Windows - Cybersec Sentinel

Windows

A collection of 20 posts

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Atroposia RAT Redefines Remote Access Malware-as-a-Service

Threat Group – Unknown actor likely a financially motivated Malware as a Service operator Threat Type – Remote Access Trojan and Malware as a Service Exploited Vulnerabilities – No specific CVEs publicly linked at time of writing. Built in UAC bypass and a Local Vulnerability Scanner enable dynamic post infection exploitation Malware Used

NET-STAR Backdoor Exploits IIS Modules for Persistent Access

NET-STAR Backdoor Exploits IIS Modules for Persistent Access

Threat Group – Phantom Taurus (China-linked APT) Threat Type – In-process web server backdoor for IIS (.NET managed and native module tradecraft) Exploited Vulnerabilities – ViewState abuse via compromised ASP.NET machineKey, insecure file write to application bin directory, misconfigured IIS extensibility, weak CI/CD controls, stolen deployment credentials (no CVEs assigned at

LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure

LockBit 5.0 Variant Expands Attacks on Windows Linux and Virtual Infrastructure

Threat Group – LockBit operators Threat Type – Ransomware as a Service Exploited Vulnerabilities – Exposed remote access services, unpatched internet facing infrastructure, valid credential reuse, weak virtualisation hardening Malware Used – LockBit 5.0 Windows Linux and ESXi variants Threat Score – 7.5 🔴 High – Cross platform impact with ESXi targeting, rapid encryption, and

Sandworm Launches Stealth Attack with PathWiper Malware Against Ukraine’s Critical Networks

Sandworm Launches Stealth Attack with PathWiper Malware Against Ukraine’s Critical Networks

Threat Group: Sandworm (APT44 / Seashell Blizzard / Iridium / Voodoo Bear) Threat Type: Wiper Malware Exploited Vulnerabilities: Abuse of legitimate endpoint administration frameworks (initial access suspected via phishing, credential harvesting, or exploitation of edge infrastructure) Malware Used: PathWiper Threat Score: 🔥 Critical (9.1/10) – Due to targeted data destruction across infrastructure, stealthy

EDDIESTEALER Infostealer Targets Windows Systems with Fake CAPTCHA Campaigns

EDDIESTEALER Infostealer Targets Windows Systems with Fake CAPTCHA Campaigns

Threat Group: Unknown Threat Type: Infostealer Malware Exploited Vulnerabilities: None (Relies on social engineering and fake CAPTCHA delivery) Malware Used: EDDIESTEALER Threat Score: 🔴 High (7.8/10) – Due to its novel Rust implementation, evasive delivery methods, and rapid credential exfiltration techniques. Last Threat Observation: May 30, 2025 Overview EDDIESTEALER is

DefenderNot Tool Disables Microsoft Defender Using Taskmgr Injection and WSC Abuse

DefenderNot Tool Disables Microsoft Defender Using Taskmgr Injection and WSC Abuse

Threat Group: Independent Researcher "es3n1n" Threat Type: Defense Evasion / Security Bypass Utility Exploited Vulnerabilities: None (Abuse of undocumented WSC API functionality) Malware Used: None (Standalone Tool with modular components) Threat Score: 🔴 High (7.3/10) – Due to DLL injection into Taskmgr.exe, WSC spoofing, and reliable persistence mechanisms

Active Exploitation of NTLM Hash Theft in Windows via CVE-2025-24054

Vulnerabilities

Active Exploitation of NTLM Hash Theft in Windows via CVE-2025-24054

Threat Group: Unattributed (suspected infrastructure overlap with APT28); prior similar CVE exploited by UAC-0194 and Blind Eagle (APT-C-36) Threat Type: NTLM Hash Theft, Relay Attack Vector Exploited Vulnerabilities: CVE-2025-24054 (NTLM Hash Disclosure via .library-ms), variant of CVE-2024-43451 Malware Used: None directly tied; secondary payloads possible (RATs, e.g., SparkRAT in

Credential Theft and MBR Wipe Drive Severe Impact Rating for Neptune RAT

Credential Theft and MBR Wipe Drive Severe Impact Rating for Neptune RAT

Threat Group – Individuals using the aliases ABOLHB and Rino, operating as the Mason Team / FreeMasonry group and distributing the malware through a freemium Malware‑as‑a‑Service model. Threat Type – Remote Access Trojan with credential theft, ransomware, destructive wipe, and clipboard hijacking plug‑ins. Exploited Vulnerabilities – Social‑engineering of users

PipeMagic Trojan and the Zero-Day Exploits Targeting Windows CLFS

PipeMagic Trojan and the Zero-Day Exploits Targeting Windows CLFS

Threat Group: Storm-2460 Threat Type: Modular Malware, Zero-Day Exploitation, Ransomware Deployment Exploited Vulnerabilities: CVE-2025-29824 (CLFS Use-After-Free), CVE-2025-24983 (Win32k Use-After-Free), CVE-2023-28252 (CLFS Out-of-Bounds Write) Malware Used: PipeMagic Trojan Threat Score: 8.4/10 – 🔴 High (due to exploitation of multiple zero-days, advanced evasion techniques, and association with ransomware families like RansomEXX and