CTO at NCSC Summary: week ending July 20th
Cyber threat group APT 28 has been responsible for deploying a sophisticated malware against user email accounts as part of its operations..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note..
In the high-level this week:
UK calls out Russian military intelligence for use of espionage tool - NCSC UK calls out - “Cyber threat group APT 28 has been responsible for deploying a sophisticated malware against user email accounts as part of its operations.”
Getting your organisation ready for Windows 11 upgrade before Autumn 2025 - NCSC UK reminds - “I want to use this opportunity to remind you about updating your devices in light of the nearing end of life date for Windows 10, on 14 October 2025.”
UK sanctions Russian spies at the heart of Putin’s malicious regime - Foreign, Commonwealth & Development Office and The Rt Hon David Lammy MP sanction - “Today’s measures target three units of the Russian military intelligence agency (GRU) and 18 military intelligence officers who are responsible for conducting a sustained campaign of malicious cyber activity over many years, including in the UK.”
Foreign Secretary Speech: Diplomacy in the Digital Age - Foreign, Commonwealth & Development Office and The Rt Hon David Lammy MP outlines - “Deep bilateral partnerships will be at the core of Britain’s approach. For us, our special relationship with the United States will remain foundational rooted in particular on our deep security links.”
Call for views on the cyber security of enterprise connected devices - Feryal Clark, Parliamentary Under-Secretary of State for AI and Digital Government outlines - “The government is proposing a two-part intervention, including the publication of a Code of Practice and several policy interventions that are being considered to boost uptake of important security requirements.”
Chronic risks analysis - Cabinet Office and Government Office for Science publish - “Capability uplift, such as AI or commercially available cyber intrusion tools, could allow opportunistic actors to quickly strengthen their cyber attack capabilities, resulting in more severe and widespread impacts.”
Data incident affecting applicants to the Afghan Relocations and Assistance Policy Scheme and Afghanistan Locally Employed Staff Ex-Gratia Scheme - Ministry of Defence publishes guidance - “If you are considering changing your email address, you should maintain access to the email address linked to your application, in case we need to contact you with further information.”
One Big Beautiful Bill Act - Congress details - “$1,000,000,000 for offensive cyber operations;”
National Telecommunications and Information Administration Organization Act - House of Representatives publishes, heads to Senate - “To amend the National Telecommunications and Information Administration Organization Act to establish the Office of Policy Development and Cybersecurity, and for other purposes.”
Senate Armed Services Committee wants DOD to explore 'tactical' cyber employment - DefenseScoop scoops - “Senior congressional officials that briefed reporters Friday pointed to the fact that to date, cyber operations and forces have largely been focused on the strategic level. More and more, there are other avenues to conduct digital actions, officials said, to include tactical cyber.”
Revue nationale stratégique 2025 - The General Secretariat for Defence and National Security (SGDSN) of France publishes - “China is exploiting an unprecedented range of hybrid actions, including cyber operations and scientific and technological predation.”
BSI enables more efficient certification of safety-critical 5G components - Federal Office for Information Security of Germany publishes - “BSI NESAS 2.0 integrates new concepts for systematic vulnerability assessment, the consideration of existing testing environments, and the adaptation of the testing scope to the security features provided by the product.”
KT to invest $724 mil. in cybersecurity, anti-phishing measures over 5 years - The Korea Times reports - “The company also plans to nearly double its in-house security personnel from 162 to 300, with about 50 billion won earmarked for talent expansion.” - post breach investment appears..
Rules to Accelerate Submarine Cable Buildout, Secure Cables Against Foreign Adversaries - Chairman Carr of the Federal Communications Commission announces - “We are therefore taking action here to guard our submarine cables against foreign adversary ownership, and access as well as cyber and physical threats.”
Ukraine’s Kyivstar CEO Says Russian Hackers Target Network Often - Bloomberg reports - “Ukrainian telecommunications infrastructure is coming under constant cyberattacks from Russia as part of the war, according to the chief executive officer of the country’s largest mobile operator.”
Africa's IPv4 war threatens global internet governance - NEXT reports - “AfriNIC, the regional IP address registry serving Africa, has just seen its board elections canceled at the end of June and postponed until September. Doubts about the integrity of certain proxies, the influence of IP brokers, and a legal guerrilla war have been highlighted.”
In Depth: Trump’s Stablecoin Embrace Ups Pressure on China to Join Race - Caixin Global reports - “The embrace of stablecoins by the U.S. and other jurisdictions, including the European Union, Singapore and South Korea, means these digital tokens, which are typically issued by private companies, not the state, are likely to play an increasingly significant and potentially pivotal role in international and domestic financial systems.”
Reporting on/from China
How China’s Patriotic ‘Honkers’ Became the Nation’s Elite Cyberspies - Wired reports - “The Honker community largely began when China joined the internet in 1994, and a network connecting universities and research centers across the country for knowledge-sharing put Chinese students online before the rest of the country. Like US hackers, the Honkers were self-taught tech enthusiasts who flocked to electronic bulletin boards (dial-up forums) to share programming and computer hacking tips. They soon formed groups like Xfocus, China Eagle Union, and The Honker Union of China and came to be known as Red Hackers or Honkers, a name derived from the Mandarin word “hong,” for red, and “heike,” for dark visitor—the Chinese term for hacker.“
America is coming after Chinese it accuses of hacking - The Economist reports - “For over a decade, America’s justice department has been indicting Chinese government hackers. Almost all of them have remained beyond the reach of the law. The aim has been to expose and embarrass, rather than to arrest. Now that is changing. On July 3rd Italian police in Milan arrested Xu Zewei, who is alleged to have worked on behalf of the Shanghai branch of the Ministry of State Security (MSS), China’s main spy agency. America wants to extradite him for wire fraud, identity theft and hacking.”
Chinese Group Hacks ‘Edge’ Devices in Ongoing Telecom Targeting - Bloomberg reports - “A Chinese hacking group has continued to target phone and wireless providers around the world, compromising devices tied to seven telecommunications companies since February, according to a bulletin that a cybersecurity company recently sent to clients.”
Chinese hackers suspected in breach of powerful DC law firm - CNN reports - “Suspected Chinese hackers have broken into the email accounts of attorneys and advisers at a powerful Washington, DC, law firm in an apparent intelligence-gathering operation, the firm, Wiley Rein, told clients this week in a memo reviewed by CNN.”
China-linked hackers target Taiwan's chip industry with increasing attacks, researchers say - Reuters reports - “The previously unreported hacking campaigns were carried out by at least three distinct Chinese-linked groups primarily between March and June of this year, with some activity likely ongoing,”
US National Guard unit was 'extensively' hacked by Salt Typhoon in 2024, memo says - Reuters reports - “A U.S. state's Army National Guard network was thoroughly hacked by a Chinese cyberespionage group nicknamed "Salt Typhoon," according to a Department of Homeland Security memo.”
China’s cyber sector amplifies Beijing’s hacking of U.S. targets - Washington Post reports - “Chinese intelligence, military and security agencies previously selected targets and tasked their own employees with breaking in, they said. But the Chinese government decided to take a more aggressive approach by allowing private industry to conduct cyberattacks and hacking campaigns on their own, U.S. officials said.”
To Understand The Nature of Modern Chinese Influence Operations, Study Russia First - Cyfluence Research Center publishes - “While China’s economic and military power often takes center stage, the piece shows that Beijing is increasingly drawing on Russian expertise in psychological warfare to target foreign audiences more effectively.”
China's first big data exchange registers 5.4b yuan in transactions - China Daily reports - “Launched in 2015 in Guiyang, the capital of southwest China's Guizhou province, the exchange has grown to include over 1,000 trading entities.”
China’s cloud services spending hits US$11.6 billion in first quarter on AI-related demand - South China Morning Post reports - “Alibaba leads the market with a 33 per cent share, followed by Huawei and Tencent with shares of 18 per cent and 10 per cent, respectively”
Meet some of the Chinese AI scientists dominating the field’s global top 100 - South China Morning Post reports - ”A study of nearly 200,000 researchers and 100,000 high-impact papers has revealed that the vast majority of the world’s top 100 brains in the field of artificial intelligence are of Chinese origin.”
Stanford-educated expert leads China’s new semiconductor school with YMTC support - South China Morning Post reports - “Wuhan University has become the latest institution to join China’s push for self-reliance in semiconductors by establishing the School of Integrated Circuits, led by a scientist educated at Stanford University.”
Huawei Seeks AI Chip Clients in Middle East, Southeast Asia - Bloomberg reports - “Huawei is offering 910B volumes in the low thousands, according to the people, though the exact number for any particular pitch remains unclear. The company is also trying to woo customers with remote access to CloudMatrix 384, the people said.”
AI
L’IA au service de la détection et de la réponse à incident - AI for incident detection and response - ANSSI publish
Artificial Intelligence, Cybersecurity, and National Security - RAND Corporation publishes - “the author warns national security decisionmakers that to accomplish their missions they urgently need to better prepare for the impact of artificial intelligence (AI) on cybersecurity.”
Domestic frontier AI regulation, an IAEA for AI, an NPT for AI, and a US-led Allied Public-Private Partnership for AI: Four institutions for governing and developing frontier AI - University of Cambridge publishes - “an International Atomic Energy Agency (IAEA) for AI. This could be backed up by a Secure Chips Agreement - a NonProliferation Treaty (NPT) for AI. This would be a non-proliferation regime for advanced chips, building on the chip export controls - states that do not have an IAIA-certified frontier regulation regime would not be allowed to import advanced chips.”
European Union Unveils Rules for Powerful A.I. Systems - New York Times reports - “The European Commission said the code of practice is meant to help companies comply with the A.I. Act. Companies that agreed to the voluntary code would benefit from a “reduced administrative burden and increased legal certainty.”
Evidence that LLMs are not as good for coding as people think - METR publishes - “We conduct a randomized controlled trial (RCT) to understand how early-2025 AI tools affect the productivity of experienced open-source developers working on their own repositories. Surprisingly, we find that when developers use AI tools, they take 19% longer than without—AI makes them slower.”
WPP turns to Microsoft executive as AI threatens ‘Kodak moment’ - Financial Times reports - “Others disagree. Several WPP executives said Rose’s predecessor, Mark Read, had laid the groundwork for a recovery by restructuring and simplifying a once sprawling organisation.”
There aren’t enough AI chips to support data center projections, report says - Utility Drive reports - “Projected data center demand from the U.S. power market would require 90% of global chip supply through 2030, according to London Economics.”
Cyber proliferation
NGOs demand NSO sanctions and pension fund exit from Gaza-linked firms - Luxembourg Times reports - “A coalition of NGOs has urged the Luxembourg government to impose sanctions on Israeli spyware firm NSO Group and called on the country’s sovereign pension fund to divest from companies allegedly linked to human rights abuses in Gaza.”
Law firm Dechert says lawsuits accusing it of using hired hackers have been resolved - Reuters reports - “Philadelphia-based law firm Dechert said on Thursday that a pair of U.S. lawsuits accusing it of using hired hackers to win in court have been resolved without any admission of liability.”
Bounty Hunting
Chinese Tourist Caught Driving Smishing SMS Blaster around Oman - CommsRisk reports - “A Chinese woman has been arrested in Oman after she was found driving a rented car that carried a fake base station. The vehicle had reportedly circled the Muscat Governorate, the province that includes Muscat City, Oman’s most populous city. The radio equipment allegedly was used to send SMS messages containing links to phishing websites.”
Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy - US Department of Justice announces - ”An Armenian national extradited from Ukraine to the United States faces federal charges for his role in Ryuk ransomware attacks and extortion conspiracy targeting companies throughout the United States, including a technology company operating in Oregon.”
Global operation targets NoName057(16) pro-Russian cybercrime network - Europol announces - “Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network. The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine.”
No reflections this week..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
UAC-0001 cyberattacks on the security and defense sector using the LAMEHUG software tool, which uses LLM (large language model)]
CERT Ukraine details the use of LLMs as a subversion technique by this alleged Russian actor. If you don’t use Huggingface or even if you do monitoring for expected calls to the API is likely worthwhile.
An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description).
With a moderate level of confidence, the activity is associated with the activity of UAC-0001 (APT28).
LAMEHUG is a program developed using the Python programming language. It uses LLM Qwen 2.5-Coder-32B-Instruct via the huggingface[.]co service API to generate commands based on statically entered text (description) for their subsequent execution on a computer.
https://cert.gov.ua/article/6284730
Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland
dmpdump details a rather basic campaign which they allege is Belarusian in origin. The executable hidden in an MP3 is the only notable element.
These CHM files are very likely associated with a threat actor tracked as
FrostyNeighborandUNC1151, historically attributed to Belarus. Previous targeting documented in reports such as the following suggest an interest in Ukraine, Lithuania, Latvia, Poland, and Germany, which is consistent with the upload geography for these malicious CHM files.
https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland/
Reporting on China
Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting
Mark Kelly et al detail an alleged Chinese campaign which is suggested was in response to sanctions. Emails and password protected zip show this was at the rather clumsy end of the tradecraft scale.
Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese semiconductor industry. In all cases, the motive was most likely espionage.
Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market.
This activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and decrease reliance on international supply chains and technologies, particularly in light of US and Taiwanese export controls.
Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
増渕 維摩 (Yuma Masubuchi) details this attack chain which has alleged links to Chinese and was in part precluded from succeeded due to poor release testing in their implants.
we have continued to observe active exploitation of these vulnerabilities. In this report, we explain the following malware, tools, and penetration tactics used by attackers leveraging CVE-2025-0282 and CVE-2025-22457 in attacks observed from December 2024 to the present, July 2025.
It starts with the activation of a legitimate file, triggered by a pre-configured task. This executes a loader (hereafter referred to as MDifyLoader) through DLL side-loading. MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.
..
The used vshell has a function to check whether the system language is set to Chinese. A portion of the code is shown in Figure 4. The attackers repeatedly failed to execute vshell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.
https://blogs.jpcert.or.jp/en/2025/07/ivanti_cs.html
DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities
Lab52 detail this alleged Chinese capability showing continued evolution and investment.
DeedRAT is a modular backdoor that allows the attacker to perform various actions on the victim’s computer, such as creating and modifying files, listing directories or executing additional code, among others. The analysed sample communicates with the C2 via TCP protocol, but it has been observed that the backdoor allows other protocols such as HTTP, DNS, UDP, PIPE or TLS. This campaign includes a new module called NetAgent that adds new capabilities to the sample, suggesting that the group behind the malware continues to actively update the artefact and add new functionality.
..
This article analyses how the actors behind DeedRAT continue to abuse legitimate antivirus binaries vulnerable to the DLL Side-Loading technique as a means to deploy the DeedRAT malware, thus largely evading detection by security systems. In addition, the increased use of loader obfuscation techniques suggests that attackers are going to increasing lengths to protect their binaries. The presence of the new NetAgent module also indicates that the malware is still actively developing, constantly adding new capabilities and increasing the sophistication of its campaigns.
https://lab52.io/blog/deedrat-backdoor-enhanced-by-chinese-apts-with-advanced-capabilities/
Massistant Chinese Mobile Forensic Tooling
Lookout details what appears an alleged crude mobile forensics capability. Noteworthy as it exists and has continued to evolve..
Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico
The forensics tool works in tandem with a corresponding desktop software.
Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone services.
Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel.
Travel to and within mainland China carries with it the potential for tourists, business travelers, and persons of interest to have their confidential mobile data acquired as part of lawful intercept initiatives by state police.
https://www.lookout.com/threat-intelligence/article/massistant-chinese-mobile-forensics
Reporting on North Korea
Hangro: Investigating North Korean VPN Infrastructure Part 2
North Korea Internet details their journey…
From this it looks like Hangro uses mTLS to support authentication as part of the VPN service and requires a valid certificate signed by hrra2024. I haven’t been able to find if the cert requested on the client on port 6279 is part of Hangro or a different service that needs to be running.
Based on what has been discovered so far and looking through some of the other files and a few packet captures it looks like Hangro is derived from SoftEther an open source VPN project maintained by the University of Tsukuba. The included driver that is installed matches with SoftEther and the traffic seems to be similar to the Ethernet over SSL option in SoftEther.
Reporting on Iran
Nothing overly of note this week
Reporting on Other Actors
Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
Josh Goddard, Zander Work and Dimiter Andonov
an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor's malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities.
UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions
Subhajeet Singha
[We] identified and tracked UNG0002 also known as Unknown Group 0002, a bunch of espionage-oriented operations which has been grouped under the same cluster conducting campaigns across multiple Asian jurisdictions including China, Hong Kong, and Pakistan. This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims.
https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
Lior Rochberger details a Windows implant which uses lambda for the C2.
[We] have been tracking a cluster of suspicious activity as CL-STA-1020, targeting governmental entities in Southeast Asia. The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes.
This backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure.
Once the malware started beaconing to the actor-controlled Lambda URL endpoint at <redacted>.lambda-url.ap-southeast-1.on[.]aws, it began receiving commands to execute and additional payloads to download.
https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/
LARVA-208’s New Campaign Targets Web3 Developers
As Malpedia describes them LARVA-208 is a financially motivated threat actor employing sophisticated phishing campaigns to harvest credentials and deploy ransomware. The fact they are pivoting to go after Web3 developers would appear they have taken inspiration from alleged North Korean modus operandi.
IT staff through phone calls, has adopted a new technique in its operations. In recent months, LARVA-208 used multiple domains to contact IT employees, gather their VPN credentials, and subsequently harvest usernames and passwords from victims. The group is now applying a similar method to Web3 developers by sending them job offers (T1566.002 - Spearphishing Link) or requests for portfolio reviews, directing them to fake AI Company/Workspace applications.
https://catalyst.prodaft.com/public/report/larva-208s-new-campaign-targets-web3-developers/overview
A new loader running TorNet and PureHVNC
Naoki Takayama details an interesting loader for the assembled components and the distinctive hash algorithm. Which wil provide a signature opportunity..
This loader had several characteristics not often seen in conventional loaders, such as the execution of two types of malware (TorNet and PureHVNC) and the implementation of API Hashing using a distinctive algorithm (MurmurHash2). In this article, we will share the information obtained from malware analysis of the loader.
https://sect.iij.ad.jp/blog/2025/07/loader-executing-tornet-and-purehvnc/
Discovery
How we find and understand the latent compromises within our environments.
Evaluating NetScaler logs for indicators of attempted exploitation of CVE-2025-5777
Anil Shetty provides a practical indicator-of-compromise..
Search for log lines containing
/\"Authentication is rejected for / AND /AAA Message/AND bytes containing non-ASCII characters (range 128-255). Note these bytes may be escaped when viewed through a log viewer. The strings between the opening and closing ‘/’s can be treated as a regular expression.
Forensic journey: Breaking down the UserAssist artifact structure
Awad Aljuaid provides a detailed breakdown which will help teams gain an understanding.
In the forensics community, UserAssist is a well-known Windows artifact used to register the execution of GUI programs. This artifact stores various data about every GUI application that’s run on a machine:
Program name: full program path.
Run count: number of times the program was executed.
Focus count: number of times the program was set in focus, either by switching to it from other applications, or by otherwise making it active in the foreground.
Focus time: total time the program was in focus.
Last execution time: date and time of the last program execution.
The UserAssist artifact is a registry key under each NTUSER.DAT hive located at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\.
https://securelist.com/userassist-artifact-forensic-value-for-incident-response/116911/
KubeForenSys - Kubernetes Data Collection Tool
Floris van Stal and Korstiaan releases a work aid to support teams in their collection activities.
A tool for collecting Kubernetes cluster data and ingesting it into Azure Log Analytics workspace for analysis post-compromise.
https://github.com/invictus-ir/KubeForenSys
Haunted by Legacy: Discovering and Exploiting Vulnerable Tunnelling Hosts
Angelos Beitis and Mathy Vanhoef shows there are still traffic amplification opportunities but also masking opportunities.
We first scan the Internet for vulnerable IPv4 and IPv6 hosts, using 7 different scan methods, revealing more than 4 million vulnerable hosts which accept unauthenticated IP in IP (IPIP), Generic Routing Encapsulation (GRE), IPv4 in IPv6 (4in6), or IPv6 in IPv4 (6in4) traffic. These hosts can be abused as one-way proxies, can enable an adversary to spoof the source address of packets, or can permit access to an organization’s private network. The discovered hosts also facilitate new Denial-of-service (DoS) attacks. Two new DoS attacks amplify traffic: one concentrates traffic in time, and another loops packets between vulnerable hosts, resulting in an amplification factor of at least 16 and 75, respectively. Additionally, we present an Economic Denial of Sustainability (EDoS) attack, where the outgoing bandwidth of a host is drained. Finally, we discuss countermeasures and hope our findings will motivate people to better secure tunnelling hosts.
https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
https://github.com/vanhoefm/tunneltester
A Hybrid Feature Selection Method for Advanced Persistent Threat Detection
Adam Khalid , Anazida Zainal , Fuad A. Ghaleb , Bander Ali Saleh Al-rimy and Yussuf Ahmed hint that there is still value in data science approaches when applied to APT detection.
This study presents a novel, hybrid feature selection method designed to improve APT detection by reducing dimensionality while preserving the informative characteristics of the data. It combines Mutual Information (MI), Symmetric Uncertainty (SU) and Minimum Redundancy Maximum Relevance (mRMR) to enhance feature selection. MI and SU assess feature relevance, while mRMR maximises relevance and minimises redundancy, ensuring that the most impactful features are prioritised. This method addresses redundancy among selected features, improving the overall efficiency and effectiveness of the detection model. Experiments on a real-world APT datasets were conducted to evaluate the proposed method. Multiple classifiers including, Random Forest, Support Vector Machine (SVM), Gradient Boosting, and Neural Networks were used to assess classification performance. The results demonstrate that the proposed feature selection method significantly enhances detection accuracy compared to baseline models trained on the full feature set. The Random Forest algorithm achieved the highest performance, with near-perfect accuracy, precision, recall, and F1 scores (99.97%). The proposed adaptive thresholding algorithm within the selection method allows each classifier to benefit from a reduced and optimised feature space, resulting in improved training and predictive performance. This research offers a scalable and classifier-agnostic solution for dimensionality reduction in cybersecurity applications
https://www.open-access.bcu.ac.uk/16509/
Defence
How we proactively defend our environments.
Fix the Click: Preventing the ClickFix Attack Vector
Rem Dudas and Noa Dekel provide some practical mitigation here, some of which has been covered here in previous weeks.
Reviewing RunMRU Artifacts
Windows maintains a registry key that stores the most recently executed commands from the Run window (Win + R), called RunMRU:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This registry key saves any commands that are executed from the Run window, enabling analysts to parse these entries to look for signs of suspicious usage.
Some key indicators for suspicious RunMRU contents could be:
Obfuscated content
Keywords related to the download and execution of payloads from unknown or suspicious domains
Keywords indicating calls to administrative interfaces
These entries indicate that someone might have manually triggered such commands, which is consistent with a ClickFix infection flow.
Detecting Win + X ClickFix
Some attackers aim to avoid exposing their activity in the RunMRU registry key. They instead present instructions to launch a terminal for PowerShell (Windows 11) or Command Prompt (Windows 10) via Win+X for the Quick Access Menu. A March 2025 report reveals that attackers distributing Havoc used this Win+X variation of ClickFix.
Threat hunters can look for signs of this Win+X ClickFix technique using EDR telemetry or Windows Event Logs — specifically:
Security event ID 4688 (Process Creation): Look for powershell.exe spawned by explorer.exe, in correlation with Event ID 4663 (Object Access) of files under the %LocalAppData%\Microsoft\Windows\WinX\ folder.
Shell usage patterns: Elevated PowerShell sessions invoked shortly after interactive logins, followed by network connections or suspicious child processes (e.g., certutil.exe, mshta.exe and rundll32.exe), are often red flags.
Clipboard monitoring: Since ClickFix lures rely on potential victims pasting malicious content from the clipboard, we can correlate paste activity with PowerShell execution shortly after the user types Win+X.
https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
EntraFalcon
zh54321 releases a work aid which which help tighten up those Microsoft Entra ID environments.
EntraFalcon is a PowerShell-based assessment tool for pentesters, security analysts, and system administrators to evaluate the security posture of a Microsoft Entra ID environment.
The tool helps uncover privileged objects, potentially risky assignments and Conditional Access misconfigurations that are often overlooked, such as:
Users with control over high-privilege groups or applications
External or internal enterprise applications with excessive permissions (e.g., Microsoft Graph API, Azure roles)
Users with Azure IAM role assignments directly on resources
Privileged accounts synced from on-premises
Inactive users or users without MFA capability
Unprotected groups used in sensitive assignments (e.g., Conditional Access exclusions, Subscription Owner, or eligible member of a privileged group)
https://github.com/CompassSecurity/EntraFalcon
Getting started with Quick Machine Recovery
Peter van der Woude details a feature we all got post CrowdStrike. This is how to enable and deploy to the enterprise.
This week is all about a relatively new recovery functionality in Windows. And that functionality is Quick Machine Recovery, which is also known as Cloud Remediation. Quick Machine Recovery is focused on the recovery of Windows devices when encountering critical errors that prevent the device from booting. A huge strength of Quick Machine Recovery is that it can automatically search for remediations online and use that to recover from widespread boot failures.
https://petervanderwoude.nl/post/getting-started-with-quick-machine-recovery/
Isolation Exclusion Rules: Fixing Microsoft Teams & Outlook Communication During Isolation
Louis details a feature which will encourage threat actors to build contingency C2 via Teams and Outlook..
RedirectionGuard: Mitigating unsafe junction traversal in Windows
Mike Macelletti details the latest chess move to mitigate against this prevalent technique.
o mitigate file redirection vulnerabilities within the defined threat model, RedirectionGuard, a new junction mitigation, must block junction traversal when an attacker is attempting to maliciously redirect a file operation. However, it must also minimize regressions by allowing as many safe junction traversals as possible.
Therefore, junction traversal is only blocked when both of the following conditions are met:
The junction is being followed by a process that has opted in to the RedirectionGuard mitigation AND
The junction was created by a non-admin user account.
When junctions are created or modified, the privilege level of the creator/modifier is stored in an admin-only alternate data stream with the file. When Redirection Guard is enabled by a process, the process will only follow “trusted” junctions, which are junctions that are one of the following:
Were created by an Administrator OR
Do not contain the privilege metadata (indicating the junction was last modified prior to the mitigation being available).
Incident Writeups & Disclosures
How they got in and what they did.
Code highlighting with Cursor AI for $500,000
Georgy Kucherin details further crypto asset targeting which started with search engine optimisation.
In June 2025, a blockchain developer from Russia reached out to us after falling victim to a cyberattack. He’d had around $500,000 in crypto assets stolen from him. Surprisingly, the victim’s operating system had been installed only a few days prior. Nothing but essential and popular apps had been downloaded to the machine.
..
Therefore, the search results displayed two seemingly identical extensions: the legitimate one with 61,000 downloads and the malicious one with two million downloads. Which one would the user choose to install? Making the right choice becomes a real challenge.
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/
Vulnerability
Our attack surface.
GPUHammer: Rowhammer Attacks on GPU Memories are Practical
Chris S. Lin, Joyce Qu and Gururaj Saileshwar show physics applies to GPUs too..
We introduce GPUHammer, the first Rowhammer attack on NVIDIA GPUs with GDDR6 DRAM. GPUHammer proposes novel techniques to reverse-engineer GDDR DRAM row mappings, and employs GPU-specific memory access optimizations to amplify hammering intensity and bypass mitigations. Thus, we demonstrate the first successful Rowhammer attack on a discrete GPU, injecting up to 8 bit-flips across 4 DRAM banks on an NVIDIA A6000 with GDDR6 memory. We also show how an attacker can use these to tamper with ML models, causing significant accuracy drops (up to 80%).
SharePoint Unknown CVE Unveiled: RCE via WebPart Properties Deserialization
khoadha shows that sometimes there are indeed silently patched critical vulnerabilities..
This is a bug I discovered by accident, and it has already been resolved. I don’t even know which CVE it corresponds to or which version it was patched. It looks like someone found it and kept it for red teaming purposes. If you know any information about this bug, please feel free to leave a comment.
https://blog.viettelcybersecurity.com/sharepoint_properties_deser/
Laravel: APP_KEY leakage analysis
Rémi Matasse shows again that low hanging fruit can get you quite some access.
Even though knowledge of this secret is necessary to exploit the vulnerabilities presented in this blog post, unfortunately, those secrets remain unchanged in many cases. This is why we will also address an analysis conducted using open sources to determine the robustness of the secrets used in publicly exposed applications on the internet.
A few days later, GitGuardian gave us access to a first list of
APP_KEYs they fetched from 2018 to the 20th of December 2024 containing a stunning number of 212 540APP_KEYs.
https://www.synacktiv.com/en/publications/laravel-appkey-leakage-analysis
NVIDIAScape - CVE-2025-23266 - Escape in NVIDIA Container Toolkit
Nir Ohfeld and Shir Tamari use some explosive language to describe an escape which uses a well known technique. However if these containers in managed environments there is exposure..
When this container is run on a vulnerable system, the
nvidia-ctk createContainerhook inherits theLD_PRELOADvariable. Since the hook's working directory is the container's filesystem, it loads the attacker'spoc.sofile into its own privileged process, instantly achieving a container escape.
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
Offense
Attack capability, techniques and trade-craft.
Breaking Disassembly — Abusing symbol resolution in Linux programs to obfuscate library calls ️
Elma details some techniques which if ever employed should act as a strong signal of threat.
This research will dive into how symbol resolution works (in ELF), and how common tooling such as decompilers and disassemblers parses the symbol resolution metadata to identify imported/library functions. Finally, we will see how we can easily modify some of these metadata to break such tools while maintaining the full functionality of ELF programs.
https://blog.elmo.sg/posts/breaking-disassembly-through-symbol-resolution/
https://github.com/caprinux/rel-fuscate
I SPy: Escalating to Entra ID's Global Admin with a first-party app
Katie Knowles detail a misconfiguration (not a vulnerability) we need to ensure gets eradicated.
Service principals (SPs) that are assigned the Cloud Application Administrator role, Application Administrator role, or
Application.ReadWrite.Allpermission can escalate their privileges by taking over any hybrid Entra ID user, including users with the Global Administrator role.This privilege escalation works when an SP is used to hijack the built-in Office 365 Exchange Online SP. The Office 365 Exchange Online SP's
Domain.ReadWrite.Allpermission is then used to add a new federated domain to the tenant. It is then possible to forge a SAML token as any hybrid tenant user synced between on-premises Active Directory (AD) and an Entra ID tenant.We reported this vulnerability to the Microsoft Security Response Center (MSRC) on January 14, 2025, along with proof of concept (POC) code to replicate the issue.
MSRC responded that "the scenario described reflects misconfiguration, not a security bypass." MSRC stated that this issue is consistent with documented risk of the Application Administrator role and the Application.ReadWrite.All Microsoft Graph permission.
https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/
High-Profile Cloud Privesc
Leonidas Tsaousis details the .bashrc attack of Windows. There is a anecdote from a gig in 2001 in a foreign land where the on premises of this technique was used to compromise a cellular network.
Got “OneDrive Admin”-equivalent permissions on a cloud-native estate? You can escalate to a Privileged Entra role by backdooring the administrator’s PowerShell Profile. T&Cs apply.
https://labs.reversec.com/posts/2025/07/high-profile-cloud-privesc
ExfilServer
Vincent Yiu releases a tool which you can see being used by adversaries. May want to see if its use can be signatured.
ExfilServer is a secure file upload server that provides client-side encryption and automatic upload functionality. It features a modern web interface with drag-and-drop support, real-time file status indicators, and XOR-based encryption for file obfuscation during transmission.
https://github.com/vysecurity/ExfilServer
Exploitation
What is being exploited..
The Good, the Bad, and the Encoding: An SS7 Bypass Attack
Cathal McDaid details adversarial commercial capability be used in cellular signalling.
This matches what we have observed in real life. We observed attacks using PSIs with this Tag code set, and subsequent PSI responses being sent back containing the subscriber’s location. We believe that the presence of the extended Tag caused the IMSI field to be ignored by elements that were doing signaling security checks – the targeted IMSI was essentially “hidden” – and so it couldn’t be used in any checks. The end result is that location tracking attacks for home networks subscribers were allowed through.
The source of the attacks matched a surveillance company that we have tracked for many years, and we believe that this was identified and used by them. Subsequent retrospective analysis confirmed that this technique was being used at least as far back as Q4 2024, and it seems to have formed part of their “suite” of tests since then that they try to use to bypass signaling security defences in targeted mobile operators.
https://www.enea.com/insights/the-good-the-bad-and-the-encoding-an-ss7-bypass-attack/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
CMASan: Custom Memory Allocator-aware Address Sanitizer
Junwha Hong; Wonil Jang; Mijung Kim; Lei Yu; Yonghwi Kwon and Yuseok Jeon show there is still opportunities for innovation and performance improvements in address sanitization.
CMASan successfully identifies 19 previously unknown CMA memory bugs undetected by ASan, including some undetected for 9 years. Compared to ASan, CMASan incurs only an additional 9.63% overhead.
https://www.computer.org/csdl/proceedings-article/sp/2025/223600a074/21B7RisjQY0
Practical Object-Level Sanitizer with Aggregated Memory Access and Custom Allocator
Xiaolei Wang; Ruilin Li; Bin Zhang; Chao Feng and Chaojing Tang shows a compiler based approach which could be used in selective high-risk use cases.
In this paper, we propose a novel Object-Level Address Sanitizer OLASan to reduce performance overhead further while implementing accurate memory violations (including intra-object overflow) detection. Unlike previous sanitizers ignoring the correlation between memory access and objects, OLASan aggregates multiple memory accesses of same object at function level to perform on-demand targeted sanitization, thus avoiding examining most memory accesses at runtime. Specifically, OLASan characterizes various memory access patterns to identify those which can be aggregated, and implements memory safety checks with customized memory tagging.
..
We implement OLASan atop the LLVM framework and evaluate it on SPEC CPU benchmarks. Evaluations show that OLASan outperforms the state-of-the-art methods with 51.18%, 25.20% and 6.52% less runtime overhead than ASan, ASan-- and GiantSan respectively. Moreover, aided by customized memory tagging, OLASan achieves zero false negatives for the first time when testing Juliet suites. Finally, we confirm that OLASan also offers comparable detection capabilities on real bugs.
https://www.computer.org/csdl/proceedings-article/icse/2025/056900a749/251mHpwGM3S
NovaHypervisor
Ido Veltzman shows what a 10x engineer can achieve..
NovaHypervisor is a defensive x64 Intel host based hypervisor. The goal of this project is to protect against kernel based attacks (either via Bring Your Own Vulnerable Driver (BYOVD) or other means) by safeguarding defense products (AntiVirus / Endpoint Protection) and kernel memory structures and preventing unauthorized access to kernel memory.
NovaHypervisor is written in C++ and Assembly, and is designed to be compatible with Hyper-V and run on Windows 10 and later versions.
https://github.com/Idov31/NovaHypervisor
UCPD.sys – UserChoice Protection Driver Part 2
Christoph Kolbicz details the capabilities of this driver.
UCPD.sys has become quite a sophisticated protection system in the meantime. There are other features that I won’t describe in detail, as they target specific regions or publishers and therefore don’t apply to everyone anyway.
Currently, UCPD.sys blocks the following types of attacks on Windows 11 Pro:
Write, delete, rename, and ACL changes to the keys listed above
File type associations for all the extensions mentioned above
Injection attacks for a defined list of publishers
UI automation attacks, also for a set of publishers
Unknown file type registry key modifications
RegRenameKey attacks
https://kolbi.cz/blog/2025/07/15/ucpd-sys-userchoice-protection-driver-part-2/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure
Access to data for law enforcement: Digital forensics - European Parliament publishes
Silicon Valley eyes a governance-lite gold rush - Financial Times reports - “Scholars have long debated to what extent corporate governance standards impact a company’s valuation. Musk and Andreessen are two among many tech titans conducting real life tests that may help answer that question. Investors and fund managers, for now at least, seem prepared to let them.”
Intel’s CEO: ‘We are not in the top 10’ of leading chip companies - Oregon Live reports - “Tan said Intel will focus on “edge” artificial intelligence, which brings AI capabilities directly to PCs and other devices instead of operating in centralized computers.”
Artificial intelligence
Books
The Psychology of Emoji Processing - 2024 - “this book extracts insights from a range of psychology sub-disciplines to provide a comprehensive review of current research on how we process emoji.”
Events
Nothing overly of note this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.