The campaign primarily focused on compromising REDCap (Research Electronic Data Capture) servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called INFINITERED, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.

Campaign Overview

The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.

Key Objectives

• Medical research intelligence
• Artificial Intelligence research
• Defense-related information
• Military health research Public health policy data

Researchers observed the activity from September 2023 through November 2025, indicating a highly patient and well-resourced espionage operation.

High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.

Initial Access Through REDCap Servers

Why REDCap Was Targeted

REDCap is extensively used across:

• Hospitals
• Clinical research organizations
• Universities
• Government research programs
• Military health institutions

Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.

Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.

Web Shell Deployment and Persistence

Following successful compromise, UNC6508 deployed a web shell identified as:

help.php

The web shell served multiple purposes:

• Persistent access
• File uploads
• Command execution
• Further malware deployment

This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.

INFINITERED Malware Analysis

Three months after the initial intrusion, researchers observed deployment of a custom malware family called INFINITERED. This malware was specifically engineered to operate inside REDCap environments.

Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.

Component 1 – Upgrade Interceptor

The malware monitors REDCap upgrade activities.

When administrators update REDCap, the malware automatically injects itself into newer versions, ensuring persistence across software upgrades

Component 2 – Credential Harvester

This module captures usernames and passwords entered into REDCap login pages.

Stolen credentials are stored within REDCap database tables and later retrieved by attackers.

Component 3 – Command-and-Control Backdoor

The third module acts as a fully functional backdoor.

Researchers found it could:

• Execute shell commands
• Upload files
• Download files
• Run SQL queries

Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.

Abuse of Google Workspace for Data Exfiltration

One of the most interesting aspects of the campaign was the attackers’ use of legitimate Google Workspace functionality.

After obtaining administrative access, UNC6508 created a content compliance rule named:

Patroit

The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.

Attack Chain Breakdown

• External Reconnaissance
• Initial Compromise
• Persistence
• Privilege Escalation
• Intelligence Gathering

Potential Impact on Organizations

Organizations affected by this campaign could experience:

Research Theft

Loss of valuable intellectual property and scientific research.

Strategic Intelligence Exposure

Disclosure of defense and geopolitical information.

Credential Compromise

Unauthorized access to enterprise systems.

Regulatory Risks

Exposure of regulated healthcare and research data.

Alternative Indicators of Compromise (IOCs)

Security Recommendations

Upgrade REDCap Immediately

Remove legacy versions and apply the latest security updates.

Conduct Threat Hunting

Search for:

• help.php
• INFINITERED artifacts
• Unauthorized admin activity
• Credential harvesting indicators

The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.

The post PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations appeared first on First Hackers News.

The vulnerability carries a maximum severity rating and impacts organizations running vulnerable versions of the LiteSpeed User-End cPanel Plugin. Because cPanel is widely used across hosting environments, a successful attack could affect multiple websites, customer accounts, databases, and server resources hosted on the same infrastructure.

Vulnerability Details

CVE Information

The vulnerability stems from an incorrect privilege assignment issue within the plugin, enabling authenticated cPanel users or compromised accounts to execute scripts with elevated privileges.

Technical Analysis of the Exploit

Researchers found that attackers can abuse the plugin’s lsws.redisAble functionality to execute arbitrary commands as the root user. In a shared hosting environment, this effectively breaks the isolation between users and grants attackers complete control over the server.

Because many hosting providers rely on LiteSpeed and cPanel for website management, exploitation could allow attackers to:

• Execute arbitrary scripts
• Modify server configurations
• Access customer data
• Create backdoors Deploy malware
• Pivot to other hosted accounts

Unlike many privilege escalation flaws that require complex attack chains, this vulnerability can be abused by any authenticated cPanel user account, including accounts already compromised through phishing, credential theft, or web application attacks.

Potential Attack Chain

• Initial Access
• Vulnerability Exploitation
• Root Access
• Post-Exploitation Activities

Indicator of Compromise (IOC) Detection

LiteSpeed provided a log analysis command that administrators can use to identify potential exploitation attempts.

Detection Command

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

What This Command Does

The command searches:

• /usr/local/cpanel/logs/
• /var/cpanel/logs/

for suspicious API requests and activity patterns associated with exploitation attempts.

If the command returns no results, there may be no evidence of exploitation within the available logs.

Why This Vulnerability Matters

Shared hosting environments depend heavily on privilege separation between users. Once an attacker obtains root access, they can potentially compromise every website and account hosted on the affected server.

The widespread adoption of LiteSpeed across hosting providers significantly increases the potential impact of this vulnerability. A single successful exploitation could expose customer data, website files, SSL certificates, configuration settings, and administrative credentials.

Security Recommendations

Update Immediately

Upgrade to:

• LiteSpeed cPanel Plugin 2.4.7 or later
• LiteSpeed WHM Plugin 5.3.1.0 or later

Review Logs

Run the IOC detection command and investigate any suspicious results.

Audit User Accounts

• cPanel users
• Administrative accounts
• Recently created users
• Failed login attempts

Restrict Access

• Multi-Factor Authentication (MFA)
• IP restrictions
• Least privilege access controls

The active exploitation of CVE-2026-48172 highlights the risks posed by privilege escalation vulnerabilities in widely deployed hosting software. Since the flaw can allow attackers to obtain root-level access from a standard cPanel account, organizations and hosting providers should prioritize patching, review logs for indicators of compromise, and continuously monitor their environments for signs of malicious activity.

The post Critical LiteSpeed cPanel Plugin Vulnerability Enables Root Privilege Escalation Attacks appeared first on First Hackers News.

Unlike traditional phishing attacks that immediately request credentials, Sniper Dz employs a multi-stage social engineering process designed to gradually build trust before redirecting users into malicious advertising and scam ecosystems. The campaign demonstrates how threat actors are increasingly combining social media platforms, legitimate web services, and browser features to maximize victim engagement.

Technical Analysis of the Campaign

Researchers found that the operation relies heavily on social engineering techniques rather than malware deployment. Victims are initially exposed to attractive Facebook advertisements promising prizes, discounts, giveaways, or exclusive offers.

The campaign then guides users through a series of seemingly legitimate web pages before ultimately triggering browser notification permissions and redirecting users into fraudulent content networks. By abusing trusted platforms and legitimate web services, the attackers are able to reduce suspicion and improve campaign effectiveness.

Sniper Dz Attack Flow

The attack follows a structured victim funnel designed to maximize conversion rates while minimizing detection.

Phase 1 – Social Media Lures

Attackers publish fraudulent advertisements and impersonation posts across social media platforms.

• Free gift offers
• Discount promotions
• Prize giveaways
• Mobile device rewards

Phase 2 – Legitimate-Looking Bridge Pages

Instead of immediately redirecting victims to malicious content, the campaign utilizes intermediary pages hosted on legitimate services.

• Link aggregation platforms
• Landing page builders
• Redirect services
• Social media profile pages

These bridge pages help bypass security filters and increase the perceived legitimacy of the campaign.

Simplified representation of the Sniper Dz victim funnel showing how users are guided from social media lures through trusted bridge pages before being exposed to browser notification abuse and scam content.

Phase 3 – Browser Notification Abuse

Once users reach the final stage, they are encouraged to allow browser notifications through deceptive prompts.

• Fake CAPTCHA pages
• “Click Allow to Continue”
• “Verify You’re Human”

After notification permissions are granted, attackers gain a persistent channel to deliver scam advertisements and fraudulent alerts directly to the victim’s browser.

Potential Risks to Users

• Financial Fraud
• Privacy Exposure
• Continuous Scam Exposure
• Credential Theft

Why Social Engineering Remains Effective

Modern scam campaigns increasingly rely on psychological manipulation rather than technical exploitation. By leveraging trusted platforms such as Facebook and legitimate web services, attackers can make fraudulent content appear authentic.

The use of multiple redirection stages also helps threat actors evade automated detection systems while increasing the likelihood that victims will complete the entire attack flow.

As users become more aware of traditional phishing techniques, attackers continue to evolve their tactics by combining social media abuse, browser notification exploitation, and deceptive marketing strategies.

Security Recommendations

• Verify Promotional Offers
• Review Browser Notifications
• Exercise Caution with Redirects
• Implement Security Awareness Training

The Sniper Dz campaign demonstrates how modern threat actors are leveraging social media impersonation, trusted bridge pages, and browser notification abuse to target users across the MENA region. Rather than relying on malware, the operation exploits user trust and social engineering tactics to drive victims toward fraudulent content, making awareness and browser security practices critical defenses against these evolving threats.

The post New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers appeared first on First Hackers News.

The investigation revealed a coordinated infrastructure designed to manipulate advertising ecosystems while remaining largely hidden from users. Although the extensions appeared benign on the surface, researchers found embedded mechanisms capable of tracking browsing behavior, generating artificial search activity, and redirecting traffic for monetization purposes.

Technical Analysis of the Campaign

Researchers discovered that the operation was spread across multiple publisher accounts and domains, with over 140 live wallpaper extensions sharing a nearly identical codebase and infrastructure. Despite using separate hosting environments and advertising accounts, the extensions followed the same operational model, indicating a centralized campaign.

The extensions leveraged hidden scripts and remote communication channels to receive instructions and perform actions that were not disclosed in their public descriptions. This allowed operators to modify behavior dynamically while maintaining the appearance of legitimate browser tools.

Campaign Infrastructure

The diagram below illustrates how multiple Chrome Web Store publisher accounts and extension clusters were connected to a shared monetization infrastructure.

How the Extensions Operated

Once installed, the extensions requested browser permissions that appeared reasonable for their advertised functionality. Behind the scenes, however, additional code executed in the background to monitor user activity and interact with external servers.

The collected information was then used to generate advertising-related events and search requests that appeared legitimate. Because the activity originated from real user browsers, it became more difficult for traditional fraud detection systems to distinguish between genuine and manipulated traffic.

Key Activities Observed :

• Hidden user tracking
• Search traffic manipulation
• Browser activity monitoring
• Communication with remote infrastructure

Hidden Tracking and Traffic Manipulation Techniques

The campaign employed several techniques commonly associated with browser-based threats and advertising fraud operations.

Concealed Ad Tracking

The extensions monitored browsing behavior and collected information related to user interactions, allowing operators to analyze traffic patterns and advertising engagement.

Fake Search Traffic Generation

Researchers observed mechanisms designed to create artificial search requests that appeared to originate from legitimate users. This allowed operators to inflate search metrics and potentially increase advertising revenue.

Obfuscated Code

Parts of the extension code were intentionally concealed, making analysis more difficult and reducing the likelihood of detection during routine reviews.

Potential Risks to Users

While the campaign primarily focused on advertising fraud, the broader security implications are significant.

Privacy Exposure

User browsing behavior may be monitored without clear consent or awareness.

Browser Manipulation

Extensions can alter browser activity, search behavior, and website interactions behind the scenes.

Why Browser Extensions Remain a Security Challenge

Browser extensions operate with a level of trust that many users underestimate. Once installed, they can access web pages, monitor browser activity, modify content, and communicate with external servers.

Threat actors increasingly abuse this trust because browser extensions provide persistent access to user activity while often avoiding traditional endpoint security monitoring. As browser ecosystems continue to grow, malicious actors are likely to use similar techniques to conduct tracking, fraud, and data collection operations.

Security Recommendations

Organizations and individual users should take proactive measures to reduce the risks associated with browser extension abuse.

• Review Installed Extensions
• Audit Extension Permissions
• Monitor Browser Activity
• Implement Security Controls
• Conduct Regular Reviews

The discovery of 152 Chrome browser extensions involved in hidden ad tracking and fake search traffic generation demonstrates how browser extensions can be abused for large-scale advertising fraud and user monitoring. While these extensions may appear legitimate, hidden functionality can transform them into powerful tools for tracking, traffic manipulation, and monetization. Organizations should treat browser extensions as part of their attack surface and continuously monitor them as part of a broader security strategy.

The post Hidden Ad Tracking Operations Found Across 152 Chrome Browser Extensions appeared first on First Hackers News.

The attacks have been linked to the threat group ShinyHunters, which has reportedly targeted more than 100 organizations, with a significant concentration in the education sector. Researchers observed exploitation activity before Oracle publicly released its security advisory, classifying the vulnerability as a true zero-day.

Because Oracle PeopleSoft is widely used for managing human resources, payroll, finance, and other business-critical functions, successful exploitation could expose highly sensitive organizational data and provide attackers with deep access into enterprise environments.

Technical Breakdown of the Attack

The vulnerability resides within Oracle PeopleSoft PeopleTools, specifically affecting components exposed to the internet. Security researchers indicate that attackers can exploit the flaw without valid credentials, enabling remote execution of arbitrary commands on affected servers. The vulnerability carries a critical severity rating and may lead to full system compromise if left unmitigated.

Researchers also reported that threat actors leveraged the flaw against Environment Management Hub (PSEMHUB) endpoints. Following successful exploitation, attackers can deploy malicious tools, execute administrative commands, and establish persistent access within the targeted environment.

The Attack Chain Can Involve :

• Reconnaissance of internet-facing PeopleSoft servers.
• Identification of vulnerable PeopleTools instances.
• Exploitation of CVE-2026-35273 without authentication.
• Remote code execution on the application server.
• Deployment of web shells or remote management tools.

Multiple Other Methods Threat Actors May Use

While the zero-day vulnerability serves as the initial access vector, attackers frequently combine additional techniques to strengthen their foothold and increase operational success.

• Web shell deployment
• Credential theft
• Authentication bypass attacks
• Exploitation of legacy vulnerabilities

Modern threat actors rarely rely on a single attack technique. Instead, they combine multiple methods to gain deeper access, maintain persistence, evade security monitoring, and ultimately achieve objectives such as data theft, extortion, or ransomware deployment.

Why Enterprise Applications Remain a High-Value Target

Enterprise platforms such as Oracle PeopleSoft store some of an organization’s most valuable information, including employee records, financial data, payroll details, and operational information. Because these systems often integrate with multiple business applications, a single compromise can provide attackers with extensive visibility across the enterprise.

Threat actors increasingly target business-critical applications because successful exploitation can deliver immediate access to large volumes of sensitive data. In many environments, these platforms are internet-facing and may not receive the same level of security monitoring as endpoints, making them attractive targets for advanced threat groups.

Security Experts Recommend That Organizations

• Apply Oracle Mitigations Immediately
• Audit Internet-Facing PeopleSoft Systems
• Strengthen Access Controls
• Conduct Threat Hunting Activities

The active exploitation of CVE-2026-35273 demonstrates how rapidly threat actors can weaponize critical enterprise software vulnerabilities. With ShinyHunters reportedly targeting organizations through Oracle PeopleSoft environments, security teams should prioritize mitigation efforts, strengthen monitoring capabilities, and review exposure of internet-facing enterprise applications to reduce the risk of compromise.

The post Critical Oracle PeopleSoft Zero-Day RCE Vulnerability Actively Exploited by ShinyHunters appeared first on First Hackers News.

The issue is significant because BitLocker is widely used by enterprises and government organizations to protect sensitive data. If exploited successfully, attackers could gain access to encrypted information without requiring the BitLocker recovery key, reducing the effectiveness of one of Windows’ most important security controls.

How It Works

The GreatXML exploit reportedly abuses the way Windows Recovery Environment processes configuration files during recovery operations. Researchers observed that specially crafted XML files, including an unattend.xml file and modified recovery configuration files, can be placed within the recovery partition.

When the affected system enters Recovery Mode, these files are processed automatically. Instead of loading the expected recovery interface, the manipulated configuration may trigger a command shell running with elevated SYSTEM privileges, granting access to the unlocked BitLocker-protected volume. The exploit appears to leverage trusted recovery mechanisms rather than traditional memory corruption or kernel vulnerabilities.

The Attack Chain Can Involve

1. Initial Device Access

• Physical access to a workstation or laptop.
• Administrative access obtained through another compromise.

2. Recovery Partition Modification

• Placement of malicious XML files within the recovery partition.
• Modification of recovery configuration settings.

3. Privilege Escalation

• Launch of a SYSTEM-level command shell.
• Access to BitLocker-protected storage.

4. Data Access and Collection

• Viewing sensitive files.
• Extraction of credentials and corporate information.
• Offline forensic evasion activities.

Multiple Other Methods Threat Actors May Use

Although GreatXML focuses on recovery partition XML files, attackers frequently target BitLocker through additional techniques, including:

• indows Recovery Environment abuse
• Boot Manager manipulation
• Privilege escalation vulnerabilities
• Offline disk analysis after system theft

Modern attackers often combine multiple vulnerabilities to increase the likelihood of success and evade detection.

Why Legacy Components Remain a Risk

Many organizations focus heavily on operating system patching and endpoint detection while overlooking legacy recovery components and boot infrastructure. Recovery partitions, WinRE configurations, deployment scripts, unattended setup files, and offline maintenance tools often receive less monitoring than standard system files.

Attackers increasingly target these trusted components because they operate outside traditional security controls. Since recovery environments are designed to help administrators regain access to systems, they frequently possess elevated privileges and trusted execution paths. When abused, these features can become powerful attack vectors.

Security Experts Recommend That Organizations

To reduce exposure to GreatXML and similar recovery-environment attacks, security teams should:

Harden BitLocker Deployments

• Enable TPM + PIN authentication.
• Enforce strong recovery key management.
• Monitor BitLocker policy compliance.

Secure Recovery Environments

• Restrict unauthorized access to WinRE.
• Monitor changes to recovery partitions.
• Audit recovery-related files and configurations.

Maintain Patch Management

• Apply Microsoft security updates promptly.
• Track new advisories related to BitLocker, WinRE, and Defender Offline Scan.
• Review recovery partition configurations after major updates.

The GreatXML vulnerability serves as a reminder that encryption alone does not guarantee complete protection. Recovery environments, boot processes, and trusted system components can become attractive targets for attackers seeking to bypass traditional security controls. Organizations should adopt a layered security strategy that includes BitLocker hardening, recovery environment monitoring, physical security controls, and continuous threat detection to reduce the risk of compromise.

The post Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files appeared first on First Hackers News.

The issue involves the Internet Explorer WebBrowser control, a component still embedded in various applications built with technologies such as .NET, Visual Basic, and C++. Because it continues to inherit Internet Explorer’s security behavior, attackers may be able to abuse it to execute malicious code on a victim’s system.

How the Attack Works

Researchers found that the WebBrowser control still follows Internet Explorer’s security zone model, which grants additional privileges to trusted locations such as localhost and local files.

This becomes dangerous when desktop applications expose web interfaces through localhost. If an attacker finds a vulnerability such as cross-site scripting (XSS) in one of these applications, they may be able to move from a remote web page into a more trusted local environment.

The attack chain can involve:

• Exploiting a vulnerable localhost application
• Downloading malicious files without standard security warnings
• Opening local files through the WebBrowser control
• Executing scripts in a trusted local context
• Launching commands through insecure ActiveX components

Researchers demonstrated that malicious files downloaded through certain localhost scenarios may not receive Microsoft’s Mark-of-the-Web (MOTW) protection. Without this security label, Windows may not display its usual warnings when potentially dangerous content is executed.

Multiple Paths to Code Execution

The research also revealed several additional techniques that attackers could use to increase the chances of compromise.

Potential attack methods include:

• Abusing ActiveX components to launch programs
• Using media playlist files to leak NTLM hashes
• Exploiting ClickOnce and Office-related file formats
• Using clickjacking to trick users into opening malicious files
• Abusing drag-and-drop functionality to execute shortcuts

In some proof-of-concept demonstrations, attackers used invisible frames to disguise malicious file interactions. A victim might believe they are clicking on a normal webpage when they are actually interacting with local files or applications.

Researchers also showed how malicious shortcuts could be disguised with trusted-looking icons and placed in locations where users are likely to interact with them.

Why Legacy Components Remain a Risk

The findings highlight a common cybersecurity challenge: retired software components can continue creating security risks long after the original product is no longer supported.

Many organizations still rely on applications that use the Internet Explorer WebBrowser control behind the scenes. As long as these components remain active, attackers may continue searching for ways to abuse them.

Security experts recommend that organizations:

• Identify applications using the WebBrowser control
• Remove unnecessary legacy dependencies
• Restrict risky ActiveX components
• Limit exposure of localhost web interfaces
• Monitor systems for unusual browser-based activity

The post Internet Explorer Component Flaw Enables RCE Attacks appeared first on First Hackers News.

The latest release includes security improvements across several Chrome components, including ANGLE, GPU, Network, Ozone, FileSystem, Password Manager, Chromecast, Cast Streaming, and Chromoting.

Given the number and severity of the fixes, users and organizations are strongly encouraged to update their browsers as soon as possible.

Critical Bugs Could Lead to Serious Attacks

Many of the critical vulnerabilities are related to memory safety issues such as use-after-free and out-of-bounds memory access errors.

These types of flaws are frequently targeted by attackers because they can sometimes be used to:

• Execute malicious code
• Crash the browser
• Bypass security protections
• Access sensitive information
• Escape browser restrictions

Several of the vulnerabilities affect Chrome’s GPU and ANGLE components, which handle graphics processing and hardware acceleration. Because these components interact closely with system hardware, they are often attractive targets for threat actors.

Google has not released full technical details for many of the vulnerabilities yet. The company commonly delays disclosure until most users have installed the updates, reducing the risk of attackers developing exploits before systems are patched.

Multiple Browser Components Affected

The security fixes span a wide range of Chrome functionality.

Affected areas include:

• ANGLE graphics framework
• GPU processing components
• Network services
• Ozone platform layer
• FileSystem functionality
• Password management features
• Chromecast services
• Cast Streaming technology
• Chrome Remote Desktop (Chromoting)

Researchers warn that vulnerabilities affecting network services, file handling, and password-related components could become particularly dangerous if combined with additional exploits.

Issues involving Chromecast and remote streaming features also highlight that browser-related risks extend beyond simple web browsing and may impact connected devices and remote-access capabilities.

Update Recommended Immediately

Google reports that many of the vulnerabilities were discovered by both internal security teams and external researchers. Some high-impact findings earned bug bounty rewards of up to $97,000.

Organizations should prioritize deploying the latest Chrome version as part of their patch management process. Regular browser updates remain one of the most effective ways to reduce exposure to web-based attacks.

The release serves as another reminder that browsers remain one of the most heavily targeted applications and require continuous security updates to defend against evolving threats.

22 Critical Vulnerabilities

The post Google Patches 429 Chrome Security Flaws appeared first on First Hackers News.

The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

Because these tools are already installed on most systems and commonly used by administrators, malicious activity can easily blend in with normal operations.

ANY.RUN Report Reveals Growing Threat

According to ANY.RUN’s analysis of more than 2 million malware and phishing investigations during the first quarter of 2026, threat actors are rapidly shifting toward stealthier attack techniques.

The report highlights:

• Loader-based attacks nearly doubled
• Credential theft increased significantly
• Living-off-the-Land (LotL) techniques grew by more than 58%
• Attackers increasingly abused trusted system utilities
• Malware campaigns became more automated and difficult to detect

Researchers noted that attackers often use tools such as PowerShell, WMI, Certutil, MSHTA, and JavaScript execution environments to perform malicious actions while appearing legitimate.

These trusted tools allow attackers to:

• Download malware payloads
• Execute fileless attacks
• Establish persistence
• Move laterally through networks
• Avoid traditional antivirus detection

Security experts warn that attackers can establish persistence within seconds, leaving defenders with very little time to respond.

Credential Theft Continues to Drive Attacks

ANY.RUN researchers found that credential theft remains one of the primary goals for modern threat actors.

Once attackers obtain valid credentials, they can access systems while appearing to be legitimate users. Combined with trusted tool abuse, this creates a dangerous scenario where malicious activity can remain hidden for extended periods.

Many attackers begin with lightweight loaders that quietly gain initial access before deploying more dangerous payloads such as:

• Ransomware
• Remote Access Trojans (RATs)
• Information stealers
• Credential theft tools

This approach allows cybercriminals to scale attacks while minimizing detection.

Strengthening Defenses Against Trusted Tool Abuse

Because legitimate tools generate normal-looking activity, ANY.RUN recommends focusing on behavioral monitoring rather than relying solely on traditional signature-based security solutions.

Organizations should monitor for:

• Unusual PowerShell commands
• Suspicious script execution
• Abnormal command-line arguments
• Unexpected network connections
• Unusual administrative activity
• Suspicious parent-child process relationships

Additional recommendations include:

• Enforcing least-privilege access
• Restricting script execution
• Using application control policies
• Leveraging threat intelligence
• Deploying sandbox analysis solutions
• Improving incident response capabilities

The findings show that attackers are becoming increasingly skilled at hiding in plain sight. As trusted tools continue to be weaponized, organizations must focus on behavior-based detection and rapid response strategies to identify threats before they can cause significant damage

The post Hackers Exploit Trusted Tools Malware for Attacks appeared first on First Hackers News.