🇸🇦 🇮🇷 New Middle East malicious infrastructure report: 1,350+ C2 Servers Mapped Across 98 Providers
Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments.
👉 Read the full report: https://t.co/Bnfwe2Yufq
Here's what the data shows:
→ A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse
→ C2 infrastructure makes up over 96% of all observed malicious artifacts in the region
→ Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38)
→ The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS)
→ Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting
The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is.
Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily.
Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇
https://t.co/Bnfwe2Yufq
Mind blown alert 🤯! Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG (@starlabs_sg) used a Memory Corruption bug to exploit VMware ESXi with the Cross-tenant Code Execution add-on, earning a sweeeeeet $200,000 and 20 Master of Pwn points. Full win let's go! #Pwn2Own #P2OBerlin
Booyah it's been confirmed! 🎉 splitline (@_splitline_) of DEVCORE Research Team chained 2 bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. Massive aura farming this year at #P2OBerlin. Full win! #Pwn2Own
NGINX rift: We autonomously discovered this 18-year-old heap overflow (CVE-2026-42945) in @nginx impacting versions 0.6.27 to 1.30.0. If you use the rewrite and set directives, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at https://t.co/KeoblrGL24
CVE-2026-40361 (https://t.co/CNZKI1aKWG), patched today, is a critical 0-click UAF/RCE bug in Microsoft Outlook that I discovered back in Q1. You definitely want to patch this sooner rather than later.
The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email - no clicking of links or attachments is required. Since the bugs reside in Outlook's email rendering engine, it is difficult to mitigate or block (though specifically setting Outlook to render emails only in plain text format is a valid mitigation).
Fun fact about the discovery: after the discovery of the #BadWinmail bug a decade ago, I wanted to run an experiment in Q1 to see if I could find another 0-click RCE in Outlook. The result? It wasn't easy — I even built a dedicated system for it — but I eventually found this one. :)
To understand why such bugs are so critical, check out the #BadWinmail video demo I released a decade ago: https://t.co/DBhE5sWGDH. They share the same attack vector (though #BadWinmail was a working exploit, while this one was a PoC). Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox. Furthermore, note that Outlook (Classic) lacks an application sandbox, making this attack vector even more dangerous.
Regarding defense and detection: if you are concerned about Outlook 0-click 0-days, my EXPMON system (https://t.co/NKqtbTEmVW) provides cutting-edge detection against such advanced threats. When I designed the original system in 2020/2021, I developed this functionality specifically considering the impact of #BadWinmail. The system accepts .eml or .msg formats, and email samples are deeply tested within an Outlook sandbox. For enterprise users, emails can be "dumped" from the mail server, and EXPMON can be deployed in a private network. Contact me for more details.
P.S. I just noted that the title of the Microsoft Security Update (https://t.co/CNZKI1aKWG) lists this as a Microsoft Word bug, which may or may not be entirely accurate. I demonstrated this bug to MSRC by showing that it works in a real, live Outlook + Exchange Server environment. My bet is that because the bug resides in wwlib.dll — a shared DLL used heavily by both Outlook and Word — it likely affects both Outlook (via email) and Word (via a document file). Regardless of the title, it is a genuine Outlook 0-click RCE.
#CVE-2026-40361 #PatchTuesday #Outlook #0click #EmailSecurity #EnterpriseSecurity #expmon #ThreatIntel #ExploitDetection
Exim 4.99.3 is out, patching CVE-2026-45185, a critical RCE found by XBOW! Check out our post linked in the reply; I'll summarize some details in this thread.
"BitUnlocker" downgrade attack POC:
https://t.co/ca8IQUvph4
The Secure Boot database of the device still has to trust the Microsoft Windows PCA 2011 certificate. If it works "a command prompt should appear with the OS volume decrypted and mounted".
From the research of https://t.co/Co4dhW7rFz
Mitigation:
KB5025885 or pre-boot PIN.
A failed login should not take 6 seconds.
Bishop Fox researchers reproduced CVE-2026-42208 in LiteLLM’s proxy. The attack requires no authentication, still returns HTTP 401 responses, and uses timing delays to extract sensitive data.
Observed in the wild roughly 36 hours after disclosure.
Upgrade to 1.83.7 or higher.
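The post above describes unauthenticated requests that still get HTTP 401 but take seconds instead of milliseconds, which is the signature a defender can hunt for in proxy access logs. The script below is an added illustration, not code from Bishop Fox, LiteLLM or the post's author: it parses a constructed access-log format (source, method, path, status, latency), takes the typical latency of fast 401 responses as a baseline, and flags any source that repeatedly receives slow 401s. The 6-second figure comes from the post; the 2-second threshold, the minimum-hit count and the /login path are assumptions for the example, and a source with only one slow 401 is deliberately not flagged so a single slow request does not trip the alert.

```python
"""Flag authentication failures whose latency looks like a timing side channel.

Added illustration, not code from Bishop Fox, LiteLLM or the post's author.
The log format and sample lines are constructed for this example; adapt
LOG_RE to your proxy's real access-log format.
"""
import re
import statistics
from collections import defaultdict

# Constructed format: "<src> <METHOD> <path> <status> <latency>ms"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$'
)

# Constructed sample: ordinary 401s finish in tens of milliseconds; one
# source keeps receiving ~6-second 401s (the pattern the post describes);
# another source has a single slow 401, which should not be flagged on its own.
SAMPLE_LOG = """\
10.0.0.5 POST /login 401 31ms
10.0.0.7 POST /login 401 28ms
10.0.0.9 POST /login 200 44ms
203.0.113.8 POST /login 401 6012ms
203.0.113.8 POST /login 401 5980ms
203.0.113.8 POST /login 401 6120ms
10.0.0.7 POST /login 401 2400ms
10.0.0.5 POST /login 401 35ms
"""


def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "path": m["path"],
        "status": int(m["status"]),
        "ms": int(m["ms"]),
    }


def baseline_latency(records, slow_ms, status=401):
    """Median latency of the fast responses with the given status code.

    Requests at or above slow_ms are excluded so that a probing source
    cannot drag the baseline up and hide itself.
    """
    vals = [r["ms"] for r in records if r["status"] == status and r["ms"] < slow_ms]
    return statistics.median(vals) if vals else 0


def find_timing_probes(log_text, slow_ms=2000, min_hits=3):
    """Return {source: summary} for sources with repeated slow 401 responses.

    slow_ms and min_hits are assumed thresholds: a 401 should be cheap, so a
    source that keeps receiving multi-second 401s is worth investigating.
    """
    records = [r for r in (parse(l) for l in log_text.splitlines()) if r]
    base = baseline_latency(records, slow_ms)
    slow_by_src = defaultdict(list)
    for r in records:
        if r["status"] == 401 and r["ms"] >= slow_ms:
            slow_by_src[r["src"]].append(r["ms"])
    return {
        src: {
            "count": len(v),
            "median_ms": statistics.median(v),
            "baseline_ms": base,
        }
        for src, v in slow_by_src.items()
        if len(v) >= min_hits
    }


if __name__ == "__main__":
    for src, summary in find_timing_probes(SAMPLE_LOG).items():
        print(f"{src}: {summary['count']} slow 401s, median "
              f"{summary['median_ms']}ms vs baseline {summary['baseline_ms']}ms")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and adjusting LOG_RE; the thresholds are a starting point, and the baseline reported alongside each hit is what makes the alert explainable in triage.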