Tag: InfoSec 2026

  • Edge of Extinction: How FortiGate Flaws Open the Gates to Active Directory Subjugation

    The compromise of a perimeter network appliance can swiftly shepherd a malefactor toward domain controllers and the enterprise’s most critical data repositories. In the nascent months of 2026, cybersecurity sentinels chronicled a sequence of incursions wherein assailants weaponized vulnerabilities within FortiGate firewalls to breach corporate networks and subsequently orchestrate lateral movement deep within the infrastructure.

    The vanguard at SentinelOne meticulously dissected several such crucibles. Across all episodes, the malefactors initially usurped access to FortiGate Next-Generation Firewalls, whereupon they commenced their lateral traversal of the network. These kinetic sieges were successfully detected precisely during this phase of internal proliferation.

    Amidst these forensic inquiries, Fortinet definitively sealed several perilous vulnerabilities. CVE-2025-59718 and CVE-2025-59719 afflicted the Single Sign-On (SSO) architecture. Owing to a profound absence of cryptographic signature validation, an adversary possessed the capacity to dispatch a meticulously forged SSO token, thereby plundering unauthenticated administrative dominion. An auxiliary vulnerability, designated CVE-2026-24858, facilitated unauthorized ingress into FortiGate appliances whilst FortiCloud authentication was actively engaged. In certain instances, the assailants infiltrated the perimeter leveraging their proprietary FortiCloud credentials. Furthermore, inquisitors recorded systematic ingress attempts utilizing ubiquitous, feeble passwords.

    Subsequent to securing this foothold, the malefactor systematically exfiltrated the appliance’s configuration ledger via the show full-configuration directive. Such a dossier intrinsically harbors the network’s topological architecture alongside the credentials for vital service accounts. Given that the FortiOS architecture employs reversible encryption, the assailant can effortlessly decipher the ledger to harvest usernames and cryptographic keys.

    One specific incursion germinated in November 2025 and languished utterly undetected until February 2026. The assailant forged a localized administrative account christened support upon the FortiGate appliance, subsequently inscribing firewall edicts that empowered this rogue credential to seamlessly traverse all sequestered network zones. Thereafter, kinetic activity precipitously evaporated—a hallmark choreography reminiscent of an Initial Access Broker (IAB) who jealously guards a point of ingress, only to subsequently bequeath this access to auxiliary syndicates.

    At a later juncture, the malefactor excavated the credentials for the fortidcagent LDAP account from the configuration ledger, executing an authentication into the Active Directory from the IP coordinate 193.24.211[.]61. Following this triumphant ingress, the assailant conscripted two phantom workstations—WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2—into the domain. This was orchestrated via the exploitation of the ms-DS-MachineAccountQuota attribute, a systemic parameter that, at its default value, permits a pedestrian account to tether up to ten computational hosts to the domain infrastructure.

    Thereafter commenced a relentless reconnaissance of the network and a barrage of brute-force password attacks. The systemic architecture chronicled a multitude of failed authentication endeavors, the provenance of which unequivocally aligned with the FortiGate appliance’s IP address. Forensic sentinels also unearthed the digital footprints of the SoftPerfect Network Scanner utility upon the subjugated systems. Concurrently, auxiliary ingress attempts were recorded emanating from the IP coordinates 185.156.73[.]62 and 185.242.246[.]127.
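    The two Active Directory signals in the paragraphs above (computer accounts joined by an identity that should never join machines, and a burst of failed logons from a single source address such as the firewall's own IP) can be caught with simple aggregation over Windows Security events. The script below is an added example written for this digest, not code from SentinelOne or Fortinet; its event layout, thresholds, allow-list and sample records are constructed, though the account, host and address values are the ones named in the text.

```python
"""Detection logic for two indicators from the FortiGate-to-AD incident:
- event 4741 (computer account created) by an identity outside a small allow-list
  (ms-DS-MachineAccountQuota abuse by a non-provisioning account such as an LDAP bind user)
- event 4625 (failed logon) bursts from one source IP within a sliding window
Added example; event fields, thresholds and sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flat, SIEM-style shape.
SAMPLE_EVENTS = [
    {"time": "2026-02-10T02:11:05", "event_id": 4741, "subject": "CORP\\fortidcagent",
     "target": "WIN-X8WRBOSK0OF$", "src_ip": "193.24.211.61"},
    {"time": "2026-02-10T02:11:09", "event_id": 4741, "subject": "CORP\\fortidcagent",
     "target": "WIN-YRSXLEONJY2$", "src_ip": "193.24.211.61"},
    {"time": "2026-02-10T02:13:00", "event_id": 4741, "subject": "CORP\\svc-sccm",
     "target": "LAPTOP-0451$", "src_ip": "10.0.5.20"},
] + [
    # 40 failed logons in 40 seconds from the (constructed) firewall address
    {"time": f"2026-02-10T02:20:{s:02d}", "event_id": 4625,
     "subject": f"CORP\\user{s}", "target": "", "src_ip": "10.0.0.1"}
    for s in range(40)
] + [
    {"time": "2026-02-10T02:21:00", "event_id": 4625, "subject": "CORP\\alice",
     "target": "", "src_ip": "10.0.7.33"},
]

# Identities that legitimately join machines (imaging/SCCM service accounts).
# Constructed allow-list; a firewall's LDAP bind account must never be on it.
JOIN_ALLOWLIST = {"CORP\\svc-sccm"}


def machine_account_alerts(events, allowlist=JOIN_ALLOWLIST):
    """Return (subject, new_computer, src_ip) for every computer account
    created by an identity outside the allow-list."""
    return [(e["subject"], e["target"], e["src_ip"])
            for e in events
            if e["event_id"] == 4741 and e["subject"] not in allowlist]


def failed_logon_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Group 4625 events by source IP; report each IP whose failure count
    inside any `window`-sized sliding window reaches `threshold`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


if __name__ == "__main__":
    for subject, target, ip in machine_account_alerts(SAMPLE_EVENTS):
        print(f"ALERT 4741: {subject} joined {target} from {ip}")
    for ip, count in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT 4625: {count} failed logons from {ip} within 5 minutes")
```

    Both functions are pure, so they can be run over a batch export from a SIEM as easily as over the constructed sample. The allow-list is deliberately tiny: in most domains only a handful of provisioning identities should ever appear as the subject of a 4741 event, and a firewall's directory-integration account is never one of them.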

    Within a secondary incident, the adversary operated with profoundly terrifying celerity. Having usurped dominion over the FortiGate, the malefactor minted an administrative account dubbed ssl-admin, exfiltrated the appliance’s configuration, and plundered the sanctified credentials of a Domain Administrator. Within a mere ten minutes, the assailant had triumphantly logged into a multitude of servers masquerading beneath the aegis of the built-in Domain Admin credential.

    Upon these compromised servers, the assailant sequestered malignant artifacts within the C:\ProgramData\USOShared directory and entrenched the Pulseway and MeshAgent Remote Monitoring and Management (RMM) instruments. The installation payload for Pulseway was strategically staged within a Google Cloud Storage repository, whilst MeshAgent was covertly deployed upon the domain controller and the primary file server, meticulously obfuscated from the ledger of installed applications.

    Additionally, the malefactor retrieved a venomous archive from an Amazon S3 bucket. This malignant architecture masqueraded as benign Java components, surreptitiously invoking malicious libraries via the sophisticated artifice of DLL side-loading. Post-execution, the parasitic software established communications with the domains ndibstersoft[.]com and neremedysoft[.]com, subsequently proliferating across auxiliary servers via the PsExec utility.

    Progressing to the subsequent phase, the adversary forged a Volume Shadow Copy of the domain controller, ruthlessly extracting the sacrosanct NTDS.dit Active Directory database in tandem with the SYSTEM registry hive. These artifacts were systematically compressed and exfiltrated to an external nexus via a connection tethered to the IP coordinate 172.67.196[.]232—an address nested within the Cloudflare architecture. This illicit data hemorrhage persisted for approximately eight minutes, whereupon the purloined archives were meticulously purged from the host.

    Sieges of this nature are profoundly catastrophic, given that FortiGate appliances inherently possess privileged access to the foundational pillars of the infrastructure, unequivocally including the Active Directory. Compounding this vulnerability is the stark reality that such perimeter appliances cannot accommodate endpoint-level defensive agents. Consequently, the paramount defensive posture is inexorably reduced to the hyper-vigilant application of software remediations, the draconian governance of administrative access, and the protracted retention of systemic event ledgers. Security savants vehemently advocate for the preservation of these logs for a minimum of 14 days—ideally spanning 60 to 90 days—and their seamless transmission into centralized Security Information and Event Management (SIEM) architectures.

  • CISA’s “Grim Ledger”: Warlock Ransomware and Critical Zero-Days Strike Enterprise Management Tools

    The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has concurrently appended a triad of vulnerabilities to its Known Exploited Vulnerabilities catalog—a repository exclusively reserved for security aberrations actively weaponized by digital malefactors. Inclusion within this grim ledger invariably signifies one stark reality: kinetic sieges are presently underway, and the custodians of these architectures would do well to instate the requisite remediations with utmost alacrity.

    The peril at hand concerns security anomalies festering within the Omnissa Workspace One UEM, SolarWinds Web Help Desk, and Ivanti Endpoint Manager architectures. Each distinct vulnerability empowers adversaries to either usurp access to deeply confidential telemetry or to arbitrarily execute commands upon the host server.

    The inaugural vulnerability, designated CVE-2021-22054 (bearing a CVSS severity score of 7.5), is inextricably linked to an aberration in the processing of server-side requests within Omnissa Workspace One UEM (formerly christened VMware Workspace One UEM). Provided they possess network ingress to the architecture, an assailant can dispatch unauthenticated inquiries, thereby plundering access to profoundly sensitive intelligence.

    The secondary anomaly, CVE-2025-26399 (commanding a devastating CVSS score of 9.8), was unearthed within the AjaxProxy constituent of the SolarWinds Web Help Desk framework. An egregious failure to properly deserialize untrusted data bestows upon a malefactor the terrifying capacity to execute arbitrary commands across the server. Both Microsoft and the Huntress vanguard have recently illuminated that digital assailants are already actively weaponizing these SolarWinds vulnerabilities to secure initial footholds within target infrastructures. Extant intelligence suggests these incursions are orchestrated by the ransomware syndicate known as Warlock.

    The tertiary vulnerability has been formally chronicled as CVE-2026-1603 (registering a CVSS score of 8.6). A critical failing within the Ivanti Endpoint Manager empowers an assailant to completely circumvent authentication matrices via an alternative access conduit, thereby remotely extracting a cache of archived credentials. Granular details concerning kinetic incursions leveraging this specific affliction remain presently elusive. As of this promulgation, Ivanti has similarly abstained from updating its security bulletin to officially acknowledge active exploitation.

    As early as March 2025, the enterprise GreyNoise chronicled that CVE-2021-22054 was being actively deployed in concert with homologous SSRF anomalies across disparate products, forming the vanguard of a highly orchestrated, coordinated offensive.

    CISA has issued a draconian mandate, compelling federal agencies to instate the restorative patch for the SolarWinds Web Help Desk no later than March 12, 2026. The requisite updates for the remaining twain of vulnerabilities must be unequivocally applied by March 23. The agency emphatically underscores that such security frailties frequently serve as the foundational ingress point for devastating sieges, thereby manifesting a profound and existential peril to the integrity of federal information architectures.

  • Hacking the Basics: A 17-Flag Guide to the MBPTL Pen Testing Lab

    Most Basic Penetration Testing Lab (MBPTL)

    A comprehensive, hands-on penetration testing lab designed to teach cybersecurity fundamentals through practical exercises.

    This document outlines the complete process for discovering and collecting all 17 flags across the MBPTL environment. The lab is designed to simulate real-world penetration testing scenarios and demonstrate various attack vectors and techniques.

    Flag Checklist

    Phase 1: Reconnaissance (Flags 1-3)

    • Flag 1: Page source analysis (HTML comments)
    • Flag 2: HTTP header analysis (curl -I)
    • Flag 3: Alternative web service discovery (port 8080)

    Phase 2: Web Enumeration (Flag 4)

    • Flag 4: Administrator panel discovery (/administrator/)

    Phase 3: SQL Injection (Flags 5-7)

    • Flag 5: SQL injection vulnerability discovery (details.php?id=1')
    • Flag 6: Database flag extraction (SQLMap)
    • Flag 7: Admin panel access (credentials)

    Phase 4: Post-Exploitation (Flags 8-9)

    • Flag 8: User-level flag (/flag/user.txt)
    • Flag 9: Root-level flag (/flag/root.txt)

    Phase 5: SOC Analysis (Flags 10-12)

    • Flag 10: Web access log analysis (/var/log/apache2/access.log)
    • Flag 11: Command history analysis (/root/.bash_history)
    • Flag 12: Shell configuration analysis (/root/.bashrc)

    Phase 6: Network Pivoting (Flags 13-14)

    • Flag 13: Internal application discovery (port 5000, reachable only from the compromised container)
    • Flag 14: Server-Side Template Injection (SSTI)

    Phase 7: Binary Exploitation (Flags 15-17)

    • Flag 15: Binary analysis and reverse engineering
    • Flag 16: Internal service discovery (port 31337, reachable only from the compromised container)
    • Flag 17: Buffer overflow exploitation
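    Flag 5 in the checklist above is found by appending a single quote to details.php?id=1; the reason that probe works, and what the corrected query looks like, is shown below. This is an added teaching example in Python with the standard sqlite3 module, not part of the MBPTL lab (whose target is PHP/MySQL); the items table and its rows are constructed because the lab's schema is not given here.

```python
"""A string-built query beside its parameterised form, probed with the same
inputs used in Phase 3 of the lab. Added example; table and rows are constructed."""
import sqlite3


def make_db():
    """In-memory stand-in for the lab's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [(1, "first item"), (2, "second item")])
    return con


def lookup_vulnerable(con, user_id):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    sql = "SELECT name FROM items WHERE id = '" + user_id + "'"
    try:
        row = con.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        # A stray quote leaves the string literal unterminated. An application
        # that echoes this error to the client is what the id=1' probe detects.
        return ("error", str(exc))


def lookup_safe(con, user_id):
    """Parameterised query: the input is bound as a value, never parsed as SQL,
    so id=1' simply matches nothing instead of breaking the statement."""
    row = con.execute("SELECT name FROM items WHERE id = ?", (user_id,)).fetchone()
    return ("ok", row[0] if row else None)


def run_probes(probes=("1", "1'")):
    """Run each probe against both implementations and collect the outcomes."""
    con = make_db()
    return {p: {"vulnerable": lookup_vulnerable(con, p), "safe": lookup_safe(con, p)}
            for p in probes}


if __name__ == "__main__":
    for probe, outcome in run_probes().items():
        print(f"id={probe!r:6} vulnerable -> {outcome['vulnerable']}")
        print(f"id={probe!r:6} safe       -> {outcome['safe']}")
```

    The contrast is the whole lesson of Phase 3: the same input that produces a database error in the concatenated version is treated as an ordinary, non-matching value by the bound parameter, which is why parameterised queries (or prepared statements in PHP's PDO/mysqli) are the fix rather than input filtering.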

    What You’ll Learn

    This lab covers the complete penetration testing methodology with 17 hands-on flags. Complete the lab in this order:

    1. Reconnaissance → Information gathering and target enumeration
    2. Vulnerability Assessment → Identifying security weaknesses
    3. Exploitation → Exploiting vulnerable applications and services
    4. Password Cracking → Breaking authentication mechanisms
    5. Post-Exploitation → Maintaining access and privilege escalation
    6. Network Pivoting → Moving between networks and accessing internal systems
    7. Binary Exploitation → Exploiting memory corruption vulnerabilities in compiled programs
    8. Reverse Engineering → Analyzing software to understand its functionality and identify vulnerabilities
    9. SOC Analysis → Log analysis and forensic techniques

    Lab Architecture

    The lab simulates a realistic network environment with 3 interconnected containers:

    Main Container (mbptl-main)

    Primary target with web applications

    • Port 80: Web application with SQL injection vulnerability
    • Port 8080: Administrator panel with file upload vulnerability
    • Port 3306: MySQL database (internal-only, reachable from other containers)
    • Objective: Initial compromise and privilege escalation

    Internal Container (mbptl-internal)

    Internal service for binary exploitation

    • Port 31337: Custom binary service with buffer overflow vulnerability (internal-only)
    • Objective: Binary exploitation and reverse engineering
    • Access: Only accessible after compromising main container

    Web Internal Container (mbptl-app)

    Internal web application for pivoting

    • Port 5000: Flask application with template injection vulnerability (internal-only)
    • Objective: Advanced web application exploitation
    • Access: Only accessible after compromising main container

    Install

  • The Persistence of WinRAR: Google Warns of Widespread CVE-2025-8088 Attacks

    The Google Threat Intelligence Group (GTIG) has disclosed the extensive exploitation of a critical vulnerability, designated CVE-2025-8088, residing within the ubiquitous WinRAR archiving utility. Although the defect was remediated in the summer of 2025, adversaries persist in weaponizing it globally, integrating the flaw into both financially motivated incursions and state-sponsored espionage operations.

    The crux of the issue is a path traversal anomaly, which empowers an attacker to deposit files into arbitrary Windows directories—most notably the Startup folder—via meticulously crafted RAR archives. This maneuver leverages NTFS Alternate Data Streams (ADS) to conceal a malicious payload within a seemingly benign document, such as a PDF. Upon the simple act of opening the archive, the surreptitious object is silently committed to a system directory, ensuring its automatic execution during the subsequent user login and facilitating persistent access to the host environment.
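    The defensive counterpart to the mechanism just described is a member-name check performed before an archive is extracted: reject any entry whose path would escape the destination directory, any drive-absolute path, and any name carrying the NTFS alternate data stream syntax (file:stream) behind a harmless-looking document name. The function below is an added example for this digest, not WinRAR's or GTIG's code; the extraction directory and the sample member names are constructed.

```python
"""Pre-extraction validation of archive member names. Added example; the
destination directory and SAMPLE_MEMBERS are constructed for illustration."""
import posixpath
import re
from pathlib import PurePosixPath


def member_is_safe(member_name, dest_dir="/tmp/extract"):
    """Return True only if `member_name` would land strictly inside dest_dir.
    The policy is deliberately strict: any '..' component is refused even when it
    would normalise back inside, because extractors differ in how they normalise."""
    name = member_name.replace("\\", "/")      # archives built on Windows use backslashes
    if re.search(r"[A-Za-z]:", name) or ":" in name:
        # 'C:/...' drive paths and 'doc.pdf:stream' alternate data streams
        return False
    if name.startswith("/"):                    # absolute path
        return False
    if any(part == ".." for part in PurePosixPath(name).parts):
        return False
    target = posixpath.normpath(posixpath.join(dest_dir, name))
    return target.startswith(dest_dir.rstrip("/") + "/")


def audit(members, dest_dir="/tmp/extract"):
    """Map each member name to its verdict, so a caller can refuse the whole
    archive if any entry fails rather than extracting the safe ones alone."""
    return {m: member_is_safe(m, dest_dir) for m in members}


# Constructed member names covering the cases described in the text.
SAMPLE_MEMBERS = [
    "report.pdf",
    "docs/report.pdf",
    "../../Startup/update.lnk",        # traversal toward an autorun location
    "report.pdf:update.lnk",           # payload hidden in an ADS behind a PDF name
    "C:\\Users\\Public\\update.exe",   # drive-absolute path
    "docs/../../notes.txt",            # traversal that escapes after normalising
    "docs/../report.pdf",              # '..' that would stay inside; still refused
]

if __name__ == "__main__":
    for member, ok in audit(SAMPLE_MEMBERS).items():
        print(f"{'OK     ' if ok else 'REJECT '}{member}")
```

    Refusing the entire archive on the first bad entry (rather than skipping that entry) is the safer default: an archive that contains even one such name was not produced by a normal packer.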

    Forensic telemetry from GTIG indicates that exploitation of CVE-2025-8088 commenced as early as July 18, 2025. While RARLAB disseminated a patch on July 30 with the release of WinRAR version 7.13, the sluggish cadence of software updates among users and enterprises has rendered this vulnerability a perennial favorite for widespread offensives.

    These campaigns typically manifest as phishing dispatches, utilizing archives containing geopolitical lures alongside malicious shortcuts, scripts, and HTA files designed to retrieve auxiliary components. Such operations have been observed deploying malware families like NESTPACKER and STOCKSTAY, in addition to various reconnaissance and remote administration tools.

    The vulnerability is being exploited by a diverse array of actors, ranging from state-aligned syndicates to private mercenary hackers. Documented incursions have targeted organizations in Indonesia, Latin America, and Brazil, where WinRAR serves as a conduit for Remote Access Trojans (RATs), infostealers, backdoors, and even deleterious Chrome extensions engineered to inject phishing scripts into financial portals.

    A significant portion of the GTIG report highlights the flourishing underground exploit market. Analysts have identified a prominent actor operating under the pseudonym zeroplayer, who, since 2025, has been purveying high-value exploits for Microsoft Office, Windows, VPN solutions, and security frameworks. Such commercialization accelerates the industrialization of cyberattacks, lowering the barrier to entry for disparate criminal collectives.

    Google emphasizes that the enduring threat of CVE-2025-8088 serves as a poignant testament to the lethality of “n-day” vulnerabilities once they are absorbed into the criminal ecosystem. Even following the availability of official remedies, these flaws remain viable vectors for initial systemic penetration for years to come.

  • Memory Under Siege: OpenSSL Releases Urgent Patches for Critical Buffer Overflows

    The OpenSSL team has disseminated a comprehensive security advisory detailing a constellation of vulnerabilities afflicting the ubiquitous cryptographic library. The update, dated January 27, 2026, delineates a spectrum of issues varying in severity, ranging from perilous buffer overflows to errors precipitating application failures. While certain flaws may be utilized for remote code execution and others incite denial of service, all demand the immediate and urgent attention of administrators and developers alike.

    Deemed the most critical is vulnerability CVE-2025-15467, linked to a stack buffer overflow during the parsing of CMS AuthEnvelopedData. The error manifests during the processing of messages utilizing AEAD ciphers, such as AES-GCM, wherein a malicious actor transmits a specially crafted, enlarged initialization vector. This precipitates an out-of-bounds memory write prior to message authentication, potentially culminating in either a denial of service or arbitrary code execution, contingent upon the platform.

    Particular emphasis is placed on CVE-2025-11187, a defect within the PKCS#12 file verification mechanism employing PBMAC1. Incorrect parameters may trigger a stack buffer overflow and references to invalid pointers. This results in application crashes and could theoretically establish conditions ripe for exploitation. Although such files are typically regarded as trusted, the developers have nonetheless classified the risk as significant.

    The bulletin also enumerates a litany of vulnerabilities of low to moderate severity. Among these are an error in the “openssl dgst” utility (CVE-2025-15469), whereby data exceeding 16 MB is silently truncated during signing; a memory exhaustion issue in TLS 1.3 involving compressed certificates (CVE-2025-66199); as well as vulnerabilities involving out-of-bounds reads and NULL pointer dereferences across various components. These include CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2025-15468, and nascent issues in PKCS#12 and PKCS#7 parsing, registered as CVE-2026-22795 and CVE-2026-22796.

    According to the developers, these vulnerabilities afflict various OpenSSL branches, including versions 3.6, 3.5, 3.4, 3.3, and 3.0, depending on the specific error. Patches have already been released, and users are exhorted to upgrade to current releases—such as OpenSSL 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19—with all due haste. For certain deprecated branches, updates are available within the framework of paid support.
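    A practical first step after an advisory like this is to confirm which branch each deployed OpenSSL belongs to and whether it is at or above the first fixed release. The checker below is an added example written for this digest, not tooling from the OpenSSL project; the per-branch floors are exactly the releases named in the paragraph above, and the sample banners are constructed (the dates in them are placeholders).

```python
"""Classify `openssl version` banners against the fixed releases listed in the
January 27, 2026 advisory summary above. Added example; sample banners constructed."""
import re

# First release containing the fixes, per branch named in the advisory summary.
FIXED_FLOORS = {
    (3, 6): (3, 6, 1),
    (3, 5): (3, 5, 5),
    (3, 4): (3, 4, 4),
    (3, 3): (3, 3, 6),
    (3, 0): (3, 0, 19),
}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from an `openssl version` banner such as
    'OpenSSL 3.0.13 30 Jan 2024'. Returns None if the banner is not OpenSSL's."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(banner):
    """Return 'patched', 'needs-update', 'unlisted-branch' or 'unparsed'.
    Branches absent from the advisory's release list (1.1.1, 3.1, 3.2) are
    reported separately: the text notes that some deprecated branches only
    receive fixes under paid support, so they must not be assumed safe."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    floor = FIXED_FLOORS.get(version[:2])
    if floor is None:
        return "unlisted-branch"
    return "patched" if version >= floor else "needs-update"


# Constructed banners; dates are placeholders, not release dates.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.13 01 Jan 2000",
    "OpenSSL 3.0.19 01 Jan 2000",
    "OpenSSL 3.5.4 01 Jan 2000",
    "OpenSSL 3.6.1 01 Jan 2000",
    "OpenSSL 1.1.1w 01 Jan 2000",
    "LibreSSL 3.9.2",
]

if __name__ == "__main__":
    import ssl
    for banner in SAMPLE_BANNERS:
        print(f"{assess(banner):16} {banner}")
    # The library this interpreter is linked against, via the stdlib ssl module.
    print(f"{assess(ssl.OPENSSL_VERSION):16} {ssl.OPENSSL_VERSION} (this Python)")
```

    Run across a fleet, the same function works on the output of `openssl version` collected by any inventory tool; the `ssl.OPENSSL_VERSION` line in the example shows that language runtimes bundle their own copy and need checking independently of the system package.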

    The publication of this bulletin underscores once again the complexity and fragility inherent in cryptographic infrastructure, even within mature and widely utilized projects. For enterprises and developers, this serves as a poignant reminder of the necessity for regular updates and vigilant version control, particularly for systems interacting with external certificates, PKCS#12 containers, and cryptographic messages.

  • Shadow Bankers of the Blockchain: The $16B Rise of Chinese Crypto-Laundering

    The cryptocurrency realm has imperceptibly acquired new “shadow bankers,” with a substantial portion of illicit digital assets now traversing Chinese-speaking subterranean networks. According to Chainalysis analysts, these syndicates have evolved into pivotal operators within the global crypto-laundering industry, currently processing approximately 20% of all documented illicit fund legalization operations on the blockchain.

    This pertains to the so-called Chinese-speaking money laundering networks, which began to coalesce actively at the onset of the pandemic and swiftly ascended to a dominant position within the criminal crypto-economy. While the volume of illicit funds circulating through the blockchain was estimated at approximately $10 billion in 2020, it had surged to exceed $82 billion by 2025. Against this backdrop, Chinese networks demonstrated explosive expansion. Since 2020, capital inflows into such structures have escalated at a rate 7,325 times faster than the volume of illicit operations conducted via centralized cryptocurrency exchanges.

    In 2025 alone, these networks facilitated the movement of approximately $16.1 billion, equating to roughly $44 million daily. The ecosystem employs over 1,799 active crypto-wallets, with operations characterized by exceptional velocity and scalability. Certain services achieve turnovers reaching a billion dollars in under a year, indicative of intimate ties with offline criminal syndicates and the possession of substantial financial resources.

    Analysts delineate several categories of services within this ecosystem. Some fragment large transfers into thousands of minute transactions to obfuscate the funds’ provenance, while others conversely amalgamate small sums into substantial bundles for integration into the legitimate financial system. The methodologies employed include schemes involving straw men, informal OTC desks, clandestine exchange services, online gambling, and specialized platforms for cryptocurrency mixing and exchange. A distinct niche is occupied by “Black U” services, which openly transact in criminally derived cryptocurrency, vending it at a discount of 10–20% below market value.

    Guarantee platforms such as Huione and Xinbi play a pivotal role, functioning as storefronts and intermediaries between purveyors and purchasers of services. Technically, they do not manage the monetary flows themselves but serve as aggregation points for the entire infrastructure. Even following blockades and sanctions, such venues suffer only a transient loss of their audience, as vendors simply migrate to alternative communication channels, predominantly within messaging applications.

    Money laundering is increasingly assuming an automated character. In certain services, a client need only specify the amount and wallet address, and the system executes the exchange and transfer of funds within mere minutes. For instance, large transactions in “Black U” services at the close of 2025 were processed in an average of 1.6 minutes. This drastically diminishes the risks of blockage and enhances the efficacy of the schemes.

    Experts attribute the meteoric rise of such networks not merely to the growth of the crypto market, but also to stringent currency controls in China. Attempts to expatriate capital created a demand for alternative financial channels, which ultimately came to service international criminal groups as well. Cryptocurrency proved to be a convenient instrument for the cross-border movement of funds, devoid of complex networks of intermediaries or paper trails.

    Despite sanctions, investigations, and international law enforcement operations, the structure of these networks remains resilient. Strikes against individual platforms or services yield only a temporary effect, after which ecosystem participants swiftly reorganize and resume operations through other channels. Analysts emphasize that a tangible impact is achievable only through targeted action against the operators and organizers of the schemes, rather than merely the venues where they advertise their services.

    The Chainalysis report demonstrates that Chinese-speaking networks have become not merely a component of crypto-crime, but a fully-fledged infrastructure of global magnitude. Although they play a particularly conspicuous role in money laundering, this is but one instance of how criminal communities worldwide are adapting to digital financial technologies, transforming the blockchain into a novel instrument of the shadow economy.

  • The Heart of Downing Street: China’s Salt Typhoon Infiltrates UK PMs’ Phones

    Chinese state-affiliated hackers maintained illicit access to mobile devices belonging to personnel within the British Prime Minister’s residence at Downing Street for several years, intercepting both personal and official communications. An investigation by The Telegraph reveals that this expansive cyber-espionage operation compromised high-ranking government officials and their inner circles, effectively penetrating the very heart of the nation’s political apparatus.

    These incursions persisted from at least 2021 through 2024 and have been attributed to the Chinese state-sponsored hacking collective known as Salt Typhoon. The targeted devices included those of aides to Boris Johnson, Liz Truss, and Rishi Sunak. While it remains unconfirmed whether the Prime Ministers’ personal devices were directly compromised, sources assert that the attackers’ access extended to pivotal communications within Downing Street.

    American intelligence agencies suspect the operation may have endured beyond this timeframe, posing a potential risk of data exfiltration during the tenure of Keir Starmer’s administration. In November, MI5 cautioned Parliament regarding the threat of Chinese espionage, echoing earlier warnings from the FBI and other Western intelligence services that Chinese entities had infiltrated telecommunications networks globally.

    The implications extend beyond the mere interception of calls and messages to include the harvesting of metadata. This encompasses information regarding whom officials contact, the frequency and origin of such communications, and geolocation data. Even absent direct access to conversation content, such intelligence provides a potent instrument for analyzing associations, movements, and decision-making processes.

    Operation Salt Typhoon was global in scope. Beyond the United Kingdom, the attacks impacted the United States, Australia, Canada, and New Zealand—members of the Five Eyes intelligence alliance. The magnitude of the breaches only came to light in 2024, when the US disclosed the compromise of telecommunications companies, which facilitated access to the data of millions of users worldwide.

    Former American officials contend that the hackers possessed the capability to record telephone conversations and track users in near real-time. Indeed, a senior US representative characterized this campaign as “one of the most successful espionage operations in history.”

    Predictably, Beijing has repudiated these accusations, dismissing them as unsubstantiated and politically motivated. Representatives from the Chinese embassy maintain that China itself is a victim of cyberattacks and advocates for adherence to international cybersecurity norms.

    Cybersecurity experts note that China has long demonstrated a keen interest in acquiring political intelligence regarding British politicians and decision-making processes in London. They describe the attacks as surgical and meticulously orchestrated, with the primary objective being the telecommunications infrastructure through which key government communications traverse.

    Against the backdrop of this investigation, British intelligence agencies acknowledge that the threat posed by state-sponsored cyber operations is becoming increasingly systemic and enduring. A report by the Intelligence and Security Committee of Parliament previously highlighted the United Kingdom’s lack of a cohesive strategy regarding China, despite escalating risks to national security.

    The UK government has declined to offer official comment on the leaks; nevertheless, the Downing Street breach serves as yet another alarming indication of the vulnerability of even the most fortified centers of power in an era of pervasive global cyber-espionage.

  • The Botnet Merger: Kimwolf Hijacks 10 Million Badbox 2.0 Devices

    The cybercriminals orchestrating the Kimwolf botnet appear intent on flaunting a truly monumental acquisition. A screenshot has surfaced online purportedly demonstrating their infiltration of the control panel for Badbox 2.0, one of the world’s most extensive botnets, encompassing millions of infected, Chinese-manufactured Android TV set-top boxes. According to the FBI and Google, Badbox 2.0 has long been a target of pursuit; this leak now illuminates the potential architects behind this sprawling infrastructure.

    Kimwolf has already compromised over two million devices, gaining notoriety for its aggressive propagation tactics. Its primary vectors are illicit Android TV boxes marketed as “set-top boxes with free access to movies and series” for a single, one-time payment. The malware is either pre-installed prior to sale or introduced during initial configuration via counterfeit applications and third-party marketplaces.

    Researchers have previously identified the Kimwolf administrators by the aliases Dort and Snow. A former associate has now provided journalists with a screenshot allegedly captured from the Badbox 2.0 control panel. The image displays seven authorized accounts; according to the source, one bearing the name “ABCD” belongs to Dort. It is surmised that he successfully added his email as a legitimate user within the botnet’s management system.

    Badbox possesses a lengthy lineage. The initial botnet bearing this name was identified in 2023, and its infrastructure was partially disrupted in 2024. However, 2025 witnessed the emergence of a new iteration, Badbox 2.0, which Google estimates comprised over 10 million uncertified Android devices, utilized for ad fraud and home network infections. At the time, the FBI warned that such devices could grant malicious actors direct access to users’ local networks.

    An analysis of the email addresses from the leaked screenshot led researchers to several Chinese IT firms and specific individuals linked to mobile application development and domain infrastructure previously cited in Badbox 2.0 reports. Specifically, the names Chen Daihai and Zhu Zhiyu were connected to the registration of domains, companies, and addresses already mentioned in investigations dedicated to this botnet.

    The paramount danger lies elsewhere. Kimwolf propagates through vulnerable IoT devices within home networks, utilizing residential proxy services. Following the closure of this loophole by numerous proxy providers, Kimwolf’s rate of spread began to decelerate. However, if Kimwolf’s administrators indeed possess unauthorized access to the Badbox 2.0 control panel, they acquire a direct conduit for installing malware onto the millions of Android TV boxes already ensnared within that botnet.

    According to the source, this was precisely the “secret trump card” of the Kimwolf operators: the capacity to directly upload malware onto Badbox 2.0 boxes, circumventing the proxy infrastructure. The precise method by which access to the control panel was obtained remains obscure. Nevertheless, researchers have already notified all account holders listed in the screenshot, implying that Dort’s access may be revoked imminently.

    Should this information be corroborated, it would signify a rare intersection of two major botnet ecosystems and a severe escalation of the threat to home networks globally, particularly for those utilizing inexpensive, unofficial Android TV boxes.

  • Red Teaming at Scale: GHARF Automates the Attack Lifecycle via CI/CD

    GHARF is an efficient support framework for Red Team exercises that applies the concept of CI/CD (Continuous Integration / Continuous Delivery). It can be used for exercises aimed at security assessment, research, and human resource development.

    This tool automates various phases of Red Team operations from the development and preparation of simulated attacks to their execution by applying the build and delivery mechanisms of CI/CD. As a result, Red Team operations become significantly more efficient, enabling rapid iteration of operational cycles. We refer to this concept as “Continuous Attack Integration / Continuous Attack Delivery (CAI/CAD).”

    Features

    Continuous Attack Integration / Continuous Attack Delivery

    • Fully Automated Red Team Operations

      • Automates the entire process of Red Team operations from attack development to preparation and execution
      • Allows Red Team to focus on scenario development rather than operational overhead
      • Connects each operation as a pipeline, enabling seamless handoff of obtained capabilities between phases
        • For example: an attack tool can be built, automatically executed in the target environment, and then analyzed, with the results output, all without manual intervention
    • Red Team Operations as Code

      • Operations can be structurally defined as workflow files
      • Workflow files serve as documentation for the operation itself
      • Enables repeatable execution of operations
      • Supports version control of operational logic
      • Makes operations portable and transferable across environments
    • Resource-Less

      • Uses the Runner Application as a C2 agent, eliminating the need to develop one from scratch
      • Leverages GitHub repositories as C2 servers, so there is no need to build a separate C2 infrastructure
      • Enables attack tool building using GitHub-hosted runners, so no dedicated build environment is required
      • Supports result analysis and processing (e.g., password cracking) using GitHub-hosted runners; again, no separate environment is needed
    • Easy and Fast Setup

      • Quick and simple process to get started with the minimum requirements:
        • Create a GitHub account
        • Set up a GitHub repository for attack development
        • Run the Runner Application in the target environment

    Install & Use