Weekly Threat Landscape Digest – Week 39

1. Critical Flaw in Microsoft Azure Entra ID

A newly disclosed critical vulnerability (CVE-2025-55241, CVSS 10.0) in Microsoft Entra ID (formerly Azure AD) could have allowed attackers to compromise every tenant worldwide, including Microsoft 365 and Azure resources.

Vulnerability Details

• CVE-2025-55241 – Improper Authentication / Token Validation Failure
• Root Cause: Abuse of undocumented Actor tokens combined with weak tenant boundary validation in the Azure AD Graph API.
• Impact: Actor tokens allowed impersonation of any user—including Global Administrators—across tenants, bypassing Conditional Access. Tokens were valid for 24 hours, unrevokable, and left no logs.

Attack Path

• Obtain an Actor token in a lab tenant.
• Modify tenant ID to authenticate as arbitrary users.
• Bypass tenant-level security controls.
• Pivot via B2B trust relationships to achieve full global takeover.

Potential Impact

• Global tenant compromise (Microsoft 365, Azure workloads).
• Complete administrative takeover of organizations.
• Stealthy, logless cross-tenant attacks.

Status & Mitigation

• Microsoft has remediated the flaw, blocking Actor token abuse in Azure AD Graph.
• No customer-side patch required.
• Organizations should:
  • Review tenant configurations and trust relationships.
  • Audit logs for anomalies in guest/B2B access or privilege escalation (though Actor tokens leave minimal trace).
  • Ensure latest Entra ID configurations are applied.

Reference

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241

2. High-Severity Vulnerability in Salesforce CLI Installer

A high-severity vulnerability (CVE-2025-9844, CVSS 8.8) has been disclosed in the Salesforce Command Line Interface (CLI) installer (sf-x64.exe). Exploitation could lead to arbitrary code execution, privilege escalation, and full SYSTEM-level compromise of the affected host.

Vulnerability Details

• CVE-2025-9844 – Improper handling of executable file paths during installation
• Severity: High (CVSS 8.8)
• Affected Component: Salesforce CLI installer (sf-x64.exe)
• Affected Versions: Salesforce CLI versions prior to 2.106.6
• Impact: Attackers could execute arbitrary code, escalate privileges, and fully compromise affected systems.

Important Notes

• The issue only affects users who obtained the installer from untrusted sources.
• Customers who downloaded Salesforce CLI directly from the official Salesforce site are not impacted.

Mitigation Guidance

• Upgrade Immediately: Update Salesforce CLI to the latest secure version from the official Salesforce download site.
• Verify File Integrity: Check digital signatures and file checksums to ensure authenticity.
• Security Check: If Salesforce CLI was obtained from untrusted sources, conduct a full malware scan and review system logs for suspicious activity.

Reference

• https://help.salesforce.com/s/articleView?id=005224301&type=1

3. Security Updates – Google Chrome

Google has released a Stable Channel update for Chrome Desktop to address three high-severity vulnerabilities in the V8 JavaScript engine. If exploited, these flaws could lead to information leakage, integer overflows, memory corruption, and ultimately arbitrary code execution.

Vulnerability Details

• CVE-2025-10890 – Side-channel information leakage in V8 (Severity: High)
• CVE-2025-10891 – Integer overflow in V8 (Severity: High)
• CVE-2025-10892 – Integer overflow in V8 (Severity: High)

Fixed Versions

• Windows/Mac: 140.0.7339.207 / 140.0.7339.208
• Linux: 140.0.7339.207

Mitigation Guidance

• Immediate Update: All users and organizations should update Chrome Desktop to the latest fixed version.
• Monitoring: Review system activity for potential signs of exploitation, particularly targeting the V8 engine.
• Policy Enforcement: Ensure enterprise browsers are centrally managed and auto-update policies are enabled.

Reference

• https://chromereleases.googleblog.com/2025/09/stable-channel-update-fordesktop_23.html

4. Actively Exploited Vulnerability in Cisco SNMP

Cisco has issued an advisory for a critical SNMP subsystem vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software, which is under active exploitation in the wild. Attackers with SNMP credentials can trigger a stack overflow, potentially leading to denial of service (DoS) or remote code execution (RCE) as root, resulting in full device compromise.

Vulnerability Details

• CVE: CVE-2025-20352
• CWE: CWE-121 (Stack-based Buffer Overflow)
• CVSS v3.1 Score: 7.7 (High)
• Attack Vector: Remote (IPv4/IPv6)
• Impact:
  • DoS – Device reload
  • RCE – Arbitrary code execution as root
• Affected Products: Cisco IOS, IOS XE, Meraki MS390, Catalyst 9300 (Meraki CS 17 or earlier)
• Fixed Version: Cisco IOS XE Release 17.15.4a or later
• Exploitation Status: Confirmed active exploitation

Other Notable Cisco Vulnerabilities (Sept 24 Advisory Bundle)

• CVE-2025-20334 – IOS XE HTTP API Command Injection (CVSS 8.8, High)
• CVE-2025-20315 – IOS XE NBAR DoS (CVSS 8.6, High)
• CVE-2025-20160 – TACACS+ Authentication Bypass (CVSS 8.1, High)
• CVE-2025-20313/20314 – Secure Boot Bypass (CVSS 6.7, High)
• Several other medium-severity DoS, XSS, and ACL bypass issues.

Mitigation Guidance

• Upgrade immediately to fixed IOS/IOS XE versions.
• Where patching is delayed:
  • Restrict SNMP access and exclude vulnerable OIDs.
  • Reset compromised credentials.
  • Monitor logs for suspicious SNMP queries.

Reference

• https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75296

5. Critical Stored XSS Vulnerability in DNN Software Prompt Module

DNN Software has disclosed a critical stored cross-site scripting (XSS) vulnerability (CVE-2025-59545) in its Prompt module affecting all versions prior to 10.1.0. The flaw stems from improper handling of command execution and raw HTML rendering, enabling attackers to inject malicious scripts triggered by administrative commands.

Given that DNN powers over 750,000 websites worldwide, exploitation could result in administrative takeover, session hijacking, and complete compromise of portals.

Vulnerability Details

• CVE ID: CVE-2025-59545
• Severity: Critical (CVSS 9.1)
• Component: DNN Prompt Module
• Affected Versions: < 10.1.0
• Fixed Version: 10.1.0
• Attack Vector: Remote – Stored XSS via malicious commands
• Impact:
  • Hijack administrator/super-user sessions
  • Steal authentication tokens and cookies
  • Execute arbitrary JavaScript in victim browsers
  • Modify site content/configurations
  • Full compromise of DNN-powered portals

Mitigation Guidance

• Upgrade to DNN 10.1.0 or later immediately.
• Apply web application firewall (WAF) rules to block malicious script injections.
• Monitor admin activity logs for suspicious Prompt command executions.

Reference

• https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2qxc-mf4xwr29

6. Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk

A critical remote code execution vulnerability has been identified in SolarWinds Web Help Desk (WHD), tracked as CVE-2025-26399. The flaw arises from insecure deserialization of untrusted data in the AjaxProxy component, which can be exploited remotely without authentication. Successful exploitation allows an attacker to execute arbitrary commands on the host system, leading to a full compromise of the affected environment.

Vulnerability Details

• CVE ID: CVE-2025-26399
• Severity: Critical (CVSS 9.8)
• Type: Insecure Deserialization → RCE
• Attack Vector: Remote, network-based
• Affected Versions: SolarWinds Web Help Desk ≤ 12.8.7
• Fixed Version: SolarWinds Web Help Desk 12.8.7 HF1

Mitigation Guidance

• Upgrade immediately to the fixed version (12.8.7 HF1 or later).
• Restrict network access to WHD instances until patches are applied.
• Monitor logs for signs of abnormal process execution or unauthorized commands.

Reference

• https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399

7. SonicWall SMA 100 Update Addresses Rootkit Risks

SonicWall has released firmware v10.2.2.2-92sv for the SMA 100 Series, introducing enhanced file-checking capabilities to detect and remove known rootkit malware on vulnerable appliances. The update follows research by Google Threat Intelligence Group (GTIG), which warned of increased exploitation risks on outdated devices.

Organizations running SMA 210, SMA 410, and SMA 500v appliances must upgrade immediately. Without patching, systems remain exposed to rootkit persistence, unauthorized access, and lateral movement across enterprise networks.

Vulnerability Details

• Impacted Products: SMA 100 Series (SMA 210, SMA 410, SMA 500v)
• Impacted Versions: ≤ 10.2.1.15-81sv
• Not Affected: SMA 1000 Series and SSL-VPN on SonicWall firewalls
• Fixed Version: SMA 100 v10.2.2.2-92sv (and later)

Mitigation Guidance

• Upgrade all affected appliances to firmware v10.2.2.2-92sv or higher.
• Audit systems for signs of persistence or unauthorized access.
• Monitor logs for anomalies indicative of rootkit behavior.

Reference

• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0015

8. SonicWall Urges Credential Reset Following Configuration Backup Leak

SonicWall has issued a critical advisory after firewall configuration backups were leaked, potentially exposing administrator credentials, VPN secrets, and authentication details. If exploited, attackers could gain unauthorized access to networks and exfiltrate sensitive data.

Organizations are strongly urged to reset all credentials, disable WAN management interfaces, and regenerate VPN keys immediately. SonicWall has outlined a three-phase response framework — containment, remediation, and monitoring — to mitigate risks.

Vulnerability Details

• Issue: Exposure of SonicWall configuration backups containing sensitive credentials.
• Affected Products: SonicWall Firewalls (all models with configuration backups).
• Risk: Remote unauthorized access, data theft, and potential system compromise.

Mitigation Guidance

• Containment: Disable HTTP/HTTPS/SSH WAN management; restrict VPN services from WAN zones.
• Remediation: Reset admin passwords, regenerate VPN certificates and secrets, rebind TOTP, update LDAP/RADIUS credentials.
• Monitoring: Enable real-time logging, configure alerts for login anomalies, and integrate with SIEM. Maintain heightened monitoring for at least 30 days.

Reference

• https://www.sonicwall.com/support/knowledge-base/essential-credentialreset/250909151701590

9. Multiple Vulnerabilities in Spring Security and Spring Framework

Two medium-severity vulnerabilities have been disclosed in the Spring Framework and Spring Security libraries. Both flaws involve weaknesses in the annotation detection mechanism used for method-level security, which could allow attackers to bypass authorization checks and gain unauthorized access to secured methods.

If exploited, these issues could enable malicious users to invoke methods without proper permission validation, increasing the risk of privilege abuse and data exposure.

Vulnerability Details

• CVE-2025-41248 – Method-level security annotations on parameterized types may not be enforced, enabling bypass of authorization checks.
• CVE-2025-41249 – Annotation detection failures on unbounded generics can result in insecure inherited methods and access control bypass.

Fixed Versions

• Spring Security: 6.4.11, 6.5.5
• Spring Framework: 6.2.11, 6.1.23, 5.3.45

Mitigation Guidance

• Update to the patched versions immediately.
• Review applications for reliance on parameterized types or unbounded generic superclasses in method-level security.
• Conduct access control validation testing after applying updates.

References

• https://spring.io/security/cve-2025-41248
• https://spring.io/security/cve-2025-41249

10. Critical RCE Vulnerability in GoAnywhere MFT

Fortra has released an advisory about a critical deserialization flaw (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT). The issue resides in the License Servlet component and allows unauthenticated remote code execution (RCE) by forging a malicious license response.

With a CVSS score of 10.0 (Critical), exploitation could result in full system compromise, enabling attackers to exfiltrate sensitive files, deploy malware, or move laterally within enterprise networks.

Vulnerability Details

• CVE ID: CVE-2025-10035
• Severity: Critical (CVSS 10.0)
• Type: Deserialization of Untrusted Data → Remote Code Execution
• Component: License Servlet

Affected Versions

• GoAnywhere MFT < 7.8.4 (Latest Release)
• Sustain Release branch < 7.6.3

Mitigation Guidance

• Restrict Access: Do not expose the GoAnywhere Admin Console to the public internet; allow access only from trusted internal networks or via VPN.
• Upgrade Immediately:
  • Version 7.8.4 (Latest Release)
  • Version 7.6.3 (Sustain Release)

References

• https://www.fortra.com/security/advisories/product-security/fi-2025-012

11. High-Severity Path Traversal Vulnerability in Mattermost

A path traversal vulnerability has been disclosed in Mattermost Server, a widely used open-source collaboration and messaging platform. The flaw (CVE-2025-9079) arises from insufficient validation of the import directory path configuration and can lead to arbitrary code execution.

The issue carries a CVSS score of 8.7 (High) and affects multiple supported branches of Mattermost Server and its Go package. Successful exploitation requires admin privileges but could result in data disclosure, server takeover, and full compromise.

Vulnerability Details

• CVE ID: CVE-2025-9079
• Severity: High (CVSS 8.7)
• Type: Path Traversal → Arbitrary Code Execution
• Affected Packages:
  • github.com/mattermost/mattermost-server
  • github.com/mattermost/mattermost/server/v8

Affected Versions

• mattermost-server:
  • 10.8.0 – 10.8.3
  • 10.5.0 – 10.5.8
  • 9.11.0 – 9.11.17
  • 10.10.0 – 10.10.1
  • 10.9.0 – 10.9.3
• mattermost/server/v8:
  • Versions < 8.0.0-20250707221302-a8fa77f107ef

Patched Versions

• 10.8.4, 10.5.9, 9.11.18, 10.10.2, 10.9.4
• mattermost/server/[email protected]

Impact

• Confidentiality: High – Data disclosure
• Integrity: High – Data tampering / takeover
• Availability: High – System compromise

Mitigation Guidance

• Apply the patched versions immediately to eliminate exploitation risk.
• Limit admin access and monitor server logs for unusual import path activity.

Reference

• https://github.com/advisories/GHSA-qx3f-6vq3-8j8m

12. Critical Command Injection Vulnerability in Libraesva ESG

A critical command injection vulnerability (CVE-2025-59689) has been disclosed in Libraesva ESG, an enterprise-grade email security gateway. The flaw stems from improper sanitization during the removal of active code in compressed email attachments. Attackers can exploit this by sending a specially crafted archive via email, resulting in arbitrary command execution under a non-privileged account.

Libraesva has released emergency patches for all supported versions (5.0–5.5) and applied fixes automatically to both cloud and on-premise ESG appliances. However, legacy 4.x versions remain unprotected and require manual upgrades. At least one confirmed exploitation has been attributed to a state-sponsored threat actor, underscoring the urgency.

Vulnerability Details

• CVE ID: CVE-2025-59689
• Severity: Critical
• Type: Command Injection
• Affected Product: Libraesva ESG v4.5+
• Attack Vector: Malicious email with crafted compressed archive
• Impact: Arbitrary command execution (non-privileged user)
• Exploitation: Confirmed active exploitation

Affected and Fixed Versions

• ESG 5.0 → 5.0.31
• ESG 5.1 → 5.1.20
• ESG 5.2 → 5.2.31
• ESG 5.3 → 5.3.16
• ESG 5.4 → 5.4.8
• ESG 5.5 → 5.5.7
• Legacy < 5.0: End-of-Support (EOS) → manual upgrade to 5.x required
• Cloud appliances: Automatically patched

Mitigation Guidance

• Upgrade immediately to the fixed versions listed above.
• For legacy versions, migrate to 5.x as soon as possible.
• Review email gateway logs for suspicious archive processing activity.

Reference

• https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ 

13. Security Updates – ChromeOS

Google has released a Long-Term Support (LTS) update for ChromeOS addressing multiple vulnerabilities, including a critical use-after-free flaw in ServiceWorker and a medium-severity issue in File Picker. Exploitation could allow remote code execution, privilege escalation, or denial of service, making prompt updates essential.

Vulnerability Details

1. CVE-2025-8881 – Inappropriate Implementation in File Picker
   • Severity: Medium
   • Impact: Could bypass security restrictions or access unintended files.
   • Risk: Data exposure, unauthorized access.
2. CVE-2025-10200 – Use-After-Free in ServiceWorker
   • Severity: Critical
   • Impact: May enable RCE or privilege escalation.
   • Risk: Full device compromise, malicious code execution, persistence mechanisms.

Fixed Version

• ChromeOS LTS version 132.0.6834.244 (Platform Version: 16093.118.0)

Mitigation Guidance

• Upgrade all ChromeOS devices to the latest fixed version immediately.
• Monitor ChromeOS fleet for abnormal ServiceWorker or File Picker activity.
• Enforce strict patching policies across managed devices.

Reference

• https://chromereleases.googleblog.com/2025/09/long-term-support-channel-updatefor_19.html?=1

14. Critical Vulnerabilities – Delta Electronics DIALink

Multiple vulnerabilities have been identified in Delta Electronics DIALink, a widely used industrial networking tool. Exploitation could allow authentication bypass, unauthorized system access, disruption of industrial processes, and data theft. Given the severity, immediate patching is strongly advised.

Vulnerability Details

• CVE-2025-58320
  • Type: Path Traversal (Improper limitation of pathname)
  • CVSS v3.1: 7.3 (High)
  • Impact: Manipulation of file system access, partial bypass of security controls.
• CVE-2025-58321
  • Type: Path Traversal (Improper limitation of pathname)
  • CVSS v3.1: 10.0 (Critical)
  • Impact: Complete authentication bypass, unrestricted access to the system.

Potential Impact

• Unauthorized access to industrial systems
• Disruption of operational processes
• Theft of sensitive data
• Pivot into broader enterprise networks

Affected Products

• Delta Electronics DIALink V1.6.0.0 and prior

Fixed Versions

• Delta Electronics DIALink V1.8.0.0 and later

Mitigation Guidance

• Upgrade immediately to DIALink V1.8.0.0 or later.
• Do not expose control systems directly to the Internet.
• Place systems behind firewalls and isolate from business networks.
• Use secure remote access methods (e.g., VPNs) when necessary.

Reference

• https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-07

15. APT Activity – Nimbus Manticore (Iranian Threat Actor)

Check Point Research is tracking Nimbus Manticore, an Iranian APT group overlapping with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” campaigns, which continues to target critical infrastructure in Europe and the Middle East. Recent activity demonstrates advanced evasion tactics, sector-specific targeting, and alignment with IRGC strategic priorities.

Key Findings

• Attribution:
  • Iran-linked APT tracked as Nimbus Manticore / UNC1549 / Smoke Sandstorm.
  • Previously tied to the Iranian Dream Job phishing operations.
• Initial Access:
  • Tailored spear-phishing from fake HR recruiters.
  • Lures direct victims to career-themed portals impersonating aerospace and telecom firms (e.g., Boeing, Airbus, Rheinmetall, flydubai).
  • Each target receives unique credentials for tracking and controlled victim access.
• Malware Toolset:
  • Minibike (aka SlugResin / MiniJunk): Modular backdoor with DLL side-loading, obfuscation, junk code, and size inflation to evade detection.
  • MiniBrowse: Credential-stealer DLL targeting Chrome and Edge to exfiltrate stored browser passwords.
  • Advanced Obfuscation: LLVM compiler-level passes, encrypted strings, control-flow manipulation.
  • Code Signing: Samples signed with SSL.com certificates to evade AV detection.
• Infrastructure:
  • Domains hosted behind Cloudflare, combined with Azure App Service for resilience.
  • Uses multiple hardcoded HTTPS C2 servers with rotation fallback.
• Evasion Tactics:
  • Large padded binaries bypassing ML-based detection.
  • Alternate DLL load path abuse.
  • Exploiting antivirus scan limitations (time/size caps).
• Targeting:
  • Core focus: Middle East (Israel, UAE).
  • Expanded operations in Western Europe (Denmark, Sweden, Portugal).
  • Sectors: telecommunications, satellite providers, defense contractors, aerospace, and airlines.

Strategic Context

• Operations align with IRGC intelligence priorities.
• Campaign continued uninterrupted during the 12-day Israeli–Iranian conflict, indicating high operational resilience.
• Suggests dual motivation: espionage and long-term persistence.

Impact

• Theft of credentials and sensitive enterprise data.
• Persistent access to aerospace, defense, and telecom networks.
• Reduced visibility due to stealth obfuscation and code-signing.
• Increased risk of regional escalation given sector and geography focus.

Reference

• Check Point Research – Nimbus Manticore

16. APT Activity – Subtle Snail (Iranian Espionage Group)

Prodaft has detailed the activities of Subtle Snail (UNC1549), an Iran-nexus espionage group linked to Unyielding Wasp (Tortoiseshell) and the broader Eclipsed Wasp (Charming Kitten) network. Active since at least June 2022, the group has recently intensified operations targeting European telecom, aerospace, and defense organizations.

Key Findings

• Attribution & Links:
  • Iran-nexus group UNC1549, overlaps with Nimbus Manticore activity.
  • Connected to Tortoiseshell and Charming Kitten clusters.
• Initial Access:
  • Fake LinkedIn recruitment campaigns, impersonating HR staff.
  • Victims lured with fraudulent job offers and PDFs.
  • Fake application portals hosted on attacker-controlled domains.
• Malware & Tools:
  • MINIBIKE backdoor variant: Communicates via Azure-proxied C2 servers to evade detection.
  • DLL sideloading attacks leveraging signed binaries and custom victim-specific DLLs.
  • Windows CMD access via backdoor for real-time reconnaissance, lateral movement, and tool execution.
• Tradecraft & Evasion:
  • Heavy use of cloud infrastructure (Azure VPS, email, domains) for blending malicious traffic.
  • Abuse of signed binaries to bypass behavioral detection.
  • Unique DLLs for each victim action → bypasses conventional signatures.
  • Persistent foothold through startup-loaded backdoor components.
• Targeting:
  • 34 devices across 11 organizations infected in latest campaign.
  • Focus on telecom providers, with expansion into aerospace and defense.
  • Priority targets: IT admins, developers, researchers with privileged access.
  • Espionage focus on VPN configs, corporate email, confidential files, and shared folders.

Strategic Context

• Long-term persistence and systematic exfiltration of sensitive data.
• Exploits professional platforms (LinkedIn) to build trust and credibility over time.
• Demonstrates state-sponsored sophistication via victim-specific malware builds and Azure-based stealth C2.

Impact

• Unauthorized access to telecommunications infrastructure, enabling surveillance and intelligence collection.
• Exposure of confidential corporate and personal data, including classified defense files.
• Risk of long-term espionage campaigns aligned with Iranian intelligence collection objectives.

Reference

• Prodaft – Subtle Snail Espionage Operations

17. ShadowV2 – Emerging DDoS-for-Hire Botnet

Darktrace has exposed ShadowV2, a cybercrime-as-a-service platform that blends Python and Go-based malware, Docker containerization, and a full operator interface to deliver DDoS-as-a-service at scale. The campaign highlights the weaponization of modern cloud-native technologies to deliver botnet-driven attacks with advanced evasion.

Key Findings

• Initial Access & Deployment
  • Exploits exposed Docker daemons (primarily on AWS EC2).
  • Uses a Python spreader via GitHub CodeSpaces and Docker SDK.
  • Deploys staged containers: first a “setup” container to install tools, then imaged into live malware containers.
• Malware Components
  • Go-based RAT binary dropped inside Docker container.
  • Implements RESTful registration & polling (heartbeat every second, task polling every 5s).
  • Identified C2: shadow.aurozacloud[.]xyz.
  • Uses VPS_ID identifiers for continuity and implant tracking.
• Attack Techniques
  • HTTP/2 rapid reset (high-volume DoS).
  • Cloudflare “Under Attack Mode” (UAM) bypass using ChromeDP.
  • Large-scale HTTP floods leveraging fasthttp library.
  • Randomized headers, query strings, and spoofed IPs for obfuscation.
• Infrastructure & Platform
  • API built with FastAPI + Pydantic, Swagger docs briefly exposed.
  • Features multi-tenant design with role-based access (admin vs user).
  • Full login panel/UI built in Tailwind with animations, mimicking SaaS platforms.
  • Blacklist functionality suggests potential “protection racket” operations.
• Evasion & Obfuscation
  • Uses GitHub CodeSpaces (Microsoft IP 23.97.62[.]139) for spreading.
  • Inflated binaries with junk code to bypass ML-based detection.
  • C2 hosted behind Cloudflare for resilience and location masking.

Strategic Context
ShadowV2 demonstrates how botnet operators are industrializing DDoS by adopting cloud-native architectures and SaaS-like models. Instead of static implants, the campaign leverages APIs, modular deployment, and operator dashboards that mimic legitimate DevOps workflows. This lowers barriers for cybercriminals and expands the DDoS-for-hire market.

Defensive Considerations

• Enforce least privilege on container APIs (disable public Docker daemon access).
• Monitor cloud workload behaviors, including anomalous API usage and container spawns.
• Deploy DDoS protection controls with HTTP/2 and UAM bypass detection capabilities.
• Incorporate IoCs into SIEM/EDR threat hunting.

Reference

• Darktrace – ShadowV2: An Emerging DDoS-for-Hire Botnet

18. BRICKSTORM – Stealthy Backdoor Enabling Long-Term Espionage (Tech, Legal, SaaS, BPO)
    BRICKSTORM, a Go-based backdoor used by UNC5221 and related China-nexus clusters to maintain covert access—often on appliances that lack EDR. Since March 2025, intrusions hit U.S. legal services, SaaS, BPO, and technology firms. Average dwell time: ~393 days. Targeting suggests objectives beyond classic espionage (e.g., stealing IP to aid zero-day development and pivoting to downstream customer data).

Key Findings

• Initial access: Likely edge/perimeter appliances and remote access infra; at least one zero-day exploited. Post-exploitation scripts included anti-forensics.
• Backdoor: BRICKSTORM (Go; cross-platform) with SOCKS proxy. Found on Linux/BSD appliances; consistent focus on VMware vCenter/ESXi. Active development includes Garble obfuscation, custom wssoft library, and delayed beacons.
• C2 tradecraft: Uses Cloudflare Workers, Heroku, and DNS helpers (sslip.io / nip.io) to map to C2 IPs; no C2 domain reuse across victims.
• Credential theft & privilege: BRICKSTEAL (malicious Tomcat Servlet Filter) on vCenter captures HTTP Basic creds at /web/saml2/sso/*; emphasis on AD-backed logins.
• VM abuse: Threat actor clones high-value Windows VMs (e.g., DCs, IdPs, secret vaults) to mount disks and extract NTDS.dit and other secrets without booting the clone.
• Persistence: Modifies init.d/rc.local/systemd; uses sed to graft BRICKSTORM into startup. Deployed SLAYSTYLE (aka BEEFLUSH) JSP web shell on vCenter.
• Collection & exfil: Targets M365 mailboxes via Entra ID Enterprise Apps (mail.read / full_access_as_app), developers/admins’ mail, internal Git/code stores (ZIP downloads), and UNC shares—tunneled through BRICKSTORM’s SOCKS.
• OPSEC & evasion: Minimal telemetry; appliance residency; rapid TTP adaptation during IR; commercial VPNs/proxies and likely compromised SOHO routers for egress.

Impact

• Long-term covert access to legal matters, customer data at SaaS/BPOs, and technology IP with potential use in zero-day development.
• Credential compromise at scale (AD, vaults), broad lateral movement, and persistent visibility gaps due to appliance blind spots.

Hardening & Mitigations

• Segment & restrict: Limit Internet egress from appliances to vendor update/telemetry endpoints; tighten east-west access from Internet-exposed appliances.
• vSphere security: Centralize logging to SIEM, enable Lockdown Mode, enforce MFA for web logins, apply execInstalledOnly policy.
• Identity controls: Review/revoke risky Entra ID Enterprise App consents; enforce least privilege, conditional access, and consent workflows.
• Vaults as Tier-0: Isolate credential vault servers; leverage TPM-backed key storage where supported.
• Appliance persistence: Monitor/startup script integrity (init.d/systemd), detect unauthorized edits (sed changes), and scan for JSP web shells on vCenter.
• IR readiness: Extend log retention for appliances; ensure backup images are searchable with YARA for retro hunting.

Reference

• Google Cloud / Mandiant – Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors — https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign