Cybersecurity Wiretap #5: From Arbitrary JavaScript Execution to Crypto Mining Operations with a Focus on Ransomware Analysis (week of 05/20/2024)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js by @CodeanIO

  • allows an attacker to execute arbitrary JavaScript code when a malicious PDF file is opened
  • affects all Firefox users (<126) & many web- and Electron-based apps that use PDF.js (directly or indirectly)


  • infect & persist while blending into regular background network noise
  • embedding malicious scripts within innocuous clouds provides sustained access for data exfil & command exec

SamsStealer: Unveiling the Information Stealer Targeting Windows Systems by @CyfirmaR

  • collects system info & creates Temp folder to store extracted data
  • compresses gathered info into “” & uploads to

Tinyproxy (CVE-2023-49606) – Vulnerability Analysis and Exploitation by @CyfirmaR

  • allows remote attackers to execute arbitrary code on affected systems
  • vulnerability stems from a memory safety issue triggered while processing HTTP connection headers

Iluria Stealer; a Variant of Another Discord Stealer by @CyfirmaR

  • created by same dev behind Nikki Stealer
  • both share similar code with SonicGlyde; variant of Epsilon Stealer, which captures browser cookies, creds, & credit card info saved in Discord

SYNAPSE : Ransomware Technical Analysis by @CyfirmaR

  • spares Iranian systems from encryption
  • Pre-encryption: privilege escalation, defense system impairment & shadow copy deletion.
  • Post-encryption: file renaming, wallpaper and icon changes & data wiping

Operation Diplomatic Specter by #PaloAlto’s #Unit42

  • long-term espionage operations against at least 7 governmental entities
  • threat actor performed intel collection efforts at large scale, leveraging rare email exfil techniques

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations by @elasticseclabs

  • leverages vuln drivers to terminate & delete known EDR agents that would interfere with deployed coin miner
  • incorporated many contingency & duplication mechanisms

Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit by @LabsSentinel

  • profile and recent actions, highlighting the threat actor’s methodology, social media activity and relevance within the wider geopolitical context

Thanks a lot for reading.
