AI特工时代,从摩萨德到军情五处的谍报新战略
写在XIE ZAIQIAN MIAN前面情报机构的传奇故事往往隐秘而精彩。
Aggregator
BugTrace-AI: The Comprehensive AI-Powered Suite for SAST, DAST, and Vulnerability Research
1 week ago
BugTrace-AI is a comprehensive web vulnerability analysis suite that leverages the power of Generative AI to assist developers,
The post BugTrace-AI: The Comprehensive AI-Powered Suite for SAST, DAST, and Vulnerability Research appeared first on Penetration Testing Tools.
ddos
Ashen Lepus (WIRTE) Targets Middle East Governments with Stealthy AshTag Malware Toolkit
1 week ago
The Unit 42 team at Palo Alto Networks has documented a prolonged and low-visibility campaign targeting government bodies
The post Ashen Lepus (WIRTE) Targets Middle East Governments with Stealthy AshTag Malware Toolkit appeared first on Penetration Testing Tools.
ddos
Deep Leak: APT35 Hackers’ Payroll, Kashef Surveillance System, and 2004 Nuclear Spy Document Exposed
1 week ago
In the autumn of 2025, files began circulating in the public domain that are attributed to the Iranian
The post Deep Leak: APT35 Hackers’ Payroll, Kashef Surveillance System, and 2004 Nuclear Spy Document Exposed appeared first on Penetration Testing Tools.
ddos
Invisible Surveillance: Tool Exploits WhatsApp/Signal Network Latency to Track User Activity
1 week ago
A tool has been released into the public domain that enables covert monitoring of user activity on WhatsApp
The post Invisible Surveillance: Tool Exploits WhatsApp/Signal Network Latency to Track User Activity appeared first on Penetration Testing Tools.
ddos
量产「中国版 FSD」后,地平线为何公开高阶智驾的「灵魂代码」?
1 week ago
地平线开放高阶智驾「灵魂代码」:自动驾驶迎来「安卓时刻」。
«Я видел логи, мне страшно». IT-профи стали самыми тревожными людьми сети
1 week ago
Цифровые технологии пугают людей сильнее, чем кажется, и это подтверждают данные по 30 странам.
Apple Emergency Patch: Two WebKit Zero-Days Actively Exploited in Targeted iOS Attacks
1 week ago
Apple has released out-of-band patches addressing two zero-day vulnerabilities that were already being exploited in real-world attacks. The
The post Apple Emergency Patch: Two WebKit Zero-Days Actively Exploited in Targeted iOS Attacks appeared first on Penetration Testing Tools.
ddos
勒索软件团伙滥用Shanya可执行文件打包器隐匿EDR禁用工具
1 week ago
多个勒索软件团伙正借助一款名为Shanya的打包即服务平台,为其恶意载荷进行封装,以便在受害设备上禁用终端检测与响应解决方案。
打包服务可为网络犯罪分子提供专用工具,其核心作用是对恶意载荷进行封装处理,通过混淆恶意代码的方式,规避多数主流安全工具及杀毒引擎的检测。
据Sophos Security的遥测数据显示,Shanya打包服务于2024年末开始出现,此后使用率大幅攀升,采用该服务的恶意软件样本已在突尼斯、阿联酋、哥斯达黎加、尼日利亚、巴基斯坦等国被监测到。
目前已确认使用该服务的勒索软件团伙包括Medusa、Qilin、Crytox及Akira,其中Akira是该打包服务的最频繁使用者。
在勒索软件攻击中使用的Shanya打包器
Shanya打包服务的工作机制
威胁者需先将其恶意载荷提交至Shanya平台,平台会返回经定制化封装的“打包版”载荷,该过程会同时采用加密与压缩技术。
该服务主打生成载荷的唯一性,其宣传内容强调自身具备非标准模块内存加载、系统加载器桩函数独立封装能力,且每位客户在购买后,均可获得专属(相对)独立的桩函数及独特的加密算法。
加载器中的垃圾代码
具体来看,恶意载荷会被植入Windows系统DLL文件shell32.dll的内存映射副本中。尽管该DLL文件的可执行区段与文件大小看似合规,文件路径也无异常,但其文件头与.text区段已被解密后的恶意载荷覆盖。
值得注意的是,载荷在打包文件内处于加密状态,而在执行阶段,它会在内存中完成解密与解压,随后直接注入shell32.dll副本,全程不会写入磁盘,以此降低被检测的概率。
研究人员还发现,Shanya会通过在无效上下文下调用RtlDeleteFunctionTable函数,对终端检测与响应解决方案进行探测。这一操作会在用户态调试器环境中触发未处理异常或程序崩溃,从而在载荷完全执行前干扰自动化分析流程。
对EDR系统的禁用流程
勒索软件团伙通常会在攻击的数据窃取与加密阶段前,先禁用目标设备上运行的EDR工具,其执行流程一般通过DLL侧加载实现:将合法Windows可执行文件(如consent.exe)与经Shanya打包的恶意DLL(如msimg32.dll、version.dll、rtworkq.dll或wmsgapi.dll)进行组合加载。
根据Sophos的分析,这款EDR禁用工具会释放两款驱动程序:
1. 一款是由TechPowerUp签名的合法驱动ThrottleStop.sys(又称rwdrv.sys),该驱动存在可实现任意内核内存写入的漏洞;
2. 另一款是未签名的hlpdrv.sys驱动。其中,签名驱动用于实现权限提升,而hlpdrv.sys则会根据用户态下发的指令,对各类安全产品实施禁用操作。其用户态组件会先枚举当前运行的进程及已安装的服务,再将结果与内置的庞大硬编码列表进行比对,一旦匹配成功,便会向恶意内核驱动发送“终止”指令。
目标服务的部分列表
除了专注于禁用EDR的勒索软件操作者外,研究人员近期还监测到ClickFix攻击活动也在利用Shanya服务对CastleRAT远控木马进行封装。勒索软件团伙往往依赖打包服务来实现EDR禁用工具的隐蔽部署。
胡金鱼
Geely Launches World’s Largest Safety Center in Ningbo, Targeting Zero Fatalities & Zero Data Leaks
1 week ago
Ningbo is a major port city on China’s eastern seaboard, a key industrial hub of Zhejiang Province and
The post Geely Launches World’s Largest Safety Center in Ningbo, Targeting Zero Fatalities & Zero Data Leaks appeared first on Penetration Testing Tools.
ddos
New Security Default: CERT-FR Urges Users to Fully Disable Wi-Fi When Not Active
1 week ago
If it already felt as though smartphone security advice had devolved into an endless catalogue of prohibitions, here
The post New Security Default: CERT-FR Urges Users to Fully Disable Wi-Fi When Not Active appeared first on Penetration Testing Tools.
ddos
Supply Chain Alert: MangaGamer Higurashi USB Installers Compromised with Possible Floxif Malware
1 week ago
MangaGamer has issued a warning about a potential supply-chain attack: in the latest print run of the physical
The post Supply Chain Alert: MangaGamer Higurashi USB Installers Compromised with Possible Floxif Malware appeared first on Penetration Testing Tools.
ddos
Quality Control: GNOME Extensions Catalog Rejects Submissions with Unvetted AI-Generated Code
1 week ago
The GNOME Shell Extensions team has decided to tighten moderation rules in the EGO catalog in response to
The post Quality Control: GNOME Extensions Catalog Rejects Submissions with Unvetted AI-Generated Code appeared first on Penetration Testing Tools.
ddos
会议预告 | 第五届数字取证与分析技术研讨会(DFA 2026)
1 week ago
第五届数字取证与分析技术研讨会(DFA 2026)定于2026年1月6日-7日在南京警察学院(仙林校区)举办。
内存免杀与无文件攻击深度解析
1 week ago
本文系统阐述内存免杀与无文件攻击原理、技术演进及防御策略,涵盖VEH异常处理、进程注入、Living Off the Land等核心技术。
Unpatched RasMan Zero-Day Allows Local System Takeover via DoS Crash and RPC Spoofing
1 week ago
The 0patch team has reported that while analyzing CVE-2025-59230 in the Windows Remote Access Connection Manager (RasMan)—a flaw
The post Unpatched RasMan Zero-Day Allows Local System Takeover via DoS Crash and RPC Spoofing appeared first on Penetration Testing Tools.
ddos
CVE-2025-66451 | danny-avila LibreChat up to 0.8.0 PATCH Endpoint /api/prompts/groups/ updatePromptGroup input validation
1 week ago
A vulnerability, which was classified as critical, has been found in danny-avila LibreChat up to 0.8.0. This affects the function updatePromptGroup of the file /api/prompts/groups/ of the component PATCH Endpoint. This manipulation causes improper input validation.
The identification of this vulnerability is CVE-2025-66451. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2024-58294 | FreePBX 16 API Module os command injection (Exploit 52031 / EDB-52031)
1 week ago
A vulnerability, which was classified as critical, was found in FreePBX 16. This impacts an unknown function of the component API Module. Such manipulation leads to os command injection.
This vulnerability is referenced as CVE-2024-58294. It is possible to launch the attack remotely. Furthermore, an exploit is available.
vuldb.com
CVE-2025-66446 | 1Panel-dev MaxKB up to 2.3.x race condition (GHSA-5xx2-3q9w-jpgf)
1 week ago
A vulnerability, which was classified as critical, was found in 1Panel-dev MaxKB up to 2.3.x. This issue affects some unknown processing. The manipulation results in race condition.
This vulnerability was named CVE-2025-66446. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
vuldb.com
CVE-2025-66450 | danny-avila LibreChat up to 0.8.0 POST Request iconURL cross site scripting (GHSA-84vx-vmcf-xgpp)
1 week ago
A vulnerability has been found in danny-avila LibreChat up to 0.8.0 and classified as problematic. Impacted is an unknown function of the component POST Request Handler. This manipulation of the argument iconURL causes basic cross site scripting.
The identification of this vulnerability is CVE-2025-66450. It is possible to initiate the attack remotely. There is no exploit available.
The affected component should be upgraded.
vuldb.com