Evasion
Ransomware gangs turn to Shanya EXE packer to hide EDR killers
Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems. Packer services provide cybercriminals with specialized tools to package their payloads in a way that obfuscates malicious code to evade detection by most known security tools and antivirus engines. The Shanya packer […]
Crypto24 ransomware hits large orgs with custom EDR evasion tool
The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files. The threat group’s earliest activity was reported on GeekFeed forums in September 2024, though it never reached notable levels of notoriety. According to Trend Micro researchers tracking Crypto24’s operations, the hackers have hit several large organizations in the United […]
New EDR killer tool used by eight different ransomware groups
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on […]
New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations
A new post-exploitation command-and-control (C2) evasion method called ‘Ghost Calls’ abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. Ghost Calls uses legitimate credentials, WebRTC, and custom tooling to bypass most existing defenses and anti-abuse measures, without relying on an exploit. This new tactic was presented […]
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware
Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company. Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics. Darktrace reports […]
Android malware Konfety uses malformed APKs to evade detection
A new variant of the Konfety Android malware emerged with a malformed ZIP structure along with other obfuscation methods that allow it to evade analysis and detection. Konfety poses as a legitimate app, mimicking innocuous products available on Google Play, but features none of the promised functionality. The capabilities of the malware include redirecting users to […]
Hackers abuse leaked Shellter red team tool to deploy infostealers
Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software. The abuse has kept going for several months and even though security researchers caught the activity in the wild, Shellter did not receive a notification. […]
Godfather Android malware now uses virtualization to hijack banking apps
A new version of the Android malware “Godfather” creates isolated virtual environments on mobile devices to steal account data and transactions from legitimate banking apps. These malicious apps are executed inside a controlled virtual environment on the device, enabling real-time spying, credential theft, and transaction manipulation while maintaining perfect visual deception. The tactic resembles that seen in […]
Grinex exchange suspected rebrand of sanctioned Garantex crypto firm
A new cryptocurrency exchange named Grinex is believed to be a rebrand of Garantex, a Russian cryptocurrency exchange whose domains were seized by the U.S. authorities and an admin arrested. According to a new report by blockchain intelligence firm TRM Labs, Grinex shows strong ties to Garantex’s previous operations but has not determined if it’s […]
Linux ‘io_uring’ security blindspot allows stealthy rootkit attacks
A significant security gap in Linux runtime security caused by the ‘io_uring’ interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software. The flaw was discovered by ARMO security researchers who developed a proof-of-concept rootkit called “Curing” to demonstrate the practicality and feasibility of attacks leveraging io_uring for evasion. io_uring is a Linux […]