Security & IT News

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)

Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads.

Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]

A suspected China-linked threat actor targeted the Indian branch of a global manufacturer leveraging an open source offensive toolkit

:root { --isc-maroon: #7a1f1f; --isc-maroon-dark: #5e1717; --isc-link: #0066cc; --isc-text: #1a1a1a; --isc-muted: #555; --isc-rule: #d0d0d0; --isc-code-bg: #f4f4f4; --isc-code-text: #c0392b; --isc-block-bg: #1e1e1e; --isc-block-text: #e6e6e6; --isc-callout-bg: #fafafa; --isc-table-header: #ececec; } * { box-sizing: border-box; } html, body { margin: 0; padding: 0; background: #ffffff; color: var(--isc-text); font-family: "Open Sans", "Source Sans Pro", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.6; } .isc-header { background: var(--isc-maroon); color: #ffffff; padding: 14px 24px; border-bottom: 4px solid var(--isc-maroon-dark); } .isc-header .brand { font-family: Arial, Helvetica, sans-serif; font-size: 22px; font-weight: bold; letter-spacing: 0.3px; } .isc-header .brand a { color: #ffffff; text-decoration: none; } .isc-header .tagline { font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: #f3d6d6; margin-top: 2px; } main { max-width: 920px; margin: 0 auto; padding: 28px 32px 48px; } h1.diary-title { font-family: Arial, Helvetica, sans-serif; font-size: 26px; line-height: 1.25; color: var(--isc-maroon); margin: 8px 0 10px 0; border-bottom: 1px solid var(--isc-rule); padding-bottom: 12px; } .meta { font-family: Arial, Helvetica, sans-serif; font-size: 13px; color: var(--isc-muted); margin-bottom: 24px; } .meta strong { color: var(--isc-text); } .meta a { color: var(--isc-link); text-decoration: none; } .meta a:hover { text-decoration: underline; } h2 { font-family: Arial, Helvetica, sans-serif; font-size: 19px; color: var(--isc-maroon); margin-top: 32px; margin-bottom: 10px; padding-bottom: 4px; border-bottom: 1px solid var(--isc-rule); } h3 { font-family: Arial, Helvetica, sans-serif; font-size: 16px; color: var(--isc-text); margin-top: 22px; margin-bottom: 8px; } p { margin: 10px 0; } a { color: var(--isc-link); } a:hover { text-decoration: underline; } code, .inline-code { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 13px; background: var(--isc-code-bg); color: var(--isc-code-text); padding: 1px 5px; border-radius: 3px; word-break: break-all; } .callout { background: var(--isc-callout-bg); border-left: 3px solid var(--isc-maroon); padding: 10px 16px; margin: 14px 0; font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 13px; color: var(--isc-text); } figure { margin: 22px 0; text-align: center; } figure img { max-width: 100%; height: auto; border: 1px solid #cccccc; display: block; margin: 0 auto; } figcaption { font-family: Arial, Helvetica, sans-serif; font-size: 13px; color: var(--isc-muted); margin-top: 8px; font-style: italic; } figcaption strong { color: var(--isc-text); font-style: normal; } table.diary-table { border-collapse: collapse; width: 100%; margin: 16px 0; font-family: Arial, Helvetica, sans-serif; font-size: 13.5px; } table.diary-table th, table.

Hackers are using Fake interview apps to spread JobStealer malware on macOS and Windows to steal crypto wallets, browser data, and passwords.

In this article Delivery Module types Botnet operations Who is Secret Blizzard? Mitigation and protection guidance Microsoft Defender detections Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard , has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments. This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection. The threat actor has historically targeted organizations in the government and diplomatic sector in Europe and Central Asia, as well as systems in Ukraine previously compromised by Aqua Blizzard, very likely for the purpose of obtaining information supporting Russia’s foreign policy and military objectives. While many threat actors rely on increasing usage of native tools (living-off-the-land binaries (LOLBins)) to avoid detection, Kazuar’s progression into a modular bot highlights how Secret Blizzard is engineering resilience and stealth directly into their tooling. By separating responsibilities across Kernel, Bridge, and Worker modules and restricting external communications to a single elected leader, Kazuar reduces its observable footprint. It also maintains flexible tasking, data staging, and multiple fallback channels for command and control (C2). Understanding this architecture helps defenders move beyond single sample analysis and instead focus on the behaviors that keep the botnet operational: leader election, inter-process communication (IPC) message routing, working directory staging, and periodic exfiltration. Kazuar’s capabilities and tradecraft have been widely documented by the security research community, and prior reporting, including Unit 42’s write-up and a recent deep dive into its loader capabilities , remains relevant today. This blog is an in-depth analysis of Kazuar’s progression from a single, monolithic framework into a modular bot ecosystem composed of three distinct module types, each with clearly defined roles. Together, these components distribute functionality across the P2P botnet, enabling flexible configuration, lower observability, and broad tasking while minimizing opportunities for detection. Delivery Kazuar is delivered through multiple dropper variants. In one observed method, the Pelmeni dropper embeds the encrypted second-stage payload directly within the dropper as an encrypted byte array. The payload is often bound to the target environment (for example, encrypted using the target hostname) so it only decrypts and executes on the intended host. In another method, the dropper deploys a small .NET loader alongside the final payload. The dropper then invokes the loader (often configured as a COM object) and supplies the decrypted pay

A group of likely Russian government hackers tried to hack a security researcher who investigates spyware attacks. He was then able to turn the tables on the hackers and reveal details of their espionage campaign.

Google’s Android Advanced Protection Mode is getting a new feature allowing trusted security experts to investigate potential spyware infections

What would some of the world's largest repositories of malware look like if they were stacked as hard drives, one on top of the other?

A ransomware group has claimed responsibility for hacking the electronics manufacturing giant Foxconn and is attempting to extort the company.

Research reveals that TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm.

Instructure says it reached an agreement with ShinyHunters over the Canvas breach data

Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]

Survey of cybersecurity leaders suggests that majority would strongly consider paying cybercriminals, if that’s what it took to help restore encrypted systems

Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," the company said. The feature, it

Intrusion Logging is a new part of Android’s Advanced Protection Mode, which aims to help protect human rights activists, journalists, and dissidents from government spyware attack and law enforcement forensic devices.

Operation HumanitarianBait uses fake aid documents, GitHub-hosted payloads, and Python spyware to target Russian-speaking victims.

TeamPCP, the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. [...]