Researchers observed the campaign throughout 2025 and into 2026, with most targets including government agencies, diplomatic entities, and commercial organizations in Russia and Belarus. The operation combines phishing attacks, legacy vulnerabilities, custom malware, and stealthy persistence techniques to maintain long-term access inside victim environments.

The campaign demonstrates how attackers are increasingly blending legitimate administration tools with advanced malware techniques to avoid detection and maintain covert remote access.

Initial Access Through Phishing and Exploits

Cloud Atlas APT continues to rely heavily on phishing emails as its primary entry point. Attackers distribute ZIP archives containing malicious LNK shortcut files designed to silently execute PowerShell commands from attacker-controlled infrastructure.

At the same time, the threat actors also weaponize Microsoft Office documents exploiting the Equation Editor vulnerability, CVE-2018-0802, to download additional payloads onto infected systems.

Once executed, the PowerShell scripts establish persistence by saving a secondary script named fixed.ps1 in the Windows temporary directory and creating autorun entries through the Windows Registry.

To distract victims and reduce suspicion, the malware downloads a decoy archive, extracts a PDF document, and displays it on the screen while malicious activities continue in the background. During this stage, forensic traces are deleted and the primary payloads are launched.

VBCloud and PowerShower Backdoors

The fixed.ps1 script functions as a loader for two major malware components named VBCloud and PowerShower.

VBCloud File-Stealing Malware

VBCloud is mainly used for data theft. The malware deploys an encrypted payload named video.mds, which is decrypted in memory using RC4 encryption and executed through a Visual Basic Script (VBS) loader.

The malware searches for and exfiltrates sensitive files, including:

• DOC and DOCX documents
• PDF files
• XLS and spreadsheet data
• Other confidential business documents

Collected data is transmitted to attacker-controlled servers for further analysis and espionage purposes.

PowerShower for Reconnaissance and Lateral Movement

PowerShower focuses on reconnaissance, credential harvesting, and internal network movement. The malware gathers system and domain information, executes remote PowerShell commands, and supports lateral movement across enterprise environments.

Researchers observed the malware performing Kerberoasting attacks to extract Active Directory service account credentials. It also includes a credential harvesting module that abuses the fodhelper.exe UAC bypass technique to gain elevated privileges.

With administrative access, attackers can retrieve sensitive data from the SAM and SECURITY registry hives through Windows shadow copies.

Modification of termsrv.dll Enables Multiple RDP Sessions

A significant evolution in this campaign is the use of a PowerShell script called rdp_new.ps1, which directly modifies the Windows termsrv.dll library.

The termsrv.dll component controls Remote Desktop session management and normally prevents multiple simultaneous user logins. Cloud Atlas bypasses this restriction by taking ownership of the DLL file, patching specific byte sequences, and restarting the RDP service.

After modification, multiple concurrent RDP sessions become possible on the infected machine. This allows attackers to maintain hidden remote access without disconnecting legitimate users, significantly lowering the risk of detection.

This technique provides threat actors with stealthy persistence while blending malicious activity with normal administrator behavior.

Reverse SSH Tunnels and Stealth Persistence

To strengthen persistence and ensure continued remote access, Cloud Atlas deploys multiple tunneling and proxy mechanisms.

The attackers establish reverse SSH tunnels from compromised systems to remote servers under their control. These tunnels bypass inbound firewall restrictions and provide continuous access into internal networks.

The operation also uses:

• VBS scripts executed through PsExec
• Scheduled tasks for automatic tunnel recovery
• Modified file permissions to protect SSH keys
• Customized OpenSSH builds with altered cryptographic libraries
• RevSocks tunneling utilities written in Go
• Tor hidden services for anonymous RDP connectivity

These layered persistence mechanisms make incident response and remediation significantly more difficult.

PowerCloud Malware Uses Google Sheets for Data Exfiltration

Researchers also identified a newer tool called PowerCloud that collects administrative user information and exfiltrates the data to Google Sheets using Base64-encoded content.

The use of legitimate cloud services highlights Cloud Atlas’ growing focus on blending malicious traffic with normal enterprise activity, making traditional security monitoring more challenging.

Ongoing Threat to Government and Enterprise Networks

Telemetry linked to the campaign shows a strong focus on government, diplomatic, and high-value enterprise organizations, consistent with Cloud Atlas’ long-standing espionage objectives.

Although some infrastructure overlaps with activity associated with the Head Mare group have been observed, researchers noted that the malware families, techniques, and operational behavior remain distinct.

The continued use of publicly available tools such as SSH, Tor, PsExec, and RevSocks alongside advanced techniques like RDP manipulation demonstrates the group’s evolving capabilities and operational maturity.

Security teams are advised to closely monitor:

• Unauthorized changes to termsrv.dll
• Suspicious PowerShell execution
• Unexpected RDP configuration changes
• Reverse SSH connections
• Scheduled tasks linked to remote access tools
• Unusual use of cloud platforms for data transfers

The campaign highlights the increasing sophistication of modern cyber espionage operations and the importance of continuous monitoring for stealthy persistence mechanisms inside enterprise networks.

The post Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access appeared first on First Hackers News.

By hosting phishing content on legitimate Google-owned domains, the attackers are able to bypass many email security filters and web gateways. Because the links appear trustworthy, they are less likely to raise suspicion.

Victims are redirected to realistic login pages that imitate well-known brands. After entering their credentials, they are quietly sent to the real website, making the attack difficult to detect.

Global Impact and Scale

The campaign is widespread. Investigators uncovered attacker-controlled servers containing thousands of stolen credentials linked to more than 1,000 organizations across 100+ countries and over 200 industries.

Mexico has the highest number of confirmed victims, particularly in manufacturing, education, and government sectors. The United States, Spain, India, and Argentina are also significantly affected.

The use of trusted cloud services makes this campaign especially effective and harder to block using traditional security controls.

Group-IB researchers describe GTFire as a structured, large-scale credential theft operation.

Attackers reuse the same phishing templates across multiple brands and store stolen data on centralized servers, organized by date, language, and targeted servic

More than 120 phishing domains were discovered, using similar naming patterns to quickly rotate infrastructure and avoid detection.

Attackers customize each fake login page to closely match real brands. After victims enter their credentials, they are redirected to the legitimate website, delaying suspicion.

Because the campaign uses trusted Google domains, traditional URL filtering and blocklists struggle to detect it — showing how easily legitimate infrastructure can be misused for phishing.

How the Attack Works

The attack starts with a phishing email that contains a Google Translate link. This link quietly routes the victim through Google’s translation service before redirecting them to a fake login page hosted on Firebase.

Because the link uses a Google domain, many email filters and web gateways do not block it.

Attackers create many random *.web.app subdomains to host phishing pages and rotate them frequently to avoid detection. Each page is designed to look like a real brand login portal.

When victims enter their credentials, they are shown a fake “wrong password” message and asked to try again. Both login attempts are secretly captured and sent to attacker-controlled servers, along with basic details like location and browser language.

The stolen data is collected using simple, ready-made backend tools, making the campaign easy to scale.

Mitigation Measures

Organizations should:

• Enforce phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize suspicious Google-based links
• Monitor for unusual use of translate.goog and *.web.app domains
• Watch for brand impersonation hosted on trusted cloud platforms
• Share indicators of compromise with security communities and CERT teams

Trusted services can be misused, so detection strategies must go beyond basic domain reputation check

The post GTFire Phishing Attack Hides Behind Google Services appeared first on First Hackers News.

According to a new analysis by Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman, the attackers use phishing and smishing campaigns to steal employee credentials from companies that issue or manage gift cards. Once inside, they escalate privileges and issue unauthorized cards for financial gain — often reselling them on gray markets.

Gift cards remain a preferred target for cybercriminals due to their ease of redemption, anonymity, and traceability challenges, making such fraud difficult to investigate.

A Seasonal Threat with Long-Term Persistence

The group’s name, Jingle Thief, stems from its pattern of ramping up fraud campaigns around holiday and festive seasons, when gift card transactions surge. Palo Alto Networks tracks the operation internally under the identifier CL-CRI-1032, with “CL” representing cluster and “CRI” indicating criminal motivation.

Researchers have linked Jingle Thief with moderate confidence to financially motivated actors Atlas Lion and Storm-0539, groups previously associated with operations traced back to Morocco. The threat cluster is believed to have been active since late 2021.

One of the most concerning traits of Jingle Thief is its long-term persistence within compromised environments — in some cases, maintaining access for over a year. During this period, attackers conduct extensive reconnaissance, map cloud infrastructures, move laterally, and implement methods to avoid detection.

Recent Global Campaigns

Unit 42 reported a surge in coordinated Jingle Thief campaigns between April and May 2025, targeting multiple global enterprises. In one notable incident, the attackers compromised 60 user accounts within a single organization and maintained access for approximately 10 months.

By exploiting stolen credentials, Jingle Thief operators impersonate legitimate users to infiltrate Microsoft 365 environments, steal sensitive data, and execute high-value gift card fraud at scale. They also modify log settings and forensic trails to conceal unauthorized issuance activities.

Phishing Tactics and Cloud Abuse

The group employs highly tailored phishing pages mimicking Microsoft 365 login portals, distributed via email or SMS, to harvest credentials. Once credentials are obtained, the attackers perform a second round of reconnaissance inside the organization, focusing on SharePoint, OneDrive, and internal documentation.

Targets include:

• Gift card issuance workflows
• VPN configuration guides
• Access credentials for Citrix or cloud systems
• Financial process documentation

Jingle Thief further leverages compromised accounts to send internal phishing emails, often disguised as IT service notifications or ticketing updates, exploiting the trust of corporate communication systems.

To maintain persistence, the group creates malicious inbox rules to forward emails, deletes sent messages, and even registers rogue authenticator apps to bypass multi-factor authentication (MFA). In some cases, attackers enroll their own devices in Entra ID, ensuring continued access even after password resets.

Unlike many threat actors that deploy custom malware, Jingle Thief relies heavily on identity misuse and cloud-native exploitation techniques. This stealthy approach allows them to blend in with legitimate activity and evade detection tools focused on endpoint-based threats.

The post “Jingle Thief” Cybercrime Group Targets Cloud Gift Card Systems in Retail Sector appeared first on First Hackers News.

• SSRF (Server-Side Request Forgery) to coerce backend servers into making arbitrary requests.
• CRLF injection to insert custom headers into requests.
• Request smuggling to access internal endpoints and upload malicious templates.

This attack abuses the ability of JSP files to load untrusted stylesheets, allowing arbitrary code execution. Persistent HTTP connections are used to chain multiple requests, increasing reliability and reducing detection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The agency has warned that the vulnerability has already been used in ransomware campaigns. All federal agencies have been ordered to apply security patches by October 27, 2025.

Security experts have raised alarms that mass exploitation is expected within days. Cl0p has already targeted multiple organizations since August, stealing sensitive data and issuing extortion emails.

Organizations using Oracle EBS are being strongly advised to patch immediately, conduct threat hunts, and strengthen access controls. Delays in remediation could lead to significant data breaches, financial loss, and operational disruption.

SEO Keywords included: Oracle E-Business Suite, CVE-2025-61882, Cl0p ransomware, remote code execution, SSRF, CRLF injection, WatchTowr Labs, CrowdStrike, CISA KEV, cybersecurity vulnerability, patch advisory.

The post Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group appeared first on First Hackers News.

Arctic Wolf observed multiple incidents where SonicWall Secure Mobile Access (SMA) appliances were accessed despite OTP-based MFA being active. In each case, multiple OTP challenges were issued, but attackers still authenticated successfully, suggesting they had access to the correct OTP codes.

Background: Zero-Day Vulnerability and CVE-2024-40766

These incidents follow a wave of Akira ransomware attacks earlier this year that exploited an unknown vulnerability in SonicWall’s SMA VPN appliances. At the time, the method of initial access was unclear. However, SonicWall later confirmed the attackers were exploiting a zero-day vulnerability, now tracked as CVE-2024-40766, involving improper access control in the web management interface.

A patch was released in August 2024, and SonicWall urged customers to upgrade to the latest versions of SonicOS 7.1.1-7040 / 7.0.1-5146 and SMA 100 firmware to mitigate the issue. They also advised administrators to reset all user credentials for impacted VPN portals, particularly those not integrated with Active Directory.

However, Arctic Wolf’s new findings indicate that the threat actors may have already harvested OTP seed data during prior compromises—making even patched devices vulnerable if credentials were not rotated.

OTP MFA Bypass: What Researchers Observed

According to Arctic Wolf’s investigation:

• In multiple breach incidents, VPN user logins occurred with OTP MFA enabled.
• Multiple OTP prompts were issued, yet the login was ultimately successful.
• This behavior suggests that the attackers possessed valid OTP secrets or were able to generate valid tokens at will.
• The exploitation was not due to a new vulnerability, but likely stemmed from previously compromised credentials and OTP seeds.

This theory is supported by a June 2024 report from Google’s Threat Analysis Group (TAG) and Mandiant, which detailed how another threat group, UNC6148, used stolen OTP seeds to bypass MFA on SonicWall SMA 100 series devices—even when those systems were fully patched.

Post-Breach Activity: Fast and Aggressive Lateral Movement

Once initial access was achieved, Akira operators wasted no time escalating privileges and moving laterally within victim networks. Arctic Wolf reports that:

• Internal network scanning typically began within 5 minutes of VPN login.
• Attackers used tools like Impacket, RDP, and Active Directory enumeration utilities including:

• dsquery
• SharpShares
• BloodHound

• A high-priority target was the Veeam Backup & Replication server, a critical system used for managing backup infrastructure.The threat actors deployed custom PowerShell scripts to:
• Extract and decrypt credentials from Veeam, MSSQL, and PostgreSQL databases.
• Retrieve Data Protection API (DPAPI) secrets to further compromise systems.

The post Akira Ransomware Now Breaches MFA‑Protected SonicWall VPNs, Researchers Warn appeared first on First Hackers News.

The campaigns highlight a sophisticated blend of social engineering and technical evasion tactics. ComicForm, a previously undocumented group, has focused on organizations in Belarus, Kazakhstan, and Russia since April 2025, targeting industries such as industrial operations, finance, tourism, biotechnology, research, and trade. Meanwhile, SectorJ149—also tracked as UAC-0050—has shifted from financial cybercrime to hacktivist-style operations against South Korean entities in manufacturing, energy, and semiconductors. Both groups leverage Formbook, an infostealer malware capable of harvesting credentials, sensitive data, and system information, often alongside tools like Lumma Stealer and Remcos RAT.

Security researchers from F6 and NSHC’s ThreatRecon Team have uncovered these operations, noting the groups’ use of obfuscated loaders, scheduled tasks, and phishing lures to bypass defenses like Microsoft Defender.

ComicForm’s Phishing Onslaught

ComicForm’s attacks kick off with tailored phishing emails in Russian or English, using innocuous subject lines such as “Waiting for the signed document,” “INvoice for Payment,” or “Reconciliation Act for Signature.” These messages originate from domains in .ru, .by, and .kz, containing RAR archives disguised as PDFs—files like “Акт_сверки pdf 010.exe.”

Once executed, the .NET-based loader deploys a chain of malicious DLLs (“MechMatrix Pro.dll” and “Montero.dll”), ultimately installing Formbook. The malware sets up persistence via scheduled tasks and adds exclusions in antivirus software to avoid detection. A quirky hallmark: embedded Tumblr links to superhero comic GIFs (e.g., Batman), which inspired the group’s name but play no active role in attacks. As F6 researcher Vladislav Kugan explained, “These images were not used in any attack, but were merely part of the malware code.”

Recent escalations include fake login pages mimicking document management services. In July 2025, emails from a Kazakhstan industrial firm redirected victims to credential-harvesting sites. JavaScript on these pages auto-fills email fields from URL parameters, pulls domain screenshots via screenshotapi.net for realism, and sends stolen data via HTTP POST. Earlier hits targeted a Belarusian bank in April and a Kazakhstan company in June, with lures like invoice-themed forms capturing emails and phone numbers.

The use of English emails signals ComicForm’s potential expansion beyond Russian-speaking regions, per F6 analysis: “The group attacks Russian, Belarusian, and Kazakh companies from various sectors, and the use of English-language emails suggests that the attackers are also targeting organizations in other countries.”

SectorJ149’s Spear-Phishing Shift

Operating since November 2024, SectorJ149 employs spear-phishing against South Korean executives, baiting them with emails about production facility purchases or quotation requests. Attachments come as Microsoft CAB archives containing Visual Basic Scripts that trigger PowerShell commands to download disguised JPG files from Bitbucket or GitHub repositories.

These files unpack loaders that fetch, decrypt, and execute additional payloads from remote URLs—disguised as .txt files—leading to in-memory deployment of Formbook, Lumma Stealer, and Remcos RAT. NSHC’s ThreatRecon Team detailed the process: “The PE Malware executed directly in the memory area is a loader-type Malware that downloads additional malicious data disguised as a text file (.txt) through a URL included in the provided parameter values, decrypts it, and then generates and executes the PE Malware.”

What sets SectorJ149 apart is its evolving motive. Previously profit-driven, recent activities carry a “strong hacktivist nature,” using hacks to push political, social, or ideological messages against Korean targets.

Broader Impact and Implications

These campaigns underscore the risks to Eurasian infrastructure, with Formbook’s credential theft enabling further espionage or ransomware. No specific victim disclosures beyond general sectors have surfaced, but the attacks’ precision suggests insider knowledge or reconnaissance.

Experts warn of rising state-affiliated threats in the region, exacerbated by geopolitical tensions. While ComicForm appears opportunistic, SectorJ149’s hacktivist leanings could signal broader hybrid warfare tactics.

The post ComicForm and SectorJ149 Hackers Ramp Up Eurasian Cyberattacks with Formbook Malware Deployment appeared first on First Hackers News.