Search results for run-cmd-commands-in-powershell | Breaking Cybersecurity News | The Hacker News

Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples. Disabling of Windows Event Logging (T1562.002) Disrupting Windows Event Logging helps attackers prevent the system from recording crucial information about their malicious actions. Without event logs, important details such as login attempts, file modifications, and system changes go unrecorded, leaving security solutions and analysts with incomplete or missing data. Windows Event Logging can be manipulated in different ways, including by changing registry keys or using commands like “net stop eventlog”. Altering group policies is another common method. Since many detection mechanisms rely on log analysis to identify s...

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL . "The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload." Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German. Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastruc...

The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools. "These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers," Kaspersky researchers Oleg Kupreev and Artem Ushkov said in an analysis. "This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools." The cybersecurity company said more than 50% of the spear-phishing emails and decoy files used in the campaign used Russian names and contained Russian text, indicating that Russian-speaking users or entities were the primary focus. The spear-phishing emails have also targeted Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan using tailored...

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft. The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025. "While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36 , we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel," researchers Sudeep Singh and Yin Hong Chang said . Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that's superimposed by a seemingly harmless pop-up instructi...

The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor. COLDRIVER , also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that's known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS , which underscores its technical sophistication. The adversary's use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2...

Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality to decrypt, targeting banking URLs and monitor banking applications. More importantly, both include the ability to spread through WhatsApp Web . Maverick was first documented by Trend Micro early last month, attributing it to a threat actor dubbed Water Saci . The campaign involves two components: A self-propagating malware referred to as SORVEPOTEL that's spread via the desktop web version of WhatsApp and is used to deliver a ZIP archive containing the Maverick payload. The malware is designed to monitor active browser window tabs for URLs that match a hard-coded list of financial institutions in Latin America. Should the URLs match, it establishes con...

One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotet's executables. And it looked like the end of the trojan's story.  But the malware never ceased to surprise.  November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. And ANY.RUN with colleagues in the industry were among the first to notice the emergence of Emotet's malicious documents. First Emotet malicious documents And this February, we can see a very active wave with crooks running numerous attacks, hitting the top in the rankings. If you are interested in this topic or researching malware, you can make use of the special help of  ANY.RUN , the interactive sandbox for the detection and analysis of cyber threats. Let's look at the new version's changes that this disruptive malware brought this time.  Emotet history Emotet is a sophisticated, constantly ...

A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor. The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time. While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure. The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a collection of related malware families connected via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis. The latest attack waves are something of a departure from COLDRIVER's typical modus opera...

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge , a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project," Kaspersky said in a report published today. "The description and contents of officepackage provided below were also taken from GitHub." While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian. On top of that, hovering over the download button reveals a seemi...

Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT . "These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via 'mshta.exe,'" Morphisec researcher Yonatan Edri said in a report shared with The Hacker News. PyStoreRAT has been described as a "modular, multi-stage" implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload. Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed...

A threat actor that's known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT. Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf . It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. "In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials," BI.ZONE said . "The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises." In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell. C...

Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai . "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not limited and can be used against any potential target." The starting point of the attack chain is a RAR archive containing two Windows shortcut files named in Thai that translate to "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx." The exact initial vector used to deliver the payload is currently not known, although Hegde speculated that it would likely be spear-phishing due to the lures employed and the fact that RAR files have been used as malicious attachment...