SideWinder’s 2025 phishing attacks used fake PDFs and ClickOnce apps to target South Asian embassies.
Category: cybercrime/malcode
Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
To sidestep detection, the attack chain involves the execution of PowerShell commands to disable AMSI, turn off TLS certificate validation, and enable Restricted Admin, in addition to running tools such as dark-kill and HRSword to terminate security software. Also deployed on the host are Cobalt Strike and SystemBC for persistent remote access.
The infection culminates with the launch of the Qilin ransomware, which encrypts files and drops a ransom note in each encrypted folder, but not before wiping event logs and deleting all shadow copies maintained by the Windows Volume Shadow Copy Service (VSS).
The findings coincide with the discovery of a sophisticated Qilin attack that deployed their Linux ransomware variant on Windows systems and combined it with legitimate IT tools and the bring your own vulnerable driver (BYOVD) technique to bypass security barriers.
To fight cybercrime, student unravels the layers of 3D printing
To most people, a 3D printer is a cool piece of technology that can make toys, tools or parts in minutes. But for Hala Ali, it can be a partner in crime, and the doctoral student at Virginia Commonwealth University earned national honors recently for her work exploring one of the fastest-growing frontiers in cybercrime.
Ali, a computer science student in the College of Engineering, won best paper at this summer’s 25th annual Digital Forensics Research Conference in Chicago. The paper, “Leveraging Memory Forensics to Investigate and Detect Illegal 3D Printing Activities,” reflects her research into how digital forensics can help investigators uncover whether a 3D printer was used to create weapons or other illegal objects.
“3D printing is a process of creating a physical object from a digital design by laying down successive layers of material until the object is created,” Ali said.
Digital ID cards could be a disaster in the UK and beyond
The British government isn’t the only one looking to introduce digital ID cards. There is so much to worry about here, not least the threat of hacks, says Annalee Newitz
Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation
In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are being used to increasingly target brokerage accounts to obtain banking credentials and authentication codes, with attacks targeting these accounts witnessing a fivefold jump in the second quarter of 2025 compared to the same period last year.
“Once compromised, attackers manipulate stock market prices using ‘ramp and dump’ tactics,” security researcher Alexis Ober said. “These methods leave almost no paper trail, further heightening the financial risks that arise from this threat.”
The adversarial collective is said to have evolved from a dedicated phishing kit purveyor into a “highly active community” that brings together disparate threat actors, each of whom plays a crucial role in the phishing-as-a-service (PhaaS) ecosystem.
APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign
A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.
The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025.
The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF (“CDS_Directive_Armed_Forces.pdf”) using Mozilla Firefox while simultaneously executing the main payload.
Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files
Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine’s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).
The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe’s Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.
The phishing emails have been found to impersonate the Ukrainian President’s Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site (“zoomconference[.]app”) and tricks them into running a malicious PowerShell command via a ClickFix-style fake Cloudflare CAPTCHA page under the guise of a browser check.