info@thehackernews.com (The@The Hacker News
//
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.
Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.
Recommended read:
References :
- Open Source Security: Multiple vulnerabilities in ingress-nginx
- The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
- Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
- The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
- Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
- ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
- securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
- dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
- research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities inIngress NGINX
- securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
- : Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
- Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
- www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
- www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
- Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
- Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
- open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
- Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
- Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
- circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
- Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
- thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
- Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
- Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
- MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
- Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
- nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
- Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
- securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
- Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.
- Kali Linux Tutorials: Details on IngressNightmare Vulnerabilities
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Microsoft Threat@Microsoft Security Blog
//
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.
The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
Recommended read:
References :
- krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
- Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
- The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
- The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- : ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
- The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
- www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
- TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
- BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
- eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
- Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix� to Deliver Credential-Stealing Malware
- Blog: Phishing campaign impersonates Booking.com, plants malware
- Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
- www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
- www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
- www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
- thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
- gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
- Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
- Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
- Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign
Vasu Jakkal@Microsoft Security Blog
//
Microsoft has unveiled a significant expansion of its Security Copilot platform, integrating AI agents designed to automate security operations tasks and alleviate the workload on cybersecurity professionals. This move aims to address the increasing volume and complexity of cyberattacks, which are overwhelming security teams that rely on manual processes. The AI-powered agents will handle routine tasks, freeing up IT and security staff to tackle more complex issues and proactive security measures. Microsoft detected over 30 billion phishing emails targeting customers between January and December 2024 highlighting the urgent need for automated solutions.
The expansion includes eleven AI agents, six developed by Microsoft and five by security partners, set for preview in April 2025. Microsoft's agents include the Phishing Triage Agent in Microsoft Defender, Alert Triage Agents in Microsoft Purview, Conditional Access Optimization Agent in Microsoft Entra, Vulnerability Remediation Agent in Microsoft Intune, and Threat Intelligence Briefing Agent in Security Copilot. These agents are purpose-built for security, designed to learn from feedback, adapt to workflows, and operate securely within Microsoft’s Zero Trust framework, ensuring that security teams retain full control over their actions and responses.
Recommended read:
References :
- The Register - Software: AI agents swarm Microsoft Security Copilot
- Microsoft Security Blog: Microsoft unveils Microsoft Security Copilot agents and new protections for AI
- .NET Blog: Learn how the Xbox services team leveraged .NET Aspire to boost their team's productivity.
- Ken Yeung: Microsoft’s First CTO Says AI Is ‘Three to Five Miracles’ Away From Human-Level Intelligence
- SecureWorld News: Microsoft Expands Security Copilot with AI Agents
- www.zdnet.com: Microsoft's new AI agents aim to help security pros combat the latest threats
- www.itpro.com: Microsoft launches new security AI agents to help overworked cyber professionals
- www.techrepublic.com: After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot
- eSecurity Planet: esecurityplanet.com covers Fortifying Cybersecurity: Agentic Solutions by Microsoft and Partners
- Source: AI innovation requires AI security: Hear what’s new at Microsoft Secure
- www.csoonline.com: Microsoft has introduced a new set of AI agents for its Security Copilot platform, designed to automate key cybersecurity functions as organizations face increasingly complex and fast-moving digital threats.
- SiliconANGLE: Microsoft introduces AI agents for Security Copilot
- SiliconANGLE: Microsoft Corp. is enhancing the capabilities of its popular artificial intelligence-powered Copilot tool with the launch late today of its first “deep reasoning” agents, which can solve complex problems in the way a highly skilled professional might do.
- Ken Yeung: Microsoft is introducing a new way for developers to create smarter Copilots.
- www.computerworld.com: Microsoft’s Newest AI Agents Can Detail How They Reason
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low priority issue not meeting their bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
Recommended read:
References :
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- BleepingComputer: At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- www.trendmicro.com: Trend Zero Day Initiativeâ„¢ (ZDI) uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
@pcmag.com
//
A recent Windows 11 update has inadvertently uninstalled the Copilot AI assistant from some users' PCs, causing frustration. The bug, affecting updates KB5053598, KB5053602, and KB5053606 across Windows 11 and Windows 10, removes the Copilot app and unpins it from the taskbar. Microsoft has acknowledged the issue and updated the release notes, confirming that Copilot for Microsoft 365 is not affected.
Users affected by this bug can manually reinstall the Copilot app from the Microsoft Store and repin it to their taskbar as a temporary solution. It's worth noting that some users on Reddit have expressed that they appreciate this accidental "feature," stating they would prefer the option to install Copilot rather than having it forced upon them. Microsoft is currently working on a permanent solution and likely to issue an update soon.
Recommended read:
References :
- futurism.com: Users Cheer as Microsoft Accidentally Removes Hated AI Feature From Windows 11
- www.techrepublic.com: The Case of the Vanishing Copilot: Is Microsoft’s Update a Feature or a Bug?
- www.zdnet.com: Windows 11 update accidentally erases Copilot for some users - here's how to get it back
- PCMag Middle East ai: Oops: Microsoft Update Accidentally Removes Copilot From Windows
- MSPoweruser: If you install KB5053598, you’ll delete all traces of Copilot in Windows 11
- www.windowscentral.com: Is this Windows 11 'bug' the feature we've been waiting for? Say goodbye to Copilot (for now)
- www.techradar.com: Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
- PCWorld: Microsoft shot itself in the foot with its latest Windows update
- Ars OpenForum: Report that a bug in the Windows 11 update caused Copilot to be removed from some devices.
- How-To Geek: Explanation and guidance for reinstalling the Copilot app after a recent Windows update.
- www.pcmag.com: Discussion of the Copilot uninstall issue and possible resolutions.
- PCWorld: Article discussing the inadvertent uninstallation of the Copilot app in some Windows 11 installations due to a bug in the recent update.
Microsoft Incident@Microsoft Security Blog
//
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.
The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.
Recommended read:
References :
- bsky.app: ​MicrosoftÂ
has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
- Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
- Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
- securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
- The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
- CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
- Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
- www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
- The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
- Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
- BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
- securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
- Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
- Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […] The post appeared first on .
Pierluigi Paganini@Security Affairs
//
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.
The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013.
Recommended read:
References :
- Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
- Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
- Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
- gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
- buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
- securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
- The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
- securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
- Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
- OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
- Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
- Cisco Talos Blog: Talos researchers warn that Russia-linked APT group Gamaredon targets Ukraine with a phishing campaign.
- securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
- www.scworld.com: Ongoing Gamaredon phishing campaign targets Ukraine with Remcos RAT
- securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
- Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader.
@The DefendOps Diaries
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
- Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
- Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.
Deeba Ahmed@hackread.com
//
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.
Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.
Recommended read:
References :
- hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
- securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
- The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
- thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
- www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
- securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
- Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
- MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
- Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
- BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
- Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection
do son@securityonline.info
//
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.
The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.
Recommended read:
References :
- bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
- BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
- Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
- gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
- Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For later movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
- Osint10x: Fake Zoom Ends in BlackSuit Ransomware
- securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
- bsky.app: Lazarus adopts ClickFix technique.
- : New “ClickFake Interview†campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
- gbhackers.com: Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware
- BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.
- Virus Bulletin: Sekoya researchers discovered a ClickFake Interview campaign targeting job seekers with fake job interview websites. The infrastructure aligns with technical indicators linked to the Contagious Interview campaign and delivers GolangGhost backdoor for Windows & macOS
- www.scworld.com: ClickFix technique leveraged in new crypto-targeted Lazarus attacks
Laura French@scmagazine.com
//
Microsoft's AI tool, Security Copilot, has identified 20 critical vulnerabilities in open-source bootloaders, including GRUB2, U-Boot, and Barebox. These bootloaders are vital for initializing operating systems, especially in Linux environments and embedded systems. The findings highlight the potential for attackers to bypass UEFI Secure Boot, a security standard designed to ensure that only trusted software runs during startup. Security updates addressing these flaws were released in February 2025.
The discovered vulnerabilities, including an exploitable integer overflow, could allow attackers to execute arbitrary code and install persistent malware that may survive OS reinstallation. In the case of GRUB2, attackers could potentially bypass Secure Boot, install stealthy bootkits, and evade enterprise security mechanisms. This could grant threat actors complete control over devices, compromise additional devices on the network, and enable persistent threats. Microsoft used traditional discovery methods, including static code analysis, manual code analysis and fuzzing, with assistance from Microsoft Security Copilot.
Recommended read:
References :
- The Hacker News: The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
- Microsoft Security Blog: Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders. The post appeared first on .
- bsky.app: Microsoft used its AI-powered Security Copilot to discover 20Â previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/
- BleepingComputer: Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders
- www.csoonline.com: Microsoft’s AI tool catches critical GRUB2, U-boot bootloader flaws
- www.scworld.com: Microsoft touts bug finds from Security Copilot
do son@Daily CyberSecurity
//
Microsoft has released a patch for a Windows kernel vulnerability, CVE-2025-24983, after it was exploited in the wild since March 2023. Cybersecurity firm ESET discovered the zero-day exploit being used to escalate privileges on compromised machines. The vulnerability, a "Use-after-Free" (UaF) flaw related to improper memory management, allows attackers to gain system-level access, enabling data exfiltration and remote access. Microsoft has assigned a severity score of 7.0 to the flaw, acknowledging that malicious actors had been exploiting it.
The patch addresses a long-standing security vulnerability in the Windows NT kernel subsystem, which has been actively exploited by hackers for two years. The primary targets are older Windows versions, including Windows 10 v1809 and Windows Server 2016, as well as Windows 8.1 and Server 2012 R2. It appears the complexity of exploitation contributed to the delay. This flaw enables attackers to escalate privileges from a low-level local account to system-level access, facilitating malicious activities. Microsoft confirms that this vulnerability does not affect newer operating systems such as Windows 11 and Windows Server 2019.
Recommended read:
References :
- securityonline.info: Microsoft Patches 2-Year-Old Windows Kernel Flaw CVE-2025-24983 After Exploitation
- The Hacker News: Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
SC Staff@scmagazine.com
//
Attackers are intensifying their efforts to exploit old ServiceNow vulnerabilities, specifically CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, which were patched last year. GreyNoise, a threat intelligence firm, has observed a resurgence of in-the-wild activity targeting these flaws, putting unpatched company instances at risk. These vulnerabilities can potentially lead to unauthorized access to sensitive data, remote code execution, and full database compromise, even by unauthenticated actors.
The attacks have predominantly targeted systems in Israel, accounting for over 70% of recent malicious activity. However, organizations in Lithuania, Japan, and Germany have also been affected. Security experts urge organizations to apply the necessary patches to protect their ServiceNow platforms and mitigate the risk of exploitation. These vulnerabilities were initially discovered by Assetnote in May 2024, and ServiceNow promptly released patches, but a failure to apply these updates has left some systems vulnerable.
Recommended read:
References :
- hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
- Carly Page: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
- www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
- www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
- Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
Microsoft Threat@Microsoft Security Blog
//
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.
Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware targeting Xcode projects, since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, even allowing it to remain fileless.
Recommended read:
NSFOCUS@nsfocusglobal.com
//
A new vulnerability, CVE-2025-24071, has been identified in Windows File Explorer, potentially exposing users to network spoofing attacks. The vulnerability is triggered by specially crafted .library-ms files embedded within compressed archives like RAR or ZIP. When these files are decompressed, they can trigger an SMB authentication request, leading to the disclosure of the user’s NTLM hash. The vulnerability has a CVSS score of 7.5, indicating a significant risk.
Microsoft has released a security announcement and a patch to address the issue across a range of Windows versions including Windows 10, Windows 11 and Windows Server versions from 2012 R2 to 2022. Users are urged to install the patch as soon as possible to mitigate the risk of exploitation. The vulnerability stems from the implicit trust and automatic file parsing behavior of .library-ms files by Windows Explorer, making it crucial for users to update their systems promptly.
Recommended read:
References :
- nsfocusglobal.com: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
|
|
FlagThis - #microsoft