Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • How SOC as a Service Fits into Zero Trust

    How SOC as a Service Fits into Zero Trust

    Zero Trust has become the organizing model for most modern security programs. At the same time, more organizations are moving to SOC as a Service because the operational load of running an in-house SOC, tuning content, maintaining coverage, hiring analysts, and responding at all hours, is increasingly unrealistic. The question most security leaders ask now is simple: where do these two strategies meet, and how does a managed SOC actually help an organization progress toward a Zero Trust architecture?

    A Brief Foundation

    Zero Trust rests on a core idea: nothing inside the environment is assumed safe, and every request for access is treated as a fresh decision based on identity, device posture, context, and risk signals. Network location offers no automatic trust. Access is only granted when enough evidence supports it, and that evidence must be re-evaluated continuously.

    A managed SOC fits directly into that model because Zero Trust cannot function without ongoing visibility, correlation, and feedback. The architecture depends on the constant collection of logs, signals, and behaviors. It also depends on someone interpreting that data and using it to reinforce policies. That is where SOC as a Service operates best.

    What SOC as a Service Actually Delivers

    SOC as a Service replaces the traditional in-house security operations center with a cloud-delivered team responsible for continuous monitoring, detection, investigation, and response guidance. It removes the need for organizations to maintain a SIEM, staff analysts, or manage tooling pipelines. Instead, the provider handles:

    • Round-the-clock monitoring of infrastructure, endpoints, cloud services, identities, and applications.
    • Detection logic tuned to real attacker behaviors, supported by threat intelligence and behavioral analytics.
    • Human investigation of alerts to filter false positives and escalate only meaningful activity.
    • Guidance or hands-on assistance in containment actions.

    This turns cybersecurity operations into an operating expense and removes most of the overhead associated with scaling a SOC internally.

    How SOC as a Service Strengthens Zero Trust

    Zero Trust is built on several pillars: identity, devices, networks, applications, and data. What ties them together is a continuous verification loop. SOC as a Service provides that loop.

    Identity

    Every Zero Trust program treats identity as the first control point. A managed SOC monitors authentication flows, MFA behavior, privileged account usage, and suspicious consent activity. Analysts can detect token theft, unusual login patterns, or abuse of service accounts. These events guide adjustments to conditional access policies, privilege boundaries, and identity governance controls.

    Devices

    Zero Trust expects devices to be healthy, monitored, and strongly attributed. SOCaaS providers rely on EDR or XDR telemetry to maintain a real-time view of host behavior: exploit attempts, persistence mechanisms, unexpected command execution, or lateral movement. These findings feed decisions about device trust levels and drive adjustments to posture-based access rules.

    Networks

    Zero Trust networking emphasizes microsegmentation and the reduction of lateral movement. A managed SOC watches internal flows, VPN activity, and unusual traversal between segments. When the SOC sees a suspicious pattern, an unmanaged host reaching into a sensitive subnet, or a workload attempting a direct database connection, it can recommend segmentation changes or closer boundary controls.

    Applications and Workloads

    Modern environments depend heavily on cloud workloads, containerized applications, and APIs. SOCaaS monitors logs from orchestration layers, serverless functions, WAFs, and API gateways. Analysts look for abuse of service accounts, unexpected API calls, or deviations in workload behavior. Those insights push teams to refine workload identity, strengthen application access policies, and correct misconfigurations exposed by real activity.

    Data

    The data pillar is where Zero Trust ultimately leads. A managed SOC correlates DLP activity, cloud storage access, database audit logs, and file access events with identity and device context. When patterns point to exfiltration or unauthorized aggregation, the SOC can recommend policy adjustments to narrow access or implement stricter controls on sensitive repositories.

    Why SOC as a Service Accelerates Zero Trust Adoption

    Zero Trust requires telemetry coverage, deep correlation, and continuous feedback. Those demands are exactly where organizations often struggle. SOCaaS fills that operational gap in several ways.

    • It provides the visibility foundation needed before any meaningful Zero Trust policy decisions can occur. Without consistent logging and analysis, Zero Trust devolves into guesswork.
    • It shortens the gap between detection and response. The whole idea of Zero Trust is built around the assumption that threats will get inside. Fast detection and containment support that mindset.
    • It turns incidents into policy improvements. Every confirmed alert reveals gaps: an identity with too much access, a segment too open, a workload too permissive. A managed SOC highlights these weaknesses and pushes teams to refine controls.
    • It supports automation. As detection patterns stabilize, playbooks can be developed so certain events trigger automated policy adjustments or isolation steps. SOCaaS providers often help organizations mature into these automated workflows.

    Patterns That Help Programs Mature Faster

    Organizations that successfully integrate SOC as a Service into their Zero Trust programs tend to follow a few predictable patterns.

    • They start with a mapping exercise, comparing their log and signal coverage to the Zero Trust pillars; the gaps usually show where the SOC needs more data.
    • They feed every investigation into policy refinement, rather than treating incidents as isolated tasks. This is the difference between an operational SOC and a Zero Trust SOC.
    • They align SOC workflows and SLAs with Zero Trust goals. If identity risk is the top priority, identity-related detections must be escalated differently than low-impact anomalies.
    • They address governance questions early: who owns tuning, what data gets retained, how automated actions are approved, and how findings feed into compliance and internal risk reporting.

    Final View

    Zero Trust depends on ongoing verification, adaptive controls, and the assumption that intrusions will occur. That model cannot function without continuous monitoring and interpretation of security data. SOC as a Service gives organizations a practical engine for that work. It closes operational gaps, accelerates maturity, and supplies the visibility and response capabilities that Zero Trust requires.

    Without a managed SOC or an in-house equivalent, Zero Trust risks becoming a diagram instead of a functioning security model. With SOC as a Service in place, the architecture gains the real-time feedback and corrective pressure it needs to actually protect an organization.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • NETIZEN AWARDED SPOT ON NEW 10-YEAR $151B MISSILE DEFENSE AGENCY ‘SHIELD’ CONTRACT

    NETIZEN AWARDED SPOT ON NEW 10-YEAR $151B MISSILE DEFENSE AGENCY ‘SHIELD’ CONTRACT

    Allentown, PA: Netizen Corporation, an ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level 3 certified Veteran-Owned provider of cybersecurity and related solutions for defense, government, and commercial customers worldwide, has been awarded a spot on the Missile Defense Agency’s (MDA) Scalable Homeland Innovative Enterprise Layered Defense (SHIELD) indefinite-delivery/indefinite-quantity (IDIQ) contract with a total value of $151,000,000,000 over 10 years. MDA SHIELD will be the primary procurement method for upcoming work associated with the “Golden Dome” initiative, a multi-layer missile defense system directed by the Trump administration to be built as a strategic national priority. “Golden Dome” is intended to protect the U.S. homeland from long-range and hypersonic missile threats, akin to Israel’s “Iron Dome” system but exponentially larger in scope and scale.

    The SHIELD contract allows MDA and other defense entities to rapidly acquire capabilities from a pre-vetted pool of vendors by leveraging agile procurement processes under one highly flexible enterprise contract vehicle. It encompasses a broad range of work areas that allow for the delivery of innovative capabilities utilizing cutting-edge technological advances in areas such as artificial intelligence and machine learning for missile defense systems. Work areas of the SHIELD contract include prototyping, weapon design, cybersecurity, systems engineering, and data mining, to name a few. Over 2,700 offers were received by MDA in response to the SHIELD contract solicitation with 1,014 vendors being selected for a position on the contract after an intensive review process that required a relevant and advanced defense-related work performance history, among other qualifications.

    Akhil Handa, Netizen’s Chief Operating Officer (COO), stated that “earning a spot on this SHIELD contract, with homeland missile defense now mandated a critical national priority by Presidential Executive Order, is a key strategic objective for the company and integral to our growth and diversification within the defense industry. We very much look forward to leveraging our exceptionally high-rated defense past performance and expertise to provide innovative yet cost-effective missile defense support solutions in areas such as cybersecurity, systems engineering, and artificial intelligence.”  He also said that further geographic expansion into the Huntsville, Alabama area, where MDA is headquartered, may be likely for Netizen as contract task orders are awarded.

    About Netizen Corporation:

    Founded in 2013, Netizen is a highly specialized provider of cybersecurity and related technology solutions. The company, a Small Business Administration (SBA) certified Service-Disabled Veteran Owned Business (SDVOSB), is headquartered in Allentown, PA with additional offices and staff locations in Virginia (DC Metro), South Carolina (Charleston), and Florida. Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of its operations.

    In addition to recognition as one of the fastest-growing businesses in the U.S. now three times by Inc. Magazine in their annual “Inc. 5000” list of the nation’s most successful companies, Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for Veteran hiring and training, a Greater Lehigh Valley Chamber of Commerce Business of the Year and Veteran-Owned Business of the Year, and a recipient of dozens of other awards for innovation, community involvement, and growth.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) in Allentown, PA that delivers comprehensive cybersecurity monitoring solutions for both government and commercial clients. Their service portfolio also includes cybersecurity assessments and advisory, software assurance, penetration testing, cybersecurity engineering, and compliance audit support for government and commercial markets.

    Netizen specializes in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Their proven track record in these domains positions them as the premier trusted partner for organizations where technology reliability and security simply cannot be compromised.

    Learn more at https://www.Netizen.net.   

    FOR IMMEDIATE RELEASE:                               POINT OF CONTACT:

    December 8, 2025                                                  Tara Ellis, Director of Capture // press@netizen.net 

  • Microsoft December 2025 Patch Tuesday Fixes 57 Flaws, Including Three Zero-Days

    Microsoft December 2025 Patch Tuesday Fixes 57 Flaws, Including Three Zero-Days

    Microsoft’s December 2025 Patch Tuesday includes fixes for 57 vulnerabilities, including one actively exploited zero-day and two publicly disclosed zero-days. Three of the patched flaws are classified as critical, all tied to remote code execution.

    Breakdown of Vulnerabilities

    • 28 Elevation of Privilege vulnerabilities
    • 19 Remote Code Execution vulnerabilities
    • 4 Information Disclosure vulnerabilities
    • 3 Denial of Service vulnerabilities
    • 2 Spoofing vulnerabilities

    These totals do not include 15 Microsoft Edge vulnerabilities or Mariner fixes that were released earlier in the month. Non-security updates released alongside this cycle include Windows 11 KB5072033 and KB5071417.

    Zero-Day Vulnerabilities

    This month’s update addresses three zero-days, one of which has been actively exploited in real-world attacks.

    CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

    This actively exploited flaw stems from a use-after-free condition in the Windows Cloud Files Mini Filter Driver. Successful exploitation allows a local attacker to escalate privileges to SYSTEM. Microsoft attributes the discovery to the Microsoft Threat Intelligence Center and Microsoft Security Response Center but has not shared exploitation details.

    CVE-2025-64671 | GitHub Copilot for JetBrains Remote Code Execution Vulnerability

    This publicly disclosed vulnerability allows local command execution through improper neutralization of special elements in command handling. The issue can be triggered via a Cross Prompt Injection using untrusted files or malicious MCP servers, allowing attackers to append commands to those auto-approved in the terminal. The flaw was disclosed by Ari Marzuk as part of the “IDEsaster” research into AI-powered development tools.

    CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability

    This PowerShell vulnerability results from improper command handling when Invoke-WebRequest retrieves web content containing embedded scripts. Under certain conditions, those scripts could execute locally. Microsoft has added a new warning that prompts users to apply the -UseBasicParsing switch to prevent unintended script execution. Multiple researchers contributed to the discovery of this issue.

    Other Critical Vulnerabilities

    Beyond the zero-days, Microsoft patched three additional critical RCE flaws affecting Windows components. While exploitation details were not disclosed, the classification indicates a high likelihood of weaponization once exploit tooling becomes available.

    Adobe and Other Vendor Updates

    Other major vendors issued important security updates in December 2025:

    • Adobe released updates for ColdFusion, Experience Manager, DNG SDK, Acrobat Reader, and Creative Cloud Desktop.
    • Fortinet addressed multiple product flaws, including a critical FortiCloud SSO login authentication bypass.
    • Google released Android’s December bulletin, which includes fixes for two actively exploited vulnerabilities.
    • Ivanti issued patches for December, including a 9.6 stored XSS flaw in Ivanti Endpoint Manager.
    • React released fixes for a critical RCE flaw in React Server Components known as React2Shell, which is now widely exploited.
    • SAP released December security updates across multiple products, including a 9.9 code injection flaw in SAP Solution Manager.

    Recommendations for Users and Administrators

    Organizations should prioritize patching systems affected by the Cloud Files Mini Filter Driver flaw, PowerShell, and any environments using GitHub Copilot for JetBrains. The actively exploited privilege escalation vulnerability poses immediate risk for post-exploitation attacks and lateral movement.

    Administrators should also apply the new PowerShell safeguards tied to Invoke-WebRequest and review recent third-party updates from Fortinet, Google, React, and SAP, especially where active exploitation is already underway.

    Full technical details and patch links are available in Microsoft’s Security Update Guide.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (12/8/2025)

    Netizen: Monday Security Brief (12/8/2025)

    Today’s Topics:

    • Detecting React2Shell: What Security Teams Should Be Watching for Right Now
    • BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms
    • How can Netizen help?

    Detecting React2Shell: What Security Teams Should Be Watching for Right Now

    Since the disclosure of CVE-2025-55182 on December 3, 2025, most of the attention around React2Shell has centered on patching timelines and framework exposure. That is necessary, but for many environments, detection is the real safety net while fixes are staged, tested, and deployed. This vulnerability enables unauthenticated remote code execution against React Server Components through a single crafted HTTP request, and public proof-of-concept code is already circulating. With default configurations proving exploitable in most cases, security teams should assume active scanning and live exploitation attempts are already taking place.

    The core behavior to watch for is unexpected server-side command execution originating from Next.js, React Router, or other RSC-backed runtimes. Once the deserialization flaw in the React “Flight” protocol is triggered, attackers can instruct the server to spawn shell commands directly. In practice, this often surfaces as web-facing services suddenly executing file system commands, downloading secondary payloads, or opening outbound connections that do not align with normal application behavior. Any instance of a web server process invoking utilities like ls, cat, curl, wget, chmod, or similar tools in production should be treated as a high-confidence signal.

    Runtime detection has already proven effective against this activity. The Sysdig Threat Research Team reinforced its “Suspicious Command Executed by Web Server” logic to catch React2Shell exploitation as it happens. Their Falco rule focuses on process execution events where a shell is launched by next-server, react-router, waku, or vite-related processes and then used to execute common Unix commands. In observed cases, this rule alone has been sufficient to surface exploitation almost immediately. Additional runtime alerts such as reverse shell detections and UNIX socket redirections have also been triggered during real attack simulations, which aligns with attacker behavior focused on persistence and remote control.

    Network-layer protections also play a role, though they should be treated strictly as short-term containment. Cloudflare, Google Cloud Armor, Vercel, and Firebase have all deployed platform-level rules aimed at blocking exploitation attempts tied to unsafe deserialization in POST requests. These controls can reduce opportunistic attacks, but they do not change the underlying application behavior. WAF bypass techniques remain a routine part of modern exploit chains, so organizations relying solely on edge filtering remain exposed.

    Vulnerability scanning adds another detection layer, though teams should be cautious about tool quality. Many publicly shared scanners misidentify React2Shell or fail to confirm exploitability accurately. Assetnote released one of the more reliable approaches by triggering a specific server error response tied to the vulnerable deserialization logic. Platforms with integrated vulnerability management can already flag affected React packages directly through software inventory, which helps prioritize response across large environments.

    From a defensive standpoint, the detection priority is straightforward: watch for anomalous command execution by web services, monitor outbound connections from application servers that do not normally initiate external traffic, and treat any reverse shell indicators as confirmation of compromise. These signals tend to appear quickly after successful exploitation because attackers gain immediate code execution and typically move to payload delivery or persistence within seconds.

    Patching remains the only real fix, but detection is what buys response teams time. Updated React Server Components releases at 19.0.1, 19.1.2, and 19.2.1 remove the vulnerable code path, and patched Next.js versions close downstream exposure. Until those updates are fully deployed, continuous runtime monitoring is the line that separates a blocked exploit attempt from a full server takeover.

    BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms

    CISA confirmed last week that a sophisticated backdoor called BRICKSTORM is being actively used by state-sponsored operators from the People’s Republic of China to maintain long-term, covert access inside U.S. networks. The malware targets both VMware vSphere and Windows environments and is designed for persistence, remote command execution, and stealthy command-and-control. According to CISA, BRICKSTORM gives attackers interactive shell access along with full file manipulation capabilities, making it a powerful post-exploitation platform rather than a simple loader or beacon.

    BRICKSTORM is written in Golang and supports multiple C2 channels, including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS. It can also operate as a SOCKS proxy, which allows attackers to tunnel traffic through compromised systems and pivot deeper into internal networks. One of its more dangerous traits is its built-in self-monitoring logic that automatically reinstalls or restarts the implant if it is disrupted. That single feature sharply increases dwell time by allowing the malware to survive partial remediation efforts.

    The malware was first documented in 2024 by Google Mandiant during investigations tied to the zero-day exploitation of Ivanti Connect Secure vulnerabilities, including CVE-2023-46805 and CVE-2024-21887. Since then, the activity has matured. CISA now ties the tool to operations conducted by UNC5221 and a separate China-nexus threat cluster that CrowdStrike tracks as Warp Panda. CrowdStrike reports that Warp Panda has been active since at least 2022 and has focused heavily on VMware vCenter environments inside U.S. legal, technology, and manufacturing organizations throughout 2025.

    In one confirmed intrusion, attackers gained initial access to a public-facing web server inside a DMZ using a web shell, then moved laterally into an internal vCenter server where BRICKSTORM was implanted after privilege escalation. From there, the operators harvested service account credentials, accessed a domain controller over RDP, and extracted Active Directory data. They continued moving laterally using SMB to additional jump servers and an ADFS server, where cryptographic keys were exfiltrated. From the compromised vCenter system, they were then able to shovel traffic between hypervisors and guest VMs while disguising BRICKSTORM as a legitimate vCenter process.

    CISA’s technical breakdown shows that BRICKSTORM relies on custom handlers to spin up web servers on compromised hosts, establish SOCKS proxy tunnels, and execute commands remotely. Some components are purpose-built for virtualized environments and leverage the VSOCK interface for inter-VM communication, data exfiltration, and resilience across ESXi hosts and guest machines. CrowdStrike confirmed that in several intrusions, BRICKSTORM was deployed alongside two previously undocumented Golang implants named Junction and GuestConduit. Junction acts as a local HTTP command server and proxy layer on ESXi hosts, while GuestConduit sits inside guest VMs and maintains a persistent VSOCK listener on port 5555 to bridge traffic back to the hypervisor.

    Initial access continues to rely on edge device exploitation and stolen or abused credentials. Confirmed vulnerabilities include multiple Ivanti Connect Secure flaws, VMware vCenter bugs such as CVE-2024-38812, CVE-2023-34048, and CVE-2021-22005, as well as CVE-2023-46747 in F5 BIG-IP. Once inside vCenter, the attackers use SSH, the privileged “vpxuser” account, and SFTP to move laterally and shuttle data between hosts. Their cleanup discipline remains strong, with timestomping, aggressive log clearing, and short-lived rogue virtual machines used for staging operations before being destroyed.

    What makes Warp Panda’s activity especially concerning is its cloud focus. CrowdStrike described the group as “cloud-conscious,” noting repeated abuse of Microsoft Azure environments after on-prem compromise. Attackers accessed OneDrive, SharePoint, and Exchange by stealing browser session tokens and replaying them through BRICKSTORM tunnels. In at least one case, they registered new MFA devices to entrench access and used Microsoft Graph API calls to enumerate service principals, applications, directory roles, and user mailboxes. This shows a clean operational bridge between on-prem virtualization compromise and direct exploitation of SaaS identity planes.

    The operational goal is not disruption. Everything about this malware stack points to intelligence collection and quiet, long-term access. CrowdStrike observed attackers cloning domain controller virtual machines inside vCenter to extract Active Directory databases offline. They also accessed employee email accounts aligned with Chinese government interest areas and performed limited reconnaissance against foreign government networks from within U.S. infrastructure. This is classic strategic access behavior backed by modern virtualization tradecraft.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Chinese Threat Groups Move Fast on Newly Disclosed React2Shell Vulnerability

    Chinese Threat Groups Move Fast on Newly Disclosed React2Shell Vulnerability

    A new round of activity tied to China-based operators began almost immediately after details of CVE-2025-55182 were released. The flaw, now nicknamed React2Shell, affects React Server Components and grants remote code execution without authentication. With a perfect CVSS score of 10.0, the weakness attracted interest from multiple actors within hours, according to new reporting from Amazon Web Services.

    Patches and Early Exploitation Attempts

    Patches landed in React versions 19.0.1, 19.1.2, and 19.2.1. Even with fixes available, attempts to exploit unpatched systems appeared nearly in real time across AWS MadPot honeypots. CJ Moses, CISO of Amazon Integrated Security, noted that the traffic matched long-running Chinese state-linked infrastructure and patterns that analysts have tracked for several years.

    Earth Lamia’s Activity

    One cluster of attempts came from sources tied to Earth Lamia, the same group responsible for exploiting SAP NetWeaver (CVE-2025-31324) earlier this year. Earth Lamia has shown wide geographic reach, hitting organizations across financial services, logistics, retail, higher education, government entities, and general IT across Latin America, the Middle East, and Southeast Asia. Their behavior around React2Shell fits with that pattern: broad reconnaissance, automated probing, and a desire to reach new entry points before defenders finish patching.

    Jackpot Panda’s Parallel Interest

    A second wave matched indicators linked to Jackpot Panda. This actor has a long-running focus on gambling-adjacent operations in East and Southeast Asia, and is known for supply chain compromises, including the Comm100 incident in 2022. Research from CrowdStrike and ESET has tied Jackpot Panda to a series of campaigns that rely on manipulated installers, staged implants, and credential theft. More recent work suggests that I-Soon, a Chinese contractor, may have supported portions of those operations due to infrastructure overlap.

    By 2023, Jackpot Panda had shifted attention inward, aiming at Chinese-speaking users through trojanized CloudChat installers. Those installers set up a multi-stage chain that delivered an implant named XShade, which analysts say overlaps with the group’s earlier CplRAT tooling. Their presence in the early React2Shell exploitation window signals how quickly established operators adjust playbooks once a fresh entry point appears.

    What Early Probing Looked Like

    AWS observed attackers testing basic shell commands, creating or modifying files such as /tmp/pwned.txt, and attempting to read /etc/passwd. This pattern reflects the early phase of an opportunistic campaign—simple checks to confirm that the target is vulnerable, followed by a gradual shift into more tailored post-exploitation activity. The same scanners also attempted to weaponize N-day issues such as the NUUO Camera flaw (CVE-2025-1338), which points to a broad sweep rather than a single-purpose operation.

    Moses described the workflow as a routine cycle for these groups: watch vulnerability disclosures closely, grab public exploit code as soon as it appears, and feed it into sweeping infrastructure that tests multiple CVEs at once. Whoever falls behind on patching becomes the easiest target.

    Cloudflare’s Brief Outage

    At the same time, the broader ecosystem felt the ripple effect of the disclosure. Cloudflare experienced a short but very visible service interruption that produced waves of 500 errors across major sites. The company later clarified that the problem came from an internal change to its Web Application Firewall. The update was intended to expand protection for the new React2Shell issue. A parsing error caused the outage, not any attempt by threat actors to hit Cloudflare’s systems.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Inside Lazarus Group’s Remote-Worker Scheme: Researchers Capture the Operation Live

    Inside Lazarus Group’s Remote-Worker Scheme: Researchers Capture the Operation Live

    A joint investigation by BCA LTD, NorthScan, and ANY.RUN has provided an unusually clear look into one of North Korea’s most persistent infiltration methods. Instead of relying on malware or exploit chains, the operators tied to Lazarus Group’s Famous Chollima division attempted to slip remote IT workers into Western companies under stolen or borrowed identities. The research teams managed to watch this activity play out live, using purpose-built sandbox environments that the operators believed were ordinary developer laptops.

    How the Scheme Works

    The operation began with a familiar introduction: a recruiter message offering a remote IT position. In this case, the recruiter used the alias “Aaron,” also known as “Blaze,” a persona previously linked to Chollima activity. Blaze’s pitch followed the same pattern seen in earlier cases, presenting a job-placement “business” that would place a U.S. developer in a remote role, while a North Korean operator actually performed the work.

    The goal remained the same as in past incidents. Operators attempted to borrow or take over an identity, pass interviews with AI-generated answers, work remotely by controlling the victim’s laptop, and route the salary back to DPRK channels. Once Blaze requested everything from SSN and government ID to full-time remote access and uninterrupted laptop availability, the researchers shifted into a controlled environment.

    The Fake Laptops That Exposed the Operation

    BCA LTD’s Mauro Eldritch deployed ANY.RUN’s long-running virtual machines, configured to appear indistinguishable from real personal workstations. They carried typical developer tools, normal browser history, and realistic usage patterns, along with network routing that matched U.S. residential activity.

    These systems gave the research teams full visibility. They could watch sessions in real time, record every action, throttle the network, force crashes, and capture system snapshots. The operators, convinced they were working on legitimate devices, proceeded normally.

    What Investigators Saw Inside Famous Chollima’s Toolkit

    The sessions revealed a streamlined toolset focused almost entirely on identity takeover and remote access. Once the operators synced their Chrome profiles, they began loading the tools they rely on across many of these campaigns.

    The setup included AI-driven platforms such as Simplify Copilot, AiApply, and Final Round AI, which helped automate job applications and provide pre-written interview responses. Browser-based one-time passcode utilities such as OTP.ee and Authenticator.cc appeared as soon as they collected personal documents, giving them the ability to manage the victim’s two-factor authentication.

    Google Remote Desktop, configured through PowerShell with a fixed PIN, became the primary access channel. To validate the environment, the operators ran simple reconnaissance utilities such as dxdiag, systeminfo, and whoami. All traffic consistently moved through Astrill VPN, matching patterns tied to earlier Lazarus infrastructure.

    At one point, an operator even left a Notepad message requesting uploads of a government ID, SSN, and banking details. The intent behind the scheme was unmistakable: complete control of the identity and workstation of a U.S.-based employee without pushing malware or triggering traditional defenses.

    Why This Matters for Employers

    The activity highlights a growing risk for hiring teams. Remote recruitment provides attackers with a quiet avenue into corporate environments. Instead of breaching external services or exploiting software vulnerabilities, they gain access by passing job interviews and taking control of an employee’s laptop once hired.

    This raises the stakes beyond a single compromised worker. A successful infiltrator could reach internal dashboards, sensitive operational systems, or even managerial accounts if the organization does not have strong identity and endpoint controls. The investigation shows that these schemes rely on social engineering, identity theft, and remote-access tooling rather than traditional malware delivery.

    Building internal awareness and giving staff a place to report suspicious interactions can play a significant role in catching these schemes early. Companies that review unusual requests, identity inconsistencies, or access demands are in a stronger position to prevent such infiltration attempts before they escalate into operational consequences.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Building Incident Readiness with SOC-as-a-Service

    Building Incident Readiness with SOC-as-a-Service

    Many organizations reach a stage where internal teams cannot keep up with rising alert volumes, broader attack surfaces, or an expanding mix of on-prem and cloud infrastructure. Modern environments generate millions of telemetry points per day, and even a well-staffed IT group often struggles to maintain visibility across workloads, identities, SaaS platforms, and rapidly changing cloud services. Building an in-house SOC demands years of staffing, tooling, tuning, and process development, along with continuous investments in threat intelligence, incident response training, and coverage for nights, weekends, and holidays. SOC-as-a-Service offers a faster option by delivering full monitoring and response capabilities through a managed, cloud-based operation that does not require dedicated physical space, custom-built infrastructure, or the hiring of specialized roles that are currently in short supply across the industry.

    What SOCaaS Provides

    A SOCaaS provider operates a remote security center that performs monitoring, log analysis, threat detection, investigation, and coordinated incident response across the customer’s environment. Providers typically ingest telemetry from SIEM platforms, EDR tools, NDR solutions, identity systems, cloud control planes, and API-driven SaaS logs. Correlation rules, behavioral analytics, and threat intelligence feeds help analysts spot activity that may not be obvious when viewed in isolation.

    This model gives organizations consistent coverage and access to analysts, responders, hunters, architects, and compliance specialists who would be difficult to hire or retain on their own. Many providers maintain global teams that hand off investigations as time zones change, which keeps triage and containment moving without disruption. Because the provider handles the operational workload, internal teams focus on security improvements, tabletop exercises, patching coordination, and strategic projects instead of sorting through routine alerts.

    Continuous Monitoring, Faster Detection, and Containment

    Readiness improves as soon as continuous monitoring begins. SOC teams review activity across networks, servers, endpoints, identity platforms, and cloud workloads at every hour. They filter benign events, enrich suspicious ones with context, and escalate only when necessary. This reduces alert fatigue and shortens the gap between an attacker’s initial action and the start of an investigation.

    During an intrusion, early signs often appear in subtle ways, such as token misuse, authentication anomalies, or privilege elevation attempts that do not immediately trigger alarms. SOCaaS analysts are trained to spot these indicators and push investigations forward before an adversary can deepen their foothold. Once a threat is confirmed, responders isolate endpoints, disable compromised accounts, block malicious IPs, or revoke cloud tokens, depending on what the customer environment supports. The goal is to slow or stop lateral movement, protect sensitive assets, and keep the intrusion contained while a coordinated response is planned.

    Threat Hunting and Maturity Gains

    SOCaaS strengthens readiness through access to specialists who perform structured and hypothesis-driven threat hunting. These teams analyze unusual patterns in authentication flow, process execution, registry changes, cloud API calls, or east-west network traffic to find activity that might not trigger automated detections. They look for persistence mechanisms such as scheduled tasks, registry run keys, cloud-managed identity tokens, or browser-stored credentials that attackers rely on to regain access.

    Hunting often reveals misconfigurations or overlooked assets that attackers could eventually exploit. The provider documents these findings and works with internal teams to close gaps. Over time, this process improves detection logic and tightens controls. Because the provider brings mature procedures, tuned SIEM pipelines, tested playbooks, and dedicated role separation, organizations gain access to a level of capability that normally takes years to develop and refine internally.

    Scaling and Cost Predictability

    As organizations expand cloud workloads or adopt new SaaS platforms, their telemetry output grows quickly. SOCaaS providers scale ingestion pipelines, data storage, and staffing without requiring the customer to redesign their own architecture. This ensures that spikes in activity, seasonal changes, or incident-heavy periods do not overwhelm the internal security team.

    Costs also become more predictable because hardware refresh cycles, licensing for SIEM and EDR platforms, training requirements, and staffing burdens shift to the provider. Most SOCaaS offerings use consumption-based or tiered pricing that aligns with data volume or seat count. This reduces unexpected expenses and gives leadership a clearer view of long-term security spending.

    Coordination and Oversight

    The relationship between the customer and the SOCaaS provider depends on constant communication. Coordinators keep both sides aligned on active investigations, detection pipeline adjustments, incident timelines, and ongoing risk areas. Regular reporting helps leadership understand attack trends, emerging techniques, and the organization’s overall security posture. Some providers also assist with compliance needs, such as log retention, audit preparation, and control mapping for standards like ISO 27001, SOC 2, HIPAA, or CMMC.

    Customers retain strategic control, deciding which actions the provider can execute automatically and which require approval. This ensures that the outsourced SOC feels like an extension of the internal team rather than a detached service.

    Expanding Incident Readiness Over Time

    A strong SOCaaS relationship improves more than detection and response. It also accelerates long-term readiness by helping organizations develop clearer asset inventories, maintain healthier logging pipelines, document incident procedures, and test their response playbooks through tabletop exercises and simulated attacks. Over time, the internal team grows more capable, and the SOCaaS provider becomes a central partner in strengthening the organization’s resilience.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (12/1/2025)

    Netizen: Monday Security Brief (12/1/2025)

    Today’s Topics:

    • CISA Flags Active XSS Exploitation in OpenPLC ScadaBR
    • DPRK Group Seeds npm Registry with Another Set of Loader Packages
    • How can Netizen help?

    CISA Flags Active XSS Exploitation in OpenPLC ScadaBR

    CISA has added CVE-2021-26829 to the Known Exploited Vulnerabilities catalog after investigators confirmed that the flaw has been used in real attacks. The weakness is a cross site scripting issue in OpenPLC ScadaBR, present in Windows versions through 1.12.4 and Linux versions through 0.9.1. It is tied to the system_settings.shtm page and carries a CVSS score of 5.4. Although it is not a high score, its presence in the KEV list means attackers are actively trying to use it in operational environments.

    Much of the renewed attention came from research into a September 2025 incident involving a Forescout honeypot. The system was built to resemble a small water treatment plant. TwoNet, a pro-Russian hacktivist group, accessed it through default credentials and created a new user account called BARLATI. They spent roughly a day moving from initial access to simple changes inside the web interface. They used the vulnerability to deface the HMI login page with a pop up message that read “Hacked by Barlati” and then attempted to turn off logs and alarms, unaware that the environment was a decoy. Their activity stayed within the web layer and showed no attempt to escalate privileges or reach the underlying host. The action fit their pattern of blending older web exploitation with loud claims about industrial targets.

    TwoNet has been shifting its tactics throughout the year. The group started on Telegram in January with uncomplicated DDoS attacks and has since moved into industrial systems, doxxing, paid access, ransomware services, and broad hack-for-hire activity. They have also tied their brand to other hacktivist groups such as CyberTroops and OverFlame. Their interest in industrial interfaces appears to be part of a strategy focused on visibility rather than deep technical control.

    Federal Civilian Executive Branch agencies now have until December 19, 2025 to apply the required updates. Any organization running ScadaBR, including those outside government, should confirm that patches are installed, interfaces are not exposed unnecessarily, and default passwords have been removed.

    Around the same period, VulnCheck uncovered a separate campaign built on an Out of Band Application Security Testing endpoint hosted in Google Cloud. The infrastructure has been active for at least a year and shows a pattern of activity aimed at Brazil. Sensor data revealed more than 1,400 exploit attempts tied to over 200 CVEs. Many of the requests used familiar Nuclei style signatures although the payloads and geographic pattern pointed to a more focused operator. Successful exploitation triggered callbacks to subdomains under i-sh.detectors-testing[.]com. Activity has been traced to US based Google Cloud systems, which allows the attacker to blend in with normal traffic.

    VulnCheck also discovered a Java class file at 34.136.22[.]26 called TouchFile.class. The file expands on a public Fastjson remote code execution proof of concept, adding the ability to accept commands and URL parameters and send outbound HTTP requests. The length of time the infrastructure has been active and the narrow geographic focus suggests a sustained scanning effort rather than a series of short, opportunistic sweeps.

    DPRK Group Seeds npm Registry with Another Set of Loader Packages

    North Korean operators tied to the Contagious Interview activity have pushed another 197 malicious packages into the npm registry, continuing a steady pattern that started late last month. Socket’s telemetry shows more than 31,000 downloads across these uploads. Each package acts as a loader for an updated build of OtterCookie that blends traits from BeaverTail with older OtterCookie versions, which mirrors what researchers have been documenting for several weeks.

    Some of the loaders appeared under familiar names such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once launched, the malware checks for sandboxes and virtual machines, collects basic system information, and opens a command channel. With that foothold, the operators gain a remote shell along with the ability to capture keystrokes, screenshots, clipboard data, browser credentials, documents, and cryptocurrency wallet information including seed phrases.

    Researchers have been noting the shrinking gap between OtterCookie and BeaverTail. Cisco Talos described this overlap last month during an investigation into an infection that reached a system tied to an organization in Sri Lanka. In that case, the user had been tricked into running a Node.js application that formed part of a staged job interview.

    Further review shows that these npm packages connect to a hard coded Vercel address, tetrismic.vercel[.]app. That server fetches the cross platform OtterCookie payload from a GitHub repository controlled by the actor. The GitHub profile behind the distribution, stardev0914, has since disappeared.

    Kirill Boychenko at Socket noted that the pace of these uploads makes Contagious Interview one of the most active efforts abusing the npm ecosystem. The campaign fits a broader pattern where North Korean operators blend developer tooling with workflows tied to cryptocurrency projects, JavaScript development, and common open source utilities.

    A related wing of this activity has shown up in a separate set of fake assessment websites. These sites walk victims through steps that mimic ClickFix troubleshooting. During the flow, the user is persuaded to download malware written in Go, often described as GolangGhost or FlexibleFerret. The operation goes by the name ClickFake Interview. After running, the malware contacts a built in command server and waits for instructions. It can collect system data, run commands, move files, and gather information from Google Chrome. Persistence is handled through a macOS LaunchAgent that triggers a shell script at login. A decoy application also appears during this process, showing camera or microphone prompts that look like Chrome and later presenting a fake Chrome password window that stores the user’s input and sends it to a Dropbox account.

    Despite some shared themes, analysts have stressed that this operation differs from the separate DPRK IT worker schemes where operators embed themselves into companies under borrowed identities. Contagious Interview instead targets individuals directly through job postings, coding tests, and staged hiring portals that act as delivery systems for malware.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen Cybersecurity Bulletin (November 28th, 2025)

    Netizen Cybersecurity Bulletin (November 28th, 2025)

    Overview:

    • Phish Tale of the Week
    • North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages
    • Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals
    • How can Netizen help?

    Phish Tale of the Week

    Ofteften times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as USPS, the United States Postal Service, and informing you that action needs to be taken regarding your delivery. The message politely explains that “USPS” is holding our package at a warehouse, and that we just need to update our address in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this smishing link:

    1. The first red flag in this message is the senders’ address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their messaging address, and a simple look at the sender’s address makes it very apparent that the email is not from USPS. In the future, review the sender’s address thoroughly to see if a text could be coming from a threat actor.
    2. The second warning signs in this text is the messaging. This message tries to create a sense of urgency by using language such as “cannot be delivered” and “within 12 hours.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
    3. The final warning sign for this email is the lack of legitimate USPS information. Fortune 500 companies, the government and similar organizations standardize all communications with customers. This text includes a small “thank you” message at the bottom in an attempt to gain credibility, but it lacks all of the parts of a credible USPS message and can be immediately detected as a phishing attempt.


    General Recommendations:

    smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages

    North Korean operators have widened their Contagious Interview activity with another wave of poisoned npm packages, adding 197 new entries to the registry in just a few weeks. Socket’s telemetry places the total download count at more than 31,000, which suggests the threat actors are still finding plenty of opportunities to slip their tooling into ordinary JavaScript workflows. The new uploads act as loaders for an updated OtterCookie variant that blends traits from BeaverTail and earlier OtterCookie builds, reinforcing what researchers have been observing for several months: the two codebases are drifting into the same family rather than standing apart as separate projects.

    Much of the activity is wrapped in familiar-sounding packages such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once installed and run, the malware begins with basic checks to spot sandboxes or virtual machines, then gathers details about the device before opening a command channel. From that point, the operators gain a remote shell and a broad set of collection tools, ranging from clipboard theft and keylogging to screenshot capture, browser credential extraction, document harvesting, and pulling cryptocurrency wallet data and seed phrases.

    Cisco Talos noted last month that the line between OtterCookie and BeaverTail has been fading. Analysts linked this to an earlier incident involving a Sri Lanka-based organization where a user was coaxed into launching a Node.js application as part of a fake job interview. The loader packages in the current wave behave in a similar way. They reach out to a hard-coded Vercel address, tetrismic.vercel[.]app, and retrieve the cross-platform payload from a GitHub repository tied to the now-removed account “stardev0914.” The infrastructure’s disappearance came only after researchers identified it publicly.

    Security researcher Kirill Boychenko described the pace of uploads as one of the clearest signs of how deeply North Korean teams have woven themselves into JavaScript and crypto-adjacent development habits. The operators are treating npm as both a distribution network and a trust anchor, counting on developers to install small utilities that look harmless during setup.

    Parallel efforts tied to the same adversary set have been pushing another malware family called GolangGhost, also known as FlexibleFerret or WeaselStore. These infections often start from fake skills tests or hiring portals that imitate real technical assessments. Victims are sent instructions resembling ClickFix-style troubleshooting steps for camera or microphone issues. Running the provided material leads to a Golang-based payload that reaches out to a fixed command server, maintains a steady instruction loop, and can run system commands, move files, and scrape Chrome data. It also establishes persistence on macOS through a LaunchAgent and displays a decoy application that impersonates a Chrome permission prompt. Afterward, a fake Chrome password box appears, capturing whatever the user enters and uploading it directly to a Dropbox account controlled by the threat actors.

    Researchers studying this branch of activity emphasize that it differs from DPRK schemes built around long-term infiltration of legitimate companies through falsified identities. Contagious Interview focuses on corrupting the hiring process itself, relying on staged recruitment workflows, malicious coding tasks, and fraudulent job platforms to compromise individuals before they ever reach a real workplace.

    To read more about this article, click here.

    Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals

    Dark-language-model storefronts have been buzzing with activity for the past few years, but the results still fall far short of the sweeping predictions made when generative AI first arrived. The excitement that followed the release of early chatbots led many in security to believe attackers would soon be able to generate advanced malware or run fully automated operations with minimal effort. The underground’s current tools show a different reality. They help inexperienced users write cleaner phishing messages, fix awkward grammar, and produce simple scripts, but little else.

    This gap becomes clear when looking at platforms like WormGPT 4 and KawaiiGPT, which Palo Alto Networks’ Unit 42 recently examined. Both models sell themselves as unfiltered alternatives to mainstream AI systems, promising unrestricted output and freedom from safety constraints. In practice, the capabilities hardly rise above basic malware scaffolding. They can assemble small pieces of Python, churn out smooth ransom notes, and give amateur operators a sense of confidence, though their technical contributions stay well within the boundaries of what has been circulating online for years.

    Dark LLMs first captured attention in 2023 with WormGPT, a paid service marketed as an escape hatch from ChatGPT’s limitations. Its creators claimed it was trained on malware and exploit content, making it ideal for novice attackers who needed a quick utility for phishing messages or simple code snippets. The model generated plenty of conversation but left little evidence of serious use in real intrusions. Even so, it established a template for the tools that followed, including the current WormGPT 4 variant.

    WormGPT 4 repeats many of the same promises, offering to generate “any content” without oversight. When prompted for resources to aid a ransomware operation, it delivered a polished ransom note and a crude locker that targeted PDF files, expandable to other extensions and configured to use Tor. KawaiiGPT, another rising favorite in the underground, produced comparable output during Unit 42’s tests. It drafted plain but coherent phishing emails, basic scripts for data theft, and even supported limited lateral movement on a Linux host.

    These features are enough to draw a crowd. KawaiiGPT’s developer claimed in a Telegram channel that more than 500 users have registered, with roughly half staying active. WormGPT 4, offered through a subscription tier, also maintains a broad community across Telegram channels. The market as a whole is growing, according to Check Point’s Oded Vanunu. He describes a landscape where commercial dark LLMs coexist with private, custom-trained models that operators integrate into their own infrastructure, bypassing public marketplaces entirely.

    Even with the buzz around these tools, researchers still struggle to measure their real influence. Analysts lack reliable ways to detect AI-generated malicious code unless attackers leave clear indicators behind. This makes usage difficult to track, and much of the evidence remains anecdotal or based on conversations in underground forums.

    The technical ceiling for these systems appears low. They generate incorrect code as often as they produce working snippets, a direct result of LLM hallucinations. They also lack the contextual reasoning needed to build full malware samples that adapt to specific targets. Unit 42 researchers note that human operators still need to correct errors, refine logic, and handle environment-specific details. Instead of pioneering new techniques, these models recycle familiar patterns and rely heavily on code fragments available in open repositories.

    To read more about this article, click here.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Prompt Injections and the Expanding Attack Surface of Agent-Enabled Browsers

    Prompt Injections and the Expanding Attack Surface of Agent-Enabled Browsers

    ChatGPT’s Atlas browser marks a noticeable shift in how LLM-driven features interact with everyday browsing. By placing a full reasoning engine inside the same space that handles untrusted Web content, Atlas changes the threat model for users and organizations experimenting with agent-based automation. The convenience is obvious; the exposure is far greater than many expect.

    Integration That Alters the Security Boundary

    Atlas, built on Chromium and released in late October, blends standard browsing functions with an LLM that can read, summarize, and act on Web content in real time. This removes a long-standing separation between the rendering engine and the model performing language operations. Once those layers are intertwined, every page load becomes a potential carrier for instructions the agent may interpret as operational rather than informational.

    This is the core issue. The model no longer works with curated input. It absorbs whatever the browser encounters, including content that was never meant to be interpreted as a command.

    Why Prompt Injection Matters More in This Context

    Prompt injection isn’t a minor annoyance in this environment. It is a control flaw that stems from the way LLMs process language. Direct injections attempt to manipulate the model through explicit queries, but indirect injections are the real concern. An attacker can hide instructions in HTML comments, CSS, SVG metadata, JavaScript-generated elements, or even inside the body of an email. The agent sees plain text where a human sees nothing.

    Once autonomy enters the equation, these injections can cause far more than misstatements. They can trigger HTTP requests, modify local files, run code through allowed tools, or relay corrupted instructions to other integrated systems. A single crafted string becomes a foothold for actions that resemble insider activity rather than a typical exploit.

    Evidence That This Threat Path Is Already Active

    LayerX disclosed the first vulnerability in Atlas one day after launch. Their research showed that malicious instructions could persist in memory during agent execution. This demonstrates that the attack surface merges traditional browser risks, like DOM manipulation or script injection, with the LLM’s control layer.

    OpenAI’s CISO acknowledged the same risk publicly, noting that prompt injection remains unresolved despite years of effort. Because the flaw is tied to interpretation rather than model parameters, no amount of fine-tuning eliminates it entirely.

    How Agent Autonomy Amplifies Risk in Enterprise Environments

    From the perspective of a security team, giving an agent tool access is comparable to placing an inexperienced employee inside the network who obeys any instruction that appears grammatically valid. Atlas and similar systems can issue API calls, generate code, access internal pages, and interact with automation platforms.

    This means an indirect injection no longer ends at the interface layer. It can extend into ticketing systems, internal documentation, repositories, CRM platforms, and anything else the agent is tied into. Many organizations testing agent capabilities are doing so without strong privilege controls, which increases the likelihood that contaminated text leads to operational consequences.

    Defensive Priorities for Organizations Exploring Agentic Browsers

    As more vendors follow this model, protective measures need to match the new exposure. Several controls make a meaningful difference:

    Least-Access Agent Permissions

    Agents should only have access to the exact tools needed for their tasks, with no general-purpose capabilities that expand their reach.

    Sandboxed Tool Execution

    Tool usage must run inside isolated execution environments that restrict file operations and outbound interactions.

    Internal Access Filters

    Anything involving internal systems should be treated as though requests originate from an unknown external service, with authentication and context checks on every step.

    Human Review for High-Impact Actions

    Actions involving file changes, system commands, sensitive data, or external communication should require human confirmation before execution.

    Treat All External Content as Hostile

    Every Web page, email body, embedded object, or file preview should be considered untrusted input that may contain hidden instructions.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.