Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
 
 
Read CYFIRMA’s latest geo-political analysis, regarding Trump’s continued disruption of the world order, calling U.S. alliances into question while an emboldened China prepares for war over Taiwan. Link to the Research Report: https://www.cyfirma.com/research/while-trump-disrupts-the-world-order-china-prepares-for-war-over-taiwan/ #Geopolitics #CYF…
 
A high-risk Android malware poses a serious threat by targeting banking apps, bypassing screenshot protections through UI reconstruction to steal sensitive financial data. It records live screen activity, captures video and audio in real time, collects SMS messages, contacts, call logs and files, and silently auto-grants all permissions. Once installed, it takes full c…
 
Stay ahead of evolving ransomware threats with CYFIRMA’s April 2025 Ransomware Report. Last month revealed shifting dynamics—Qilin surged by 71%, while Play and DragonForce increased by 75% and 25% respectively. Despite a 29% drop in total incidents from March, the Manufacturing, IT, and Consumer sectors remained heavily targeted. The U.S. topped t…
 
CYFIRMA’s latest threat report reveals the workings of PupkinStealer, a .NET-based information stealer designed to extract a focused set of sensitive data from victim systems. Targeting browser credentials, desktop files, Telegram and Discord sessions, and screenshots, the malware compresses all stolen content into a ZIP archive and exfiltrates it …
 
Geopolitical tensions between Algeria and Morocco have reignited over the Western Sahara issue. Hacktivist groups have exacerbated the situation by targeting each other’s critical infrastructure. Algerian hacktivists claimed to have breached Morocco's CNSS, while Moroccan hacktivists alleged they had hacked and leaked data from Algeria's MGPTT. Ho…
 
A new threat is on the rise - Gunra Ransomware. This sophisticated ransomware not only encrypts files but also exfiltrates sensitive data, threatening to leak the data unless the ransom is paid. Read the latest report from the CYFIRMA research team to learn more! Stay informed and safeguard your systems! Link to the Research Report: https://www.cyf…
 
Donald Trump’s new tariffs promise to revive American manufacturing, but evidence shows they are more likely to raise prices, reduce competitiveness, deter investment, and fuel geopolitical instability. The vision of millions of factory jobs ignores automation, labor shortages, and global supply chains. Instead of revitalizing the industry, tariffs…
 
Read CYFIRMA’s report on the Hannibal Stealer, a rebranded variant of SHARP and TX Stealers, which has re-emerged with expanded data exfiltration capabilities and an updated command-and-control infrastructure. Hannibal Stealer is built in C# on the .NET framework. It targets a wide range of data sources, including browsers, cryptocurrency wallets, …
 
A New Breed of Python-Based RATs is Abusing Discord for C2. The CYFIRMA research team has investigated an emerging class of Python malware that is turning popular platforms into weaponized control panels. One recent variant showcases just how accessible and disruptive these tools have become. This lightweight Remote Access Trojan (RAT) uses Discord …
 
Cybercriminals are impersonating trusted business executives and financial experts to trap unsuspecting investors. These scammers are creating fake investment firms with fraudulent registration details, professional-looking websites and manipulated social media engagement to appear legitimate. They are actively using Telegram channels, WhatsApp gro…
 
The CYFIRMA research team provides a comprehensive analysis of how diplomacy, defense, and digital strategy are colliding: As trade friction intensifies especially under the 2025 U.S. tariff regime, cyberspace is becoming the frontier of quiet competition between traditional allies. While full-scale cyber warfare remains unlikely, behind-the-scenes…
 
U.S. President Donald Trump, once a critic but now a supporter of TikTok, is granting the app’s China-based parent company, ByteDance, a second 75-day extension to finalize a deal that would transfer ownership of TikTok to an American entity. While the legislation allowed only one extension for a sale, the U.S. Congress has yet to push back against…
 
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – March 2025. The month of March saw shifting dynamics, with Safepay experiencing a huge surge of 223%, while RansomHub and Akira declined. Babuk2 has possibly leveraged fake extortion claims. Manufacturing, IT, and Consumer sectors remained prime targets as total in…
 
CYFIRMA researchers have identified a dangerous new version of Neptune RAT being actively shared online. This malware spreads through GitHub, Telegram, and YouTube, often advertised as the "Most Advanced RAT." The attack starts when victims run malicious PowerShell commands. First, the "irm" command downloads harmful code from the file hosting webs…
 
CYFIRMA’s research team has conducted an in-depth investigation into Konni RAT, a sophisticated remote access trojan (RAT) that uses advanced evasion techniques to bypass detection. It exploits Windows features, such as file extension hiding and the 260-character limit for LNK files, to conceal malicious activity. After gaining access, Konni RAT ma…
 
Hackers are leveraging Python-based Discord RATs to exploit Discord’s API as a Command and Control (C2) platform. This sophisticated malware allows attackers to gain complete control over compromised systems, making it a serious cybersecurity risk. Its capabilities include: stealing credentials from browsers; executing remote system commands; capturing live screenshots for surveill…
 
The CYFIRMA research team has identified a fake Indian Post Office website leveraging the Clickfix technique to target Indian users. The report details how a Pakistani threat actor is targeting both Windows and Android users by dropping APK files for Android devices, copying PowerShell commands to the clipboard, and dropping Clickfix instructions p…
 
Critical Alert: Immediate action is required for all organizations using Apache Tomcat! CVE-2025-24813 is a critical Remote Code Execution (RCE) vulnerability that allows attackers to bypass security controls via a path equivalence flaw, leading to arbitrary code execution. Active exploitation has been observed, with public PoC exploits available, …
 
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – February 2025. Ransomware activity surged by 87.45% in February, with Cl0p witnessing an alarming 453% rise. Manufacturing, FMCG, and Transportation sectors faced the highest spike in attacks. The U.S. remained the top target, followed by Canada, the U.K., Ge…
 
Hacktivists often become active participants in cyber conflicts whenever geopolitical tensions arise. This has been evident during events like the Israel-Palestine conflict and the Russia-Ukraine war. Recently, tensions flared between Malaysia and Indonesia following the death of a migrant worker attempting to cross the Malaysian border with four o…
 
The CYFIRMA research team has identified a new ransomware variant named LithiumWare, showcasing advanced capabilities designed to disrupt, encrypt, and steal. Key Features of LithiumWare: Data Theft: Exhibits activities indicative of stealing personal data, including detecting crypto-addresses. Persistence: Creates files in the startup directory, manipu…
 
China's DeepSeek recently shocked the AI world, challenging US dominance and raising serious security concerns. Did US export controls backfire, fuelling China's AI rise and a new era of cyber threats? Link to the Research Report: https://www.cyfirma.com/blogs/deepfake-or-the-sputnik-moment-in-the-ai-race/ #Geopolitics #CyfirmaResearch #ThreatIntel…
 
Cybercriminals have developed a new sophisticated method to distribute malware via fake CAPTCHA pages, tricking users into executing malicious scripts. Our investigation reveals that the Lumma Stealer is leveraging this tactic to harvest sensitive data, including credentials, cryptocurrency assets, and credit card info. Link to the Research Report:…
 
This report explores a fake financial management app on the Google Play Store named Finance Simplified, which has been downloaded over 100,000 times. The app reportedly downloads an additional fraudulent loan application targeting Indian users. Once installed, users attempting to secure loans are subjected to cyber blackmail and bullying. The malic…
 
The cyber threat landscape is evolving, with hackers deploying multi-stage malware using obfuscation, steganography, and covert communication channels to evade detection. Attacks start with an Obfuscated JavaScript, fetching encoded commands from a URL and executing an obfuscated PowerShell script, downloading a JPG image and obfuscated text file c…
 
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – January 2025 Report. January witnessed 510 ransomware victims globally, with Akira emerging as the most active group while new threats like MORPHEUS surfaced. The Manufacturing sector was the most targeted, and the USA remained the top victim region wi…
 
Our Q4 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups across Iran, North Korea, Russia, and China. These groups intensified operations with a sharp focus on credential theft through phishing, MFA push-bombing, and fake job scams. RomCom (Russia) and Lazarus (North Korea) exploited zer…
 
A malware disguised as a banking app is spreading through phishing and unofficial app stores. Built with Kotlin, this malware steals personal info and card details, leaking everything to criminals via Telegram bots and hidden servers. Stay safe! Only download apps from official stores, check permissions and NEVER share sensitive info on unsecured p…
 
Flesh Stealer, a newly identified malware first observed in August 2024 and written in C#, targets browsers like Chrome, Firefox, and Edge to harvest saved passwords, cookies, and browsing history. It also extracts data from applications such as Telegram and Signal, including stored chats and databases. Interestingly, it avoids executing on systems…
 
Astral Stealer: A Sophisticated Threat! Our latest research uncovers Astral Stealer, a powerful malware designed to exfiltrate sensitive data using browser injections, credential dumping, and sophisticated evasion techniques. As a publicly available threat, it provides cybercriminals with the means to bypass security defenses and exploit vulnerable…
 
New Ransomware Alert: "Windows Locker". A new .NET-based ransomware strain, Windows Locker, is making waves with its advanced tactics; read the CYFIRMA research team's full report for a comprehensive analysis. Encryption: Files are encrypted with the .winlocker extension. Ransom Note: Victims receive a Readme.txt file with instructions to conta…
 
A critical SQL injection vulnerability (CVE-2024-45387) has been discovered in Apache Traffic Control's Traffic Ops component, impacting versions 8.0.0 and 8.0.1. Attackers with high-level roles (admin, federation, operations, portal, steering) can execute malicious SQL queries, risking data compromise, privilege escalation, and service disruption.…
 
The CYFIRMA team has analyzed malware linked to the Indian APT group DONOT, uncovering its use of a deceptive app called “Tanzeem” to gather intelligence under the guise of a chat platform. The app shuts down after permissions are granted, suggesting a targeted approach. Two analyzed versions, from October and December, showed minimal differences, …
 
The swift fall of the Syrian regime caught major players off guard, including Russia and Iran, who heavily invested in propping up the state. While the USA considers withdrawal, Turkey is positioned to greatly increase its influence, while Iran and Russia suffer a significant strategic blow and might start relying more heavily on their cyber capabili…
 
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – December 2024 Report. The report highlights key trends, including a 12.38% decrease in ransomware attacks compared to November, alongside the rise of new groups like Funksec, which targeted VMware ESXi hypervisors and Windows servers. Critical vulnerabil…
 
At CYFIRMA, we continuously analyze the tactics and techniques employed by threat actors. One such technique is Remote Template Injection, which exploits Microsoft Word's template functionality to bypass traditional defenses. Used by Advanced Persistent Threat (APT) groups, this method disguises malicious payloads in seemingly harmless documents, m…
 
Introducing FireScam: A New Android Malware Threat. The CYFIRMA research team has uncovered a new, sophisticated Android malware, FireScam, an advanced information-stealing malware with spyware capabilities. Disguised as a fake ‘Telegram Premium’ app, this malware is spread through phishing websites and targets users with the intent to steal sensi…
 
A critical vulnerability, CVE-2024-10914, has been discovered in unsupported D-Link devices, including DNS-320, DNS-320LW, DNS-325, and DNS-340L. With over 60,000 devices potentially exposed and nearly 1,100 actively exploited since Nov 12, 2024, attackers are leveraging this flaw to steal data, deploy ransomware, and compromise networks. If you’re…
 
The CYFIRMA research team is proud to offer insights into the increased cyber risks the holiday season brings! Stay alert, verify offers, and keep your information safe! As the year-end season approaches, watch out for scammers using advanced tactics. Phishing emails might offer irresistible deals but could contain malicious links - always verif…
 
Cybercriminals are stepping up their game with Bizfum Stealer, a highly sophisticated malware targeting sensitive data such as browser credentials, files, and Discord tokens. It utilizes advanced encryption techniques and Telegram bots for stealthy data exfiltration. 1. It extracts browser passwords, cookies, and saved credentials. 2. Screenshots a…
 
The UK faces an escalating cyber threat landscape dominated by sophisticated Russian actors, including state-affiliated groups like Sandworm and APT29, as well as privateer entities operating with Kremlin leniency. To learn more about the Russian cyber threat to the UK, read the full report. Link to the Research Report: RUSSIA AS A THREAT ACTOR IN …
 
Stay ahead of cybersecurity trends with CYFIRMA's November 2024 Ransomware Report. Ransomware incidents rose by 15.65%, affecting 606 victims worldwide. Emerging groups like Chort, Ymir, and SafePay deployed advanced techniques. Ransomware groups are seen exploiting critical vulnerabilities like Veeam Backup systems and targeting weekends for reduc…
 
Our team at CYFIRMA analyzed a malicious Android sample used in a targeted attack leveraging the Spynote Remote Administration Tool (RAT). We believe that the threat actor behind the targeted attack could be an APT. Delivered via WhatsApp with payloads disguised as apps like "Best Friend" and "Friend," the attack aimed to compromise high-value asse…
 
Taking control of the White House and Congress gives Republicans a rare opportunity to change the course of the country. How will Donald Trump wield that power during a second term, and will that impact cyber? The following blog post will try to summarize what we know so far, what we can likely expect, and what will be the fallout in the cyber real…
 
CYFIRMA's latest research highlights the emerging threat of the Parano Malware Family, which includes Parano Stealer, Ransomware, and Screen Locker. Developed by the cybercriminal group Paranodeus, these tools target sensitive data using advanced techniques for persistence and evasion. Despite bans on their initial distribution channels, Paranodeus…
 
Cyberattacks Hit Morocco: A Wake-Up Call for Cybersecurity! Morocco has been hit with a series of cyberattacks from groups like Anonymous Algeria and EvilBbyte, with motives rooted in the long-standing dispute over the Western Sahara region. These hackers are targeting everything from government websites to critical infrastructure, and it’s all tie…
 
Helldown ransomware is spreading fast, targeting key industries like Real Estate, IT, Manufacturing, and Healthcare. The ransomware targets both Windows and Linux systems, exploits known vulnerabilities, and encrypts files. First spotted in August 2024 by CYFIRMA, Helldown has already impacted businesses in 11 countries, with the USA and Germany be…
 
Hexon Stealer is a variant of Stealit Stealer, which itself is derived from Fewer Stealer. Rebranding and code reuse are common practices among malware developers. Stealer devs often create Telegram or Signal channels to market their stealers, attracting a significant user base by promoting them across various platforms. The CYFIRMA research team’s…
 
The CYFIRMA Research team provides insights into a severe flaw in Grafana (versions <11.0.5, 11.1.6, 11.2.1), which allows low-privilege users to execute arbitrary commands, risking sensitive data exposure and system compromise. Threat actors are also actively discussing and sharing exploits in underground forums. Link to the Research Report: CVE-2…
 