Briefs

A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.

A remote SQL injection vulnerability (CVE-2026-7555) exists in itsourcecode Electronic Judging System 1.0 via manipulation of the Username argument in the /intrams/login.php file, potentially leading to unauthorized data access and modification.

The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.

Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a JavaScript context), which adversaries may abuse to run malicious JavaScript for execution or staging.

The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.

Attackers may delete or disable AWS GuardDuty detectors to impair defenses and evade detection of malicious activities within the AWS environment.

This brief analyzes Mac malware discovered in 2018, including OSX.Mami, a DNS hijacker distributed via browser popups, and CrossRAT, a cross-platform Java-based backdoor likely spread through phishing, highlighting infection vectors, persistence mechanisms, and capabilities.

CrossRAT is a Java-based, multi-platform surveillance tool targeting Windows, macOS, and Linux systems, capable of file system manipulation, screenshot capture, and persistence.

Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

A command injection vulnerability, identified as CVE-2026-44590, exists in the `validate_modified_targets.yml` GitHub Actions workflow of sherlock-project/sherlock. A malicious pull request can trigger arbitrary command execution in the privileged CI context, allowing attackers to exfiltrate the GITHUB_TOKEN and auto-approve the malicious PR without human interaction, effectively leading to a supply chain compromise.

Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.

Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.

An unauthenticated network attacker can claim the initial administrator account on a fresh Nginx-UI instance during the first-run setup window by exploiting the publicly accessible /api/install endpoint.

This detection identifies PowerShell scripts that directly call the TabExpansion internal function, which is uncommon and may indicate malicious activity, such as TabShell, potentially bypassing sandboxes by loading PowerShell functions via directory traversal.

Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.

Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.

This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.

This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.

Gotenberg version 8.29.1 is vulnerable to unauthenticated remote code execution (RCE) due to newline injection in metadata keys passed to ExifTool, allowing arbitrary command execution via the `-if` flag.

This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.

A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting possible privileged access activity through command lines, indicating potential obfuscation or unauthorized use of privileged access.

The Lazarus APT group is distributing a macOS backdoor named AppleJeus via a fake cryptocurrency trading application called JMT Trader, persisting through a launch daemon and communicating with the C&C server beastgoc.com.

An adversary can exploit Kubernetes Admission Controllers in Azure to achieve persistence, privilege escalation, or credential access by manipulating webhook configurations.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

A machine learning job has detected a spike in bytes of data written to an external device via Airdrop, potentially indicating illicit data copying or transfer activities.

Adversaries may use abused web services such as paste sites, VoIP, and file hosting to host malicious payloads or facilitate command and control, detected via DNS queries from Windows hosts to these services.