Tag: Cyber Threats

Dec 12, 2025Ravie LakshmananSoftware Security / Vulnerability

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.

The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild.

The three vulnerabilities are listed below –

• CVE-2025-55184 (CVSS score: 7.5) – A pre-authentication denial of service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and may prevent future HTTP requests from being served
• CVE-2025-67779 (CVSS score: 7.5) – An incomplete fix for CVE-2025-55184 that has the same impact
• CVE-2025-55183 (CVSS score: 5.3) – An information leak vulnerability that may cause a specifically crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function

However, successful exploitation of CVE-2025-55183 requires the existence of a Server Function that explicitly or implicitly exposes an argument that has been converted into a string format.

The flaws affecting the following versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack –

• CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1
• CVE-2025-67779 – 19.0.2, 19.1.3 and 19.2.2

Security researcher RyotaK and Shinsaku Nomura have been credited with reporting the two DoS bugs to the Meta Bug Bounty program, while Andrew MacPherson has been acknowledged for reporting the information leak flaw.

Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, particularly in light of active exploration of CVE-2025-55182.

“When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed,” the React team said. “This pattern shows up across the industry, not just in JavaScript. Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.”

Dec 11, 2025Ravie LakshmananCyberwarfare / Threat Intelligence

An advanced persistent threat (APT) known as WIRTE has been attributed to attacks targeting government and diplomatic entities across the Middle East with a previously undocumented malware suite dubbed AshTag since 2020.

Palo Alto Networks Unit 42 is tracking the activity cluster under the name Ashen Lepus. Artifacts uploaded to the VirusTotal platform show that the threat actor has trained its sights on Oman and Morocco, indicating an expansion in operational scope beyond the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.

The company told The Hacker News said it has observed “scores of unique lures” disseminated across the Middle East, indicating a “persistent and wide-reaching campaign” confined to government and diplomatic entities in the region. More than a dozen entities are estimated to have been targeted, although it’s suspected that the real number could be higher.

“Ashen Lepus remained persistently active throughout the Israel-Hamas conflict, distinguishing it from other affiliated groups whose activities decreased over the same period,” the cybersecurity company said in a report shared with The Hacker News. “Ashen Lepus continued with its campaign even after the October 2025 Gaza ceasefire, deploying newly developed malware variants and engaging in hands-on activity within victim environments.”

WIRTE, which overlaps with an Arabic-speaking, politically motivated cluster known as Gaza Cyber Gang (aka Blackstem, Extreme Jackal, Molerats, or TA402), is assessed to be active since at least 2018. According to a report from Cybereason, both Molerats and APT-C-23 (aka Arid Viper, Desert Varnish, or Renegade Jackal) are two main sub-groups of the Hamas cyberwarfare division.

It’s primarily driven by espionage and intelligence collection, targeting government entities in the Middle East to meet its strategic objectives.

“Specifically, the connection between WIRTE (Ashen Lepus) to the broader Gaza Cyber Gang is primarily evidenced by code overlaps and similarities,” Unit 42 researchers said. “This suggests that while they operate independently, the tools were developed by close entities and they likely share development resources. We have also seen overlap in other groups’ victimology.”

In a report published in November 2024, Check Point attributed the hacking crew to destructive attacks exclusively aimed at Israeli entities to infect them with a custom wiper malware referred to as SameCoin, highlighting their ability to adapt and carry out both espionage and sabotage.

The long-running, elusive campaign detailed by Unit 42, going all the way back to 2018, has been found to leverage phishing emails with lures related to geopolitical affairs in the region. A recent increase in lures related to Turkey – e.g., “Partnership agreement between Morocco and Turkey” or “Draft resolutions concerning the State of Palestine” – suggests that entities in the country may be a new area of focus.

The attack chains commence with a harmless PDF decoy that tricks recipients into downloading a RAR archive from a file-sharing service. Opening the archive triggers a chain of events that results in the deployment of AshTag.

This involves using a renamed benign binary to sideload a malicious DLL dubbed AshenLoader that, in addition to opening a decoy PDF file to keep up the ruse, contacts an external server to drop two more components, a legitimate executable and a DLL payload called AshenStager (aka stagerx64) that’s again sideloaded to launch the malware suite in memory to minimize forensic artifacts.

AshTag is a modular .NET backdoor that’s designed to facilitate persistence and remote command execution, while masquerading as a legitimate VisualServer utility to fly under the radar. Internally, its features are realized by means of an AshenOrchestrator to enable communications and to run additional payloads in memory.

These payloads serve different purposes –

• Persistence and process management
• Update and removal
• Screen capture
• File explorer and management
• System fingerprinting

In one case, Unit 42 said it observed the threat actor accessing a compromised machine to conduct hands-on data theft by staging documents of interest in the C:UsersPublic folder. These files are said to have been downloaded from a victim’s email inbox, their end goal being the theft of diplomacy-related documents. The documents were then exfiltrated to an attacker-controlled server using the Rclone utility.

It’s assessed that data theft has likely occurred across the broader victim population, particularly in environments where advanced detection capabilities are absent.

“Ashen Lepus remains a persistent espionage actor, demonstrating a clear intent to continue its operations throughout the recent regional conflict — unlike other affiliated threat groups, whose activity significantly decreased,” the company concluded. “The threat actors’ activities throughout the last two years in particular highlight their commitment to constant intelligence collection.”

Dec 11, 2025The Hacker NewsAutomation / Compliance

As enterprises refine their strategies for handling Non-Human Identities (NHIs), Robotic Process Automation (RPA) has become a powerful tool for streamlining operations and enhancing security. However, since RPA bots have varying levels of access to sensitive information, enterprises must be prepared to mitigate a variety of challenges. In large organizations, bots are starting to outnumber human employees, and without proper identity lifecycle management, these bots increase security risks. RPA impacts Identity and Access Management (IAM) by managing bot identities, enforcing least-privilege access and ensuring auditability across all accounts.

Continue reading to learn more about RPA, its challenges with IAM and best practices organizations should follow to secure RPA within IAM.

What is Robotic Process Automation (RPA)?

Robotic Process Automation (RPA) uses bots to automate repetitive tasks that are traditionally performed by human users. In the context of IAM, RPA plays an essential role in streamlining the user lifecycle, including provisioning, deprovisioning and secure access to credentials. These RPA bots act as NHIs and require governance just as human users do for authentication, access controls and privileged session monitoring. As RPA adoption grows, IAM systems must consistently manage both human identities and NHIs within a unified security framework. Here are the key benefits of RPA:

• Improved efficiency and speed: RPA automates time-consuming, repetitive tasks like provisioning and deprovisioning, enabling IT teams to focus on higher-priority tasks.
• Better accuracy: RPA minimizes human error and reduces the risk of misconfigurations by following pre-defined scripts. Bots also automate credential handling and eliminate common issues like password reuse.
• Enhanced security: RPA strengthens IAM by triggering immediate deprovisioning once an employee leaves an organization. Automated bots can also detect and respond to behavioral anomalies in real time, limiting the impact of unauthorized access.
• Stronger compliance: RPA supports regulatory compliance mandates by automatically logging every bot action and enforcing access policies. Combined with zero-trust security principles, RPA enables continuous verification of all identities — human or machine.

Challenges RPA introduces into IAM

As organizations scale their use of RPA, several challenges emerge that can weaken the efficiency of existing IAM strategies, including bot management, larger attack surfaces and integration difficulties.

Managing bots

RPA bots are taking on more critical tasks across enterprises, and managing their identities and access becomes a top priority. Unlike human users, bots work silently in the background but still require authentication and authorization. Without appropriate identity governance, improperly monitored bots can create security gaps within an organization’s IAM. A common problem is how bots store credentials, often embedding hardcoded passwords or API keys in scripts or configuration files.

RPA bots typically interact with critical systems and APIs, relying on credentials or SSH keys to function. Storing these secrets in plaintext configuration files or scripts makes them easy targets for cybercriminals and difficult to securely rotate. A dedicated secrets management tool like Keeper® ensures that all credentials are encrypted and centrally managed in a zero-knowledge vault. Secrets can be retrieved at runtime, so they never reside in memory or on a device.

3. Implement PAM

Bots that perform repetitive, administrative tasks often require privileged access, making Privileged Access Management (PAM) essential. PAM solutions should enforce JIT access, ensuring bots receive privileged access only when needed and for a limited time. With session monitoring and recording to maintain transparency and detect unusual bot activity, implementing PAM eliminates standing access and helps prevent privilege escalation.

4. Strengthen authentication with MFA

Human users managing RPA bots must be required to authenticate using Multi-Factor Authentication (MFA). Since MFA is not practical for bot accounts themselves, having an extra layer of protection for the users managing them helps prevent unauthorized access to critical systems, sensitive data and privileged credentials. In addition, organizations should adopt Zero-Trust Network Access (ZTNA) principles by continuously verifying bot identities and context, not only at login but throughout each privileged session.

Secure the future of automation with IAM

Automation continues to transform how enterprises operate, largely driven by the rise of NHIs like RPA bots. To keep up with this technological evolution, organizations must adjust their IAM strategies to accommodate and secure both human users and automated bots. KeeperPAM® helps enterprises close potential security gaps, such as credential theft and privilege misuse, by providing a unified platform for managing credentials, enforcing PoLP, monitoring privileged sessions and managing the full identity lifecycle of every identity — human or not.

Dec 11, 2025Ravie LakshmananCyber Espionage / Windows Security

Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.

According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed FINALDRAFT (aka Squidoor) that employs Microsoft Graph API for C2. FINALDRAFT is attributed to a threat cluster known as REF7707 (aka CL-STA-0049, Earth Alux, and Jewelbug).

“One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API,” Daniel Stepanic, principal security researcher at Elastic Security Labs, said.

“This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens.”

REF7707 is believed to be a suspected Chinese activity cluster that has targeted governments, defense, telecommunication, education, and aviation sectors in Southeast Asia and South America as far back as March 2023, per Palo Alto Networks Unit 42. In October 2025, Broadcom-owned Symantec attributed the hacking group to a five-month-long intrusion targeting a Russian IT service provider.

The exact initial access vector used to deliver NANOREMOTE is currently not known. However, the observed attack chain includes a loader named WMLOADER that mimics a Bitdefender’s crash handling component (“BDReinit.exe”) and decrypts shellcode responsible for launching the backdoor.

Written in C++, NANOREMOTE is equipped to perform reconnaissance, execute files and commands, and transfer files to and from victim environments using the Google Drive API. It’s also preconfigured to communicate with a hard-coded, non-routable IP address over HTTP to process requests sent by the operator and send the response back.

“These requests occur over HTTP where the JSON data is submitted through POST requests that are Zlib compressed and encrypted with AES-CBC using a 16-byte key (558bec83ec40535657833d7440001c00),” Elastic said. “The URI for all requests use /api/client with User-Agent (NanoRemote/1.0).”

Its primary functionality is realized through a set of 22 command handlers that allow it to collect host information, carry out file and directory operations, run portable executable (PE) files already present on disk, clear cache, download/upload files to Google Drive, pause/resume/cancel data transfers, and terminate itself.

Elastic said it identified an artifact (“wmsetup.log“) uploaded to VirusTotal from the Philippines on October 3, 2025, that’s capable of being decrypted by WMLOADER with the same 16-byte key to reveal a FINALDRAFT implant, indicating that the two malware families are likely the work of the same threat actor. It’s unclear as to why the same hard-coded key is being used across both of them.

“Our hypothesis is that WMLOADER uses the same hard-coded key due to being part of the same build/development process that allows it to work with various payloads,” Stepanic said. “This appears to be another strong signal suggesting a shared codebase and development environment between FINALDRAFT and NANOREMOTE.”

Dec 11, 2025Ravie Lakshmanan

This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open.

The new Threatsday Bulletin brings it all together—big hacks, quiet exploits, bold arrests, and smart discoveries that explain where cyber threats are headed next.

It’s your quick, plain-spoken look at the week’s biggest security moves before they become tomorrow’s headlines.

Cybersecurity isn’t just a tech issue anymore—it’s part of daily life. The same tools that make work and communication easier are the ones attackers now use to slip in unnoticed. Every alert, patch, or policy shift connects to a bigger story about how fragile digital trust has become.

As threats keep evolving, staying aware is the only real defense. The Threatsday Bulletin exists for that reason—to cut through the noise and show what actually matters in cybersecurity right now. Read on for this week’s full rundown of breaches, discoveries, and decisions shaping the digital world.

Dec 11, 2025Ravie LakshmananVulnerability / Encryption

Huntress is warning of a new actively exploited vulnerability in Gladinet’s CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.

“Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution,” security researcher Bryan Masters said.

The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added.

At its core, the issue is rooted in a function named “GenerateSecKey()” present in “GladCtrl64.dll” that’s used to generate the cryptographic keys necessary to encrypt access tickets containing authorization data (i.e., Username and Password) and enable access to the file system as a user, assuming the credentials are valid.

Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker’s choosing.

This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization.

The attacks, according to Huntress, take the form of specially crafted URL requests to the “/storage/filesvr.dn” endpoint, such as below –

/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu

The attack efforts have been found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity. What’s more, the timestamp field in the access ticket, which refers to the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires, allowing the threat actors to reuse the URL indefinitely and download the server configuration.

As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a wide range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications (CVE-2025-11371) with the new exploit to access the machine key from the web.config file.

“Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed,” Huntress said.

In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it’s advised to scan logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2,” which is the encrypted representation of the web.config file path.

In the event indicators or compromise (IoCs) are detected, it’s imperative that the machine key is rotated by following the steps below –

• On Centrestack server, go to Centrestack installation folder C:Program Files (x86)Gladinet Cloud Enterpriseroot
• Make a backup of web.config
• Open IIS Manager
• Navigate to Sites -> Default Web Site
• In the ASP.NET section, double click Machine Key
• Click ‘Generate Keys’ on the right pane
• Click Apply to save it to rootweb.config
• Restart IIS after repeating the same step for all worker nodes

Dec 11, 2025Ravie LakshmananVulnerability / Cloud Security

A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz.

The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the works. The company said it accidentally discovered the zero-day flaw in July 2025 while investigating a malware infection on a customer’s machine.

“Improper symbolic link handling in the PutContents API in Gogs allows local execution of code,” according to a description of the vulnerability in CVE.org.

The cloud security company said CVE-2025-8110 is a bypass for a previously patched remote code execution flaw (CVE-2024-55947, CVSS score: 8.7) that allows an attacker to write a file to an arbitrary path on the server and gain SSH access to the server. CVE-2024-55947 was addressed by the painters in December 2024.

Wiz said the fix put in place by Gogs to resolve CVE-2024-55947 could be circumvented by taking advantage of the fact that Git (and therefore, Gogs) allows symbolic links to be used in git repositories, and those symlinks can point to files or directories outside the repository. Additionally, the Gogs API allows file modification outside of the regular Git protocol.

As a result, this failure to account for symlinks could be exploited by an attacker to achieve arbitrary code execution through a four-step process –

• Create a standard git repository
• Commit a single symbolic link pointing to a sensitive target
• Use the PutContents API to write data to the symlink, causing the system to follow the link and overwrite the target file outside the repository
• Overwrite “.git/config” (specifically the sshCommand) to execute arbitrary commands

As for the malware deployed in the activity, it’s assessed to be a payload based on Supershell, an open-source command-and-control (C2) framework often used by Chinese hacking groups that can establish a reverse SSH shell to an attacker-controlled server (“119.45.176[.]196”).

Wiz said that the attackers behind the exploitation of CVE-2025-8110 left behind the created repositories (e.g., “IV79VAew / Km4zoh4s”) on the customer’s cloud workload when they could have taken steps to delete or mark them as private following the infection. This carelessness points to a “smash-and-grab” style campaign, it added.

In all, there are about 1,400 exposed Gogs instances, out of which more than 700 have exhibited signs of compromise, particularly the presence of 8-character random owner/repository names. All the identified repositories were created around July 10, 2025.

“This suggests that a single actor, or perhaps a group of actors all using the same tooling, are responsible for all infections,” researchers Gili Tikochinski and Yaara Shriki said.

Given that the vulnerability does not have a fix, it’s essential that users disable open-registration, limit exposure to the internet, and scan instances for repositories with random 8-character names.

The disclosure comes as Wiz also warned that threat actors are targeting leaked GitHub Personal Access Tokens (PAT) as high-value entry points to obtain initial access to victim cloud environments and even leverage them for cross-cloud lateral movement from GitHub to Cloud Service Provider (CSP) control plane.

The issue at hand is that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover secret names embedded directly in a workflow’s YAML code. To complicate matters further, if the exploited PAT has write permissions, attackers can execute malicious code and remove traces of their malicious activity.

“Attackers leveraged compromised PATs to discover GitHub Action Secrets names in the codebase, and used them in newly created malicious workflows to execute code and obtain CSP secrets,” researcher Shira Ayal said. “Threat actors have also been observed exfiltrating secrets to a webhook endpoint they control, completely bypassing Action logs.”

Dec 11, 2025Ravie LakshmananZero-Day / Vulnerability

Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild.

The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID “466192044.” Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and the nature of the flaw under wraps.

However, a GitHub commit for the Chromium bug ID has revealed that the issue resides in Google’s open-source Almost Native Graphics Layer Engine (ANGLE) library, with the commit message stating “Metal: Don’t use pixelsDepthPitch to size buffers. pixelsDepthPitch is based on GL_UNPACK_IMAGE_HEIGHT, which can be smaller than the image height.”

This indicates the problem is likely a buffer overflow vulnerability in ANGLE’s Metal renderer triggered by improper buffer sizing, which could lead to memory corruption, program crashes, or arbitrary code execution.

“Google is aware that an exploit for 466192044 exists in the wild,” the company noted, adding that more details are “under coordination.”

Naturally, the tech giant has also not disclosed any specifics on the identity of the threat actor behind the attacks, who may have been targeted, or the scale of such efforts.

This is typically done so as to ensure that a majority of the users have applied the fixes and to prevent other bad actors from reverse engineering the patch and developing their own exploits.

With the latest update, Google has addressed eight zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.

Also addressed by Google are two other medium-severity vulnerabilities –

• CVE-2025-14372 – Use-after-free in Password Manager
• CVE-2025-14373 – Inappropriate implementation in Toolbar

To safeguard against potential threats, it’s advised to update their Chrome browser to versions 143.0.7499.109/.110 for Windows and Apple macOS, and 143.0.7499.109 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.

Dec 10, 2025The Hacker NewsCloud Security / Threat Detection

Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code.

Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world.

Next week, the Cortex Cloud team at Palo Alto Networks is hosting a technical deep dive to walk you through three recent investigations and exactly how to defend against them.

Secure your spot for the live session ➜

What Experts Will Cover

This isn’t a high-level overview. We are looking at specific, technical findings from the field. In this session, our experts will break down three distinct attack vectors that are bypassing traditional security right now:

1. AWS Identity Misconfigurations: We will show how attackers abuse simple setup errors in AWS identities to gain initial access without stealing a single password.
2. Hiding in AI Models: You will see how adversaries mask malicious files in production by mimicking the naming structures of your legitimate AI models.
3. Risky Kubernetes Permissions: We will examine “overprivileged entities”—containers that have too much power—and how attackers exploit them to take over infrastructure.

We won’t just talk about the problems; we will show you the mechanics of the attacks. Register now to see the full breakdown of these threats.

Why This Matters for Your Team

The core issue with these threats is the visibility gap. Often, the Cloud team builds the environment, and the SOC (Security Operations Center) monitors it, but neither side sees the full picture.

In this webinar, we will demonstrate how Code-to-Cloud detection fixes this. We will show you how to use runtime intelligence and audit logs to spot these threats early.

The Takeaway

By the end of this session, you will have actionable insights on how to:

• Audit your cloud logs for “invisible” intruders.
• Clean up risky permissions in Kubernetes.
• Apply AI-aware controls to protect your development pipeline.

Don’t wait until you find these vulnerabilities in a breach report. Join us next week and get the knowledge you need to close the gaps.

Register for the Webinar ➜

Dec 10, 2025Ravie LakshmananVulnerability / Malware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.

“RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,” CISA said in an alert.

The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

“This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login,” RARLAB noted at the time.

The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security, the vulnerability has been exploited by two different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.

In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may be exploited CVE-2025-6218 along with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails.

It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to facilitate persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader. The attack leverages a RAR archive (“Provision of Information for Sectoral for AJK.rar”) that contains a benign Word document and a malicious macro template.

“The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” Foresiet said last month. “Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise.”

The C# trojan is designed to contact an external server (“johnfashionaccess[.]com”) for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration. It’s assessed that the RAR archives are propagated via spear-phishing attacks.

Last but not least, CVE-2025-6218 has also been exploited by a Russian hacking group known as Gamaredon in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities to infect them with a malware referred to as Pteranodon. The activity was first observed in November 2025.

“This is not an opportunistic campaign,” a security researcher who goes by the name Robin said. “It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.”

It’s worth noting that the adversary has also extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploying a new wiper codenamed GamaWiper.

“This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities,” ClearSky said in a November 30, 2025, post on X.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks.