Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The SourceCodester Android application "Corona Virus Tracker App India" 1.0 uses MD5 for digest authentication in `OkHttpClientWrapper.java`. The `handleDigest()` function employs `MessageDigest.getInstance("MD5")` to hash credentials. MD5 is a broken cryptographic algorithm known to allow hash collisions. This makes the authentication mechanism vulnerable to replay, spoofing, or brute-force attacks, potentially leading to unauthorized access. The vulnerability corresponds to CWE-327 and aligns with OWASP M5: Insufficient Cryptography and MASVS MSTG-CRYPTO-4.

CVE-2025-56608 identifies a cryptographic weakness in the Android application "Corona Virus Tracker App India" version 1.0, developed by SourceCodester. The vulnerability stems from the use of the MD5 hashing algorithm within the app's digest authentication mechanism, specifically in the `OkHttpClientWrapper.java` file's `handleDigest()` function. The function uses `MessageDigest.getInstance("MD5")` to hash user credentials for authentication purposes. MD5 is a deprecated cryptographic hash function known for its susceptibility to collision attacks, where two different inputs produce the same hash output. This fundamental weakness undermines the integrity of the authentication process, making it vulnerable to replay attacks, spoofing, and brute-force attempts. An attacker could exploit these weaknesses to gain unauthorized access to the application or its backend services by crafting malicious authentication tokens or replaying intercepted credentials. This vulnerability is categorized under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and aligns with OWASP Mobile Top 10 risk M5 (Insufficient Cryptography) and MASVS MSTG-CRYPTO-4, which emphasize the importance of using strong, modern cryptographic primitives. The lack of a CVSS score indicates that the vulnerability has not yet been formally scored, but the technical details confirm its presence and potential impact. No known exploits are currently reported in the wild, but the inherent weaknesses of MD5 make exploitation feasible with moderate effort. The vulnerability affects the authentication mechanism of a mobile application that may handle sensitive health-related data, increasing the risk profile.

Detailed information about CVE-2025-56608: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-56608: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-56608: n/a

APT36, a Pakistan-based threat actor, is conducting a cyber-espionage campaign against Indian Government entities, targeting BOSS Linux systems with weaponized .desktop files. The group uses spear-phishing emails to deliver malicious payloads, exploiting the Linux environment to maintain persistent access and evade security controls. The campaign involves sophisticated tactics, including the use of custom malware, command and control servers, and data exfiltration techniques. The attackers leverage newly registered domains and employ various MITRE ATT&CK techniques to execute their operations. This activity demonstrates APT36's increasing sophistication and adaptability in targeting critical government infrastructure.

APT36, a Pakistan-based advanced persistent threat (APT) group, is conducting a targeted cyber-espionage campaign against Indian government entities by exploiting BOSS Linux systems. BOSS Linux is a Linux distribution developed and promoted by the Indian government for use in government offices and institutions. The attackers employ spear-phishing emails containing weaponized .desktop files, which are native Linux shortcut files capable of executing commands when opened. These malicious .desktop files serve as the initial infection vector, allowing the attackers to deploy custom ELF (Executable and Linkable Format) malware tailored for the Linux environment. Once executed, the malware establishes persistence on the compromised systems by leveraging autostart mechanisms inherent to Linux desktop environments, enabling the threat actor to maintain long-term access. The campaign uses sophisticated tactics including the use of newly registered domains (e.g., modgovindia.space, securestore.cv) and command and control (C2) servers to receive commands and exfiltrate sensitive data. The attackers employ a wide range of MITRE ATT&CK techniques such as T1037 (Boot or Logon Autostart Execution), T1014 (Rootkit), T1025 (Data from Removable Media), T1082 (System Information Discovery), T1071 (Application Layer Protocol), T1053 (Scheduled Task), T1005 (Data from Local System), T1011.001 (Exfiltration Over C2 Channel), T1222 (File and Directory Permissions Modification), T1003.001 (OS Credential Dumping), T1090 (Proxy), T1083 (File and Directory Discovery), T1064 (Scripting), T1048 (Exfiltration Over Alternative Protocol), T1571 (Non-Standard Port), T1546.004 (Event Triggered Execution), T1095 (Non-Application Layer Protocol), T1498 (Network Denial of Service), T1543.002 (Windows Service), T1105 (Ingress Tool Transfer), T1564.001 (Hidden Files and Directories), and T1001.001 (Data Obfuscation). These techniques demonstrate the group’s adaptability and sophistication in evading detection and maintaining stealthy operations. The campaign’s focus on BOSS Linux systems highlights a strategic targeting of Indian government infrastructure, aiming to gather intelligence and maintain persistent surveillance. Indicators of compromise include multiple malware hashes, IP addresses, and malicious domains associated with the campaign. No known public exploits or CVEs are currently linked to this threat, and the severity is assessed as medium by the source.

Detailed information about APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files. Get real-time updates, technical details, and mitigation st

APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files - Live Threat Intelligence - Threat Radar | OffSeq.com

APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-control server via the Tor network. It has additional capabilities to brute-force WordPress sites and harvest email addresses for further distribution. The malware primarily targeted users in Brazil, India, Spain, Russia, Italy, and Germany between October 2024 and July 2025, affecting over 5,000 Kaspersky users.

The Efimer Trojan is a multifaceted malware strain actively spreading through compromised WordPress websites, malicious torrent files, and targeted email campaigns impersonating legal professionals. Its primary malicious function is to steal cryptocurrency by intercepting and replacing wallet addresses copied to the clipboard, a technique known as clipboard hijacking. Beyond this, Efimer can execute additional malicious scripts, enhancing its persistence and capabilities. Communication with its command-and-control (C2) infrastructure is conducted over the Tor network, which anonymizes traffic and complicates detection and takedown efforts. The Trojan also incorporates brute-force attack capabilities aimed at WordPress sites, attempting to gain unauthorized access by guessing credentials. Additionally, it harvests email addresses from infected systems to expand its distribution via phishing campaigns. The malware has been observed targeting users predominantly in Brazil, India, Spain, Russia, Italy, and Germany from October 2024 through July 2025, impacting over 5,000 users monitored by Kaspersky. The attack vectors leverage common web application vulnerabilities and social engineering, exploiting WordPress’s widespread deployment and the trust users place in email communications from purported legal entities. The use of the Tor network for C2 communication and the combination of multiple infection and propagation methods make Efimer a persistent and evasive threat. Although no specific affected software versions are listed, the brute-force attacks on WordPress suggest exploitation of weak credentials or unpatched installations. The malware’s tactics align with several MITRE ATT&CK techniques, including clipboard data theft (T1115), command execution (T1059.007), phishing (T1566.002), brute forcing (T1110), and use of anonymizing networks (T1571).

Detailed information about Efimer Trojan delivered via email and hacked WordPress websites. Get real-time updates, technical details, and mitigation strategies.

Efimer Trojan delivered via email and hacked WordPress websites - Live Threat Intelligence - Threat Radar | OffSeq.com

Efimer Trojan delivered via email and hacked WordPress websites

APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files disguised as PDF documents to execute malicious scripts. Two attack variants were identified, utilizing single and redundant command and control server setups. The Poseidon backdoor, built on the Mythic framework, is deployed for persistent access and lateral movement. Over 100 phishing domains impersonating Indian government organizations were discovered, primarily hosted by AlexHost. The campaign, active since early July 2025, poses a significant threat to Indian public sector and critical infrastructure.

The threat involves APT36, a Pakistan-linked advanced persistent threat group, targeting Indian government and civilian infrastructure sectors such as railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing campaigns using deceptive .desktop files disguised as PDF documents to execute malicious scripts on victim machines. These files exploit user trust and social engineering to bypass security controls and initiate payload execution. Two variants of the attack have been identified, differing in their command and control (C2) server architecture—one using a single C2 server and another employing redundant C2 servers to enhance resilience and persistence. The primary malware deployed is the Poseidon backdoor, which is built on the Mythic framework, a modular and flexible post-exploitation toolset. Poseidon enables persistent access, lateral movement within networks, credential theft, and data exfiltration. The campaign also involves over 100 phishing domains impersonating Indian government organizations, primarily hosted by AlexHost, to increase the credibility of phishing lures and facilitate credential harvesting or malware delivery. The campaign has been active since early July 2025 and represents a significant threat to Indian public sector entities and critical infrastructure. The attack techniques align with multiple MITRE ATT&CK tactics and techniques including phishing (T1566), execution via user execution (T1204), persistence (T1547), lateral movement (T1071), and defense evasion (T1070, T1027). The use of .desktop files as lures is novel and leverages Linux desktop environments, indicating targeting of systems running Linux or Unix-like OSes, which are common in infrastructure environments. The absence of known exploits in the wild suggests the threat relies heavily on social engineering and custom malware deployment rather than exploiting publicly known vulnerabilities.

Detailed information about Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor. Get real-time updates, technical details, and mitigation str

Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor - Live Threat Intelligence - Threat Radar | OffSeq.com

Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor

An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request.

CVE-2025-45777 describes a vulnerability in the One-Time Password (OTP) authentication mechanism of the Chavara Family Welfare Centre's Chavara Matrimony Site version 2.0. The flaw allows an attacker to bypass the authentication process by submitting a specially crafted request. OTP mechanisms are typically used to enhance security by requiring users to provide a temporary, unique code sent to them, often via SMS or email, to verify their identity. A bypass in this mechanism implies that an attacker can gain unauthorized access without possessing the valid OTP, effectively circumventing a critical layer of security. The vulnerability details do not specify the exact technical nature of the crafted request or the underlying cause (e.g., logic flaw, improper validation, or cryptographic weakness). No affected versions are explicitly listed beyond version 2.0, and no patches or known exploits in the wild have been reported as of the publication date. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity. However, bypassing OTP authentication typically represents a significant security risk as it undermines user identity verification and can lead to unauthorized account access.

Detailed information about CVE-2025-45777: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-45777: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-45777: n/a

A Pakistan-linked APT group, Transparent Tribe (APT36), is targeting Indian Government and Defense personnel using 'Pahalgam Terror Attack' themed documents. The campaign involves credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and Indian Air Force. The phishing PDF documents contain embedded links leading to fake login pages. A PowerPoint add-on file with malicious macros has been identified, which drops the Crimson RAT payload. The campaign exploits sensitive geopolitical issues to maximize impact and extract intelligence. Multiple phishing domains were created shortly after the attack, impersonating various Indian government entities. The potential impact includes disruption of sensitive operations, information manipulation, and data breaches.

The threat involves a targeted cyber espionage campaign conducted by the Pakistan-linked Advanced Persistent Threat (APT) group known as Transparent Tribe or APT36. This campaign specifically targets Indian Government and Defense personnel by leveraging geopolitical tensions surrounding the Pahalgam terror attack. The attackers employ social engineering techniques, primarily credential phishing, using decoy documents themed around the Pahalgam attack to lure victims. These documents include phishing PDFs embedding links that redirect to counterfeit login portals impersonating official Indian government entities such as the Jammu & Kashmir Police and the Indian Air Force. Additionally, malicious PowerPoint add-on files containing macros are used to deploy the Crimson Remote Access Trojan (RAT), a sophisticated malware capable of persistent access and data exfiltration. The campaign uses multiple fake domains created shortly after the real-world attack to increase credibility and maximize victim engagement. The attack chain involves several tactics and techniques, including spear-phishing (T1566.001), use of malicious macros (T1204.001), credential harvesting (T1113), reconnaissance (T1083, T1082), and establishing persistence (T1547.001). The Crimson RAT payload allows attackers to manipulate information, disrupt sensitive operations, and exfiltrate confidential data, posing significant risks to national security and intelligence confidentiality. While no known exploits are reported in the wild beyond this campaign, the sophistication and targeted nature of the attack highlight the advanced capabilities of APT36 and their focus on exploiting geopolitical events for intelligence gathering.

Detailed information about Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government. Get real-time updates, technical details, and 

Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government - Live Threat Intelligence - Threat Radar | OffSeq.com

Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government

A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0. This issue affects some unknown processing of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

CVE-2025-4163 is a SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Land Record System, specifically affecting the /admin/aboutus.php file. The vulnerability arises from improper sanitization or validation of the 'pagetitle' parameter, which can be manipulated by an attacker to inject malicious SQL queries. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring user interaction or prior authentication, due to the vulnerability's network accessibility and low attack complexity. The injection can potentially lead to unauthorized data disclosure, modification, or deletion, impacting the confidentiality, integrity, and availability of the land record data managed by the system. Although the CVSS 4.0 base score is 5.3 (medium severity), the vulnerability is classified as critical in the description, indicating a discrepancy likely due to the potential impact on sensitive land record information. No known exploits are currently reported in the wild, but the public disclosure of the exploit code increases the risk of exploitation. The vulnerability may also affect other parameters beyond 'pagetitle', suggesting a broader input validation issue within the application. The Land Record System is typically used by government or municipal agencies to manage property and land ownership records, making the integrity and confidentiality of this data critical. The lack of available patches or vendor advisories at the time of publication further elevates the risk for organizations using this software version.

Detailed information about CVE-2025-4163: SQL Injection in PHPGurukul Land Record System affecting PHPGurukul Land Record System. Get real-time updates, technic

CVE-2025-4163: SQL Injection in PHPGurukul Land Record System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-4163: SQL Injection in PHPGurukul Land Record System

A vulnerability was found in PHPGurukul Curfew e-Pass Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/pass-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

CVE-2025-4151 is a critical SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Curfew e-Pass Management System, specifically affecting the /admin/pass-bwdates-reports-details.php file. The vulnerability arises from improper sanitization and validation of the 'fromdate' parameter, which is directly used in SQL queries without adequate escaping or parameterization. This flaw allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating the 'fromdate' argument, potentially leading to unauthorized data access, data modification, or deletion within the backend database. The vulnerability does not require any user interaction or privileges to exploit, making it remotely exploitable over the network. Although the CVSS 4.0 score is rated as 6.9 (medium severity), the nature of SQL injection vulnerabilities often implies a high risk due to the potential for data breach and system compromise. The description also suggests that other parameters might be vulnerable, indicating a broader issue with input validation in the application. No patches or fixes have been publicly disclosed yet, and there are no known exploits in the wild at this time. The vulnerability was published on May 1, 2025, and has been enriched by CISA, highlighting its relevance for cybersecurity monitoring. Given that the affected product is a specialized e-pass management system used to regulate curfew passes, the vulnerability could be leveraged to disrupt administrative operations or leak sensitive citizen data if exploited.

Detailed information about CVE-2025-4151: SQL Injection in PHPGurukul Curfew e-Pass Management System affecting PHPGurukul Curfew e-Pass Management System. Get 

CVE-2025-4151: SQL Injection in PHPGurukul Curfew e-Pass Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-4151: SQL Injection in PHPGurukul Curfew e-Pass Management System

This analysis explores the detection of malicious .desktop files used by threat actors to infect Linux systems. It explains the structure of these files and how they are manipulated to obfuscate malicious content. The report details the execution process of these files, which often involve opening PDF files from Google Drive as a distraction while downloading malware. Various threat hunting techniques are presented, including searching for specific processes, command lines, and file contents. The article provides several Google Threat Intelligence queries for identifying suspicious .desktop files and related malicious activities. It also includes a list of recently discovered samples potentially linked to a campaign reported by Zscaler.

This threat involves the use of malicious .desktop files to compromise Linux systems. .desktop files are configuration files used by Linux desktop environments such as GNOME, KDE, and XFCE to define how applications are launched, including their icons, names, and execution commands. Threat actors manipulate these files to embed obfuscated malicious commands that execute malware payloads when the user interacts with them. A common tactic observed is the use of these .desktop files to open seemingly benign PDF documents hosted on Google Drive, serving as a distraction or social engineering lure. Meanwhile, in the background, the malicious .desktop file initiates the download and execution of malware, effectively bypassing casual user scrutiny. The obfuscation techniques employed in these files complicate detection, as the malicious commands are hidden within legitimate-looking desktop entry syntax. The report outlines various threat hunting methodologies, including searching for suspicious process names, command-line arguments, and specific file content patterns associated with these malicious .desktop files. It also provides Google Threat Intelligence queries to identify such files and related malicious activities. The campaign appears to be ongoing, with recently discovered samples linked to a Zscaler-reported campaign, although no known exploits are currently in the wild. The threat primarily targets Linux desktop environments, leveraging common user behaviors and trusted cloud services like Google Drive to facilitate infection.

MD5 of b6170fd0a1a75e043cd412300db4c67a351f71a6

MD5 of 040711b2e577fcdba8dc130f72475935893e8471

SHA256 of b6170fd0a1a75e043cd412300db4c67a351f71a6

SHA256 of 040711b2e577fcdba8dc130f72475935893e8471

Detailed information about Actionable threat hunting with Threat Intelligence (I) - Hunting malicious desktop files. Get real-time updates, technical details, a

Actionable threat hunting with Threat Intelligence (I) - Hunting malicious desktop files - Live Threat Intelligence - Threat Radar | OffSeq.com

Actionable threat hunting with Threat Intelligence (I) - Hunting malicious desktop files

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting India

Filter Threats

Threats Affecting India

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility