alt=Digital artwork of a human face with circuits and patterns in blue and red, evoking a futuristic, technological theme.
Cyber security
2025-05-17 Post a Comment

Government webmail hacked via XSS bugs in global spy campaign

By

Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign started in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

RoundPress targets
RoundPress targets
Source: ESET

Open email, have data stolen

The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.

All that is needed from the victim is to open the email to view it, as no other interaction/clicks, redirections, or data input is required for the malicious JavaScript script to execute.

Attack chain overview
Attack chain overview
Source: ESET

The payload has no persistence mechanisms, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling stored credentials for the victim’s email accounts.

Credential stealer function
Credential stealer function
Source: ESET

Additionally, it reads the DOM or sends HTTP requests to collect email message content, contacts, webmail settings, login history, two-factor authentication, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it’s targeting.

Vulnerabilities targeted

Operation RoundPress targeted multiple XSS flaws in various webmail products that important organizations commonly use to inject their malicious JS scripts.

The exploitation ESET associated with this campaign involves the following flaws:

  • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023, by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
  • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text leveraged in early 2024. Improper sanitization allowed attackers to inject <script> tags into the email content, which would be executed when viewed.
  • MDaemon – CVE-2024-11182: A zero-day XSS flaw in the MDaemon Email Server’s HTML parser, exploited by the hackers in late 2024. By crafting a malformed title attribute with a noembed tag, attackers could render a hidden <img onerror> payload, executing JavaScript. This enabled credential theft, 2FA bypass, and persistent access via App Passwords.
  • Horde – Unknown XSS: APT28 attempted to exploit an old XSS vulnerability in Horde by placing a script in an <img onerror> handler. However, the attempt failed, likely due to built-in filtering in modern Horde versions. The exact flaw is unconfirmed but appears to have been patched in the meantime.
  • Zimbra – CVE-2024-27443: An XSS vulnerability in Zimbra’s calendar invite handling, which hasn’t been tagged as actively exploited before. Unsanitized input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.

Although ESET does not report any RoundPress activity for 2025, the hackers’ methods could be easily applied to this year too, as there’s a constant supply of new XSS flaws in popular webmail products.

read more
alt=Close-up of a Social Security card beside a paycheck showing earnings, federal and Medicare with check numbers visible.
Cyber security
2025-05-06 Post a Comment

Fake Social Security Statement emails trick users into installing remote tool

by Pieter Arntz:

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

example SSA email

“Your Social Security Statement is now available
Thank you for choosing to receive your statements electronically.
Your document is now ready for download:

  • Please download the attachment and follow the provided instructions.
  • NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading names like ReceiptApirl2025Pdfc.exe, and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

  • The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
  • They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
  • ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

What we can do

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

  • Verify the source of the email through independent sources.
  • Don’t click on links until you are sure they are non-malicous.
  • Don’t open downloaded files or attachments until you are sure they are safe.
  • Use an up-to-date and active anti-malware solution.
  • If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

Malwarebytes users are protected

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

Malwarebytes blocks RiskWare.ConnectWise.CST

And blocks connections to these associated domains:

  • atmolatori[.]icu
  • gomolatori[.]cyou
  • molatoriby[.]cyou
  • molatorier[.]cyou
  • molatorier[.]icu
  • molatoriist[.]cyou
  • molatorila[.]cyou
  • molatoriora[.]cyou
  • molatoriora[.]icu
  • molatoripro[.]cyou
  • molatoripro[.]icu
  • molatorisy[.]cyou
  • molatorisy[.]icu
  • onmolatori[.]icu
  • promolatori[.]icu
  • samolatori[.]cyou
  • samolatori[.]icu
  • umolatori[.]icu

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

read more
alt=A hooded figure sits at a laptop, silhouetted against the red background of the Chinese flag featuring yellow stars.
Cyber security
2025-04-26 Post a Comment

FBI offers $10M for info on China’s Salt Typhoon hackers

Stefanie Schappert

Stefanie Schappert

Senior Journalist

The Federal Bureau of Investigation on Friday announces a $10 million reward for information on Salt Typhoon, the China-backed hacking group responsible for targeting several US telecoms, as well as the US Treasury.

The agency said it is especially interested in any information that could help identify the specific individuals behind the campaign or about its operations targeting the telecommunications sector.

“Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale,” the FBI said in its announcement.

Cybersecurity insiders have identified Salt Typhoon as a known nation-state adversary and Advanced Persistent Threat (APT) group sponsored by the Chinese government.

The nation-state threat actor made headlines last September after the US government discovered the group had breached the nation’s commercial telecoms infrastructure, including major companies such as Verizon, AT&T, T-Mobile, and Lumen Technologies.

The FBI said it is aggressively committed to identifying, mitigating, and disrupting Salt Typhoon’s malicious cyber activity. “If you have information about Salt Typhoon, we want to hear from you,” the FBI posted on X, in both English and Chinese.

The group was able to obtain “call data logs, a limited number of private communications, and select information subject to court-ordered US law enforcement requests,” the FBI said.

The phone records of then-President-elect Donald Trump and vice presidential running mate, Ohio Senator JD Vance, as well as some Kamala Harris campaign staffers, were all targeted by the group in the lead-up to the 2024 presidential election.

What’s more, the FBI said that the People’s Republic of China (PRC)-linked threat actors had been lurking in several of the telecom providers for an undetermined amount of time – and likely still remain.

Salt Typhoon is said to be highly sophisticated and uses anti-forensic and anti-analysis techniques, allowing the group to go undetected for months. The group is thought to have been operating in 2020.

Also known as GhostEmperor and FamousSparrow, experts warn the malicious campaign appears to be a part of China’s ongoing cyber efforts to infiltrate US critical infrastructure. China has repeatedly denied any allegations of its involvement.

Salt Typhoon is also believed to be behind the hack of the US Treasury Department, discovered in February, in which threat actors gained access to the laptops of some senior officials.

Anyone with information on Salt Typhoon can file a report with the FBI’s Internet Crime Complaint Center (IC3) or contact your local FBI field office.

In conjunction, the US State Department is also offering a $10 million reward for information about individuals engaging in cyber activities on behalf of foreign governments to target US critical infrastructure.

read more
alt=Silhouette of a figure at a laptop against the North Korean flag, symbolizing cyber activities and hacking threats.
Cyber security
2025-04-23 Post a Comment

North Korean hackers are using LinkedIn to entice developers to coding challenges

Story by Efosa Udinmwen

A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.

The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.

Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million theft from a Japanese company are among the recent attacks.

Coders beware!

After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.

Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.

Victims, believing they are completing programming tests, unintentionally allow malware like RN Loader and RN Stealer onto their systems.

These booby-trapped projects mimic legitimate developer tools and applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.

The malware evades most detection tools by using YAML deserialization, avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.

One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly from macOS systems.

JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.

Forensic analysis shows that the malware stores code in hidden directories and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.

GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.

“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity,” the companies said in a joint statement.

There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.

Those concerned about security should verify they are using the best IDEs, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.

read more
alt=Green text on a black screen displays a command line interface with options to deploy SMS, track clicks, and harvest data.
Cyber security
2025-04-19 Post a Comment

Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

î „Ravie Lakshmanan

Cybersecurity researchers are warning of a “widespread and ongoing” SMS phishing campaign that’s been targeting toll road users in the United States for financial theft since mid-October 2024.

“The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu,'” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence.

The phishing campaigns, per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat.

It’s worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-based SMS phishing service called Lighthouse that’s advertised on Telegram.

While Apple iMessage automatically disables links in messages received from unknown senders, the smishing texts urge recipients to respond with “Y” in order to activate the link – a tactic observed in phishing kits like Darcula and XiÅ« gÇ’u.

Should the victim click on the link and visit the domain, they are prompted to solve a fake image-based CAPTCHA challenge, after which they are redirected to a fake E-ZPass page (e.g., “ezp-va[.lcom” or “e-zpass[.]com-etcjr[.]xin”) where they are asked to enter their name and ZIP code to access the bill.

Targets are then asked to proceed further to make the payment on another fraudulent page, at which point all the entered personal and financial information is siphoned to the threat actors.

Talos noted that multiple threat actors are operating the toll road smishing campaigns by likely making use of a phishing kit developed by Wang Duo Yu, and that it has observed similar smishing kits being used by another Chinese organized cybercrime group known as the Smishing Triad.

Interestingly, Wang Duo Yu is also alleged to be the creator of the phishing kits used by Smishing Triad, per security researcher Grant Smith. “The creator is a current computer science student in China who is using the skills he’s learning to make a pretty penny on the side,” Smith revealed in an extensive analysis in August 2024.

Smishing Triad is known for conducting large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking on bogus links that request their personal and financial information under the guise of a supposed service fee for redelivery.

Furthermore, threat actors using these kits have attempted to enroll victims’ card details into a mobile wallet, allowing them to further cash out their funds at scale using a technique known as Ghost Tap.

The phishing kits have also been found to be backdoored in that the captured credit/debit card information is also exfiltrated to the creators, a technique known as double theft.

“Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels,” Talos said. “The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support.”

As of March 2025, the e-crime group is believed to have focused their efforts on a new Lighthouse phishing kit that’s geared towards harvesting credentials from banks and financial organizations in Australia and the Asia-Pacific region, according to Silent Push.

The threat actors also claim to have “300+ front desk staff worldwide” to support various aspects of the fraud and cash-out schemes associated with the phishing kit.

“Smishing Triad is also selling its phishing kits to other maliciously aligned threat actors via Telegram and likely other channels,” the company said. “These sales make it difficult to attribute the kits to any one subgroup, so the sites are currently all attributed here under the Smishing Triad umbrella.”

In a report published last month, PRODAFT revealed that Lighthouse shares tactical overlaps with phishing kits such as Lucid and Darcula, and that it operates independently of the XinXin group, the cybercrime group behind the Lucid kit. The Swiss cybersecurity company is tracking Wang Duo Yu (aka Lao Wang) as LARVA-241.

“An analysis of attacks conducted using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang / Wang Duo Yu) shares significant similarities with the XinXin group in terms of targeting, landing pages, and domain creation patterns,” PRODAFT noted.

Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023 and has also been tracking the scam toll campaigns, said the smishing syndicate has used over 60,000 domain names, making it challenging for Apple and Google to block the fraudulent activity in an effective manner.

“Using underground bulk SMS services enables cybercriminals to scale their operations, targeting millions of users simultaneously,” Resecurity said. “These services allow attackers to efficiently send thousands or millions of fraudulent IM messages, targeting users individually or groups of users based on specific demographics across various regions.”

read more
alt=A parachute delivers a box with a skull symbol labeled "Infected!" to a computer screen, symbolizing malware distribution.
Cyber security
2025-04-19 Post a Comment

Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader

î „Ravie Lakshmanan

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader.

“Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution,” Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.

The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file.

The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server.

The script, in turn, houses a Base64-encoded payload that’s subsequently deciphered, written to the Windows temporary directory, and executed. Here’s where something interesting happens: The attack leads to a next-stage dropper that is either compiled using .NET or AutoIt.

In case of a .NET executable, the encrypted embedded payload – an Agent Tesla variant suspected to be Snake Keylogger or XLoader – is decoded and injected into a running “RegAsm.exe” process, a technique observed in past Agent Tesla campaigns.

The AutoIt compiled executable, on the other hand, introduces an additional layer in an attempt to further complicate analysis efforts. The AutoIt script within the executable incorporates an encrypted payload that’s responsible for loading the final shellcode, causing .NET file to be injected into a “RegSvcs.exe” process, ultimately leading to Agent Tesla deployment.

Multi-Stage Malware Attack

“This suggests that the attacker employs multiple execution paths to increase resilience and evade detection,” Khanzada noted. “The attacker’s focus remains on a multi-layered attack chain rather than sophisticated obfuscation.”

“By stacking simple stages instead of focusing on highly sophisticated techniques, attackers can create resilient attack chains that complicate analysis and detection.”

IronHusky Delivers New Version of MysterySnail RAT#

The disclosure comes as Kaspersky detailed a campaign that targets government organizations located in Mongolia and Russia with a new version of a malware called MysterySnail RAT. The activity has been attributed to a Chinese-speaking threat actor dubbed IronHusky.

IronHusky, assessed to be active since at least 2017, was previously documented by the Russian cybersecurity company in October 2021 in connection with the zero-day exploitation of CVE-2021-40449, a Win32k privilege escalation flaw, to deliver MysterySnail.

The infections originate from a malicious Microsoft Management Console (MMC) script that mimics a Word document from the National Land Agency of Mongolia (“co-financing letter_alamgac”). The script is designed to retrieve a ZIP archive with a lure document, a legitimate binary (“CiscoCollabHost.exe”), and a malicious DLL (“CiscoSparkLauncher.dll”).

It’s not exactly known how the MMC script is distributed to targets of interest, although the nature of the lure document suggests that it may have been via a phishing campaign.

As observed in many attacks, “CiscoCollabHost.exe” is used to sideload the DLL, an intermediary backdoor capable of communicating with attacker-controlled infrastructure by taking advantage of the open-source piping-server project.

The backdoor supports capabilities to run command shells, download/upload files, enumerate directory content, delete files, create new processes, and terminate itself. These commands are then used to sideload MysterySnail RAT.

The latest version of the malware is capable of accepting nearly 40 commands, allowing it to perform file management operations, execute commands via cmd.exe, spawn and kill processes, manage services, and connect to network resources via dedicated DLL modules.

Kasperksy said it observed the attackers dropping a “repurposed and more lightweight version” of MysterySnail codenamed MysteryMonoSnail after preventive actions were taken by the affected companies to block the intrusions.

“This version doesn’t have as many capabilities as the version of MysterySnail RAT,” the company noted. “It was programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch processes and remote shells.”

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights