pouet.chapril.org is one of the many independent Mastodon servers you can use to take part in the fediverse.
Chapril https://www.chapril.org is a project of April https://www.april.org


#infosec

406 posts, 148 participants, 42 posts today

How ToddyCat tried to hide behind AV software

The ToddyCat APT group has developed a sophisticated tool called TCESB to stealthily execute payloads and evade detection. This tool exploits a vulnerability (CVE-2024-11859) in ESET Command line scanner for DLL proxying, using a modified version of the open-source EDRSandBlast malware. TCESB employs techniques like DLL proxying, kernel memory manipulation, and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions. It searches for kernel structure addresses using CSV or PDB files, installs a vulnerable Dell driver, and decrypts AES-128 encrypted payloads. The discovery highlights the need for monitoring driver installations and Windows kernel debug symbol loading events to detect such sophisticated attacks.

Pulse ID: 67f3cb12758e286216442770
Pulse Link: otx.alienvault.com/pulse/67f3c
Pulse Author: AlienVault
Created: 2025-04-07 12:54:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#CyberSecurity #Dell #EDR
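The summary above ends with two detection recommendations: watch driver installations and watch kernel debug symbol loading. The script below is an added example written for this page, not code from the post, from AlienVault, or from the researchers who analysed TCESB. It runs three simple checks over Windows log records: a new kernel-mode driver service (System log event 7045) whose binary sits outside the normal driver directories, a Sysmon DriverLoad event (ID 6) from a non-standard path or without a Microsoft signature, and a Sysmon network event (ID 3) to the Microsoft symbol server from something that is not a debugger. The event records are constructed inline in a simplified JSON-lines shape using the real Sysmon and Service Control Manager field names; the driver path, service name, signer string and the debugger allowlist are hypothetical placeholders, not indicators from the report.

```python
"""Triage Windows log records for BYOVD-style driver installs and
runtime PDB (symbol server) fetches.

Added example for this page; not code from the original post or from any
vendor tooling. Records are constructed below in a simplified JSON-lines form.
"""
import json

# Where Windows normally keeps legitimately installed drivers.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Microsoft public symbol server; EDRSandBlast-derived tooling pulls PDBs from it
# to resolve kernel structure offsets at runtime.
SYMBOL_SERVER_HOSTS = {"msdl.microsoft.com"}

# Hypothetical allowlist of processes for which symbol-server traffic is expected.
DEBUGGER_ALLOWLIST = {"windbg.exe", "windbgx.exe", "devenv.exe"}


def _norm(path):
    """Lower-case, backslash-normalise and expand the NT / relative forms that
    the service log uses for driver paths (a simplification of real handling)."""
    p = path.lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("system32\\") or p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p.lstrip("\\").replace("systemroot\\", "", 1)
    return p


def _in_trusted_dir(path):
    p = _norm(path)
    return any(p.startswith(d) for d in TRUSTED_DRIVER_DIRS)


def check_service_install(ev):
    """System log Event ID 7045: a new service. A kernel-mode driver service whose
    binary lives outside the driver directories is the BYOVD install step."""
    if "kernel mode driver" not in ev.get("ServiceType", "").lower():
        return []
    image = ev.get("ImagePath", "")
    if _in_trusted_dir(image):
        return []
    return [("high", f"kernel driver service '{ev.get('ServiceName')}' installed from {image}")]


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad): the kernel actually loading the driver."""
    image = ev.get("ImageLoaded", "")
    out = []
    if not _in_trusted_dir(image):
        out.append(("high", f"driver loaded from non-standard path: {image}"))
    if ev.get("SignatureStatus") != "Valid":
        out.append(("high", f"driver signature status {ev.get('SignatureStatus')!r}: {image}"))
    elif "microsoft" not in ev.get("Signature", "").lower():
        # A validly signed third-party driver is exactly what BYOVD abuses;
        # low on its own, decisive when paired with the path finding above.
        out.append(("low", f"third-party signed driver ({ev.get('Signature')}): {image}"))
    return out


def check_network(ev):
    """Sysmon Event ID 3: a symbol-server connection from a non-debugger process
    suggests a tool resolving kernel offsets from a downloaded PDB."""
    host = ev.get("DestinationHostname", "").lower()
    if host not in SYMBOL_SERVER_HOSTS:
        return []
    proc = _norm(ev.get("Image", "")).rsplit("\\", 1)[-1]
    if proc in DEBUGGER_ALLOWLIST:
        return []
    return [("medium", f"symbol-server fetch by {ev.get('Image')} -> {host}")]


CHECKS = {
    ("Service Control Manager", 7045): check_service_install,
    ("Microsoft-Windows-Sysmon", 6): check_driver_load,
    ("Microsoft-Windows-Sysmon", 3): check_network,
}


def triage(lines):
    """Run every applicable check over JSON-lines records; return alert dicts in order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        fn = CHECKS.get((ev.get("Provider"), ev.get("EventID")))
        for sev, msg in (fn(ev) if fn else []):
            alerts.append({"time": ev.get("UtcTime"), "severity": sev, "detail": msg})
    return alerts


# Constructed sample records (hypothetical paths, names and signer).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Provider": "Service Control Manager", "EventID": 7045, "UtcTime": "2025-04-07 12:01:03",
     "ServiceName": "ExampleDrv", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "\\??\\C:\\Users\\Public\\drv\\example_vuln.sys"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6, "UtcTime": "2025-04-07 12:01:04",
     "ImageLoaded": "C:\\Users\\Public\\drv\\example_vuln.sys", "Signed": "true",
     "Signature": "Example OEM Inc.", "SignatureStatus": "Valid"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6, "UtcTime": "2025-04-07 12:01:05",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 3, "UtcTime": "2025-04-07 12:01:09",
     "Image": "C:\\Users\\Public\\drv\\loader.exe", "DestinationHostname": "msdl.microsoft.com",
     "DestinationPort": 443},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 3, "UtcTime": "2025-04-07 12:05:00",
     "Image": "C:\\Program Files\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe",
     "DestinationHostname": "msdl.microsoft.com", "DestinationPort": 443},
]]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['time']}  {a['detail']}")
```

On the constructed sample this produces four alerts: the 7045 install and the driver load from the user-writable directory as high, the third-party signature as low, and the symbol-server fetch by the unknown loader as medium, while the ndis.sys load and the windbg.exe connection are left alone. In a real deployment the path and signer checks are the noisy part; the combination of a driver-service install, a load from the same non-standard path and a PDB download within a short window is the pattern worth alerting on.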

Here's a somewhat novel #LinkedIn connection request scam.
I am not, actually, connected to the person named in the message sent with this connection request. In other words, "Notice you're connected with her," is simply a lie. Did they think I wouldn't notice, or what? I suppose maybe some people wouldn't.
Needless to say I blocked this person. I am careful in general about whom I connect with on LinkedIn, but I especially don't want to interact with dirtbag scammers.
#infosec #opsec #scam

Does anyone know of a password manager suitable for a government organisation?

So:
- integrates with the common browsers and OSes on desktop and mobile (Windows, Android, iOS, macOS, Linux)
- self-hosted and/or
- a digitally autonomous/sovereign service
- FLOSS
- a degree of central manageability
- 100+ users must be easy to manage

Unveiling EncryptHub: Analysis of a multi-stage malware campaign

EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat actor prioritizes stolen credentials based on cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' with plans for future distribution. Their evolving killchain involves multiple stages, including initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine their tactics, emphasizing the need for vigilant cybersecurity measures.

Pulse ID: 67f3aae3b4d4fbbfe08e7839
Pulse Link: otx.alienvault.com/pulse/67f3a
Pulse Author: AlienVault
Created: 2025-04-07 10:37:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Lazarus Group Targets Developers with New Malware

North Korean threat actors known for the 'Contagious Interview' operation have intensified malicious activity in the npm ecosystem.

Pulse ID: 67f39d0e16d9fdedb66d1bc8
Pulse Link: otx.alienvault.com/pulse/67f39
Pulse Author: cryptocti
Created: 2025-04-07 09:38:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


#infoSec question:
What is a safe tool for school students to use for reporting #safeguarding issues?
The current bar is a Google Form, so below ground level. A quick search shows a handful of e2e options - suggestions for what is safe and easy for students and admins (counsellors, not tech people)?
Boosts welcome if it's not your speciality.