Hackers Abuse Microsoft Fondue.exe
Overview A newly uncovered campaign has turned a rarely noticed Windows utility — Fondue.exe — into a stealthy malware delivery mechanism. Threat actors are exploiting […]
Overview A newly uncovered campaign has turned a rarely noticed Windows utility — Fondue.exe — into a stealthy malware delivery mechanism. Threat actors are exploiting […]
Overview Microsoft’s SQL Server 2025 was designed to bring AI into enterprise databases — but research from SpecterOps shows that these same features can be weaponized for data exfiltration and command‑and‑control (C2) operations. The findings reveal how legitimate AI functions can be repurposed by attackers to steal data and establish persistent backdoors without deploying traditional malware. How Attackers Exploit SQL Server AI Features At the core of the research is the stored procedure sp_invoke_external_rest_endpoint, which allows SQL Server to send HTTPS requests to external endpoints directly from the database engine. Originally intended for API integration, this feature can be abused to exfiltrate sensitive data over encrypted channels. Feature Legitimate Purpose Abuse Scenario sp_invoke_external_rest_endpoint Enables secure API calls from SQL Server Sends data to attacker‑controlled servers via HTTPS CREATE EXTERNAL MODEL Integrates AI models for RAG workloads Establishes covert C2 channels through AI embeddings AI_GENERATE_EMBEDDINGS Generates structured AI responses Encodes commands and responses within AI traffic Because the traffic originates from the database engine and uses HTTPS, it can bypass traditional security tools that monitor for PowerShell or xp_cmdshell execution. Real‑World Attack Scenarios SpecterOps demonstrated how a compromised SQL Server instance with sysadmin privileges can query sensitive tables, convert data to JSON, and transmit it to an external server using the REST endpoint procedure. Attackers can also use AI model calls to create persistent C2 channels: In advanced cases, attackers can abuse UNC paths in AI model configurations to trigger NTLM authentication attempts over SMB, capturing or relaying hashes within the network. Microsoft did not classify this behavior as a vulnerability, leaving it exploitable in current deployments. Persistence and Continuous Data Leakage Attackers can create database triggers that automatically exfiltrate newly inserted or updated records. For example, any new user credentials added to a table can be instantly sent to an external server — turning the database into a continuous data leakage point. This approach blurs the line between legitimate AI workloads and malicious activity, making traditional detection methods ineffective. Defensive Recommendations […]
Overview F5 has released urgent security updates for two critical vulnerabilities in NGINX Open Source, both rated CVSS 9.2, that could allow remote unauthenticated attackers to execute code on affected systems. These flaws impact multiple NGINX modules and products across the F5 ecosystem, making patching a top priority for cloud and network administrators. Vulnerability Breakdown CVE ID Module Affected Attack Vector Impact CVE‑2026‑42530 ngx_http_v3_module (HTTP/3 QUIC) Crafted HTTP/3 session reopens QPACK encoder stream Use‑after‑free → Remote Code Execution (RCE) CVE‑2026‑42055 ngx_http_proxy_v2_module, ngx_http_grpc_module Malicious HTTP/2 traffic via proxy directives Heap overflow → Remote Code Execution (RCE) Both vulnerabilities can be exploited when Address Space Layout Randomization (ASLR) is disabled or bypassed, giving attackers direct memory control over NGINX processes. Technical Context CVE‑2026‑42530 targets the HTTP/3 QUIC module by manipulating QPACK encoder streams to trigger a use‑after‑free condition. This lets attackers inject malicious payloads into memory and execute arbitrary code. CVE‑2026‑42055 affects HTTP/2 proxy and gRPC modules when specific directives are enabled (proxy_http_version 2, grpc_pass, ignore_invalid_headers off, and large_client_header_buffers > 2 MB). The resulting heap overflow can overwrite critical memory structures and lead to system compromise. Affected Versions Product Vulnerable Versions Fixed Version NGINX Open Source […]
Overview A newly discovered BootROM vulnerability, dubbed usbliter8, has shaken Apple’s hardware security foundations. Affecting devices powered by A12, S4/S5, and A13 SoCs, the flaw enables […]
Overview The Gentlemen ransomware‑as‑a‑service (RaaS) operation is evolving fast. Researchers report the group maintains a modular suite of EDR‑killing tools—most notably a family dubbed GentleKiller—designed […]
Overview Nintendo of America has confirmed that threat actors stole internal survey data from TinyPulse, a third‑party employee engagement platform owned by WebMD Health Services. While Nintendo’s own systems remain secure, the incident highlights how supply‑chain vulnerabilities can expose corporate information even when core infrastructure is unaffected. What Happened Nintendo acknowledged that the breach originated from TinyPulse, a service used for anonymous employee surveys and feedback analytics. The company stated that no customer or financial data was accessed and that the compromised information was limited to older survey records from a small subset of employees. “Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed,” the company told BleepingComputer. Nintendo is now working closely with WebMD Health Services to investigate and contain the incident. The Threat Actor: Shadowbyt3$ The attack was claimed by Shadowbyt3$, a relatively new “extortion‑as‑a‑service” group active since October 2025. The gang allegedly stole close to 1 GB of data and demanded a $2 million ransom, giving Nintendo 48 hours to negotiate before leaking the information. Shadowbyt3$ Claims: The group posted messages on dark‑web forums offering to delete the data “permanently” if the ransom was paid. However, law enforcement and cybersecurity experts warn that paying ransom demands only encourages future attacks and offers no guarantee that data won’t be sold privately. Understanding the Supply‑Chain Risk This incident illustrates how third‑party platforms can become entry points for data exfiltration even when primary systems are secure. Vector Description Impact Third‑Party Service Compromise Attackers target vendors with weaker security controls. Indirect exposure of corporate data. Extortion‑as‑a‑Service Criminal groups offer ransom operations as subscription services. Expands reach and frequency of attacks. Data Leak Amplification Stolen data used to pressure multiple organizations in the same supply chain. Multi‑company reputational damage. Nintendo’s case shows that even non‑technical data like employee surveys can be weaponized for extortion and social engineering. […]
Overview In a major international cybercrime takedown, law enforcement agencies have cleaned nearly 15,000 WordPress websites infected with the SocGholish malware downloader, a JavaScript‑based tool linked to the notorious Evil Corp Russian cybercrime group. The operation — code‑named Operation Endgame — marks a significant step toward disrupting one of the most persistent infection chains in modern cybercrime. Operation Endgame in Action Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) worked with Europol and Eurojust to remove malware and backdoors from 14,971 compromised WordPress sites and take 106 servers and domains offline. Agency Role in Operation NHCTU (Netherlands) Led malware removal and site restoration. FBI (United States) Coordinated server takedowns and evidence collection. RCMP (Canada) Assisted in cross‑border data tracking. BKA (Germany) Executed domain seizures and infrastructure shutdowns. Dutch police also advised website owners to change credentials, enable MFA, delete unknown WordPress accounts, and keep sites updated to prevent reinfection. “With these actions we deprive cybercriminals of access to infected systems and limit the spread of malware,” said Maikel Rollman of the Netherlands’ National High Tech Crime Unit. Understanding SocGholish SocGholish — also known as FakeUpdates or GhoLoader — has been active since 2017. It hijacks legitimate websites and tricks visitors into downloading malicious payloads disguised as browser updates. Attack Flow: SocGholish has been used to deliver malware families such as Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult — all linked to Evil Corp’s criminal operations. Evil Corp Connection Evil Corp has been active since 2007 and is associated with the Zeus and Dridex malware families, as well as ransomware operations like WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker. By cleaning SocGholish‑infected sites, Operation Endgame has effectively cut off a key distribution channel used by Evil Corp to spread its payloads and launch ransomware attacks against businesses and critical infrastructure. Preventive Measures for Website Owners Law enforcement recommendations serve as a blueprint for WordPress security hardening: […]
Overview A new wave of adversary‑in‑the‑middle (AiTM) phishing attacks is targeting Microsoft users worldwide, and the tool behind it — Evilginx — is far more advanced than traditional phishing kits. Security researchers have confirmed that Evilginx can steal usernames, passwords, multi‑factor authentication (MFA) tokens, and authenticated session cookies simultaneously, effectively bypassing MFA entirely. How Evilginx Works Evilginx acts as a transparent proxy between the victim and the real Microsoft login page. When a user clicks a phishing link, they see a perfect replica of the legitimate login portal because it is actually the real page being mirrored live through the attacker’s server. Step Action Result Phishing Link Clicked Victim visits a lookalike domain controlled by the attacker. Connection redirected through Evilginx proxy. Credentials Entered User inputs username and password on the mirrored Microsoft page. Data captured in real time. MFA Approved Victim approves MFA prompt as usual. MFA token and session cookie intercepted. Session Hijacked Attacker imports the session cookie into their browser. Full account access without password or MFA. Once the authenticated session cookie is captured, the attacker can replay it from any device anywhere in the world, gaining complete access to Microsoft accounts without triggering another MFA challenge. Real‑World Case Study Researchers at NetSPI documented a live engagement where Evilginx was used against a corporate executive team. They registered a lookalike domain and pointed an Evilginx server directly at the client’s Microsoft login flow. The attack was wrapped in a social‑engineering scenario that made the phishing email appear urgent and legitimate. Once executives clicked the link and approved their MFA prompts, Evilginx captured their authenticated session cookies instantly. “Even users who follow best practices and enable multi‑factor authentication are not fully protected from this attack,” NetSPI warned. In one case, an executive forwarded the phishing link to two external contractors, nearly turning a single‑company breach into a multi‑organization incident — a stark reminder of how quickly AiTM attacks can spread. […]
Overview A new malware operation is rewriting the rules of social engineering. According to Check Point Research, an unknown threat actor is using fake reviews, AI‑generated videos, and coordinated reputation manipulation to promote malicious software disguised as popular crypto tools. The campaign targets cryptocurrency holders and online gamblers, luring them with promises of “sniper bots” and “crash‑game predictors” that secretly install a Rust‑based clipboard hijacker. The Fake Reputation Machine The threat actor has built a multi‑platform ecosystem to make their malware look legitimate. Platform Manipulation Tactic Purpose WordPress Phishing hub hosting malicious downloads Central distribution point GitHub Six fake developer accounts cross‑promoting repositories Synthetic trust signals SourceForge Artificially inflated download counts (44,485 downloads) False popularity metrics YouTube AI‑generated tutorial videos and positive comments Influencer‑style promotion VirusTotal Coordinated upvotes and fake “safe” comments Reputation poisoning to evade detection The campaign even used a press‑release distribution service to syndicate its fake tool across legitimate news sites like the USA TODAY Network — a tactic rarely seen in malware operations. The Malware Payload At the core of the operation is a Rust‑based crypto clipper that targets both Windows and macOS. […]
Overview A newly uncovered data leak dubbed “FortiBleed” has exposed Fortinet and FortiGate VPN credentials belonging to 73,932 firewall URLs across organizations worldwide. Security researcher Bob Diachenko discovered a server containing […]
Copyright © 2026 | WordPress Theme by MH Themes