Cisco Talos has identified a modular malware campaign featuring the CloudZ remote access tool and a new plugin named Pheno. This threat intercepts one-time passwords and SMS messages by targeting the Microsoft Phone Link application to extract data from synchronized SQLite databases on the host PC. The infection chain utilizes a Rust-compiled loader and reflective .NET execution to bypass detection mechanisms.

Another Venezuelan ATM jackpotter to be deported

Venezuelan national David Jose Gomez Cegarra was sentenced to time served for his role in an ATM jackpotting operation that stole nearly $300,000 from several banks. The group bypassed security by physically accessing ATM hard drives to install malware, allowing them to trigger cash dispensations. Following his conviction for bank larceny, Cegarra was ordered to pay $294,000 in restitution and was transferred to ICE for deportation.

Train hacker arrested in Taiwan

A 23-year-old student has been detained in Taiwan for allegedly infiltrating the high-speed rail network and transmitting fake General Alarm signals to the control center. By cloning TETRA radio signals to trigger manual emergency braking, the suspect forced several trains to stop. Authorities seized multiple radio and electronic devices during the investigation, and the suspect now faces several charges, including interference with public transportation safety.

IBM security executive positioned as frontrunner for CISA director

Tom Parker, a security services lead at IBM, has surfaced as a primary candidate to lead the Cybersecurity and Infrastructure Security Agency (CISA) following the withdrawal of Sean Plankey. The Trump administration reportedly favors Parker's extensive private sector background, which includes founding Hubble. If appointed, he will take over the agency currently overseen by acting director Nick Andersen.

Drone forum participants targeted in Eurasian spy operation

Researchers have identified a targeted spy operation called Operation Silent Rotor aimed at the Eurasian drone industry. Attackers used spear-phishing emails disguised as orders from the Russian Aeronautical Information Center to trick victims into running malware that steals data. The campaign was specifically timed to hit attendees of the Unmanned Aviation 2026 forum in Moscow, allowing the hackers to compromise high-value targets in the sector.

More US residents imprisoned for operating North Korean laptop farms

Matthew Isaac Knoot and Erick Ntekereze Prince were each sentenced to 18 months in prison for enabling North Korean IT workers to infiltrate nearly 70 US companies and generate $1.2 million for the sanctioned regime. The defendants hosted corporate laptops at their homes and installed unauthorized remote access software to create the illusion that the overseas workers were operating from within the United States.

Gaming platform exploited in North Korean spy campaign

The North Korea-linked threat actor ScarCruft conducted targeted surveillance against users in the Yanbian region of China by compromising a video game platform used by ethnic Koreans living there. By trojanizing Windows update files and Android game packages, the group deployed the BirdCall backdoor to exfiltrate personal documents and record audio from victim devices.

New Linux backdoor PamDOORa

A threat actor known as 'darkworm' is marketing the source code for PamDOORa, a sophisticated post-exploitation tool designed to compromise the Linux Pluggable Authentication Module (PAM) stack. This backdoor enables persistent SSH access while simultaneously harvesting plaintext credentials from legitimate users, potentially even from incident responders. The malware is currently being offered on a Russian cybercrime forum for $900.

Hard power cycles required to eradicate Firestarter implant from Cisco firewalls

The ArcaneDoor cyber espionage group is using a persistent Linux-based malware called Firestarter to compromise Cisco firewalls. According to Eclypsium, this implant hooks the core LINA process to evade detection and remains active even after firmware patches by re-installing its persistence mechanism during the system's reboot sequence. Performing a hard power cycle by physically disconnecting the hardware from all power sources for at least one minute is needed to fully purge the infection.
Source: SecurityWeek