Tag: Cyber Security

  • Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor

    Oct 13, 2025 | Ravie Lakshmanan | Browser Security / Windows Security

    Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving “credible reports” in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users’ devices.

    “Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer’s JavaScript engine (Chakra) to gain access to victim devices,” the Microsoft Browser Vulnerability Research team said in a report published last week.

    In the attack chain documented by the Windows maker, the threat actors trick unsuspecting users into visiting a seemingly legitimate website and then use a flyout on the page to instruct them to reload it in IE mode.

    Once the page is reloaded, the attackers are said to have weaponized an unspecified exploit in the Chakra engine to obtain remote code execution. The infection sequence culminates with the adversary using a second exploit to elevate their privileges out of the browser in order to seize complete control of the victim’s device.

    The activity is concerning, not least because it subverts modern defenses baked into Chromium and Microsoft Edge by launching it in a less secure state using Internet Explorer, effectively allowing the threat actors to break out of the confines of the browser and perform various post-exploitation steps, including malware deployment, lateral movement, and data exfiltration.

    Microsoft did not disclose any details regarding the nature of the vulnerabilities, the identity of the threat actor behind the attacks, and the scale of the efforts.

    However, in response to evidence of active exploitation and the security risk posed by the feature, the company said it has taken steps to remove the dedicated toolbar button, context menu, and the hamburger menu items.

    Users who wish to enable IE mode will now have to explicitly enable it on a case-by-case basis via Edge browser settings –

    • Navigate to Settings > Default Browser
    • Locate the option labeled Allow sites to be reloaded in Internet Explorer mode and set it to Allow
    • After enabling this setting, add the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list
    • Reload the site

    The Windows maker noted that these restrictions to launching IE mode are necessary to balance security and the need for legacy support.

    “This approach ensures that the decision to load web content using legacy technology is significantly more intentional,” Microsoft said. “The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers to overcome.”


    Source: thehackernews.com…

  • Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors

    Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.

    The activity, described as akin to an “exploit shotgun” approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro.

    The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022.

    RondoDox was first documented by Fortinet FortiGuard Labs back in July 2025, detailing attacks aimed at TBK digital video recorders (DVRs) and Four-Faith routers to enlist them in a botnet for carrying out distributed denial-of-service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.

    “More recently, RondoDox broadened its distribution by using a ‘loader-as-a-service’ infrastructure that co-packages RondoDox with Mirai/Morte payloads – making detection and remediation more urgent,” Trend Micro said.

    RondoDox’s expanded arsenal of exploits includes nearly five dozen security flaws, out of which 18 don’t have a CVE identifier assigned. The 56 vulnerabilities span various vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.

    “The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation,” the company added. “It’s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.”

    Late last month, CloudSEK revealed details of a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps by weaponizing weak credentials, unsanitized inputs, and old CVEs.

    The development comes as security journalist Brian Krebs noted that the DDoS botnet known as AISURU is “drawing a majority of its firepower” from compromised IoT devices hosted on U.S. internet providers like AT&T, Comcast, and Verizon. One of the botnet’s operators, Forky, is alleged to be based in Sao Paulo, Brazil, and is also linked to a DDoS mitigation service called Botshield.

    In recent months, AISURU has emerged as one of the largest and most disruptive botnets, responsible for some of the record-setting DDoS attacks seen to date. Built on the foundations of Mirai, the botnet controls an estimated 300,000 compromised hosts worldwide.

    The findings also follow the discovery of a coordinated botnet operation involving over 100,000 unique IP addresses from no less than 100 countries targeting Remote Desktop Protocol (RDP) services in the U.S., per GreyNoise.

    The activity is said to have commenced on October 8, 2025, with the majority of the traffic originating from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.

    “The campaign employs two specific attack vectors – RD Web Access timing attacks and RDP web client login enumeration – with most participating IPs sharing one similar TCP fingerprint, indicating centralized control,” the threat intelligence firm said.


    Source: thehackernews.com…

  • Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns

    Oct 13, 2025 | Ravie Lakshmanan | Malware / Financial Security

    Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns.

    “Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations,” McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report.

    “When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running.”

    The activity, per the cybersecurity company, is primarily focused on Brazil, although the banking malware is known to target various countries in Latin America, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama.

    This is not the first time Astaroth campaigns have trained their sights on Brazil. In July and October 2024, both Google and Trend Micro warned of threat clusters dubbed PINEAPPLE and Water Makara that used phishing emails to distribute the malware.

    The latest attack chain is no different in that it also begins with a DocuSign-themed phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file, which, when opened, installs Astaroth on the compromised host.

    The LNK file incorporates obfuscated JavaScript that’s responsible for fetching additional JavaScript from an external server. The newly fetched JavaScript code, for its part, downloads a number of files from one of the randomly selected hard-coded servers.

    This includes an AutoIt script that’s executed by the JavaScript payload, following which it loads and runs shellcode, which, in turn, loads a Delphi-based DLL to decrypt and inject the Astaroth malware into a newly created RegSvc.exe process.

    Astaroth is Delphi-based malware designed to monitor victims’ visits to banking or cryptocurrency websites and steal their credentials via keylogging. The captured information is transmitted to the attackers through the Ngrok reverse proxy.

    It accomplishes this by checking the active browser window every second to determine whether a banking-related site is open. If so, the malware hooks keyboard events to record keystrokes. Some of the targeted websites are listed below –

    • caixa.gov[.]br
    • safra.com[.]br
    • itau.com[.]br
    • bancooriginal.com[.]br
    • santandernet.com[.]br
    • btgpactual[.]com
    • etherscan[.]io
    • binance[.]com
    • bitcointrade.com[.]br
    • metamask[.]io
    • foxbit.com[.]br
    • localbitcoins[.]com

    Astaroth also comes fitted with capabilities to resist analysis and shuts down automatically if it detects emulator, debugger, and analysis tools like QEMU Guest Agent, HookExplorer, IDA Pro, ImmunityDebugger, PE Tools, WinDbg, and Wireshark, among others.

    Persistence on the host is set up by dropping an LNK file in the Windows Startup folder that runs the AutoIt script to launch the malware automatically after a system reboot. What’s more, not only is the initial URL accessed by the JavaScript within the LNK file geofenced, the malware also makes sure that the machine’s system locale is not set to English or the U.S.

    “Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub, which uses steganography to hide this information in plain sight,” McAfee said.

    In doing so, the malware leverages a legitimate platform to host configuration files, turning it into resilient backup infrastructure for when the primary C2 servers become inaccessible. The company noted that it worked with the Microsoft-owned subsidiary to remove the GitHub repositories, temporarily neutralizing the operation.


    Source: thehackernews.com…

  • New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims' PCs

    Oct 13, 2025 | Ravie Lakshmanan | Ransomware / Windows Security

    Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.

    “Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, ‘serviceaccount,’” eSentire said in a technical report published last week. “Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.”

    The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer’s environment.

    ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker “chaos_00019” and is responsible for issuing remote commands to the infected devices. A second Discord user account associated with C2 operations is lovebb0024.

    Alternatively, the malware has also been observed relying on phishing messages containing a malicious Windows shortcut (LNK) file as a distribution vector. Should the message recipient open the LNK file, a PowerShell command is executed to download and execute ChaosBot, while a decoy PDF masquerading as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction mechanism.

    The payload is a malicious DLL (“msedge_elf.dll”) that’s sideloaded by the Microsoft Edge binary “identity_helper.exe,” after which it performs system reconnaissance and downloads a fast reverse proxy (FRP) to open a reverse proxy into the network and maintain persistent access.

    The threat actors have also been found to use the malware in an unsuccessful attempt to configure a Visual Studio Code Tunnel service as an additional backdoor for command execution. The malware’s primary function, however, is to interact with a Discord channel, created by the operator and named after the victim’s computer name, to receive further instructions.

    Some of the supported commands are listed below –

    • shell, to execute shell commands via PowerShell
    • scr, to capture screenshots
    • download, to download files to the victim device
    • upload, to upload a file to the Discord channel

    “New variants of ChaosBot make use of evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire said.

    “The first technique involves patching the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique checks the MAC addresses of the system against known Virtual Machine MAC address prefixes for VMware and VirtualBox. If a match is found, the malware exits.”

    Chaos Ransomware Gains Destructive and Clipboard Hijacking Features

    The disclosure comes as Fortinet FortiGuard Labs detailed a new ransomware variant of Chaos written in C++ that introduces new destructive capabilities to irrevocably delete large files rather than encrypting them and to manipulate clipboard content by swapping Bitcoin addresses with an attacker-controlled wallet to redirect cryptocurrency transfers.

    “This dual strategy of destructive encryption and covert financial theft underscores Chaos’ transition into a more aggressive and multifaceted threat designed to maximize financial gain,” the company said.

    By incorporating destructive extortion tactics and clipboard hijacking for cryptocurrency theft, the attackers aim to position Chaos-C++ ransomware as a potent tool that can not only encrypt files, but also delete the content of any file larger than 1.3 GB and facilitate financial fraud.

    The Chaos-C++ ransomware downloader poses as bogus utilities like System Optimizer v2.1 to trick users into installing them. It’s worth mentioning here that previous iterations of Chaos ransomware, such as Lucky_Gh0$t, were distributed under the guise of OpenAI ChatGPT and InVideo AI.

    Once launched, the malware checks for the presence of a file named “%APPDATA%READ_IT.txt,” which signals that the ransomware has already been executed on the machine. If the file exists, it enters into what’s called a monitoring mode to keep tabs on the system clipboard.

    In the event the file is not present, Chaos-C++ checks if it’s running with administrative privileges, and if so, proceeds to run a series of commands to inhibit system recovery, and then launches the encryption process to fully encrypt files that are below 50 MB, while skipping those with a file size between 50 MB and 1.3 GB, presumably for efficiency reasons.

    “Rather than relying solely on full file encryption, Chaos-C++ employs a combination of methods, including symmetric or asymmetric encryption and a fallback XOR routine,” Fortinet said. “Its versatile downloader also guarantees successful execution. Together, these approaches make the ransomware execution more robust and harder to disrupt.”


    Source: thehackernews.com…

  • New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login

    Oct 12, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.

    The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14.

    “Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD). “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”

    In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild.

    Oracle’s Chief Security Officer, Rob Duhart, pointed out that the vulnerability affects “some deployments” of E-Business Suite and that it could be weaponized to allow access to sensitive resources.

    The development comes shortly after Google Threat Intelligence Group (GTIG) and Mandiant disclosed that dozens of organizations may have been impacted following the zero-day exploitation of CVE-2025-61882 in Oracle’s E-Business Suite (EBS) software.

    The attacks have been found to leverage the vulnerability to trigger two different payload chains, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE.

    While the tech giant did not attribute the activity to a specific named threat actor or group, the attacks are believed to be orchestrated by a hacking group with ties to the Cl0p ransomware group.


    Source: thehackernews.com…

  • Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts

    Oct 11, 2025 | Ravie Lakshmanan | Cloud Security / Network Security

    Cybersecurity company Huntress on Friday warned of “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments.

    “Threat actors are authenticating into multiple accounts rapidly across compromised devices,” it said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

    A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73.

    The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access numerous local Windows accounts.
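    The indicator Huntress describes above, many successful logins to different accounts from one source in rapid succession, is distinguishable from brute-forcing (many failures against one account) in ordinary VPN authentication logs. The following is an added example of that distinction, not Huntress's or SonicWall's code; the log format, account names and all addresses except the 202.155.8[.]73 source reported above are constructed for the example, and the window and thresholds are assumptions to tune per environment.

```python
"""Flag source IPs that authenticate to many distinct VPN accounts in a short window.

Added example (not Huntress's or SonicWall's code). The log format below is
constructed for this example and is not SonicWall's real log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, result, account, source IP.
# 202.155.8.73 is the source reported in the article (defanging brackets removed);
# the other addresses are documentation ranges used here as placeholders.
SAMPLE_LOG = """\
2025-10-04T02:11:05Z SUCCESS alice 202.155.8.73
2025-10-04T02:11:09Z SUCCESS bob 202.155.8.73
2025-10-04T02:11:14Z SUCCESS carol 202.155.8.73
2025-10-04T02:11:20Z SUCCESS dave 202.155.8.73
2025-10-04T02:11:31Z SUCCESS erin 202.155.8.73
2025-10-04T02:30:00Z FAILURE frank 198.51.100.7
2025-10-04T02:30:02Z FAILURE frank 198.51.100.7
2025-10-04T02:30:04Z FAILURE frank 198.51.100.7
2025-10-04T02:30:06Z FAILURE frank 198.51.100.7
2025-10-04T02:30:08Z FAILURE frank 198.51.100.7
2025-10-04T08:00:00Z SUCCESS grace 203.0.113.9
2025-10-04T17:45:10Z SUCCESS grace 203.0.113.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, account, source)."""
    ts, result, account, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, src


def find_credential_sprays(log_text, window=timedelta(minutes=10), min_accounts=3):
    """Return {src_ip: sorted accounts} for sources that logged in successfully
    to at least `min_accounts` distinct accounts within `window` (assumed thresholds)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, account) successes inside the window
    flagged = {}
    for ts, result, account, src in events:
        if result != "SUCCESS":
            continue  # failures are the brute-force signal, handled below
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts:
            flagged[src] = sorted(accounts)
    return flagged


def find_brute_force(log_text, window=timedelta(minutes=10), min_failures=5):
    """Contrast case: repeated failures against one account from one source."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # (src, account) -> failure timestamps inside the window
    flagged = set()
    for ts, result, account, src in events:
        if result != "FAILURE":
            continue
        q = recent[(src, account)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= min_failures:
            flagged.add((src, account))
    return flagged


if __name__ == "__main__":
    print("valid-credential use across accounts:", find_credential_sprays(SAMPLE_LOG))
    print("brute force:", find_brute_force(SAMPLE_LOG))
```

Run against the constructed log, the first function flags only the 202.155.8.73 source (five distinct accounts in under a minute) and the second flags only the frank/198.51.100.7 pair, which is the separation the Huntress observation relies on: a source that succeeds across many accounts without a preceding failure burst already holds the credentials.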

    The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. The breach, according to the latest update, affects all customers who have used SonicWall’s cloud backup service.

    “Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” Arctic Wolf said. “These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates.”

    Huntress, however, noted that there is no evidence at this stage to link the breach to the recent spike in compromises.

    Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service are advised to reset their credentials on live firewall devices to avoid unauthorized access.

    It’s also recommended to restrict WAN management and remote access where possible, revoke any external API keys that touch the firewall or management systems, monitor logins for signs of suspicious activity, and enforce multi-factor authentication (MFA) for all admin and remote accounts.

    The disclosure comes amid an increase in ransomware activity targeting SonicWall firewall devices for initial access, with the attacks leveraging known security flaws (CVE-2024-40766) to breach target networks for deploying Akira ransomware.

    Darktrace, in a report published this week, said it detected an intrusion targeting an unnamed U.S. customer in late August 2025 that involved network scanning, reconnaissance, lateral movement, privilege escalation using techniques like UnPAC the hash, and data exfiltration.

    “One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology,” it said.

    “This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released.”


    Source: thehackernews.com…

  • Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks

    Oct 11, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.

    The threat actor’s use of the security utility was documented by Sophos last month. It’s assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that’s susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.

    In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely launch programs using the SMB protocol.

    Prior to data exfiltration and dropping Warlock, LockBit, and Babuk, the adversary has been found to modify Active Directory (AD) Group Policy Objects (GPOs), turn off real-time protection to tamper with system defenses, and evade detection. The findings mark the first time Storm-2603 has been linked to the deployment of Babuk ransomware.

    Rapid7, which maintains Velociraptor after acquiring it in 2021, previously told The Hacker News that it’s aware of the misuse of the tool, and that it can also be abused when in the wrong hands, just like other security and administrative tools.

    “This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities,” Christiaan Beek, Rapid7’s senior director of threat analytics, said in response to the latest reported attacks.

    According to Halcyon, Storm-2603 is believed to share some connections to Chinese nation-state actors owing to its early access to the ToolShell exploit and the emergence of new samples that exhibit professional-grade development practices consistent with sophisticated hacking groups.

    The ransomware crew, which first emerged in June 2025, has since used LockBit as both an operational tool and a development foundation. It’s worth noting that Warlock was the final affiliate registered with the LockBit scheme, under the name “wlteaml,” before LockBit suffered a data leak a month before Warlock’s emergence.

    “Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the company said. “Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews.”

    Halcyon also pointed out the threat actor’s 48-hour development cycles for feature additions, reflective of structured team workflows. This centralized, organized project structure suggests a team with dedicated infrastructure and tooling, it added.

    Other notable aspects that suggest ties to Chinese state-sponsored actors include –

    • Use of operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms
    • The compilation of ransomware payloads at 22:58-22:59 China Standard Time and packaging them into a malicious installer at 01:55 the next morning
    • Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, suggesting cohesive command-and-control (C2) operations and not opportunistic infrastructure reuse

    A deeper examination of Storm-2603’s development timeline has uncovered that the threat actor established the infrastructure for the AK47 C2 framework in March 2025, and then created the first prototype of the tool the following month. In April, it also pivoted from LockBit-only deployment to dual LockBit/Warlock deployment within a span of 48 hours.

    While it subsequently registered as a LockBit affiliate, work continued on its own ransomware until it was formally launched under the Warlock branding in June. Weeks later, the threat actor was observed leveraging the ToolShell exploit as a zero-day while also deploying Babuk ransomware starting July 21, 2025.

    “The group’s rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks,” Halcyon said.


    Source: thehackernews.com…

  • Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Steal Employee Salaries

    Oct 10, 2025 | Ravie Lakshmanan | SaaS Security / Threat Intelligence

    A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

    “Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence team said in a report.

    However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.

    What makes the attacks notable is that they don’t exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route salary payments to accounts managed by the threat actors.

    In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails designed to harvest victims’ credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over their Workday profiles through single sign-on (SSO).

    The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles. This includes altering the salary payment configuration to redirect future salary payments to accounts under their control.

    To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What’s more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities.

    Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links.

    To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.
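    The review Microsoft recommends above comes down to two account-level checks: inbox rules that suppress notification mail from the HR platform, and MFA methods (phone numbers in particular) enrolled around the time of a suspicious sign-in. The following is an added example of those checks, not Microsoft's or Workday's code; the rule and MFA records are constructed for the example, the sender keywords and the rule-action names are assumptions standing in for whatever an exported rule set from a real mailbox uses, and the hypothetical sign-in timestamp is the pivot an investigation would start from.

```python
"""Audit constructed inbox rules and MFA enrollments for the Storm-2657 indicators.

Added example, not Microsoft's or Workday's code. Records, keywords and action
names are constructed for this example; a real review would feed exported
inbox rules and authentication-method listings into the same two checks.
"""
from datetime import datetime

# Assumed sender/subject keywords that identify HR or payroll notification mail.
HR_KEYWORDS = ("workday", "payroll", "hr-notifications")
# Assumed rule actions that hide a message from the user (names are constructed).
HIDING_ACTIONS = ("delete", "move_to_deleted_items", "mark_read_and_move")

# Constructed inbox rules: one benign, two of the kind described in the article.
INBOX_RULES = [
    {"name": "Newsletter cleanup", "sender_contains": "newsletter",
     "subject_contains": "", "action": "move_to_folder"},
    {"name": ".", "sender_contains": "workday.com",
     "subject_contains": "", "action": "delete"},
    {"name": "pay", "sender_contains": "",
     "subject_contains": "payment election", "action": "move_to_deleted_items"},
]

# Constructed MFA methods on the account: a long-standing key and a newly added phone.
MFA_METHODS = [
    {"type": "fido2", "value": "hardware key", "enrolled_at": "2024-02-01T09:00:00"},
    {"type": "phone", "value": "+1-555-0100", "enrolled_at": "2025-04-22T03:17:45"},
]

# Hypothetical timestamp of the AitM-phished sign-in the review pivots on.
SUSPICIOUS_SIGNIN_AT = "2025-04-22T03:15:02"


def suspicious_inbox_rules(rules):
    """Return names of rules that hide mail from HR/payroll senders or about payment changes."""
    hits = []
    for rule in rules:
        sender = rule["sender_contains"].lower()
        subject = rule["subject_contains"].lower()
        targets_hr = any(k in sender or k in subject for k in HR_KEYWORDS) or "payment" in subject
        if targets_hr and rule["action"] in HIDING_ACTIONS:
            hits.append(rule["name"])
    return hits


def mfa_enrolled_after(methods, since_iso, types=("phone", "sms", "voice")):
    """Return phone-style MFA methods enrolled at or after the given sign-in time."""
    since = datetime.fromisoformat(since_iso)
    return [m["value"] for m in methods
            if m["type"] in types and datetime.fromisoformat(m["enrolled_at"]) >= since]


def lacks_phishing_resistant_mfa(methods):
    """True when the account has no FIDO2 method, the mitigation the article recommends."""
    return not any(m["type"] == "fido2" for m in methods)


def audit_account(rules, methods, signin_iso):
    """Combine the three checks into one finding record for the account."""
    return {
        "hiding_rules": suspicious_inbox_rules(rules),
        "new_mfa_phones": mfa_enrolled_after(methods, signin_iso),
        "no_fido2": lacks_phishing_resistant_mfa(methods),
    }


if __name__ == "__main__":
    print(audit_account(INBOX_RULES, MFA_METHODS, SUSPICIOUS_SIGNIN_AT))
```

On the constructed data the audit reports the two hiding rules and the phone enrolled two minutes after the suspicious sign-in, while the FIDO2 check passes; an account that fails the last check is the one to move to a phishing-resistant method first, since the AitM link in this campaign captures codes from any method that relies on something the user types.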


    Source: thehackernews.com…

  • Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers

    Oct 10, 2025 | Ravie Lakshmanan | Ransomware / Data Theft

    Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js’ Single Executable Application (SEA) feature as a way to distribute its payloads.

    According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It’s assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord.

    SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.

    “Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.

    On a dedicated website, the threat actors behind Stealit claim to offer “professional data extraction solutions” via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.

    Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license. The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99.

    The fake executables contain an installer that’s designed to retrieve the main components of the malware from a command-and-control (C2) server and install them, but not before performing a number of anti-analysis checks to determine whether it’s running inside a virtual or sandboxed environment.

    A crucial aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%cache.json file. This key is used to authenticate with the C2 server, and also by subscribers to log in to the dashboard, likely in order to monitor and control their victims.

    The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components is not flagged. The functions of the three executables are as follows –

    • save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It’s designed to drop a tool named “cache.exe” – part of the open-source project ChromElevator – to extract information from Chromium-based browsers.
    • stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
    • game_cache.exe, which sets up persistence on the host by creating a Visual Basic script that launches the malware upon system reboot, and communicates with the C2 server to stream the victim’s screen in real time, execute arbitrary commands, download/upload files, and change the desktop wallpaper.

    “This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed,” Fortinet said. “Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”
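    Defenders triaging the counterfeit installers described above can use the SEA mechanism itself as a signal: Node.js binaries ship with a documented sentinel "fuse" string that postject flips from ":0" to ":1" when a script blob is injected. The script below is an added example for this summary, not Fortinet's or the Node.js project's code; the marker strings come from the public Node.js SEA documentation, the sample byte images are constructed stand-ins for real binaries, and a flipped fuse only means "SEA-packaged", so legitimate SEA apps will match too.

```python
"""Heuristic triage for Node.js Single Executable Application (SEA) binaries.

A Node.js executable embeds a fuse string that postject flips from ":0" to
":1" when a SEA blob is injected, so the flag byte alone separates a plain
Node runtime from a bundle carrying an embedded script.
"""
from pathlib import Path

# Sentinel fuse documented for Node.js SEA / postject.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
# Name of the injected resource/section (ASCII, and UTF-16LE as a Windows PE
# resource name is stored).
SEA_BLOB_NAMES = (b"NODE_SEA_BLOB", "NODE_SEA_BLOB".encode("utf-16-le"))


def classify_sea(data: bytes) -> str:
    """Return 'not-node', 'node-runtime' or 'sea-bundle' for a binary image."""
    idx = data.find(SEA_FUSE)
    if idx == -1:
        return "not-node"
    flag = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 2]
    if flag == b":1":
        return "sea-bundle"
    if flag == b":0":
        return "node-runtime"
    return "node-fuse-unknown"  # fuse present but flag bytes missing/garbled


def has_sea_blob_name(data: bytes) -> bool:
    """True when the binary also names the SEA blob resource/section."""
    return any(name in data for name in SEA_BLOB_NAMES)


def triage_dir(root: Path) -> list[dict]:
    """Report every file under root whose fuse has been flipped to ':1'."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            if classify_sea(data) == "sea-bundle":
                hits.append({"path": str(p), "blob_name": has_sea_blob_name(data)})
    return hits


# Constructed sample images (not real binaries): padding around the markers.
SAMPLE_RUNTIME = b"MZ" + b"\x00" * 32 + SEA_FUSE + b":0" + b"\x00" * 16
SAMPLE_BUNDLE = (b"MZ" + b"\x00" * 32 + SEA_FUSE + b":1" + b"\x00" * 8
                 + "NODE_SEA_BLOB".encode("utf-16-le"))
SAMPLE_OTHER = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    for name, img in (("runtime", SAMPLE_RUNTIME), ("bundle", SAMPLE_BUNDLE), ("other", SAMPLE_OTHER)):
        print(name, classify_sea(img), has_sea_blob_name(img))
```

    Run triage_dir over a download folder to shortlist SEA-packaged executables, then check whether any of them also appear in Microsoft Defender exclusion paths, which the installer is described as adding.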


    Source: thehackernews.com…

  • From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation

    Oct 10, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that’s assessed to have come under active exploitation since at least September 11, 2025.

    The company said it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious activity” related to the flaw.

    That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident.

    A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15. Three days later, a CVE for the vulnerability was formally published, it added.

    “The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet,” Fortra said. “Other web-based components of the GoAnywhere architecture are not affected by this vulnerability.”

    However, it conceded that there are a “limited number of reports” of unauthorized activity related to CVE-2025-10035. As additional mitigations, the company is recommending that users restrict admin console access over the internet, as well as enable monitoring and keep software up-to-date.

    CVE-2025-10035 concerns a deserialization vulnerability in the License Servlet that could result in command injection without authentication. In a report earlier this week, Microsoft revealed that a threat actor it tracks as Storm-1175 has been exploiting the flaw since September 11 to deploy Medusa ransomware.

    That said, there is still no clarity on how the threat actors managed to obtain the private keys needed to exploit this vulnerability.

    “The fact that Fortra has now opted to confirm (in their words) ‘unauthorized activity related to CVE-2025-10035’ demonstrates yet again that the vulnerability was not theoretical and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” watchTowr CEO and founder Benjamin Harris said.


    Source: thehackernews.com…