F5 Threat Report - December 10th, 2025
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways
JPCERT/CC has confirmed active command injection attacks targeting Array Networks AG Series secure access gateways, exploiting a vulnerability in the DesktopDirect feature since August 2025. This flaw, which currently lacks a CVE identifier, affects ArrayOS versions 9.4.5.8 and earlier, allowing attackers to execute arbitrary commands and drop web shells, with observed attacks originating from the IP address 194.233.100[.]138. Array Networks released a fix on May 11, 2025, in ArrayOS version 9.4.5.9, and users are advised to apply this update promptly; alternatively, disabling DesktopDirect services or implementing URL filtering to deny access to URLs containing semicolons can serve as mitigation. While a separate authentication bypass flaw (CVE-2023-28461) in the same product was previously exploited by the China-linked MirrorFace group, there is no current evidence connecting them to these latest command injection incidents.
Severity: High
Sources
- https://buaq.net/go-379737.html
- https://cyberpress.org/arrayos-ag-vpn-vulnerability/
- https://gbhackers.com/arrayos-ag-vpn/
- https://thecyberexpress.com/cve-2023-28461-jpcert-array-gateway-warning/
- https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
Threat Details and IOCs
| Malware: | Agenda, Albiriox, PoisonPlug, Qilin, Sha1-Hulud, ShadowPad, Shai-Hulud |
| CVEs: | CVE-2023-28461 |
| Technologies: | Array Networks AG Series, Array Networks ArrayOS, Array Networks vxAG, PHP |
| Threat Actors: | APT10, EarthKasha, MirrorFace |
| Attacker Countries: | China |
| Attacker IPs: | 194.233.100.138 |
| Victim Industries: | Aerospace, Defense, E-commerce, Education, Energy, Financial Services, Government, Healthcare, Information and Communication, Manufacturing, Multimedia, Public Sector, Semiconductors, Technology Hardware, Telecommunications, Utilities |
| Victim Countries: | China, India, Japan, Taiwan, United States |
Mitigation Advice
- Update all Array Networks AG Series gateways to ArrayOS version 9.4.5.9 or a later version to remediate the command injection vulnerability.
- If patching Array AG gateways to version 9.4.5.9 is not immediately feasible, disable the 'DesktopDirect' feature on all vulnerable devices.
- Configure your perimeter firewall or Web Application Firewall (WAF) to block inbound HTTP/HTTPS requests to Array AG gateways whose URL contains a semicolon (';'). This is the vendor workaround reported by JPCERT/CC and it is deliberately blunt: make sure the rule matches after percent-decoding (so `%3B`, and double-encoded `%253B`, are caught as well as a literal ';'), and confirm that no legitimate gateway URL relies on semicolons before enforcing it.
- Add the IP address 194.233.100.138 to your network firewall's blocklist to deny all inbound and outbound traffic.
- Check all Array AG gateways for indicators of compromise, in particular recently created or modified files in web-accessible directories, since the observed attacks dropped web shells (e.g., .php). ArrayOS is a closed appliance, so work with Array Networks support for file-system verification rather than ad hoc inspection, and treat any gateway that was internet-exposed on 9.4.5.8 or earlier since August 2025 as potentially compromised even after it has been updated.
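As an added example, not code from the original report or from Array Networks, the following script applies the two indicators the summary gives (a semicolon in the request URL and the reported source IP) to web access logs in combined format. The log lines and the `/example/...` paths are constructed placeholders, not real ArrayOS or DesktopDirect URLs; the script percent-decodes twice so that encoded semicolons are not missed, which is the same check a WAF rule needs.

```python
import re
from urllib.parse import unquote

# Source IP reported by JPCERT/CC for the observed attacks (from the summary above).
ATTACKER_IP = "194.233.100.138"

# Constructed combined-format access log lines. The paths are placeholders,
# not real ArrayOS/DesktopDirect URLs.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:01:22 +0900] "GET /example/portal/login HTTP/1.1" 200 512',
    '194.233.100.138 - - [12/Aug/2025:10:02:03 +0900] "GET /example/dd/launch?x=1;id HTTP/1.1" 200 88',
    '198.51.100.21 - - [12/Aug/2025:10:05:40 +0900] "POST /example/dd/launch?x=1%3Bwhoami HTTP/1.1" 200 91',
    '194.233.100.138 - - [12/Aug/2025:10:09:11 +0900] "GET /example/portal/status HTTP/1.1" 200 300',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_uri(uri: str) -> str:
    """Percent-decode twice so %3B and double-encoded %253B both collapse to a
    literal semicolon before matching. A rule that only inspects the raw
    request line would miss both."""
    return unquote(unquote(uri))


def triage_access_log(lines):
    """Return one finding per request that matches either indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if ";" in normalize_uri(m["uri"]):
            reasons.append("semicolon in request URI")
        if m["src"] == ATTACKER_IP:
            reasons.append("source is the IP reported by JPCERT/CC")
        if reasons:
            findings.append({
                "src": m["src"], "ts": m["ts"], "method": m["method"],
                "uri": m["uri"], "status": m["status"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['uri']} -> {'; '.join(f['reasons'])}")
```

A hit on the semicolon check alone is a lead, not proof: the semicolon filter is the vendor's coarse workaround and will also match legitimate URLs that use semicolons, so correlate hits with the response status, the DesktopDirect paths on your build, and any new files on the appliance.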
Compliance Best Practices
- Establish a formal patch management policy that mandates regular vulnerability scanning of all internet-facing systems and defines strict service-level agreements (SLAs) for applying critical security patches.
- Implement a recurring configuration review process for all network security appliances to identify and disable any non-essential features and services, thereby minimizing the device's attack surface.
- Design and implement a DMZ network segment for all internet-facing services, including secure access gateways, and enforce strict firewall rules that only permit essential, pre-approved traffic between the DMZ and the internal corporate network.
- Configure all internet-facing appliances to forward detailed system, process, and network logs to a centralized SIEM, and develop detection rules to alert on anomalous file creation, command execution, and unusual outbound connections.
LangChain Prompt Template Injection Vulnerability: Property Access (CVE-2025-65106)
A prompt template injection vulnerability has been discovered in the LangChain `langchain-core` package, affecting versions up to `1.0.6` and `0.3.79`, with fixes implemented in versions `1.0.7` and `0.3.80`. Identified as CVE-2025-65106 and GHSA-6qv9-48xg-fc7f, this vulnerability allows attackers who can control template strings—rather than just template variables—to access Python object attributes, internal properties, and sensitive information, potentially escalating to more severe attacks. The flaw impacts F-string, Mustache, and Jinja2 template formats, stemming from issues such as attribute access in F-strings, `getattr()` fallback in Mustache, and insufficient sandboxing in Jinja2. Applications are at high risk if they accept untrusted template strings, dynamically construct prompts based on user input, or allow users to customize or create prompt templates. Remediation requires updating to the patched `langchain-core` versions, auditing code for any template strings originating from untrusted sources, and ensuring a clear separation between template structure and user-provided data. Specific fixes include F-string validation to restrict variable names to simple Python identifiers, strict type checking for Mustache to limit object traversal to dict, list, and tuple types, and the introduction of a `_RestrictedSandboxedEnvironment` for Jinja2 to block all attribute and method access.
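The mechanism behind the F-string variant, shown as an added example that is not langchain-core's code and does not import LangChain: Python's `str.format` (which f-string style templates are built on) resolves attribute and index expressions inside replacement fields, so an attacker who controls the template string, rather than just the values, can walk from any variable to whatever it references. `validate_template` is a standalone reimplementation of the hardening the advisory describes for F-strings (restrict replacement fields to simple identifiers); the `Settings` and `Request` objects and the secret value are constructed for the demo.

```python
import re
import string


class Settings:
    """Constructed stand-in for application configuration reachable from a
    template variable."""

    def __init__(self):
        self.api_key = "sk-constructed-secret"  # constructed sample value


class Request:
    """Constructed request object handed to the template as a variable."""

    def __init__(self, user_text, settings):
        self.user_text = user_text
        self.settings = settings


def render_unsafe(template: str, **variables) -> str:
    """Vulnerable pattern: the template string itself is untrusted and is
    rendered with str.format, which allows attribute ({a.b}) and index
    ({a[k]}) access on every variable passed in."""
    return template.format(**variables)


_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_template(template: str) -> list:
    """Illustrative equivalent of the F-string fix described above: every
    replacement field must be a bare identifier. Attribute chains, index
    expressions, positional fields and nested fields inside a format spec
    are rejected. Returns the variable names the template references."""
    names = []
    for _literal, field, spec, _conv in string.Formatter().parse(template):
        if field is None:
            continue  # literal-only chunk, nothing to check
        if not _IDENTIFIER.match(field) or (spec and "{" in spec):
            raise ValueError(f"disallowed replacement field: {field!r}")
        names.append(field)
    return names


def render_safe(template: str, **variables) -> str:
    """Validate the template structure before rendering; values are still
    free-form because they are never interpreted as template syntax."""
    validate_template(template)
    return template.format(**variables)


def demo():
    """Show the leak with the unsafe renderer and the rejection with the
    safe one. Returns (leaked_output, was_blocked)."""
    req = Request("please summarise this", Settings())
    # Attacker-controlled *template*, e.g. a user-customisable prompt.
    attacker_template = "Summarise: {req.user_text}\n[debug {req.settings.api_key}]"
    leaked = render_unsafe(attacker_template, req=req)
    try:
        render_safe(attacker_template, req=req)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(leaked)
    print("blocked by validate_template:", blocked)
```

The separation the advisory asks for is visible in `render_safe`: the template string is developer-controlled structure and is validated as such, while user input only ever arrives through `**variables`, where `str.format` treats it as data.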
Severity: High
Sources
Threat Details and IOCs
| CVEs: | CVE-2025-65106 |
| Technologies: | Jinja2, LangChain (langchain-core), Python |
| Victim Industries: | E-commerce, Financial Services, Healthcare, Legal Services, Retail, Software |
Mitigation Advice
- Update all instances of the `langchain-core` Python package to a patched release: 1.0.7 or newer on the 1.x line, or 0.3.80 or newer on the 0.3.x line (GHSA-6qv9-48xg-fc7f).
- Audit your codebase for every place a LangChain prompt template is built from a string (`PromptTemplate`, `ChatPromptTemplate`, and any `from_template` call), and prioritize remediation wherever the template string, not just the variable values, can originate from an untrusted source.
Compliance Best Practices
- Enforce a secure coding standard for all AI/LLM applications that strictly separates the prompt template structure from user-provided data. Ensure that user input can only populate predefined variables within a static, developer-controlled template.
- During application design and code reviews, challenge the necessity of using string-based prompt templating. Where possible, refactor applications to use direct message objects (e.g., `HumanMessage`, `AIMessage`) to eliminate the risk of template injection vulnerabilities.
- Create a development policy that restricts the use of the Jinja2 template format (`template_format="jinja2"`) in LangChain to only those instances where the template content is hardcoded or originates from a fully trusted, internally-controlled source.
Chinese State-Sponsored Actors Deploy Brickstorm Backdoor in US Critical Networks for Years
Chinese state-sponsored actors, identified as UNC5221 by Mandiant and Warp Panda by CrowdStrike, have maintained long-term access, sometimes for years, within critical US networks, including at least eight government services and IT organizations, and dozens of other entities across legal, SaaS, business process outsourcing, technology, and manufacturing sectors. These groups deployed the sophisticated, cross-platform Brickstorm backdoor, which operates across Linux, VMware, and Windows environments, alongside new Go-based implants named Junction (for VMware ESXi, listening on port 8090) and GuestConduit (for guest VMs, using VSOCK on port 5555). Initial access was often gained by exploiting internet-facing edge devices, followed by pivoting to vCenter environments using valid credentials or vulnerabilities. Once inside, the adversaries stole cryptographic keys from domain controllers and Active Directory Federation Services servers, accessed and exfiltrated sensitive data from Microsoft Azure environments (OneDrive, SharePoint, Exchange), and established persistence by registering new multi-factor authentication devices. Warnings from CISA, NSA, and the Canadian Cyber Security Centre, along with reports from Google Threat Intelligence (Mandiant) and CrowdStrike, highlight the ongoing threat and the actors' evolving techniques, with Palo Alto Networks' Unit 42 also monitoring the activity.
Severity: Critical
Sources
- https://cyberpress.org/china-nexus-hackers/
- https://federalnewsnetwork.com/cybersecurity/2025/12/agencies-it-companies-impacted-by-latest-malware-from-china/
- https://gbhackers.com/vmware-vcenter-systems/
- https://industrialcyber.co/cisa/cisa-nsa-sound-alarm-on-brickstorm-backdoor-used-by-china-linked-actors-targeting-vmware-windows-systems/
- https://securitybrief.asia/story/warp-panda-cyberespionage-group-targets-us-cloud-networks
- https://thecyberexpress.com/cisa-prc-hackers-target-vmware-with-brickstorm/
- https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
- https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
- https://www.cisa.gov/news-events/analysis-reports/ar25-338a
- https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic
- https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
- https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks
- https://www.hendryadrian.com/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
- https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
- https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/
- https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
- https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/
Threat Details and IOCs
| Malware: | BRICKSTEAL, BrickStorm, BRICKSTORM, GuestConduit, Junction, RESURGE, SPAWN, SPAWNANT, SPAWNCHIMERA, SPAWNMOLE, SPAWNSNAIL, ZIPLINE |
| CVEs: | CVE-2021-22005, CVE-2023-34048, CVE-2023-46747, CVE-2023-46805, CVE-2023-4966, CVE-2024-21887, CVE-2024-21893, CVE-2024-38812, CVE-2025-0282, CVE-2025-22457 |
| Technologies: | BSD, F5 BIG-IP, Ivanti Connect Secure, Ivanti Policy Secure, Linux, Microsoft 365, Microsoft Active Directory, Microsoft Azure, Microsoft Windows, Microsoft Windows Server, VMware ESXi, VMware vCenter Server, VMware vSphere |
| Threat Actors: | RedDev61, Unc5221, Uta0178, WarpPanda |
| Attacker Countries: | China |
| Attacker IPs: | 1.0.0.1, 1.1.1.1, 149.112.112.11, 149.112.112.112, 149.28.120.31, 208.83.233.14, 45.90.28.160, 45.90.30.160, 8.8.4.4, 8.8.8.8, 9.9.9.11, 9.9.9.9 (caution: apart from 149.28.120.31 and 208.83.233.14, these are the public Cloudflare, Google, Quad9 and NextDNS DNS-over-HTTPS resolvers that the malware uses for name resolution; they are not attacker-controlled, so hunt for servers and appliances contacting them rather than blocking them outright) |
| Attacker URLs: | https://1.0.0.1/dns-query, https://1.1.1.1/dns-query, https://149.112.112.112/dns-query, https://149.112.112.11/dns-query, https://45.90.28.160/dns-query, https://45.90.30.160/dns-query, https://8.8.4.4/dns-query, https://8.8.8.8/dns-query, https://9.9.9.11/dns-query, https://9.9.9.9/dns-query (the /dns-query endpoints of the public resolvers above; the indicator is a vCenter, ESXi or domain controller host using DoH at all, not the destinations themselves) |
| Attacker Hashes: | 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf, 0a4fa52803a389311a9ddc49b7b19138, 10d811029f6e5f58cd06143d6353d3b05bc06d0f, 18f895e24fe1181bb559215ff9cf6ce3, 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b, 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759, 39111508bfde89ce6e0fe6abe0365552, 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46, 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557, 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042, 44a3d3f15ef75d9294345462e1b82272b0d11985, 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f, 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d, 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608, 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f, 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147, 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5, 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba, 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64, 82bf31e7d768e6d4d3bc7c8c8ef2b358, 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed, 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f, 8e4c88d00b6eb46229a1ed7001451320, 97001baaa379bcd83677dca7bc5b8048fdfaaddc, 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806, 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54, a02469742f7b0bc9a8ab5e26822b3fa8, a52e36a70b5e0307cbcaa5fd7c97882c, 
aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38, b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a, b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12, bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce, bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454, c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4, dbca28ad420408850a94d5c325183b28, de28546ec356c566cd8bca205101a733e9a4a22d, dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44, f639d9404c03af86ce452db5c5e0c528b81dc0d7, f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506, fb11c6caa4ea844942fe97f46d7eb42bc76911ab |
| Victim Industries: | Business Process Outsourcing, Critical Manufacturing, Facilities Services, Government, Information Technology, Legal Services, Manufacturing, Public Sector, Software as a Service (SaaS), Technology Hardware |
| Victim Countries: | Australia, Austria, Canada, Germany, Greece, Mexico, New Zealand, United Kingdom, United States |
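Because the resolver addresses in the IOC table are legitimate public services, blocking them is the wrong response; the useful signal is which hosts talk to them. The following script is an added example, not code from CISA, Mandiant or CrowdStrike, that scans proxy or firewall flow records for DNS-over-HTTPS requests originating from server segments. The flow records are constructed, and `SERVER_NETS` is an assumed set of ranges standing in for your vCenter, ESXi, domain controller and edge-appliance subnets.

```python
import ipaddress
from collections import defaultdict

# Public DNS-over-HTTPS resolvers listed in the IOC table above. They are
# legitimate services; the anomaly is a server or appliance talking to them.
DOH_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",                                          # Cloudflare
    "8.8.8.8", "8.8.4.4",                                          # Google
    "9.9.9.9", "9.9.9.11", "149.112.112.112", "149.112.112.11",    # Quad9
    "45.90.28.160", "45.90.30.160",                                # NextDNS
}

# Assumed address ranges for vCenter, ESXi, domain controllers and edge
# appliances. Replace with your own server segments.
SERVER_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed proxy/firewall records: timestamp src dst dport sni_or_host path
SAMPLE_FLOWS = [
    "2025-12-01T03:14:07Z 10.10.1.5 8.8.8.8 443 dns.google /dns-query",
    "2025-12-01T03:14:09Z 10.10.1.5 10.10.0.2 53 - -",
    "2025-12-01T03:15:30Z 172.16.3.9 1.1.1.1 443 cloudflare-dns.com /dns-query",
    "2025-12-01T03:16:02Z 192.168.50.10 45.90.28.160 443 dns.nextdns.io /dns-query",
    "2025-12-01T03:17:45Z 10.10.1.5 8.8.8.8 443 dns.google /dns-query",
    "2025-12-01T03:18:00Z 10.10.2.7 203.0.113.40 443 updates.example /feed",
]


def parse_flow(line: str) -> dict:
    """Split one constructed flow record into its fields."""
    ts, src, dst, dport, host, path = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "host": host, "path": path}


def is_server(ip: str) -> bool:
    """True if the address falls in one of the assumed server ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)


def find_server_doh(lines) -> dict:
    """Return {server_ip: [flow, ...]} for servers that issued DoH requests.
    Workstations are ignored because browsers use DoH legitimately; matching
    on the /dns-query path also catches resolvers not in DOH_RESOLVERS."""
    hits = defaultdict(list)
    for flow in map(parse_flow, lines):
        if not is_server(flow["src"]):
            continue
        if flow["dst"] in DOH_RESOLVERS or flow["path"].startswith("/dns-query"):
            hits[flow["src"]].append(flow)
    return dict(hits)


if __name__ == "__main__":
    for src, flows in find_server_doh(SAMPLE_FLOWS).items():
        resolvers = sorted({f["dst"] for f in flows})
        print(f"{src}: {len(flows)} DoH request(s) to {', '.join(resolvers)}")
```

Any server that appears in the output should be pulled into the BRICKSTORM hunt in the Mitigation Advice below: a vCenter appliance or domain controller has no reason to resolve names over HTTPS to a public resolver instead of the corporate DNS servers, and the default-deny egress policy recommended under Compliance Best Practices would have blocked these flows in the first place.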
Mitigation Advice
- Download and run the open-source BRICKSTORM scanner from Mandiant's GitHub repository. It is a YARA-based shell script written for Linux and BSD based appliances, so run it on vCenter Server appliances and other Linux/BSD edge devices first; for Windows hosts, where the script does not apply, rely on EDR and the published hashes.
- Scan VMware ESXi hosts for the 'Junction' implant and monitor for suspicious processes masquerading as legitimate VMware services.
- Scan guest VMs within your VMware environment for the 'GuestConduit' implant, paying close attention to unusual VSOCK listener activity.
- Immediately scan all internet-facing edge devices for vulnerabilities and apply all available security patches, prioritizing any devices with known exploits.
- Audit all Microsoft 365 and Microsoft Entra ID (formerly Azure AD) accounts for recently registered MFA devices and authentication methods, starting with privileged accounts, and verify the legitimacy of each registration with the account owner; treat any registration that cannot be tied to a known onboarding or device-replacement event as suspect.
- Review Microsoft 365 audit logs for anomalous access patterns to OneDrive, SharePoint, and Exchange Online, specifically looking for session replay activity or access from unusual IP addresses or locations.
Compliance Best Practices
- Implement network segmentation to create isolated security zones for critical assets like VMware vCenter servers, ESXi hosts, and Domain Controllers, restricting access from less secure network segments.
- Enforce the principle of least privilege for all accounts, especially service accounts and administrative accounts, ensuring they only have the minimum permissions necessary to perform their functions on systems like vCenter and Active Directory.
- Implement a default-deny egress filtering policy on the network firewall, allowing outbound traffic only for explicitly approved protocols, ports, and destinations to disrupt command-and-control communications.
- Enhance security logging for critical systems, including VMware vCenter, ESXi hosts, Domain Controllers, and ADFS servers. Forward these logs to a SIEM and develop correlation rules to detect lateral movement and credential access techniques.
- Strengthen MFA policies by requiring re-authentication for sensitive actions such as registering a new MFA device, and enforce phishing-resistant MFA for all administrative and privileged accounts.
Intellexa Deployed Predator Spyware via iOS Zero-Day Exploit Chain Against Egyptian Targets
Sanctioned commercial surveillance vendor Intellexa deployed a three-stage iOS zero-day exploit chain, internally codenamed "smack," against targets in Egypt to install its Predator spyware. The initial stage leveraged a Safari remote code execution zero-day (CVE-2023-41993), which Google assessed Intellexa likely acquired externally due to its use of the "JSKit" framework, previously observed in attacks by other surveillance vendors and Russian government-backed actors. The second stage achieved sandbox escape and privilege escalation by exploiting kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992, providing kernel memory read/write capabilities. The final stage, PREYHUNTER, comprised "helper" and "watcher" modules; the "watcher" module performed anti-detection by monitoring for security tools, specific locale settings, and other anomalies, while the "helper" module used custom frameworks (DMHooker, UMHooker) to hook system functions for VOIP recording, keylogging, and camera capture, also hiding notifications. Intellexa has been linked to 15 zero-day vulnerabilities since 2021, including several Chrome V8 engine exploits (CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, CVE-2025-6554) observed in Saudi Arabia. Google Threat Intelligence Group and CitizenLab collaborated on this discovery, leading Google to issue warnings to Intellexa's customers across multiple countries and add associated domains to Safe Browsing.
Severity: Critical
Sources
Threat Details and IOCs
| Malware: | Alien, ALIEN, Nova, Predator, PREYHUNTER |
| CVEs: | CVE-2021-38003, CVE-2022-42856, CVE-2023-2033, CVE-2023-3079, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993, CVE-2023-4762, CVE-2025-6554 |
| Technologies: | Apple iOS, Apple Safari, Google Chrome |
| Threat Actors: | Intellexa |
| Attacker Countries: | Russia (this reflects only the JSKit framework's earlier use by Russian government-backed actors, as noted above; the campaign itself is attributed to Intellexa, a commercial vendor operating on behalf of its customers) |
| Attacker Hashes: | 85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750, e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac |
| Victim Industries: | Government, Multimedia, Technology Hardware |
| Victim Countries: | Angola, Egypt, Kazakhstan, Mongolia, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan |
Mitigation Advice
- Update all corporate and BYOD iOS devices to the latest available OS version to mitigate vulnerabilities CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992.
- Ensure all Google Chrome and Chromium-based browsers on corporate endpoints are updated to the latest version to protect against CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2025-6554.
- Scan managed mobile devices for jailbreak and analysis tooling such as bash, tcpdump, frida, sshd, or checkra1n. These are the artifacts the PREYHUNTER "watcher" module looks for so that Predator stays dormant on researcher or jailbroken devices; on a managed fleet their presence indicates a jailbroken device that should not hold corporate data, not a Predator infection, so treat such devices as non-compliant and re-enroll them.
- Audit managed mobile devices for unauthorized custom HTTP proxy configurations and non-corporate root certificate installations.
Compliance Best Practices
- Implement or enhance a Mobile Device Management (MDM) solution to enforce mandatory and timely OS and application updates on all mobile devices accessing corporate data.
- Develop and enforce a security policy that enables Apple's Lockdown Mode on iOS devices used by executives and other employees at high risk of being targeted by sophisticated spyware.
- Establish a continuous security awareness training program that educates users on how to identify and report phishing attempts and suspicious links on mobile devices.
- Implement and maintain network egress filtering to block outbound connections from all corporate devices to known malicious domains and un-categorized websites.
- Use MDM to establish and enforce a policy that prohibits the use of Developer Mode on all corporate-managed iOS devices unless there is a documented and approved business justification.
Microsoft Patches Critical Windows .LNK Flaw (CVE-2025-9491) Exploited by State-Sponsored Groups
Microsoft has addressed a critical Windows shortcut file (.lnk) vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), which allowed malicious .lnk files to conceal harmful command-line arguments, enabling hidden code execution. This flaw, exploited by at least 11 state-sponsored groups from North Korea, Iran, Russia, and China since 2017 for cyber espionage and data theft, involved padding commands with whitespace to make the "Target" field appear innocuous in Windows properties. Despite initially downplaying its severity, Microsoft issued a "silent mitigation" in its November 2025 Patch Tuesday, which now reveals the full command in the "Properties" dialog. The fix follows a recent campaign by the China-linked UNC6384/Mustang Panda group, which leveraged CVE-2025-9491 in spear-phishing attacks against European diplomatic entities, deploying the PlugX remote access trojan. The .lnk format remains a significant threat due to its ability to bypass email filters and facilitate remote code execution through social engineering, and the risk persists until all vulnerable systems are updated.
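The technique is visible in the shortcut file itself. As an added example, not code from the original page or from any of the reports cited, the following minimal parser reads the ShellLink header and the COMMAND_LINE_ARGUMENTS string from a .lnk file and measures the leading whitespace that pushed the real command out of the Properties dialog's Target field. The sample shortcut bytes are constructed by `build_sample_lnk` (benign content, no IDList or LinkInfo), and `PADDING_THRESHOLD` is an assumed cutoff; the parser ignores the contents of LinkTargetIDList, LinkInfo and the trailing ExtraData blocks, which is enough to recover what was hidden.

```python
import struct

# Fixed CLSID that every shell link carries after the 4-byte HeaderSize.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that affect what follows the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order (MS-SHLLINK 2.4).
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed threshold: legitimate shortcuts rarely begin their arguments with
# more than a few spaces, while the reported abuse used hundreds of bytes.
PADDING_THRESHOLD = 32


def parse_lnk(data: bytes) -> dict:
    """Validate the ShellLinkHeader, skip LinkTargetIDList and LinkInfo, and
    decode the StringData fields that are present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + items
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]        # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]       # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def analyze_lnk(data: bytes) -> dict:
    """Flag the CVE-2025-9491 pattern: arguments that start with a long run of
    whitespace (spaces, tabs, CR/LF, vertical tab, form feed) so the real
    command sits past the visible part of the Target field."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    stripped = args.lstrip(" \t\r\n\x0b\x0c")
    padding = len(args) - len(stripped)
    control_ws = any(ch in args for ch in "\r\n\x0b\x0c")
    return {
        "target": fields.get("relative_path", ""),
        "padding_chars": padding,
        "hidden_command": stripped,
        "suspicious": padding >= PADDING_THRESHOLD or control_ws,
    }


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed, benign .lnk bytes for the demo: header plus RELATIVE_PATH
    and COMMAND_LINE_ARGUMENTS, with no IDList, LinkInfo or ExtraData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # 76 bytes

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe",
                              " " * 300 + "/c echo constructed sample payload")
    print(analyze_lnk(sample))
```

Run across a mail quarantine or a user's Downloads folder, `analyze_lnk` turns a visual trick into a measurable property; the same leading-whitespace test can be expressed as a YARA or EDR rule once you have confirmed the threshold against your own shortcut population.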
Severity: Critical
Sources
- https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
- https://cyberpress.org/microsoft-windows-lnk-vulnerability/
- https://dataconomy.com/2025/11/24/why-that-harmless-looking-desktop-icon-might-actually-be-a-weapon/
- https://gbhackers.com/hackers-actively-exploit-new-windows-lnk-0-day/
- https://it.slashdot.org/story/25/12/04/1744255/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed
- https://meterpreter.org/microsoft-finally-patches-lnk-flaw-cve-2025-9491-exploited-by-spies-since-2017/
- https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
- https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
- https://www.hendryadrian.com/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
- https://www.techrepublic.com/article/news-microsoft-fixes-security-flaw/
- https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/
Threat Details and IOCs
| Malware: | CirenegRAT, C_Major, Destroy RAT, DestroyRAT, Dreambot, Farfli, Gh0st, Gh0st RAT, Ghost RAT, Gozi, Gozi-ISFB, HiddenGh0st, Hodur, ISFB, Kaba, Konni, KONNI, Korplug, LDR4, Moudour, Papras, PCrat, PCRat, PlugX, QNAP-Worm, Raspberry Robin, Roshtyak, Snifula, Sogu, SOGU, Storm-0856, SugarGh0st RAT, TheTrick, TIGERPLUG, Trickbot, TrickBot, TrickLoader, Trickster, UpDog, Ursnif, UsrRunVGA.exe, XDigo |
| CVEs: | CVE-2025-9491 |
| Technologies: | Microsoft Windows, Microsoft Windows Server |
| Threat Actors: | APT10, APT15, APT17, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT37, APT40, APT41, APT43, Barium, Bitter, BronzePresident, BronzeUnion, Daggerfly, DoubleDragon, DragonOK, EarthIktomi, EarthLusca, EarthPreta, EmissaryPanda, EvilCorp, HazyTiger, Hellsing, HurricanePanda, Kimsuky, Konni, LuckyMouse, MenuPass, MUSTANGPANDA, OpalSleet, RazorTiger, RedDelta, RedHotel, SadFuture, SAMURAIPANDA, Sidewinder, TA416, TA505, TEMPHex, TwillTyphoon, UNC1878, UNC6384, VelvetAnt, WaterPoukai, WickedPanda, WickedSpider, WIZARDSPIDER, XDSpy |
| Attacker Countries: | China, India, Iran, North Korea, Russia |
| Attacker IPs: | 195.154.152.70 |
| Attacker Domains: | cseconline.org, d32tpl7xt7175h.cloudfront.net, dorareco.net, mydownload.z29.web.core.windows.net, naturadeco.net, paquimetro.net, racineupci.org, vnptgroup.it.com |
| Victim Industries: | Aerospace, Civic and Social Organizations, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Mining, Non-Governmental Organizations (NGOs), Technology Hardware, Telecommunications |
| Victim Countries: | Afghanistan, Algeria, Australia, Austria, Bangladesh, Belarus, Belgium, Bhutan, Brazil, Bulgaria, Cambodia, China, Cyprus, Czech Republic, Djibouti, Egypt, Estonia, Ethiopia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Kuwait, Laos, Latvia, Malaysia, Maldives, Moldova, Mongolia, Mozambique, Myanmar, Nepal, Netherlands, Nigeria, Pakistan, Palestine, Philippines, Romania, Russia, Rwanda, Saudi Arabia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sri Lanka, Sudan, Sweden, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Vatican City, Vietnam |
Mitigation Advice
- Prioritize and deploy the November 2025 Microsoft Patch Tuesday security updates to all Windows endpoints and servers to apply the mitigation for CVE-2025-9491.
- Conduct a threat hunt across all endpoints for indicators of compromise related to this campaign, such as anomalous PowerShell execution originating from .lnk files, evidence of the PlugX RAT, and signs of DLL sideloading.
- Configure your email security gateway to block or quarantine all incoming emails containing .lnk file attachments, including those within compressed archives like .zip files.
- Issue an immediate security alert to all employees, warning them not to open or click on unexpected shortcut (.lnk) files, especially those received in emails, and to report any suspicious emails to the security team.
Compliance Best Practices
- Implement an application allowlisting policy, such as Windows Defender Application Control (WDAC), to restrict the execution of unauthorized applications and scripts on endpoints.
- Enable PowerShell Script Block Logging and Module Logging on all Windows systems and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
- Deploy or tune an Endpoint Detection and Response (EDR) tool to create detection rules for suspicious process chains. A double-clicked .lnk does not run as a process of its own; explorer.exe launches the shortcut's target directly, so alert on explorer.exe spawning cmd.exe, powershell.exe, mshta.exe or similar with an unusually long command line or one containing long runs of whitespace.
- Establish a continuous security awareness training program that includes regular phishing simulations using lures with various attachment types, including shortcuts and archives, to train users to identify and report threats.
- Enforce the principle of least privilege by removing local administrator rights from all standard user accounts to contain the impact of malware execution.
Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.