26 May 2026

Ankura CTIX FLASH Update – May 19, 2026

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers services and end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura has more than 2,000 professionals serving 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value™. For more information, please visit ankura.com.

Malware Activity

How Cyber Attacks Are Evolving from Stealing Credentials to Quietly Manipulating Systems

Recent research highlights two (2) major shifts in cyber threats, showing how attackers are becoming more sophisticated and harder to detect. One article explains how the Tycoon2FA phishing kit now tricks Microsoft 365 users into unknowingly granting account access through a legitimate login process, rather than stealing passwords, making the attack more believable and able to bypass traditional defenses like MFA. At the same time, another study reveals “fast16,” an early form of malware developed around 2005, designed not to steal data but to subtly alter complex engineering and scientific calculations, potentially disrupting critical research without being noticed. Together, these examples show a clear evolution in attacker tactics, from directly taking credentials to exploiting trusted systems and quietly manipulating outcomes. In both cases, the attacks rely on blending into normal processes, whether it’s a real login page or legitimate simulation software, making them especially difficult to detect. This shift signals a growing risk for organizations, where the threat is no longer just unauthorized access, but also hidden manipulation of data and systems that organizations rely on for decision-making and operations. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
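The fast16 finding above is about integrity rather than confidentiality: a solver that quietly returns slightly wrong numbers is invisible to credential- and network-focused controls. The script below is an added example, not code from the Ankura article or from any fast16 analysis, showing two standard defensive checks for that failure mode: known-answer tests (inputs with closed-form results) and cross-checking two independent implementations of the same computation. The integrators, the known-answer table and the `tampered` wrapper (which applies a small constructed relative bias to stand in for a result-altering modification) are all assumptions made for the illustration.

```python
"""Detecting silent tampering of numerical results (added example, hypothetical solvers)."""
import math

# Trusted path: trapezoidal integration. Treated here as the production solver.
def trapezoid(f, a, b, n=1000):
    h = (b - a) / n
    s = 0.5 * (f(a) + f(b))
    for i in range(1, n):
        s += f(a + i * h)
    return s * h

# Independent second implementation (Simpson's rule). Different code path, same answer.
def simpson(f, a, b, n=1000):
    if n % 2:
        n += 1  # Simpson's rule needs an even number of intervals
    h = (b - a) / n
    s = f(a) + f(b)
    for i in range(1, n):
        s += (4 if i % 2 else 2) * f(a + i * h)
    return s * h / 3

def tampered(solver, bias=1e-3):
    """Constructed stand-in for a result-altering modification: the wrapped solver
    returns answers skewed by a tiny relative bias that looks plausible on its own."""
    def wrapped(f, a, b, n=1000):
        return solver(f, a, b, n) * (1.0 + bias)
    return wrapped

# Constructed known-answer cases: integrand, bounds, exact closed-form value.
KNOWN_ANSWERS = [
    (math.sin, 0.0, math.pi, 2.0),
    (lambda x: x * x, 0.0, 3.0, 9.0),
    (math.exp, 0.0, 1.0, math.e - 1.0),
]

def known_answer_check(solver, rel_tol=1e-5):
    """Run every known-answer case; return the list of (a, b, expected, got) failures.
    An empty list means the solver reproduces all closed-form results within rel_tol."""
    failures = []
    for f, a, b, expected in KNOWN_ANSWERS:
        got = solver(f, a, b)
        if not math.isclose(got, expected, rel_tol=rel_tol):
            failures.append((a, b, expected, got))
    return failures

def cross_check(solver_a, solver_b, f, a, b, rel_tol=1e-5):
    """True when two independent implementations agree on a production input.
    Useful where no closed-form answer exists for the real workload."""
    return math.isclose(solver_a(f, a, b), solver_b(f, a, b), rel_tol=rel_tol)

if __name__ == "__main__":
    for name, solver in [("trapezoid", trapezoid), ("tampered", tampered(trapezoid))]:
        print(name, "known-answer failures:", known_answer_check(solver))
    print("cross-check clean:", cross_check(trapezoid, simpson, math.sin, 0.0, math.pi))
    print("cross-check tampered:", cross_check(tampered(trapezoid), simpson, math.sin, 0.0, math.pi))
```

The tolerance has to be set from the solvers' own discretisation error (here around 1e-6 relative at n=1000), so that a 1e-3 bias is well outside it; a tolerance chosen loosely enough to hide numerical noise would also hide the kind of subtle alteration the article describes.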

Threat Actor Activity

Russian-linked Secret Blizzard Using Kazuar Malware as P2P Botnet

Secret Blizzard, a group attributed to Russia by Microsoft, has evolved its Kazuar malware into a modular peer-to-peer (P2P) botnet designed for stealth, persistence, and intelligence gathering. Active since at least 2017, with roots tracing back to 2005, Kazuar is tied to the FSB-linked Turla group and has targeted government, diplomatic, and defense entities across Europe, Asia, and Ukraine. The latest version uses three (3) modules: a Kernel that coordinates operations and elects a single “leader” system to communicate with command-and-control (C2) infrastructure, a Bridge that handles external communications, and Workers that perform espionage tasks like keylogging, file theft, and email collection. By limiting external communication to one node and using encrypted internal messaging, Kazuar significantly reduces detection risk. Because its extensive configuration options and multiple security bypass techniques make Kazuar highly adaptable, CTIX analysts recommend that organizations implement behavioral detection rather than relying on signature-based defenses.
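The single-leader design described above leaves a behavioral trace that signature-based tooling does not look for: one internal host carries all of the external traffic while a cluster of internal hosts talks only to that host. The script below is an added example, not code from the Ankura article or from any Kazuar analysis, showing how that pattern can be hunted in flow telemetry. The flow records, the internal address range and the `min_peers` threshold are constructed for the illustration.

```python
"""Hunting a single-egress P2P topology in flow records (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Not real telemetry.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 48210),   # only the leader reaches the outside
    ("10.0.0.6", "10.0.0.5", 49152, 9120),       # workers relay through the leader
    ("10.0.0.7", "10.0.0.5", 49152, 8730),
    ("10.0.0.8", "10.0.0.5", 49152, 10400),
    ("10.0.0.9", "10.0.0.5", 49152, 7990),
    ("10.0.0.5", "10.0.0.7", 49152, 2048),
    ("10.0.0.20", "198.51.100.1", 443, 15000),   # ordinary workstation browsing
    ("10.0.0.20", "10.0.0.21", 445, 30000),      # ordinary file-share access
    ("10.0.0.21", "198.51.100.7", 443, 1200),    # the file server also updates externally
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def build_graph(flows):
    """Undirected internal peer graph plus the set of external destinations per host."""
    peers = defaultdict(set)
    external = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if is_internal(src) and is_internal(dst):
            peers[src].add(dst)
            peers[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            external[src].add(dst)
    return peers, external

def find_leader_candidates(flows, min_peers=3):
    """Internal hosts that talk externally AND have at least min_peers internal peers
    which themselves never talk externally in the window. Returns {host: details}."""
    peers, external = build_graph(flows)
    candidates = {}
    for host, ext in external.items():
        silent_peers = {p for p in peers[host] if p not in external}
        if len(silent_peers) >= min_peers:
            candidates[host] = {
                "external": sorted(ext),
                "silent_peers": sorted(silent_peers),
            }
    return candidates

if __name__ == "__main__":
    for host, info in find_leader_candidates(FLOWS).items():
        print(f"{host}: egress for {len(info['silent_peers'])} internal-only peers "
              f"-> {info['external']}")
```

Legitimate proxies, jump hosts and update servers produce the same shape, so this is a hunting heuristic to be run with an allowlist of known egress points and a threshold tuned to the environment, not an alert on its own; the value is that it keys on the topology the article describes rather than on any file hash or C2 address that the operators can change.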

Vulnerabilities

MiniPlasma Rekindles Concerns Over Windows Privilege Escalation Flaws

Security researcher Chaotic Eclipse, also known as Nightmare Eclipse, has released a proof-of-concept exploit for a Windows local privilege escalation zero-day dubbed “MiniPlasma,” which allows attackers to gain SYSTEM privileges on fully patched Windows systems by abusing the Windows Cloud Files Mini Filter Driver (cldflt.sys). The flaw, tracked as CVE-2020-17103, affects the HsmOsBlockPlaceholderAccess routine and was originally reported by James Forshaw of Google Project Zero in 2020, which Microsoft claimed to have patched in December of that year. However, Chaotic Eclipse alleges the vulnerability was never fully remediated or may have been reintroduced, noting that Forshaw’s original proof-of-concept reportedly still functions without modification. The exploit abuses the undocumented CfAbortHydration API to manipulate registry key creation within the .DEFAULT user hive, enabling privilege escalation from a standard user account to SYSTEM. Testing by BleepingComputer and security researcher Will Dormann confirmed the exploit works reliably on fully updated Windows 11 systems running the May 2026 Patch Tuesday updates, although it reportedly fails on the latest Windows Insider Canary builds, suggesting Microsoft may already be testing a fix. The disclosure also highlights ongoing concerns surrounding the Cloud Filter driver, as Microsoft patched another actively exploited privilege escalation flaw in the same component, CVE-2025-62221, in late 2025. MiniPlasma is the latest in a broader string of public Windows zero-day disclosures from Chaotic Eclipse, following BlueHammer, RedSun, UnDefend, YellowKey, and GreenPlasma, several of which were later observed being exploited in the wild.
