RE: https://infosec.exchange/@metacurity/115835737555766601
Ubisoft may want to take this MongoDB box offline ASAP or disable zlib, they appear to have people inside i3D.
Volexity piggybacked on the (slightly crap) WSJ article about GenAI citing Anthropic for publicity over this, which isn't ideal, but I get it.
The leading takeaway for defenders, now there are some actual IOCs, I think is... keep defending. If your existing vendors and controls aren't picking this stuff up, you have a crap vendor.
You shouldn't really be getting owned by widely detected .exes in .rar files from random websites. It isn't advanced cyber warfare.
Volexity put out a report about likely GenAI being used in cyber attacks by China... and it contains IOCs! It's a good report.
It has all the low hanging fruit classics defenders have been aware of forever, e.g. .rar files with .exe files inside, all of the "GenAI malware" was detected out of the box across all leading vendors etc etc.
Also the payloads contain unique phrases (and Wav files, lol) which made them easy to detect.
https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/
The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.
Wait, are you telling me that if I want a linked-cloneable Win11 VM, I need to create a Win10 VM and then upgrade it to Win11? That sounds silly. Can't I just use Rufus to achieve the same goal?
Of course it is silly. But also silly (IMO) is that Rufus doesn't have a "Save as ISO" option. You must have a physical USB drive. But fear not, we can achieve the same goal in a couple of steps:
1. Create the USB drive with the MBR / BIOS (or UEFI-CSM) options in Rufus.
2. Copy the contents of the USB drive (here assumed to be the E: drive) to a folder:
robocopy E:\ C:\rufus_iso_root /E /XD "System Volume Information"
3. Build the ISO from that folder with oscdimg.exe from the ADK:
oscdimg -m -o -u2 -udfver102 -bootdata:2#p0,e,bC:\rufus_iso_root\boot\etfsboot.com#pEF,e,bC:\rufus_iso_root\efi\microsoft\boot\efisys.bin C:\rufus_iso_root C:\tmp\Win11_25h2_noprereqs.iso
Enjoy your installable Windows 11 ISO without the requirements you don't want.
The latest releases of Cursor and Windsurf integrated development environments are vulnerable to more than 94 known and patched security issues in the Chromium browser and the V8 JavaScript engine.
Vidar is back, baby!
Please note the specific callout for attacking Chrome's password store, which is still not hardened enough. Don't use the Chromium browsers' password stores!
Great analysis from Will Thomas @bushidotoken on the Capita breach of 2023 and a stark reminder of the need to adequately staff and resource your SOCs to properly triage and escalate threats!
https://blog.bushidotoken.net/2025/10/lessons-from-blackbasta-ransomware.html
Extremely valuable AI Red Teaming tool released by Jason Haddix. I'll definitely be using this on my tests:
The details for the Oracle hack are as embarrassing as you'd imagine.
2025-10-06 (Monday): A collection of 200+ phishing emails in Japanese that were sent to my blog email addresses during the past 15 days.
Emails and a spreadsheet tracker available at https://www.malware-traffic-analysis.net/2025/10/06/index.html
Broadcom has stopped delivering automated updates to #VMware Fusion and Workstation. All updates have to be downloaded and installed manually from the Broadcom Support Portal (as a side note: This portal is one of the worst corporate "support" websites I've seen in the last decade).
This is terrible. It will lead to tens of thousands of VMware installations remaining vulnerable to trivially exploitable flaws, for example, local privilege escalation via CVE-2025-41244 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
BTW, please note that to fix CVE-2025-41244 you must now manually download the correct VMware Tools package from the support portal, unpack the zip, mount the ISO image, and then execute the setup.exe from the mounted ISO image. There are currently no VMware releases that include the fixed VMware Tools, so if you create any new VMs you MUST install the update manually in each new VM. Did I already mention this is terrible?
Certificate from HackTheBox is a hard box with a bit of everything. There's upload / zip shenanigans (two ways), PCAP analysis and Kerberos cracking, ADCS ESC3, and Golden Certificate.
2025-09-24 (Wednesday): #LummaStealer infection with follow-up malware, possibly #Ghostsocks or #GoBackdoor.
A #pcap of the infection traffic, malware samples, and list of indicators are available at https://www.malware-traffic-analysis.net/2025/09/24/index.html
I hate buying a car. You’re not negotiating, you’re stuck with some guy who has the authority of a mall Santa. Every time you make an offer, he scurries off to “talk to his boss,”
This post is about Donald Trump
2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.
Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html
Senior lawyer apologises after filing AI-generated submissions in Victorian murder case
“The lawyers explained they checked that the initial citations were accurate and wrongly assumed the others would also be correct.”
Disbar these clowns who can’t grasp the nature of AI slop.
M&S still working on system recovery. https://www.bbc.com/news/articles/cewyyjdzql4o