Search results for cmd-shell-commands | Breaking Cybersecurity News | The Hacker News

The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools. "These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers," Kaspersky researchers Oleg Kupreev and Artem Ushkov said in an analysis. "This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools." The cybersecurity company said more than 50% of the spear-phishing emails and decoy files used in the campaign used Russian names and contained Russian text, indicating that Russian-speaking users or entities were the primary focus. The spear-phishing emails have also targeted Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan using tailored...

Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples. Disabling of Windows Event Logging (T1562.002) Disrupting Windows Event Logging helps attackers prevent the system from recording crucial information about their malicious actions. Without event logs, important details such as login attempts, file modifications, and system changes go unrecorded, leaving security solutions and analysts with incomplete or missing data. Windows Event Logging can be manipulated in different ways, including by changing registry keys or using commands like "net stop eventlog". Altering group policies is another common method. Since many detection mechanisms rely on log analysis to identify s...

The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad. The activity, observed in July 2024, marks the first time the hacking crew has deployed ShadowPad , a malware widely shared by Chinese state-sponsored actors. "FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular," ESET said in a report shared with The Hacker News. "Both versions constitute considerable progress over previous ones and implement parallelization of commands." FamousSparrow was first documented by the Slovak cybersecurity company in September 2021 in connection with a series of cyber attacks aimed at hotels, governments, engineering companies, and law firms with SparrowDoor, an implant exclusively used by the group. Since then, there have been reports of the adversarial...

An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) entity in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage," the FortiGuard Incident Response (FGIR) team said in a report. The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757. It's been assessed to be active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has lev...

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 ." The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload. "This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint," Microsoft said. "Storm-2603 then initiates a series of discovery commands, incl...

The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in the African region. "The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware," Kaspersky researchers Denis Kulik and Daniil Pogorelov said . "One of the C2s [command-and-control servers] was a captive SharePoint server within the victim's infrastructure." APT41 is the moniker assigned to a prolific Chinese nation-state hacking group that's known for targeting organizations spanning multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in more than three dozen countries. What makes the campaign noteworthy is its focus on Africa, which, as the Russian cybersecurity vendor noted, "had experienced the least activity" from this specific threat actor. That said, the findings line u...

The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances ( CVE-2025-4427 and CVE-2025-4428 ). "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Chec...

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as  CVE-2024-24576 , has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments. "The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API," the Rust Security Response working group  said  in an advisory released on April 9, 2024. "An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping." The flaw impacts all versions of Rust before 1.77.2. Security researcher  RyotaK  has been credited with discovering and reporting the bug to the CERT Coordination Center ( CERT/CC ). RyotaK said the vulnerability – codenamed BatBadBut – impa...

An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. The activity is tied to a threat group ESET tracks as BladedFeline , which is assessed with medium confidence to be a sub-cluster within OilRig , a known Iranian nation-state cyber actor. It's said to be active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG). "This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG," the Slovak cybersecurity company said in a technical report shared with The Hacker News. "BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq." BladedFeline was first documented by ESET in Ma...

Self-extracting archive (SFX) as Creative Virus Handler Yesterday I Found and interesting article about " Self-extracting archive (SFX) " on Unremote.org by DarkCoderSc. SFX is a little application that contains compressed files. Creating a customized WinRAR SFX archives is a very easy task, but not all people know how to do it.  It is therefore exactly the same as a .ZIP or .RAR archive. The only difference is that, when you execute it, will automatically extract the files. However, if you add some parameters, you can execute them after extraction or execute a shell command before extraction. So this feature can be used as good virus handler. Let's See how? DarkCoderSc shared his experience with us using a Video Demonstration as shown Below. Start up the WinRAR application; click 'Browse for folder' under the 'File' menu and browse to the location of the file. With the file highlighted, clicking on the 'Add' button will kickoff the archiving process and sele...

Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the  Mirai botnet malware  and cryptocurrency miners. The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157[.]218). "The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov  said . Upon gaining a successful foothold, the threat actors have been observed deploying a  WAR file  that contains a malicious w...

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj -themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities. The group's tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter. In October 2023, the group was linked to a spear-phishing campaign that delivered a backdoor called ORPCBackdoor as part of attacks directed against Pakistan and other countries. The exact initial access vector employed by Mysterious Elephant in the latest campaign is not known, but ...