2025-09-06 AI创业新闻

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability , tracked as CVE-2025-53690 , carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. “Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said .

“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.” Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group. “The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said . The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework.

Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers. As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors. In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance. The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker.

The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py. With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of the tools used during these phases are listed below - EarthWorm for network tunneling using SOCKS DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network SharpHound for Active Directory reconnaissance GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens Remote Desktop Protocol (RDP) for lateral movement The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credentials access and facilitate lateral movement via RDP. “With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods,” Mandiant added.

To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise. “The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances,” Caitlin Condon, VP of security research at VulnCheck, told The Hacker News. “The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we’ve seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet.” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones.

“Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE),” Dewhurst added. “Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.” Found this article interesting?

TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT . “Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said . The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.

CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. A subsequent analysis from IBM X-Force last month found that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software. “Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said. “The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.” Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.

CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to host C2 servers (“programsbookss[.]com”). Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking the same malware under the name NightshadeC2.

The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions. “As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.” That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.

eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, makes use of techniques like UAC Prompt Bombing to sidestep security protections. The Canadian cybersecurity company said it also identified variants equipped with features to extract passwords and cookies from Chromium- and Gecko-based web browsers. In a nutshell, the process involves running a PowerShell command in a loop that attempts to add an exclusion in Windows Defender for the final payload (i.e., NightshadeC2), after which the loader verifies the exit code of the PowerShell process to ascertain if it’s 0 (meaning success). If the exclusion is successfully added, the loader proceeds to deliver the malware.

If any other exit code other than 0 is returned, the loop keeps executing repeatedly, forcing the user to approve the User Account Control (UAC) prompt. “A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop,” eSentire said, adding the method enables a bypass of multiple sandbox solutions. The development comes as Hunt.io detailed another malware loader codenamed TinyLoader that has been used to serve Redline Stealer and DCRat. Besides establishing persistence by modifying Windows Registry settings, the malware monitors the clipboard and instantly replaces copied crypto wallet addresses.

Its C2 panels are hosted across Latvia, the U.K., and the Netherlands. “TinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said . “It spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.” The findings also coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey and a Python information stealer referred to as Inf0s3c Stealer , that can collect keyboard input and gather extensive system information, respectively. Further analysis of Inf0s3c Stealer has identified points of similarity with Blank Grabber and Umbral-Stealer, two other publicly available malware families, suggesting that the same author could be responsible for all three strains.

“TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information,” CYFIRMA said. Inf0s3c Stealer “systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates hierarchical views of user directories, such as Desktop, Documents, Pictures, and Downloads.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.

Successful exploration of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes. SecurityBridge Threat Research Labs, in an alert issued Thursday, said it has observed active exploitation of the flaw, stating the issue impacts both on-premise and Private Cloud editions. “Exploitation requires access only to a low-privileged user to fully compromise an SAP system,” the company said.

“A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.” It also noted that while widespread exploitation has not yet been detected, threat actors possess the knowledge to use it, and that reverse engineering the patch to create an exploit is “relatively easy.” As a result, organizations are advised to apply the patches as soon as possible, monitor logs for suspicious RFC calls or new admin users, and ensure appropriate segmentation and backups are in place. “Consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02,” it also said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Automation Is Redefining Pentest Delivery

Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem?

These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work. Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows.

(No waiting for the final report!) The Static Delivery Problem in a Dynamic World Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.

Why Automation Matters Now As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings rapidly grows. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle. Benefits of automating pentest delivery include: Real-time actionability: Act on findings immediately, not after the report is finalized Faster response: Accelerate remediation, retesting and validation Standardized operations: Ensure every finding follows a consistent process Less manual work: Free teams to focus on strategic initiatives Improved focus: Keep teams focused on what matters Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner to drive client value.

For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR). 5 Key Components of Automated Pentest Delivery
Centralized data ingestion: Start by consolidating all findings—manual and automated—into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.

Automated real-time delivery: As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking to allow remediation to begin while testing is still in progress. Automated routing & ticketing: Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues to ensure findings are automatically routed to the right teams and systems.

Standardized remediation workflows: Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered from a scanner or manual testing, the process from triage to fix should be consistent and traceable. Triggered retesting & validation: When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.

PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform. Avoid Common Pitfalls Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems.

Watch out for:
Overcomplicating early efforts: Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success. Treating automation as a one-time setup; Your workflows should evolve alongside your tools, team structure, and priorities.
Failing to iterate leads to stale processes that no longer align with how teams operate. Automating without clearly defined workflows:
Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves. How to get started
Here’s how to begin automating pentest delivery:
Map your current workflow: Document how findings are delivered, triaged, assigned, and tracked today.
Identify friction points: Look for repetitive tasks, handoff delays, and areas where communication breaks down. Start small : Automate one or two high-impact steps first , like ticket creation, email alerts, or finding delivery. Add complexity over time as you validate what’s working well and use early results to evolve workflows, add rules, and further streamline. Choose the right platform; Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.
Measure impact: Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts. The Future of Pentest Delivery Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution to help teams move faster, collaborate better, and reduce risk more effectively. For Service Providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead.

For Enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats. Conclusion Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts by making findings more actionable, standardizing remediation workflows, and delivering measurable outcomes. Whether you’re delivering tests to clients or to an internal team, the message is clear: The future of pentest delivery is automated.

Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools , enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle. Found this article interesting? This article is a contributed piece from one of our valued partners.

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal , are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia. The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed.

The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods. In all, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025. “Looking deeper, we saw that the earliest samples were larger, around 25 MB, and the size decreased over time, suggesting the attackers were evolving their payloads,” VirusTotal said. The disclosure comes as cracked versions of legitimate software and ClickFix-style tactics are being used to lure users into infecting their Apple macOS systems with an information stealer called Atomic macOS Stealer ( AMOS ), exposing businesses to credential stuffing, financial theft, and other follow-on attacks.

“AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders,” Trend Micro said . “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.” The attack chain essentially involves targeting users looking for cracked software on sites like haxmac[.]cc, redirecting them to bogus download links that provide installation instructions designed to trick them into running malicious commands on the Terminal app, thus triggering the deployment of AMOS. It’s worth noting that Apple prevents the installation of .dmg files lacking proper notarization due to macOS’s Gatekeeper protections, which require the application packages to be signed by an identified developer and notarized by Apple.

“With the release of macOS Sequoia, attempts to install malicious or unsigned .dmg files, such as those used in AMOS campaigns, are blocked by default,” the company added. “While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods.” This is why threat actors are increasingly banking on ClickFix, as it allows the stealer to be installed on the machine using Terminal by means of a curl command specified in the software download page. “While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” Trend Micro said. “This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.” The development also follows the discovery of a “sprawling cyber campaign” that’s targeting gamers on the lookout for cheats with StealC stealer and crypto theft malware, netting the threat actors more than $135,000.

Per CyberArk , the activity is notable for leveraging StealC’s loader capabilities to download additional payloads, in this case, a cryptocurrency stealer that can siphon digital assets from users on infected machines. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Weaponized GenAI + Extortion-First Strategies Fueling a New Age of Ransomware

Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said . “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.” The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.

The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading. This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections. Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

It then proceeds to create a folder at the path %TEMP%\Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed. The malware supports four different commands - cmd, to execute commands and return the standard output as an email attachment cmdno, to execute commands dwn, to exfiltrate files from the victim’s computer by sending them as email attachments upl, to drop files to the victim’s computer “Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.” The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon ‘s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth. “This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said . “Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.” Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK , which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads. “This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” ESET researcher Fernando Tavella said in a report shared with The Hacker News.

“Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites.” Some of the other targets of the hacking group include Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The activity is also said to be indiscriminate, with entities in the education, healthcare, insurance, transportation, technology, and retail sectors singled out. Initial access to target networks is accomplished by exploiting a vulnerability, likely an SQL injection flaw, after which PowerShell is used to deliver additional tools hosted on a staging server (“868id[.]com”). “This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a stored procedure xp_cmdshell that can be used to execute commands on a machine,” ESET said.

Rungan is designed to await incoming requests from a URL matching a predefined pattern (i.e., “https://+:80/v1.0/8888/sys.html”), and then proceeds to parse and execute the commands embedded in them. It supports four different commands - mkuser, to create a user on the server with the username and password provided listfolder, to collect information from a provided path (unfinished) addurl, to register new URLs that the backdoor can listen on cmd, to run a command on the server using pipes and the CreateProcessA API Written in C/C++, Gamshen is an example of an IIS malware family called “ Group 13 ,” which can act both as a backdoor and conduct SEO fraud. It functions similar to IISerpent, another IIS-specific malware that was documented by ESET back in August 2021. IISerpent , configured as a malicious extension for Microsoft’s web server software, allows it to intercept all HTTP requests made to the websites hosted by the compromised server, specifically those originating from search engine crawlers, and change the server’s HTTP responses with the goal of redirecting the search engines to a scam website of the attacker’s choosing.

That IIS extensions can covertly open persistent backdoors into servers was acknowledged by Microsoft back way back in July 2022, stating they are also “harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.” “GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” Tavella said. It’s currently not known where these backlinks redirect unsuspecting users to, but it’s believed that the SEO fraud scheme is being used to promote various gambling websites. Also dropped alongside Rungan and Gamshen are various other tools - GoToHTTP to establish a remote connection that’s accessible from a web browser BadPotato or EfsPotato for creating a privileged user in the Administrators group Zunput to collect information about websites hosted on the IIS server and drop ASP, PHP, and JavaScript web shells It’s assessed with medium confidence that GhostRedirector is a China-aligned threat actor based on the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., to sign the privilege escalation artifacts, and the use of the password “huang” for one of the GhostRedirector-created users on the compromised server. That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud.

Over the past year, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has engaged in SEO manipulation via BadIIS malware. “Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website – potentially a paying client participating in an SEO fraud as-a-service scheme,” the company said. “GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybercriminals Exploit X’s Grok AI to Bypass Ad Protections and Spread Malware to Millions

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok. The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking. The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.

To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player that apparently isn’t scanned by the social media platform. In the next step, the fraudsters tag Grok in replies to the post, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response. “Adding to that, it is now amplified in SEO and domain reputation - after all, it was echoed by Grok on a post with millions of impressions,” Tal said. “A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!” Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams , information-stealing malware, and other suspicious content via direct link (aka smartlink ) monetization.

The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content. The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts. “They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.” Found this article interesting?

Simple Steps for Attack Surface Reduction

Story teaser text: Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencing ™ can eliminate entire categories of risk. From disabling Office macros to blocking outbound server traffic, these simple but strategic moves create a hardened environment that attackers can’t easily penetrate. Whether you’re securing endpoints or overseeing policy rollouts, adopting a security-by-default mindset can reduce complexity, shrink your attack surface, and help you stay ahead of evolving threats.

Cybersecurity has changed dramatically since the days of the “Love Bug” virus in 2001. What was once an annoyance is now a profit-driven criminal enterprise worth billions. This shift demands proactive defense strategies that don’t just respond to threats—they prevent them from ever reaching your network. CISOs, IT admins, and MSPs need solutions that block attacks by default , not just detect them after the fact.

Industry frameworks like NIST, ISO, CIS, and HIPAA provide guidance, but they often lack the clear, actionable steps needed to implement effective security. For anyone starting a new security leadership role, the mission is clear: Stop as many attacks as possible, frustrate threat actors, and do it without alienating the IT team. That’s where a security-by-default mindset comes in—configuring systems to block risks out of the gate. As I’ve often said, the attackers only have to be right once.

We have to be right 100% of the time. Here’s how setting the right defaults can eliminate entire categories of risk. Require multi-factor authentication (MFA) on all remote accounts Enabling MFA across all remote services—including SaaS platforms like Office 365 and G Suite, as well as domain registrars and remote access tools—is a foundational security default. Even if a password is compromised, MFA can prevent unauthorized access.

Try to avoid using text messages for MFA as it can be intercepted. While it may introduce some friction, the security benefits far outweigh the risk of data theft or financial loss. Deny-by-default One of the most effective security measures nowadays is application whitelisting or allowlisting. This approach blocks everything by default and only allows known, approved software to run.

The result: Ransomware and other malicious applications are stopped before they can execute. It also blocks legitimate-but-unauthorized remote tools like AnyDesk or similar, which attackers often try to sneak in through social engineering. Users can still access what they need via a pre-approved store of safe applications, and visibility tools make it easy to track everything that runs—including portable apps. Quick wins through secure configuration Small changes to default settings can close major security gaps on Windows and other platforms: Turn off Office macros: It takes five minutes and blocks one of the most common attack vectors for ransomware.

Use password-protected screensavers: Auto-lock your screen after a short break to stop anyone from snooping around. Disable SMBv1: This old-school protocol is outdated and has been used in big attacks like WannaCry. Most systems don’t need it anymore. Turn off the Windows keylogger: It’s rarely useful and could be a security risk if left on.

Control network and application behavior for organizations Remove local admin rights: Most malware doesn’t need admin access to run, but taking it away stops users from messing with security settings or even installing malicious software. Block unused ports and limit outbound traffic: Shut down SMB and RDP ports unless absolutely necessary—and only allow trusted sources. Stop servers from reaching the internet unless they need to. This helps avoid attacks like SolarWinds.

Control application behaviors: Tools like ThreatLocker Ringfencing ™ can stop apps from doing sketchy things —like Word launching PowerShell (yes, that’s a real attack method). Secure your VPN: If you don’t need it, turn it off. If you do, limit access to specific IPs and restrict what users can access. Strengthen data and web controls Block USB drives by default: They’re a common way for malware to spread.

Only allow secure managed, encrypted ones if needed. Limit file access: Apps shouldn’t be able to poke around in user files unless they really need to. Filter out unapproved tools: Block random SaaS or cloud apps that haven’t been vetted. Let users request access if they need something.

Track file activity: Keep an eye on who’s doing what with files—both on devices and in the cloud. It’s key for spotting shady behavior. Go beyond defaults with monitoring and patching Strong defaults are just the beginning. Ongoing vigilance is critical: Regular patching: Most attacks use known bugs.

Keep everything updated—including portable apps. Automated threat detection: EDR tools are great, but if no one’s watching alerts 24/7, threats can slip through. MDR services can jump in fast, even after hours. Security by default isn’t just smart, it’s non-negotiable.

Blocking unknown apps, using strong authentication, locking down networks and app behavior can wipe out a ton of risk. Attackers only need one shot, but solid default settings keep your defenses ready all the time. The payoff? Fewer breaches, less hassle, and a stronger, more resilient setup.

Note: This article is expertly written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules. Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted . The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.” Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE). French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent.

Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day. The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020.

In a statement shared with Reuters, the tech giant said the ruling “misunderstands how [their] products work,” adding the company’s privacy tools give users control over their data and emphasized that their choice to turn off personalization are honored. It also said it plans to appeal. In related privacy-related announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S.

Children’s Online Privacy Protection Rule (COPPA). The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads. In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.

Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third-party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA. “Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said . “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities ( KEV ) catalog, noting that there is evidence of them being exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-50224 (CVSS score: 6.5) - An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd” CVE-2025-9377 (CVSS score: 8.6) - An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status - TL-WR841N (versions 10.0 and 11.0) TL-WR841ND (version 10.0) Archer C7 (versions 2.0 and 3.0) However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity. “The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said .

“For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.” There are no public reports explicitly referencing the exploitation of the aforementioned vulnerabilities, but TP-Link, in an advisory updated last week, linked in-the-wild activity to a botnet known as Quad7 (aka CovertNetwork-1658), which has been leveraged by a China-linked threat actor codenamed Storm-0940 to conduct highly evasive password spray attacks. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are being urged to apply the necessary mitigations by September 24, 2025, to secure their networks. The development comes a day after CISA placed another high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products (CVE-2020-24363, CVSS score: 8.8) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Found this article interesting?

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar. “The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below - colortoolsv2 (7 downloads) mimelib2 (1 download) The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them. While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible.

As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project, causing it to fetch and run a next-stage payload from an attacker-controlled server. Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload – a technique reminiscent of EtherHiding . The shift underscores the new tactics that threat actors are adopting to evade detection. Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages “real-time on-chain data to execute trades automatically, saving you time and effort.” The GitHub account associated with the repository is no longer available.

It’s assessed that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network , which refers to a cluster of bogus GitHub accounts that are known to star, fork, watch, commit, and subscribe to malicious repositories to artificially inflate their popularity. Included among those commits are source code changes to import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot. The naming of these GitHub repositories suggests that the cryptocurrency developers and users are the primary target of the campaign, using a combination of social engineering and deception.

“It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” Valentić said. “And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.