hashpwn

Infosec News

General Discussion (81 posts, 2 posters)

cyclone (Admin), post #1

    TMPN (Skuld) Stealer: Golang Malware Targets Discord & Crypto Wallets

    A threat dubbed TMPN Stealer, based on the open-source Skuld Stealer, has been making its rounds in the wild. It uses Discord webhooks, injects malicious JavaScript into Discord clients, and bypasses Windows protections like UAC and Defender. The malware also targets browser-stored credentials, cryptocurrency wallets (like Exodus and Atomic), and even exfiltrates game session data (Steam, Epic, Riot). It applies anti-VM, anti-debug, and persistence techniques, while stripping AV protections and replacing clipboard wallet addresses on the victim's PC with its own.

    Source:
    https://www.acronis.com/en-us/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source/

    Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
    3x RTX 4090

cyclone (Admin), post #2

      New Android malware uses Microsoft’s .NET MAUI to evade detection

      McAfee researchers have discovered Android malware campaigns abusing Microsoft’s .NET MAUI framework to bypass traditional mobile security tools. Instead of using typical DEX-based code, the malware hides logic in C# blob files, which most scanners don’t inspect — making detection extremely difficult. These apps impersonate legit services (e.g., banking and social media), steal sensitive data, and use XOR+AES encryption, bloated manifests, and TCP sockets for stealthy C2 communication.

Fake banking apps, among others, were found stealing login info, SMS, photos, and contact lists, targeting users mainly in India and China. This approach may spread rapidly as it's both stealthy and effective. Users are advised to avoid APKs from third-party sources and keep Google Play Protect enabled.

      Source:
      https://www.bleepingcomputer.com/news/security/new-android-malware-uses-microsofts-net-maui-to-evade-detection/

cyclone (Admin), post #3

        Oracle denies breach after hacker claims theft of 6 million data records

        A major breach of Oracle Cloud has potentially impacted over 140,000 enterprise tenants after a threat actor exploited a vulnerability in outdated Oracle Fusion Middleware (11G) components tied to login.us2.oraclecloud.com. The attacker, alias "rose87168", exfiltrated 6 million sensitive auth records, including SSO credentials, encrypted passwords, JKS files, and more. They're now extorting victims and marketing the data on underground forums.

        The breach appears linked to CVE-2021-35587, a known critical vulnerability in Oracle Access Manager, still unpatched in the compromised systems. Oracle denies any customer impact, but forensic evidence suggests otherwise. CloudSEK warns this attack showcases the consequences of poor patch hygiene and highlights urgent action for all Oracle Cloud users.

        Affected orgs are urged to rotate credentials, regenerate SSO/LDAP secrets, enforce MFA, and audit systems immediately.

        Sources:
        https://www.csoonline.com/article/3852643/oracle-cloud-breach-may-impact-140000-enterprise-customers.html

        https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/

cyclone (Admin), post #4

          FBI Warns: Fake File Converter Sites Spreading Malware & Ransomware

          The FBI Denver Field Office has issued a warning about malicious "free online file converter" sites being used to distribute malware, steal sensitive data, and deploy ransomware. These sites appear legitimate, offering to convert or merge documents, but instead deliver malicious executables or JavaScript files hidden in ZIP archives.

          Some of these tools, like docu-flex[.]com and pdfixers[.]com, have been tied to Gootloader, a known malware loader used for dropping banking trojans, Cobalt Strike, and ransomware. These campaigns exploit search engine ads and typosquatted domains to lure victims. Infected systems risk data theft, remote access, and full corporate breaches.

          Users are advised to avoid sketchy converter sites, scan downloaded files, and avoid executing unknown JS/EXE payloads from these platforms.

          Source:
          https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/

          FBI Denver Field Office Public Warning:

          https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
          

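The warning above boils down to one habit: do not trust what a "converter" hands back just because the file is called something.pdf. Below is an added triage script (not from the FBI notice or the BleepingComputer article) that opens a downloaded ZIP without extracting it, flags script and executable extensions including double extensions like report.pdf.js, and sniffs the first bytes of every member so an .exe renamed to .docx is still caught. The archive it inspects is constructed in memory for the example, so nothing on disk is touched.

```python
"""Triage a ZIP from an "online file converter" before anything is opened.

Added example, not code from the FBI notice or the linked article. The
sample archive is built in memory and its file names are constructed.
"""
import io
import zipfile
from typing import Optional

# Extensions a document converter has no business returning.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
    ".bat", ".cmd", ".ps1", ".lnk", ".msi", ".jar",
}

# Leading bytes that identify native code regardless of the file name.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}


def sniff(head: bytes) -> Optional[str]:
    """Describe the content type if the first bytes look like executable code."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious archive member, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            reasons = []
            if ext in SUSPICIOUS_EXTENSIONS:
                reasons.append(f"suspicious extension {ext}")
                # "invoice.pdf.js" style names rely on hidden extensions.
                if name.count(".") > 1:
                    reasons.append("double extension")
            with zf.open(info) as fh:
                kind = sniff(fh.read(4))
            if kind and ext not in SUSPICIOUS_EXTENSIONS:
                reasons.append(f"content is {kind} but extension is {ext or 'none'}")
            elif kind:
                reasons.append(f"content is {kind}")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: what a malicious converter might return."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% harmless placeholder\n")
        zf.writestr("report_converted.pdf.js", b"var a = 'not really a pdf';")
        # A PE binary disguised with a document extension.
        zf.writestr("contract.docx", b"MZ\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

To use it on a real download, read the file into `data` and call `triage_zip(data)`; a non-empty result means the archive should go to a sandbox, not a double-click. The magic-byte list is deliberately short; a loader delivered as a plain .js file has no magic, which is why the extension check stays in place alongside it.
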
cyclone (Admin), post #5

            Dozens of solar inverter flaws could be exploited to attack power grids

            Vedere Labs has disclosed a total of 46 vulnerabilities across PV inverters made by Sungrow, Growatt, and SMA — three of the world’s largest solar inverter manufacturers. These flaws enable attackers to perform remote code execution, device hijacking, credential theft, and even manipulate power output, posing a real threat to grid stability.

            The report outlines how attackers can exploit cloud backend APIs, hardcoded credentials, IDORs, and buffer overflows to control inverter fleets. Coordinated manipulation of inverter output could destabilize energy grids or act as a physical layer botnet.

            Vendors have begun patching, but the risks highlight severe supply chain and infrastructure security gaps in IoT energy tech. Threats range from grid disruption and physical damage to smart home hijacking and ransomware.

            Source:
            https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-flaws-could-be-exploited-to-attack-power-grids/

cyclone (Admin), post #6

              IngressNightmare: 9.8 Critical RCE in Ingress NGINX Affects 40%+ of Cloud Environments

              Wiz Research has disclosed a set of unauthenticated Remote Code Execution (RCE) vulnerabilities in Ingress NGINX Controller for Kubernetes, dubbed #IngressNightmare. These flaws (CVE-2025-1097, 1098, 24514, 1974) allow attackers to inject arbitrary NGINX configs via malicious admission requests, leading to code execution, cluster takeover, and full access to Kubernetes secrets across namespaces.

              The vulnerable admission controller runs with high privileges and is often exposed without authentication. Exploits combine config injection, shared library tricks, and NGINX client-body buffer abuse to gain persistent RCE on pods, affecting over 6,500 clusters, including those from Fortune 500s.

              Patch immediately:

              • Upgrade to Ingress NGINX v1.12.1 or v1.11.5
              • Lock down admission webhooks
              • Apply Wiz or Nuclei-based scans for exposure
              • Disable admissionWebhooks if patching isn't yet possible

              This is a cluster-critical issue for Kubernetes users relying on Ingress-NGINX, especially those exposing controllers to the public internet.

              Source:
              https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

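The two actionable items in the post are "are we on a fixed controller" and "is the admission webhook still registered". The script below is an added example (not code from the Wiz write-up or the ingress-nginx project) that answers both from the JSON that `kubectl get deployments -A -o json` and `kubectl get validatingwebhookconfigurations -o json` print. The fixed releases are the ones the post names, v1.11.5 and v1.12.1; the assumption made here is that every 1.11.x below 1.11.5, v1.12.0, and all older minors are vulnerable while later minors carry the fix. Both JSON documents are constructed samples, not output from a real cluster.

```python
"""Audit cluster inventory for the IngressNightmare fixes.

Added example; assumes v1.11.5 / v1.12.1 are the first fixed builds of
their minors and that everything older is vulnerable. Sample JSON below
is constructed to look like `kubectl ... -o json` output.
"""
import json
import re

IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")
# First patch level that contains the fix, per minor (assumption, see docstring).
FIXED_PATCH = {(1, 11): 5, (1, 12): 1}


def is_fixed(version: tuple) -> bool:
    major, minor, patch = version
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    return (major, minor) > (1, 12)


def controller_versions(deployments_json: str) -> list:
    """Every ingress-nginx controller Deployment, with its fix status."""
    found = []
    for item in json.loads(deployments_json).get("items", []):
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"].get("containers", []):
            m = IMAGE_RE.search(c.get("image", ""))
            if not m:
                continue
            version = tuple(int(x) for x in m.groups())
            found.append({"namespace": meta["namespace"], "name": meta["name"],
                          "version": version, "fixed": is_fixed(version)})
    return found


def admission_webhooks(webhooks_json: str) -> list:
    """ValidatingWebhookConfigurations that point at an ingress-nginx service."""
    names = []
    for item in json.loads(webhooks_json).get("items", []):
        for hook in item.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service", {})
            if "ingress-nginx" in svc.get("name", ""):
                names.append(item["metadata"]["name"])
                break
    return names


def report(deployments_json: str, webhooks_json: str) -> list:
    """One human-readable line per finding."""
    lines = []
    for c in controller_versions(deployments_json):
        tag = "v" + ".".join(map(str, c["version"]))
        verdict = "fixed" if c["fixed"] else "VULNERABLE, upgrade to v1.11.5 / v1.12.1"
        lines.append(f"{c['namespace']}/{c['name']} runs {tag}: {verdict}")
    for name in admission_webhooks(webhooks_json):
        lines.append(f"admission webhook {name} is registered; lock it down "
                     f"or disable it until every controller is patched")
    return lines


# Constructed samples shaped like kubectl -o json output.
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller",
          "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0123abcd"}]}}}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller",
          "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
    {"metadata": {"namespace": "web", "name": "shop"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "image": "example.invalid/shop:2.3"}]}}}},
]})
SAMPLE_WEBHOOKS = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                   "clientConfig": {"service": {
                       "namespace": "ingress-nginx",
                       "name": "ingress-nginx-controller-admission",
                       "path": "/networking/v1/ingresses"}}}]},
]})

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEPLOYMENTS, SAMPLE_WEBHOOKS)))
```

Feed it real data by saving the two `kubectl` outputs to files and passing their contents to `report()`. It only looks at Deployments; an install that runs the controller as a DaemonSet needs the same pass over `kubectl get daemonsets -A -o json`.
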
cyclone (Admin), post #7

                Rhysida Ransomware Hits PA Education Union – 500K+ Impacted

                The Pennsylvania State Education Association (PSEA), representing over 178,000 public-sector education professionals, confirmed a major data breach affecting 517,487 individuals. Attackers exfiltrated sensitive data including SSNs, financial info, driver’s licenses, passports, health data, and login credentials during a July 2024 intrusion, later attributed to the Rhysida ransomware gang.

                Rhysida demanded 20 BTC in ransom and briefly listed the stolen data on its dark web leak site. Though the listing has since been removed, it's unclear if PSEA paid. Victims are being offered free IDX credit monitoring and are urged to monitor for identity fraud.

                Rhysida continues its aggressive ransomware campaigns, having also hit major healthcare, government, and corporate targets globally, including Lurie Children’s Hospital, Insomniac Games, and the City of Columbus.

                Source:
                https://www.bleepingcomputer.com/news/security/pennsylvania-education-union-data-breach-hit-500-000-people/

cyclone (Admin), post #8

                  New StilachiRAT Malware Surfaces with Crypto Theft & RDP Monitoring Capabilities

                  Microsoft researchers have identified a new Remote Access Trojan (RAT) in the wild dubbed StilachiRAT — a stealthy malware tool capable of system reconnaissance, credential and crypto wallet theft, RDP session monitoring, clipboard scraping, and more. Though not yet tied to a specific threat group, the RAT shows signs of being built for persistent, multi-stage intrusions.

                  StilachiRAT includes watchdog persistence, anti-forensics features, and the ability to reinstall itself as a Windows service via SCM and registry manipulation. While currently not widespread, its advanced capabilities suggest it may become more common in targeted recon and exfiltration campaigns.

                  Microsoft has released IoCs and mitigation guidance, urging defenders to update signatures and monitor for anomalous DLL/service behavior.

                  Source:
                  https://www.bitdefender.com/en-us/blog/hotforsecurity/researchers-discover-new-stilachirat-malware

cyclone (Admin), post #9

                    CVE-2025-24813 – Apache Tomcat PUT Flaw Enables RCE, Data Corruption

                    A critical Apache Tomcat vulnerability (CVE-2025-24813) allows Remote Code Execution (RCE), data corruption, and information disclosure via improper handling of partial HTTP PUT requests. Affected versions include:

                    • Tomcat 11.0.0-M1 to 11.0.2
                    • Tomcat 10.1.0-M1 to 10.1.34
                    • Tomcat 9.0.0-M1 to 9.0.98

                    Exploitation requires non-default write-enabled servlets, partial PUT support (enabled by default), and deserialization-vulnerable libraries. Attackers can upload malicious JSPs, overwrite session files, or read server configs.

                    Mitigations:

                    • Upgrade to Tomcat 11.0.3, 10.1.35, or 9.0.98
                    • Disable allowPartialPut or ensure readonly="true" in DefaultServlet
                    • Remove unsafe deserialization libraries
                    • For Java 17, set -Dsun.io.useCanonCaches=false

                    Delay in patching = high risk of full server compromise.

                    Source:
                    https://cybersecuritynews.com/apache-tomcat-vulnerability-rce-attacks/

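Two of the preconditions above can be checked from a script: the running version and the DefaultServlet settings in conf/web.xml. The code below is an added example (not from the linked article or the Tomcat project). For the version check it uses the fixed builds the Apache advisory lists, 9.0.99, 10.1.35 and 11.0.3; note that 9.0.98 is the last affected 9.0.x build, not a fixed one. For the configuration check it reads whether `readonly` has been set to false on the DefaultServlet (the non-default write-enabled state) and whether `allowPartialPut` is still at its default of true. The two web.xml excerpts are constructed samples.

```python
"""Check a Tomcat instance against the CVE-2025-24813 preconditions.

Added example. Fixed builds per the Apache advisory: 9.0.99, 10.1.35,
11.0.3. The web.xml excerpts are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

FIXED = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text: str) -> tuple:
    """'11.0.0-M1' -> (11, 0, 0, 1); '9.0.98' -> (9, 0, 98, inf).

    A milestone build sorts before the final build with the same number.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))


def version_status(text: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' for branches the advisory omits."""
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < fixed + (float("inf"),) else "fixed"


def _local(tag: str) -> str:
    """Strip the XML namespace, which differs between Tomcat 9 and 10/11."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_settings(web_xml: str) -> dict:
    """Return the DefaultServlet's write-related init-params, defaults applied."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                if "param-name" in kv:
                    params[kv["param-name"]] = kv.get("param-value", "")
        if cls == DEFAULT_SERVLET:
            return {
                # Tomcat defaults: readonly=true, allowPartialPut=true.
                "writable": params.get("readonly", "true").lower() == "false",
                "allowPartialPut": params.get("allowPartialPut", "true").lower() != "false",
            }
    raise ValueError("no DefaultServlet declared in this web.xml")


def _web_xml(readonly: str, partial: str) -> str:
    """Constructed conf/web.xml excerpt carrying the two parameters of interest."""
    return f"""<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>{partial}</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


EXPOSED_WEB_XML = _web_xml("false", "true")
HARDENED_WEB_XML = _web_xml("true", "false")


def assess(version: str, web_xml: str) -> str:
    """Combine both checks into one verdict line."""
    status = version_status(version)
    s = default_servlet_settings(web_xml)
    if status == "vulnerable" and s["writable"] and s["allowPartialPut"]:
        return f"Tomcat {version}: exploitable preconditions present (writable DefaultServlet, partial PUT on)"
    if status == "vulnerable":
        return f"Tomcat {version}: vulnerable build, write/partial-PUT preconditions not met; upgrade anyway"
    return f"Tomcat {version}: {status} build"


if __name__ == "__main__":
    print(assess("9.0.98", EXPOSED_WEB_XML))
    print(assess("9.0.99", HARDENED_WEB_XML))
```

Run it against the string from `catalina.sh version` (or the `Server version` line in catalina.out) and the contents of conf/web.xml; a per-application WEB-INF/web.xml can override the DefaultServlet too, so check those as well. A vulnerable build with readonly left at true is still a build to upgrade, it just lacks the write path the exploit chain needs.
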
cyclone (Admin), post #10

                      Google confirms cyber "espionage" attacks on Chrome users from "highly sophisticated malware"

                      Google has confirmed a zero-click vulnerability in Chrome (CVE-2025-2783) actively exploited in the wild. Discovered by Kaspersky, the flaw was leveraged in a targeted cyber espionage campaign called Operation ForumTroll, infecting victims via phishing emails with malicious links — no user interaction required beyond viewing the message.

                      The exploit bypassed Chrome's sandbox protections entirely and infected systems upon launch. Targets included media, education, and government sectors. A security patch has been released, and all users are urged to update Chrome immediately and remain vigilant with email hygiene.

                      Source:
                      https://nypost.com/2025/03/26/tech/google-chrome-confirms-cyber-espionage-attacks-from-highly-sophisticated-malware/

cyclone (Admin), post #11

                        Active Exploit CVE-2024-4577 still in the wild: PHP RCE Vulnerability Targets Windows Servers

                        Security researchers at Bitdefender have observed widespread exploitation of a critical PHP vulnerability (CVE-2024-4577), which affects Windows systems running PHP in CGI mode. The flaw allows remote code execution via argument injection, and attackers are using it to deploy cryptocurrency miners (like XMRig) and remote access tools such as Quasar RAT. Attack patterns include system reconnaissance, use of native Windows tools, and even cryptojacking rivalries, with attackers blocking each other’s IPs to maintain control. While Taiwan and Hong Kong are hit hardest, systems worldwide are at risk. The PHP team has released patches in versions 8.3.8, 8.2.20, and 8.1.29. Organizations using older or unsupported PHP versions are urged to upgrade immediately and move away from CGI configurations to safer alternatives like PHP-FPM or FastCGI.

                        Source:
                        https://cybersecuritynews.com/php-rce-vulnerability-actively-exploited-in-wild/

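For defenders who cannot rip out CGI today, the exploitation attempts are easy to spot in access logs. The argument injection in CVE-2024-4577 works because, on Windows hosts using certain code pages, Best-Fit character mapping turns a URL-encoded soft hyphen (%AD) into a plain "-" before php-cgi parses its command line, so a query string such as `%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input` becomes `-d allow_url_include=1 -d auto_prepend_file=php://input` and the request body runs as PHP. The scanner below is an added example (not from the Bitdefender report) that flags that pattern in combined-format log lines; the log lines are constructed samples using documentation IP ranges.

```python
"""Spot CVE-2024-4577 exploitation attempts in web server access logs.

Added example, not from the Bitdefender report. The sample log lines are
constructed; the %AD soft-hyphen trick is the known exploitation vector.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# "%AD" followed by a letter is the soft hyphen standing in for "-<option>".
SOFT_HYPHEN_OPT = re.compile(r"%ad[a-z]", re.IGNORECASE)
# php.ini directives an attacker sets with -d to reach code execution.
DANGEROUS_INI = ("allow_url_include", "auto_prepend_file", "disable_functions")


def classify_request(target: str) -> list:
    """Reasons why a request target looks like a CVE-2024-4577 attempt."""
    reasons = []
    _path, _, query = target.partition("?")
    if SOFT_HYPHEN_OPT.search(query):
        reasons.append("soft hyphen (%AD) used as php-cgi option prefix")
    decoded = unquote(query).lower()
    hits = [k for k in DANGEROUS_INI if k in decoded]
    if hits:
        reasons.append("php.ini override via " + ", ".join(hits))
    return reasons


def scan_log(lines) -> list:
    """Return one alert per matching log line; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "method": m["method"],
                           "target": m["target"], "reasons": reasons})
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2025:10:02:15 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.10 - - [12/Mar/2025:10:03:44 +0000] "GET /test.php?%ADs HTTP/1.1" 200 9001',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ip"], a["method"], a["target"], "->", "; ".join(a["reasons"]))
```

Point `scan_log()` at the lines of an Apache or IIS log in combined format. A 200 response to the POST variant with `auto_prepend_file=php://input` is the case to treat as a confirmed compromise rather than a probe; the `%ADs` form (`-s`, source display) is the reconnaissance version of the same trick.
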
cyclone (Admin), post #12

                          Windows 11 Trick Bypasses Microsoft Account Requirement

                          Microsoft continues pushing users toward Microsoft Accounts in Windows 11 by removing workarounds like the BypassNRO.cmd script. However, a newly discovered method makes bypassing this restriction easier than ever — and it still works as of April 2025.

                          Discovered by user Wither OrNot and confirmed by BleepingComputer, this method lets you create a local account during installation without modifying the registry or using external scripts.

                          Here’s how it works:

                          During setup, when Windows 11 prompts “Let’s connect you to a network,” press Shift+F10 to open Command Prompt.

                          Run the following command:

                          start ms-cxh:localonly
                          

                          This opens a hidden local user setup screen, allowing you to bypass Microsoft Account requirements entirely.

                          Complete setup as normal — the system will continue using your new local account.

                          After setup, you can verify this under the Start menu → account icon — it’ll show a local user, not a connected MS account.

                          Source:
                          https://www.bleepingcomputer.com/news/microsoft/new-windows-11-trick-lets-you-bypass-microsoft-account-requirement/

cyclone (Admin), post #13

                            ChatGPT Outage: Service Down Worldwide with “Something Went Wrong” Error

                            Bleeping Computer is reporting that ChatGPT is currently experiencing a global outage, affecting users across the U.S., Europe, Asia, and beyond. Users are reporting repeated "Something went wrong" errors when trying to interact with the AI. The issue persists despite retries and refresh attempts. OpenAI has not yet issued an official statement. This is a developing story — check the source link below for updates.

                            Source:
                            https://www.bleepingcomputer.com/news/artificial-intelligence/chatgpt-is-down-worldwide-with-something-went-wrong-error/

                            Downdetector:
                            https://downdetector.com/status/openai/

                            OpenAI Status Page:
                            https://status.openai.com/
cyclone (Admin), post #14

                              State Bar of Texas Confirms Data Breach Following INC Ransomware Claim

                              The State Bar of Texas has confirmed a data breach after the INC ransomware gang claimed responsibility and began leaking stolen data. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to internal systems and the theft of unspecified personal and professional information.

                              The Bar, which serves over 100,000 licensed attorneys, issued notification letters to affected members and is offering free credit monitoring and identity protection through Experian. The INC gang listed the organization on its dark web leak site on March 9, publishing legal case documents as alleged proof.

                              While it remains unverified if the leaked data came directly from the Bar's systems, recipients are being urged to remain vigilant, consider a credit freeze or fraud alert, and enroll in protection services before July 31, 2025. The State Bar has yet to comment publicly on the extent of the damage or respond to inquiries about the legitimacy of the leaked documents.

                              Source:
                              https://www.bleepingcomputer.com/news/security/texas-state-bar-warns-of-data-breach-after-inc-ransomware-claims-attack/

cyclone (Admin), post #15

                                Critical RCE Vulnerability Found in Apache Parquet – CVE-2025-30065

                                A maximum severity remote code execution (RCE) vulnerability has been discovered in Apache Parquet, impacting all versions up to 1.15.0. Tracked as CVE-2025-30065, the flaw has received a CVSS v4 score of 10.0, the highest possible.

                                The issue stems from unsafe deserialization in the Parquet-Avro module, allowing attackers to execute arbitrary code when a crafted Parquet file is imported into a vulnerable system. While exploitation requires a user to process a malicious file, the widespread use of Parquet across big data platforms like Hadoop, AWS, Azure, and GCP increases the attack surface significantly.

                                Apache has patched the issue in version 1.15.1, and all users are urged to upgrade immediately. Organizations unable to upgrade should avoid untrusted files, validate inputs rigorously, and increase monitoring around systems processing Parquet data.

                                This vulnerability was responsibly disclosed by Amazon researcher Keyi Li and highlights the ongoing risks posed by untrusted data ingestion in analytics and data engineering environments.

                                No active exploitation has been observed yet, but the potential impact is severe. Admins and developers using Parquet in any form should treat this as a high-priority fix.

                                Source:
                                https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/

freeroute (Moderator), post #16

Gmail Is Not a Secure Way to Send Sensitive Comms: A Friendly Reminder

New end-to-end Gmail encryption alone isn't secure enough for an enterprise's most sensitive and prized data, experts say.

On April 1, The Washington Post reported that US National Security advisers were using Gmail for official communications, including "highly technical conversations with colleagues at other government agencies involving sensitive military positions and powerful weapons systems relating to an ongoing conflict."

                                  The National Security Council pushed back, stressing Gmail was never used to send any classified materials. However, the news drew scrutiny in light of the recent revelations of the team's Signal leak of classified military information.

                                  The same day, Google announced its email service would implement a new Google Workspace feature and provide end-to-end encryption in Gmail.

                                  Source: Gmail Is Not a Secure Way to Send Sensitive Comms

cyclone (Admin), post #17

                                    Coinbase to Fix Confusing 2FA Error Message Causing Security Panic

                                    Coinbase is addressing a misleading error in its account activity logs that has alarmed users into thinking their accounts were under attack. The message — “2-step verification failed” — appears even when someone simply enters an incorrect password, leading many to believe their credentials were compromised.

                                    The confusion escalated after phishing attempts, with users logging in to find failed 2FA entries from unknown locations. This triggered a wave of password resets, malware scans, and concern over a potential breach.

                                    Coinbase has confirmed the message is misleading and is working on a fix, though no timeline has been provided. The issue is also being exploited in social engineering scams, reinforcing the need for vigilance. Coinbase reminds users: they will never contact you via call or text about account issues.

                                    Source:
                                    https://www.bleepingcomputer.com/news/security/coinbase-to-fix-2fa-account-activity-entry-freaking-out-users/

cyclone (Admin), post #18

                                      Hack The Box “Ghost” Challenge Cracked: Technical Walkthrough by 0xdf

                                      Cybersecurity researcher 0xdf has successfully solved the “Ghost” challenge on Hack The Box and published a highly detailed exploit write-up. The post covers each phase of the attack — from initial reconnaissance using Nmap, to exploiting a directory traversal vulnerability, discovering hardcoded credentials, and escalating to root via a misconfigured cron job.

                                      This real-world style scenario highlights serious security missteps like insecure input validation and writable root-level tasks. The challenge and exploit offer practical insights for both pentesters and sysadmins, showcasing how minor oversights can lead to full system compromise. A must-read for anyone interested in offensive security or infrastructure hardening.

                                      Source:
                                      https://gbhackers.com/hack-the-box-ghost-challenge-cracked-a-detailed-technical-exploit/

                                      Walkthrough:
                                      https://0xdf.gitlab.io/2025/04/05/htb-ghost.html

cyclone (Admin), post #19

                                        Google Launches "Sec-Gemini" AI to Supercharge Threat Intel and Incident Response

                                        Google has unveiled Sec-Gemini v1, an experimental AI model that blends the power of its Gemini LLM with real-time security intelligence from Mandiant, GTI, and OSV. Designed to elevate threat detection and incident analysis workflows, Sec-Gemini outperforms rivals in benchmarks like CTI-MCQ and CWE mapping by over 10%.

                                        The model can identify threat actors, assess vulnerabilities, and analyze root causes with high accuracy — and it’s being made available to vetted researchers and institutions for testing. A promising leap forward in AI-driven cybersecurity operations.

                                        Source:
                                        https://www.securityweek.com/google-pushing-sec-gemini-ai-model-for-threat-intel-workflows/

cyclone (Admin), post #20

                                          US OCC Alerts Congress to Major Email Breach Exposing Sensitive Financial Oversight Data

                                          On April 8, 2025, the US Office of the Comptroller of the Currency (OCC) reported a major security incident to Congress involving unauthorized access to internal emails and attachments. Discovered in February, the breach exposed sensitive data used in financial institution oversight. Over 100 OCC employees’ inboxes were compromised, affecting more than 150,000 emails. The OCC is collaborating with the Treasury and third-party cybersecurity experts to assess the impact and remediate security weaknesses. No financial sector impact has been reported so far.

                                          Source:
                                          https://www.pymnts.com/cybersecurity/2025/occ-notifies-congress-of-major-security-incident-involving-email-access/
