Security Spotlight: Navigating the Cybersecurity Landscape and Illuminating the Dark Corners of the Web

WME Cybersecurity Briefings No. 016

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor


An unknown Golang-based backdoor GoRed is being employed by the cybercrime gang ExCobalt. This group has roots dating back to at least 2016 and possibly originates from the notorious Cobalt Gang. They focus on various sectors in Russia and exploit systems.


Targets: ExCobalt has targeted multiple sectors i.e. Govt., IT, metallurgy, mining, software development, telecommunications, etc. over the past year, in Russia. The gang gains initial access by exploiting previously compromised contractors. They execute supply chain attacks by infecting legit software components.

They used tools like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT, etc. Also, they employed Linux privilege escalation exploits like CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, etc.

GoRed Backdoor allows command execution, credential harvesting, active processes and network interfaces  monitoring, etc. It communicates with its command-and-control (C2) server via the RPC protocol to enable reverse shell access. They export collected data to attacker-controlled infrastructure.


Organizations should strengthen their security posture. Use robust security measures i.e. ATP. Also, ensure all software are from verified suppliers. That said, regularly audit the integrity of software supply chains. Also, apply security patches promptly to address known vulnerabilities and maintain a comprehensive incident response plan.

New Adware Campaign Targets Meta Quest App Seekers


A new adware is targeting users searching for the Meta Quest (formerly Oculus) app for Windows. The campaign uses the adware family, AdsExhaust. It can exfiltrate screenshots and interact with browsers using simulated keystrokes.


Via an infection vector, they lure users to a bogus website (“oculus-app[.]com”) through SEO poisoning. The site prompts users to download a ZIP archive (“”) that contains a Windows batch script. It brings more scripts from a command-and-control (C2) server and creates scheduled tasks to run the scripts. They download the legit Meta Quest app and other malicious scripts. As a result, the scripts gather IP and system info, capture screenshots, exfiltrate data, etc. AdsExhaust adware checks for Microsoft’s Edge browser activity. It simulates clicks and interactions to generate ad revenue. It can also fetch keywords from a remote server and perform Google searches to further its ad-clicking scheme.


✅ Avoid Suspicious Downloads.

✅ Use Antivirus Software.

✅ Monitor Browser Activity.

✅ Educate Users and Scan Regularly.

U.S. Treasury Sanctions Key Kaspersky Executives Following Software Ban


The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions 12 senior executives at Kaspersky Lab. This follows the Commerce Department’s ban on the Russian cybersecurity firm in the US, effective July 20, 2024. These measures highlight the U.S. commitment to securing its cyber domain.


Sanctioned Executives include the Chief Operating Officer, Deputy CEO, Chief Business Development Officer, among others.

Scope of Sanctions: The sanctions do not extend to Kaspersky Lab as an entity, its parent or subsidiary companies.

Operational Restrictions: Kaspersky Lab is banned from providing its software and security services in the U.S.

Entity List Inclusion: The company has been added to the Entity List.


Businesses should review current cybersecurity frameworks and ensure compliance with new regulations. They should replace any Kaspersky software with alternatives before July 20.  Also, IT departments should conduct a comprehensive audit of cybersecurity tools to ensure no Kaspersky products are in use.

Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign


A Chinese-speaking threat actor, SneakyChef, linked to a sophisticated espionage campaign. They target govt. entities in Asia, Europe, the Middle East, and Africa. This campaign has been active since August 2023. It uses malware like SugarGh0st and SpiceRAT to gather intelligence from various govt. organizations.


Govt. bodies in regions like Asia, EMEA, and US, specifically those involved in AI research. Countries specifically impacted include South Korea, India, Latvia, Saudi Arabia, Turkmenistan, etc.  They used spear-phishing via scanned docs from government agencies, particularly embassies. They use RAR archives containing Windows Shortcut (LNK) files and self-extracting RAR (SFX) archives to deploy malware. They also used techniques like VBS, DLL side-loading, HTML Applications (HTA), etc. to execute malware.

Malware Characteristics:

SugarGh0st: Custom variant of Gh0st RAT. It can control infected systems.

SpiceRAT: It utilizes multiple infection chains i.e. LNK files in RAR archives to sideload malicious DLLs.


To enhance cybersecurity, rigorously monitor and scan email attachments and download links. Govt. agencies should train staff to recognize suspicious emails. Understand the tactics and procedures used by SneakyChef and similar threat actors. Develop custom detection rules for identifying SugarGh0st and SpiceRAT.

SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately


A recently patched critical vulnerability in SolarWinds Serv-U file transfer software is already being exploited. The flaw has been identified as CVE-2024-28995, with a CVSS score of 8.6. It is characterized by a directory traversal bug that enables attackers to read sensitive files on the host machine. All versions of Serv-U prior to and including 15.4.2 HF 1 are affected.


CVE-2024-28995 allows attackers to read arbitrary files on the server. The flaw is trivial to exploit and is highly dangerous. Affected Products include Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4, Serv-U File Server 15.4. The Proof-of-concept (PoC) exploits and technical details have been publicly disclosed. A successful exploitation can lead to data exfiltration, credential theft, and further attacks via chaining.


Apply the latest update to mitigate the vulnerability. Verify versions and ensure all instances of Serv-U software are patched. Conduct thorough scans to identify vulnerable versions and monitor network traffic and server logs.

Windows Management Experts

Now A Microsoft Solutions Partner for:  

  • Data & AI
  • Digital and App Innovation
  • Infrastructure
  • Security

The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.

Microsoft Solutions Partner Logos - Data & AI PNG
Microsoft Solutions Partner Logos - Digital & App Innovation PNG
Microsoft Solutions Partner Logos - Infrastructure PNG
Microsoft Solutions Partner Logos - Security PNG

Why not reach out to us at WME?

Contact us and let us transform your business’s security into a strategic advantage for your business. Be sure, with WME, you’re just beginning a path toward a more streamlined and secure future.

501 Cambria Ave. STE #384,
Bensalem, PA 19020

Phone: (888) 307-0133
Press 1 at the Menu

WME Cybersecurity Briefings 016

Footer - 2023-11-07
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.