The Middle East observes a fragile ceasefire, but Iran’s escalating cyberattacks could potentially threaten to unravel the region’s shaky peace. Link to the Research Report: Regional Stability on Shaky Ground : Cyber Threat Escalation in the Middle East - CYFIRMA #Geopolitics #CYFIRMAaResearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #MuddyWater #IRGC #Iran #CYFIRMA #ExternalThreatLandscapeManagement https://www.cyfirma.com/

CYFIRMA Research's latest report: “Telemetry Relay”, describes logic-abuse attacks that trick telemetry/crash processors into fetching attacker-controlled resources. Instead of compromising clients, attackers get vendor or enterprise systems to reveal internal metadata (IPs, hostnames, cluster/tenant IDs) — and sometimes enable deeper server-side attacks. The technique is low-noise and broadly relevant across SaaS and modern apps. Link to the Research Report: TELEMETRY RELAY : WHEN DI...

Stay ahead with CYFIRMA’s Monthly Ransomware Report – October 2025. CYFIRMA’s October 2025 Ransomware Report reveals a strong resurgence in global ransomware activity, with 738 victims recorded marking one of the highest monthly volumes this year. The spike was led by Qilin, which more than doubled its attacks, and Sinobi, which surged sixfold, while new actors such as Black Shrantac, Coinbase Cartel, and GENESIS intensified the threat landscape. Adversaries increasingly exploited kernel v...

New Malware Analysis Report Our latest research uncovers Android/BankBot-YNRK, a mobile banking trojan disguised as a legitimate app such as Google News. Key findings: • Abuses Accessibility Services for remote control • Uses C2 servers at ping.ynrkone[.]top for device commands • Targets financial and cryptocurrency applications • Employs code obfuscation via nmm-protect • Capable of exfiltrating sensitive data and performing unauthorized transactions Link to the Research Report: https://w...

Mobile Threat Alert: GhostGrab Malware! Cybercriminals are getting more sophisticated, and GhostGrab is a clear example. This Android malware doesn’t just steal banking credentials—it can also: Run hidden cryptocurrency mining that drains your battery and CPUHarvest debit card and online banking login informationIntercept SMS messages, including one-time passwords (OTPs)Collect detailed device and SIM dataHide itself and resist removalUse phishing pages within apps to trick victims int...

Critical Alert: CVE-2025-6541 – TP-Link Omada Gateway Remote Command Injection Organizations using TP-Link Omada Gateway devices must act immediately. This critical vulnerability allows attackers to execute arbitrary OS-level commands via the device web management interface. Exploitation can lead to full device compromise, exposure of credentials, configuration changes, and potential lateral movement within enterprise networks. Link to the Research Report: https://www.cyfirma.com/research/...

North Korea’s cyber operations are evolving into one of the most significant global sanctions-evasion threats. CYFIRMA's new report, DPRK Sanctions Violations in Cyber Operations Post UN Panel Demise, highlights escalating multi-billion-dollar crypto heists, advanced laundering through cross-chain bridges, widespread IT worker infiltration schemes, direct targeting of defense technologies, and the deepening DPRK–Russia cyber nexus. The findings highlight how geopolitical shifts and fragmented...

CYFIRMA’s Sept 2025 Ransomware Report highlights major evolutions across the ransomware landscape. Akira advanced by bypassing MFA on SonicWall VPNs through OTP seed theft, signalling a move beyond patchable flaws. MalTerminal broke new ground with AI-powered, runtime-generated ransomware payloads, while Scattered Spider reemerged to target financial workflows via AI-driven vishing and VMware ESXi exploits. CountLoader reinforced Russia’s ecosystem with modular, multi-language loaders distrib...

CYFIRMA has identified Yurei Ransomware, a Go-based strain engineered for speed, stealth, and irreversible impact. It encrypts files with ChaCha20 + ECIES, appends a .Yurei extension, and drops ransom notes _README_Yurei.txt with Tor-based communication channels. Yurei destroys backups, wipes logs, manipulates timestamps, and even self-destructs to erase traces, leaving defenders blind. It spreads laterally via SMB shares, USBs, and PsExec/CIM-based credential execution, while adopting ...

Malware Alert: New DeerStealer Campaign A new variant of sophisticated information-stealing malware, DeerStealer, has been identified targeting personal and financial data across infected systems. Using signed binaries, rootkit-like techniques, and deceptive installers (like Adobe Acrobat Reader), it evades detection while maintaining persistence via scheduled tasks. Key highlights: Steals system info, credentials, crypto wallets, browser & app data.Uses obfuscated files and hidde...

Defence Industry Cyber Threats: Espionage Meets Monetization CYFIRMA observed sustained cyber campaigns targeting the global defence sector. Key Highlights from the report: China: Long-term persistence in telecom & enterprise networks via router/switch compromises, harvesting IP and credentials.Russia: Disrupting logistics & transport contractors supporting Ukraine, aiming to destabilize defence supply chains.North Korea: Blending IP theft with aggressive financial operations, tre...

🚨 Threat Intelligence Alert – XillenStealer 🚨 CYFIRMA research identifies XillenStealer, a Python-based open-source information stealer circulating on GitHub, built to exfiltrate: 🔹 Browser credentials & cookies 🔹 Cryptocurrency wallets 🔹 Discord, Steam, Telegram sessions 🔹 System & network data + screenshots Key insights: ⚙️ Builder GUI lowers entry barriers, enabling even low-skilled actors to deploy the malware. 📤 Data exfiltration is rout...

India faced a wave of coordinated cyberattacks in July-August 2025 from multiple countries targeting government and public systems. Notably, a sophisticated malware campaign impersonated the Income Tax Department, tricking users into downloading a malicious file linked to a Chinese-operated server for data theft. Other attacks included data breaches, DDoS, defacements, and phishing scams. This rise in multi-nation hacktivism highlights the urgent need for strong cyber defenses and vigilance. ...

Stay ahead with CYFIRMA’s Monthly Ransomware Report – Aug 2025. CYFIRMA’s August 2025 Ransomware Report recorded 522 global victims, a slight dip but still far above 2023–24 levels. Qilin led with 84 attacks, while Akira surged by 35% targeting SonicWall VPNs and abusing Intel drivers for BYOVD evasion. Charon adopted APT-grade stealth, and 4L4MD4R blended Chinese ToolShell exploits with ransomware deployment. AI abuse accelerated with Claude enabling RaaS and PromptLock showcasing LLM-powere...

China's South China Sea ambitions stalled: ASEAN Fights Back Amid U.S. Distractions – check out the latest CYFIRMA report on Beijing's ambitions hitting a wall in the South China Sea, and the fallout in cyberspace. Link to the Research Report: https://www.cyfirma.com/research/grey-zone-warfare-in-chinas-stalled-south-china-sea-ambitions/ #Geopolitics #CYFIRMAresearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #MilitaryAffairs #GreyZoneCoertion #UNCLOS #MischiefReef #Spratl...

CYFIRMA researchers have uncovered a malware campaign exploiting a spoofed Telegram Premium site—telegrampremium[.]app—to distribute a new variant of Lumma Stealer. Key Findings: • Drive-by download delivers malicious start.exe without user interaction • Targets browser credentials, crypto wallets, system info • Employs obfuscation, DGA-based domains, public DNS evasion • Uses legitimate platforms (e.g., t.me, Steam) for stealthy C2 • Windows-focused, written in C/C++, and uses advanced evasi...

Critical Alert: CVE-2025-8671 – HTTP/2 “MadeYouReset” DoS Vulnerability Organizations operating HTTP/2-enabled infrastructure—such as Apache Tomcat, Netty, F5 BIG-IP, Jetty, and other affected stacks—must act swiftly. This newly uncovered flaw enables attackers to bypass HTTP/2 stream-concurrency protections and trigger unbounded backend processing by exploiting mismatched stream reset handling, leading to severe Denial-of-Service (DoS) conditions. This vulnerability demands urgent attention—...

Stay ahead with CYFIRMA’s Monthly Ransomware Report – July 2025. CYFIRMA’s July 2025 Ransomware Report recorded 504 global victims, a 7.5% rise from June, reflecting sustained threat levels. Qilin remained the most active, while Incransom and SafePay surged. Interlock introduced FileFix, a stealthy Windows UI-based delivery method; GLOBAL GROUP launched an AI-powered RaaS; and Gunra expanded to Linux with multithreaded encryption. Emerging actors like Dire Wolf and D4RK4RMY focused on data l...

CYFIRMA’s latest report explores Infos3c Grabber Stealer, a Python-based grabber malware that steals passwords, wallets, gaming accounts & Discord/Telegram data, captures screenshots, and exfiltrates via Discord. Use endpoint security + traffic monitoring to stay safe. Link to the Research Report: https://www.cyfirma.com/research/unveiling-a-python-stealer-inf0s3c-stealer/ #CyberSecurity #ThreatIntel #Malware #DataTheft #InfoStealer #WindowsSecurity #EndpointProtection #ThreatHuntin...

New Threat Model: Executionless Persistence Across Endpoints & AI Layers REVENANT introduces a forward-looking multi-stage attack framework that chains stealthy, executionless techniques to persist not just on systems, but in the operational memory of AI assistants. Key Highlights: Executionless delivery via fonts, clipboard state, and localization strings, no exploits, macros, or dropped binaries.AI-layer manipulation (inspired by real-world prompt injection research) to misclassify or s...