-Fi Drivers must act now! CVE-2024-30078 presents a severe risk of remote code execution. With billions of Microsoft Windows Wi-Fi Drivers potentially affected globally, immediate action is crucial.
 
Learn more with insights into this vulnerability. Safeguard your systems to prevent exploitation.

Link to the Research Report: CVE-2024-30078 Remote Code Execution Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #VulnerabilityManagement #MicrosoftWindowsWiFiDrivers #CVE202430078 #CYFIRMAResearch #VulnerabilitySummary #ExternalThreatLandscapeManagement #ETLM #CYFIRMA

https://www.cyfirma.com/

The CYFIRMA research team reveals a critical update in the malware landscape: We have recently identified a dropper binary that deploys an information-stealing malware known as "Angry Stealer." This malware is making its rounds on various platforms, including websites and Telegram, where it's being advertised. Angry Stealer is essentially a rebranded version of Rage Stealer. 

This malware is designed to exfiltrate a wide range of sensitive data from infected systems, including browser data (passwords, cookies, autofill info), cryptocurrency wallet details, VPN and application data, and more. It uses advanced techniques to evade security measures and sends stolen information to a Telegram channel controlled by the attacker. 

As cyber threats continue to evolve and repackage, it’s imperative to remain vigilant and enhance your security measures. Our findings emphasize the necessity of staying updated on these threats and implementing robust defenses to protect your data and systems.

For a detailed breakdown of how Angry Stealer operates and insights into countering this threat, check out our full report.

Link to the the Research Report: A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise - CYFIRMA

#CyberSecurity #ThreatIntel #Malware #AngryStealer #RageStealer #InfoSec 

#DataSecurity #CyberThreats #CYFIRMA #CYFIRMAResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

CYFIRMA research team’s latest report explores the tactics of hacktivists - ransomware variants, stealer logs, and strategic alliances - and examines their motivations; be they geopolitical, financial, cultural, or racial. It also shows how social media is being leveraged for recruitment, coordination, and monetization via theft or extortion, what are the implications for cybersecurity, and what threats face our infrastructure?

Link to the Research Report: Tactics and Motivations of Modern Hacktivists - CYFIRMA

#Cyfirmaresearch #ThreatIntelligence #Cybersecurity #ETLM #Hacktivists #ExternalThreatLandscapeManagement #CYFIRMA #Hacktivism

https://www.cyfirma.com/

CYFIRMA’s research team have just published a new report on the QWERTY Info Stealer malware. Our analysis reveals how this malware collects and sends sensitive data from infected systems while using advanced techniques to avoid detection. Stay informed about this threat to better protect your data and systems.

Link to the Research Report: QWERTY INFORMATION STEALER - CYFIRMA

#Cyfirmaresearch #ThreatIntelligence #Cybersecurity #ETLM #Malware  #ExternalThreatLandscapeManagement #CYFIRMA #QWERTYInfoStealer

https://www.cyfirma.com/

U.S. water systems deliver safe and affordable drinking water to millions of people, while also supporting agriculture, industry, and power generation. However, this critical infrastructure faces significant challenges from aging facilities, increasing demand, and emerging cyberthreats. Our report outlines the key threats to water infrastructure, the potential consequences of cyberattacks, and the need for enhanced cyber security measures to protect this vital sector.
 
Link to the Research Report: U.S. Water Structure’s Vulnerability to Cyber Attacks - CYFIRMA

#Geopolitics #Cyfirmaresearch #ThreatIntelligence #cybersecurity #ETLM    #currentaffairs #waterinfrastructure #ExternalThreatLandscapeManagement  #CYFIRMA

https://www.cyfirma.com/

Stay informed with CYFIRMA's Tracking Ransomware-July 2024 Report, highlighting the latest cybersecurity trends. RansomHub and LockBit3 have seen significant surges in activity, with LockBit3 experiencing a remarkable 245.5% increase. While the manufacturing sector saw a 10.9% decline, Education faced a staggering 250% rise in attacks.
 
The US continues to be the primary target geographically. The report also covers the evolution of ransomware groups like Black Basta, Play, and Eldorado. Additionally, the newly emerged Vanir Group and MAD LIBERATOR are making aggressive moves. Key events include Russian dominance in ransomware, the release of a new decryptor for DoNex victims and more.
 
It's crucial to remain vigilant against emerging cyber threats. Explore our full report to uncover actionable insights that can fortify your defenses and mitigate risks effectively.

Link to the Research Report: TRACKING RANSOMWARE JULY 2024 - CYFIRMA
 
#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #CYFIRMA #ETLM #RansomHub #Play #VanirGroup #BlackBasta #MADLIBERATOR #Lockbit #USA #UK #Manufacturing #CyfirmaRes

https://www.cyfirma.com/

The CYFIRMA research team is actively monitoring the ongoing fallout from the CrowdStrike Blue Screen of Death (BSOD) incident. Our updated report offers a comprehensive analysis of the tactics, techniques, and procedures (TTPs) used by threat actors exploiting this situation.

In this updated report, we provide further insights, including a detailed incident report, an examination of fraudulent attempts by unknown threat actors, phishing domain registrar details, information stealers, and malware campaigns.

As we continue our investigation, we will provide additional updates to keep you informed of this unfolding situation. Stay informed! 

Link to the Research Report: CrowdStrike Falcon Sensor Update: Worldwide Blue Screen of Death (BSOD) Incident Update – II - CYFIRMA

#CyberSecurity #Malware #ThreatDetection #CyberThreats #StaySafe #CYFIRMA 

#CYFIRMAResearch #ExternalThreatLandscapeManagement #ETLM #RemcosRAT 

#DataWiperMalware, #CommodityMalware

https://www.cyfirma.com/

CVE-2024-6387 Alert! A critical vulnerability in OpenSSH's server (sshd) allows unauthenticated remote code execution with root access, affecting over 4.8 million internet-exposed instances. This flaw poses a significant risk across various industries and geographies and is being actively exploited in the wild, as confirmed by CISA’s Known Exploited Vulnerabilities catalog. Immediate patching, reviewing and updating configurations, and enhancing monitoring are essential to mitigate this severe security threat. 
 
Link to the Research Report: OpenSSH RCE (CVE-2024-6387) : Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #InfoSec #OpenSSH #CVE20246387 #CyberThreats #CYFIRMA 

#CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

The death of Hamas leader Ismail Haniyeh in Tehran, and the announcement of the death of Hamas military wing commander Muhammad Daif on the same day is likely to escalate the ongoing cyberwar as Iran vows revenge. The dire humanitarian situation in Gaza will continue to fuel pro-Palestinian sentiment and inspire further hacktivist action, while the actors in the international arena are weighing their options.

Link to the Research Report: Hamas Leadership Assassination Explainer - CYFIRMA

#Geopolitics #Cyfirmaresearch #ThreatIntelligence #cybersecurity #ETLM   #currentaffairs #hacktivistism #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

Critical Alert: Organizations relying on ServiceNow must act now! 

CVE-2024-4879 poses a grave risk of remote code execution and unauthorized data access. With extensive global use, swift action is imperative. Attackers exploit Jelly template injections to trigger code execution, risking sensitive data and service disruptions. Update ServiceNow, monitor for anomalies, and implement access controls immediately. Proactive security is paramount. Protect your systems now to thwart exploitation. 

Link to the Research Report: ServiceNow RCE (CVE-2024-4879) Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity #VulnerabilityManagement #ServiceNow #CVE20244879 #CYFIRMAResearch #VulnerabilitySummary #ExternalThreatLandscapeManagement #ETLM #CYFIRMA #Cyfirmaresearch

https://www.cyfirma.com/

Critical Alert: CVE-2025-8671 – HTTP/2 “MadeYouReset” DoS Vulnerability

Organizations operating HTTP/2-enabled infrastructure—such as Apache Tomcat, Netty, F5 BIG-IP, Jetty, and other affected stacks—must act swiftly. This newly uncovered flaw enables attackers to bypass HTTP/2 stream-concurrency protections and trigger unbounded backend processing by exploiting mismatched stream reset handling, leading to severe Denial-of-Service (DoS) conditions.

This vulnerability demands urgent attention—its low-complexity technique and global exposure pose a high-priority threat to web infrastructure availability.

Link to the Research Report: https://www.cyfirma.com/research/cve-2025-8671-http-2-madeyoureset-vulnerability-ddos-attack/

#CyberSecurity #MadeYouReset #CVE20258671 #HTTP2 #DoS #ThreatIntel #ExternalThreatLandscapeManagement #VulnerabilityAlert #StreamResetAttack #InfrastructureSecurity #CYFIRMA CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

The CYFIRMA research team has examined a variant of the Mint Stealer malware and provides a comprehensive analysis of this information-stealing malware operating within a malware-as-a-service (MaaS) framework. Designed to target sensitive data, Mint Stealer employs sophisticated techniques to evade detection. This report explores its evasion tactics, methods for concealing malicious activities, and highlights the evolving strategies of cyber threat actors in the modern threat landscape.
 
Mint-stealer is being sold on multiple dedicated websites and support is offered through Telegram for its subscribers.

To mitigate the risks associated with Mint Stealer, users are advised to exercise caution when accessing files from untrustworthy sources or clicking on unfamiliar links.

Link to the Research Report: Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer - CYFIRMA

#CYFIRMA #CyberSecurity #MintStealer #MalwareasaService #MalwareAnalysis 

#CyfirmaResearch #ThreatIntelligence #ExternalThreatLandscapeManagement 

#ETLM

https://www.cyfirma.com/

The Cyfirma research team has investigated the Flame Stealer, which is maintaining a strong presence with predominantly Portuguese speakers. This malware is designed to stealthily extract data from a wide range of sources, including discord tokens, browser cookies, credentials, etc.

Flame Stealer employs advanced techniques such as covert data extraction, persistence mechanisms, detection evasion, and data exfiltration via Discord webhooks.

Link to the the Research Report:  FLAME STEALER - CYFIRMA

#CyberSecurity #InfoStealer #FlameStealer #ThreatDetection #CyberThreats 

#StaySafe #CYFIRMA #CYFIRMAResearch #ExternalThreatLandscapeManagement 

#ETLM

https://www.cyfirma.com/

 Our Q2 2024 APT Quarterly Highlights report reveals a surge of dynamic and innovative cyber activities from Iranian, Russian, Chinese, and North Korean APT groups, challenging the global cybersecurity landscape.

Detailed analysis reveals escalating cyber threats from Iran's Void Manticore and APT42 targeting critical sectors, to Russia's APT28 and Sandworm focusing on cyber-espionage and ransomware, China's RedJuliett and APT41 exploiting vulnerabilities, to North Korea's Kimsuky and Moonstone Sleet intensifying their espionage efforts. This highlights the urgent need for continuous vigilance, user education, and prompt software updates to bolster cybersecurity defenses.

Link to the Research Report: APT Quarterly Highlights : Q2 2024 - CYFIRMA

#CyberSecurity #APTHighlights #Q2APTReport #ThreatIntelligence #Cybersecurity #Q22024Report #APTActivities #cyberthreats #externalthreatlandscape #AdvancedPersistentThreat #Iran #Russia, #China, #NorthKorea #ETLM

https://www.cyfirma.com/

A critical vulnerability (CVE-2024-24919) with a CVSS score of 8.6 has been discovered in EOL Check Point devices, allowing remote attackers to read arbitrary files.

The Hacktivist group "Ghost Clan Malaysia" has shared affected IP addresses worldwide. Upgrade to supported versions and apply necessary hotfixes immediately to protect your data and infrastructure. CISA has added this to its Known Exploited Vulnerabilities catalog. Stay vigilant!

Link to the Research Report: Threat Actors Actively Exploiting CVE-2024-24919: Underground Forums Share IP Addresses of Vulnerable Check Point Security Gateway Devices - CYFIRMA

#CyberSecurity #DataProtection #CVE202424919 #Cybersecurity #ThreatAlert  #CyfirmaResearch #Cyfirma #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

Braodo Info Stealer, a Python-based malware, is targeting users in Vietnam and several other countries. This sophisticated threat spreads possibly through phishing emails, uses GitHub for hosting malicious code, and exfiltrates stolen data via Telegram channels. Learn more about this emerging threat impacting global cybersecurity.

Link to the Research Report: Braodo Info Stealer Targeting Vietnam and Abroad - CYFIRMA

#CyberSecurity #InfoStealer #Malware #BraodoinfoStealer #ThreatDetection
#Vietnam #CyberThreats #Threatintelligence #StaySafe #CYFIRMA
#CYFIRMAResearch #ETLM #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware-June 2024 Report.

This month's report highlights key trends, including a decrease in ransomware attacks by groups like Play and RansomHub, while Akira and Qilin increased their operations. Discover significant changes in targeted industries, with most sectors experiencing a decline in attacks. Notably, ransomware incidents were reduced by approximately 38.27% from May to June 2024.

Link to the Research Report: TRACKING RANSOMWARE - JUNE 2024 - CYFIRMA

#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #Play #Lockbit #Akira #USA #UK#Manufacturing #CyfirmaResearch #ExternalThreatLandscapeManagement 

https://www.cyfirma.com/

Critical Alert: Organizations using PHP in CGI mode must act now! CVE-2024-4577 presents a severe risk of remote code execution. With millions of websites potentially affected globally, immediate action is crucial. Attackers can exploit CGI argument injection to execute arbitrary commands, leading to unauthorized access or server compromise.
 
Update PHP configurations, monitor for unusual activity, and enforce strict input validation immediately. Proactive security measures are essential. Safeguard your systems now to prevent exploitation. Check CYFIRMA Research's latest report.

Link to the Research Report: PHP CGI Argument Injection (CVE-2024-4577)- Vulnerability Analysis and Exploitation - CYFIRMA

#CyberSecurity#VulnerabilityManagement#PHP#CVE20244577#CYFIRMAResearch#VulnerabilitySummary#ExternalThreatLandscapeManagement#ETLM#Cyfirma

https://www.cyfirma.com/

The CYFIRMA team has uncovered "Kematian-Stealer," a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources, including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients.
 
Kematian-Stealer employs advanced techniques such as covert data extraction, persistence mechanisms, detection evasion, in-memory execution, and data exfiltration via Discord webhooks. It can also download and execute additional scripts and payloads directly into memory. The builder for Kematian-Stealer, also hosted on GitHub, allows users to customize and deploy the malware. Features and C2 server details can be configured through a web interface.

Link to the Research Report: Kematian-Stealer : A Deep Dive into a New Information Stealer - CYFIRMA
 
#CyberSecurity#InfoStealer#KematianStealer#ThreatDetection#CyberThreats#StaySafe#CYFIRMA#CYFIRMAResearch

https://www.cyfirma.com/

This year’s Olympic games come at a heightened moment for international conflict & terrorism. The potential for a jihadi group or individuals inspired by one to take the world’s attention with a potential attack or for Russia to try to embarrass France with acts of sabotage are very high.

Link to the Research Report: Paris Olympics - CYFIRMA
 
#Geopolitics#Cyfirmaresearch#ThreatIntelligence#cybersecurity#ETLM#currentaffairs

https://www.cyfirma.com/

Cyfirma research team has examined a variant of Lumma Stealer malware, and this report provides a comprehensive analysis of this advanced information-stealing malware, explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Lumma Stealer targets sensitive data by employing sophisticated techniques, and utilizes counterfeit websites posing as legitimate antivirus software for distribution and promotion.

Lumma Stealer, a potent malware written in C, is designed to surreptitiously steal a wide array of data from compromised systems. It has rapidly gained notoriety for its ability to target and steal critical data such as cryptocurrency wallets, web browser information, email credentials, financial data, sensitive files within user directories, personal data, FTP client data and more by employing sophisticated techniques including event-controlled write operations and encryption to evade detection and maximize its impact.

Link to the Research Report: Lumma Stealer: Tactics, Impact, and Defense Strategies - CYFIRMA

#Cyfirma #CyberSecurity #Lumma Stealer #Malware-as-a-Service #MalwareAnalysis #CyfirmaResearch #ThreatIntelligence #ExternalThreatLandscapeManagement #ETLM 

https://www.cyfirma.com/

Stay ahead with CYFIRMA’s Monthly Ransomware Report – July 2025.

CYFIRMA’s July 2025 Ransomware Report recorded 504 global victims, a 7.5% rise from June, reflecting sustained threat levels. Qilin remained the most active, while Incransom and SafePay surged. Interlock introduced FileFix, a stealthy Windows UI-based delivery method; GLOBAL GROUP launched an AI-powered RaaS; and Gunra expanded to Linux with multithreaded encryption. Emerging actors like Dire Wolf and D4RK4RMY focused on data leaks and ideological messaging, moving beyond traditional encryption. Scattered Spider escalated attacks on VMware ESXi through social engineering. The U.S., Canada, and the UK were top targets, with consumer services, professional services, and manufacturing sectors hit hardest. Attackers increasingly leverage native OS tools, cloud abuse, and MFA fatigue to evade detection.

Link to the Research Report: https://www.cyfirma.com/research/tracking-ransomware-july-2025/

#CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #SafePay #Interlock #GLOBALGROUP #Gunra #DireWolf #D4RK4RMY #ScatteredSpider #CYFIRMAresearch #ExternalThreatLandscapeManagement #APT #LinuxRansomware

https://www.cyfirma.com/

CYFIRMA's latest investigation reveals how terrorist groups in Kashmir are still exploiting digital platforms to spread propaganda and influence people. Their psychological operations (Psy Ops) aim to manipulate public perception, spread fear, and destabilize the region. Despite a reduction in physical presence, groups like TRF and Kashmir Tigers are ramping up their digital efforts post Article 370 abrogation.

 Link to the Research Report: Digital Warfare: Pakistan-Based Terrorist Organizations Utilize Digital Platforms in J&K for Psy Ops - CYFIRMA

#CyberSecurity #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM #DigitalThreats #PsyOps #StaySafe #Telegram #Propaganda #Kashmir #Kashmirdispute #CYFIRMA #Terrorism #Terror #India

https://www.cyfirma.com/

Stay informed about the latest trends in the ransomware landscape with CYFIRMA's May 2024 Ransomware report. This edition highlights significant increases in ransomware activity, with LockBit3 surging tremendously and Play rising by 10.34%. Incransom's activity doubled, while RansomHub and Medusa also showed notable activity.
 
Manufacturing, real estate, banking, and healthcare sectors saw increased targeting. The US remains the top geographical target. Emerging groups like SpiderX, Fakepenny, and Arcusmedia present new threats. Stay vigilant and explore the full report for actionable insights.

Link to the Research Report: Tracking Ransomware May 2024 - CYFIRMA
 
#ThreatLandscape#StaySecure#CyberSecurity#RansomwareReport#ThreatIntelligence#Ransomware#DigitalDefense#Cyfirma#ETLM#Lockbit#Lockbit3#Incransom#Play#SpiderX#RansomHub#Medusa#Fakepenny#Arcusmedia#USA#UK#Manufacturing

https://www.cyfirma.com/

CYFIRMA research team has examined a variant of Vidar Stealer malware, and this in-depth examination explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it describes the use of social media platforms to procure command and control details for data exfiltration and updates. Vidar Stealer, a potent malware written in C++, is capable of stealing a wide range of data from compromised systems.

To mitigate the risks associated with Vidar Stealer, users are advised to exercise caution when accessing files from untrustworthy sources or clicking on unfamiliar links. Implementing robust cybersecurity measures, including reputable antivirus software, regular software updates, and awareness of social engineering tactics, is crucial in fortifying protection against such threats. Stay vigilant, stay secure. 

 Link to the Research Report: Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware - CYFIRMA

#Cyfirma #CyberSecurity #Vidar Stealer #Malware-as-a-Service #MalwareAnalysis #CyfirmaResearch #ThreatIntelligence #ExternalThreatLandscapeManagement #ETLM 

https://www.cyfirma.com/