CyberSecurity news

FlagThis - #apt

Pierluigi Paganini@securityaffairs.com //
An Iranian state-sponsored threat group, identified as Lemon Sandstorm (also known as Rubidium, Parisite, Pioneer Kitten, and UNC757), has been linked to a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. This intrusion, which spanned from at least May 2023 to February 2025, involved extensive espionage and suspected network prepositioning. The threat actor gained initial access by exploiting known VPN security flaws in products from Fortinet, Pulse Secure, and Palo Alto Networks.

The Iranian threat actors maintained persistence through web shells, backdoors, and custom malware families, including HanifNet, HXLibrary, and NeoExpressRAT. Throughout the nearly two-year campaign, Lemon Sandstorm adapted to the victim's countermeasures, deploying additional web shells and backdoors in response to containment efforts.

Separately, on April 29, 2025, SonicWall updated its advisories for two actively exploited vulnerabilities in its SMA100 Secure Mobile Access (SMA) appliances, CVE-2024-38475 and CVE-2023-44221. CVE-2024-38475 is a flaw in the Apache HTTP Server mod_rewrite module that, on the SMA100, lets an unauthenticated attacker map URLs onto filesystem locations and read files from the appliance, including session data, which is enough to hijack an authenticated session. CVE-2023-44221 is a post-authentication command injection. watchTowr Labs detailed how the two chain together: the file read yields a valid session, and the command injection then gives administrative control of the appliance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both SonicWall flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by May 22, 2025.

Recommended read:
References :
  • Arctic Wolf: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
  • thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

The Hacker News //
Cybersecurity firm SentinelOne has become a prime target for state-sponsored threat actors from China and North Korea. SentinelOne, which provides autonomous endpoint protection using AI and machine learning to Fortune 10 and Global 2000 enterprises, government agencies, and managed service providers, is facing persistent cyber espionage and infiltration attempts. A recent analysis by SentinelOne revealed that Chinese actors are actively targeting both the company and its high-value clients, engaging in reconnaissance activities against SentinelOne’s infrastructure and specific organizations they defend.

SentinelOne uncovered a China-nexus threat cluster dubbed PurpleHaze, which conducted reconnaissance attempts against its infrastructure and some of its high-value customers. Researchers first became aware of this group during a 2024 intrusion against an organization that was previously providing hardware logistics services for SentinelOne employees. PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15 and has been observed targeting a South Asian government-supporting entity, employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell.

North Korean actors have also been targeting SentinelOne, attempting to infiltrate the company through a fake IT worker campaign. The company is tracking approximately 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne and SentinelLabs Intelligence. SentinelOne has warned of threat actors targeting its systems and high-value clients, emphasizing that cybersecurity providers are attractive targets due to the potential for significant compromise and the insights into how thousands of environments and millions of endpoints are protected.

Recommended read:
References :
  • securityaffairs.com: SentinelOne warns of threat actors targeting its systems and high-value clients
  • The Hacker News: SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients
  • www.techradar.com: SentinelOne targeted by Chinese espionage campaign probing customers and infrastructure
  • www.scworld.com: Report: Cyber threats bombard cybersecurity vendors

@www.welivesecurity.com //
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively exploiting a vulnerability in IPv6 networking to launch sophisticated adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group leverages a custom-built tool named Spellbinder to facilitate these attacks.

The Spellbinder tool abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) mechanism. Because SLAAC has hosts learn their prefix, default gateway and (via the RDNSS option) DNS servers from unauthenticated ICMPv6 Router Advertisement messages, Spellbinder can send its own advertisements on the local network so that neighbouring machines adopt the attacker-controlled host as their IPv6 router. Once traffic is flowing through it, the tool intercepts packets and DNS queries, answering lookups for selected software update domains with attacker-controlled addresses. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese application, to deploy their signature WizardNet backdoor.

ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe; executing these files ultimately launches Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and to monitor the network for unexpected IPv6 Router Advertisements, the tell-tale sign of SLAAC spoofing, for example by enabling RA Guard on switches or by disabling IPv6 router discovery on hosts in networks that do not use IPv6.
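The detection side of the technique above, as an added example (this is not ESET's tooling and not Spellbinder code): a small ICMPv6 Router Advertisement parser plus an audit that compares each advertisement against an allow-list of known routers and SLAAC prefixes. The allow-list, the MAC addresses, the prefixes and the two packets are constructed for the demo; the rogue packet carries an unknown source, an unapproved autonomous prefix and an RDNSS option pointing DNS at the attacker, which is exactly what a SLAAC-spoofing host has to send to become the victims' router and resolver.

```python
"""Parse ICMPv6 Router Advertisements (RFC 4861) and flag ones that do not come
from a known router.  Added example; the allow-list and packets are constructed."""
from __future__ import annotations
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ICMPV6_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


@dataclass
class RouterAdvert:
    src: ipaddress.IPv6Address
    router_lifetime: int                 # seconds hosts keep this node as default router
    src_mac: Optional[str] = None
    prefixes: List = field(default_factory=list)   # (IPv6Network, autonomous_flag)
    rdnss: List = field(default_factory=list)      # DNS servers pushed to hosts


def parse_ra(pkt: bytes) -> Optional[RouterAdvert]:
    """Parse an IPv6 packet (no link-layer header) carrying an RA; None otherwise."""
    if len(pkt) < 56 or pkt[6] != 58 or pkt[40] != ICMPV6_ROUTER_ADVERT:
        return None
    icmp = pkt[40:]
    ra = RouterAdvert(ipaddress.IPv6Address(pkt[8:24]), struct.unpack("!H", icmp[6:8])[0])
    off = 16                                       # fixed RA header is 16 bytes
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                              # zero-length option: discard packet
            return None
        opt = icmp[off:off + olen * 8]
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra.src_mac = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, flags = opt[2], opt[3]
            net = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra.prefixes.append((net, bool(flags & 0x40)))   # A bit: hosts form addresses
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                ra.rdnss.append(ipaddress.IPv6Address(opt[i:i + 16]))
        off += olen * 8
    return ra


def build_ra(src: str, src_mac: str, prefix: str, rdnss=(), lifetime: int = 1800) -> bytes:
    """Construct an IPv6+ICMPv6 RA to ff02::1 (checksum left zero; not checked here)."""
    net = ipaddress.IPv6Network(prefix)
    opts = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    # Prefix Information: L|A flags, valid 30 days, preferred 7 days, reserved, prefix
    opts += bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])
    opts += struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        opts += bytes([OPT_RDNSS, 1 + 2 * len(rdnss)]) + struct.pack("!HI", 0, lifetime)
        opts += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0) + opts
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


def audit_ra(ra: RouterAdvert, known_routers: Dict[str, str], known_prefixes: Set[str]) -> List[str]:
    """known_routers maps router link-local address -> MAC; known_prefixes holds
    the SLAAC prefixes the real router is expected to advertise."""
    findings: List[str] = []
    expected_mac = known_routers.get(str(ra.src))
    if expected_mac is None:
        findings.append(f"RA from unknown router {ra.src} (lifetime {ra.router_lifetime}s)")
    elif ra.src_mac and ra.src_mac != expected_mac:
        findings.append(f"RA from {ra.src} with unexpected MAC {ra.src_mac}")
    for net, autonomous in ra.prefixes:
        if autonomous and str(net) not in known_prefixes:
            findings.append(f"SLAAC prefix {net} not in the approved set")
    if ra.rdnss and expected_mac is None:
        findings.append(f"DNS servers {[str(a) for a in ra.rdnss]} pushed by unknown router")
    return findings


KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}      # constructed lab allow-list
KNOWN_PREFIXES = {"2001:db8:1::/64"}


def demo() -> Dict[str, List[str]]:
    legit = build_ra("fe80::1", "00:11:22:33:44:55", "2001:db8:1::/64")
    rogue = build_ra("fe80::dead:beef", "de:ad:be:ef:00:01", "2001:db8:bad::/64",
                     rdnss=["fe80::dead:beef"], lifetime=9000)
    return {name: audit_ra(parse_ra(p), KNOWN_ROUTERS, KNOWN_PREFIXES)
            for name, p in (("legit", legit), ("rogue", rogue))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Feeding real traffic to `parse_ra` means stripping the Ethernet header from frames captured with a BPF filter of `icmp6 and ip6[40] == 134`; the audit logic is what a switch's RA Guard does in hardware, and a host that does not need IPv6 router discovery on a segment can simply turn it off.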

Recommended read:
References :
  • BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The Hacker News: Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
  • ESET Research: Details the toolset of the China-aligned APT group that we have named TheWizards. It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates.
  • www.welivesecurity.com: Links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
  • www.bleepingcomputer.com: The China-aligned APT threat actor abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The DefendOps Diaries: Unveiling the Threat: How 'The Wizards' Exploit IPv6 for Cyber Attacks
  • Security Risk Advisors: TheWizards APT Group Targets Southeast Asian Governments Using Rootkits and Cloud Tools
  • bsky.app: TheWizards APT group abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • cyberinsider.com: Chinese Hackers Use IPv6 SLAAC Spoofing to Deliver WizardNet Backdoor
  • WeLiveSecurity: ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
  • www.scworld.com: IPv6 SLAAC exploited by Chinese APT for AitM attacks
  • Blog: ‘TheWizards’ exploit IPv6 feature as part of AitM attacks

The Hacker News //
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.

Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.

Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.

Recommended read:
References :
  • The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
  • securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
  • techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
  • securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
  • The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
  • thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
  • The Register - Software: Open source text editor poisoned with malware to target Uyghur users
  • Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
  • citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
  • The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
  • hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
  • www.scworld.com: Uyghur leaders subjected to malware attack

@securityonline.info //
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been targeting government and telecommunications organizations in Southeast Asia in a campaign observed since June 2024, although Trend Micro traces the group's activity back to November 2020. Its operations focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive documents, and they route the stolen data through public cloud services such as Dropbox and Microsoft OneDrive, where it blends in with legitimate traffic.

Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.

Detection strategies focus on monitoring process creations and command-line activity, in particular PowerShell invocations that enumerate the document extensions the group collects. The group also leverages legitimate system components, such as syssetup.dll (a Windows setup library that, when invoked through rundll32, installs whatever an INF file specifies, including drivers), to load its rootkits, which makes the installation look like ordinary setup activity. While there are overlaps with other APT groups such as ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to its targeted espionage, credential theft, persistent kernel-level footholds, and data exfiltration via trusted cloud platforms.
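The process-creation monitoring described above, as an added example (not Trend Micro's detection content and not the actor's actual command lines): two rules run over constructed Sysmon-style Event ID 1 records. The first flags PowerShell that enumerates several office document extensions and pairs that with a recursive walk or a copy/compress staging verb; the second flags `rundll32 syssetup.dll,SetupInfObjectInstallAction`, which is a generic LOLBin indicator for INF-driven driver installs and is used here as an assumption about how the syssetup.dll abuse would appear, not as a reported indicator. The log lines, paths and timestamps are all constructed.

```python
"""Flag process-creation events that look like PowerShell document harvesting
or an INF-driven install through syssetup.dll.  Added example; rules and
records are constructed for the demo."""
import json
import re
from typing import Dict, List

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
DOC_EXT = re.compile(r"\*\.(pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)
ENUM_CMD = re.compile(r"\b(Get-ChildItem|gci|ls|dir)\b", re.IGNORECASE)
STAGING = re.compile(r"(-Recurse|Copy-Item|Move-Item|Compress-Archive)", re.IGNORECASE)
HIDDEN = re.compile(r"-(w|windowstyle)\s+hidden|-(nop|noprofile)\b", re.IGNORECASE)
# rundll32 syssetup.dll,SetupInfObjectInstallAction <section> 128 <file.inf> installs
# whatever the INF declares, drivers included.  Generic LOLBin indicator (assumption).
INF_INSTALL = re.compile(r"syssetup\.dll\s*,\s*SetupInfObjectInstallAction", re.IGNORECASE)


def score_event(evt: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; empty list means clean."""
    image = evt.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = evt.get("CommandLine", "")
    reasons: List[str] = []
    if image in PS_IMAGES:
        exts = sorted({m.lower() for m in DOC_EXT.findall(cmd)})
        if len(exts) >= 2 and ENUM_CMD.search(cmd):
            reasons.append(f"powershell enumerates document types {exts}")
            if STAGING.search(cmd):
                reasons.append("recursive walk or copy/compress staging verb present")
            if HIDDEN.search(cmd):
                reasons.append("hidden window / no-profile launch flags")
    elif image == "rundll32.exe" and INF_INSTALL.search(cmd):
        reasons.append("INF-driven install via syssetup.dll (possible driver/rootkit load)")
    return reasons


def scan(log_lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON event lines and keep only those with at least one reason."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        evt = json.loads(line)
        reasons = score_event(evt)
        if reasons:
            hits.append({"time": evt.get("UtcTime"), "image": evt.get("Image"), "reasons": reasons})
    return hits


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style (Event ID 1) records; not real telemetry.
SAMPLE_LOG = [
    json.dumps({"UtcTime": "2025-04-28 02:11:09", "Image": PS_PATH,
                "CommandLine": r'powershell.exe -Command "Get-ChildItem C:\Logs -Filter *.log | Remove-Item"'}),
    json.dumps({"UtcTime": "2025-04-28 02:14:51", "Image": PS_PATH,
                "CommandLine": r'powershell.exe -nop -w hidden -c "Get-ChildItem -Path D:\Share '
                               r'-Include *.pdf,*.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx -Recurse '
                               r'| Copy-Item -Destination C:\Users\Public\stage"'}),
    json.dumps({"UtcTime": "2025-04-28 02:20:03", "Image": r"C:\Windows\System32\rundll32.exe",
                "CommandLine": r"rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Public\drv.inf"}),
    json.dumps({"UtcTime": "2025-04-28 02:25:40", "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"cmd.exe /c dir *.pdf *.docx"}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["image"], *hit["reasons"], sep="\n  ")
```

The fourth record (`cmd.exe /c dir *.pdf *.docx`) is deliberately not flagged: the rule is scoped to PowerShell as the text describes, and widening it to `cmd.exe` is a one-line change once the false-positive rate on your own baseline is known. The mere presence of document extensions is not treated as malicious; it is the combination with enumeration plus staging, launched from an interactive-looking but hidden shell, that matches the collection pattern.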

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
  • securityonline.info: SecurityOnline: Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
  • The Hacker News: TheHackNews: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
  • Know Your Adversary: Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
  • www.trendmicro.com: Trend Micro: Earth Kurma APT Campaign
  • Industrial Cyber: Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns.
  • industrialcyber.co: Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
  • www.scworld.com: Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
  • Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
  • securityonline.info: In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
  • sra.io: APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents.
  • Virus Bulletin: Trend Micro's Nick Dai & Sunny Lu look into the Earth Kurma APT campaign targeting government and telecommunications sectors in Southeast Asia. The campaign used advanced malware, rootkits, and trusted cloud services to conduct cyberespionage.

@www.silentpush.com //
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.

The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.

The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.

Recommended read:
References :
  • hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
  • The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
  • www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
  • Anonymous ???????? :af:: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
  • www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
  • Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
  • www.scworld.com: New Lazarus campaign hits South Korea BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group
  • Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
  • malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
  • www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
  • cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
  • securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
  • Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers

@reliaquest.com //
A critical zero-day vulnerability, CVE-2025-31324, has been discovered in SAP NetWeaver Visual Composer Metadata Uploader, posing a significant threat to organizations using the platform. The flaw stems from missing authorization checks on the `/developmentserver/metadatauploader` endpoint, allowing unauthenticated attackers to upload malicious files directly to the system. This unrestricted file upload vulnerability has a CVSS score of 10, indicating its critical severity and potential for widespread exploitation. Security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using the vulnerability to drop web shell backdoors onto exposed systems.

Exploitation of CVE-2025-31324 enables attackers to gain unauthorized access and control over SAP systems. Threat actors are leveraging the vulnerability to upload web shells, facilitating remote code execution and further system compromise. These web shells allow attackers to execute commands, manage files, and perform other malicious actions directly from a web browser. According to SAP security platform Onapsis, the vulnerability can afford attackers the opportunity to take full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within a network.

SAP has released an out-of-band emergency patch to address CVE-2025-31324, and organizations are strongly encouraged to apply the patch as soon as possible to mitigate the risk. ReliaQuest researchers also reported investigating multiple customer incidents involving JSP webshells uploaded via this vulnerability. Given the widespread active exploitation and the potential for significant impact, organizations should prioritize patching vulnerable systems and assessing them for any signs of compromise. Experts estimate that a significant percentage of internet-facing SAP NetWeaver systems may be vulnerable, highlighting the urgency of addressing this critical flaw.
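One concrete form of the "assess for signs of compromise" step above, as an added example (not SAP, Onapsis or ReliaQuest tooling): a hunt for stray `.jsp`, `.java` and `.class` files in the `irj` servlet directories of a NetWeaver AS Java instance, which is where uploaded web shells have been reported to land in public incident guidance. Treat that directory list as an assumption to check against your own installation layout. The instance tree below is constructed in a temporary directory, with one shell-like JSP, one stray class file and a benign text file.

```python
"""Look for uploaded JSP/Java artifacts in the NetWeaver AS Java directories
where CVE-2025-31324 web shells have been reported to land.  Added example;
directory list from public guidance (verify locally), sample tree constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

SHELL_DIRS = (
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
)
SUSPECT_EXT = {".jsp", ".java", ".class"}
# Source-level patterns typical of a command-execution web shell
EXEC_HINTS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|getParameter\(\s*\"(cmd|c|exec)\"")


def classify(path: Path) -> Dict[str, object]:
    """Any suspect-extension file is at least 'medium'; exec hints raise it to 'high'."""
    data = path.read_bytes()
    hit = EXEC_HINTS.search(data)
    return {
        "path": str(path),
        "size": len(data),
        "severity": "high" if hit else "medium",
        "indicator": hit.group(0).decode(errors="replace") if hit else "unexpected file type",
    }


def hunt_web_shells(instance_root: Path) -> List[Dict[str, object]]:
    """One finding per .jsp/.java/.class file in the watched directories.
    Non-recursive on purpose: work/ and work/sync are listed separately."""
    findings: List[Dict[str, object]] = []
    for rel in SHELL_DIRS:
        d = instance_root / rel
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if f.is_file() and f.suffix.lower() in SUSPECT_EXT:
                findings.append(classify(f))
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a constructed instance tree: one shell, one stray .class, one benign file."""
    root = Path(tempfile.mkdtemp(prefix="nw_"))
    for rel in SHELL_DIRS:
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / SHELL_DIRS[0] / "helper.jsp").write_bytes(
        b'<%@ page import="java.io.*" %>'
        b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    (root / SHELL_DIRS[2] / "cache.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    (root / SHELL_DIRS[1] / "notes.txt").write_text("benign")
    return hunt_web_shells(root)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["path"], f["indicator"])
```

Run it against the real instance with `hunt_web_shells(Path("/usr/sap/<SID>/<instance>"))`. A `.class` file will usually come back as "medium" because the string patterns target source, not bytecode; anything in that bucket still needs a look, since a shell compiled ahead of time is a common way to dodge content matching. Absence of findings is not proof of a clean system either: the file read/upload happened before any patch, so pair the hunt with HTTP access logs for `/developmentserver/metadatauploader` requests.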

Recommended read:
References :
  • Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
  • securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
  • The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
  • Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
  • BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
  • reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
  • MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
  • Blog: Max severity zero-day in SAP NetWeaver actively exploited
  • thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
  • cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
  • www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
  • www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
  • The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
  • Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
  • socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
  • Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
  • strobes.co: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
  • The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
  • Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
  • www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
  • www.bleepingcomputer.com: SAP fixes suspected Netweaver zero-day exploited in attacks
  • BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
  • securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
  • onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
  • Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
  • Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
  • www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
  • www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
  • securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
  • redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
  • www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
  • Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
  • SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
  • Stormshield: Security alert SAP CVE-2025-31324: Stormshield Products Response
  • socprime.com: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution

@cyberalerts.io //
The initial access broker (IAB) known as ToyMaker has been identified as the facilitator of a sophisticated cyberattack targeting critical infrastructure. Cisco Talos's 2023 incident response report unveiled ToyMaker's operations, showing how the group exploited vulnerable, internet-facing systems to gain an initial foothold. ToyMaker utilizes a custom-made backdoor called LAGTOY, which is designed to execute attacker commands, evade detection, and maintain persistence as a Windows service. This IAB then extracts credentials from the compromised infrastructure, setting the stage for further malicious activity.

Once inside, ToyMaker performs preliminary reconnaissance, credential extraction using tools like Magnet RAM Capture, and deploys the LAGTOY implant. The extracted credentials are then exfiltrated using utilities such as 7-Zip and PuTTY’s SCP, enabling lateral movement and further compromise within the network. A fake user account is created with administrator privileges to maintain access. Following this initial burst of activity, there is a period of inactivity before the access is handed off to the Cactus ransomware group.

The Cactus ransomware operators leverage the stolen credentials to infiltrate additional endpoints, conduct broad network reconnaissance, and exfiltrate sensitive data. They deploy remote access tools, create malicious accounts for persistence, and attempt to disable defenses by deleting volume shadow copies and modifying boot recovery settings. This collaboration between ToyMaker and Cactus highlights a concerning trend in cybercrime, where specialized IABs provide entry points for ransomware groups to carry out large-scale attacks, causing significant disruption to critical infrastructure.

Recommended read:
References :
  • blog.talosintelligence.com: Technical details on the attack and exploited vulnerabilities.
  • cyberpress.org: Reports on the multi-stage attack targeting critical infrastructure.
  • securityonline.info: Analysis of the ToyMaker attack campaign and tactics.
  • thehackernews.com: Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS.
  • Cisco Talos Blog: Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
  • securityonline.info: Cisco Talos' 2023 incident response report unveils the operations of "ToyMaker," a financially motivated Initial Access Broker (IAB)

Pierluigi Paganini@Security Affairs //
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.

The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through those scanners. Kimsuky also sent phishing emails with malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to deliver malware. Once inside, the attackers installed a dropper that deployed several malware components, including MySpy, which collects system information, and RDPWrap, an open-source wrapper that enables Remote Desktop on Windows editions that lack it and allows concurrent sessions, giving the attackers a persistent remote access channel.

To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.

Recommended read:
References :
  • securityaffairs.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • The Hacker News: Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
  • gbhackers.com: The AhnLab SEcurity intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed "Larva-24005," linked to the notorious North Korean hacking group Kimsuky.
  • securityonline.info: A new cybersecurity report from the AhnLab Security intelligence Center (ASEC) has shed light on a recently identified
  • Daily CyberSecurity: A new cybersecurity report from the AhnLab Security intelligence Center (ASEC) has shed light on a recently identified
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan – Source: securityaffairs.com
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • www.csoonline.com: North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign
  • www.scworld.com: Attacks with BlueKeep, Microsoft Office exploits launched by Kimsuky-linked group
  • bsky.app: Kimsuky group was observed using RDP to gain initial access and deploy malware in several high-profile breaches.

@poliverso.org //
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.

This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between command and control servers and infected devices, allowing attackers to execute commands. The IronHusky group is abusing the legitimate piping server (ppng[.]io) to request commands and send back their execution results. This technique helps the attackers to evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.

The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.

Recommended read:
References :
  • Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
  • The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
  • BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • Know Your Adversary: 108. Hunting for Node.js Abuse
  • bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
  • poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
  • threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
  • securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
  • www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
  • securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.