Resta aggiornato sui cyber attacchi più recenti e sulle minacce emergenti che stanno interessando aziende, istituzioni e utenti privati. La nostra pagina ti offre una panoramica dettagliata degli eventi più rilevanti nel mondo della sicurezza informatica, con focus su:
- Tipologie di attacco: malware, ransomware, phishing, DDoS e intrusioni avanzate.
- Target colpiti: settori critici come finanza, sanità, infrastrutture e servizi digitali.
- Impatto e diffusione: analisi dei danni, dei dati compromessi e delle eventuali conseguenze legali o operative.
- Trend e prevenzione: suggerimenti su come proteggersi e strumenti per monitorare le minacce in tempo reale.
Watchlist Minacce
La nostra Watchlist monitora in continuo le fonti affidabili di cybersecurity, individuando le vulnerabilità più pericolose e le attività sospette a livello globale. È uno strumento essenziale per aziende e professionisti IT che vogliono prevenire gli attacchi prima che accadano.
Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.
This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.
A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, providing practical benefits for the attacker. The actor demonstrates willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.
The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including ransomware and network breaches. The malware is distributed through phishing sites, disguised as pirated software, and uses complex techniques like NSIS packaging, AutoIt scripts, and process hollowing to evade detection. To combat this threat, organizations should implement behavior-based detection systems and integrate threat intelligence into their security strategies.
A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses a XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.
