Tag: Cyber Security

Oct 10, 2025Ravie LakshmananVulnerability / Threat Intelligence

Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday.

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. “Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. Google said it found evidence of additional suspicious activity dating back to July 10, 2025, although how successful these efforts were remains unknown. Oracle has since issued patches to address the shortcoming.

Cl0p (aka Graceful Spider), active since 2020, has been attributed to the mass exploitation of several zero-days in Accellion legacy file transfer appliance (FTA), GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom over the years. While phishing email campaigns undertaken by the FIN11 actors have acted as a precursor for Cl0p ransomware deployment in the past, Google said it found signs of the file-encrypting malware being a different actor.

The latest wave of attacks began in earnest on September 29, 2025, when the threat actors kicked off a high-volume email campaign aimed at company executives from hundreds of compromised third-party accounts belonging to unrelated organizations. The credentials for these accounts are said to have been purchased on underground forums, presumably through the purchase of infostealer malware logs.

The email messages claimed the actor had breached their Oracle EBS application and exfiltrated sensitive data, demanding that they pay an unspecified amount as ransom in return for not leaking the stolen information. To date, none of the victims of the campaign have been listed on the Cl0p data leak site – a behavior that’s consistent with prior Cl0p attacks where the actors waited for several weeks before posting them.

The attacks themselves leverage a combination of Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass, and XSL template injection, to gain remote code execution on the target Oracle EBS server and set up a reverse shell.

Sometime around August 2025, Google said it observed a threat actor exploiting a vulnerability in the “/OA_HTML/SyncServlet” component to achieve remote code execution and ultimately trigger an XSL payload via the Template Preview functionality. Two different chains of Java payloads have been found embedded in the XSL payloads –

• GOLDVEIN.JAVA, a Java variant of a downloader called GOLDVEIN (a PowerShell malware first detected in December 2024 in connection with the exploitation campaign of multiple Cleo software products) that can receive a second-stage payload from a command-and-control (C2) server.
• A Base64-encoded loader called SAGEGIFT custom designed for Oracle WebLogic servers that’s used to launch SAGELEAF, an in-memory dropper that’s then used to install SAGEWAVE, a malicious Java servlet filter that allows for the installation of an encrypted ZIP archive containing an unknown next-stage malware. (The main payload, however, has some overlaps with a cli module present in a FIN11 backdoor known as GOLDTOMB.)

The threat actor has also been observed executing various reconnaissance commands from the EBS account “applmgr,” as well as running commands from a bash process launched from a Java process running GOLDVEIN.JAVA.

Interestingly, some of the artifacts observed in July 2025 as part of incident response efforts overlap with an exploit leaked in a Telegram group named Scattered LAPSUS$ Hunters on October 3, 2025. However, Google said it does not have sufficient evidence to suggest any involvement of the cybercrime crew in the campaign.

The level of investment into the campaign suggests the threat actors responsible for the initial intrusion likely dedicated significant resources to pre-attack research, GTIG pointed out.

The tech giant said it’s not formally attributing the attack spree to a tracked threat group, although it pointed out the use of the Cl0p brand as notable. That said, it’s believed that the threat actor has an association with Cl0p. It also noted that the post-exploitation tooling exhibits overlaps with malware (i.e., GOLDVEIN and GOLDTOMB) used in a previous suspected FIN11 campaign, and that one of the breached accounts used to send the recent extortion emails was previously used by FIN11.

“The pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale, branded extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic benefits which may also appeal to other threat actors,” it said.

“Targeting public-facing applications and appliances that store sensitive data likely increases the efficiency of data theft operations, given that the threat actors do not need to dedicate time and resources to lateral movement.”

Oct 09, 2025Ravie LakshmananCyber Espionage / Artificial Intelligence

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL.

“The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations,” Volexity said in a Wednesday report. “The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload.”

Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German.

Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastructure, in some cases, which led to the deployment of malware. However, the follow-on waves have been described as “highly tailored,” in which the threat actors resort to building trust with recipients over time before sending the link – a technique called rapport-building phishing.

Irrespective of the approach used, the links lead to a ZIP or RAR archive that includes a rogue DLL payload that’s launched using DLL side-loading. The payload is an actively developed backdoor called GOVERSHELL. It’s worth noting that the activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch, with Volexity characterizing GOVERSHELL as a successor to a C++ malware family referred to as HealthKick.

As many as five distinct variants of GOVERSHELL have been identified to date –

• HealthKick (First observed in April 2025), which is equipped to run commands using cmd.exe
• TE32 (First observed in June 2025), which is equipped to execute commands directly via a PowerShell reverse shell
• TE64 (First observed in early July 2025), which is equipped to run native and dynamic commands using PowerShell to get system information, current system time, run command via powershell.exe, and poll an external server for new instructions
• WebSocket (First observed in mid-July 2025), which is equipped to run a PowerShell command via powershell.exe and an unimplemented “update” sub-command as part of the system command
• Beacon (First observed in September 2025), which is equipped to run native and dynamic commands using PowerShell to set a base polling interval, randomize it, or execute a PowerShell command via powershell.exe

Some of the legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, whereas the email messages have been identified as sent from Proton Mail, Microsoft Outlook, and Gmail.

A noteworthy aspect of UTA0388’s tradecraft is its use of OpenAI ChatGPT to generate content for phishing campaigns in English, Chinese, and Japanese; assist with malicious workflows; and search for information related to installing open-source tools like nuclei and fscan, as revealed by the AI company earlier this week. The ChatGPT accounts used by the threat actor have since been banned.

The use of a large language model (LLM) to augment its operations is evidenced in the fabrications prevalent in the phishing emails, ranging from the personas used to send the message to the general lack of coherence in the message content itself, Volexity said.

“The targeting profile of the campaign is consistent with a threat actor interested in Asian geopolitical issues, with a special focus on Taiwan,” the company added. “The emails and files used in this campaign leads Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases.”

The disclosure comes as StrikeReady Labs said a suspected China-linked cyber espionage campaign has targeted a Serbian government department related to aviation, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands.

The campaign, observed in late September, involves sending phishing emails containing a link that, when clicked, directs the victim to a fake Cloudflare CAPTCHA verification page that leads to the download a ZIP archive, within which there exists a Windows shortcut (LNK) file that executes PowerShell responsible for opening a decoy document and stealthily launching PlugX using DLL side-loading.

Oct 09, 2025Ravie LakshmananMobile Security / Malware

A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them.

“Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim’s device,” Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News.

The malware is also designed to propagate itself by sending malicious links to every contact in the victim’s phone book, indicating aggressive tactics on the part of the attackers to leverage compromised devices as a distribution vector.

The mobile security company said it has detected no less than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of obfuscation to sidestep detection efforts and stay ahead of security defenses. The malware name is a reference to the command-and-control (C2) panel that can be used to remotely administer the infected devices.

The attack chain involves redirecting unsuspecting visitors to these bogus sites to Telegram channels under the adversary’s control, from where they are tricked into downloading APK files by artificially inflating download counts and sharing manufactured testimonials as proof of their popularity.

In other cases, bogus websites claiming to offer “YouTube Plus” with premium features have been found to host APK files that can bypass security protections enforced by Google to prevent sideloading of apps on devices running Android 13 and later.

“To bypass platform restrictions and the added friction introduced in newer Android versions, some ClayRat samples act as droppers: the visible app is merely a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app’s assets,” the company said. “This session-based installation method lowers perceived risk and increases the likelihood that a webpage visit will result in spyware being installed.”

Once installed, ClayRat uses standard HTTP to communicate with its C2 infrastructure and requests users to make it the default SMS application to gain access to sensitive content and messaging functions, thereby allowing it to covertly capture call logs, text messages, notifications, and disseminate the malware further to every other contact.

Some of the other features of the malware include making phone calls, getting device information, taking pictures using the device camera, and sending a list of all installed applications to the C2 server.

ClayRat is a potent threat not only for its surveillance capabilities, but also for its ability to turn an infected device into a distribution node in an automated fashion, which enables the threat actors to expand their reach swiftly without any manual intervention.

The development comes as academics from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed apps from budget Android smartphones sold in Africa operate with elevated privileges, with one vendor-supplied package transmitting device identifiers and location details to an external third-party.

The study examined 1,544 APKs collected from seven African smartphones, finding that “145 applications (9%) disclose sensitive data, 249 (16%) expose critical components without sufficient safeguards, and many present additional risks: 226 execute privileged or dangerous commands, 79 interact with SMS messages (read, send, or delete), and 33 perform silent installation operations.”

Oct 08, 2025Ravie LakshmananVulnerability / Software Security

Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution.

The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands.

“The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.),” according to a GitHub advisory for the flaw. “Successful exploitation can lead to remote code execution under the server process’s privileges.”

Given that the Framelink Figma MCP server exposes various tools to perform operations in Figma using artificial intelligence (AI)-powered coding agents like Cursor, an attacker could trick the MCP client to execute unintended actions by means of an indirect prompt injection.

Cybersecurity company Imperva, which discovered and reported the problem in July 2025, described CVE-2025-53967 as a “design oversight” in the fallback mechanism that could allow bad actors to achieve full remote code execution, putting developers at risk of data exposure.

The command injection flaw “occurs during the construction of a command-line instruction used to send traffic to the Figma API endpoint,” security researcher Yohann Sillam said.

The exploitation sequence takes place over through steps –

• The MCP client sends an Initialize request to the MCP endpoint to receive an mcp-session-id that’s used in subsequent communication with the MCP server
• The client sends a JSONRPC request to the MCP server with the method tools/call to call tools like get_figma_data or download_figma_images

The issue, at its core, resides in “src/utils/fetch-with-retry.ts,” which first attempts to get content using the standard fetch API and, if that fails, proceeds to executing curl command via child_process.exec — which introduces the command injection flaw.

“Because the curl command is constructed by directly interpolating URL and header values into a shell command string, a malicious actor could craft a specially designed URL or header value that injects arbitrary shell commands,” Imperva said. “This could lead to remote code execution (RCE) on the host machine.”

In a proof-of-concept attack, a remote bad actor on the same network (e.g., a public Wi-Fi or a compromised corporate device) can trigger the flaw by sending the series of requests to the vulnerable MCP. Alternatively, the attacker could trick a victim into visiting a specially crafted site as part of a DNS rebinding attack.

The vulnerability has been addressed in version 0.6.3 of figma-developer-mcp, which was released on September 29, 2025. As mitigations, it’s advisable to avoid using child_process.exec with untrusted input and switch to child_process.execFile that eliminates the risk of shell interpretation.

“As AI-driven development tools continue to evolve and gain adoption, it’s essential that security considerations keep pace with innovation,” the Thales-owned company said. “This vulnerability is a stark reminder that even tools meant to run locally can become powerful entry points for attackers.”

The development comes as FireTail revealed that Google has opted not to fix a new ASCII smuggling attack in its Gemini AI chatbot that could be weaponized to craft inputs that can slip through security filters and induce undesirable responses. Other large language models (LLMs) susceptible to this attack are DeepSeek and xAI’s Grok.

“And this flaw is particularly dangerous when LLMs, like Gemini, are deeply integrated into enterprise platforms like Google Workspace,” the company said. “This technique enables automated identity spoofing and systematic data poisoning, turning a UI flaw into a potential security nightmare.”

Oct 09, 2025Ravie LakshmananCybersecurity / Hacking News

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface.

This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape.

Defending against modern threats requires more than tools — it demands awareness, adaptability, and shared responsibility. As attackers evolve, so must our approach to security. The path forward lies in continuous learning, stronger collaboration, and smarter use of technology to keep trust intact in a connected world.

Oct 09, 2025Ravie LakshmananCloud Security / Network Security

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service.

“The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks,” the company said.

It also noted that it’s working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices.

The development comes a couple of weeks after SonicWall urged customers to perform a credential reset after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.

The list of impacted devices available on the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts. The labels are as follows –

• Active – High Priority: Devices with internet-facing services enabled
• Active – Lower Priority: Devices without internet-facing services
• Inactive: Devices that have not pinged home for 90 days

It previously stated that the threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers, while emphasizing that the credentials within those files were encrypted but that they also included “information that could make it easier for attackers to potentially exploit the related firewall.”

Users are advised to follow the steps below with immediate effect –

• Log in to MySonicWall.com account and verify if cloud backups exist for registered firewalls
• If fields are blank, there is no impact
• If fields contain backup details, verify whether impacted serial numbers are listed in the account
• If Serial Numbers are shown, users should follow the containment and remediation guidelines for the listed firewalls

SonicWall said in cases where customers have used the Cloud Backup feature but no Serial Numbers are shown or only some of the registered Serial Numbers are displayed, it will provide additional guidance in coming days.

Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks.

Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like OAuth access tokens, API keys, and session tokens, work like keys to these applications. If a cybercriminal gets hold of one, they can access relevant systems without much trouble.

Recent security breaches have shown that just one stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft. It’s a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring countless third-party integrations.

Recent Breaches Involving Token Theft

A lot of real-world events show us how stolen tokens can cause security breaches in SaaS environments:

1. Slack (Jan 2023). Attackers stole a number of Slack employee tokens and used them to gain unauthorized access to Slack’s private GitHub code repositories. (No customer data was exposed, but it was a clear warning that stolen tokens can undermine internal security barriers.)

2. CircleCI (Jan 2023). Information-stealing malware on an engineer’s laptop allowed threat actors to hijack session tokens for CircleCI’s systems. Those tokens gave the attackers the same access as the user, even with MFA in place, enabling them to steal customer secrets from the CI platform.

3. Cloudflare/Okta (Nov 2023). In the fallout of an identity provider breach, Cloudflare rotated about 5,000 credentials. However, one unrotated API token and some service account credentials were enough for cybercriminals to compromise Cloudflare’s Atlassian environment. This incident showed how a single forgotten token can undermine an otherwise thorough incident response.

4. Salesloft/Drift (Aug 2025). The Drift chatbot (owned by Salesloft) suffered a supply-chain breach that allowed attackers to harvest OAuth tokens for integrations like Salesforce and Google Workspace. Using those stolen tokens, they accessed hundreds of customer organizations’ SaaS data. This OAuth token abuse allowed the attackers to move laterally into emails, files, and support records across platforms.

SaaS Sprawl Fuels Token Blind Spots

Why do these token-based breaches keep happening?

The issue is bigger than any single app, it’s an ecosystem problem fueled by sprawling SaaS usage and hidden token trust relationships between apps.

Today, every department is leveraging SaaS tools and integrating them across systems. Employees use multiple third-party cloud services, and enterprises manage roughly 490 cloud apps, many of which are unsanctioned or not properly secured.

This high usage of SaaS (often called SaaS sprawl) means an explosion of OAuth tokens, API keys, and app connections. Each integration introduces a non-human identity (essentially a credential) that usually isn’t visible to IT or tracked by traditional identity management solutions.

The overall result of this is an ungoverned attack surface. A few factors generally contribute to this blind spot:

• Lack of visibility. Many organizations don’t actually know about all the SaaS apps and integrations their employees have enabled, or who authorized them. Shadow IT (employees adding apps without approval) flourishes, and security teams may only discover an OAuth connection after it has created a problem.

• No approval or oversight. Without a vetting process, users can freely connect apps like marketing plugins or productivity tools to corporate SaaS accounts. These third-party apps often ask for broad permissions and get them, even if they’re only needed temporarily. Unvetted and over-privileged apps can sit connected indefinitely if nobody reviews them.

• No regular monitoring. Very few companies enforce security settings on OAuth integrations or watch these connections in real time. Tokens rarely have short lifetimes or strict scope by default, and organizations often don’t limit their usage by IP or device. Logs from SaaS integrations might also not be fed into security monitoring.

Why Legacy Security Misses the Token Problem

As such, traditional security tools haven’t fully caught up to this problem at all.

Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens bypass these controls. They grant persistent trust between apps with no further verification.

A token acts on behalf of a user or service without needing a password, so an attacker who obtains a valid token can access the connected app’s data as if they were already authenticated. There’s no pop-up to re-check MFA when an OAuth token is used. As a result, without special oversight, OAuth and API tokens have become an Achilles’ heel in SaaS security. Other legacy solutions, like cloud access security brokers, focus on user-to-app traffic and don’t monitor these app-to-app connections.

This gap has led to the arrival of dynamic SaaS security platforms that aim to discover and secure SaaS integrations amid SaaS sprawl. These platforms attempt to map out all the third-party apps, tokens, and privileges in use, giving back visibility and control. Whether through automated discovery (scanning for connected apps) or enforcing policies on OAuth usage, the goal is to close the SaaS security gap created by unchecked tokens.

At the end of the day, every organization, with or without new tools, can apply better token hygiene practices. You can’t protect what you can’t see. The first step is knowing where your tokens and SaaS integrations are. The next is controlling and monitoring them so they don’t become backdoors.

Token Hygiene Checklist

The following checklist can be used to reduce risk from token compromise:

Practice	Action	Y/N
Maintain OAuth App Inventory	Discover and track all third-party applications connected to your SaaS accounts. Keep an updated inventory of OAuth tokens, API keys, and integrations. This provides visibility into your token footprint.
Enforce App Approval	Establish a vetting process for new SaaS integrations. Require security review or admin approval before employees grant OAuth access to their accounts. This curbs unvetted apps and ensures each token issued is necessary and comes with known risks.
Least-Privilege Tokens	Limit the scope and permissions of tokens to the minimum required. Avoid granting overly broad access (“allow all”) when authorizing an app. For example, if an app only needs read access, don’t give it read-write admin privileges. Least privilege reduces the impact if a token is stolen.
Rotate Tokens Regularly	Treat long-lived tokens like expiring credentials. Configure tokens to expire after a short period, if possible, or periodically revoke and reissue them. Regular rotation (or short lifespans) means a stolen token will quickly become useless, narrowing an attacker’s window of opportunity.
Remove or Alert on Unused Tokens	Identify tokens and app connections that haven’t been used in weeks or months. Unused tokens are latent threats – revoke them if they’re not needed. Implement alerts or reports for dormant tokens so that they can be cleaned up proactively, preventing forgotten credentials from lingering indefinitely.
Monitor Token Activity	Enable logging and monitoring for token use across your SaaS platforms. Watch for unusual token activity, such as a normally unused integration suddenly making large data requests or access from odd locations. Set up alerts for anomalies in token usage (e.g. a spike in API calls, or use of a token from an unfamiliar IP).
Integrate Tokens into Offboarding	When employees leave or when a third-party app is retired, ensure their tokens and access keys are promptly revoked. Make token revocation a standard step in user offboarding and app lifecycle management. This prevents old credentials from persisting after they’re no longer needed.

Oct 09, 2025Ravie LakshmananArtificial Intelligence / Malware

Russian hackers’ adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country’s State Service for Special Communications and Information Protection (SSSCIP) said.

“Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there,” the agency said in a report published Wednesday.

SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined.

One notable attack observed involved UAC-0219’s use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools.

Some of the other campaigns registered against Ukraine are listed below –

• Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives
• Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in the development of innovations in the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK
• Phishing campaigns orchestrated by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that leverage ClickFix-style tactics or SVG file attachments to distribute stealers like Amatera Stealer and Strela Stealer
• Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal program

SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing cross-site scripting flaws in Roundcube and (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software to conduct zero-click attacks.

“When exploiting such vulnerabilities, attackers typically injected malicious code that, through the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes,” SSSCIP said.

“Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete=’on’ was set. This allowed the fields to be auto-filled with data stored in the browser, which was then exfiltrated.”

The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations in conjunction with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, internet service providers, and research sectors.

Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, mocky.io, to host malware or phishing pages, or turn them into a data exfiltration channel.

“The use of legitimate online resources for malicious purposes is not a new tactic,” SSSCIP said. “However, the number of such platforms exploited by Russian hackers has been steadily increasing in recent times.”

Oct 09, 2025Ravie LakshmananVulnerability / Website Security

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites.

The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy.

“This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the ‘administrator’ role,” Wordfence researcher István Márton said.

The problem, at its core, is a case of privilege escalation stemming from authentication bypass due to the plugin not adequately validating a user’s cookie value before logging them in through an account switching function (service_finder_switch_back()).

As a result, an unauthenticated attacker could take advantage of this behavior to sign in to the site as any user, including administrators, effectively hijacking the site and using it for nefarious purposes, such as inserting malicious code to redirect users to fake sites or use it to host malware.

The shortcoming affects all versions of the theme prior to and including 6.0. It was addressed by the plugin maintainers on July 17, 2025, with the release of version 6.1. The theme has been sold to more than 6,100 customers, per data from Envato Market.

The WordPress security company said it has observed exploitation activity targeting CVE-2025-5947 since August 1, 2025, with over 13,800 attempts detected to date. However, the success rate of these efforts is currently not clear.

The following IP addresses have been observed targeting the Service Finder Bookings plugin account switching function –

• 5.189.221.98
• 185.109.21.157
• 192.121.16.196
• 194.68.32.71
• 178.125.204.198

Administrators are recommended to audit their sites for any signs of suspicious activity and ensure all the plugins and themes are running the latest version.

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.

“Site visitors get injected content that was drive-by malware like fake Cloudflare verification,” Sucuri researcher Puja Srivastava said in an analysis published last week.

The website security company said it began an investigation after one of its customer’s WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file (“functions.php”).

The code inserted into “functions.php” incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain “brazilc[.]com,” which, in turn, responds with a dynamic payload that includes two components –

• A JavaScript file hosted on a remote server (“porsasystem[.]com”), which, as of writing, has been referenced on 17 websites and contains code to perform site redirects
• A piece of JavaScript code that creates a hidden, 1×1 pixel iframe, within which it injects code that mimics legitimate Cloudflare assets like “cdn-cgi/challenge-platform/scripts/jsd/main.js” – an API that’s a core part of its bot detection and challenge platform

It’s worth noting that the domain “porsasystem[.]com” has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).

According to information shared by an account named “monitorsg” on Mastodon on September 19, 2025, the infection chain starts with users visiting a compromised site, resulting in the execution of “porsasystem[.]com/6m9x.js,” which then leads to “porsasystem[.]com/js.php” to eventually take the victims to ClickFix-style pages for malware distribution.

The findings illustrate the need for securing WordPress sites and ensuring that plugins, themes, and website software are kept up-to-date, enforcing strong passwords, scanning the sites for anomalies and unexpected administrator accounts created for maintaining persistent access even after the malware is detected and removed.

Create ClickFix Pages Using IUAM ClickFix Generator

The disclosure comes as Palo Alto Networks Unit 42 detailed a phishing kit named IUAM ClickFix Generator that allows attackers to infect users with malware by leveraging the ClickFix social engineering technique and come up with customizable landing pages by mimicking browser verification challenges often used to block automated traffic.

“This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page commonly deployed by Content Delivery Networks (CDNs) and cloud security providers to defend against automated threats,” security researcher Amer Elsad said. “The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure.”

The bespoke phishing pages also come with capabilities to manipulate the clipboard, a crucial step in the ClickFix attack, as well as detect the operating system used in order to tailor the infection sequence and serve compatible malware.

In at least two different cases, threat actors have been detected using pages generated using the kit to deploy information stealers such as DeerStealer and Odyssey Stealer, the latter of which is designed to target Apple macOS systems.

The emergence of the IUAM ClickFix Generator adds to a prior alert from Microsoft warning of a rise in commercial ClickFix builders on underground forums since late 2024. Another notable example of a phishing kit that has integrated the offering is Impact Solutions.

“The kits offer creation of landing pages with a variety of available lures, including Cloudflare,” Microsoft noted back in August 2025. “They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence.”

It goes without saying that these tools further lower the barrier to entry for cybercriminals, enabling them to mount sophisticated, multi-platform attacks at scale without much effort or technical expertise.

ClickFix Becomes Stealthy via Cache Smuggling

The findings also follow the discovery of a new campaign that has innovated on the ClickFix attack formula by employing a sneaky technique referred to as cache smuggling to fly under the radar as opposed to explicitly downloading any malicious files on the target host.

“This campaign differs from previous ClickFix variants in that the malicious script does not download any files or communicate with the internet,” Expel Principal Threat Researcher Marcus Hutchins said. “This is achieved by using the browser’s cache to pre-emptively store arbitrary data onto the user’s machine.”

In the attack documented by the cybersecurity company, the ClickFix-themed page masquerades as a Fortinet VPN Compliance Checker, using FileFix tactics to deceive users into launching the Windows File Explorer and pasting a malicious command into the address bar to trigger the execution of the payload.

The invisible command is designed to run a PowerShell script via conhost.exe. What makes the script stand apart is that it does not download any additional malware or communicate with an attacker-controlled server. Instead, it executes an obfuscated payload that passes off as a JPEG image and is already cached by the browser when the user lands on the phishing page.

“Neither the web page nor the PowerShell script explicitly downloads any files,” Hutchins explained. “By simply letting the browser cache the fake ‘image,’ the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests.”

“The implications of this technique are concerning, as cache smuggling may offer a way to evade protections that would otherwise catch malicious files as they are downloaded and executed. An innocuous-looking ‘image/jpeg’ file is downloaded, only to have its contents extracted and then executed via a PowerShell command hidden in a ClickFix phishing lure.”