The incident, tracked internally under MO1329446 in the Microsoft 365 Admin Center, began with widespread user reports of file-access failures across web-based Office experiences.

Users attempting to open documents, spreadsheets, or presentations via the browser-based Office suite or Teams encountered errors, disrupting collaboration workflows for potentially millions of enterprise users globally.

Microsoft’s engineering team initially acknowledged the issue, stating they were “investigating reports that some users are unable to open files in Office for the Web or Microsoft Teams.” Shortly after, the team confirmed detection of elevated error rates spanning multiple Office for the Web services.

Engineers conducted service telemetry analysis to identify the failure scope, correlating error patterns across service dependencies to determine the root cause and remediation path.

The cross-dependency investigation suggests the disruption may have stemmed from a shared backend component or infrastructure layer serving multiple Microsoft 365 services simultaneously, a pattern consistent with prior Azure-backed service incidents.

Microsoft has not yet publicly disclosed whether the incident originated from a code deployment, configuration change, or underlying infrastructure fault.

Microsoft confirmed that the impact is no longer occurring and has published final incident details under MO1329446 in the Microsoft 365 Admin Center. Affected organizations with active Microsoft 365 subscriptions can review the post-incident report through their admin portals for detailed timelines and remediation steps.

Enterprises relying on Microsoft 365 for critical workflows are advised to monitor the Microsoft 365 Service Health Dashboard for real-time status updates and configure admin center alerts to receive proactive notifications during future service disruptions.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Microsoft Office for the Web and Teams Hit by File Access Outage appeared first on Cyber Security News.

What was once a niche concern has grown into a serious and escalating threat, with attackers running multi-stage operations that extend well beyond a single compromised container.

Modern container platforms are designed to isolate applications from one another and from the host. But that isolation is only as strong as the configuration behind it.

When settings are applied carelessly or left at insecure defaults, the wall between a container and its host becomes dangerously thin, giving attackers a direct path to escalate privileges.

Researchers at Securelist said in a report shared with Cyber Security News (CSN) that these attacks have evolved into multi-stage scenarios involving supply chain compromises, Kubernetes secrets theft, orchestration API abuse, and container escape attempts.

In one notable case, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains, poisoning a Docker Hub repository to steal Kubernetes secrets.

The threat is not limited to exotic zero-day exploits. Misconfigurations are far more common as the root cause of successful breaches than complex kernel vulnerabilities. Attackers look for the low-hanging fruit first, and insecure container configurations remain plentiful across enterprise environments.

Once inside a compromised container, an attacker rarely needs to do much to find something valuable. Containers routinely hold API keys, SSH keys, access tokens, service credentials, and Kubernetes ServiceAccount tokens.

These assets alone can be enough to pivot into cloud infrastructure or establish long-term persistence without ever escaping the container.

Attackers Abuse Docker and Kubernetes Misconfigurations

The most dangerous configuration a container operator can enable is the privileged flag. When a container runs with this setting, it receives all Linux capabilities and direct access to host devices, making it functionally equivalent to root access on the host machine.

Using a utility like nsenter, an attacker can spawn a shell outside the container and move freely on the underlying system.

Specific Linux capabilities also open the door to escapes when improperly assigned. The CAP_SYS_ADMIN capability allows a container to mount file systems and interact with kernel parameters.

Combined with access to host directories through the hostPath parameter, an attacker can mount the host disk inside the container and overwrite critical system files. CAP_SYS_MODULE lets an attacker load a malicious kernel module that triggers a reverse shell from kernel space.

CAP_SYS_PTRACE becomes dangerous when the host PID namespace is shared via hostPID: true.

An attacker can then attach to host processes, inject code, and extract sensitive data from memory. CAP_NET_ADMIN enables network stack manipulation and, when combined with hostNetwork: true, opens the door to traffic interception across the environment.

Orchestration APIs present an equally serious risk. An exposed Docker API accessible over TCP without authentication gives an attacker remote administrative access to the host.

A compromised Kubernetes token with weak RBAC policies can allow deployment of privileged pods and a full cluster takeover with just a few API calls.

Supply Chain Attacks Targeting Container Infrastructure

Beyond runtime misconfigurations, attackers are going after containers before they are even deployed. Supply chain attacks target the image build and delivery process, injecting malicious code at stages where organizations are least likely to look.

Developers who pull public images from Docker Hub without checking their origin are especially vulnerable, since threat actors regularly publish tainted images that mimic legitimate tools.

CI/CD pipelines are another high-value target. These systems hold elevated privileges and broad infrastructure access.

By compromising a single pipeline stage, an attacker can modify Docker image builds, quietly adding hidden scripts or remote management tools, while the container appears legitimate on the outside.

To defend against these threats, teams should audit container configurations regularly and avoid running containers with the privileged flag.

All images should be verified before use, RBAC policies should be tightened, and CI/CD pipelines treated as critical infrastructure with strict access controls. Runtime monitoring and supply chain validation are essential parts of any secure container deployment.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Abuse Docker and Kubernetes Misconfigurations to Compromise Host Systems appeared first on Cyber Security News.

The campaign lures victims through fake verification pages that trick them into running a malicious script without realizing the full damage it causes.

What makes this wave especially concerning is that the attack does not stop at one piece of malware. It delivers a second, more powerful tool once it gains a foothold inside the system.

The infection chain starts when a user visits a compromised or malicious website displaying a fake “verification” page. This page instructs the visitor to copy and run a PowerShell or similar script, which is the ClickFix technique.

Once the script runs, it silently reaches out to attacker-controlled servers and pulls down the first stage of the infection. The victim sees nothing unusual on their screen, while the attacker gains quiet and persistent access to the machine.

Internet Storm Center said in a report shared with Cyber Security News (CSN) that they identified the campaign after observing a suspicious infection on May 27, 2026.

Researcher Brad Duncan noted that an unidentified RAT had been generating encoded traffic to a command and control server since at least April 2026.

The discovery confirmed that this campaign had been quietly running for several weeks before it was formally documented and published.

What sets this attack apart is its deliberate two-stage design. The first stage drops an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic.

Once the initial RAT is in place, it pulls in a second payload: a malicious package of NetSupport Manager RAT, a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines.

The entire process is built to stay quiet and survive reboots. After the NetSupport RAT is installed and made persistent on the host, the scripts used to set it up are deleted automatically, removing traces of the initial compromise.

This cleanup step makes forensic investigation harder and reveals the careful level of planning behind the campaign.

SmartApeSG Campaign Uses ClickFix Scripts

The SmartApeSG campaign uses a fake browser verification page as its entry point, a tactic that has grown increasingly popular among threat actors.

Visitors are told to run a script to “verify” their identity, which instead executes the ClickFix payload. The script then contacts attacker infrastructure to fetch a ZIP archive containing the initial RAT package from a remote server.

Once extracted and executed, the initial RAT begins sending encoded traffic to its C2 server at a fixed IP address over port 443.

The use of encoded, non-SSL traffic on that port is unusual and helps the malware avoid detection tools that expect standard HTTPS on that port. The RAT then pulls down follow-up files through the same C2 channel to prepare the system for the next stage of the attack.

NetSupport RAT Deployed as Persistent Follow-Up Payload

The second stage delivers a malicious NetSupport Manager RAT package via a CAB file that is fetched and extracted to the system.

A batch script called token.bat handles the extraction and installation, while a VBScript file called processor.vbs triggers the batch script. Together, these components install the NetSupport RAT and configure it to run automatically whenever the system restarts.

Defenders are advised to monitor for unusual PowerShell execution tied to browser events, as this is a clear sign of the ClickFix technique being abused. Blocking access to suspicious or newly registered domains can also reduce the overall risk.

Security teams should watch for encoded traffic over port 443 that does not follow normal SSL/TLS patterns, as this is a known behavior of the initial RAT in this chain. Since the domains and file hashes used in this campaign rotate daily, checking the @monitorsg feed on Mastodon is recommended for the latest indicators.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware appeared first on Cyber Security News.

The campaign, dubbed “Miasma: The Spreading Blight,” is a new variant of the Mini Shai-Hulud malware family a sophisticated credential-stealing worm previously linked to threat actor group TeamPCP.

This is not a typosquatting campaign. The attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely-used frontend components, API clients, and developer tooling.

According to Aikido and JFrog detections, the malicious packages were published via GitHub Actions OIDC tokens, indicating the CI/CD pipeline itself was compromised, not individual developer accounts.

Each poisoned package embeds a preinstall lifecycle hook in its package.json:

json"scripts": { "preinstall": "node index.js" }

This executes a 4.2 MB obfuscated payload automatically during every npm install, before any application code runs. The loader uses a multi-stage decryption chain — numeric character arrays, a ROT-style transform, and AES-128-GCM blobs — to evade static detection, before dropping a transient Bun-based payload to /tmp/p*.js for execution.

Once active, the malware performs a sweeping credential collection targeting:

• GitHub tokens — classic, fine-grained, and GitHub Actions OIDC tokens
• Cloud credentials — AWS access keys, GCP service account files, Azure service principal and managed identity tokens
• Infrastructure secrets — Kubernetes service account tokens and kubeconfig files, HashiCorp Vault tokens
• Developer tooling — npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, .env files across the filesystem

In cloud environments, the malware goes beyond static files. It actively queries AWS Secrets Manager, SSM Parameter Store, Azure Key Vault, and GCP Secret Manager when permissions allow. GitHub Actions runners are a prime target: the payload reads secrets directly from runtime process memory, bypassing workflow log masking entirely.

A notable evasion technique in this wave involves disguising exfiltration traffic to api.anthropic.com/v1/api — a legitimate-looking domain that blends into network logs at organizations using Anthropic services.

The /v1/api path is not a valid Anthropic route, suggesting attackers chose it purely for camouflage. Defenders should hunt for node or Bun processes contacting this host from CI runners or developer machines.

The malware also uses a GitHub dead-drop model, creating public repositories under victim accounts with the description Miasma: The Spreading Blight and committing stolen credentials as JSON result files.

The malware installs persistent monitoring services — kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS — that poll for remote instructions. It also injects hooks into AI developer tools including Claude, Codex, Gemini, Copilot, Kiro, and opencode, and adds VS Code folder-open tasks that re-execute the payload.

Most critically, a destructive token monitor (gh-token-monitor) watches stolen GitHub tokens. If a token is revoked before persistence is removed, it can execute destructive commands such as wiping the user’s home directory.

Incident responders must isolate machines and remove persistence before revoking any tokens.

Indicators of Compromise

Any project that installed the following package versions on or after June 1, 2026 should be treated as compromised: Here is the complete IOC table for all 31 compromised @redhat-cloud-services npm packages:

Mitigation Steps

• Run npm uninstall on all affected packages and regenerate lockfiles from trusted metadata
• Use npm ci --ignore-scripts in CI pipelines as a temporary safeguard
• Remove kitty-monitor and gh-token-monitor persistence files from all affected machines before revoking tokens
• Inspect .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js for injected hooks
• Audit npm and GitHub accounts for unexpected patch-version publishes or newly created repositories matching the Miasma: The Spreading Blight description
• Rotate all exposed credentials — GitHub tokens, npm tokens, cloud keys, SSH keys, Vault tokens, and Kubernetes service account tokens — only after persistence is confirmed removed
• Rebuild affected CI runners and developer workstations from clean images

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware appeared first on Cyber Security News.

The campaign intensified following a regional conflict that began on February 28, 2026, attributed to an Iran-linked advanced persistent threat group operating under several known aliases.

Security researchers have been tracking a rapid surge in activity that shows no signs of stopping. The threat group, known as Screening Serpens and also identified as UNC1549, Smoke Sandstorm, and Iranian Dream Job, has been active since at least 2022.

Historically focused on Middle Eastern targets, the group expanded into Western Europe in late 2025. Their preferred targets sit inside high-value sectors including aerospace, defense manufacturing, and telecommunications.

They reach victims through personalized social engineering, using fake job listings and spoofed meeting invitations to lure professionals into downloading malicious files.

Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.

Unit 42 said in a report shared with Cyber Security News (CSN) that the campaigns align closely with the conflict timeline, with coordinated attacks hitting entities in the U.S. and Israel in late March, followed by targets in the UAE and another Middle Eastern country in mid-April 2026.

Both malware families begin their infection chains through spear phishing. Victims receive what appears to be a recruitment portal or a video conferencing app installer.

Once they interact with the file, a silent multi-stage infection chain kicks off in the background, and the attacker quietly gains full control over the compromised machine.

AppDomainManager Hijacking

The most significant technical leap in this campaign is the use of a technique called AppDomainManager hijacking.

This method targets the initialization phase of .NET applications by modifying a legitimate configuration file, allowing malicious code to run before the host application even finishes loading. Since this happens so early, most security tools do not get a chance to detect it.

By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features.

They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.

They also bypass strong-name signature validation, ensuring that unsigned DLL files load without triggering security exceptions.

This approach is described as a mature living-off-the-land technique because it requires no complex shellcode or memory patching.

The attacker simply asks the system to turn off its own defenses using a file that looks entirely legitimate. The result is a payload running in a completely unmonitored, highly privileged environment with no alerts raised.

Infection Chain and Social Engineering Tactics

The MiniUpdate family was delivered through archives impersonating a global airline and a popular video conferencing platform.

One archive contained six fake job description PDFs with believable job IDs and titles such as Senior Software Engineer, targeting IT and engineering professionals.

A nested payload inside a file named Hiring Portal.zip launched a fake error window while the malware quietly installed itself.

For persistence, the malware used Windows Task Scheduler, creating a daily trigger at 09:30 local time. The MiniJunk V2 family used an older configuration method but added heavy code obfuscation and file size inflation to bypass automated scanning limits.

Command-and-control traffic was routed through Azure-hosted domains that mimicked legitimate Windows service names, making network-level detection significantly harder.

Researchers recommend that defenders tune EDR platforms specifically to flag DLL sideloading and AppDomainManager hijacking behaviors, rather than relying solely on signature-based detection.

Treating trusted, signed binaries that load unsigned modules as high-risk will help security teams catch these attacks much earlier. Organizations in aerospace, defense, and technology should stay alert to fake job offers or meeting invitations arriving through unofficial channels.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection appeared first on Cyber Security News.

The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers.

The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets’ working environment.

Analysts from Seqrite, in a report shared with Cyber Security News, identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence.

SideCopy operates under the broader Transparent Tribe, also known as APT36, umbrella — a group with a documented history of targeting South Asian government institutions.

Seqrite Labs has been tracking this threat cluster for years as part of its global spear phishing monitoring program.

Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload.

This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany.

This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.

SideCopy Hackers Deploy Persistent XenoRAT Malware

The malware chain ran across five stages, each built to pass control to the next without triggering detection. After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af, a compromised Afghan education website.

That payload contained obfuscated JavaScript which decoded itself in memory and dropped a .NET-based loader DLL to continue the infection.

That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory.

The shellcode that followed used reflective loading — allocating executable memory and injecting itself without writing the main payload to disk. This fileless approach makes the malware far harder to catch with conventional antivirus scanning.

XenoRAT is a capable surveillance tool once active. It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.

The malware runs a mutex called “clouda” to prevent duplicate instances, and it queries installed antivirus products before reporting back to its operators.

Persistence Mechanisms and Infrastructure Exposure

The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers.

This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks.

The delivery domain abimj.edu.af resolved to IPs 103.132.98.224 and 103.132.98.226, both on a subnet belonging to Afghanistan’s own Ministry of Communication.

Staging malicious payloads on local Afghan infrastructure allowed traffic to blend with legitimate government communications, bypassing network monitoring tools.

The RAT’s C2 server at 185.235.137.106 was hosted on AS59711, a Bulgaria-registered provider with Frankfurt data center presence previously linked to SideCopy activity.

Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.

Enforcing application allow-listing, auditing scheduled tasks regularly, and restricting HTA execution from public directories are effective mitigations. Seqrite released detections under signatures including Link.Downloader.50744.GC and Script.Netloader.50745.GC to help identify compromised systems.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry appeared first on Cyber Security News.

The issue, published in the National Vulnerability Database and GitHub Advisory Database, affects the APS Application Catalog component and has been assigned a critical CVSS score due to its high impact on confidentiality, integrity, and availability.

The vulnerability stems from an XPath injection flaw in the APS Catalog search functionality.

Plesk Command Execution Vulnerability

Specifically, user-supplied input is improperly handled and directly incorporated into XPath queries without adequate sanitization.

This weakness, categorized under CWE-643, allows attackers to manipulate query logic and control how data is retrieved from XML-based storage.

In practice, a low-privileged, authenticated user can exploit this flaw to escalate privileges and execute arbitrary commands on the underlying server.

Because the attack requires only network access and minimal privileges and does not depend on user interaction, it significantly lowers the barrier for exploitation in real-world environments.

The vulnerability also operates with a changed scope, meaning it can impact resources beyond its original security boundary.

Security researchers note that XPath injection vulnerabilities are particularly dangerous in web applications that rely on XML data processing, as they can bypass traditional input validation controls.

In this case, the improper neutralization of input enables attackers to craft malicious queries that effectively alter backend execution behavior.

Plesk has acknowledged the issue and released patched versions to address the flaw. The vulnerability has been fixed in Plesk versions 18.0.76.2 and 18.0.75.1, which were made available in late February 2026.

Users are strongly advised to update their installations immediately to mitigate the risk of exploitation. For environments where immediate patching is not feasible, Plesk has provided a temporary workaround.

Administrators can turn off the APS Catalog functionality by modifying the panel configuration file at /usr/local/psa/admin/conf/panel.ini.

While this reduces exposure, it is not a substitute for applying the official security update. The vulnerability was responsibly disclosed by security researcher Georgii Shutiaev, who collaborated with Plesk to ensure coordinated remediation.

At the time of publication, there is no public evidence of active exploitation. However, given the attack’s simplicity and high impact, threat actors could rapidly weaponize it.

Organizations using Plesk, particularly in shared hosting or multi-tenant environments, should treat this vulnerability as a priority.

Immediate patching, access control review, and monitoring for suspicious command execution activity are critical steps to prevent potential compromise.

This incident highlights the ongoing risks of improper input handling in web applications. It reinforces the importance of secure coding practices and timely patch management in reducing the attack surface.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Critical Plesk Vulnerability Let Users Execute Arbitrary Commands on the Server appeared first on Cyber Security News.

The attacks, carried out under a pro-Iranian persona called “Ababil of Minab,” went far beyond data theft, leaving victims with little ability to restore their systems.

The campaign first surfaced in late March and early April 2026, when Ababil of Minab claimed responsibility for breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro) and destroying its data.

LA Metro confirmed the breach on April 2, 2026. Hours after attackers deleted virtual machines from inside the agency’s management console, the transit authority reported that riders could not load fare on the TAP Mobile App.

Analysts at Gambit Security found that Ababil of Minab is not an independent hacktivist group as they claim.

Forensic evidence links the operation to Black Shadow, an Iran-linked group attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security.

Gambit Security said in a report shared with Cyber Security News that attackers used scripted automation and hands-on keyboard techniques to destroy IT, virtualization, and backup infrastructure.

Beyond LA Metro, the campaign hit the South Florida Regional Transportation Authority, a company called UNIMAC, and a consumer GPS tracking service named Vyncs.

Investigators identified additional victims in Israel and Turkey across the media, higher education, and insurance sectors. The breadth of the operation signals a deliberate, coordinated effort rather than opportunistic hacking.

What makes this campaign stand out is how methodically the attackers eliminated any chance of recovery. They hunted down backup systems, dropped entire database chains, and deleted operating system files to prevent restoration.

In one incident, the attacker used an AI chatbot to refine a custom destruction script, adding an unsettling dimension to state-linked cyber activity.

Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems

The attackers relied on two core methods: automated scripts and direct, manual interaction with system tools. At LA Metro, they powered off and deleted virtual machines through the organization’s own virtualization platform.

At UNIMAC, they wiped three storage volumes and renamed new partitions “Minab” as a calling card. At Vyncs, the group ran a custom Python script called main.py that iterated through 58 SQL Server targets and dropped every database.

All 58 executions succeeded with zero failures. While the script ran, the attacker manually deleted 16 daily SQL backup files, then destroyed core Windows system folders through Windows Explorer, causing their own remote session to drop and confirming total destruction.

At the South Florida Regional Transportation Authority, attackers gained access through a proxied remote desktop connection, took databases offline, and used a secure deletion tool to overwrite the web hosting directory, including a dedicated SQL backup folder.

Every step showed an attacker who understood exactly where critical data lived and how to ensure it could never be recovered.

Custom Tools and Attribution Evidence

Alongside the destruction, investigators uncovered two custom data theft tools. The first involved compressing stolen files and uploading them to the victim’s own public website, then pulling them back through an attacker-controlled server.

The second was a bespoke C++ tool called FileFiend, which scanned drives and network shares before sending stolen files to a hardcoded command-and-control server.

The attackers also built a Flask-based file receiver for accepting uploads from compromised environments. Although file transfers were encrypted, the key was sent in the same request as the data, making it readable to anyone monitoring traffic.

When visitors hit a nonexistent page on the attacker’s server, they were redirected to the FBI’s official website.

The strongest attribution link to Black Shadow came from a staging server that previously hosted a fake mental health support site targeting Israeli soldiers in August 2025.

That same server was found transferring stolen files into this campaign’s infrastructure. Organizations in critical infrastructure, transportation, and education should urgently review access controls, backup isolation practices, and incident response readiness.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East appeared first on Cyber Security News.

Using a combination of fake browser update pages and a social engineering trick known as ClickFix, this operation ran largely undetected until now.

What makes DriveSurge especially dangerous is not just its scale, but the deep sophistication built into its infrastructure to automate malware delivery at massive scale.

DriveSurge works by injecting malicious code into high-reputation, legitimate websites without the knowledge of site owners or their visitors.

When someone visits one of these compromised sites, hidden code quietly routes them through a Traffic Distribution System, or TDS. This system profiles each visitor and decides what to serve them next, making the attack feel natural and highly targeted at the same time.

Silent Push researchers said in a report shared with Cyber Security News that they identified DriveSurge as the primary driver behind a massive surge in ClickFix and Fake Update campaigns across the web.

According to their analysis, DriveSurge operates as a specialized Initial Access Broker using a Pay-Per-Install model, where payment is collected each time a victim device is successfully infected. Those confirmed infection leads are then sold to other threat actors operating downstream.

Researchers uncovered eight distinct technical fingerprints that map out DriveSurge’s malicious infrastructure, from how scripts are injected into victim sites to the registration patterns used for its domains.

This level of operational detail points to a threat actor that has invested serious time into building a repeatable, scalable infection system. The group has compromised thousands of websites that redirect visitors to malware, all without site owners ever knowing.

The campaign targets a wide range of browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser.

Victims encounter either a fake browser update page or a ClickFix prompt, both designed to look completely routine and trustworthy. That familiarity is exactly what makes both methods so effective against everyday users.

New DriveSurge Threat Actor Uses ClickFix and Fake Updates

DriveSurge deploys two main methods to trick users into installing malware on their own devices. In the Fake Update scenario, a compromised site displays a convincing browser update prompt that impersonates a well-known browser.

Clicking the update button triggers the download of a ZIP file containing multiple DLL files and a “Browser Update.exe” file that is actually malware.

The ClickFix method works differently. A fake error message instructs the victim to copy and paste a command into their terminal or PowerShell window, which then silently installs malware.

In one confirmed instance, the ClickFix prompt tried to pull malicious code from an IP address already flagged in active threat intelligence feeds. Both methods exploit the trust people naturally place in familiar websites and routine-looking browser prompts.

The underlying zTDS infrastructure uses obfuscation techniques, including Base64 encoding and string manipulation, to hide malicious redirect code inside normal-looking page elements.

A failover mechanism cycles through multiple backup servers to ensure the payload reaches the victim even if one delivery domain goes down. Researchers confirmed the TDS has been in active use since at least 2022.

MacOS Targeting and a Cross-Platform Victim Strategy

Analysis of obfuscated JavaScript files tied to DriveSurge revealed the attack chain does not only target Windows machines. One analyzed payload delivered macOS malware, showing that DriveSurge is actively building a cross-platform victim pool.

The payload used a multi-stage shell command that downloaded a secondary file, executed it, and then deleted itself immediately to reduce forensic traces.

Researchers also discovered a separate Advertisement Distribution System linked to the campaign. This system collects device metadata and uses behavioral signals like mouse movements, scrolls, and clicks to confirm human presence before delivering content.

Organizations are advised to monitor for unusual external JavaScript injections, audit third-party scripts loading from unrecognized domains, and ensure web-facing content management systems remain fully patched and access-controlled.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors appeared first on Cyber Security News.

The company’s official statement read: “We’re investigating an issue where some users may be unable to setup MFA or access the mysignins.microsoft.com website.” Microsoft has directed affected organizations to reference incident tracking code MO1329260 in the Microsoft 365 Admin Center for real-time updates and remediation guidance.

The outage directly impacts users’ ability to enroll in or modify MFA settings, a critical security control for enterprise environments. The mysignins.microsoft.com portal allows end users to manage their authentication methods, review recent sign-in activity, and configure security info without requiring IT helpdesk intervention.

Disruption to this service can create bottlenecks in onboarding workflows, account recovery processes, and security policy enforcement.

Organizations enforcing Conditional Access policies that require MFA registration may find new or existing users temporarily locked out of Microsoft 365 services as a downstream effect of this outage.

What Administrators Should Do

• Navigate to the Microsoft 365 Admin Center and search for incident MO1329260 under Service Health for the latest status updates
• Temporarily consider adjusting Conditional Access policies to avoid locking out users who cannot complete MFA setup during the outage window
• Monitor the @MSFT365Status Twitter/X account for real-time incident updates
• Document affected users to prioritize MFA re-enrollment once the service is restored

Microsoft has not yet disclosed the root cause or an estimated time to resolution. The company routinely publishes post-incident reviews for significant service disruptions, which are made available through the Admin Center after resolution.

Administrators and security teams are advised to stay on alert, as outages affecting MFA infrastructure can create temporary security gaps if not properly managed.

Update:

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage appeared first on Cyber Security News.