Gurucul


Gurucul is a security analytics company founded in data science that delivers radical clarity about cyber risk.

Gurucul is a leading provider of security, risk and threat intelligence solutions.

06/03/2026

๐Ÿฅ Healthcare remains one of the most targeted sectors for ransomware attacks.

Gurucul Threat Intelligence has analyzed the alleged Qilin ransomware attack targeting CLINICA AVELLANEDA MEDICAL CENTER, where threat actors claim to have exfiltrated sensitive patient information and medical records.

Key concerns include:
🔹 Exposure of patient PII and healthcare data
🔹 Potential medical identity theft and insurance fraud
🔹 Increased phishing and social engineering risks
🔹 Operational and regulatory challenges for healthcare providers

As ransomware groups continue to leverage double-extortion tactics, proactive threat detection, strong access controls, and continuous monitoring have become critical for protecting healthcare organizations.

Read the full analysis to understand the risks and recommended defenses.
https://tinyurl.com/2wfv7kwb

06/02/2026

🚨 2,800+ GitHub files. One massive supply chain threat.

Gurucul Threat Research Labs has uncovered details of the Megalodon malware campaign, which abused GitHub Actions workflows to steal sensitive credentials from CI/CD environments at scale.

The attack targeted:
🔹 GitHub tokens
🔹 AWS credentials
🔹 API keys
🔹 Database secrets
🔹 SSH keys

By embedding obfuscated payloads into trusted workflows, attackers were able to harvest secrets and communicate with external infrastructure, highlighting the growing risk of software supply chain compromises.

Read the full research to understand the attack chain, indicators of compromise, and detection opportunities.
https://tinyurl.com/3jt6xpdw

06/01/2026

🚨 Threat actors are evolving, and so are their tactics.

Gurucul Threat Research Labs has uncovered a sophisticated ClickFix campaign leveraging Donut shellcode and fileless execution techniques to deploy the PureLogs stealer.

The attack uses social engineering, in-memory payload execution, and behavioral evasion techniques to steal credentials, browser data, cryptocurrency wallets, and sensitive enterprise information.

Key findings:
🔹 ClickFix-based social engineering
🔹 Fileless PowerShell and Donut shellcode execution
🔹 Credential and cryptocurrency wallet theft
🔹 In-memory .NET payload deployment
🔹 Advanced C2 communications

Read the full analysis and learn how to detect and defend against this evolving threat landscape.
https://gurucul.com/blog/canndelta-clickfix-campaign-abusing-donut-shellcode-to-deploy-purelogs-stealer/

05/21/2026

Trusted package.
Hidden payload.
Developer environments at risk.

Software supply chain attacks are evolving, and now increasingly targeting the AI ecosystem itself.

A malicious version of the widely used Guardrails-AI PyPI package (v0.10.1) was found containing injected code that automatically downloaded and executed a remote payload during package import.

What makes this attack concerning:

• Malicious code embedded directly into __init__.py
• Execution triggered automatically on import
• Remote payload download and execution
• Potential exposure of API keys, cloud credentials, and development secrets
• Impact across AI development pipelines and enterprise environments

The larger takeaway:

Attackers are no longer just targeting applications.
👉 They're targeting the tools developers trust to build them.

Security teams should prioritize:
✅ Dependency governance and validation
✅ CI/CD security controls
✅ Package integrity monitoring
✅ Behavioral detection for suspicious execution patterns

Because in modern environments, a package update can become an attack path.

05/21/2026

No exploit. No vulnerability.
Just one click and one command.

Attackers are increasingly moving away from complex exploit chains and relying on something much simpler: human trust.

This latest campaign abused fake Google Meet verification pages to trick users into running an obfuscated PowerShell command, ultimately delivering SalatStealer, an information-stealing malware designed to target browser credentials, session cookies, and cryptocurrency wallets.

What makes this attack effective:
• ClickFix-style social engineering
• Abuse of legitimate Windows tools like PowerShell and BITSAdmin
• Memory-based payload staging
• Browser credential and cookie theft
• Cryptocurrency wallet targeting across multiple platforms

The bigger takeaway:

Attackers don't always need sophisticated exploits anymore.
👉 Sometimes all they need is user interaction and legitimate tools already present in the environment.

Detection teams should prioritize:
✅ Hidden PowerShell execution patterns
✅ LOLBin abuse activity
✅ Abnormal browser data access
✅ Suspicious process execution from user directories

Modern threats increasingly blend into normal activity.
The challenge isn't just detecting malware.
It's detecting behavior.
https://tinyurl.com/mv46t7f9

05/18/2026

๐—™๐—ฟ๐—ผ๐—บ ๐—–-๐——๐—”๐—– ๐˜๐—ผ ๐˜๐—ต๐—ฒ ๐—š๐˜‚๐—ฟ๐˜‚๐—ฐ๐˜‚๐—น ๐—–๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—™๐—ฟ๐—ผ๐—ป๐˜๐—น๐—ถ๐—ป๐—ฒ๐˜€.
๐—” ๐—ป๐—ฒ๐˜„ ๐—ฐ๐—ต๐—ฎ๐—ฝ๐˜๐—ฒ๐—ฟ ๐—ฏ๐—ฒ๐—ด๐—ถ๐—ป๐˜€.

We are excited to welcome these talented young engineers from C-DAC Pune to Gurucul as they begin their professional journey into AI-driven cybersecurity, intelligent threat detection, and modern SOC operations.

What makes this generation exciting is not just technical knowledge but the curiosity, adaptability, and systems-thinking mindset they bring from day one.

At Gurucul, they now transition:
• From learning → to securing
• From theory → to defending enterprises
• From campus projects → to building AI-driven cyber defense platforms

The future of cybersecurity will belong to engineers who can combine AI, automation, analytical thinking, and human intelligence to solve increasingly complex security challenges.

This is more than onboarding.
It is the beginning of a meaningful mission.

Welcome to Gurucul. Welcome to the cyber frontlines.

05/15/2026

Insider risk involves individuals with legitimate access, which makes detection more complex than for external threats.

Gurucul AI-Powered Insider Risk Management continuously evaluates user behavior, access patterns, and risk signals to identify potential threats.

By building comprehensive risk profiles, it enables organizations to detect early signs of misuse and take preventive action.

Key capabilities include:
• Continuous monitoring of user activity
• Behavioral analysis for anomaly detection
• Risk scoring for prioritization
• Early identification of potential data risks
This supports proactive management of insider threats with data-driven insights.

Learn more: https://gurucul.com/products/ai-powered-insider-risk-management/

05/14/2026

Not every exposure starts with a breach.
Sometimes, it starts with public data at scale.

The alleged Polymarket exposure highlights a growing cybersecurity challenge in decentralized ecosystems:
👉 Large-scale aggregation of publicly accessible metadata.

According to claims made by the threat actor XORCAT:
• Over 10 million records were allegedly aggregated
• Around 300,000 user-associated identities may have been exposed
• Public APIs and blockchain-linked metadata were leveraged for collection

Polymarket stated that no internal compromise occurred and that the information was already publicly accessible.

But that's the real lesson.

Even without a traditional breach:
⚠ Public APIs can enable large-scale reconnaissance
⚠ Wallet attribution can lead to deanonymization
⚠ Metadata correlation can fuel phishing, profiling, and future attacks

This incident reinforces why organizations must treat:
• API security
• Behavioral monitoring
• Metadata minimization
• Automated scraping detection

…as critical parts of modern cyber defense.

Because in today's threat landscape,
👉 exposed metadata can become actionable intelligence.
https://tinyurl.com/uwz96x4v

05/14/2026

Many advanced threats operate within legitimate access, making them difficult to detect using traditional rule-based systems.

Gurucul User and Entity Behavior Analytics (UEBA) focuses on understanding how users, devices, and systems behave over time.

By establishing baselines for normal activity, it identifies deviations that may indicate compromised credentials or insider misuse. These signals are combined to create a risk profile for each entity.

Key capabilities include:
• Continuous monitoring of user and system behavior
• Detection of subtle anomalies
• Risk scoring based on aggregated signals
• Integration with investigation workflows
This enables early detection of threats that may otherwise remain unnoticed.

Learn more: https://gurucul.com/products/user-and-entity-behavior-analytics-ueba/


Address


222 North Pacific Coast Highway, Suite 1322
El Segundo, CA
90245

Opening Hours

Monday 8am - 6pm
Tuesday 8am - 6pm
Wednesday 8am - 6pm
Thursday 8am - 6pm
Friday 8am - 6pm