Tag: Cyber Security

  • New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station

    Aug 26, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

    A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB).

    The attack, per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for “Sniffing 5G Inject”) that’s designed to sniff unencrypted messages sent between the base station and the user equipment (UE, i.e., a phone) and inject messages to the target UE over-the-air.

    The framework can be used to carry out attacks such as crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, according to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou.

    “As opposed to using a rogue base station, which limits the practicality of many 5G attacks, SNI5GECT acts as a third-party in the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages during the UE attach procedure,” the researchers said. “The state information is then used to inject a targeted attack payload in downlink communication.”

    The findings build upon a prior study from ASSET in late 2023 that led to the discovery of 14 flaws in the firmware implementation of 5G mobile network modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul, that could be exploited to drop connections, freeze the connection so that a manual reboot is required, or downgrade 5G connectivity to 4G.

    The Sni5Gect attacks are designed to passively sniff messages during the initial connection process, decode the message content in real-time, and then leverage the decoded message content to inject targeted attack payloads.

    Specifically, the attacks are designed to take advantage of the phase before the authentication procedure, at which point the messages exchanged between the gNB and the UE are not encrypted. As a result, the threat model does not require knowledge of the UE’s credentials to sniff uplink/downlink traffic or inject messages.

    “To the best of our knowledge, SNI5GECT is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB,” the researchers said.

    “For example, an attacker can exploit the short UE communication window that spans from the RACH process until the NAS security context is established. Such an attacker actively listens for any RAR message from the gNB, which provides the RNTI to decode further UE messages.”

    This enables the threat actor to crash the modem on the victim’s device, fingerprint the targeted device, and even downgrade the connection to 4G, which has known vulnerabilities that can be exploited by the attacker to track the UE location over time.

    In tests against five smartphones, including OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, the study achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with a success rate of 70-90% from a distance of up to 20 meters (65 feet).

    The Global System for Mobile Communications Association (GSMA), a non-profit trade association that represents mobile network operators worldwide and develops new technologies, has acknowledged the multi-stage, downgrade attack, and assigned it the identifier CVD-2024-0096.

    “We argue that SNI5GECT is a fundamental tool in 5G security research that enables not only over-the-air 5G exploitation but advancing future research on packet-level 5G intrusion detection and mitigation, security enhancements to 5G physical layer security and beyond,” the researchers concluded.


    Source: thehackernews.com…

  • Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775

    Aug 26, 2025 | Ravie Lakshmanan | Vulnerability / Remote Code Execution

    Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild.

    The vulnerabilities in question are listed below –

    • CVE-2025-7775 (CVSS score: 9.2) – Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service
    • CVE-2025-7776 (CVSS score: 8.8) – Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial-of-Service
    • CVE-2025-8424 (CVSS score: 8.7) – Improper access control on the NetScaler Management Interface

    The company acknowledged that “exploits of CVE-2025-7775 on unmitigated appliances have been observed,” but stopped short of sharing additional details.

    However, for the flaws to be exploited, there are a number of prerequisites –

    • CVE-2025-7775 – NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers; NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers; or CR virtual server with type HDX
    • CVE-2025-7776 – NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with a PCoIP Profile bound to it
    • CVE-2025-8424 – Access to NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access

    The issues have been resolved in the following versions, with no available workarounds –

    • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
    • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

    Citrix credited Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmerli for discovering and reporting the vulnerabilities.

    CVE-2025-7775 is the latest NetScaler ADC and Gateway vulnerability to be weaponized in real-world attacks in a short span of time, after CVE-2025-5777 (aka Citrix Bleed 2) and CVE-2025-6543.

    The disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting Citrix Session Recording (CVE-2024-8068 and CVE-2024-8069) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.


    Source: thehackernews.com…

  • MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

    Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that’s targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell.

    The activity has been codenamed ZipLine by Check Point Research.

    “Instead of sending unsolicited phishing emails, attackers initiate contact through a company’s public ‘Contact Us’ form, tricking employees into starting the conversation,” the company said in a statement shared with The Hacker News. “What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware.”

    The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities. Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engineered systems, as well as those related to hardware and semiconductors, consumer goods, biotechnology, and pharmaceuticals.

    This diverse, yet focused, targeting has raised the possibility that the threat actors behind the campaign are homing in on industry verticals critical to the supply chain. Other countries targeted by ZipLine include Singapore, Japan, and Switzerland.

    The campaign’s provenance and motives are presently unclear, but Check Point said it identified overlapping digital certificates between an IP address used in the attacks and infrastructure previously identified by Zscaler and Proofpoint as employed in TransferLoader attacks undertaken by a threat cluster referred to as UNK_GreenSec.

    ZipLine is another instance of how threat actors are increasingly banking on legitimate business workflows, such as approaching targets via a company’s Contact Us form on their website, thereby weaponizing trust in the process to sidestep any potential concerns.

    While the approach of using website contact forms as a malware distribution vector is not wholly new, where ZipLine stands apart is in its avoidance of scare tactics and urgent language to trick recipients into taking unintended actions.

    This patient social engineering technique involves drawing victims into multi-week conversations, in some cases even instructing them to sign non-disclosure agreements (NDAs), before sending booby-trapped ZIP files. Recent social engineering waves have also capitalized on the artificial intelligence (AI) transformation trend, with the attackers “offering” to help the target entities implement new AI-centric initiatives to reduce costs and improve efficiency.

    The attack chain is characterized by multi-stage payloads, in-memory execution, and DNS-based command-and-control (C2) channels, allowing the threat actor to stay under the radar.

    Specifically, the ZIP archives come fitted with a Windows shortcut (LNK) that triggers a PowerShell loader, which then paves the way for the custom in-memory MixShell implant that uses DNS tunneling and HTTP as a fallback C2 mechanism to support remote command execution, file operations, reverse proxying, stealth persistence, and deeper network infiltration.

    MixShell also comes in a PowerShell variant that incorporates advanced anti-debugging and sandbox evasion techniques, uses scheduled tasks for persistence, and drops the reverse proxy shell and file download capabilities.

    The malicious ZIP files are hosted on a sub-domain of herokuapp[.]com, a legitimate Platform-as-a-Service (PaaS) providing compute and storage infrastructure for hosting web applications — once again illustrating the threat actor’s abuse of legitimate services to blend in with normal enterprise network activity.

    The LNK file responsible for initiating the execution chain also displays a lure document present in the ZIP file so as not to arouse the victim’s suspicion. That said, Check Point noted that not all ZIP files served from the Heroku domain are malicious, suggesting customized delivery of malware in real-time based on certain criteria.

    “In many cases, the attacker uses domains that match the names of LLCs registered U.S.-based companies, and in some cases, may have previously belonged to legitimate businesses,” Check Point said. “The attacker maintains similar template websites to all those companies, which hint at a well-planned and streamlined campaign on a large scale.”

    The campaign poses severe risks to companies, as it can lead to theft of intellectual property and ransomware attacks, business email compromise, and account takeovers resulting in financial fraud, and potential supply chain disruptions with cascading impacts.

    “The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said.

    “Attackers are innovating faster than ever – blending human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention-first, AI-driven defenses and build a culture of vigilance that treats every inbound interaction as a potential threat.”


    Source: thehackernews.com…

  • ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

    A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.

    The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency.

    “The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems,” researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said.

    “The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.”

    The attacks begin with unsuspecting users visiting a compromised WordPress website that has been injected with malicious JavaScript code that’s responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page.

    From there, the attack chain forks into two, depending on the ClickFix instructions displayed on the web page: One that utilizes the Windows Run dialog and another that guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe.

    The execution flow triggered via the Windows Run dialog culminates in the deployment of Lumma and Rhadamanthys stealers via MSI installers launched using msiexec.exe or through remotely-hosted HTA files run using mshta.exe, whereas the execution of the saved HTA payload results in the installation of Epsilon Red ransomware.

    It’s worth pointing out that the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware was documented last month by CloudSEK.

    “The compromised ClickFix page automatically executes obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy a malicious command to the user’s clipboard without any interaction, relying on users to paste and run it unknowingly,” the researchers said.

    The attacks are characterized by the use of anti-debugger techniques to prevent inspection of web pages using browser developer tools, while also relying on DLL side-loading to execute malicious code under the guise of legitimate processes.

    Select ShadowCaptcha campaigns have been observed delivering an XMRig-based cryptocurrency miner, with some variants fetching the mining configuration from a Pastebin URL rather than hard-coding it in the malware, thus allowing the operators to adjust the parameters on the fly.

    In cases where the miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver (“WinRing0x64.sys”) to achieve kernel-level access and interact with CPU registers with an aim to improve mining efficiency.

    Of the infected WordPress sites, a majority of them are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning technology, hospitality, legal/finance, healthcare, and real estate sectors.

    To mitigate the risks posed by ShadowCaptcha, it’s essential to train users to watch out for ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites are kept up-to-date and secured using multi-factor authentication (MFA) protections.

    “ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations,” the researchers said. “By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”

    The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately directing users to malicious destinations based on the targeting criteria.

    “The operation specializes in tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams,” security researcher Denis Sinegubko said.

    Some of the notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages, for their part, use JavaScript to force browsers to enter full-screen mode and display the fraudulent alert and even feature counterfeit CAPTCHA challenges before rendering them in a bid to sidestep automated security scanners.

    Help TDS operators are said to have developed a malicious WordPress plugin known as “woocommerce_inputs” between late 2024 and August 2025 to enable the redirection functionality, alongside steadily adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on over 10,000 sites worldwide.

    The malicious plugin masquerades as WooCommerce to evade detection by site owners. It’s exclusively installed by attackers after compromising WordPress sites through stolen administrator credentials.

    “This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering,” GoDaddy said.

    “By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites.”


    Source: thehackernews.com…

  • HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

    Aug 26, 2025 | Ravie Lakshmanan

    Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages.

    “A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” Zimperium zLabs researcher Vishnu Pratapagiri said. “This overlay presents an alarming ‘*WARNING*’ message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server.”

    The mobile security company said the overlay is remotely initiated when the command “ransome” is issued by the C2 server. The overlay can be dismissed by the attacker by sending the “delete_ransome” command.

    HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the internet.

    Like other banking malware targeting Android, it’s capable of displaying a fake overlay screen on top of financial apps to steal users’ credentials and abuse Android accessibility services to automate fraud and commandeer devices remotely.

    Other notable features include the ability to send SMS messages to specified phone numbers, stream the victim’s screen, capture photos using the front-facing camera, and steal cookies and recovery phrases associated with cryptocurrency wallets.

    The latest version, per Zimperium, signals a major step forward, supporting 107 remote commands, with 38 newly added ones. This includes serving transparent overlays to capture user gestures, fake NFC overlays to trick victims into sharing sensitive data, and deceptive prompts to gather lockscreen PIN or pattern.

    The list of newly added commands is as follows –

    • takenfc, to display a fake NFC scanning screen using a fullscreen WebView overlay and read card data
    • unlock_pin, to display a fake device unlock screen to collect unlock pattern or PIN code and gain unauthorized access to the device
    • takencard, to display a fake overlay to collect credit card information by mimicking a Google Pay interface
    • start_record_gesture, to record user gestures by displaying a transparent full screen overlay

    HOOK is believed to be distributed on a large scale, using phishing websites and bogus GitHub repositories to host and disseminate malicious APK files. Some of the other Android malware families distributed via GitHub include ERMAC and Brokewell, indicating a broader adoption among threat actors.

    “The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories,” Zimperium noted. “With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.”

    Anatsa Continues to Evolve

    The disclosure comes as Zscaler’s ThreatLabs detailed an updated version of the Anatsa banking trojan that has now expanded its focus to target over 831 banking and cryptocurrency services worldwide, including those in Germany and South Korea, up from 650 reported previously.

    One of the apps in question has been found to mimic a file manager app (package name: “com.synexa.fileops.fileedge_organizerviewer”), which acts as a dropper to deliver Anatsa. Besides replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the trojan, the malware uses corrupted archives to hide the DEX payload that’s deployed during runtime.

    Anatsa also requests permissions for Android’s accessibility services, which it subsequently abuses to grant itself additional permissions that allow it to send and receive SMS messages, as well as draw content on top of other applications to display overlay windows.

    In all, the company said it identified 77 malicious apps from various adware, maskware, and malware families, such as Anatsa, Joker, and Harly, in the Google Play Store, accounting for over 19 million installations. Maskware refers to a category of apps that present themselves as legitimate applications or games to app stores but incorporate obfuscation, dynamic code loading, or cloaking techniques to conceal malicious content.

    Harly is a variant of Joker that was first flagged by Kaspersky in 2022. Earlier this March, Human Security said it uncovered 95 malicious applications containing Harly that were hosted in the Google Play Store.

    “Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection,” security researcher Himanshu Sharma said. “The malware has also added support for more than 150 new financial applications to target.”


    Source: thehackernews.com…

  • CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

    Aug 26, 2025 | Ravie Lakshmanan | Vulnerability / Data Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The list of vulnerabilities is as follows –

    • CVE-2024-8068 (CVSS score: 5.1) – An improper privilege management vulnerability in Citrix Session Recording that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain
    • CVE-2024-8069 (CVSS score: 5.1) – A deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with the privileges of a NetworkService Account access when an attacker is an authenticated user on the same intranet as the session recording server
    • CVE-2025-48384 (CVSS score: 8.1) – A link following vulnerability in Git that arises as a result of inconsistent handling of carriage return (CR) characters in configuration files, resulting in arbitrary code execution

    Both the Citrix flaws were patched by the company in November 2024 following responsible disclosure by watchTowr Labs on July 14, 2024. CVE-2025-48384, on the other hand, was addressed by the Git project earlier this July. A proof-of-concept (PoC) exploit was released by Datadog following public disclosure.

    “If a submodule path contains a trailing CR, the altered path can cause Git to initialize the submodule in an unintended location,” Arctic Wolf said about CVE-2025-48384. “When this is combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook, cloning a repository can result in unintended code execution.”

    As is typically the case, CISA has provided no further technical details on the exploitation activity or on who may be behind it. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by September 15, 2025, to secure their networks against active threats.


    Source: thehackernews.com…

  • Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

    Aug 26, 2025 | Ravie Lakshmanan | Mobile Security / Data Privacy

    Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store.

    “Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices,” the company said. “This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down.”

    To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand.

    “At this point, any app installed on a certified Android device in these regions must be registered by a verified developer,” Suzanne Frey, vice president of Product, Trust and Growth for Android, added.

    It’s worth noting that nothing much will change for developers who distribute apps through the Google Play Store, as they are likely to have already met these verification requirements through the existing Play Console process. A separate type of Android Developer Console account is in the works for student and hobbyist developers.

    Google said the changes are designed to prevent malicious actors from impersonating developers and using their branding and reputation to create convincing fake apps. Compounding the problem is the presence of such malicious apps that are distributed via third-party app marketplaces from where users can sideload them.

    The developer verification mandate adds to already existing security measures that block the sideloading of potentially dangerous apps in markets like Singapore, Thailand, Brazil, and India.

    In July 2023, the company also began requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust.

    The “new layer of security,” Google pointed out, aims to protect users from repeat bad actors spreading malware and scams, as well as provide a “consistent, common sense baseline of developer accountability” across Android. It also said the system preserves user choice while enhancing security for everyone.

    While the Android app distribution rules are aimed at tightening the security of the ecosystem, they also come at a time when Google is potentially staring at major reforms to the Play Store, including distributing competing app stores through Google Play and providing rivals with access to its full app catalog, after having lost an antitrust lawsuit brought by Epic Games in 2020.


    Source: thehackernews.com…

  • Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

    Aug 25, 2025 | Ravie Lakshmanan | Container Security / Vulnerability

    Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container.

    The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3.

    “A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” Docker said in an advisory released last week.

    “This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”

    According to security researcher Felix Boulet, the vulnerability has to do with how it’s possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container could gain full access to the underlying host upon mounting the C: drive into it.

    In a proof-of-concept (PoC) exploit, a web request from any container has been found to trigger the flaw and result in a full compromise of the host –

    • POST a JSON payload to “/containers/create,” binding the host C: drive to a folder inside the container (/mnt/host/c:/host_root) and using a startup command to write or read anything under /host_root when the container starts.
    • POST to “/containers/{id}/start” to launch the container and start the execution

    “At its core, this vulnerability was a simple oversight: Docker’s internal HTTP API was reachable from any container without authentication or access controls,” Boulet said.

    PVOTAL Technologies researcher Philippe Dugre (“zer0x64”), who further examined the flaw, said an attacker can exploit it on the Windows version of Docker Desktop to mount the entire file system as an administrator, read any sensitive file, and overwrite a system DLL to escalate privileges to administrator on the host system.

    “On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission,” Dugre said. “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is a lot safer than in the Windows case.”

    “However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval.”

    The vulnerability does not impact the Linux version, since Linux uses a named pipe on the host’s file system rather than relying on a TCP socket for the Docker Engine’s API.

    The easiest way to leverage the vulnerability is via a threat actor-controlled malicious container. That said, a server-side request forgery (SSRF) flaw can be used as an alternate attack vector.

    “This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, the impact of which varies especially depending on the availability of HTTP request methods (most SSRF only allows GET requests, but some niche cases allow the use of POST, PATCH, DELETE methods),” Dugre said.


    Source: thehackernews.com…

  • UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

    Aug 25, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing’s strategic interests.

    “This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection,” Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said.

    UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon.

    The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC.

    PlugX is a backdoor that supports commands to exfiltrate files, log keystrokes, launch a remote command shell, upload/download files, and is able to extend its functionality with additional plugins. Often launched via DLL side-loading, the implant is spread through USB flash drives, targeted phishing emails containing malicious attachments or links, or compromised software downloads.

    The malware has existed since at least 2008 and is widely used by Chinese hacking groups. It is believed that ShadowPad is the successor of PlugX.

    The UNC6384 attack chain is fairly straightforward in that adversary-in-the-middle (AitM) and social engineering tactics are used to deliver the PlugX malware –

    • The target’s web browser tests if the internet connection is behind a captive portal
    • An AitM redirects the browser to a threat actor-controlled website
    • STATICPLUGIN is downloaded from “mediareleaseupdates[.]com”
    • STATICPLUGIN retrieves an MSI package from the same website
    • CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor in memory

    The captive portal hijack is used to deliver malware masquerading as an Adobe Plugin update to targeted entities. On the Chrome browser, the captive portal functionality is accomplished by means of a request to a hard-coded URL (“www.gstatic[.]com/generate_204”) that redirects users to a Wi-Fi login page.

    While “gstatic[.]com” is a legitimate Google domain used to store JavaScript code, images, and style sheets as a way to enhance performance, Google said the threat actors are likely carrying out an AitM attack to imitate redirection chains from the captive portal page to the threat actor’s landing web page.

    It’s assessed that the AitM is facilitated by means of compromised edge devices on the target networks, although the attack vector used to pull this off remains unknown at this stage.
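    An added verifier, not GTIG's code or anything from the campaign, that applies Chrome's own rule to the generate_204 probe: an empty 204 means an untouched path, a redirect means a captive portal is in the way, and a redirect that lands directly on an installer is the pattern described above rather than a Wi-Fi login. The executable-suffix heuristic and the verdict labels are assumptions of this example.

```python
"""Connectivity-probe verifier for captive-portal hijacks (added example).
Classifies the answer to Chrome's generate_204 probe without following redirects."""
import http.client
from typing import Optional
from urllib.parse import urlparse

PROBE_HOST = "www.gstatic.com"
PROBE_PATH = "/generate_204"
REDIRECTS = (301, 302, 303, 307, 308)
# Assumption: a login page never redirects straight to an installer download
SUSPICIOUS_SUFFIXES = (".exe", ".msi", ".zip")


def classify_probe(status: int, location: Optional[str], body: bytes) -> str:
    """Return 'direct', 'captive-portal', 'suspicious-redirect' or 'intercepted'."""
    if status == 204 and not body:
        return "direct"                    # untouched answer, no portal in the path
    if status in REDIRECTS and location:
        path = urlparse(location).path.lower()
        if path.endswith(SUSPICIOUS_SUFFIXES):
            return "suspicious-redirect"   # redirect to an installer, not a login
        return "captive-portal"            # ordinary Wi-Fi login redirect
    return "intercepted"                   # non-204 content served in place of the probe


def run_probe(host: str = PROBE_HOST, path: str = PROBE_PATH, timeout: float = 5.0) -> str:
    """Issue the probe over plain HTTP, as the browser does, and classify the reply."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_probe(resp.status, resp.getheader("Location"), resp.read())
    except OSError:
        return "no-connectivity"           # nothing answered at all
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_probe())
```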

    “After being redirected, the threat actor attempts to deceive the target into believing that a software update is needed, and to download the malware disguised as a ‘plugin update,’” GTIG said. “The landing web page resembles a legitimate software update site and uses an HTTPS connection with a valid TLS certificate issued by Let’s Encrypt.”

    The end result is the download of an executable named “AdobePlugins.exe” (aka STATICPLUGIN) that, when launched, triggers the SOGU.SEC payload in the background using a DLL referred to as CANONSTAGER (“cnmpaui.dll”) that’s side-loaded by the Canon IJ Printer Assistant Tool (“cnmpaui.exe”).

    The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign. Over two dozen malware samples signed by Chengdu have been put to use by China-nexus activity clusters, with the earliest artifacts dating back to at least January 2023. Exactly how these certificates are obtained by the subscriber is not clear.

    “This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” Whitsell said. “The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.”


    Source: thehackernews.com…

  • Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

    Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.

    The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.”

    Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.

    UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enables an attacker to take full control of compromised hosts.

    The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document.

    “The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity,” Fortinet said. “Its primary purpose is to deliver a malicious download.”

    The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.

    The loader, in turn, contacts the same server to obtain the final payload, either in the form of plain text or embedded within a harmless-looking image, a technique called steganography.

    Fortinet said UpCrypter is also distributed as an MSIL (Microsoft Intermediate Language) loader that, like its JavaScript counterpart, conducts anti-analysis and anti-virtual machine checks, after which it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload.

    The attack culminates with the script embedding data from the DLL loader and the payload during execution, thus allowing the malware to be run without writing it to the file system. This approach also has the advantage of minimizing forensic traces, thereby allowing the malware to fly under the radar.

    “This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments,” Lin said.

    The disclosure comes as Check Point detailed a large-scale phishing campaign abusing Google Classroom to distribute more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries between August 6 and 12, 2025. The attacks target organizations in Europe, North America, the Middle East, and Asia.

    “Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services,” the company said. “Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.”

    The attack slips past security systems by leveraging the trust and reputation of Google Classroom’s infrastructure to bypass key email authentication protocols, such as SPF, DKIM, and DMARC, which helps the phishing emails land in users’ inboxes.

    These campaigns are part of a larger trend where threat actors take advantage of legitimate services like Microsoft 365 Direct Send and OneNote, not to mention abuse free artificial intelligence (AI)-powered website builders like Vercel and Flazio, as well as services such as Discord CDN, SendGrid, Zoom, ClickFunnels, Jotform, and X’s t[.]co link shortener – an approach known as living-off-trusted-sites (LOTS).

    “After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” Varonis said in a report published last month.

    The misuse of Direct Send has prompted Microsoft to introduce an option for organizations called “Reject Direct Send” to directly address the issue. Alternatively, customers can also apply custom header stamping and quarantine policies to detect emails that claim to be internal communication but, in reality, aren’t.
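    An added detection example, not Microsoft's, Varonis's or Check Point's code, of the header-stamping idea above: mail relayed through Direct Send claims an internal From address but arrives without the tenant's own DKIM pass and without the stamp a transport rule adds to genuine internal mail. The stamp header name X-Org-Stamp and the corp.example domain are hypothetical, and the sample message is constructed.

```python
"""Flags mail that claims to be internal but shows neither a DKIM pass for the
internal domain nor the custom stamp header (added example, hypothetical names)."""
import email
import re
from email.utils import parseaddr

STAMP_HEADER = "X-Org-Stamp"   # hypothetical header a transport rule stamps on internal mail


def from_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_pass_domains(msg) -> set:
    """Domains with dkim=pass in any Authentication-Results header."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.(?:d|i)=@?([\w.-]+)", ar):
            found.add(m.group(1).lower())
    return found


def looks_like_spoofed_internal(raw: str, internal_domains: set, stamp=STAMP_HEADER) -> bool:
    """True when From claims an internal domain but the message carries neither the
    internal stamp header nor a DKIM pass for that domain (Direct Send pattern)."""
    msg = email.message_from_string(raw)
    dom = from_domain(msg)
    if dom not in internal_domains:
        return False                      # external sender; other controls apply
    if msg.get(stamp) is not None:
        return False                      # stamped by our own transport rule
    return dom not in dkim_pass_domains(msg)


# Constructed sample: external relay, internal From, no stamp, SPF/DKIM/DMARC fail.
SAMPLE_DIRECT_SEND = """From: "IT Helpdesk" <helpdesk@corp.example>
To: staff@corp.example
Subject: Voicemail waiting
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=corp.example;
 dkim=none (message not signed) header.d=none; dmarc=fail header.from=corp.example
Message-ID: <constructed-1@203.0.113.5>

Open the attached voicemail.
"""

if __name__ == "__main__":
    print("spoofed internal:", looks_like_spoofed_internal(SAMPLE_DIRECT_SEND, {"corp.example"}))
```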

    These developments have also been accompanied by attackers increasingly relying on client-side evasion techniques in phishing pages to stay ahead of both automated detection systems and human analysts. This includes the use of JavaScript-based blocking, Browser-in-the-Browser (BitB) templates, and hosting the pages inside virtual desktop environments using noVNC.

    “A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said. “Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.”


    Source: thehackernews.com…