Hack To Root

 Security researchers have uncovered a sophisticated phishing campaign that’s been active since July 2024, targeting Russian enterprises with Batavia , a previously undocumented Windows spyware designed for document theft and internal reconnaissance 🎣 Infection Begins with Phishing Fake contract emails arrive from domains like oblast-ru[.]com , used by the attackers. Victims click a link and download an archive containing a malicious .vbe script disguised as a contract 🧩 Multi‑Stage Malware Chain 1. VBE Downloader The Visual Basic‑encoded script profiles the host—collecting OS and system information—and submits it to the C2 server. It then pulls down WebView.exe , saving it to the %TEMP% folder. 2. Delphi‑Based WebView.exe This executable displays a fake contract to distract users while: Collecting documents (*.doc, *.pdf, .xls ), screenshots, system logs, and files from connected devices. Exfiltrating data to ru‑exchange[.]com and pulling another payload, java...

Security researchers at SentinelOne have uncovered a sophisticated attack campaign involving North Korean threat actors—linked to the BlueNoroff/Lazarus APT group—targeting Web3 and cryptocurrency firms. The attackers are using fake Zoom SDK update scripts to trick macOS users into installing a rare Nim‑compiled backdoor dubbed NimDoor 🧠 The Social Engineering Setup Victims are contacted on Telegram by someone posing as a trusted peer and invited to schedule a meeting via Calendly. They then receive an email with a “Zoom meeting” link and instructions to run a Zoom SDK update. The script is heavily obfuscated , padded with thousands of blank lines to disguise its true purpose. 🛠 Infection Chain & Techniques AppleScript Downloader A malicious AppleScript triggers the download of a second-stage payload from a spoofed Zoom domain Dual‑Channel Loaders A C++ loader ( InjectWithDyldArm64 ) uses process injection on macOS to deploy trojan payloads like trojan1_arm64 that...

In early July 2025, cybersecurity experts at HUMAN's Satori Threat Intelligence team and others revealed a massive ad-fraud operation on Android— IconAds —comprising 352 malicious apps on Google Play. These apps cleverly hid themselves to generate 1.2 billion fraudulent ad bid requests per day at their peak 🔍 How IconAds Works Icon‑Hiding Stealth Tactics Uses Android's activity-alias feature to swap legitimate app icons with invisible placeholders—presenting blank or Google-branded icons—making detection nearly impossible Some variants impersonate Google Play, Google Maps, or Gmail, leading users to unknowingly open the malicious app Out-of-Context Full-Screen Ads Apps launch intrusive ads on user screens independently of user action—disrupting user experience while secretly monetizing ad impressions Layered Obfuscation Code is heavily obfuscated using tools like O-MVLL and native libraries. Network traffic masks OS version, device model, and language using r...