A new malware campaign abuses Azure Functions as a command and control backend. It uses a malicious ISO image with DLL side-loading for payload injection. The payload sends encrypted system metadata to an Azure-hosted server, profiling compromised hosts. The campaign spans multiple regions, with ongoing analysis uncovering advanced evasion and persistence techniques. https://lnkd.in/geAwKbGY
Malware uses Azure Functions as C2 backend
-
A strain of a cryptomining malware, first reported in June 2025, has evolved to target exposed Docker APIs. Akamai Technologies researchers say the new variant has also shifted focus towards setting up backdoors and persistence, along with efforts to block API access. (Story by Shweta Sharma) https://lnkd.in/ecPEpacR
-
Alert: Internet Archive Abused for Hosting Stealthy JScript Loader Malware: A novel malware delivery chain observed in recent weeks leverages the Internet Archive’s legitimate infrastructure to host obfuscated payloads. The attack begins with a seemingly innocuous JScript file delivered via malspam, which in turn invokes a PowerShell loader. This PowerShell script reaches out to the Internet Archive (archive.org) to retrieve a benign-looking PNG image that, upon closer inspection, houses a hidden .NET loader encoded within its pixel data. Read: https://lnkd.in/gY_yrMb9
-
🚨 NEW APP SECURITY ALERT:🚨 Shai-Hulud npm supply chain attack – 164 new compromised packages detected by JFrog Security Researchers. Following the recent compromise of the nx packages and another wave targeting popular packages, the npm registry was once again attacked - marking its 3rd large-scale attack in recent weeks. At the time of this post, JFrog’s malware scanners have identified 164 unique malicious npm packages across 338 infected versions, containing multiple variations of the same data-stealer payload. Learn more and see the full list of compromised packages in our blog: https://lnkd.in/gjwgJjEB
-
🚨 SECURITY ALERT: This is an active and unfolding attack. The largest npm compromise in history is currently underway, and it's a major wake-up call for the entire open-source ecosystem. The fact that a phishing attack on a developer's token could compromise 164 unique packages with a data-stealer payload is a stark reminder of the risks. Check the link for the full list of compromised packages and the latest updates.
-
A self-replicating malware is on the loose in the npm ecosystem. Over 180 packages and 700+ versions were compromised, leaking developer tokens, exposing private GitHub repos, and automatically publishing new malicious packages. This attack, called Shai-Hulud, is one of the most advanced supply chain threats we’ve seen in open source to date. Our security research team breaks down how it spreads, what’s at risk, and, most importantly, what you should do now.
-
Yet again, we see that if you've created a mechanism to monitor and archive SBOMs and dependencies, you are better equipped to mitigate bad stuff when it happens.
You’ve probably already heard about Shai-Hulud, the latest supply chain attack—a worm that drops data-stealing malware. It’s managed to compromise some big-name library distributors, including CrowdStrike and a few of the most widely used Angular packages. As of the past hour, 558 library versions have been flagged as infected, all running in production. We decided to get ahead of it and went on a quick “hunt.” The good news: we were able to let all our customers know tonight that their software isn’t pulling in any compromised dependencies. Win! When your systems are continuously scanned for dependencies by Scribe, answering a basic question like “Was I pwned?” becomes trivial. https://lnkd.in/dUknSec4
-
Sharing this important update on Shai-Hulud, the latest supply chain attack compromising hundreds of library versions across major distributors. This is exactly why we built Scribe: when your software supply chain is continuously monitored, a question like “Was I pwned?” can be answered in real time, with evidence. Within hours, we were able to notify our customers that none of their pipelines had pulled in compromised dependencies. That’s the power of continuous evidence, provenance verification, and policy-as-code guardrails in action. Supply chain threats aren’t slowing down. With AI-driven code growth and ever-expanding dependencies, continuous assurance is no longer optional. #SoftwareSupplyChain #ContinuousAssurance #DevSecOps #AppSec #WasIPwned
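The "Was I pwned?" question raised in the two Scribe posts above reduces, for a single repository, to matching the lockfile against a list of compromised package versions. The following is an added example, not code from Scribe, JFrog or any of the posts; the blocklist inside it is constructed for illustration and is not the real Shai-Hulud indicator list, which must be taken from the linked advisories. It reads the `packages` map of a lockfileVersion 2/3 `package-lock.json` (falling back to the v1 `dependencies` tree) so nested copies of a package are caught, not just top-level ones.

```python
"""Check an npm lockfile against a list of known-compromised package versions.

Added example, not code from any of the posts above or from JFrog or Scribe.
The blocklist below is constructed for illustration; it is NOT the real
Shai-Hulud indicator list, which must be taken from the linked advisories.
"""
import json

# Constructed blocklist: {package name: set of compromised versions}.
COMPROMISED = {
    "example-left-pad": {"1.3.1", "1.3.2"},
    "@acme/build-tools": {"4.0.7"},
}


def load_locked_packages(lock_text):
    """Return [(name, version)] for every package pinned in a package-lock.json string.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path,
    including nested node_modules) and falls back to the v1 "dependencies" tree.
    """
    lock = json.loads(lock_text)
    found = []
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:            # "" is the root project itself
                continue
            # Name is whatever follows the last "node_modules/", scope included.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                found.append((name, meta["version"]))
        return found

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                found.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def find_compromised(lock_text, blocklist=COMPROMISED):
    """Return a sorted list of 'name@version' strings present in both lockfile and blocklist."""
    hits = {
        f"{name}@{ver}"
        for name, ver in load_locked_packages(lock_text)
        if ver in blocklist.get(name, ())
    }
    return sorted(hits)


# Constructed sample lockfile (v3 shape): one clean package, two flagged,
# plus a nested copy of a listed package at a version that is not flagged.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-left-pad": {"version": "1.3.2"},
        "node_modules/@acme/build-tools": {"version": "4.0.7"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/lodash/node_modules/example-left-pad": {"version": "1.2.0"},
    },
})

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print("COMPROMISED:", hit)
```

Run it against each checked-in lockfile in CI and fail the build on any hit; matching on exact version rather than name alone matters because the same package is clean at every other version.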
-
HybridPetya is a ransomware variant resembling Petya/NotPetya, capable of compromising UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not observed in active campaigns, its advanced capabilities warrant close monitoring by security teams. ESET recently reported on HybridPetya. Check out our blog for more info and PolySwarm’s HybridPetya samples. https://lnkd.in/eE7eQ5EN #HybridPetya #Ransomware #Petya #NotPetya #UEFI #SecureBoot #FirmwareSecurity #Bootkit #CVE20247344 #Cybersecurity #InfoSec #ThreatIntel #ThreatResearch #ThreatHunting #Malware #MalwareAnalysis #DFIR #BlueTeam #IncidentResponse #SOC #CTI #ESET #PolySwarm #Web3Security #NCT
-
📣 ⚠️ WinRAR Faces Actively Exploited Zero-Day Vulnerability A critical zero-day flaw (CVE-2025-8088) in the widely used WinRAR archive utility has been actively exploited by attackers using malicious archive files to gain code execution on Windows systems. This vulnerability enables a path traversal attack that could drop malware onto compromised systems. The issue has been patched in WinRAR version 7.13, but as WinRAR doesn’t auto-update, users must manually install the patch. 🛡️ Update to WinRAR 7.13 now to block active attacks. 🔗 https://lnkd.in/giAmvR9e 📅 Published by The Hacker News | August 11, 2025 #XplicitTech #CyberSecurity #WinRAR #ZeroDay #PatchNow #SoftwareSecurity #ThreatAlert
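The post above describes the bug class (an archive entry whose name escapes the extraction directory) without showing the check an extractor needs. The following is an added example, not WinRAR's code and not derived from the CVE-2025-8088 fix; it shows the general entry-name validation any extractor should apply before writing a file, including the Windows-specific cases (backslash separators, drive letters, NTFS alternate data streams) relevant to the Windows hosts the post concerns. The entry names at the bottom are constructed samples.

```python
"""Reject archive entry names that would escape the extraction directory.

Added example, not WinRAR's code and not derived from the CVE-2025-8088 fix;
it shows the general check an extractor should apply to every entry name
before writing. Windows rules (drive letters, backslashes, NTFS alternate
data streams) are included because the post concerns Windows hosts.
"""
import posixpath
import re

_WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:")


def is_safe_entry_name(name):
    """Return True if `name` can only land inside the extraction directory."""
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators, as Windows extractors do.
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return False                         # absolute or UNC (//server/share) path
    if _WINDOWS_DRIVE.match(norm):
        return False                         # C:... style
    # "file.txt:stream" names an NTFS alternate data stream; no portable
    # archive needs a colon in an entry name, so reject it outright.
    if ":" in norm:
        return False
    # Collapse "." and ".." and reject anything that climbs above the root.
    collapsed = posixpath.normpath(norm)
    if collapsed == ".." or collapsed.startswith("../"):
        return False
    return True


def safe_target(extract_root, name):
    """Return the full target path, or None if the entry must be skipped."""
    if not is_safe_entry_name(name):
        return None
    joined = posixpath.normpath(posixpath.join(extract_root, name.replace("\\", "/")))
    root = posixpath.normpath(extract_root)
    # Final check on the resolved path, independent of the name-level rules.
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


# Constructed entry names, the kind an extractor sees in an archive listing.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "../../Users/Public/evil.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.lnk",
    "C:/Windows/Temp/x.exe",
    "report.pdf:payload.exe",
    "a/b/../c.txt",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry!r:90} -> {safe_target('/tmp/extract', entry)}")
```

The two-stage design is deliberate: the name-level rules give a clear reason to log for each rejected entry, while the resolved-path comparison catches anything the name rules miss.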
-
I just read about a new malware strain targeting exposed Docker APIs, and it’s a serious wake-up call for anyone working with containerized environments. Discovered in August 2025, this attack goes far beyond simple cryptomining. It exploits misconfigured Docker daemons (commonly exposed on port 2375) to spin up malicious containers, gain privileged access, and then establish persistent SSH root access. What’s unique is how it doesn’t just compromise a system — it also locks out competing attackers by closing the very Docker API port it used to get in. Researchers even found it deploying reconnaissance tools like masscan and torsocks, suggesting the potential for botnet-style expansion. Reflecting on this, it really underscores the shared responsibility of security in cloud-native environments. Misconfigurations are often the “open doors” attackers need, and once they’re inside, persistence techniques like adding SSH keys make recovery much harder. For me, this is another reminder that secure-by-default setups, strict API access controls, and continuous monitoring are non-negotiable in today’s landscape. As always, I have left the link below for anyone who would like to read the article. #cybersecurity #blueteam https://lnkd.in/dbzcz5Kq
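The Akamai-sourced post earlier on this page and the post directly above describe the same Docker-API campaign: a daemon reachable over plaintext TCP (port 2375), a container started with enough privilege to reach the host filesystem, and an SSH key written for root. An audit that flags exactly those conditions, as an added example serving both posts and not code from Akamai or either author: it reads a `daemon.json` document and `docker inspect` records. Both inputs below are constructed samples, and the list of sensitive host paths is an assumption chosen for illustration.

```python
"""Flag Docker hosts and containers with the properties the Docker-API
campaign relies on: a TCP-exposed daemon without TLS, and containers that
are privileged, share the host PID namespace, or bind-mount sensitive host
paths (the route to planting an SSH key in the host's root account).

Added example, not code from Akamai or from either post above; the daemon
config and `docker inspect` records below are constructed samples.
"""
import json

DOCKER_API_PORT = "2375"   # plaintext Docker API port named in the post
# Assumed list for illustration; "/" is handled separately below.
SENSITIVE_HOST_PATHS = ("/root", "/etc", "/var/run/docker.sock")


def _is_sensitive(src):
    """True for the host root or anything at or under a listed path."""
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_daemon_config(daemon_json_text):
    """Return findings for a /etc/docker/daemon.json document."""
    cfg = json.loads(daemon_json_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                                   # unix:// sockets are local-only
        addr = host[len("tcp://"):]
        port = addr.rsplit(":", 1)[-1] if ":" in addr else ""
        if not cfg.get("tlsverify"):
            findings.append(f"API on {host} without tlsverify: anyone who can reach it is root")
        elif port == DOCKER_API_PORT:
            findings.append(f"API on {host}: TLS is on but the plaintext port is used")
    return findings


def audit_container(inspect_record):
    """Return findings for one element of `docker inspect` output (a dict)."""
    findings = []
    name = inspect_record.get("Name", "?").lstrip("/")
    host_cfg = inspect_record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: Privileged=true (full access to host devices)")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: PidMode=host (can nsenter the host)")
    for bind in host_cfg.get("Binds", []):
        src = bind.split(":", 1)[0]
        if _is_sensitive(src):
            findings.append(f"{name}: host path {src} mounted (bind {bind})")
    return findings


def audit_host(daemon_json_text, inspect_records):
    """Combine daemon-level and container-level findings for one host."""
    findings = audit_daemon_config(daemon_json_text)
    for rec in inspect_records:
        findings.extend(audit_container(rec))
    return findings


# Constructed daemon.json: local socket plus the plaintext TCP listener.
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

# Constructed `docker inspect` records, trimmed to the fields the audit reads.
SAMPLE_INSPECT = [
    {"Name": "/miner-x", "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/hostfs:rw"]}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/helper", "HostConfig": {"Binds": ["/root/.ssh:/mnt/ssh"]}},
]

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_DAEMON_JSON, SAMPLE_INSPECT):
        print("FINDING:", finding)
```

On a live host, feed it `cat /etc/docker/daemon.json` and `docker inspect $(docker ps -aq)`; the corrected daemon setting is `tlsverify: true` with `tlscacert`/`tlscert`/`tlskey` on port 2376, or no `tcp://` entry at all.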