dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.


#apt


📦 APT 3.0 Package Manager Officially Launches, This Is What's New
@linuxiac

「 APT 3.0 includes the finalized version of the so-called “solver3,” a full backtracking solver that promises enhanced conflict resolution. In previous incremental releases, the solver underwent intensive performance optimizations—ranging from improved version selection methods to sophisticated clause management 」

linuxiac.com/apt-3-0-package-m

Linuxiac · APT 3.0 Package Manager Officially Launches, This Is What's New
APT 3.0, Debian's package manager, gains a faster, smarter solver, better diagnostics, an improved human-readable UI, and more.

(google.com / Mandiant) Windows Remote Desktop Protocol: Remote to Rogue - Analysis of Novel Russian APT Campaign

cloud.google.com/blog/topics/t

As always, a very good write-up and detailed analysis of some novel use of RDP by Russian APTs. Involves signed RDP and interesting proxy behaviour.

Worth reading (as always!)

#Cybersecurity #ThreatIntel #Russia #APT #RDP

Google Cloud Blog · Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.

This week's Linux and FOSS news:

LINUX NEWS

APT 3.0 released with revamped interface, columnar display for package names and colored text for better readability, will be the default for Debian 13 and Ubuntu 25.04:
9to5linux.com/apt-3-0-debian-p

Tails 6.14.1 released with safe access for any directory in the Home directory or Persistent Storage via the Tor Browser (through the integration of XDG Desktop Portals of Flatpak), updated software, usability and accessibility fixes, bug fix for Welcome Screen:
alternativeto.net/news/2025/4/
(Flatpak haters gonna drop Tails now lol)

Nitrux 3.9.1 released with MauiKit and Maui Apps update, Linux kernel 6.13, Mesa 25, new Fiery browser, default configuration files added for Bauh, udev rule for NTsync, module configuration for v4l2loopback, a PipeWire configuration file for wine64-preloader, automatic change of power profile, screen brightness and refresh rate on laptops depending on the power source, and more:
9to5linux.com/immutable-distro

CachyOS March 2025 snapshot available with new Limine bootloader, Linux kernel 6.14, KDE Plasma 6.3.3, new cachyos-samba-settings package, re-enabled GSP Firmware for the closed-source NVIDIA kernel module, support for the “ASUS Armoury” driver used by the ROG Ally and other devices for fan and power management, etc.:
9to5linux.com/cachyos-iso-snap

Archinstall 3.0.3 released with improved Limine bootloader support, Sway replaced with Hyprland in the profile seat selection, improved FAT12 and FAT16 ESP support, package selector that displays a multi-selection menu to let users add any available package, will no longer force install the GRUB bootloader on BIOS systems when the user has not chosen it as a bootloader etc.:
9to5linux.com/arch-linux-insta

Serious security bypasses are found in Ubuntu 24.04 and later:
alternativeto.net/news/2025/3/

(FOSS news in comment)

FIN7 *again*? Seriously, these guys just don't quit, do they? 🙄

Heads up – they've cooked up an Anubis backdoor using Python. And nope, *it's not* the Android Trojan people know. It's pretty wild what this thing packs: we're talking remote shell capabilities, file uploads, messing with the registry... 🤯 Basically, the keys to the kingdom!

And let me tell you from a pentester's perspective: Just relying on AV? That's *definitely* not gonna cut it anymore. We all know that, right?

Looks like they're slipping in through compromised SharePoint sites now? Yikes. The nasty part? A Python script decrypts the payload *directly in memory*, making it incredibly tough to spot! 🥴 Plus, their command and control chats happen over a Base64-encoded TCP socket.

So, keep a *sharp eye* on those ZIP attachments! Double-check your SharePoint sites' integrity. You'll also want to monitor network traffic closely (especially that TCP activity!). And make sure your endpoint security is actually up to snuff – remember, they love finding ways to bypass defenses!

How are *you* tackling threats like this one? What are your go-to tools and strategies for defense? 🤔 Let's share some knowledge!

(trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure trendmicro.com/en_us/research/

Executive Summary:
This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console. The threat actor employs sophisticated delivery methods including malicious provisioning packages, signed MSI files, and Windows MSC files to deploy multiple custom payloads. Their arsenal includes custom backdoors (SilentPrism and DarkWisp), multiple variants of the EncryptHub Stealer, and known malware like Stealc and Rhadamanthys. The research details the C&C infrastructure, data exfiltration techniques, and persistence mechanisms used by the group. Trend Micro researchers gained access to the C&C server components, enabling them to analyze the architecture, functionality, and evasion techniques employed by the threat actor.

Trend Micro · A Deep Dive into Water Gamayun's Arsenal and Infrastructure
Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.

(sygnia.co) Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation sygnia.co/threat-reports-and-a

Sygnia details their investigation of a sophisticated China-nexus threat actor dubbed 'Weaver Ant' that infiltrated a major Asian telecommunications provider. The threat actor maintained persistent access for over four years using web shells and tunneling techniques to facilitate cyber espionage. The attackers primarily utilized two types of web shells: an encrypted variant of China Chopper and a custom 'INMemory' web shell that executes malicious code entirely in memory. Weaver Ant employed sophisticated techniques including web shell tunneling (using web shells as proxy servers), defense evasion through ETW patching and AMSI bypass, PowerShell execution without using PowerShell.exe, and lateral movement over SMB. The group conducted extensive reconnaissance of Active Directory environments to identify high-privilege accounts and critical servers. Despite remediation efforts, the threat actor attempted to regain access, demonstrating their persistence and adaptability.

Sygnia · Weaver Ant: Tracking a China-Nexus Cyber Espionage Operation
Sygnia investigates Weaver Ant, a stealthy China-nexus threat actor targeting telecom providers. Learn how web shells enable persistence and espionage.

ESET: welivesecurity.com/en/eset-res

Reports on Operation Red Dragon (AkaiRyū) and concludes that the actor behind it is a subgroup of APT10.

APT group MirrorFace targeted a Central European diplomatic institute in August 2024, marking the group's first known expansion to Europe. The campaign, named Operation AkaiRyū (Japanese for RedDragon), used the upcoming Expo 2025 in Osaka, Japan as a lure. MirrorFace has significantly refreshed its tactics, techniques, and procedures (TTPs), including the resurrection of ANEL (a backdoor previously associated exclusively with APT10), deployment of a customized AsyncRAT variant running inside Windows Sandbox, and abuse of Visual Studio Code remote tunnels. Based on these findings, ESET now considers MirrorFace to be a subgroup under the APT10 umbrella. The researchers collaborated with the affected institute to perform forensic analysis, providing unique insights into MirrorFace's post-compromise activities.

www.welivesecurity.com · Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor
ESET researchers uncovered MirrorFace activity that expanded beyond its usual focus on Japan and targeted a Central European diplomatic institute with the ANEL backdoor.

RFE I filed in #DNF just now: github.com/rpm-software-manage

This lets apps like #Ptyxis do nice GUI progress indicators.

Someone who is a #Debian contributor, do yourself a favour: please file an enhancement request on #APT & apt-get to support this progress indication integration feature (like Flatpak can do, and hopefully DNF can do too, eventually). I'm not going to report an issue in Debian, given its bug reporting tooling.

I'd fully expect Arch's #pacman to already have this shipping BTW 😏

How I came to regret installing Docker via snap on Ubuntu

hackers.pub/@arkjun/2025/ubunt

hackers.pub · How I came to regret installing Docker via snap on Ubuntu
On Ubuntu I had only ever managed packages with apt, but last year I tried snap for the first time. Last year I installed Ubuntu 24.04.1 LTS on an in-house (physical) test server, installed Docker via snap, put several monitoring tools on it, and it was working fine until yesterday. Then today the docker ps command suddenly failed, and when I looked:

$ docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

docker -D ps # debugging
time="2025-03-12T11:22:58+09:00" level=debug msg="otel error" error="1 errors occurred detecting resource:\n\t* conflicting Schema URL: https://opentelemetry.io/schemas/1.21.0 and https://opentelemetry.io/schemas/1.26.0"

It would not run, all the containers were gone, and Docker itself was not working. The debug message says there is a schema version conflict. For a more detailed root-cause analysis I asked ChatGPT for help, which said: "This is a problem where the Docker daemon conflicts with OTel (OpenTelemetry) and the schema versions (1.21.0 vs. 1.26.0) do not match. It typically appears when Docker's internal OTel configuration breaks during a Snap automatic update." So it is a schema version mismatch caused by an OTel conflict during a snap auto-update. Since it recommended that an apt-based install is more stable than the snap approach (I had deliberately chosen snap because it was the new way), I decided to just install via apt from now on (for Docker only). Of course, this time as well I switched to the apt method and reinstalled.

sudo snap remove docker
sudo apt update
sudo apt install -y docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker

Only after losing time to managing the test server did it occur to me that I should back up the test server too. I need to back up the monitoring configuration, the build configuration, and the Docker configuration.
#ubuntu #snap #apt

An Eye from above - new video extract and webpage.

For over 20 years, the three NOAA satellites have been crossing our sky at over 20,000 km/h, continuously scanning the Earth's clouds and radiant energies.

An Eye from above is a performance that attempts to receive a live signal from one of these satellites, using an adapted antenna and a radio tuned to 137 MHz. As the satellite rises above our horizon, its signal slowly emerges from the surrounding noise, giving rise to a characteristic pulsation. The antenna acts as a revealer, making perceptible the electrical energy that passes through our bodies and our environment amidst a crowd of other artificial signals.

Poetry of analog protocols: this pulsation can be decoded into an image. Slowly, line by line, a nephanalysis of the 2000 km that surround us appears. Clouds and infrared radiation from the ground are displayed, offering a shift from our point of view to that of a space object.

nimon.org/eye