Author: Bill Toulas

The Black Basta ransomware operation created an automated brute-forcing framework dubbed ‘BRUTED’ to breach edge networking devices like firewalls and VPNs. The framework has enabled Black Basta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints. The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang’s leaked internal chat logs. Throughout 2024 there were several reports of large-scale brute-forcing and password-spray attacks against such devices, some of which might be linked to BRUTED or operations of similar origin.

Automating brute-forcing

Büyükkaya says Black Basta has been using the automated BRUTED platform since…


Microsoft has reinstated the ‘Material Theme – Free’ and ‘Material Theme Icons – Free’ extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn’t actually malicious. The two VSCode extensions, which count over 9 million installs, were pulled from the VSCode Marketplace in late February over security risks, and their publisher, Mattia Astorino (aka ‘equinusocio’) was banned from the platform. “A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us,” stated a Microsoft employee at the time. “Our…


Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others. The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms. The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of…
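A quick way to tell whether a host's FreeType falls in the range Facebook's advisory describes, added here as an example and not taken from the article or the FreeType project: it assumes the affected range is 2.13.0 and earlier (with 2.13.1 and later treated as fixed), reads the installed version through `pkg-config --modversion freetype2`, and keeps the comparison in its own function so any version string can be checked offline.

```shell
#!/bin/sh
# Added example (not from the article): classify a FreeType version string
# against the CVE-2025-27363 affected range. Assumption: 2.13.0 and earlier
# are affected, anything newer is fixed.

# Return 0 (true) when "$1" is 2.13.0 or older, 1 otherwise.
# Versions are compared as major*1000000 + minor*1000 + patch so that
# "2.9.1" sorts below "2.13.0" (a plain string comparison would not).
freetype_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}                       # "2.13" means 2.13.0
    n=$((major * 1000000 + minor * 1000 + patch))
    last_affected=$((2 * 1000000 + 13 * 1000 + 0))
    [ "$n" -le "$last_affected" ]
}

# Ask pkg-config for the system library version and report on it.
# Exit status: 0 affected, 1 not affected, 2 could not determine.
check_system_freetype() {
    if ! command -v pkg-config >/dev/null 2>&1; then
        echo "pkg-config not found; cannot query FreeType version" >&2
        return 2
    fi
    ver=$(pkg-config --modversion freetype2 2>/dev/null) || {
        echo "freetype2 is not registered with pkg-config" >&2
        return 2
    }
    if freetype_affected "$ver"; then
        echo "FreeType $ver: in the affected range for CVE-2025-27363; upgrade to 2.13.1 or later"
        return 0
    fi
    echo "FreeType $ver: not in the affected range"
    return 1
}

# Usage: sh ft_check.sh check   (only runs the system query when asked, so
# the file can also be sourced for the functions alone)
if [ "${1:-}" = "check" ]; then
    check_system_freetype
fi
```

The system query only tells you about the library pkg-config knows about; applications that bundle their own FreeType (game engines, static builds, Android apps) need to be checked separately.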


A new Android spyware named ‘KoSpy’ is linked to North Korean threat actors who have infiltrated Google Play and the third-party app store APKPure through at least five malicious apps. According to Lookout researchers, the spyware is attributed to the North Korean threat group APT37 (aka ‘ScarCruft’). The campaign has been active since March 2022, and newer samples show the malware is still under active development. The spyware campaign primarily targets Korean- and English-speaking users by disguising itself as file managers, security tools, and software updaters. The five apps Lookout identified are 휴대폰 관리자 (Phone Manager), File Manager (com.file.exploer), 스마트 관리자 (Smart Manager), 카카오 보안…
