Author: Mark

  • MSS Claims NSA Used 42 Cyber Tools in Multi-Stage Attack on Beijing Time Systems

    Oct 20, 2025Ravie LakshmananCyber Espionage / National Security

    China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a “premeditated” cyber attack targeting the National Time Service Center (NTSC), as it described the U.S. as a “hacker empire” and the “greatest source of chaos in cyberspace.”

    The Ministry of State Security (MSS), in a WeChat post, said it uncovered “irrefutable evidence” of the agency’s involvement in the intrusion that dated back to March 25, 2022. The attack was ultimately foiled, it added.

    Established in 1966 under the jurisdiction of the Chinese Academy of Sciences (CAS), NTSC is responsible for generating, maintaining, and transmitting the national standard of time (Beijing Time).

    “Any cyberattack damaging these facilities would jeopardize the secure and stable operation of ‘Beijing Time,’ triggering severe consequences such as network communication failures, financial system disruptions, power supply interruptions, transportation paralysis, and space launch failures,” the MSS said.

    “This operation thwarted U.S. attempts to steal secrets and conduct sabotage through cyberattacks, fully safeguarding the security of ‘Beijing Time.’”

    According to details shared in the WeChat post, the NSA is said to have exploited security flaws in an unnamed foreign brand’s SMS service to stealthily compromise mobile devices belonging to several staff members at NTSC, resulting in the theft of sensitive data. It did not disclose the nature of the vulnerabilities used to conduct the attack.

    The MSS claimed that, on April 18 of the following year, the agency used stolen login credentials to repeatedly break into computers at the center and probe its infrastructure, and that it then deployed a new “cyber warfare platform” between August 2023 and June 2024.

    The platform activated what it described as 42 specialized tools to mount high-intensity attacks aimed at multiple internal network systems of NTSC. The attacks also involved attempts to conduct lateral movement to a high-precision ground-based timing system with the alleged goal of disrupting it.

    The attacks, launched between late night and early morning Beijing time, involved the use of virtual private servers (VPSes) based in the U.S., Europe, and Asia to route malicious traffic and conceal its origins.

    “They employed tactics such as forging digital certificates to bypass antivirus software and employed high-strength encryption algorithms to thoroughly erase attack traces, leaving no stone unturned in their efforts to carry out cyberattacks and infiltration activities,” the MSS said.

    The ministry said China’s national security agencies neutralized the attack and implemented additional security measures. It also accused the U.S. of launching persistent cyber attacks against China, Southeast Asia, Europe, and South America, adding that it leverages technological footholds in the Philippines, Japan, and China’s Taiwan Province to launch these activities and obscure its own involvement.

    “Simultaneously, the U.S. has resorted to crying wolf, repeatedly hyping the ‘China cyber threat theory,’ coercing other countries to amplify so-called ‘Chinese hacking incidents,’ sanctioning Chinese enterprises, and prosecuting Chinese citizens – all in a futile attempt to confuse the public and distort the truth,” it alleged.


    Source: thehackernews.com…

  • Europol Dismantles SIM Farm Network Powering 49 Million Fake Accounts Worldwide

    Oct 19, 2025Ravie LakshmananSIM Swapping / Cryptocurrency

    Europol on Friday announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm and enabled its customers to carry out a broad spectrum of crimes ranging from phishing to investment fraud.

    The coordinated law enforcement effort, dubbed Operation SIMCARTEL, saw 26 searches carried out, resulting in the arrest of seven suspects and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards. Five of those detained are Latvian nationals.

    In addition, five servers were dismantled and two websites (gogetsms[.]com and apisim[.]com) advertising the service were taken over on October 10, 2025, to display a seizure banner. Separately, four luxury vehicles were confiscated, and €431,000 ($502,000) in the suspects’ bank accounts and €266,000 ($310,000) in their cryptocurrency accounts were frozen.

    The countries that participated in the operation comprised authorities from Austria, Estonia, Finland, and Latvia, in collaboration with Europol and Eurojust.

    According to Europol, the criminal network has been linked to more than 1,700 individual cyber fraud cases in Austria and 1,500 in Latvia, with losses totaling around €4.5 million ($5.25 million) and €420,000 ($489,000) in the two countries, respectively.

    “The criminal network and its infrastructure were technically highly sophisticated and enabled perpetrators around the world to use this SIM-box service to conduct a wide range of telecommunications-related cybercrimes, as well as other crimes,” the agency said.

    The infrastructure offered telephone numbers registered to people from over 80 countries for use in criminal activities, including setting up fake accounts on social media and communication platforms with the primary goal of obscuring their original identity and location. In all, the service enabled the creation of more than 49 million online accounts.

    These accounts were then used to conduct phishing and smishing attacks and to carry out financial fraud by tricking victims into investing their funds in bogus trading schemes. Another scheme involved contacting victims on WhatsApp while posing as their daughter or son, claiming to have a new number and asking for a four-figure transfer to cover an emergency.

    Some of the other offenses that were made possible via the platform included extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM).

    According to snapshots captured on the Internet Archive, GoGetSMS was marketed as a way to get “fast and secure temporary phone numbers,” with more than 10 million numbers available and the ability to receive verification codes from over 160 online services.

    On its website, GoGetSMS also offered the ability to monetize existing SIM cards by turning them into “powerful assets for generating passive income” using its “specialized software,” allowing card owners to earn revenue for every SMS message sent to them.

    On review website Trustpilot, paid users have complained of facing issues getting hold of a temporary number through GoGetSMS, with one user claiming that they paid for a U.S. number on the platform and did not get a working number in return. “Tried multiple times, wasted both time and money. Support is completely unresponsive – no help, no refund, nothing,” the user added.

    The Latvian State Police, in a coordinated announcement, said the platform was designed for anonymous communication and payments, impacting 3,200 people in various countries.


    Source: thehackernews.com…

  • New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs

    Oct 18, 2025Ravie LakshmananThreat Intelligence / Cybercrime

    Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor.

    According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company’s analysis is based on the ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025.

    Present with the archive is a decoy Russian-language document that purports to be a notification related to income tax legislation and a Windows shortcut (LNK) file.

    The LNK file, which has the same name as the ZIP archive (i.e., “Перерасчет заработной платы 01.10.2025”), is responsible for the execution of the .NET implant (“adobe.dll”) using a legitimate Microsoft binary named “rundll32.exe,” a living-off-the-land (LotL) technique known to be adopted by threat actors.

    The backdoor, Seqrite noted, comes with functions to check if it’s running with administrator-level privileges, gather a list of installed antivirus products, and open the decoy document as a ruse, while it stealthily connects to a remote server (“91.223.75[.]96”) to receive further commands for execution.

    The commands allow CAPI Backdoor to steal data from web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox; take screenshots; collect system information; enumerate folder contents; and exfiltrate the results back to the server.

    It also runs a long list of checks to determine whether it is on a real host or inside a virtual machine, and uses two methods to establish persistence: creating a scheduled task, and dropping a LNK file in the Windows Startup folder that launches a copy of the backdoor DLL placed in the user’s AppData\Roaming folder.

    Seqrite’s assessment that the threat actor is targeting the Russian automobile sector is down to the fact that one of the domains linked to the campaign is named carprlce[.]ru, which appears to impersonate the legitimate “carprice[.]ru.”

    “The malicious payload is a .NET DLL that functions as a stealer and establishes persistence for future malicious activities,” researchers Priya Patel and Subhajeet Singha said.


    Source: thehackernews.com…

  • Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT

    The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).

    “The campaign relied on phishing emails with PDFs that contained embedded malicious links,” Pei Han Liao, researcher with Fortinet’s FortiGuard Labs, said in a report shared with The Hacker News. “These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0.”

    Winos 4.0 is a malware family that’s often spread via phishing and search engine optimization (SEO) poisoning, directing unsuspecting users to fake websites masquerading as popular software like Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek, among others.

    The use of Winos 4.0 is primarily linked to an “aggressive” Chinese cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.

    Last month, Check Point attributed to the threat actor a Bring Your Own Vulnerable Driver (BYOVD) attack that abused a previously unknown vulnerable driver associated with WatchDog Anti-malware to disable security software installed on compromised hosts.

    Then weeks later, Fortinet shed light on another campaign that took place in August 2025, leveraging SEO poisoning to distribute HiddenGh0st and modules associated with the Winos malware.

    Silver Fox’s targeting of Taiwan and Japan with HoldingHands RAT was also documented by the cybersecurity company and a security researcher named somedieyoungZZ back in June, with the attackers employing phishing emails containing booby-trapped PDF documents to activate a multi-stage infection that ultimately deploys the trojan.

    It’s worth noting at this stage that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware referred to as Gh0st RAT, which had its source code leaked in 2008 and has since been widely adopted by various Chinese hacking groups.

    Fortinet said it identified PDF documents posing as a tax regulation draft for Taiwan that included a URL to a Japanese language web page (“twsww[.]xin/download[.]html”), from where victims are prompted to download a ZIP archive responsible for delivering HoldingHands RAT.

    Further investigation has uncovered attacks targeting China that have utilized taxation-themed Microsoft Excel documents as lures, some dating back to March 2024, to distribute Winos. Recent phishing campaigns, however, have shifted their focus to Malaysia, using fake landing pages to deceive recipients into downloading HoldingHands RAT.

    The starting point is an executable claiming to be an excise audit document. It’s used to sideload a malicious DLL, which functions as a shellcode loader for “sw.dat,” a payload that’s designed to run anti-virtual machine (VM) checks, enumerate active processes against a list of security products from Avast, Norton, and Kaspersky, and terminate them if found, escalate privileges, and terminate the Task Scheduler.

    It also drops several other files in the system’s C:\Windows\System32 folder –

    • svchost.ini, which contains the Relative Virtual Address (RVA) of VirtualAlloc function
    • TimeBrokerClient.dll, the malicious loader DLL, alongside BrokerClientCallback.dll, which is the legitimate TimeBrokerClient.dll renamed
    • msvchost.dat, which contains the encrypted shellcode
    • system.dat, which contains the encrypted payload
    • wkscli.dll, an unused DLL

    “The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run,” Fortinet said. “The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails by default.”

    “When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.”

    The primary function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode within “msvchost.dat” by invoking the VirtualAlloc() function using the RVA value specified in “svchost.ini.” In the next stage, “msvchost.dat” decrypts the payload stored in “system.dat” to retrieve the HoldingHands payload.

    HoldingHands is equipped to connect to a remote server, send host information to it, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process attacker-issued commands on the infected system. These commands allow the malware to capture sensitive information, run arbitrary commands, and download additional payloads.

    A newly added command makes it possible to update the command-and-control (C2) address used for communications via a Windows Registry entry.

    Operation Silk Lure Targets China with ValleyRAT

    The development comes as Seqrite Labs detailed an ongoing email-based phishing campaign that has leveraged C2 infrastructure hosted in the U.S., targeting Chinese companies in the fintech, cryptocurrency, and trading platform sectors to ultimately deliver Winos 4.0. The campaign has been codenamed Operation Silk Lure, owing to its China-related footprint.

    “The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” researchers Dixit Panchal, Soumen Burma, and Kartik Jivani said.

    “These emails often contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”

    The LNK file, when launched, runs PowerShell code that downloads a decoy PDF résumé while stealthily dropping three additional payloads to “C:\Users\<user>\AppData\Roaming\Security” and executing them. The PDF résumés are localized and tailored for Chinese targets to increase the likelihood that the social engineering succeeds.

    The payloads dropped are as follows –

    • CreateHiddenTask.vbs, which creates a scheduled task to launch “keytool.exe” every day at 8:00 a.m.
    • keytool.exe, which uses DLL side-loading to load jli.dll
    • jli.dll, a malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe
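The three infection chains above leave the same handful of host-observable traces: CAPI Backdoor’s rundll32.exe launch of a DLL from a user-writable path and its scheduled-task and Startup-folder persistence, HoldingHands’ replaced TimeBrokerClient.dll being loaded by svchost.exe out of System32, and Silk Lure’s keytool.exe side-loading jli.dll plus the task created from CreateHiddenTask.vbs. The following Python is an added example written for this page, not code from Seqrite or Fortinet: it runs simple hunting rules over a few Sysmon-style events (process creation, image load with signature status, file creation). The field names follow Sysmon’s, but the events themselves are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Paths an ordinary user can write to; a DLL handed to rundll32.exe or side-loaded from here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"

@dataclass
class Finding:
    rule: str
    detail: str

def lower(s):
    return (s or "").lower()

def base(path):
    return ntpath.basename(lower(path))

def in_user_writable(path):
    return any(d in lower(path) for d in USER_WRITABLE)

def in_system_dir(path):
    return lower(path).startswith(SYSTEM_DIRS)

def rule_rundll32_user_dll(ev):
    # CAPI Backdoor: the LNK runs rundll32.exe on adobe.dll from wherever the ZIP was unpacked.
    if ev["EventType"] == "ProcessCreate" and base(ev["Image"]) == "rundll32.exe" \
            and in_user_writable(ev.get("CommandLine")):
        return Finding("rundll32-dll-from-user-writable-path", ev["CommandLine"])

def rule_task_persistence(ev):
    # CAPI Backdoor and Silk Lure both persist through a scheduled task. Silk Lure creates it from
    # CreateHiddenTask.vbs, which can use the Schedule.Service COM object without ever spawning
    # schtasks.exe, so a .vbs run by a script host from a user-writable path is the signal there.
    if ev["EventType"] != "ProcessCreate":
        return None
    img, cmd = base(ev["Image"]), lower(ev.get("CommandLine"))
    if img == "schtasks.exe" and "/create" in cmd:
        return Finding("schtasks-create", ev["CommandLine"])
    if img in ("wscript.exe", "cscript.exe") and ".vbs" in cmd and in_user_writable(cmd):
        return Finding("script-host-vbs-from-user-writable-path", ev["CommandLine"])

def rule_svchost_unsigned_system32_dll(ev):
    # HoldingHands: after the Task Scheduler service restarts, svchost.exe loads the replaced
    # TimeBrokerClient.dll from System32. A genuine Windows DLL there carries a Microsoft signature.
    if ev["EventType"] == "ImageLoad" and base(ev["Image"]) == "svchost.exe" \
            and lower(ev["ImageLoaded"]).startswith("c:\\windows\\system32\\") \
            and not (ev.get("Signed") and "microsoft" in lower(ev.get("Signature"))):
        return Finding("svchost-loaded-non-microsoft-dll-from-system32", ev["ImageLoaded"])

def rule_dll_sideload(ev):
    # Silk Lure: keytool.exe loads jli.dll from its own user-writable directory. The generic pattern
    # is a non-system executable loading an unsigned DLL that sits beside it.
    if ev["EventType"] != "ImageLoad" or ev.get("Signed"):
        return None
    exe_dir = ntpath.dirname(lower(ev["Image"]))
    dll_dir = ntpath.dirname(lower(ev["ImageLoaded"]))
    if exe_dir == dll_dir and not in_system_dir(ev["Image"]) and in_user_writable(ev["Image"]):
        return Finding("unsigned-dll-sideload", f'{ev["Image"]} -> {ev["ImageLoaded"]}')

def rule_startup_lnk(ev):
    # CAPI Backdoor's second persistence mechanism: a shortcut dropped into the Startup folder.
    if ev["EventType"] == "FileCreate" and STARTUP_MARK in lower(ev["TargetFilename"]) \
            and lower(ev["TargetFilename"]).endswith(".lnk"):
        return Finding("startup-folder-lnk", ev["TargetFilename"])

RULES = (rule_rundll32_user_dll, rule_task_persistence, rule_svchost_unsigned_system32_dll,
         rule_dll_sideload, rule_startup_lnk)

def hunt(events):
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for r in RULES if (f := r(ev))]

# Constructed sample events (Sysmon-style field names; the contents are invented for this example).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\ivan\\Downloads\\Перерасчет\\adobe.dll",Entry'},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},   # benign
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\ivan\\AppData\\Roaming\\Security\\CreateHiddenTask.vbs"'},
    {"EventType": "ImageLoad", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\TimeBrokerClient.dll", "Signed": False, "Signature": ""},
    {"EventType": "ImageLoad", "Image": "C:\\Windows\\System32\\svchost.exe",              # benign
     "ImageLoaded": "C:\\Windows\\System32\\TimeBrokerClient.dll", "Signed": True,
     "Signature": "Microsoft Windows"},
    {"EventType": "ImageLoad", "Image": "C:\\Users\\ivan\\AppData\\Roaming\\Security\\keytool.exe",
     "ImageLoaded": "C:\\Users\\ivan\\AppData\\Roaming\\Security\\jli.dll", "Signed": False, "Signature": ""},
    {"EventType": "FileCreate",
     "TargetFilename": "C:\\Users\\ivan\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The two benign events (rundll32.exe with a System32 DLL, and svchost.exe loading the Microsoft-signed TimeBrokerClient.dll) produce no findings; the other five each trip exactly one rule. In a real deployment the signature fields would come from Sysmon event ID 7, and the System32 rule in particular is only as good as the signer check behind it.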

    “The deployed malware establishes persistence within the compromised system and initiates various reconnaissance operations,” the researchers said. “These include capturing screenshots, harvesting clipboard contents, and exfiltrating critical system metadata.”

    The trojan also comes with various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, or 360 Total Security to interfere with their regular functions.

    “This exfiltrated information significantly elevates the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing a serious threat to both organizational infrastructure and individual privacy,” the researchers added.


    Source: thehackernews.com…

  • North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware

    The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset.

    That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots.

    The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

    The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups.

    Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.

    In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.

    BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial interactions of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.

    The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. Talos assesses that the company was not deliberately targeted; rather, one of its systems was infected, likely after a user fell for a fake job offer that instructed them to install a trojanized Node.js application called Chessfi, hosted on Bitbucket, as part of the interview process.

    Interestingly, the malicious software includes a dependency via a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads, before it was taken down by the npm maintainers six days later.

    It’s also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign.

    The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript (“file15.js”) responsible for executing the final-stage malware.
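The install-time hook is the part of this chain a dependency reviewer can check before anything runs. The following Python is an added example, not Talos’ tooling or the real package’s manifest: it reads a package.json, lists every lifecycle script npm runs automatically during installation, follows `npm run <name>` indirection (the “postinstall” to “skip” to index.js pattern described above) down to the command that actually executes, and separates interpreter launches from the native-build helpers that are the usual legitimate reason for an install hook. The two manifests are constructed to mirror the described behaviour.

```python
import json
import re
import shlex
from dataclasses import dataclass

# Lifecycle scripts npm runs automatically when a package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# `npm run <name>` / `npm run-script <name>` indirection, as used by node-nvm-ssh ("postinstall" -> "skip").
NPM_RUN = re.compile(r"^npm\s+run(?:-script)?\s+([^\s&|;]+)\s*$")
# Programs that execute arbitrary code at install time, versus the native-build helpers that are the
# usual legitimate reason for an install hook.
INTERPRETERS = {"node", "sh", "bash", "python", "python3", "curl", "wget", "powershell", "pwsh"}
BUILD_HELPERS = {"node-gyp", "node-gyp-build", "prebuild-install", "node-pre-gyp"}

@dataclass
class HookReport:
    hook: str
    raw: str        # the script exactly as declared
    resolved: str   # the command that finally runs after following `npm run` indirection
    verdict: str    # "exec", "build" or "other"

def resolve_script(scripts, command, max_depth=8):
    """Follow `npm run <name>` chains; returns every step so the report can show the indirection.
    max_depth bounds the walk so a self-referencing script cannot loop forever."""
    chain = [command.strip()]
    while len(chain) <= max_depth:
        m = NPM_RUN.match(chain[-1])
        if not m or m.group(1) not in scripts:
            break
        chain.append(scripts[m.group(1)].strip())
    return chain

def classify(command):
    try:
        argv = shlex.split(command)
    except ValueError:           # unbalanced quotes etc.: report as unknown rather than crash
        return "other"
    if not argv:
        return "other"
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in BUILD_HELPERS:
        return "build"
    if prog in INTERPRETERS:
        return "exec"
    return "other"

def audit_package_json(text):
    """Report every install-time hook in a package.json, with its resolved command and a verdict."""
    scripts = json.loads(text).get("scripts") or {}
    reports = []
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            chain = resolve_script(scripts, scripts[hook])
            reports.append(HookReport(hook, scripts[hook], chain[-1], classify(chain[-1])))
    return reports

# Constructed manifests. The first mirrors the behaviour the Talos write-up describes for node-nvm-ssh
# (postinstall -> custom "skip" script -> index.js); it is not the package's actual file.
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "node-nvm-ssh", "version": "1.0.0",
    "scripts": {"postinstall": "npm run skip", "skip": "node index.js", "test": "echo ok"},
})
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "some-native-addon", "version": "2.3.1",
    "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
})

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_PACKAGE_JSON), ("benign", BENIGN_PACKAGE_JSON)):
        for r in audit_package_json(manifest):
            print(f"{label}: {r.hook}: {r.raw!r} -> {r.resolved!r} [{r.verdict}]")
```

A package whose install hook resolves to a plain `node <file>` is not automatically malicious, but it deserves a look at that file before installing. Until then, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) keeps every lifecycle script, including this one, from running; native addons that need their build hook can be rebuilt explicitly afterwards.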

    Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.

    At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution.

    Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret.

    Some of the other modules present in OtterCookie are listed below –

    • Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
    • File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
    • Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)

    Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.

    “The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.


    Source: thehackernews.com…

  • Identity Security: Your First and Last Line of Defense

    Oct 17, 2025The Hacker NewsArtificial Intelligence / Identity Security

    The danger isn’t that AI agents have bad days — it’s that they never do. They execute faithfully, even when what they’re executing is a mistake. A single misstep in logic or access can turn flawless automation into a flawless catastrophe.

    This isn’t some dystopian fantasy—it’s Tuesday at the office now. We’ve entered a new phase where autonomous AI agents act with serious system privileges. They execute code, handle complex tasks, and access sensitive data with unprecedented autonomy. They don’t sleep, don’t ask questions, and don’t always wait for permission.

    That’s powerful. That’s also risky. Because today’s enterprise threats go way beyond your garden-variety phishing scams and malware. The modern security perimeter? It’s all about identity management. Here’s the million-dollar question every CISO should be asking: Who or what has access to your critical systems, can you secure and govern that access, and can you actually prove it?

    How identity became the new security perimeter

    Remember those old-school security models built around firewalls and endpoint protection? They served their purpose once — but they weren’t designed for the distributed, identity-driven threats we face today. Identity has become the central control point, weaving complex connections between users, systems, and data repositories. The 2025-2026 SailPoint Horizons of Identity Security report shows that identity management has evolved from a back-office control to mission-critical for the modern enterprise.

    The explosion of AI agents, automated systems, and non-human identities has dramatically expanded our attack surfaces. These entities are now prime attack vectors. Here’s a sobering reality check: Fewer than 4 in 10 AI agents are governed by identity security policies, leaving a significant gap in enterprise security frameworks. Organizations without comprehensive identity visibility? They’re not just vulnerable—they’re sitting ducks.

    The strategic goldmine of mature identity security

    But here’s where it gets interesting. Despite these mounting challenges, there’s a massive opportunity for organizations that get identity security right. The Horizons of Identity Security report reveals something fascinating: Organizations consistently achieve their highest ROI from identity security programs compared to every other security domain. They rank Identity and Access Management as their top-ROI security investment at twice the rate of other security categories.

    Why? Because mature identity security pulls double duty—it prevents breaches while driving operational efficiency and enabling new business capabilities. Organizations with mature identity programs, especially those using AI-driven capabilities and real-time identity data sync, show dramatically better cost savings and risk reduction. Mature organizations are four times more likely to have AI-enabled capabilities like Identity Threat Detection and Response.

    The great identity divide

    Here’s where things get concerning: There’s a growing chasm between organizations with mature identity programs and those still playing catch-up. The Horizons of Identity Security report shows that 63% of organizations are stuck in early-stage identity security maturity (Horizons 1 or 2). These organizations aren’t just missing out—they are facing more risk against modern threats.

    This gap keeps widening because the bar keeps rising. The 2025 framework added seven new capability requirements to address emerging threat vectors. Organizations that aren’t advancing their identity capabilities aren’t just standing still—they’re effectively moving backward. Organizations experiencing capability regression show significantly lower adoption rates for AI agent identity management.

    This challenge goes beyond just technology. Only 25% of organizations position IAM as a strategic business enabler—the rest see it as just another security checkbox or compliance requirement. This narrow view severely limits transformative potential and keeps organizations vulnerable to sophisticated attacks.

    Time for a reality check

    The threat landscape is evolving at breakneck speed, with unprecedented risk levels across all sectors. Identity security has evolved from just another security component into the core of enterprise security. Organizations need to honestly assess their readiness for managing extensive AI agent deployments and automated system access.

    A proactive assessment of your current identity security posture provides critical insight into organizational readiness and competitive positioning.

    Ready to dive deeper? Get the full analysis and strategic recommendations in the 2025-2026 SailPoint Horizons of Identity Security report.


    Source: thehackernews.com…

  • Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices

    Oct 17, 2025Ravie LakshmananVulnerability / VPN Security

    Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.

    The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

    “An out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code,” WatchGuard said in an advisory released last month. “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.”

    It has been addressed in the following versions –

    • 2025.1 – Fixed in 2025.1.1
    • 12.x – Fixed in 12.11.4
    • 12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update3 (B722811)
    • 12.5.x (T15 & T35 models) – Fixed in 12.5.13
    • 11.x – Reached end-of-life

    A new analysis from watchTowr Labs has described CVE-2025-9242 as “all the characteristics your friendly neighbourhood ransomware gangs love to see,” including the fact that it affects an internet-exposed service, is exploitable sans authentication, and can execute arbitrary code on a perimeter appliance.

    The vulnerability, per security researcher McCaulay Hudson, is rooted in the function “ike2_ProcessPayload_CERT” present in the file “src/ike/iked/v2/ike2_payload_cert.c” that’s designed to copy a client “identification” to a local stack buffer of 520 bytes, and then validate the provided client SSL certificate.

    The issue arises as a result of a missing length check on the identification buffer, thereby allowing an attacker to trigger an overflow and achieve remote code execution during the IKE_SA_AUTH phase of the handshake process used to establish a virtual private network (VPN) tunnel between a client and WatchGuard’s VPN service via the IKE key management protocol.

    “The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” Hudson said.
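The defect is an ordering problem as much as a missing check: the bound on the identification has to be enforced before the fixed-size copy, and the copy happens before the certificate is ever validated, which is what makes the path pre-authentication. The following Python is an added illustration written for this page, not WatchGuard’s iked code and not watchTowr’s exploit. It parses a constructed IKEv2 payload chain (generic payload header, IDi and CERT payloads as laid out in RFC 7296) and its process_cert() refuses any identification longer than the 520-byte buffer before copying it and before calling certificate validation. The payload type numbers are the RFC’s and the 520-byte size is the one cited above; the function names, the certificate bytes and the two messages are made up.

```python
import struct
from dataclasses import dataclass

# IKEv2 payload type numbers (RFC 7296, section 3.2); only the ones this example handles.
PAYLOAD_NONE, PAYLOAD_IDI, PAYLOAD_CERT = 0, 35, 37
GENERIC_HEADER = struct.Struct("!BBH")   # Next Payload, C/RESERVED, Payload Length (includes this header)
ID_BUFFER_SIZE = 520                     # the fixed stack buffer size cited in the write-up (layout otherwise assumed)
ID_RFC822_ADDR = 3                       # IDi ID Type for an e-mail address (RFC 7296, section 3.5)
CERT_X509_SIG = 4                        # Cert Encoding for "X.509 Certificate - Signature" (section 3.6)

class MalformedPayload(ValueError):
    pass

@dataclass
class Payload:
    ptype: int
    body: bytes

def parse_payload_chain(first_type, data):
    """Walk the payload chain: each generic header names the type of the payload that follows it,
    so the type of the first payload comes from the enclosing IKE header (passed in here)."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + GENERIC_HEADER.size > len(data):
            raise MalformedPayload("truncated payload header")
        next_type, _flags, length = GENERIC_HEADER.unpack_from(data, off)
        if length < GENERIC_HEADER.size or off + length > len(data):
            raise MalformedPayload(f"bad payload length {length} at offset {off}")
        payloads.append(Payload(ptype, data[off + GENERIC_HEADER.size: off + length]))
        off, ptype = off + length, next_type
    return payloads

def identification_from(payload):
    """IDi/IDr body: ID Type (1 byte), RESERVED (3 bytes), Identification Data (variable)."""
    if len(payload.body) < 4:
        raise MalformedPayload("ID payload too short")
    return payload.body[0], payload.body[4:]

def process_cert(id_data, cert_body, validate_cert):
    """Hardened counterpart of the vulnerable pattern: check the identification against the buffer
    size before the copy, and do both before certificate validation is even attempted."""
    if len(id_data) > ID_BUFFER_SIZE:
        raise MalformedPayload(f"identification of {len(id_data)} bytes exceeds {ID_BUFFER_SIZE}-byte buffer")
    local_copy = bytearray(ID_BUFFER_SIZE)      # stands in for the fixed-size stack buffer
    local_copy[:len(id_data)] = id_data         # safe only because the length was just checked
    if len(cert_body) < 1:
        raise MalformedPayload("CERT payload too short")
    encoding, cert_data = cert_body[0], cert_body[1:]
    return validate_cert(bytes(local_copy[:len(id_data)]), encoding, cert_data)

def handle_ike_auth(first_type, data, validate_cert):
    """Minimal IKE_AUTH responder step: parse the (already decrypted) payloads, then process CERT."""
    by_type = {p.ptype: p for p in parse_payload_chain(first_type, data)}
    if PAYLOAD_IDI not in by_type or PAYLOAD_CERT not in by_type:
        raise MalformedPayload("IKE_AUTH without IDi and CERT")
    _id_type, id_data = identification_from(by_type[PAYLOAD_IDI])
    return process_cert(id_data, by_type[PAYLOAD_CERT].body, validate_cert)

# --- constructed messages (not captured traffic) ---
def build_chain(payloads):
    """Serialize [(type, body), ...] into a payload chain; returns (first_type, bytes)."""
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += GENERIC_HEADER.pack(next_type, 0, GENERIC_HEADER.size + len(body)) + body
    return payloads[0][0], bytes(out)

FAKE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 16   # placeholder bytes, not a real certificate

def benign_message():
    return build_chain([(PAYLOAD_IDI, bytes([ID_RFC822_ADDR, 0, 0, 0]) + b"vpnuser@example.com"),
                        (PAYLOAD_CERT, bytes([CERT_X509_SIG]) + FAKE_CERT)])

def oversized_message(size=600):
    return build_chain([(PAYLOAD_IDI, bytes([ID_RFC822_ADDR, 0, 0, 0]) + b"A" * size),
                        (PAYLOAD_CERT, bytes([CERT_X509_SIG]) + FAKE_CERT)])

def demo():
    seen = []
    def fake_validate(identity, encoding, cert):   # records what reaches "validation"
        seen.append(identity)
        return True
    ok = handle_ike_auth(*benign_message(), fake_validate)
    try:
        handle_ike_auth(*oversized_message(), fake_validate)
        rejected = False
    except MalformedPayload:
        rejected = True
    return ok, rejected, len(seen)   # the oversized identification never reaches validation

if __name__ == "__main__":
    print(demo())
```

Run stand-alone, demo() returns (True, True, 1): the benign message is accepted, the 600-byte identification is rejected by the length check, and validate_cert is reached exactly once. Moving the length check after the copy, as in the vulnerable ordering, would leave the overflow reachable by any unauthenticated peer that gets as far as IKE_AUTH, regardless of what the certificate check later decides.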

    watchTowr noted that while WatchGuard Fireware OS lacks an interactive shell such as “/bin/bash,” it is possible for an attacker to weaponize the flaw, gain control of the instruction pointer register (RIP, the program counter), and ultimately spawn an interactive Python shell over TCP, using an mprotect() system call to make the payload’s memory executable and so bypass NX bit (no-execute) mitigations.

    Once the remote Python shell is obtained, the foothold can be escalated through a multi-step process to a full Linux shell –

    • Directly executing execve within Python in order to remount the filesystem as read/write
    • Downloading a BusyBox binary onto the target
    • Symlinking /bin/sh to the BusyBox binary

    The development comes as watchTowr demonstrated that a now-fixed denial-of-service (DoS) vulnerability impacting Progress Telerik UI for AJAX (CVE-2025-3600, CVSS score: 7.5) can also enable remote code execution depending on the targeted environment. The vulnerability was addressed by Progress Software on April 30, 2025.


    “Depending on the target codebase – for example, the presence of particular no-argument constructors, finalizers, or insecure assembly resolvers – the impact can escalate to remote code execution,” security researcher Piotr Bazydlo said.

    Earlier this month, watchTowr's Sina Kheirkhah also shed light on a critical pre-authentication command injection flaw in Dell UnityVSA (CVE-2025-36604, CVSS score: 9.8/7.3) that could result in remote command execution. Dell remediated the vulnerability in July 2025 following responsible disclosure on March 28.


    Source: thehackernews.com…

  • Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign


    Oct 17, 2025 | Ravie Lakshmanan | Malware / Cybercrime


    Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks.

    The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a post shared on X.

    The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware.

    Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that’s assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the years.


    Oyster (aka Broomstick and CleanUpLoader), on the other hand, is a backdoor that’s often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams using bogus websites that users stumble upon when searching for the programs on Google and Bing.

    “In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top,” Microsoft said. “Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.”

    To sign these installers and other post-compromise tools, the threat actor is said to have used Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.

    Details of the campaign were first disclosed by Blackpoint Cyber last month, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client.


    “This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,” the company said. “Threat actors are exploiting user trust in search results and well-known brands to gain initial access.”

    To mitigate such risks, it’s advised to download software only from verified sources and avoid clicking on suspicious links served via search engine ads.


    Source: thehackernews.com…

  • Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in 'Zero Disco' Attacks


    Oct 16, 2025 | Ravie Lakshmanan | Vulnerability / Linux


    Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.

    The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.

    The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.


    “The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said.

    The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the memory space of the Cisco IOS daemon (IOSd). On these platforms IOSd runs as a process on top of the Linux kernel that underlies the switch, which is what makes a Linux rootkit viable on a network device.

    Another notable aspect of the attacks is that they singled out victims running older Linux systems without endpoint detection and response (EDR) coverage, making it possible to deploy the rootkits and stay under the radar. The adversary is also said to have used spoofed IP and MAC addresses in their intrusions.

    The rootkit is controlled by a UDP controller component that can listen for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, conceal portions of the running configuration, and hide configuration changes by altering the timestamp so that the configuration appears never to have been modified.

    Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.


    The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it — a one-letter change from “Cisco.”

    “The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”


    Source: thehackernews.com…

  • LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets


    Oct 16, 2025 | Ravie Lakshmanan | Vulnerability / Malware


    An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv.

    “This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a ‘magic packet,’” security researcher Théo Letailleur said.

    The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 as the starting point, following which a malicious Docker Hub image named "kvlnt/vv" (now removed) was deployed on several Kubernetes clusters.

    The Docker image consists of a Kali Linux base along with a folder called “app” containing three files –

    • start.sh, a shell script to start the SSH service and execute the remaining two files
    • link, an open-source program called vnt that acts as a VPN server and provides proxy capabilities by connecting to vnt.wherewego[.]top:29872, allowing the attacker to connect to the compromised server from anywhere and use it as a proxy to reach other servers
    • app, a Rust-based downloader referred to as vGet that receives an encrypted VShell payload from an S3 bucket, which then proceeds to communicate with its own command-and-control (C2) server (56.155.98[.]37) over a WebSocket connection

    Also delivered to the Kubernetes nodes were two other malware strains, a dropper embedding another vShell backdoor and LinkPro, a rootkit written in Golang. The stealthy malware can operate in either passive (aka reverse) or active (aka forward) mode, depending on its configuration, allowing it to listen for commands from the C2 server only upon receiving a specific TCP packet or directly initiate contact with the server.


    While the forward mode supports five different communication protocols, including HTTP, WebSocket, UDP, TCP, and DNS, the reverse mode only uses the HTTP protocol. The overall sequence of events unfolds as follows –

    For concealment in user space, LinkPro writes the path of an embedded shared library, libld.so, into the "/etc/ld.so.preload" configuration file so that the library is loaded into every dynamically linked process, with the main objective of hiding the artifacts that could reveal the backdoor's presence.

    “Thanks to the presence of the /etc/libld.so path in /etc/ld.so.preload, the libld.so shared library installed by LinkPro is loaded by all programs that require /lib/ld-linux.so,” Letailleur explained. “This includes all programs that use shared libraries, such as glibc.”

    “Once libld.so is loaded at the execution of a program, for example /usr/bin/ls, it hooks (before glibc) several libc functions to modify results that could reveal the presence of LinkPro.”
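A practitioner's check for the ld.so.preload hooking described above, added here as an example (it is not Synacktiv's tooling and not part of LinkPro): list a directory once through glibc's readdir(), which a preloaded libld.so can hook, and once through the raw getdents64 system call, then report entries the kernel returned but libc did not. The scratch directory under /tmp, its file names and the function names are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 4096
#define NAME_LEN    256

/* Record returned by getdents64 (layout from the Linux syscall ABI). */
struct kdirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

static char via_libc[MAX_ENTRIES][NAME_LEN];
static char via_kernel[MAX_ENTRIES][NAME_LEN];

/* Lists `path` through glibc's readdir(), the code path a preloaded library can hook. */
int list_via_libc(const char *path, char names[][NAME_LEN], int max)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(d)) != NULL) {
        if (n < max) snprintf(names[n], NAME_LEN, "%s", e->d_name);
        n++;
    }
    closedir(d);
    return n;
}

/* Lists `path` with the raw getdents64 syscall, bypassing the libc wrappers. */
int list_via_syscall(const char *path, char names[][NAME_LEN], int max)
{
    static uint64_t buf[8192];                       /* 64 KiB, 8-byte aligned for the records */
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int n = 0;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (got <= 0) break;                         /* 0 = end of directory, -1 = error */
        for (long off = 0; off < got; ) {
            struct kdirent64 *d = (struct kdirent64 *)((char *)buf + off);
            if (n < max) snprintf(names[n], NAME_LEN, "%s", d->d_name);
            n++;
            off += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Entries the kernel reports that libc does not: 0 on a clean host, -1 on error. */
int hidden_entries(const char *path)
{
    int nk = list_via_syscall(path, via_kernel, MAX_ENTRIES);
    int nl = list_via_libc(path, via_libc, MAX_ENTRIES);
    if (nk < 0 || nl < 0 || nk > MAX_ENTRIES || nl > MAX_ENTRIES) return -1;
    int hidden = 0;
    for (int i = 0; i < nk; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++) seen = strcmp(via_kernel[i], via_libc[j]) == 0;
        if (!seen) { hidden++; printf("hidden from libc: %s/%s\n", path, via_kernel[i]); }
    }
    return hidden;
}

static const char *sample_files[] = { "a.txt", "b.log", "c.bin" };

/* Constructs the scratch directory with three files: the sample input for this check. */
static int make_sample_dir(char *path)
{
    strcpy(path, "/tmp/linkpro_chk_XXXXXX");
    if (!mkdtemp(path)) return -1;
    for (int i = 0; i < 3; i++) {
        char f[128];
        snprintf(f, sizeof f, "%s/%s", path, sample_files[i]);
        int fd = open(f, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

static void remove_sample_dir(const char *path)
{
    for (int i = 0; i < 3; i++) {
        char f[128];
        snprintf(f, sizeof f, "%s/%s", path, sample_files[i]);
        unlink(f);
    }
    rmdir(path);
}

/* Hidden-entry count for the scratch directory; 0 expected on a clean host. */
int demo_hidden_count(void)
{
    char path[64];
    if (make_sample_dir(path) != 0) return -1;
    int h = hidden_entries(path);
    remove_sample_dir(path);
    return h;
}

/* Kernel-side entry count for the scratch directory: three files plus "." and "..". */
int demo_kernel_count(void)
{
    char path[64];
    if (make_sample_dir(path) != 0) return -1;
    int n = list_via_syscall(path, via_kernel, MAX_ENTRIES);
    remove_sample_dir(path);
    return n;
}

int main(void)
{
    printf("hidden entries in scratch dir: %d\n", demo_hidden_count());
    printf("/etc/ld.so.preload is %s\n", access("/etc/ld.so.preload", F_OK) == 0 ? "present: inspect it" : "absent");
    return 0;
}
```

This only catches the user-space fallback. When LinkPro's eBPF programs are loaded, getdents is filtered in the kernel and both listings agree, so the comparison then has to be made against an offline copy of the filesystem or from a trusted kernel; a hook on libc's syscall() wrapper would likewise need an inline syscall to sidestep. Checking whether /etc/ld.so.preload exists at all remains the cheapest first signal on hosts that never legitimately use it.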

    The magic packet, per Synacktiv, is a TCP packet with a window size value of 54321. Once this packet is detected, the Knock module saves the source IP address of the packet and an associated expiration date of one hour as its value. The program then keeps an eye out for additional TCP packets whose source IP address matches that of the already saved IP.

    In other words, the core functionality of LinkPro is to wait for a magic packet to be sent, after which the threat actor has a one-hour window to send commands to a port of their choice. The Knock module is also designed to modify the incoming TCP packet’s header to replace the original destination port with LinkPro’s listening port (2333), and alter the outgoing packet to replace the source port (2233) with the original port.
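The knock logic above, written from the defender's side as an added example (not Synacktiv's code and not LinkPro's): a small C detector parses raw IPv4/TCP headers, arms a source address when a packet carries the magic window size of 54321, keeps it armed for one hour, and flags any later packet from that source as a likely command that the implant would redirect to port 2333 regardless of the destination port on the wire. The packet builder, the addresses from the TEST-NET ranges and the scripted sequence are constructed inputs, and timestamps are plain epoch seconds so the logic runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAGIC_WINDOW  54321   /* TCP window size that arms LinkPro's Knock module */
#define KNOCK_TTL_SEC 3600    /* the one-hour window that follows a knock */
#define LINKPRO_PORT  2333    /* port the implant rewrites the destination to */
#define MAX_ARMED     64      /* size of the detector's knock table (assumed) */

enum verdict { V_BAD = -1, V_IGNORE = 0, V_KNOCK, V_ARMED_FOLLOWUP, V_EXPIRED };

struct pkt   { uint32_t src_ip, dst_ip; uint16_t sport, dport, window; };
struct armed { uint32_t src_ip; uint64_t expires; int used; };

static struct armed table[MAX_ARMED];

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void knock_reset(void) { memset(table, 0, sizeof table); }

/* Parses IPv4 + TCP headers from a buffer that starts at the IP header. */
int parse_ipv4_tcp(const uint8_t *b, size_t len, struct pkt *out)
{
    if (len < 20 || (b[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(b[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 20 || b[9] != 6) return -1;     /* protocol 6 = TCP */
    const uint8_t *t = b + ihl;
    out->src_ip = be32(b + 12);  out->dst_ip = be32(b + 16);
    out->sport  = be16(t);       out->dport  = be16(t + 2);
    out->window = be16(t + 14);
    return 0;
}

static struct armed *find_armed(uint32_t ip)
{
    for (int i = 0; i < MAX_ARMED; i++)
        if (table[i].used && table[i].src_ip == ip) return &table[i];
    return NULL;
}

/* Mirrors the Knock module's state from the defender's side. */
enum verdict inspect(const struct pkt *p, uint64_t now)
{
    struct armed *a = find_armed(p->src_ip);
    if (p->window == MAGIC_WINDOW) {                       /* the knock itself: arm or refresh */
        for (int i = 0; !a && i < MAX_ARMED; i++)
            if (!table[i].used) a = &table[i];
        if (a) { a->used = 1; a->src_ip = p->src_ip; a->expires = now + KNOCK_TTL_SEC; }
        return V_KNOCK;
    }
    if (a && now < a->expires) return V_ARMED_FOLLOWUP;   /* command inside the one-hour window */
    if (a) { a->used = 0; return V_EXPIRED; }             /* window closed: disarm the source */
    return V_IGNORE;
}

enum verdict feed(const uint8_t *b, size_t len, uint64_t now)
{
    struct pkt p;
    if (parse_ipv4_tcp(b, len, &p) != 0) return V_BAD;
    enum verdict v = inspect(&p, now);
    if (v == V_ARMED_FOLLOWUP)
        printf("alert: %u.%u.%u.%u:%u -> :%u inside knock window; implant would rewrite to :%u\n",
               p.src_ip >> 24, (p.src_ip >> 16) & 0xFF, (p.src_ip >> 8) & 0xFF, p.src_ip & 0xFF,
               p.sport, p.dport, LINKPRO_PORT);
    return v;
}

#define IP4(a, b, c, d) ((((uint32_t)(a)) << 24) | (((uint32_t)(b)) << 16) | (((uint32_t)(c)) << 8) | (uint32_t)(d))

/* Builds a constructed 40-byte IPv4/TCP SYN (checksums left zero: sample input, not a valid frame). */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint16_t window)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *t = buf + 20;
    t[0] = (uint8_t)(sport >> 8); t[1] = (uint8_t)sport;
    t[2] = (uint8_t)(dport >> 8); t[3] = (uint8_t)dport;
    t[12] = 0x50; t[13] = 0x02;                            /* data offset 5 words, SYN */
    t[14] = (uint8_t)(window >> 8); t[15] = (uint8_t)window;
    return 40;
}

/* Replays a constructed capture from the start through `step` and returns that step's verdict. */
enum verdict scenario(int step)
{
    const uint32_t knocker = IP4(198, 51, 100, 7), other = IP4(203, 0, 113, 9), victim = IP4(10, 0, 0, 5);
    struct { uint32_t src; uint16_t dport, window; uint64_t t; size_t len; } s[] = {
        { knocker, 80,  MAGIC_WINDOW, 1000,                 40 },   /* knock */
        { knocker, 443, 65535,        1500,                 40 },   /* command via "allowed" port 443 */
        { other,   443, 65535,        1500,                 40 },   /* unrelated client */
        { knocker, 443, 65535,        1000 + KNOCK_TTL_SEC, 40 },   /* window just closed */
        { knocker, 443, 65535,        1001 + KNOCK_TTL_SEC, 40 },   /* same source, now disarmed */
        { knocker, 443, 65535,        2000,                  5 },   /* truncated packet */
    };
    enum verdict v = V_BAD;
    uint8_t buf[40];
    knock_reset();
    for (int i = 0; i <= step && i < 6; i++) {
        build_packet(buf, s[i].src, victim, (uint16_t)(40000 + i), s[i].dport, s[i].window);
        v = feed(buf, s[i].len, s[i].t);
    }
    return v;
}

int main(void)
{
    for (int i = 0; i < 6; i++) printf("step %d -> verdict %d\n", i, scenario(i));
    return 0;
}
```

Feed it from a capture taken on the host's uplink rather than on the host itself, since the implant rewrites the destination port before the local stack sees the packet; the front-end firewall only ever logs the original port, which is the correlation gap Synacktiv describes. A production sensor would also want the knock table aged on a timer rather than only on the next packet from the same source.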


    “The purpose of this maneuver is to allow the operator to activate command reception for LinkPro by going through any port authorized by the front-end firewall,” Synacktiv said. “This also makes the correlation between the front-end firewall logs and the network activity of the compromised host more complex.”

    The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.

    “For its concealment at the kernel level, the rootkit uses eBPF programs of the tracepoint and kretprobe types to intercept the getdents (file hiding) and sys_bpf (hiding its own BPF programs) system calls. Notably, this technique requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE),” the company said.

    “If the latter is not present, LinkPro falls back on an alternative method by loading a malicious library via the /etc/ld.so.preload file to ensure the concealment of its activities in user space.”


    Source: thehackernews.com…