Weekly Threat Landscape Digest – Week 13

1. Critical Authentication Bypass in FortiOS and FortiProxy (CVE-2025-24472 & CVE-2024-55591)

A critical authentication bypass vulnerability has been actively exploited in Fortinet FortiOS and FortiProxy, allowing remote, unauthenticated attackers to gain super-admin access.

Key Details:

• Severity: CVSS 9.6 (Critical)
• Impact: Full administrative control without authentication
• Affected Versions:
  • FortiOS 7.0.0 to 7.0.16
  • FortiProxy 7.0.0 to 7.0.19, 7.2.0 to 7.2.12
• Fixed Versions:
  • FortiOS 7.0.17+
  • FortiProxy 7.0.20+, 7.2.13+

Mitigation:

• Upgrade to the latest patched versions.
• If upgrading is not possible, disable the HTTP/HTTPS admin interface and restrict access via local-in policies.

Reference:

https://www.fortiguard.com/psirt/FG-IR-24-535

2. High-Severity Vulnerability in Linux Kernel (CVE-2025-0927)

A heap overflow vulnerability has been identified in the Linux kernel’s HFS+ file system implementation, affecting Ubuntu and other Linux systems. The flaw allows local attackers to escalate privileges, execute arbitrary code, or crash the system.

Key Details:

• CVE ID: CVE-2025-0927
• Severity: CVSS 7.8 (High)
• Impact: Local privilege escalation, system crash (DoS), arbitrary code execution
• Affected Systems:
  • Ubuntu 22.04 (Kernel 6.5.0-18-generic)
  • Linux kernel versions up to 6.12.0
• Exploit Status: Public proof-of-concept (PoC) available

Recommendations:

• Apply the latest kernel updates from Ubuntu and other official repositories
• Restrict mounting permissions for unprivileged users
• Disable HFS+ support if not required
• Monitor system logs for suspicious mount activity

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-0927

3. Critical Vulnerability in Progress Kemp LoadMaster (CVE-2025-1758)

A critical remote code execution vulnerability has been discovered in Progress Software’s Kemp LoadMaster, a popular application delivery controller and load balancer. The flaw resides in the mangle executable and allows unauthenticated remote attackers to take full control of affected systems.

Key Details:

• CVE ID: CVE-2025-1758
• Severity: CVSS 9.8 (Critical)
• Impact: Remote Code Execution, unauthorized changes, data exfiltration, service disruption
• Attack Vector: Remote (no authentication required)
• Affected Versions: Kemp LoadMaster versions prior to 7.2.61.1
• Fixed Version: 7.2.61.1

Recommendations:

• Immediately upgrade to LoadMaster version 7.2.61.1 to mitigate the vulnerability.

Reference:

https://docs.progress.com/bundle/release-notes_loadmaster-7-2-61-1/page/SecurityUpdates.html

4. Authentication Bypass Vulnerability in VMware Tools (CVE-2025-22230)

VMware has addressed a high-severity vulnerability in VMware Tools for Windows that allows local attackers to bypass authentication and perform privileged actions within a virtual machine.

Key Details:

• CVE ID: CVE-2025-22230
• Severity: CVSS 7.8 (High)
• Vulnerability Type: Authentication Bypass (Improper Access Control)
• Affected Versions: VMware Tools 11.x.x and 12.x.x (prior to 12.5.1)
• Attack Vector: Local (requires guest access on Windows VM)
• Impact: Bypass of authentication to perform privileged operations
• Fixed Version: VMware Tools 12.5.1

Recommendations:

• Update VMware Tools to version 12.5.1 on all affected Windows guest VMs.
• Enforce a proactive patch management policy to maintain VMware product security.

Reference:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518 

5. Google Chrome Zero-Day Vulnerability (CVE-2025-2783)

Google has released emergency patches for a high-severity zero-day vulnerability in Chrome for Windows that is actively being exploited in the wild.

Key Details:

• CVE ID: CVE-2025-2783
• Severity: High
• Component Affected: Mojo (IPC runtime libraries on Windows)
• Impact: Sandbox bypass, potential remote code execution (when chained with other exploits)
• Exploit Vector: Phishing emails with malicious links; no user interaction beyond click required
• Targets: Media, education, and government sectors
• Attack Method: Short-lived personalized phishing links to avoid detection

Fixed Versions:

• Stable Channel: Chrome 134.0.6998.177/.178 (Windows)
• Extended Stable Channel: Chrome 134.0.6998.178 (Windows)

Recommendations:

• Immediately update Google Chrome to the latest stable version.

Reference:

https://chromereleases.googleblog.com/2025/03/stable-channel-update-fordesktop_25.html

6. Critical Vulnerability Fixed in Mozilla Firefox and Firefox ESR (CVE-2025-2857)

Mozilla has released critical security updates for Firefox and Firefox ESR, patching a Windows-specific sandbox escape vulnerability that could allow privilege escalation.

Key Details:

• CVE ID: CVE-2025-2857
• Severity: Critical
• Component Affected: IPC (Inter-Process Communication) handle management
• Impact: Sandbox escape, privilege escalation
• Attack Vector: Compromised child processes gaining unauthorized access via handle leakage
• Exploitation Context: Related to espionage campaigns targeting government and academic institutions

Affected Versions & Fixes:

• Firefox: Versions before 136.0.4 → Update to 136.0.4
• Firefox ESR:
  • Versions before 115.21.1 → Update to 115.21.1
  • Versions before 128.8.1 → Update to 128.8.1

Recommendations:

• Apply the latest Firefox and Firefox ESR updates immediately across all systems.

Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

7. Multiple Vulnerabilities in Spring Security (CVE-2025-22223 & CVE-2025-22228)

Critical vulnerabilities have been identified in Spring Security, a widely used framework in Java applications. These flaws can result in unauthorized access and weak password validation.

Key Vulnerabilities:

1. CVE-2025-22223 – Authorization Bypass

• Description: Method security annotations on parameterized types or methods may not be correctly applied, potentially allowing unauthorized access to restricted methods.
• Affected Versions: 6.4.0 – 6.4.3
• Fixed Version: 6.4.4

2. CVE-2025-22228 – Weak Password Enforcement

• Description: Passwords longer than 72 characters may be incorrectly validated due to truncation, enabling attackers to bypass authentication.
• Affected Versions: 5.7.0 – 6.4.3
• Fixed Versions: 6.3.8 and 6.4.4 (OSS users); enterprise patches available for older versions

Recommendations:

• Upgrade Spring Security to the latest patched versions (6.3.8 or 6.4.4).
• Review and update authentication logic if relying on BCryptPasswordEncoder.

References:

• https://spring.io/security/cve-2025-22223
• https://spring.io/security/cve-2025-22228

8. Critical Authorization Bypass Vulnerability in Next.js Middleware (CVE-2025-29927)

A critical vulnerability in Next.js middleware could allow attackers to bypass authorization logic and gain unauthorized access to protected resources in web applications. With Next.js widely used across sectors like banking, healthcare, and blockchain, the risk is substantial.

Key Details:

• CVE ID: CVE-2025-29927
• Severity: Critical (CVSS 9.1)
• Impact: Authorization bypass; unauthenticated attackers can access restricted routes
• Affected Versions:
  • 11.1.4 to 13.5.6
  • 14.0.0 to 14.2.24
  • 15.0.0 to 15.2.2
• Patched Versions:
  • 14.2.25
  • 15.2.3

Recommendations:

• Upgrade to the latest patched version immediately.
• Review access control configurations for potential misuse.

Reference:

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

9. Critical Vulnerability in Synology Replication Service (CVE-2024-10442)

A critical off-by-one error vulnerability has been discovered in Synology’s Replication Service, enabling remote attackers to execute arbitrary commands and potentially take full control of affected systems.

Key Details:

• CVE ID: CVE-2024-10442
• Severity: Critical (CVSS 10.0)
• Impact: Remote code execution, data breach, lateral movement
• Affected Products:
  • Synology Unified Controller (DSMUC) 3.1
  • Replication Service for DSM 6.2, 7.1, and 7.2

Fixed Versions:

• DSMUC 3.1: 3.1.4-23079 or later
• DSM 7.2: 1.3.0-0423 or later
• DSM 7.1: 1.2.2-0353 or later
• DSM 6.2: 1.0.12-0066 or later

Recommendations:

• Apply the latest security patches provided by Synology immediately.

Reference:

https://www.synology.com/en-global/security/advisory/Synology_SA_24_22

10. Critical RCE Vulnerabilities in Ingress NGINX Controller for Kubernetes (“IngressNightmare”)

A set of critical vulnerabilities, collectively known as IngressNightmare, has been discovered in the Kubernetes Ingress-NGINX Controller, enabling unauthenticated remote code execution (RCE) and potential full cluster compromise.

Key Details:

• CVE IDs: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974
• Severity: Up to CVSS 9.8
• Impact:
  • Remote code execution
  • Unauthorized access to Kubernetes secrets
  • Cluster-wide compromise

Exploit Summary:

• CVE-2025-1974 (CVSS 9.8): Allows execution of arbitrary shared libraries via the undocumented ssl_engine directive.
• Other CVEs: Enable config injection and payload delivery via malicious annotations, oversized HTTP requests, and UID manipulation.

Affected Component:

• Ingress-NGINX Controller prior to v1.12.1 (Mainline) or v1.11.5 (Stable)

Recommendations:

• Upgrade to Ingress-NGINX v1.12.1 or v1.11.5 immediately
• Implement strict network policies to isolate the admission webhook
• If patching is delayed, disable the admission controller temporarily

Reference:

https://github.com/kubernetes/ingress-nginx

11. Multiple Vulnerabilities in HPE Telco Service Activator

Hewlett Packard Enterprise (HPE) has disclosed multiple high-severity vulnerabilities in its Telco Service Activator product. These flaws could enable remote attackers to execute denial-of-service (DoS) attacks, bypass access controls, and escalate privileges.

Key Details:

• CVE IDs: CVE-2023-43642, CVE-2023-44487, CVE-2023-5685, CVE-2024-5971, CVE-2024-7254, CVE-2024-7341
• Severity: CVSS scores ranging from 7.1 to 7.5
• Impact:
  • Remote DoS
  • Unauthorized access
  • Privilege escalation

Affected Versions:

• Vulnerabilities affect versions prior to 10.1.1
• Earlier issues have been addressed in versions 10.0.3, 10.0.9, and 10.0.12

Recommendations:

• Upgrade to HPE Telco Service Activator version 10.1.1 or later
• Restrict network access to trusted users and systems only

Reference:

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04833en_us&docLocale=en_US 

12. Security Updates – Dell SmartFabric OS10 Software

Dell has issued critical security updates for its SmartFabric OS10 Software, specifically targeting version 10.5.6.x. These vulnerabilities may allow attackers to escalate privileges, gain unauthorized access, execute arbitrary code, or exploit server-side request forgery (SSRF).

Key Vulnerabilities:

• Privilege Escalation: CVE-2024-49561, CVE-2024-48013
• Unauthorized Access: CVE-2024-49559, CVE-2024-48828, CVE-2024-48831
• Remote Code Execution: CVE-2024-48017, CVE-2024-48015, CVE-2025-22474, CVE-2024-48830, CVE-2025-22473, CVE-2025-22472
• SSRF: CVE-2025-22474

Affected & Fixed Versions:

• Affected: Dell Networking OS10 version 10.5.6.x
• Fixed: Version 10.5.6.8

Recommendations:

• Upgrade immediately to SmartFabric OS10 v10.5.6.8
• Replace any default or hard-coded passwords with strong, unique credentials

Reference:

https://www.dell.com/support/kbdoc/en-us/000295014/dsa-2025-068-securityupdate-for-dell-networking-os10-vulnerabilities?ref=emcadvisory_000295014_High_null

13. Critical Privilege Escalation Vulnerability in NetApp SnapCenter

A critical vulnerability (CVE-2025-26512, CVSS 9.9) has been identified in NetApp SnapCenter, a centralized data protection solution for hybrid cloud environments. This flaw allows authenticated users to escalate privileges and gain administrative control over remote systems where SnapCenter plug-ins are deployed.

Key Details:

• CVE: CVE-2025-26512
• Severity: Critical (CVSS 9.9)
• Affected Versions: SnapCenter versions prior to 6.0.1P1 and 6.1P1
• Impact:
  • Privilege Escalation to administrative level
  • Unauthorized Access to sensitive data
  • System Compromise and potential malicious configuration changes

Recommendations:

• Upgrade SnapCenter to version 6.0.1P1 or 6.1P1 immediately
• Review logs for signs of privilege misuse or suspicious access

Reference:

https://security.netapp.com/advisory/ntap-20250324-0001/

14. Remote Code Execution and Data Leak Vulnerabilities in Splunk

Splunk has disclosed multiple critical vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform, including remote code execution (RCE) and sensitive data exposure. These vulnerabilities could enable attackers to gain unauthorized access, execute malicious code, or impersonate users.

Key Vulnerabilities:

1. CVE-2025-20229 – Remote Code Execution (RCE)
   • Impact: Allows low-privileged users to upload malicious files and execute arbitrary code.
   • Affected Versions:
     • Splunk Enterprise: 9.1.0 to 9.1.7, 9.2.0 to 9.2.4, 9.3.0 to 9.3.2
     • Splunk Cloud: Builds before 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, 9.1.2312.208
   • Fixed Versions: 9.1.8, 9.2.5, 9.3.3, 9.4.0
2. CVE-2025-20231 – Token Leakage
   • Impact: Logs session and authorization tokens in cleartext, enabling impersonation attacks.
   • Affected Versions:
     • Splunk Enterprise: Below 9.4.1, 9.3.3, 9.2.5, 9.1.8
     • Secure Gateway App: Versions below 3.8.38 and 3.7.23
   • Fixed Versions: Splunk Enterprise 9.4.1 and Secure Gateway App 3.8.38 / 3.7.23

Additional Vulnerabilities:

• Multiple medium and high severity issues including CSRF, permission misconfigurations, and dashboard security flaws.

Recommendations:

• Upgrade all affected products immediately to the latest fixed versions.
• Disable unused components like the Secure Gateway App if not needed.
• Review configurations and logs for indicators of compromise.

Reference:

https://advisory.splunk.com/

14. Remote Code Execution and Data Leak Vulnerabilities in Splunk

Splunk has disclosed several critical vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform, which could lead to remote code execution (RCE), sensitive data leakage, and unauthorized access. These flaws pose significant security risks and demand immediate remediation.

Key Vulnerabilities

• CVE-2025-20229 – Remote Code Execution
  • Impact: Allows low-privileged users to upload malicious files and execute arbitrary code.
  • Affected Versions:
    • Splunk Enterprise: 9.1.0 to 9.1.7, 9.2.0 to 9.2.4, 9.3.0 to 9.3.2
    • Splunk Cloud Platform: Builds prior to 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, 9.1.2312.208
  • Fixed Versions: 9.1.8, 9.2.5, 9.3.3, 9.4.0
• CVE-2025-20231 – Token Leakage
  • Impact: Exposes session and authorization tokens in cleartext logs, leading to potential impersonation.
  • Affected Versions:
    • Splunk Enterprise: Below 9.4.1
    • Splunk Secure Gateway App: Versions below 3.8.38 and 3.7.23
  • Fixed Versions: Splunk Enterprise 9.4.1, Secure Gateway App 3.8.38 / 3.7.23

Other Issues Addressed

Includes vulnerabilities related to CSRF, permission misconfigurations, insecure log handling, and risky command bypasses.

Recommendations

• Upgrade all Splunk components to the latest patched versions.
• Disable unused apps like Secure Gateway if not required.
• Review system logs and configurations for anomalies.

Reference

https://advisory.splunk.com/

15. Security Updates – GitLab CE and EE

GitLab has released important security updates addressing multiple vulnerabilities in both Community Edition (CE) and Enterprise Edition (EE). These flaws include cross-site scripting (XSS), privilege escalation, and unauthorized access, with several rated high in severity.

Key Vulnerabilities

• CVE-2025-2255 / CVE-2025-0811 – High-Severity XSS (CVSS 8.7)
  • XSS via merge-request error messages and rendering of certain file types.
  • Affected Versions: 13.5.0 to <17.8.6, 17.9 to <17.9.3, and 17.10 to <17.10.1
• CVE-2025-2242 – Privilege Escalation (CVSS 7.5)
  • Former instance admins may retain elevated access.
  • Affected Versions: 17.4 to <17.8.6, 17.9 to <17.9.3, 17.10 to <17.10.1
• CVE-2024-12619 – Unauthorized Internal Project Access (CVSS 5.2)
  • Internal users could access restricted projects.
  • Affected Versions: 16.0 to <17.8.6, 17.9 to <17.9.3, 17.10 to <17.10.1
• Other Notable Issues
  • CVE-2024-10307: Resource exhaustion via Terraform files
  • CVE-2024-9773: Shell code injection via helper scripts
  • Prompt injection in GitLab Duo with Amazon Q integration

Fixed Versions

• GitLab CE/EE: 17.10.1, 17.9.3, and 17.8.6

Recommendations

• Immediately upgrade to the latest fixed version.
• Review project and group access permissions for potential abuse.
• Monitor for signs of script injection or privilege misuse.

Reference

https://about.gitlab.com/releases/2025/03/26/patch-release-gitlab-17-10-1-released/

16. Critical Vulnerability in CrushFTP

A critical vulnerability (CVE-2025-2825, CVSS 9.8) has been discovered in CrushFTP, a widely used secure file transfer platform. This flaw enables unauthenticated remote attackers to access sensitive data and potentially gain administrative control over affected systems.

Key Details

• CVE ID: CVE-2025-2825
• Severity: Critical (CVSS 9.8)
• Impact: Remote code execution, unauthorized access
• Attack Vector: Unauthenticated HTTP requests

Affected Versions

• CrushFTP 10.0.0 – 10.8.3
• CrushFTP 11.0.0 – 11.3.0

Fixed Versions

• 10.8.4+
• 11.3.1+

Recommendations

• Immediately update to the latest patched version.
• Regularly assess systems for outdated versions or misconfigurations.
• Restrict internet access to management interfaces where possible.

Reference

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

17. Critical Vulnerability in Verve Asset Manager

A critical vulnerability (CVE-2025-1449, CVSS 9.1) has been identified in Rockwell Automation’s Verve Asset Manager, allowing administrative users to execute arbitrary commands via a legacy interface. This flaw poses a serious risk to industrial control systems, especially in operational technology (OT) environments.

Key Details

• CVE ID: CVE-2025-1449
• Severity: Critical (CVSS v3.1: 9.1, CVSS v4.0: 8.9)
• Vulnerability Type: Improper input validation (CWE-1287)
• Impact: Arbitrary command execution within the container environment

Affected Versions

• Verve Asset Manager ≤ 1.39

Fixed Version

• 1.40

Recommendations

• Upgrade to Verve Asset Manager version 1.40 immediately.
• Restrict admin privileges to trusted users only.
• Review audit logs for unusual administrative activity.

Reference

https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1723.html

18. Vulnerability in Synology Mail Server

A medium-severity vulnerability (CVE-2025-2848, CVSS 6.3) has been identified in Synology Mail Server, which could allow remote authenticated users to tamper with non-sensitive system settings and cause service disruptions. While not critical, exploitation in multi-user NAS environments could impact service availability and stability.

Key Details

• CVE ID: CVE-2025-2848
• Severity: Medium (CVSS 6.3)
• Impact: Unauthorized modification of mail server configurations, potential denial-of-service, and increased lateral movement risk

Affected Versions

• DSM 7.2: Versions before 1.7.6-20676
• DSM 7.1: Versions before 1.7.6-10676

Recommendations

• Upgrade Synology Mail Server to 1.7.6-20676 or later for DSM 7.2 and 1.7.6-10676 or later for DSM 7.1.
• Monitor mail server logs for abnormal activity and apply role-based access controls.

Reference

https://www.synology.com/en-us/security/advisory/Synology_SA_25_05

19. EncryptHub Linked to Zero-Day Attacks on Windows via MSC Exploit

A new zero-day vulnerability in Microsoft Management Console (MMC), tracked as CVE-2025-26633 and dubbed ‘MSC EvilTwin’, is being actively exploited by the threat group EncryptHub. This flaw allows attackers to bypass Windows file reputation protections and execute malicious code without triggering user warnings when opening .msc files on unpatched systems.

Key Details

• CVE ID: CVE-2025-26633
• Type: Security Feature Bypass (MSC File Handling)
• Impact: Unprompted execution of malicious code via crafted .msc files
• Threat Actor: EncryptHub (aka Water Gamayun / Larva-208)
• Delivery Vectors:
  • Email attachments with specially crafted .msc files
  • Malicious websites or compromised legitimate sites hosting payloads

Attack Observations

• Campaign includes use of EncryptHub Stealer, DarkWisp, SilentPrism, Stealc, Rhadamanthys, and a PowerShell-based MSC EvilTwin loader.
• Exploits the MUIPath in .msc files for payload download, persistence, and data exfiltration.
• Campaigns are under active development with various custom loaders and delivery mechanisms.
• Linked to previous attacks on over 600 organizations globally, including ransomware activity via RansomHub and BlackSuit.

Recommendations

• Apply Microsoft’s March 2025 Patch Tuesday updates to mitigate CVE-2025-26633.
• Block .msc file execution from untrusted sources and monitor unusual file access.
• Educate users on spear-phishing tactics and restrict macro or script execution in enterprise environments.

Reference

https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/

20. Raspberry Robin: USB Worm Turned Initial Access Broker for Russian Threat Actors

Raspberry Robin (aka Storm-0856, Roshtyak) has evolved from a simple USB worm into a sophisticated Initial Access Broker (IAB) supporting major Russian threat actors, including the GRU’s Unit 29155. Its infrastructure and methods have adapted to evade detection and sustain long-term cyber espionage and ransomware campaigns.

Key Highlights

• Origin: First seen in 2019, initially spread via infected USB drives at copy/print shops.
• Now: Provides access-as-a-service to groups like LockBit, Clop, EvilCorp, SocGholish, and Russian state-sponsored actors.
• Aliases: Storm-0856, Roshtyak, QNAP-Worm, LINK_MSIEXEC, DEV-0856.

Attack Evolution

• Initial Vector: USB drives using .lnk shortcuts.
• Current Tactics:
  • Archive files sent via Discord.
  • Downloads via .wsf scripts from malicious sites.
  • Leveraging N-day exploits for QNAP/IoT device compromise.
  • C2 domains hosted using Fast Flux across QNAP/IoT infrastructure.
  • Panel/data relay over a Tor-connected static IP.

Infrastructure Insights

• Over 200 C2 domains identified, using low-reputation TLDs (e.g., .wf, .pm, .gy).
• Domain registration shifted to niche registrars post-2022 NameCheap takedown.
• Connected to diverse ASN ranges across Europe and APAC, indicating widespread QNAP compromise.
• Majority of C2s use ClouDNS nameservers.

Threat Group Links

• Frequently used by ransomware affiliates of RansomHub, BlackSuit, LockBit, and Dridex.
• Tools observed include: DarkWisp, Stealc, SilentPrism, and MSC EvilTwin.

Detection & Mitigation

• Monitor for connections to short-lived domains with 2-letter TLDs and unusual Tor behavior.
• Patch QNAP/IoT devices aggressively and restrict outbound Tor traffic.
• Collaborate with threat intel sharing communities to improve visibility across sectors.

Reference

https://www.silentpush.com/blog/raspberry-robin/ 

21. RedCurl Deploys Ransomware for the First Time with QWCrypt

The Russian-speaking threat group RedCurl, previously known for corporate espionage, has shifted tactics by deploying a new ransomware strain called QWCrypt — marking its first known ransomware campaign.

Key Highlights:

• Threat Actor: RedCurl (aka Earth Kapre / Red Wolf)
• New Malware: QWCrypt ransomware
• Attack Vector: Phishing emails with fake CVs in ISO disk images
• Execution Technique: DLL sideloading via ADNotificationManager.exe to execute netutils.dll
• Distraction Tactic: Victims are redirected to a legitimate Indeed login page during execution
• Persistence & Lateral Movement: Scheduled tasks and backdoor DLLs enable extended access across the network
• Ransomware Impact:
  • Targets virtual machines to cripple entire virtualized infrastructures
  • Uses BYOVD (Bring Your Own Vulnerable Driver) to disable endpoint defenses
  • Ransom note mimics those from LockBit, HardBit, and Mimic
• No known leak site, raising questions about whether extortion is the real goal or a diversion

RedCurl’s sudden pivot from espionage to ransomware represents an important evolution in its threat profile, signaling a broader strategic intent or possibly collaboration with ransomware operators.

Reference:
https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html

22. FamousSparrow Resurfaces with Upgraded SparrowDoor Backdoor

FamousSparrow, a China-aligned APT group believed inactive since 2022, has resurfaced with new activity targeting hotels, engineering firms, government agencies, and research institutions using advanced versions of its custom backdoor SparrowDoor.

Key Highlights:

• New Malware Variants: Two previously undocumented SparrowDoor versions discovered.
  • One mirrors CrowDoor (linked to Earth Estries).
  • The other features a modular architecture and command parallelization.
• Recent Targets:
  • A U.S.-based trade organization in the financial sector.
  • A Mexican research institute (compromised in July 2024).
• Initial Access:
  • ASHX webshells dropped on vulnerable IIS servers.
  • Likely exploited outdated Microsoft Exchange and Windows Server instances.
• Post-Exploitation Toolkit:
  • Custom tools: SparrowDoor, ShadowPad (first known use by FamousSparrow).
  • Public tools: PowerHub, BadPotato for privilege escalation.
• Persistence & Communication:
  • Registry Run keys and Windows services.
  • Custom socket classes with RC4 encryption for stealthy data exfiltration.
• Infrastructure Overlap: Possible links to Earth Estries and GhostEmperor, though ESET considers FamousSparrow a distinct APT cluster.

Organizations in hospitality, government, finance, and engineering sectors are advised to enhance monitoring and harden systems vulnerable to webshell-based exploitation and PowerShell abuse.

Reference:
https://gbhackers.com/new-famoussparrow-malware-targets-hotels-and-engineering-firms