Author: Mark

  • Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files

    Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine’s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).

    The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children’s Fund (UNICEF) Ukraine office, Council of Europe’s Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.

    The phishing emails have been found to impersonate the Ukrainian President’s Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site (“zoomconference[.]app”) and tricks them into running a malicious PowerShell command via a ClickFix-style fake Cloudflare CAPTCHA page under the guise of a browser check.

    The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier.

    It’s suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation.

    The PowerShell command executed after it’s pasted to the Windows Run dialog leads to an obfuscated downloader that’s primarily responsible for retrieving and executing a second-stage payload from a remote server. This second-stage malware performs reconnaissance of the compromised host and sends it to the same server, which then responds with the PowerShell remote access trojan.

    “The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware,” security researcher Tom Hegel said. “The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host.”

    The malware connects to a remote WebSocket server at “wss://bsnowcommunications[.]com:80” and is configured to receive Base64-encoded JSON messages that include a command to be executed with Invoke-Expression or run a PowerShell payload. The results of the execution are subsequently packaged into a JSON string and sent to the server over the WebSocket.

    Further analysis of VirusTotal submissions has determined that the 8-page weaponized PDF has been uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia, likely indicating broad targeting.

    SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain “goodhillsenterprise[.]com,” which has been used to serve the obfuscated PowerShell malware scripts. Interestingly, the infrastructure associated with “zoomconference[.]app” is said to have been active only for a single day on October 8.

    This suggests “sophisticated planning and strong commitment to operational security,” the company pointed out, adding it also uncovered fake applications hosted on the domain “princess-mens[.]click” that are aimed at collecting geolocation, contacts, call logs, media files, device information, installed apps list, and other data from compromised Android devices.

    The campaign has not been attributed to any known threat actor or group, although the use of ClickFix overlaps with that of recently disclosed attacks mounted by the Russia-linked COLDRIVER hacking group.

    “The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,” SentinelOne said.

    “The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.”


    Source: thehackernews.com…

  • Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign

    Oct 22, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities.

    The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today.

    More than three-fourths of the campaign’s targets are embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms.

    “MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence,” said security researchers Mahmoud Zohdy and Mansour Alhmoud.

    “By exploiting the trust and authority associated with such communications, the campaign significantly increased its chances of deceiving recipients into opening the malicious attachments.”

    The attack chain essentially involves the threat actor distributing weaponized Microsoft Word documents that, when opened, prompt the email recipients to enable macros in order to view the content. Once the unsuspecting user enables the feature, the document proceeds to execute malicious Visual Basic for Applications (VBA) code, resulting in the deployment of version 4 of the Phoenix backdoor.

    The backdoor is launched by means of a loader called FakeUpdate that’s decoded and written to disk by the VBA dropper. The loader contains the Advanced Encryption Standard (AES)-encrypted Phoenix payload.

    MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017.

    The threat actor’s use of Phoenix was first documented by Group-IB last month, describing it as a lightweight version of BugSleep, a Python-based implant linked to MuddyWater. Two different variants of Phoenix (Version 3 and Version 4) have been detected in the wild.

    The cybersecurity vendor said the attacker’s command-and-control (C2) server (“159.198.36[.]115”) has also been found hosting remote monitoring and management (RMM) utilities and a custom web browser credential stealer that targets Brave, Google Chrome, Microsoft Edge, and Opera, suggesting their likely use in the operation. It’s worth noting that MuddyWater has a history of distributing remote access software via phishing campaigns over the years.

    “By deploying updated malware variants such as the Phoenix v4 backdoor, the FakeUpdate injector, and custom credential-stealing tools alongside legitimate RMM utilities like PDQ and Action1, MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence,” the researchers said.


    Source: thehackernews.com…

  • Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys

    Oct 22, 2025 | Ravie Lakshmanan | Cryptocurrency / Software Integrity

    Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims’ cryptocurrency wallet keys.

    The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket.

    The library was uploaded by a user named “nethereumgroup” on October 16, 2025. It was taken down from NuGet for violating the service’s Terms of Use four days later.

    What’s notable about the NuGet package is that it swaps the last occurrence of the Latin letter “e” in “Nethereum” with the Cyrillic homoglyph “е” (U+0435) to fool unsuspecting developers into downloading it.

    In a further attempt to increase the credibility of the package, the threat actors have resorted to artificially inflating the download counts, claiming it has been downloaded 11.7 million times — a huge red flag given that it’s unlikely for an entirely new library to rack up such a high count within a short span of time.

    “A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts,” security researcher Kirill Boychenko said. “Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches.”

    “The result is a package that appears ‘popular,’ which boosts placement for searches sorted by relevance and lends a false sense of proof when developers glance at the numbers.”

    The main payload within the NuGet package is within a function named EIP70221TransactionService.Shuffle, which parses an XOR-encoded string to extract the C2 server (solananetworkinstance[.]info/api/gads) and exfiltrates sensitive wallet data to the attacker.

    The threat actor has been found to have previously uploaded another NuGet package called “NethereumNet” with the same deceptive functionality at the start of the month. It has already been removed by the NuGet security team.

    This is not the first homoglyph typosquat that has been spotted in the NuGet repository. In July 2024, ReversingLabs documented details of several packages that impersonated their legitimate counterparts by substituting certain elements with their equivalents to bypass casual inspection.

    Unlike other open-source package repositories like PyPI, npm, Maven Central, Go Module, and RubyGems that enforce restrictions on the naming scheme to ASCII, NuGet places no such constraints other than prohibiting spaces and unsafe URL characters, opening the door to abuse.

    To mitigate such risks, users should carefully scrutinize libraries before downloading them, including verifying publisher identity and sudden download surges, and monitor for anomalous network traffic.
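    As an added example (not Socket’s or NuGet’s own code), the kind of check a dependency-review step could run against the homoglyph trick described above: it lists every non-ASCII code point in a package name, folds a deliberately small, constructed Cyrillic-to-Latin confusable map into an ASCII “skeleton”, and compares that skeleton with the packages an organization already trusts. The trusted list and candidate name are constructed; the full Unicode confusables table is much larger than the map used here.

```python
import unicodedata

# Constructed, deliberately small confusable map (Cyrillic lowercase -> Latin
# lookalike). The Unicode confusables.txt table covers far more than this.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def non_ascii_chars(name: str) -> list:
    """List every non-ASCII character in a package name with its position,
    code point and Unicode name, so a reviewer sees exactly what was swapped."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]


def skeleton(name: str) -> str:
    """Fold a name to a comparable form: NFKC-normalize, lower-case, then map
    known confusables to their Latin lookalike."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_of(name: str, trusted: list):
    """Return the trusted package whose skeleton equals this name's skeleton
    while the spelling differs, i.e. a homoglyph impersonation. NuGet IDs are
    case-insensitive, so a case-only difference is the same package, not a
    lookalike. Returns None when the name is trusted or unrelated."""
    if any(name.lower() == t.lower() for t in trusted):
        return None
    target = skeleton(name)
    for known in trusted:
        if skeleton(known) == target:
            return known
    return None


def review(name: str, trusted: list) -> dict:
    """Combine both checks into one verdict for a dependency-review step."""
    suspicious = non_ascii_chars(name)
    impersonated = lookalike_of(name, trusted)
    return {
        "name": name,
        "non_ascii": suspicious,
        "impersonates": impersonated,
        "block": bool(suspicious) or impersonated is not None,
    }


# Constructed inputs: the trusted list is what an organization might pin; the
# candidate spells Nethereum with Cyrillic ie (U+0435) in place of the last 'e'.
TRUSTED = ["Nethereum.All", "Nethereum.Web3", "Newtonsoft.Json"]
CANDIDATE = "Nether\u0435um.All"

if __name__ == "__main__":
    verdict = review(CANDIDATE, TRUSTED)
    for pos, ch, cp, uname in verdict["non_ascii"]:
        print(f"position {pos}: {ch!r} {cp} {uname}")
    print("impersonates:", verdict["impersonates"], "-> block:", verdict["block"])
```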


    Source: thehackernews.com…

  • Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch

    Oct 22, 2025 | Ravie Lakshmanan | Cyber Espionage / Vulnerability

    Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025.

    Also targeted were government departments in an African country and government agencies in South America, a university in the U.S., and likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

    According to Broadcom’s Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution.

    CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of Warlock, LockBit, and Babuk ransomware families in recent months.

    However, the latest findings from Symantec indicate that a much wider range of Chinese threat actors have abused the vulnerability. This includes the Salt Typhoon (aka Glowworm) hacking group, which is said to have leveraged the ToolShell flaw to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and the two government bodies in Africa.

    KrustyLoader, first detailed by Synacktiv in January 2024, is a Rust-based loader previously put to use by a China-nexus espionage group dubbed UNC5221 in attacks exploiting flaws in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.

    The attacks aimed at government agencies in South America and a university in the U.S., on the other hand, involved the use of unspecified vulnerabilities to obtain initial access, followed by the exploitation of SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver the malicious payloads using DLL side-loading techniques.

    In some of the incidents, the attackers have been observed executing an exploit for CVE-2021-36942 (aka PetitPotam) for privilege escalation and domain compromise, along with a number of readily available and living-off-the-land (LotL) tools to facilitate scanning, file download, and credential theft on the infected systems.

    “There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm,” Symantec said. “However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors.”

    “The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage.”


    Source: thehackernews.com…

  • Bridging the Remediation Gap: Introducing Pentera Resolve

    From Detection to Resolution: Why the Gap Persists

    A critical vulnerability is identified in an exposed cloud asset. Within hours, five different tools alert you about it: your vulnerability scanner, XDR, CSPM, SIEM, and CMDB each surface the issue in their own way, with different severity levels, metadata, and context.

    What’s missing is a system of action. How do you transition from the detection and identification of a security issue to remediation and resolution?

    The Continuous Threat Exposure Management (CTEM) framework was introduced to help organizations address this challenge, calling for a repeatable approach to scoping, discovery, validation, and ultimately, the mobilization of remediation efforts. The goal is not just to identify risk, but to act on it, continuously and at scale.

    In most environments, that mobilization happens, but it relies on manual processes. Findings remain fragmented across tools, each with its own format, language, and logic. The responsibility to consolidate, correlate, prioritize, and assign remediation tasks often falls to already stretched security operations teams. And when fixes are eventually applied, there is often no mechanism in place to validate that your actions were effective.

    What we’ve seen across more than 1,200 customers is that existing processes are not built to scale across the thousands of alerts enterprise security teams contend with on a weekly basis. Security and operations teams are not set up for success here.

    This disconnect between identifying risk and resolving it efficiently and reliably is the remediation gap. It is not a visibility problem. It is an operational one.

    Pentera Resolve: Operationalizing Validated Risk

    As the leader in Security Validation, Pentera has always focused on helping organizations understand which vulnerabilities truly matter. By safely emulating real-world attacks, we don’t simply identify what is potentially exposed, but rather how those exposures can be exploited within the context of your environment.

    Now we are extending that leadership by bridging security validation with automated remediation operations, closing the gap between insight and action. Alerts alone do not reduce risk. Their value depends entirely on the organization’s ability to act on them. Ten overlapping reports sitting unread on a dashboard do not make you safer. Action does.

    Introducing Pentera Resolve. Our new product marks a shift in what organizations should expect from a Security Validation platform, integrating remediation workflows natively into the validation lifecycle.

    Pentera Resolve automates the remediation workflow by turning validated findings into structured tasks and routing them directly to the teams responsible for fixing them. Security teams no longer need to comb through multiple reports, chase down asset owners, or track remediation progress across disconnected dashboards. Pentera Resolve removes that friction with a streamlined process embedded in the systems organizations already use.

    Powered by AI, it automates triage, prioritization, and ownership assignment. Each validated issue is enriched with business and asset context, delivered into platforms like ServiceNow, Jira, and Slack. Each ticket is tracked and cataloged, ensuring audit-ready proof-of-fix. This creates a system of record for remediation, providing security, IT, and compliance teams a shared and verifiable view of progress, all within the tools they already use. As the platform evolves, Pentera Resolve will support triggering re-tests to determine whether the original validated risk has been fully addressed.

    The result is faster, simpler, and more accountable remediation. Every issue is tied to real exploitability, verified after resolution, and fully measurable from start to finish.

    This level of operational integration supports something broader. It is not just about fixing what has been found. It is about enabling security programs to run remediation as a continuous, coordinated part of enterprise risk management.

    From Assessment to Resolution: A Unified Platform

    Security teams no longer spend time translating findings into tickets. IT and DevOps teams no longer need to guess which exposures to prioritize. Everyone works from the same source of validated truth, inside the systems they already use.

    This is not just about tooling. It is about changing how work gets done, with fewer gaps, clearer ownership, and full accountability from start to finish.

    Exposure without action is just noise. Pentera Resolve brings remediation into focus. It is measurable, repeatable, and fully integrated into how teams already operate.

    Validate. Remediate. Repeat.

    That is the loop. And now, it runs without gaps.

    Note: This article was authored by Dr. Arik Liberzon, Founder and Chief Technology Officer of Pentera.


    Source: thehackernews.com…

  • Why You Should Swap Passwords for Passphrases

    Oct 22, 2025 | The Hacker News | Data Breach / Enterprise Security

    The advice didn’t change for decades: use complex passwords with uppercase, lowercase, numbers, and symbols. The idea is to make passwords harder for hackers to crack via brute force methods. But more recent guidance shows our focus should be on password length, rather than complexity. Length is the more important security factor, and passphrases are the simplest way to get your users to create (and remember!) longer passwords.

    The math that matters

    When attackers steal password hashes from a breach, they brute-force by hashing millions of guesses per second until something matches. The time this takes depends on one thing: how many possible combinations exist.

    A traditional 8-character “complex” password (P@ssw0rd!) offers roughly 218 trillion combinations. Sounds impressive until you realize modern GPU setups can test those combinations in months, not years. Increase that to 16 characters using only lowercase letters, and you’re looking at 26^16 combinations, billions of times harder to crack.

    This is effective entropy: the actual randomness an attacker must work through. Three or four random common words strung together (“carpet-static-pretzel-invoke”) deliver far more entropy than cramming symbols into short strings. And users can actually remember them.

    Why passphrases win on every front

    The case for passphrases isn’t theoretical, it’s operational:

    Fewer resets. When passwords are memorable, users stop writing them on Post-it notes or recycling similar variations across accounts. Your helpdesk tickets drop, which alone should justify the change.

    Better attack resistance. Attackers optimize for patterns. They test dictionary words with common substitutions (@ for a, 0 for o) because that’s what people do. A four-word passphrase sidesteps these patterns entirely – but only when the words are truly random and unrelated.

    Aligned with current guidance. NIST has been clear: prioritize length over forced complexity. The traditional 8-character minimum should really be a thing of the past.

    One rule worth following

    Stop managing 47 password requirements. Give users one clear instruction:

    Choose 3-4 unrelated common words + a separator. Avoid song lyrics, proper names, or famous phrases. Never reuse across accounts.

    Examples: mango-glacier-laptop-furnace or cricket.highway.mustard.piano

    That’s it. No mandatory capitals, no required symbols, no complexity theater. Just length and randomness.

    Rolling it out without chaos

    Changes to authentication can spark resistance. Here’s how to minimize friction:

    Start with a pilot group: grab 50-100 users from different departments. Give them the new guidance and monitor (but don’t enforce) for two weeks. Watch for patterns: Are people defaulting to phrases from pop culture? Are they hitting minimum length requirements consistently?

    Then move to warn-only mode across the organization. Users see alerts when their new passphrase is weak or has been compromised, but they’re not blocked. This builds awareness without creating support bottlenecks.

    Enforce only after you’ve measured:

    • Passphrase adoption percentage
    • Helpdesk reset reduction
    • Banned-password hits from your blocklist
    • User-reported friction points

    Track these as KPIs. They’ll tell you whether this is working better than the old policy.

    Making it stick with the right policy tools

    Your Active Directory password policy needs three updates to support passphrases properly:

    1. Raise the minimum length. Move from 8 to 14+ characters. This accommodates passphrases without creating problems for users who still prefer traditional passwords.
    2. Drop forced complexity checks. Stop requiring uppercase, numbers, and symbols. Length delivers better security with less user friction.
    3. Block compromised credentials. This is non-negotiable. Even the strongest passphrase doesn’t help if it’s already been leaked in a breach. Your policy should check submissions against known-compromised lists in real time.
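    To put numbers on the entropy argument from “The math that matters” and to encode the three policy updates just listed, here is an added Python example (not from the article or from Specops). The guess rate, word-list size and blocklist are constructed assumptions for illustration; a 62-symbol alphabet is assumed for the 8-character case because 62^8 is the roughly 218 trillion figure the article quotes.

```python
import math
import re

# Constructed assumptions for illustration.
GUESSES_PER_SECOND = 1e11   # a GPU rig against an unsalted fast hash
WORDLIST_SIZE = 7776        # a diceware-style list of 6^5 common words
# Stand-in for a breached-password feed; real tools compare against billions of hashes.
BLOCKLIST = {"p@ssw0rd!", "password1234567", "summer2025!!!!!"}


def combinations(alphabet_size: int, length: int) -> int:
    """Size of the search space for `length` uniformly random symbols drawn
    from `alphabet_size`; a word list is simply an alphabet of words."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits: log2 of the search space."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Average offline cracking time: the right guess turns up halfway through."""
    return space / 2 / rate


def compare_policies() -> dict:
    """Search spaces for the password styles the article contrasts."""
    return {
        "8 chars, letters+digits (62 symbols)": combinations(62, 8),
        "16 chars, lowercase only (26 symbols)": combinations(26, 16),
        f"4 random words from {WORDLIST_SIZE}": combinations(WORDLIST_SIZE, 4),
        f"3 random words from {WORDLIST_SIZE}": combinations(WORDLIST_SIZE, 3),
    }


def check_passphrase(candidate: str, blocklist: set = BLOCKLIST,
                     min_length: int = 14, min_words: int = 3) -> list:
    """Return the reasons a candidate fails the passphrase policy the article
    describes: minimum length, not a known-compromised credential, and several
    separated words. An empty list means it passes. Character-class complexity
    is deliberately not checked."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in blocklist:
        problems.append("appears in the compromised-password blocklist")
    words = [w for w in re.split(r"[^A-Za-z0-9]+", candidate) if w]
    if len(words) < min_words:
        problems.append(f"fewer than {min_words} separated words")
    elif len({w.lower() for w in words}) < len(words):
        problems.append("repeats a word")
    return problems


if __name__ == "__main__":
    for label, space in compare_policies().items():
        days = expected_crack_seconds(space) / 86400
        print(f"{label:40s} {math.log2(space):5.1f} bits  ~{days:14.1f} days")
    for pw in ("P@ssw0rd!", "umbrella-coaster-fountain-sketch",
               "mango-glacier-laptop-furnace"):
        print(pw, "->", check_passphrase(pw) or "OK")
```

Note that three words from a 7776-word list fall below the 62^8 space, so the article’s “far more entropy” claim depends on using four words from a list that large, and on the words being chosen at random rather than by the user.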

    Self-service password reset (SSPR) can help during the transition. Users can securely update credentials on their own time, and your helpdesk shouldn’t be the bottleneck.

    Password auditing gives you visibility into adoption rates. You can identify accounts still using short passwords or common patterns, then target those users with additional guidance.

    Tools like Specops Password Policy handle all three functions: extending policy minimums, blocking over 4 billion compromised passwords, and integrating with SSPR workflows. The policy updates sync to Active Directory and Azure AD without additional infrastructure, and the blocklist updates daily as new breaches emerge.

    What this looks like in practice

    Imagine your policy requires 15 characters but drops all complexity rules. A user creates umbrella-coaster-fountain-sketch during their next password change. A tool like Specops Password Policy checks it against the compromised password database – it’s clean. The user remembers it without a password manager because it’s four concrete images linked together. They don’t reuse it because they know it’s specific to this account.

    Six months later, no reset request. No Post-it note and no call to the helpdesk because they fat-fingered a symbol. Nothing revolutionary – just simple and effective.

    The security you actually need

    Passphrases aren’t a silver bullet. MFA still matters. Compromised credential monitoring still matters. But if you’re spending resources on password policy changes, this is where to spend it: longer minimums, simpler rules, and real protection against breached credentials.

    Attackers still steal hashes and brute-force them offline. What’s changed is our understanding of what actually slows them down, so your next password policy should reflect that. Interested in giving it a try? Book a live demo of Specops Password Policy.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware

    Oct 22, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

    Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.

    The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor.

    It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar.

    “The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet,” Kaspersky noted at the time. “A plugin-based approach provides dynamic adaptation to the attacker’s needs.”

    Since then, the company said it has observed a fresh wave of infections related to PassiveNeuron since December 2024 and continuing all the way through August 2025. The campaign remains unattributed at this stage, although some signs point to it being the work of Chinese-speaking threat actors.

    In at least one incident, the adversary is said to have gained initial remote command execution capabilities on a compromised machine running Windows Server through Microsoft SQL. While the exact method by which this is achieved is not known, it’s possible that the attackers are either brute-forcing the administration account password, or leveraging an SQL injection flaw in an application running on the server, or an as-yet-undetermined vulnerability in the server software itself.

    Regardless of the method used, the attackers attempted to deploy an ASPX web shell to gain basic command execution capabilities. When these efforts failed, the intrusion proceeded with the delivery of advanced implants via a series of DLL loaders placed in the System32 directory. These include:

    • Neursite, a bespoke C++ modular backdoor
    • NeuralExecutor, a bespoke .NET implant used to download additional .NET payloads over TCP, HTTP/HTTPS, named pipes, or WebSockets and execute them
    • Cobalt Strike, a legitimate adversary simulation tool

    Neursite utilizes an embedded configuration to connect to the C2 server and uses TCP, SSL, HTTP and HTTPS protocols for communications. By default, it supports the ability to gather system information, manage running processes, and proxy traffic through other machines infected with the backdoor to enable lateral movement.

    The malware also comes fitted with a component to fetch auxiliary plugins to achieve shell command execution, file system management, and TCP socket operations.

    Kaspersky also noted that NeuralExecutor variants spotted in 2024 were designed to retrieve the C2 server addresses straight from the configuration, whereas artifacts found this year reach out to a GitHub repository to obtain the C2 server address — a technique referred to as the dead drop resolver technique.

    “The PassiveNeuron campaign has been distinctive in the way that it primarily targets server machines,” researchers Georgy Kucherin and Saurabh Sharma said. “These servers, especially the ones exposed to the internet, are usually lucrative targets for [advanced persistent threats], as they can serve as entry points into target organizations.”


    Source: thehackernews.com…

  • TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution

    Oct 22, 2025 | Ravie Lakshmanan | Vulnerability / Data Protection

    Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions.

    The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been codenamed TARmageddon by Edera, which discovered the issue in late August 2025. It impacts several widely-used projects, such as testcontainers and wasmCloud.

    “In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,” the Seattle-based security company said.

    The problem is compounded by the fact that tokio-tar is essentially abandonware despite attracting thousands of downloads via crates.io. Tokio-tar is a Rust library for asynchronously reading and writing TAR archives built atop the Tokio runtime for the programming language. The Rust crate was last updated on July 15, 2023.

    In the absence of a patch for tokio-tar, users relying on the library are advised to migrate to astral-tokio-tar, which has released version 0.5.6 to remediate the flaw.

    “Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling,” Astral developer William Woodruff said in an alert.

    “When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate TAR headers.”

    The issue, in a nutshell, stems from inconsistent handling of PAX extended headers and ustar headers when determining file data boundaries. PAX, short for portable archive interchange, is an extended version of the USTAR format used to store properties of member files in a TAR archive.

    The mismatch between a PAX extended header and its ustar header – where the PAX header correctly specifies the file size, whereas the ustar header specifies the file size as zero (instead of the PAX size) – leads to a parsing inconsistency, causing the library to interpret the inner content as additional outer archive entries.

    “By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive,” Edera explained. “It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.”

    As a result, an attacker could exploit this behavior to “smuggle” extra archives when the library is processing nested TAR files, thereby making it possible to overwrite files within extraction directories, ultimately paving the way for arbitrary code execution.

    In a hypothetical attack scenario, an attacker could upload a specially-crafted package to PyPI such that the outer TAR contains a legitimate pyproject.toml, whereas the hidden inner TAR contains a malicious one that hijacks the build backend and overwrites the actual file during installation.
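    To make the boundary bug concrete, here is an added Python example (not Edera's, Astral's or the async-tar project's code) that builds a constructed archive exhibiting the described mismatch: a ustar header whose size field is 0, a preceding PAX record carrying the true size, and a nested TAR as the entry's content. It then walks the stream twice, once advancing by the ustar size as the vulnerable parser did and once honouring the PAX size; the entry names, file contents and the `PaxHeader/` naming are all constructed for the demonstration.

```python
def _header(name, size, typeflag=b"0"):          # minimal 512-byte ustar header (constructed helper)
    h = bytearray(512)
    h[0:len(name)] = name.encode()
    h[100:124] = b"0000644\0" + b"0000000\0" * 2          # mode, uid, gid
    h[124:136] = b"%011o\0" % size                        # the ustar size field
    h[136:148], h[148:156], h[156:157] = b"00000000000\0", b"        ", typeflag
    h[257:265] = b"ustar\x0000"
    h[148:156] = b"%06o\0 " % sum(h)                      # checksum, computed over spaces
    return bytes(h)

_pad = lambda d: d + b"\0" * (-len(d) % 512)              # pad to a 512-byte block

def _pax_record(key, value):
    """PAX record 'LEN key=value\\n' where LEN counts the whole record, digits included."""
    body = f" {key}={value}\n"
    length = next(n for n in range(len(body) + 1, len(body) + 5) if len(str(n)) + len(body) == n)
    return f"{length}{body}".encode()

HIDDEN = b"# constructed: attacker-controlled pyproject.toml inside the nested TAR\n"
LEGIT = b"# constructed: legitimate pyproject.toml in the outer TAR\n"

def build_crafted_archive():
    # Outer TAR: a legit pyproject.toml, then an entry whose ustar size is 0 while its
    # PAX 'size' record holds the true size; the entry's content is a nested TAR.
    inner = _header("pyproject.toml", len(HIDDEN)) + _pad(HIDDEN) + b"\0" * 1024
    pax = _pax_record("size", len(inner))
    return (_header("pyproject.toml", len(LEGIT)) + _pad(LEGIT)
            + _header("PaxHeader/project.tar", len(pax), b"x") + _pad(pax)
            + _header("project.tar", 0)        # ustar size deliberately 0: the mismatch
            + inner + b"\0" * 1024)

def list_entries(archive, honor_pax_size):
    # honor_pax_size=False mimics the vulnerable parser: it advances by the ustar size (0),
    # so the nested TAR's headers surface as extra entries of the outer archive.
    names, pos, pax_size = [], 0, None
    while pos + 512 <= len(archive):
        hdr = archive[pos:pos + 512]
        if hdr == b"\0" * 512:
            break
        name = hdr[:100].split(b"\0", 1)[0].decode()
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        pos += 512
        if hdr[156:157] == b"x":                 # PAX extended header for the next entry
            pax = dict(r.split(" ", 1)[1].split("=", 1) for r in archive[pos:pos + size].decode().splitlines())
            pax_size = int(pax["size"]) if "size" in pax else None
            pos += len(_pad(archive[pos:pos + size]))
            continue
        names.append(name)
        effective, pax_size = (pax_size if honor_pax_size and pax_size is not None else size), None
        pos += len(_pad(archive[pos:pos + effective]))
    return names
```

    On extraction, the vulnerable walk would write the smuggled `pyproject.toml` over the legitimate one, which is the file-overwrite primitive the advisory describes.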

    “While Rust’s guarantees make it significantly harder to introduce memory safety bugs (like buffer overflows or use-after-free), it does not eliminate logic bugs – and this parsing inconsistency is fundamentally a logic flaw,” Edera said. “Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.”


    Source: thehackernews.com…

  • TP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution

    Oct 22, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.

    The vulnerabilities in question are listed below –

    • CVE-2025-6541 (CVSS score: 8.6) – An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands
    • CVE-2025-6542 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands
    • CVE-2025-7850 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands
    • CVE-2025-7851 (CVSS score: 8.7) – An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions

    “Attackers may execute arbitrary commands on the device’s underlying operating system,” TP-Link said in an advisory released Tuesday.

    The issues impact the following product models and versions –

    • ER8411 < 1.3.3 Build 20251013 Rel.44647
    • ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
    • ER707-M2 < 1.3.1 Build 20251009 Rel.67687
    • ER7206 < 2.2.2 Build 20250724 Rel.11109
    • ER605 < 2.3.1 Build 20251015 Rel.78291
    • ER706W < 1.2.1 Build 20250821 Rel.80909
    • ER706W-4G < 1.2.1 Build 20250821 Rel.82492
    • ER7212PC < 2.1.3 Build 20251016 Rel.82571
    • G36 < 1.1.4 Build 20251015 Rel.84206
    • G611 < 1.2.2 Build 20251017 Rel.45512
    • FR365 < 1.1.10 Build 20250626 Rel.81746
    • FR205 < 1.0.3 Build 20251016 Rel.61376
    • FR307-M2 < 1.2.5 Build 20251015 Rel.76743

    While TP-Link makes no mention of the flaws being exploited in the wild, it’s advised that users move quickly to download and update to the latest firmware to fix the vulnerabilities.

    “Check the configurations of the device after the firmware upgrade to ensure that all settings remain accurate, secure, and aligned with their intended preferences,” it added.

    It also noted in a disclaimer that it cannot bear any responsibility for any consequences that may arise if the aforementioned recommended actions are not adhered to.


    Source: thehackernews.com…

  • PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

    Oct 21, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge.

    PolarEdge was first documented by Sekoia in February 2025, which attributed it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose.

    The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them.

    Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet, with the company noting that PolarEdge exhibits characteristics that are consistent with an Operational Relay Box (ORB) network. There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.

    In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a shell script named “q” over FTP, which is then responsible for retrieving and executing the PolarEdge backdoor on the compromised system.

    “The backdoor’s primary function is to send a host fingerprint to its command-and-control server and then listen for commands over a built-in TLS server implemented with mbedTLS,” the French cybersecurity company said in a technical breakdown of the malware.

    PolarEdge is designed to support two modes of operation: a connect-back mode, where the backdoor acts as a TLS client to download a file from a remote server, and a debug mode, where the backdoor enters an interactive mode to modify its configuration (i.e., server information) on the fly.

    The configuration is embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR that can be decrypted with single-byte key 0x11.

    However, its default mode is to function as a TLS server in order to send a host fingerprint to the command-and-control (C2) server and wait for commands to be sent. The TLS server is implemented with mbedTLS v2.8.0 and relies on a custom binary protocol for parsing incoming requests matching specific criteria, including a parameter named “HasCommand.”

    If the “HasCommand” parameter equals the ASCII character 1, the backdoor proceeds to extract and run the command specified in the “Command” field and transmits back the raw output of the executed command.

    Once launched, PolarEdge also moves certain files (e.g., /usr/bin/wget, /sbin/curl) and deletes others (“/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak”) on the infected device, although the exact purpose behind this step is unclear.

    Furthermore, the backdoor incorporates a wide range of anti-analysis techniques to obfuscate information related to the TLS server setup and fingerprinting logic. To evade detection, it employs process masquerading during its initialization phase by choosing a name at random from a predefined list. Some of the names included are: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.

    “Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/<parent-pid> still exists,” Sekoia researchers explained. “If the directory has disappeared, the child executes a shell command to relaunch the backdoor.”

    The disclosure comes as Synthient highlighted GhostSocks’ ability to convert compromised devices into SOCKS5 residential proxies. GhostSocks is said to have been first advertised under the malware-as-a-service (MaaS) model on the XSS forum in October 2023.

    It’s worth noting that the offering has been integrated into Lumma Stealer as of early 2024, allowing customers of the stealer malware to monetize the compromised devices post-infection.

    “GhostSocks provides clients with the ability to build a 32-bit DLL or executable,” Synthient said in a recent analysis. “GhostSocks will attempt to locate a configuration file in %TEMP%. In the scenario that the configuration file cannot be found, it will fall back to a hard-coded config.”

    The configuration contains details of the C2 server to which a connection is established for provisioning the SOCKS5 proxy and ultimately spawning a connection using the open-source go-socks5 and yamux libraries.


    Source: thehackernews.com…