China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT).
The Ukrainian cybersecurity authority said it observed the latest attack wave starting in mid-January 2025. The activity is designed to target notaries in Ukraine.
The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to download an executable, which, when launched, leads to the deployment of the DCRat malware. The binary is hosted in Cloudflare's R2 cloud storage service.
"Having thus provided primary access to the notary's automated workplace, the attackers take measures to install additional tools, in particular, RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility, allows you to establish RDP connections from the Internet directly to the computer," CERT-UA noted.
The attacks are also characterized by the use of other tools and malware families like FIDDLER for intercepting authentication data entered in the web interface of state registers, NMAP for network scanning, and XWorm for stealing sensitive data, such as credentials and clipboard content.
Furthermore, the compromised systems are used as a conduit to draft and send malicious emails using the SENDMAIL console utility in order to further propagate the attacks.
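As an added illustration (not part of the CERT-UA advisory or of this article), the following Python script shows how a defender might look in process-creation telemetry for the tool combination described above. The event records, host names and file paths are constructed for the example; the field names follow a Sysmon-like shape but are this example's own, and the rules key on the tools the advisory names (RDP Wrapper, bore, Nmap and a console sendmail), with the RDP Wrapper plus tunnel pairing on one host treated as the strongest signal.

```python
"""Flag the post-compromise tooling named in the CERT-UA write-up in process-creation events."""
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape; not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "notary-ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "notary-ws01", "image": r"C:\Users\Public\RDPWInst.exe",
     "cmdline": "RDPWInst.exe -i", "parent": "cmd.exe"},
    {"host": "notary-ws01", "image": r"C:\Users\Public\bore.exe",
     "cmdline": "bore.exe local 3389 --to relay.example.invalid", "parent": "cmd.exe"},
    {"host": "notary-ws02", "image": r"C:\Tools\nmap.exe",
     "cmdline": "nmap.exe -sT 10.0.0.0/24", "parent": "powershell.exe"},
    {"host": "notary-ws02", "image": r"C:\Program Files\Git\usr\bin\sendmail.exe",
     "cmdline": "sendmail.exe -t", "parent": "cmd.exe"},
    {"host": "notary-ws03", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "parent": "userinit.exe"},
]

# Each rule: (rule id, regex on the image file name, optional regex on the command line).
RULES = [
    ("rdpwrapper_install", re.compile(r"(rdpwrap|rdpwinst)(\.exe|\.dll)?$", re.I), None),
    ("bore_tunnel", re.compile(r"^bore(\.exe)?$", re.I), None),
    ("nmap_scan", re.compile(r"^nmap(\.exe)?$", re.I), None),
    ("cli_mailer", re.compile(r"^sendmail(\.exe)?$", re.I), None),
    # Any binary other than the usual RDP client/service that mentions the RDP port.
    ("rdp_port_in_cmdline", re.compile(r"^(?!mstsc|svchost|termsrv).*", re.I),
     re.compile(r"\b3389\b")),
]


def basename(path: str) -> str:
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_event(event: dict) -> list:
    """Return the ids of every rule the event satisfies."""
    name = basename(event["image"])
    hits = []
    for rule_id, image_re, cmd_re in RULES:
        if image_re.search(name) and (cmd_re is None or cmd_re.search(event["cmdline"])):
            hits.append(rule_id)
    return hits


def detect(events: list) -> list:
    """One finding per (event, rule) pair."""
    findings = []
    for ev in events:
        for rule_id in match_event(ev):
            findings.append({"host": ev["host"], "rule": rule_id,
                             "image": ev["image"], "cmdline": ev["cmdline"]})
    return findings


def hosts_with_remote_rdp_exposure(findings: list) -> list:
    """Hosts where both the multi-session RDP enabler and the tunnelling tool were seen:
    the pairing CERT-UA describes, which is a stronger signal than either tool alone."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in by_host.items()
                  if {"rdpwrapper_install", "bore_tunnel"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:12} {f['rule']:22} {f['cmdline']}")
    print("hosts with RDP exposed through a tunnel:", hosts_with_remote_rdp_exposure(found))
```

The file-name rules are deliberately simple; in production they would be paired with hash or signer checks, since renaming the binaries defeats a name match, which is why the port-in-command-line rule and the per-host pairing are included.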
The development comes days after CERT-UA attributed the exploitation of a now-patched security flaw in Microsoft Windows (CVE-2024-38213) in the second half of 2024 via booby-trapped documents to a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002).
The attack chains have been found to execute PowerShell commands responsible for displaying a decoy file, while simultaneously launching additional payloads in the background, including SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG.
The activity, attributed to UAC-0212, targeted supplier companies from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of them recorded against more than two dozen Ukrainian enterprises specializing in development of automated process control systems (ACST), electrical works, and freight transportation.
Some of these attacks have been documented by StrikeReady Labs and Microsoft, the latter of which is tracking the threat group under the moniker BadPilot.
China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access

The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks.
That's according to Microsoft, which said the Silk Typhoon (formerly Hafnium) hacking group is now targeting IT solutions like remote management tools and cloud applications to obtain a foothold.
"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives," the tech giant said in a report.
The adversarial collective is assessed to be "well-resourced and technically efficient," swiftly putting to use exploits for zero-day vulnerabilities in edge devices for opportunistic attacks that allow them to scale their attacks across a wide range of sectors and regions.
This includes information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world.
Silk Typhoon has also been observed relying on various web shells to achieve command execution, persistence, and data exfiltration from victim environments. It's also noted to have demonstrated a keen understanding of cloud infrastructure, further allowing it to move laterally and harvest data of interest.
At least since late 2024, the attackers have been linked to a new set of methods, chief among which is the abuse of stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies to conduct supply chain compromises of downstream customers.
"Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account," Microsoft said, adding that the targets of this activity mainly included state and local government, as well as the IT sector.
Some of the other initial access routes adopted by Silk Typhoon entail the zero-day exploitation of a security flaw in Ivanti Pulse Connect VPN (CVE-2025-0282) and the use of password spray attacks using enterprise credentials surfaced from leaked passwords on public repositories hosted on GitHub and others.
Also exploited by the threat actor as zero-days are:
- CVE-2024-3400, a command injection flaw in Palo Alto Networks firewalls.
- CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway.
- CVE-2021-26855 (aka ProxyLogon), CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a set of vulnerabilities impacting Microsoft Exchange Server.
Successful initial access is followed by the threat actor moving laterally from on-premises environments to cloud environments and leveraging OAuth applications with administrative permissions to exfiltrate email, OneDrive, and SharePoint data via the MSGraph API.
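One way a tenant administrator can hunt for the OAuth-application abuse described above is to review which registered applications hold tenant-wide Microsoft Graph application permissions over mail, OneDrive and SharePoint, and which of those recently gained a new client secret. The Python below is an added example, not Microsoft's code or tooling; the inventory records are constructed, and their field names (app_permissions, owners, credentials) are this example's own rather than the Graph API schema. The permission names it checks (Mail.Read, Files.Read.All, Sites.Read.All and the others in the set) are real Graph application permissions.

```python
"""Audit registered applications for broad Graph data access combined with a fresh secret."""
from datetime import datetime, timedelta, timezone

REFERENCE_TIME = datetime(2025, 3, 5, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed inventory; field names are this example's own, not the Graph API schema.
SAMPLE_APPS = [
    {"app_id": "app-0001", "name": "Backup Connector",
     "app_permissions": ["Mail.Read", "Files.Read.All", "Sites.Read.All"],
     "owners": [],
     "credentials": [{"type": "password", "added": "2025-02-28T10:00:00Z"}]},
    {"app_id": "app-0002", "name": "HR Sync",
     "app_permissions": ["User.Read.All"],
     "owners": ["hr-admin"],
     "credentials": [{"type": "certificate", "added": "2024-01-10T00:00:00Z"}]},
    {"app_id": "app-0003", "name": "Ticket Bot",
     "app_permissions": ["Mail.Send"],
     "owners": ["it-ops"],
     "credentials": [{"type": "password", "added": "2023-06-01T00:00:00Z"}]},
]

# Graph application permissions that grant tenant-wide read/write access to mail, files
# or sites, or let the holder grant itself more; these enable the exfiltration step.
BROAD_DATA_ACCESS = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(app: dict, now: datetime = REFERENCE_TIME, recent_days: int = 30) -> dict:
    """Score one application; higher means more worth a human look."""
    reasons = []
    broad = sorted(set(app["app_permissions"]) & BROAD_DATA_ACCESS)
    if broad:
        reasons.append("broad application permissions: " + ", ".join(broad))
    if not app["owners"]:
        reasons.append("no owner assigned")
    recent_secret = False
    for cred in app["credentials"]:
        age = now - parse_ts(cred["added"])
        if cred["type"] == "password" and age <= timedelta(days=recent_days):
            recent_secret = True
            reasons.append(f"password credential added {age.days} days ago")
    # Broad data access plus a freshly added secret is the combination worth escalating.
    score = len(reasons) + (2 if broad and recent_secret else 0)
    return {"app_id": app["app_id"], "name": app["name"], "score": score, "reasons": reasons}


def audit(apps: list, **kwargs) -> list:
    """Assess every app, highest score first."""
    return sorted((assess(a, **kwargs) for a in apps), key=lambda r: r["score"], reverse=True)


def needs_review(apps: list, threshold: int = 2, **kwargs) -> list:
    """App ids whose score reaches the review threshold."""
    return [r["app_id"] for r in audit(apps, **kwargs) if r["score"] >= threshold]


if __name__ == "__main__":
    for row in audit(SAMPLE_APPS):
        print(f"{row['app_id']} {row['name']:18} score={row['score']}")
        for reason in row["reasons"]:
            print("   -", reason)
    print("review:", needs_review(SAMPLE_APPS))
```

The scoring is intentionally transparent so analysts can tune it: an ownerless application with tenant-wide mail and file read permissions and a secret added days ago is exactly the shape a stolen-credential supply chain compromise would leave behind, whereas a long-lived certificate on a narrowly scoped app scores zero.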
In an attempt to obfuscate the origin of their malicious activities, Silk Typhoon relies on a "CovertNetwork" comprising compromised Cyberoam appliances, Zyxel routers, and QNAP devices, a hallmark of several Chinese state-sponsored actors.
"During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments," Microsoft said.
Fake Reservation Links Prey on Weary Travelers

Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
A longtime threat group identified as TA558 has ramped up efforts to target the travel and hospitality industries. After a lull in activity, believed tied to COVID-related travel restrictions, the threat group has ramped up campaigns to exploit an uptick in travel and related airline and hotel bookings.
What makes this most recent campaign unique, according to Proofpoint, is the use of RAR and ISO files attached to or linked from messages. ISO and RAR are single compressed files that, when opened, unpack the file and folder data inside them.
“TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip [RAR] files containing executables,” Proofpoint wrote.
To become infected, the targeted victim would have to be tricked into decompressing the file archive. “The reservation link… led to an ISO file and an embedded batch file. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT,” researchers wrote.
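To show how a mail gateway can recognise the container formats this campaign relies on, here is an added Python example (not Proofpoint's code). It identifies ISO 9660, RAR and ZIP payloads by their file signatures rather than by extension, so a RAR archive renamed to .pdf is still caught; the attachment bytes are constructed, and the quarantine policy (block ISO and RAR outright, only flag ZIP, quarantine any signature/extension mismatch) is an assumption made for the example.

```python
"""Classify mail attachments by file signature, not by the extension the sender chose."""
import os

# ISO 9660 volume descriptors start at sector 16 (offset 0x8000): one type byte, then "CD001".
ISO_PVD_OFFSET = 0x8001

# (kind, magic bytes, byte offset at which the magic must appear)
SIGNATURES = [
    ("rar5", b"Rar!\x1a\x07\x01\x00", 0),
    ("rar4", b"Rar!\x1a\x07\x00", 0),
    ("zip", b"PK\x03\x04", 0),
    ("iso9660", b"CD001", ISO_PVD_OFFSET),
]

# Which detected kinds are consistent with which extension.
EXT_TO_KINDS = {".iso": {"iso9660"}, ".rar": {"rar4", "rar5"}, ".zip": {"zip"}}

# Policy assumed for this example: ISO and RAR attachments are quarantined outright,
# ZIP is only flagged, and any signature/extension mismatch is quarantined.
BLOCKED_KINDS = {"iso9660", "rar4", "rar5"}


def identify(data: bytes) -> str:
    """Return the container kind whose signature matches, or "unknown"."""
    for kind, magic, offset in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Combine the signature with the claimed extension into a triage decision."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    flags = []
    if kind != "unknown":
        flags.append("container:" + kind)
        if kind not in EXT_TO_KINDS.get(ext, set()):
            flags.append("extension-mismatch")
    quarantine = kind in BLOCKED_KINDS or "extension-mismatch" in flags
    return {"filename": filename, "kind": kind, "flags": flags, "quarantine": quarantine}


def make_iso_header() -> bytes:
    """Constructed minimal ISO prefix: 16 empty sectors, then a type-1 descriptor with "CD001"."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 16


# Constructed attachments: a genuine-looking ISO, a RAR disguised as a PDF, a real PDF header, a ZIP.
SAMPLE_ATTACHMENTS = [
    ("reservation_confirmation.iso", make_iso_header()),
    ("invoice.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
    ("brochure.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("itinerary.zip", b"PK\x03\x04" + b"\x00" * 26),
]


def triage(attachments: list) -> list:
    """Classify every (filename, bytes) pair."""
    return [classify_attachment(name, data) for name, data in attachments]


def quarantined(attachments: list) -> list:
    """File names the policy would hold back from delivery."""
    return [r["filename"] for r in triage(attachments) if r["quarantine"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_ATTACHMENTS):
        print(f"{row['filename']:30} {row['kind']:8} {row['flags']} quarantine={row['quarantine']}")
```

Signature checks are cheap and catch the renamed-archive trick, but they do not see inside the container; a gateway that can mount or list the image should additionally inspect it for the executables and batch files the campaign places there.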
Upgrade Your Itinerary To Malware Infection Status
Past TA558 campaigns, tracked by Palo Alto Networks (in 2018), Cisco Talos (in 2020 and 2021) and Uptycs (in 2020), have leveraged malicious Microsoft Word document attachments (CVE-2017-11882) or remote template URLs to download and install malware.
The shift to ISO and RAR files “is likely due to Microsoft’s announcements in late 2021 and early 2022 about disabling macros [VBA and XL4] by default in Office products,” researchers said.
“In 2022, campaign tempo increased significantly. Campaigns delivered a mixture of malware such as Loda, Revenge RAT, and AsyncRAT. This actor used a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents,” researchers wrote.
Malware payloads of recent campaigns typically include remote access trojans (RATs) that can enable reconnaissance, data theft and distribution of follow-on payloads, Proofpoint said.
Through all their evolutions, though, the goal of the group has always remained the same. The analysts concluded “with medium to high confidence” that TA558 is financially motivated, using stolen data to scale up and steal money. “It's possible compromises could impact both organizations in the travel industry as well as potentially consumers who have used them for vacations,” Sherrod DeGrippo, vice president of threat research and detection organizations at Proofpoint, wrote in a statement. “Organizations in these and related industries should be aware of this actor’s activities and take precautions to protect themselves.”
Since at least 2018, TA558 has primarily targeted organizations in the fields of travel, hospitality, and related industries. Those organizations tend to be located in Latin America, and sometimes in North America or Western Europe.
In their early exploits, the group would leverage vulnerabilities in Microsoft Word’s Equation Editor – for example, CVE-2017-11882, a remote code execution bug. The goal was to download a RAT – most commonly Loda or Revenge RAT – to the target machine.
In 2019 the group expanded its arsenal, with malicious macro-laced PowerPoint attachments and template injections against Office documents. They also expanded to new demographics, utilizing English-language phishing lures for the first time.
Early 2020 was TA558’s most prolific period, as they churned out 25 malicious campaigns in January alone. They predominantly used macro-laden Office documents, or targeted known Office vulnerabilities during this period.
“Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures,” researchers advise.
Market Impact Analysis
Market Growth Trend
2018 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|---|
8.7% | 10.5% | 11.0% | 12.2% | 12.9% | 13.3% | 13.4% |
Quarterly Growth Rate
Q1 2024 | Q2 2024 | Q3 2024 | Q4 2024 |
---|---|---|---|
12.5% | 12.9% | 13.2% | 13.4% |
Market Segments and Growth Drivers
Segment | Market Share | Growth Rate |
---|---|---|
Network Security | 26% | 10.8% |
Cloud Security | 23% | 17.6% |
Identity Management | 19% | 15.3% |
Endpoint Security | 17% | 13.9% |
Other Security Solutions | 15% | 12.4% |
Competitive Landscape Analysis
Company | Market Share |
---|---|
Palo Alto Networks | 14.2% |
Cisco Security | 12.8% |
Crowdstrike | 9.3% |
Fortinet | 7.6% |
Microsoft Security | 7.1% |
Future Outlook and Predictions
The cyber security landscape is evolving rapidly, driven by technological advancements, changing threat vectors, and shifting business requirements. Based on current trends and expert analyses, we can anticipate several significant developments across different time horizons:
Technology Maturity Curve
Different technologies within the ecosystem are at varying stages of maturity, influencing adoption timelines and investment priorities:
Innovation Trigger
- Generative AI for specialized domains
- Blockchain for supply chain verification
Peak of Inflated Expectations
- Digital twins for business processes
- Quantum-resistant cryptography
Trough of Disillusionment
- Consumer AR/VR applications
- General-purpose blockchain
Slope of Enlightenment
- AI-driven analytics
- Edge computing
Plateau of Productivity
- Cloud infrastructure
- Mobile applications
Expert Perspectives
Leading experts in the cyber security sector provide diverse perspectives on how the landscape will evolve over the coming years:
"Technology transformation will continue to accelerate, creating both challenges and opportunities."
— Industry Expert
"Organizations must balance innovation with practical implementation to achieve meaningful results."
— Technology Analyst
"The most successful adopters will focus on business outcomes rather than technology for its own sake."
— Research Director
Areas of Expert Consensus
- Acceleration of Innovation: The pace of technological evolution will continue to increase
- Practical Integration: Focus will shift from proof-of-concept to operational deployment
- Human-Technology Partnership: Most effective implementations will optimize human-machine collaboration
- Regulatory Influence: Regulatory frameworks will increasingly shape technology development
Short-Term Outlook (1-2 Years)
In the immediate future, organizations will focus on implementing and optimizing currently available technologies to address pressing cyber security challenges:
- Technology adoption accelerating across industries
- Digital transformation initiatives becoming mainstream
These developments will be characterized by incremental improvements to existing frameworks rather than revolutionary changes, with emphasis on practical deployment and measurable outcomes.
Mid-Term Outlook (3-5 Years)
As technologies mature and organizations adapt, more substantial transformations will emerge in how security is approached and implemented:
- Significant transformation of business processes through advanced technologies
- New digital business models emerging
This period will see significant changes in security architecture and operational models, with increasing automation and integration between previously siloed security functions. Organizations will shift from reactive to proactive security postures.
Long-Term Outlook (5+ Years)
Looking further ahead, more fundamental shifts will reshape how cybersecurity is conceptualized and implemented across digital ecosystems:
- Fundamental shifts in how technology integrates with business and society
- Emergence of new technology paradigms
These long-term developments will likely require significant technical breakthroughs, new regulatory frameworks, and evolution in how organizations approach security as a fundamental business function rather than a technical discipline.
Key Risk Factors and Uncertainties
Several critical factors could significantly impact the trajectory of cyber security evolution:
Organizations should monitor these factors closely and develop contingency strategies to mitigate potential negative impacts on technology implementation timelines.
Alternative Future Scenarios
The evolution of technology can follow different paths depending on various factors including regulatory developments, investment trends, technological breakthroughs, and market adoption. We analyze three potential scenarios:
Optimistic Scenario
Rapid adoption of advanced technologies with significant business impact
Key Drivers: Supportive regulatory environment, significant research breakthroughs, strong market incentives, and rapid user adoption.
Probability: 25-30%
Base Case Scenario
Measured implementation with incremental improvements
Key Drivers: Balanced regulatory approach, steady technological progress, and selective implementation based on clear ROI.
Probability: 50-60%
Conservative Scenario
Technical and organizational barriers limiting effective adoption
Key Drivers: Restrictive regulations, technical limitations, implementation challenges, and risk-averse organizational cultures.
Probability: 15-20%
Scenario Comparison Matrix
Factor | Optimistic | Base Case | Conservative |
---|---|---|---|
Implementation Timeline | Accelerated | Steady | Delayed |
Market Adoption | Widespread | Selective | Limited |
Technology Evolution | Rapid | Progressive | Incremental |
Regulatory Environment | Supportive | Balanced | Restrictive |
Business Impact | Transformative | Significant | Modest |
Transformational Impact
Technology becoming increasingly embedded in all aspects of business operations. This evolution will necessitate significant changes in organizational structures, talent development, and strategic planning processes.
The convergence of multiple technological trends—including artificial intelligence, quantum computing, and ubiquitous connectivity—will create both unprecedented security challenges and innovative defensive capabilities.
Implementation Challenges
Technical complexity and organizational readiness remain key challenges. Organizations will need to develop comprehensive change management strategies to successfully navigate these transitions.
Regulatory uncertainty, particularly around emerging technologies like AI in security applications, will require flexible security architectures that can adapt to evolving compliance requirements.
Key Innovations to Watch
Artificial intelligence, distributed systems, and automation technologies leading innovation. Organizations should monitor these developments closely to maintain competitive advantages and effective security postures.
Strategic investments in research partnerships, technology pilots, and talent development will position forward-thinking organizations to leverage these innovations early in their development cycle.
Technical Glossary
Key technical terms and definitions to help understand the technologies discussed in this article.
Understanding the following technical concepts is essential for grasping the full implications of the security threats and defensive measures discussed in this article. These definitions provide context for both technical and non-technical readers.