Your Daily Cybersecurity Update for Monday, November 3, 2025 (Ep.474)

RadioCSIRT - Your Daily Cyber Security Brief

Welcome to your daily cybersecurity briefing 🕵️‍♂️🔥

🐚 Rhysida — Malvertising Campaign and Code-Signing Abuse
The Rhysida ransomware gang continues its campaign using OysterLoader — also known as Broomstick or CleanUpLoader — as an initial access tool.
Expel reports more than 40 abused code-signing certificates since June 2025, including several issued through Microsoft Trusted Signing.
These certificates are used to disguise malicious binaries and achieve low antivirus detection rates.

🌐 BIND 9 β€” Thousands of Servers Still Unpatched
The Shadowserver Foundation warns that over 8,200 DNS servers remain vulnerable to CVE-2025-40778 and CVE-2025-40780, including about 100 in the Netherlands.
These flaws enable cache poisoning attacks, redirecting users to malicious IP addresses.
The Dutch NCSC expects active exploitation of both vulnerabilities.

🧩 Open VSX Registry β€” Leaked Tokens and Malicious Extensions
The Eclipse Foundation confirmed a security incident involving leaked developer publishing tokens.
Attackers used these credentials to upload malicious extensions to the Open VSX marketplace.
All infected extensions have been removed, and new protections are in place — including shorter token lifetimes, faster revocations, and automated code scans at publication.

🎯 Cyber-Espionage β€” Targeting Russian and Belarusian Military
Researchers from Cyble and Seqrite uncovered a spear-phishing campaign using fake military documents in LNK format.
Once opened, the files deploy PowerShell scripts that install a local OpenSSH service on port 20321 and a hidden Tor service, enabling remote access and data exfiltration.
The techniques resemble those of the Sandworm group, but attribution remains unconfirmed.
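As an added defender-side illustration (not code from the brief or from the Cyble/Seqrite researchers), the following Python sketch shows detection logic for the chain described above: a hidden PowerShell launched by explorer.exe (the LNK being opened), an sshd or tor service installed from a non-standard path, a listener on port 20321, and tor.exe spawned by a script host. The event format and the sample events are constructed; the allowlisted OpenSSH path and the PowerShell flag patterns are assumptions, not indicators taken from the reports.

```python
"""Detection sketch for the LNK -> PowerShell -> OpenSSH/Tor chain (added example)."""
import re

# Port the campaign reportedly binds its local OpenSSH service to (from the brief).
SUSPECT_SSH_PORT = 20321

# Assumption: the Windows-bundled OpenSSH server lives here; anything else is suspect.
LEGIT_SSHD_PREFIX = "c:\\windows\\system32\\openssh\\"

# Assumption: flags commonly used to run PowerShell quietly from a script dropper.
HIDDEN_PS_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|enc(odedcommand)?\b)",
    re.I,
)

# Constructed sample telemetry, loosely modelled on Sysmon-style events.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\order.ps1"},
    {"type": "service_install", "name": "sshd", "image": "C:\\ProgramData\\ssh\\sshd.exe"},
    {"type": "listen", "image": "sshd.exe", "port": 20321},
    {"type": "process", "parent": "powershell.exe", "image": "tor.exe",
     "cmdline": "tor.exe -f C:\\ProgramData\\t\\torrc"},
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
    {"type": "listen", "image": "sshd.exe", "port": 22},
]


def detect(events):
    """Return (event_index, rule_name) pairs for every event matching a rule."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        if kind == "process":
            parent = ev.get("parent", "").lower()
            cmdline = ev.get("cmdline", "")
            # A user opening a malicious LNK shows up as explorer.exe spawning PowerShell.
            if image == "powershell.exe" and parent == "explorer.exe" \
                    and HIDDEN_PS_FLAGS.search(cmdline):
                findings.append((i, "hidden_powershell_from_explorer"))
            # Tor started by a script host rather than by the Tor Browser launcher.
            if image == "tor.exe" and parent in ("powershell.exe", "cmd.exe"):
                findings.append((i, "tor_spawned_by_script_host"))
        elif kind == "service_install":
            name = ev.get("name", "").lower()
            # sshd from outside the built-in OpenSSH folder, or any tor service at all.
            if name in ("sshd", "tor") and not image.startswith(LEGIT_SSHD_PREFIX):
                findings.append((i, "remote_access_service_nonstandard_path"))
        elif kind == "listen":
            if ev.get("port") == SUSPECT_SSH_PORT:
                findings.append((i, "sshd_listening_on_20321"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is deliberately narrow; in production the service-install rule should consult the host's expected OpenSSH configuration, and the port rule should be paired with a check that the listening process is the sshd instance created by the suspicious service.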

💻 Jabber Zeus — “MrICQ” Arrested and Extradited to the U.S.
Ukrainian national Yuriy Igorevich Rybtsov, known online as MrICQ, has been extradited from Italy to the United States.
Indicted in 2012, he is accused of helping the Jabber Zeus group steal tens of millions of dollars through the Zeus banking trojan.
His associate Vyacheslav “Tank” Penchukov is already serving an 18-year prison sentence.

🧠 Kimsuky — New HttpTroy Backdoor Identified
Gen Digital has detailed a North Korean-linked campaign using a fake VPN invoice to deliver the HttpTroy backdoor.
The malware allows full system control — including file transfers, screenshot capture, and command execution — and uses multiple obfuscation layers to evade analysis.

⚡️ Don’t think, just patch! 🚀

📚 Sources:
https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/
https://www.security.nl/posting/911521/%27Duizenden+dns-servers+missen+belangrijke+update+voor+BIND+9-lekken?channel=rss
https://cyberpress.org/open-vsx-registry/
https://www.helpnetsecurity.com/2025/11/03/russian-belarusian-military-spear-phishing/
https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-custody/
https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html

📞 Share your feedback:
📧 radiocsirt@gmail.com
🌐 www.radiocsirt.com
📰 radiocsirtintl.substack.com