Category: Cybersecurity

  • Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT


    The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT.

    The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams, according to Elastic Security Labs.

    “The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market,” security researchers Jia Yu Chan and Salim Bitam said. “These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse.”

    Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign that leveraged a technique called double-dip DLL side-loading in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.

    The hacking group, assessed to be active since at least 2020, is linked to a larger Chinese-speaking entity tracked as Miuuti Group that’s known for attacking the online gaming and gambling industries.

    In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications act as a launchpad for two more embedded NSIS installers, one of which (“letsvpnlatest.exe”) is benign and installs the legitimate software. The second NSIS binary (“Snieoatwtregoable.exe”) is responsible for stealthily triggering the attack chain.


    This involves delivering a DLL and an encrypted file (“tp.png”), with the former used to read the contents of the supposed PNG image and extract shellcode designed to launch another binary in memory.

    RONINGLOADER, besides attempting to remove any userland hooks by loading a fresh copy of “ntdll.dll,” tries to elevate its privileges using the runas command and scans the list of running processes for hard-coded antivirus-related names, covering products such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.

    The malware then proceeds to terminate the identified processes. If the identified process belongs to Qihoo 360 Total Security (e.g., “360tray.exe,” “360Safe.exe,” or “ZhuDongFangYu.exe”), it takes a different approach, involving the following sequence of actions –

    • Block all network communication by changing the firewall configuration
    • Grant itself the SeDebugPrivilege token
    • Start the Volume Shadow Copy (VSS) service and obtain the process ID of its host process (vssvc.exe)
    • Inject shellcode into that VSS service process using the technique called PoolParty
    • Load a signed driver named “ollama.sys” through a temporary service called “xererre1” and use it to terminate the three processes
    • Restore the firewall settings

    For other security processes, the loader directly writes the driver to disk and creates a temporary service called “ollama” to load the driver, perform process termination, and stop and delete the service.

    RONINGLOADER Execution flow

    Once all security processes have been killed on the infected host, RONINGLOADER runs batch scripts to bypass User Account Control (UAC) and create firewall rules to block inbound and outbound connections associated with Qihoo 360 security software.

    The malware has also been observed using two techniques documented earlier this year by security researcher Zero Salarium, which abuse PPL and the Windows Error Reporting component “WerFaultSecure.exe” (the latter technique is known as EDR-Freeze) to disable Microsoft Defender Antivirus. Furthermore, it targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks the Chinese security products Qihoo 360 Total Security and Huorong Security.

    The end goal of the loader is to inject a rogue DLL into “regsvr32.exe,” a legitimate Windows binary, to conceal its activity and launch a next-stage payload into another legitimate, high-privilege system process like “TrustedInstaller.exe” or “elevation_service.exe.” The final malware deployed is a modified version of Gh0st RAT.
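    As an added example (not code from Elastic's report or from the malware itself), the following Python triage routine looks for the three defense-evasion behaviours described above in a handful of constructed host events: a kernel driver service whose image lives outside the system drivers directory and is deleted seconds later, a file written into the WDAC active-policy directory, and a netsh rule that blocks a security product. The event schema is an assumed, simplified stand-in for Windows System event 7045 (service installed) and Sysmon events 1 (process create) and 11 (file create); the 360 install path and the policy GUID in the sample are constructed values.

```python
import re

# Service names the page attributes to RONINGLOADER's temporary driver services.
KNOWN_SERVICE_NAMES = {"ollama", "xererre1"}
# The only directory a kernel driver normally loads from.
DRIVER_DIR = r"c:\windows\system32\drivers"
# WDAC active-policy locations (multiple-policy format and legacy single policy).
WDAC_POLICY_RE = re.compile(
    r"\\codeintegrity\\(cipolicies\\active\\[0-9a-f-]{36}\.cip|sipolicy\.p7b)$", re.I)
# Substrings identifying the security products the page says the loader singles out.
TARGETED_VENDORS = ("360", "qihoo", "huorong", "msmpeng")


def norm_image(path):
    """Lower-case a service ImagePath and expand the NT-style prefixes (the
    object-manager prefix, SystemRoot, and a bare System32 path) that driver
    entries commonly use, so the result can be compared against DRIVER_DIR."""
    p = path.strip('"').lower()
    p = re.sub(r"^\\\?\?\\", "", p)
    p = re.sub(r"^\\systemroot\\", r"c:\\windows\\", p)
    p = re.sub(r"^system32\\", r"c:\\windows\\system32\\", p)
    return p


def triage(events, window=120):
    """Return (rule, detail) findings over one host's events, in time order.
    Event schema (assumed, simplified): id 7045 = service installed,
    id 1 = process created, id 11 = file created."""
    events = sorted(events, key=lambda e: e["ts"])
    # Times at which 'sc delete <name>' ran, to spot install-use-delete driver services.
    deletions = [(e["ts"], m.group(1).lower())
                 for e in events if e.get("id") == 1
                 for m in [re.search(r"\bsc(?:\.exe)?\s+delete\s+(\S+)",
                                     e.get("CommandLine", ""), re.I)] if m]
    findings = []
    for e in events:
        if e.get("id") == 7045 and "kernel" in e.get("ServiceType", "").lower():
            name, image = e["ServiceName"].lower(), norm_image(e["ImagePath"])
            if not image.startswith(DRIVER_DIR):
                findings.append(("driver-outside-drivers-dir", f"{name} -> {image}"))
            if name in KNOWN_SERVICE_NAMES:
                findings.append(("known-roningloader-service-name", name))
            if any(n == name and e["ts"] <= ts <= e["ts"] + window for ts, n in deletions):
                findings.append(("short-lived-driver-service", name))
        elif e.get("id") == 11 and WDAC_POLICY_RE.search(e["TargetFilename"].lower()):
            # Legitimate WDAC rollouts (e.g. via MDM) need a deployment-specific allowlist here.
            findings.append(("wdac-policy-written",
                             f"{e.get('Image', '?').lower()} -> {e['TargetFilename'].lower()}"))
        elif e.get("id") == 1:
            cmd = e.get("CommandLine", "").lower()
            if "advfirewall" in cmd and "action=block" in cmd and any(v in cmd for v in TARGETED_VENDORS):
                findings.append(("firewall-block-on-security-product", cmd))
    return findings


# Constructed sample events, not real telemetry; the GUID and the 360 path are made up.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 7045, "ServiceName": "ollama", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\ollama.sys"},
    {"ts": 103, "id": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc delete ollama"},
    {"ts": 110, "id": 11, "Image": r"C:\Users\Public\Snieoatwtregoable.exe",
     "TargetFilename": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\a244370e-44c9-4c06-b551-f6016e563076.cip"},
    {"ts": 120, "id": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="blk" dir=out action=block '
                    'program="C:\\Program Files\\360\\Total Security\\360Tray.exe"'},
    # A legitimately installed NIC driver: must produce no finding.
    {"ts": 500, "id": 7045, "ServiceName": "e1dexpress", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\e1dexpress.sys"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

    The driver rule is deliberately path-based rather than signer-based: the page's point is that the driver is legitimately signed, so a signature check alone would pass it, whereas a kernel service created from a user-writable directory and torn down two minutes later is rare on a healthy host.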

    The Trojan is designed to communicate with a remote server to fetch additional instructions that allow it to configure Windows Registry keys, clear Windows Event logs, download and execute files from provided URLs, alter clipboard data, run commands via “cmd.exe,” inject shellcode into “svchost.exe,” and execute payloads dropped to disk. The variant also implements a module that captures keystrokes, clipboard contents, and foreground window titles.

    Brand Impersonation Campaigns Target Chinese Speakers with Gh0st RAT

    The disclosure comes as Palo Alto Networks Unit 42 said it identified two interconnected malware campaigns that have employed “large-scale brand impersonation” to deliver Gh0st RAT to Chinese-speaking users. The activity has not been attributed to any known threat actor or group.


    While the first campaign – named Campaign Trio – took place between February and March 2025 by mimicking i4tools, Youdao, and DeepSeek across over 2,000 domains, the second campaign, detected in May 2025, is said to have been more sophisticated, impersonating more than 40 applications, including QQ Music and Sogou browser. The second wave has been codenamed Campaign Chorus.

    “From the first campaign to the second, the adversary advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses,” security researchers Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed, and Reethika Ramesh said.

    The domains have been found to host ZIP archives containing the trojanized installers, ultimately paving the way for the deployment of Gh0st RAT. The second campaign, however, not only leverages more software programs as lures to reach a wider demographic of Chinese speakers, but also employs an “intricate and elusive” infection chain using intermediary redirection domains to fetch the ZIP archives from public cloud service buckets.

    Campaign Chorus Attack Chain

    In doing so, the approach can bypass network filters that block traffic to unknown domains and improves the threat actor’s operational resilience. The MSI installer, in this case, also runs an embedded Visual Basic Script that is responsible for decrypting and launching the final payload by means of DLL side-loading.

    “The parallel operation of both old and new infrastructure through sustained activity suggests an operation that is not merely evolving but consists of multiple infrastructures and distinct tool sets simultaneously,” the researchers said. “This could indicate A/B testing of TTPs, targeting different victim sets with different levels of complexity, or simply a cost-effective strategy of continuing to leverage older assets as long as they remain effective.”


    Source: thehackernews.com…

  • Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time


    Nov 17, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

    Google has disclosed that the company’s continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time.

    “We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust’s impact on software delivery,” Google’s Jeff Vander Stoep said. “With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one.”

    The development comes a little over a year after the tech giant disclosed that its transition to Rust led to a decline in memory safety vulnerabilities from 223 in 2019 to fewer than 50 in 2024.


    The company pointed out that Rust changes need about 20% fewer revisions than their C++ counterparts and are rolled back less often, improving overall development throughput.

    Google also said it’s planning to expand Rust’s “security and productivity advantages” to other parts of the Android ecosystem, including kernel, firmware, and critical first-party apps like Nearby Presence, Message Layer Security (MLS), and Chromium, which has had its parsers for PNG, JSON, and web fonts replaced with memory-safe implementations in Rust.

    Furthermore, it has emphasized the need for a defense-in-depth approach, stating that the programming language’s built-in memory safety features are just one part of a comprehensive memory safety strategy.

    As an example, Google highlighted its discovery of a memory safety vulnerability (CVE-2025-48530, CVSS score: 8.1) in CrabbyAVIF, an AVIF (AV1 Image File Format) parser/decoder that uses unsafe Rust, which could have resulted in remote code execution. Although the linear buffer overflow never shipped in a public release, Google patched it as part of its Android security update for August 2025.


    Further analysis of the “near-miss” vulnerability found that it was rendered non-exploitable by Scudo, a dynamic user-mode memory allocator in Android that’s designed to combat heap-related vulnerabilities, such as buffer overflow, use after free, and double free, without sacrificing performance.

    Emphasizing that unsafe Rust is “already really quite safe,” Google said its vulnerability density is still significantly lower than that of C and C++, adding that an “unsafe” block in Rust does not automatically disable the language’s other safety checks.

    “While C and C++ will persist, and both software and hardware safety mechanisms remain critical for layered defense, the transition to Rust is a different approach where the more secure path is also demonstrably more efficient,” it said.


    Source: thehackernews.com…

  • RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet


    Nov 15, 2025 | Ravie Lakshmanan | Malware / Vulnerability


    The botnet malware known as RondoDox has been observed exploiting a critical security flaw in unpatched XWiki instances that could allow attackers to achieve arbitrary code execution.

    The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the “/bin/get/Main/SolrSearch” endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
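    As an added example (not code from VulnCheck or from the XWiki project), the following Python does the two checks a defender needs for this bug: a version comparator that understands XWiki's RC and milestone suffixes, so that 16.5.0RC1 correctly sorts below 16.5.0 and 16.4.0 is flagged while 16.4.1 is not, and an access-log scan for requests to the SolrSearch endpoint whose text parameter carries wiki macro syntax. The page gives no lower bound for the affected range, so every release below 15.10.11 is treated as unpatched (an assumption); the log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/bin/get/Main/SolrSearch"
_STAGE = {"milestone": 0, "rc": 1}   # pre-release tags sort below a final release (stage 2)


def parse_version(s):
    """'16.4.1' -> (16, 4, 1, 2, 0); '16.5.0RC1' -> (16, 5, 0, 1, 1);
    '15.10-milestone-2' -> (15, 10, 0, 0, 2). Tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-?(rc|milestone)-?(\d+))?", s.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {s!r}")
    stage, num = (_STAGE[m.group(4).lower()], int(m.group(5))) if m.group(4) else (2, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), stage, num)


def is_vulnerable(version):
    """True if the release predates the fix on its line (15.10.11 / 16.4.1 per the page).
    Assumption: there is no lower bound, so anything older than 15.10.11 is unpatched."""
    v = parse_version(version)
    if v < parse_version("15.10.11"):
        return True
    return v[0] == 16 and v < parse_version("16.4.1")


def suspicious_requests(log_lines):
    """Flag requests to the SolrSearch endpoint whose 'text' parameter carries
    wiki macro syntax ('{{'). Assumption: ordinary searches never contain it."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(ENDPOINT):
            continue
        text = " ".join(parse_qs(url.query).get("text", []))
        if "{{" in text:
            hits.append((line.split()[0], text))
    return hits


# Constructed Common Log Format lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=meeting%20notes HTTP/1.1" 200 2048',
    '198.51.100.8 - - [07/Nov/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for v in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1", "17.0.0"):
        print(f"{v:10s} vulnerable={is_vulnerable(v)}")
    for src, text in suspicious_requests(SAMPLE_LOG):
        print("suspicious SolrSearch request from", src, "text=", text)
```

    The log check is a triage aid, not proof of compromise: it tells you which sources sent macro syntax to the endpoint, which is enough to prioritise hosts for the patch and for a look at what ran afterwards.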

    While there was evidence that the shortcoming had been exploited in the wild since at least March, it wasn’t until late October that VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner.


    Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply necessary mitigations by November 20.

    In a fresh report published Friday, VulnCheck revealed that it has since observed a spike in exploitation attempts, hitting a new high on November 7, followed by another surge on November 11. This indicates broader scanning activity likely driven by multiple threat actors participating in the effort.

    This includes RondoDox, a botnet that is rapidly adding new exploitation vectors to rope susceptible devices into conducting distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP. VulnCheck observed the first RondoDox exploit attempt on November 3, 2025.

    Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, as well as attempts to establish a reverse shell and general probing activity using a Nuclei template for CVE-2025-24893.

    The findings once again underline the need to patch internet-facing XWiki instances promptly: exploitation began months before the broad scanning, so delayed patching left a long exposure window.

    “CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” VulnCheck’s Jacob Baines said. “Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability.”


    Source: thehackernews.com…

  • Five Plead Guilty in U.S. for Helping North Korean IT Workers Infiltrate 136 Companies


    The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea’s illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions.

    The five individuals are listed below –

    • Audricus Phagnasay, 24
    • Jason Salazar, 30
    • Alexander Paul Travis, 34
    • Oleksandr Didenko, 28, and
    • Erick Ntekereze Prince, 30

    Phagnasay, Salazar, and Travis pleaded guilty to one count of wire fraud conspiracy for knowingly allowing IT workers located outside of the U.S. to use their U.S. identities between about September 2019 and November 2022 and secure jobs at American firms.

    The three defendants also served as facilitators, hosting the company-issued laptops at their residences and installing remote desktop software on those machines without authorization so that the IT workers could connect to them and give the impression that they were working remotely within the U.S.

    Furthermore, the trio is said to have aided the overseas IT workers in passing employer vetting procedures, with Salazar and Travis going a step further by appearing for drug testing on their behalf. Travis, then an active-duty member of the U.S. Army, received at least $51,397 for his role in the fraudulent scheme. Phagnasay and Salazar are said to have earned at least $3,450 and $4,500, respectively.


    Didenko, whose arrest was disclosed by the DoJ back in May 2025, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for stealing the identities of U.S. citizens and selling them to IT workers so that they could land jobs at 40 U.S. companies. Didenko has also agreed to forfeit more than $1.4 million.

    “Didenko ran a website using a U.S.-based domain, ‘Upworksell.com,’ designed to help overseas IT workers buy or rent stolen or borrowed identities,” the DoJ said. “Beginning in 2021, the IT workers used the identities to get hired on online freelance work platforms based in California and Pennsylvania.”

    The Ukrainian national also paid individuals in the U.S. to receive and host laptops, turning their homes into laptop farms for the IT workers. One such laptop farm was operated by Christina Marie Chapman in Arizona. Didenko’s site has since been seized. Chapman was sentenced to 8.5 years in prison in July 2025.

    Didenko is estimated to have managed as many as 871 proxy identities and facilitated the operation of at least three U.S.-based laptop farms. He also enabled his overseas clients to access Money Service Transmitters rather than having to physically open an account at a U.S. bank to transfer the employment income to foreign bank accounts.

    Rounding off the list is Prince, who has pleaded guilty to one count of wire fraud conspiracy for operating a company called Taggcar Inc. from approximately June 2020 through August 2024 to supply purportedly “certified” IT workers to U.S. companies, and for running a laptop farm at his home in Florida. Prince earned more than $89,000 for his involvement in the IT worker fraud.

    It’s worth noting that Prince, along with Pedro Ernesto Alonso De Los Reyes, Emanuel Ashtor, Jin Sung-Il (진성일), and Pak Jin-Song (박진성), was indicted this January for allegedly enabling North Korean IT workers to obtain work at more than 64 U.S. companies.

    The scheme netted more than $943,069 in salary payments, most of which were funneled back to the IT workers overseas. Ashtor is currently awaiting trial, and De Los Reyes is pending extradition from the Netherlands.

    “In total, these defendants’ fraudulent employment schemes impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the [Democratic People’s Republic of Korea] regime, and compromised the identities of more than 18 U.S. persons,” the DoJ said.


    In a set of related actions, the DoJ said it has also filed two civil complaints to forfeit cryptocurrency valued at more than $15 million that the U.S. Federal Bureau of Investigation (FBI) seized in March 2025 from APT38 (aka BlueNoroff) actors. The digital assets, the complaints allege, were illegally obtained through hacks at overseas virtual currency platforms –

    • Theft of approximately $37 million from an Estonia-based virtual currency payments processor in July 2023
    • Theft of approximately $100 million from a Panama-based virtual currency payment processor in July 2023
    • Theft of approximately $138 million from a Panama-based virtual currency exchange in November 2023, and
    • Theft of approximately $107 million in virtual currency from a Seychelles-based virtual currency exchange in November 2023

    “Efforts to trace, seize, and forfeit related stolen virtual currency remain ongoing, as the APT38 actors continue to launder such funds through various virtual currency bridges, mixers, exchanges, and over-the-counter traders,” the department added.

    The new round of guilty pleas is the latest effort on the part of the U.S. government to combat and disrupt North Korea’s IT worker and hacking schemes, which have been used to fund the regime’s priorities. For several years, North Korea has infiltrated hundreds of companies in the West and elsewhere by posing as remote IT workers, drawing steady salaries that are used to fund its nuclear weapons program.

    A couple of weeks ago, the U.S. Treasury Department levied sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud.


    Source: thehackernews.com…

  • North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels


    Nov 14, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence


    The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads.

    “The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure,” NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report.

    The campaign essentially involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.

    In one such project spotted by NVISO, it has been found that a file named “server/config/.config.env” contains a Base64-encoded value that masquerades as an API key, but, in reality, is a URL to a JSON storage service like JSON Keeper where the next-stage payload is stored in obfuscated format.
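    As an added example (not code from NVISO's report), the following Python is the check a developer or a CI job can run over a cloned demo project before executing anything: it walks a .env-style file, Base64-decodes any value that will decode cleanly, and flags values that turn out to be URLs, with a stronger verdict when the host is one of the JSON storage services named above. The sample file, the hidden URL and the host list are constructed for the example (the hostnames are an assumption about where those services live).

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# JSON storage services named on the page; hostnames are an assumption.
STAGING_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def decode_if_base64(value):
    """Return the decoded text if value is Base64 (standard or URL-safe) that
    decodes to printable ASCII; otherwise None. Short values are skipped
    because almost any short token decodes to *something*."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return None
    padded = value + "=" * (-len(value) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.isprintable():
            return text
    return None


def classify(decoded):
    """'known-json-staging-host', 'url-hidden-in-env', or None for non-URLs."""
    u = urlsplit(decoded)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    host = u.hostname.lower()
    if any(host == h or host.endswith("." + h) for h in STAGING_HOSTS):
        return "known-json-staging-host"
    return "url-hidden-in-env"


def scan_env(text):
    """Scan .env content; return one finding per value that hides a URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m:
            continue   # comments and malformed lines
        key, value = m.group(1), m.group(2).strip("'\"")
        decoded = decode_if_base64(value)
        if decoded is None:
            continue
        verdict = classify(decoded)
        if verdict:
            findings.append({"line": lineno, "key": key, "decoded": decoded, "verdict": verdict})
    return findings


# Constructed sample: the path after /b/ is made up, not a real payload location.
_HIDDEN_URL = "https://api.jsonkeeper.com/b/EXAMPLE"
SAMPLE_ENV = (
    "# constructed sample, not from a real repository\n"
    "DB_HOST=localhost\n"
    "STRIPE_API_KEY=sk_test_example.not.base64\n"
    f"API_KEY={base64.b64encode(_HIDDEN_URL.encode()).decode()}\n"
    f"SESSION_SECRET={base64.b64encode(b'secret-value-for-sessions').decode()}\n"
)

if __name__ == "__main__":
    for f in scan_env(SAMPLE_ENV):
        print(f"line {f['line']}: {f['key']} decodes to {f['decoded']!r} [{f['verdict']}]")
```

    A real API key that happens to be valid Base64 will decode to non-printable bytes and be ignored, which is why the printable-ASCII test does most of the work; the host allowlist only upgrades the verdict.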


    The payload is a JavaScript malware known as BeaverTail, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret. While the functionality of the backdoor has remained largely unchanged from when it was first documented by Palo Alto Networks in late 2023, one notable change involves fetching an additional payload dubbed TsunamiKit from Pastebin.

    It’s worth noting that use of TsunamiKit as part of the Contagious Interview campaign was highlighted by ESET back in September 2025, with the attacks also dropping Tropidoor and AkdoorTea. The toolkit is capable of system fingerprinting, data collection, and fetching more payloads from a hard-coded .onion address that’s currently offline.

    “It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information,” the researchers concluded.

    “The use of legitimate websites such as JSON Keeper, JSON Silo and npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”


    Source: thehackernews.com…

  • Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets


    The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign.

    The activity, detected in early September 2025 and assessed to be ongoing, has been codenamed SpearSpecter by the Israel National Digital Agency (INDA).

    “The campaign has systematically targeted high-value senior defense and government officials using personalized social engineering tactics,” INDA researchers Shimi Cohen, Adi Pick, Idan Beit-Yosef, Hila David, and Yaniv Goldman said. “These include inviting targets to prestigious conferences or arranging significant meetings.”

    What’s notable about the effort is that it also extends to the targets’ family members, creating a broader attack surface that exerts more pressure on the primary targets.

    APT42 was first publicly documented in late 2022 by Google Mandiant, detailing its overlaps with another IRGC threat cluster tracked as APT35, CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, Educated Manticore, GreenCharlie, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.


    One of the group’s hallmarks is its ability to mount convincing social engineering campaigns that can run for days or weeks in an effort to build trust with targets, in some cases masquerading as known contacts to create an illusion of authenticity, before sending a malicious payload or tricking them into clicking booby-trapped links.

    As recently as June 2025, Check Point detailed an attack wave in which the threat actors approached Israeli technology and cyber security professionals by posing as technology executives or researchers in emails and WhatsApp messages.

    Goldman told The Hacker News that SpearSpecter and the June 2025 campaign are distinct and have been undertaken by two different sub-groups within APT42.

    “While our campaign was carried out by cluster D of APT42 (which focuses more on malware-based operations), the campaign detailed by Check Point was carried out by cluster B of the same group (which focuses more on credential harvesting),” Goldman added.

    INDA said SpearSpecter is flexible in that the adversary tweaks its approach based on the value of the target and operational objectives. In one set of attacks, victims are redirected to bogus meeting pages that are designed to capture their credentials. On the other hand, if the end goal is persistent long-term access, the attacks lead to the deployment of a known PowerShell backdoor dubbed TAMECAT that has been repeatedly put to use in recent years.

    To that end, the attack chains involve impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the “search-ms:” protocol handler.

    The LNK file, for its part, establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, which, in turn, employs various modular components to facilitate data exfiltration and remote control.
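    As an added example (not code from INDA's report), the following Python pulls search-ms: URIs out of a redirect page or message body and reports where each one scopes the search. The format assumed here is the one Microsoft documents for the protocol handler: "search-ms:" followed by "&"-separated name=value pairs, with crumb=location:<path> naming the folder to search; a UNC location makes Explorer fetch the listing from a remote host (SMB or, with the @SSL marker, WebDAV), which is how a remote LNK ends up rendered as a local-looking file. The sample URIs and HTML are constructed and use a reserved .invalid hostname.

```python
import re
from urllib.parse import unquote

SEARCH_MS_RE = re.compile(r"search(?:-ms)?:[^\s\"'<>]+", re.I)


def find_search_ms_uris(text):
    """Pull every search-ms:/search: URI out of a page, redirect body or e-mail."""
    return SEARCH_MS_RE.findall(text)


def parse_search_ms(uri):
    """Split a search-ms: URI into (name, value) pairs, percent-decoding values.
    Returns None for any other scheme."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("search-ms", "search"):
        return None
    pairs = []
    for part in rest.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.lower(), unquote(value)))
    return pairs


def assess(uri):
    """Describe where the search is scoped. 'remote' means the crumb points at a
    UNC path, so Explorer will contact that host and display whatever it serves
    under the friendly 'displayname' shown in the window title."""
    pairs = parse_search_ms(uri)
    if pairs is None:
        return None
    location = next((v[len("location:"):] for n, v in pairs
                     if n == "crumb" and v.lower().startswith("location:")), None)
    display = next((v for n, v in pairs if n == "displayname"), "")
    remote = location is not None and location.startswith("\\\\")
    host_part = location.lstrip("\\").split("\\")[0] if remote else ""
    return {
        "remote": remote,
        "host": host_part.split("@")[0] or None,   # '@SSL' / '@port' decorations name a WebDAV server
        "over_ssl": "@ssl" in host_part.lower(),
        "displayname": display,
        "location": location,
    }


# Constructed samples; files.example.invalid can never resolve.
SAMPLE_REMOTE = ("search-ms:query=Agenda.pdf&crumb=location:%5C%5Cfiles.example.invalid%40SSL"
                 "%5CDavWWWRoot%5Cmeeting&displayname=Documents")
SAMPLE_LOCAL = "search-ms:displayname=Downloads&crumb=location:C%3A%5CUsers%5Cme%5CDownloads"
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" content="0;url=' + SAMPLE_REMOTE +
               '"></head><body>Redirecting to your document...</body></html>')

if __name__ == "__main__":
    for uri in find_search_ms_uris(SAMPLE_HTML):
        print(assess(uri))
```

    In a proxy or mail gateway the useful signal is simply "remote is True": a search-ms: URI scoped to a UNC path has no business arriving from a web page, whatever display name it carries.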

    The PowerShell framework uses three distinct channels, viz., HTTPS, Discord, and Telegram, for command-and-control (C2), suggesting the threat actor’s goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked.

    For Telegram-based C2, TAMECAT listens for incoming commands from an attacker-controlled Telegram bot, based on which it fetches and executes additional PowerShell code from different Cloudflare Workers subdomains. In the case of Discord, a webhook URL is used to send basic system information and get commands in return from a hard-coded channel.


    “Analysis of accounts recovered from the actor’s Discord server suggests the command lookup logic relies on messages from a specific user, allowing the actor to deliver unique commands to individual infected hosts while using the same channel to coordinate multiple attacks, effectively creating a collaborative workspace on a single infrastructure,” INDA researchers said.

    Furthermore, TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP.

    It also adopts a variety of stealthy techniques to evade detection and resist analysis efforts. These include encrypting telemetry and controller payloads, obfuscating source code, using living-off-the-land binaries (LOLBins) to hide malicious activities, and operating mostly in memory, thereby leaving few traces on disk.

    “The SpearSpecter campaign’s infrastructure reflects a sophisticated blend of agility, stealth, and operational security designed to sustain prolonged espionage against high-value targets,” INDA said. “Operators leverage a multifaceted infrastructure that combines legitimate cloud services with attacker-controlled resources, enabling seamless initial access, persistent command-and-control (C2), and covert data exfiltration.”


    Source: thehackernews.com…

  • Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks


    Cybersecurity researchers have uncovered critical remote code execution vulnerabilities impacting major artificial intelligence (AI) inference engines, including those from Meta, Nvidia, Microsoft, and open-source PyTorch projects such as vLLM and SGLang.

    “These vulnerabilities all traced back to the same root cause: the overlooked unsafe use of ZeroMQ (ZMQ) and Python’s pickle deserialization,” Oligo Security researcher Avi Lumelsky said in a report published Thursday.

    At its core, the issue stems from what has been described as a pattern called ShadowMQ, in which the insecure deserialization logic has propagated to several projects as a result of code reuse.

    The root cause is a vulnerability in Meta’s Llama large language model (LLM) framework (CVE-2024-50050, CVSS score: 6.3/9.3) that was patched by the company last October. Specifically, it involved the use of ZeroMQ’s recv_pyobj() method to deserialize incoming data using Python’s pickle module.

    This, coupled with the fact that the framework exposed the ZeroMQ socket over the network, opened the door to a scenario where an attacker can execute arbitrary code by sending malicious data for deserialization. The issue has also been addressed in the pyzmq Python library.


    Oligo has since discovered the same pattern recurring in other inference frameworks, such as NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server, vLLM, and SGLang.

    “All contained nearly identical unsafe patterns: pickle deserialization over unauthenticated ZMQ TCP sockets,” Lumelsky said. “Different maintainers and projects maintained by different companies – all made the same mistake.”

    Tracing the origins of the problem, Oligo found that in at least a few cases, it was the result of a direct copy-paste of code. For example, the vulnerable file in SGLang says it’s adapted from vLLM, while Modular Max Server has borrowed the same logic from both vLLM and SGLang, effectively perpetuating the same flaw across codebases.
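    As an added defensive example (not code from Oligo or from any of the affected projects), the snippet below shows the distinction that matters: recv_pyobj() is pickle.loads() applied to whatever arrives on the socket, and a pickle can only invoke code by first naming a callable through find_class, so an Unpickler that refuses every such lookup keeps the wire format while removing that capability. The zmq socket is replaced by a constructed stand-in so the code runs without pyzmq; the complete fix is still to authenticate the socket and move to a data-only format such as JSON.

```python
"""Data-only unpickling as a drop-in for recv_pyobj() (added example, not project code)."""
import io
import pickle
from typing import Any

# recv_pyobj() is pickle.loads() applied to whatever arrives on the socket.
# pickle can only invoke code by first resolving a callable through find_class
# (GLOBAL / STACK_GLOBAL opcodes), so refusing every such lookup removes that
# capability while leaving plain data (dict, list, tuple, str, bytes, int,
# float, bool, None) readable.


class DataOnlyUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str) -> Any:
        # Reached only when the stream names a class or function: reject it.
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_loads(payload: bytes) -> Any:
    """Unpickle payload, raising UnpicklingError for anything beyond plain data."""
    return DataOnlyUnpickler(io.BytesIO(payload)).load()


def recv_pyobj_safe(sock) -> Any:
    """Replacement for sock.recv_pyobj(); sock needs only a recv() -> bytes."""
    return safe_loads(sock.recv())


def classify(payload: bytes) -> str:
    """'data' if the pickle is plain data, 'rejected' if it names any callable."""
    try:
        safe_loads(payload)
        return "data"
    except pickle.UnpicklingError:
        return "rejected"


class FakeSocket:
    """Constructed stand-in for zmq.Socket so this runs without pyzmq."""

    def __init__(self, frames):
        self._frames = list(frames)

    def recv(self) -> bytes:
        return self._frames.pop(0)


# Constructed samples: a plain-data request of the kind a worker expects, and two
# pickles that name a callable (a harmless builtin and an exception class). Any
# code-execution pickle must name a callable too, so it is rejected the same way.
REQUEST = pickle.dumps({"rid": 7, "prompt": "hello", "max_tokens": 16})
CALLABLE_REF = pickle.dumps(len)
INSTANCE_REF = pickle.dumps(ValueError("boom"))

if __name__ == "__main__":
    print(recv_pyobj_safe(FakeSocket([REQUEST])))          # {'rid': 7, ...}
    print(classify(CALLABLE_REF), classify(INSTANCE_REF))  # rejected rejected
```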

    The issues have been assigned the following identifiers –

    • CVE-2025-30165 (CVSS score: 8.0) – vLLM (While the issue is not fixed, it has been addressed by switching to the V1 engine by default)
    • CVE-2025-23254 (CVSS score: 8.8) – NVIDIA TensorRT-LLM (Fixed in version 0.18.2)
    • CVE-2025-60455 (CVSS score: N/A) – Modular Max Server (Fixed)
    • Sarathi-Serve (Remains unpatched)
    • SGLang (Implemented incomplete fixes)

    With inference engines acting as a crucial component within AI infrastructures, a successful compromise of a single node could permit an attacker to execute arbitrary code on the cluster, escalate privileges, conduct model theft, and even drop malicious payloads like cryptocurrency miners for financial gain.

    “Projects are moving at incredible speed, and it’s common to borrow architectural components from peers,” Lumelsky said. “But when code reuse includes unsafe patterns, the consequences ripple outward fast.”

    The disclosure comes as a new report from AI security platform Knostic has found that it’s possible to compromise Cursor’s new built-in browser via JavaScript injection techniques, not to mention leverage a malicious extension to facilitate JavaScript injection in order to take control of the developer workstation.


    The first attack involves registering a rogue local Model Context Protocol (MCP) server that bypasses Cursor’s controls to allow an attacker to replace the login pages within the browser with a bogus page that harvests credentials and exfiltrates them to a remote server under their control.

    “Once a user downloaded the MCP server and ran it, using an mcp.json file within Cursor, it injected code into Cursor’s browser that led the user to a fake login page, which stole their credentials and sent them to a remote server,” security researcher Dor Munis said.

    Given that the AI-powered source code editor is essentially a fork of Visual Studio Code, a bad actor could also craft a malicious extension to inject JavaScript into the running IDE to execute arbitrary actions, including marking harmless Open VSX extensions as “malicious.”

    “JavaScript running inside the Node.js interpreter, whether introduced by an extension, an MCP server, or a poisoned prompt or rule, immediately inherits the IDE’s privileges: full file-system access, the ability to modify or replace IDE functions (including installed extensions), and the ability to persist code that reattaches after a restart,” the company said.

    “Once interpreter-level execution is available, an attacker can turn the IDE into a malware distribution and exfiltration platform.”

    To counter these risks, it’s essential that users disable Auto-Run features in their IDEs, vet extensions, install MCP servers from trusted developers and repositories, check what data and APIs the servers access, use API keys with minimal required permissions, and audit MCP server source code for critical integrations.


    Source: thehackernews.com…

  • Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns


    Key Takeaways:

    • 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
    • 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
    • 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
    • LockBit’s reappearance with version 5.0 signals potential re-centralization after months of fragmentation.

    In Q3 2025, Check Point Research recorded 85 active ransomware and extortion groups, the highest number ever observed. What was once a concentrated market dominated by a few ransomware-as-a-service (RaaS) giants has splintered into dozens of smaller, short-lived operations.

    This proliferation of leak sites represents a fundamental structural shift. The same enforcement and market pressures that disrupted large RaaS groups have fueled a wave of opportunistic, decentralized actors, many run by former affiliates now operating independently.

    Read the full Q3 2025 Ransomware Report

    A Record 85 Active Groups

    Across more than 85 monitored leak sites, ransomware operators published:

    • 1,592 new victims in Q3 2025.
    • An average of 535 disclosures per month.
    • A major power shift: the top ten groups accounted for just 56% of victims, down from 71% earlier this year.

    Smaller actors are now posting fewer than ten victims each, reflecting a rise in independent operations outside traditional RaaS hierarchies. Many emerged from the collapse of RansomHub, 8Base, and BianLian. Fourteen new groups began publishing in Q3 alone, bringing the 2025 total to 45.

    Fragmentation at this level erodes predictability, once the cyber security professional’s advantage. When large RaaS brands dominated, security teams could track affiliate behaviors and infrastructure reuse. Now, dozens of ephemeral leak sites make attribution fleeting and reputation-based intelligence far less reliable.

    Share of total victims by top 10 ransomware groups, Q1–Q3 2025


    Law Enforcement’s Limited Impact

    Several high-profile takedowns this year targeting groups like RansomHub and 8Base have not meaningfully reduced ransomware volume. Affiliates displaced by these operations simply migrate or rebrand.

    The problem is structural. Law-enforcement efforts typically dismantle infrastructure or seize domains, not the affiliates who execute attacks. When a platform falls, those operators scatter and regroup within days. The result is a broader, more resilient ecosystem that mirrors decentralized finance or open-source communities more than a traditional criminal hierarchy.

    This diffusion also undermines the credibility of the ransomware market. Smaller, short-lived crews have no incentive to honor ransom agreements or provide decryption keys. Payment rates, estimated at just 25 to 40 percent, continue to decline as victims lose trust in attacker promises.

    LockBit’s Return and Re-centralization

    In September 2025, LockBit 5.0 marked the return of one of cybercrime’s most enduring brands.

    Its administrator, LockBitSupp, had teased a comeback for months following the 2024 takedown under Operation Cronos. The new version delivers:

    • Updated Windows, Linux, and ESXi variants.
    • Faster encryption and improved evasion.
    • Unique negotiation portals per victim.

    At least a dozen victims were hit in the first month. The campaign demonstrates renewed affiliate confidence and technical maturity.

    For attackers, joining a recognizable brand like LockBit brings something smaller crews cannot offer: reputation. Victims are more likely to pay when they believe they will actually receive decryption keys, trust that large RaaS programs carefully maintain.

    If LockBit succeeds in attracting affiliates seeking structure and credibility, it could recentralize a significant portion of the ransomware economy. Centralization has a dual effect. It makes tracking easier but increases the potential scale of coordinated attacks.

    LockBit 5.0 ransom note from an attack

    DragonForce and the Performance of Power

    DragonForce illustrates another survival strategy: visibility through branding. In September, the group publicly claimed coalitions with both LockBit and Qilin on underground forums. No shared infrastructure has been verified, and the alliances appear more symbolic than operational.

    Still, these moves highlight ransomware’s evolution toward corporate-style marketing. DragonForce promotes itself with:

    • Affiliate partnership announcements.
    • Data-audit services to analyze stolen data and improve extortion leverage.
    • Public relations aimed at projecting strength and reliability.

    The group’s messaging reflects a competitive marketplace where image and credibility are as valuable as encryption speed.

    DragonForce audit example

    Geographic and Industry Trends

    Global targeting in Q3 2025 largely mirrored previous quarters but with distinct regional and sector shifts.

    • The United States accounted for about half of all reported victims, continuing to be the prime target for financially motivated actors.
    • South Korea entered the global top ten for the first time, almost entirely due to Qilin’s focused campaign against financial firms.
    • Europe remained highly active, with Germany and the United Kingdom seeing sustained pressure from Safepay and INC Ransom.


    On the industrial side:

    • Manufacturing and business services each represented about 10 percent of recorded cases.
    • Healthcare held steady at 8 percent, though some groups such as Play avoid the sector to reduce scrutiny.

    These shifts show how ransomware is guided by business logic more than ideology. Actors pursue sectors and regions with high-value data and low tolerance for downtime.

    The Road Ahead

    Q3 2025 confirms ransomware’s structural resilience. Enforcement and market pressure no longer suppress overall volume; they simply reshape the landscape. Each takedown disperses actors who quickly resurface under new names or join emerging collectives.

    LockBit’s return adds another layer of complexity, raising the question of whether ransomware is entering a new consolidation cycle. If LockBit re-establishes dominance, it may restore some predictability but also re-enable large-scale, coordinated campaigns that smaller crews cannot execute.

    For cyber security professionals, the takeaway is clear. Tracking brands is no longer enough. Analysts must monitor affiliate mobility, infrastructure overlap, and economic incentives — the underlying forces that sustain ransomware even as its faces fragment.




    Source: thehackernews.com…

  • Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts


    Nov 14, 2025 | Ravie Lakshmanan | Threat Intelligence / Vulnerability

    Cybersecurity researchers are sounding the alarm about an authentication bypass vulnerability in the Fortinet FortiWeb WAF that could allow an attacker to take over admin accounts and completely compromise a device.

    “The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” Benjamin Harris, watchTowr CEO and founder, said in a statement.

    “Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.”


    The cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (PoC). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices.

    According to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation has been found to send a payload to the endpoint “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” via an HTTP POST request to create an admin account.

    Some of the admin usernames and passwords created by the payloads detected in the wild are listed below –

    • Testpoint / AFodIUU3Sszp5
    • trader1 / 3eMIXX43
    • trader / 3eMIXX43
    • test1234point / AFT3$tH4ck
    • Testpoint / AFT3$tH4ck
    • Testpoint / AFT3$tH4ckmet0d4yaga!n

    The origins and identity of the threat actor behind the attacks remain unknown. The exploitation activity was first detected early last month. As of writing, Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.
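    As an added example (not code from watchTowr, Defused, PwnDefend or Fortinet), the Python below runs the reported request pattern over constructed access-log lines and checks a device's admin list against the usernames seen in the wild. The log format is assumed to be a generic combined log, since FortiWeb's own format is not shown here.

```python
"""Access-log and admin-list checks for the FortiWeb fwbcgi traversal (added example)."""
import re
from urllib.parse import unquote

# Constructed log lines in a generic combined-log style; FortiWeb's own log
# format is not shown in the article. The request path is the one reported by
# Defused and PwnDefend; the usernames are those listed in the article.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.10 - - [14/Nov/2025:10:01:05 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2025:10:02:00 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
198.51.100.7 - - [14/Nov/2025:10:03:00 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
"""

KNOWN_USERS = {"Testpoint", "trader1", "trader", "test1234point"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_fwbcgi_traversal(raw_path: str) -> bool:
    """True when an /api/ path climbs out with dot-dot segments to reach cgi-bin/fwbcgi."""
    path = unquote(unquote(raw_path))   # two passes: %3F -> ?, %253F -> %3F -> ?
    path = path.replace("\\", "/")      # treat backslash separators like '/'
    return path.startswith("/api/") and "/../" in path and "cgi-bin/fwbcgi" in path


def scan_access_log(text: str) -> list:
    """One finding per request whose path matches the exploitation pattern."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_fwbcgi_traversal(m["path"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "method": m["method"], "status": m["status"]})
    return findings


def suspicious_admins(configured) -> list:
    """Admin usernames on the device that match the ones created in the wild."""
    return sorted(name for name in configured if name in KNOWN_USERS)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} -> {f['status']}")
    print(suspicious_admins(["admin", "Testpoint", "ops"]))
```

    A 200 on the traversal request followed by an unexpected admin account is the combination worth treating as a confirmed compromise rather than a blocked probe.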


    The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back.

    Rapid7, which is urging organizations running versions of Fortinet FortiWeb that predate 8.0.2 to address the vulnerability on an emergency basis, said it observed that an alleged zero-day exploit targeting FortiWeb was put up for sale on a popular black hat forum on November 6, 2025. It’s currently not clear if it’s the same exploit.

    “While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven’t already,” Harris said. “That said, given the indiscriminate exploitation observed […], appliances that remain unpatched are likely already compromised.”


    Source: thehackernews.com…