CoffeeLoader Emerges with Advanced Obfuscation and Payload Delivery Capabilities



Malware Developments


CoffeeLoader Emerges with Advanced Obfuscation and Payload Delivery Capabilities

CoffeeLoader is a newly identified, highly sophisticated malware loader observed in the wild. Designed to download and execute secondary payloads while evading detection, it exhibits notable behavioral similarities to SmokeLoader, with indications of potential code-level overlap between the two families. Its core functionality revolves around stealth and persistence, making it a potent tool for adversaries engaged in multi-stage attack campaigns. READ MORE.


Stealthy npm Malware Infects Local Packages, Delivers Reverse Shell

Researchers have identified a sophisticated npm supply chain attack where the ethers-provider2 and ethers-providerz packages compromised locally installed ethers packages by injecting a stealthy reverse shell. Unlike conventional malware that directly targets repositories, this attack covertly modified an existing package on developers' systems, allowing persistent remote access even after the original malicious package was removed. The attackers cleverly mimicked the widely used ssh2 package, adding subtle modifications to disguise the payload. READ MORE.
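Because the malicious packages described above altered a dependency that was already installed rather than the registry copy, a lockfile alone does not reveal the change; what does is a baseline of file hashes taken right after a clean install and re-checked later. The script below is an added example, not code from the article or from the npm project: it records a SHA-256 manifest of a node_modules tree, diffs it against a later snapshot, and reports files that were added, removed or modified. The package name `example-lib` and the tampering it simulates are constructed for the demo.

```python
"""Baseline-and-diff integrity check for an installed node_modules tree.

Added example (not from the original article). Records a SHA-256 manifest of
every file under a package directory and reports files that were later added,
removed or modified, which is how a post-install modification of an already
installed dependency would surface.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted lists of added/removed/modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Persist a manifest as JSON (keep it outside node_modules, e.g. in CI artefacts)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a manifest written by save_manifest."""
    return json.loads(Path(path).read_text())


def simulate_tamper_demo():
    """Constructed demo: baseline a fake package, modify it, return the detected diff."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "node_modules"
        pkg = modules / "example-lib"  # constructed package name, not a real dependency
        (pkg / "lib").mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps(
            {"name": "example-lib", "version": "1.0.0", "main": "lib/index.js"}))
        (pkg / "lib" / "index.js").write_text("module.exports = { ok: true };\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(modules), baseline_path)

        # Simulate a post-install modification: an existing file gains extra
        # content and a new file appears inside the package (both harmless
        # constructed stand-ins for what a tampering package would drop).
        with open(pkg / "lib" / "index.js", "a") as fh:
            fh.write("// constructed stand-in for injected code\n")
        (pkg / "lib" / "extra.js").write_text("// constructed stand-in for a dropped file\n")

        return diff_manifest(load_manifest(baseline_path), build_manifest(modules))


if __name__ == "__main__":
    print(json.dumps(simulate_tamper_demo(), indent=2))
```

In practice the baseline is taken immediately after `npm ci` on a clean checkout and stored outside the tree; any later diff that is not explained by a deliberate reinstall is worth treating as an incident, since legitimate installs replace whole package directories rather than editing files in place.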


Phishing Developments


Morphing Meerkat Campaign Abuses DNS MX Records and Phishing-as-a-Service Infrastructure

A sophisticated and long-running phishing operation, tracked as Morphing Meerkat, has been observed distributing large-scale phishing campaigns through a phishing-as-a-service (PhaaS) platform. The threat actor sends thousands of spoofed emails that lead to credential harvesting pages tailored to each victim’s email provider. The campaign employs advanced detection evasion techniques and abuses DNS infrastructure to dynamically generate targeted phishing content. This campaign shows signs of centralized management and ongoing development. READ MORE.


Ransomware Developments


Russian Ransomware Group Exploits Zero-Day Vulnerability in Microsoft Management Console

Researchers have uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework, named MSC EvilTwin (CVE-2025-26633, CVSS 7.0). This attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from infected systems. Organizations that heavily use Microsoft's administrative tools are particularly at risk, potentially facing data breaches and significant financial losses. READ MORE.


Vulnerabilities and Exploitation Attempts


Threat Actor Claims Oracle Cloud Breach Amid Conflicting Statements

A threat actor recently claimed to have breached Oracle Cloud’s login servers, offering for sale sensitive information including SSO and LDAP credentials, OAuth2 keys, and customer tenant data. Oracle, however, has publicly denied any breach, stating. Despite this, independent researchers were able to verify leaked files and link exposed data to real Oracle Cloud customer domains, suggesting a possible compromise of production systems. READ MORE.


Chrome Zero-Day Vulnerability Exploited in Espionage Campaign

Google has patched a high-severity zero-day vulnerability in Chrome that has been exploited in targeted attacks to bypass sandbox protections and deploy malware. The flaw is being actively used in an ongoing espionage campaign known as Operation ForumTroll, which targets Russian media, educational, and government entities through phishing emails disguised as forum invitations. READ MORE.


Mozilla Fixes Critical Privilege Escalation Flaw in Firefox for Windows

Mozilla has patched a critical vulnerability (CVE-2025-2857, CVSS 10.0) in Firefox and Firefox ESR for Windows that could allow attackers to escape the browser’s sandbox. The flaw affects both standard and Extended Support Release versions and is closely related to a recently exploited Chrome zero-day (CVE-2025-2783). The issue has been resolved in Firefox 136.0.4 and ESR versions 115.21.1 and 128.8.1. READ MORE.
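Because the fix lives on three separate branches, a naive "version >= 136.0.4" comparison would wrongly flag every patched ESR install as vulnerable. The script below is an added example, not code from the article or from Mozilla: it maps a reported Firefox version to the branch it belongs to and compares it against the fixed versions the summary above states (136.0.4, ESR 115.21.1, ESR 128.8.1). Treating major versions 115 and 128 as ESR and every other major as the rapid-release channel is an assumption of this script, as is the constructed host inventory in the demo; since the flaw affects Firefox for Windows, the inventory would in practice be the Windows fleet.

```python
"""Classify Firefox version strings as patched or not for CVE-2025-2857.

Added example (not from the original article). Fixed versions come from the
summary: 136.0.4 (release), 115.21.1 and 128.8.1 (ESR). Branch detection by
major version is an assumption of this script.
"""
import re

# Assumption: installs on major 115 or 128 are ESR; any other major is release.
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}
FIXED_RELEASE = (136, 0, 4)


def parse_version(text):
    """'115.21.1esr' -> (115, 21, 1); missing components are padded with 0."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fixed_version_for(version):
    """Return the first fixed version on the branch this version belongs to."""
    return FIXED_ESR.get(version[0], FIXED_RELEASE)


def is_patched(text):
    """True when the reported version is at or past its branch's fixed version."""
    version = parse_version(text)
    return version >= fixed_version_for(version)


def triage(inventory):
    """inventory: {hostname: version_string} -> sorted hostnames still unpatched."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory for the demo (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "136.0.4",
    "ws-02": "136.0.3",
    "ws-03": "128.8.1esr",
    "ws-04": "128.8.0esr",
    "ws-05": "115.21.1esr",
    "ws-06": "135.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CVE-2025-2857 update")
```

Note that a release-channel install older than 136 (for example 135.0) is reported as unpatched even though it is not on an ESR branch, because the only fix on that channel is 136.0.4; an inventory tool that fed the script an `esr` suffix would change nothing, since the branch is decided by the major number.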


Gain deeper Cyber Threat Intelligence insights

CyberProof’s CTI service offers comprehensive threat intelligence coverage, ensuring that your organization stays ahead of active threats that pose the greatest risk to your assets.

Our advanced CTI team investigates the threat landscape, providing you with detailed reports, related Indicators of Compromise (IOCs), technical recommendations, and MITRE ATT&CK mapping.

LEARN MORE ABOUT OUR CTI SERVICES.

