CTO at NCSC Summary: week ending April 27th
Time to say goodbye to passwords...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note beyond a enterprise software zero-day being exploited in the wild..
In the high-level this week:
Ofcom takes world-leading action to crack down on exploitation of mobile networks by criminals - Ofcom announce - “Criminals can use Global Titles to intercept and divert calls and messages, and get their hands on information held by mobile networks. This could, for example, enable them to intercept security codes sent by banks to a customer via SMS message. In extreme cases they can be exploited by criminals and other harmful actors to track the physical location of individuals anywhere in the world.” - UK leading the globe here..
CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide - Wired reports - “Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.”
Statement from Matt Hartman on the CVE Program - CISA states - ”To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.”
British firms urged to hold video or in-person interviews amid North Korea job scam - The Guardian reports - “North Korea is facing pressure in the US and it is particularly focused on the UK for extending its IT worker tactic. It is in the UK where you can see the most extensive operations in Europe.”
European Parliament’s Iran delegation chair victim of Tehran-linked hacking - Politico reports - “The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said.”
FBI Releases Annual Internet Crime Report - FBI announces - “The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses—totaling over $6.5 billion”
EU countries miss deadline on cybersecurity rules for critical sectors - EurActiv reports - “six months after the deadline to put the directive into law came and went on 17 October, a total of 13 countries still have not incorporated the NIS2 cybersecurity directive into domestic legislation as required.”
Policy Trends Towards the Introduction of Active Cyber Defense - Daiwa Institute of Research publishes - “The government aims to improve Japan's response capabilities in the field of cyber security to the same level as major European and American countries, and on February 7, a Cabinet decision was made on a bill to introduce active cyber defense. The bill is aimed at being enacted in the ordinary Diet session in 2025.”
Kamikamica: Cyber safety policy soon - The Fiji Times reports - ”A NATIONAL cybersecurity strategy that sets out Fiji’s vision for a cyber safe, secure and resilient nation will be released this year, said Minister for Trade, Cooperatives, MSMEs and Communications Manoa Kamikamica.”
Reporting on/from China
China/Pakistan : China to replicate its 'Great Digital Firewall' in Pakistan - Intelligence Online reports - “China is building an internet censorship system in Pakistan along the lines of its own Great Firewall. Beijing, which has forced Islamabad's hand on the matter and has enlisted the support of Chinese companies operating in the country, is intent on protecting its economic interests.”
China's humanoid robots make debut in power grid construction - ECNS reports - “Looking ahead, the company plans to further promote the application of innovative "robot plus" products across diverse power grid construction environments, fostering new quality productive forces and supporting the development of a new-type power system.”
China-Vietnam QR code payment cooperation advances - CGTN reports - “Under the guidance of the People's Bank of China and the State Bank of Vietnam, the signing of this agreement signifies that ICBC and other parties have entered a new phase in serving China-Vietnam bilateral local currency settlement and financial infrastructure interoperability.”
China announces rules to simplify cross-border financial data flow - CGTN reports - “A guideline has been jointly released by six departments to promote high-level openness in finance, focusing on personal information and key data sent overseas, according to the People's Bank of China.”
AI
Air Force Doctrine Note 25-1, Artificial Intelligence (AI) - US Air Force publishes - “In addition to investing in autonomous vehicles and intelligent robotic systems, China is focused on applying AI to command decision-making, logistics, cyber operations, swarms, missile guidance, and the cognitive domain”
Defence and artificial intelligence - European Parliament Think Tank publishes - “International cooperation is essential to AI governance, with shared ethical and safety standards to prevent misuse, such as misinformation and cyberattacks.”
Weapons of the Riders: Everyday Algorithmic Resistance of Migrant Food-Delivery Workers in China’s Gig Economy - Shanghai Jiao Tong University publishes - algorithmic resistance is a term I suspect we can expect to hear more of..
OpenAI and start-ups race to generate code and transform software industry - Financial Times reports - “The emphasis on programming as the next frontier for AI systems signals one of the most tangible examples of how the technology could transform industries, with thousands of software developers already using new models in their work.”
UAE Sees Progress on AI Chips Access After $1.4 Trillion Pledge - Bloomberg reports - “The United Arab Emirates is optimistic about securing access to cutting-edge chips currently under US export restrictions, after pledging $1.4 trillion to strengthen ties with Washington.”
Open Problems in Technical AI Governance - Various academics and think tanks publish - “Our work further highlights that technical work does not exist in isolation. Instead, addressing many of these problems will require cross-disciplinary collaboration among technical researchers, policymakers, industry stakeholders, and civil society. No single discipline can fully resolve AI governance challenges, necessitating integrated expertise across computer science, law, political science, ethics, and economics.”
Cyber proliferation
Judge limits evidence about NSO Group customers, victims in damages trial - Cyberscoop reports - “A federal judge last week placed strict limits on the kind of evidence NSO Group can raise during a trial on damages in the lawsuit WhatsApp brought against the spyware vendor over allegations it hacked 1,400 of the messaging platform’s users.”
Bounty Hunting
FBI Seeking Tips about PRC-Targeting of US Telecommunications - FBI solicits - “FBI is issuing this announcement to ask the public to report information about PRC-affiliated activity publicly tracked as "Salt Typhoon" and the compromise of multiple US telecommunications companies, especially information about specific individuals behind the campaign.”
Winter Garden Man Sentenced To 3 Years In Federal Prison For Conducting Series Of Cyber Intrusions Against Former Employer - US Department of Justice announces - “three years in federal prison for knowingly transmitting a program, code, or command to a protected computer and intentionally causing damage and for committing aggravated identity theft.”
Former FAA Contractor Pleads Guilty to Illegally Acting as an Agent of the Iranian Government - US Department of Justice announces - “Rahmati stored those files on removable media, which he took to Iran, where he provided sensitive documents to the Government of Iran in April 2022.”
No reflections this week. Instead here is a podcast where Google’s VP, Cyber Security Resilience Officer, Heather Adkins and I discuss passkeys, and whether it’s time to say goodbye to passwords (it is).
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair and Tom Lancaster detail this alleged Russian campaign. It shows they continue to understand how cloud works and where the social engineering opportunities present themselves..
Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights.
These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.
Both Signal and WhatsApp are used to contact targets, inviting them to join or register for private meetings with various national European political officials or for upcoming events.
Some of the social engineering campaigns seek to fool victims into clicking links hosted on Microsoft 365 infrastructure
The primary tactics observed involve the attacker requesting victim's supply Microsoft Authorization codes, which grant the attacker with account access to then join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-related data.
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
Feike Hacquebord and Stephen Hilt detail the alleged collab between Russia and North Korea.
Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima.
The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.
Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others.
Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges.
Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators.
IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies.
https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
Reporting on China
Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
Nick Dai and Sunny Lu detail a campaign which they allege overlaps with some historic Chinese TTPs but are cautious in the linkage. The sectoral and regional targeting are of note..
Trend Research uncovered a sophisticated APT campaign targeting government and telecommunications sectors in Southeast Asia. Named Earth Kurma, the attackers use advanced custom malware, rootkits, and cloud storage services for data exfiltration. Earth Kurma demonstrates adaptive malware toolsets, strategic infrastructure abuse, and complex evasion techniques.
This campaign poses a high business risk due to targeted espionage, credential theft, persistent foothold established through kernel-level rootkits, and data exfiltration via trusted cloud platforms.
Organizations primarily in government and telecommunications sectors in Southeast Asia (particularly the Philippines, Vietnam, Thailand, Malaysia) are affected. Organizations face potential compromise of sensitive government and telecommunications data, with attackers maintaining prolonged, undetected access to their networks.
https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html
DslogdRAT Malware Installed in Ivanti Connect Secure
Yuma Masubuchi details details the implant they found in these intrusions in what are a suspected Chinese operation.
we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024.
It is currently unknown whether the attacks using DslogdRAT is part of the same campaign involving SPAWN malware family operated by UNC5221
https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
Reporting on North Korea
Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
Silent Push allege that North Korea is going ‘big’ in crypto currency. Not anything we don’t know but shows a degree of persistence and further industrialisation if true..
Silent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC.
Our malware analysts confirmed that three strains, BeaverTail, InvisibleFerret, and OtterCookie, are being used to spread malware via “interview malware lures” to unsuspecting cryptocurrency job applicants.
The threat actor heavily uses AI-generated images to create profiles of “employees” for the three front crypto companies, using “Remaker AI” (remaker[.]ai) for some of the AI images.
As part of the crypto attacks, the threat actors are heavily using Github, job listing, and freelancer websites.
https://www.silentpush.com/blog/contagious-interview-front-companies/
Operation SyncHole: Lazarus APT goes back to the well
Vasily Berdnikov details how North Korea allegedly exploit a one-day vulnerability via watering hole attacks. Brings a degree of early 2000s nostalgia through the using of watering holes..
At least six South Korean organizations were compromised by a watering hole attack combined with exploitation of vulnerabilities by the Lazarus group.
A one-day vulnerability in Innorix Agent was also used for lateral movement.
Variants of Lazarus’ malicious tools, such as ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE, were discovered with new features.
https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
Reporting on Iran
Nothing overly of note this week..
Reporting on Other Actors
The Massive, Hidden Infrastructure Enabling Big Game Hunting at Scale
Megan Keeling shows that the criminal eco-system grows increasingly complex. Would appear that this infrastructure would make a good point for disruption by authorities..
Insikt Group has been tracking how cybercriminals use these tools and identified infrastructure linked to a highly active malicious TDS dubbed TAG-124. TAG-124 allows ransomware operators and other cybercriminals to maximize their chances of infecting their intended victims with their respective payloads.
https://www.recordedfuture.com/blog/massive-hidden-infrastructure-enabling-big-game-hunting-at-scale
PT-C-27 (Golden Rat) new attack weapon exposed
360 Threat Intelligence Center detail this alleged middle eastern originating operation. The implant itself is not overly noteworthy, but the source is if true..
This IP address belongs to the Syrian Telecommunication Private Closed Joint Stock Company, located in Damascus, the capital of Syria. In addition, the character replacement habits of this sample are also very similar to the usual methods of the organization[2]. Therefore, it can be inferred that this weapon belongs to the Golden Rat Organization.
https://mp.weixin.qq.com/s/z1uTLloc79Cnf5j2vgWdTw
Discovery
How we find and understand the latent compromises within our environments.
The Impact of Microsoft’s ReFS on DFIR
Mat Cyb3rF0x Fuchs details aspects of this file system and its impact on forensic capabilities..
Microsoft’s Resilient File System (ReFS) is the new kid on the block poised to complement or even supplant NTFS in some environments.
..
ReFS (Resilient File System) was designed with resilience, scalability, and integrity as primary goals. Unlike NTFS, which dates back to the early ’90s, ReFS was built to handle modern storage needs — think massive disks and Storage Spaces — while maximizing data uptime and protecting against corruption. To achieve this, ReFS uses B+‐tree structures for all on-disk data structures (metadata and file contents are organized in table-like B+trees). In essence, ReFS behaves a bit like a database: it can scale out the file system metadata without the bottlenecks of a fixed-size table (NTFS’s MFT is a fixed table), and it leverages 64-bit addressing to support enormous volumes and files (think petabytes).
https://medium.com/@mathias.fuchs/the-impact-of-microsofts-refs-on-dfir-cdb78f401bfd
Version identification technology practice in key equipment
Chinese analysis looking at approaches to network device version identification. Nothing that a lot of us haven’t done in former lives, but noteworthy due to the country of original the devices/technologies they looked at..
This article discusses the version identification technology practices of three mainstream devices (Citrix, Cisco RV and Fortinet). By analyzing information from multiple dimensions such as HTTP response headers, static resource features, and page hash values, we successfully built a set of reliable version identification methods. These methods not only provide important support for vulnerability impact assessment, but also provide valuable technical references for the field of device security research.
https://mp.weixin.qq.com/s/k74R7FcWcjIBqLJa0eTwRg
Defence
How we proactively defend our environments.
Entra ID Synchronization Feature Remains Open for Abuse
Clément Notin details what he sees as a residual attack surface from allowing bulk access to credentials..
the following synchronization options can introduce cybersecurity risk that extend beyond hybrid tenants:
the already known Directory Synchronization Accounts Entra role
the new On Premises Directory Sync Account Entra role
the new Microsoft Entra AD Synchronization Service application
..
Even after Microsoft’s 2024 hardening efforts, hybrid Entra ID synchronization remains a critical exposure point. The 'Directory Synchronization Accounts' and 'On Premises Directory Sync Account' roles still retain implicit access to sensitive synchronization APIs, and the new 'Microsoft Entra AD Synchronization Service' app introduces the powerful ADSynchronization.ReadWrite.All permission — creating additional risk if misused.
Security teams should proactively monitor for these roles and permissions in their environments, treat them as privileged and ensure they are continuously assessed for exposure risks. Tenable Identity Exposure accounts for these evolving exposures to help defenders stay ahead.
Smart Controller Security within National Security Systems
NSA publishes this guidance on OT in national security systems..
The growing dependence on IT technologies within OT systems and networks and the advancing capabilities of cyber adversaries have introduced significant cybersecurity risks to OT environments. The increased risk is of particular concern to mission-critical NSS OT systems, which are potentially high-value targets for hacking groups and nation-state adversaries. Thus, improving the overall security posture of NSS OT systems is of the utmost importance. The improvement requires robust security policies and procedures at an organizational level and the implementation of technical security features at the system and component levels, which includes OT smart controllers. Therefore, these OT systems and devices must be developed and tested against a robust set of technical requirements designed to meet these security needs, especially given the criticality of embedded devices in the operation and assurance of missioncritical national security functions.
Incident Writeups & Disclosures
How they got in and what they did.
Announcement from SK Telecom
Big breach here..
On April 19, 2025, at approximately 11:00 PM, SK Telecom discovered circumstances in which some SIM-related information of SK Telecom customers was suspected to have been leaked due to malware.
https://news.sktelecom.com/211423
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
Charlie Eriksen catch a supply chain attack going after crypto currency assets..
five new package version of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads. We quickly confirmed the official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets. This package is used by hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem.
Vulnerability
Our attack surface.
Novel Universal Bypass for All Major LLMs
Conor McCauley, Kenneth Yeung, Jason Martin and Kasimir Schu show the fragility of current approaches of trying to block the giving of illicit knowledge..
the first, post-instruction hierarchy, universal, and transferable prompt injection technique that successfully bypasses instruction hierarchy and safety guardrails across all major frontier AI models. This includes models from OpenAI (ChatGPT 4o, 4o-mini, 4.1, 4.5, o3-mini, and o1), Google (Gemini 1.5, 2.0, and 2.5), Microsoft (Copilot), Anthropic (Claude 3.5 and 3.7), Meta (Llama 3 and 4 families), DeepSeek (V3 and R1), Qwen (2.5 72B) and Mistral (Mixtral 8x22B).
Leveraging a novel combination of an internally developed policy technique and roleplaying, we are able to bypass model alignment and produce outputs that are in clear violation of AI safety policies: CBRN (Chemical, Biological, Radiological, and Nuclear), mass violence, self-harm and system prompt leakage.
Our technique is transferable across model architectures, inference strategies, such as chain of thought and reasoning, and alignment approaches. A single prompt can be designed to work across all of the major frontier AI mode
..
The attacks in this blog leverage the Policy Puppetry Attack, a novel prompt attack technique created by HiddenLayer researchers. By reformulating prompts to look like one of a few types of policy files, such as XML, INI, or JSON, an LLM can be tricked into subverting alignments or instructions. As a result, attackers can easily bypass system prompts and any safety alignments trained into the models. Instructions do not need to be in any particular policy language. However, the prompt must be written in a way that the target LLM can interpret as policy. To further improve the attack’s strength, extra sections that control output format and/or override specific instructions given to the LLM in its system prompt can be added.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/
SSL.com: DCV bypass and issue fake certificates for any MX hostname
A major implementation issue. Make you wonder if there are further gaps if you employed Splitting the email atom: exploiting parsers to bypass access controls
SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver's email address as a verified domain, which is completely erroneous.
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
NVBleed: Covert and Side-Channel Attacks on NVIDIA Multi-GPU Interconnect
Yicheng Zhang, Ravan Nazaraliyev, Sankha Baran Dutta, Andres Marquez, Kevin Barker and Nael Abu-Ghazaleh do some excellent research and show real-world exploitation in cloud. True class on show here whilst highlighting that side channels do in fact exist everywhere..
Specifically, we reverse engineer the operations of NVlink and identify two primary sources of leakage: timing variations due to contention and accessible performance counters that disclose communication patterns. The leakage is visible remotely and even across VM instances in the cloud, enabling potentially dangerous attacks. Building on these observations, we develop two types of covert-channel attacks across two GPUs, achieving a bandwidth of over 70 Kbps with an error rate of 4.78% for the contention channel. We develop two end-to-end crossGPU side-channel attacks: application fingerprinting (including 18 high-performance computing and deep learning applications) and 3D graphics character identification within Blender, a multi-GPU rendering application. These attacks are highly effective, achieving F1 scores of up to 97.78% and 91.56%, respectively. We also discover that leakage surprisingly occurs across Virtual Machines on the Google Cloud Platform (GCP) and demonstrate a side-channel attack on Blender, achieving F1 scores exceeding 88%.
https://arxiv.org/abs/2503.17847
From CVE-2024-0012 to CVE-2024-9474: Analysis and Thoughts from Palo Alto
Chinese analysis of these vulnerabilities..
The research found that the vulnerability exploit chain can be triggered through commands such as "show chassis-ready". This process involves the interaction of multiple components, including Nginx, Apache, and the internal management server. The article also discusses the specific trigger points of the vulnerability, including multiple entry points such as export.file.php and change_password.php.
When trying to combine the newly discovered CVE-2025-0108 with CVE-2024-9474, it was found that direct combined exploitation was difficult due to Nginx's strict header processing mechanism. However, Palo Alto's latest security bulletin mentioned that attackers are trying to chain CVE-2025-0108, CVE-2024-9474, and CVE-2025-0111, which suggests that there may be a more complex exploit chain.
https://mp.weixin.qq.com/s/6kuuU0WcrWqI-hw2PSoYmA
Offense
Attack capability, techniques and trade-craft.
Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow
Dennis Kniep details a technique which sounds worrisome, but has some prerequisites in practice.
This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level.
What makes Device Code phishing especially dangerous is that no authentication method, not even FIDO, is able to protect against this type of attack. Additionally, the victim interacts with the original website they expect, making it impossible to detect the attack based on a suspicious URL.
https://denniskniep.github.io/posts/09-device-code-phishing/
Curing
Amit Schendel releases a new Linux root kit that detection engineers will want to ensure they have coverage of technique wise. Noteworthy for how effective it was..
Curing is a POC of a rootkit that uses
io_uringto perform different tasks without using any syscalls, making it invisible to security tools which are only monitoring syscalls. The project was found effective against many of the most popular security tools such as Linux EDRs solutions and container security tools. The idea was born at the latest CCC conference #38c3, therefor the nameCuringwhich is a mix ofCandio_uring.
https://github.com/armosec/curing
https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/
Ghosting AMSI: Cutting RPC to disarm AV
Andrea Bocchetti details a new technique that detection will want to be developed around. Still relies on memory patching which means copy-on-write detection should still work..
This technique leverages the COM-level architecture of AMSI, which delegates scan requests to registered antivirus providers via RPC. By intercepting the arguments passed to
NdrClientCall3—a core RPC marshaling function, it's possible to suppress malicious payloads before they're serialized and dispatched to the AV engine.
https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80
IoM
A Chinese reimagination of Cobalt Strike continues to evolve. One to ensure coverage for in terms of detection..
GUI client based on vscode extension
A plug-in system based on the Lua scripting language and a basic plug-in ecosystem that has migrated hundreds of plug-ins
Proxy/tunnel functional group based on rem
Dynamic function calls and Ollvm similar to BeaconGate
Of course, the current comparison with CobaltStrike is somewhat overestimating its capabilities (due to the lack of a lot of actual combat testing to fix various bugs). But this also represents the phased results of the main functions of IoM. IoM is no longer a demo in the laboratory, but a tool that can be initially used in actual combat.
https://mp.weixin.qq.com/s/REn1LIjwl5wFBAGZChV6lQ
https://chainreactors.github.io/wiki/IoM/
Nimhawk
Alejandro Parodi details a new implant framework to ensure coverage over. We can expect malicious use in 3..2..
A powerful, modular, lightweight and efficient command & control framework written in Nim.
https://github.com/hdbreaker/Nimhawk
Eset Unload
EvilBytecode releases a tool for Eset customers to contend with if they they want to ensure enduring protection…
Eset-Unload is a C++ tool that interacts with a process's loaded modules to identify and unload the ebehmoni.dll module, typically found in ESET security software. It attempts to safely unload or manually load and unload the module.
https://github.com/EvilBytecode/Eset-Unload
Exploitation
What is being exploited..
New Critical Vulnerability in SAP NetWeaver
For those that lived the SAP years of BlackHat talks this will cover as no surprise, but the fact it was being exploited in the wild as zero-day is noteworthy..
This vulnerability, which we identified during our investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue. However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Aiding reverse engineering with Rust and a local LLM
Marco Ivaldi shows that finely tuned model have valid utility in the domain of reverse engineering..
There’s a new entry in my ever-growing vulnerability divination tool suite, designed to assist with reverse engineering and vulnerability research against binary targets: oneiromancer.
It’s a reverse engineering assistant that uses a fine-tuned, locally running LLM to aid with code analysis. It can analyze a function or a smaller code snippet, returning a high-level description of what the code does, a recommended name for the function, and variable renaming suggestions based on the results of the analysis.
https://security.humanativaspa.it/aiding-reverse-engineering-with-rust-and-a-local-llm/
APK Tool MCP server
Jafar Pathan releases an agentic MCP server for Android reversers..
A MCP Server for APK Tool (Part of Android Reverse Engineering MCP Suites
https://github.com/zinja-coder/apktool-mcp-server
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Nothing overly of note this week
Report published on oversight and use of investigatory powers - IPCO publishes
Artificial intelligence
The Agent Company: Benchmarking LLM Agents on Consequential Real World Tasks
Books
Nothing overly of note this week
Events
CyberUK starts May 7th in Manchester - you can watch online
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.