لرن سرا

دسته: هسته اصلی سیستم‌عامل

  • How Seqrite Endpoint Protection Blocks Bots, Scripts, and Malware


    In today’s hyper-connected digital world, the cybersecurity landscape is shifting dramatically. Gone are the days when cyberattacks primarily relied on human intervention. We’re now facing a new breed of silent, swift adversaries: non-human threats. These automated entities—bots, malicious scripts, and sophisticated malware—are designed to operate at machine speed, exploiting vulnerabilities, bypassing traditional defenses, and often remaining undetected until significant damage has occurred. So, how do you defend against something you can’t see, something that moves faster than human reaction? The answer lies in intelligent, automated endpoint security. Enter Seqrite Endpoint Protection (EPP), your robust shield against these invisible invaders. Available for both cloud-based and on-premise deployments, Seqrite EPP is engineered with cutting-edge technologies specifically designed to identify and neutralize these stealthy, non-human threats.

    Understanding the Enigma: What Exactly Are Non-Human Cyber Threats?

    When we talk about “non-human cyber threats,” we’re referring to automated programs and code snippets that launch attacks without requiring direct human interaction. These include:

    • Bots: Automated programs designed to perform repetitive tasks at scale. Think credential stuffing attacks where bots try thousands of username/password combinations, or Distributed Denial of Service (DDoS) attacks that flood a server with traffic.
    • Malicious Scripts: These are pieces of automated code, often hidden within legitimate-looking files or web pages, designed to exploit system weaknesses, exfiltrate sensitive data, or spread malware across your network.
    • Exploit Kits: These are sophisticated toolkits that automatically scan systems for unpatched vulnerabilities and then deploy exploits to gain unauthorized access or deliver payloads like ransomware.

    The key characteristic of these threats is their autonomy and speed. They operate under the radar, making traditional, reactive security measures largely ineffective. This is precisely why proactive, automated detection and prevention mechanisms are absolutely critical for modern businesses.

    Seqrite Endpoint Protection: Your Multi-Layered Defense Against Automation

    Seqrite’s EPP doesn’t just offer a single line of defense; it deploys a comprehensive, multi-layered security framework. This framework is specifically engineered to detect and block automation-driven threats using a powerful combination of intelligent rule-based systems, behavioral analysis, and advanced AI-powered capabilities.

    Let’s dive into the key features that make Seqrite EPP a formidable opponent against non-human threats:

    1. Advanced Device Control: Many non-human threats, especially scripts and certain types of malware, are delivered via external devices like USB drives. Seqrite’s Advanced Device Control enforces strict usage policies, allowing you to define what devices can connect to your endpoints and how they can be used. By controlling storage, network, and wireless interfaces, you effectively close off a major entry point for automated attacks.
    2. Application Control with Zero Trust: Imagine only allowing approved applications and scripts to run on your systems. That’s the power of Seqrite’s Application Control. By implementing a Zero Trust model, it blocks unknown or unapproved applications and scripts from executing. Through meticulous allowlisting and blocklisting, only trusted applications can operate, making it incredibly effective against stealthy automation tools that attempt to execute malicious code.
    3. Behavior-Based Detection (GoDeep.AI): This is where Seqrite truly shines. Leveraging cutting-edge AI and machine learning, GoDeep.AI continuously monitors endpoint activity to identify abnormal and suspicious behaviors that indicate a non-human threat. This includes detecting:
      • Repetitive access patterns: A hallmark of bots attempting to brute-force accounts or scan for vulnerabilities.
      • Scripted encryption behavior: Instantly flags the tell-tale signs of ransomware encrypting files.
      • Silent data exfiltration attempts: Catches automated processes trying to siphon off sensitive information. The system doesn’t just detect; it actively stops suspicious activity in its tracks before it can cause any harm.
    4. Intrusion Detection & Prevention System (IDS/IPS): Seqrite’s integrated IDS/IPS actively monitors network traffic for known exploit patterns and anomalous behavior. This robust system is crucial for blocking automation-based threats that attempt to infiltrate your network through known vulnerabilities or launch network-based attacks like port scanning.
    5. File Sandboxing: When a suspicious file or script enters your environment, Seqrite doesn’t let it run directly on your system. Instead, it’s whisked away to a secure, isolated virtual sandbox environment for deep analysis. Here, the file is allowed to execute and its behavior is meticulously observed. If it exhibits any malicious traits—like attempting to mimic user behavior, access restricted resources, or encrypt files—it’s immediately flagged and stopped, preventing any potential damage to your actual endpoints.
    6. Web Protection & Phishing Control: Many non-human threats, particularly bots and sophisticated malware, rely on communication with remote command-and-control (C2) servers. Seqrite’s Web Protection proactively blocks:
      • Access to known malicious domains.
      • Phishing sites designed to steal credentials.
      • Unauthorized web access that could lead to malware downloads.
      • Crucially, it cuts off botnet callbacks, effectively severing the communication lines between bots and their command centers, rendering them inert.

    Enhancing Your Defense: Essential Supporting Features

    Beyond its core capabilities, Seqrite Endpoint Protection is bolstered by a suite of supporting features that further strengthen your organization’s resilience against non-human threats and beyond:

    Feature Benefit
    Patch Management Automatically identifies and fixes software vulnerabilities that bots and scripts often exploit to gain entry. Proactive patching is key to prevention.
    Firewall Provides a critical layer of defense by filtering unauthorized network traffic and blocking communication with known botnet IP addresses.
    Data Loss Prevention (DLP) Prevents automated data theft by monitoring and controlling data in transit, ensuring sensitive information doesn’t leave your network without authorization.
    Centralized Log Management Offers a unified view of security events, allowing for rapid detection and auditing of unusual or suspicious behaviors across all endpoints.
    Disk Encryption Management Safeguards your data by encrypting entire disks, stopping automated decryption attempts even if data is stolen, and protecting against ransomware.

     

    The Future of Endpoint Security: Why Non-Human Threat Detection is Non-Negotiable

    As we move deeper into 2025 and beyond, cyber threats are becoming increasingly automated, sophisticated, and often, AI-driven. Relying on traditional, signature-based security solutions is no longer enough to match the speed, stealth, and evolving tactics of automation-based attacks.

    Seqrite Endpoint Protection is built for this future. It leverages intelligent automation to effectively combat automation—blocking bots, malicious scripts, advanced ransomware, and other non-human threats before they can execute and wreak havoc on your systems and data.

    Final Takeaway: Don’t Let Invisible Threats Compromise Your Business

    In a world where cyberattacks are increasingly executed by machines, your defense must be equally advanced. With its comprehensive suite of features—including cutting-edge device and application control, AI-driven behavioral detection (GoDeep.AI), robust network-level protection, and secure sandboxing—Seqrite Endpoint Protection ensures your endpoints remain locked down and secure.

    Whether your organization operates with a cloud-first strategy or relies on a traditional on-premise infrastructure, Seqrite provides the adaptable and powerful security solutions you need.

    Ready to Fortify Your Defenses?

    It’s time to upgrade your endpoint security and protect your organization from both human-initiated and the ever-growing wave of non-human cyber threats.

    Explore how Seqrite can secure your business today. Request a Free Trial or Schedule a Demo.

     



    Source link

  • Chinese Telecom Targeted by VELETRIX & VShell Malware

    Chinese Telecom Targeted by VELETRIX & VShell Malware


    Contents

    • Introduction
    • Initial Findings
    • Infection Chain.
    • Technical Analysis
      • Stage 0 – Malicious ZIP File.
      • Stage 1 – Malicious VELETRIX implant.
      • Stage 2 – Malicious V-Shell implant.
    • Hunting and Infrastructure.
    • Attribution
    • Conclusion
    • Seqrite Protection.
    • IOCs
    • MITRE ATT&CK.

    Authors: Subhajeet Singha and Sathwik Ram Prakki

    Introduction

    Seqrite Labs APT-Team has recently found a campaign, which has been targeting the Chinese Telecom Industry. The campaign is aimed at targeting China Mobile Tietong Co., Ltd. which is a well-known subsidiary of China Mobile, one of the major telecom companies in China. The entire malware ecosystem involved in this campaign is based on usage of VELETRIX malware and VShell malware a very well-known adversary simulation tool, which is also known for widely being adopted by threat actors from China to target various western entities in-the-wild.

    In this blog, we will explore the technical sophistication of the campaign, we encountered during our analysis. We will examine the various stages of this campaign, starting with deep dive into the initial infection stage to implants used in this campaign, ending with a final overview covering the campaign.

    Initial Findings

    Recently, on 13th of May, our team found a malicious ZIP file, which surfaced both on various sources like VirusTotal, where ZIP file has been used as preliminary source of infection, containing multiple EXE and DLLs inside the ZIP folder. The same file was also found by other threat researchers the very same day.

    The ZIP contains an interesting executable file known as 2025 China Mobile Tietong Co., Ltd. Internal Training Program is about to launch, please register as soon as possible.exewhich loads a bunch of interesting DLLs such as drstat.dll and much more. Then, we decided to look into the workings of these bunch of files.

    Infection Chain

    Technical Analysis

    We will break down analysis into three different parts, starting with looking into the malicious ZIP attachment, followed by malicious Veletrix implant and then we will look into some brief analysis into the VShell malware.

    Stage 0 – Malicious ZIP File.

    Initially, we found a malicious ZIP file, known as 附件.zip, also known as attachment.zip. Upon, looking into the contents of the ZIP file.

    We found a set of interesting EXE and DLL and XML files, amongst them most of them were legitimately Microsoft Signed binaries, whereas some of them had have code-signing certificate by Shenzhen Thunder Networking Technologies Ltd , while an interesting DLL file drstat.dll which is often associated with WonderShare RepairIt software.

    Upon confirming from an official website of Wondershare Repairit , we can confirm that an executable known as drstat.exe which have been renamed and packaged thrice with three different names, which are:

    • China Mobile Limited’s 2025 internal training program is about to begin. Please register as soon as possible.
    • Uninstall.
    • Registration-link.

    Next, we decided to confirm further that, either Wondershare does sign the actual binary, which is officially available from their website.

    Finally, we could confirm, that the threat entity used the same file, which is available for download from Wondershare’s official website. Looking into this code-signing maneuver from Wondershare, and post-analyzing this malicious we can confirm that the threat actor used DLL-Sideloading against the target to launch the implant, which we have decided to term as VELETRIX .

    Before, diving into the next section, we also confirm that the other code signing certificate packed into this compressed executable by ‘Shenzhen Thunder Networking Technologies Ltd’ has frequently been associated with malicious executables in various reports and discussions as abused by Chinese-origin threat entities.

    Stage 1 – Malicious VELETRIX Implant.

    Initially, looking into the implant, we figured out a few basic information about the implant, that is it is a 64-bit binary along with which it contains a few interesting export functions. Next, we will focus on the code analysis of this malicious implant.

    Upon checking into all the exports, out of all the exports, we found dr_data_stop to be the one containing interesting malicious code.

    Initially, the implant starts with a little anti-analysis trick, which uses a combination of Sleep & Beep Windows API, which basically runs inside a do-while loop, which basically runs inside a do-while loop that delays execution for ~10 seconds and plays a Beep noise to evade automated sandbox analysis. The loop sleeps for 1 second and beeps 10 times, this entire mechanism is caused to delay the analysis of the analyst or confuse the automated sandbox.

    This technique leverages NtDelayExecution at the system level – Beep internally call NtDelayExecution, which accepts a “DelayInterval” parameter specifying milliseconds to delay. When executed, NtDelayExecution pauses the calling thread, which causes sandbox timeouts or loss of debugger control making it a not so harmful, yet effective anti-sandbox technique. The Beep API is particularly clever because it serves dual purposes: creating execution delays through its internal NtDelayExecution calls while also generating audio artifacts that may trigger different behavior in analysis environments or alert researchers to active code execution.

    Then, it moves ahead with loading kernel32.dll , further once the DLL is being loaded using LoadLibraryA, once the DLL is loaded, further GetProcAddress is used to resolve some interesting set of APIs, which are VirtualAllocExNuma, VirtualProtect & EnumCalendarInfo.

    Similarly, it loads the ADVAPI32.dll and once the DLL is loaded, it resolves using the same technique, which are SystemFunction036, HeapAlloc and HeapFree.

    Finally, the ntdll.dll is loaded, and an interesting Windows API is resolved which is known as RtlIpV4StringToAddressA.

    Next, this malicious loader, uses a technique called IPFuscation, which basically converts the malicious shellcode into a list of IPV4 address.

    Further, a while-loop along with using the RtlIpv4StringToAddressA API is used to decode the obfuscated shellcode, which is done by converting the ASCII IP string to binary, where the binary further executes as a shellcode.

    Once the shellcode is extracted in form of binary, then VirtualAllocExNuma API is used to allocate a fresh memory block with only Read & Write permission into the current process.

    Now, once the memory is allocated, further using a simple XOR operation, the encoded blob which was de-obfuscated from the IpFuscation technique via the windows API, is used to further decode via XOR-operation and copied to the allocated memory.

    Then, it uses VirtualProtect to change the memory protection of the allocated memory to Execute-Read-Write.

    Then, finally, it uses a slightly innovative technique of shellcode execution via callback function, that is by using EnumCalendarInfoA API to execute the shellcode. This technique leverages the fact that EnumCalendarInfoA expects a callback function pointer as a parameter – the malware passes its shellcode address as this callback, causing Windows to unknowingly execute the malicious code when the API tries to call what it thinks is a legitimate calendar enumeration function, whereas in our case the shellcode, which is basically an windows implant of the VShell OST framework, is being executed.

    Finally, we can conclude that the Veletrix implant which performs code injection via callback mechanism. In, the next section, we will look into the Vshell implant, which is pretty well known, and look into the workings of it.

    Stage 2 – Malicious Vshell Implant.

    Well, VShell, is pretty well-known cross-platform OST framework developed in Golang, initially developed by a researcher, which was later taken-down mysteriously as mentioned in multiple research blogs by various researchers who have tracked various campaigns such as UNC5174 and similar have been used by threat actors originating from Chinese geosphere.

    As mentioned, in the previous section VELETRIX loads this windows implant into memory. Looking inside the file, we found that the specific implant, which have been dropped goes by the name tcp_windows_amd64.dll .As, this framework is well-researched, we will only look into the key-artefacts and more of a basic overview of the implant.

    Upon, looking into the implant, we have multiple functionalities of this implant such as connect, send, receive which is used to interact with the operator. All these functions use underlying code from multiple Windows APIs from WinSock library.

    Further, analyzing we uncovered the command-and-control server along with an import config I.e., the salt which is qwe123qwe . In, the next section, we will look into further, hunting and infrastructural artefacts.

    Hunting and Infrastructure.

    Upon looking into the previous implants, we hunted and found some interesting artefacts.

    Based on the analysis and extraction of the salt used in the campaign mentioned in this research, we found a total number of 44 implants, using the exact similar salt, that is qwe123qwe. Along, with that as Vshell is a cross-platform tool, we found, multiple EXEs, ELF, DLLs both signed and unsigned.

    We, also found a few samples whose C2s range from multiple locations such as US, Hong Kong and much more, along with which, we found that a few samples out of 44 implants using same salt, have co-relations with the APT group Earth Lamia which has targeted Indian entities in few cases. While, upon hunting, we also found, that a lot of similar implants, have multiple overlaps with UNC5174’s campaign abusing ScreenConnect CVE-2024-1709 reported by researchers.

    Now, looking into the infrastructural overlaps, the similar indicator has been attributed to the cluster of China-Nexus-State-Sponsored threat actor which have been abusing CVE-2025-31324 to target SAP NetWeaver Visual Composer.

    We also found that on the same infrastructure, a login-based webpage has been hosted which is related to the Asset Lighthouse System — an open-source asset discovery and reconnaissance platform developed by Tophant Competence Center (TCC). It is primarily used for mapping external attack surfaces by identifying exposed IPs, domains, ports, and web services. Therefore, we decided to pivot using these artefacts and found few interesting overlaps.

    Post-pivoting, we discovered multiple malicious webservers with similar port-configurations such as running ASL over port 5003, have had hosted Cobalt Strike and SuperShell, which have been known as go-to implants used by UNC5174 aka Uteus and along with that we also uncovered multiple webservers with similar port-configurations related to Earth Lamia.

    Well, the last but not the least, we also saw that the command-and-control server, has also been hosting Cobalt Strike to be used against the targets making it the second post-exploitation framework used by this threat entity.

    Attribution.

    Through analysis of implant usage and overlapping infrastructure patterns, we identified the threat actor leveraging VELETRIX, a relatively new loader designed to execute VShell in memory. Although VShell was initially released as an open-source project and later taken down by its original developer, it has since been widely abused by China-aligned threat groups.

    Further threat hunting revealed similar behavioral patterns that align with known activity from UNC5174 (Uteus) and Earth Lamia, as recently documented by researchers. The current infrastructure associated with this actor exhibits consistent use of tools such as SuperShell, Cobalt Strike, VShell, and the Asset Lighthouse System—an open-source platform for asset discovery and reconnaissance. These tools have previously been attributed to various China-based APT clusters and observed actively deployed in-the-wild (ITW).

    Given the technical and infrastructural overlaps, we assess with high confidence that this threat actor is part of threat entity belong to China-Nexus cluster.

    Conclusion.

    Upon carefully researching the campaign, we found that the China-nexus threat entity which we have termed as Operation DRAGONCLONE has been using DLL-Sideloading technique against Wondershare Recoverit software, along with loading VELETRIX DLL implant, which uses interesting techniques such as anti-sandbox, IPFuscation technique along with callback technique to execute Vshell malware, along with having multiple overlaps with UNC5174 and Earth Lamia and the recent campaign have been active since March 2025.

    Seqrite Protection.

    IOCs

    SHA-256 Filenames
    40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4 \附件.zip
    ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0 drstat.dll
    645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992 drstat.exe
    ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc tcp_windows_amd64.dll
    bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7 mscoree.dll
    2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112 tcp_windows_amd64.exe
    a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a memfd:a(deleted)

     

     

    IP/Domains

    IP
    62.234.24.38
    47.115.51.44
    47.123.7.206

    MITRE ATT&CK

    Tactic Technique ID Technique Name Sub-technique ID Sub-Technique Name
    Reconnaissance T1595 Active Scanning T1595.002 Vulnerability Scanning
    Reconnaissance T1588 Obtain Capabilities T1588.002 Tool
    Initial Access T1566 Phishing T1566.001 Spear phishing Attachment
    Execution T1204 User Execution T1204.002 Malicious File.
    Persistence
    Defense Evasion T1140 Deobfuscate/Decode Files or Information
    Defense Evasion T1574 Hijack Execution Flow T1574.001 DLL
    Defense Evasion T1027 Obfuscation Files or Information T1027.007 Dynamic API Resolution
    Defense Evasion T1027 Obfuscation Files or Information T1027.013 Encrypted/Encoded File
    Defense Evasion T1055 Process Injection
    Defense Evasion T1497 Virtualization/Sandbox Evasion T1497.003 Time Based Evasion
    Discovery T1046 Network Service Discovery

     



    Source link

  • Rethinking Design: Why Privacy Shouldn’t Be an Afterthought

    Rethinking Design: Why Privacy Shouldn’t Be an Afterthought


    As organizations continue to embrace digital transformation, how we think about personal data has changed fundamentally. Data is no longer just a by-product of business processes; it is often the product itself. This shift brings a pressing responsibility: privacy cannot be treated as an after-the-fact fix. It must be part of the architecture from the outset.

    This is the thinking behind Privacy by Design. This concept is gaining renewed attention not just because regulators endorse it but also because it is increasingly seen as a marker of digital maturity.

    So, what is Privacy by Design?

    At a basic level, Privacy by Design (often abbreviated as PbD) means designing systems, products, and processes with privacy built into them from the start. It’s not a tool or a checklist; it’s a way of thinking.

    Rather than waiting until the end of the development cycle to address privacy risks, teams proactively factor privacy into the design, architecture, and decision-making stages. This means asking the right questions early:

    • Do we need to collect this data?
    • How will it be stored, shared, and eventually deleted?
    • Are there less invasive ways to achieve the same business goal?

    This mindset goes beyond technology. It is as much about product strategy and organizational alignment as it is about encryption or access controls.

    Why It’s Becoming Non-Negotiable

    The global regulatory environment is a key driver here. GDPR, for instance, formalized this approach in Article 25, which explicitly calls for “data protection by design and by default.” However, the need for privacy by design is not just about staying compliant.

    Customers today are more aware than ever of how their data is used. Organizations that respect that reality – minimizing collection, improving transparency, and offering control – tend to earn more trust. And in a landscape where trust is hard to gain and easy to lose, that’s a competitive advantage.

    Moreover, designing with privacy in mind from an engineering perspective reduces technical debt. Fixing privacy issues after launch usually means expensive rework and rushed patches. Building it right from day one leads to better outcomes.

    Turning Principles into Practice

    For many teams, the challenge is not agreeing with the idea but knowing how to apply it. Here’s what implementation often looks like in practice:

    1. Product & Engineering Collaboration

    Product teams define what data is needed and why. Engineering teams determine how it’s collected, stored, and protected. Early conversations between both help identify red flags and trade-offs before anything goes live.

    1. Embedding Privacy into Architecture

    This includes designing data flows with limitations, such as separating identifiers, encrypting sensitive attributes at rest, and ensuring role-based access to personal data. These aren’t just compliance tasks; they are innovative design practices that also improve security posture.

    1. Privacy as a Default Setting

    Instead of asking users to configure privacy settings after onboarding, PbD insists on secure defaults. If a feature collects data, users should have to opt in, not find a buried toggle to opt out.

    1. Periodic Reviews, Not Just One-Time Checks

    Privacy by Design isn’t a one-and-done activity. As systems evolve and new features roll out, periodic reviews help ensure that decisions made early on still hold up in practice.

    1. Cross-Functional Awareness

    Not every developer needs to be a privacy expert, but everyone in the development lifecycle—from analysts to QA—should be familiar with core privacy principles. A shared vocabulary goes a long way toward spotting and resolving issues early.

    Going Beyond Compliance

    A common mistake is to treat Privacy by Design as a box to tick. However, the organizations that do it well tend to treat it differently.

    They don’t ask, “What’s the minimum we need to do to comply?” Instead, they ask, “How do we build responsibly?”

    They don’t design features and then layer privacy on top. They create privacy into the feature.

    They don’t stop at policies. They create workflows and tooling that enforce those policies consistently.

    This mindset fosters resilience, reduces risk, and, over time, becomes part of the organization’s culture. In this mindset, product ideas are evaluated for feasibility and market fit and ethical and privacy alignment.

    Final Thoughts

    Privacy by Design is about intent. When teams build with privacy in mind, they send a message that the organization values the people behind the data.

    This approach is very much expected in an era where privacy concerns are at the centre of digital discourse. For those leading security, compliance, or product teams, the real opportunity lies in making privacy a requirement and a differentiator.

    Seqrite brings Privacy by Design to life with automated tools for data discovery, classification, and protection—right from the start. Our solutions embed privacy into every layer of your IT infrastructure, ensuring compliance and building trust. Explore how Seqrite can simplify your privacy journey.

     



    Source link

  • Trapped by a Call: Understanding the Digital Arrest Scam

    Trapped by a Call: Understanding the Digital Arrest Scam


    Digital Arrest Scam:

    It all starts with a phone call that seems routine at first—measured, official-sounding, and unexpectedly serious. On the other end is someone claiming to represent a government body, calmly accusing you of crimes you’ve never committed—drug trafficking, money laundering, or something just as alarming. They mention your name, address, and other personal details with unnerving accuracy, making the whole exchange feel disturbingly real. This is the unsettling face of what is now known as the “digital arrest” scam—a new and fast-evolving form of cyber fraud that feeds fear and trust.

     

    Data Aquisition:

    Scammers are capitalizing on massive data breaches to obtain IMSI numbers and SIM details, leveraging Home Location Register data to create meticulously crafted victim profiles. This precise profiling lends digital arrest scams an air of authenticity, making them disturbingly plausible. The April 2024 BoAt breach exposed a staggering 7.5 million customers’ data, including names and contact information, which subsequently surfaced on the dark web. Similarly, Hathway’s system was compromised via a Laravel vulnerability, resulting in the leak of sensitive customer data, including Aadhaar numbers, passport details, and KYC documents. As this personal data circulates, the threat of identity theft and targeted scams becomes increasingly palpable.


    PHYSICAL DATA SUBMISSION and LOCAL LEAKS:

    You submit your passport, it gets digitized and stored without proper security. Later, those exact documents are emailed back to you with fake police letterheads, claiming they were found in a drug bust. It’s a terrifying scam, turning your own physically submitted, insecurely stored data into a weapon used to threaten and coerce you.

    Medium of Communication:

    Scammers hit you via voice calls, spoofing numbers to look like “Delhi Police” or “Govt of India” with high-pressure scripts. They also use video calls on platforms like WhatsApp or Zoom, complete with fake police station backgrounds and uniforms to appear legitimate. Beyond that, watch out for fake SMS with tricky links, and especially emails impersonating government domains with forged court summons or FIRs attached—often even showing your own leaked ID. It’s all designed to look incredibly official and scare you into compliance.

    FAKE KYC UPDATES

    FAKE ARREST WARRANT MAILED TO VICTIM

        

    Payment Reference Number is always unique to a transaction !

    PAN Updating!! Must Come from Income Tax Authority, India

     

    Different Age Groups Victims of the Scam:

    Scammers target all ages, but differently. Elderly folks often fall victim due to less familiarity with cyber tricks and more trust in digital authority. Young adults and students are hit hard too, fearing career defamation, especially since their strong social media presence makes their digital footprints easy to trace. Finally, working professionals are exploited through fears of job loss or social humiliation, playing on their reputation.

    Common Payment Methods and Measures to Claim Authentic Payment:

    Scammers ensure payment authenticity by mimicking well-known Indian bank gateways, even accepting card or UPI details. They go as far as buying valid SSL certificates for that “secure lock” icon. Plus, they manipulate domain names with typosquatting, making fake sites look almost identical to real government URLs. It’s all designed to trick you into believing their payment methods are legitimate.

    It’s  a Fake Website:  Non- Government Email Address

    cscsarkaripariksha[@]gmail[.]com    info[@]sarkaripariksha[.]com

    Official government websites always use   @gov.in   or   @nic.in domains.

    How Quick Heal AntiFraud.AI Detects & Blocks Digital Arrest Scams

    1. Scam Call Detection (Before You Pick Up)

    🔔 Feature: Fraud Call Alert + Scam Protection

    • AI uses AI and global scam databases to flag known fraud numbers.
    • If a scammer is spoofing a number (e.g., police, government, bank), you’ll see an on-screen Fraud Risk Alert before answering—helping you avoid the trap early.

    2. Preventing Remote Access Tools

    🖥️ Feature: Screen Share Alert + Fraud App Detector

    • Detects if the scammer persuades you to install screen-sharing apps like Anydesk, TeamViewer, or any malicious APK.
    • AI immediately sends a high-risk alert:
      “⚠️ Screen sharing detected. This may be a scam.”
    • If unauthorized apps are found, they are flagged and disabled.

     

    3. Banking Activity Monitoring in Real-Time

    💳 Feature: Banking Fraud Alert + Unauthorized Access Alert

    • If a scammer gets access and initiates a money transfer, AntiFraud.AI monitors banking behavior using AI.
    • It identifies suspicious patterns (large transfers, new payees, unusual logins) and immediately alerts you to block or verify them.

     

    4. Payment Verification Interception

    🔐 Feature: Payee Name Announcer + Secure Payments

    • Before completing any transaction, the system reads out the payee’s name, warning you if it’s not a verified recipient.
    • Safe Banking mode blocks unsafe payment pages, fake links, or phishing apps often used by scammers.

     

    5. SIM Swap & Call Forwarding Detection

    📞 Feature: Call Forwarding Alert

    • Scammers sometimes redirect calls and SMS to capture OTPs or bypass security layers.
    • AI instantly notifies you of any SIM manipulation or call forwarding activity—giving you time to stop fraud before it starts.

    6. Post-Incident Protection & Guidance

    🆘 Feature: Victim of a Fraud? + Fraud Protect Buddy

    • If you’re caught mid-scam or realize too late, AntiFraud.AI helps you take action:
    • Block transactions
    • Notify your bank
    • Report the scam to authorities
    • Access recovery support

     

            Ending the Trap: Your Cyber Safety Checklist :

    • Stay alert, don’t panic, and always double-check before you act.
    • Never share your OTP, Bank Details over calls or messages.
    • Never post personal information on social media, as victim profile begins from here.
    • An arrest can’t be made digitally, irrespective of cognizable and non-cognizable offences.
    • Never answer video/audio calls from unknown numbers.
    • No law enforcement agency demands money over audio/ video/ SMS platforms.
    • An arrest warrant shall be presented physically, can never be emailed.
    • Don’t blindly click to any link, it may be fraudulent/ phishing threat.
    • All check the email domains- genuine government emails end in @gov.in or @nic.in.
    • Regularly check in government websites for release of fraudulent web notices/ user digests for awareness.
    • Install security tools like Antifraud.AI that can easily detect fraudulent activities and alert you and ensure your digital security.

    Report to the following Government websites:

    • https://cybercrime.gov.in – Report cybercrime complaints (National Cyber Crime Reporting Portal)
    • https://www.cert-in.org.in – Indian Computer Emergency Response Team
    • Call 1930 – Cybercrime Helpline Number
    • Visit your nearest cyber police station for support

     Stay alert. Prevention is the best protection.



    Source link

  •   Explained (With Code Snippets Included)



      Explained (With Code Snippets Included)



    Source link

  • The Quick Guide to Dijkstra's Algorithm



    The Quick Guide to Dijkstra's Algorithm



    Source link

  • Prim's Algorithm: Quick Guide with Examples



    Prim's Algorithm: Quick Guide with Examples



    Source link

  • 5 Benefits of Generative AI in XDR: Revolutionizing Cybersecurity

    5 Benefits of Generative AI in XDR: Revolutionizing Cybersecurity


    Generative Artificial Intelligence (GenAI) is transforming cybersecurity by enhancing Extended Detection and Response (XDR) systems, which integrate data from multiple security layers to provide comprehensive threat detection and response. By leveraging Generative AI, XDR solutions offer advanced capabilities that streamline operations, improve accuracy, and bolster organizational security. Below are five key benefits of integrating GenAI into XDR systems.

    Enhanced Threat Detection and Contextual Analysis

    1. GenAI significantly improves threat detection by analyzing vast datasets across endpoints, networks, and cloud environments. Unlike traditional systems, GenAI-powered XDR can identify complex patterns and anomalies, such as subtle indicators of advanced persistent threats (APTs). By correlating data from multiple sources, it provides contextual insights, enabling security teams to understand the scope and impact of threats more effectively. For instance, GenAI can detect unusual login patterns or malware behavior in real-time, reducing false positives and ensuring precise threat identification.
    2. Automation for Faster Incident Response
      GenAI automates repetitive tasks, such as alert triage and incident investigation, allowing security teams to focus on strategic decision-making. By employing machine learning and natural language processing (NLP), GenAI can prioritize alerts based on severity, suggest mitigation steps, and even execute automated responses to contain threats. This reduces response times, minimizes human error, and ensures rapid remediation, which is critical in preventing data breaches or system compromises.
    3. Improved Accessibility for Analysts
      GenAI enables conversational interfaces that allow analysts, regardless of technical expertise, to interact with complex security data using natural language. This eliminates the need for specialized query languages or extensive training, making XDR tools more accessible. Analysts can quickly retrieve incident details, aggregate alerts, or access product documentation without navigating intricate dashboards, thereby reducing the learning curve and improving operational efficiency.
    4. Proactive Threat Intelligence and Prediction
      GenAI enhances XDR’s ability to predict and prevent threats by building behavioural models from historical data. For example, it can establish baseline user activity and flag deviations, such as multiple failed login attempts from unusual IP addresses, as potential account compromises. This predictive capability allows organizations to address vulnerabilities before they are exploited, shifting cybersecurity from reactive to proactive.
    5. Streamlined Reporting and Compliance
      GenAI simplifies the generation of reports and ensures compliance with regulatory requirements. By extracting key metrics and summarizing findings in natural language, it facilitates clear communication with stakeholders. Additionally, GenAI supports near real-time monitoring and audit logging, helping organizations meet compliance standards efficiently while reducing manual effort.

    Seqrite XDR: A Leader in GenAI driven XDR

    Seqrite XDR exemplifies the power of GenAI through its Seqrite Intelligent Assistant (SIA), a prompt-based, conversational interface designed to empower analysts. SIA offers 14 pre-defined prompt questions to kickstart investigations, enabling quick access to incident details, summarized analyses, and tailored mitigation steps. Analysts can query alert data without complex syntax, aggregate alerts by severity or MITRE techniques, and identify patterns across incidents. SIA also provides conversational access to Seqrite XDR documentation, security best practices, and step-by-step task guidance. Its contextual follow-up feature allows analysts to drill down into details or clarify technical terms effortlessly. By reducing the learning curve, saving time, and improving accessibility, SIA enables faster incident response and streamlined reporting, making Seqrite XDR an essential tool for modern cybersecurity strategies.

    Connect with us to see Seqrite XDR + SIA in action

     



    Source link

  • Create PDF in PHP Using FPDF.

    Create PDF in PHP Using FPDF.


    Create PDF in PHP Using FPDF.

    In this post, I  will explain how to create a pdf file in php. To create a PDF file in PHP we will use the FPDF library. It is a PHP library that is used to generate a PDF. FPDF is an open-source library. It is the best server-side PDF generation PHP library. It has rich features right from adding a PDF page to creating grids and more.

    Example:

    <?Php
require('fpdf/fpdf.php');
$pdf = new FPDF(); 
$pdf->AddPage();
$pdf->SetFont('Arial','B',16);
$pdf->Cell(80,10,'Hello World From FPDF!');
$pdf->Output('test.pdf','I'); // Send to browser and display
?>

    Output:

     

     



    Source link

  • Operation Sindoor: Anatomy of a High-Stakes Cyber Siege

    Operation Sindoor: Anatomy of a High-Stakes Cyber Siege


    Overview

    Seqrite Labs,  India’s largest Malware Analysis lab, has identified multiple cyber events linked to Operation Sindoor, involving state-sponsored APT activity and coordinated hacktivist operations. Observed tactics included spear phishing, deployment of malicious scripts, website defacements, and unauthorized data leaks. The campaign exhibited a combination of cyber espionage tactics, hacktivist-driven disruptions, and elements of hybrid warfare. It targeted high-value Indian sectors, including defense, government IT infrastructure, healthcare, telecom, and education. Some of the activities were attributed to APT36 and Sidecopy, Pakistan-aligned threat groups known for leveraging spoofed domains, malware payloads, and credential harvesting techniques against Indian military and government entities.

    Trigger Point: Initial Access Vector

    On April 17, 2025, Indian cyber telemetry started to light up. Across the threat detection landscape, anomalies directed towards government mail servers and defence infrastructures. Lure files carried names that mimicked urgency and legitimacy:

    These weren’t ordinary files. They were precision-guided attacks—documents laden with macros, shortcuts, and scripts that triggered covert command-and-control (C2) communications and malware deployments. Each lure played on public fear and national tragedy, weaponizing recent headlines like the Pahalgam Terror Attack. Further technical details can be found at :

    Following the initiation of Operation Sindoor on May 7th, a surge in hacktivist activities was observed, including coordinated defacements, data leaks, and disruptive cyber campaigns.

    Activity Timeline Graph – Operation Sindoor

    APT36: Evolution of a Digital Predator

    APT36, long associated with the use of Crimson RAT and social engineering, had evolved. Gone were the older Poseidon loaders—Ares, a modular, evasive malware framework, now formed the new spearhead.

    Tools & File Types:

    • .ppam, .xlam, .lnk, .xlsb, .msi
    • Macros triggering web queries:
      fogomyart[.]com/random.php
    • Payload delivery through spoofed Indian entities:
      zohidsindia[.]com, nationaldefensecollege[.]com, nationaldefencebackup[.]xyz
    • Callback C2 IP: 86.97[.]58:17854

    APT36 used advanced TTPs during Operation Sindoor for stealthy infection, persistence, and command and control. Initial access was via spear phishing attachments (T1566.001) using malicious file types (.ppam, .xlam, .lnk, .xlsb, .msi). These triggered macros executed web queries (T1059.005) to domains like fogomyart[.]com. Payloads were delivered through spoofed Indian domains such as zohidsindia[.]com and nationaldefensecollege[.]com, with C2 communication via application layer protocols (T1071.001) to 167.86.97[.]58:17854. For execution and persistence, APT36 leveraged LOLBins (T1218), scheduled tasks (T1053.005), UAC bypasses (T1548.002), and obfuscated PowerShell scripts (T1059.001, T1027), enabling prolonged access while evading detection.

    Ares RAT grants full control over the compromised host, offering capabilities such as keylogging, screen capturing, file manipulation, credential theft, and remote command execution—similar to commercial RATs but tailored for stealth and evasion.

    Digital Infrastructure: Domains of Deception

    The operation’s domain arsenal resembled a covert intelligence operation:

    • pahalgamattack[.]com
    • operationsindoor2025[.]in
    • sindoor[.]website
    • sindoor[.]live

    These domains mimicked military and government entities, exploiting user trust and leveraging geo-political narratives for social engineering.

    Hacktivism in Tandem: The Shadow Battalion

    APT36 did not act alone. In parallel, hacktivist collectives coordinated disruptive attacks—DDoS, defacements, and data leaks—across key Indian sectors. Telegram groups synchronized actions under hashtags like #OpIndia, #OperationSindoor, and #PahalgamAttack, as portrayed in the image below.

     

    A quick timeline recap

    Most Targeted Sectors:

    The Operation Sindoor campaign strategically targeted India’s critical sectors, focusing on Defense entities like the MoD, Army, Navy, and DRDO. The hactivists claimed to have disrupted Government IT infrastructure, including NIC and GSTN with evidences of DDoS and data leak, while attempting breaches in healthcare institutions such as AIIMS and DRDO Hospitals. Telecom giants like Jio and BSNL were probed, alongside multiple state-level educational and government portals, showcasing the breadth and coordination of the cyber offensive.

    Post-Campaign Threat Landscape

    From May 7–10, Seqrite telemetry reported:

    • 650+ confirmed DDoS/defacement events
    • 35+ hacktivist groups involved, 7 newly emerged
    • 26 custom detection signatures deployed across XDR

    Detection Signatures:

    Signature Name Description
    BAT.Sidecopy.49534.GC SideCopy loader script
    LNK.Sidecopy.49535.GC Macro-enabled shortcut
    MSI.Trojan.49537.GC MSI-based Trojan dropper
    HTML.Trojan.49539.GC HTML credential phisher
    Bat.downloader.49517 Download utility for RAT
    Txt.Enc.Sidecopy.49538.GC Obfuscated loader

     

    IOCs: Indicators of Compromise

    Malicious Domains:

    • pahalgamattack[.]com
    • sindoor[.]live
    • operationsindoor2025[.]in
    • nationaldefensecollege[.]com
    • fogomyart[.]com/random.php

    Malicious Files:

    Callback IP:

    • 86.97[.]58:17854 (Crimson RAT C2)

    VPS Traffic Origination:

    • Russia 🇷🇺
    • Germany 🇩🇪
    • Indonesia 🇮🇩
    • Singapore 🇸🇬

    The Mind Map of Chaos: Coordinated Disruption

    The hierarchy of the campaign looked more like a digital alliance than a lone operation:

    Seqrite’s Response

    To counteract the operation, Seqrite Labs deployed:

    • 26 detection rules across product lines
    • YARA signatures and correlation into STIP/MISP
    • XDR-wide alerting for SideCopy and Ares variants
    • Dark web and Telegram monitoring
    • Threat advisory dissemination to Indian entities

     

    Researcher’s Reflection

    Operation Sindoor revealed the blueprint of modern cyber warfare. It showcased how nation-state actors now collaborate with non-state hacktivists, merging technical intrusion with psychological operations. The evolution of APT36—especially the move from Poseidon to Ares—and the simultaneous hacktivist attacks signal a deliberate convergence of cyber espionage and ideological warfare.

    Instead of isolated malware campaigns, we now face digitally coordinated war games. The tools may change—macros, MSI files, DDoS scripts—but the objectives remain: destabilize, disinform, and disrupt.

    Conclusion

    Operation Sindoor represents a significant escalation in the cyber conflict landscape between India and Pakistan. The campaign, orchestrated by APT36 and allied hacktivist groups, leveraged a blend of advanced malware, spoofed infrastructure, and deceptive social engineering to infiltrate key Indian sectors.

    The strategic targeting of defense, government IT, healthcare, education, and telecom sectors underscores an intent to not just gather intelligence but also disrupt national operations. With the deployment of tools like Ares RAT, attackers gained complete remote access to infected systems—opening the door to surveillance, data theft, and potential sabotage of critical services.

    From an impact standpoint, this operation has:

    • Undermined trust in official digital communication by spoofing credible Indian domains.
    • Increased operational risks for sensitive departments by exposing infrastructure weaknesses.
    • Compromised public perception of cybersecurity readiness in government and defense.
    • Amplified geopolitical tension by using cyber means to project influence and provoke instability.

    The impact of this campaign on national cybersecurity and trust has been significant:

    • Data Exfiltration: Sensitive internal documents, credentials, and user information were exfiltrated from key organizations. This compromises operational security, strategic decision-making, and opens pathways for follow-up intrusions.
    • DDoS Attacks: Targeted denial-of-service attacks disrupted availability of critical government and public-facing services, affecting both internal workflows and citizen access during sensitive geopolitical periods.
    • Website Defacement: Several Indian government and institutional websites were defaced, undermining public confidence and serving as a psychological warfare tactic to project influence and cyber superiority.

    These developments highlight the urgent need for enhanced threat intelligence capabilities, robust incident response frameworks, and strategic public-private collaboration to counter such evolving hybrid threats.



    Source link