| IP |
185.245.82.81 |
Oracle Identity Manager RCE flaw |
TA0011 - Command and Control |
Oracle Identity Manager |
CVE-2025-61757 |
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government organizations to immediately patch a critical flaw in Oracle Identity Manager, tracked as CVE-2025-61757, which is already being exploited—possibly as a zero-day. The vulnerability, a pre-authentication remote code execution (RCE) bug, was identified by Searchlight Cyber researchers Adam Kues and Shubham Shah. It arises from an authentication bypass in Oracle Identity Manager’s REST APIs, where attackers can manipulate a security filter by appending strings such as ?WSDL or ;.wadl to URL paths, causing protected endpoints to be mistakenly treated as publicly accessible. |
2025-11-23 15:59 |
| IP |
89.238.132.76 |
Oracle Identity Manager RCE flaw |
TA0011 - Command and Control |
Oracle Identity Manager |
CVE-2025-61757 |
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government organizations to immediately patch a critical flaw in Oracle Identity Manager, tracked as CVE-2025-61757, which is already being exploited—possibly as a zero-day.
The vulnerability, a pre-authentication remote code execution (RCE) bug, was identified by Searchlight Cyber researchers Adam Kues and Shubham Shah. It arises from an authentication bypass in Oracle Identity Manager’s REST APIs, where attackers can manipulate a security filter by appending strings such as ?WSDL or ;.wadl to URL paths, causing protected endpoints to be mistakenly treated as publicly accessible. |
2025-11-23 15:48 |
| HASH |
80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb |
NPM Infostealer |
T1059 - Command and Scripting Interpreter, TA0002 - Execution |
Nodejs NPM Server & Package Repository |
NA |
File: data_extracter. Security researchers discovered 10 dangerous, fake software packages on the npm registry that have been actively stealing user login information for over four months, accumulating nearly 10,000 downloads. These packages use an incredibly sophisticated, multi-step malware to avoid detection and harvest credentials from system keyrings and browsers across all major operating systems (Windows, Linux, and macOS). |
2025-11-01 19:31 |
| IP |
195.133.79.43 |
NPM Infostealer |
T1059 - Command and Scripting Interpreter, TA0002 - Execution |
Nodejs NPM Server & Package Repository |
NA |
Security researchers discovered 10 dangerous, fake software packages on the npm registry that have been actively stealing user login information for over four months, accumulating nearly 10,000 downloads. These packages use an incredibly sophisticated, multi-step malware to avoid detection and harvest credentials from system keyrings and browsers across all major operating systems (Windows, Linux, and macOS). |
2025-11-01 19:16 |
| DOMAIN |
jrntuvksdkm.top |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This domain acts as a download link for the Trojan NSEC WinRAR payload, which comes as part of a phishing campaign initiated from an IP hosted in Hong Kong (Alibaba Cloud). The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 19:24 |
| IP |
8.217.123.252 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This IP acts as a command center for the Trojan NSEC, which comes as part of a phishing campaign initiated from an IP hosted in Hong Kong (Alibaba Cloud). The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 17:43 |
| IP |
57bb53175ebddf9dfbb1bfe5dc15dfaeed5a317b32b66202f3e5f0dba99266f5 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: NSecDS.exe. This Trojan comes as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 17:32 |
| HASH |
7c013cc480892c3000f52cc118523d07a5a2e4319989f29eb256e1e383ec4006 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: fixit.exe. This Trojan comes as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 17:29 |
| HASH |
ae8d6030d92d4c14754a17507edad2d9de8b38cb8eee3fcf60ccad3c7ad984e2 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: NSecRTS.exe. This Trojan comes as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 15:42 |
| HASH |
be6663a5e76b6b9490316dcd2149699fa20a529819a4889c67e9dc65864531a2 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This Trojan comes as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer drops multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and verify the authenticity of the sender before opening such emails. |
2025-10-31 15:39 |
| IP |
74.194.191.52 |
RondoDox & Mirai Botnet |
T1059 - Command and Scripting Interpreter, TA0011 - Command & Control
TBK DVR-4104 and TBK DVR-4216 video recorders; Four-Faith router models F3x24 and F3x36
CVE-2024-3721 and CVE-2024-12856 |
RondoDox Botnet Exploiting Critical Vulnerabilities -
Over the past month, a new botnet named RondoDox has been exploiting two high-risk vulnerabilities, CVE-2024-3721 and CVE-2024-12856. Both of these flaws are publicly known and are being actively targeted, posing a serious threat to devices and network security. Unlike more common threats like Mirai or Gafgyt, RondoDox is a newer, less-known botnet.
CVE-2024-3721 is a critical vulnerability affecting TBK DVR models, including DVR-4104 and DVR-4216, as of April 12, 2024. The flaw stems from improper handling of the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ path, where the mdb and mdc parameters can be manipulated to inject OS commands. Successful exploitation allows remote attackers to execute arbitrary commands on affected devices. |
2025-10-14 15:21 |
| IP |
94.154.35.154 |
Mirai Botnet |
TA0011 - Command & Control |
TBK DVR Video Recording ARM based devices |
CVE-2024-3721 |
A malicious Mirai botnet sample designed to infect devices that use an ARM7 processor. The name is a combination of the processor type (arm7) and a string used by the malware (urbotnetisass).
Breakdown of the string
arm7: This specifies that the malware executable is compiled to run on the ARM7 CPU architecture. This architecture is used in many older and low-power embedded systems, such as routers, IoT devices, and certain mobile phones.
urbotnetisass: This appears to be a name chosen by the malware authors. It is a variant used in the widely known Mirai botnet. The Mirai botnet is designed to infect internet-connected devices to carry out distributed denial-of-service (DDoS) attacks.
.elf: In some automated analysis reports, the string is followed by .elf. An ELF (Executable and Linkable Format) file is a standard executable format used on Unix-like operating systems, which many embedded systems run.
Malware functionality -
Analysis of the malware sample shows it performs common botnet-related actions:
Downloads itself: It uses commands like curl and wget to download its own executable from a remote server.
Changes file permissions: It uses the chmod 777 command to give itself full read, write, and execute permissions on the infected device.
Spreads to other devices: After taking control, it scans the internet for other vulnerable devices to spread to and increase the size of the botnet. |
2025-10-14 14:49 |
| IP |
94.154.35.154 |
Mirai Botnet |
TA0011 - Command & Control |
TBK DVR Video Recording ARM based devices |
CVE-2024 |
|
2025-10-14 14:45 |
| DOMAIN |
firebase.su |
Shai Hulud - Scavenger Malware |
TA0011 - Command and Control |
CrowdStrike NPM package maintainer |
CVE-2025-54313 |
Scavenger C2 domain, CrowdStrike NPM Vulnerability -
Event: NPM Package Supply Chain Attack
Date: July 18, 2025
Attack Vector: A maintainer's account was compromised through a credential phishing campaign using a fake NPM login page.
Description:
Following the account takeover, the adversary modified five NPM packages, embedding a malicious install.js script and a DLL payload (node-gyp.dll). Upon installation of a compromised package, the script executes the DLL, which initiates a two-stage attack:
Stage 1: It steals the contents of the user's .npmrc file, exfiltrating sensitive NPM access tokens.
Stage 2: It deploys a secondary infostealer payload that targets and exfiltrates browser data like history and cache.
Impacted Packages and Versions:
eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7 (CVE-2025-54313, CVSS: High)
eslint-plugin-prettier: 4.2.2, 4.2.3
synckit: 0.11.9
@pkgr/core: 0.2.8
napi-postinstall: 0.3.1
Resolution: The malicious package versions have been deprecated on the NPM repository, and the maintainer has published updated, secure versions. |
2025-10-09 09:12 |
| IP |
c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 |
Scavenger Malware |
T1189 - Drive By Compromise - Initial Access, followed by T1059 - Command and Scripting Interpreter - Execution
CrowdStrike NPM package maintainer
CVE-2025-54313
|
2025-09-21 16:43 |
| HASH |
32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf |
Scavenger Malware |
T1189 - Drive By Compromise - Initial Access, T1059 - Command and Scripting Interpreter - Execution |
CrowdStrike NPM package maintainer |
CVE-2025-54313 |
CrowdStrike NPM Vulnerability -
Event: NPM Package Supply Chain Attack
Date: July 18, 2025
Attack Vector: A maintainer's account was compromised through a credential phishing campaign using a fake NPM login page.
Description:
Following the account takeover, the adversary modified five NPM packages, embedding a malicious install.js script and a DLL payload (node-gyp.dll). Upon installation of a compromised package, the script executes the DLL, which initiates a two-stage attack:
Stage 1: It steals the contents of the user's .npmrc file, exfiltrating sensitive NPM access tokens.
Stage 2: It deploys a secondary infostealer payload that targets and exfiltrates browser data like history and cache.
Impacted Packages and Versions:
eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7 (CVE-2025-54313, CVSS: High)
eslint-plugin-prettier: 4.2.2, 4.2.3
synckit: 0.11.9
@pkgr/core: 0.2.8
napi-postinstall: 0.3.1
Resolution: The malicious package versions have been deprecated on the NPM repository, and the maintainer has published updated, secure versions. |
2025-09-21 14:47 |
| DOMAIN |
pmtslpbnkremadv.vercel.app |
Phishing |
T1566 - Phishing - Initial Access |
Fortune 500 Companies |
None |
Observed in phishing and malicious activity attacks |
2025-09-17 10:46 |
| HASH |
2d1e93d28bf349a412bda7668536c4dc197cb12e020a5355f2d305ecac3ba458 |
Black Basta Ransomware Group - QakBot Loader |
T1189 - Initial Access - Drive By Compromise |
Banking and Big Tech Companies mostly in Europe, APAC and North America
PrintNightmare CVE-2021-34527 and Follina CVE-2022-30190 |
In recent months, Black Basta ransomware has garnered significant attention for allegedly targeting high-profile organizations across Europe and North America. Victims span various industries, including outsourcing, technology, and manufacturing. Black Basta first emerged around April 2022, with one of its earliest known attacks affecting a professional services company in the United States. Since then, the group has gradually expanded its operations, reportedly compromising sensitive data from a U.S. government contractor and an aerospace and defense company by the end of 2022. Often regarded as a successor to the now-defunct Conti ransomware, Black Basta is believed to include former Conti affiliates. Additionally, similarities in Tactics, Techniques, and Procedures (TTPs) have led to speculation about a potential link between Black Basta and the Fin7 threat group. |
2025-09-15 01:21 |
| HASH |
ab88d558ff0ae35860f6ba1ceab6ec3302ace9dc7e957940c053f85b4dc17e78 |
Black Basta Ransomware Group - Cobalt Strike DLL |
T1059 - Execution - Command and Scripting Interpreter |
Banking and Big Tech Companies mostly in Europe and North America |
PrintNightmare CVE-2021-34527 and Follina CVE-2022-30190 |
In recent months, Black Basta ransomware has garnered significant attention for allegedly targeting high-profile organizations across Europe and North America. Victims span various industries, including outsourcing, technology, and manufacturing. Black Basta first emerged around April 2022, with one of its earliest known attacks affecting a professional services company in the United States. Since then, the group has gradually expanded its operations, reportedly compromising sensitive data from a U.S. government contractor and an aerospace and defense company by the end of 2022. Often regarded as a successor to the now-defunct Conti ransomware, Black Basta is believed to include former Conti affiliates. Additionally, similarities in Tactics, Techniques, and Procedures (TTPs) have led to speculation about a potential link |
2025-09-15 01:21 |
| HASH |
01fd6e0c8393a5f4112ea19a26bedffb31d6a01f4d3fe5721ca20f479766208f |
Black Basta - QAKBOT Loader |
T1189 - Initial Access - Drive By Compromise |
Banking and Big Tech Companies mostly in Europe and North America |
PrintNightmare (CVE-2021-34527) and Follina (CVE-2022-30190) |
In recent months, Black Basta ransomware has garnered significant attention for allegedly targeting high-profile organizations across Europe and North America. Victims span various industries, including outsourcing, technology, and manufacturing.
Black Basta first emerged around April 2022, with one of its earliest known attacks affecting a professional services company in the United States. Since then, the group has gradually expanded its operations, reportedly compromising sensitive data from a U.S. government contractor and an aerospace and defense company by the end of 2022.
Often regarded as a successor to the now-defunct Conti ransomware, Black Basta is believed to include former Conti affiliates. Additionally, similarities in Tactics, Techniques, and Procedures (TTPs) have led to speculation about a potential link between Black Basta and the Fin7 threat group. |
2025-09-11 18:51 |
| HASH |
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 |
ToolShell |
T1190 - Exploit Public-Facing Application - Initial Access |
Microsoft SharePoint
CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771
Detects Encoded .Net DLL samples |
2025-09-06 10:40 |