Sygnia investigates Weaver Ant, a stealthy China-nexus threat actor targeting telecom providers. Learn how web shells enable persistence and espionage.

In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.

An investigation into buying access to browsers through extensions

One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services.

This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.

India's Tata Technologies has disclosed a ransomware attack affecting its IT assets.

ICAO says the incident was allegedly linked to a hacker 'known for targeting international organizations'

BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers. On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised. BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.
12/12/24 While the security incident forensics investigation remains ongoing, there are no material updates to provide at this time. We continue to pursue all possible paths as part of the forensic analysis, with the assistance of external forensic parties, to ensure we conduct as thorough an investigation as possible. We continue to communicate, and work closely with, all known affected customers. We will continue to provide updates here until our investigation is concluded.

Smartphone apps downloaded from Apple and Google can allow parents and other abusers to connect with pedophiles who pay to watch — and direct — criminal behavior.

iVerify’s Mobile Threat Hunting finds Pegasus spyware is more prevalent and capable of infecting a wide range of devices, not just devices of high-risk users.

Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices

Austrian security authorities have identified a Swiss man as the suspect in a series of emails containing bomb threats.

One of Russia’s most prominent pro-democracy organisations, the Free Russia Foundation, announced that it was investigating a potential cyberattack on Friday, following a leak of thousands of emails and documents related to its work.

First and foremost, our thanks go to the threat research team at Silent Push and the security team at Stark Industries Solutions (referred to as “Stark” from this point forwards) for their enthusiastic cooperation in the ‘behind the scenes’ efforts of this blog post.IntroductionIn our opening statement, we also introduce the subject of this post: the cross-team and cross-organization collaborative efforts of Silent Push, Stark, and Team Cymru in taking action against a common and well-known adve

• Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. Even though it only recently appeared, it has already been noticed in attacks, including those targeting our customers.
• The developer of Styx Stealer was found to be linked to one of Agent Tesla threat actors, Fucosreal, who was involved in a spam campaign also targeting our customers.
• During the debugging of Styx Stealer, the developer made a fatal error and leaked data from his computer, which allowed CPR to obtain a large amount of intelligence, including the number of clients, profit information, nicknames, phone numbers, and email addresses, as well as similar data about the actor behind the Agent Tesla campaign.

people frequently reach out to me with companies to look into. usually it takes me about 10 minutes before i move on for one reason or another—it's not interesting for a story or has good security, for example. i didnt expect anything different when an acquaintance told me about Tracki, a self-proclaimed "world leader in GPS tracking" that they suspected could be used nefariously.

at first glance, Tracki appeared to be a serious company, maybe even one that cared about security. we could never have guessed what was about to unfold before us.

half a year into our investigation, we'd found it all: a hidden conglomerate posing as five independent companies, masked from governments and customers alike through the use of dozens of false identities, US letterbox companies, and an undeclared owner. a 90s phone sex scheme that, through targeting by one of hollywood's most notorious fixers, spiraled into a collection of almost a hundred domains advertising everything from online dating to sore throat remedies. a slew of device-assisted murder cases, on top of potential data breaches affecting almost 12 million users, ranging from federal government officials to literal infants. and most importantly, a little-known Snoop Dogg song. how in the world did we get here?

starting our descent

• In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts execute various actions, including disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers.
• This report also highlights scripts responsible for erasing backups, wiping event logs, and managing the installation or removal of remote monitoring tools like Atera.
• Our investigation uncovered the use of additional tools, including Ngrok for proxy services, SystemBC, and two well-known command and control frameworks: Sliver and PoshC2.
• The observed servers show long term usage by the threat actors, appearing in The DFIR Report Threat Feeds as far back as September 2023. They have been active intermittently since then, with the most recent activity detected in August 2024.
• Ten new sigma rules were created from this report and added to our private sigma ruleset

Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server:

the European Commission will open an investigation into TikTok in the coming weeks over concerns that changes the firm made to comply with the bloc's Digital Services Act (DSA) were not enough to protect under-age users, Bloomberg News reported on Friday.
TikTok has not received notice from the European Commission of an investigation and is in regular dialogue with European Union authorities, a spokesperson told Reuters when asked about the Bloomberg report. The EC declined to comment.

1password detected suspicious activity following the Okta support system breach. After investigation, they determined no user data was accessed.

Sony has launched an investigation after a ransomware group claimed to have compromised all systems and offered to sell stolen data.