2025-09-27 AI创业新闻
Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam
A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader , which is then used to drop Amatera Stealer and PureMiner . “The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments,” Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News. In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader.
The email messages claim to be a notice from the National Police of Ukraine. CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer , a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner. It’s worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder.
Some of the other products from the same author include - PureCrypter, a crypter for Native and .NET PureRAT (aka ResolverRAT), a successor to PureHVNC RAT PureLogs, an information stealer and logger BlueLoader, a malware that can act as a botnet by downloading and executing payloads remotely PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to redirect transactions and steal funds According to Fortinet, Amatera Stealer and PureMiner are both deployed as fileless threats, with the malware “executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule.” Amatera Stealer, once launched, gathers system information, collects files matching a predefined list of extensions, and harvests data from Chromium- and Gecko-based browsers, as well as applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets. “This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain,” Fortinet said. In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site.” The development comes as Huntress uncovered a likely Vietnamese-speaking threat group using phishing emails bearing copyright infringement notice themes to trick recipients into launching ZIP archives that lead to the deployment of PXA Stealer , which then evolves into a multi-layered infection sequence dropping PureRAT.
“This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft,” security researcher James Northey said . “The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host.” “Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks
The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX. Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor. COLDRIVER , also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that’s known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS , which underscores its technical sophistication.
The adversary’s use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2025, using fake sites serving fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command that’s designed to deliver the LOSTKEYS Visual Basic Script. “The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced,” Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week. The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL in the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain (“captchanom[.]top”) to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is presented to the victims.
It also makes several HTTP requests to the same server to send system information, receive commands to establish persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, clear the most recent command executed in the Run dialog, effectively erasing traces of the ClickFix attack that triggered the infection. The downloaded PowerShell stager subsequently reaches out to an external server (“southprovesolutions[.]com”) to download SIMPLEFIX, which, in turn, establishes communication with a command-and-control (C2) server to run PowerShell scripts, commands, and binaries hosted on remote URLs. One of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about a hard-coded list of file types found in a pre-configured list of directories. The list of directories and file extensions scanned shares overlaps with that of LOSTKEYS.
“The COLDRIVER APT group is known for targeting members of NGOs, human right defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia,” Zscaler said. “The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.” BO Team and Bearlyfy Target Russia The development comes as Kaspersky said it observed a new phishing campaign targeting Russian companies in early September undertaken by the BO Team group (aka Black Owl, Hoody Hyena, and Lifting Zmiy) using password-protected RAR archives to deliver a new version of BrockenDoor rewritten in C# and an updated version of ZeronetKit. A Golang backdoor, ZeronetKit, comes fitted with capabilities to support remote access to compromised hosts, upload/download files, execute commands using cmd.exe, and create a TCP/IPv4 tunnel. Select newer versions also incorporate support for downloading and running shellcode, as well as update the communication interval with C2 and modify the C2 server list.
“ZeronetKit is unable to independently persist on an infected system, so attackers use BrockenDoor to copy the downloaded backdoor to startup,” the Russian cybersecurity vendor said . It also follows the emergence of a new group called Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk in attacks targeting Russia, initially attacking smaller companies for smaller ransoms before graduating to bigger firms in the country starting April 2025, according to F6. As of August 2025, the group is estimated to have claimed at least 30 victims. In one incident targeting a consulting company, the threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges.
In another case observed in July, the initial access is said to have been facilitated through an unnamed partner company. “In the most recent recorded attack, the attackers demanded €80,000 in cryptocurrency, while in the first attack, the ransom was several thousand dollars,” F6 researchers said . “Due to the relatively low ransom amounts, on average, every fifth victim buys decryptors from the attackers.” Bearlyfy is assessed to be active since January 2025, with a deeper analysis of its tools uncovering infrastructure overlaps with a likely pro-Ukrainian threat group called PhantomCore , which has a track record of targeting Russian and Belarusian companies since 2022. Despite these similarities, Bearlyfy is believed to be an autonomous entity.
“PhantomCore implements complex, multi-stage attacks typical of APT campaigns,” the company said. “Bearlyfy, on the other hand, uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. Initial access is achieved through exploitation of external services and vulnerable applications. The primary toolkit is aimed at encryption, destruction, or modification of data.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions
Car makers don’t trust blueprints. They smash prototypes into walls. Again and again. In controlled conditions.
Because design specs don’t prove survival. Crash tests do. They separate theory from reality. Cybersecurity is no different.
Dashboards overflow with “critical” exposure alerts. Compliance reports tick every box. But none of that proves what matters most to a CISO: The ransomware crew targeting your sector can’t move laterally once inside. That a newly published exploit of a CVE won’t bypass your defenses tomorrow morning.
That sensitive data can’t be siphoned through a stealthy exfiltration channel, exposing the business to fines, lawsuits, and reputational damage. That’s why Breach and Attack Simulation (BAS) matters. BAS is the crash test for your security stack. It safely simulates real adversarial behaviors to prove which attacks your defenses can stop, and which would break through.
It exposes those gaps before attackers exploit them or regulators demand answers. The Illusion of Safety: Dashboards Without Crash Tests Dashboards overflowing with exposures can feel reassuring, like you’re seeing everything, like you’re safe. But it’s a false comfort. It’s no different than reading a car’s spec sheet and declaring it “safe” without ever crashing it into a wall at 60 miles per hour.
On paper, the design holds. In practice, impact reveals where the frame buckles and the airbags fail. The Blue Report 2025 provides crash test data for enterprise security. Based on 160 million adversary simulations, it shows what actually happens when defenses are tested instead of assumed: Prevention dropped from 69% to 62% in one year.
Even organizations with mature controls regressed. 54% of attacker behaviors generated no logs. Entire attack chains unfolded with zero visibility. Only 14% triggered alerts.
Meaning most detection pipelines failed silently. Data exfiltration was stopped just 3% of the time. A stage with direct financial, regulatory, and reputational consequences is effectively unprotected. These are not gaps dashboards reveal.
They are exploitable weaknesses that only appear under pressure. Just as a crash test exposes flaws hidden in design blueprints, security validation exposes the assumptions that collapse under real-world impact, before attackers, regulators, or customers do. BAS Works as a Security Validation Engine Crash tests don’t just expose flaws. They prove safety systems fire when they’re needed most.
Breach and Attack Simulation (BAS) does the same for enterprise security . Instead of waiting for a real breach, BAS continuously runs safe, controlled attack scenarios that mirror how adversaries actually operate. It doesn’t trade in hypotheticals, it delivers proof. For CISOs, this proof matters because it turns anxiety into assurance: No sleepless nights over a public CVE with a working proof-of-concept.
BAS shows if your defenses stop it in practice. No guessing whether the ransomware campaign sweeping your sector could penetrate your environment. BAS runs those behaviors safely and shows if you’d be a victim or not. No fear of the unknown in tomorrow’s threat reports.
BAS validates defenses against both known techniques and emerging ones observed in the wild. This is the discipline of Security Control Validation (SCV): proving that investments hold up where it counts. BAS is the engine that makes SCV continuous and scalable. Dashboards may show posture.
BAS reveals performance. By pointing out the blind spots in your defenses, it gives CISOs something dashboards never can: the ability to focus on the exposures that actually matter, and the confidence to prove resilience to boards, regulators, and customers. Proof in Action: Effect of BAS in Business Side BAS-driven exposure validation shows just how much noise can be eliminated when assumptions give way to proof: Backlogs of 9,500 CVSS “critical” findings shrink to just 1,350 exposures proven relevant . Mean Time to Remediate (MTTR) drops from 45 days to 13 , closing windows of exposure before attackers can strike.
Rollbacks fall from 11 per quarter to 2 , saving time, budget, and credibility. And when paired with prioritization models like the Picus Exposure Score (PXS) , the clarity becomes sharper: From 63% of vulnerabilities flagged as high/critical , only 10% remain truly critical after validation, an 84% reduction in false urgency . For CISOs, this means fewer sleepless nights over swelling dashboards and more confidence that resources are locked onto exposures that matter most. BAS turns overwhelming data into a validated risk picture executives can trust.
Closing Thought: Don’t Just Monitor, Simulate For CISOs, the challenge isn’t visibility, it’s certainty. Boards don’t ask for dashboards or scanner scores. They want assurance that defenses will hold when it matters most. This is where BAS reframes the conversation: from posture to proof.
From “We deployed a firewall” → to “We proved it blocked malicious C2 traffic across 500 simulated attempts this quarter.” From “Our EDR has MITRE coverage” → to “We detected 72% of emulated Scattered Spider APT group’s behaviors; here’s where we fixed the other 28%.” From “We’re compliant” → to “We’re resilient, and we can prove it with evidence.” That shift is why BAS resonates at the executive level. It transforms security from assumptions into measurable outcomes. Boards don’t buy posture, they buy proof. And BAS is evolving further.
With AI, it’s no longer just proving whether defenses worked yesterday, but anticipating how they will hold tomorrow. To see this in action, join Picus Security, SANS, Hacker Valley, and other leading voices at The Picus BAS Summit 2025: Redefining Attack Simulation through AI . This virtual summit will showcase how BAS and AI together are shaping the future of security validation. [ Secure your spot today ] Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Securing AI Agents 101
Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed. “This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News. The vulnerability in question is CVE-2025-10035 , which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem.
According to an
analysis
released by watchTowr earlier this week, the vulnerability has to do with the fact that it’s possible to send a crafted HTTP GET request to the “/goanywhere/license/Unlicensed.xhtml/” endpoint to directly interact with the License Servlet (“com.linoma.ga.ui.admin.servlet.LicenseResponseServlet”) that’s exposed at “/goanywhere/lic/accept/
The sequence of the activity is as follows - Triggering the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE) Using the RCE to create a GoAnywhere user named “admin-go” Using the newly created account to create a web user Leveraging the web user to interact with the solution and upload and execute additional payloads, including SimpleHelp and an unknown implant (“zato_be.exe”) The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197 , which, according to VirusTotal , has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances in early August 2025. However, watchTowr told The Hacker News that it has not observed any such activity from the IP address against its honeypots. Given signs of in-the-wild exploitation, it’s imperative that users move quickly to apply the fixes, if not already. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module
Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks. “This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms,” the Microsoft Threat Intelligence team said in a Thursday report. “It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries.” XCSSET is the name assigned to a sophisticated modular malware that’s designed to infect Xcode projects used by software developers and unleash its malicious capabilities when it’s being built.
Exactly how the malware is distributed remains unclear, but it’s suspected that the propagation relies on the Xcode project files being shared among developers building apps for macOS. Earlier this March, Microsoft uncovered several enhancements to the malware, highlighting its improved error handling and the use of three different persistence techniques to siphon sensitive data from compromised hosts. The latest variant of XCSSET has been found to incorporate a clipper sub-module that monitors clipboard content for specific regular expression (aka regex) patterns matching various cryptocurrency wallets. In the event of a match, the malware proceeds to substitute the wallet address in the clipboard with an attacker-controlled one to reroute transactions.
The Windows maker also noted that the new iteration introduces changes to the fourth stage of the infection chain, particularly where an AppleScript application is used to run a shell command to fetch the final-stage AppleScript that’s responsible for collecting system information and launching various sub-modules using a boot() function. Notably, the modifications include extra checks for the Mozilla Firefox browser and an altered logic to determine the presence of the Telegram messaging app. Also observed are changes to the various modules, as well as new modules that did not exist in previous versions - vexyeqj, the information module previously called seizecj, and which downloads a module called bnk that’s run using osascript. The script defines functions for data validation, encryption, decryption, fetching additional data from command-and-control (C2) server, and logging.
It also includes the clipper functionality. neq_cdyd_ilvcmwx, a module similar to txzx_vostfdi that exfiltrates files to the C2 server xmyyeqjx, a module to set up LaunchDaemon-based persistence jey, a module to set up Git-based persistence iewmilh_cdyd, a module to steal data from Firefox using a modified version of a publicly available tool named HackBrowserData To mitigate the threat posed by XCSSET, users are recommended to ensure that they keep their system up-to-date, inspect Xcode projects downloaded or cloned from repositories or other sources, and exercise caution when it comes to copying and pasting sensitive data from the clipboard. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware
The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER . “The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the agency said . Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.
An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added. “Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said . The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor , which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).
Additionally, in some cases, the threat actor is said to have modified ROMMON (short for Read-Only Memory Monitor ) – which is responsible for managing the boot process and performing diagnostic tests in ASA devices – to facilitate persistence across reboots and software upgrades. That being said, these modifications have been detected only on Cisco ASA 5500-X Series platforms that lack Secure Boot and Trust Anchor technologies. Cisco also said the campaign has successfully compromised ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, and which do not support Secure Boot and Trust Anchor technologies. All the affected devices have reached end-of-support (EoS) or are about to reach EoS status by next week - 5512-X and 5515-X – Last Date of Support: August 31, 2022 5585-X – Last Date of Support: May 31, 2023 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025 Furthermore, the company noted that it has addressed a third critical flaw (CVE-2025-20363, CVSS score: 8.5/9.0) in the web services of Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software that could allow an remote attacker to execute arbitrary code on an affected device.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both,” it said . “A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device.” Unlike CVE-2025-20362 and CVE-2025-20333, there is no evidence that the vulnerability has been exploited in the wild in a malicious context. Cisco said the shortcoming was discovered by the Cisco Advanced Security Initiatives Group (ASIG) during the resolution of a Cisco TAC support case. The Canadian Centre for Cyber Security has urged organizations in the country to take action as soon as possible to counter the threat by updating to a fixed version of Cisco ASA and FTD products.
The U.K. NCSC, in an advisory released September 25, revealed the attacks have leveraged a multi-stage bootkit called RayInitiator to deploy a user-mode shellcode loader known as LINE VIPER to the ASA appliance. RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit that’s flashed to victim devices, while capable of surviving reboots and firmware upgrades. It’s responsible for loading into memory LINE VIPER, which can run CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.
The bootkit accomplishes this by installing a handler within a legitimate ASA binary called “lina” to execute LINE VIPER. Lina, short for Linux-based Integrated Network Architecture, is the operating system software that integrates core firewall functionalities of the ASA. Described as “more comprehensive” than Line Dancer , LINE VIPER uses two methods for communication with the command-and-control (C2) server: WebVPN client authentication sessions over HTTPS, or via ICMP with responses over raw TCP. It’s also designed to make a number of modifications to “lina” to avoid leaving a forensic trail and prevent detection of modifications to CLI commands like copy and verify.
“The deployment of LINE VIPER via a persistent bootkit, combined with a greater emphasis on defence evasion techniques, demonstrates an increase in actor sophistication and improvement in operational security compared to the ArcaneDoor campaign publicly documented in 2024,” the NCSC said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests CVE-2025-20362 (CVSS score: 6.5) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests Cisco said it’s aware of “attempted exploitation” of both vulnerabilities, but did not reveal who may be behind it, or how widespread the attacks are. It’s suspected that the two vulnerabilities are being chained to bypass authentication and execute malicious code on susceptible appliances. It also credited the Australian Signals Directorate, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, U.K.
National Cyber Security Centre (NCSC), and U.S. Cybersecurity and Infrastructure Security Agency (CISA) for supporting the investigation. CISA Issues Emergency Directive ED 25-03 In a separate alert, CISA said it’s issuing an emergency directive urging federal agencies to identify, analyze, and mitigate potential compromises with immediate effect. In addition, both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, giving the agencies 24 hours to apply the necessary mitigations.
“CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA),” the agency noted . “The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.” The agency also noted that the activity is linked to a threat cluster dubbed ArcaneDoor , which was previously identified as targeting perimeter network devices from several vendors, including Cisco, to deliver malware families like Line Runner and Line Dancer. The activity was attributed to a threat actor codenamed UAT4356 (aka Storm-1849).
“This threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024,” CISA added. “These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Threatsday Bulletin: Rootkit Patch, Federal Breach, OnePlus SMS Leak, TikTok Scandal & More
Welcome to this week’s Threatsday Bulletin —your Thursday check-in on the latest twists and turns in cybersecurity and hacking. The digital threat landscape never stands still. One week it’s a critical zero-day, the next it’s a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you’re protecting a global enterprise or your own personal data—need to keep moving just as fast.
In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach. Firmware fights back SonicWall Releases SMA 100 Firmware Update to Remove Rootkit SonicWall has released a firmware update that it said will help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. “SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices,” the company said .
“SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version.” The update comes after a report from Google that found a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices. SonicWall has also disclosed that expediting the end-of-support (EoS) date for all SMA 100 devices to October 31, 2025, citing “significant vulnerabilities presented by legacy VPN appliances.” Texts laid bare Unpatched Flaw in OnePlus Phones Lets Malicious Apps Access Text Messages A permission bypass vulnerability (CVE-2025-10184, CVSS score: 8.2) has been discovered in multiple versions of OnePlus OxygenOS installed on its Android devices. The shortcoming has to do with the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection. “When leveraged, the vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider (the package com.android.providers.telephony) without permission, user interaction, or consent,” Rapid7 said .
“The user is also not notified that SMS data is being accessed.” Successful exploitation of the flaw could lead to the theft of sensitive information, such as multi-factor authentication (MFA) codes sent as SMS messages. The issue appears to have been introduced as part of OxygenOS 12, released in 2021. The vulnerability remains unpatched as of writing, but OnePlus has acknowledged it’s investigating the issue. Stop Guessing, Start Securing Webinar: Code-to-Cloud Visibility Is the New AppSec Baseline Join this session to discover why code-to-cloud visibility is fast becoming the cornerstone of modern Application Security Posture Management (ASPM).
You’ll see how mapping risks from where they originate in code to where they surface in the cloud unites development, DevOps, and security teams , enabling sharper prioritization, tighter feedback loops, and faster remediation—before attackers can exploit the weak link. GeoServer hole exploited CISA says Hackers Breached Federal Agency Using GeoServer Exploit The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive cybersecurity advisory detailing how threat actors successfully compromised a U.S. federal civilian executive branch agency’s network on July 11, 2024, by exploiting CVE-2024-36401 , a critical remote code execution vulnerability in GeoServer.
“Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers,” the agency said . Once compromised, the attackers uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LotL) techniques for user, service, filesystem, and network discovery, while relying on tools like fscan, dirtycow, and RingQ for network reconnaissance, privilege escalation, and defense evasion, respectively. SIM-swapping secrets spill Confessions of Scattered Spider’s Noah Urban Last week, three members of the notorious cybercrime group Scattered Spider were arrested.
The arrests came close on the heels of the crew announcing that it was shuttering its operations. The group, composed of primarily English-speaking teenagers, are known to carry out hacking sprees using advanced social engineering tactics to breach high-profile companies, steal data, and extort them. Earlier this year, Noah Urban, a 20-year-old linked to the notorious group, pled guilty to his cybercrime charges and agreed to pay millions in restitution. In a report published last week, Bloomberg revealed his critical role as a caller, talking people into unwittingly giving them access to sensitive computer systems by installing remote access tools.
He also said he found a SIM-swapping group through Minecraft, the leader of which paid him $50 each time a call resulted in a cryptocurrency theft. Urban also said one of the collaborators, Daniel Junk, figured out a way to access T-Mobile’s customer service portal by registering his personal computer to its corporate network and using remote access software to get into the company’s SIM activation tool. Junk is said to have paid Urban to call T-Mobile stores and deceive staff into handing over their logins by claiming to be from the internal security management. Soon Urban graduated to employing his own callers to conduct SIM swapping and used fake Okta login pages masquerading to trick a Twilio employee into sending their credentials.
But when that account didn’t have the data he wanted, he logged into the employee’s Slack account and messaged a senior employee he’d identified on LinkedIn, asking them to send customer data belonging to 209 companies for auditing purposes. The information was subsequently used to hack more companies. In December 2022, the group also stole the personal information of 5.7 million customers of Gemini Trust and put it up for sale. This activity cluster came to be known as 0ktapus .
The threat group would eventually join hands with other entities like LAPSUS$ and Scattered Spider to breach Crypto.com and exploit a United Parcel Service Inc. system to gather the personal data of would-be victims. Urban’s home was raided by U.S. authorities in March 2023, and he was eventually arrested in January 2024.
Last month, he was sentenced to ten years in prison. “I’m not saying what I did was a good thing, it’s a horrible community, and what I did was bad,” he told Bloomberg. “But I loved my life. I like who I am.
I’m glad I was able to live life as I lived it.” Stealthy SVG stings Oversized SVG Files Used to Deliver AsyncRAT Threat actors are using booby-trapped SVG files in an email phishing campaign targeting users in Colombia, Mexico, and Peru as a delivery vector to stealthily deliver malware like AsyncRAT by means of a password-protected ZIP archive. The oversized SVG files contain the “full package,” eliminating the need for external connections to a remote server in order to send commands to compromised devices or download additional malicious payloads. “Attackers also appear to rely at least partly on artificial intelligence (AI) tools to help them generate customized files for every target,” ESET said . “The ability of SVG lures to carry scripts, embedded links and interactive elements makes them ripe for abuse, all while increasing the odds of evading detection by some traditional security tools.” Right-to-left ruse BiDi Swap Leads to URL Spoofing A decade-old vulnerability can open the door to URL spoofing by exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, thereby allowing attackers to craft URLs that appear trustworthy but actually lead to a different destination.
The attack has been codenamed BiDi Swap by Varonis. While punycode homograph attacks and RTL override (RLO) exploits have long been abused to deceive users and browsers into displaying deceptive text or URLs, BiDi Swap entails crafting domains that have LTR sub-domain with some RTL parameters to spoof legitimate sites. Self-replicating supply-chain menace CISA Releases Alert on Shai-Hulud Attack CISA has published an advisory on the recent widespread supply chain compromise targeting the npm ecosystem that involved the use of a self-replicating worm named Shai-Hulud to steal credentials and propagate the malware to other packages. The malware “leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry,” CISA said .
The agency is urging organizations to conduct a dependency review, pin npm package dependency versions to known safe releases, rotate all developer credentials, mandate phishing-resistant multi-factor authentication (MFA) on all developer accounts, monitor for anomalous network behavior, harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and enable branch protection rules. “The Shai-Hulud worm represents a significant escalation in the ongoing series of NPM attacks targeting the open-source community,” Palo Alto Networks Unit 42 said . “Its self-replicating design is particularly notable, effectively combining credential harvesting with an automated dissemination mechanism that exploits maintainers’ existing publishing rights to proliferate across the ecosystem.” Game patch turns thief BlockBlasters Game Delivers StealC Malware A 2D platformer game called BlockBlasters has begun to exhibit signs of malicious activity after a patch release on August 30, 2025, that silently captures system information, a list of installed security products, and cryptocurrency wallet browser extensions, and drops the StealC information stealer while the user is playing the game. This patch affects hundreds of players who currently have the game installed on their systems, G DATA said .
The game has since been pulled from Steam. Database door unlocked Exposed Oracle DBS Server Used to Drop Elons Ransomware Threat actors have been observed exploiting an exposed Oracle DBS database server to execute commands remotely and create an encrypted tunnel with a command-and-control (C2) server to ultimately deploy Elons, a likely variant of the Proxima/ Blackshadow ransomware that appeared in early 2024. It’s suspected that the attackers used an encrypted tunnel with a C2 server for network communication, Yarix said . Remote tool turned spy Malicious ScreenConnect Installers Delivers AsyncRAT Trojanized ScreenConnect installers are being used to distribute AsyncRAT and a custom PowerShell RAT as part of an ongoing campaign designed to facilitate data theft and long-term access.
An analysis of the various IP addresses associated with AsyncRAT activity has revealed a “resilient, evasive AsyncRAT malicious infrastructure maintained for long-term operations rather than opportunistic attacks,” Hunt.io said . Basic ransomware, big chaos West Sussex Man Arrested in Connection with Cyber Attack Affecting Airports A man in his forties from West Sussex has been arrested in connection with a cyber attack that disrupted day-to-day operations at several European airports including Heathrow. The U.K. National Crime Agency (NCA) said he has been released on conditional bail.
“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said . The agency did not name the suspect or say whether he acted alone or as part of a wider cybercriminal group. The incident caused hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed. RTX Corporation, the owner of Collins Aerospace, said ransomware had been deployed in the attack.
Although the company did not share any other details regarding the incident, cybersecurity researcher Kevin Beaumont said the attackers used an “incredibly basic” ransomware variant called HardBit . Fake mirrors hook devs PyPI Warns About Continued Phishing Attacks The maintainers of the Python Package Index (PyPI) have warned of continued phishing attacks that employ domain-confusion and legitimate-looking emails to trick accountholders into parting with their credentials by tricking them to click on fake links (“pypi-mirror.org”) under the pretext of verifying their email address for “account maintenance and security procedures” or risk getting their accounts suspended. Package maintainers are advised to change their passwords with immediate effect if they have already clicked on the link and provided their login information. It’s also advised to check the account’s Security History for any suspicious activity.
French dark market falls France Seizes Dark French Anti System Law enforcement authorities in French have shut down a dark web marketplace catering to French-speaking users. The Dark French Anti System, or DFAS, was established in 2017 and had more than 12,000 registered users, emerging as a major hub for peddling drugs, arms, hacking tools, money-laundering schemes, and other criminal services. Authorities took control of servers and arrested two suspects, one who is alleged to be the site’s chief administrator and an accomplice who helped in the testing of its services. Global sting hauls millions INTERPOL Announces $439 million Recovery An INTERPOL-coordinated operation spanning 40 countries and territories led to the recovery of USD 342 million in government-backed currencies, along with USD 97 million in physical and virtual assets.
The operation, dubbed HAECHI-VI, took place between April and August 2025, and targeted seven types of cyber-enabled financial crimes: voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise and e-commerce fraud. As part of the ongoing effort , authorities blocked over 68,000 associated bank accounts, froze close to 400 cryptocurrency wallets, and recovered around $16 million in suspected illicit profits from cryptocurrency wallets. In addition, Portuguese law enforcement broke up a syndicate that diverted funds meant to support vulnerable families, leading to the arrest of 45 suspects who illegally accessed social security accounts and altered bank details that resulted in $270,000 stolen from 531 victims. Thai officials also seized $6.6 million in stolen assets in connection with a sophisticated business email compromise scam conducted by a transnational organized crime group comprising Thai and West African nationals.
“The gang deceived a major Japanese corporation into transferring funds to a fictitious business partner based in Bangkok,” INTERPOL said . Kids’ data under spotlight TikTok Comes Under Scrutiny in Canada for Collecting Children Data The popular social media app TikTok has been collecting sensitive information from hundreds of thousands of Canadians under 13 years old, according to a joint investigation by privacy authorities. However, “as a result of TikTok’s inadequate age-assurance measures, the company collected the personal information of a large number of Canadian children, including information that the offices consider to be sensitive,” the report said . The probe also found TikTok failed to adequately explain its collection and use of biometric information, such as facial and voice data, for video, image and audio analysis.
The privacy commissioners said TikTok agreed to enhance its age verification and provide up-front notices about its wide-ranging collection of data. The company also agreed to “effectively stop” allowing advertisers to target users under the age of 18, except based on broad categories such as language and approximate location. AI turbocharges vulnerabilities AI Coding Assistants Ship With More Risks A new report from Apiiro has found that software development teams using artificial intelligence (AI)-powered coding assistants have introduced “over 10,000 new security findings per month across repositories,” a 10× spike from December 2024. “These flaws span every category of application risk — from open-source dependencies to insecure coding patterns, exposed secrets, and cloud misconfigurations,” Apiiro said .
“AI is multiplying not one kind of vulnerability, but all of them at once.” The study also found that while syntax errors in AI-written code dropped by 76% and logic bugs declined by more than 60%, privilege escalation paths jumped 322%, and architectural design flaws increased 153%. In addition, AI-assisted developers exposed cloud-related API keys and service principals nearly twice as often as their non-AI peers. Shortcut to bypass security LNK Stomping Detailed In September 2024, Microsoft issued patches for a Windows Mark-of-the-Web (MotW) security feature bypass vulnerability tracked as CVE-2024-38217. Also called LNK Stomping , the flaw exploits the manner Windows shortcut (LNK) files are handled to remove the MotW tag and bypass security protections.
According to Elastic, there are indications that the issue has been exploited as far back as February 2018, long before it was publicly documented. “LNK Stomping is an attack that manipulates the actual execution program path of a Windows shortcut file (.lnk) with an abnormal target path or internal structure,” South Korean cybersecurity company ASEC said . “It then prompts explorer.exe to remove the MoTW metadata during the ‘normalization (Canonicalization)’ process, thereby bypassing security checks.” BankBot strikes Southeast Asia Indonesian and Vietnamese Android Users Targeted by Banking Trojans DomainTools revealed that Indonesian and Vietnamese Android users have been targeted by banking trojans disguised as legitimate payment and government identity applications since August 2024. “The operators exhibit distinct domain registration patterns, often reusing TLS certificates and grouping domains to resolve to the same IP addresses, with a strong operational focus during Eastern Asia’s daytime hours,” the company said .
It’s suspected that the threat actors are using spoofed websites imitating the Google Play Store to trick users into installing fraudulent APK files that drop a banking trojan named BankBot , which had its source code leaked on Russian-language forums in 2016. Over 100 domains have been identified as being used for malware distribution. Russian influence playbook New Disinformation Campaign Targeting 2025 Moldovan Elections A state-backed threat actor with ties to Russian is targeting the upcoming 2025 Moldovan elections with a disinformation campaign, setting up fake news sites to publish articles that amplify narratives attempting to dissuade Moldova from further aligning with the European Union and exhibit bias against the current leadership. The multi-year activity is tracked under the name Storm-1679 (aka Matryoshka).
Silent Push said it identified “technical fingerprints” linking the efforts to a Russian news site named Absatz. It also found commonalities between multiple disinformation websites, suggesting “infrastructure reuse and common ownership across this campaign.” This includes the use of two IP addresses – 95.181.226[.]135 and 91.218.228[.]51 – which have been used to host domains in connection with a Russian disinformation effort dating back to 2022. “When searching for the Russian word for Moldova (‘Молдова’) on Absatz (absatz[.]media/search), there are dozens of clear disinformation articles,” Silent Push said. Sabotage by algorithm DeepSeek Produces Less Secure Code for Groups China Disfavors In new research published by CrowdStrike, it has been found that Chinese artificial intelligence engine DeepSeek either often refuses to help programmers or gives them low-quality code or code containing major security flaws when they say they are working for the banned spiritual movement Falun Gong or other groups considered sensitive by the Chinese government.
“Deliberately producing flawed code can be less noticeable than inserting back doors – secret means of access for unauthorized users, including governments — while producing the same result: making targets easy to hack,” The Washington Post reported . That wraps up this week’s Threatsday Bulletin. Use these stories as a prompt to double-check your own defenses: apply the urgent updates, tighten access controls, and talk with colleagues about what these incidents mean for your environment. Every small action today helps prevent a big incident tomorrow.
👉 Stay in the loop: Sign up for our newsletter for real-time updates and next week’s highlights. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Vane Viper Generates 1 Trillion DNS Queries to Power Global Malware and Ad Fraud Network
The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility. “Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade,” Infoblox said in a technical report published last week in collaboration with Guardio and Confiant. “Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques.” Vane Viper, also called Omnatuor , was previously documented by the DNS threat intelligence firm in August 2022, describing it as a malvertising network akin to VexTrio Viper that takes advantage of vulnerable WordPress sites to build a massive network of compromised domains and use them to spread riskware, spyware, and adware. One of the notable aspects of the threat actor’s persistence techniques is the abuse of push notification permissions to serve ads even after the user navigates away from the initial page by altering browser settings.
This approach relies on service workers , which maintain a persistent headless browser process to listen for events and serve unwanted notifications. Late last year, Guardio Labs laid bare a campaign dubbed DeceptionAds that was found to leverage Vane Viper’s malicious ad network to facilitate ClickFix-style social engineering campaigns. The activity was attributed to a company named Monetag, which, according to Infoblox, is a subsidiary of PropellerAds , a commercial ad technology company that, in turn, is a subsidiary of AdTech Holding, a holding company based in Cyprus. Domains linked to ProperllerAds have long been flagged for facilitating malvertising campaigns and driving traffic to exploit kits or other fraudulent sites .
Further analysis has uncovered evidence suggesting that several ad-fraud campaigns have originated from infrastructure attributed to PropellerAds. The cybersecurity company said Vane Viper has accounted for about 1 trillion DNS queries over the past year in about half of its customer networks, adding the threat actor takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting site users to malicious browser extensions, fake shopping sites, adult content, survey scams, fake apps, sketchy software downloads, and malware, including an Android malware called Triada in one case. What’s more, Vane Viper appears to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings, with the former also linked to disinformation sites set up by a Russian influence operation called Doppelgänger . Some of the other companies owned by AdTech Holding include ProPushMe, Zeydoo, Notix, and Adex.
About 60,000 domains are assessed to be part of Vane Viper’s infrastructure, most of which only remain active for less than a month. However, there are a few domains that have been active for over 1,200 days, including the original omnatuor[.]com, propeller-tracking[.]com, and several others centered around push notification services. The operation has been found to register vast numbers of new domains each month, scaling a high of 3,500 domains in the month of October 2024 alone, a significant jump from less than 500 domains registered in April 2023. Vane Viper domains make up nearly 50% of bulk-registered domains via URL Solutions since 2023, per the company.
PropellerAds, however, has previously denied any wrongdoing, stating it’s “nothing more than an automated intermediary to help advertisers find the best publishers to publish their advertisements,” and that it “does not endorse, support, or encourage any malicious advertisement on its network.” “Vane Viper isn’t just a threat actor hiding behind an adtech platform,” Infoblox noted. “It’s a threat actor as an adtech platform. AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk.” “Vane Viper hides behind the plausible deniability of operating as an advertising network, while using their TDS [traffic distribution system] to deliver multiple kinds of threats.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection
Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce , a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection. The vulnerability has been codenamed ForcedLeak (CVSS score: 9.4) by Noma Security, which discovered and reported the problem on July 28, 2025. It impacts any organization using Salesforce Agentforce with the Web-to-Lead functionality enabled. “This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems,” Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.
One of the most severe threats facing generative artificial intelligence (GenAI) systems today is indirect prompt injection , which occurs when malicious instructions are inserted into external data sources accessed by the service, effectively causing it to generate otherwise prohibited content or take unintended actions. The attack path demonstrated by Noma is deceptively simple in that it coaxes the Description field in Web-to-Lead form to run malicious instructions by means of a prompt injection, allowing a threat actor to leak sensitive data and exfiltrate it to a Salesforce-related allowlisted domain that had expired and become available for purchase for as little as $5. This takes place over five steps - Attacker submits Web-to-Lead form with a malicious Description Internal employee processes lead using a standard AI query to process incoming leads Agentforce executes both legitimate and hidden instructions System queries CRM for sensitive lead information Transmit the data to the now attacker-controlled domain in the form of a PNG image “By exploiting weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce,” Noma said. “The LLM, operating as a straightforward execution engine, lacked the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage.” Salesforce has since re-secured the expired domain, rolled out patches that prevent output in Agentforce and Einstein AI agents from being sent to untrusted URLs by enforcing a URL allowlist mechanism.
“Our underlying services powering Agentforce will enforce the Trusted URL allowlist to ensure no malicious links are called or generated through potential prompt injection,” the company said in an alert issued earlier this month. “This provides a crucial defense-in-depth control against sensitive data escaping customer systems via external requests after a successful prompt injection.” Besides applying Salesforce’s recommended actions to enforce Trusted URLs, users are recommended to audit existing lead data for suspicious submissions containing unusual instructions, implement strict input validation to detect possible prompt injection, and sanitize data from untrusted sources. “The ForcedLeak vulnerability highlights the importance of proactive AI security and governance,” Levi said. “It serves as a strong reminder that even a low-cost discovery can prevent millions in potential breach damages.” In a statement shared with The Hacker News, Itay Ravia, head of Aim Labs, described ForcedLeak as a variant of the EchoLeak attack, but one that’s specifically geared towards Salesforce.
“When Aim Labs disclosed EchoLeak (CVE-2025-32711), the first zero-click AI vulnerability enabling data exfiltration, we said that this class of vulnerability was not isolated to Microsoft,” Ravia said. “In our investigations it has become quite clear that many other agent platforms are also susceptible. ForcedLeak is a subset of these same EchoLeak primitives. These vulnerabilities are endemic to RAG-based agents and we will see more of them in popular agents due to poor understanding of dependencies and the need for guardrails.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers
The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. Slovak cybersecurity firm ESET, which is tracking the activity under the name DeceptiveDevelopment, said the campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. It’s also referred to as DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi. “DeceptiveDevelopment’s toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET,” ESET researchers Peter Kálnai and Matěj Havránek said in a report shared with The Hacker News.
The campaign essentially involves the impersonated recruiters offering what appear to be lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. After initial outreach, should the prospective target express interest in the opportunity, they are either asked to complete a video assessment by clicking on a link or a coding exercise. The programming assignment requires them to clone projects hosted on GitHub, which silently install malware. On the other hand, websites explicitly set up for undertaking the so-called video assessment display non-existent errors related to camera or microphone access being blocked, and urge them to follow ClickFix-style instructions to rectify the problem by either launching the command prompt or the Terminal app, depending on the operating system used.
Irrespective of the method employed, the attacks have been generally found to deliver several pieces of malware such as BeaverTail, InvisibleFerret , OtterCookie , GolangGhost (aka FlexibleFerret or WeaselStore), and PylangGhost . “WeaselStore’s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets,” ESET said. “Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&C [command-and-control] server, serving as a RAT capable of executing various commands.” Also deployed as part of these infection sequences are TsunamiKit and Tropidoor , the first of which is a malware toolkit delivered by InvisibleFerret and is designed for information and cryptocurrency theft. The use of TsunamiKit was first discovered in November 2024.
The toolkit comprises several components, the starting point being the initial stage TsunamiLoader that triggers the execution of an injector (TsunamiInjector), which, in turn, drops TsunamiInstaller and TsunamiHardener. While TsunamiInstaller acts as a dropper for TsunamiClientInstaller, which then downloads and executes TsunamiClient, TsunamiHardener is responsible for setting up persistence for TsunamiClient, as well as configuring Microsoft Defender exclusions. TsunamiClient is the core module that incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. It’s believed that TsunamiKit is likely a modification of a dark web project rather than a native creation of the threat actor, given that samples related to the toolkit have been uncovered dating back to December 2021, predating the onset of Contagious Interview, which is believed to have commenced sometime in late 2022.
The BeaverTail stealer and downloader has also been found to act as a distribution vehicle for another malware known as Tropidoor that, according to ASEC, overlaps with a Lazarus Group tool called LightlessCan . ESET said it found evidence of Tropidoor artifacts uploaded to VirusTotal from Kenya, Colombia, and Canada, adding the malware also shares “large portions of code” with PostNapTea , a malware used by the threat actor against South Korean targets in 2022. PostNapTea supports commands for configuration updates, file manipulation and screen capturing, file system management, process management, and running custom versions of Windows commands like whoami, netstat, tracert, lookup, ipconfig, and systeminfo, among others, for improved stealth – a feature also present in LightlessCan. “Tropidoor is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella,” ESET said.
Execution chain of WeaselStore The latest addition to the threat actor’s arsenal is a remote access trojan dubbed AkdoorTea that’s delivered by means of a Windows batch script. The script downloads a ZIP file (“nvidiaRelease.zip”) and executes a Visual Basic Script present in it, which then proceeds to launch BeaverTail and AkdoorTea payloads also contained in the archive. It’s worth pointing out that the campaign has leveraged NVIDIA-themed driver updates in the past as part of ClickFix attacks to address supposed camera or microphone issues when providing the video assessments, indicating that this approach is being used to propagate AkdoorTea. AkdoorTea gets its name from the fact that it shares commonalities with Akdoor , which is described as a variant of the NukeSped (aka Manuscrypt ) implant – further reinforcing Contagious Interview’s connections to the larger Lazarus Group umbrella .
“DeceptiveDevelopment’s TTPs illustrate a more distributed, volume-driven model of its operations. Despite often lacking technical sophistication, the group compensates through scale and creative social engineering,” ESET said. “Its campaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web projects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human vulnerabilities through fake job offers and interview platforms.” Contagious Interview doesn’t operate in silo, as it has been also found to share some level of overlaps with Pyongyang’s fraudulent IT worker scheme (aka WageMole), with Zscaler noting that the intelligence gleaned from the former is used by North Korean actors to secure jobs at those companies using stolen identities and fabricating synthetic personas . The IT worker threat is believed to have been ongoing since 2017 .
Connection between Contagious Interview and WageMole Cybersecurity company Trellix, in a report published this week, said it uncovered an instance of a North Korean IT worker employment fraud targeting a U.S. healthcare company, where an individual using the name “Kyle Lankford” applied for a Principal Software Engineer position. While the job applicant did not raise any red flags during the early stages of the hiring process, Trellix said it was able to correlate their email addresses with known North Korea IT worker indicators. Further analysis of the email exchanges and background checks identified the candidate as a likely North Korean operative, it added.
“The activities of North Korean IT workers constitute a hybrid threat,” ESET noted. “This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or e-crime).” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CTEM’s Core: Prioritization and Validation
Despite a coordinated investment of time, effort, planning, and resources, even the most up-to-date cybersecurity systems continue to fail. Every day. Why? It’s not because security teams can’t see enough.
Quite the contrary. Every security tool spits out thousands of findings. Patch this. Block that.
Investigate this. It’s a tsunami of red dots that not even the most crackerjack team on earth could ever clear. And here’s the other uncomfortable truth: Most of it doesn’t matte r. Fixing everything is impossible.
Trying to is a fool’s errand. Smart teams aren’t wasting precious time running down meaningless alerts. They understand that the hidden key to protecting their organization is knowing which exposures are actually putting the business at risk. That’s why Gartner introduced the concept of Continuous Threat Exposure Management and put prioritization and validation at the heart of it.
It’s not about more dashboards or prettier charts. It’s about narrowing focus and taking the fight to the handful of exposures that actually matter and proving your defenses will actually hold up when and where they really need to. The Problem with Traditional Vulnerability Management Vulnerability management was built on a simple premise: Find every weakness, rank it, then patch it. On paper, it sounds logical and systematic.
And there was a time when it made perfect sense. Today, however, facing an unprecedented and constant barrage of threats, it’s a treadmill not even the fittest team can keep up with. Each year, over 40,000 Common Vulnerabilities and Exposures (CVEs) hit the wire. Scoring systems like CVSS and EPSS dutifully stamp 61% of them as “critical.” That’s not prioritization, it’s panic at scale.
These labels don’t care if the bug is buried behind three layers of authentication, blocked by existing controls, or practically unexploitable in your specific environment. As far as they’re concerned, a threat is a threat. Figure 1: Projected Vulnerability Volume So teams grind themselves down chasing ghosts. They burn cycles on vulnerabilities that will never be used in an attack, while a handful of the ones that do matter slip through, unnoticed.
It’s security theater masquerading as risk reduction. In reality, the actual risk scenario looks very different. Once you factor in existing security controls, only around 10% of real world vulnerabilities are truly critical. Which means that 84% of so-called “critical” alerts amount to false urgency , again draining time, budget, and focus that could, and should, be spent on real threats.
Enter Continuous Threat Exposure Management (CTEM) Continuous Threat Exposure Management (CTEM) was developed to end the never-ending treadmill. Instead of drowning teams in theoretical “critical” findings, it replaces volume with clarity through two essential steps . Prioritization ranks exposures by real business impact, not abstract severity scores. Validation pressure-tests those prioritized exposures against your specific environment, uncovering which ones attackers can actually exploit.
One without the other fails. Prioritization alone is just educated guesswork. Validation alone wastes cycles on hypotheticals and the wrong issues. But together they convert assumptions into evidence and endless lists into focused, realistic action.
Figure 2: CTEM in Action And the scope goes far beyond CVEs. As Gartner predicts , by 2028, more than half of exposures will stem from nontechnical weaknesses like misconfigured SaaS apps, leaked credentials, and human error. Happily, CTEM addresses this head-on, applying the same disciplined prioritize-then-validate action chain across every kind of exposure. That’s why CTEM isn’t just a framework.
It’s a necessary evolution from chasing alerts to proving risk , and from fixing everything to fixing what matters most . Automating Validation with Adversarial Exposure Validation (AEV) Technologies CTEM demands validation, but validation requires finesse and adversarial context, which Adversarial Exposure Validation (AEV) technologies deliver. They help further cut through inflated “priority” lists and prove in practice which exposures will actually open the door to attackers. Two technologies drive this automation: Breach and Attack Simulation (BAS) continuously and safely simulates and emulates adversarial techniques like ransomware payloads, lateral movement, and data exfiltration to verify whether your specific security controls will actually stop what they’re supposed to.
It’s not a one-time exercise but an ongoing practice, with scenarios mapped to the MITRE ATT&CK Ⓡ threat framework for relevance, consistency and coverage. Automated Penetration Testing goes further by chaining vulnerabilities and misconfigurations the way real attackers do. It excels at exposing and exploiting complex attack paths that include Kerberoasting in Active Directory or privilege escalation through mismanaged identity systems. Instead of relying on an annual pentest, Automated Pentesting lets teams run meaningful tests on demand, as often as needed.
Figure 3: BAS and Automated Penetration Testing Use Cases Together, BAS and Automated Pentesting provide your teams with the attacker’s perspective at scale. They reveal not just the threats that look dangerous, but what’s actually exploitable, detectable, and defendable in your environment. This shift is critical for dynamic infrastructures where endpoints spin up and down daily, credentials can leak across SaaS apps, and configurations change with every sprint. In today’s increasingly dynamic environments, static assessments can’t help but fall behind.
BAS and Automated Pentesting keep the validation continuous, turning exposure management from theoretical into real-world proof. A Real-Life Case: Adversarial Exposure Validation (AEV) in Action Take Log4j as an example. When it first surfaced, every scanner lit up red. CVSS scores gave it a 10.0 (Critical), EPSS models flagged high exploit probability, and asset inventories showed it was scattered across environments.
Traditional methods left security teams with a flat picture, instructing them to treat every instance as equally urgent. The result? Resources quickly spread thin, wasting time chasing duplicates of the same problem. Adversarial Exposure Validation changes the narrative .
By validating in context, teams quickly see that not every Log4j instance is a crisis. One system might already have effective WAF rules, compensating controls, or segmentation that drops its risk score from a 10.0 to a 5.2 . That reprioritization shifts it from “drop everything now” with klaxons blaring, to “patch as part of normal cycles”. Meanwhile, Adversarial Exposure Validation can also reveal the opposite scenario: a seemingly low-priority misconfiguration in a SaaS app could chain directly to sensitive data exfiltration, elevating it from “medium” to “urgent.” Figure 4: Validating the Log4j Vulnerability to its True Risk Score Adversarial Exposure Validation delivers real value to your security teams by measuring: Control effectiveness: Proving if an exploit attempt is blocked, logged, or ignored.
Detection and response: Showing whether SOC teams are seeing the activity and IR teams are containing it fast enough. Operational readiness: Exposing weak links in workflows, escalation paths, and containment procedures. In practice, Adversarial Exposure Validation transforms Log4j, or any other vulnerability, from a generic “critical everywhere” all hands on deck nightmare into a precise risk map. It tells CISOs and security teams not just what’s out there, but which threats that are out there actually matter for their environment today.
The Future of Validation: The Picus BAS Summit 2025 Continuous Threat Exposure Management (CTEM) provides a much-needed clarity that comes from two engines working together: prioritization to focus effort, and validation to prove what matters. Adversarial Exposure Validation (AEV) technologies help bring this vision to life. By combining Breach and Attack Simulation (BAS) and Automated Penetration Testing, they’re able to show security teams the attacker’s perspective at scale, surfacing not just what could happen, but what will happen if existing gaps go unaddressed. To see Adversarial Exposure Validation (AEV) technologies in action, join Picus Security, SANS, Hacker Valley, and other prominent security leaders at The Picus BAS Summit 2025: Redefining Attack Simulation through AI .
This virtual summit will showcase how BAS and AI are shaping the future of security validation, with insights from analysts, practitioners, and innovators driving the field forward. [ Secure your spot today ] Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.