Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer
Summary:
A DNS hijacking campaign tracked as Detour Dog has been used to compromise an estimated 30,000 websites and silently deliver the Strela infostealer to site visitors. The attackers altered DNS records for vulnerable hosting providers and content delivery configurations so that legitimate sites resolved to attacker-controlled infrastructure. Visitors to those sites were then served malicious JavaScript that fingerprinted browsers and pushed Strela payloads designed to harvest credentials, cookies, and stored form data. The campaign focused on high-traffic and niche sites to maximize reach while keeping individual compromises quiet, which helped the campaign evade rapid detection for an extended period. In addition to direct credential theft, Strela’s capabilities include scraping browser-stored payment details and session tokens, enabling subsequent account takeover and fraud at scale. The operation combined infrastructure manipulation with supply-chain tactics, exploiting weak DNS controls and lax hosting configurations to convert trusted web properties into distribution points.
Analyst comments:
This attack highlights how attackers are weaponizing fundamental internet services, not just vulnerable web applications. By subverting DNS and hosting controls, Detour Dog can turn many otherwise healthy websites into one-off delivery vehicles for malware without leaving the noisy signs of bulk phishing. The browser-side injection is difficult to detect because the initial landing pages are genuine and the malicious activity lives only inside client-side scripts. Firms that outsource DNS management or use shared hosting have to consider chain-of-trust attacks: a compromise at one provider can spread to thousands of downstream customers and sites. Defenders also need to understand the business model involved. The operators blend opportunistic distribution with patient reconnaissance, which suggests a profitable venture built on harvesting huge amounts of reusable credentials rather than a single payment.
Mitigation:
- Audit and harden DNS and hosting provider accounts by enforcing multi-factor authentication, using provider-specific security controls, and rotating management credentials regularly.
- Implement DNS monitoring and alerting for unexpected record changes and use automated validation to detect unauthorized zone edits.
- Employ Subresource Integrity (SRI), content security policies, and strict script whitelisting to limit the impact of injected client-side code.
- Use endpoint protection with browser behavior analysis to detect and block credential-stealing activity and unusual outbound connections.
- Work with content delivery and security partners to maintain rapid takedown and remediation workflows when supply-chain or DNS compromises are discovered.
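A minimal DNS drift check of the kind the monitoring bullet calls for, as an added example that is not code from the Infoblox or Hackread write-ups: it compares a saved baseline of a zone's records with a later snapshot and reports every added or removed value. Both snapshots here are constructed with documentation-range addresses; in practice the observed snapshot would be refreshed on a schedule from an authoritative-server query (dig, dnspython or the provider's API).

```python
"""Detect DNS record drift against a known-good baseline.
Added example; zone snapshots are constructed. OBSERVED would in practice
be refreshed from an authoritative-server or provider-API query.
"""
from collections import defaultdict

# Approved snapshot of the zone's records (constructed, documentation IPs).
BASELINE = """
example.com.        A      203.0.113.10
example.com.        NS     ns1.example-dns.net.
example.com.        NS     ns2.example-dns.net.
www.example.com.    CNAME  example.com.
cdn.example.com.    CNAME  assets.example-cdn.net.
"""

# Later snapshot: the apex A record now points elsewhere and an extra NS
# appeared, the pattern a hijacked zone would show (constructed).
OBSERVED = """
example.com.        A      198.51.100.7
example.com.        NS     ns1.example-dns.net.
example.com.        NS     ns2.example-dns.net.
example.com.        NS     ns.rogue-nameserver.invalid.
www.example.com.    CNAME  example.com.
cdn.example.com.    CNAME  assets.example-cdn.net.
"""

def parse_records(text):
    """Parse 'name type value' lines into {(name, type): {values}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        name, rtype, value = parts
        records[(name.lower(), rtype.upper())].add(value.lower())
    return records

def diff_records(baseline, observed):
    """List every value added to or removed from any (name, type) set."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        old = baseline.get((name, rtype), set())
        new = observed.get((name, rtype), set())
        findings += [("ADDED", name, rtype, v) for v in sorted(new - old)]
        findings += [("REMOVED", name, rtype, v) for v in sorted(old - new)]
    return findings

def check_zone(baseline_text, observed_text):
    """Return drift findings; an empty list means the zone matches baseline."""
    return diff_records(parse_records(baseline_text), parse_records(observed_text))

if __name__ == "__main__":
    for action, name, rtype, value in check_zone(BASELINE, OBSERVED):
        print(f"ALERT {action:7} {name} {rtype} {value}")
```

Any non-empty result is worth an alert; a changed apex A record or an unexpected NS is exactly the kind of edit that redirects visitors without touching the site itself.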
Source:
https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
_______________________________________________________________________
Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning about a new cyber campaign deploying the previously unknown backdoor “CABINETRAT,” which is being distributed through malicious ZIP archives sent over Signal messenger. The archives contain weaponized XLL add-ins, a common tactic in financially motivated and espionage campaigns, that deliver the backdoor once executed. CABINETRAT is designed to exfiltrate files, capture system data, and provide remote command execution, granting attackers persistent access to infected machines. CERT-UA has linked the operation to threat actors suspected of targeting both Ukrainian government organizations and private companies. The campaign reflects a broader trend of attackers abusing trusted communication platforms like Signal to evade detection and bypass traditional email security filters. Early reports suggest that CABINETRAT’s operators are experimenting with multiple infection vectors and evolving techniques to improve persistence and evade signature-based defenses.
Analyst comments:
Use of Signal for initial delivery is a novel strategy that sidesteps traditional email-based detection. By exploiting trust in end-to-end encrypted messaging applications, attackers are able to evade perimeter controls and use social engineering to trick victims into opening spear-phishing documents. Use of XLL add-ins is particularly notable because the majority of companies allow Excel add-ins for business purposes, which leaves an attractive vector with relatively low visibility. CABINETRAT's feature set implies a convergence of financial and espionage interests, complicating attribution. This activity is one instance of a broader trend in which attackers chain messaging apps, business software features, and custom backdoors into end-to-end attack chains. For defenders, relying solely on legacy malware signatures or spam filtering will not be enough.
Mitigation:
- Restrict or disable XLL add-in execution within Microsoft Excel unless specifically required for business use.
- Train users on the risks of opening files from messaging apps, even if they appear to come from trusted contacts.
- Deploy behavior-based endpoint detection capable of flagging backdoor activity, such as unusual command execution or outbound C2 traffic.
- Monitor for unauthorized use of Signal or other messaging platforms as vectors for file delivery in enterprise environments.
- Establish rapid reporting and incident response workflows for suspicious file-based activity delivered outside normal email channels.
Source:
https://thehackernews.com/2025/10/ukraine-warns-of-cabinetrat-backdoor.html
_______________________________________________________________________
North Korea’s IT Workers Expand Beyond US Big Tech
Summary:
Okta Threat Intelligence’s recent research reveals that North Korea’s IT worker (ITW) scheme now spans nearly every global industry that hires remote technical talent, not just U.S. technology companies. Their analysis of over 130 identities linked to DPRK facilitators and more than 6,500 job interviews across 5,000 companies shows that half of the targeted entities were outside the tech sector and over a quarter were based outside the United States. These actors infiltrate organizations by posing as legitimate remote workers, often progressing through multiple interviews and even post-onboarding activities. Their efforts are supported by identity fraud, skilled facilitators, and a “scatter-gun” approach to global job applications.
Over the past five years, North Korea has mobilized thousands of workers into neighboring countries to secure illicit employment, generating significant revenue for the regime and, in some cases, enabling data theft and extortion. Okta notes increasing evidence that the ITW operation has evolved into a dual-use campaign: while primarily focused on wage generation, some actors exploit access for espionage and ransomware activity. Industries such as finance, healthcare, AI development, public administration, and professional services have all been targeted, alongside traditional technology roles.
Analyst comments:
Okta’s research shows that North Korea’s IT worker program has grown well beyond a simple money-making operation. It now functions as a coordinated effort to quietly place skilled operatives inside companies across multiple industries. These workers are trained, organized, and capable of passing as legitimate remote employees, often with well-prepared resumes and convincing technical skills. The campaign reflects a long-term strategy by the DPRK to bypass international sanctions, generate revenue, and position itself to collect sensitive data or disrupt operations if needed. This shift highlights how hiring processes, especially for remote or contract roles, have become a key entry point for threat actors. Organizations should strengthen identity verification, background checks, and sanctions screening to reduce the risk of inadvertently employing DPRK-linked workers.
Mitigation:
Okta Threat Intelligence assesses that organizations across all verticals, particularly those advertising remote or contract roles, should adopt a layered and proactive approach to recruitment, onboarding, and insider-threat monitoring. Okta recommends:
1. Strengthen applicant identity verification
- Require verifiable government-issued ID checks at multiple stages of recruitment and employment.
- Cross-check stated locations with IP addresses (including VPN usage detection), time-zone behaviour, and payroll banking information.
- Use accredited third-party services to authenticate identity documents, prior employment, and academic credentials.
2. Tighten recruitment and screening processes
- Train HR and recruiters to identify red flags. Encourage processes that would identify whether a candidate is swapped out between rounds of interviews. Teach them to identify behavioural cues such as poor knowledge of the area they claim to reside in, a refusal to meet in person, a refusal to turn on camera or remove background filters during interviews, or interviewing using a very poor internet connection. Identify duplicated résumés, inconsistent timelines, mismatched time zones and unverifiable references. Assess the candidate’s online footprint and social media presence against the information provided. Where evidence of previous work is provided, investigate whether these projects were simply cloned from the repositories of legitimate user profiles.
- Verify the history of edits to CVs and PDFs in document metadata and other technical “tells” associated with duplication and reuse.
- Add structured technical and behavioural verification (live coding or writing performed under recruiter observation).
- Require corporate email references (not free webmail) and confirm via outbound call to the main switchboard numbers of the reference organization.
3. Enforce role-based and segregated access controls
- Default new or contingent workers to least-privilege profiles and unlock additional access once probationary checks are complete.
- Segment development, testing and production; require peer review and approval workflows for code merges and deployments.
- Monitor for anomalous access patterns (large data pulls, off-hours logins from unexpected geos/VPNs, credential sharing).
4. Monitor contractors and third-party service providers
- Where possible, contractually mandate ongoing identity verification standards, background checks, strong authentication policies, device-security baselines and rights to audit.
- Require named-user accounts (no shared logins or internal service accounts where possible) and separate tenant/project access for each client environment.
5. Implement insider-threat and security awareness programs
- Establish a dedicated insider-risk function or at least a working group spanning HR, Legal, Security, and IT.
- Provide targeted training for recruiters, hiring managers, and technical leads on ITW tradecraft and screening controls.
- Educate and empower hiring managers and staff to observe and report unusual behaviour by their peers that raises questions about their identity, goals, or location.
- Create safer reporting channels for suspicious behaviour or candidate concerns.
6. Coordinate with law enforcement and industry peers
- Share indicators of compromise and suspicious candidate patterns with national cybercrime units and ISAC/ISAO groups.
- Develop methods for the “insider-risk” group to receive and action indicators (email addresses, IP addresses, VPN providers, document creation, and behavioural indicators) and be prepared to “share back” relevant findings.
- Actively participate in information-sharing forums to track evolving ITW tactics and tooling.
7. Conduct regular risk assessments and red-team exercises
- Model insider and malicious contractor attack paths; quantify potential business impact.
- Perform red team exercises that test the hiring pipeline (simulated DPRK application and interviews) to assess identity verification processes.
- Update incident response plans to include scenarios involving malicious insiders, compromised contractors, and expedited access revocation.
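A check for the access-pattern signals in steps 1 and 3 (stated location versus sign-in geo, VPN use, off-hours logins, bulk data pulls), as an added example that is not Okta's code: it scores a remote worker's identity-provider sign-ins against what the worker declared at onboarding. The contractor profile and sign-in events are constructed, and a fixed UTC offset stands in for the worker's stated time zone.

```python
"""Review a remote worker's sign-in activity against the location and working
hours declared at hiring. Added example, not Okta's code; PROFILE and EVENTS
are constructed, and a UTC offset stands in for a real time-zone lookup.
"""
from datetime import datetime, timedelta, timezone

# Constructed contractor profile as captured during onboarding.
PROFILE = {"user": "contractor01", "country": "US", "utc_offset_hours": -5}

# Constructed identity-provider sign-ins: (UTC timestamp, country, via VPN, MB pulled).
EVENTS = [
    ("2025-10-06T14:05:00", "US", False, 12),
    ("2025-10-07T03:40:00", "US", True, 8),     # 22:40 local, through a VPN
    ("2025-10-07T09:15:00", "KZ", False, 900),  # unexpected geo, bulk download
    ("2025-10-08T15:30:00", "US", False, 30),
]

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 in the worker's stated zone
LARGE_PULL_MB = 500

def local_hour(ts_utc, offset_hours):
    """Hour of day in the worker's stated zone for a UTC ISO timestamp."""
    dt = datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=offset_hours))).hour

def flags_for(event, profile):
    """Return the list of review flags one sign-in trips (empty if clean)."""
    ts, country, vpn, mb = event
    flags = []
    if country != profile["country"]:
        flags.append("geo_mismatch")
    if vpn:
        flags.append("vpn")
    if local_hour(ts, profile["utc_offset_hours"]) not in BUSINESS_HOURS:
        flags.append("off_hours")
    if mb >= LARGE_PULL_MB:
        flags.append("large_pull")
    return flags

def review(events, profile):
    """Map event index -> flags for every sign-in the insider-risk group should see."""
    return {i: f for i, e in enumerate(events) if (f := flags_for(e, profile))}

if __name__ == "__main__":
    for idx, flags in review(EVENTS, PROFILE).items():
        print(f"{PROFILE['user']} event {idx}: {', '.join(flags)}")
```

A single flag is common for genuine staff; several on one session, or a repeated pattern across sessions, is the signal worth escalating.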
Source:
https://www.okta.com/newsroom/articles/north-korea-s-it-workers-expand-beyond-us-big-tech/
_______________________________________________________________________
Olymp Loader: A new Malware-as-a-Service written in Assembly
Summary:
Olymp Loader is a new Malware-as-a-Service offering that surfaced on underground forums and Telegram in June 2025, marketed by a developer known as “OLYMPO.” Initially introduced as a botnet, it has since evolved into a loader and crypter platform built entirely in assembly language. Olymp Loader is promoted as Fully UnDetectable (FUD) and has gained quick traction among low- to mid-tier cybercriminals due to its ease of use, regular feature updates, and marketing on major underground forums such as Hackforums, BHF, and Lolz Guru. Its advertised capabilities include executing other malware, embedding stealer modules for browsers, Telegram, and cryptocurrency wallets, employing deep XOR encryption, and using anti-analysis and privilege escalation techniques to evade detection. OLYMPO and their small team, claiming over ten years of experience in assembly development, have positioned Olymp as a full crimeware ecosystem, with modules supporting 32- and 64-bit payloads, .NET, and Java. The malware frequently abuses legitimate software names like Node.js, PuTTY, OpenSSL, and Zoom to disguise infections and gain user trust. Infection chains have been traced through GitHub repositories, Pay-Per-Install (PPI) campaigns, and fake software downloads. Post-infection, Olymp Loader has delivered well-known malware such as LummaC2, WebRAT, QuasarRAT, and Raccoon Stealer, with nearly half of all deployments focused on credential theft.
Analyst comments:
Since August 2025, Olymp Loader’s focus has shifted more toward crypter functionality, offering unique shellcode customization and automated certificate signing for added stealth. The developers maintain an active presence on Telegram to advertise updates, provide customer support, and share samples on VirusTotal to demonstrate the loader’s claimed undetectability. The platform’s evolution reflects a growing trend of MaaS services lowering technical barriers for attackers by bundling loaders, stealers, and crypters into turnkey tools for fast monetization. Olymp Loader highlights the ongoing professionalization of the underground cybercrime economy, where developers now market their tools with product roadmaps, technical articles, and customer support channels. The project’s rapid growth, combined with consistent feature updates and a focus on anti-analysis, shows a maturing ecosystem designed to attract paying clients and sustain long-term operations.
Mitigation:
Defenders should watch for early indicators of Olymp Loader infection, such as suspicious PowerShell executions creating persistence in %AppData% or %Startup%, or binaries masquerading as well-known software. Given its modular nature and use as a delivery vehicle for infostealers and RATs, detection efforts should focus on loader behavior, network exfiltration attempts, and connections to known Olymp infrastructure or proxy URLs. Monitoring underground forums and Telegram channels for Olymp-related activity can also provide valuable early warning before new variants are deployed at scale.
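Detection logic for the two early indicators named above (PowerShell writing persistence into %AppData% or the Startup folder, and binaries masquerading as Node.js, PuTTY, OpenSSL or Zoom outside their install directories), as an added example that is not Outpost24's code. The process-creation records are constructed in a simple "image_path|command_line" form, standing in for an EDR export.

```python
"""Flag Olymp Loader early indicators in process-creation records:
PowerShell persistence under %AppData%/Startup and trusted-name binaries
running from untrusted paths. Added example; EVENTS are constructed.
"""
import ntpath

LOOKALIKE_NAMES = {"node.exe", "putty.exe", "openssl.exe", "zoom.exe"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
PERSIST_HINTS = ("startup", "appdata", "currentversion\\run")
WRITE_VERBS = ("copy-item", "move-item", "set-content", "out-file", "new-item",
               "invoke-webrequest", "set-itemproperty", "-outfile")

# Constructed records: "image_path|command_line".
EVENTS = [
    "powershell.exe|-nop -w hidden Copy-Item $env:TEMP\\upd.exe "
    "\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\node.exe\"",
    "C:\\Program Files\\nodejs\\node.exe|--version",
    "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\node.exe|",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\openssl.exe|",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|Get-Process",
]

def classify(event):
    """Return the indicator names this event trips (empty list if clean)."""
    image, _, cmdline = event.partition("|")
    image_l, cmd_l = image.lower(), cmdline.lower()
    name = ntpath.basename(image_l)
    hits = []
    # Rule 1: PowerShell writing something into a user-level persistence location.
    if name in ("powershell.exe", "pwsh.exe"):
        if any(h in cmd_l for h in PERSIST_HINTS) and any(v in cmd_l for v in WRITE_VERBS):
            hits.append("powershell_persistence")
    # Rule 2: a well-known product name running from outside its expected path.
    if name in LOOKALIKE_NAMES and not image_l.startswith(TRUSTED_PREFIXES):
        hits.append("masquerading_binary")
    return hits

def scan(events):
    """Map event index -> indicators for every event worth a closer look."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(f"event {idx}: {', '.join(hits)} -> {EVENTS[idx][:70]}")
```

Rule 2 will also flag portable copies of the real tools run from Downloads, so treat it as a triage signal to pair with file hash and signer checks rather than a block rule on its own.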
Source:
https://outpost24.com/blog/olymp-loader-a-new-malware-as-a-service/
_______________________________________________________________________
Silent Smishing: The Hidden Abuse of Cellular Router APIs
Summary:
A report by Sekoia’s Threat Detection & Research (TDR) team details a widespread smishing campaign across Europe where threat actors are weaponizing industrial cellular routers to distribute malicious SMS messages containing phishing URLs. The TDR team confirmed this exploitation has been ongoing since at least February 2022. The attacks exploit a systemic weakness in Milesight Industrial Cellular Routers, where a Shodan search revealed over 19,000 exposed devices, with 572 allowing unauthenticated access to their SMS APIs, often due to outdated firmware. Attackers leverage these routers as a decentralized infrastructure solely for sending smishing messages, complicating detection and takedown efforts.
Belgium has been the primary and most consistently targeted nation, with smishing lures impersonating well-known Belgian government platforms such as CSAM (Belgium’s official authentication portal) and eBox (Belgium’s centralized digital mailbox), and lure text written in both Dutch and French. For instance, a July 2025 lure impersonated eBox, urging victims to submit their tax declaration. France, Sweden, and Italy also experienced large-scale campaigns impersonating institutions such as Ameli and various banking services. The attackers’ infrastructure frequently relies on domains registered through NameSilo and hosted on Podaon SIA, a Lithuanian VPS provider. Technical analysis uncovered additional artifacts, including obfuscated scripts, Telegram bot logging, and infrastructure continuity, that link the operation to the "Grooza cluster," an existing phishing operation.
Analyst comments:
Sekoia warns that this campaign highlights the potential impact of low-barrier smishing operations that weaponize simple, high-volume attack infrastructure, since it can be scaled globally to serve an adversary’s operations. The use of over 500 routers with unauthenticated SMS APIs as throwaway phishing platforms is highly effective at evading traditional EDR detections. The primary targeting of key national platforms in Belgium (CSAM, eBox) confirms a focus on large-scale identity and credential theft for access to privileged data. Organizations are advised to urgently upgrade industrial router firmware and enforce strict API authentication, as the TDR team predicts that this highly scalable method of weaponizing simple, strategic equipment will be exploited in future campaigns.
Mitigation:
IOCs are available here.
Users should be cautious of unsolicited messages, especially those containing shortened or suspicious URLs, spelling or grammatical errors, or urgent calls to action. Awareness and scepticism are among the most effective defences against smishing attempts, which increasingly target both individuals and organizations on a global scale.
Source:
https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/