The campaign highlights a growing trend where threat actors abuse trusted administrative tools to blend into normal network activity, making detection significantly more difficult. Once access is established, attackers focus on identifying sensitive documents, privileged communications, intellectual property, and client-related information that can later be leaked or used for extortion.

Threat Actor Profile

Who is UNC3753?

UNC3753 is known for targeting organizations that handle valuable confidential information. Researchers observed the group using legitimate remote administration software instead of custom malware, reducing the likelihood of triggering traditional security controls.

Primary Targets

• Law firms
• Legal service providers
• Corporate legal departments
• Financial organizations
• Professional service firms

Primary Objectives

• Data theft
• Extortion
• Information brokerage
• Intelligence gathering

Initial Access Through Social Engineering

Unlike many ransomware groups that rely on vulnerability exploitation, UNC3753 often gains access through direct interaction with victims.

• Fake IT support requests
• Help desk impersonation
• Remote assistance invitations
• Phishing emails

Victims are convinced to join remote sessions or install legitimate RMM software under the assumption they are receiving technical support.

RMM Tools as an Attack Vector

After gaining initial trust, attackers deploy legitimate RMM software to maintain access.

• Persistent remote access
• File transfer capabilities
• Command execution
• Session monitoring

By leveraging legitimate software, attackers can avoid many traditional malware-based detections.

Data leak portal used by threat actors to advertise stolen information and pressure victims into complying with extortion demands.

Living-Off-The-Land Techniques

UNC3753 relies heavily on legitimate tools already trusted within enterprise environments.

• Remote access software
• File synchronization tools
• Screen-sharing applications
• Cloud storage platforms

Indicators of Compromise (IOCs)

The researchers identified multiple infrastructure indicators associated with UNC3753 operations, including attacker-controlled IP addresses, phishing support domains, and data leak platforms used for victim extortion and disclosure.

Security Recommendations

• Strengthen User Awareness
• Restrict RMM Usage
• Implement MFA
• Monitor Sensitive Data Repositories

The UNC3753 campaign demonstrates how threat actors can successfully compromise organizations without relying heavily on malware. By abusing screen-sharing sessions, legitimate RMM software, and social engineering techniques, attackers gain access to highly sensitive legal information while remaining difficult to detect. Organizations should focus on monitoring remote access activity, restricting unauthorized administrative tools, and strengthening employee awareness to reduce the risk of similar attacks.

The post UNC3753 Exploits Screen-Sharing Sessions and RMM Tools to Steal Sensitive Legal Data appeared first on First Hackers News.

The attacks have been linked to the threat group ShinyHunters, which has reportedly targeted more than 100 organizations, with a significant concentration in the education sector. Researchers observed exploitation activity before Oracle publicly released its security advisory, classifying the vulnerability as a true zero-day.

Because Oracle PeopleSoft is widely used for managing human resources, payroll, finance, and other business-critical functions, successful exploitation could expose highly sensitive organizational data and provide attackers with deep access into enterprise environments.

Technical Breakdown of the Attack

The vulnerability resides within Oracle PeopleSoft PeopleTools, specifically affecting components exposed to the internet. Security researchers indicate that attackers can exploit the flaw without valid credentials, enabling remote execution of arbitrary commands on affected servers. The vulnerability carries a critical severity rating and may lead to full system compromise if left unmitigated.

Researchers also reported that threat actors leveraged the flaw against Environment Management Hub (PSEMHUB) endpoints. Following successful exploitation, attackers can deploy malicious tools, execute administrative commands, and establish persistent access within the targeted environment.

The Attack Chain Can Involve :

• Reconnaissance of internet-facing PeopleSoft servers.
• Identification of vulnerable PeopleTools instances.
• Exploitation of CVE-2026-35273 without authentication.
• Remote code execution on the application server.
• Deployment of web shells or remote management tools.

Multiple Other Methods Threat Actors May Use

While the zero-day vulnerability serves as the initial access vector, attackers frequently combine additional techniques to strengthen their foothold and increase operational success.

• Web shell deployment
• Credential theft
• Authentication bypass attacks
• Exploitation of legacy vulnerabilities

Modern threat actors rarely rely on a single attack technique. Instead, they combine multiple methods to gain deeper access, maintain persistence, evade security monitoring, and ultimately achieve objectives such as data theft, extortion, or ransomware deployment.

Why Enterprise Applications Remain a High-Value Target

Enterprise platforms such as Oracle PeopleSoft store some of an organization’s most valuable information, including employee records, financial data, payroll details, and operational information. Because these systems often integrate with multiple business applications, a single compromise can provide attackers with extensive visibility across the enterprise.

Threat actors increasingly target business-critical applications because successful exploitation can deliver immediate access to large volumes of sensitive data. In many environments, these platforms are internet-facing and may not receive the same level of security monitoring as endpoints, making them attractive targets for advanced threat groups.

Security Experts Recommend That Organizations

• Apply Oracle Mitigations Immediately
• Audit Internet-Facing PeopleSoft Systems
• Strengthen Access Controls
• Conduct Threat Hunting Activities

The active exploitation of CVE-2026-35273 demonstrates how rapidly threat actors can weaponize critical enterprise software vulnerabilities. With ShinyHunters reportedly targeting organizations through Oracle PeopleSoft environments, security teams should prioritize mitigation efforts, strengthen monitoring capabilities, and review exposure of internet-facing enterprise applications to reduce the risk of compromise.

The post Critical Oracle PeopleSoft Zero-Day RCE Vulnerability Actively Exploited by ShinyHunters appeared first on First Hackers News.

This campaign involves a Linux version of the GoGra backdoor, showing that the group is expanding beyond its earlier Windows-based operations. By using trusted cloud services, the malware blends into normal network traffic, allowing it to bypass many standard security tools that typically look for suspicious external connections.

The attack appears to focus on espionage rather than financial gain. Evidence suggests that targets are mainly located in South Asia, with attackers using region-specific document names to make their phishing attempts more convincing. This level of targeting shows a carefully planned and strategic operation.

Outlook Mailbox Malware Explained

The attackers gain access through social engineering, tricking users into opening files that appear harmless. These files are often disguised as official documents, but they actually contain hidden malicious code.

Once the file is opened, the malware quietly installs itself in the background. It avoids drawing attention while setting up persistence, ensuring it can continue running even after the system is restarted.

Some key characteristics of the infection process include:

• Disguised files that look like PDFs or official documents
• Malware hidden inside Linux executable files
• Silent installation without visible signs
• Persistence mechanisms that allow it to survive reboots

This approach makes it difficult for users to realize they have been infected until much later.

How the Backdoor Uses Microsoft Infrastructure

What makes this attack particularly sophisticated is how it uses Microsoft’s own services as a communication channel. Instead of connecting to suspicious servers, the malware interacts with legitimate cloud infrastructure, which helps it stay hidden.

After installation, the backdoor uses Microsoft APIs to communicate with a real Outlook mailbox. It regularly checks for new messages that contain instructions from the attacker. These commands are processed on the infected system, and the results are sent back through email responses.

The malware is designed to clean up after itself, deleting messages once they are used. This reduces traces of the attack and makes forensic investigation more difficult.

The main capabilities of the backdoor include:

• Receiving commands through Outlook mailbox messages
• Executing those commands on the infected machine
• Sending results back via email
• Removing evidence after communication

Because all of this happens through trusted services, the activity can easily go unnoticed in normal network monitoring.

Why This Attack Is Concerning

This campaign highlights a growing trend where attackers abuse legitimate platforms to hide their operations. By using trusted services like Microsoft’s cloud, they can bypass many traditional defenses that rely on detecting suspicious traffic.

The impact of such an attack can be serious. Attackers may gain long-term access to systems, collect sensitive data, and monitor user activity without being detected. Since the malware operates quietly and removes traces of its actions, it can remain active for extended periods.

This also shows how threat actors are evolving their techniques, moving toward more stealthy and persistent methods. Organizations can no longer rely only on basic perimeter defenses and must adopt more advanced monitoring strategies.

To reduce risk, security teams should pay close attention to unusual system behavior, unexpected background services, and abnormal use of cloud APIs. Monitoring activity from endpoints that do not typically interact with such services can help identify potential threats early.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Hackers Hide GoGra Backdoor in Outlook Mailboxes appeared first on First Hackers News.

This issue, identified as CVE-2024-3094, impacts versions 5.6.0 and 5.6.1. The injected code is designed to stay hidden during normal review processes and only becomes active during the software build stage. Once active, it can interfere with SSH authentication, potentially allowing attackers to gain unauthorized access to affected systems.

Technical Impact and Mitigation

The attack is highly sophisticated, as the malicious components are not fully visible in the main source code. Instead, they rely on additional build-time elements to assemble and execute the payload. This makes detection difficult using standard code inspection methods.

Once deployed, the compromised library can alter how SSH authentication behaves, creating an opportunity for attackers to bypass normal security checks and access systems remotely.

Key highlights:

• CVE-2024-3094 affects xz and xz-libs versions 5.6.0 and 5.6.1
• Malicious code is triggered during the build process
• Targets SSH authentication mechanisms
• Impacts Fedora Rawhide, Fedora 40 Beta, Debian unstable, and openSUSE
• Red Hat Enterprise Linux (RHEL) remains unaffected

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Immediate Actions

• Downgrade to trusted xz version 5.4.x
• Stop using Fedora Rawhide until systems are secured
• Apply official patches and updates from Red Hat
• Monitor systems for unusual SSH behavior

Even though active exploitation has not been widely reported, the nature of this compromise makes it a high-risk issue. Prompt action is necessary to protect systems from potential unauthorized access.

The post xz Backdoor Vulnerability Exposes Linux Systems to Remote Access appeared first on First Hackers News.

Researchers observed over 21,000 command-and-control (C2) servers between July and December 2025. Along with this growth, attackers are increasingly using infected devices as residential proxies, not just for DDoS attacks.

This rise also aligns with a surge in massive DDoS campaigns. Reports highlight “hyper-volumetric” attacks, including one reaching 31.4 Tbps, showing how far these botnets have evolved. At the same time, botnet activity has sharply increased after a period of stability, indicating a renewed wave of large-scale operations.

Evolution of Mirai-Based Botnets

Mirai first appeared in 2016, targeting internet-connected devices such as routers and IoT systems that often rely on weak or default credentials. Once compromised, these devices are added to a botnet that can launch high-volume traffic floods across multiple layers.

The public release of Mirai’s source code played a major role in its growth. It allowed attackers to create multiple variants, each adding new capabilities while keeping the core attack techniques intact.

One well-known variant, Satori, rapidly spread by exploiting vulnerabilities in routers, especially through command injection flaws. It used automated scripts to download and execute malware across different device architectures, allowing infections to scale quickly without user interaction.

Expanding Capabilities and Abuse Techniques

Modern Mirai botnets are no longer limited to DDoS attacks. They are now being used in more advanced and flexible ways, increasing their overall impact.

Key capabilities seen in recent campaigns include:

• Large-scale DDoS attacks reaching record-breaking volumes
• Use of infected devices as residential proxy networks
• Automated exploitation of IoT vulnerabilities
• Multi-architecture malware deployment for wider coverage
• Stealthier operations to avoid detection

Aisuru-Kimwolf Expanding DDoS and Proxy Abuse

Newer botnet families like Aisuru and Kimwolf have taken Mirai-based threats to the next level. These botnets are now used not only for massive DDoS attacks but also as residential proxy networks that can be rented for cybercrime activities.

Security reports have linked Aisuru-Kimwolf to extremely large attacks, including one reaching 31.4 Tbps. These attacks often generate massive traffic with billions of packets per second, using random patterns to avoid basic detection and filtering systems.

At the same time, Kimwolf, which targets Android devices, is being used to exploit residential proxy services. Attackers use these networks to access internal systems, infect devices like smart TVs and smartphones, and then sell that access for activities such as fraud and credential stuffing.

Ongoing Threat and Defensive Focus

Law enforcement and tech companies have started taking action against these botnets by targeting their command-and-control infrastructure and disrupting the platforms used to manage proxy networks.

However, these efforts have not fully stopped the threat. Mirai-based botnets continue to survive and grow because many devices remain unpatched, especially routers and Android systems. Attackers can also quickly rebuild their infrastructure after disruptions.

For defenders, the focus should remain on strong basic security practices:

• Keep routers and IoT devices updated
• Monitor unusual outbound traffic
• Secure Android and edge devices
• Track indicators linked to Mirai variants

As these botnets continue to evolve, they are becoming more powerful and more versatile, combining large-scale disruption with stealthy abuse of network access.

The post Mirai Botnets Now Driving DDoS and Proxy Abuse appeared first on First Hackers News.

At the core of this attack is a malicious file named wp-index.php, which abuses WordPress’s must-use plugin functionality to ensure continuous operation that cannot be disabled via the standard admin dashboard.

The malware uses advanced obfuscation techniques, including ROT13 encoding, to conceal its communications with a remote command-and-control server.

Once executed, the malware fetches payloads from a hidden URL and stores them directly in the WordPress database under the option key _hdra_core. This tactic allows it to evade security solutions that focus mainly on filesystem changes.

Security researchers at Sucuri discovered this stealthy backdoor during routine investigations, highlighting its unusually effective persistence mechanisms across various infection vectors.

Notably, the malware creates a covert administrative user account named “officialwp” and uses WordPress filter functions to hide this account from the dashboard, masking its presence from site administrators.

The infection process is highly sophisticated, with the main loader script downloading base64-encoded payloads from hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php. When decoded, these payloads reveal a complete and robust malware framework.

The malware framework also incorporates a stealthy file manager, deceptively named “pricing-table-3.php”, which is placed within the active theme directory. This backdoor tool is shielded by a custom authentication token — “fsociety_OwnzU_4Evr_1337H4x!” — that must be sent via HTTP headers to gain access, adding an additional layer of concealment and control for the attackers.

Database-Centric Persistence Strategy

The most alarming aspect of this malware is its database-centric persistence strategy. Instead of depending on traditional file-based infections—often detectable through file integrity monitoring—the backdoor embeds its payload within WordPress’s options table. It then executes this stored code and swiftly removes any temporary files created during the process, effectively minimizing forensic traces and making detection significantly more difficult.

This technique enables the malware to withstand typical cleanup procedures, ensuring its continued presence even after superficial disinfection attempts. By storing and executing its payload from the database, the attackers retain remote code execution capabilities and full administrative control over the compromised WordPress site, making the infection both resilient and deeply embedded.

The post Stealthy Backdoor Discovered in WordPress Plugins Grants Hackers Long-Term Website Access appeared first on First Hackers News.

All about DeBackdoor

In many cases, developers acquire deep learning models from third-party sources without access to training data or the ability to inspect the model’s internals, making backdoor detection difficult. Most existing methods require access to the model’s architecture, training data, or multiple instances.

DeBackdoor overcomes these challenges by using a deductive approach to generate potential triggers and a search technique to identify the most effective ones. It focuses on optimizing the Attack Success Rate (ASR), a key metric for evaluating the success of backdoor attacks.

How it detects

DeBackdoor’s detection methodology involves defining a search space for potential trigger templates based on the attack’s description. It then applies Simulated Annealing (SA), a stochastic search technique, to iteratively generate and test candidate triggers.

SA is chosen for its ability to avoid local minima, allowing for a more thorough exploration of the trigger space compared to simpler methods like Hill Climbing.

By applying these triggers to a small set of clean inputs and assessing the model’s responses, DeBackdoor can identify if the model is backdoored.

The framework has shown high detection performance across various attack scenarios, including different trigger types and label strategies such as All2One, All2All, and One2One.

DeBackdoor outperforms existing detection baselines like AEVA and B3D, which are limited in scope and effectiveness.

Its adaptability makes it especially valuable in situations where the attack strategy is unknown or varies, offering a strong solution for securing deep learning models in critical applications.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Detecting Deep Learning Backdoors: The DeBackdoor Approach appeared first on First Hackers News.

FakeUpdate Spreads WarmCookie as Chrome, Edge Updates

Researchers at Gen Threat Labs have found a campaign spreading the WarmCookie backdoor. This campaign uses a known tactic called FakeUpdate, which tricks victims into downloading fake web browser updates.

Currently, the attacks are targeting users in France. In addition to popular browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, the campaign also offers “updates” for applications like Java, VMware Workstation, Proton VPN, and WebEx. Attackers either hack or create websites that display fake update requests. Following these requests leads to the download of a malicious program disguised as a browser update.

The FakeUpdate campaign is not new, as similar ones have existed before. WarmCookie has also previously used deceptive methods for distribution, such as job offers.

This updated version now enables data theft, device profiling, program enumeration, command execution, screenshot capture, and installation of additional malware.

The FakeUpdate site closely resembles a legitimate one, with a convincing URL. Currently, the site edgeupgrade[.]com is still active. Clicking the “Update” button downloads the file “Install_x64.exe,” which is the WarmCookie backdoor. Once launched, the malware checks for a virtual environment. If none is found, it collects the system fingerprint and sends it to the attackers’ command and control server.

The WarmCookie backdoor gives attackers full access to compromised systems, with new features like running DLLs from the temp folder and executing EXE and PowerShell files. This allows for basic data theft and the delivery of payloads like ransomware. All modern browsers on Windows now auto-update, removing the need for manual downloads; users just need to restart the browser.

How to stay protected from malware and online threats:

• Keep Software Updated: Regularly update your operating system, web browsers, and applications to patch vulnerabilities.
• Use Antivirus Software: Install reputable antivirus or anti-malware programs and keep them updated to detect and remove threats.
• Enable Firewalls: Use a firewall to monitor incoming and outgoing network traffic and block suspicious activity.
• Avoid Suspicious Links: Be cautious when clicking on links or downloading files from unknown sources, especially in emails or pop-ups.
• Use Strong Passwords: Create complex passwords and consider using a password manager to keep track of them.
• Enable Two-Factor Authentication (2FA): Use 2FA wherever possible for an added layer of security on your accounts.
• Backup Data: Regularly back up important files to an external drive or cloud storage to prevent data loss in case of an attack.
• Educate Yourself: Stay informed about the latest threats and learn how to recognize phishing attempts and other scams.
• Limit Privileges: Run applications with the least privilege necessary and avoid using administrative accounts for everyday tasks.
• Monitor System Behavior: Keep an eye on system performance for unusual activity, such as unexpected slowdowns or unauthorized changes.

The post WarmCookie malware spreads via fake update campaign in France appeared first on First Hackers News.

Loki Backdoor

Mythic offers a unified interface for managing agents across platforms, allowing flexibility and customization to create agents with specific features.

The official Mythic repository now has over two dozen agents, including the Loki agent, which uses a modified djb2 hashing algorithm to obscure API functions and commands, differing from the original Havoc agent by using a different magic number (2231).

The hash is calculated by shifting the value left by 5 bits, adding the original hash and current character, making the agent’s behavior harder to analyze and detect.

The Loki loader malware sends encrypted data about the infected system to a command-and-control server. The server responds by sending a DLL, which the loader runs in the device’s memory to handle further communication.

Both the May and July versions use similar encryption methods, but differ slightly in how they handle data and UUIDs. The May version sends a plaintext UUID, while the July version encodes it. After connecting, the loader passes control to the DLL, which carries out the malicious tasks.

The malware, stagger_1.1.dll, is a Windows x64 executable based on the Havoc agent, using hashed commands for file transfer, process management, and environment control. While it lacks native traffic tunneling, attackers use tools like ngrok or gTunnel to access private networks, loading them in memory to avoid detection.

According to Securelist, Russian companies across various industries have been targeted by a sophisticated malware campaign, likely delivered through email attachments. Attackers, using publicly available tools, have compromised over a dozen organizations.

Victims were tricked into opening malicious files, leading to the installation of Loki malware. Attribution remains difficult due to the use of common tools and evasive tactics.

Open-source post-exploitation frameworks like the July and May loaders are increasingly used to remotely control victim devices, often evading detection. Indicators of compromise include specific file hashes, network traffic, and C2 addresses. gTunnel and ngrok are key tools for tunneling and communication.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New Loki Backdoor Targets macOS Systems appeared first on First Hackers News.

ToddyCat APT 

In 2023, Kaspersky GERT uncovered a major internal fraud in a government organization, where threat actors used an internal service to steal over $20 million.

GERT’s DFIR analysis uncovered several attack vectors:

• A debugging interface vulnerability for cookie theft and user impersonation.
• Privilege escalation and account manipulation for fraudulent transactions.
• Unauthorized VPN access from external and internal networks.

The team connected user activities across different systems, including both local and remote IDs, to confirm that internal actors were working together.

This case highlights the critical need for strong internal controls, effective privileged access management, and comprehensive logging to identify and address insider threats in financial systems. Additionally, Kaspersky uncovered a sophisticated attack that had been ongoing in a customer’s infrastructure for over two years, revealing the depth and persistence of the intrusion.

The Flax Typhoon APT group used living-off-the-land techniques, misusing SoftEther VPN and Zabbix agent for unintended purposes. They deployed malware via Windows LOLBins like certutil and disguised services to avoid detection.

The attack involved NTDS dumping, Mimikatz, and CobaltStrike, including creating firewall rules for hidden communication. As a result, the client successfully sued the insider employee and accomplices, highlighting the critical need for APT detection solutions to identify and eliminate long-term threats.

GERT’s assessment confirmed the attack timeline, compromised users, and execution methods. The investigation revealed SMB abuse, IKEEXT service persistence, and the CVE-2021-26855 vulnerability in Microsoft Exchange Servers.

A malicious wlbsctrl.dll was used for persistence and lateral movement via SMB. An ICMP backdoor was found embedded in an application, featuring mutex checking, registry manipulation, and encrypted payload execution.

The backdoor used AES encryption with the C drive’s volume serial number as a key parameter. Payloads were injected into dllhost.exe, creating ICMP sockets, receiving Base64 data, and using encrypted shellcodes.

While the attack shows ToddyCat’s TTPs, full attribution is unclear. The case underscores the importance of asset surveillance, threat intelligence, and MDR services.

The post ToddyCat APT Exploits SMB and IKEEXT RCE to Deploy ICMP Backdoor appeared first on First Hackers News.