Weekly Threat Landscape Digest – Week 37

HawkEye Cyber Fusion Center

This week’s threat landscape highlights the evolving sophistication of threat actors, who are increasingly targeting newly disclosed and unpatched vulnerabilities. From zero-day attacks to advanced phishing campaigns, their techniques continue to grow in complexity. To mitigate these risks, organizations must adopt a proactive, layered security approach. This includes timely patch management, continuous monitoring, and robust detection capabilities. Equally important is fostering a strong cybersecurity culture—one that is supported by real-time threat intelligence, ongoing awareness initiatives, and a well-defined incident response plan to minimize potential damage from emerging threats.

  1. Security Updates for Ivanti Products (CVE-2025-55145, CVE-2025-55147, CVE-2025-55148, CVE-2025-55141, CVE-2025-55142, CVE-2025-9712, CVE-2025-9872, CVE-2025-8712, CVE-2025-8711, CVE-2025-55146, CVE-2025-55139, CVE-2025-55143, CVE-2025-55144)
    Ivanti has released patches addressing multiple high- and medium-severity vulnerabilities across Connect Secure, Policy Secure, ZTA Gateways, Neurons for Secure Access, and Endpoint Manager. Exploitation could allow privilege escalation, unauthorized configuration changes, remote code execution, and denial-of-service.

Vulnerability Details:

  1. CVE-2025-55145 – CVSS 8.9
    o Severity: High
    o Impact: Missing authorization allows remote authenticated attackers to hijack HTML5 connections.
  2. CVE-2025-55147 – CVSS 8.8
    o Severity: High
    o Impact: CSRF flaw enabling remote unauthenticated attackers to perform sensitive actions.
  3. CVE-2025-55148 – CVSS 7.6
    o Severity: High
    o Impact: Authorization bypass allowing restricted configuration by read-only admins.
  4. CVE-2025-55141 / CVE-2025-55142 – CVSS 8.8
    o Severity: High
    o Impact: Authentication configuration changes possible by read-only admins.
  5. CVE-2025-9712 / CVE-2025-9872 – CVSS 8.8
    o Severity: High
    o Impact: RCE via insufficient filename validation in Endpoint Manager.
  6. Medium-severity flaws (CVE-2025-8712, CVE-2025-8711, CVE-2025-55146, CVE-2025-55139, CVE-2025-55143, CVE-2025-55144) allow limited privilege escalation, SSRF, DoS, or injection.

Affected Versions:
• Ivanti Connect Secure: 22.7R2.8 and earlier → Fixed in 22.7R2.9 / 22.8R2
• Ivanti Policy Secure: 22.7R1.4 and earlier → Fixed in 22.7R1.5
• ZTA Gateways: 22.8R2.2 → Fixed in 22.8R2.3-723
• Neurons for Secure Access: 22.8R1.3 and earlier → Cloud auto-patched
• Endpoint Manager: 2022 SU8 Security Update 1 / 2024 SU3 and prior → Fixed in 2022 SU8 SR2, 2024 SU3 SR1

Recommendations:
• Upgrade immediately to patched versions
• Enforce least privilege for admin accounts
• Monitor logs for HTML5 hijacking or suspicious file operations
• Segment Ivanti appliances to reduce lateral movement risk

Reference:
https://www.ivanti.com/blog/september-2025-security-update

  2. Security Update for Palo Alto Networks User-ID Agent (CVE-2025-4235)
    Palo Alto Networks disclosed a flaw in the User-ID Credential Agent for Windows that may expose service account passwords in cleartext under certain non-default configurations. Exploitation could result in privilege escalation or policy bypass.

Vulnerability Details:

  1. CVE-2025-4235 – CVSS 4.2
    o Severity: Medium
    o Impact: Service account credentials exposed in cleartext, enabling privilege escalation.

Affected Versions:
• All versions prior to 11.0.3 are affected
• Versions 11.0.0 through 11.0.1-104 are not affected

Recommendations:
• Upgrade to version 11.0.3 or later
• Rotate service account credentials
• Apply least privilege principles and restrict elevated roles
• Audit logs for abnormal agent restarts and credential use

Reference:
https://gbhackers.com/palo-alto-networks-user-id-agent-flaw/
https://security.paloaltonetworks.com/CVE-2025-4235

  3. Security Updates for Cisco IOS XR (CVE-2025-20248, CVE-2025-20340, CVE-2025-20159)
    Cisco has patched three vulnerabilities in IOS XR that could allow ISO image tampering, denial-of-service, or ACL bypass.

Vulnerability Details:

  1. CVE-2025-20248 – CVSS 6.0
    o Severity: High
    o Impact: Unsigned ISO images can be installed due to improper signature verification.
  2. CVE-2025-20340 – CVSS 7.4
    o Severity: High
    o Impact: ARP flooding on management interfaces causes denial-of-service.
  3. CVE-2025-20159 – CVSS 5.3
    o Severity: Medium
    o Impact: ACL bypass for SSH, NetConf, and gRPC traffic.

Recommendations:
• Apply Cisco’s latest patches immediately
• Limit exposure of management interfaces to trusted networks
• Monitor traffic for ARP floods and unauthorized management connections
• Validate ISO images before deployment

Reference:
https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75549
https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities/

  4. Microsoft September 2025 Patch Tuesday (80 CVEs)
    Microsoft released updates for 80 vulnerabilities across Windows, Office, Azure, Hyper-V, SQL Server, and more. Eight are rated Critical, with several marked “Exploitation More Likely” and one publicly disclosed.

Vulnerability Details (Selected):

  1. CVE-2025-55234 – CVSS 8.8
    o Severity: Important
    o Impact: Publicly disclosed SMB Elevation of Privilege flaw.
  2. CVE-2025-54918 – CVSS 8.8
    o Severity: Critical
    o Impact: NTLM Elevation of Privilege, marked as “Exploitation More Likely.”
  3. CVE-2025-54916 – CVSS 7.8
    o Severity: Important
    o Impact: NTFS Remote Code Execution.
  4. CVE-2025-54910 – CVSS 8.4
    o Severity: Critical
    o Impact: Office RCE via malicious documents (including Outlook Preview Pane).
  5. CVE-2025-54897 – CVSS 8.8
    o Severity: Important
    o Impact: SharePoint RCE by any authenticated user.
  6. CVE-2025-55224 – CVSS 7.8
    o Severity: Critical
    o Impact: Hyper-V RCE enabling guest-to-host compromise.

Recommendations:
• Apply September 2025 Microsoft patches immediately
• Prioritize CVE-2025-55234 (SMB) and CVE-2025-54918 (NTLM)
• Monitor for suspicious SMB and NTLM activity
• Block Office macros and disable Preview Pane

Reference:
https://www.tenable.com/blog/microsofts-september-2025-patch-tuesday-addresses-80-cves-cve-2025-55234
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2025-Sep

  5. Chrome Security Update – Critical Remote Code Execution (CVE-2025-10200, CVE-2025-10201)
    Google released urgent fixes for two serious Chrome vulnerabilities, including a critical use-after-free that can lead to remote code execution simply by visiting a malicious webpage. A second flaw in Mojo could enable sandbox escape and privilege escalation.

Vulnerability Details:

  1. CVE-2025-10200 – Use-After-Free in ServiceWorker
    o Severity: Critical
    o Impact: Remote Code Execution via crafted webpages.
  2. CVE-2025-10201 – Inappropriate Implementation in Mojo
    o Severity: High
    o Impact: Potential sandbox escape and privilege escalation.

Affected Versions:
• Chrome prior to the following Stable Channel builds:
– Windows: 140.0.7339.127/.128
– Mac: 140.0.7339.132/.133
– Linux: 140.0.7339.127

Recommendations:
• Update Chrome to the latest stable version and relaunch the browser
• Enable/verify automatic updates in managed environments
• Monitor endpoints for abnormal browser crashes or memory anomalies

Reference:
https://cybersecuritynews.com/chrome-remote-code-execution-vulnerability/
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html

  6. Adobe Commerce / Magento – SessionReaper Account Takeover (CVE-2025-54236)
    Adobe disclosed a critical improper input validation flaw in the Commerce REST API that can enable takeover of customer accounts (alias “SessionReaper”). While no active exploitation is reported, risk is high across Commerce, Commerce B2B, and Magento Open Source.

Vulnerability Details:

  1. CVE-2025-54236 – “SessionReaper”
    o Severity: Critical (CVSS 9.1)
    o Impact: Full customer account takeover via crafted API calls (session handling + nested deserialization bugs).

Affected Versions:
• Adobe Commerce: 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier
• Adobe Commerce B2B: 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier
• Magento Open Source: 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier
• Custom Attributes Serializable Module: 0.1.0–0.4.0

Recommendations:
• Apply Adobe’s hotfixes or upgrade to patched versions immediately
• Enable updated WAF rules; enforce MFA for admin accounts
• Review session handling configuration (file/Redis/DB) and audit API logs for anomalies
• Remove unsupported extensions and keep modules up to date

Reference:
https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html
https://helpx.adobe.com/security/products/magento/apsb25-88.html

  7. Tenable Confirms Data Breach – Salesforce & Salesloft Drift OAuth Campaign
    Tenable confirmed limited exposure of customer contact details and support case metadata after an OAuth token abuse campaign targeting Salesforce integrations (UNC6395). Core products were not affected; the event underscores third-party SaaS integration risks.

Vulnerability Details:

  1. OAuth Token Abuse in Salesforce Integrations
    o Severity: High (exposure + supply-chain vector)
    o Impact: Access to contact data and support case metadata; potential for targeted phishing.
  2. Campaign Scope
    o Impacted >700 organizations; related reports include Palo Alto Networks, Zscaler, Google, Cloudflare, PagerDuty (extent varies by org).
  3. Tenable Response
    o Revoked/rotated credentials; removed Drift apps; hardened Salesforce; implemented shared IoCs; notified customers.

Affected Versions:
• N/A (SaaS OAuth integrations and connected apps rather than product versions)

Recommendations:
• Audit all Salesforce connected apps and revoke unused/overbroad OAuth tokens
• Rotate Salesforce/API/integration credentials; restrict app scopes and enforce IP allow-lists
• Review Event Monitoring logs for suspicious SOQL/API usage and bulk exports
• Monitor for phishing leveraging exposed contact details

Reference:
https://cybersecuritynews.com/tenable-confirms-data-breach/
https://www.tenable.com/blog/tenable-response-to-salesforce-and-salesloft-drift-incident
https://gbhackers.com/tenable-data-breach-confirmed/

  8. High-Severity RCE in Progress OpenEdge AdminServer (CVE-2025-7388)
    Progress fixed a high-severity RCE in the OpenEdge AdminServer’s Java RMI interface. Improper handling of the workDir parameter in the -w jvmStart argument allows command injection; AdminServer often runs with elevated privileges, magnifying impact.

Vulnerability Details:

  1. CVE-2025-7388 – Java RMI Command Injection
    o Severity: High (CVSS 8.4)
    o Impact: Remote OS command execution; configuration manipulation; potential full system compromise.

Affected Versions:
• Vulnerable: OpenEdge 12.2.17 and earlier; 12.8.8 and earlier
• Fixed: OpenEdge LTS 12.2.18 and 12.8.9

Recommendations:
• Upgrade to 12.2.18 or 12.8.9 immediately
• Restrict AdminServer RMI exposure to trusted IPs/internal networks only
• Run with least privileges; monitor for unusual RMI operations or command executions
• Apply strict network segmentation and firewalling around AdminServer

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-7388

  9. High-Severity COOP Vulnerability in pgAdmin (CVE-2025-9636)
    A vulnerability in pgAdmin’s OAuth authentication flow could allow attackers to manipulate the Cross-Origin Opener Policy (COOP) and bypass security controls, resulting in account takeover or privilege escalation. Exploitation requires low privileges and limited user interaction.

Vulnerability Details:

  1. CVE-2025-9636 – OAuth COOP Bypass
    o Severity: High (CVSS 7.9)
    o Impact: Unauthorized access, potential account takeover, and privilege escalation.

Affected Versions:
• pgAdmin 9.7 and earlier → Fixed in 9.8

Recommendations:
• Upgrade to pgAdmin 9.8 or newer
• Enforce MFA for all administrative accounts
• Restrict OAuth integrations to trusted identity providers
• Limit access to pgAdmin to trusted networks/VPNs
• Review authentication logs for unusual login attempts

Reference:
https://github.com/advisories/GHSA-6859-2qxq-ffv2

  10. Jenkins Security Advisory – Multiple Plugin Vulnerabilities (CVE-2025-58458, CVE-2025-7962, CVE-2025-58459, CVE-2025-58460)
    Jenkins released patches for several plugins addressing vulnerabilities that could lead to information disclosure, SMTP command injection, unauthorized access to build graphs, and credential capture.

Vulnerability Details:

  1. CVE-2025-58458 – Git Client Plugin
    o Severity: Medium
    o Impact: File system information disclosure via crafted requests.
  2. CVE-2025-7962 – Jakarta Mail API Plugin
    o Severity: Medium
    o Impact: SMTP command injection through recipient field manipulation.
  3. CVE-2025-58459 – global-build-stats Plugin
    o Severity: Medium
    o Impact: Missing permission checks allow enumeration of build graphs.
  4. CVE-2025-58460 – OpenTelemetry Plugin
    o Severity: Medium
    o Impact: Attackers could capture stored credentials by forcing connections to malicious URLs.

Affected Versions:
• Git Client Plugin ≤ 6.3.2 → Fixed in 6.3.3
• Jakarta Mail API Plugin ≤ 2.1.3-2 → Fixed in 2.1.3-3
• global-build-stats Plugin ≤ 322.v22f4db_18e2dd → Fixed in 347.v32a_eb_0493c4f
• OpenTelemetry Plugin ≤ 3.1543.v8446b_92b_cd64 → Fixed in 3.1543.1545.vf5a_4ec123769

Recommendations:
• Upgrade all vulnerable plugins to their fixed versions
• Apply least privilege principles to Jenkins roles and permissions
• Monitor Jenkins logs for unusual plugin activity or credential validation attempts
• Remove unused plugins to reduce attack surface
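The fixed plugin versions above mix classic dotted versions with Jenkins' CD-style versions (a numeric prefix followed by ".v" and a hash), which trips up naive string comparison. The script below is an added example, not part of the Jenkins advisory or the Jenkins project: it compares an installed plugin inventory against the advisory's fixed versions by ordering only the numeric components. The plugin short names used as keys (git-client, jakarta-mail-api, global-build-stats, opentelemetry) are assumed identifiers, and the sample inventory is constructed.

```python
"""Flag Jenkins plugins still below the fixed versions from the 2025-09-03 advisory.
Added example; not Jenkins project code."""
import re

# First fixed version per plugin, as listed in the advisory. The short names
# are assumed plugin identifiers (the advisory text uses display names).
FIXED_VERSIONS = {
    "git-client": "6.3.3",
    "jakarta-mail-api": "2.1.3-3",
    "global-build-stats": "347.v32a_eb_0493c4f",
    "opentelemetry": "3.1543.1545.vf5a_4ec123769",
}


def version_key(version):
    """Turn a Jenkins plugin version into a tuple that sorts correctly.

    Classic versions look like "6.3.2" or "2.1.3-2"; CD-style versions look
    like "322.v22f4db_18e2dd", where everything before ".v<hash>" is a
    monotonically increasing numeric prefix. Only the numeric components are
    compared; the hash suffix carries no ordering information.
    """
    prefix = re.split(r"\.v[0-9a-f_]+", version, maxsplit=1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", prefix))


def is_vulnerable(plugin, installed):
    """True when the installed version is older than the first fixed version."""
    fixed = FIXED_VERSIONS.get(plugin)
    if fixed is None:
        return False  # plugin not covered by this advisory
    return version_key(installed) < version_key(fixed)


def check_plugins(installed):
    """installed maps plugin short name -> installed version (for example from
    the controller's /pluginManager/api/json?depth=1 output). Returns the
    sorted names of plugins still at an affected version."""
    return sorted(name for name, ver in installed.items() if is_vulnerable(name, ver))


# Constructed sample inventory: three plugins behind, one already fixed,
# one unrelated plugin.
SAMPLE_INVENTORY = {
    "git-client": "6.3.2",
    "jakarta-mail-api": "2.1.3-3",
    "global-build-stats": "322.v22f4db_18e2dd",
    "opentelemetry": "3.1543.v8446b_92b_cd64",
    "credentials": "1405.vb_cda_74a_f8974",
}

if __name__ == "__main__":
    for name in check_plugins(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is below fixed {FIXED_VERSIONS[name]}")
```

Running it on the sample inventory reports git-client, global-build-stats and opentelemetry; jakarta-mail-api is already at its fixed version. The same numeric-prefix comparison works for any other Jenkins plugin advisory, since all plugin versions follow one of the two formats handled here.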

Reference:
https://www.jenkins.io/security/advisory/2025-09-03/

  11. Actively Exploited Vulnerabilities in TP-Link Devices (CVE-2020-24363, CVE-2023-50224, CVE-2025-9377)
    Multiple vulnerabilities affecting TP-Link routers and range extenders are under active exploitation. Issues include authentication bypass, device reset, and OS command injection. Many affected devices are at End of Life (EoL) or End of Service (EoS), increasing risk.

Vulnerability Details:

  1. CVE-2020-24363 – TL-WA855RE
    o Severity: High
    o Impact: Reset to factory defaults and unauthorized admin password reset.
  2. CVE-2023-50224 – TL-WR841N
    o Severity: High
    o Impact: Authentication bypass and credential disclosure via httpd service.
  3. CVE-2025-9377 – Archer C7 / TL-WR841N/ND
    o Severity: High
    o Impact: OS command injection on Parental Control page enabling full device compromise.

Affected Versions:
• TP-Link TL-WA855RE (CVE-2020-24363)
• TP-Link TL-WR841N (CVE-2023-50224)
• TP-Link Archer C7 (EU), TL-WR841N/ND (MS) (CVE-2025-9377)

Recommendations:
• Apply vendor firmware updates where available
• Immediately discontinue use of unsupported/EoL devices
• Replace with supported hardware that receives regular patches
• Isolate consumer-grade devices on separate network segments
• Monitor for abnormal resets, traffic anomalies, or suspicious admin changes

Reference:
https://www.cve.org/CVERecord?id=CVE-2025-9377
https://www.cve.org/CVERecord?id=CVE-2023-50224
https://www.cve.org/CVERecord?id=CVE-2020-24363

  12. High-Severity Local Privilege Escalation in HPE M-Series Switches (CVE-2025-32463)
    HPE confirmed a high-severity vulnerability in M-Series switches running NVIDIA Cumulus software. Exploitation allows local users to elevate privileges to administrative level, leading to potential full device compromise.

Vulnerability Details:

  1. CVE-2025-32463 – Privilege Escalation
    o Severity: High (CVSS 7.8)
    o Impact: Local privilege escalation enabling unauthorized modification of routing/security policies, disruption of switch operations, and access to sensitive configurations.

Affected Versions:
• Impacted when running NVIDIA Cumulus 5.9.2 or 5.11.1
– SN4600cM, SN2100M, SN4700M, SN3700cM, SN3700M, SN3420M, SN2010M
• Fixed in Cumulus 5.9.3+ and 5.11.3+

Recommendations:
• Upgrade firmware to 5.9.3 or 5.11.3 and later
• Restrict local/physical access to trusted administrators
• Monitor device logs for privilege changes or unusual commands
• Enforce strong authentication and hardened access policies

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04945en_us&docLocal

  13. SonicWall SSL VPN Flaw and Misconfigurations Exploited by Akira Ransomware (CVE-2024-40766)
    Threat actors linked to the Akira ransomware group are actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access. Rapid7 observed increased attacks in recent months, leveraging both a year-old vulnerability and weak configurations.

Vulnerability Details:

  1. CVE-2024-40766 – Password Migration Flaw
    o Severity: Critical (CVSS 9.3)
    o Impact: Local user passwords carried over during migration were not reset, enabling unauthorized access.
  2. LDAP SSL VPN Default User Groups Misconfiguration
    o Severity: Critical (misuse vector)
    o Impact: All authenticated LDAP users automatically inherit local group privileges, bypassing intended AD-based access controls.
  3. Virtual Office Portal Exposure
    o Severity: High (configuration risk)
    o Impact: Attackers may configure MFA/TOTP if credentials are exposed, facilitating persistent access.

Recommendations:
• Rotate passwords on all SonicWall local accounts
• Remove unused or inactive local accounts
• Enable MFA/TOTP for all accounts and restrict Virtual Office Portal to internal access
• Review LDAP Default User Groups and enforce least-privilege group assignments
• Enable Botnet Filtering and enforce Account Lockout policies

Reference:
https://thehackernews.com/2025/09/sonicwall-ssl-vpn-flaw-and.html

  14. AsyncRAT Campaign Abusing ConnectWise ScreenConnect
    Threat actors are abusing ConnectWise ScreenConnect to deliver AsyncRAT via a multi-stage infection chain involving VBScript and PowerShell loaders. The malware is used to steal credentials, cryptocurrency wallets, and provide persistent remote access.

Vulnerability Details:

  1. Abuse of ScreenConnect for Initial Access
    o Severity: High
    o Impact: Attackers gain remote session access and execute trojanized installers delivered via phishing.
  2. Layered Loader Chain (VBScript + PowerShell)
    o Severity: High
    o Impact: Fileless persistence via a scheduled task masquerading as “Skype Updater”.
  3. AsyncRAT Payload (AsyncClient.exe)
    o Severity: High
    o Impact: Keystroke logging, credential theft (browsers + wallets), system fingerprinting, C2 communication over TCP.

C2 Infrastructure:
• 3osch20.duckdns[.]org (beacons for payloads and commands)

Recommendations:
• Restrict and monitor RMM software deployments (ScreenConnect)
• Inspect scheduled tasks for unauthorized entries (e.g., “Skype Updater”)
• Review outbound TCP connections to suspicious domains (DuckDNS, Pastebin)
• Harden phishing defenses and educate users on fake installer lures

Reference:
https://thehackernews.com/2025/09/asyncrat-exploits-connectwise.html

  15. Fake Madgicx Plus and SocialMetrics Browser Extensions Hijacking Meta Accounts
    Cybercriminals are distributing fake browser extensions through malvertising and counterfeit websites, designed to hijack Meta Business and Ads accounts.

Vulnerability Details:

  1. SocialMetrics Pro (Fake “Meta Verified” Extension)
    o Severity: High
    o Impact: Steals Facebook session cookies, sends to Telegram bot, bypasses verification controls.
  2. Madgicx Plus / Meta Ads SuperTool / Madgicx X Ads
    o Severity: High
    o Impact: Hijacks Meta Business sessions, injects arbitrary scripts, intercepts browsing data, steals credentials.
  3. Campaign Characteristics
    o Language/Attribution: Vietnamese-speaking threat actors; malicious ads bundled with video tutorials.
    o Targets: Meta advertisers and Facebook users seeking verification or ad optimization tools.

Affected Extensions:
• Madgicx Plus – ID: eoalbaojjblgndkffciljmiddhgjdldh
• Meta Ads SuperTool – ID: cpigbbjhchinhpamicodkkcpihjjjlia
• Madgicx X Ads – ID: cpigbbjhchinhpamicodkkcpihjjjlia

Recommendations:
• Remove listed malicious extensions immediately
• Monitor Meta Business accounts for unauthorized changes or ad spend anomalies
• Enforce MFA for Meta and Google linked accounts
• Educate users on risks of “Meta Verified” scams and malvertising lures
• Limit permissions granted to browser extensions to reduce exposure
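The extension IDs above are the most reliable handle for removal, because the same ID appears in every Chromium-based browser profile where the extension is installed (under Extensions/&lt;id&gt;/&lt;version&gt;/manifest.json). The script below is an added example, not part of the digest or any vendor tooling: it walks a profile directory, reads each extension's manifest name, and reports any ID from the list above. The sample profile it builds is constructed in a temporary directory so the script runs stand-alone; point it at a real profile directory to use it.

```python
"""Scan a Chromium-family browser profile for the malicious extension IDs
listed in the digest. Added example, not vendor code."""
import json
import os
import re
import tempfile

# Extension IDs as listed in the digest (the digest lists the same ID for
# Meta Ads SuperTool and Madgicx X Ads).
MALICIOUS_EXTENSION_IDS = {
    "eoalbaojjblgndkffciljmiddhgjdldh": "Madgicx Plus",
    "cpigbbjhchinhpamicodkkcpihjjjlia": "Meta Ads SuperTool / Madgicx X Ads",
}

# Chromium extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def installed_extensions(profile_dir):
    """Yield (extension_id, manifest name) for each extension unpacked under
    <profile>/Extensions/<id>/<version>/manifest.json."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        if not EXTENSION_ID_RE.match(ext_id):
            continue
        name = ""
        id_dir = os.path.join(ext_root, ext_id)
        for version in sorted(os.listdir(id_dir)):
            manifest = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(manifest):
                with open(manifest, encoding="utf-8") as fh:
                    name = json.load(fh).get("name", "")
                break
        yield ext_id, name


def find_malicious_extensions(profile_dir):
    """Return [(id, manifest name, digest label)] for every listed ID found."""
    hits = []
    for ext_id, name in installed_extensions(profile_dir):
        if ext_id in MALICIOUS_EXTENSION_IDS:
            hits.append((ext_id, name, MALICIOUS_EXTENSION_IDS[ext_id]))
    return hits


def build_sample_profile():
    """Constructed profile with one listed and one benign extension, so the
    scan can be demonstrated without touching a real browser profile."""
    profile = tempfile.mkdtemp(prefix="profile-")
    for ext_id, name in [
        ("eoalbaojjblgndkffciljmiddhgjdldh", "Madgicx Plus"),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Harmless Extension"),
    ]:
        version_dir = os.path.join(profile, "Extensions", ext_id, "1.0_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "manifest_version": 3}, fh)
    return profile


if __name__ == "__main__":
    for ext_id, name, label in find_malicious_extensions(build_sample_profile()):
        print(f"REMOVE {ext_id} ({name!r}) - listed in the digest as {label}")
```

Match on the ID, not the manifest name: the name is attacker-controlled and may also be a localisation placeholder such as `__MSG_appName__`, whereas the ID is derived from the extension's signing key and is what the listing above identifies.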

Reference:
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html

  16. Microsoft Teams Introduces Automatic Alerts for Malicious Links
    Microsoft is enhancing Teams security by introducing automatic warnings for malicious URLs shared in chats. This feature, part of Microsoft Defender for Office 365, protects users from phishing, malware, and spam by flagging harmful links in real time.

Feature Details:

  1. Malicious URL Detection
    o Scans links using Defender’s threat intelligence and machine learning.
    o Displays a warning banner in Teams chats when malicious links are detected.
  2. Zero-hour Auto Purge (ZAP) Integration
    o Retroactively flags links up to 48 hours post-delivery if later identified as malicious.
  3. Cross-Platform Support
    o Available on Teams desktop, web, Android, and iOS.

Availability:
• Public Preview: Early September 2025 (opt-in required).
• General Availability: Mid-November 2025 (enabled by default).

Recommendations:
• Admins should review Teams Admin Center messaging settings.
• Update internal documentation and inform IT staff of the rollout.
• Enable layered defense by combining Teams warnings with Safe Links.

Reference:
https://cybersecuritynews.com/microsoft-teams-malicious-links/

  17. Windows Defender Firewall Elevation of Privilege Vulnerabilities (CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, CVE-2025-54915)
    Microsoft patched four elevation of privilege flaws in Windows Defender Firewall. Exploitation could allow authenticated attackers to escalate privileges on affected systems.

Vulnerability Details:

  1. CVE-2025-54104, CVE-2025-54109, CVE-2025-54915 – Type Confusion Bugs
    o Severity: Important
    o Impact: Local privilege escalation from Medium Integrity Level to Local Service.
  2. CVE-2025-53808 – Elevation of Privilege
    o Severity: Important
    o Impact: Local Service-level access, enabling system manipulation.

Attack Prerequisites:
• Attacker must already have authenticated access.
• Exploitation requires membership in restricted user groups.

Recommendations:
• Apply September 2025 Microsoft updates immediately.
• Monitor system logs for privilege changes and service anomalies.
• Limit user privileges to minimize potential exposure.

Reference:
https://cybersecuritynews.com/windows-defender-firewall-vulnerabilities/

  18. Malware Campaign Using SVG Files to Deploy XWorm and Remcos RAT
    Threat actors are using SVG-based phishing attachments to deliver BAT loaders that deploy XWorm and Remcos RATs. The campaigns leverage obfuscation and fileless techniques for stealthy execution.

Attack Chain:

  1. Initial Vector: ZIP archive or SVG attachment (EML or phishing site).
  2. Loader: Obfuscated BAT script launching PowerShell.
  3. Evasion: Disables AMSI and ETW logging via memory patching.
  4. Payload: XWorm and Remcos RATs loaded directly into memory.

RAT Capabilities:
• Keylogging, screenshot capture, file manipulation.
• Credential and crypto wallet theft.
• Remote command execution and data exfiltration.

IoCs (Sample):
• D439CB98CF44D359C6ABCDDDB6E85454 – XWorm
• Further MD5 hashes for the loader and scripts are provided in the referenced report.

Recommendations:
• Block SVG attachments and enforce strict content inspection.
• Monitor for suspicious PowerShell and in-memory execution activity.
• Educate users about phishing and malicious attachments.

Reference:
https://gbhackers.com/xworm-and-remcos-rat/

  19. Sidewinder APT Exploits LNK Files for Espionage Operations
    APT group Sidewinder (APT-C-24 / “Rattlesnake”) is using malicious LNK files to deliver multi-stage payloads across South Asia, targeting government, energy, and defense sectors.

Vulnerability Details:

  1. Malicious LNK Shortcuts
    o Filename Masquerade: “file 1.docx.lnk” etc.
    o Executes obfuscated JScript via mshta.exe.
  2. Obfuscated C# Downloader
    o Performs system profiling (CPU, memory, AV checks).
    o Decodes and executes secondary payloads in memory.
  3. Infrastructure
    o C2 domains (e.g., policy.mail163cn.info) linked to IP 89.150.45.75.
    o Shares JARM fingerprints and hosting techniques with past Sidewinder ops.

Recommendations:
• Block mshta.exe where possible.
• Enforce execution restrictions on LNK files.
• Monitor outbound connections to known Sidewinder infrastructure.
• Deploy advanced endpoint monitoring and behavioral detection.
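Items 18 and 19 both start with a mail attachment whose name or container hides what it is: an SVG carrying a BAT loader, a ZIP wrapping a script, or an LNK shortcut named like a document (“file 1.docx.lnk”). The script below is an added example, not from either report or any vendor: it parses an RFC 822 message, classifies each attachment by its real extension chain, and looks inside ZIP payloads for script members. The message it triages is constructed inline with four attachments; the risky-extension lists are this example's own choice, not a list from the digest.

```python
"""Triage mail attachments for the lure types described in the digest:
SVG attachments, LNK shortcuts with document-like double extensions, and
scripts hidden in ZIP archives. Added example; constructed sample message."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extension lists chosen for this example.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".ps1", ".hta", ".lnk", ".svg"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}


def classify_name(filename):
    """Return a reason string when the filename is risky, else None."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last == ".lnk":
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            return "LNK shortcut masquerading as a document (double extension)"
        return "LNK shortcut attachment"
    if last == ".svg":
        return "SVG attachment (scriptable image format used as a phishing lure)"
    if last in SCRIPT_EXTENSIONS:
        return f"script attachment ({last})"
    return None


def classify_zip(data):
    """Report risky member names inside a ZIP payload without extracting it."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = classify_name(member)
                if reason:
                    reasons.append(f"{member}: {reason}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims to be a ZIP but does not parse")
    return reasons


def triage_message(raw_bytes):
    """Parse a message and return [(attachment name, reason), ...]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
        # Inspect by magic bytes as well as by name, so a renamed ZIP is not missed.
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            for zip_reason in classify_zip(payload):
                findings.append((name, zip_reason))
    return findings


def build_sample_message():
    """Constructed phishing-style message: SVG, masquerading LNK, a benign PDF
    and a ZIP containing a BAT file. Payloads are placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Documents"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"<svg xmlns='http://www.w3.org/2000/svg'/>",
                       maintype="image", subtype="svg+xml", filename="report.svg")
    msg.add_attachment(b"L\x00\x00\x00", maintype="application",
                       subtype="octet-stream", filename="file 1.docx.lnk")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.bat", "@echo off\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"{name}: {reason}")
```

On the sample message the triage flags report.svg, file 1.docx.lnk and the BAT inside archive.zip, and passes invoice.pdf. The ZIP check reads only the central directory, so nested content is never written to disk; the same name-based rules can be applied to files landing in download directories.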

Reference:
https://gbhackers.com/sidewinder-hackers/

  20. Buterat Backdoor Campaigns Targeting Enterprise Endpoints
    Buterat backdoor is being deployed in targeted attacks against enterprises and governments, using stealthy persistence, encrypted communications, and thread manipulation for long-term access.

Technical Details:

  1. Persistence: Registry modifications, disguised processes, dropped executables (amhost.exe, bmhost.exe, cmhost.exe, dmhost.exe, lqL1gG.exe).
  2. Evasion: Encrypted/obfuscated strings, API hijacking (SetThreadContext, ResumeThread).
  3. C2: ginomp3.mooo.com with HTTPS-like encrypted traffic and randomized timing.

Capabilities:
• Arbitrary command execution, lateral movement.
• Exfiltration of sensitive data.
• Deployment of secondary payloads.

IoCs:
• MD5: 5d73aad06259533c238f0cdb3280d5a8
• SHA-256: f50ec4cf0d0472a3e40ff8b9d713fb0995e648ecedf15082a88b6e6f1789cdab

Recommendations:
• Apply strict application allowlisting and endpoint monitoring.
• Block connections to ginomp3.mooo.com.
• Detect anomalies in SetThreadContext and ResumeThread usage.
• Conduct proactive threat hunting for Buterat persistence artifacts.
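Items 14, 18, 19 and 20 each publish indicators of a different kind: file hashes (XWorm, Buterat), C2 hostnames (AsyncRAT, Sidewinder, Buterat) and one C2 IP (Sidewinder). The script below is an added example, not from any of the referenced reports: it hashes files under a directory against the digest's hash list and matches DNS query records against the hostnames and IP, treating bare dynamic-DNS parents (DuckDNS, mooo.com) as low-confidence review items rather than hits. The DNS log format is constructed for this example (timestamp, client, query name, type, answer), as is the sample file used to exercise the hash scan.

```python
"""Match the file-hash and network indicators quoted in the digest against a
directory and a DNS query log. Added example; sample inputs are constructed."""
import hashlib
import os
import re
import tempfile

# Hashes quoted in items 18 and 20, normalised to lowercase hex.
FILE_HASHES = {
    "d439cb98cf44d359c6abcdddb6e85454": "XWorm (MD5)",
    "5d73aad06259533c238f0cdb3280d5a8": "Buterat (MD5)",
    "f50ec4cf0d0472a3e40ff8b9d713fb0995e648ecedf15082a88b6e6f1789cdab": "Buterat (SHA-256)",
}
# Hostnames and IP quoted in items 14, 19 and 20.
C2_DOMAINS = {
    "3osch20.duckdns.org": "AsyncRAT",
    "policy.mail163cn.info": "Sidewinder",
    "ginomp3.mooo.com": "Buterat",
}
C2_IPS = {"89.150.45.75": "Sidewinder"}
# Dynamic-DNS parents named in the recommendations; a query here is only
# a review item, since legitimate hosts use these services too.
DYNDNS_SUFFIXES = (".duckdns.org", ".mooo.com")


def hash_file(path):
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, hashes=FILE_HASHES):
    """Return [(path, label)] for every file whose MD5 or SHA-256 is listed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for digest in hash_file(path):
                if digest in hashes:
                    hits.append((path, hashes[digest]))
    return hits


def classify_query(qname, answer):
    """Return (confidence, label) for a DNS query, or None when clean."""
    host = qname.rstrip(".").lower()
    if host in C2_DOMAINS:
        return ("high", f"known C2 domain ({C2_DOMAINS[host]})")
    if answer in C2_IPS:
        return ("high", f"resolves to known C2 IP ({C2_IPS[answer]})")
    if host.endswith(DYNDNS_SUFFIXES):
        return ("low", "dynamic DNS domain, review")
    return None


def scan_dns_log(lines):
    """Constructed record format: <timestamp> <client> <qname> <qtype> <answer>.
    Returns [(timestamp, client, qname, confidence, label), ...]."""
    findings = []
    for line in lines:
        parts = re.split(r"\s+", line.strip())
        if len(parts) < 5:
            continue
        ts, client, qname, _qtype, answer = parts[:5]
        verdict = classify_query(qname, answer)
        if verdict:
            findings.append((ts, client, qname, *verdict))
    return findings


# Constructed DNS records: one known C2 name, one unrelated name resolving to
# the quoted C2 IP, one dynamic-DNS name, two clean queries.
SAMPLE_DNS_LOG = """\
2025-09-10T08:01:12Z 10.0.0.21 www.example.com A 203.0.113.10
2025-09-10T08:02:40Z 10.0.0.21 ginomp3.mooo.com A 203.0.113.7
2025-09-10T08:03:05Z 10.0.0.44 update.example.org A 198.51.100.9
2025-09-10T08:05:19Z 10.0.0.44 static.example.net A 89.150.45.75
2025-09-10T08:06:33Z 10.0.0.58 myhome.duckdns.org A 198.51.100.77
""".splitlines()

if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(*finding)
    # Demonstrate the hash scan on a constructed file and a constructed hash list.
    sample_dir = tempfile.mkdtemp(prefix="ioc-")
    sample = os.path.join(sample_dir, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample, not malware")
    md5, _ = hash_file(sample)
    print(scan_directory(sample_dir, {md5: "constructed test hash"}))
```

Hash matching is exact, so it finds only the samples the reports analysed; the DNS matcher is the more durable of the two because it catches any host on the quoted infrastructure, and the answer-IP check catches a new hostname parked on the Sidewinder address. Resolver, proxy or EDR logs can be fed in by mapping their fields onto the five columns the parser expects.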

Reference:
https://gbhackers.com/buterat-backdoor/

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.