Cybersec Sentinel - Cybersec Sentinel

Cybersec Sentinel

Cybersec Sentinel: 30+ years of IT expertise, delivering clear, actionable cyber security insights.

Browser Notification Hijack via Matrix Push C2

Browser Notification Hijack via Matrix Push C2

Threat Group – Crimeware cluster similar to UNC5142 access brokers and web compromise crews using Matrix Push C2 Threat Type – Browser based C2 platform, phishing delivery system and malware loader sold as a MaaS service Exploited Vulnerabilities – Abuse of W3C Push API, Service Workers, notification prompts, clipboard and Run dialog through

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Xillen Stealer v5 Advanced Credential Theft and Loader Platform

Threat Group – Xillen Killers Threat Type – Information stealer and loader operating under a Malware as a Service model Exploited Vulnerabilities – Social engineering and opportunistic scanning for unpatched versions of Cisco AnyConnect, OpenVPN, FortiClient and Pulse Secure in order to access cached credentials Malware Used – Xillen Stealer version five using a

GootLoader New Evasion Methods Target Search Driven Workflows

GootLoader New Evasion Methods Target Search Driven Workflows

Threat Group – UNC2565 (also tracked as Storm-0494) Threat Type – Malware Loader and Initial Access Platform Exploited Vulnerabilities – No specific CVE confirmed. Campaign relies on SEO poisoning, compromised WordPress sites, archive format inconsistencies, Windows Script Host execution, and legacy filename behaviour. Malware Used – GootLoader, GootBot, secondary payloads such as Cobalt Strike

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Threat Group – Unknown actor likely a financially motivated Malware as a Service operator Threat Type – Remote Access Trojan and Malware as a Service Exploited Vulnerabilities – No specific CVEs publicly linked at time of writing. Built in UAC bypass and a Local Vulnerability Scanner enable dynamic post infection exploitation Malware Used

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

GlassWorm Self-Propagating Malware Compromises VS Code Extensions

Threat Group – Unknown (no confirmed attribution) Threat Type – Self-propagating software supply chain malware targeting VS Code and OpenVSX ecosystems Exploited Vulnerabilities – Abuse of trusted publisher credentials and the automated extension update pipeline; no CVE assigned for the platform itself Malware Used – GlassWorm loader and final-stage ZOMBI module (RAT with SOCKS

F5 Security Breach – Elevated Risk to Customers

Vulnerabilities

F5 Security Breach – Elevated Risk to Customers

Threat Group – Highly sophisticated nation state actor Threat Type – Data breach and supply chain compromise Exploited Vulnerabilities – Initial access vector undisclosed. CVE 2025 54500 is a separate HTTP2 data plane denial of service flaw, not the entry point for the breach. Malware Used – Not publicly disclosed Threat Score – 🔴 7.5

BatShadow launches Vampire Bot in fake job campaigns

BatShadow launches Vampire Bot in fake job campaigns

Threat Group – BatShadow Group Threat Type – Multi-stage info-stealer and remote access bot Exploited Vulnerabilities – Social engineering, Windows default “hide known file extensions,” LNK-launched encoded PowerShell, abuse of legitimate remote access software for persistence Malware Used – Vampire Bot (Go-compiled) Threat Score – 7.6 🔴 High — Multi-stage chain with LNK→PowerShell execution, behaviour-evasive

NET-STAR Backdoor Exploits IIS Modules for Persistent Access

NET-STAR Backdoor Exploits IIS Modules for Persistent Access

Threat Group – Phantom Taurus (China-linked APT) Threat Type – In-process web server backdoor for IIS (.NET managed and native module tradecraft) Exploited Vulnerabilities – ViewState abuse via compromised ASP.NET machineKey, insecure file write to application bin directory, misconfigured IIS extensibility, weak CI/CD controls, stolen deployment credentials (no CVEs assigned at

LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure

LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure

Threat Group – LockBit operators Threat Type – Ransomware as a Service Exploited Vulnerabilities – Exposed remote access services, unpatched internet facing infrastructure, valid credential reuse, weak virtualisation hardening Malware Used – LockBit 5.0 Windows Linux and ESXi variants Threat Score – 7.5 🔴 High – Cross platform impact with ESXi targeting, rapid encryption, and