US-designated terrorist organization ELN oversees a vast digital operation that promotes pro-Kremlin and anti-US content.
The National Liberation Army (ELN), a Colombian armed group that also holds influence in Venezuela, has built a digital strategy that involves branding themselves as media outlets to build credibility, overseeing a diffuse cross-platform operation, and using these wide-ranging digital assets to amplify Russian, Iranian, Venezuelan, and Cuban narratives that attack the interests of the United States, the European Union (EU), and their allies.
In the 1960s, the ELN emerged as a Colombian nationalist armed movement ideologically rooted in Marxism-Leninism, liberation theology, and the Cuban revolution. With an army estimated to have 2,500 to 6,000 members, the ELN is Colombia’s oldest and largest active guerrilla group, with its operation extending into Venezuela. The ELN has maintained a strategic online presence for over a decade to advance its propaganda and maintain operational legitimacy.
The organization, which has previously engaged in peace talks with the Colombian state, has carried out criminal activities in Colombia and Venezuela, such as killings, kidnappings, extortions, and the recruitment of minors. After successive military and financial crises in the 1990s, the armed group abandoned its historical reluctance to participate in drug trafficking. The diversification into illegal funding has meant that their armed clashes target criminal groups, in addition to their primary ideological enemy, the state forces.
In the north-eastern Catatumbo area, considered one of the enclaves of international cocaine trafficking, the group has been involved in one of the bloodiest confrontations seen in Colombia in 2025. Since January 15, the violence has left 126 people dead, at least 66,000 displaced, and has further strained the group’s engagement with the latest round of peace talks initiated by the current Colombian government. In that region, the ELN has battled with the state and other criminal groups, such as paramilitaries and other guerrilla groups, for extended control of the area bordering Venezuela, an effort to connect the ELN’s other territories of influence to Colombia, such as the north and, at the other extreme, the western regions of Choco and Antioquia.
The US Department of State reaffirmed the ELN’s designation as a terrorist organization in its March 5, 2025, update of the Foreign Terrorist Organizations (FTOs) list. This classification theoretically prevents the group from operating on major social media platforms, as US social media platforms, such as Meta, YouTube, and X, maintain policies prohibiting terrorist organizations from using their services. However, the DFRLab found that the group’s substantial digital footprint spans over one hundred entities across websites, social media, closed messaging apps, and podcast services.
Today was an eventful day thanks to many interesting blog posts, e.g. from my friends at watchTowr. So I thought, why not publish a small quick-and-dirty blog post myself about a story from last week? This blog post may not be of the usual quality, but it was a good time to write it.
On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’:
There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims.
Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats.
The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.
On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.
Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations.
Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Earth Lamia.
Introduction
We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia.
Earth Lamia is highly active, but our observation found that its targets have shifted over different time periods. They targeted many organizations but focused only on a few specific industries during each time period. In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations.
Map of targeted countries
Figure 1. Map of targeted countries
download
Earth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While the actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking tools to reduce the risk of being detected by security software. We also discovered they have developed a previously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in Earth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a different protocol for C&C communication, showing they are actively developing this backdoor. In this report, we will reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and backdoors.
Initial access and post-exploitation TTPs
We found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities on the targets' websites. With an identified vulnerability, the actor tried to open a system shell through it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like "sqlmap" to carry out these attacks against their targets. Besides the SQL injection attempts, our telemetry shows the actor also exploited the following vulnerabilities on different public-facing servers:
CVE-2017-9805: Apache Struts2 remote code execution vulnerability
CVE-2021-22205: GitLab remote code execution vulnerability
CVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability
CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability
CVE-2024-27199: JetBrains TeamCity path traversal vulnerability
CVE-2024-51378: CyberPanel remote code execution vulnerability
CVE-2024-51567: CyberPanel remote code execution vulnerability
CVE-2024-56145: Craft CMS remote code execution vulnerability
organizations.
TCC on macOS isn't just an annoying prompt—it's the last line of defense between malware and your private data. Read this article to learn why.
Lately, I have been reporting many vulnerabilities in third-party applications that allowed for TCC bypass, and I have discovered that most vendors do not understand why they should care. For them, it seems like just an annoying and unnecessary prompt. Even security professionals tasked with vulnerability triage frequently struggle to understand TCC’s role in protecting macOS users’ privacy against malware.
Honestly, I don’t blame them for that because, two years ago, I also didn’t understand the purpose of those “irritating” pop-up notifications. It wasn’t until I started writing malware for macOS. I realized how much trouble an attacker faces because of TCC in actually harming a victim. I wrote this article for Application Developers in mind so that, after reading it, they do not underestimate the vulnerabilities that allow bypassing TCC. It is also intended for Vulnerability Researchers to illustrate an attack vector for further research.
Join Ido Kringel and the Deep Instinct Threat Research Team in this deep dive into a recently discovered, Office-based regex evasion technique
Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros.
Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware.
Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks.
This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion.
Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily:
Regex are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.
Computer scientists at ETH Zurich discover new class of vulnerabilities in Intel processors, allowing them to break down barriers between different users of a processor using carefully crafted instruction sequences. Entire processor memory can be read by employing quick, repeated attacks.
All Intel processors since 2018 are affected by Branch Privilege Injection.
In brief
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.
No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat#
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.
Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.
Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.
Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.
Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.
Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.
The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version.
The CVE has been assigned a CVSS v3.1 base score of 6.0.
We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.
After the release of the Secure Annex ‘Monitor’ feature, I wanted to help evaluate a list of extensions an organization I was working with had configured for monitoring. Notifications when new changes occur is great, but in security, baselines are everything!
To cut down a list of 132 extensions in use, I identified a couple extensions that stuck out because they were ‘unlisted’ in the Chrome Web Store. Unlisted extensions are not indexed by search engines and do not show up when searching the Chrome Web Store. The only way to access the extension is by knowing the URL.
A new NCSC research paper aims to reduce the presence of ‘unforgivable’ vulnerabilities.
Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.
Despite both technical exposure by researchers and law enforcement disruption, this infrastructure has remained uncharacteristically consistent, only changing hosting providers. Given the contrasting high level of sophistication between Volt Typhoon’s activity within target organizations and their proxy network, it is possible the KV Botnet is operated by a party other than Volt Typhoon.
