SecOps & Risk mitigation
CyberProof uses OSINT and threat intelligence feeds for visibility into threats.
CyberProof’s adaptable playbooks address continuously evolving threats with updated strategies.
Professionals manage sophisticated networks, leveraging experience to counter advanced threats.
24/7 global SOC support ensures incident response with guaranteed SLA.
CyberProof develops recovery plans, restoring capabilities after a cyber incident.
Classify and manage enterprise assets, understanding risks and data sensitivity.
Non-destructive tests uncover potential exploits in assets and applications.
Mitigate security issues early with CyberProof’s training and awareness programs.
Rigorous security assessment for on-premise and cloud applications to ensure protection.
IAM manages user access, monitors for anomalies, ensuring security.
Cloud First approach ensures compliance and security within cloud environments.
Managed service for SIEM, EDR, MXDR, and threat intelligence solutions.
Identify, assess, and mitigate security vulnerabilities through regular scanning.
Partners
“Today I have complete visibility into the entire environment, in real time”
Jamil Farshchi | Equifax CISO
CyberProof Acquires Interpres Security
By integrating the Interpres Security CTEM solution into its security services portfolio, CyberProof is able to continuously identify, assess, and prioritize risk while adapting defense services such as MDR, vulnerability management, and use case management to address ever-evolving threats. Take proactive steps to fortify your security today!
Case Studies
Retail Company Reduces Data Costs by 85% with SIEM Transformation
90% increase in visibility after deploying Microsoft XDR with CyberProof
Enterprise saves millions on data ingestion & storage following cloud migration.
SOC unification streamlines enterprise insurance company’s security & network monitoring operations.
Global medical devices company gains visibility and meets stringent compliance standards across global geos.
Pharmaceutical organization significantly enhances threat detection and response times
Threat Alerts
Highly Sophisticated PUMAKIT Rootkit Exploits Linux Kernel for Persistence
PUMAKIT is a highly sophisticated loadable kernel module (LKM) rootkit that demonstrates advanced stealth and persistence capabilities, posing a significant threat to Linux environments. This multi-stage malware employs a layered architecture comprising a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit to avoid detection and maintain control. By hooking system calls and kernel functions, PUMAKIT enables privilege escalation, conceals its presence, and establishes covert communication with command-and-control (C&C) servers. Its ability to exploit Linux kernel mechanisms for stealth and control makes it a critical risk to organizational security.
PUMAKIT’s infection chain begins with a dropper disguised as a legitimate process, which deploys memory-resident executables that run payloads without leaving traces on disk. Using fileless execution techniques, it loads its rootkit components entirely in memory. A key stage involves executing a custom script that evaluates kernel conditions and decompresses the target kernel image for further exploitation. The LKM rootkit uses function hooks and symbol resolution techniques to manipulate core system behaviors, including hiding files, processes, and directories. Tools such as rmdir, repurposed for privilege escalation, and custom scripts for kernel image processing are used to evade detection while achieving persistence.
The rootkit’s capabilities extend to intercepting system calls for hiding directories and leveraging hooks for advanced kernel manipulation. Additionally, its integration of a userland shared object (SO) rootkit enables further stealth and persistence through user-space interactions.
Zloader Expands Capabilities with Advanced DNS Tunneling
Zloader, a modular Trojan based on leaked Zeus source code, has evolved significantly since its emergence in 2015. Initially designed for banking fraud, it has shifted toward enabling ransomware attacks by serving as an initial access broker. Its latest version, 2.9.4.0, introduces advanced anti-analysis measures, a custom DNS tunneling protocol for stealthy command-and-control (C&C) communications, and an interactive shell for hands-on keyboard activity, signaling an increased focus on evasion and operational resilience.
The infection chain employed by Zloader has shifted from broad spam campaigns to highly targeted, multi-stage attacks. These attacks often begin with luring victims into initiating Remote Monitoring and Management (RMM) sessions using tools such as AnyDesk, TeamViewer, or Microsoft Quick Assist. This social engineering tactic allows attackers to deploy additional malicious payloads, such as GhostSocks, which facilitates the installation of Zloader. Once operational, Zloader employs techniques such as environment checks, modified API resolution algorithms, and encrypted configurations to evade detection. Its C&C communications leverage encrypted HTTPS traffic and a newly developed DNS tunneling protocol, further masking its activity. For instance, attackers use DNS A and AAAA records to encapsulate encrypted TLS traffic, bypassing conventional network monitoring tools.
Zloader’s continuous evolution underscores its critical role in enabling ransomware operators by serving as an initial access broker. With links to major ransomware campaigns, such as those involving Black Basta, its arsenal of tools—including interactive shell capabilities for executing binaries and exfiltrating data—equips attackers to conduct reconnaissance, deploy ransomware, and maintain persistence.
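The DNS tunneling described above leaves a measurable footprint in resolver logs: one client issuing many A/AAAA queries for never-repeating, high-entropy subdomains of a single base domain. The following script is an added detection example written for this page; it is not CyberProof's code and not derived from Zloader. It parses a constructed DNS query log (the format `<epoch> <client> <qtype> <qname>` and the domains are assumptions), groups A/AAAA queries per client and base domain, and flags groups whose unique-subdomain count and mean label entropy both exceed thresholds. Base-domain extraction uses the last two labels, a simplification; production code should use a public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the page). Format: "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 shows ordinary browsing; 10.0.0.7 shows tunnel-like queries to an assumed domain.
SAMPLE_DNS_LOG = """\
1733990401 10.0.0.5 A www.example.com
1733990402 10.0.0.5 AAAA mail.example.com
1733990403 10.0.0.5 A cdn.example.com
1733990404 10.0.0.5 A example.com
1733990405 10.0.0.7 A 4b3f9a2c1e8d7f6a0b9c.tunnel-test.invalid
1733990406 10.0.0.7 AAAA 9e1d2c3b4a5f6e7d8c0b.tunnel-test.invalid
1733990407 10.0.0.7 A 7a6b5c4d3e2f1a0b9c8d.tunnel-test.invalid
1733990408 10.0.0.7 AAAA c0ffee1234abcd567890.tunnel-test.invalid
1733990409 10.0.0.7 A 0f1e2d3c4b5a69788796.tunnel-test.invalid
1733990410 10.0.0.7 AAAA deadbeef0011223344aa.tunnel-test.invalid
1733990411 10.0.0.7 TXT meta.tunnel-test.invalid
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse log lines into records; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": int(ts), "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def split_name(qname):
    """Return (subdomain, base_domain). Base domain = last two labels (simplification)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(records, min_unique=5, min_entropy=3.0):
    """Flag (client, base_domain) pairs whose A/AAAA subdomains look like encoded payloads.

    Both conditions must hold: at least min_unique distinct subdomains, and a mean
    per-subdomain character entropy of at least min_entropy bits. Real-world tuning
    needs an allow-list for CDNs and telemetry domains that legitimately look similar.
    """
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] not in ("A", "AAAA"):  # only the record types used for the tunnel
            continue
        sub, base = split_name(r["qname"])
        if not sub:  # bare base domain carries no encoded data
            continue
        groups[(r["client"], base)].append(sub)

    flagged = []
    for (client, base), subs in groups.items():
        unique = set(subs)
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        mean_len = sum(len(s) for s in unique) / len(unique)
        if len(unique) >= min_unique and mean_entropy >= min_entropy:
            flagged.append({"client": client, "domain": base,
                            "unique_subdomains": len(unique),
                            "mean_entropy": round(mean_entropy, 2),
                            "mean_subdomain_len": round(mean_len, 1)})
    return sorted(flagged, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for hit in find_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

Running it flags only 10.0.0.7 against tunnel-test.invalid; the browsing client never reaches five distinct subdomains and its labels have low entropy. The two thresholds are deliberately independent so that a busy but legitimate client (many low-entropy hostnames) and a single random-looking hostname (high entropy, low count) are both left alone.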