Weekly Threat Landscape Digest – Week 21

This week’s threat landscape reveals a notable escalation in the tactics and precision of cyber attackers. Threat actors are actively exploiting recently disclosed and still-unpatched vulnerabilities, with a noticeable uptick in the use of zero-day exploits and sharply focused phishing campaigns. To mitigate these evolving risks, organizations must act swiftly on patch deployments, enhance their threat detection mechanisms, and sustain around-the-clock security monitoring. Just as critical are keeping security teams informed with the latest threat intelligence, reinforcing employee cyber awareness through regular training, and ensuring a clear, tested incident response strategy is in place for swift containment and recovery.

  1. Reflected XSS Vulnerability in PAN-OS GlobalProtect
    Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133) in the GlobalProtect gateway and portal in PAN-OS.

This vulnerability allows attackers to craft malicious URLs that, when clicked by authenticated users accessing a Captive Portal, execute arbitrary JavaScript in the browser. If Clientless VPN is enabled, the risk increases due to potential credential theft. Public proof-of-concept (PoC) code is already available, raising exploitation likelihood.

Key Details:
  • CVE-2025-0133 – Reflected XSS in GlobalProtect
    Impact: Arbitrary JavaScript execution in user browser
    Risk: Low (CVSS 5.1) if Clientless VPN is disabled
    Risk: Medium (CVSS 6.9) if Clientless VPN is enabled
    PoC: Publicly available
    Attack Vector: Network

Affected Versions & Fix ETA:
• PAN-OS 11.2.0 – 11.2.6 → Fix in 11.2.7 (ETA June 2025)
• PAN-OS 11.1.0 – 11.1.10 → Fix in 11.1.11 (ETA July 2025)
• PAN-OS 10.2.0 – 10.2.16 → Fix in 10.2.17 (ETA August 2025)
• PAN-OS 10.1.0 – 10.1.14 → Fix in 10.2.17 (ETA August 2025)
• Older unsupported versions → Upgrade to a supported release

Recommendations:
• Upgrade to the fixed version as soon as available
• Disable Clientless VPN if not operationally essential
• Monitor Captive Portal access logs for anomalies

Reference:
https://security.paloaltonetworks.com/CVE-2025-0133

  2. Security Updates – Cisco ISE and CUIC
    Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (CUIC), including remote DoS and privilege escalation risks.

These flaws can lead to unauthenticated denial-of-service (DoS) attacks on Cisco ISE and authenticated remote privilege escalation on CUIC. The ISE RADIUS vulnerability is particularly critical due to its default enablement and network exposure. No workarounds are currently available.

Key Vulnerabilities:
  • CVE-2025-20152 – Cisco ISE RADIUS DoS
    Severity: High (CVSS 8.6)
    Impact: Unauthenticated DoS via RADIUS service
  • CVE-2025-20113 – CUIC Admin Privilege Escalation
    Severity: High (CVSS 7.1)
    Impact: Authenticated attackers can gain admin access
  • CVE-2025-20114 – CUIC Horizontal Privilege Escalation
    Severity: Medium (CVSS 4.3)
    Impact: Access to peer user privileges

Affected and Fixed Versions:
  • Cisco ISE 3.4 → Fixed in 3.4P1
  • Cisco ISE ≤3.3 → Not vulnerable
  • CUIC 12.5 → Fixed in 12.5(1)SU ES04
  • CUIC 12.6 → Fixed in 12.6(2)ES04
  • Unified CCX 12.5(1)SU3 and earlier → Migrate to fixed release
  • CUIC / CCX 15 → Not vulnerable

Recommendations:
• Upgrade Cisco ISE, CUIC, and Unified CCX to the latest fixed versions
• Monitor ISE systems for unusual reboots or denial-of-service behavior
• Review access privileges on CUIC deployments

References:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-ise-restart-ss-uf986G2Q
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-cuis-priv-esc-3Pk96SU4


  3. Security Updates – VMware
    VMware has released security patches addressing multiple vulnerabilities across Cloud Foundation, vCenter Server, ESXi, Workstation, and Fusion that may lead to command execution, DoS, XSS, and data disclosure.

These vulnerabilities affect critical components of VMware infrastructure and may allow attackers to gain unauthorized access, execute arbitrary commands, perform denial-of-service (DoS), or launch reflected XSS attacks. The Cloud Foundation directory traversal and vCenter command execution flaws are of particular concern due to their network accessibility and privilege abuse potential.

Key Vulnerabilities:
  • CVE-2025-41229 – Directory Traversal in Cloud Foundation
    CVSS: 8.2
    Impact: Unauthorized access to internal services via port 443

  • CVE-2025-41230 – Information Disclosure in Cloud Foundation
    CVSS: 7.5
    Impact: Leaks sensitive data over port 443
  • CVE-2025-41231 – Missing Authorization in Cloud Foundation
    CVSS: 7.3
    Impact: Limited unauthorized actions on appliances
  • CVE-2025-41225 – vCenter Authenticated Command Execution
    CVSS: 8.8
    Impact: Arbitrary command execution via alarm scripting
  • CVE-2025-41226 / 41227 – Guest VM and Host DoS
    CVSS: 6.8 / 5.5
    Impact: VM crash or host resource exhaustion
  • CVE-2025-41228 – Reflected XSS in vCenter and ESXi
    CVSS: 4.3
    Impact: Cookie theft, redirection to malicious websites

Affected & Fixed Versions:
  • vCenter Server:
    → 8.0 → Update to 8.0 U3e
    → 7.0 → Update to 7.0 U3v

  • ESXi:
    → 8.0 → Update to ESXi80U3se-24659227
    → 7.0 → Update to ESXi70U3sv-24723868
  • Cloud Foundation:
    → 5.x / 4.5.x → Apply async patch per [KB88287]
  • Telco Cloud Platform / Infrastructure (vCenter & ESXi):
    → 2.x – 5.x → Apply patches to 8.0 U3e or ESXi70U3sv as per version
  • Workstation 17.x → Update to 17.6.3
  • Fusion 13.x → Update to 13.6.3

Recommendations:
• Apply the latest patches to VMware Cloud Foundation, ESXi, vCenter Server, Workstation, and Fusion
• Monitor systems for signs of command injection, unauthorized access, or service disruption
• Limit access to management interfaces and segment vulnerable systems

References:
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25733


  4. Security Updates – Mozilla Firefox
    Mozilla has released critical security patches addressing severe vulnerabilities in Firefox and Firefox ESR that could enable remote code execution or compromise browser integrity.

These vulnerabilities impact the JavaScript engine’s handling of Promise objects and array optimizations. Both flaws are rated critical and may allow attackers to exploit memory safety issues for code execution or information leakage.

Key Vulnerabilities:
  • CVE-2025-4918 – Out-of-Bounds Access in Promise Resolution
    Severity: Critical
    Impact: May allow remote attackers to read/write memory outside intended bounds during JavaScript Promise handling, leading to RCE

  • CVE-2025-4919 – Out-of-Bounds Access in Linear Sum Optimization
    Severity: Critical
    Impact: Malformed array indexes can trigger arbitrary memory access, potentially leading to code execution

Fixed Versions:
• Firefox 138.0.4
• Firefox ESR 128.10.1
• Firefox ESR 115.23.1

Recommendations:
• Immediately update Firefox and Firefox ESR to the latest patched versions
• Monitor browsers for any unusual behavior or crashes that may indicate exploitation
• Apply browser restrictions and sandboxing in enterprise environments

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/


  5. Security Updates – Adobe
    Adobe has released critical updates addressing multiple vulnerabilities across its product suite, including Photoshop and Lightroom, which may lead to arbitrary code execution and privilege escalation.

The latest Adobe patches cover a wide range of products, with several high-severity flaws that could allow attackers to execute malicious code, access sensitive data, or disrupt operations. Of note are memory corruption issues in Photoshop and a critical out-of-bounds write vulnerability in Lightroom.

Key Vulnerabilities:
Adobe Photoshop
CVE-2025-30324 / 30325 / 30326 – Memory corruption vulnerabilities
Severity: High
Impact: Arbitrary code execution via specially crafted files
Affected Versions:
 – Photoshop 2025 (≤ v26.5)
 – Photoshop 2024 (≤ v25.12.2)
Fixed Versions:
 – v26.6 (2025)
 – v25.12.3 (2024)

Adobe Lightroom
CVE-2025-27197 – Out-of-bounds write vulnerability
Severity: Critical
Impact: Arbitrary code execution
Affected Versions: Lightroom ≤ v8.2
Fixed Version: Lightroom v8.3

Recommendations:
• Immediately update affected Adobe products to the latest versions
• Ensure secure file handling practices to avoid exploitation through malicious content
• Enable endpoint protection tools to monitor Adobe software behavior

Reference:
https://helpx.adobe.com/security/security-bulletin.html

  6. Vulnerability in Spring Security
    A vulnerability in Spring Security’s AspectJ-based method security may lead to unauthorized access if security annotations are misapplied to private methods.

Spring Security has disclosed a flaw (CVE-2025-41232) affecting versions 6.4.0 to 6.4.5. The vulnerability arises when method-level security annotations are applied to private methods in applications using AspectJ. In such cases, the framework may not properly enforce access restrictions, allowing unauthorized users to invoke sensitive methods.

Key Details:
CVE ID: CVE-2025-41232
Severity: Medium
Impact:
→ Bypass of method-level security restrictions
→ Potential for unauthorized access, data leakage, or privilege escalation
Affected Versions: Spring Security 6.4.0 – 6.4.5
Fixed Version: Spring Security 6.4.6+

Recommendations:
• Upgrade to Spring Security v6.4.6 or later
• Review application code for private methods with security annotations
• Avoid applying method-level security annotations on private methods when using AspectJ

Reference:
https://spring.io/security/cve-2025-41232


  7. Critical SAML Signature Wrapping Vulnerability in samlify
    A critical vulnerability in the samlify Node.js library may allow attackers to bypass authentication and impersonate users, including administrators.

A critical security flaw (CVE-2025-47949) has been identified in the samlify library, which is commonly used for implementing SAML 2.0 Single Sign-On (SSO). The vulnerability stems from improper signature validation in SAML responses, enabling a SAML Signature Wrapping (SSW) attack. This allows attackers to inject malicious, unsigned assertions that are processed by the application, resulting in full authentication bypass.

Key Details:
CVE ID: CVE-2025-47949
CVSSv4 Score: 9.9 (Critical)
Vulnerability Type: SAML Signature Wrapping / Improper Signature Validation
Impact:
→ Authentication bypass and user impersonation
→ Privilege escalation and unauthorized access
→ Potential lateral movement within environments
Affected Versions: samlify < v2.10.0
Fixed Version: samlify v2.10.0+

Recommendations:
• Upgrade samlify to version 2.10.0 or later immediately
• Audit authentication flows and SAML processing logic
• Monitor for anomalous logins or privilege escalations

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47949
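As an added example (not samlify code and not part of the original advisory), the following Python check shows the structural rules a relying party should enforce alongside cryptographic signature verification so that the assertion it trusts is the one the signature actually covers; the two SAML documents are constructed and their signature values are placeholders.

```python
"""Structural guard against SAML Signature Wrapping (SSW).

Added example, not samlify code. Verifying the signature value answers
"is some signature valid?"; these checks answer "does that signature cover
the Assertion I am about to trust?", which is what a wrapping attack abuses.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def audit_response(response_xml: str) -> list[str]:
    """Return structural findings; an empty list means: exactly one Assertion,
    placed directly under the Response, and every Signature is enveloped in
    the element its single Reference URI names. Run this after (not instead
    of) verifying the signature value against the trusted IdP certificate."""
    findings: list[str] = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    parent = {child: p for p in root.iter() for child in p}

    # Rule 1: one Assertion in the whole document, and it is a child of the
    # Response. Wrapping adds a second, unsigned Assertion and hides the signed one.
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(assertions)}")
    for a in assertions:
        if parent[a] is not root:
            findings.append(
                f"Assertion {a.get('ID')!r} is nested under {parent[a].tag}, not Response")

    # Rule 2: each Signature must sit inside the element it signs and its
    # Reference URI must be "#<ID of that element>" (enveloped signature).
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        findings.append("no ds:Signature present")
    for sig in signatures:
        owner = parent[sig]
        if owner.tag not in (f"{{{SAMLP}}}Response", f"{{{SAML}}}Assertion"):
            findings.append(f"Signature placed under {owner.tag}")
        refs = sig.findall(f"./{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if len(refs) != 1:
            findings.append(f"Signature has {len(refs)} Reference elements, expected 1")
        for ref in refs:
            uri = ref.get("URI", "")
            if uri != f"#{owner.get('ID')}":
                findings.append(
                    f"Reference URI {uri!r} does not match enclosing element ID {owner.get('ID')!r}")
    return findings


# Constructed sample documents; signature values are placeholders, not real.
_NS = f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"'

LEGIT_RESPONSE = f"""<samlp:Response {_NS} ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# The signed original is moved under Extensions, where a naive "find a
# signature and verify it" step still succeeds, while an unsigned Assertion
# for a different user sits where the application looks for it.
WRAPPED_RESPONSE = f"""<samlp:Response {_NS} ID="_resp1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `audit_response(LEGIT_RESPONSE)` returns an empty list, while the wrapped document yields two findings (a second Assertion, and the signed one nested under Extensions), either of which should abort the login.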


  8. Critical Vulnerability in Crawlomatic WordPress Plugin
    A vulnerability in the Crawlomatic plugin enables unauthenticated attackers to upload arbitrary files, leading to potential full site compromise.

A critical remote code execution vulnerability (CVE-2025-4389) has been discovered in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress. Affecting versions up to and including 2.6.8.1, this flaw allows unauthenticated attackers to upload executable files to the server. Exploitation can lead to complete website takeover or further compromise of the hosting environment.

Key Details:
CVE ID: CVE-2025-4389
CVSS Score: 9.8 (Critical)
Vulnerability Type: Unrestricted File Upload
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Plugin: Crawlomatic Multipage Scraper Post Generator
Affected Versions: ≤ 2.6.8.1
Fixed Version: 2.6.8.2
Exploitability: Remote, unauthenticated access without user interaction

Recommendations:
• Immediately update the plugin to version 2.6.8.2 or later
• Review server logs and file directories for unauthorized uploads
• Harden file upload permissions and monitoring on WordPress sites

Reference:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/crawlomaticmultipage-scraper-post-generator/crawlomatic-multipage-scraper-post-generator-2681-unauthenticated-arbitrary-file-upload


  9. Critical Vulnerability in Rockwell Automation FactoryTalk Systems
    A flaw in Apache log4net used by FactoryTalk Historian-ThingWorx Connector may lead to sensitive data disclosure or system exploitation.

Rockwell Automation has disclosed a critical vulnerability (CVE-2018-1285) affecting the FactoryTalk Historian-ThingWorx Connector, caused by the use of an outdated version of the Apache log4net library. The vulnerability enables XML External Entity (XXE) injection through crafted configuration files, which can be exploited to access sensitive data or disrupt system operations.

Key Details:
CVE ID: CVE-2018-1285
CVSS Score: 9.8 (Critical)
Component: Apache log4net (logging library)
Vulnerability Type: XML External Entity (XXE) Injection
Attack Vector: Local or remote manipulation of configuration files
Root Cause: Insecure external XML entity resolution in log4net
Affected Product: FactoryTalk Historian-ThingWorx Connector (95057C-FTHTWXCT11) ≤ v4.02.00
Fixed Version: v5.00.00 or later

Recommendations:
• Immediately upgrade FactoryTalk Historian-ThingWorx Connector to version 5.00.00 or newer
• Audit XML-based configurations for untrusted entries
• Monitor system behavior for abnormal resource access or configuration changes

Reference:
https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1728.html
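To support the "audit XML-based configurations" recommendation, here is an added Python example (not Rockwell Automation or Apache log4net code) that flags any DOCTYPE or entity declaration in a log4net configuration before a vulnerable loader parses it; the two configuration files are constructed, and the external-entity path is a placeholder.

```python
"""Pre-parse audit of a log4net XML configuration for DTD and entity use.

Added example, not Rockwell Automation or Apache log4net code. The bug class
behind CVE-2018-1285 is XXE in the configuration loader, so the defensive
check is simple: a log4net config has no legitimate reason to carry a
DOCTYPE or any entity declaration, and a file that does should be quarantined
before an old loader ever reads it. Sample configurations are constructed.
"""
import xml.parsers.expat as expat


def audit_xml_config(xml_bytes: bytes) -> list[str]:
    """Return one finding per DOCTYPE and entity declaration in the document.
    Expat reports declarations through callbacks without resolving them, and
    no ExternalEntityRefHandler is installed, so external references are
    skipped rather than fetched while auditing."""
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(
            f"DOCTYPE for <{name}> (system id {system_id!r}, "
            f"internal subset: {bool(has_internal_subset)})")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id is not None:
            findings.append(f"external {kind} entity &{name}; -> {system_id!r}")
        else:
            findings.append(f"internal {kind} entity &{name}; = {value!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


# A benign configuration in the shape log4net expects.
SAFE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
    <file value="connector.log" />
    <appendToFile value="true" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date [%thread] %-5level %logger - %message%newline" />
    </layout>
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="RollingFile" />
  </root>
</log4net>"""

# The same file with a DOCTYPE declaring an external entity (placeholder
# path). A loader that resolves external entities would read that file into
# the logging configuration; the audit rejects the document before parsing.
TAMPERED_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/path/to/sensitive.txt">
]>
<log4net>
  <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
    <file value="connector.log" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%message%newline">&leak;</conversionPattern>
    </layout>
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="RollingFile" />
  </root>
</log4net>"""


if __name__ == "__main__":
    print("safe    :", audit_xml_config(SAFE_CONFIG) or "no findings")
    print("tampered:", audit_xml_config(TAMPERED_CONFIG))
```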


  10. Critical Vulnerability in Lexmark Printers
    Path Traversal and Concurrent Execution Flaw Enables Remote Code Execution on Lexmark Devices

Lexmark has disclosed a critical vulnerability (CVE-2025-1127) affecting a wide range of its printer models. The flaw stems from a combination of Path Traversal and Concurrent Execution issues in the embedded web server, which may allow unauthenticated remote attackers to execute arbitrary code. This could result in full device compromise, unauthorized network access, data theft, or lateral movement within the organization.

Key Details:
CVE ID: CVE-2025-1127
CVSS Score: 9.1 (Critical)
Vulnerability Type: Path Traversal + Concurrent Execution
Impact: Remote Code Execution (RCE), Network Pivoting, Document Theft
Attack Vector: Remote, unauthenticated via embedded web server
Affected Firmware Versions: ≤ .240.205
Impacted Printer Models: CX950, MX953, CX961, CS963, MS531, CX532, CX930, MX931, MS622, MX421, XM1246, CS720, CX820, CS921, and others
Fixed Firmware Version: .240.206 or later

Recommendations:
• Audit Lexmark devices to identify outdated firmware
• Upgrade all impacted printers to firmware version .240.206 or newer
• Enforce strong administrative credentials across all printer interfaces
• Monitor network activity from printer IPs for suspicious behavior
• Follow Lexmark’s official advisories for ongoing updates

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1127


  11. Security Updates – Atlassian Products
    Multiple High-Severity Vulnerabilities Across Jira, Confluence, Bamboo, and Other Atlassian Tools

Atlassian has released its May 2025 Security Bulletin, disclosing several high-severity vulnerabilities affecting Jira Software, Jira Service Management, Confluence, Bamboo, and Fisheye/Crucible. These vulnerabilities were discovered through Atlassian’s bug bounty program and internal security assessments. They include denial-of-service (DoS) risks caused by third-party dependencies and privilege escalation flaws in Jira components. If left unpatched, these vulnerabilities could lead to service disruption or unauthorized access in enterprise environments.

Key issues include:

  • CVE-2025-31650: A DoS vulnerability via Apache Tomcat’s tomcat-coyote, impacting Bamboo and Confluence.
  • CVE-2024-47072: A DoS issue in xstream, affecting Confluence.
  • CVE-2024-57699: A DoS vulnerability in json-smart, impacting Fisheye/Crucible.
  • CVE-2025-24970: A DoS vulnerability in netty-handler, affecting Jira Software and Jira Service Management.
  • CVE-2025-22157: A privilege escalation flaw impacting Jira Software and Jira Service Management.

Fixed versions include:

  • Bamboo: 11.0.1 (DC), 10.2.4 (LTS), 9.6.13 (LTS)
  • Confluence: 9.4.1 (DC), 9.2.4 (LTS), 8.5.22 (LTS)
  • Fisheye/Crucible: 4.9.1
  • Jira Software: 10.6.0 (DC), 10.3.6 (LTS), 9.12.23 (LTS)
  • Jira Service Management: 10.6.0 (DC), 10.3.6 (LTS), 5.12.23 (LTS)

Recommendations:
Organizations are advised to patch all affected systems immediately. Prioritize updates for externally exposed environments. Monitor logs for unusual activity that could indicate exploitation attempts. If patching is delayed, consider deploying WAF rules to block known attack vectors.

Reference:
Atlassian Security Bulletin – May 2025


  12. Actively Exploited Vulnerability in DrayTek Routers
    Remote Code Execution via Web Management Interface (CVE-2024-12987)

A high-severity remote code execution vulnerability has been identified in the web management interface of DrayTek Vigor2960 and Vigor300B routers running firmware version 1.5.1.4 or earlier. The flaw, tracked as CVE-2024-12987, resides in the /cgi-bin/mainfunction.cgi/apmcfgupload CGI script, where improper handling of the session parameter allows unauthenticated attackers to perform OS command injection.

This vulnerability enables remote unauthenticated threat actors to execute arbitrary commands on the affected routers’ operating systems, potentially compromising the devices and exposing internal networks. Public proof-of-concept (PoC) exploits are available, and active exploitation has already been reported in the wild.

Key Details:

  • CVE ID: CVE-2024-12987
  • CVSS v3.1 Score: 7.3 (High)
  • Affected Devices: DrayTek Vigor2960 and Vigor300B (Firmware ≤ 1.5.1.4)
  • Vulnerability Type: OS Command Injection (CWE-77, CWE-78)
  • Attack Vector: Remote, unauthenticated
  • Exploit Status: Publicly disclosed with active exploitation
  • Fixed Version: 1.5.1.5 and later

Recommendations:

  • Immediately upgrade all Vigor2960 and Vigor300B routers to firmware version 1.5.1.5 or later.
  • Restrict web management interface access to trusted IPs using firewall policies or IP whitelisting.
  • Monitor network traffic for suspicious activity targeting DrayTek web interfaces.

Reference:
CVE-2024-12987 Record


  13. High Severity XSS Vulnerability in Grafana (CVE-2025-4123)

The UAE Cyber Security Council has observed a high-severity cross-site scripting (XSS) vulnerability in Grafana, which could be exploited to execute malicious code in a victim’s browser, redirect users to malicious websites, and potentially lead to session hijacking or account takeover. The flaw also poses a Server-Side Request Forgery (SSRF) risk if the Image Renderer plugin is installed.

This vulnerability stems from improper handling of client path traversal and open redirects in custom frontend plugins. Attackers can exploit the flaw without requiring editor permissions, especially in environments where anonymous access is enabled.

Key Details:

  • CVE ID: CVE-2025-4123
  • CVSS Score: 7.6 (High)
  • Vulnerability Type: Reflected Cross-Site Scripting (XSS), Open Redirect, Client Path Traversal
  • Impact: Arbitrary JavaScript execution, user redirection, session hijacking, account takeover, and SSRF (if renderer plugin is used)
  • Attack Vector: Crafted malicious URLs
  • Affected Versions: Grafana 8.0 and later, including 12.0, 11.6, 11.5, 11.4, 11.3, 11.2

Fixed Versions:

  • Grafana 12.0.0+security-01
  • Grafana 11.6.1+security-01
  • Grafana 11.5.4+security-01
  • Grafana 11.4.4+security-01
  • Grafana 11.3.6+security-01
  • Grafana 11.2.9+security-01
  • Grafana 10.4.18+security-01

Recommendations:

  • Upgrade Grafana to the nearest patched version listed above.
  • Disable anonymous access if not required.
  • If the Grafana Image Renderer plugin is installed, monitor for signs of SSRF exploitation.
  • Educate users to avoid clicking on unexpected Grafana URLs from unknown sources.

Reference:
Grafana Security Bulletin – CVE-2025-4123


  14. HTTPBot: New Windows-Based DDoS Botnet Targeting Gaming and Tech Portals

HTTPBot is a newly discovered botnet: Windows-native distributed denial-of-service (DDoS) malware written in Go. Unlike traditional IoT or Linux-based botnets, HTTPBot focuses on application-layer attacks using realistic, stealthy HTTP traffic that mimics genuine users. Since April 2025, it has targeted gaming, tech, and education websites, especially in China, with low-volume but high-impact traffic.

Key Characteristics:

  • Platform: Windows (requires Windows 8 or newer)
  • Stealth Tactics:
    • Disables GUI and auto-launches via registry
    • Uses Base64-encoded traffic and URL rotation
  • C2 Communication: Bot connects to a command-and-control server for attack instructions including method, target, duration, and ID
  • Layer 7 DDoS Techniques:
    • BrowserAttack: Launches hidden Chrome sessions
    • HttpAutoAttack and CookieAttack: Replays cookies and emulates real user behavior
    • HttpFpDlAttack: Exploits HTTP/2 to simulate large downloads
    • WebSocketAttack: Uses WebSocket protocols to exhaust backend resources
    • PostAttack: Sends POST requests to overwhelm API endpoints

Why It Matters:
HTTPBot aims to degrade backend systems of gaming and payment portals by targeting login and transaction APIs with realistic traffic, often escaping detection. The attacks are timed and distributed, suggesting automated orchestration.

Defensive Recommendations:

  • Patch Windows systems: Ensure desktops and servers are running updated versions to prevent compromise.
  • Monitor API behavior: Track payload patterns, session cookies, and WebSocket anomalies.
  • Deploy Layer 7-aware security: Use WAFs and behavioral anomaly detection tools to identify and block synthetic application traffic.

Reference:
FastNetMon Advisory – HTTPBot
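As an added example (not FastNetMon or HTTPBot code), the following Python detection runs over constructed access-log lines and flags the two behaviours the advisory names, a session cookie replayed from many client IPs (CookieAttack) and POST bursts against API endpoints from one client (PostAttack); the `sid=` field appended to the combined log format and the thresholds are assumptions to tune against real baseline traffic.

```python
"""Detection sketch for HTTPBot-style Layer 7 floods over web access logs.

Added example, not FastNetMon or HTTPBot code. Log lines are in combined
format with the session cookie appended as ``sid=<value>`` (an assumed
logging setup); sample traffic is constructed inside build_sample_log().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)
API_PREFIX = "/api/"   # assumed prefix of login/transaction endpoints


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect_l7_abuse(lines, window=timedelta(seconds=10), post_threshold=20, ip_fanout=3):
    """Return {'post_flood': set(ips), 'cookie_replay': {sid: set(ips)}}.
    Thresholds are assumptions; HTTPBot keeps volume low, so the cookie
    fan-out rule is the more robust of the two signals."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    # Rule 1 (CookieAttack): one session cookie presented from >= ip_fanout
    # distinct clients. Real users change IP occasionally; a bot fleet replaying
    # a harvested cookie shows the same sid from many sources at once.
    ips_by_sid = defaultdict(set)
    for e in events:
        ips_by_sid[e["sid"]].add(e["ip"])
    cookie_replay = {sid: ips for sid, ips in ips_by_sid.items() if len(ips) >= ip_fanout}

    # Rule 2 (PostAttack): sliding window of POSTs to API paths per client IP.
    recent = defaultdict(deque)
    post_flood = set()
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith(API_PREFIX):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= post_threshold:
            post_flood.add(e["ip"])
    return {"post_flood": post_flood, "cookie_replay": cookie_replay}


def build_sample_log():
    """Constructed traffic: three bots replay one cookie against the login API,
    25 POSTs each inside 10 s; one real user makes three ordinary requests."""
    t0 = datetime(2025, 5, 20, 10, 0, 0)
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for bot_ip in ("198.51.100.11", "198.51.100.12", "198.51.100.13"):
        for i in range(25):
            ts = (t0 + timedelta(milliseconds=400 * i)).strftime(fmt)
            lines.append(f'{bot_ip} - - [{ts}] "POST /api/login HTTP/1.1" 401 512 '
                         f'"-" "{ua}" sid=replayed-cookie')
    for i, path in enumerate(("/", "/api/login", "/dashboard")):
        ts = (t0 + timedelta(seconds=3 * i)).strftime(fmt)
        method = "POST" if path == "/api/login" else "GET"
        lines.append(f'203.0.113.7 - - [{ts}] "{method} {path} HTTP/1.1" 200 1024 '
                     f'"-" "{ua}" sid=user-session-7')
    return lines


if __name__ == "__main__":
    result = detect_l7_abuse(build_sample_log())
    print("POST flood from:", sorted(result["post_flood"]))
    print("replayed cookies:", {k: sorted(v) for k, v in result["cookie_replay"].items()})
```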


  15. Trojanised KeePass Password Manager Used in Targeted Malware Campaign

An advanced malware campaign has been observed leveraging a trojanised version of KeePass, an open-source password manager. The malicious variant, dubbed KeeLoader, embeds Cobalt Strike payloads into modified KeePass installers distributed via malvertising and typosquatting domains. Unlike earlier campaigns that dropped separate malware, this operation involved recompiling KeePass with malicious code and signing it with legitimate digital certificates.

Key Details:

  • Malware Name: KeeLoader
  • Delivery Method: Malvertising via Bing and DuckDuckGo search results
  • Technique: Modified KeePass source code embedded with RC4-encrypted Cobalt Strike beacon
  • Campaign Duration: At least 8 months
  • Attribution: Likely linked to Black Basta and BlackCat ransomware groups via Initial Access Brokers (IABs)

Functionality & Objectives:

  • Persistence: Achieved via malicious ShInstUtil.exe and autorun registry key with undocumented arguments
  • Data Theft: KeePass databases exported as CSVs and exfiltrated through beacons
  • Lateral Movement: Post-exploitation techniques include RDP, SMB, and SSH
  • Ransomware Preparation: Indicators such as ESXi targeting and victim ID tracking suggest ransomware deployment

Evasion & Stealth Techniques:

  • Code signed using stolen valid certificates (e.g., “S.R.L. INT-MCOM” and “MekoGuard Bytemin”)
  • KeePass binaries closely resemble legitimate versions
  • Payloads encrypted and only activated post-KeePass DB access

Recommendations:

  • Block all known malicious domains and URLs via DNS and firewall policies.
  • Verify authenticity of KeePass installers—only download from official KeePass sites.
  • Educate end-users on malvertising and software typosquatting risks.
  • Hunt for KeeLoader artifacts, such as suspicious autorun entries and unusual .csv exports.
  • Check certificates used to sign KeePass binaries and flag unusual signers.

Reference:
WithSecure Labs – KeePass Trojanised Malware Campaign


  16. Ransomware Campaign – VanHelsing Ransomware

FortiGuard Labs has identified a new ransomware strain named VanHelsing. This threat has rapidly spread across various industries, encrypting files and demanding ransom payments. It uses file extensions like .vanlocker and .vanhelsing, and employs TOR-based negotiation infrastructure for ransom communication. Victims face the threat of data exposure via a public data leak site if payment is not made.

Key Highlights:

  • Ransomware Name: VanHelsing
  • File Extensions: .vanlocker, .vanhelsing
  • Target Sectors: Manufacturing, government, industrial, and private enterprises
  • Persistence: Active as of April 2025, with seven known victims listed on their leak site

Execution & Spread Mechanism:

  • Supports command-line arguments:
    • -sftpPassword and -smbPassword: Spreads laterally over SFTP and SMB
    • -bypassAdmin, -noLogs, -nopriority: Obfuscation and system lock options
  • Modifies registry (Software\Classes\.vanlocker\DefaultIcon) and creates mutex Global\\VanHelsing
  • Avoids encrypting system-critical files and folders (e.g., Windows, Program Files, .exe, .dll)

Ransom Note & Behavior:

  • Drops ransom note: README.txt
  • Changes desktop wallpaper
  • Directs victims to a TOR negotiation portal

Infection Vector:

  • Likely via phishing, RDP brute force, or drive-by downloads
  • Uses code obfuscation and avoids detection through selective encryption

Recommendations:

  • Patch all systems and software to close known vulnerabilities
  • Disable SMB v1 and restrict SMB/SFTP to trusted sources
  • Enforce MFA on all remote and privileged accounts
  • Deploy phishing awareness programs and simulations
  • Perform frequent isolated and immutable backups
  • Monitor for known IOCs and mutex signatures via EDR/XDR
  • Apply Zero Trust access models and microsegmentation
  • Maintain and test ransomware-specific incident response playbooks

Reference:
Fortinet – Ransomware Roundup: VanHelsing


  17. LummaC2 Malware Campaign Targeting Organizations

LummaC2 malware campaigns are targeting organizations to exfiltrate sensitive data, including credentials, financial records, and personal identifiers. LummaC2, an info-stealer active since 2022, is distributed via phishing emails and malicious downloads. It employs stealthy in-memory execution, anti-analysis techniques, and encrypted C2 communication, making it difficult to detect using conventional defenses.

Key Highlights:

  • Threat Name: LummaC2
  • First Observed: 2022
  • Impact: Theft of credentials, MFA tokens, crypto wallets, browser data
  • Target Sectors: Government, energy, finance, transportation, healthcare
  • Delivery Methods: Spearphishing attachments, fake downloads, malvertising

MITRE ATT&CK Techniques:

  • Initial Access: Phishing (T1566), Spearphishing Attachments (T1566.001), Spearphishing Links (T1566.002)
  • Defense Evasion: Obfuscation (T1027), Masquerading (T1036), Decryption (T1140)
  • Discovery: Registry Query (T1012), Browser Info Theft (T1217)
  • Collection: Automated Collection (T1119)
  • Command & Control: Web Protocols (T1071.001), Tool Transfer (T1105)
  • Exfiltration: Data Exfiltration (TA0010), Native API Usage (T1106)

Notable Capabilities:

  • Uses fake CAPTCHAs to prompt clipboard script execution
  • Operates in-memory to bypass disk-based detection
  • Sends JSON-formatted data via encrypted POST to C2 servers
  • Performs lateral movement, screenshot capture, and self-deletion

Recommendations:

  1. Strengthen Email and Endpoint Security
    • Use advanced email filtering and modern EDR solutions.
    • Detect fileless malware and PowerShell-based threats.
  2. User Awareness
    • Educate users to recognize phishing and avoid suspicious downloads.
    • Report anomalies immediately to IT/security teams.
  3. Network and Access Hardening
    • Restrict outbound traffic to untrusted domains.
    • Implement least privilege and enforce MFA.
  4. Patch Management
    • Regularly patch OS, browsers, and commonly targeted applications.
  5. Incident Response Readiness
    • Ensure malware response playbooks are up-to-date and tested.
    • Monitor systems for known hashes and domain IOCs.


Reference:
CISA Advisory AA25-141B – LummaC2 Campaign

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai


© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.