Category: Cybersecurity

  • Hard-Coded Credentials Found in HPE Instant On Devices Allow Admin Access

    Jul 21, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems.

    The vulnerability, tracked as CVE-2025-37103, carries a CVSS score of 9.8 out of a maximum of 10.0.

    “Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” the company said in an advisory.

    “Successful exploitation could allow a remote attacker to gain administrative access to the system.”

    Also patched by HPE is an authenticated command injection flaw in the command-line interface of the HPE Networking Instant On Access Points (CVE-2025-37102, CVSS score: 7.2) that a remote attacker could exploit with elevated permissions to run arbitrary commands on the underlying operating system as a privileged user.

    This also means that an attacker could fashion CVE-2025-37103 and CVE-2025-37102 into an exploit chain, allowing them to obtain administrative access and inject malicious commands into the command-line interface for follow-on activity.

    The company credited ZZ from Ubisectech Sirius Team for discovering and reporting the two issues. Both vulnerabilities have been resolved in HPE Networking Instant On software version 3.2.1.0 and above.

    HPE also noted in its advisory that other devices, such as HPE Networking Instant On Switches, are not affected.

    While there is no evidence that either of the flaws has come under active exploitation, users are advised to apply the updates as soon as possible to mitigate potential threats.


    Source: thehackernews.com…

  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks

    Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with “more robust protections.”

    The tech giant acknowledged it’s “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

    CVE-2025-53770 (CVSS score: 9.8), as the exploited vulnerability is tracked, concerns a case of remote code execution that arises from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server.

    The newly disclosed shortcoming is a spoofing flaw in SharePoint (CVE-2025-53771, CVSS score: 6.3). An anonymous researcher has been credited with discovering and reporting the bug.

    “Improper limitation of a pathname to a restricted directory (‘path traversal’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network,” Microsoft said in an advisory released on July 20, 2025.

    Microsoft also noted that CVE-2025-53770 and CVE-2025-53771 are related to two other SharePoint vulnerabilities documented by CVE-2025-49704 and CVE-2025-49706, which could be chained to achieve remote code execution. The exploit chain, referred to as ToolShell, was patched as part of the company’s July 2025 Patch Tuesday update.

    “The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” the Windows maker said. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

    It’s worth noting that Microsoft previously characterized CVE-2025-53770 as a variant of CVE-2025-49706. When reached for comment about this discrepancy, a Microsoft spokesperson told The Hacker News that “it is prioritizing getting updates out to customers while also correcting any content inaccuracies as necessary.”

    The company also said that the current published content is correct and that the previous inconsistency does not impact the company’s guidance for customers.

    Both the identified flaws apply to on-premises SharePoint Servers only, and do not impact SharePoint Online in Microsoft 365. The issues have been addressed in the versions below (for now) –

    To mitigate potential attacks, customers are recommended to –

    • Use supported versions of on-premises SharePoint Server (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
    • Apply the latest security updates
    • Ensure the Antimalware Scan Interface (AMSI) is turned on and enable Full Mode for optimal protection, along with an appropriate antivirus solution such as Defender Antivirus
    • Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
    • Rotate SharePoint Server ASP.NET machine keys

    “After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers,” Microsoft said. “If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.”

    The development comes as Eye Security told The Hacker News that at least 54 organizations have been compromised, including banks, universities, and government entities. Active exploitation is said to have commenced around July 18, according to the company.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for its part, added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025.

    Palo Alto Networks Unit 42, which is also tracking what it described as a “high-impact, ongoing threat campaign,” said government, schools, healthcare (including hospitals), and large enterprise companies are at immediate risk.

    “Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told The Hacker News. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.

    “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat. What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn’t stay contained—it opens the door to the entire network.”

    The cybersecurity vendor has also classified it as a high-severity, high-urgency threat, urging organizations running on-premises Microsoft SharePoint servers to apply the necessary patches with immediate effect, rotate all cryptographic material, and engage in incident response efforts.

    “An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

    (This is a developing story. Please check back for more details.)


    Source: thehackernews.com…

  • EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware

    Jul 20, 2025 | Ravie Lakshmanan | AI Security / Infostealers

    The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that’s targeting Web3 developers to infect them with information stealer malware.

    “LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests,” Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News.

    While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets.

    EncryptHub’s focus on Web3 developers isn’t random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect with traditional enterprise security controls. This decentralized, high-value developer community presents an ideal target for attackers looking to monetize quickly without triggering centralized defenses.

    The attack chains entail directing prospective targets to deceptive artificial intelligence (AI) platforms and tricking them into clicking on purported meeting links within these sites.

    Meeting links to these sites are sent to developers who follow Web3 and Blockchain-related content via platforms like X and Telegram under the pretext of a job interview or portfolio discussion. The threat actors have also been found sending the meeting links to people who applied for positions posted by them on a Web3 job board called Remote3.

    What’s interesting is the approach used by the attackers to sidestep security warnings issued by Remote3 on their site. Given that the service explicitly warns job seekers against downloading unfamiliar video conferencing software, the attackers conduct an initial conversation via Google Meet, during which they instruct the applicant to resume the interview on Norlax AI.

    Regardless of the method used, once the victim clicks on the meeting link, they are asked to enter their email address and invitation code, following which they are served a fake error message about outdated or missing audio drivers.

    Clicking the message leads to the download of malicious software disguised as a genuine Realtek HD Audio Driver, which executes PowerShell commands to retrieve and deploy the Fickle Stealer. The information gathered by the stealer malware is transmitted to an external server codenamed SilentPrism.

    “The threat actors distribute infostealers like Fickle through fake AI applications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data,” PRODAFT said.

    “This latest operation suggests a shift toward alternative monetization strategies, including the exfiltration of valuable data and credentials for potential resale or exploitation in illicit markets.”

    The development comes as Trustwave SpiderLabs detailed a new ransomware called KAWA4096 that “follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility.”

    KAWA4096, which first emerged in June 2025, is said to have targeted 11 companies, with the most number of targets located in the United States and Japan. The initial access vector used in the attacks is not known.

    A notable feature of KAWA4096 is its ability to encrypt files on shared network drives and the use of multithreading to increase operational efficiency and speed up the scanning and encryption process.

    “After identifying valid files, the ransomware adds them to a shared queue,” security researchers Nathaniel Morales and John Basmayor said. “This queue is processed by a pool of worker threads, each responsible for retrieving file paths and passing it on to the encryption routine. A semaphore is used for synchronization among threads, ensuring efficient processing of the file queue.”

    Another new entrant to the ransomware landscape is Crux, which claims to be part of the BlackByte group and has been deployed in the wild in three incidents detected on July 4 and 13, 2025, per Huntress.

    In one of the incidents, the threat actors have been found to leverage valid credentials via RDP to obtain a foothold in the target network. Common to all the attacks is the use of legitimate Windows tools like svchost.exe and bcdedit.exe to conceal malicious commands and modify boot configuration so as to inhibit system recovery.

    “The threat actor also clearly has a preference for legitimate processes like bcdedit.exe and svchost.exe, so continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment,” Huntress said.


    Source: thehackernews.com…

  • Malware Injected into 5 npm Packages After Maintainer Tokens Stolen in Phishing Attack

    Jul 20, 2025 | Ravie Lakshmanan | DevOps / Threat Intelligence

    Cybersecurity researchers have warned of a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.

    The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

    The affected packages and their rogue versions, according to Socket, are listed below –

    • eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
    • eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
    • synckit (version 0.11.9)
    • @pkgr/core (version 0.2.8)
    • napi-postinstall (version 0.3.1)

    “The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.

    The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.

    The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.

    The bogus landing page to which the victims are redirected, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.

    Developers who use the affected packages are advised to cross-check the versions installed and roll back to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts and to use scoped tokens instead of passwords for publishing packages.

    “This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.

    The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.

    However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.

    “This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.

    Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware

    It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.

    The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.

    “These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”


    Source: thehackernews.com…

  • Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers

    Jul 20, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

    A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.

    The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.

    “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.

    The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

    In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.

    In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.

    It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

    For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.

    The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.

    But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.

    Eye Security said the wide-scale attacks it identified leverage CVE-2025-49706 to POST a remote code execution payload exploiting CVE-2025-49704. “We believe that the finding that adding ‘_layouts/SignOut.aspx’ as HTTP referer makes CVE-2025-49706 into CVE-2025-53770,” it said.

    It’s worth mentioning here that the ZDI has characterized CVE-2025-49706 as an authentication bypass vulnerability that stems from how the application handles the HTTP Referer header provided to the ToolPane endpoint (“/_layouts/15/ToolPane.aspx”).

    The malicious activity essentially involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.

    The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.

    “We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”

    More than 85 SharePoint servers globally have been identified as compromised with the malicious web shell as of writing. These hacked servers belong to 29 organizations, including multinational firms and government entities.

    It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.

    (The story is developing. Please check back for more details.)


    Source: thehackernews.com…

  • Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack

    Jul 20, 2025 | Ravie Lakshmanan | DevOps / Threat Intelligence

    Cybersecurity researchers have warned of a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.

    The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

    The affected packages and their rogue versions, according to Socket, are listed below –

    • eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
    • eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
    • synckit (version 0.11.9)
    • @pkgr/core (version 0.2.8)
    • napi-postinstall (version 0.3.1)

    “The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.

    The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.

    The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.

    The bogus landing page to which the victims are redirected, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.

    Developers who use the affected packages are advised to cross-check the versions installed and roll back to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts and to use scoped tokens instead of passwords for publishing packages.
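    The version cross-check recommended here (and in the earlier copy of this item above) can be automated against a project's package-lock.json. The script below is an added example, not Socket's or npm's own tooling; it assumes the standard npm lockfile layouts (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1), and the two sample lockfiles are constructed for the demonstration.

```python
import json

# Compromised package versions exactly as listed by Socket in the article above.
COMPROMISED = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}


def package_name_from_path(path):
    """Derive the package name from a lockfile v2/v3 install path.

    'node_modules/a/node_modules/@pkgr/core' -> '@pkgr/core': everything after
    the last 'node_modules/' segment, which keeps the scope of scoped packages.
    """
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def find_compromised(lock):
    """Return one dict per installed package whose version is in COMPROMISED.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" tree). Nested installs such as
    node_modules/x/node_modules/synckit are checked too, because a compromised
    transitive dependency is just as dangerous as a direct one.
    """
    hits = []
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Aliased installs carry an explicit "name"; otherwise use the path.
            name = meta.get("name") or package_name_from_path(path)
            version = meta.get("version")
            if version in COMPROMISED.get(name, ()):
                hits.append({"name": name, "version": version, "path": path})
        return hits

    def walk(deps, prefix):
        for name, meta in (deps or {}).items():
            path = prefix + "node_modules/" + name
            version = meta.get("version")
            if version in COMPROMISED.get(name, ()):
                hits.append({"name": name, "version": version, "path": path})
            walk(meta.get("dependencies"), path + "/")

    walk(lock.get("dependencies"), "")
    return hits


def scan_lockfile(path):
    """Load a package-lock.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


# Constructed sample lockfiles (not real projects) covering both formats.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/eslint-config-prettier": {"version": "10.1.7"},
    "node_modules/eslint-plugin-prettier": {"version": "5.1.3"},
    "node_modules/some-tool": {"version": "2.0.0"},
    "node_modules/some-tool/node_modules/synckit": {"version": "0.11.9"},
    "node_modules/@pkgr/core": {"version": "0.2.7"}
  }
}""")

SAMPLE_LOCK_V1 = json.loads("""{
  "name": "legacy-app", "lockfileVersion": 1,
  "dependencies": {
    "build-helper": {"version": "1.2.0",
                     "dependencies": {"napi-postinstall": {"version": "0.3.1"}}},
    "eslint-config-prettier": {"version": "9.1.0"}
  }
}""")


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for hit in find_compromised(lock):
            print(f"[{label}] COMPROMISED {hit['name']}@{hit['version']} at {hit['path']}")
```

    Run scan_lockfile("package-lock.json") in each project; an empty result means none of the listed rogue versions is pinned, while any hit should be rolled back before the next install.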

    “This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.

    The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.

    However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.

    “This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.

    Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware

    It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.

    The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.

    “These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”


    Source: thehackernews.com…

  • Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Global Organizations

    Jul 20, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

    A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.

    The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.

    “Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.

    The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

    In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.

    In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.

    It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

    For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.

    The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.

    But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.

    The malicious activity essentially involves delivering ASPX payloads via PowerShell, which are then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.

    The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.

    “We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”

    “We notified almost 75 organisations that got breached, as we identified the malicious web shell on their SharePoint servers. In this group are big companies and large government bodies across the world.”

    It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.

    (The story is developing. Please check back for more details.)


    Source: thehackernews.com…

  • Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

    Jul 20, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.

    “CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS,” according to a description of the vulnerability in the NIST’s National Vulnerability Database (NVD).

    CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.

    “The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”

    CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers—making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

    The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It’s believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.

    CrushFTP has also released the following indicators of compromise (IoCs) –

    • Default user has admin access
    • Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
    • Other new usernames created with admin access
    • The file “MainUsers/default/user.xml” was recently modified and has a “last_logins” value in it
    • Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button

    Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. Look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations—typical signs of post-exploitation behavior in real-world breach scenarios.
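    Two of the file-system indicators above (long random user IDs, and a recently modified MainUsers/default/user.xml containing a last_logins value) can be checked with a small triage script. The one below is an added example rather than CrushFTP's own tooling; it assumes each account lives under MainUsers/<username>/user.xml as the advisory's path suggests, that last_logins appears as an XML element or attribute, and the "random ID" test is a heuristic derived from the single sample ID quoted above. The admin-access indicators are not covered, since the page does not describe how admin rights are stored.

```python
import os
import tempfile
import time
import xml.etree.ElementTree as ET

_HEX = set("0123456789abcdefABCDEF")


def looks_random_user_id(name):
    """Heuristic for the 'long random user ID' indicator.

    The sample on the page is 32 hex characters plus one trailing letter, so
    flag any account name of 24+ characters that is at least 90% hex digits.
    """
    if len(name) < 24:
        return False
    return sum(c in _HEX for c in name) / len(name) >= 0.9


def has_last_logins(xml_path):
    """True if any element or attribute in user.xml is named last_logins.

    Deliberately schema-agnostic: the advisory only says the file 'has a
    last_logins value in it'. Falls back to a text search if the XML is malformed.
    """
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        with open(xml_path, encoding="utf-8", errors="replace") as fh:
            return "last_logins" in fh.read()
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip any XML namespace prefix
        if tag == "last_logins" or "last_logins" in el.attrib:
            return True
    return False


def scan_main_users(main_users_dir, now=None, recent_days=30):
    """Walk MainUsers/<user>/ and return one finding dict per indicator hit."""
    now = time.time() if now is None else now
    findings = []
    for user in sorted(os.listdir(main_users_dir)):
        user_dir = os.path.join(main_users_dir, user)
        if not os.path.isdir(user_dir):
            continue
        if looks_random_user_id(user):
            findings.append({"user": user, "indicator": "long_random_user_id"})
        xml_path = os.path.join(user_dir, "user.xml")
        if not os.path.isfile(xml_path):
            continue
        age_days = (now - os.path.getmtime(xml_path)) / 86400
        if user == "default" and age_days <= recent_days and has_last_logins(xml_path):
            findings.append({
                "user": user,
                "indicator": "default_user_xml_modified_with_last_logins",
                "age_days": round(age_days, 1),
            })
    return findings


def build_demo_tree(base):
    """Constructed sample tree (not a real CrushFTP install) for demonstration."""
    main = os.path.join(base, "MainUsers")
    users = {
        "alice": "<user><username>alice</username></user>",
        "default": "<user><username>default</username><last_logins>1</last_logins></user>",
        "7a0d26089ac528941bf8cb998d97f408m": "<user><username>x</username></user>",
    }
    for name, body in users.items():
        os.makedirs(os.path.join(main, name))
        with open(os.path.join(main, name, "user.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Backdate alice's file so an untouched account does not trip the recency check.
    old = time.time() - 400 * 86400
    os.utime(os.path.join(main, "alice", "user.xml"), (old, old))
    return main


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_main_users(build_demo_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    Point scan_main_users at the real MainUsers directory of a CrushFTP install; any finding should be correlated with admin login events and recent permission changes as described above.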

    As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –

    • Limit the IP addresses used for administrative actions
    • Allowlist IPs that can connect to the CrushFTP server
    • Switch to DMZ CrushFTP instance for enterprise use
    • Ensure automatic updates are enabled

    At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.

    Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.

    With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.


    Source: thehackernews.com…

  • Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks

    Jul 18, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

    According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.

    CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code.


    While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware families like SPAWNCHIMERA and DslogdRAT.

    The latest analysis of the attacks involving ICS vulnerabilities has unearthed the use of DLL side-loading techniques to launch MDifyLoader that includes an encoded Cobalt Strike beacon payload. The beacon has been identified as version 4.5, which was released in December 2021.

    “MDifyLoader is a loader created based on the open-source project libPeConv,” JPCERT/CC researcher Yuma Masubuchi said. “MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.”

    Also put to use is a Go-based remote access tool named VShell and another open-source network scanning utility written in Go called Fscan. It’s worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

    The execution flow of Fscan

    Fscan has been found to be executed by means of a loader, which, in turn, is launched using DLL side-loading. The rogue DLL loader is based on the open-source tool FilelessRemotePE.

    “The used VShell has a function to check whether the system language is set to Chinese,” JPCERT/CC said. “The attackers repeatedly failed to execute VShell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.”


    Upon gaining a foothold into the internal network, the attackers are said to have carried out brute-force attacks against FTP, MS-SQL, and SSH servers and leveraged the EternalBlue SMB exploit (MS17-010) in an attempt to extract credentials and laterally move across the network.

    “The attackers created new domain accounts and added them to existing groups, allowing them to retain access even if previously acquired credentials were revoked,” Masubuchi said.

    “These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers.”
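The persistence behaviour JPCERT/CC describes (new accounts added to existing groups, malware registered as a service or scheduled task) maps onto a handful of Windows event IDs. The following is an added example, not JPCERT/CC's tooling: three correlation rules run over constructed event records. The event ID numbers are the real Windows ones (4720 account created, 4728/4732/4756 member added to a group, 7045 service installed, 4698 scheduled task created); the field names (`ts`, `subject`, `target`, `group`, `image_path`, `command`) are this example's own normalised names and will differ from a raw EVTX or SIEM export.

```python
"""Correlation rules for account-based and service/task persistence.
Added example, not JPCERT/CC code. Events below are constructed to mimic
normalised Windows Security/System log records; the EventID values are real,
the field names are this example's own.
"""
from __future__ import annotations

ACCOUNT_CREATED = 4720                    # Security: a user account was created
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # Security: member added to global/local/universal group
SERVICE_INSTALLED = 7045                  # System: a new service was installed
TASK_CREATED = 4698                       # Security: a scheduled task was created

# Directories an unprivileged user can normally write to. A service or task
# whose binary lives here is worth a second look.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def _from_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def correlate(events: list[dict], window_s: int = 3600) -> list[tuple[str, str, str]]:
    """Return (rule, subject, detail) tuples.

    Rule 1: an account is created and, within window_s seconds, added to a group.
    Rule 2: a service is installed with its binary in a user-writable directory.
    Rule 3: a scheduled task is created whose command runs from a user-writable directory.
    """
    alerts: list[tuple[str, str, str]] = []
    created_at: dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["event_id"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["target"].lower()] = ev["ts"]
        elif eid in GROUP_MEMBER_ADDED:
            target = ev["target"].lower()
            if target in created_at and ev["ts"] - created_at[target] <= window_s:
                alerts.append(("new-account-added-to-group", ev["target"], ev["group"]))
        elif eid == SERVICE_INSTALLED and _from_user_writable(ev["image_path"]):
            alerts.append(("service-from-user-writable-path", ev["service_name"], ev["image_path"]))
        elif eid == TASK_CREATED and _from_user_writable(ev["command"]):
            alerts.append(("task-from-user-writable-path", ev["task_name"], ev["command"]))
    return alerts


# Constructed sample, not real telemetry. Timestamps are epoch seconds.
SAMPLE_EVENTS = [
    {"ts": 1000, "event_id": 4720, "subject": "CORP\\svc-backup", "target": "CORP\\itsupport2"},
    {"ts": 1300, "event_id": 4728, "subject": "CORP\\svc-backup", "target": "CORP\\itsupport2",
     "group": "Domain Admins"},
    {"ts": 2000, "event_id": 4720, "subject": "CORP\\hr-admin", "target": "CORP\\j.doe"},
    {"ts": 90000, "event_id": 4732, "subject": "CORP\\hr-admin", "target": "CORP\\j.doe",
     "group": "Remote Desktop Users"},          # a day later: outside the window
    {"ts": 2500, "event_id": 7045, "service_name": "WinUpdSvc",
     "image_path": "C:\\ProgramData\\WinUpd\\svc.exe"},
    {"ts": 2600, "event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": 2700, "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Sync",
     "command": "C:\\Users\\Public\\sync.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule}: {subject} -> {detail}")
```

Rule 1 is the one that catches the "blend in with normal operations" accounts: an account creation on its own is routine, but creation followed quickly by a privileged-group addition by the same operator is the pattern worth reviewing. Tune `window_s` to your provisioning process; in most environments legitimate onboarding adds group membership within minutes as well, so the subject account and the group name should go into the analyst's context.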


    Source: thehackernews.com…

  • UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns

    Jul 18, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

    Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.

    “This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims,” Seqrite Labs researcher Subhajeet Singha said in a report published this week.

    The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025.


    Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors.

    Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detailing the use of ZIP archives propagated via spear-phishing attacks to deliver Cobalt Strike beacons, a post-exploitation framework, using LNK and Visual Basic Scripts as interim payloads.

    “The scope and complexity of the campaign, coupled with the tailored lures, strongly suggest a targeted effort by an APT group to compromise sensitive research and intellectual property in these industries,” the company noted at the time.

    The AmberMist attack chains have been found to leverage spear-phishing emails as a starting point to deliver LNK files masquerading as curriculum vitae and resumes to unleash a multi-stage infection process that results in the deployment of INET RAT and Blister DLL loader.

    Alternate attack sequences detected in January 2025 have been found to redirect email recipients to fake landing pages spoofing Pakistan’s Ministry of Maritime Affairs (MoMA) website to serve fake CAPTCHA verification checks that employ ClickFix tactics to launch PowerShell commands, which are used to execute Shadow RAT.
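Shortcut files are the common first stage in both UNG0002 campaigns, and their structure is documented (Microsoft's MS-SHLLINK specification), so a defender can triage them without opening them. The following is an added example, not Seqrite Labs code: a minimal Python parser for the shell link header and string data, plus three constructed heuristics that flag a shortcut whose target is a script host, whose arguments hide the window or profile, or whose `ShowCommand` opens the target minimised. The `build_lnk` helper only exists to generate constructed test input (it writes a bare shortcut with no ID list or LinkInfo); the sample paths and the `<stage-2 placeholder>` argument are invented for the example.

```python
"""Static triage of Windows shortcut (.lnk) files. Added example, not Seqrite
Labs tooling. Header layout and LinkFlags follow the public MS-SHLLINK spec;
the heuristics and sample shortcuts are this example's own constructed choices.
"""
from __future__ import annotations

import struct

HEADER_FMT = "<I16sIIQQQIIIHHII"   # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs,
HEADER_SIZE = 0x4C                 # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that opens the target minimised

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
HIDING_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc", "-encodedcommand")


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Constructed test-input generator: a minimal Unicode .lnk carrying only
    RelativePath and (optionally) CommandLineArguments string data."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def ustr(s: str) -> bytes:          # CountCharacters (u16) + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + ustr(relative_path) + (ustr(arguments) if arguments else b"")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and whichever StringData fields the link carries."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the item ID list
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size field includes itself)
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = {"show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for flag, key in STRING_FIELDS:               # string data appears in this fixed order
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if unicode else 1
        raw = data[off:off + count * width]
        off += count * width
        info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return info


def assess_lnk(data: bytes) -> tuple[dict, list[str]]:
    """Parse a shortcut and return (fields, reasons); an empty reasons list means no flag."""
    info = parse_lnk(data)
    reasons: list[str] = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin")
    if any(a in args for a in HIDING_ARGS):
        reasons.append("arguments hide the window/profile or use encoding")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=7 (opens minimised)")
    return info, reasons


# Constructed samples, not files from the campaign.
BENIGN_LNK = build_lnk("..\\Documents\\resume.pdf")
LURE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                     '-w hidden -nop -c "<stage-2 placeholder>"',   # placeholder, no real payload
                     show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK)):
        print(label, assess_lnk(blob)[1])
```

Because the parser only reads the file, it is safe to run over a mail-gateway quarantine or a ZIP attachment's contents before anything is double-clicked. Shortcuts from real campaigns usually do carry an ID list and LinkInfo, which the parser skips by their declared sizes; the string data order is fixed by the specification, which is what makes the simple sequential read correct.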


    Shadow RAT, launched via DLL side-loading, is capable of establishing contact with a remote server to await further commands. INET RAT is assessed to be a modified version of Shadow RAT, whereas the Blister DLL implant functions as a shellcode loader, eventually paving the way for a reverse-shell-based implant.

    The exact origins of the threat actor remain unclear, but evidence points to it being an espionage-focused group from Southeast Asia.

    “UNG0002 represents a sophisticated and persistent threat entity from South Asia that has maintained consistent operations targeting multiple Asian jurisdictions since at least May 2024,” Singha said. “The group demonstrates high adaptability and technical proficiency, continuously evolving their toolset while maintaining consistent tactics, techniques, and procedures.”


    Source: thehackernews.com…