@unit42.paloaltonetworks.com
//
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.
This campaign, observed in December 2024, begins with phishing emails disguised as order release requests, enticing recipients to open malicious archive attachments. These attachments contain JavaScript encoded (.JSE) files, which initiate the infection chain by downloading and executing a PowerShell script from an external server. The PowerShell script then decodes and executes a Base64-encoded payload.
The attack then diverges into two possible execution paths. One involves a .NET executable that decrypts an embedded payload, like Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other path uses an AutoIt compiled executable containing an encrypted payload that loads shellcode, ultimately injecting a .NET file into a "RegSvcs.exe" process, ultimately leading to Agent Tesla deployment. This dual-path approach highlights the attacker's focus on resilience and evasion, using simple, stacked stages to complicate analysis and detection.
Recommended read:
References :
- Virus Bulletin: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis.
- The Hacker News: Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
- Anonymous ???????? :af:: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader.
Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes.
The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches.
Recommended read:
References :
- Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
- The DefendOps Diaries: Understanding the CVE-2025-24054 Vulnerability: A Critical Threat to Windows Systems
- BleepingComputer: Windows NTLM hash leak flaw exploited in phishing attacks on governments
- bsky.app: Windows NTLM hash leak flaw exploited in phishing attacks on governments
- research.checkpoint.com: CVE-2025-24054, NTLM Exploit in the Wild
- Talkback Resources: Research team analysis of CVE-2025-24054
- Help Net Security: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
- www.helpnetsecurity.com: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
- bsky.app: BSky Post on CVE-2025-24054, NTLM Exploit in the Wild
- Cyber Security News: CyberSecurityNews - Hackers Exploiting Windows NTLM Spoofing Vulnerability in Wild to Compromise Systems
- The Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
- MSSP feed for Latest: Windows NTLM Hash Flaw Targeted in Global Phishing Attacks
- gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.
- infosecwriteups.com: Your NTLM Hashes at Risk: Inside CVE‑2025‑24054
- BetaNews: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
- www.scworld.com: Cybersecurity News reports on alarms sounding over attacks via Microsoft NTLM vulnerability, impacting Poland and Romania.
- securityaffairs.com: U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
- gbhackers.com: CISA Warns of Active Exploitation of Windows NTLM Vulnerability
- Techzine Global: Windows vulnerability with NTLM hash abuse exploited for phishing
- betanews.com: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
- ciso2ciso.com: Fresh Windows NTLM Vulnerability Exploited in Attacks – Source: www.securityweek.com
- malware.news: Phishing campaigns abuse Windows NTLM hash leak bug
Jenna McLaughlin@NPR Topics: Technology
//
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.
According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it.
The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. The NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter.
Recommended read:
References :
- ciso2ciso.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts – Source: www.csoonline.com
- The Register - Security: Whistleblower describes DOGE IT dept rampage at America's labor watchdog
- www.csoonline.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts.
- DataBreaches.Net: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data
- aboutdfir.com: A whistleblower’s disclosure details details how DOGE may have taken sensitive labor data In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.
- Policy ? Ars Technica: Government IT whistleblower calls out DOGE, says he was threatened at home
- NPR Topics: Technology: Someone using a Russian IP address attempted to access the internal systems of the US National Labor Relations Board (NLRB) using legitimate accounts set up by staff from Elon Musk's Department of Government Efficiency (DOGE), a whistleblower inside the agency has alleged.
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.
GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.
Recommended read:
References :
- Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
- unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
- securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
- The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
- Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
- Security Risk Advisors: Slow Pisces Targets Crypto Developers With “Coding Challenges†That Deliver New RN Loader and RN Stealer Malware
- www.itpro.com: Hackers are duping developers with malware-laden coding challenges
- cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
- gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
- gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
- sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
- Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
@learn.microsoft.com
//
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.
This problem arises from the domain controllers failing to apply the correct network profile after a reboot, instead defaulting to a "Public" or standard firewall profile rather than the required "Domain Authenticated" profile. This misconfiguration can lead to ports and protocols that should be restricted by the domain firewall profile remaining open, posing potential security risks. Essential AD functions like Group Policy application, replication, and authentication are also disrupted, further compounding the problem for organizations relying on Active Directory for network management.
While Microsoft is actively working on a permanent fix for this issue, which is expected to be included in a future update, they have provided a temporary workaround for affected systems. Administrators can manually restart the network adapter on the affected servers using PowerShell with the command 'Restart-NetAdapter *'. However, because the issue reoccurs after each system restart, this workaround must be applied repeatedly. To streamline this process, Microsoft suggests creating a scheduled task that automatically restarts the network adapter each time the domain controller reboots.
Recommended read:
References :
- Techzine Global: Emergency Windows update solves Active Directory problem Microsoft is launching emergency patches to correctly display local audit logon policies in Active Directory Group Policy.
- bsky.app: Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy. https://www.bleepingcomputer.com/news/microsoft/microsoft-new-emergency-windows-updates-fix-ad-policy-issues/
- BleepingComputer: Microsoft: New Windows updates fix Active Directory policy issues Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy.
- Cyber Security News: Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller
- www.networkworld.com: Windows Server 2025 domain controllers may lose connectivity after reboot, says Microsoft
- cybersecuritynews.com: Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller
- BleepingComputer: Microsoft: Windows Server 2025 restarts break connectivity on some DCs
- Techzine Global: Microsoft warns that Windows Server 2025 domain controllers may become inaccessible after a restart. Affected servers load the default firewall profile instead of the domain firewall profile, interrupting applications and services.
@www.microsoft.com
//
Microsoft is enhancing the security of its Exchange Server and SharePoint Server platforms by integrating the Windows Antimalware Scan Interface (AMSI). These servers, considered "crown jewels" for many organizations, have become frequent targets for cyberattacks. The AMSI integration provides a vital layer of defense by preventing malicious web requests from reaching backend endpoints, effectively stopping attacks before they can cause harm. Microsoft emphasizes that threat actors often exploit outdated or misconfigured assets and vulnerabilities, highlighting the importance of this proactive security measure.
The integration of AMSI with Exchange and SharePoint Servers enables them to work seamlessly with any AMSI-compatible antimalware product. This measure is designed to counter sophisticated attack vectors targeting on-premises infrastructure. The enhanced AMSI capabilities extend scanning to HTTP request bodies, allowing for a broader detection of malicious payloads. While these features are not enabled by default, Microsoft strongly recommends that organizations activate them to bolster defenses against remote code execution and post-authentication vulnerabilities.
Microsoft also addressed a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824, with a security update released on April 8, 2025. This vulnerability allowed attackers with user access to escalate privileges and deploy ransomware. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered exploitation of this flaw against a limited number of targets, including organizations in the IT, real estate, and financial sectors. Microsoft urges organizations to prioritize security updates for elevation of privilege vulnerabilities to defend against ransomware attacks.
Recommended read:
References :
- Security | TechRepublic: Microsoft warns CVE-2025-29824 lets attackers with user access escalate privileges to deploy ransomware via a flaw in Windows CLFS.
- Microsoft Security Blog: Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks.
- www.microsoft.com: Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI
- Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
- gbhackers.com: Microsoft Boosts Exchange and SharePoint Security with Updated Antimalware Scan
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.
GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
Recommended read:
References :
- bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been
targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
- cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
- The Hacker News: Shuckworm targets Western military mission
- Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
- gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
- securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
- BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
- securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
- Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
- www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
- www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
- securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
- The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
- www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
- PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
- www.scworld.com: Infected removable drives were used to spread the malware.
- Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
- ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
- Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
- Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
- Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.
Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.
Recommended read:
References :
- Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
- www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
- www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
- cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
- gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
- Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
- gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
- beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.
info@thehackernews.com (The@The Hacker News
//
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.
The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities.
Recommended read:
References :
- isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
- The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
- Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
- BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
- Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
- Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
- CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
- bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
- The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
- Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
- thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
- cyberinsider.com: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
- www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
- BleepingComputer: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
- bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
- Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
- Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
- Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
- isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
- krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
- securityonline.info: Windows CLFS Zero-Day Exploited to Deploy Ransomware
- securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
- www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
- Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
- The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
- www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
- The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
- securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
- Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
- arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.Â
- Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE 2025-29824 .
- Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
- Security | TechRepublic: One CVE was used against “a small number of targets.†Windows 10 users needed to wait a little bit for their patches.
- www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
- Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
- Arctic Wolf: Microsoft Patch Tuesday: April 2025
- www.logpoint.com: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
- arcticwolf.com: Microsoft Patch Tuesday: April 2025
- ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
- cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
- www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
- Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed
@cyberalerts.io
//
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities reported by EncryptHub, tracked under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.
Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insights into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. EncryptHub compromised 618+ targets using Microsoft flaws and custom malware after failed freelance attempts.
EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC). The actor’s most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure.
Recommended read:
References :
- thehackernews.com: Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
- Cyber Security News: ChatGPT Clues and OPSEC Errors Expose EncryptHub Ransomware Operators
- Sam Bent: Microsoft Publicly Credits Hacker Behind 618+ Attacks—EncryptHub Exposed as Dual-Use Operator
- gbhackers.com: EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures
- DataBreaches.Net: Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders
- Cyber Security News: has been exposed due to a series of operational security failures and unconventional use of AI tools.
- BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
- ciso2ciso.com: The controversial case of the threat actor EncryptHub – Source: securityaffairs.com
- securityaffairs.com: The controversial case of the threat actor EncryptHub
- ciso2ciso.com: The controversial case of the threat actor EncryptHub – Source: securityaffairs.com
- bsky.app: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
- BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
- Techzine Global: EncryptHub plays dual role as cybercriminal and Windows researcher
- The DefendOps Diaries: Decrypting EncryptHub: A Cybersecurity Enigma
- bsky.app: BSky post about EncryptHub's dual life as a cybercriminal and Windows bug bounty researcher
- www.bleepingcomputer.com: EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher
- www.scworld.com: Report: EncryptHub moonlighting in vulnerability research
- Anonymous ???????? :af:: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
- BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
@www.infosecurity-magazine.com
//
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed by Armoury, impersonating ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and uses call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Upon successful connection to a command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode, highlighting the potential for significant harm. While there are notable similarities between CoffeeLoader and SmokeLoader, researchers are still determining the exact relationship between the two malware families.
Recommended read:
References :
- The Hacker News: Researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
- : Security firm spots stealthy CoffeeLoader used in attacks
- www.scworld.com: Windows devices have been targeted with attacks involving the novel CoffeeLoader malware that masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads, Cybernews reports.
- ciso2ciso.com: Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
- bsky.app: Zscaler has spotted a new malware loader named CoffeeLoader, used in the wild since September of last year. The malware was used together and appears to bear similarities with SmokeLoader.
- securityaffairs.com: CoffeeLoader uses a GPU-based packer to evade detection
- securityonline.info: GPU-Powered Evasion: Unpacking the Sophisticated CoffeeLoader Malware
@The DefendOps Diaries
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
- Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
- Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.
NSFOCUS@nsfocusglobal.com
//
A new vulnerability, CVE-2025-24071, has been identified in Windows File Explorer, potentially exposing users to network spoofing attacks. The vulnerability is triggered by specially crafted .library-ms files embedded within compressed archives like RAR or ZIP. When these files are decompressed, they can trigger an SMB authentication request, leading to the disclosure of the user’s NTLM hash. The vulnerability has a CVSS score of 7.5, indicating a significant risk.
Microsoft has released a security announcement and a patch to address the issue across a range of Windows versions including Windows 10, Windows 11 and Windows Server versions from 2012 R2 to 2022. Users are urged to install the patch as soon as possible to mitigate the risk of exploitation. The vulnerability stems from the implicit trust and automatic file parsing behavior of .library-ms files by Windows Explorer, making it crucial for users to update their systems promptly.
Recommended read:
References :
- nsfocusglobal.com: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low priority issue not meeting their bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
Recommended read:
References :
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- BleepingComputer: At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- www.trendmicro.com: Trend Zero Day Initiativeâ„¢ (ZDI) uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
Microsoft Incident@Microsoft Security Blog
//
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.
The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.
Recommended read:
References :
- bsky.app: ​MicrosoftÂ
has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
- Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
- Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
- securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
- The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
- CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
- Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
- www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
- The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
- Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
- BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
- securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
- Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
- Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […] The post appeared first on .
rohann@checkpoint.com@Check Point Blog
//
Blind Eagle, one of Latin America's most dangerous cyber criminal groups, has been actively targeting Colombian institutions and government entities since November 2024. According to Check Point Research (CPR), this advanced persistent threat (APT) group, also tracked as APT-C-36, is using sophisticated techniques to bypass traditional security defenses. They leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malicious payloads, and have recently been seen using a variant of an exploit for a now-patched Microsoft Windows flaw, CVE-2024-43451. This allows them to infect victims with a high rate of success.
CPR has uncovered that Blind Eagle incorporated this exploit a mere six days after Microsoft released the patch. They use malicious .URL files distributed via phishing emails, and victims are often unaware they are triggering the infection. The final payload is often the Remcos RAT, a remote access trojan that grants attackers complete control over infected systems, allowing for data theft, remote execution, and persistent access. In one campaign in December 2024, over 1,600 victims were affected, highlighting the group's efficiency and targeted approach.
Recommended read:
References :
- Check Point Blog: The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
- bsky.app: Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
- The Hacker News: The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.
- bsky.app: The Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
- gbhackers.com: Blind Eagle Hackers Exploit Google Drive, Dropbox & GitHub to Evade Security Measures
- : Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
- Talkback Resources: Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks
- securityonline.info: Blind Eagle’s Rapid Adaptation: New Tactics Deployed Days After Patch
- gbhackers.com: Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes
@The DefendOps Diaries
//
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities that were already being actively exploited. These zero-day flaws highlight the importance of applying security updates in a timely manner. Three critical vulnerabilities were remote code execution vulnerabilities, posing a high risk that could lead to full system compromise if exploited. One notable zero-day vulnerability is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow attackers to gain SYSTEM privileges through a race condition.
Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.
Recommended read:
References :
- isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
- The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
- BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
- CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
- Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
- bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
- krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
- Blog RSS Feed: March 2025 Patch Tuesday Analysis
- Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
- The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
- hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
- www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
- Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
- socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities
- Security | TechRepublic: Microsoft's March 2025 Patch Tuesday includes six actively exploited zero-day vulnerabilities. Learn about the critical vulnerabilities and why immediate updates are essential.
- Davey Winder: Microsoft has confirmed that no less than six zero-day vulnerabilities are exploiting Windows users in the wild. Here’s what you need to know and do.
- : Microsoft Patches a Whopping Seven Zero-Days in March
- Blog: As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- Talkback Resources: Microsoft's Patch Tuesday reports 6 flaws already under fire [app] [sys]
- ESET Research: has discovered a zero day exploit abusing -2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges ( ).
- The DefendOps Diaries: Understanding the Impact of CVE-2025-24983: A Critical Windows Kernel Vulnerability
- BleepingComputer: Microsoft patches Windows Kernel zero-day exploited since 2023
- PCWorld: Big March patch fixes dozens of security flaws in Windows and Office
- securityaffairs.com: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days
- www.threatdown.com: The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- Computerworld: For March’s Patch Tuesday, 57 fixes — and 7 zero-days
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
Recommended read:
References :
- Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
- gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
- Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
- www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
- Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
- gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
- securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
Aman Mishra@gbhackers.com
//
A large-scale malware campaign has been discovered exploiting a vulnerable Windows driver, truesight.sys, associated with Adlice's RogueKiller Antirootkit suite. Attackers are leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy the HiddenGh0st RAT malware. Over 2,500 distinct variants of the truesight.sys driver have been identified, allowing attackers to evade EDR solutions and Microsoft’s Vulnerable Driver Blocklist.
This sophisticated campaign employs a multi-stage infection process, where initial-stage malware samples are disguised as legitimate applications and distributed via deceptive websites and messaging apps. These samples download the vulnerable truesight.sys driver alongside encrypted payloads, ultimately delivering advanced malware such as the Gh0st RAT. The campaign primarily targets victims in China, Singapore, and Taiwan, with infrastructure hosted on public cloud services within China.
Recommended read:
References :
- Cyber Security News: A sophisticated cyber campaign has been uncovered, leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy malware.
- Talkback Resources: 2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT [exp] [mal]
- The Hacker News: A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
- Information Security Buzz: Massive Cyberattack Exploits Legacy Windows Driver to Evade Detection
- gbhackers.com: New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections
@PCWorld
//
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.
The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.
Recommended read:
References :
- CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
- hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
- cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
- The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
- Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
- The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
- PCWorld: This high-risk keylogger malware is a growing threat to Windows users
- Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
- www.scworld.com: More advanced Snake Keylogger variant emerges
- Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
@gbhackers.com
//
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.
Recommended read:
References :
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
- The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
- : Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
- www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
- Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
- The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
- securityaffairs.com: Analyzing DEEP#DRIVE: North Korean
|
|
FlagThis - #windows