Unlike traditional phishing operations that rely on a small number of malicious domains, this campaign uses a distributed network of GitHub Pages repositories. This approach allows attackers to quickly replace removed pages, maintain operational continuity, and reduce the effectiveness of takedown efforts.

Security researchers observed phishing pages impersonating multiple financial institutions, with customized interfaces optimized for both desktop and mobile users.

Multi-Stage Infrastructure Designed for Scale

At the core of the campaign is a modular phishing kit that enables operators to generate institution-specific phishing pages with minimal effort. Victims are first directed to professionally crafted landing pages that closely mimic legitimate banking portals before being prompted to enter sensitive information.

The attack infrastructure uses client-side scripts to capture submitted data and transmit it to attacker-controlled platforms in real time. Rather than operating traditional command-and-control servers, the threat actors utilize third-party services to collect stolen information, reducing their infrastructure footprint and making detection more challenging.

Researchers also identified the use of obfuscated JavaScript loaded from external sources, allowing attackers to modify payloads and update functionality without altering the visible phishing pages. In some instances, stolen credentials were forwarded directly through Telegram, providing operators with immediate access to harvested data.

Evidence gathered from repository activity suggests the campaign has been actively maintained for more than a year, with continuous updates, infrastructure changes, and deployment improvements. The operation also utilizes automated deployment mechanisms and carefully crafted link previews to increase engagement across messaging and social media platforms.

Abuse of Trusted Platforms Continues to Grow

The campaign highlights a growing trend in which threat actors abuse reputable cloud and hosting services to conduct phishing operations. By leveraging GitHub Pages, attackers benefit from trusted infrastructure, HTTPS encryption, and simplified deployment capabilities, making malicious pages appear more legitimate to potential victims.

Researchers noted that the phishing pages were specifically designed for targeted distribution through channels such as SMS, WhatsApp, Telegram, and social media rather than search engine discovery. This targeted approach helps maximize victim engagement while reducing unwanted visibility.

The findings demonstrate that traditional domain-based blocking and blacklist approaches are becoming less effective against modern phishing operations. As attackers increasingly rely on legitimate platforms to host malicious content, organizations must adopt stronger behavioral detection strategies, continuously monitor for brand impersonation, and improve collaboration across the security community.

The campaign serves as a reminder that phishing remains one of the most effective cybercrime techniques, particularly when combined with trusted platforms and scalable infrastructure designed to withstand disruption.

Indicators of Compromise (IOCs)

The post Hackers Use GitHub Pages for Phishing Attacks appeared first on First Hackers News.

The campaign relies on AppleScript files that appear harmless at first glance but secretly execute multiple stages of malware in the background. By using built-in macOS tools, the attackers can avoid several security protections and quietly deploy additional payloads.

How the Attack Works

The infection begins when a user opens a malicious AppleScript (.scpt) file disguised as a software update.

The script displays a large block of harmless-looking text while hidden code runs in the background. Once executed, it uses the curl command to download additional AppleScript payloads from attacker-controlled servers and immediately executes them through osascript.

This multi-stage approach allows attackers to:

• Download additional malware
• Communicate with command-and-control servers
• Establish persistence on the device
• Deploy backdoors
• Harvest credentials
• Collect sensitive information

Researchers noted that this technique helps the attackers bypass several macOS security checks because the execution appears to be initiated by the user.

Credential Theft and Data Collection

The malware includes several components designed to steal valuable information from infected systems.

Capabilities observed in the campaign include:

• Stealing macOS passwords
• Harvesting browser data
• Collecting cryptocurrency wallet information
• Accessing Telegram session data
• Extracting SSH keys
• Gathering Apple Notes data
• Capturing system information
• Uploading stolen files to attacker infrastructure

One component displays a legitimate-looking password prompt to trick users into entering their system credentials. Once verified, the credentials are sent to the attackers.

Researchers also found attempts to manipulate macOS Transparency, Consent, and Control (TCC) settings, allowing the malware to gain broader access to files and applications without generating additional security warnings.

Security Recommendations

Microsoft and Apple have released protections to help detect and block this activity. Apple updated XProtect and Safe Browsing protections, while Microsoft added new detection capabilities to Microsoft Defender.

Security teams are encouraged to:

• Avoid running unsolicited .scpt files
• Verify software updates through official vendor websites
• Monitor suspicious curl and osascript activity
• Restrict execution of unsigned applications
• Watch for unusual TCC database modifications
• Rotate credentials if compromise is suspected
• Use hardware wallets for cryptocurrency storage

The campaign highlights how threat actors continue to abuse trusted macOS tools and social engineering techniques to bypass security controls and gain access to sensitive user data.

Indicators of compromise

Malicious file hashes

The post Sapphire Sleet Targets macOS With Multi-Stage Malware appeared first on First Hackers News.

The issue is significant because BitLocker is widely used by enterprises and government organizations to protect sensitive data. If exploited successfully, attackers could gain access to encrypted information without requiring the BitLocker recovery key, reducing the effectiveness of one of Windows’ most important security controls.

How It Works

The GreatXML exploit reportedly abuses the way Windows Recovery Environment processes configuration files during recovery operations. Researchers observed that specially crafted XML files, including an unattend.xml file and modified recovery configuration files, can be placed within the recovery partition.

When the affected system enters Recovery Mode, these files are processed automatically. Instead of loading the expected recovery interface, the manipulated configuration may trigger a command shell running with elevated SYSTEM privileges, granting access to the unlocked BitLocker-protected volume. The exploit appears to leverage trusted recovery mechanisms rather than traditional memory corruption or kernel vulnerabilities.

The Attack Chain Can Involve

1. Initial Device Access

• Physical access to a workstation or laptop.
• Administrative access obtained through another compromise.

2. Recovery Partition Modification

• Placement of malicious XML files within the recovery partition.
• Modification of recovery configuration settings.

3. Privilege Escalation

• Launch of a SYSTEM-level command shell.
• Access to BitLocker-protected storage.

4. Data Access and Collection

• Viewing sensitive files.
• Extraction of credentials and corporate information.
• Offline forensic evasion activities.

Multiple Other Methods Threat Actors May Use

Although GreatXML focuses on recovery partition XML files, attackers frequently target BitLocker through additional techniques, including:

• indows Recovery Environment abuse
• Boot Manager manipulation
• Privilege escalation vulnerabilities
• Offline disk analysis after system theft

Modern attackers often combine multiple vulnerabilities to increase the likelihood of success and evade detection.

Why Legacy Components Remain a Risk

Many organizations focus heavily on operating system patching and endpoint detection while overlooking legacy recovery components and boot infrastructure. Recovery partitions, WinRE configurations, deployment scripts, unattended setup files, and offline maintenance tools often receive less monitoring than standard system files.

Attackers increasingly target these trusted components because they operate outside traditional security controls. Since recovery environments are designed to help administrators regain access to systems, they frequently possess elevated privileges and trusted execution paths. When abused, these features can become powerful attack vectors.

Security Experts Recommend That Organizations

To reduce exposure to GreatXML and similar recovery-environment attacks, security teams should:

Harden BitLocker Deployments

• Enable TPM + PIN authentication.
• Enforce strong recovery key management.
• Monitor BitLocker policy compliance.

Secure Recovery Environments

• Restrict unauthorized access to WinRE.
• Monitor changes to recovery partitions.
• Audit recovery-related files and configurations.

Maintain Patch Management

• Apply Microsoft security updates promptly.
• Track new advisories related to BitLocker, WinRE, and Defender Offline Scan.
• Review recovery partition configurations after major updates.

The GreatXML vulnerability serves as a reminder that encryption alone does not guarantee complete protection. Recovery environments, boot processes, and trusted system components can become attractive targets for attackers seeking to bypass traditional security controls. Organizations should adopt a layered security strategy that includes BitLocker hardening, recovery environment monitoring, physical security controls, and continuous threat detection to reduce the risk of compromise.

The post Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files appeared first on First Hackers News.

The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

Security researchers demonstrated that the flaws can be chained together to achieve remote code execution with root privileges through a single specially crafted request. The vulnerabilities affect UniFi OS Server installations and pose a significant risk to organizations using exposed management interfaces, highlighting the importance of addressing UniFi OS Vulnerabilities.

Because the attack requires no authentication, security experts are urging administrators to patch affected systems immediately.

How the Attack Works

The exploit begins with vulnerabilities that allow attackers to bypass UniFi OS authentication protections.

Researchers discovered that inconsistencies in how requests are processed can allow specially crafted URLs to access internal functions that should normally require authentication. Once inside, attackers can target a separate command injection flaw within the system’s update mechanism.

The attack chain allows threat actors to:

• Bypass authentication controls
• Execute commands remotely
• Gain root-level access
• Install malicious software
• Maintain long-term access to the system

Researchers confirmed that the exploit can be executed remotely against vulnerable devices running affected versions of UniFi OS.

Potential Impact on Organizations

A successful compromise gives attackers complete control over the UniFi management platform.

With root access, attackers may be able to:

• Create persistent administrator accounts
• Access sensitive network data
• Steal encryption and authentication keys
• Extract database information
• Modify system configurations
• Maintain access even after password changes

In environments using UniFi Access and UniFi Protect, the risks extend beyond traditional IT systems.

Researchers warn that attackers could potentially:

• Unlock connected doors
• Access surveillance systems
• Monitor live camera feeds
• Delete security footage
• Access stored credential information

This makes the vulnerabilities especially concerning for organizations that rely on UniFi products for both network and physical security management.

Recommended Mitigation Steps

Administrators should immediately upgrade to the latest patched UniFi OS versions provided by Ubiquiti.

Additional security measures include:

• Restrict management interfaces from internet access
• Rotate authentication and signing keys
• Change administrative credentials
• Review systems for suspicious activity
• Rebuild potentially compromised servers
• Audit access logs and configurations

Security experts advise treating any internet-exposed, unpatched UniFi OS instance as potentially compromised due to the severity of the vulnerabilities and the ease of exploitation.

The post Critical UniFi OS Vulnerabilities Allow Root RCE appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.

The attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The FROST SSD Timing Attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The findings highlight growing concerns around browser APIs and performance features that may unintentionally expose sensitive system behavior.

How the FROST Attack Works

The technique relies on the Origin Private File System (OPFS), a browser storage feature designed to improve web application performance.

Researchers found that a malicious website can create a large file inside the browser’s storage sandbox and continuously perform random disk reads. These operations force the SSD to handle real disk activity instead of using cached memory.

When other applications or browser tabs access the same SSD, small delays and latency spikes occur due to resource contention. The malicious page measures these timing differences using high-resolution browser timers.

To improve accuracy, attackers can enable cross-origin isolation settings that unlock more precise timing measurements through APIs such as performance.now().

The collected timing data is then analyzed using machine learning models to identify patterns linked to specific websites or applications.

Researchers Demonstrated Cross-Browser Tracking

During testing, researchers showed that the attack could monitor user activity across multiple browser instances on macOS systems.

In one experiment:

• A malicious Chrome tab monitored SSD timing activity
• A victim opened websites in Safari
• The timing patterns were analyzed using a neural network model
• The system successfully identified visited websites with high accuracy

The researchers reported strong detection results while testing against popular websites.

They also demonstrated a covert communication channel on Linux and macOS systems where SSD contention signals were used to transfer information between applications.

Privacy and Security Concerns

The research shows how modern browser performance features may weaken traditional browser isolation protections.

Unlike traditional malware, the attack does not require installing software on the victim’s device. Instead, a single visit to a malicious webpage may be enough to begin collecting timing information silently in the background.

Researchers warned that the technique could potentially be used for:

• Cross-browser activity tracking
• User behavior monitoring
• Website fingerprinting
• Covert communication channels
• Privacy-invasive surveillance techniques

The findings also raise concerns about how high-resolution timers and advanced browser storage APIs can unintentionally create new side-channel attack surfaces.

While the attack currently requires specific conditions and technical expertise, the research demonstrates how low-level hardware behavior can increasingly be abused for remote tracking and surveillance purposes.

The post New FROST Technique Lets Websites Monitor SSD Activity appeared first on First Hackers News.

The issue was initially noticed by a Motorola Razr 60 Ultra user who observed unusual behavior when opening the Amazon app. Instead of launching normally, the device briefly opened a web browser before redirecting back to Amazon with a tracking identifier attached.

Further investigation revealed that a preinstalled background application named Smart Feed was responsible for the redirects.

Hidden App Injects Affiliate Tracking Codes

Researchers found that the hidden app communicates with an external server identified as devicenative[.]com. The server appears to provide affiliate-related settings and redirect instructions used by the application.

When users tap shopping apps from the launcher, the hidden service intercepts the request and inserts affiliate tracking data before sending users to the final destination.

The observed behavior includes:

• Intercepting Amazon app launches
• Opening browser-based redirect links
• Injecting affiliate tracking parameters
• Connecting to remote servers for configuration updates
• Running silently in the background

Because Android automatically handles supported links inside apps, most users are unlikely to notice the redirection process.

Researchers Warn About Potential Risks

Security experts noted that the technique shares similarities with behaviors commonly seen in adware and mobile malware.

The concerns go beyond affiliate monetization because the same infrastructure could theoretically be modified to redirect users toward malicious websites, phishing pages, or credential theft portals.

Researchers also highlighted several worrying characteristics:

• Hidden system-level persistence
• External server-controlled behavior
• Intent interception techniques
• Limited user visibility or control
• Difficulty removing the application

Since the application relies on remote configuration from external servers, its behavior could potentially change without any operating system update.

The issue has currently been confirmed on the Motorola Razr 60 Ultra, although it is still unclear whether other Motorola devices are affected.

While reports suggest a third-party monetization partner may be involved, researchers argue that smartphone manufacturers remain responsible for software bundled with their devices.

Motorola has not publicly commented on the findings at the time of reporting.

The post Hidden Motorola App Redirects Amazon Traffic appeared first on First Hackers News.

EU regulators accuse Google of favoring its own services in search results, including Google Shopping, Google Maps, and Google Flights. Officials believe this practice reduces visibility for competing platforms and limits user choice.

The investigation began in March 2025 and could lead to one of the largest penalties issued under the DMA so far.

Google Faces Scrutiny Over Search Practices

The Digital Markets Act was introduced to prevent dominant technology platforms from abusing their market power. Under the regulation, companies classified as “gatekeepers” must maintain fair competition and avoid giving unfair advantages to their own services.

According to reports, regulators are concerned that Google’s search engine may be prioritizing internal products over rival platforms.

The DMA requires major platforms to:

• Maintain fair search rankings
• Avoid self-preferencing practices
• Improve platform transparency
• Support interoperability
• Prevent unfair use of competitor data

Violations under the DMA can result in fines reaching up to 10% of a company’s global annual revenue.

Possible Record DMA Penalty

Reports suggest the upcoming penalty could reach several hundred million euros, making it the biggest DMA-related fine issued to date. The final decision is expected before the EU summer recess.

This is not the first time Google has faced regulatory action in Europe. The company has previously received multi-billion-euro fines related to Google Shopping, Android dominance, and online advertising practices.

Recent investigations also focused on adtech self-preferencing and concerns around digital market competition.

Beyond competition issues, the case highlights broader concerns about algorithm transparency and platform control. Regulators increasingly view fair ranking systems as important for maintaining trust, information visibility, and a balanced digital ecosystem.

The enforcement action may also create political tension between the EU and the United States, especially as debates around Big Tech regulation continue globally.

If confirmed, the case will become a major milestone in enforcing the Digital Markets Act and signal stronger EU action against powerful technology companies.

The post EU Moves Closer to Major Fine Against Google appeared first on First Hackers News.

Researchers observed the campaign throughout 2025 and into 2026, with most targets including government agencies, diplomatic entities, and commercial organizations in Russia and Belarus. The operation combines phishing attacks, legacy vulnerabilities, custom malware, and stealthy persistence techniques to maintain long-term access inside victim environments.

The campaign demonstrates how attackers are increasingly blending legitimate administration tools with advanced malware techniques to avoid detection and maintain covert remote access.

Initial Access Through Phishing and Exploits

Cloud Atlas APT continues to rely heavily on phishing emails as its primary entry point. Attackers distribute ZIP archives containing malicious LNK shortcut files designed to silently execute PowerShell commands from attacker-controlled infrastructure.

At the same time, the threat actors also weaponize Microsoft Office documents exploiting the Equation Editor vulnerability, CVE-2018-0802, to download additional payloads onto infected systems.

Once executed, the PowerShell scripts establish persistence by saving a secondary script named fixed.ps1 in the Windows temporary directory and creating autorun entries through the Windows Registry.

To distract victims and reduce suspicion, the malware downloads a decoy archive, extracts a PDF document, and displays it on the screen while malicious activities continue in the background. During this stage, forensic traces are deleted and the primary payloads are launched.

VBCloud and PowerShower Backdoors

The fixed.ps1 script functions as a loader for two major malware components named VBCloud and PowerShower.

VBCloud File-Stealing Malware

VBCloud is mainly used for data theft. The malware deploys an encrypted payload named video.mds, which is decrypted in memory using RC4 encryption and executed through a Visual Basic Script (VBS) loader.

The malware searches for and exfiltrates sensitive files, including:

• DOC and DOCX documents
• PDF files
• XLS and spreadsheet data
• Other confidential business documents

Collected data is transmitted to attacker-controlled servers for further analysis and espionage purposes.

PowerShower for Reconnaissance and Lateral Movement

PowerShower focuses on reconnaissance, credential harvesting, and internal network movement. The malware gathers system and domain information, executes remote PowerShell commands, and supports lateral movement across enterprise environments.

Researchers observed the malware performing Kerberoasting attacks to extract Active Directory service account credentials. It also includes a credential harvesting module that abuses the fodhelper.exe UAC bypass technique to gain elevated privileges.

With administrative access, attackers can retrieve sensitive data from the SAM and SECURITY registry hives through Windows shadow copies.

Modification of termsrv.dll Enables Multiple RDP Sessions

A significant evolution in this campaign is the use of a PowerShell script called rdp_new.ps1, which directly modifies the Windows termsrv.dll library.

The termsrv.dll component controls Remote Desktop session management and normally prevents multiple simultaneous user logins. Cloud Atlas bypasses this restriction by taking ownership of the DLL file, patching specific byte sequences, and restarting the RDP service.

After modification, multiple concurrent RDP sessions become possible on the infected machine. This allows attackers to maintain hidden remote access without disconnecting legitimate users, significantly lowering the risk of detection.

This technique provides threat actors with stealthy persistence while blending malicious activity with normal administrator behavior.

Reverse SSH Tunnels and Stealth Persistence

To strengthen persistence and ensure continued remote access, Cloud Atlas deploys multiple tunneling and proxy mechanisms.

The attackers establish reverse SSH tunnels from compromised systems to remote servers under their control. These tunnels bypass inbound firewall restrictions and provide continuous access into internal networks.

The operation also uses:

• VBS scripts executed through PsExec
• Scheduled tasks for automatic tunnel recovery
• Modified file permissions to protect SSH keys
• Customized OpenSSH builds with altered cryptographic libraries
• RevSocks tunneling utilities written in Go
• Tor hidden services for anonymous RDP connectivity

These layered persistence mechanisms make incident response and remediation significantly more difficult.

PowerCloud Malware Uses Google Sheets for Data Exfiltration

Researchers also identified a newer tool called PowerCloud that collects administrative user information and exfiltrates the data to Google Sheets using Base64-encoded content.

The use of legitimate cloud services highlights Cloud Atlas’ growing focus on blending malicious traffic with normal enterprise activity, making traditional security monitoring more challenging.

Ongoing Threat to Government and Enterprise Networks

Telemetry linked to the campaign shows a strong focus on government, diplomatic, and high-value enterprise organizations, consistent with Cloud Atlas’ long-standing espionage objectives.

Although some infrastructure overlaps with activity associated with the Head Mare group have been observed, researchers noted that the malware families, techniques, and operational behavior remain distinct.

The continued use of publicly available tools such as SSH, Tor, PsExec, and RevSocks alongside advanced techniques like RDP manipulation demonstrates the group’s evolving capabilities and operational maturity.

Security teams are advised to closely monitor:

• Unauthorized changes to termsrv.dll
• Suspicious PowerShell execution
• Unexpected RDP configuration changes
• Reverse SSH connections
• Scheduled tasks linked to remote access tools
• Unusual use of cloud platforms for data transfers

The campaign highlights the increasing sophistication of modern cyber espionage operations and the importance of continuous monitoring for stealthy persistence mechanisms inside enterprise networks.

The post Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access appeared first on First Hackers News.