{
	"id": "8978f85e-2ec5-4b62-a2e3-1cd630d2a802",
	"created_at": "2026-04-06T00:12:32.853329Z",
	"updated_at": "2026-04-10T03:26:40.173283Z",
	"deleted_at": null,
	"sha1_hash": "7eef6353b62e03583044f6d23154ecaf53a2bbca",
	"title": "Cyble Chronicles: Feb 1 Cybersecurity Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2361006,
	"plain_text": "Cyble Chronicles: Feb 1 Cybersecurity Insights\r\nPublished: 2024-02-01 · Archived: 2026-04-05 15:39:35 UTC\r\nUncovering Atomic Stealer (AMOS) Strikes and the Rise of Dead Cookies Restoration\r\nCyble Research and Intelligence Labs (CRIL) has recently uncovered a series of phishing websites masquerading\r\nas popular Mac applications, which are distributing the Atomic Stealer (AMOS), a potent InfoStealer malware.\r\nDespite being identified, these deceptive sites remain active, posing a significant threat to unsuspecting users.\r\nAMOS is noted for its rapid evolution and frequent updates, showcasing the developers’ dedication to enhancing\r\nits malicious capabilities. Among its latest advancements is the ability to rejuvenate expired Google Chrome\r\ncookies, marking a concerning development in the InfoStealer arena.\r\nThis innovation in AMOS’s functionality coincides with the discovery of free code on a cybercrime forum\r\ncapable of reviving “dead” cookies—a technique that was rumored to be sold for $500 as of October 2023. This\r\nrevelation has catalyzed a new trend among InfoStealers to adopt this cookie revival feature. For instance, the\r\nXehook Stealer, launched on January 20, 2024, quickly incorporated this feature within days, highlighting a swift\r\nadaptation among Threat Actors (TAs). Furthermore, the Command and Control (C\u0026C) centers utilized by AMOS\r\npayloads were discussed in a report from early January, suggesting a broader network of connected campaigns or\r\nTAs exploiting this technique.\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/\r\nPage 1 of 5\r\nRead Cyble’s detailed analysis of this here.\r\nActive Exploitation of Atlassian Confluence RCE Vulnerability (CVE-2023-22527)\r\nOn January 26, 2024, Cyble’s Global Sensor Intelligence (CGSI) network detected scanning attempts targeting a\r\ncritical vulnerability in Atlassian Confluence, identified as CVE-2023-22527. This vulnerability, disclosed by\r\nAtlassian on January 16, 2024, affects outdated versions of Confluence Data Center and Server. It involves an\r\nObject-Graph Navigation Language (OGNL) injection, rated with a maximum CVSS score of 10, indicating its\r\nsevere impact. OGNL injection vulnerabilities arise when applications like Atlassian Confluence fail to properly\r\nvalidate and sanitize user input before its incorporation into OGNL expressions, allowing Threat Actors (TAs) to\r\nexecute remote code on the affected systems.\r\nThe CGSI network observed these exploitation attempts across various countries, highlighting the global interest\r\nof attackers in exploiting this vulnerability. Additionally, Cyble ODIN’s scanners have identified over 4,000\r\ninternet-exposed instances of Confluence in the past three months, with a significant concentration in the United\r\nStates, Germany, China, and Russia. This vulnerability, resulting from a template injection flaw in specific\r\nConfluence versions, allows unauthenticated attackers to achieve remote code execution. ProjectDiscovery’s\r\nresearch further underscores the technical nuances of exploiting this vulnerability, including methods to bypass the\r\n200-character limit in OGNL expressions. This situation underscores the critical need for organizations to\r\npromptly address and secure their systems against such vulnerabilities to protect against unauthorized access and\r\npotential compromise.\r\nRead CRIL’s detailed findings here.\r\nGhostSec Continues to Extend their Support for Cyber Threat Actors and Hacktivists\r\nCyble Research and Intelligence Labs (CRIL) has raised alarms about the increasing activities of the hacktivist\r\ngroup GhostSec, particularly their recent initiative aimed at enhancing the anonymity of threat actors and\r\nhacktivists. GhostSec’s new project, dubbed Low-Cost-Database, seeks to gather funds to assist activists and\r\nhacktivists in concealing their identities, especially those operating under false identities or seeking asylum for\r\ntheir actions, which they justify as fighting for noble causes. This initiative is significant because the group claims\r\nto source databases from collaborators, rather than relying on publicly leaked ones, and has even set up a Telegram\r\nhandle for coordination.\r\nThe project has gained traction quickly, with the Telegram channel amassing 2,676 subscribers and offering 28\r\ndatasets for sale, impacting organizations across multiple countries. This move is part of a broader trend of\r\nGhostSec’s involvement in supporting hacktivism and online anonymity. Previous projects include NewBlood,\r\naimed at educating newcomers on hacking skills, and WeFreeInternet, which provided free VPN services to\r\nIranian activists, with plans to expand to other countries facing internet restrictions by their governments.\r\nThe anonymity provided by groups like GhostSec poses significant challenges for law enforcement agencies and\r\ncybersecurity professionals in attributing and tracking contemporary threat activities. As threat actors may switch\r\nidentities at any time, this complicates threat assessments and leaves organizations vulnerable to attacks. The\r\nsupport for concealing identities, as offered by well-funded hacktivist groups, exacerbates these challenges,\r\npotentially enabling malicious activities by state-sponsored groups and others. Addressing the anonymity of threat\r\nactors requires a concerted international effort from both law enforcement and the cybersecurity community to\r\nmitigate risks effectively.\r\nRead Cyble’s detailed breakdown of this Threat Actor here.\r\nGreenBean: Latest Android Banking Trojan Leveraging Simple Realtime Server (SRS) for C\u0026C Communication\r\nCyble has recently unveiled its analysis of “GreenBean,” a new Android Banking Trojan that poses a significant\r\nthreat to users of cryptocurrency, payment, and banking applications. This malware, spread through a phishing site\r\npromoting a cryptocurrency scheme, specifically targets five applications, with its activities predominantly\r\nfocused on Android users in China and Vietnam. This regional specificity is deduced from the application’s\r\nnaming conventions and the presence of Chinese and Vietnamese characters within the target code.\r\nGreenBean exploits the Accessibility service on Android devices to harvest credentials from the targeted\r\napplications. A distinctive feature of this malware is its use of video streaming capabilities facilitated through\r\nWebRTC technology. This allows the attackers not only to collect data but also to potentially observe and record\r\nthe screen of the infected device, adding a layer of sophistication to their espionage capabilities. Moreover, the\r\nmalware employs an open-source project, the Simple Realtime Server (SRS), for its Command and Control\r\n(C\u0026C) communications. This choice of C\u0026C infrastructure is notable for its support of WebRTC streaming,\r\nindicating the malware developers’ preference for leveraging robust and versatile technologies to manage their\r\noperations.\r\nAt the time Cyble published their findings, the phishing site used to disseminate GreenBean was still operational,\r\nsignaling that the malware continues to be a live threat. The continued activity of this phishing site underscores\r\nthe importance of ongoing vigilance and the need for users to be cautious of phishing schemes, especially those\r\npromoting too-good-to-be-true cryptocurrency opportunities. This analysis by Cyble sheds light on the evolving\r\nlandscape of Android banking Trojans and the increasing complexity of threats facing users in the digital finance\r\nspace.\r\nRead CRIL’s detailed analysis of this here.\r\nMalaysian Telecom Provider, Aminia Hit by Pro-Israeli Cyberattack, Website Inaccessible\r\nThe Malaysian telecom provider Aminia was recently targeted by the pro-Israeli hacktivist group R00TK1T ISC\r\nCyber Team, marking their first attack against the company amidst threats to Malaysian internet infrastructure.\r\nThe attack resulted in the internal defacement of Aminia’s billing and Managed WiFi services portals, potentially\r\nindicating a data breach. Following the cyberattack, Aminia’s website became inaccessible, showing an “Index of /”\r\nerror, typical of cyberattack aftermaths where server settings are altered or files are deleted.\r\nR00TK1T ISC Cyber Team’s actions included leaving a warning message on the compromised portal and sharing\r\nscreenshots exposing sensitive information from Aminia’s systems. The group accused Malaysia of supporting\r\ncyber threats related to the Middle East conflict and threatened further exposures. This attack is part of a broader\r\nthreat to target Malaysian organizations, as indicated by the group’s explicit threats made on January 26. The\r\nhacktivists also exploited vulnerabilities in the Controlled Access Point System Manager (CAPsMAN) panel\r\nmanufactured by MikroTik, revealing a critical security flaw (CVE-2023-41570). The incident raises significant\r\nconcerns over the cybersecurity of Malaysian telecom networks and underscores the need for enhanced security\r\nprotocols and vigilance.\r\nRead The Cyber Express’ detailed coverage here.\r\nSource: https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/"
	],
	"report_names": [
		"cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community"
	],
	"threat_actors": [
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ee6bddb-cd53-4ccf-b33f-f8af06f729d0",
			"created_at": "2024-03-02T02:00:03.838391Z",
			"updated_at": "2026-04-10T02:00:03.600479Z",
			"deleted_at": null,
			"main_name": "R00tK1T",
			"aliases": [],
			"source_name": "MISPGALAXY:R00tK1T",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791600,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eef6353b62e03583044f6d23154ecaf53a2bbca.pdf",
		"text": "https://archive.orkl.eu/7eef6353b62e03583044f6d23154ecaf53a2bbca.txt",
		"img": "https://archive.orkl.eu/7eef6353b62e03583044f6d23154ecaf53a2bbca.jpg"
	}
}