Analysis, product insight, and practical reads for builders

Trigona ransomware operators are now using a custom command-line exfiltration tool, uploader_client.exe, to steal data more quickly from compromised networks. The tool connects to a hardcoded server, supports up to five parallel uploads per file, rotates TCP connections after 2GB of traffic, and can selectively exfiltrate certain file types; an authentication key is required to access the stolen data. The March attacks, attributed to a gang affiliate, signal a shift from publicly available tools to proprietary malware in order to evade security monitoring. In these campaigns, Trigona also deploys the Huorong Network Security Suite’s HRSword kernel driver, tools to disable security products, PowerRun for elevated execution, AnyDesk for remote access, and credential tools such as Mimikatz and Nirsoft utilities. Symantec provides IoCs to aid detection and blocking of these activities.

Security researchers have disclosed a supply-chain breach affecting Checkmarx KICS, in which official Docker images and VS Code/Open VSX extensions were compromised to harvest secrets from developer environments. The attack uses a hidden MCP addon to steal GitHub tokens, cloud credentials, npm tokens, SSH keys, and environment variables, encrypting and exfiltrating them to a spoofed audit.checkmarx.cx domain and automatically creating GitHub repositories to leak the data. The malicious activity was active on 2026-04-22 from 14:17:59 to 15:41:31 UTC; affected tags have been restored and the fake v2.1.21 tag removed. Checkmarx has rotated exposed credentials and removed the artifacts; users should rotate secrets, rebuild from known safe baselines, block the exfiltration endpoints, and pin images and extensions by SHA. Safe versions include DockerHub KICS v2.1.20 and the updated extensions.

Rapid7 reveals a new Kyber ransomware operation targeting Windows and VMware ESXi, with one variant claiming post-quantum Kyber1024 encryption. Two variants were observed in March 2026 sharing the same campaign ID and Tor-based infrastructure: a Rust-based Windows encryptor that uses Kyber1024 (and X25519) to protect the keys for AES-CTR bulk encryption, and an ESXi-focused variant that encrypts datastore files, can terminate VMs, and defaces management interfaces. The Windows payload appends the .#~~~ extension, shuts down services, deletes backups, wipes event logs, and can terminate Hyper-V VMs; the ESXi variant enumerates VMs, encrypts datastores, and defaces interfaces. A Linux ESXi variant reportedly uses ChaCha8 with RSA-4096 for key wrapping. Despite the Kyber1024 branding, Rapid7 notes that Kyber is not used for direct file encryption; files are nonetheless effectively unrecoverable without the attacker's key. So far, at least one victim is publicly listed: a large U.S. defense contractor and IT services provider.

This post exposes Caller-as-a-Service, a structured, scalable fraud operation that treats phone scams like a professional business. It maps a full attack lifecycle with distinct roles (from data sourcing and infrastructure to live-call agents), supervision structures, and varied compensation models. It explains underground recruitment tactics (including “proof-of-profit” visuals and English-language targeting), how stolen data fuels campaigns, and the shift toward industrialized social engineering. The piece also outlines the implications for defenders and individuals, recommending stronger identity verification, behavioral analytics, and MFA, and it highlights Flare’s ability to detect leaked data and recruitment activity in order to preempt attacks.