Npav Lab

Threat actors use in-memory PE loaders to download and run malicious executables (e.g., RATs) via Windows APIs like VirtualAlloc and LoadLibraryA, evading file-based EDR like Microsoft Defender/Sophos. Learn the technique's steps, red team success, and need for memory/behavioral defenses.

Microsoft's September 2025 Patch Tuesday updates disrupt SMBv1 connectivity over NetBT in Windows 11/10 and Servers (2022/2025), exposing legacy risks like EternalBlue/WannaCry. Learn affected systems, security dangers, PowerShell fixes, and migration tips to SMBv2/3.

Since August 2024, BankBot.Remo variants use WebSocket chunked downloads on spoofed Google Play pages to deliver malware as fake payment/identity apps like IdentitasKependudukanDigital.apk; over 100 Alibaba/Gname domains evade filters—monitor WebSockets and block C2 for defense.

TA415 (APT41) uses Google Sheets, Calendar, and VS Code Remote Tunnels for stealthy C2 in spearphishing attacks targeting U.S. policy entities on trade/sanctions. From July-August 2025, WhirlCoil loader evades detection; evolve defenses with cloud anomaly monitoring.

CISA details threat actors exploiting CVE-2024-36401 in GeoServer for initial access to a U.S. federal network on July 11, 2024, using webshells, dirtycow escalation, and lateral movement—undetected until July 31. Key lessons: Immediate KEV patching, enhanced IR plans, and continuous EDR monitoring.

Average breakout time drops to 18 minutes (June-August 2025, per ReliaQuest), fueled by automation and Oyster malware's abuse of rundll32.exe for DLL loading via scheduled tasks. Learn about Gamarue USB attacks, AI-driven malvertising, and defenses like behavioral monitoring.

The npm package "fezbox" (alias janedu) disguises as a JS/TS utility library but hides credential-stealing code in a Cloudinary QR image. Discovered by Socket Threat Research, it uses reversed strings and obfuscation to evade detection—learn risks and defenses like CI/CD scanning and zero-trust dependencies.

Malicious fake online speedtest tools, uncovered September 21, 2025, use obfuscated JavaScript, Node.js, and Inno Setup to exfiltrate system data to C2 servers like cloud.appusagestats[.]com. Learn about XOR-encoded commands, execution risks, and key mitigations like EDR and app whitelisting.

Rajya Sabha MP Sudha Murty faces cyber scam call impersonating Telecom Ministry, alleging obscene video misuse and Aadhaar linking threats. FIR under IT Act filed in Bengaluru; police trace fraudster amid rising "digital arrest" tactics targeting high-profile figures.

Iranian threat group Nimbus Manticore (UNC1549) targets job seekers with phishing via fake recruitment sites mimicking Boeing and Airbus, delivering evasive malware like MiniJunk and MiniBrowse. Explore tactics, expansion to Western Europe, and essential mitigations for defense and telecom sectors.