NRG Networks Inc.

  Takeaway: A mature, Delphi‑based banking trojan active since 2016, now using DLL side‑loading, P2P communications, and anti‑analysis techniques to steal banking credentials across 45+ countries. What it is A Windows banking trojan targeting thousands of financial institutions globally. Active since 2016 , continuously updated, and operated as Malware‑as‑a‑Service (MaaS) . Recent Campaigns (2024–2026) Targeting Spain, Portugal, Mexico , and expanding globally after law‑enforcement pressure. Distributed via phishing emails with malicious links or ZIP/VBS loaders. Uses DLL side‑loading through legitimate software to evade detection. Incorporates CAPTCHA checks to resist sandboxing and automated analysis. Technical Capabilities Credential theft for banks and fintechs (Santander, Revolut, Wise, etc.). DLL side‑loading using Delphi‑built DLLs (e.g., mingwm10.dll , libwebp.dll ). P2P/WebRTC communications using STUN/ICE to blend into noisy conferencing traffic. Anti‑analysis : o...

What was GlassWorm? GlassWorm is a sophisticated supply‑chain malware campaign that targeted software developers and the open‑source ecosystem.  Key traits: Spread via: Malicious VS Code / OpenVSX extensions Compromised npm and Python packages Poisoned GitHub repositories  Goal: Steal credentials (GitHub, npm, cloud tokens) Exfiltrate crypto wallets and secrets Take over developer accounts and propagate further  Big risk: One compromised developer → downstream supply‑chain compromise impacting many organizations   Why it was so dangerous GlassWorm was unusually hard to stop because of its resilient, multi-layered command-and-control (C2) design: Solana blockchain → stored C2 addresses (immutable “dead drops”) BitTorrent DHT → decentralized config distribution Google Calendar → hidden encoded commands Traditional servers → payload delivery  👉 This meant: Taking down one channel didn’t matter—the malware would just switch to another.  What “disr...

  Microsoft has issued a security alert about two new zero‑day vulnerabilities in Microsoft Defender that are already being actively exploited in real-world attacks .  The two vulnerabilities CVE‑2026‑41091 (High severity – privilege escalation) A flaw in the Microsoft Malware Protection Engine Lets an attacker gain SYSTEM-level privileges (full control of the machine)  CVE‑2026‑45498 (Moderate severity – denial of service) Impacts the Defender Antimalware Platform Can be used to crash or disable protection , opening the door for further attacks  👉 Both are confirmed zero‑days , meaning attackers were exploiting them before patches were available.   Why this matters These bugs affect core Defender components used across: Windows 10/11 Windows Server System Center Endpoint Protection Successful exploitation could: Give attackers full admin control Let them disable antivirus protections Or knock systems offline with DoS  The U.S. cybersecurity agenc...

What happened On May 19–20, 2026 , GitHub disclosed unauthorized access to its internal systems . [https://us...s/original] Attackers stole data from ~3,800 internal repositories . [infoworld.com] , [bleepingcomputer.com]  How the breach occurred The attack did NOT break GitHub directly from the outside . Instead, it started when: A GitHub employee installed a malicious (poisoned) Visual Studio Code extension . [infoworld.com] That extension compromised the employee’s device , giving attackers access. [techcrunch.com] 👉 This is called a supply chain attack , targeting developer tools instead of the platform itself.  What was accessed GitHub says the breach involved: ✅ Internal repositories (GitHub’s own code and systems) [tech.yahoo.com] ✅ Possibly internal source code and organizational data Importantly: ❌ No confirmed impact to customer repositories or user data [securityweek.com] , [cybernews.com]  Who did it A hacker group known as TeamPCP claimed responsibility. ...

  What Microsoft released 1) RAMPART (AI safety testing framework) Full name: Risk Assessment and Measurement Platform for Agentic Red Teaming [thehackernews.com] Open-source framework for testing AI agents for safety and security issues Built on Python/pytest, integrates into CI pipelines What it does Lets developers write repeatable safety tests (like unit tests, but for AI behavior) Simulates both: ✅ Normal (benign) scenarios ❌ Adversarial attacks (e.g., prompt injection) Turns red-team findings into automated regression tests   Supports probabilistic evaluation (important for LLM variability) Why it matters AI agents now: Access email, CRM data, tools, and code execution Can take actions (not just generate text) → This dramatically increases risk (data leaks, unintended actions, prompt injection). 👉 RAMPART makes AI safety continuous , not a one-time audit. 2) Clarity (design-time reasoning tool) Described as a “structured sounding board” for developers What it does H...

Mini‑Shai Hulud refers to a large, coordinated software supply‑chain attack campaign attributed to the threat group TeamPCP , targeting major open‑source ecosystems including npm , PyPI , and Composer . It is a successor and scaled‑down variant of the earlier Shai‑Hulud worm, but still highly capable and dangerous. Below is a clear, structured breakdown of what Mini‑Shai Hulud is, how it works, who it hit, and why it matters — all grounded in the latest reporting.  What Mini‑Shai Hulud is Mini‑Shai Hulud is a credential‑stealing, self‑propagating supply‑chain malware inserted into legitimate open‑source packages. It infects developer environments and then uses stolen tokens to publish malicious versions of any packages the victim has write access to. It is part of a broader trend of automated supply‑chain attacks where attackers compromise CI/CD pipelines, GitHub Actions, and package registries to spread malware at scale.  Who was affected Across multiple registries, the ...

Microsoft Entra ID is the identity platform that controls access to:   Microsoft 365 (Exchange, SharePoint, Teams, OneDrive)   Azure resources (VMs, storage, databases, etc.)   If an attacker gains control of an Entra ID account , they can:   Authenticate as a legitimate user   Access permitted data   Move laterally across services   Exfiltrate sensitive information   In most real-world attacks, identity compromise replaces malware as the primary entry point .     Common Attack Path (High-Level)   1. Initial Access   Attackers obtain credentials via:   Phishing (most common)   Password spray attacks   Token theft (session hijacking)   OAuth app abuse     2. Privilege Escalation   Once inside, they try to gain higher privileges:   Exploiting misconfigured roles   Abusing global admin accounts   Consent phishing (malicious apps granted permissions)     3. Data Discover...