CVE-2023-38831
Published: 2023-08-23
Priority: P1 · 90 · high · CVSS 3.1 base score 7.8
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2023-09-14
Exploited in the wild
EPSS: 97.80% (99.9th percentile)
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rarlab | winrar | < 6.23 | 6.23 |
Detection & IOCs (extracted from sources)
- CVE-2023-38831 exploitation: A ZIP archive contains both a benign file (e.g., .JPG) and a same-named folder whose contents (executable) are processed when the user opens the benign file in WinRAR < 6.23
- Pawn Storm NTLMv2 hash relay via CVE-2023-38831: monitor for WinRAR-spawned processes making outbound WebDAV/HTTP requests to localhost:8080 followed by exfiltration to mockbin.org
- Persistence indicator: info-stealer drops an internet shortcut (.url) into the Windows Startup folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\search.url
- Exfiltration pattern: stealer uploads files via HTTP PUT to free.keep.sh, then creates TinyURL aliases via POST to tinyurl.com/app/api/create; look for PUT requests to free.keep.sh and POST requests to tinyurl.com/app/api/create
- Head Mare anti-forensics: PowerShell command history shows event log clearing and service removal after CVE-2023-38831 initial access; hunt for 'Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }' in PowerShell logs
- Bumblebee previously leveraged CVE-2023-38831 for payload delivery; ZIP archives with same-named folder/file pairs should be inspected at the mail gateway and endpoint
- Pawn Storm EdgeOS implant: look for open SOCKS5 proxy on port 56981, SMB listener on port 445, and non-standard SSH on ports 2222, 58749, 59417 on EdgeOS routers as indicators of compromise
- CVE-2023-38831 affects WinRAR versions before 6.23 only; patched in WinRAR 6.23
- The NTLMv2 hash-stealing PowerShell payload uses a fixed (non-random) 8-byte challenge sequence in the NTLM CHALLENGE message, deviating from the legitimate random value; this fixed sequence can be used as a detection signature
- Pawn Storm uses a robust filtering system to block security researchers and automated scripts from identifying malicious infrastructure, reducing the reliability of active scanning against their C2s
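The file/folder name collision described in the CVE text and in the Bumblebee indicator above is visible in a ZIP's central directory without extracting anything, so a mail gateway or endpoint scanner can flag it before the archive is opened. The checker below is an added example written for this page, not code from the page or from any of the sources it cites; the archives it inspects are constructed in memory with inert placeholder contents.

```python
import io
import zipfile
from typing import Dict, List, Tuple


def _norm(name: str) -> str:
    # Collapse case and surrounding whitespace so near-identical names
    # (Windows paths are case-insensitive) still compare equal.
    return name.strip().casefold()


def find_name_collisions(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Report every file X whose full path is also used as a folder X/.

    Only the central directory is read; nothing is extracted, so the
    check is safe to run on untrusted attachments.
    """
    files: Dict[str, str] = {}          # normalised path -> file entry name
    folders: Dict[str, List[str]] = {}  # normalised folder path -> members
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if info.is_dir():
                folders.setdefault(_norm(name.rstrip("/")), [])
                continue
            files[_norm(name)] = name
            # Every parent component is an implicit folder even when the
            # archive carries no explicit directory entry for it.
            parts = name.split("/")
            for depth in range(1, len(parts)):
                parent = "/".join(parts[:depth])
                folders.setdefault(_norm(parent), []).append(name)
    hits: List[Dict[str, object]] = []
    for key, members in folders.items():
        if key in files:
            hits.append({"file": files[key], "folder_members": sorted(members)})
    return hits


def build_sample(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build an in-memory ZIP from (name, data) pairs for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the suspicious one mirrors the layout the advisory
# describes (file photo.jpg next to folder photo.jpg/); member bodies are
# inert placeholder text, not executable content.
SUSPICIOUS_ZIP = build_sample([
    ("photo.jpg", b"constructed placeholder, not a real image"),
    ("photo.jpg/photo.jpg.cmd", b"constructed placeholder, no commands"),
])
CLEAN_ZIP = build_sample([
    ("photo.jpg", b"constructed placeholder"),
    ("images/photo.jpg", b"constructed placeholder"),  # folder name differs
    ("notes/", b""),                                    # explicit empty folder
])


def verdict(zip_bytes: bytes) -> str:
    """Human-readable summary suitable for a gateway or EDR alert body."""
    hits = find_name_collisions(zip_bytes)
    if not hits:
        return "clean: no file/folder name collisions"
    lines = ["SUSPICIOUS: same-named file and folder (CVE-2023-38831 pattern)"]
    for h in hits:
        lines.append(f"  file {h['file']!r} collides with folder {h['file']!r}/")
        for member in h["folder_members"]:
            lines.append(f"    folder member: {member!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(SUSPICIOUS_ZIP))
    print(verdict(CLEAN_ZIP))
```

The check is deliberately structural: it does not depend on the member extension, so it also catches variants where the folder holds something other than a .cmd file.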
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vulncheck | 7.8 | HIGH | |
| cisa | 7.8 | HIGH | |
CISA
Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability
cisa·2024-04-30·CVSS 7.8
CVE-2024-29988 [HIGH] CWE-693 Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability
Affected: Microsoft SmartScreen Prompt
Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-38831 and CVE-2024-21412 to execute a malicious file.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29988; https://nvd.nist.gov/vuln/detail/CVE-2024-29988
Remediation Due Date: 2024-05-21
CISA
RARLAB WinRAR Code Execution Vulnerability
cisa·2023-08-24·CVSS 7.8
CVE-2023-38831 [HIGH] CWE-351 RARLAB WinRAR Code Execution Vulnerability
Affected: RARLAB WinRAR
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file within a ZIP archive.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: http://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa; https://nvd.nist.gov/vuln/detail/CVE-2023-38831
Remediation Due Date: 2023-09-14
VulnCheck
Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability
vulncheck·2024·CVSS 7.8
CVE-2024-29988 [HIGH] CWE-693 Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability
Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-38831 and CVE-2024-21412 to execute a malicious file.
Affected: Microsoft SmartScreen Prompt
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.zerodayinitiative.com/blog/2024/8/14/cve-2024-38213-copy2pwn-exploit-evades-windows-web-protections; http
GHSA
GHSA-w5x7-vwr2-4x27: RARLabs WinRAR before 6
ghsa_unreviewed·2023-08-23
CVE-2023-38831 [HIGH] CWE-345 GHSA-w5x7-vwr2-4x27: RARLabs WinRAR before 6
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.
VulnCheck
RARLAB WinRAR Code Execution Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-38831 [HIGH] CWE-351 RARLAB WinRAR Code Execution Vulnerability
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file within a ZIP archive.
Affected: RARLAB WinRAR
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2023-38831; https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day; https://cert.gov.ua/article/5661411
Project0
Project Zero RCA: CVE-2023-38831: RARLAB WinRAR Code Execution Vulnerability
project_zero·CVSS 7.8
CVE-2023-38831 [HIGH] Project Zero RCA: CVE-2023-38831: RARLAB WinRAR Code Execution Vulnerability
# CVE-2023-38831: RARLAB WinRAR Code Execution Vulnerability
*Vlad Stolyarov, Google Threat Analysis Group*
## The Basics
**Disclosure or Patch Date:** July 20, 2023
**Product:** RARLAB WinRAR
**Advisory:** https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=230&cHash=d5b004cf8e13ffaf713f4ec6b604694e
**Affected Versions:** 6.22 and other versions prior
**First Patched Version:** 6.23 Beta 1
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):**
- Andrey Polovinkin from Group-IB Threat Intelligence unit
## The Code
**Proof-of-concept:** https://github.com/b1tg/CVE-2023-38831-winrar-exploit
**Exploit sample:** See PoC
**Did you have access to the exploit sample when doing the analysis?** yes
## The Vulnerability
**Bug clas
No detection rules found.
Exploit-DB
WinRAR version 6.22 - Remote Code Execution via ZIP archive
exploitdb·2024-03-28·CVSS 7.8
CVE-2023-38831 [HIGH] WinRAR version 6.22 - Remote Code Execution via ZIP archive
---
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include
#include
#include
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Err
Metasploit
WinRAR CVE-2023-38831 Exploit
metasploit·CVSS 7.8
CVE-2023-38831 [HIGH] WinRAR CVE-2023-38831 Exploit
This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
Hackernews
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
blogs_hackernews·2026-05-14·CVSS 7.8
CVE-2023-38831 [HIGH] Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
## Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine.
Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
"FrostyNeighbor has been running continual cyber operations, changing and updating
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
Authors
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Mandiant
Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
blogs_mandiant·2026-01-27·CVSS 8.4
CVE-2025-8088 [HIGH] Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
Threat Intelligence
# Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
January 27, 2026
##### Google Threat Intelligence Group
### Introduction
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw
Mandiant
Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
blogs_mandiant·2026-01-27·CVSS 8.4
CVE-2025-8088 [HIGH] Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
## Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
## Google Threat Intelligence Group
## Introduction
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persi
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist·2025-12-03·CVSS 7.8
CVE-2025-49704 [HIGH] Exploits and vulnerabilities in Q3 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
CVE-2025-8088: a directory traversal vulnerability in WinRAR
CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
Conclusion and advice
Authors
Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist·2025-12-03
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Securelist
Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025
blogs_securelist·2025-11-26·CVSS 6.5
CVE-2024-43451 [MEDIUM] Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025
Table of Contents
Just like the 2000s
How NTLM authentication works
NTLM is dead — long live NTLM
Persistent threats in NTLM-based authentication
Hash leakage
Coercion-based attacks
Credential forwarding
Man-in-the-Middle (MitM) attacks
NTLM exploitation in 2025
CVE-2024-43451
BlindEagle campaign delivering Remcos RAT via CVE-2024-43451
Head Mare campaigns against Russian targets abusing CVE-2024-43451
CVE-2025-24054/CVE-2025-24071
Trojan distribution in Russia via CVE-2025-24054
CVE-2025-33073
Suspicious activity in Uzbekistan involving CVE-2025-33073
Protection and recommendations
Disable/Limit NTLM
Implement message signing
Enable Extended Protection for Authentication (EPA)
Monitor and audit NTLM traffic and authentication logs
Conclusions
Authors
Leandro Cuozzo
Securelist
How NTLM is being abused in 2025 cyberattacks
blogs_securelist·2025-11-26
Table of Contents
- Just like the 2000s
- How NTLM authentication works
- NTLM is dead — long live NTLM
- Persistent threats in NTLM-based authentication
- NTLM exploitation in 2025
- Protection and recommendations
- Conclusions
Authors
- Leandro Cuozzo
## Just like the 2000s
Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits.
Ever since that distant 2001, the weaknesses of the NTLM authenti
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist·2025-08-27·CVSS 8.2
CVE-2025-32433 [HIGH] Exploits and vulnerabilities in Q2 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
CVE-2025-6218: directory traversal vulnerability in WinRAR
CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
Conclusion and advice
Authors
Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist·2025-08-27
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist·2025-05-30
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist·2025-05-30·CVSS 7.8
CVE-2025-21333 [HIGH] Exploits and vulnerabilities in Q1 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
ZDI-CAN-25373: a vulnerability in Windows that affects how LNK files are displayed
CVE-2025-21333: a heap buffer overflow vulnerability in the vkrnlintvsp.sys driver
CVE-2025-24071: a NetNTLM hash leakage vulnerability in the file system indexer
Conclusion and advice
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Bleepingcomputer
Russian hackers breach orgs to track aid routes to Ukraine
blogs_bleepingcomputer·2025-05-21·CVSS 9.8
[CRITICAL] Russian hackers breach orgs to track aid routes to Ukraine
## Russian hackers breach orgs to track aid routes to Ukraine
## Ionut Ilascu
A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
The hackers targeted entities in the defense, transportation, IT services, air traffic, and maritime sectors in 12 European countries and the United States.
Additionally, the hackers have been tracking the movement of materials into Ukraine by compromising access to private cameras installed in key locations (e.g. border crossings, military installations, rail stations).
A joint advisory from 21 intelligence and cybersecurity agencies in nearly a dozen countries shares the tactics, techniques, a
Securelist
Head Mare and Twelve: Joint attacks on Russian entities
blogs_securelist·2025-03-13
Table of Contents
- Introduction
- Technical details
- Conclusion
- Indicators of compromise
Authors
- Kaspersky
## Introduction
In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.
The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.
This report analyzes the software and
Securelist
Vulnerability landscape analysis for Q4 2024
blogs_securelist·2025-02-26
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.
## Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.
Total number of registered vulnerabilities a
Securelist
Exploits and vulnerabilities in Q4 2024
blogs_securelist·2025-02-26·CVSS 6.5
CVE-2024-43572 [MEDIUM] Exploits and vulnerabilities in Q4 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-43572—Remote code execution vulnerability in Microsoft Management Console
CVE-2024-43451—NetNTLM hash disclosure vulnerability
CVE-2024-49039—Elevation of privilege vulnerability in Windows Task Scheduler
Conclusion and advice
Authors
Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leve
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Qualys
Defense Lessons From the Black Basta Ransomware Playbook | Qualys
blogs_qualys·2025-02-25
#### Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against ev
Bleepingcomputer
Russian cyber spies hide behind other hackers to target Ukraine
blogs_bleepingcomputer·2024-12-11
## Russian cyber spies hide behind other hackers to target Ukraine
## Bill Toulas
Russian cyber-espionage group Turla, aka "Secret Blizzard," is utilizing other threat actors' infrastructure to target Ukrainian military devices connected via Starlink.
Microsoft and Lumen recently exposed how the nation-state actor, who is linked to Russia's Federal Security Service (FSB), is hijacking and using malware and servers of the Pakistani threat actor Storm-0156.
Microsoft released another report today focusing on separate Turla operations between March and April 2024, targeting devices in Ukraine used in military operations.
In the latest campaign, Turla utilized the infrastructure for the Amadey botnet and another Russian hacking group known as "Storm-1837." This infrastructure was used to
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Securelist
Malware report for Q3 2024: threat overview
blogs_securelist·2024-11-29
Malware report for Q3 2024: threat overview
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
IT threat evolution in Q3 2024
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024. Mobile statistics
## Targeted attacks
### New APT threat actor targets Russian government entities
In May 2024, we discovered a new APT targeting Russian government organizations. CloudSorcerer is a sophisticated cyber-espionage tool used for stealth monitoring, data collection and exfiltration via Microsoft, Yandex and Dropbox cloud infrastructures. The malware utilizes cloud resources for its C2 (command and control) servers, which it accesses via APIs using authentication tokens. CloudSorcerer also employs GitHub as its initial C2 server. CloudSorcerer functions as separate modules – for com
Securelist
Head Mare: adventures of a unicorn in Russia and Belarus
blogs_securelist·2024-09-02·CVSS 7.8
[HIGH] Head Mare: adventures of a unicorn in Russia and Belarus
Table of Contents
Key findings
Technical details
Historical context
Head Mare’s toolkit
Initial access
Persistence in the system
Detection evasion
Management and infrastructure
Pivoting
Network exploration
Credential harvesting
End goal: file encryption
Babuk
LockBit
Victimology
Samples similar to Head Mare’s toolkit
PhantomDL
PhantomCore
LockBit
Conclusions
Indicators of compromise
Authors
Kaspersky
Head Mare is a hacktivist group that first made itself known in 2023 on the social network X (formerly Twitter) [1]. In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops and administrative consoles.
By analyzing incidents in Russian compa
Securelist
Head Mare hacktivists: attacks on companies in Russia and Belarus
blogs_securelist·2024-09-02·CVSS 7.8
[HIGH] Head Mare hacktivists: attacks on companies in Russia and Belarus
Table of Contents
- Key findings
- Technical details
- Victimology
- Samples similar to Head Mare’s toolkit
- Conclusions
- Indicators of compromise
Authors
- Kaspersky
Head Mare is a hacktivist group that first made itself known in 2023 on the social network X (formerly Twitter)[1]. In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops and administrative consoles.
By analyzing incidents in Russian companies, we identified how Head Mare conducts its attacks, the tools it uses, and established the group’s connection with the PhantomDL malware (article in Russian).
## Key findings
- Head Mare exclusively targets companies in Russia and Belarus.
- For init
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist·2024-05-07·CVSS 7.8
CVE-2024-3094 [HIGH] Exploits and vulnerabilities in Q1 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Public exploit statistics
Most prevalent exploits
Vulnerability exploitation in APT attacks
Notable Q1 2024 vulnerabilities
CVE-2024-3094 (XZ)
CVE-2024-20656 (Visual Studio)
CVE-2024-21626 (runc)
CVE-2024-1708 (ScreenConnect)
CVE-2024-21412 (Windows Defender)
CVE-2024-27198 (TeamCity)
CVE-2023-38831 (WinRAR)
Conclusions and advice
Authors
Alexander Kolesnikov
Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist·2024-05-07
Analyzing the vulnerability landscape in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Wiz
Crying Out Cloud - May 2024 Newsletter | Wiz
blogs_wiz·2024-05-06·CVSS 10.0
[CRITICAL] Crying Out Cloud - May 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
Learn more in our blog.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
Bleepingcomputer
Bumblebee malware attacks are back after 4-month break
blogs_bleepingcomputer·2024-02-13·CVSS 7.8
[HIGH] Bumblebee malware attacks are back after 4-month break
## Bumblebee malware attacks are back after 4-month break
## Bill Toulas
The Bumblebee malware has returned after a four-month vacation, targeting thousands of organizations in the United States in phishing campaigns.
Bumblebee is a malware loader discovered in April 2022 and is believed to have been developed by the Conti and Trickbot cybercrime syndicate as a replacement for the BazarLoader backdoor.
The malware is commonly distributed in phishing campaigns to drop additional payloads on infected devices, such as Cobalt Strike beacons, for initial network access and to conduct ransomware attacks.
In a new malware campaign observed by Proofpoint, the return of Bumblebee since October is significant as it could lead to a broader increase in cybercrime activities as we head into 2024
Bleepingcomputer
Hackers used new Windows Defender zero-day to drop DarkMe malware
blogs_bleepingcomputer·2024-02-13·CVSS 8.8
CVE-2024-21412 [HIGH] Hackers used new Windows Defender zero-day to drop DarkMe malware
## Hackers used new Windows Defender zero-day to drop DarkMe malware
## Sergiu Gatlan
"However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link."
Trend Micro security researcher Peter Girnus, credited for reporting this zero-day, revealed that the CVE-2024-21412 flaw bypasses another Defender SmartScreen vulnerability (CVE-2023-36025).
CVE-2023-36025 was patched during the November 2023 Patch Tuesday, and, as Trend Micro revealed last month, it was also exploited to bypass Windows security prompts when opening URL files to deploy the Phemedrone info-stealer malware.
## Zero-day used to target financial market traders
The zero-day that Microsoft patch
Trendmicro
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
blogs_trendmicro·2024-02-13·CVSS 8.1
CVE-2024-21412 [HIGH] CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
Exploits & Vulnerabilities
# CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
By: Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun
2024/02/13
The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412 which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we t
Trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
blogs_trendmicro·2024-01-31
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
APT & Targeted Attacks
## Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
To help defenders learn more about Pawn Storm's activities and adjust their defences, we offer a technical analysis of some of the threat actor's recent and updated techniques.
By: Feike Hacquebord, Fernando Merces, Jan 31, 2024
| Target sector | Regions |
|---|---|
| Armed forces | Europe, South America |
| Central bank | Middle East |
| City council | Asia, Europe, Middle East, North America, Africa |
| Defence industry | Europe, North America, South America |
| Aerospace industry | Europe |
| Electricity authority | Europe, Middle East |
| Energy sector | Europe |
| Intellectual property authority | Middle East |
| Ministry of Agriculture | Europe, South America |
| Ministry of Energy | Europe |
| Ministry of Environment | Europe |
Minis
Trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
blogs_trendmicro·2024-01-31
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
APT & Targeted Attacks
# Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
To help defenders learn more about Pawn Storm's activities and adjust their defenses, we offer a technical analysis of some of the threat actor's recent and updated techniques.
By: Feike Hacquebord, Fernando Merces
2024/01/31
Introduction
Pawn Storm (also known as APT28 and Forest Blizzard) is an advanced persistent threat (APT) actor that shows incessant and lasting repetitions in its tactics, techniques, and procedures (TTPs). Some of the group’s campaigns involve using the same kind of technical tricks repeatedly, sometimes targeting hundreds of people in a single organization at the same time.
The threat actor is known for still using its phishing email
Bleepingcomputer
Russian hackers exploiting Outlook bug to hijack Exchange accounts
blogs_bleepingcomputer·2023-12-04·CVSS 9.8
CVE-2023-23397 [CRITICAL] Russian hackers exploiting Outlook bug to hijack Exchange accounts
## Russian hackers exploiting Outlook bug to hijack Exchange accounts
## Bill Toulas
## Outlook flaw exploitation background
CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Patch Tuesday.
The disclosure of the flaw came with the revelation that APT28 had been exploiting it since April 2022 via specially crafted Outlook notes designed to steal NTLM hashes, forcing the target devices to authenticate to attacker-controlled SMB shares without requiring user interaction.
By elevating their privileges on the system, which was proven uncomplicated, APT28 performed lateral movement in the victim's environment and changed Outlook mailbox permissions to perform targeted email theft.
Despite th
Securelist
PC malware statistics, Q3 2023
blogs_securelist·2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics
blogs_securelist·2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Checkpoint
20th November – Threat Intelligence Report
blogs_checkpoint·2023-11-20·CVSS 7.8
CVE-2023-38831 [HIGH] 20th November – Threat Intelligence Report
## 20th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th November, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Russia-affiliated military intelligence group SandWorm is reportedly responsible for an attack against 22 critical infrastructure companies in Denmark. The attacks, most severe in Danish history, have compromised industrial control systems and forced companies from the energy sector to work offline.
Medusa ransomware g
Bleepingcomputer
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
blogs_bleepingcomputer·2023-11-19·CVSS 7.8
CVE-2023-38831 [HIGH] Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
## Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
## Ionut Ilascu
After Sandworm and APT28 (known as Fancy Bear), another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks.
APT29 is tracked under different names (UNC3524/NobleBaron/Dark Halo/NOBELIUM/Cozy Bear/CozyDuke/SolarStorm) and has been targeting embassy entities with a BMW car sale lure.
The CVE-2023-38831 security flaw affects WinRAR versions before 6.23 and allows crafting .RAR and .ZIP archives that, when opened, execute attacker-prepared code in the background for malicious purposes.
The vulnerability has been exploited as a zero-day since April by threat actors targeting cryptocurrency and stock trading forums.
## Ngrok static d
Bleepingcomputer
France says Russian state hackers breached numerous critical networks
blogs_bleepingcomputer·2023-10-26·CVSS 9.8
CVE-2023-38831 [CRITICAL] France says Russian state hackers breached numerous critical networks
## France says Russian state hackers breached numerous critical networks
## Bill Toulas
The Russian APT28 hacking group (aka 'Strontium' or 'Fancy Bear') has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.
The threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.
The Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from utilizing backdoors to evade detection.
This is according to a newly published report from
Google Tag
Government-backed actors exploiting WinRAR vulnerability
blogs_google_tag·2023-10-18·CVSS 7.8
CVE-2023-38831 [HIGH] Government-backed actors exploiting WinRAR vulnerability
Threat Analysis Group
## Government-backed actors exploiting WinRAR vulnerability
Oct 18, 2023
In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows. Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to defenders. A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.
To ensure protection, we urge organizations and users to keep software fully up-to-date and to install security updates as soon as they become available. After
Bleepingcomputer
Google links WinRAR exploitation to Russian, Chinese state hackers
blogs_bleepingcomputer·2023-10-18·CVSS 7.8
[HIGH] Google links WinRAR exploitation to Russian, Chinese state hackers
## Google links WinRAR exploitation to Russian, Chinese state hackers
## Sergiu Gatlan
Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems.
Google's Threat Analysis Group (TAG), a team of security experts who defend Google users from state-sponsored attacks, has detected state hackers from several countries targeting the bug, including the Sandworm, APT28, and APT40 threat groups from Russia and China.
"In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular
Wiz
#9 - The collapse of LAPSUS$ and the risks of AI data poisoning | Wiz
blogs_wiz·2023-09-13·CVSS 7.8
[HIGH] #9 - The collapse of LAPSUS$ and the risks of AI data poisoning | Wiz
Podcast
## #9 - The collapse of LAPSUS$ and the risks of AI data poisoning
👀 Here's a sneak peek at today’s episode:
🔒 Stay ahead of the game! LAPSUS$ Hackers may be making waves. Two members of this notorious group faced consequences in the UK, but shockingly, they continued their hacking activities even while under house arrest.
🤖 Data Poisoning in AI Training is a growing concern. Hackers can manipulate the data used to train AI models, introducing risks and vulnerabilities. Validating data integrity and randomizing data ingestion times are useful mitigations against this threat.
💻 The WinRAR Vulnerability (CVE-2023-38831)! This flaw was exploited against crypto-traders to infect their devices with malware, but should be considered a low concern for cloud customers unless using v
Checkpoint
28th August – Threat Intelligence Report
blogs_checkpoint·2023-08-28
CVE-2023-38035 28th August – Threat Intelligence Report
## 28th August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th August, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
An ongoing espionage campaign targeting dozens of organizations in Taiwan has been discovered. Researchers have attributed the activity to a Chinese APT group dubbed Flax Typhoon, which overlaps with Ethereal Panda. The threat group minimizes the use of custom malware, and instead uses legitimate tools found in victims’ opera
Trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
blogs_trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
APT & Targeted Attacks
## Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Based on our estimates, from approximately April 2022 until November 2023, Pawn Storm attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments that it targeted.
By: Feike Hacquebord, Fernando Merces, April 03, 2026
| Target sector | Regions |
|---|---|
| Armed forces | Europe, South America |
| Central bank | Middle East |
| City council | Asia, Europe, Middle East, North America, Africa |
| Defense industry | Europe, North America, South America |
| Aerospace industry | Europe |
| Electricity authority | Europe, Middle East |
| Energy sector | Europe |
| Intellectual property authority | Middle East |
Ministry of Agriculture
Threat Intel
Opal Sleet
threat_intel·CVSS 7.8
CVE-2023-38831 [HIGH] Opal Sleet
# Threat Actor: Opal Sleet
## Description
Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.
Threat Intel
DarkPink
threat_intel·CVSS 7.8
CVE-2023-38831 [HIGH] DarkPink
# Threat Actor: DarkPink
## Description
DarkPink is an APT group that has been active since mid-2021, primarily targeting government, military, and non-profit organizations in Southeast Asia and Europe. The group employs spear phishing techniques, utilizing ISO images and malicious PDF files to deliver custom Trojan programs like TelePowerBot and KamiKakaBot for information theft. They have exploited vulnerabilities such as CVE-2023-38831 to enhance their attack processes and maintain persistence through DLL side-loading and scheduled tasks. DarkPink's operations are characterized by stealth and precision, making them a significant threat in the cyber landscape.
Trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
blogs_trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
APT & Targeted Attacks
## Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Based on our estimates, from approximately April 2022 until November 2023, Pawn Storm attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments that it targeted.
By: Feike Hacquebord, Fernando Merces, September 22, 2025
| Target sector | Regions |
|---|---|
| Armed forces | Europe, South America |
| Central bank | Middle East |
| City council | Asia, Europe, Middle East, North America, Africa |
| Defense industry | Europe, North America, South America |
| Aerospace industry | Europe |
| Electricity authority | Europe, Middle East |
| Energy sector | Europe |
| Intellectual property authority | Middle East |
Ministry of Agricultur
Threat Intel
DarkCasino
threat_intel·CVSS 7.8
CVE-2023-38831 [HIGH] DarkCasino
# Threat Actor: DarkCasino
## Description
DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.
Trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
blogs_trendmicro
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
APT & Targeted Attacks
# Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Based on our estimates, from approximately April 2022 until November 2023, Pawn Storm attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments that it targeted.
By: Feike Hacquebord, Fernando Merces
September 22, 2025
Introduction
Pawn Storm (also known as APT28 and Forest Blizzard) is an advanced persistent threat (APT) actor that shows incessant and lasting repetitions in its tactics, techniques, and procedures (TTPs). Some of the group’s campaigns involve using the same kind of technical tricks repeatedly, sometimes targeting hundreds of people in a singl
Threat Intel
FlyingYeti
threat_intel·CVSS 7.8
CVE-2023-38831 [HIGH] FlyingYeti
# Threat Actor: FlyingYeti
## Description
FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.
arXiv
SAGA: Synthetic Audit Log Generation for APT Campaigns
arxiv_fulltext·2026-01-14
SAGA: Synthetic Audit Log Generation for APT Campaigns
SAGA: Synthetic Audit Log Generation for APT Campaigns
Yi-Ting Huang, Ying-Ren Guo, Yu-Sheng Yang, Guo-Wei Wong, Yu-Zih Jheng, Yeali Sun, Jessemyn Modini, Timothy Lynar, and Meng Chang Chen
Y. Huang is with National Taiwan University of Technology and Science.
Y. Guo and M. Chen are with Academia Sinica, Taiwan.
E-mail: [email protected]
J. Modini and T. Lynar are with University of New South Wales, Australia.
Y. Yang, Y. Jheng, G. Wong and Y. Sun are with National Taiwan University, Taiwan.
2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collec
CTF
sloppy / README
ctf_writeups·2023·CVSS 7.8
[HIGH] sloppy / README
# sloppy
> So, I found a USB in my class, I took it and I put it in my laptop. Then I found an interesting anime (the anime is in mp4) and a rar file and I copied them to my laptop. When I tried to open the file it showed a pop-up that my computer had been compromised and my laptop restarted after 1 minute, and I immediately removed all files that had been copied to my computer. As an engineer I always capture USB traffic using Wireshark. Please help me to figure out what's happening on my laptop.
> [download](https://drive.google.com/file/d/1JFQ2p1tRGp_s1rrHWX6glHP2r4nftjR7/view?usp=sharing)
> wrap your flag with STS23{``}
## About the Challenge
We were given a pcapng file (you can download the file using the link above), and we need to find the flag inside the packet capture file.
As you can se
CTF
README
ctf_writeups
README
# CTF Writeups
Welcome to my CTF Writeups repository! Here, I document the solutions and methodologies used to solve various Capture The Flag (CTF) challenges. This repository is intended to serve as a learning resource for others interested in cybersecurity and CTF competitions.
Capture The Flag (CTF) competitions are a popular way to practice and improve cybersecurity skills. These competitions present various challenges that require problem-solving, creativity, and technical knowledge.
## Writeups
The writeups in this repository (located in the "writeups" folder) are categorised based on the nature of the challenge. Each writeup provides step-by-step solutions, along with explanations of the tools and techniques used. The difficulty rating associated with each challenge matches the dif
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
https://news.ycombinator.com/item?id=37236100
https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38831
2023-08-23
Published
2023-08-24
Added to CISA KEV
Exploited in the wild