The Good

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code.

• Google announced its plan to implement NIST’s new post-quantum cryptography standards by adding quantum-resistant digital signature support to its Cloud KMS. The new PQC feature is now in preview as software-based, customer-managed encryption keys. This enhancement allows customers to perform PQC migrations and ensures that quantum computers cannot decrypt the new digital signatures. To aid organizations in adapting to these standards, Google is releasing open-source implementations through its crypto libraries BoringCrypto and Tink. 
• Apiiro's security researchers introduced two open-source tools to detect and prevent malicious code in software projects, aiming to mitigate supply chain attacks. The first tool is a comprehensive ruleset for Semgrep and Opengrep, designed to identify harmful code patterns with low false positives. The second tool, PRevent, is a GitHub-integrated scanner that detects and alerts on suspicious code in pull requests. The ruleset boasts a 94.3% detection accuracy for PyPI packages and 88.4% for npm packages, while PRevent successfully flags 91.5% of malicious pull requests. 
• Researchers at Imperial College London developed EARLYCROW, a new method for detecting APT command-and-control activities over HTTP(S). EARLYCROW identifies malicious network traffic using summaries derived from network packet captures. It introduces a new format called PAIRFLOW, which collects various attributes of network traffic to spot malicious patterns, even in encrypted communications. 
• The Dutch Police shut down the ZServers/XHost bulletproof hosting operation by taking offline 127 servers used for illegal activities. Authorities in the U.S., Australia, and the U.K also imposed sanctions on this provider for its role in cybercrime. Zservers was accused of enabling LockBit ransomware attacks and assisting in money laundering. Run by Russian nationals, it supported botnets and malware distribution. 
• A global law enforcement operation, Phobos Aetor, targeting the Phobos ransomware gang resulted in the arrest of two suspected hackers in Phuket, Thailand, and the seizure of dark web sites belonging to the 8Base operation. The suspects, two Russian men, are accused of hacking over 1,000 victims worldwide and extorting $16 million in Bitcoin. 
• PyPI launched Project Archival, a system for project publishers to indicate that no further updates will be made. Archived projects will remain available for download, but users will see a warning about their maintenance status to help them choose their dependencies wisely. This feature aims to boost supply-chain security by reducing the risk of attackers hijacking developer accounts and pushing harmful updates to abandoned projects. It also helps decrease user support requests by clearly stating the project's lifecycle status. 
• U.S. and Dutch authorities seized 39 domains and servers belonging to the HeartSender cybercrime group, based in Pakistan. This operation targeted a group known for selling hacking and fraud tools since 2020, causing losses of over $3 million in the U.S. HeartSender, also called Saim Raza and Manipulators Team, ran multiple marketplaces that sold key items like malware, phishing kits, and email extractors, along with providing training for using these tools.
• Five Eyes cybersecurity agencies from the U.K, Australia, Canada, New Zealand, and the U.S. published a guidance, recommending that manufacturers of network edge devices improve forensic visibility to help detect attacks and investigate breaches. They urged manufacturers to include robust logging and forensic features. Additionally, they recommended that organizations review minimum forensic visibility requirements before selecting network devices. 
• The U.K launched a new Cyber Monitoring Centre (CMC) to better measure cyber incidents with improved clarity and precision. This center uses methods similar to those used for natural disasters, like the Richter scale for earthquakes. The CMC has developed a specific methodology for evaluating cyber events, which includes gathering diverse data and categorizing incidents based on the affected population and financial impacts. Overall, the CMC strives to provide a comprehensive assessment of cyber incidents to improve understanding and responses in the cybersecurity landscape.

The Bad

China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. 

• The China-linked cyber espionage group, Salt Typhoon, used a custom-built utility called JumbledPath to spy on U.S. telecommunication providers, according to a report by Cisco Talos researchers. The group breached multiple telecom networks, including ISPs in the U.S. and Italy, a U.K-affiliated U.S. telecom, and providers in South Africa and Thailand. The group has also manipulated network settings and used JumbledPath to remotely capture packets, clear logs, and exfiltrate encrypted data.
• Trend Micro detected a series of cybersecurity incidents in Europe involving the Shadowpad malware, which is associated with various Chinese threat actors. The malware targeted at least 21 companies across 15 countries, with more than half of the targets being in the manufacturing industry. In some cases, the threat actor also deployed ransomware from an unreported family. The threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms. The malware is modular and has been updated with features such as anti-debugging techniques, encryption of the payload in the registry, and usage of DNS over HTTPS.
• The Ghost ransomware group has been exploiting software and firmware vulnerabilities as recently as January, according to an alert from the FBI and CISA. This group, also known as Cring and operating from China, targets internet-facing services with unpatched issues. They have compromised organizations in over 70 countries, including China. Vulnerabilities include unpatched Fortinet appliances, Adobe ColdFusion servers, and exposed Microsoft Exchange servers. Victims have included critical infrastructure, schools, healthcare, and small businesses. Ghost typically spends only days on victim networks, using common hacking tools and malware.
• The threat actors UNC5792 and UNC4221 were identified as two Russian cyber-espionage groups targeting Signal, focusing on individuals likely involved in sensitive military and government communications related to the war in Ukraine. UNC5792 uses malicious QR codes in invitations to Signal groups, while UNC4221 employs a phishing kit mimicking a military app to deceive users. Google also mentioned that similar tactics were directed at Telegram and WhatsApp, where Russian groups, including Star Blizzard, have targeted accounts of government officials.
• ASEC observed an increase in the distribution of the ACRStealer info-stealer, which is often disguised as illegal software such as cracks and keygens. This malware uses a technique called Dead Drop Resolver (DDR) to obtain the actual C2 domain address, with Google Docs being a common intermediary C2 platform. The malware targets various data including browser data, cryptocurrency wallet files, and VPN information, which are then transmitted to the C2.
• The Sandworm Russian military cyber-espionage group targeted Windows users in Ukraine by using trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. The attackers used a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, connected to previous Sandworm activities. Researchers identified seven malware distribution campaigns with similar tactics. 
• Cybersecurity researchers found two malicious ML models on Hugging Face, which used unusual "broken" pickle files to avoid detection. These files contained malicious Python content at the start, creating a reverse shell connection to a specific IP address. This method, called nullifAI, tries to bypass security measures against malicious models. The models are believed to be proof-of-concept rather than part of an active attack. The detected models are in PyTorch format, compressed with 7z, avoiding detection by security tools.
• A sophisticated cyberattack abused vulnerabilities in SimpleHelp RMM software. Attackers exploited these bugs to access target networks and deploy the Sliver backdoor. The attack involved fast execution of various tactics, such as discovering the network and creating administrator accounts. It started with a threat actor breaching a SimpleHelp RMM client called JWrapper-Remote Access from an IP address in Estonia, which avoided detection by standard security measures. 
• Sucuri identified a cybersecurity incident involving credit card data theft from a Magento-based eCommerce website, and traced the malware to a Google Tag Manager (GTM) script. The malware was found in the website's database and included obfuscated code that appeared legitimate but was actually designed to steal sensitive information during checkout. A backdoor was discovered in the website's media folder and At least six websites were infected with the same GTM ID.
• The CISA added several vulnerabilities to its KEV catalog, including issues in Microsoft Outlook and Sophos XG Firewall. Notable flaws include CVE-2024-21413 in Outlook, which has a CVSS score of 9.8 and allows remote code execution, and CVE-2020-15069 in Sophos XG Firewall, also with a CVSS score of 9.8. Federal agencies must address these by February 27, and private organizations are advised to review and fix these vulnerabilities as well.

New Threats

A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

• A new, highly sophisticated payment card skimming campaign was discovered, which exploits Stripe's deprecated API to verify card details before stealing them, ensuring only valid information is taken while maintaining a normal user experience to evade detection. The attack begins with a compromised first-party script that uses two known malicious domains as initial distribution points for the skimming payload. The attack is notable for its selective validation process, which intercepts legitimate payment form submissions, creates a perfect visual replica of the Stripe payment elements, validates captured card data through Stripe’s API before exfiltration, and maintains the original purchase flow to avoid detection.
• ASEC discovered a new distribution method for the LummaC2 malware, which is disguised as a cracked version of the Total Commander file management tool for Windows. The malware is distributed through a series of page transitions on Google Collab Drive and Reddit, with the attack specifically targeting users looking to download cracked software. The malware is heavily obfuscated and compressed using NSIS and AutoIt scripts. When executed, it infects the system with LummaC2. The malware is primarily disguised as illegal programs such as cracks and serials, and when a system is infected, sensitive information such as browser-stored account credentials and email credentials are sent to the threat actor's C&C server.
• A new ransomware called NailaoLocker has been found in attacks on European healthcare organizations from June to October 2024. These attacks used a vulnerability in Check Point Security Gateway (CVE-2024-24919) to access networks and deploy ShadowPad and PlugX malware, linked to Chinese state-sponsored threat groups. NailaoLocker is considered basic because it doesn't shut down security processes and lacks advanced evasion techniques.The malware is delivered through DLL sideloading and encrypts files with the AES-256-CTR method.
• A newly identified malware called Ratatouille (or I2PRAT) raised concerns due to its clever ways of bypassing UAC and using I2P for anonymous communications. The malware spreads through phishing emails or fake CAPTCHA pages. When a victim runs an embedded PowerShell script, a loader is activated, using advanced techniques to raise privileges and evade defenses. Although it initially exploited a Windows RPC mechanism, recent security patches have needed it to switch to other methods like process migration.
• A new, advanced version of the Snake Keylogger malware has been discovered, which has led to over 280 million blocked infection attempts globally. The malware is primarily spread through phishing emails with malicious links or attachments, collects data by capturing keystrokes and extracting credentials from popular browsers, and transmits this data to C2 servers via encrypted channels. It also uses AutoIt scripting to bypass antivirus. The threat is global, with the highest concentrations of infection reported in China, Turkey, Indonesia, Taiwan, and Spain.
• Trend Micro spotted a new Earth Preta campaign that has been using a tool called Microsoft Application Virtualization Injector to inject malicious payloads into a program called waitfor.exe when ESET antivirus is detected. The attack drops multiple files, including both legitimate and malicious programs, and uses a fake PDF to mislead the victim. The malware, which is a modified version of a backdoor called TONESHELL, is disguised as a legitimate Electronic Arts application and connects with a command-and-control server to send out data.
• The China-linked threat actor known as Winnti started a new campaign called RevivalStone that targeted Japanese companies in manufacturing, materials, and energy sectors in March 2024. The latest attack chain exploited an SQL injection vulnerability in an ERP system to drop web shells and deliver an improved version of the Winnti malware. The intrusion was expanded to breach a managed service provider and propagate the malware further. The new Winnti malware has been updated with obfuscation, updated encryption algorithms, and evasion by security products.
• Proofpoint discovered a new malware campaign that distributes a new Apple macOS malware called FrigidStealer. This campaign is attributed to a previously undocumented threat actor known as TA2727, which also distributes malware for other platforms such as Windows and Android. The malware campaign targets users based on their geography or device, serving different payloads accordingly. FrigidStealer is installed on macOS devices and requires users to explicitly launch the unsigned app to bypass Gatekeeper protections. It then steals sensitive information from web browsers, Apple Notes, and cryptocurrency related apps.
• Threat hunters discovered a new attack targeting the foreign ministry of an unnamed South American country using custom malware for remote access. Detected in November 2024, this activity is linked to a group called REF7707, which also targeted a telecommunications firm and a university in Southeast Asia. The first executed file, known as PATHLOADER, allows for running encrypted commands from an external server. The injected malware, FINALDRAFT, is a sophisticated remote administration tool that utilizes Microsoft's Outlook for communication and can execute PowerShell commands discreetly.
• A new Android RAT called BTMOB RAT has been discovered, targeting users through phishing sites. This malware is an upgraded version of SpySolr RAT, focusing on remote control, credential theft, and data exfiltration, posing a serious risk to Android users. BTMOB RAT is spread mainly through fake sites mimicking popular services, like iNat TV and bogus cryptocurrency platforms. A malicious APK named lnat-tv-pro.apk was found on the phishing site hxxps://tvipguncelpro[.]com/. The malware features live screen sharing, file management, audio recording, keylogging, and credential theft via web injections, utilizing Android’s Accessibility Service for control.
• A new gang called Triplestrength has been found infecting computers with ransomware and taking over cloud accounts to mine cryptocurrency. Triplestrength has been involved in ransomware attacks since at least 2020, targeting on-premises systems instead of cloud infrastructure. The team has used Windows malware such as LokiLocker, Phobos, and RCRU64, which are leased under a RaaS model. The group also uses tools like Mimikatz and NetScan. 
• Threat analysts have discovered a new risk: a version of the SystemBC RAT that is now targeting Linux-based systems. The updated SystemBC RAT is designed to be stealthy and hard to detect, using encrypted communication to avoid detection and allow attackers to navigate compromised systems freely. The SystemBC RAT acts as a proxy implant, facilitating lateral movement within a network without needing easily detectable tools. It typically works alongside other malware, raising the risk of ransomware attacks and data theft in Linux environments.
• A new cybersecurity threat called FinStealer emerged, targeting customers of a major Indian bank through fake mobile applications. This malware uses advanced methods to steal sensitive financial and personal information, including banking login details and credit card numbers. It spreads through phishing links and unofficial app stores, mimicking real banking apps to trick users. The goal of this campaign is financial gain through credential theft and unauthorized transactions. Researchers have found connections to a website hosting fake bank apps, enhancing the risks to users.
• Morphisec found a new version of the ValleyRAT malware, which uses advanced evasion tactics and targets computer systems. This malware is distributed through phishing emails, messaging apps, and hacked websites, focusing on high-profile individuals in finance, accounting, and sales to steal sensitive information. The new variant spreads through a fake download of a Chrome browser from a fraudulent Chinese telecom website. It uses a .NET executable to check for admin rights and download more malware components. The malware injects itself into legitimate processes to operate secretly, using names that seem normal to avoid attracting attention. 
• SentinelOne found new variants of a macOS malware family, named FlexibleFerret, used by North Korean threat actors in schemes centered around fake job interviews. This malware is part of the Contagious Interview campaign. Typically, targets are directed to click a link which gives an error message and prompts them to install software like VCam or CameraAccess for virtual meetings. FlexibleFerret is particularly deceptive, as it was signed with a valid Apple Developer signature, although this signature has since been revoked. The ongoing campaign targets employers and developers on job search platforms. 
• A new malware called ELF/Sshdinjector.A!tr has been linked to the DaggerFly espionage group, targeting Linux-based network devices for data theft. The dropper checks for existing infections and deploys malicious files if none are found. It replaces essential binaries with infected versions to maintain access. Key features include overwriting system binaries, remote control through an altered SSH library, extracting sensitive information, executing commands from attackers, and encrypted communication. 
• Forcepoint’s X-Labs research team discovered a new malware campaign using AsyncRAT with Python scripting and TryCloudflare tunnels to stealthily deliver harmful payloads. The campaign starts with a phishing email that contains a Dropbox link, leading to a ZIP file. This file has a shortcut that redirects to a TryCloudflare link. The attack involves several steps: the shortcut leads to an LNK file, which triggers PowerShell scripts to get an obfuscated JavaScript file. This links to a ZIP file with a Python script that runs malicious code.