SharePoint 0-Day, Chrome Exploit, macOS Spyware, NVIDIA Toolkit RCE, etc.

36 Min Read

Even in well-secured environments, attackers are getting in, not with flashy exploits, but by quietly taking advantage of weak configurations, outdated encryption and trusted tools left unprotected.

These attacks do not rely on zero-days. They work by staying unnoticed, slipping through the cracks in what we assume we are monitoring. Modular techniques and automation that mimics normal behavior make activity that once looked suspicious blend in.

The real concern? Control is not just being challenged; it is being taken quietly. This week's update highlights how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points.

⚡ Threat of the Week

Critical SharePoint zero-day actively exploited (patch released) – Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations around the world. Details of the exploitation emerged over the weekend, prompting Microsoft to issue an advisory for CVE-2025-53770 and CVE-2025-53771, which are now assessed to be patch bypasses for two other SharePoint flaws, CVE-2025-49704 and CVE-2025-49706. Together they form an exploit chain dubbed ToolShell that can be leveraged to achieve remote code execution on an on-premises SharePoint Server. The two earlier vulnerabilities were addressed by Microsoft earlier this month as part of its Patch Tuesday update. It is currently unknown who is behind the mass exploitation activity.

🔔 Top News

  • Google ships patches for actively exploited Chrome flaw – Google has released out-of-band fixes for a high-severity vulnerability in the Chrome browser (CVE-2025-6558) that is under active exploitation in the wild, making it the fifth zero-day since the start of the year to be either actively abused or demonstrated as a proof-of-concept (PoC). The vulnerability is an incorrect validation of untrusted input in the browser's ANGLE and GPU components, which could allow an attacker to potentially perform a sandbox escape via a crafted HTML page. The issue is fixed in versions 138.0.7204.157/.158 for Windows and Apple macOS, and 138.0.7204.157 for Linux.
  • Critical NVIDIA Container Toolkit flaw disclosed – A critical vulnerability in the NVIDIA Container Toolkit (CVE-2025-23266) could be exploited to escalate privileges and execute code. "A successful exploit of this vulnerability might lead to privilege escalation, data tampering, information disclosure, and denial of service," the GPU maker said. Wiz, which uncovered the flaw, said it could easily be exploited with a three-line Dockerfile to access, steal or manipulate the sensitive data and proprietary models of every other customer running on the same shared hardware.
  • New CrushFTP bug under attack – CrushFTP has disclosed that a critical flaw in its file transfer software (CVE-2025-54309) is being exploited in the wild by unknown threat actors, who reverse-engineered the source code to discover the bug and are targeting devices that have not been updated to the latest version. The issue affects all versions of CrushFTP 10 prior to 10.8.5 and 11 prior to 11.3.4_23. "The attack vector was HTTP(S) for how they could exploit the server," CrushFTP said. "We had fixed a different issue related to AS2 in HTTP(S) and did not realize that the prior bug could be used like this exploit was. The hackers apparently saw the code changes and figured out a way to exploit the prior bug."
  • Golden dMSA attack on Windows Server 2025 enables cross-domain attacks – Cybersecurity researchers have disclosed a "critical design flaw" in Delegated Managed Service Accounts (dMSA), a feature introduced in Windows Server 2025. "The attack exploits a critical design flaw: the structure used for password generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial," the researchers said.
  • Google's Big Sleep AI agent flags critical SQLite flaw before exploitation – Big Sleep, an artificial intelligence (AI) agent launched by Google last year as a collaboration between DeepMind and Google Project Zero, has facilitated the discovery of a critical security flaw in SQLite (CVE-2025-6965) that was previously known only to threat actors and was at risk of being exploited. Google said it was the first time an AI agent had been used to "directly foil efforts to exploit a vulnerability in the wild."
  • Threat actors target EOL SonicWall SMA 100 devices – An unknown intrusion set codenamed UNC6148 is targeting end-of-life SonicWall SMA 100 appliances. Many important details about the campaign remain unknown. First, Google said there is not enough data to determine where the threat actors are based or what their motivations are. Second, the attacks use the local administrator credentials of the targeted device for initial access, but it could not be determined how the attacker obtained those credentials. They may have been sourced from infostealer logs or credential markets, although the company believes the attacker more likely exploited a known vulnerability. It is also unclear exactly what the attacker aims to achieve after taking control of the device. The lack of information is largely down to how the OVERSTEP backdoor works: it lets the attacker selectively delete log entries to hinder forensic investigation. The investigation also found that UNC6148 could deploy a reverse shell on infected devices, something that should not normally be possible, leading to speculation that a zero-day may have been used. The findings once again show that network appliances are popular attacker targets, because they provide a path into high-value networks.

📈 Trending CVEs

Hackers jump on newly discovered software flaws fast, sometimes within hours. Whether it is a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Check the list, patch quickly, and stay a step ahead.

This week's list includes CVE-2025-53770, CVE-2025-53771 (Microsoft SharePoint Server), CVE-2025-37103 (HPE Instant On Access Point), CVE-2025-54309 (CrushFTP), CVE-2025-23266, CVE-2025-23267 (NVIDIA Container Toolkit), CVE-2025-20337 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2025-6558 (Google Chrome), CVE-2025-6965 (SQLite), CVE-2025-5333 (Broadcom Symantec Endpoint Management Suite), a Git CLI flaw, CVE-2025-4919 (Mozilla Firefox), CVE-2025-53833 (LaRecipe), CVE-2025-53506 (Apache Tomcat), CVE-2025-41236 (Broadcom VMware ESXi, Workstation, and Fusion), CVE-2025-27211 (Node.js), CVE-2025-53906 (Vim), CVE-2025-50067 (Oracle Application Express), CVE-2025-30751 (Oracle Database), CVE-2025-6230, CVE-2025-6231, CVE-2025-6232 (Lenovo Vantage), CVE-2025-7433, CVE-2025-7472 (Sophos Intercept X for Windows), CVE-2025-27212 (Ubiquiti UniFi Access), CVE-2025-4657 (Lenovo Protection Driver), CVE-2025-2500 (Hitachi Energy), CVE-2025-6197 (Grafana), CVE-2025-40776, CVE-2025-40777 (BIND 9), CVE-2025-33043, CVE-2025-2884, CVE-2025-3052 (Gigabyte), and CVE-2025-31019 (Poscisk Manage Manager).

🌐 Around the Cyber World

  • Russian sentenced to three years in the Netherlands for sharing data – A Rotterdam court has sentenced a 43-year-old Russian man to three years in prison for sharing sensitive information from Dutch semiconductor equipment maker ASML and chipmaker NXP with people in Russia. At his trial on June 26, the court heard that the suspect had copied files last year and sent them to contacts in Russia using the Signal messaging app. The defendant's name has not been released, but Reuters reported in February 2025 that the perpetrator was German Aksenov and that he had been in contact with Russia's FSB intelligence service. He was charged in December 2024 with IP theft and sanctions violations.
  • UK NCSC launches Vulnerability Research Initiative – The UK National Cyber Security Centre (NCSC) has announced a new Vulnerability Research Initiative (VRI) aimed at strengthening its relationships with external cybersecurity experts. "The VRI's mission is to strengthen the UK's ability to carry out VR," the NCSC said. "We work with the best external vulnerability researchers to deliver a deeper understanding of the security of the wide range of technologies we care about. We also support the external VR community in having tools and tradecraft for vulnerability discovery."
  • Storm-1516 spreads disinformation in Europe – A Kremlin-linked disinformation group tracked as Storm-1516 has published fake articles on spoofed news websites to spread false stories in France, Armenia, Germany, Moldova and Norway while posing as real journalists. The threat actors lend credibility to the fake articles by using legitimate reporters' names and photos, according to the GNIDA Project. Another pro-Russian disinformation campaign, known as Operation Overload (aka Matryoshka or Storm-1679), has been observed using consumer-grade artificial intelligence tools to drive a "content explosion" focused on inflaming existing tensions around global elections, Ukraine and immigration. The activity, running since 2023, has a track record of spreading false narratives by impersonating media outlets with the apparent aim of sowing discord in democratic countries. "This illustrates a shift toward more scalable, multilingual and increasingly sophisticated propaganda tactics," Reset Tech and CheckFirst said. "The campaign shows a shift toward faster and more scalable ways of creating content over the past eight months, with a significant increase in the production of new content." Some of the images used in the campaign are believed to have been generated with Flux AI, a text-to-image generator developed by Black Forest Labs. The company told Wired it is building "multiple layers of safeguards" to prevent abuse and is working with social media platforms and authorities to curb illegal misuse.
  • Evolving techniques of the SLOW#TEMPEST campaign detailed – The threat actor behind a malware campaign called SLOW#TEMPEST has been observed using DLL side-loading to launch malicious DLLs, relying on control flow graph (CFG) obfuscation and dynamic function calls to hide the code in the loader DLL. The DLL's main goal is to unpack and launch an embedded payload directly in memory, but only if the target machine has at least 6 GB of RAM. "The evolution of the SLOW#TEMPEST campaign highlights malware obfuscation techniques, particularly dynamic jumps and obfuscated function calls," Palo Alto Networks Unit 42 said. "The success of the SLOW#TEMPEST campaign using these techniques demonstrates the potential impact of advanced obfuscation on organizations, making detection and mitigation extremely difficult."
  • Abacus Market shutters in likely exit scam – The darknet marketplace known as Abacus Market has suddenly ceased operations, with all of its infrastructure, including its clearnet mirror, becoming inaccessible. The development comes after Abacus Market users began reporting withdrawal problems in late June 2025. Blockchain intelligence firm TRM Labs said the market's operators may have pulled an exit scam and disappeared with user funds, although the possibility of a law enforcement seizure has not been ruled out. The Abacus exit follows Europol's seizure of Archetyp Market on June 16, 2025. Abacus Market launched in September 2021 as Alphabet Market before rebranding to its current name two months later. The market is estimated to have generated $300 million to $400 million in cryptocurrency sales of illegal drugs, counterfeits and stolen cards. According to data from Chainalysis, Abacus Market's revenue grew significantly in 2024, up 183.2% from the previous year.
  • MITRE announces AADAPT for cryptocurrency security – MITRE Corporation has launched Adversarial Actions in Digital Asset Payment Technologies (aka AADAPT), a cybersecurity framework for addressing vulnerabilities in digital financial systems such as cryptocurrencies. It is modeled after the MITRE ATT&CK framework. "AADAPT provides developers, policymakers and financial organizations with a structured methodology to identify, analyze and mitigate the potential risks associated with digital asset payments," MITRE said. "Using insights derived from real-world attacks cited in more than 150 sources from government, industry and academia, the AADAPT framework identifies adversarial tactics, techniques and procedures associated with digital asset payment technologies, including consensus algorithms and smart contracts."
  • Former US soldier pleads guilty to hacking 10 telecom companies – Former U.S. Army soldier Cameron John Wagenius (aka Kiberphant0m and cyb3rph4nt0m) has pleaded guilty to conspiring to hack at least 10 telecommunications companies between April 2023 and December 2024. "The conspirators used a hacking tool called SSH Brute, among other means, to obtain these credentials," the U.S. Department of Justice said. "They used a Telegram group chat to discuss transferring stolen credentials and gaining unauthorized access to the victim companies' networks." The threat actors behind the scheme then extorted the victim organizations, offering to sell the stolen data for thousands of dollars on cybercrime forums such as BreachForums and XSS. Some of the data was ultimately sold and used to perpetrate other fraud, including SIM swapping. Wagenius and others allegedly tried to extort at least $1 million from the owners of the victims' data. The attacks took place while Wagenius was on active duty, the DOJ said. Court documents show the defendant searched Google for phrases such as "can hacking be treason" and "U.S. military personnel defecting to Russia." Wagenius had already pleaded guilty in February 2025 to the unlawful transfer of confidential phone record information; the latest plea covers conspiracy to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft. Sentencing is scheduled for October 6, 2025. His co-conspirators, Connor Moucka and John Binns, were indicted in November 2024.
  • Signed drivers used in malicious campaigns – Since 2020, more than 620 signed drivers, 80 certificates and 60 Windows Hardware Compatibility Program (WHCP) accounts have been associated with threat actor campaigns. The majority of the drivers were signed by 131 Chinese companies. In 2022 alone, over 250 drivers and roughly 34 certificates and WHCP accounts were identified as potentially compromised. The findings show that "kernel-level attacks remain attractive to threat actors despite Microsoft's improved defenses, owing to the highest level of system privileges and control they afford attackers," Group-IB said, adding that it found overlaps in the signing infrastructure of various malware campaigns, including POORTRY and RedDriver. Notable malware strains that have used kernel loaders for added stealth include Festi, FiveSys, FK_Undead and Blackmoon. "Attackers abuse legitimate processes such as WHCP and Extended Validation (EV) certificates, including those belonging to breached or fraudulently registered organizations, to obtain many signing certificates and WHCP accounts, sign malicious drivers, bypass established security measures, and exploit the trust model unique to signed kernel drivers," Group-IB said.
  • Exploitation activity observed against TeleMessage SGNL flaw – Threat actors are actively attempting to exploit a security flaw in TeleMessage SGNL, an enterprise messaging system modeled on Signal and used by government agencies and businesses for secure communications. The vulnerability, CVE-2025-48927, can be exploited to leak sensitive information such as plaintext usernames, passwords and other data. According to GreyNoise, exploitation attempts have originated from 25 IP addresses over the past 30 days, the majority of them in France, followed by Singapore, Germany, Hong Kong and India. The attacks target the U.S., Singapore, India, Mexico and Brazil.
  • Microsoft stops relying on Chinese engineers for defense cloud support – Microsoft has changed its practices so that China-based engineers no longer provide technical support for U.S. defense customers of its Azure cloud services. The move follows a ProPublica investigation that revealed Microsoft had been using China-based engineers to maintain U.S. Department of Defense systems, potentially exposing sensitive data to the Chinese government. "In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services," the company said.
  • Japanese authorities release free Phobos and 8Base decryptor – The Japanese National Police Agency has released a free decryption tool, along with an English-language guide, for organizations affected by the Phobos and 8Base ransomware. Earlier this February, two Russian nationals accused of using Phobos ransomware to attack more than 1,000 entities were charged as part of a global law enforcement takedown. Phobos emerged in December 2018, and in 2023 a modified version called 8Base became popular.
  • Android lets Gemini access third-party apps – Google has implemented a change that allows Gemini to interact with third-party apps installed on users' Android devices, even if "Gemini Apps Activity" is turned off. According to the company's support document, "Even if Gemini Apps Activity is off, your conversations will be saved in your account for up to 72 hours. This lets Google provide the service and process any feedback. This activity won't appear in your Gemini Apps Activity." The update took effect this month.
  • EvilPanel phishing toolkit detailed – Cybersecurity researchers have discovered a new phishing toolkit called EvilPanel that is built on Evilginx and provides a web interface for launching attacks that bypass multi-factor authentication (MFA). "EvilPanel wraps all of Evilginx's powerful AiTM capabilities in a polished, user-friendly web interface, removing the need for manual configuration and lowering the barrier to entry for attackers," Abnormal AI said. "EvilPanel's core phishing functionality follows the Evilginx model, meaning it preserves the login flow by acting as a transparent proxy."
  • Katz Stealer and Octalyn Stealer detailed – Cybersecurity company SentinelOne is warning that threat actors are increasingly adopting an information stealer called Katz Stealer thanks to its "robust credential and data discovery and theft capabilities along with modern evasion and anti-analysis features." The company described the stealer as "a combination of credential theft and modern malware design." Stealers such as Katz are offered under a malware-as-a-service (MaaS) model for as little as $50 per month (or $360 per year). A notable feature of Katz Stealer is its ability to defeat Chromium's app-bound encryption in order to access and extract credentials and cookies. "Katz Stealer is not a 'one-shot' infostealer; it is designed to continuously exfiltrate victim data," SentinelOne said. "The malware not only extracts data found on the target system at the point of infection, but also data that is updated, changed or newly introduced." Another new stealer, posing as an educational tool called the Octalyn Forensic Toolkit, functions as a credential stealer, harvesting browser data, Discord and Telegram tokens, VPN configurations, game accounts and cryptocurrency wallet artifacts. "Its modular C++ payload, Delphi-based builder, Telegram-based C2, and secondary payload delivery capabilities make it a powerful tool for threat actors," CYFIRMA said. "The use of obfuscation, Windows persistence techniques, and structured data theft highlights a deliberate effort to evade detection and maximize impact."
  • Armenia approves police use of facial recognition technology – The Armenian parliament has passed an amendment to the national police law granting the Ministry of Internal Affairs access to a nationwide network of real-time surveillance cameras equipped with facial recognition technology. The cameras are operated across state and local government buildings, public transport, airports and parking facilities. The law is scheduled to come into effect on August 9, 2025. CSO Meter says the law "does not include clear legal safeguards, public oversight, or proper regulation of artificial intelligence (AI) technologies," posing a risk to citizens' privacy.
  • Fake receipts generated with MaisonReceipts – Scammers are using tools such as MaisonReceipts to generate counterfeit receipts for more than 21 well-known retail brands in multiple currencies (USD, EUR, GBP). The receipts are used by groups reselling counterfeit or stolen goods to pass them off as authentic. "The service is sold through subscription-based websites, social media accounts and encrypted messaging platforms, and offers features that make the fraudulent receipts convincing enough to deceive consumers and online marketplaces," Group-IB said.
  • PyPI blocks inbox.ru email domain – A recent spam campaign against PyPI has prompted the maintainers of the Python Package Index (PyPI) repository to prohibit the use of the "inbox.ru" email domain during new registrations and when adding additional email addresses. "This campaign created over 250 new user accounts and published over 1,500 new projects on PyPI, leading to end-user confusion, resource abuse and potential security issues," PyPI said. "All related projects have been removed from PyPI and the accounts have been disabled."
  • Silver Fox actor builds fake websites for malware delivery – A threat actor known as Silver Fox, known for targeting Chinese-speaking individuals and groups, has created more than 2,800 domains since June 2023 and has been actively distributing malware from over 266,850 identified domains since December 2024. The fake websites act as delivery vectors for Windows-specific malware, posing as application download sites and software update prompts. "Among other factors, consistent operational timing across all hours, with a high influx during China's working hours, suggests a combination of automated and human-driven approaches to their activity," DomainTools said.
  • Arrested Scattered Spider members released on bail – A British court has released on bail four alleged members of the Scattered Spider group. They were arrested last week on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group. They are accused of hacking British retailers Marks & Spencer, Co-op and Harrods.
  • Armenian national charged over Ryuk ransomware attacks – An Armenian man extradited from Ukraine to the U.S. has been charged for his alleged role in Ryuk ransomware attacks between March 2019 and September 2020. Karen Serobovich Vardanyan was arrested in Kyiv in April and extradited on June 18 to face the charges. Charged alongside him is 45-year-old Levon Georgiyevich Avetisyan, an Armenian national facing the same charges who is currently in custody in France and is expected to be extradited as well. Vardanyan and his accomplices received about 1,610 Bitcoins from victims, worth more than $15 million at the time of payment. Two Ukrainians, 53-year-old Oleg Nikolaevich Lyulyava and Andrii Leonidovych Prykhodchenko, were also charged in connection with Ryuk's activities but remain at large.
  • $2.17 billion stolen from crypto services in 2025 – Hackers and fraudsters have stolen more than $2.17 billion in crypto assets in the first half of this year, with North Korea's $1.5 billion Bybit hack accounting for the majority of that total. Data from TRM Labs shows that at least 75 distinct hacks and exploits resulted in $2.1 billion stolen. Per CertiK, a total of $801,315,669 was lost across 144 incidents in the second quarter of 2025. Wallet compromise emerged as the costliest attack vector in H1 2025, with $1,706,937,700 stolen across 34 incidents. "So far, 2025 has seen a significant concentration of stolen-fund victims in the U.S., Germany, Russia, Canada, Japan, Indonesia and South Korea," Chainalysis said. "Personal wallet compromises constitute a growing share of the total ecosystem value stolen over time."
  • Japan targeted by North Korea and China in 2024 – Japanese organizations have been targeted by North Korean threat actors distributing malware families such as BeaverTail, InvisibleFerret and RokRAT. Attacks linked to China have deployed backdoors and trojans such as ANEL and PlugX, Macnica said.
  • Rainbow Hyena targets Russian companies – A threat actor known as Rainbow Hyena has targeted Russian healthcare and IT organizations, distributing a custom C++-based backdoor called PhantomRemote via phishing emails containing malicious attachments. "The backdoor gathers information about the compromised system, downloads other executables from the C2 server, and executes commands via the cmd.exe interpreter," BI.ZONE said.
  • Transition to quantum-safe encryption is uneven – A new report from Forescout Research's Vedere Labs shows that only around 6% of the 186 million SSH servers on the Internet already use quantum-safe encryption. "Three-quarters of the OpenSSH versions on the Internet are running versions released between 2015 and 2022 that do not support quantum-safe encryption," the company said. "If regulators require quantum-safe encryption in the near future, organizations will face serious gaps. Outdated infrastructure will become a compliance and security risk."
  • Brazilian police arrest IT worker over $100 million cyber heist – Brazilian authorities have arrested a suspect in connection with a cyberattack that diverted more than $100 million from the country's banking system. According to a report from the Associated Press, the suspect was identified as João Roque, an IT employee of a software company named C&M, who is said to have helped an unknown threat actor gain unauthorized access to the Brazilian instant payment system known as PIX. After breaching the company's network, the cybercriminals carried out fraudulent PIX transactions. The losses relate to just one financial institution that contracts with C&M, so the total is thought likely to rise further.
  • Italian police arrest Diskstation ransomware gang leader – Italian police have arrested a 44-year-old Romanian man for cyberattacks against Italian companies as part of a law enforcement effort called Operation Elicius. The unnamed man is said to be the leader of the Diskstation Security ransomware group, which has targeted Synology network-attached storage (NAS) devices since 2021.
  • Samsung announces KEEP for storing sensitive data – Samsung has announced security and privacy updates for Galaxy smartphones with One UI 8, including support for quantum-resistant Wi-Fi connections using ML-KEM and a new architecture called Knox Enhanced Encrypted Protection (KEEP), which creates encrypted, app-specific storage environments for sensitive data. It also integrates with Samsung's Personal Data Engine (PDE) and Knox Vault, the company's hardware security environment, to enable personalized artificial intelligence (AI) features by analyzing user data.
  • Cambodia arrests more than 1,000 people in online fraud crackdown – Cambodian authorities have arrested more than 1,000 suspects tied to online fraud as part of a crackdown on cybercrime operations in the country. Those detained included more than 200 Vietnamese, 27 Chinese and 75 Taiwanese suspects, along with 85 Cambodians, in the capital Phnom Penh and southern Sihanoukville. Approximately 270 Indonesians, including 45 women, were arrested in Poipet. In related developments, Thai officials raided properties linked to Cambodian senator and business tycoon Kok An in connection with a local network of cyber fraud call centres.

🎥 Cybersecurity Webinar

  • From Autofill to Alarm Bell: Securing Your Identity in the Age of AI – Logging in has become easier, but less trustworthy. As AI reshapes digital identity, users are questioning how their data is used and who is actually behind the screen. In this session, discover how top brands are addressing AI-driven identity risks and rebuilding trust with a smarter, privacy-first authentication strategy.
  • How Attackers Hijack Your Dependencies, and What DevSecOps Teams Must Do Now – Your Python environment is under attack. In 2025, repository hijacking, poisoned packages and typosquatting are no longer unusual edge cases; they are part of the threat landscape. This webinar shows developers and DevSecOps leaders how to lock down the Python supply chain before a compromised dependency takes down the system.
  • AI Copilots: Learn How to Lock Down the Identity Layer Against Attackers – AI copilots are boosting productivity, but from API abuse to synthetic logins, the identity layer is under siege. Join Okta to learn how to secure AI-driven workflows in 2025, detect AI-driven threats, and make identity your strongest line of defense.

🔧 Cybersecurity Tools

  • OSINTMAP – A lightweight tool that helps you quickly find and use common OSINT resources. It organizes hundreds of research links, including search engines, domain lookups, breach checkers and more, into a single local dashboard. Ideal for anyone working in OSINT, saving time by keeping everything in one place.
  • nortixmail – An open-source, self-hosted disposable mail server that makes burner addresses simple without the headaches of running a regular email server. You can spin it up with Docker or manually, generate temporary email addresses on demand, and view messages through a clean web interface. It keeps messages local and does not rely on third-party services, making it a handy tool for testing, avoiding spam, or protecting your inbox during risky sign-ups.

Disclaimer: These newly released tools are for educational use only and have not been fully audited. Use at your own risk: review the code, test it safely, and apply appropriate protection measures.

🔒 Tip of the Week

Hunt for hidden scheduled tasks in the registry – Attackers often maintain a foothold on a system using Windows scheduled tasks. Some go a step further by deleting key registry values, such as SD (the task's security descriptor) and Index, which makes the task invisible to common tools like Task Scheduler, schtasks and even Autoruns. These hidden tasks still run in the background and can be used for persistence or malware delivery.

Tools like Autoruns (Sysinternals) and TaskSchedulerView (by NirSoft) are good starting points for seeing what tasks are visible: they list active tasks and help spot unusual ones. Hidden tasks, however, require digging deeper. Using PowerShell, walk the registry path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree and look for task keys with a missing SD value.

For more advanced checks, use Sysmon to track changes to the TaskCache registry keys and Procmon to monitor registry activity in real time. Look for suspicious task names, missing values, or tasks with an Index of 0. Also set up an alert on Security event ID 4698, which records new scheduled task creations (it only appears if the relevant object-access audit policy is enabled).

In short, use both the visual tools and direct registry checks to reveal hidden scheduled tasks. Regular scans, baseline comparisons and basic alerting help you catch the threat early, before it does damage.
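The following PowerShell script is an added example implementing the checks described above; it is not code from the original article. It walks TaskCache\Tree, flags any task whose key lacks the SD value, carries Index 0, or is absent from Get-ScheduledTask output, diffs the findings against a saved baseline, and lists recent 4698 events. The baseline file location and the use of the Author value from TaskCache\Tasks are assumptions; it must run from an elevated prompt, since reading those keys requires administrator rights.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): surface scheduled tasks that are
# hidden from the Task Scheduler API by reading the TaskCache registry directly.

$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$treeName  = (Get-Item -Path $treeRoot).Name     # HKEY_LOCAL_MACHINE\...\TaskCache\Tree

# Everything the Task Scheduler API admits to, keyed as \Folder\Name to match the Tree layout.
$visible = @{}
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $visible[$t.TaskPath + $t.TaskName] = $true
}

function Get-HiddenTaskFinding {
    foreach ($key in Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or [string]::IsNullOrEmpty($props.Id)) { continue }

        # Folder keys carry an Id too; only real tasks have a matching Tasks\{GUID} record.
        $recordPath = Join-Path -Path $tasksRoot -ChildPath $props.Id
        if (-not (Test-Path -Path $recordPath)) { continue }

        $taskPath = $key.Name.Substring($treeName.Length)   # "\Microsoft\Windows\...\Name"
        $reasons  = @()
        if ($null -eq $props.SD)                  { $reasons += 'MissingSD' }    # SD deleted to hide the task
        if ($props.Index -eq 0)                   { $reasons += 'ZeroIndex' }
        if (-not $visible.ContainsKey($taskPath)) { $reasons += 'NotInSchedulerAPI' }
        if ($reasons.Count -eq 0) { continue }

        $record = Get-ItemProperty -Path $recordPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TaskPath = $taskPath
            Id       = $props.Id
            Index    = $props.Index
            Reasons  = ($reasons -join ',')
            Author   = $record.Author   # assumed value name; may be empty
        }
    }
}

$findings = @(Get-HiddenTaskFinding)
$findings | Format-Table -AutoSize

# Baseline comparison: the first run stores the current picture, later runs warn on anything new.
$baseline = Join-Path -Path $env:ProgramData -ChildPath 'taskcache-baseline.json'   # assumed location
if (Test-Path -Path $baseline) {
    $known = @{}
    foreach ($p in @((Get-Content -Path $baseline -Raw | ConvertFrom-Json).TaskPath)) {
        if ($p) { $known[$p] = $true }
    }
    foreach ($f in $findings) {
        if (-not $known.ContainsKey($f.TaskPath)) {
            Write-Warning "New suspicious task since baseline: $($f.TaskPath) [$($f.Reasons)]"
        }
    }
} else {
    ConvertTo-Json -InputObject $findings | Set-Content -Path $baseline
}

# Recent task creations from the Security log (event ID 4698). Returns nothing unless the
# "Audit Other Object Access Events" subcategory is enabled.
$filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; Task = $d['TaskName']; CreatedBy = $d['SubjectUserName'] }
} | Format-Table -AutoSize
```

Run it once on a known-clean host to seed the baseline, then schedule it or run it during triage; a task that shows up with MissingSD or NotInSchedulerAPI deserves a look at the Actions data in its TaskCache\Tasks record before it is removed, since deleting the key without capturing it destroys the evidence of what it executed.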

Conclusion

What becomes clearer every week is that attacker sophistication is no longer the exception but the baseline. AI-driven reconnaissance, credential abuse and mimicry of legitimate signals are no longer advanced techniques. They are everyday.


And as coordination gaps persist across security teams, the line between low-level noise and high-impact intrusion continues to blur. The result is not just compromise, but a deeper erosion of trust. Where trust was once a strength, it is now the surface attackers exploit.
