Tag: Cyber Security

  • HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

    Dec 18, 2025 | Ravie Lakshmanan | Vulnerability / Enterprise Security

    Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution.

    The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface.

    “A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said in an advisory issued this week.

    It affects all versions of the software prior to version 11.00, which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20.

    It’s worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.

    Although HPE makes no mention of the flaw being exploited in the wild, it’s essential that users apply the patches as soon as possible for optimal protection.

    Earlier this June, the company also released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. It also shipped OneView version 10.00 to remediate a number of known flaws in third-party components, such as Apache Tomcat and Apache HTTP Server.


    Source: thehackernews.com…

  • China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

    Dec 18, 2025 | Ravie Lakshmanan | Malware / Cloud Security

    A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan.

    The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023.

    “LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” security researchers Anton Cherepanov and Peter Strýček said.

    Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers.

    The attacks are characterized by the use of a varied custom toolset that mainly consists of C#/.NET applications –

    • NosyHistorian, to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox
    • NosyDoor, a backdoor that uses Microsoft OneDrive as C&C and executes commands that allow it to exfiltrate files, delete files, and execute shell commands
    • NosyStealer, to exfiltrate browser data from Google Chrome and Microsoft Edge to Google Drive in the form of an encrypted TAR archive
    • NosyDownloader, to download and run a payload in memory, such as NosyLogger
    • NosyLogger, a modified version of DuckSharp that’s used to log keystrokes

    NosyDoor execution chain

    ESET said it first detected activity associated with the hacking group in February 2024 on a system of a governmental entity in Southeast Asia, eventually finding that Group Policy was used to deliver the malware to multiple systems from the same organization. The exact initial access methods used in the attacks are presently unknown.

    Further analysis has determined that while many victims were affected by NosyHistorian between January and March 2024, only a subset of these victims were infected with NosyDoor, indicating a more targeted approach. In some cases, the dropper used to deploy the backdoor using AppDomainManager injection has been found to contain “execution guardrails” that are designed to limit operation to specific victims’ machines.

    Also employed by LongNosedGoblin are other tools like a reverse SOCKS5 proxy, a utility that’s used to run a video recorder to capture audio and video, and a Cobalt Strike loader.

    The cybersecurity company noted that the threat actor’s tradecraft shares tenuous overlaps with clusters tracked as ToddyCat and Erudite Mogwai, but emphasized the lack of definitive evidence linking them together. That said, the similarities between NosyDoor and LuckyStrike Agent and the presence of the phrase “Paid Version” in the PDB path of LuckyStrike Agent have raised the possibility that the malware may be sold or licensed to other threat actors.

    “We later identified another instance of a NosyDoor variant targeting an organization in an E.U. country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server,” the researchers noted. “The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups.”


    Source: thehackernews.com…

  • Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

    Dec 18, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

    The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that the attacks have singled out a “limited subset of appliances” with certain ports open to the internet. It’s currently not known how many customers are affected.

    “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said in an advisory. “The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.”

    The as-yet-unpatched vulnerability is being tracked as CVE-2025-20393, and carries a CVSS score of 10.0. It concerns a case of improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.

    All releases of Cisco AsyncOS Software are affected. However, for successful exploitation to occur, the following conditions have to be met for both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances –

    • The appliance is configured with the Spam Quarantine feature
    • The Spam Quarantine feature is exposed to and reachable from the internet

    It’s worth noting that the Spam Quarantine feature is not enabled by default. To check whether it’s enabled, users are advised to follow the steps below –

    • Connect to the web management interface
    • Navigate to Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured] (for Secure Email and Web Manager)
    • If the Spam Quarantine option is checked, the feature is enabled

    The exploitation activity observed by Cisco dates back to at least late November 2025, with UAT-9686 weaponizing the vulnerability to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.

    Also deployed in the attacks is a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.

    “It listens passively for unauthenticated HTTP POST requests containing specially crafted data,” Cisco said. “If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.”

    In the absence of a patch, users are advised to restore their appliances to a secure configuration, limit access from the internet, secure the devices behind a firewall to allow traffic only from trusted hosts, separate mail and management functionality onto separate network interfaces, monitor web log traffic for any unexpected traffic, and disable HTTP for the main administrator portal.

    It’s also recommended to turn off any network services that are not required, use strong end-user authentication methods like SAML or LDAP, and change the default administrator password to a more secure variant.
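    One concrete way to act on the “monitor web log traffic for any unexpected traffic” advice above, as an added example that is not Cisco’s code or part of the advisory: AquaShell is described as listening passively for unauthenticated HTTP POST requests, so the script below walks a web access log and flags POSTs that arrive without a session cookie from sources outside the trusted ranges. Everything not on the page is an assumption: the NCSA-combined log layout with a trailing cookie field (the real AsyncOS web log format may differ, so adjust `LOG_RE`), the `/quarantine` path, the trusted networks, and the sample log lines, which are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed log layout: NCSA combined plus a trailing quoted cookie field.
# The actual AsyncOS web log format may differ; adapt LOG_RE to it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?\s*$'
)

# Placeholder ranges for hosts that are allowed to reach the quarantine interface.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log; 203.0.113.0/24 is a documentation range, /quarantine is a stand-in path.
SAMPLE_LOG = """\
192.168.10.5 - - [18/Dec/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "sid=abc123"
192.168.10.5 - - [18/Dec/2025:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "sid=abc123"
203.0.113.77 - - [18/Dec/2025:10:03:41 +0000] "GET /quarantine HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.77 - - [18/Dec/2025:10:03:44 +0000] "POST /quarantine HTTP/1.1" 200 13 "-" "python-requests/2.31" "-"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src):
    """True if the source address falls inside one of TRUSTED_NETS."""
    try:
        ip = ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def is_unauthenticated(rec):
    # "-" or an empty field means the client presented no session cookie at all.
    return rec.get("cookie") in (None, "", "-")


def find_suspicious_posts(lines):
    """POST requests from outside TRUSTED_NETS that carry no session cookie."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and is_unauthenticated(rec) and not is_trusted(rec["src"])):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count offending (source, path) pairs so repeat posters stand out."""
    return Counter((h["src"], h["path"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious_posts(SAMPLE_LOG.splitlines())
    for (src, path), n in summarize(found).items():
        print(f"{src} -> POST {path}: {n} unauthenticated request(s)")
```

    A single hit is worth a look because the quarantine interface should only ever be driven by logged-in browsers from known ranges; a non-browser User-Agent on the same request, as in the sample, strengthens the case for treating the appliance as compromised and following the rebuild guidance below.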

    “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” the company said.

    The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by December 24, 2025, to secure their networks.

    The disclosure comes as GreyNoise said it has detected a “coordinated, automated credential-based campaign” aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.

    More than 10,000 unique IPs are estimated to have engaged in automated login attempts to GlobalProtect portals located in the U.S., Pakistan, and Mexico using common username and password combinations on December 11, 2025. A similar spike in opportunistic brute-force login attempts has been recorded against Cisco SSL VPN endpoints as of December 12, 2025. The activity originated from 1,273 IP addresses.

    “The activity reflects large-scale scripted login attempts, not vulnerability exploitation,” the threat intelligence firm said. “Consistent infrastructure usage and timing indicate a single campaign pivoting across multiple VPN platforms.”
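    The GreyNoise observation, “large-scale scripted login attempts, not vulnerability exploitation,” is exactly the pattern a VPN gateway’s own authentication log can surface. The script below is an added example, not GreyNoise’s or any vendor’s code: it parses failed-login events and reports two things, a single source cycling through many usernames inside a time window (password spraying) and a single username hit from many sources (distributed attempts). The event format, thresholds and sample lines are assumptions; real GlobalProtect and Cisco SSL VPN logs carry different fields, so `EVENT_RE` must be adapted, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event format (one line per attempt). Real GlobalProtect system logs
# and Cisco ASA/FTD syslog records differ; adapt EVENT_RE to your gateway.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ vpn-auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample; 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_EVENTS = """\
2025-12-11T03:00:01Z gw01 vpn-auth: FAILED user=admin src=198.51.100.10
2025-12-11T03:00:02Z gw01 vpn-auth: FAILED user=test src=198.51.100.10
2025-12-11T03:00:03Z gw01 vpn-auth: FAILED user=guest src=198.51.100.10
2025-12-11T03:00:04Z gw01 vpn-auth: FAILED user=vpn src=198.51.100.10
2025-12-11T03:00:05Z gw01 vpn-auth: FAILED user=root src=198.51.100.10
2025-12-11T03:00:06Z gw01 vpn-auth: FAILED user=admin src=198.51.100.11
2025-12-11T03:00:07Z gw01 vpn-auth: FAILED user=admin src=198.51.100.12
2025-12-11T03:00:08Z gw01 vpn-auth: FAILED user=admin src=198.51.100.13
2025-12-11T03:05:00Z gw01 vpn-auth: SUCCESS user=alice src=192.0.2.44
2025-12-11T03:06:00Z gw01 vpn-auth: FAILED user=alice src=192.0.2.44
"""


def parse_events(lines):
    """Turn matching log lines into dicts with a datetime 'ts'; skip anything else."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_failures=5, min_users=3, min_sources=3):
    """Return (spray_sources, targeted_users).

    spray_sources: src -> largest number of failures in any sliding `window`
                   that also touched at least `min_users` distinct usernames.
    targeted_users: user -> number of distinct sources that failed against it,
                    when that number reaches `min_sources`.
    """
    failed = sorted((e for e in events if e["result"] == "FAILED"), key=lambda e: e["ts"])
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in failed:
        by_src[e["src"]].append(e)
        by_user[e["user"]].append(e)

    spray_sources = {}
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_failures and len({b["user"] for b in burst}) >= min_users:
                spray_sources[src] = max(spray_sources.get(src, 0), len(burst))

    targeted_users = {}
    for user, evs in by_user.items():
        sources = {e["src"] for e in evs}
        if len(sources) >= min_sources:
            targeted_users[user] = len(sources)
    return spray_sources, targeted_users


if __name__ == "__main__":
    sprays, targets = detect_spray(parse_events(SAMPLE_EVENTS.splitlines()))
    for src, n in sprays.items():
        print(f"spray: {src} made {n} failed logins across several usernames")
    for user, n in targets.items():
        print(f"targeted: {user} attempted from {n} distinct sources")
```

    The per-source view catches the noisy scanners; the per-username view is what exposes a campaign spread thinly across thousands of IPs, where no single source trips a rate limit. Tune the thresholds against a week of normal failures before alerting on them.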


    Source: thehackernews.com…

  • Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

    Dec 18, 2025 | Ravie Lakshmanan | Malware / Mobile Security

    The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).

    “The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”

    “Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”

    According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It’s being assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.

    A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status.

    Present within the page is a tracking PHP script that checks the User-Agent string of the browser and then displays a message urging the visitor to install a security module under the guise of verifying their identity, citing supposed “international customs security policies.”

    Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded into its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the necessary permission to read and manage external storage, access the internet, and install additional packages.

    “Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,’” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.”

    The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application is configured to generate a random six-digit verification code and display it as a notification, following which they are prompted to input the generated code.

    As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receives as many as 57 commands that allow it to log keystrokes, capture audio, start/stop camera recording, perform file operations, run commands, upload/download files, and gather location, SMS messages, contacts, call logs, and a list of installed apps.
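    The dropper pattern described above, an outer APK that carries an encrypted second APK in its resources and loads it at runtime, leaves a static footprint that is cheap to check before any dynamic analysis. The script below is an added example, not ENKI’s tooling or anything from the DocSwap sample: it treats the APK as the zip it is, and flags entries under `assets/` or `res/raw/` that are either plaintext code containers (zip or dex magic) or large near-random blobs, which is what an encrypted payload looks like. The directory list, size and entropy thresholds, and the sample APK built by `build_sample_apk()` are all constructed assumptions; it does not decrypt anything, and it does not parse the binary manifest for the storage, internet and install-packages permissions the article mentions, which needs an AXML decoder.

```python
import io
import math
import random
import zipfile
from collections import Counter

PAYLOAD_DIRS = ("assets/", "res/raw/")   # where droppers usually stash a second stage
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4")  # legitimately high-entropy
MIN_SIZE = 64 * 1024   # ignore small blobs; an APK worth loading is bigger than this
MIN_ENTROPY = 7.9      # bits per byte; encrypted or compressed data sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_entry(name, data):
    """Return a reason string if a zip entry looks like a hidden second stage, else None."""
    lower = name.lower()
    if not lower.startswith(PAYLOAD_DIRS):
        return None
    looks_like_code = (data.startswith(b"PK\x03\x04") or data.startswith(b"dex\n")
                       or lower.endswith((".apk", ".dex", ".jar")))
    if looks_like_code:
        return "embedded zip/dex outside classes.dex: dynamic code loading candidate"
    if (len(data) >= MIN_SIZE and not lower.endswith(MEDIA_EXT)
            and shannon_entropy(data) >= MIN_ENTROPY):
        return "large high-entropy blob: possible encrypted payload"
    return None


def triage_apk(apk_bytes):
    """Walk the APK (a zip file) and report the entries worth a manual look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            reason = classify_entry(info.filename, data)
            if reason:
                findings.append({"entry": info.filename, "size": len(data),
                                 "entropy": round(shannon_entropy(data), 3), "reason": reason})
    return findings


def build_sample_apk():
    """Constructed stand-in for a dropper APK (not the real sample); seeded so the result is stable."""
    rng = random.Random(2025)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 128)   # binary AXML stand-in
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4096)              # ordinary main dex
        z.writestr("res/raw/logo.png", b"\x89PNG\r\n\x1a\n" + rng.randbytes(70_000))  # media, skipped
        z.writestr("assets/config.txt", b"endpoint=tracking\n")                   # small plain text
        z.writestr("assets/secdelivery.bin", rng.randbytes(128 * 1024))         # "encrypted" second stage
        z.writestr("assets/plugin.apk", inner.getvalue())                        # plaintext embedded APK
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_apk(build_sample_apk()):
        print(f"{f['entry']}: {f['size']} bytes, entropy {f['entropy']} -> {f['reason']}")
```

    Media files are skipped by extension rather than by magic because a dropper that renames its payload to `.png` would slip past a magic check just as easily; if that worry applies, drop the extension exemption and accept the extra hits on real images.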

    ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that’s available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions.

    “This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.

    Further analysis of the threat actor infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users’ credentials. These sites, in turn, have been found to share overlaps with a prior Kimsuky credential harvesting campaign targeting Naver users.

    “The executed malware launches a RAT service, similarly to past cases, but demonstrates evolved capabilities such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.


    Source: thehackernews.com…

  • CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

    Dec 18, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an “embedded malicious code vulnerability” introduced by means of a supply chain compromise that could allow attackers to perform unintended actions.

    “Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise,” according to a description of the flaw published in CVE.org. “The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.”

    It’s worth noting that the vulnerability refers to the supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018.

    The Russian cybersecurity company said the goal of the attacks was to “surgically target” an unknown pool of users whose machines were identified by their network adapters’ MAC addresses. The trojanized versions of the artifacts came embedded with a hard-coded list of more than 600 unique MAC addresses.

    “A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software.

    The development comes a few weeks after ASUS formally announced that the Live Update client has reached end-of-support (EOS) as of December 4, 2025. The last version is 3.6.15. As a result, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still relying on the tool to discontinue its use by January 7, 2026.

    “ASUS is committed to software security and consistently provides real-time updates to help protect and enhance devices,” the company said in a support page. “Automatic, real-time software updates are available via the ASUS Live Update application. Please update the ASUS Live Update to V3.6.8 or higher version to resolve security concerns.”


    Source: thehackernews.com…

  • China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

    The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.

    Check Point Research is tracking the cluster under the name Ink Dragon. It’s also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023.

    “The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry,” the cybersecurity company said in a technical breakdown published Tuesday. “This mix makes their intrusions both effective and stealthy.”

    Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.”

    Details of the threat group first emerged in February 2025 when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor called FINALDRAFT (aka Squidoor) that’s capable of infecting both Windows and Linux systems. In recent months, Ink Dragon has also been linked to a five-month-long intrusion targeting a Russian IT service provider.

    Attack chains mounted by the adversary have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.

    Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.

    “It is possible that the actor selectively deploys tools from a broader toolkit, depending on the victim’s environment, operational needs, and the desire to blend in with legitimate traffic,” Smadja said.

    Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad IIS Listener module to turn these compromised servers into part of its C2 infrastructure and enable them to proxy commands and traffic, improving resilience in the process.

    “This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely,” Check Point said. “As a result, one compromise can quietly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere, blending operational control with strategic reuse of previously breached assets.”

    The listener module is also equipped to run different commands on the IIS machine, providing attackers with greater control over the system to conduct reconnaissance and stage payloads.

    In addition to exploiting publicly disclosed machine keys to achieve ASP.NET ViewState deserialization, the threat actor has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers. Other steps carried out by Ink Dragon are listed below –

    • Use the IIS machine key to obtain a local administrative credential and leverage it for lateral movement over an RDP tunnel
    • Create scheduled tasks and install services to establish persistence
    • Dump LSASS memory and extract registry hives to achieve privilege escalation
    • Modify host firewall rules to allow outbound traffic and transform the infected hosts into a ShadowPad relay network
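    The ViewState deserialization path described above only works because the attacker knows the server’s machine key, either from a public sample configuration or from a key that was never rotated. A practical first check is therefore the `web.config` itself. The script below is an added example, not Check Point’s or Microsoft’s tooling: it audits the `<machineKey>` and `<pages>` elements for the conditions that make forged ViewState possible (a key from a public list, a non-hex placeholder, a legacy validation or decryption algorithm, or MAC checking switched off) and generates a fresh key pair for rotation. The `KNOWN_PUBLIC_KEYS` entries are constructed placeholders to be replaced with the actual disclosed-key list, and both sample configurations are constructed.

```python
import secrets
import xml.etree.ElementTree as ET

# Placeholder set: load the publicly disclosed machineKey values here (Microsoft
# published a list of such keys in early 2025). These two entries are constructed.
KNOWN_PUBLIC_KEYS = {"CONSTRUCTED-PUBLIC-VAL-0001", "CONSTRUCTED-PUBLIC-DEC-0001"}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
STRONG_DECRYPTION = {"AES", "AUTO"}   # Auto resolves to AES on current frameworks


def is_hex(s):
    """True for a non-empty, even-length string of hex digits (how real keys look)."""
    return len(s) > 0 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_web_config(xml_text):
    """Return (severity, message) findings about ViewState protection in a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical",
                         "enableViewStateMac=false: ViewState is deserialized without MAC verification"))
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings   # keys auto-generated per host: nothing static to leak or reuse
    for attr in ("validationKey", "decryptionKey"):
        key = mk.get(attr, "AutoGenerate")
        if key.startswith("AutoGenerate"):
            continue
        if key in KNOWN_PUBLIC_KEYS:
            findings.append(("critical",
                             f"{attr} is a publicly disclosed key: anyone can forge ViewState, rotate it"))
        elif not is_hex(key):
            findings.append(("high", f"{attr} is not a hex string: looks like a placeholder from a sample"))
    validation = mk.get("validation", "HMACSHA256").upper()   # HMACSHA256 is the .NET 4.5+ default
    if validation not in STRONG_VALIDATION:
        findings.append(("high", f"validation={validation}: use HMACSHA256 or stronger"))
    decryption = mk.get("decryption", "Auto").upper()
    if decryption not in STRONG_DECRYPTION:
        findings.append(("high", f"decryption={decryption}: use AES"))
    return findings


def generate_machine_key():
    """Fresh element for rotation: 64-byte HMACSHA256 key and 32-byte AES key from a CSPRNG."""
    return (f'<machineKey validationKey="{secrets.token_hex(64)}" '
            f'decryptionKey="{secrets.token_hex(32)}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed weak configuration: placeholder public keys, legacy algorithms, MAC disabled.
WEAK_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="CONSTRUCTED-PUBLIC-VAL-0001"
                decryptionKey="CONSTRUCTED-PUBLIC-DEC-0001"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Constructed hardened configuration built from a freshly generated key pair.
HARDENED_CONFIG = f"<configuration><system.web>{generate_machine_key()}</system.web></configuration>"


if __name__ == "__main__":
    for sev, msg in audit_web_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened findings:", audit_web_config(HARDENED_CONFIG))
```

    A static key is not itself a finding, because a web farm needs one shared across nodes; the problem is where the key came from and whether it has ever been rotated. Rotating it invalidates in-flight ViewState and forms-authentication tickets, so plan the change for every node at once, and treat a server that still passes the ViewState MAC with a key from the public list as one an attacker may already be on.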

    “In at least one instance, the actor located an idle RDP session belonging to a Domain Administrator that had authenticated via Network Level Authentication (CredSSP) using NTLMv2 fallback. Since the session remained disconnected but not logged off, it is highly likely that LSASS retained the associated logon token and NTLM verifier in memory,” Check Point said.

    “Ink Dragon obtained SYSTEM-level access to the host, extracted the token (and possibly the NTLM key material), and reused it to perform authenticated SMB operations. Through these actions, they were able to write to administrative shares and exfiltrate NTDS.dit and registry hives, marking the point at which they achieved domain-wide privilege escalation and control.”

    The intrusions have been found to rely on a number of components rather than a single backdoor or a monolithic framework to establish long-term persistence. These include –

    • ShadowPad Loader, which is used to decrypt and run the ShadowPad core module in memory
    • CDBLoader, which uses Microsoft Console Debugger (“cdb.exe”) to run shellcode and load encrypted payloads
    • LalsDumper, which extracts an LSASS dump
    • 032Loader, which is used to decrypt and execute payloads
    • FINALDRAFT, an updated version of the known remote administration tool that abuses Outlook and the Microsoft Graph API for C2

    “The cluster has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques that enable stealthy lateral movement and multi-stage malware deployment across compromised networks,” Check Point said.

    “FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim’s mailbox, and the implant pulls, decrypts, and executes them.”

    The cybersecurity company also pointed out that it detected evidence of a second threat actor known as REF3927 (aka RudePanda) on “several” of the same victim environments breached by Ink Dragon. That said, there are no indications that the two clusters are operationally linked. It’s believed that both intrusion sets exploited the same initial access methods to obtain footholds.

    “Ink Dragon presents a threat model in which the boundary between ‘compromised host’ and ‘command infrastructure’ no longer exists,” Check Point concluded. “Each foothold becomes a node in a larger, operator-controlled network – a living mesh that grows stronger with every additional victim.”

    “Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem, where shutting down a single node is insufficient unless the entire relay chain is identified and dismantled. Ink Dragon’s relay-centric architecture is among the more mature uses of ShadowPad observed to date. A blueprint for long-term, multi-organizational access built on the victims themselves.”


    Source: thehackernews.com…

  • Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time

    Modern security teams often feel like they’re driving through fog with failing headlights. Threats accelerate, alerts multiply, and SOCs struggle to understand which dangers matter right now for their business. Breaking out of reactive defense is no longer optional. It’s the difference between preventing incidents and cleaning up after them.

    Below is the path from reactive firefighting to a proactive, context-rich SOC that actually sees what’s coming.

    When the SOC Only Sees in the Rear-View Mirror

    Many SOCs still rely on a backward-facing workflow. Analysts wait for an alert, investigate it, escalate, and eventually respond. This pattern is understandable: the job is noisy, the tooling is complex, and alert fatigue bends even the toughest teams into reactive mode.

    But a reactive posture hides several structural problems:

    • No visibility into what threat actors are preparing.
    • Limited ability to anticipate campaigns targeting the organization’s sector.
    • Inability to adjust defenses before an attack hits.
    • Overreliance on signatures that reflect yesterday’s activity.

    The result is a SOC that constantly catches up but rarely gets ahead.

    The Cost of Waiting for the Alarm to Ring

    Reactive SOCs pay in time, money, and risk.

    • Longer investigations. Analysts must research every suspicious object from scratch because they lack a broader context.
    • Wasted resources. Without visibility into which threats are relevant to their vertical and geography, teams chase false positives instead of focusing on real dangers.
    • Higher breach likelihood. Threat actors often reuse infrastructure and target specific industries. Seeing these patterns late gives attackers the advantage.

    A proactive SOC flips this script by reducing uncertainty. It knows which threats are circulating in its environment, what campaigns are active, and which alerts deserve immediate escalation.

    Threat Intelligence: The Engine of Proactive Security

    Threat intelligence fills the gaps left by reactive operations. It provides a stream of evidence about what attackers are doing right now and how their tools evolve.

    ANY.RUN’s Threat Intelligence Lookup serves as a tactical magnifying glass for SOCs. It converts raw threat data into an operational asset.

    TI Lookup: investigate threats and indicators, click search bar to select parameters

    Analysts can quickly:

    • Enrich alerts with behavioral and infrastructure data;
    • Identify malware families and campaigns with precision;
    • Understand how a sample acts when detonated in a sandbox;
    • Investigate artifacts, DNS, IPs, hashes, and relations in seconds.

    For organizations that aim to build a more proactive stance, TI Lookup works as the starting point for faster triage, higher-confidence decisions, and a clearer understanding of threat relevance.

    ANY.RUN’s TI Feeds complement SOC workflows by supplying continuously updated indicators gathered from real malware executions. This ensures defenses adapt at the speed of threat evolution.

    Focus on Threats that Actually Matter to Your Business

    But context alone isn’t enough; teams need to interpret this intelligence for their specific business environment. Threats are not evenly distributed across the world. Each sector and region has its own constellation of malware families, campaigns, and criminal groups.

    Industries and countries whose companies have encountered Tycoon 2FA most often recently

    Threat Intelligence Lookup supports industry and geographic attribution of threats and indicators, helping SOCs answer vital questions:

    • Is this alert relevant to our company’s sector?
    • Is this malware known to target companies in our country?
    • Are we seeing the early movements of a campaign aimed at organizations like ours?

    By mapping activity to both industry verticals and geographies, SOCs gain an immediate understanding of where a threat sits in their risk landscape. This reduces noise, speeds up triage, and lets teams focus on threats that truly demand action.

    Here is an example: a suspicious domain turns out to be linked to Lumma Stealer and ClickFix attacks targeting mostly telecom and hospitality businesses in the USA and Canada:

    domainName:"benelui.click"

    Industries and countries most targeted by threats the IOC is linked to

    Or suppose a CISO at a German manufacturing company wants a baseline for sector risks:

    industry:"Manufacturing" and submissionCountry:"DE"

    TI Lookup summary of malware samples analyzed by German users and targeting manufacturing businesses

    This query surfaces top threats like Tycoon 2FA and EvilProxy and highlights the interest that Storm-1747, the group operating Tycoon 2FA, has taken in the country’s manufacturing sector. This becomes an immediate priority list for detection engineering, threat hunting hypotheses, and security awareness training.

    Analysts can access sandbox sessions and real-world IOCs related to those threats. The IOCs and TTPs TI Lookup provides feed detection rules for the most relevant threats, allowing teams to detect and mitigate incidents proactively and protect their businesses and customers.

    View a sandbox session of Lumma stealer sample analysis:

    Sandbox analysis: see malware in action, view kill chain, gather IOCs

    Why the Threat Landscape Demands Better Visibility

    Attackers’ infrastructure is changing fast and it’s no longer limited to one threat per campaign. We’re now seeing the emergence of hybrid threats, where multiple malware families are combined within a single operation. These blended attacks merge logic from different infrastructures, redirection layers, and credential-theft modules, making detection, tracking, and attribution significantly harder.

    Hybrid attack with Salty and Tycoon detected inside ANY.RUN sandbox in just 35 seconds

    Recent investigations uncovered Tycoon 2FA and Salty working side by side in the same chain. One kit runs the initial lure and reverse proxy, while another takes over for session hijacking or credential capture. For many SOC teams, this combination breaks the existing defense strategies and detection rules, allowing attackers to slip past the security layer.

    Tracking these changes across the broader threat landscape has become critical. Analysts must monitor behavior patterns and attack logic in real time, not just catalog kit variants. The faster teams can see these links forming, the faster they can respond to phishing campaigns built for adaptability.

    Conclusion: A Clearer Horizon for Modern SOCs

    Businesses can’t afford SOC blind spots anymore. Attackers specialize, campaigns localize, and malware evolves faster than signatures can keep up. Proactive defense requires context, clarity, and speed.

    Threat Intelligence Lookup, strengthened with industry and geo context and supported by fresh indicators from TI Feeds, gives SOC leaders exactly that. Instead of reacting to alerts in the dark, decision makers gain a forward-looking view of the threats that really matter to their business.

    Strengthen your security strategy with industry-specific visibility.

    Contact ANY.RUN for actionable threat intelligence.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

    New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

    Dec 17, 2025 | Ravie Lakshmanan | Vulnerability / Malware

    The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky.

    The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.

    “While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions,” security researcher Georgy Kucherin said.

    Operation ForumTroll refers to a series of sophisticated phishing attacks exploiting a then-zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant known as Dante.

    The latest attack wave also commences with emails that claim to be from eLibrary, a Russian scientific electronic library, with the messages sent from the address “support@e-library[.]wiki.” The domain was registered in March 2025, six months before the start of the campaign, suggesting that preparations for the attack had been underway for some time.


    Kaspersky said the strategic domain aging was done to avoid raising any red flags typically associated with sending emails from a freshly registered domain. In addition, the attackers also hosted a copy of the legitimate eLibrary homepage (“elibrary[.]ru”) on the bogus domain to maintain the ruse.

    The emails instruct prospective targets to click on an embedded link pointing to the malicious site to download a plagiarism report. Should a victim follow through, a ZIP archive with the naming pattern “<LastName>_<FirstName>_<Patronymic>.zip” is downloaded to their machine.

    What’s more, these links are designed for one-time use, meaning any subsequent attempt to navigate to the URL causes it to display a Russian-language message stating “Download failed, please try again later.” In the event the download is attempted from a platform other than Windows, the user is prompted to “try again later on a Windows computer.”

    “The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field,” the company said. “The downloaded archive was named with the victim’s last name, first name, and patronymic.”

    The archive contains a Windows shortcut (LNK) with the same name, which, when executed, runs a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload then contacts a URL to fetch a final-stage DLL and persist it using COM hijacking. It also downloads and displays a decoy PDF to the victim.

    The final payload is a command-and-control (C2) and red teaming framework known as Tuoni, enabling the threat actors to gain remote access to the victim’s Windows device.

    “ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022,” Kaspersky said. “Given this lengthy timeline, it is likely this APT group will continue to target entities and individuals of interest within these two countries.”

    The disclosure comes as Positive Technologies detailed the activities of two threat clusters, QuietCrabs – a suspected Chinese hacking group also tracked as UTA0178 and UNC5221 – and Thor, which appears to be involved in ransomware attacks since May 2025.


    These intrusion sets have been found to leverage security flaws in Microsoft SharePoint (CVE-2025-53770), Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), and Ivanti Sentry (CVE-2023-38035).

    Attacks carried out by QuietCrabs take advantage of the initial access to deploy an ASPX web shell and use it to deliver a JSP loader that’s capable of downloading and executing KrustyLoader, which then drops the Sliver implant.

    “Thor is a threat group first observed in attacks against Russian companies in 2025,” researchers Alexander Badayev, Klimentiy Galkin, and Vladislav Lunin said. “As final payloads, the attackers use LockBit and Babuk ransomware, as well as Tactical RMM and MeshAgent to maintain persistence.”


    Source: thehackernews.com…

  • APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

    APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

    Dec 17, 2025 | Ravie Lakshmanan | Email Security / Threat Intelligence

    The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a “sustained” credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.

    The activity, observed by Recorded Future’s Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that detailed the hacking group’s attacks targeting European networks with the HeadLace malware and credential-harvesting web pages.

    APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It’s assessed to be affiliated with Russia’s Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU).


    The latest attacks are characterized by the deployment of UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and two-factor authentication (2FA) codes. Links to these pages are embedded within PDF documents that are distributed via phishing emails.

    The links are shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, the threat actor has also been observed using subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain that leads to the credential harvesting page.

    The efforts are part of a broader set of phishing and credential theft operations orchestrated by the adversary since the mid-2000s, targeting government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks in pursuit of Russia’s strategic objectives.

    “While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements,” the Mastercard-owned company said in a report shared with The Hacker News.

    What has changed is the shift away from compromised routers to tunneling services such as ngrok and Serveo to capture and relay the stolen credentials and 2FA codes.

    “BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024,” Recorded Future said. “The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.”


    Source: thehackernews.com…

  • SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

    SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

    Dec 17, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild.

    The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC).

    It affects the following versions –

    • 12.4.3-03093 (platform-hotfix) and earlier versions – Fixed in 12.4.3-03245 (platform-hotfix)
    • 12.5.0-02002 (platform-hotfix) and earlier versions – Fixed in 12.5.0-02283 (platform-hotfix)

    “This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges,” SonicWall said.

    It’s worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix).
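    As an added example (not from the article and not SonicWall's own tooling), a small Python check that compares an inventory of SMA 100 build strings against the fixed builds listed above; it assumes build strings of the form major.minor.patch-build compare as numeric tuples, and it treats release branches the text does not list as unknown rather than safe.

```python
"""Added example, not from the article: check SonicWall SMA 100 builds
against the fixed builds quoted above.  Assumption: a version string such
as "12.4.3-03093 (platform-hotfix)" compares as the tuple (12, 4, 3, 3093)."""
import re

# Fixed builds from the article, keyed by the (major, minor) release branch.
# CVE-2025-23006: fixed in 12.4.3-02854; the article lists no 12.5 build for it.
FIXED_BUILDS = {
    "CVE-2025-40602": {(12, 4): (12, 4, 3, 3245), (12, 5): (12, 5, 0, 2283)},
    "CVE-2025-23006": {(12, 4): (12, 4, 3, 2854)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\s*\(platform-hotfix\))?$")


def parse_version(text):
    """Turn '12.4.3-03093 (platform-hotfix)' into (12, 4, 3, 3093)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def fix_status(version_text):
    """Map each CVE above to 'vulnerable', 'patched' or 'unknown' for one build.

    'and earlier versions' in the advisory is read as: every build below the
    fixed build on the same major.minor branch still lacks the fix.  Branches
    with no listed fix are reported as 'unknown', never assumed safe."""
    version = parse_version(version_text)
    branch = version[:2]
    status = {}
    for cve, fixes in FIXED_BUILDS.items():
        fixed = fixes.get(branch)
        if fixed is None:
            status[cve] = "unknown"
        elif version < fixed:
            status[cve] = "vulnerable"
        else:
            status[cve] = "patched"
    return status


def hosts_needing_action(inventory):
    """Given {hostname: version_string}, return hosts that are vulnerable to,
    or of unknown status for, any CVE, so they can be prioritised for patching."""
    return sorted(
        host for host, ver in inventory.items()
        if any(s != "patched" for s in fix_status(ver).values())
    )
```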

    Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting CVE-2025-40602. There are currently no details on the scale of the attacks and who is behind the efforts.

    Back in July, Google said it’s tracking a cluster named UNC6148 that’s targeting fully patched end-of-life SonicWall SMA 100 series devices as part of a campaign designed to drop a backdoor called OVERSTEP. It’s currently not clear if these activities are related.

    In light of active exploitation, it’s essential that SonicWall SMA 100 series users apply the fixes as soon as possible.


    Source: thehackernews.com…