CloudSEK Updates

CloudSEK uncovered a surge in Iran-linked cyberattacks targeting Israel and its allies. Groups like APT42, APT34, MuddyWater, and hacktivist Handala are conducting espionage, data theft, and DDoS attacks. These actors use phishing, credential theft, and stealthy tools to infiltrate sensitive sectors. CloudSEK advises organizations to patch vulnerabilities, monitor DNS traffic, and enforce zero-trust security policies.

Between June 12–18, 2025, over 35 pro-Iranian hacktivist groups launched coordinated cyberattacks against Israeli military, government, and infrastructure targets, using DDoS, data leaks, and disinformation. Only 4–5 pro-Israel groups responded. These unsophisticated yet widespread attacks continue a year-long trend of exaggeration and recycled data. CloudSEK recommends urgent DDoS mitigation, multi-factor authentication, threat monitoring, and stronger incident response protocols.

A fileless AsyncRAT campaign is targeting German-speaking users via a fake “I’m not a robot” prompt that executes malicious PowerShell code. Delivered through Clickfix-themed sites, it abuses system utilities to load obfuscated C# code in memory, enabling full remote access and credential theft. It persists via registry keys and communicates with a C2 server on port 4444. Organizations should block suspicious PowerShell activity and scan memory for threats.

CloudSEK researchers have uncovered a sophisticated campaign leveraging typo-squatted “Spectrum” domains to spread a new Atomic macOS Stealer (AMOS) variant. Disguised as a CAPTCHA verification, the attack uses dynamic payloads tailored to the victim's OS—stealing passwords, bypassing macOS security, and executing malware. With Russian-language comments found in the code and flawed delivery logic, the campaign reflects both growing cross-platform ambitions and rushed execution. Dive into how this multi-platform threat operates—and why your organization should stay alert.

CloudSEK’s latest investigation uncovers how APT36 (aka Transparent Tribe) is using VPS provider Contabo to host malicious infrastructure linked to CapraRAT and Crimson RAT. One of their latest tactics? Disguising spyware as the popular messaging app Viber—armed with permissions to record calls, read messages, track location, and more. Read how we traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign.

An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe.

A single misconfigured endpoint. That’s all it took to expose root-level server access, hardcoded credentials, and sensitive configs of a major travel platform. In this gripping exposé, CloudSEK’s BeVigil unpacks how a seemingly minor oversight escalated into a full-blown Local File Inclusion (LFI) vulnerability—no authentication required. From source code leaks to credential harvesting, discover how attackers could’ve breached the entire infrastructure—and what your organization must do to avoid the same fate.

CloudSEK has raised $19 million in its Series B1 funding rounds to accelerate global expansion and advance its AI-driven threat intelligence platform. With backing from top global investors like MassMutual Ventures, Commvault, and Tenacity Ventures, the company aims to redefine cybersecurity by predicting and neutralizing threats before they escalate. Trusted by over 250 enterprises across critical sectors, CloudSEK’s proactive approach—focusing on initial attack vectors like leaked credentials and exposed APIs—has earned it industry acclaim and rapid global growth, particularly in the U.S.

CloudSEK’s XVigil platform averted a major data breach at a leading IT training company after detecting exposed credentials in a public GitHub repository. These credentials provided access to the firm’s internal Resource Management System (RMS), which controlled critical operations such as salary processing and policy approvals. Had they been misused, sensitive employee data and financial systems could’ve been compromised. Thanks to CloudSEK’s swift intervention—including credential revocation, repository lockdown, and multi-factor authentication—the breach was prevented, and no data was lost. This incident highlights how real-time threat detection and rapid response can protect businesses from costly cyber incidents.