Introduction Today’s diary is an example of KongTuke activity using fake CAPTCHA pages for a ClickFix-style lure. Also known as LandUpdate808 or TAG-124 and described as a sophisticated TDS system, KongTuke has been active since at least May 2024. I keep track of this campaign through the infosec.exchange Mastodon instance, which is mostly information from…
ISC Stormcast For Tuesday, November 18th, 2025 https://isc.sans.edu/podcastdetail/9704, (Tue, Nov 18th) Source link
This is a guest post from our friends at Global Voices. Across at least the last two six-year presidential terms in Mexico, and through the first year of the current administration, access to the federal government’s primary websites for information and public services over the Tor network was blocked. A study by the authors of…
How disciplined design turns Amazon EventBridge from an open event bus into a system of verified trust. Event-driven architecture has become essential for achieving agility in the cloud. Yet as integrations multiply, so do the hidden pathways that adversaries can exploit. Amazon EventBridge helps unify these distributed systems, but its very flexibility demands disciplined…
For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed…
In diary entry “Formbook Delivered Through Multiple Scripts“, Xavier mentions that the following line: Nestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76) decodes to the string POWERSHELL. My tool numbers-to-hex.py is a tool that extracts numbers from text files, and converts them to hexadecimal. Like this: I can then use another tool, hex-to-bin.py to convert the hexadecimal numbers to binary,…
ISC Stormcast For Monday, November 17th, 2025 https://isc.sans.edu/podcastdetail/9702, (Mon, Nov 17th) Source link
The SANS Holiday Hack Challenge™ 2025 is available. Source link
The finger.exe command is used in ClickFix attacks. finger is a very old UNIX command, that was converted to a Windows executable years ago, and is part of Windows since then. In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol. We wrote about finger.exe about 3 years ago:…
Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots. These are POST requests to this path: With this User Agent String: And this is the data of the POST request: This creates a new admin user (profile: prof_admin). You can find this JSON data back in this PoC. Didier Stevens …
