Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.0.0 to 4.0.3 allows a remote authenticated attacker to consume huge storage space, which may result in a denial-of-service (DoS) condition.

CVE-2022-44608 is a high-severity vulnerability affecting Cybozu Remote Service versions 4.0.0 through 4.0.3. This vulnerability is classified under CWE-400, which pertains to uncontrolled resource consumption. Specifically, the flaw allows a remote attacker who has authenticated access to the service to trigger excessive consumption of storage resources. The vulnerability does not require user interaction and can be exploited remotely without elevated privileges beyond authentication. The uncontrolled resource consumption can lead to a denial-of-service (DoS) condition by exhausting available storage space, potentially causing service disruption or failure. The CVSS 3.1 base score of 7.5 reflects the high impact on availability (A:H) with no impact on confidentiality or integrity, and the attack vector is network-based with low attack complexity and no user interaction required. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to organizations relying on Cybozu Remote Service for remote management or support functions. The lack of a patch link indicates that remediation may require vendor intervention or configuration changes. Given the nature of the vulnerability, attackers with valid credentials could repeatedly perform actions that consume storage, leading to resource exhaustion and service outages, which could disrupt business operations and impact dependent systems.

Detailed information about CVE-2022-44608: Uncontrolled Resource Consumption in Cybozu, Inc. Cybozu Remote Service affecting Cybozu, Inc. Cybozu Remote Service.

CVE-2022-44608: Uncontrolled Resource Consumption in Cybozu, Inc. Cybozu Remote Service - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2022-44608: Uncontrolled Resource Consumption in Cybozu, Inc. Cybozu Remote Service

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads. The threat actor employs various evasion techniques including API hashing, direct syscalls, DLL sideloading, and self-deletion. Google Drive is abused as a command-and-control server. While attribution remains uncertain, similarities with Winnti, Lazarus, and APT10 techniques have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications.

The Swan Vector campaign is a sophisticated Advanced Persistent Threat (APT) operation targeting educational institutions and mechanical engineering sectors primarily in Taiwan and Japan. The attack employs a multi-stage infection chain beginning with malicious LNK (Windows shortcut) files that serve as the initial infection vector. Upon execution, these LNK files trigger the loading of DLL implants named Pterois and Isurus. These implants leverage advanced evasion techniques such as API hashing, which obfuscates API calls to avoid detection by security tools; direct syscalls, which bypass user-mode hooks; DLL sideloading, where malicious DLLs are loaded by legitimate applications to evade detection; and self-deletion to remove traces post-execution. The implants facilitate the deployment of Cobalt Strike payloads, a well-known post-exploitation framework used for lateral movement, persistence, and command and control (C2). Notably, the threat actor abuses Google Drive as a C2 server, leveraging a trusted cloud service to evade network-based detection and filtering. Although attribution is uncertain, the tactics, techniques, and procedures (TTPs) share similarities with known APT groups such as Winnti, Lazarus, and APT10, indicating a high level of sophistication and potential state-sponsored backing. Active since December 2024, the campaign is expected to evolve with new implants targeting additional applications, suggesting ongoing and adaptive threat activity.

Detailed information about Targeting Taiwan & Japan with DLL Implants. Get real-time updates, technical details, and mitigation strategies.

Targeting Taiwan & Japan with DLL Implants - Live Threat Intelligence - Threat Radar | OffSeq.com

Targeting Taiwan & Japan with DLL Implants

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses GitHub repositories containing adapted open-source projects in Python and JavaScript. The malware employs YAML deserialization and EJS rendering to execute arbitrary code from command-and-control servers. Slow Pisces has reportedly stolen over $1 billion from the cryptocurrency sector in 2023, using various methods including fake trading applications and supply chain compromises. The group's operational security is noteworthy, with payloads existing only in memory and deployed selectively.

Slow Pisces is a North Korean state-sponsored threat actor that has developed a sophisticated campaign targeting cryptocurrency developers, primarily via LinkedIn. The group impersonates recruiters and sends malicious coding challenges disguised as legitimate project tasks. These challenges contain malware payloads, specifically RN Loader and RN Stealer, which are designed to infect the victim's system stealthily. The malware is delivered through GitHub repositories that leverage adapted open-source projects written in Python and JavaScript. A notable technical aspect of the malware is its use of YAML deserialization and EJS (Embedded JavaScript) rendering techniques to execute arbitrary code fetched from command-and-control (C2) servers. This approach enables dynamic and flexible execution of malicious code, increasing the difficulty of detection and analysis. Slow Pisces has demonstrated operational security by ensuring that payloads exist only in memory and are deployed selectively, reducing forensic footprints and complicating incident response efforts. The group has reportedly stolen over $1 billion from the cryptocurrency sector in 2023 using multiple attack vectors, including fake trading applications and supply chain compromises. The campaign's focus on cryptocurrency developers suggests a targeted approach to compromise individuals with access to valuable digital assets or development environments that could be leveraged for further attacks.

Detailed information about Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware. Get real-time updates, technical 

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

The KeyPlug-linked server incident involved the brief exposure of a malicious infrastructure associated with the KeyPlug malware family, revealing active tooling used by an advanced adversary, identified as RedGolf. This infrastructure was operational for less than a day but provided significant insight into the attacker’s operational workflow. The exposed server contained exploit scripts targeting Fortinet firewall and VPN products, specifically related to CVE-2024-23108 and CVE-2024-23109, which are recent vulnerabilities affecting Fortinet devices. Additionally, the server hosted a PHP webshell, network reconnaissance tools, CDN fingerprinting utilities, and encrypted command execution scripts. These tools collectively indicate a multi-stage attack process: initial reconnaissance to identify vulnerable Fortinet devices and internal portals, exploitation of these vulnerabilities to gain unauthorized access, deployment of webshells for persistent access, and post-compromise session management to maintain control over the victim environment. The presence of encrypted command execution utilities suggests attempts to evade detection and maintain stealth. The targeting of authentication and internal portals of a major Japanese company highlights a focused campaign likely aimed at high-value corporate or strategic assets. Although the server was exposed only briefly, the artifacts provide a rare and valuable glimpse into the tactics, techniques, and procedures (TTPs) of this threat actor, emphasizing the sophistication and targeted nature of the campaign. No known exploits in the wild have been reported yet, but the availability of these tools increases the risk of exploitation by other threat actors.

Detailed information about KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company. Get real-time updates, techni

KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company - Live Threat Intelligence - Threat Radar | OffSeq.com

KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Detailed information about Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Get real-time updates, technical details, and mitigation strategies

Around the World in 90 Days: State-Sponsored Actors Try ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Since October 2024, CoGUI campaigns have sent millions of messages monthly, peaking at 172 million in January 2025. While mainly focused on Japan, some campaigns have targeted other countries. The kit shares similarities with Darcula, another phishing framework used by Chinese-speaking actors. CoGUI's activity aligns with recent warnings from Japanese financial authorities about increased phishing attacks leading to financial theft.

The CoGUI phishing kit is a sophisticated and high-volume phishing framework primarily targeting Japanese organizations, with campaigns sending millions of messages monthly since October 2024 and peaking at 172 million messages in January 2025. This phishing kit impersonates well-known consumer and financial brands to deceive victims into divulging sensitive credentials and payment information. CoGUI employs advanced evasion techniques such as geofencing and device fingerprinting to avoid detection and limit exposure to unintended regions, which complicates defensive efforts. The kit shares technical and operational similarities with the Darcula phishing framework, historically linked to Chinese-speaking threat actors, suggesting a possible shared development lineage or actor overlap. Although the primary focus is Japan, some campaigns have extended to other countries, indicating potential for broader geographic impact. The timing and scale of CoGUI campaigns coincide with warnings from Japanese financial authorities about rising phishing attacks resulting in financial theft, underscoring the kit's operational effectiveness and threat to financial sector security. No known exploits or patches exist, as this is a phishing kit rather than a software vulnerability, and it relies on social engineering rather than technical exploitation. The threat is classified as medium severity, reflecting its high volume and sophistication but limited primarily to phishing and credential theft without direct system compromise or malware payloads.

Detailed information about CoGUI Phish Kit Targets Japan with Millions of Messages. Get real-time updates, technical details, and mitigation strategies.

CoGUI Phish Kit Targets Japan with Millions of Messages - Live Threat Intelligence - Threat Radar | OffSeq.com

CoGUI Phish Kit Targets Japan with Millions of Messages

OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42

The DragonOK backdoor malware campaign identified by Palo Alto Unit42 targets Japanese entities and is attributed to an advanced persistent threat (APT) group known as DragonOK. This malware functions as a backdoor, enabling attackers to maintain persistent access to compromised systems, potentially allowing data exfiltration, espionage, or further network intrusion. The campaign was detected through open-source intelligence (OSINT) efforts and is characterized by low severity, indicating limited immediate impact or exploitation scope at the time of discovery. The malware's deployment against Japanese targets suggests a focused regional espionage operation rather than a widespread indiscriminate attack. Technical details are sparse, with no specific affected software versions or exploit mechanisms disclosed, and no known exploits in the wild reported. The threat level is moderate (threatLevel 4), with limited analysis (analysis 2), reflecting early-stage intelligence gathering rather than a fully developed attack profile. Given the backdoor nature, the malware likely compromises confidentiality and integrity by enabling unauthorized access and control over infected systems, but the low severity suggests limited availability impact or exploitation complexity.

Detailed information about OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42. Get real-time updates, 

OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42 - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Affecting Japan

Filter Threats

Threats Affecting Japan

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility