Weekly Threat Landscape Digest – Week 9

HawkEye Managed MDR

This week’s cybersecurity landscape underscores the growing sophistication of cyber threats and the critical need for a proactive defense approach. As attackers refine their techniques, organizations must stay ahead by promptly applying security patches, enhancing threat detection mechanisms, and fortifying their overall cyber resilience. A strong cybersecurity posture relies on continuous monitoring, employee education, and a well-structured incident response plan. By adopting a multi-layered security strategy and remaining vigilant against emerging threats, businesses can effectively minimize risk exposure and protect their critical assets from cyber threats.

Vulnerabilities

  1. Malicious Code Found in VSCode Extensions

Microsoft has removed two widely used Visual Studio Code (VSCode) extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free’, after cybersecurity researchers discovered malicious code embedded within them. These extensions, developed by Mattia Astorino (aka equinusocio), had nearly 9 million installations before being taken down.

Incident Details:

  • The malicious code was embedded in an obfuscated JavaScript file (release-notes.js) within the extensions.
  • Researchers suspect this was introduced via a compromised dependency or a supply chain attack.
  • The obfuscated script contained references to usernames and passwords, though its full impact is still being analyzed.
  • Microsoft has disabled the extensions across all VSCode instances and permanently banned the developer from the Visual Studio Marketplace.

Indicators of Compromise (IoCs):

  • equinusocio.moxer-theme
  • equinusocio.vsc-material-theme
  • equinusocio.vsc-material-theme-icons
  • equinusocio.vsc-community-material-theme
  • equinusocio.moxer-icons

Mitigation & Recommendations:

  • Uninstall Affected Extensions: Remove all the listed extensions from VSCode immediately.
  • Verify Installed Extensions: Review all VSCode extensions for suspicious behavior or outdated dependencies.
  • Monitor Official Updates: Stay informed through Microsoft’s updates and check the VSMarketplace GitHub repository for further details.
  • Enhance Supply Chain Security: Ensure all dependencies in development projects are up to date and obtained from trusted sources.
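A quick way to act on the first two recommendations is to compare the IDs VS Code reports as installed against the IoC list above. The script below is an added example, not code from the digest or from Microsoft; it assumes the `code` CLI is on PATH (it also accepts the output of `code --list-extensions` on stdin) and the file name `check_vscode_iocs.py` is just a suggestion.

```python
"""Check installed VS Code extension IDs against the IoC list above.

Added example: this is not code from the digest or from Microsoft. It expects
IDs in the `publisher.name` or `publisher.name@version` form that
`code --list-extensions [--show-versions]` prints, and runs that CLI itself
when nothing is piped in.
"""
import subprocess
import sys

# The extension IDs from the digest's IoC section.
IOC_EXTENSIONS = frozenset({
    "equinusocio.moxer-theme",
    "equinusocio.vsc-material-theme",
    "equinusocio.vsc-material-theme-icons",
    "equinusocio.vsc-community-material-theme",
    "equinusocio.moxer-icons",
})


def normalize(ext_id: str) -> str:
    """Lower-case the ID and drop a trailing @version; marketplace IDs are case-insensitive."""
    return ext_id.strip().split("@", 1)[0].lower()


def find_flagged(installed):
    """Return the IoC-listed IDs present in `installed`, in input order and without duplicates."""
    flagged = []
    for raw in installed:
        ext = normalize(raw)
        if ext in IOC_EXTENSIONS and ext not in flagged:
            flagged.append(ext)
    return flagged


def installed_extensions():
    """Query the VS Code CLI; returns [] if `code` is not on PATH or the call fails."""
    try:
        proc = subprocess.run(["code", "--list-extensions"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return proc.stdout.splitlines()


if __name__ == "__main__":
    ids = sys.stdin.read().splitlines() if not sys.stdin.isatty() else installed_extensions()
    hits = find_flagged(ids)
    for ext in hits:
        print(f"FLAGGED {ext}  (remove with: code --uninstall-extension {ext})")
    sys.exit(1 if hits else 0)
```

Run it as `code --list-extensions | python3 check_vscode_iocs.py` on each developer workstation; a non-zero exit code makes it easy to wire into a fleet-wide compliance check.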

References:

 

  1. DoS Vulnerability in Cisco Nexus 3000 and 9000 Series Switches

A high-severity Denial of Service (DoS) vulnerability has been identified in the health monitoring diagnostics of Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a device reload, leading to a denial of service condition.

Vulnerability Details:

  • CVE ID: CVE-2025-20111
  • Severity: High (CVSS Score: 7.4)
  • Vulnerability Type: Denial of Service (DoS)
  • Exploitation Vector: An unauthenticated attacker can send crafted Ethernet frames from an adjacent network to trigger a device reload.

Affected Products:

  • Nexus 3100, 3200, 3400, and 3600 Series Switches
  • Nexus 9200, 9300, and 9400 Series Switches operating in standalone NX-OS mode

Mitigation & Recommendations:

  • Apply Cisco-released software updates to patch the vulnerability.
  • Implement available workarounds if immediate patching is not possible (refer to Cisco’s advisory).
  • Monitor system logs for indicators of compromise (IoCs) and investigate repeated failures of the health monitoring tests.
  • Restrict access to affected network segments to minimize exposure to exploitation.

References:



  1. Critical Vulnerability in Everest Forms Plugin

A critical vulnerability (CVE-2025-1128, CVSS 9.8) has been identified in the Everest Forms WordPress plugin, allowing unauthenticated attackers to upload malicious files, execute remote code, and delete critical files like wp-config.php, potentially leading to a complete website takeover.

Vulnerability Details:

  • Cause: Improper file type and path validation in the format() method of EVF_Form_Fields_Upload class.
  • Exploitation Risks:
    • Upload and execute malicious PHP code in the WordPress uploads folder.
    • Delete critical WordPress files, including wp-config.php.
    • Gain full control of the affected website.
    • Redirect the site to an attacker-controlled database.

Affected Versions:

  • Everest Forms ≤ 3.0.9.4

Fixed Version:

  • Everest Forms 3.0.9.5 or later

Mitigation & Recommendations:

  • Update the Everest Forms plugin to version 3.0.9.5 or later immediately.
  • Monitor server logs for unusual file uploads or modifications.
  • Restrict file upload permissions and disable PHP execution in the uploads folder.
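The root cause above (improper file type and path validation) is a general class of defect, so here is an added example of the kind of validation an upload handler needs. It is not the plugin's code (the plugin is PHP; this is written in Python to show the logic): a deliberately weak check that trusts only the last extension sits next to a hardened validator that confines the name to the uploads directory, allow-lists extensions, rejects double extensions such as `shell.php.jpg`, and refuses to resolve paths such as `../../wp-config.php` before any delete or overwrite. The upload root and file names are constructed for the example.

```python
"""Upload-path validation of the kind the Everest Forms fix had to add.

Added example, not the plugin's code. Shows a weak check next to a hardened
validator that confines user-supplied names to the uploads directory.
"""
from pathlib import Path, PurePosixPath

UPLOAD_DIR = Path("/var/www/html/wp-content/uploads")   # constructed example root
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}


def weak_is_allowed(user_path: str) -> bool:
    """Weak check: trusts the last extension only and ignores the directory part."""
    return user_path.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def safe_upload_target(user_path: str) -> Path:
    """Return a confined destination path, or raise ValueError if the name is unacceptable."""
    if "\x00" in user_path:
        raise ValueError("null byte in filename")
    # Keep only the final path component: strips '../' and absolute prefixes.
    name = PurePosixPath(user_path.replace("\\", "/")).name
    if not name or name in {".", ".."} or name.startswith("."):
        raise ValueError("empty, relative or dot-file name")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise ValueError("no extension")
    exts = parts[1:]
    # The last extension must be allow-listed and no component of the chain may
    # be an executable one, so 'x.php.jpg' is rejected.
    if any(e in EXECUTABLE_EXT for e in exts) or exts[-1] not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {name}")
    # Resolve and confirm the result still lives under UPLOAD_DIR.
    target = (UPLOAD_DIR / name).resolve()
    if UPLOAD_DIR.resolve() not in target.parents:
        raise ValueError("path escapes upload directory")
    return target


def confined_path(user_path: str) -> Path:
    """Resolve a user-supplied relative path and require it to stay inside UPLOAD_DIR.

    Use this before deleting or overwriting anything: '../../wp-config.php' is rejected."""
    candidate = (UPLOAD_DIR / user_path.lstrip("/")).resolve()
    root = UPLOAD_DIR.resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError("path escapes upload directory")
    return candidate


if __name__ == "__main__":
    for sample in ["photo.jpg", "shell.php.jpg", "../../wp-config.php.jpg"]:
        try:
            print(sample, "->", safe_upload_target(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err, "(weak check says", weak_is_allowed(sample), ")")
```

The same confinement check belongs in front of the delete path that CVE-2025-1128 abused: a deletion routine that accepts any string and joins it onto the uploads directory will happily remove `wp-config.php` two levels up.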

Reference:



  1. Exploited Vulnerability in Microsoft Power Pages

A critical security vulnerability (CVE-2025-24989, CVSS 8.2) has been identified in Microsoft Power Pages, allowing attackers to bypass user registration controls and gain unauthorized access to sensitive data. This vulnerability is actively being exploited in the wild.

Vulnerability Details:

  • Type: Elevation of Privilege (EoP)
  • Weakness: Improper Access Control (CWE-284)
  • Impact: Attackers can escalate privileges, modify access controls, and compromise sensitive systems.

Mitigation & Recommendations:

  • Microsoft has already mitigated this issue and notified affected customers.
  • Ensure your Microsoft Power Pages environment is updated to the latest version.
  • Review user registration settings and access permissions to detect unauthorized changes.
  • Monitor logs and security alerts for any suspicious activity, such as unauthorized privilege escalation attempts.

Reference:

 

  1. Security Updates – NVIDIA Orin Series

NVIDIA has released a high-severity security update (CVE-2024-0148, CVSS 7.6) for Jetson AGX Orin Series and IGX Orin, addressing a UEFI firmware vulnerability that allows attackers with physical access to execute untrusted code, leading to privilege escalation, data tampering, and denial of service (DoS).

Vulnerability Details:

  • CVE ID: CVE-2024-0148
  • Severity: High
  • Impact: Code execution, privilege escalation, data corruption, information disclosure, DoS attacks
  • CWE Classification: CWE-447 (Untrusted Boot Mode Vulnerability)

Affected Products and Fixed Versions:

  • NVIDIA IGX Orin: Affected versions prior to IGX 1.1 (Fixed in IGX 1.1)
  • Jetson AGX Orin Series (Jetson Linux): Affected versions prior to 36.4.3 (Fixed in 36.4.3)

Mitigation & Recommendations:

  • Update immediately to Jetson Linux 36.4.3 and IGX 1.1 to patch the vulnerability.
  • Ensure devices are physically secured to prevent unauthorized access.
  • Monitor for abnormal system behavior indicating potential exploitation.

Reference:



  1. High-Severity Vulnerability in Synology Media Server

Synology has identified and patched a high-severity vulnerability (CVE-2024-4464, CVSS 7.5) in its Media Server software, which could allow unauthenticated remote attackers to access sensitive files on affected devices.

Vulnerability Details:

  • CVE ID: CVE-2024-4464
  • Severity: High
  • Impact: Unauthorized file access, information disclosure, potential further compromise
  • Issue: An authorization bypass in the streaming service due to user-controlled keys, allowing attackers to read files without authentication.

Affected Versions and Fixed Versions:

  • Media Server for DSM 7.2: Affected versions before 2.2.0-3325 (Fixed in 2.2.0-3325)
  • Media Server for DSM 7.1: Affected versions before 2.0.5-3152 (Fixed in 2.0.5-3152)
  • Media Server for SRM 1.3: Affected versions before 1.4-2680 (Fixed in 1.4-2680)

Mitigation & Recommendations:

  • Update immediately to the latest patched versions of Synology Media Server.
  • Restrict remote access to trusted networks only.
  • Monitor system logs for unusual access patterns indicating unauthorized file access.

Reference:

 

  1. High-Severity Vulnerability in Moxa PT Switches

A high-severity vulnerability (CVE-2024-9404, CVSS 7.5) has been identified in Moxa PT industrial switches, which could be exploited to trigger a system crash or cold start, causing operational downtime in industrial environments.

Vulnerability Details:

  • CVE ID: CVE-2024-9404
  • Severity: High
  • Impact: Denial-of-Service (DoS), system crash, cold start, and operational disruption
  • Issue: Insufficient input validation in the moxa_cmd service, primarily used for deployment, allowing attackers to remotely trigger a system failure.

Affected Versions and Fixed Versions:

  • PT-7728 Series: Affected versions 3.9 and earlier (Fixed in 3.9.2)
  • PT-7828 Series: Affected versions 4.0 and earlier (Fixed in 4.0.4)
  • PT-G503 Series: Affected versions 5.3 and earlier (Fixed in 5.3.6)
  • PT-G510 Series: Affected versions 6.5 and earlier (Fixed in 6.5.8)

Mitigation & Recommendations:

  • Apply the latest patches provided by Moxa to mitigate this vulnerability.
  • Restrict network access to PT switches to prevent unauthorized access.
  • Disable unnecessary services, including moxa_cmd, to reduce the attack surface.
  • Monitor network traffic for suspicious activities indicating possible exploitation attempts.

Reference:



  1. High-Severity Vulnerability in Rockwell Automation PowerFlex 755

A high-severity vulnerability (CVE-2025-0631, CVSS 8.7) has been identified in Rockwell Automation’s PowerFlex 755 motor control drive software, which transmits credentials in cleartext over HTTP, making them susceptible to interception.

Vulnerability Details:

  • CVE ID: CVE-2025-0631
  • Severity: High (CVSS 8.7)
  • Issue: Cleartext Transmission of Sensitive Information (CWE-319)
  • Impact: Unauthorized access and potential compromise of industrial control systems (ICS)
  • Affected Versions: PowerFlex 755 v16.002.279 and prior
  • Fixed Version: PowerFlex 755 v20.3.407

Mitigation & Recommendations:

  • Upgrade to PowerFlex 755 v20.3.407 to mitigate the risk.
  • Implement network segmentation to isolate ICS from general IT networks.
  • Deploy Intrusion Detection Systems (IDS) to monitor and detect unauthorized access.
  • Enforce Multi-Factor Authentication (MFA) where applicable to strengthen authentication security.

Reference:



  1. Critical Remote Code Execution Vulnerability in MITRE Caldera

A critical Remote Code Execution (RCE) vulnerability (CVE-2025-27364, CVSS 10.0) has been discovered in MITRE Caldera, an adversary emulation platform. Attackers can exploit this vulnerability via crafted API requests, enabling them to execute arbitrary commands on vulnerable servers.

Vulnerability Details:

  • CVE ID: CVE-2025-27364
  • Severity: Critical (CVSS 10.0)
  • Weakness: OS Command Injection (CWE-78)
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Affected Versions: Caldera versions up to 4.2.0 and 5.0.0 (before commit 35bc06e)
  • Fixed Versions: Commit 35bc06e and version 5.1.0+
  • PoC Available: A publicly available exploit demonstrates the attack using a simple cURL request.

Mitigation & Recommendations:

  • Update MITRE Caldera to version 5.1.0+ or apply commit 35bc06e.
  • Restrict network access to the Caldera server, allowing only trusted IPs.
  • Monitor server logs for unusual activity, unauthorized API requests, or rogue agent deployments.

Reference:




  1. Critical Vulnerabilities in Mattermost Boards Plugin

Critical security vulnerabilities have been identified in the Mattermost Boards plugin, allowing attackers to perform arbitrary file reads and SQL injection attacks, leading to potential data breaches and unauthorized access.

Vulnerability Details:

  • CVE-2025-20051 (CVSS 9.9)
    • Arbitrary file read via block duplication
    • Attackers can exploit block duplication to access sensitive files.
  • CVE-2025-24490 (CVSS 9.6)
    • SQL injection vulnerability
    • Allows unauthorized database queries via manipulated board category ID requests.
  • CVE-2025-25279 (CVSS 9.9)
    • Arbitrary file read via import/export functionality
    • Attackers can craft malicious import archives to access sensitive data.

Affected Versions:

  • Mattermost 10.4.1 and earlier in 10.4.x
  • Mattermost 9.11.7 and earlier in 9.11.x
  • Mattermost 10.3.2 and earlier in 10.3.x
  • Mattermost 10.2.2 and earlier in 10.2.x

Fixed Versions:

  • Mattermost 10.5.0, 10.4.2, 9.11.8, 10.3.3, 10.2.3

Mitigation & Recommendations:

  • Update Mattermost to the latest patched versions immediately.
  • Restrict access to Mattermost Boards from untrusted sources.
  • Monitor database logs for unusual queries or access attempts.

Reference:



  1. Xerox Printer Vulnerabilities Exposing Active Directory Credentials

Security vulnerabilities in Xerox VersaLink C7025 Multifunction Printers (MFPs) could allow attackers to capture Windows Active Directory credentials, potentially enabling lateral movement within networks and compromising critical Windows servers and file systems.

Vulnerability Details:

  • CVE-2024-12510 – LDAP Pass-Back Attack
  • CVE-2024-12511 – SMB/FTP Pass-Back Attack
  • Attackers can exploit these flaws to intercept and extract Active Directory credentials.

Affected Versions:

  • Firmware Version: 57.69.91 and earlier

Fixed Version:

  • Firmware Version Service Pack 57.75.53

Mitigation & Recommendations:

  • Update printer firmware to the latest patched version immediately.
  • Restrict printer access to trusted internal networks.
  • Avoid using Windows admin accounts for printer authentication.
  • Monitor network traffic for unusual authentication attempts.

Reference:

 

  1. Multiple Vulnerabilities in Libxml2

Libxml2, a widely used XML parsing library, has been found to contain multiple vulnerabilities that could lead to denial of service, application crashes, or arbitrary code execution on affected systems.

Vulnerability Details:

  • CVE-2024-56171 (CVSS 7.8) – Use-After-Free Vulnerability
    • Affects xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables functions.
    • Can be exploited via specially crafted XML documents.
    • May lead to arbitrary code execution.
  • CVE-2025-24928 (CVSS 7.8) – Stack-Based Buffer Overflow
    • Found in xmlSnprintfElements function.
    • Can be triggered during DTD validation of untrusted XML documents.
    • May result in denial of service (DoS) or code execution.
  • CVE-2025-27113 (CVSS 2.9) – NULL Pointer Dereference
    • Affects xmlPatMatch function.
    • Exploitable under specific conditions (e.g., Perl module XML::LibXML::Reader).
    • Can cause application crashes but is not exploitable for remote code execution.

Affected Versions:

  • Libxml2 versions prior to 2.12.10 and 2.13.6

Fixed Versions:

  • Libxml2 2.12.10 and 2.13.6 or later

Mitigation & Recommendations:

  • Update to the latest patched version immediately.
  • Avoid processing untrusted XML documents without strict validation.
  • Monitor for unusual system crashes that may indicate attempted exploitation.

References:




  1. Critical Vulnerabilities in Identity and Public Key Infrastructure (IDPKI)

Eviden, a subsidiary of Atos, has identified multiple vulnerabilities in its Identity and Public Key Infrastructure (IDPKI) solution. These flaws could allow attackers to issue illegitimate certificates, escalate privileges, and access confidential data, posing significant risks to the integrity of managed environments.

Vulnerability Details:

  • CVE-2024-39327 (CVSS 9.9) – High Risk
    • Allows attackers to issue unauthorized digital certificates.
    • Affects IDRA and IDRA SaaS solutions.
  • CVE-2024-39328 (CVSS 6.8) – Medium Risk
    • Could be exploited for privilege escalation.
    • Affects IDCA but does not impact IDCA SaaS.
  • CVE-2024-51505 (CVSS 8.0) – High Risk
    • Allows unauthorized access to confidential data.
    • Affects IDRA only.

Affected Products & Fixed Versions:

  • IDRA → Fixed in version 2.7.1
  • IDRA SaaS (only CVE-2024-39327 affected) → Fixed in version 2.7.1
  • IDCA (only CVE-2024-39328 affected) → Fixed in version 2.7.0
  • IDCA SaaS → Not affected

Mitigation & Recommendations:

  • Update all affected IDPKI products to the latest fixed versions immediately.
  • Review certificate issuance logs for any unauthorized activities.
  • Implement strong access controls to prevent privilege escalation attacks.

References:

  • https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view



  1. Deceptive Signatures: Advanced Techniques in BEC Attacks

Business Email Compromise (BEC) attacks are evolving with advanced social engineering, AI-driven personalization, and phishing kits, making them more effective at bypassing traditional security measures, including multi-factor authentication (MFA).

Key Observations:

  • Phishing in Email Signatures: Attackers are embedding HTML-formatted phishing emails within email signature blocks, exploiting recipients’ trust in signature sections.
  • Undetected Persistence: Since email signature modifications are not commonly logged, this technique can evade M365 and Google Workspace auditing.
  • Cascading Impact: Once a user’s credentials are compromised, attackers use the compromised account to spread phishing emails further, collect credentials, and expand their reach across organizations.

Attack Process:

  1. Email Signature Modification: Threat actors inject malicious links within the signature block of a compromised user’s email account.
  2. Automated Phishing Delivery: Every new email sent by the user unknowingly contains the phishing lure as part of their signature.
  3. Credential Harvesting: Recipients clicking on the malicious link are redirected to Google Forms or similar phishing pages, capturing their email and banking credentials.
  4. Lateral Expansion: The attackers reuse newly compromised accounts to escalate phishing campaigns, targeting new victims.

Mitigation & Recommendations:

  • Enhance Email Security: Deploy email filtering and anti-phishing solutions that scan embedded links in email signatures.
  • Employee Awareness: Conduct regular phishing training to help users identify suspicious email behavior, including unexpected signature modifications.
  • Monitor Email Signature Changes: Implement active monitoring and logging of email signature modifications across corporate email platforms.
  • Enforce Multi-Factor Authentication (MFA): Apply MFA across email and financial systems to minimize credential-based compromises.
  • Establish BEC Incident Response Protocols: Ensure incident response teams can quickly identify, isolate, and remediate compromised accounts to prevent further exploitation.
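Because signature edits are not commonly logged, the "monitor email signature changes" recommendation usually has to be built from periodic exports. The script below is an added example and not from the digest or any vendor: it assumes you can pull each user's signature HTML from the mail platform on a schedule, diffs consecutive snapshots, and alerts when a link to a host outside the organisation's own domains appears. The snapshots and domains are constructed.

```python
"""Flag new external links introduced into users' e-mail signatures.

Added example (not from the digest or any mail platform). Input is two
{user: signature_html} snapshots; output is the users whose signatures gained
links to hosts outside ORG_DOMAINS.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example.com", "www.example.com"}   # constructed


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


def extract_links(html: str):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def external_hosts(html: str):
    """Hosts of http(s) links in the signature that are not organisation domains."""
    hosts = set()
    for href in extract_links(html):
        url = urlparse(href)
        if url.scheme in ("http", "https") and url.hostname and url.hostname.lower() not in ORG_DOMAINS:
            hosts.add(url.hostname.lower())
    return hosts


def signature_alerts(previous, current):
    """Compare two snapshots; return {user: sorted list of newly added external hosts}."""
    alerts = {}
    for user, html in current.items():
        new_hosts = external_hosts(html) - external_hosts(previous.get(user, ""))
        if new_hosts:
            alerts[user] = sorted(new_hosts)
    return alerts


# Constructed snapshots: alice's signature gains a "secure document" lure, bob's is unchanged.
SNAPSHOT_BEFORE = {
    "alice@example.com": '<p>Alice Example<br><a href="https://www.example.com">example.com</a></p>',
    "bob@example.com": '<p>Bob Example<br><a href="https://www.example.com">example.com</a></p>',
}
SNAPSHOT_AFTER = {
    "alice@example.com": (
        '<p>Alice Example<br><a href="https://www.example.com">example.com</a><br>'
        '<a href="https://docs.google.com/forms/d/e/CONSTRUCTED-ID/viewform">View secure document</a></p>'
    ),
    "bob@example.com": '<p>Bob Example<br><a href="https://www.example.com">example.com</a></p>',
}

if __name__ == "__main__":
    for user, hosts in signature_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"ALERT {user}: new external link host(s) {hosts}")
```

Treat a hit as a trigger to pull the account's sign-in history and sent items, since the digest's attack chain puts the signature edit after the account has already been compromised.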

References:



  1. Microsoft 365 Accounts Targeted by Mega-Botnet in Large-Scale Password-Spray Attack

A botnet of over 130,000 compromised devices has been detected conducting a large-scale password-spray attack targeting Microsoft 365 (M365) accounts through noninteractive sign-ins.

Key Observations:

  • Exploitation of Noninteractive Sign-Ins:
    • Attackers bypass standard security monitoring by leveraging noninteractive authentication, where credentials are automatically used without requiring direct user input.
    • This method allows high-volume password spraying without triggering security alerts.
  • Global Scale Attack:
    • The attack has been observed across multiple M365 tenants worldwide, suggesting a coordinated campaign.
    • Researchers suspect a Chinese-affiliated group may be responsible, though this remains unconfirmed.
  • Silent Persistence:
    • Unlike traditional password spray attacks that trigger account lockouts, this technique allows attackers to stay under the radar, avoiding detection.
    • This prolonged access increases the risk of account takeovers, business disruption, lateral movement, MFA evasion, and bypassing conditional access policies (CAP).

Mitigation & Recommendations:

  • Review Noninteractive Sign-In Logs:
    • Organizations relying on interactive sign-in monitoring alone may be blind to these attacks.
    • Immediate verification of noninteractive sign-in logs is recommended.
    • Rotate credentials for any affected accounts detected in the logs.
  • Implement Privileged Access Management (PAM):
    • Enforce least-privilege access and ensure regular credential rotation for service accounts.
    • Monitor service accounts for real-time authentication activity.
  • Strengthen Authentication Pathways:
    • Use a password manager to enforce strong, unique credentials and minimize exposure.
    • Enable conditional access policies (CAP) that restrict access based on risk-based authentication.
  • Monitor Advanced Threats & Supply Chain Risks:
    • Implement continuous monitoring of software supply chains for vulnerabilities and suspicious activity.
    • Keep up with threat intelligence feeds to detect and respond to evolving threats.
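The first recommendation, reviewing noninteractive sign-in logs, can be turned into a concrete detection: a spray shows up as one source IP failing against many different accounts with only one or two attempts each, which is the opposite of a single user mistyping a password. The script below is an added example, not from the digest or Microsoft. It assumes an export of Entra ID sign-in records using that log's field names (userPrincipalName, ipAddress, isInteractive, createdDateTime, status.errorCode, where 50126 is "invalid username or password"); the records and thresholds are constructed and should be tuned per tenant.

```python
"""Password-spray detection over non-interactive Microsoft 365 sign-in records.

Added example (not from the digest or Microsoft). Records are constructed and
mirror the Entra ID sign-in log export; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126   # Entra ID error code: invalid username or password


def _rec(upn, ip, ts, code, interactive=False):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": ts,
            "isInteractive": interactive, "status": {"errorCode": code}}


# Constructed sample: 198.51.100.23 tries eight accounts once each and then
# succeeds against a ninth (a spray with a hit); 203.0.113.9 is one user
# failing repeatedly, plus an interactive failure that the usual alerting covers.
SAMPLE_SIGNINS = (
    [_rec(f"user{i}@example.com", "198.51.100.23", f"2025-02-25T03:00:{i * 5:02d}Z", INVALID_CREDENTIALS)
     for i in range(8)]
    + [_rec("user8@example.com", "198.51.100.23", "2025-02-25T03:00:45Z", 0)]
    + [_rec("alice@example.com", "203.0.113.9", f"2025-02-25T03:1{i}:00Z", INVALID_CREDENTIALS)
       for i in range(4)]
    + [_rec("bob@example.com", "203.0.113.9", "2025-02-25T03:20:00Z", INVALID_CREDENTIALS, interactive=True)]
)


def detect_spray(records, window=timedelta(minutes=60), min_users=5, max_attempts_per_user=3):
    """Return {ip: finding} for source IPs whose non-interactive failures hit at least
    `min_users` distinct accounts inside `window`, with few attempts per account."""
    failures = defaultdict(list)   # ip -> [(time, upn)]
    successes = defaultdict(set)   # ip -> accounts that authenticated from that ip
    for r in records:
        if r["isInteractive"]:
            continue   # only the blind spot the digest describes is in scope here
        when = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        code = r["status"]["errorCode"]
        if code == INVALID_CREDENTIALS:
            failures[r["ipAddress"]].append((when, r["userPrincipalName"]))
        elif code == 0:
            successes[r["ipAddress"]].add(r["userPrincipalName"])

    findings = {}
    for ip, events in failures.items():
        events.sort()
        best = {}
        # Sliding window: from each failure, count attempts per account within `window`.
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for when, upn in events[i:]:
                if when - start > window:
                    break
                per_user[upn] += 1
            if len(per_user) > len(best):
                best = dict(per_user)
        if len(best) >= min_users and max(best.values()) <= max_attempts_per_user:
            findings[ip] = {
                "distinct_users": len(best),
                "attempts": sum(best.values()),
                # Accounts that later succeeded from the spraying IP: rotate these first.
                "compromised_candidates": sorted(successes.get(ip, set())),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_SIGNINS).items():
        print(f"SPRAY from {ip}: {finding}")
```

Accounts listed under `compromised_candidates` are the ones to rotate and review first, and the interactive-only filter is deliberate: dropping it is fine for coverage, but the digest's point is that the noninteractive path is the one most tenants never look at.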

References:




  1. AI Tricksters Use Fake DeepSeek Sites to Steal Cryptocurrency

Threat actors are creating fraudulent websites mimicking DeepSeek, a recently launched AI chatbot from China, to steal cryptocurrency and personal information.

Key Observations:

  • Fake DeepSeek Websites Identified:
    • Attackers are registering deceptive domains, including:
      • deepseeksol[.]com
      • deepseeksky[.]com
      • deepseek[.]app
      • deepseekaiagent[.]live
  • Malware Deployment via Registration Process:
    • Victims are tricked into completing a fake registration and solving a CAPTCHA challenge.
    • Malicious JavaScript copies a PowerShell command to the clipboard.
    • If executed, this downloads the Vidar information stealer, a malware designed to exfiltrate cryptocurrency wallets, saved credentials, and personal files.
  • Vidar Malware’s Advanced Tactics:
    • Searches for cryptocurrency wallets by scanning specific registry keys and file paths.
    • Extracts saved login credentials, stored cookies, and personal files.
    • Uses Telegram for command-and-control (C2) communications, making it harder to trace.

Mitigation & Recommendations:

  • Verify Authenticity of Websites:
    • Avoid downloading software or providing information to unverified sources.
    • Always visit official DeepSeek domains and confirm secure HTTPS connections.
  • Educate Users on Phishing Risks:
    • Raise awareness about brand impersonation tactics.
    • Encourage scrutiny of CAPTCHA challenges and registration prompts on unfamiliar sites.
  • Monitor for Malware Activity:
    • Deploy Endpoint Detection & Response (EDR) tools to detect PowerShell-based malware execution.
    • Restrict clipboard-based PowerShell execution to prevent automatic command execution.
  • Strengthen Cryptocurrency Security:
    • Store cryptocurrency wallets in hardware wallets or cold storage.
    • Regularly review and update security configurations related to financial accounts.

References:

 

 

  1. Android Trojan TgToxic Expands Capabilities

A new version of TgToxic, an Android banking trojan, has emerged with enhanced anti-analysis features and an improved command-and-control (C2) mechanism, increasing its stealth and persistence.

Key Observations:

  • TgToxic’s Evolution:
    • Originally discovered in July 2022, targeting Southeast Asian mobile users via phishing campaigns and deceptive applications.
    • October 2024: New ToxicPanda variant detected, showing reduced technical complexity but plans for global expansion (Europe & Latin America).
    • November 2024: Shift to dead drop locations on 25+ community forums for encrypted C2 communication.
    • December 2024: Third variant adopted a Domain Generation Algorithm (DGA), increasing resilience against takedowns.
  • Advanced Evasion Tactics:
    • Improved Emulator Detection:
      • Analyzes Android system features (Bluetooth, sensors, telephony services).
      • Checks CPU architecture for common emulator processors (Intel, AMD).
      • Scans for emulator-specific properties (QEMU, Genymotion, test keys).
    • C2 Infrastructure Enhancements:
      • Initial versions used hard-coded domains.
      • Later, malware stored encrypted C2 URLs in community forums (dead drop technique).
      • Now, DGA dynamically generates domains, making takedowns difficult.

Assessment & Risks:

  • Expanding Targets: Now includes European and Latin American banking apps.
  • Persistent & Adaptive: Actively monitors open-source intelligence (OSINT) to adjust its strategies.
  • Financial & Data Theft: Capable of stealing credentials, cryptocurrency, and banking funds.

Mitigation & Recommendations:

  • Restrict APK Installations: Disable “Allow from Unknown Sources” on Android devices.
  • Deploy Mobile Device Management (MDM): Limit apps to preapproved sources.
  • Monitor Permissions Requests: Watch for unnecessary access, especially Accessibility Services.
  • Use Mobile Threat Defense (MTD): Detect malicious apps in real-time.
  • Employee Awareness: Conduct cybersecurity training on phishing and SMS malware risks.
  • Monitor Indicators of Compromise (IoCs): Deploy detection rules to track TgToxic activity.

References:

 

  1. Mask Network Founder Loses $4M in Wallet Hack

Suji Yan, founder of Mask Network, suffered a $4 million crypto theft due to a wallet compromise on his birthday.

Key Observations:

  • Incident Details:
    • The attack occurred while Yan was at a private gathering.
    • Possible causes: Private key leakage, manual asset transfer, or an offline attack.
    • His phone was unattended for a few minutes, suggesting a potential physical compromise.
  • Assets Stolen:
    • More than $4 million worth of various cryptocurrencies.
  • Potential Attack Vectors:
    • Private key exposure: Malicious software or an offline exploit.
    • SIM cloning or malware: Attackers could have intercepted authentication codes.
    • Evil maid attack: Physical access to his device, allowing key extraction.

Mitigation & Recommendations:

  • Use a Hardware Wallet: Store private keys in a cold wallet like Ledger or Trezor.
  • Enable Multi-Signature (Multisig) Authentication: Require multiple approvals for transactions.
  • Secure Private Keys: Avoid storing them in cloud services, notes apps, or email.
  • Monitor Transactions in Real-Time: Set up alerts for unauthorized transactions.
  • Implement Secure Device Hygiene:
    • Use a separate device for managing high-value crypto assets.
    • Enable full-disk encryption and secure access with strong PINs.

This incident highlights the constant risk of crypto wallet hacks and the importance of strong security measures to protect digital assets.

References:

https://x.com/suji_yan/status/1895103068808642811 




  1. PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

Overview

The PolarEdge botnet has been actively targeting Cisco, ASUS, QNAP, and Synology devices since late 2023, exploiting multiple vulnerabilities to compromise edge devices. The botnet has infected over 2,017 devices worldwide, with the majority of infections observed in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina.

Key Vulnerability

  • CVE-2023-20118 (CVSS 6.5) – A critical arbitrary command execution flaw in Cisco Small Business routers, which have reached end-of-life (EoL) and remain unpatched.
  • Attackers use FTP-based payload delivery, downloading and executing a TLS backdoor implant.

PolarEdge Malware Capabilities

  • Cleans log files to remove traces.
  • Terminates suspicious processes to evade detection.
  • Downloads and executes malicious payloads, including a binary named cipher_log.
  • Establishes persistence by modifying system startup scripts.
  • Communicates with a C2 server, enabling attackers to remotely execute commands.

Targets and Distribution

  • The botnet leverages Huawei Cloud infrastructure (119.8.186[.]227) for payload distribution via FTP.
  • VirusTotal submissions from Taiwan indicate widespread infections across ASUS, QNAP, and Synology devices.

Potential Threats

  • Operational Relay Boxes – Attackers may use compromised devices as proxies for launching further attacks.
  • Expansion Beyond Cisco – The ability to infect multiple device brands suggests sophisticated operators behind the campaign.

Mitigation Recommendations

  • Disable Remote Management on Cisco Small Business routers.
  • Block access to ports 443 and 60443 to prevent exploitation.
  • Apply available firmware updates for affected ASUS, QNAP, and Synology devices.
  • Monitor system logs for unusual modifications to /etc/flash/etc/cipher.sh or unexpected process activity.
  • Segment network traffic to prevent lateral movement from compromised edge devices.

The PolarEdge botnet represents a highly coordinated cyber threat, showcasing advanced exploitation techniques across different network device manufacturers. Organizations must harden their edge device security and apply proactive monitoring to mitigate the risks posed by this ongoing botnet operation.

References:

https://thehackernews.com/2025/02/polaredge-botnet-exploits-cisco-and.html 



  1. Bybit $1.5B Hack: Safe{Wallet} Supply Chain Attack by Lazarus Group

Overview

On February 21, 2025, Bybit, one of the largest cryptocurrency exchanges, suffered a record-breaking $1.5 billion theft due to a supply chain attack on Safe{Wallet} (formerly Gnosis Safe). This incident represents one of the most sophisticated exchange breaches in history, as attackers manipulated Bybit’s transaction signing process without exploiting smart contracts directly.

Key Attack Details

  • The Safe{Wallet} web interface used by Bybit was compromised by injecting malicious JavaScript into the front-end files served from its AWS S3 bucket.
  • The attackers manipulated what Bybit’s multisignature signers saw versus what they actually signed, allowing unauthorized fund transfers.
  • The stolen funds included:
    • 401,347 ETH (~$1.068B)
    • 90,375.5 stETH (~$260M)
    • 8,000 mETH (~$26M)
    • 15,000 cmETH (~$43M)

Technical Analysis: How the Attack Worked

  1. Safe{Wallet} Compromise – Attackers modified JavaScript files in Safe{Wallet}’s S3 storage, targeting Bybit’s multisignature transactions.
  2. Transaction Manipulation – Malicious JavaScript:
    • Changed the recipient address to an attacker-controlled contract.
    • Used DELEGATECALL to execute unauthorized transactions while hiding the modifications from users.
    • Allowed the attacker to bypass normal security checks.
  3. Smart Contract Exploitation – The fraudulent transaction upgraded Bybit’s multisignature wallet contract to a malicious implementation whose sweepETH and sweepERC20 functions were then called to siphon funds.
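The attack chain above turns on the gap between what the signers saw and what they signed. A signer-side control that closes that gap is to compare the transaction the web UI displays with the one independently decoded from the signing device, and to refuse DELEGATECALL operations and unknown recipients outright. The script below is an added example; it is not Safe's or Bybit's code. Field names follow Safe's execTransaction parameters (to, value, data, operation, safeTxGas, baseGas, gasPrice, gasToken, refundReceiver, nonce) and the operation encoding 0 = CALL, 1 = DELEGATECALL; the addresses and allow-lists are constructed placeholders.

```python
"""Pre-signing policy check for a Safe{Wallet} multisig transaction.

Added example, not Safe's or Bybit's code. Compares the UI's view of a
transaction with the signing device's view and applies a simple policy.
"""
CALL, DELEGATECALL = 0, 1   # Safe's Enum.Operation values

SAFE_TX_FIELDS = ("to", "value", "data", "operation", "safeTxGas", "baseGas",
                  "gasPrice", "gasToken", "refundReceiver", "nonce")

# Constructed placeholder addresses.
HOT_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20


def normalize_tx(tx):
    """Canonicalize a transaction dict so two views compare field by field.

    Missing fields default to 0 (Safe's defaults); strings are lower-cased so
    address and hex-data casing differences do not mask a real mismatch."""
    out = {}
    for field in SAFE_TX_FIELDS:
        value = tx.get(field, 0)
        out[field] = value.lower() if isinstance(value, str) else value
    return out


def check_before_signing(ui_view, device_view, allowed_recipients, allowed_delegate_targets=()):
    """Return the reasons to refuse signing; an empty list means the transaction passes.

    `ui_view` is what the signer was shown; `device_view` is what the signing
    device decoded from the payload it is about to sign. Policy is evaluated on
    `device_view` only, because that is what actually gets signed."""
    ui, dev = normalize_tx(ui_view), normalize_tx(device_view)
    problems = []
    for field in SAFE_TX_FIELDS:
        if ui[field] != dev[field]:
            problems.append(f"field '{field}' differs: UI shows {ui[field]!r}, device will sign {dev[field]!r}")
    recipients = {a.lower() for a in allowed_recipients}
    delegate_targets = {a.lower() for a in allowed_delegate_targets}
    if dev["operation"] not in (CALL, DELEGATECALL):
        problems.append(f"unknown operation {dev['operation']!r}")
    elif dev["operation"] == DELEGATECALL and dev["to"] not in delegate_targets:
        problems.append("DELEGATECALL to a target outside the approved module list")
    if dev["to"] not in recipients:
        problems.append(f"recipient {dev['to']} is not on the allow-list")
    return problems


if __name__ == "__main__":
    shown = {"to": HOT_WALLET, "value": 10 ** 18, "data": "0x", "operation": CALL, "nonce": 42}
    # What a tampered front-end hands the device: same nonce and value, but a
    # DELEGATECALL into an attacker contract with non-empty calldata.
    signed = {**shown, "to": ATTACKER_CONTRACT, "data": "0xdeadbeef", "operation": DELEGATECALL}
    for reason in check_before_signing(shown, signed, [HOT_WALLET]):
        print("REFUSE:", reason)
```

The comparison only helps if `device_view` really comes from an independent decode (a hardware wallet that renders the full payload, or a second machine that is not running the same front-end); feeding it the same JavaScript-supplied object would reproduce the Bybit failure exactly.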

Attribution: Lazarus Group

  • Security researchers including ZachXBT, SlowMist, and Trail of Bits identified North Korea’s Lazarus Group as the likely perpetrators.
  • Patterns matched previous Lazarus attacks on WazirX ($230M, July 2024) and Radiant Capital ($50M, October 2024).
  • Lazarus tactics include:
    • Social engineering and supply chain compromise instead of direct smart contract exploits.
    • Targeted modifications to trusted security tools to deceive operators.

Bybit’s Response & Recovery Efforts

  • Confirmed full customer asset backing (1:1 reserves) and continued platform operations.
  • Secured 254,830 ETH (~$693M) through OTC deals with Galaxy Digital, FalconX, Wintermute, Bitget, MEXC, and DWF Labs.
  • Froze $42.89M in assets with Tether, OKX, CoinEX, and others.
  • Enhanced security measures, including real-time wallet monitoring and improved API security.

References:

 

  1. DeceptiveDevelopment Campaign Targeting Freelance Developers

Overview

The DeceptiveDevelopment campaign, attributed to North Korea-aligned threat actors, targets freelance software developers through fake job offers and trojanized coding challenges. Attackers use social engineering tactics on LinkedIn, Upwork, Freelancer.com, and GitHub to distribute malware-laden projects, aiming to steal cryptocurrency wallets, login credentials, and sensitive data.

Key Threat Details

  • Threat Actor: North Korea-aligned cybercriminals.
  • Targets: Freelance developers working in cryptocurrency, DeFi, and blockchain projects.
  • Tactics:
    • Fake job offers on freelancer platforms.
    • Malicious coding challenges with hidden malware.
    • Trojanized GitHub repositories.
  • Impact:
    • Theft of cryptocurrency funds.
    • Unauthorized access to sensitive credentials.
    • Backdoor access to infected developer systems.

Technical Analysis

  • Initial Access:
    • Attackers impersonate recruiters and distribute infected project files via GitHub, GitLab, and Bitbucket.
    • Fake conferencing software cloned from real sites is used to deploy malware.
  • Malware Used:
    • BeaverTail (Infostealer & Downloader)
      • Targets Windows, macOS, and Linux.
      • Extracts browser-stored credentials and crypto wallet data (MetaMask, Coinbase, TronLink, etc.).
    • InvisibleFerret (Python-based backdoor)
      • Installs AnyDesk for remote access.
      • Enables persistent spyware capabilities.
  • Command and Control (C2) Infrastructure:
    • Uses ports 1224 or 1244 for C2 communication.
    • Malware is often hosted on compromised developer forums.

References:



  1. GrassCall Malware Campaign Drains Crypto Wallets via Fake Job Interviews

Overview

A social engineering campaign, attributed to the Russian-speaking cybercriminal group “Crazy Evil”, is targeting job seekers in the Web3 space with fake job interviews. Victims are tricked into downloading a malicious meeting app called “GrassCall”, which installs infostealer malware and RATs to steal cryptocurrency wallets, passwords, and authentication cookies.

Key Threat Details

  • Threat Actor: Crazy Evil “Taffer Team”, specifically the Kevland sub-group.
  • Targets: Web3 job seekers, cryptocurrency professionals, and blockchain developers.
  • Attack Method:
    • Fake job postings on LinkedIn, WellFound, and CryptoJobsList under a fake company ChainSeeker.io.
    • Victims invited to a “video interview” via Telegram with a fake Chief Marketing Officer (CMO).
    • Victims instructed to download “GrassCall” software from grasscall[.]net.
    • GrassCall.exe (Windows) or GrassCall_v.6.10.dmg (Mac) installs infostealer malware & RATs.
  • Impact:
    • Wallet credentials stolen and funds drained.
    • Passwords, browser cookies, and authentication tokens exfiltrated.
    • Malware used for keylogging and persistent system access.

Technical Analysis

  • Malware Deployed:
    • Windows: Installs Rhadamanthys Infostealer & a Remote Access Trojan (RAT).
    • Mac: Installs Atomic (AMOS) Stealer.
  • Capabilities:
    • Steals cryptocurrency wallets & passwords stored in Apple Keychain & browsers.
    • Uses keylogging & phishing attacks to capture wallet seed phrases.
    • Bruteforces wallet passwords to drain funds.
  • Command & Control (C2):
    • Exfiltrates stolen credentials & wallet data to cybercrime servers.
    • Posts stolen data to Telegram channels for other criminals to exploit.

Indicators of Compromise (IOCs)

  • Malware-hosting domains: grasscall[.]net.
  • Telegram accounts impersonating recruiters.
  • Fake job postings under “ChainSeeker.io”.

References:

Ready to get started? Contact us to arrange a half day Managed SOC and XDR workshop in Dubai.

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.