
CISA and Sandia National Laboratories Release Thorium for Malware Analysis


Summary


The Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories have released Thorium, an automated, scalable malware and forensic analysis platform. Thorium integrates various analysis tools to enable rapid assessment of malware threats and index forensic analysis results into a unified platform. This initiative aims to address the increasing volume and complexity of advanced persistent threats using malware. Thorium allows cyber defenders to automate and scale their analysis workflows, manage large volumes of malware quickly, and adapt to evolving threats. The platform is designed to ingest over 10 million files per hour and schedule over 1,700 jobs per second, maintaining fast results querying. Thorium supports integration of preferred tools into a single platform, customizable and automated analysis workflows, and strict group-based permissions for controlling access to submissions, tools, and results. It leverages Kubernetes and ScyllaDB for scalability and allows easy import and export of tools for sharing across cyber defense teams.

Timeline

  1. 31.07.2025 15:00

    CISA and Sandia National Laboratories release Thorium for malware analysis

    On July 31, 2025, CISA and Sandia National Laboratories released Thorium, an automated, scalable malware and forensic analysis platform. Thorium integrates various analysis tools to enable rapid assessment of malware threats and index forensic analysis results into a unified platform. The platform is designed to ingest over 10 million files per hour and schedule over 1,700 jobs per second, maintaining fast results querying. Thorium supports integration of preferred tools into a single platform, customizable and automated analysis workflows, and strict group-based permissions for controlling access to submissions, tools, and results.



Similar Happenings

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Citrix NetScaler ADC and Gateway vulnerabilities patched and actively exploited in the wild

Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of these vulnerabilities, CVE-2025-7775, is actively exploited in the wild. The flaws include memory overflow vulnerabilities and improper access control issues. The vulnerabilities affect specific configurations of NetScaler ADC and NetScaler Gateway, including unsupported, end-of-life versions. Citrix has confirmed active exploitation of CVE-2025-7775, which can lead to remote code execution or denial-of-service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate within 48 hours. Nearly 20% of NetScaler assets identified are on unsupported, end-of-life versions, with a significant concentration in North America and the APAC region. CISA lists 10 NetScaler flaws in its KEV catalog, with six discovered in the last two years. Threat actors are using HexStrike AI, an AI-driven security platform, to exploit the Citrix vulnerabilities, significantly reducing the time between disclosure and mass exploitation. HexStrike-AI was created by cybersecurity researcher Muhammad Osama and has been open-source and available on GitHub for the last month, where it has already garnered 1,800 stars and over 400 forks.

Critical SSRF vulnerability in Docker Desktop for Windows and macOS

A critical server-side request forgery (SSRF) vulnerability in Docker Desktop for Windows and macOS allows attackers to hijack the host system by running malicious containers. The flaw, identified as CVE-2025-9074, has a severity rating of 9.3. It enables unauthorized access to user files on the host system, even with Enhanced Container Isolation (ECI) enabled. The vulnerability was discovered by security researcher Felix Boulet, who demonstrated a proof-of-concept exploit that does not require code execution rights inside the container. The flaw affects Docker Desktop on Windows and macOS but not the Linux version. Docker released a patch in version 4.44.3. The exploit can be triggered by a web request from any container to the Docker Engine API at 192.168.65.7:2375 without authentication. The exploit involves posting a JSON payload to /containers/create to bind the host C:\ drive to a folder in the container and using a startup command to access host files. The exploit can be initiated by posting to /containers/{id}/start to launch the container and start the execution. The vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, enabling various HTTP request methods depending on the SSRF flaw. The article further elaborates on the differences in impact between the Windows and macOS versions of Docker Desktop, noting that macOS has additional safeguards that mitigate the risk compared to Windows. The vulnerability allows attackers to control containers, mount the host’s file system, and escalate privileges to those of an administrator. On Windows, an attacker could exploit the flaw to mount the host’s file system and overwrite a system DLL to obtain administrative privileges on the host. The macOS version of the application can be exploited to take full control of other containers, or to backdoor the Docker app by mounting and modifying its configuration. 
A variant of a recently disclosed campaign abuses the Tor network for cryptojacking attacks targeting exposed Docker APIs. The attack chain involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. The attackers use a modified Alpine Linux image that includes a Base64-encoded shell command to execute the payload; the container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The threat actors then download a shell script downloader from a .onion domain. The shell script alters SSH configurations to set up persistence and installs tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks. The dropper launches Masscan to scan the internet for open Docker API services on port 2375 and propagates the infection by creating new containers through the exposed APIs it identifies. The scripts also check for two additional open ports, 23 (Telnet) and 9222 (remote debugging port for Chromium browsers), for potential future exploitation. The malware uses a Go library named chromedp to interact with the web browser and siphon cookies and other private data, and it transmits details to an endpoint named "httpbot/add," indicating potential botnet activity. The attackers also block external access to the exposed Docker API by writing a command to the crontab file that creates a cron job executing every minute.
The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem. The docker-init.sh script writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it. The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users. The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.