Tag: Cyber Threats

Aug 24, 2025Ravie LakshmananMalware / Supply Chain Security

Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator.

“On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor,” Socket researcher Kirill Boychenko said.

The deceptive package, named “golang-random-ip-ssh-bruteforce,” has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible. However, it continues to be available on pkg.go[.]dev. It was published on June 24, 2022.

The software supply chain security company said the Go module works by scanning random IPv4 addresses for exposed SSH services on TCP port 22, then attempting to brute-force the service using an embedded username-password list and exfiltrating the successful credentials to the attacker.

A notable aspect of the malware is that it deliberately disables host key verification by setting “ssh.InsecureIgnoreHostKey” as a HostKeyCallback, thereby allowing the SSH client to accept connections from any server regardless of their identity.

The wordlist is fairly straightforward, including only two usernames root and admin, and pairing them against weak passwords like root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.

The malicious code runs in an infinite loop to generate the IPv4 addresses, with the package attempting concurrent SSH logins from the wordlist.

The details are transmitted to a threat actor-controlled Telegram bot named “@sshZXC_bot” (ssh_bot) via the API, which then acknowledges the receipt of the credentials. The messages are sent through the bot to an account with the handle “@io_ping” (Gett).

An Internet Archive snapshot of the now-removed GitHub account shows that IllDieAnyway, aka G3TT’s software portfolio, included an IP port scanner, an Instagram profile info and media parser, and even a PHP-based command-and-control (C2) botnet called Selica-C2.

Their YouTube channel, which remains accessible, hosts various short-form videos on “How to hack a Telegram bot” and what they claim to be the “most powerful SMS bomber for the Russian Federation,” which can send spam SMS texts and messages to VK users using a Telegram bot. It’s assessed that the threat actor is of Russian origin.

“The package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot,” Boychenko said.

“It disables host key verification, drives high concurrency, and exits after the first valid login to prioritize quick capture. Because the Telegram Bot API uses HTTPS, the traffic looks like normal web requests and can slip past coarse egress controls.”

Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure.

The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

“This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”

The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server.

The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware. The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using the device resources for activities like bandwidth sharing.

The approach is a win-win situation for all parties involved, as developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals get to profit off unused bandwidth using a seemingly innocuous channel that doesn’t raise any red flags.

“Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.

“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”

The disclosure comes as Censys detailed the infrastructural backbone powering a large-scale IoT botnet called PolarEdge that comprises enterprise-grade firewalls and consumer-oriented devices like routers, IP cameras, and VoIP phones by taking advantage of known security vulnerabilities. Its exact purpose is currently not known, although it’s clear that the botnet isn’t being used for indiscriminate mass scanning.

The initial access is then abused to drop a custom TLS backdoor based on Mbed TLS that facilitates encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoor has been commonly observed deployed on high, non-standard ports, likely as a way to bypass traditional network scans and defensive monitoring scope.

PolarEdge exhibits traits that align with an Operational Relay Box (ORB) network, with the attack surface management platform stating there are indications that the campaign started as far back as June 2023, reaching about 40,000 active devices as of this month. More than 70% of the infections are scattered across South Korea, the United States, Hong Kong, Sweden, and Canada.

“ORBs are compromised exit nodes that forward traffic in order to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said. “What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.”

In recent months, vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been targeted by bad actors to infiltrate them and deploy a Mirai botnet variant codenamed gayfemboy, suggesting an expansion of the targeting scope.

“The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.”

Gayfemboy is capable of targeting various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It incorporates four primary functions –

• Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
• Watchdog, which attempts to bind to UDP port 47272
• Attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
• Killer, which terminates itself if it receives the command from the server or detects sandbox manipulation

“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.”

The findings also coincide with a cryptojacking campaign undertaken by a threat actor dubbed TA-NATALSTATUS that’s targeting exposed Redis servers to deliver cryptocurrency miners.

The attack essentially involves scanning for unauthenticated Redis servers on port 6379, followed by issuing legitimate CONFIG, SET, and SAVE commands to execute a malicious cron job that’s designed to run a shell script that disables SELinux, performs defense evasion steps, block external connections to the Redis port in order to prevent rival actors from using the initial access pathway to get in, and terminate competing mining processes (e.g., Kinsing).

Also deployed are scripts to install tools like masscan or pnscan, and then launching commands like “masscan –shard” to scan the internet for susceptible Redis instances. The last step involves setting up persistence via an hourly cron job and kicking off the mining process.

Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, packing in new features to accommodate rootkit-like features to hide malicious processes and alter the timestamps of their files to fool forensic analysis.

“By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said. “They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.”

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.

The “Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file,” Trellix researcher Sagar Bade said in a technical write-up.

“The payload isn’t hidden inside the file content or a macro, it’s encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.”

The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.

What’s more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don’t typically scan file names.

The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: “ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`”

Specifically, the file name incorporates Bash-compatible code that’s engineered to execute commands when it’s interpreted by the shell. It’s worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.

Another important aspect to consider here is that it’s not possible to manually create a file name with this syntax, meaning it was likely created using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said.

This, in turn, leads to the execution of an embedded Base64-encoded downloader, which then retrieves from an external server an ELF binary for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, initiates communication with a command-and-control (C2) server to obtain the encrypted VShell payload, decode, and execute it on the host.

Trellix said the phishing emails are disguised as an invitation for a beauty product survey, luring recipients with a monetary reward (10 RMB) for completing it.

“Crucially, the email includes a RAR archive attachment (‘yy.rar’), even though it doesn’t explicitly instruct the user to open or extract it,” Bade explained. “The social engineering angle is subtle: The user is distracted by the survey content, and the presence of the attachment might be mistaken for a survey-related document or data file.”

VShell is a Go-based remote access tool that has been widely put to use by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications.

What makes this attack dangerous is that the malware operates entirely in-memory, avoiding disk-based detection, not to mention it can target a wide range of Linux devices.

“This analysis highlights a dangerous evolution in Linux malware delivery where a simple file name embedded in a RAR archive can be weaponized to execute arbitrary commands,” Trellix said. “The infection chain exploits command injection in shell loops, abuses Linux’s permissive execution environment, and ultimately delivers a powerful backdoor VShell malware capable of full remote control over the system.”

The development comes as Picus Security released a technical analysis of a Linux-focused post-exploit tool dubbed RingReaper that leverages the Linux kernel’s io_uring framework to circumvent traditional monitoring tools. It’s currently not known who is behind the malware.

“Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uringprimitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously,” security researcher Sıla Özeren Hacıoğlu said. “This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms.”

RingReaper makes use of io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users, while reducing its footprint and avoiding detection. It’s also capable of collecting user information from the “/etc/passwd” file, abusing SUID binaries for privilege escalation, and erasing traces of itself after execution.

“It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook,” Picus said.

Aug 22, 2025Ravie LakshmananOnline Fraud / Financial Crime

INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims.

“The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said.

The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams. and business email compromise (BEC). The first wave of arrests occurred late last year.

Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme.

“The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support power distribution in vulnerable areas,” INTERPOL said.

Elsewhere, Zambian authorities have taken down a large-scale online investment fraud operation that claimed 65,000 victims who lost around $300 million after they were lured into investing in cryptocurrency through advertising campaigns that promised high-yield returns.

Fifteen individuals have been arrested in connection with the scheme, with officials seizing domains, mobile numbers, and bank accounts for further investigation. Also disrupted in the southern African country is a scam center and a suspected human trafficking network.

Lastly, law enforcement also tore down a transnational inheritance scam originating in Germany, arresting the primary suspect and confiscating electronics, jewellery, cash, and vehicles. The same is estimated to have caused losses of around $1.6 million.

“Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of INTERPOL, said. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Singapore-headquartered Group-IB said it provided “circumstantial intelligence” on a cryptocurrency investment scam, along with infrastructural details associated with the scam and other BEC campaigns across the African region.

“Cybercrime recognizes no borders, and its impact is truly global,” Dmitry Volkov, Group-IB CEO, said. “The success of Operation Serengeti 2.0 demonstrates what can be achieved when nations stand together against this threat.”

The disclosure comes as Nigeria deported 102 foreign nationals, including 60 Chinese and 39 people from the Philippines, who were convicted of cyber terrorism and internet fraud, according to the country’s Economic and Financial Crimes Commission (EFCC). The deportees were among 792 suspected cybercriminals arrested in December 2024.

Earlier this March, law enforcement authorities in seven African countries also arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025.

Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks.

“The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances,” CrowdStrike said in a Thursday report.

Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America.

Earlier this March, Microsoft detailed the threat actor’s shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks. It’s assessed that Murky Panda’s operations are driven by intelligence gathering.

Like other Chinese hacking groups, Murky Panda has exploited internet-facing appliances to obtain initial access and is believed to have also compromised small office/home office (SOHO) devices that are geolocated in the targeted country as an exit node to hinder detection efforts.

Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware called CloudedHope.

A 64-bit ELF binary and written in Golang, CloudedHope functions as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures, such as modifying timestamps and deleting indicators of their presence in victim environments to fly under the radar.

But a notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims.

In at least one instance observed in late 2024, the threat actor is said to have compromised a supplier of a North American entity and used the supplier’s administrative access to the victim entity’s Entra ID tenant to add a temporary backdoor Entra ID account.

“Using this account, the threat actor then backdoored several preexisting Entra ID service principles related to Active Directory management and emails,” CrowdStrike said. “The adversary’s goals appear targeted in nature based on their focus on accessing emails.”

“Although Genesis Panda targets a variety of systems, they show consistent interest in compromising cloud-hosted systems to leverage the cloud control plane for lateral movement, persistence, and enumeration,” CrowdStrike said.

The adversary has observed “consistently” querying the Instance Metadata Service (IMDS) associated with a cloud-hosted server to obtain credentials for the cloud control plane and enumerate network and general instance configurations. It’s also known to use credentials, likely obtained from compromised virtual machines (VMs), to burrow deeper into the target’s cloud account.

The findings illustrate how Chinese hacking groups are becoming increasingly adept at breaking and navigating cloud environments, while also prioritizing stealth and persistence to ensure sustained access and covert data harvesting.

Glacial Panda Strikes Telecom Sector

The telecommunications sector, per CrowdStrike, has witnessed a 130% increase in nation-state activity over the past year, primarily driven by the fact they are a treasure trove of intelligence. The latest threat actor to train its sights on the industry vertical is a Chinese threat actor dubbed Glacial Panda.

The geographic footprint of the hacking group spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.

“Glacial Panda highly likely conducts targeted intrusions for intelligence collection purposes, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations,” the cybersecurity company said.

“The adversary primarily targets Linux systems typical in the telecommunications industry, including legacy operating system distributions that support older telecommunications technologies.”

Attack chains implemented by the threat actor make use of known security vulnerabilities or weak passwords aimed at internet-facing and unmanaged servers, with follow-on activities leveraging privilege escalation bugs like CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit).

Besides relying on living-off-the-land (LotL) techniques, Glacial Panda’s intrusions pave the way for the deployment of trojanized OpenSSH components, collectively codenamed ShieldSlide, to gather user authentication sessions and credentials.

“The ShieldSlide-trojanized SSH server binary also provides backdoor access, authenticating any account (including root) when a hardcoded password is entered,” CrowdStrike said.

Aug 22, 2025The Hacker NewsPenetration Testing / Security Operations

Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace.

Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work.

Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows. (No waiting for the final report!)

The Static Delivery Problem in a Dynamic World

Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.

Why Automation Matters Now

As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings rapidly grows. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle.

Benefits of automating pentest delivery include:

• Real-time actionability: Act on findings immediately, not after the report is finalized
• Faster response: Accelerate remediation, retesting and validation
• Standardized operations: Ensure every finding follows a consistent process
• Less manual work: Free teams to focus on strategic initiatives
• Improved focus: Keep teams focused on what matters

Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner to drive client value.

For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR).

5 Key Components of Automated Pentest Delivery

1. Centralized data ingestion: Start by consolidating all findings—manual and automated—into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.
2. Automated real-time delivery: As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking to allow remediation to begin while testing is still in progress.
3. Automated routing & ticketing: Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues to ensure findings are automatically routed to the right teams and systems.
4. Standardized remediation workflows: Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered from a scanner or manual testing, the process from triage to fix should be consistent and traceable.
5. Triggered retesting & validation: When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.

PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform.

Avoid Common Pitfalls

Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems. Watch out for:

• Overcomplicating early efforts: Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success.
• Treating automation as a one-time setup: Your workflows should evolve alongside your tools, team structure, and priorities. Failing to iterate leads to stale processes that no longer align with how teams operate.
• Automating without clearly defined workflows: Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves.

How to get started

Here’s how to begin automating pentest delivery:

1. Map your current workflow: Document how findings are delivered, triaged, assigned, and tracked today.
2. Identify friction points: Look for repetitive tasks, handoff delays, and areas where communication breaks down.
3. Start small: Automate one or two high-impact steps first, like ticket creation, email alerts, or finding delivery. Add complexity over time as you validate what’s working well and use early results to evolve workflows, add rules, and further streamline.
4. Choose the right platform: Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.
5. Measure impact: Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts.

The Future of Pentest Delivery

Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution to help teams move faster, collaborate better, and reduce risk more effectively.

For Service Providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead. For Enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats.

Conclusion

Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts by making findings more actionable, standardizing remediation workflows, and delivering measurable outcomes.

Whether you’re delivering tests to clients or to an internal team, the message is clear: The future of pentest delivery is automated.

Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle.

Aug 22, 2025Ravie LakshmananCybercrime / Malware

A 55-year-old Chinese national has been sentenced to four years in prison and three years of supervised release for sabotaging his former employer’s network with custom malware and deploying a kill switch that locked out employees when his account was disabled.

Davis Lu, 55, of Houston, Texas, was convicted of causing intentional damage to protected computers in March 2025. He was arrested and charged in April 2021 for abusing his position as a software developer to execute malicious code on his employer’s computer servers.

“The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

“However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions.”

Court documents show that Lu was employed as a software developer for the unnamed company based in Ohio from November 2007 to October 2019. But after his responsibilities and system access were reduced following a 2018 corporate realignment, Lu enacted a scheme to deliberately introduce malicious code around August 2019, resulting in system crashes and preventing user logins.

To pull this off, Lu is said to have created infinite loops in source code to trigger server crashes by repeatedly creating new Java threads without proper termination. He also deleted coworker profile files and implemented a kill switch that would lock out all users if his credentials in the company’s Active Directory were disabled.

“The ‘kill switch’ code – which Lu named ‘IsDLEnabledinAD,’ abbreviating ‘Is Davis Lu enabled in Active Directory’ — was automatically activated when he was placed on leave and asked to surrender his laptop on September 9, 2019, and impacted thousands of company users globally,” the Department of Justice said.

“Lu named other code ‘Hakai,’ a Japanese word meaning ‘destruction,’ and ‘HunShui,’ a Chinese word meaning ‘sleep’ or ‘lethargy.’”

Furthermore, on the day Lu was instructed to return his company-issued laptop, the defendant deleted encrypted volumes and attempted to erase Linux directories and two additional projects. His internet search history laid bare the methods he researched to escalate privileges, hide processes, and delete files, suggesting an attempt to obstruct the company’s efforts to resolve the issues.

Lu’s unlawful actions are estimated to have cost the company hundreds of thousands of dollars in losses, per the department. This case also underscores the importance of identifying insider threats early, added Assistant Director Brett Leatherman of the Federal Bureau of Investigation’s (FBI) Cyber Division.

Aug 21, 2025Ravie LakshmananVulnerability / Software Security

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances.

The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows –

• CVE-2025-57788 (CVSS score: 6.9) – A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials
• CVE-2025-57789 (CVSS score: 5.3) – A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control
• CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution
• CVE-2025-57791 (CVSS score: 6.9) – A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role

watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. Commvault SaaS solution is not affected.

In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: One that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790.

It’s worth noting that the second pre-auth remote code execution chain becomes successful only if the built-in admin password hasn’t been changed since installation.

The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations.

A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

Aug 21, 2025Ravie LakshmananMalware / Cryptocurrency

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.

Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups.

“The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today.

The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads –

• UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads
• UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT

The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.

The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3.

Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server. The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection.

“CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.”

Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads.

Persistence on the host is achieved by means of Windows Registry changes. At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself.

Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine.

“To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said. “Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.”

USB Infection Drops XMRig Miner

The disclosure comes as the threat intelligence firm detailed an ongoing campaign that employs USB drives to infect other hosts and deploy cryptocurrency miners since September 2024.

“This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said. “The low cost and ability to bypass network security make this technique a compelling option for attackers.”

The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive. The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection –

• DIRTYBULK, a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL
• CUTFAIL, a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-libraries like OpenSSL, libcurl, and WinPthreadGC
• HIGHREPS, a downloader that retrieves additional files to ensure persistence of PUMPBENCH
• PUMPBENCH, a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and download XMRig
• XMRig, an an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin

“PUMPBENCH spreads by infecting USB drives,” Mandiant said. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.”

Aug 21, 2025Ravie LakshmananMalware / Email Security

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that’s being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024.

Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.

IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable.

“The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL,” security researcher Raymond Joseph Alfonso said. “This DLL, in turn, loads, decrypts, and injects the final payload into its target process.”

This is achieved by using process hollowing to inject the malware into one of the three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.

The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico.

The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.

The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT.

“The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.”

New Phishing Trends

The development comes as threat actors are using new QR code phishing (aka quishing) tactics like splitting malicious QR codes into two parts or embedding them within legitimate ones in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution.

“Malicious QR codes are popular with attackers for several reasons,” Barracuda researcher Rohit Suresh Kanase said. “They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners.”

“Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.”

The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to acquire credentials and two-factor authentication (2FA) codes from individuals and organizations to gain access to victims’ accounts and use them to send emails for carrying out cryptocurrency scams.

“The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals’ credentials,” NVISO Labs said. “PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit.”

A noteworthy aspect of the kit is the use of a technique known as precision-validated phishing in which the attacker validates an email address in real-time in the background, while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.