CATEGORIES

Adversary Intelligence

Articles in Blog Posts

June 4, 2025

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

Written by

Koushik Pal

June 3, 2025

The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber

CloudSEK’s latest investigation uncovers how APT36 (aka Transparent Tribe) is using VPS provider Contabo to host malicious infrastructure linked to CapraRAT and Crimson RAT. One of their latest tactics? Disguising spyware as the popular messaging app Viber—armed with permissions to record calls, read messages, track location, and more. Read how we traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign.

Written by

Koushik Pal

May 11, 2025

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

In May 2025, multiple Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. But CloudSEK’s investigation reveals most of these breaches were exaggerated or fake—ranging from recycled data leaks to defacements that left no real impact. While DDoS attacks barely caused a few minutes of disruption, the real threat came from APT36, which used Crimson RAT malware to target Indian defense networks after the Pahalgam terror attack. This report separates fact from fiction—unmasking the hype, tactics, and real risks behind the India-Pakistan cyber conflict. Read the full analysis to know what truly happened.

Written by

Pagilla Manohar Reddy

April 29, 2025

Inside the BWSSB Incident : How An Exposed Environment File Enabled the Sale of 290K+ Applicant Records and Database Root Access

A small security slip — an exposed file and an open admin panel — gave a hacker full access to BWSSB’s database, putting over 290,000 people’s personal details at risk. CloudSEK’s STRIKE Team breaks down how it happened, what went wrong, and what can be done to prevent such breaches.

Written by

Sourajeet Majumder

April 15, 2025

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

What looks like a harmless online file conversion could be a trap set by cybercriminals. CloudSEK’s latest investigation uncovers a stealthy malware campaign where fake PDF-to-DOCX converters, mimicking the popular PDFCandy.com, trick users into running malicious PowerShell commands. The endgame? A powerful information stealer that hijacks browser credentials, crypto wallets, and more. Dive into our detailed breakdown of this social engineering scam, its technical anatomy, and how to stay a step ahead of such byte bandits.

Written by

Varun Ajmera

March 24, 2025

Part 2: Validating the Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis

On March 21, 2025, CloudSEK’s XVigil platform flagged a significant threat—a threat actor offering 6 million exfiltrated records from Oracle Cloud for sale. Despite Oracle’s public denial, our deep-dive investigation reveals a compromised production SSO endpoint, affecting over 140,000 tenants and exposing sensitive SSO and LDAP data. Our report outlines verified evidence of the breach. At CloudSEK, we prioritize transparency and preparedness. This detailed follow-up not only challenges initial denials but equips enterprises with actionable steps to assess and secure their environments. Read the full report to uncover the evidence, understand the impact, and strengthen your defenses.

Written by

Rahul Sasi

Articles in Threat Intelligence

November 15, 2023

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

CVE-2023-42027 IBM CICS TX Standard 11.1, Advanced 10.1, 11.1, and TXSeries for Multi platforms 8.1, 8.2, 9.1 are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts

November 6, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

CVE-2023-43792 is a code injection vulnerability in the mail form of baserCMS versions 4.6.0 to 4.7.6. This vulnerability allows an attacker to inject arbitrary code into the baserCMS application, which could then be executed by other users of the application.

November 6, 2023

CVE-2023-4197 Vulnerability in Dolibarr ERP CRM 18.0.1 Allows PHP Code Injection

CVE-2023-4197 Improper input validation in Dolibarr ERP CRM v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code

September 8, 2023

Hoze shell script dropped along with XMRig miners on misconfigured SSH Servers by Brute Forcing

CloudSEK’s Threat Intelligence Team uncovered a campaign, actively running from the past 1.8 years, that attacks and brute forces the SSH. 

September 4, 2023

3,20,000+ Patient Records From Ayush Jharkhand Gov. In Shared On Dark Web Hacking Forums

A hacker known as Tanaka has exposed over 320,000 patient records from ayush.jharkhand.gov.in, detailing personal and medical information. The 7.3 MB database leak includes sensitive data from the AYUSH ministry's site

August 28, 2023

Rogue Scripts Are Exploiting OTP Verification APIs To Send Heaps of OTP SMSes, Hold The Potential Of Triggering Service Disruptions.

Discover how CloudSEK's AI-powered XVigil platform identified concerning GitHub repositories mentioning Indian companies and their APIs.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.