New FileFix attack uses cache smuggling to evade security software

(Image from Google Gemini.)

BLUF: Threat actors are using a sophisticated variant of the FileFix social engineering attack, known as cache smuggling. It plants malicious ZIP archives in a victim’s browser cache. This enables execution of malware while bypassing security software checks for active file downloads or web requests.

The new FileFix campaign lures victims with a spoofed tool such as “Fortinet VPN Compliance Checker.” The user is told to copy a seemingly innocuous network file path and paste it into the Windows File Explorer address bar.

However, the text copied to the clipboard is heavily padded with spaces, concealing a malicious PowerShell command that is executed in headless mode when the user presses Enter.

The principle behind the attack is ‘cache smuggling’. When the user accesses the phishing page for the first time, JavaScript requests the browser to fetch a payload which has been disguised as a legitimate JPEG image. The browser caches this file, which actually contains a malicious ZIP archive.

The PowerShell script scans the local browser cache, extracts the hidden archive, and launches the malware from the local system without initiating any new web requests.

This method circumvents established security programmes that monitor network traffic or file downloads. The technique is being rapidly adopted by various threat actors, including ransomware gangs.

Action points

  • It is critically important to never copy and paste text or commands provided by an external website into operating system dialogue boxes, terminal windows, or address bars.
  • Organisationally, Endpoint Detection and Response (EDR) capabilities should be used that look for PowerShell scripts interacting with or manipulating browser cache files, or which execute in a hidden (headless) manner. These are clear indicators of this attack vector.
  • Browsers and security software should restrict or audit the automatic execution of files retrieved from the browser cache by command-line utilities.
  • Consider implementing ‘zero trust’ security policies that limit the execution of unrecognised executable files, even if they originate from what appears to be a local path, such as the extracted file from the cache.
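The EDR indicators in the action points above can be expressed as a simple scoring rule over process-creation telemetry. This is an added example, not code from the article or any vendor: it runs over constructed Sysmon/4688-style events and flags PowerShell launched from explorer.exe with a hidden window, a browser cache directory on its command line, or a long run of whitespace padding; the field names and the cache path patterns are assumptions.

```python
import re

# Constructed process-creation events (Sysmon EventID 1 / Windows 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c Get-ChildItem $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache"
            + " " * 40 + r"\\fileserver\compliance\check.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Program Files\Corp\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\ProgramData\Corp\inventory.ps1"},
]

# -WindowStyle Hidden and its short form -w h / -w hidden (the "headless" launch in the article).
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
# Chromium-family and Firefox cache directories (assumed patterns).
CACHE_PATH = re.compile(r"\\(?:User Data\\[^\\]+\\Cache|Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2)\b", re.I)
# Clipboard padding used to push the real command out of sight in the address bar.
PADDING = re.compile(r" {20,}")


def score_event(ev):
    """Return the list of FileFix indicators present in one event (empty if none)."""
    reasons = []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if ev["parent"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (address-bar launch)")
    if HIDDEN_WINDOW.search(ev["cmd"]):
        reasons.append("hidden window requested")
    if CACHE_PATH.search(ev["cmd"]):
        reasons.append("browser cache directory referenced")
    if PADDING.search(ev["cmd"]):
        reasons.append("long whitespace run (clipboard padding)")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Indices and reasons for events with at least min_reasons indicators."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits
```

Requiring two indicators keeps routine hidden-window scheduled tasks out of the alert queue; the explorer.exe parent plus a cache path is the pairing most specific to this campaign.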

Read more here.

The rise of ‘no malware’ attacks and ransomware

BLUF: Database ransomware, which relies on native database commands rather than traditional malware to wipe data from exposed servers, represents a persistent and automated extortion threat to organisations.

This form of ‘malware-less’ attack operates by exploiting misconfigured, Internet-facing database services. Targets include MongoDB and PostgreSQL. Attackers authenticate using weak or non-existent credentials before remotely connecting to the server. Once inside, they steal data and then use legitimate, destructive database queries (such as DROP DATABASE or bulk DELETE commands) to erase the data. They then insert a ransom note into a new table or document.

This produces the effect of denial of service, but without dropping a detectable binary. Because the attacks use authorised operations within normal protocols, they can bypass conventional host-based security defences.

The result is not only data loss and double extortion attempts but also a significant risk of lateral movement and privilege escalation leading to Remote Code Execution (RCE) in the wider environment.

Action points

  • Network segmentation: Isolate database servers by placing them in private network segments, protected by strict firewalls and security groups that only permit access from trusted application servers.
  • Secure remote access: Do not expose database ports directly to the Internet; instead, route remote administrative access through a secure jump server protected by multi-factor authentication (MFA).
  • Enforce strong authentication: Disable password-less access and mandate the use of unique, strong credentials for all database accounts.
  • Backup and recovery: Implement a robust strategy of regular, automated backups for all critical data. Store these backups in a separate, access-controlled location, and routinely test the data recovery process.
  • Continuous attack surface mapping: Proactively scan the environment to map the effective attack surface, continuously identifying and correcting exposed database instances and mis-configurations.
  • Monitor for IOCs: Establish monitoring for Indicators of Compromise (IOCs), such as the creation of new tables or documents named similarly to ransom notes (e.g., README_TO_RECOVER).
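The last two action points (untrusted sources reaching the database, and ransom-note tables such as README_TO_RECOVER) can be checked directly against statement logs. This is an added example, not code from the article or the vendor: it parses constructed PostgreSQL log lines written with an assumed log_line_prefix of '%m [%p] user=%u,db=%d,host=%h ' and log_statement=all, and raises a finding for connections from outside a trusted host set, destructive statements, and ransom-note table names.

```python
import re

# Constructed sample log; the attacker host 203.0.113.9 is a documentation address, not a real IoC.
SAMPLE_LOG = """\
2024-05-01 10:00:01.123 UTC [4321] user=app,db=prod,host=10.0.1.5 LOG:  statement: SELECT * FROM orders WHERE id = 7
2024-05-01 10:02:14.456 UTC [4400] user=postgres,db=prod,host=203.0.113.9 LOG:  statement: SELECT * FROM customers
2024-05-01 10:02:15.001 UTC [4400] user=postgres,db=prod,host=203.0.113.9 LOG:  statement: DROP DATABASE prod
2024-05-01 10:02:15.200 UTC [4400] user=postgres,db=postgres,host=203.0.113.9 LOG:  statement: CREATE TABLE readme_to_recover (note text)
2024-05-01 10:03:00.000 UTC [4321] user=app,db=prod,host=10.0.1.5 LOG:  statement: DELETE FROM sessions WHERE expires < now()
"""

# Assumed prefix layout: timestamp [pid] user=...,db=...,host=... LOG:  statement: <sql>
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] user=(?P<user>[^,]*),db=(?P<db>[^,]*),"
                  r"host=(?P<host>\S+) LOG:\s+statement: (?P<sql>.*)$")
TRUSTED_HOSTS = {"10.0.1.5"}  # the application tier allowed to reach the database (constructed)
# DROP / TRUNCATE, or a DELETE with no WHERE clause (bulk wipe).
DESTRUCTIVE = re.compile(r"^\s*(?:DROP\s+(?:DATABASE|TABLE|SCHEMA)\b|TRUNCATE\b|DELETE\s+FROM\s+\S+\s*;?\s*$)", re.I)
# Table names in the style of ransom notes left behind after the wipe.
RANSOM_NAME = re.compile(r"^\s*CREATE\s+TABLE\s+\S*(?:readme|recover|ransom|restore|warning)\S*", re.I)


def classify(line):
    """Parse one log line and attach findings; None if the line is not a statement record."""
    m = LINE.match(line)
    if not m:
        return None
    sql, host = m["sql"], m["host"]
    findings = []
    if host not in TRUSTED_HOSTS:
        findings.append("untrusted source host")
    if DESTRUCTIVE.match(sql):
        findings.append("destructive statement")
    if RANSOM_NAME.match(sql):
        findings.append("ransom-note table name")
    return {"ts": m["ts"], "host": host, "user": m["user"], "sql": sql, "findings": findings}


def alerts(log_text):
    """All statement records that produced at least one finding, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out
```

A DELETE with a WHERE clause from the application tier produces no finding, so routine housekeeping does not page anyone; the untrusted-host finding on its own is the earliest signal, arriving before any destructive statement.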

Read more here (vendor article).

The NCSC supports UK educational sector against an increase in attacks

Since late February 2021, an increased number of ransomware attacks has affected education establishments in the UK, including schools, colleges and universities. The NCSC has provided advice to help these institutions counter the rise in cyber attacks.

The NCSC urges all organisations to follow its guidance on ‘Mitigating malware and ransomware’. This details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks. Furthermore, the NCSC has produced a number of practical resources to help schools and other educational institutions improve their cyber security.

Further information from the NCSC can be found here https://www.ncsc.gov.uk/news/support-for-uk-education-sector-after-growth-in-cyber-attacks

The NCSC’s alert can be found here https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector

National Cyber Security Centre

Suspected Malware attack affects US University operations and Windows-based devices

Brown University, an Ivy League private research university in the USA, took steps to disable systems and cut connections to its data centre after a cyber attack on 30 March 2021.

IT staff at the University said the attack focused on the university’s Windows-based devices and asked faculty and staff to switch to computers running other operating systems, smartphones, or tablets.

Whilst there were no details shared regarding the nature of the incident, Brown’s CIO added that “employees can contact their IT Support Consultant (ITSC) or Departmental Computing Coordinator (DCC) to determine if their Windows machine has ‘known-clean’ status,” hinting at a malware attack.

Brown University

Further information about the attack can be found here:

https://www.bleepingcomputer.com/news/security/brown-university-hit-by-cyberattack-some-systems-still-offline/