New Details on TinyTurla’s Post-Compromise Activity Reveal Full Kill Chain

Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO).

Threat Actors Leverage Document Publishing Sites for Ongoing Credential and Session Token Theft

Threat actors are exploiting legitimate digital document publishing (DDP) sites to host phishing lures, making it harder for traditional security controls to detect and block these attacks.

Cisco Secure Client Carriage Return Line Feed Injection Vulnerability Patched

The vulnerability impacts Secure Client for Windows, Linux, and macOS, and has been addressed in specific versions, with Amazon security researcher Paulos Yibelo Mesfin credited with discovering and reporting the flaw.

TimbreStealer Campaign Targets Mexican Users with Financial Lures

The malware ships with embedded modules for orchestration, decryption, and protection, performs checks to avoid sandbox environments, and targets specific industries such as manufacturing and transportation.

Astaroth, Mekotio, and Ousaban Abusing Google Cloud Run in LATAM-Focused Malware Campaigns

Google Cloud Run is being exploited by threat actors to distribute banking trojans, with a significant increase in malicious email campaigns observed since September 2023 targeting victims in Latin America, Europe, and North America.

Turla APT Spies on Polish NGOs Using TinyTurla Next Generation Backdoor

The TinyTurla-NG backdoor uses compromised WordPress websites as command and control endpoints and deploys PowerShell scripts to exfiltrate key material used to secure password databases, indicating a concerted effort to steal login credentials.

New Zardoor Backdoor Used in Long-Term Cyber Espionage Operation Targeting an Islamic Organization

The threat actor maintained long-term access to the victim's network, evading detection by using living-off-the-land binaries, side-loading backdoors, and leveraging open-source reverse proxy tools like Fast Reverse Proxy (FRP) and Venom.

New Decryptor for Babuk Tortilla Ransomware Variant Released

Cisco Talos, in collaboration with Dutch Police and Avast, recovered a decryptor for the Babuk Tortilla ransomware variant, allowing users to quickly recover their encrypted files.

New SugarGh0st RAT Targets Uzbekistan Government and South Korea

The campaign involves the use of Windows Shortcut files embedded with malicious JavaScript to deliver the components of the trojan, and there are indications that a Chinese-speaking threat actor is behind the attacks based on the samples.

Arid Viper Disguising Mobile Spyware as Updates for Non-Malicious Android Applications

The malware used by Arid Viper shares similarities with a non-malicious dating app called Skipped, indicating a possible connection between the APT group and the app's developers.
