F5 Threat Report - September 22nd, 2025

BlackLock Ransomware Targets Windows, Linux, and VMware ESXi Systems

BlackLock, a ransomware group formerly known as El Dorado, has been active since March 2024, and its Dedicated Leak Site (DLS) has exposed victim data since June 2024. Written in Go, the ransomware targets Windows, Linux, and VMware ESXi systems, allowing affiliates to compromise diverse environments worldwide, including U.S. enterprises and government agencies and various industries across South Korea, Japan, and Europe. Operating under a Ransomware-as-a-Service (RaaS) model, BlackLock encrypts files with the ChaCha20 stream cipher, generating a unique 32-byte FileKey and 24-byte nonce for each file, and uses an Elliptic Curve Diffie-Hellman (ECDH) key exchange with secretbox.Seal() to secure the metadata. It deletes backups stealthily by crafting a COM object that executes WMI queries from memory via embedded shellcode, targeting Volume Shadow Copy Service snapshots and the Recycle Bin. Encrypted files are renamed with random extensions, and a ransom note titled `HOW_RETURN_YOUR_DATA.TXT` is left behind. Organizations are advised to implement layered defenses, maintain offline backups, monitor for unusual activity, prioritize patch management, segment networks, and regularly test backup integrity to mitigate this threat.

Severity: Critical

Sources

Threat Details and IOCs

Malware: BlackLock, Eldorado, El Dorado
Technologies: Microsoft Windows, VMware ESXi, Linux
Threat Actors: Eldorado, BlackLock
Attacker Countries: Russia, China
Attacker IPs: 173.44.141.152
Attacker Emails: sopajelessei-5488@yopmail.com
Attacker Domains: yopmail.com
Attacker Hashes: 1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b, 7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd, b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de, f392807da3ee1f3e9702ce5fa91d418d
Victim Industries: Consulting, Real Estate, Manufacturing, Healthcare, Construction, Public Administration, Financial Services, Government, Educational Services, Finance, Retail, Transportation, Hospitality, Defense, Arts, Entertainment, and Recreation, Professional Services, Technology, Education
Victim Countries: Spain, Argentina, Croatia, Italy, Aruba, Congo, United Arab Emirates, Puerto Rico, France, United Kingdom, Netherlands, Peru, Brazil, Germany, Japan, Canada, South Korea, United States

Mitigation Advice

  • Use endpoint management or security tools to scan all Windows, Linux, and ESXi systems for the presence of the ransom note file named 'HOW_RETURN_YOUR_DATA.TXT'.
  • Immediately verify that recent backups for critical Windows, Linux, and VMware ESXi systems are stored offline or in immutable storage, and confirm they are not accessible from the production network.
  • Configure security monitoring tools (like SIEM or EDR) to create high-priority alerts for processes using WMI to delete Volume Shadow Copies (vssadmin delete shadows, wmic shadowcopy delete).
  • Audit all open SMB shares on the network and apply the principle of least privilege, restricting write access to only authorized users and services.
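As an added example (not from the F5 report or the BlackLock analysis it summarizes), the following Python triages constructed process-creation events for the two shadow-copy deletion commands named above, the equivalent WMI class call issued from PowerShell, a process touching the ransom note, and child processes of the WMI provider host, which is where "process creation originating from WMI" would surface. The event field names and sample values are assumptions.

```python
import re

# Constructed process-creation events in the shape an EDR or Sysmon
# Event ID 1 feed might export them; field names and values are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "srv02", "parent": r"C:\Users\Public\update.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "parent": r"C:\Users\Public\update.exe",
     "cmdline": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "srv03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "srv03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe HOW_RETURN_YOUR_DATA.TXT"},
]

# The two commands named in the mitigation advice, plus the equivalent
# WMI class method call when it is issued from PowerShell.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("win32_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*?\.Delete\(\)", re.I | re.S)),
]
RANSOM_NOTE = re.compile(r"HOW_RETURN_YOUR_DATA\.TXT", re.I)
WMI_HOST = re.compile(r"\\WmiPrvSE\.exe$", re.I)


def classify_event(event):
    """Return (rule_name, severity) for one event, or None when nothing matched."""
    cmd = event["cmdline"]
    for name, pattern in SHADOW_DELETE_RULES:
        if pattern.search(cmd):
            return (name, "high")
    if RANSOM_NOTE.search(cmd):
        # A process opening the note means encryption has most likely already run.
        return ("ransom_note_observed", "critical")
    if WMI_HOST.search(event["parent"]):
        # Children of the WMI provider host are rare on most endpoints and are
        # the "process creation originating from WMI" the advice above refers to.
        return ("process_spawned_by_wmi", "medium")
    return None


def triage(events):
    """Apply classify_event to a batch and return the alerts in input order."""
    alerts = []
    for ev in events:
        hit = classify_event(ev)
        if hit is not None:
            alerts.append({"host": ev["host"], "rule": hit[0],
                           "severity": hit[1], "parent": ev["parent"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Command-line matching will not see a deletion performed entirely in memory through WMI, so the parent-process rule is the one that matters for the technique this report describes.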

Compliance Best Practices

  • Initiate a network segmentation project to isolate critical infrastructure, such as VMware ESXi hosts and database servers, from general user workstations and less-trusted network zones.
  • Establish a formal policy and schedule for regularly testing backup integrity and the full restoration process for critical systems.
  • Enhance Endpoint Detection and Response (EDR) policies to enable and tune detection for in-memory shellcode execution and anomalous process creation originating from WMI.
  • Develop and implement a security hardening baseline for all VMware ESXi hosts, ensuring unused services are disabled and management interfaces are restricted to a dedicated, secure network.
  • Implement a comprehensive patch management program to ensure timely application of security updates for all operating systems (Windows, Linux) and hypervisors (VMware ESXi).

Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability

Fortra has disclosed a critical deserialization vulnerability, CVE-2025-10035, in the License Servlet of its GoAnywhere Managed File Transfer (MFT) software, which carries a CVSS score of 10.0. This flaw allows an attacker with a validly forged license response signature to deserialize arbitrary actor-controlled objects, potentially leading to command injection and arbitrary command execution. Successful exploitation requires the system to be publicly accessible over the internet. While no in-the-wild exploitation has been reported for this specific vulnerability, it impacts the same license code path in the Admin Console as the previously exploited CVE-2023-0669, which was abused as a zero-day by ransomware groups like LockBit. Another critical vulnerability, CVE-2024-0204, was also addressed last year. Given that thousands of GoAnywhere MFT instances are internet-facing, immediate weaponization is anticipated. Users are strongly advised to update to version 7.8.4 or Sustain Release 7.6.3. If immediate patching is not feasible, restricting public access to the GoAnywhere Admin Console is recommended.

Severity: Critical

Sources

Threat Details and IOCs

Malware: Clop, Cl0p, CryptoMix, Cobalt Strike, BEACON, Agentemis, Clop Ransomware, LockBit, ABCD, LockBit Black, LockBit Red, LockBit 2.0, LockBit 3.0, CIop, TA505, FIN11, Water Selkie, CryptoMix Clop, ClopReadMe, Black Basta, ABCD ransomware, Lace Tempest
CVEs: CVE-2024-0204, CVE-2023-0669, CVE-2025-10035
Technologies: Fortra GoAnywhere MFT, Progress MOVEit Transfer, Accellion File Transfer Appliance, Cleo Integration Cloud
Threat Actors: Storm0506, EvilCorp, LockBit, FIN11, Cl0p, GracefulSpider, GoldTahoe, Unc4393, Chimborazo, TA505, Stac5143, GoldRebellion, SpandexTempest, LaceTempest, BlackBasta
Attacker Countries: Russia, China
Victim Industries: Mining, Information Technology, Manufacturing, Healthcare, Consumer Goods, Media & Entertainment, Energy, Utilities, IT, Logistics, Financial Services, Government, Retail, Insurance, Hospitality, Aviation, Technology, Telecommunications, Education, Banking, Public Sector
Victim Countries: Cyprus, Switzerland, Italy, Hungary, China, Luxembourg, Czech Republic, Sweden, United Kingdom, Netherlands, Romania, Austria, Australia, Ireland, Germany, Canada, Portugal, Finland, Malta, Lithuania, Spain, Bulgaria, Croatia, Latvia, Slovenia, Greece, India, Belgium, France, Estonia, Slovakia, Poland, Japan, Denmark, Czechia, United States

Mitigation Advice

  • Immediately patch all Fortra GoAnywhere MFT instances to version 7.8.4 or Sustain Release 7.6.3.
  • Configure firewall rules or network access control lists (ACLs) to block all public internet access to the GoAnywhere MFT Admin Console.
  • Perform an immediate vulnerability scan of all internal and external network ranges to identify every instance of GoAnywhere MFT software.

Compliance Best Practices

  • Establish a formal patch management policy that mandates applying critical and zero-day patches for all internet-facing systems, including GoAnywhere MFT, within a 48-hour service level agreement (SLA).
  • Implement a zero-trust access model requiring all administrative access to critical infrastructure, including the GoAnywhere MFT console, to originate from a secure, multi-factor authenticated session via a VPN or SASE solution.
  • Initiate a formal risk assessment of the Fortra GoAnywhere MFT platform, comparing its security history and total cost of ownership against alternative managed file transfer solutions.

CISA exposes malware kits deployed in Ivanti EPMM attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis of malware kits used in attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. These vulnerabilities include an authentication bypass (CVE-2025-4427) and a code injection flaw (CVE-2025-4428), affecting Ivanti EPMM versions 11.12.0.4, 12.3.0.1, 12.4.0.1, 12.5.0.0, and earlier releases, which Ivanti patched on May 13. Threat actors exploited these as zero-days by targeting the `/mifs/rs/api/v2/` endpoint with HTTP GET requests, using the `?format=` parameter to send malicious commands for reconnaissance, system information collection, network mapping, file fetching, and LDAP credential extraction. CISA identified two distinct malware sets, each containing a `web-install.jar` loader and malicious listeners (Set 1: `ReflectUtil.class`, `SecurityHandlerWanListener.class`; Set 2: `WebAndroidAppInstaller.class`). These components were delivered in segmented, Base64-encoded chunks via separate HTTP GET requests, designed to inject and execute arbitrary code, exfiltrate data, and establish persistence. CISA recommends that organizations finding this malware isolate affected hosts, collect artifacts, create forensic disk images, immediately patch Ivanti EPMM systems, treat mobile device management (MDM) systems as high-value assets, and utilize the provided Indicators of Compromise (IOCs), YARA rules, and SIGMA rules for detection.

Severity: Critical

Sources

Threat Details and IOCs

Malware: KrustyLoader, Atomic macOS Stealer, AMOS, Atomic Stealer, SilentSync
CVEs: CVE-2025-4428, CVE-2025-4427
Technologies: Apache Tomcat, Oracle Java, Linux, Google Android, Apple macOS, Apple iOS, Ivanti Endpoint Manager, Microsoft Windows
Threat Actors: CondeTgapIs, AtomicMacOSStealer, AmosStealer, Unc5221, ChinaNexusThreatActor, Uta0178, SilentSyncRat, VaneViper
Attacker Countries: China
Attacker IPs: 77.221.157.154, 103.244.88.125, 82.132.235.212, 37.219.84.22, 88.194.29.21, 27.25.148.183, 83.229.126.234, 91.193.19.109, 47.120.74.19, 100.26.51.59, 150.241.71.231, 75.170.92.132, 5.181.159.149, 45.38.17.43, 185.174.137.26, 46.41.134.8, 79.96.45.181
Attacker URLs: /mifs/rs/api/v2/featureusage
Victim Industries: Healthcare, Financial Services, Government, Defense, Aviation, Telecommunications
Victim Countries: Cyprus, Italy, Hungary, Luxembourg, Czech Republic, Sweden, Norway, United Kingdom, Netherlands, Romania, Austria, Ireland, Germany, Portugal, Finland, Malta, Lithuania, Spain, Bulgaria, Croatia, Latvia, Slovenia, Greece, Belgium, France, Estonia, Slovakia, Poland, Japan, Denmark, United States

Mitigation Advice

  • Immediately patch all Ivanti Endpoint Manager Mobile (EPMM) systems to a version that addresses CVE-2025-4427 and CVE-2025-4428. The affected versions are 11.12.0.4, 12.3.0.1, 12.4.0.1, 12.5.0.0, and their earlier releases.
  • Ingest the file hashes and network indicators of compromise (IOCs) provided by CISA into your SIEM and EDR platforms to search for historical and current evidence of compromise.
  • Use the YARA rules published by CISA to scan the file systems of all on-premise Ivanti EPMM servers for the malware components described in the analysis.
  • Implement the SIGMA rule provided by CISA in your SIEM to create an alert for detecting the specific malicious HTTP requests used in this attack.
  • If any indicators of compromise related to this threat are discovered, immediately isolate the affected Ivanti EPMM hosts from the network and begin incident response procedures.
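The log-side check behind the SIGMA-rule advice above, as an added Python example that is not part of the CISA analysis or the F5 report: it parses constructed access-log lines, flags requests to the `/mifs/rs/api/v2/` endpoint whose `format` parameter is not an expected value, and counts how many flagged values from the same source look like Base64 chunks, which is how the segmented delivery described above would appear in web logs. The allowlist of expected format values and the Combined Log Format layout are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in Combined Log Format; not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/featureusage?format=UEsDBBQACAgIAHx HTTP/1.1" 200 90 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2025:10:02:12 +0000] "GET /mifs/rs/api/v2/featureusage?format=fQAAAAAAAAAAAAAC HTTP/1.1" 200 90 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2025:10:02:13 +0000] "GET /mifs/rs/api/v2/featureusage?format=BQAKAAAAAAAAAAA= HTTP/1.1" 200 90 "-" "python-requests/2.31"
10.0.0.9 - - [20/May/2025:10:03:00 +0000] "GET /mifs/c/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PREFIX = "/mifs/rs/api/v2/"        # endpoint named in the analysis
EXPECTED_FORMATS = {"json", "xml"}         # assumed benign values; tune locally
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_format(rec):
    """Return the offending format value for a watched request, else None."""
    if not rec["path"].startswith(WATCHED_PREFIX):
        return None
    for value in rec["query"].get("format", []):
        value = unquote(value)
        if value.lower() not in EXPECTED_FORMATS:
            return value
    return None


def hunt(log_text):
    """Per source IP: number of anomalous requests, how many of their values
    look like Base64 chunks, and the raw values for the analyst."""
    findings = defaultdict(lambda: {"count": 0, "base64_chunks": 0, "values": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_format(rec)
        if bad is None:
            continue
        f = findings[rec["ip"]]
        f["count"] += 1
        f["values"].append(bad)
        if BASE64_RE.match(bad):
            f["base64_chunks"] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG).items():
        print(ip, f["count"], "anomalous requests,", f["base64_chunks"], "base64-like")
```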

Compliance Best Practices

  • Formally classify the Mobile Device Management (MDM) system as a High-Value Asset (HVA) and update security policies to mandate stricter access controls and monitoring for it.
  • Implement network segmentation to place the Ivanti EPMM system in a secured network zone, strictly limiting inbound and outbound traffic to only what is explicitly required for operation.
  • Enhance logging and monitoring for the Ivanti EPMM system by forwarding detailed application and system logs to a SIEM and creating baseline alerts for anomalous activity, such as unusual API calls or outbound data transfers.
  • Review and refine the organization's vulnerability management program to ensure critical, internet-facing systems like Ivanti EPMM are prioritized and that procedures are in place to apply emergency, out-of-band security patches within a defined, minimal timeframe.

Hackers Deploy New EDR-Freeze Tool to Disable Security Software

A new tool named EDR-Freeze, developed by researcher TwoSevenOneT, can temporarily disable endpoint detection and response (EDR) systems and antivirus software by exploiting Windows Error Reporting functionality. This user-mode technique leverages a sophisticated race condition, utilizing the MiniDumpWriteDump function from Windows' DbgHelp library to suspend all threads in a target process for memory snapshot creation. EDR-Freeze then triggers this dump process against security software and subsequently suspends the dumping process itself (WerFaultSecure.exe), leaving the security solution indefinitely frozen. It specifically targets WerFaultSecure.exe, a Windows Error Reporting component capable of running with Protected Process Light (PPL) privileges, and combines this with the CreateProcessAsPPL tool to bypass PPL protection. The tool successfully suspended Windows Defender's MsMpEng.exe process on Windows 11 24H2, accepting the target process ID and suspension duration as parameters. This method avoids traditional "Bring Your Own Vulnerable Driver" (BYOVD) attacks, making detection more challenging as it relies solely on legitimate Windows processes. To counter this, security teams should monitor WerFaultSecure.exe command-line parameters for suspicious activity, particularly when it targets sensitive system processes like LSASS, antivirus engines, or EDR agents, and consider implementing additional process protection mechanisms beyond standard PPL safeguards. The source code for EDR-Freeze is publicly available on GitHub for legitimate security research and red team exercises.

Severity: Critical

Sources

Threat Details and IOCs

Technologies: Microsoft Defender for Endpoint, Microsoft Local Administrator Password Solution, Microsoft Windows
Attacker Countries: Russia
Victim Industries: Retail, Critical Infrastructure, Hospitality, Healthcare, Energy, Financial Services
Victim Countries: United States

Mitigation Advice

  • Create a detection rule in your SIEM or EDR to generate a high-priority alert when `WerFaultSecure.exe` is executed with command-line arguments targeting the process IDs of your organization's EDR agents, antivirus engines, or other sensitive processes like LSASS.
  • Contact your EDR and antivirus vendors to inquire about their specific protections and detection capabilities against the EDR-Freeze technique that abuses `WerFaultSecure.exe` and `MiniDumpWriteDump`.
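The first detection rule above, as an added Python example that is not from the EDR-Freeze project or the F5 report: given a process-table snapshot and a process-creation event, it resolves every numeric token on a `WerFaultSecure.exe` command line against the table and alerts when one of them is LSASS, the Defender engine, or your EDR agent. The switch syntax in the sample command lines is assumed (the rule keys on the numbers, not the switch names), and `edr-agent.exe` is a placeholder for your own agent's image.

```python
import re

# Constructed process table (pid -> image name) as an EDR snapshot might
# provide it. "edr-agent.exe" is a placeholder for your own agent's image.
PROCESS_TABLE = {
    712: "lsass.exe",
    3304: "MsMpEng.exe",      # Windows Defender engine, named in the report
    4120: "edr-agent.exe",
    5100: "notepad.exe",
}
# Images whose suspension would blind detection; compared case-insensitively.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "edr-agent.exe"}

# Constructed process-creation events. The switch syntax is assumed for the
# sample; only the numeric tokens are used by the rule.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 3304 /tid 3320"},
    {"image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"WerFaultSecure.exe /h /pid 5100 /tid 5104"},
    {"image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"WerFaultSecure.exe /h /pid 712 /tid 740"},
    {"image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"WerFault.exe -u -p 4120 -s 1234"},
]

# Only WerFaultSecure.exe is in scope here, as in the report; widen this
# pattern if you also want the non-PPL WerFault.exe covered.
WERFAULTSECURE = re.compile(r"(^|\\)WerFaultSecure\.exe$", re.I)
NUMERIC_TOKEN = re.compile(r"\b\d{1,7}\b")


def werfaultsecure_targets(event, process_table):
    """Sensitive processes referenced by a WerFaultSecure.exe command line,
    as a list of (pid, image); empty when the image is something else or
    no sensitive process is referenced."""
    if not WERFAULTSECURE.search(event["image"]):
        return []
    hits = []
    for token in NUMERIC_TOKEN.findall(event["cmdline"]):
        pid = int(token)
        image = process_table.get(pid)
        if image and image.lower() in SENSITIVE_IMAGES:
            hits.append((pid, image))
    return hits


def alerts(events, process_table):
    """One high-severity alert per event that names a sensitive process."""
    out = []
    for ev in events:
        targets = werfaultsecure_targets(ev, process_table)
        if targets:
            out.append({"cmdline": ev["cmdline"], "targets": targets, "severity": "high"})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS, PROCESS_TABLE):
        print(alert)
```

Because the PID lookup needs the process table from the same moment as the event, run this on the endpoint or against an EDR feed that records the target image, not on command lines alone.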

Compliance Best Practices

  • Evaluate and implement additional process protection and anti-tampering controls for critical security agents, going beyond the standard Windows Protected Process Light (PPL) safeguards.
  • Strengthen defense-in-depth by ensuring network security monitoring and host-based logging from sources other than the EDR (e.g., Sysmon, PowerShell logs) are aggregated and analyzed to detect suspicious activity even if endpoint security tools are disabled.
  • Incorporate adversary emulation exercises that specifically test for the bypass or disabling of security controls, using techniques like EDR-Freeze, to validate the resilience of your detection and response procedures.

Prompts as Code Embedded Keys | The Hunt for LLM-Enabled Malware

Large Language Models (LLMs) are increasingly being integrated into malware, presenting new challenges for detection due to their ability to generate malicious logic at runtime. Our research focused on identifying and understanding LLM-enabled malware by analyzing embedded API keys and specific prompt structures. We observed several adversarial uses of LLMs, including their use as lures, targets for prompt injection, tools for generating immature malware, external hacking sidekicks, and as embedded components within malware. Notable examples include PromptLock, a proof-of-concept AI-powered ransomware written in Golang that uses specific prompts to generate Lua scripts for data exfiltration and reconnaissance, and LameHug/PROMPTSTEAL, an APT28 information stealer written in Python that leverages HuggingFace API keys to generate system shell commands for data collection and exfiltration to a hardcoded IP address (144.126.202.227). While LLM-enabled malware complicates traditional signature-based detection and network traffic analysis, its reliance on hardcoded API keys and prompts creates new hunting opportunities. Our methodology involved wide API key detection using YARA rules for identifiable key structures (e.g., Anthropic's `sk-ant-api03`, OpenAI's Base64-encoded "OpenAI" substring `T3BlbkFJ`), which uncovered over 7,000 samples, and prompt hunting, where we searched for common prompt structures and used an LLM classifier to identify malicious intent. This led to the discovery of MalTerminal, an early LLM-enabled malware (Python scripts, Windows executables) that uses OpenAI GPT-4 to dynamically generate ransomware or reverse shells, identifiable by its use of a deprecated OpenAI API endpoint from before November 2023. We also identified other offensive LLM applications, such as people search agents, red team benchmarking tools, and LLM-assisted code vulnerability injection tools. This early stage of LLM-enabled malware development offers defenders a crucial opportunity to adapt detection strategies by focusing on these unique artifacts.

Severity: Critical

Sources

Threat Details and IOCs

Malware: PromptLock, LameHug, PROMPTSTEAL, MalTerminal, Rkor, LAMEHUG, Filecoder.PromptLock.A
CVEs: CVE-2022-30190
Technologies: Vercel, Netlify, OpenAI, Microsoft Windows, Hugging Face, Anthropic Claude, Python, Linux
Threat Actors: WormGPT, TsarTeam, BlueDelta, PromptLock, FROZENLAKE, FightingUrsa, FancyBear, UAC-0001, MalTerminal, APT28, Strontium, GrizzlySteppe, IronTwilight, PawnStorm, Sednit, HacxGPT, UAC-0028, LameHug, Swallowtail, Rkor, PromptSteal, FraudGPT, ForestBlizzard, Sofacy
Attacker Countries: Russia, China
Attacker IPs: 144.126.202.227
Attacker URLs: https://huggingface.co/SushantGautam/vulnerability_ativ0.1/raw/main/script.py
Victim Industries: Government, Industrial Control Systems, Defense
Victim Countries: United Kingdom, Ukraine, France, United States

Mitigation Advice

  • Add the file hashes for MalTerminal, PromptLock, and LameHug listed in the article to your EDR, antivirus, and SIEM blocklists to prevent and detect these specific threats.
  • Block the IP address 144.126.202.227 at the network perimeter firewall and create a detection rule to alert on any internal systems attempting to communicate with it.
  • Use file scanning tools or YARA rules to hunt across endpoints and code repositories for hardcoded LLM API keys, using patterns mentioned in the article such as the prefix "sk-ant-api03" and the Base64 string "T3BlbkFJ".
  • Create and run searches across file systems and code repositories for suspicious prompt structures, such as JSON containing `{"role": "system", "content": "You are a cybersecurity expert..."}` or other keywords like "reverse shell" and "vulnerability injector".
  • In your network monitoring tools, create alerts for new or unauthorized internal devices communicating with common LLM API endpoints, such as those for OpenAI, Anthropic, and HuggingFace.
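The API-key and prompt-structure hunts from the two items above, combined in one added Python example that is not part of the SentinelLABS research or the F5 report: it scans constructed source text for the `sk-ant-api03` prefix and the `T3BlbkFJ` substring (derived in code from "OpenAI" rather than hardcoded), looks for a system-role message whose content carries the keywords the advice names, and combines the two signals into a verdict. The character classes and lengths around the key prefixes, the `hf_` Hugging Face token prefix rule, and the sample files are assumptions.

```python
import base64
import re

# The report's observation that OpenAI keys carry the Base64 of "OpenAI" is
# checked here rather than typed in by hand.
OPENAI_MARKER = base64.b64encode(b"OpenAI").decode()   # "T3BlbkFJ"

# Key-structure patterns. The surrounding character classes and minimum
# lengths are assumptions for this example, not vendor documentation.
KEY_RULES = [
    ("anthropic_api_key", re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{20,}")),
    ("openai_api_key", re.compile(r"sk-[A-Za-z0-9_-]*" + re.escape(OPENAI_MARKER) + r"[A-Za-z0-9_-]*")),
    ("huggingface_token", re.compile(r"\bhf_[A-Za-z0-9]{20,}\b")),
]

# A system-role chat message as it appears in an embedded prompt, plus the
# intent keywords named in the mitigation advice.
SYSTEM_PROMPT = re.compile(r'"role"\s*:\s*"system"\s*,\s*"content"\s*:\s*"([^"]{0,400})"')
PROMPT_KEYWORDS = ("cybersecurity expert", "reverse shell", "vulnerability injector", "ransomware")

# Constructed sample files; the key values are placeholders, not real keys.
SAMPLE_SUSPECT = '''
import openai
openai.api_key = "sk-proj-CONSTRUCTEDT3BlbkFJSAMPLEKEY0000"
messages = [{"role": "system", "content": "You are a cybersecurity expert who writes reverse shell code."}]
'''
SAMPLE_BENIGN = '''
ANTHROPIC_API_KEY = "sk-ant-api03-CONSTRUCTEDSAMPLEKEYVALUE000"
msgs = [{"role": "system", "content": "You are a helpful assistant."}]
'''


def find_key_artifacts(text):
    """All (rule_name, matched_text) pairs for embedded LLM API keys."""
    return [(name, m.group(0)) for name, rx in KEY_RULES for m in rx.finditer(text)]


def find_prompt_artifacts(text):
    """For each system-role prompt, the list of intent keywords it contains
    (prompts with no keyword are not reported)."""
    hits = []
    for m in SYSTEM_PROMPT.finditer(text):
        content = m.group(1).lower()
        keywords = [k for k in PROMPT_KEYWORDS if k in content]
        if keywords:
            hits.append(keywords)
    return hits


def assess(text):
    """Combine both signals: key plus malicious-intent prompt is the strongest
    indicator; either one alone earns an analyst review."""
    keys = find_key_artifacts(text)
    prompts = find_prompt_artifacts(text)
    if keys and prompts:
        verdict = "likely LLM-enabled malware"
    elif keys or prompts:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "keys": keys, "prompts": prompts}


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample)["verdict"])
```

Run `assess` over each file in a repository or endpoint sweep; a "review" verdict on a developer's script is usually just a hardcoded key that belongs in a vault, which the compliance items below address.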

Compliance Best Practices

  • Develop and enforce a corporate policy that governs the acceptable use of public and private Large Language Models (LLMs) and their APIs in software development and daily operations.
  • Implement a centralized secrets management solution, such as a credential vault, and mandate its use for all API keys, including LLM keys, to prevent them from being hardcoded in applications.
  • Configure perimeter firewalls with strict egress filtering rules to only allow pre-approved servers to communicate with external LLM API endpoints, denying all other outbound connections to these services by default.
  • Deploy an application allow-listing solution on endpoints to prevent the execution of unauthorized applications and scripts, thereby reducing the risk of unknown malware execution.
  • Update the security awareness training program to educate developers on the risks of hardcoding API keys and to teach all employees how to identify social engineering lures that abuse AI themes.

Updated Sep 24, 2025
Version 3.0