CYFIRMA Research

CYFIRMA
  • 0.0 (0)
  • TECH NEWS
  • UPDATED WEEKLY

Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.

  1. 10H AGO

    CYFIRMA Research: CVE-2026-23760 – SmarterTools SmarterMail Authentication Bypass Vulnerability

    Critical Alert: CVE-2026-23760 – SmarterMail Pre-Auth Bypass Leading to Full System Compromise Organizations running SmarterTools SmarterMail email servers—widely deployed across SMBs, MSPs, educational institutions, and healthcare environments—must take immediate action. This actively exploited authentication bypass vulnerability allows unauthenticated attackers to reset system administrator passwords and gain complete control over email infrastructure without any credentials. ACTIVE EXPLOITATION CONFIRMED – Attacks began just 2 DAYS after patch release ~10000+ vulnerable instances identified globally Added to CISA's Known Exploited Vulnerabilities (KEV) catalog CVSS 9.8 Critical – Direct path to SYSTEM/root-level RCE Link to the Research Report: CVE-2026-23760 – SmarterTools SmarterMail Authentication Bypass Vulnerability - CYFIRMA #CyberSecurity #CVE202623760 #SmarterMail #AuthenticationBypass #ThreatIntel #ExternalThreatLandscapeManagement #VulnerabilityAlert #EmailSecurity #CriticalInfrastructure #CYFIRMA #CISA_KEV #RCE #PreAuthExploit https://www.cyfirma.com/

    8 min

  2. 2D AGO

    CYFIRMA Research- PlayCloak: A Play Store–Distributed Travel Utility Covertly Operating as a Financial Fraud and Cybercrime Platform

    Threat Research Alert | Android Loan Scam Our analysis uncovered an Android application, Hicas, distributed via the Google Play Store and marketed as a Smart Travel Packing Companion, which covertly operates as a region-targeted fraudulent loan platform. Key Findings: • Play Store app masquerading as a travel utility • Region-based cloaking activates loan flow on IN devices • Remote WebView delivers full lending workflow • Runtime behavior controlled via external JSON config • No app update required to alter logic or UI • Heavy obfuscation + XOR-based string decryption • Firebase FCM used for remote triggers/content • Excessive perms incl. contacts, camera, notifications • Explicit contact enumeration logic observed • Coercive repayment UI (urgency banners, coupons) • Offshore infra consistent with CN-linked loan ops • 500,000+ downloads, high potential user impact Link to the Research Report: PlayCloak: A Play Store–Distributed Travel Utility Covertly Operating as a Financial Fraud and Cybercrime Platform - CYFIRMA #CyberSecurity #MobileSecurity #AndroidMalware #LoanScam #PlayStore  #ThreatIntelligence #SeedSnatcher #ThreatAlert #CYFIRMA #CYFIRMAresearch https://www.cyfirma.com/

    5 min

  3. FEB 20

    CYFIRMA Research- Weaponized WinRAR Exploitation and Stealth Deployment of Fileless .NET RAT

    WinRAR CVE-2025-8088 is a path validation vulnerability that allows a crafted RAR archive to write files outside the intended extraction directory during unpacking. In the observed attack chain, this behavior is abused to silently drop a malicious script into the Windows Startup folder, establishing persistence without requiring administrative privileges or explicit execution by the user. Once triggered, execution continues through an obfuscated Batch script and a PowerShell loader, ultimately leading to in-memory execution of a .NET RAT, using process injection.  The key takeaway is that trusted software and normal user actions can be enough to achieve compromise. Monitoring archive extraction behavior and unexpected Startup folder writes is becoming increasingly important for detection. Link to the Research Report: Weaponized WinRAR Exploitation and Stealth Deployment of Fileless .NET RAT - CYFIRMA #CYFIRMA #CYFIRMAResearch #CyberSecurity #ThreatResearch  #MalwareAnalysis #CTI #WinRAR #CVE #ETLM  #ExternalThreatLandscapeManagement https://www.cyfirma.com/

    8 min

  4. FEB 9

    CYFIRMA Research- Mamba Phishing-as-a-Service Kit: How Modern adversary-in-the-middle (AiTM) Attacks Operate

    Mamba 2FA illustrates the evolution of phishing into highly automated adversary-in-the-middle attacks that can bypass traditional MFA by closely emulating legitimate cloud authentication experiences. As part of a broader phishing-as-a-service ecosystem, these tools enable scalable, low-effort campaigns with high impact across cloud environments. Addressing this threat requires MFA-resistant authentication, layered identity controls, and continuous monitoring of emerging phishing techniques. Link to the Research Report: Mamba Phishing-as-a-Service Kit: How Modern adversary-in-the-middle (AiTM) Attacks Operate - CYFIRMA #CyberSecurity #ThreatIntelligence #Phishing #AiTM #CloudSecurity  #MFABypass #DigitalRisk #CYFIRMA #CYFIRMAresearch  #ExternalThreatLandscapeManagement #ETLM https://www.cyfirma.com/

    6 min

  5. JAN 28

    CYFIRMA Research- SOLYXIMMORTAL: PYTHON MALWARE ANALYSIS

    Emerging Threat Model: SOLYXIMMORTAL Malware Recent analysis highlights how modern commodity malware continues to evolve by abusing legitimate system functionality rather than relying on exploits or vulnerabilities. The malware demonstrates how attackers can achieve persistent access, credential theft, and user surveillance entirely within the user space, leveraging trusted operating system features and third-party services. Key observations: User-level persistence via AppData and registry Run keysCredential extraction from browser stores using native OS APIsContext-aware surveillance through active window monitoring and screenshotsData exfiltration over legitimate platforms (e.g., Discord webhooks)No exploit chains or privilege escalation required Why this matters: These techniques evade many traditional security controls by blending into normal system behavior and trusted network traffic. When malware relies on standard scripting runtimes, user permissions, and widely used cloud services, detection becomes a behavioral problem, not a signature one. Effective defense requires visibility into user-space execution, browser credential access, and abuse of legitimate third-party services, alongside strong behavioral analytics. Link to the Research Report: SOLYXIMMORTAL : PYTHON MALWARE ANALYSIS - CYFIRMA #ThreatIntelligence #MalwareAnalysis #CyberSecurity #BlueTeam  #DetectionEngineering #OSINT #InfoSec #CYFIRMA #CYFIRMAresearch #ETLM #ExternalThreatLandscapeManagement https://www.cyfirma.com/

    7 min

  6. JAN 16

    CYFIRMA Research- Tracking Ransomware – December 2025

    Stay ahead with CYFIRMA’s December 2025 Ransomware Report. December marked the most active month of 2025 with 801 global ransomware victims, signaling a strong year-end escalation. Qilin surged to 175 victims, reinforcing its dominance, while Safepay and Sinobi posted sharp month-over-month growth, highlighting shifting group momentum. Ransomware operations increasingly adopted cartel-style, access-driven models, abusing trusted security tools, hypervisors, and enterprise file-sharing platforms to accelerate encryption and data-theft-only extortion.  The United States remained the primary target, followed by Western Europe, with expanding activity across Asia-Pacific and the Middle East. Professional services, manufacturing, IT, healthcare, and real estate were the most impacted sectors. Emerging groups like Nova continued to scale through data-centric extortion, signaling sustained threat expansion into 2026. Link to the Research Report: TRACKING RANSOMWARE : DEC 2025 - CYFIRMA #CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #Safepay   #Sinobi #Nova #DataExtortion #ExternalThreatLandscapeManagement https://www.cyfirma.com/

    3 min

  7. JAN 9

    CYFIRMA Research- Resurgence of Scattered Lapsus$ Hunters

    The threat landscape just got more complex. The Scattered LAPSUS$ Hunters-alliance has re-emerged, merging the tactics of notorious groups. This isn’t just a name change; it’s a shift toward professionalized, identity-centric extortion. What you need to know: High-Value Targets: Focused on enterprises with $500M+ revenue, specifically in Cloud, Telecom, and Finance.Identity is the Perimeter: They specialize in "logging in" rather than "hacking in," using advanced vishing (voice phishing) and insider recruitment to bypass MFA.ShinySp1d3r RaaS: The group is launching its own "extortion-as-a-service" platform, moving away from third-party ransomware.Sector Limits: They currently avoid healthcare and specific geopolitical regions (Russia/China), keeping their focus on high-yield corporate data.The takeaway? If your security relies solely on "traditional" MFA without monitoring for suspicious identity behaviour, you could be at risk. Link to the Research Report: https://www.cyfirma.com/research/resurgence-of-scattered-lapsus-hunters/ #CyberSecurity #ThreatIntel #ScatteredSpider #Lapsus #CISO #DataProtection #CYFIRMA #CYFIRMAresearch #ExtrnalThreatLandscapeManagement #ETLM https://www.cyfirma.com/

    8 min

  8. JAN 6

    CYFIRMA Research- APT36: Multi-Stage LNK Malware Campaign Targeting Indian Government Entities

    APT36 Targets Indian Entities Using Weaponized Windows Shortcut Files CYFIRMA has identified a coordinated cyber-espionage campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor persistently targeting Indian government entities and strategic sectors. This campaign highlights APT36’s evolving tradecraft, leveraging malicious Windows shortcut (.LNK) files and multi-stage payload delivery to stealthily compromise victim systems while masquerading as legitimate documents. This activity underscores APT36’s increasing technical maturity and continued emphasis on espionage-driven operations against Indian interests. Link to the Research Report: https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/ #CyberSecurity #ThreatIntel #APT36 #TransparentTribe #MalwareAnalysis  #IndianGovernment #LNKMalware #CyberEspionage #ThreatResearch  #CYFIRMA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM https://www.cyfirma.com/

    5 min
See All (282)

About

Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.

Information

  • Creator
    CYFIRMA
  • Years Active
    2023 - 2026
  • Episodes
    282
  • Rating
    Clean
  • Copyright
    © 2026 CYFIRMA Research
  • Show Website
    CYFIRMA Research