Weekly Threat Landscape Digest – Week 19

This week’s cyber threat outlook reveals a surge in attacker sophistication, marked by the exploitation of recent and unpatched security flaws. Threat actors are deploying zero-day attacks and executing highly customized phishing schemes with greater precision and impact. To stay ahead, organizations must strengthen their security posture through proactive patching, real-time threat detection, and robust monitoring solutions. Equipping teams with current threat intelligence, regular awareness training, and a clear response playbook is equally crucial to reduce exposure and respond swiftly to incidents.

  1. Security Updates – Google Chrome

Google has released a stable channel update for Chrome addressing multiple vulnerabilities, including a medium-severity “use after free” issue in WebAudio (CVE-2025-4372), which could lead to remote code execution or application crashes.

Key Vulnerability:

  • CVE-2025-4372
    • Type: Use After Free in WebAudio
    • Severity: Medium
    • Impact: Heap corruption, potential remote code execution, or denial of service

Fixed Versions:

  • Chrome Stable Channel:
    • Windows & Mac: 136.0.7103.92/.93
    • Linux: 136.0.7103.92
  • Mobile Versions:
    • Android: 136.0.7103.87
    • iOS: 136.0.7103.91

Recommendations:

  • Update Google Chrome on all platforms to the latest versions
  • Monitor for unexpected behavior or crashes related to WebAudio usage

References:

 

  2. Multiple Vulnerabilities in SonicWall SSL-VPN

Several high and medium-severity vulnerabilities have been identified in SonicWall SMA100 SSL-VPN appliances. Exploitation could allow authenticated attackers to delete system files, alter directory permissions, or execute remote commands.

Key Vulnerabilities:

  • CVE-2025-32819 – Arbitrary File Deletion
    • CVSS 8.8 (High)
    • Allows arbitrary file deletion by bypassing the path traversal checks, potentially causing the device to reset to factory settings.
  • CVE-2025-32820 – Path Traversal
    • CVSS 8.3 (High)
    • Grants write access to arbitrary directories on the appliance.
  • CVE-2025-32821 – Remote Command Injection
    • CVSS 6.7 (Medium)
    • Permits shell command injection via the file upload mechanism.

Affected Products:

  • SonicWall SMA 100 Series: SMA 200, 210, 400, 410, 500v
  • Firmware Versions: 10.2.1.14-75sv and earlier

Fixed Version:

  • 10.2.1.15-81sv and later

Recommendations:

  • Upgrade to the latest fixed firmware
  • Limit administrative access and monitor for suspicious file operations

Reference:

 

  3. Vulnerability in Docker Desktop for macOS

A medium-severity vulnerability (CVE-2025-4095) in Docker Desktop for macOS allows local authenticated users to bypass Registry Access Management (RAM) controls when sign-in is enforced via a macOS configuration profile. This could lead to unauthorized access to unapproved Docker registries, increasing the risk of supply chain compromise.

Key Details:

  • CVE-2025-4095
  • CVSS 4.0 Score: 4.3 (Medium)
  • Issue: Misapplication of registry restrictions when sign-in is enforced through macOS profiles
  • Risk: Users may pull unauthorized container images, potentially introducing malware or vulnerable components into environments

Impact:

  • Introduction of malicious or unverified containers
  • Potential breach of compliance policies
  • Elevated risk of ransomware or backdoors via supply chain vectors

Affected Versions:

  • Docker Desktop for macOS: 4.36.0 to < 4.41.0

Fixed Version:

  • 4.41.0 or later

Reference:

 

  4. Multiple Vulnerabilities in Rockwell Automation ThinManager

Two high-severity vulnerabilities have been disclosed in Rockwell Automation’s ThinManager, a platform used for centralized management of industrial thin clients. These flaws could lead to local privilege escalation or denial-of-service (DoS), potentially impacting industrial operations.

Key Details:

  • CVE-2025-3617 – Local Privilege Escalation
    • Description: Temporary directory cleanup during startup inherits insecure permissions, allowing privilege escalation.
    • Impact: Unauthorized users may gain admin-level access.
    • CVSS v4.0 Score: 8.5 (High)
    • CWE: 276 – Incorrect Default Permissions
    • Affected Versions: 14.0.0 and 14.0.1
    • Fixed In: 14.0.2+
  • CVE-2025-3618 – Denial of Service (DoS)
    • Description: Improper memory handling of Type 18 messages may crash the application.
    • Impact: Remote/local unauthenticated attackers may disrupt system operations.
    • CVSS v4.0 Score: 8.7 (High)
    • CWE: 119 – Improper Restriction of Operations within Memory Buffer
    • Affected Versions: 14.0.1 and earlier
    • Fixed In: 11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2+

Recommended Actions:

  • Upgrade to the patched versions.
  • Implement least privilege access for all ThinManager users.

Reference:
https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1727.html

 

  5. Security Updates – HUAWEI Products

Huawei has released its May 2025 security update addressing multiple high and critical vulnerabilities affecting HarmonyOS 5.0.0 and earlier, as well as EMUI versions. The update includes fixes for proprietary modules and third-party libraries that could lead to unauthorized access, privilege escalation, or remote code execution.

Key Vulnerabilities in HarmonyOS 5.0.0:

  • CVE-2025-46584 – File System (High): Improper authentication allows access to sensitive files.
  • CVE-2025-46585 – Kernel (High): Out-of-bounds read/write may cause denial of service.
  • CVE-2025-46586 to CVE-2025-46593 – Medium: Multiple flaws in Contacts, Media Library, App Lock, USB Driver, and Print Module affecting data security and device stability.

Critical Third-Party Vulnerabilities:

  • CVE-2025-22423, CVE-2025-26416, CVE-2025-0084: Remote code execution risks across HarmonyOS (2.0.0–4.3.0) and EMUI (12.0.0–14.0.0).

Other High and Low Severity CVEs:

  • Affect features like system libraries, network services, and data protection mechanisms, risking escalation, information leakage, and crashes.

Recommended Actions:

  • Apply OTA updates on all HarmonyOS and EMUI devices.
  • Prioritize devices running older versions or used in sensitive environments.

Reference:
https://consumer.huawei.com/en/support/bulletin/2025/5/

 

  6. Security Updates – Chrome OS

Google has released a Long Term Support (LTS) update for ChromeOS devices addressing multiple high-severity vulnerabilities, including memory management flaws that could result in crashes or unauthorized access.

Key Vulnerabilities:

  • CVE-2025-3620 – High Severity: Use-after-free in USB component.
  • CVE-2025-2476 – High Severity: Use-after-free in Lens component.
  • Other patched vulnerabilities: CVE-2024-50066, CVE-2024-53141, CVE-2024-50264, CVE-2024-53057

Impact:

  • Unauthorized access
  • Application crashes
  • Potential compromise of user data

Fixed Version:

  • ChromeOS LTS: 132.0.6834.222 (Platform Version: 16093.104.0)

Recommended Actions:

  • Update to the latest ChromeOS LTS version to address the listed vulnerabilities.

Reference:
https://chromereleases.googleblog.com/2025/04/long-term-support-channel-updatefor_29.html

 

  7. Security Updates – Mozilla Products

Mozilla released security updates for Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR addressing multiple high-severity vulnerabilities, including privilege escalation and sandbox escape flaws.

Key Vulnerabilities:

  • CVE-2025-2817 (High): Privilege escalation in Firefox Updater. Medium-integrity processes could trigger SYSTEM-level operations.
  • CVE-2025-4082 (High): WebGL shader memory corruption affecting macOS, enabling privilege escalation.
  • CVE-2025-4083 (High): Process isolation bypass via javascript: URIs in cross-origin frames.
  • CVE-2025-4084 (Moderate): Command injection via “Copy as cURL” on Windows.
  • CVE-2025-4091, 4092, 4093: Memory corruption bugs in Firefox and Thunderbird leading to potential code execution.

Patched Versions:

  • Firefox: 138
  • Firefox ESR: 115.23, 128.10
  • Thunderbird: 138
  • Thunderbird ESR: 128.10

Recommended Actions:

  • Upgrade all Mozilla products to the latest patched versions to mitigate associated risks.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/#CVE-2025-2817

 

  8. SSRF Vulnerability in SonicWall Firewalls

A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the SonicWall SMA1000 Work Place interface, tracked as CVE-2025-2170. Exploitation allows remote unauthenticated attackers to force the appliance to make unauthorized requests to internal or external services under specific conditions.

Vulnerability Details:

  • CVE: CVE-2025-2170
  • Advisory ID: SNWLID-2025-0008
  • CWE: CWE-918 – Server-Side Request Forgery
  • CVSS v3 Score: 7.2 (High)
  • Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Affected Product: SonicWall SMA1000
  • Impacted Versions: 12.4.3-02907 and earlier
  • Fixed Version: 12.4.3-02925 and later

Recommended Actions:

  • Upgrade all affected SMA1000 appliances to version 12.4.3-02925 or later.

Reference:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0008



  9. Critical Vulnerabilities in Cisco Products

Multiple critical and high-severity vulnerabilities have been identified in Cisco products, including IOS XE, IOS, IOS XR, Wireless Controllers, SD-WAN Manager, Catalyst switches, and security appliances. These include unauthenticated remote code execution, arbitrary file uploads, privilege escalation, and denial-of-service (DoS) vulnerabilities.

Critical Vulnerabilities:

  • CVE-2025-32433 – Unauthenticated Remote Code Execution in Erlang/OTP SSH Server
    • CVSS Score: 10.0
    • Affected: Multiple Cisco products using Erlang/OTP
  • CVE-2025-20188 – Arbitrary File Upload in Cisco IOS XE Wireless Controller Software
    • CVSS Score: 10.0
    • Affected: IOS XE Wireless Controllers

High Severity Vulnerabilities:

  • CVE-2025-20140 – IPv6 Clients DoS in Cisco IOS XE WLC
  • CVE-2025-20186 – Web-Based Management Command Injection (IOS XE)
  • CVE-2025-20154 – TWAMP DoS in IOS, IOS XE, and IOS XR
  • CVE-2025-20191 – DHCPv6 DoS in Switch Integrated Security
  • CVE-2025-20122 – Privilege Escalation in Catalyst SD-WAN Manager
  • CVE-2025-20182 – IKEv2 DoS in ASA, FTD, IOS, IOS XE
  • CVE-2025-20197 & CVE-2025-20198 – Privilege Escalation in IOS XE
  • CVE-2025-20192 – IKEv1 DoS in IOS XE
  • CVE-2025-20162 – DHCP Snooping DoS in IOS XE
  • CVE-2025-20164 – Device Manager Privilege Escalation in Industrial Ethernet Switch
  • CVE-2025-20202 – DoS via CDP in IOS XE WLC
  • CVE-2025-20210 – Unauthenticated API Access in Catalyst Center
  • CVE-2025-20181 – Secure Boot Bypass in Catalyst 2960X/XR/CX and 3560CX
  • CVE-2025-20189 – ARP DoS in ASR 903 Routers

Recommended Actions:

  • Immediately prioritize patching for CVE-2025-32433 and CVE-2025-20188 due to unauthenticated RCE risk.
  • Apply the latest Cisco-provided security updates or interim mitigation steps as outlined in Cisco advisories.

Reference:
https://sec.cloudapps.cisco.com/security/center/publicationListing.x

 

  10. Critical Pre-Auth RCE Vulnerabilities in SysAid On-Premise Software

Four critical vulnerabilities have been disclosed in SysAid On-Premise IT support software, including three unauthenticated XML External Entity (XXE) injection flaws and one OS command injection. These can potentially lead to remote code execution (RCE) and have high exploitation risk, especially due to the availability of proof-of-concept (PoC) exploits.

Key Vulnerabilities:

  • CVE-2025-2775, CVE-2025-2776, CVE-2025-2777
    • Type: XML External Entity (XXE) Injection
    • Endpoints: /mdm/checkin, /lshw
    • Auth: Not required
    • Impact: File disclosure, SSRF
  • CVE-2025-2778
    • Type: OS Command Injection
    • Auth: Requires chaining with other flaws
    • Impact: Remote Code Execution

Impact:

  • Sensitive file access and internal system exposure via SSRF
  • Potential RCE through unauthenticated or chained exploitation
  • Risk elevated due to historic use of SysAid vulnerabilities in ransomware campaigns (e.g., Cl0p actors exploiting CVE-2023-47246)

Mitigation:

  • Upgrade Immediately: Apply SysAid version 24.4.60 b16 or later
  • Forensic Review: Assess current SysAid deployments for signs of exploitation or unauthorized access

Reference:
https://documentation.sysaid.com/docs/24-40-60

 

  11. Critical Vulnerability in Kibana

A critical prototype pollution vulnerability in Kibana (CVE-2025-25014, CVSS 9.1) allows unauthenticated remote attackers to execute arbitrary code by exploiting the Machine Learning and Reporting endpoints. This affects both self-hosted and Elastic Cloud instances where these features are enabled.

Vulnerability Details:

  • CVE ID: CVE-2025-25014
  • Severity: 9.1 (Critical)
  • Impact: Remote Code Execution via prototype pollution
  • Attack Vector: Specially crafted HTTP requests
  • Affected Features: Machine Learning and Reporting APIs
  • Affected Versions:
    • Kibana 8.3.0 – 8.17.5
    • Kibana 8.18.0
    • Kibana 9.0.0
  • Fixed Versions:
    • Kibana 8.17.6
    • Kibana 8.18.1
    • Kibana 9.0.1

Mitigation Actions:

  • Upgrade to the latest patched Kibana version
  • If upgrade is delayed, disable ML and Reporting features temporarily
  • Monitor HTTP access logs for abnormal API usage targeting ML/reporting endpoints

Reference:
https://www.tenable.com/cve/CVE-2025-25014

 

  12. Critical RCE Vulnerability in Apache Parquet

A critical remote code execution vulnerability (CVE-2025-46762) has been identified in the Apache Parquet Java library, specifically in the parquet-avro module (versions ≤ 1.15.1). The flaw stems from unsafe deserialization of malicious Avro schemas embedded within Parquet file metadata.

Vulnerability Details:

  • CVE ID: CVE-2025-46762
  • Severity: Critical
  • Component: Apache Parquet Java – parquet-avro
  • Affected Versions: ≤ 1.15.1
  • Fixed Version: 1.15.2
  • Alternate Fix (for 1.15.1): Set the system property org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string
  • Impact: Remote Code Execution
  • Vector: Deserialization of malicious Avro schemas
  • Exploitation Conditions:
    • Use of parquet-avro module
    • Use of “specific” or “reflect” Avro deserialization models
    • Processing of untrusted or user-supplied Parquet files

Mitigation Actions:

  • Upgrade to Apache Parquet Java version 1.15.2
  • If upgrade is not feasible, apply the configuration-based mitigation
  • Avoid processing untrusted Parquet files in high-privilege environments

Reference:
https://seclists.org/oss-sec/2025/q2/103

 

  13. Security Updates – Android

Google has released its May 2025 Android security update, addressing 47 vulnerabilities, including an actively exploited high-severity flaw in the FreeType font rendering library.

Key Vulnerability:

  • CVE-2025-27363
    • Component: FreeType
    • Severity: High
    • Status: Under active exploitation
    • Impact: May allow arbitrary code execution on affected Android devices
    • Disclosure: Initially reported by Facebook in March 2025

Affected Components:

  • Android Framework
  • Android System
  • Vendor-specific components from Arm, Imagination Technologies, MediaTek, and Qualcomm

Patch Levels:

  • 2025-05-01
  • 2025-05-05
    (Enables phased deployment across OEM devices)

Recommended Actions:

  • Immediately update all Android-based devices to the latest security patch level.
  • Prioritize updates for devices used in sensitive environments or with elevated privileges.
  • Conduct risk assessments on devices using vulnerable FreeType versions.
  • Monitor device logs and behavior for signs of exploitation or suspicious activity.

Reference:

 

  14. Critical Vulnerability in OttoKit WordPress Plugin

A critical privilege escalation vulnerability in the OttoKit WordPress plugin could allow attackers to gain unauthorized administrator access, potentially resulting in full site compromise.

Key Vulnerability:

  • CVE-2025-27007
  • CVSS Score: 9.8 (Critical)
  • Impact: Unauthenticated privilege escalation via OttoKit’s REST API
  • Root Cause: Insufficient authentication validation in REST endpoints

Exploitation Impact:

  • Complete website takeover (admin privileges granted to attacker)
  • Unauthorized creation of persistent admin accounts
  • Data theft and possible customer data breaches
  • Ability to inject malware or launch phishing attacks via compromised sites

Affected Versions:

  • OttoKit WordPress Plugin versions prior to 1.0.83

Fixed Version:

  • OttoKit Plugin v1.0.83 or later

Recommended Actions:

  • Immediately update the plugin to version 1.0.83 or later
  • Review admin accounts for suspicious additions
  • Monitor for signs of web shell uploads, content tampering, or email abuse
  • Consider installing a WordPress security plugin to detect future anomalies

Reference:

 

  15. Critical Vulnerability in Honeywell MB-Secure Alarm Control Panels

A critical command injection vulnerability in Honeywell MB-Secure and MB-Secure PRO alarm control panels can be exploited to gain elevated privileges and remotely execute malicious commands, potentially compromising physical and operational security systems.

Key Vulnerability:

  • CVE-2025-2605
  • CVSS Score: 9.9 (Critical)
  • Impact: OS command injection leading to privilege escalation and remote code execution
  • Root Cause: Improper input sanitization in command-handling processes

Exploitation Impact:

  • Unauthorized system access with elevated privileges
  • Remote execution of malicious commands
  • Manipulation or disabling of critical alarm configurations
  • Complete compromise of building or industrial security systems

Affected Products and Versions:

  • MB-Secure: Versions V11.04 and earlier
  • MB-Secure PRO: Versions V01.06 and earlier

Fixed Versions:

  • MB-Secure: Update to V12.53
  • MB-Secure PRO: Update to V03.09

Recommended Actions:

  • Immediately upgrade to the fixed versions provided by Honeywell
  • Restrict access to alarm management interfaces to trusted IP ranges
  • Monitor systems for unusual alarm behavior or configuration changes
  • Review access logs for signs of unauthorized access or command injection

Reference:

 

  16. Actively Exploited Critical Vulnerability in Langflow

A critical unauthenticated remote code execution (RCE) vulnerability in Langflow is being actively exploited in the wild. The flaw stems from missing authentication on the /api/v1/validate/code endpoint, allowing attackers to remotely execute arbitrary code on unpatched systems.

Key Vulnerability:

  • CVE ID: CVE-2025-3248
  • CVSS Score: 9.8 (Critical)
  • CWE: CWE-306 – Missing Authentication for Critical Function
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Product:

  • Langflow (Langflow-AI)
  • Vulnerable Versions: 0.0.0 through 1.2.0
  • Fixed Version: 1.3.0

Exploitation Impact:

  • Full system compromise
  • Unauthorized data access and exfiltration
  • Malware or backdoor deployment
  • Lateral movement within internal networks

Recommended Actions:

  • Upgrade to Langflow v1.3.0 or later immediately
  • Audit web server logs for suspicious POST requests to /api/v1/validate/code
  • Isolate affected systems and conduct forensics if compromise is suspected
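The log review recommended for both Kibana (ML/Reporting endpoints) and Langflow (POSTs to /api/v1/validate/code) can be done with one triage pass over web-server access logs. The script below is an added example, not vendor code: the Langflow path is the one the advisory names, while the Kibana prefixes /api/ml and /api/reporting are assumptions standing in for the "Machine Learning and Reporting APIs" and should be adjusted to the deployment under review; the log lines are constructed.

```python
"""Triage Combined-Log-Format access logs for requests to the endpoints
named in the Kibana (CVE-2025-25014) and Langflow (CVE-2025-3248) items.
Added example; Kibana path prefixes are assumptions, sample lines are
constructed (addresses from RFC 5737 test ranges)."""
import posixpath
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import unquote

SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2025:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [08/May/2025:10:01:05 +0000] "GET /api/v1/flows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/May/2025:10:01:09 +0000] "POST /api/v1//validate/%63ode HTTP/1.1" 200 611 "-" "python-requests/2.31"',
    '192.0.2.9 - - [08/May/2025:10:02:11 +0000] "POST /api/ml/some_endpoint?pretty HTTP/1.1" 200 300 "-" "curl/8.5.0"',
    '192.0.2.9 - - [08/May/2025:10:02:12 +0000] "POST /api/reporting/generate/csv HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [08/May/2025:10:03:00 +0000] "GET /api/v1/validate/code HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


class Rule(NamedTuple):
    name: str
    prefix: str          # canonical path prefix, no trailing slash
    methods: frozenset   # empty set means any method


WATCHLIST: List[Rule] = [
    Rule("langflow-validate-code", "/api/v1/validate/code", frozenset({"POST"})),
    Rule("kibana-ml-api", "/api/ml", frozenset()),                # assumed prefix
    Rule("kibana-reporting-api", "/api/reporting", frozenset()),  # assumed prefix
]


class Hit(NamedTuple):
    rule: str
    ip: str
    ts: str
    method: str
    path: str
    status: int


def canonical_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse '//' and '.'
    segments so lightly obfuscated requests compare equal to the advisory path."""
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    return path if path.startswith("/") else "/" + path


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = canonical_path(entry.pop("target"))
    entry["status"] = int(entry["status"])
    return entry


def match_rules(entry: dict, rules: Iterable[Rule] = WATCHLIST) -> List[Hit]:
    hits = []
    for rule in rules:
        if rule.methods and entry["method"] not in rule.methods:
            continue
        p = entry["path"]
        if p == rule.prefix or p.startswith(rule.prefix + "/"):
            hits.append(Hit(rule.name, entry["ip"], entry["ts"], entry["method"], p, entry["status"]))
    return hits


def triage(lines: Iterable[str], rules: Iterable[Rule] = WATCHLIST) -> Dict[str, object]:
    """Return matched requests plus per-rule and per-source counts; lines that
    do not parse are counted rather than silently dropped."""
    rules = list(rules)
    hits: List[Hit] = []
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        hits.extend(match_rules(entry, rules))
    return {"hits": hits, "by_rule": Counter(h.rule for h in hits),
            "by_source": Counter(h.ip for h in hits), "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"{h.rule:24} {h.ip:14} {h.method} {h.path} -> {h.status}")
    print("per source:", dict(result["by_source"]), "unparsed:", result["unparsed"])
```

Feed it real logs with `triage(open(path))`; repeated POSTs from one source to the Langflow endpoint, or any traffic to the Kibana prefixes from hosts that should not use those features, are the entries to investigate first.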

Reference:

 

  17. Critical Vulnerabilities in Netgear Wi-Fi Range Extender

Multiple critical vulnerabilities have been discovered in the Netgear EX6200 Wi-Fi Range Extender, potentially allowing unauthenticated remote attackers to execute arbitrary code, steal credentials, or gain full device access.

Key Vulnerabilities:

  • CVE-2025-4148 – Buffer Overflow in sub_503FC
    • Severity: High (CVSS 8.8)
    • Exploitable remotely without user interaction; may result in full device compromise.
  • CVE-2025-4149 – Input Validation Bypass in sub_54014
    • Severity: High (CVSS 8.8)
    • Enables remote access and potential malware deployment by bypassing security controls.
  • CVE-2025-4150 – Buffer Overflow in sub_54340
    • Severity: High (CVSS 8.8)
    • Allows attackers to intercept network traffic, extract stored credentials, and gain persistent access.

Affected Product:

  • Model: Netgear EX6200 Wi-Fi Range Extender
  • Firmware: Version 1.0.3.94

Recommended Actions:

  • Disable remote management features.
  • Restrict network access to the device and segment from critical infrastructure.
  • Monitor logs for anomalies or unauthorized login attempts.
  • Apply firmware updates as soon as available.
  • Replace or isolate vulnerable devices in sensitive environments.

References:

 

  18. Critical SQL Injection Vulnerability in ADOdb PHP Library

A critical SQL injection vulnerability has been discovered in the ADOdb PHP database abstraction library, widely used in over 2.8 million deployments. The flaw affects PostgreSQL drivers and may lead to complete database compromise.

Vulnerability Details:

  • CVE: CVE-2025-46337
  • Severity: Critical (CVSS 10.0)
  • Component: pg_insert_id() method
  • Vulnerable Parameter: $fieldname
  • Impacted Drivers: postgres64, postgres7, postgres8, postgres9
  • Patched Version: ADOdb 5.22.9 (commit 11107d6)

Impact:

Exploitation allows attackers to inject and execute arbitrary SQL commands, potentially leading to:

  • Unauthorized data access or manipulation
  • Full compromise of database integrity and confidentiality
  • Escalation to application-level access

Recommended Actions:

  • Upgrade to ADOdb 5.22.9 or later immediately.
  • If upgrading is not possible, ensure the $fieldname parameter in pg_insert_id() is sanitized using pg_escape_identifier().
  • Restrict database privileges to limit the impact of exploitation.
  • Audit logs for signs of SQL injection attempts.
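The mitigation above hinges on identifier quoting, which is a different control from parameter binding (bind parameters cannot carry table or column names). The example below is added here and is not ADOdb's code: it reproduces the shape of the bug (a caller-supplied field name concatenated into a sequence name and then into SQL; the query text is a hypothetical stand-in) and applies the rule pg_escape_identifier() implements, wrapping the name in double quotes and doubling any embedded double quote, plus an allowlist as a second layer.

```python
"""Identifier quoting for dynamically built PostgreSQL statements.
Added example, not ADOdb's code; the query text is a hypothetical stand-in
for the pattern described under CVE-2025-46337."""
import re
from typing import Iterable, List

SIMPLE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def quote_identifier(name: str) -> str:
    """Same rule as pg_escape_identifier(): double-quote the identifier and
    double any embedded double quote. NUL is rejected because PostgreSQL
    identifiers cannot contain it."""
    if "\x00" in name:
        raise ValueError("identifier must not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def sequence_query_vulnerable(table: str, field: str) -> str:
    # Pattern to avoid: the caller-controlled field name goes straight into SQL.
    return f"SELECT last_value FROM {table}_{field}_seq"


def sequence_query_fixed(table: str, field: str) -> str:
    # The whole derived sequence name is quoted as one identifier, so any
    # punctuation in `field` stays inside the name instead of ending it.
    return f"SELECT last_value FROM {quote_identifier(f'{table}_{field}_seq')}"


def sequence_query_allowlisted(table: str, field: str, allowed_fields: Iterable[str]) -> str:
    # Defence in depth: only field names the application itself defines are
    # accepted, and they must look like plain identifiers.
    if field not in set(allowed_fields) or not SIMPLE_IDENT.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    return sequence_query_fixed(table, field)


def is_accepted(table: str, field: str, allowed_fields: Iterable[str]) -> bool:
    try:
        sequence_query_allowlisted(table, field, allowed_fields)
        return True
    except ValueError:
        return False


def split_statements(sql: str) -> List[str]:
    """Split on ';' outside single- or double-quoted text. Used only to show
    how many statements the server would see for each builder."""
    parts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


if __name__ == "__main__":
    hostile = "x_seq; SELECT 1"   # constructed: a field name that is not a name
    for builder in (sequence_query_vulnerable, sequence_query_fixed):
        sql = builder("orders", hostile)
        print(f"{builder.__name__}: {len(split_statements(sql))} statement(s): {sql}")
    print("allowlist accepts 'id':", is_accepted("orders", "id", {"id", "customer_id"}))
    print("allowlist accepts hostile:", is_accepted("orders", hostile, {"id", "customer_id"}))
```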

References:

 

  19. Malicious WordPress Plugin Masquerading as Anti-Malware Tool

A sophisticated malware strain has been discovered disguising itself as a legitimate WordPress plugin named WP-antymalwary-bot.php. The malware enables unauthorized administrative access, remote code execution (RCE), and persistent reinfection—posing a severe threat to WordPress site integrity.

Technical Details:

Infection Characteristics:

  • Malicious Files: WP-antymalwary-bot.php, addons.php, scr.php, wp-performancebooster.php
  • Persistence: Modifies wp-cron.php to reinstall itself if removed
  • Stealth: Hides presence from the WordPress plugin dashboard
  • Entry Point: Likely via compromised hosting accounts or stolen FTP credentials

Malicious Capabilities:

  1. Administrator Hijack:
    • Uses the emergency_login parameter to gain admin access via hardcoded credentials.
  2. Remote Code Execution (RCE):
    • Abuses the REST API to execute PHP code unauthenticated.
  3. Malvertising / JS Injection:
    • Injects base64-encoded JavaScript ads into <head> sections via header.php.
  4. Command and Control (C2):
    • Communicates with C2 server at http://45.61.136.85:5555 every minute.
  5. Auto-Reinstallation:
    • Uses wp-cron.php and cron jobs to persist even after removal.

Recommended Actions:

  • Scan all WordPress sites for suspicious plugins like WP-antymalwary-bot.php.
  • Review and restore wp-cron.php and core files from clean backups.
  • Remove malicious plugins and injected JavaScript from header.php.
  • Reset all admin passwords and enforce strong password policies.
  • Monitor for ongoing C2 communication attempts.
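The first three recommended actions can be scripted against a WordPress install. The scanner below is an added example and not part of the original report: the file names, the emergency_login parameter and the C2 address are the indicators the digest lists, while the detection heuristics, the clean-baseline comparison for wp-cron.php and the on-disk fixture it builds in a temporary directory are this example's own.

```python
"""Scan a WordPress tree for the indicators listed for the
WP-antymalwary-bot.php malware. Added example, not from the original report;
the fixture it builds is constructed."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

# Indicators from the digest. Generic names such as addons.php are leads, not proof.
SUSPICIOUS_FILENAMES = {n.lower() for n in
    ("WP-antymalwary-bot.php", "addons.php", "scr.php", "wp-performancebooster.php")}
CONTENT_INDICATORS = ("emergency_login", "45.61.136.85:5555")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


class Finding(NamedTuple):
    path: str
    reason: str


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_wordpress(root: Path, baseline: Dict[str, str]) -> List[Finding]:
    """`baseline` maps core file paths (relative to root) to SHA-256 digests
    taken from a clean copy of the same WordPress release; wp-cron.php is the
    file this malware edits for reinstallation."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPICIOUS_FILENAMES:
            findings.append(Finding(rel, "filename matches reported malicious file"))
        if path.suffix == ".php":
            text = path.read_text(errors="replace")
            for ioc in CONTENT_INDICATORS:
                if ioc in text:
                    findings.append(Finding(rel, f"contains indicator {ioc!r}"))
            if path.name == "header.php":
                # Injected ads were base64-encoded JavaScript placed in <head>.
                for body in SCRIPT_BLOCK.findall(text):
                    if "atob(" in body or LONG_BASE64.search(body):
                        findings.append(Finding(rel, "inline script with base64 payload"))
                        break
        if rel in baseline and sha256_of(path) != baseline[rel]:
            findings.append(Finding(rel, "core file differs from clean baseline"))
    return findings


def build_fixture(root: Path) -> Dict[str, str]:
    """Constructed tree: a clean wp-cron.php is hashed for the baseline, then
    the infected state is written. Nothing here is real malware content."""
    (root / "wp-content/plugins/akismet").mkdir(parents=True)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    cron = root / "wp-cron.php"
    cron.write_text("<?php\n// constructed stand-in for the clean core file\n")
    baseline = {"wp-cron.php": sha256_of(cron)}
    cron.write_text(cron.read_text() + "// constructed modification standing in for the reinstall hook\n")
    (root / "wp-content/plugins/WP-antymalwary-bot.php").write_text(
        "<?php // constructed stand-in mentioning the reported emergency_login parameter\n")
    (root / "wp-content/plugins/akismet/akismet.php").write_text("<?php // legitimate plugin stand-in\n")
    payload = base64.b64encode(b"/* constructed placeholder for an injected ad script */" * 2).decode()
    (root / "wp-content/themes/demo/header.php").write_text(
        f"<head>\n<script>eval(atob('{payload}'));</script>\n</head>\n")
    return baseline


def run_demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return scan_wordpress(root, build_fixture(root))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: {f.reason}")
```

Against a live site, point `scan_wordpress` at the document root with a baseline computed from a pristine download of the same WordPress version, and treat every hit as a lead to verify by hand.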

References:



  20. Gremlin Stealer – New Info-Stealing Malware Sold via Telegram

Gremlin Stealer is a newly identified infostealer written in C#, actively sold through a Telegram group called CoderSharp since mid-March 2025. It targets a broad range of sensitive information including browser data, cryptocurrency wallets, credentials, and system details.

Key Capabilities:

  • Bypasses Chrome V20 cookie protection
  • Targets Chromium and Gecko-based browsers
  • Steals from:
    • Browsers (cookies, credentials)
    • Crypto wallets (e.g., Bitcoin, Ethereum, Litecoin)
    • FTP and VPN clients
    • Telegram and Discord sessions
    • Clipboard and system information
    • Credit card data

Command & Control Infrastructure:

  • Backend panel hosted at: 207.244.199[.]46
  • Uses a Telegram bot with a hardcoded API key for exfiltration
  • Sends ZIP archives of stolen data via HTTP POST

Technical Observations:

  • Fully self-contained (no internet download during build)
  • Uses dnSpy-observable functions like GetCookies, RunBrowserv20, and writeCookieToFile
  • Stores collected data in LOCAL_APP_DATA, later compressed and exfiltrated
  • Includes persistence via wp-cron and Telegram bot delivery mechanism

Observed IOCs:

  • Server IP: 207.244.199[.]46
  • C2 URL: hxxp://207.244.199[.]46/index.php
  • SHA256:
    d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132

 

Reference:

https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/ 

 

  21. Outlaw Cybergang Targeting Linux Systems Worldwide

Outlaw (aka “Dota”) is a Perl-based botnet targeting Linux servers with weak/default SSH credentials. Recent activity, identified during a real IR case in Brazil and confirmed via public telemetry, highlights the gang’s global operations—especially in the U.S., Germany, Italy, and Southeast Asia.

 

Attack Flow:

  1. Initial Access: Brute-force SSH using weak credentials (e.g., user: suporte, key from user mdrfckr).
  2. Payload Delivery:
    • Script tddwrt7s.sh downloads dota.tar.gz.
    • Extracts to .configrc5/ with multiple subdirectories.
  3. Process Control:
    • Terminates other miners to monopolize resources.
    • Uses CPU threshold logic and whitelisting via grep on keywords like kswapd0, rsync.
  4. Persistence & C2:
    • Modifies .ssh/authorized_keys.
    • Launches b/run, a Base64-encoded Perl IRC bot (disguised as rsync), using port 443.
  5. Malware Capabilities:
    • Remote command execution
    • DDoS, scanning, file transfers via HTTP
    • Maintains background persistence
  6. Cryptomining:
    • Customized XMRig (6.19.0), runs CPU-only miner.
    • Includes TOR-based mining pool communication.

 

IOC Highlights:

  • SSH user/key: mdrfckr
  • Hidden directory: ~/.configrc5/
  • Miner filename: a/kswapd0 (UPX packed)
  • C2: IRC via port 443
  • Persistence: authorized_keys replacement
  • Targeted processes: httpd, rsync, kswapd0, etc.
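The IOC highlights above translate directly into host checks: the key comment in authorized_keys, the hidden ~/.configrc5/ directory, and processes named kswapd0 or rsync that run from a home directory rather than as a kernel thread or from a system path. The script below is an added example, not from the Securelist report; the authorized_keys content and `ps` snapshot it checks are constructed.

```python
"""Host checks for the Outlaw/Dota indicators listed in the digest.
Added example; sample authorized_keys and ps output are constructed."""
import tempfile
from pathlib import Path
from typing import Iterable, List, NamedTuple

SUSPECT_KEY_COMMENT = "mdrfckr"          # key comment/user reported in the digest
HIDDEN_DIR = ".configrc5"                # hidden directory the payload extracts to
IMPERSONATED_NAMES = {"kswapd0", "rsync"}  # names the miner and IRC bot borrow

# Constructed `ps -eo pid,user,comm,args --no-headers` output.
PS_SNAPSHOT = """\
   42 root     kswapd0  [kswapd0]
 1337 suporte  kswapd0  /home/suporte/.configrc5/a/kswapd0
 1338 suporte  rsync    /home/suporte/.configrc5/b/run
  900 root     rsync    /usr/bin/rsync -a /srv/data /backup/data
 2001 www-data httpd    /usr/sbin/httpd -k start
"""


class Finding(NamedTuple):
    kind: str
    detail: str


def check_authorized_keys(text: str) -> List[Finding]:
    """Flag entries whose trailing comment is the reported string.
    Entry format: [options] keytype base64-key [comment]."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        comment = parts[-1] if len(parts) >= 3 else ""
        if comment == SUSPECT_KEY_COMMENT:
            findings.append(Finding("ssh-key", f"authorized_keys line {n} has comment {comment!r}"))
    return findings


def check_home_dirs(home_root: Path) -> List[Finding]:
    """Look for <home>/<user>/.configrc5 under the given home root."""
    return [Finding("hidden-dir", p.as_posix())
            for p in sorted(home_root.glob(f"*/{HIDDEN_DIR}")) if p.is_dir()]


def check_process_snapshot(ps_lines: Iterable[str]) -> List[Finding]:
    """A genuine kswapd0 is a kernel thread and shows as [kswapd0]; a real
    rsync runs from a system path. Anything with one of these names whose
    executable sits in a home, tmp or .configrc5 path is flagged."""
    findings = []
    for line in ps_lines:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, user, comm, args = fields
        if comm not in IMPERSONATED_NAMES or args.startswith("["):
            continue
        exe = args.split()[0]
        if HIDDEN_DIR in exe or exe.startswith(("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")):
            findings.append(Finding("process", f"pid {pid} ({user}) {comm} running from {exe}"))
    return findings


def run_demo() -> List[Finding]:
    keys = ("# constructed authorized_keys\n"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYMATERIAL ops@bastion\n"
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEYMATERIAL mdrfckr\n")
    findings = check_authorized_keys(keys)
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / "suporte" / HIDDEN_DIR / "a").mkdir(parents=True)
        (home / "alice" / ".ssh").mkdir(parents=True)
        findings += check_home_dirs(home)
    findings += check_process_snapshot(PS_SNAPSHOT.splitlines())
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.kind}] {f.detail}")
```

On a real host, run the three checks against each user's ~/.ssh/authorized_keys, the /home root and live `ps -eo pid,user,comm,args` output; a positive on any one of them warrants a full incident response rather than just deleting the directory, since the bot rewrites authorized_keys.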



Reference: 

https://securelist.com/outlaw-botnet/116444/

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.