F5 Threat Report - December 10th, 2025
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways

JPCERT/CC has confirmed active command injection attacks against Array Networks AG Series secure access gateways that exploit a vulnerability in the DesktopDirect feature, with attacks observed since August 2025. The flaw, which has not yet been assigned a CVE identifier, affects ArrayOS AG 9.4.5.8 and earlier and allows attackers to execute arbitrary commands and drop web shells; the observed attacks originated from the IP address 194.233.100[.]138. Array Networks released a fix on May 11, 2025, in ArrayOS version 9.4.5.9, and users are advised to apply this update promptly. Where that is not immediately possible, disabling the DesktopDirect service or filtering requests whose URL contains a semicolon can serve as an interim mitigation. A separate authentication bypass flaw in the same product line (CVE-2023-28461) was previously exploited by the China-linked MirrorFace group, but there is currently no evidence connecting that group to these command injection incidents.
Severity: High

Sources:
https://buaq.net/go-379737.html
https://cyberpress.org/arrayos-ag-vpn-vulnerability/
https://gbhackers.com/arrayos-ag-vpn/
https://thecyberexpress.com/cve-2023-28461-jpcert-array-gateway-warning/
https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/

Threat Details and IOCs:
Malware: Agenda, Albiriox, PoisonPlug, Qilin, Sha1-Hulud, ShadowPad, Shai-Hulud
CVEs: CVE-2023-28461
Technologies: Array Networks AG Series, Array Networks ArrayOS, Array Networks vxAG, PHP
Threat Actors: APT10, EarthKasha, MirrorFace
Attacker Countries: China
Attacker IPs: 194.233.100.138
Victim Industries: Aerospace, Defense, E-commerce, Education, Energy, Financial Services, Government, Healthcare, Information and Communication, Manufacturing, Multimedia, Public Sector, Semiconductors, Technology Hardware, Telecommunications, Utilities
Victim Countries: China, India, Japan, Taiwan, United States

Mitigation Advice:
Update all Array Networks AG Series gateways to ArrayOS version 9.4.5.9 or later to remediate the command injection vulnerability.
If patching to 9.4.5.9 is not immediately feasible, disable the DesktopDirect feature on all vulnerable devices.
Configure the perimeter firewall or Web Application Firewall (WAF) to block inbound HTTP/HTTPS requests to Array AG gateways whose URL contains a semicolon character (';'). Match on the percent-decoded URL, since a request carrying %3B instead of a literal ';' would otherwise pass the filter, and confirm beforehand that no legitimate path on the gateway relies on semicolons.
Add the IP address 194.233.100.138 to the network firewall's blocklist to deny all inbound and outbound traffic.
Scan the file systems of all Array AG gateways for indicators of compromise, such as recently created or modified web shell files (e.g., .php, .asp) in web-accessible directories. Patching does not remove a web shell that was dropped before the update, so any gateway that was exposed while unpatched should be treated as potentially compromised until the scan is clean.
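The URL-filter and log-review steps above, as an added example (not code from the advisory or from Array Networks): a small triage script that applies the "deny semicolons" rule to the decoded URL and flags requests from the published attacker IP. The log lines are constructed in Apache/nginx combined format, the request paths are placeholders (the advisory does not publish the vulnerable endpoint), and the allowlisted prefix for legitimate semicolon URLs is an assumption to be adapted per site.

```python
import re
from urllib.parse import unquote

# Indicator published in the JPCERT/CC advisory summarised above.
KNOWN_ATTACKER_IPS = {"194.233.100.138"}

# Constructed sample log lines (not real gateway logs). Paths are placeholders.
# Line 3 encodes the semicolon as %3B; line 4 is a legitimate cache-busting URL.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2025:10:14:01 +0900] "GET /portal/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
194.233.100.138 - - [02/Dec/2025:10:14:07 +0900] "GET /portal/resource;id HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.9 - - [02/Dec/2025:10:15:22 +0900] "POST /portal/resource%3Bwget%20x HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.7 - - [02/Dec/2025:10:16:03 +0900] "GET /static/app.js;v=3 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(url, rounds=3):
    """Percent-decode repeatedly so %3B or %253B cannot slip past a literal ';' check."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def should_block(url):
    """The advisory's rule: deny any request whose (decoded) URL contains ';'."""
    return ";" in fully_decode(url)


def triage(log_text, allow_semicolon_prefixes=("/static/",)):
    """Return log entries that hit the attacker IP or the semicolon rule.

    allow_semicolon_prefixes is an assumed site-specific exception list for
    paths where a semicolon is legitimate (e.g. asset versioning).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m["ip"], m["url"]
        reasons = []
        if ip in KNOWN_ATTACKER_IPS:
            reasons.append("known attacker IP")
        if should_block(url) and not url.startswith(allow_semicolon_prefixes):
            reasons.append("semicolon in decoded URL")
        if reasons:
            hits.append({"ip": ip, "ts": m["ts"], "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["url"], "->", ", ".join(hit["reasons"]))
```

The decode loop is the part a WAF rule author most often gets wrong: a rule written against the raw request line blocks `/x;id` but not `/x%3Bid`, and the gateway will decode the latter before it reaches the vulnerable code.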
Compliance Best Practices:
Establish a formal patch management policy that mandates regular vulnerability scanning of all internet-facing systems and defines strict service-level agreements (SLAs) for applying critical security patches.
Implement a recurring configuration review process for all network security appliances to identify and disable any non-essential features and services, thereby minimizing the device's attack surface.
Design and implement a DMZ network segment for all internet-facing services, including secure access gateways, and enforce strict firewall rules that only permit essential, pre-approved traffic between the DMZ and the internal corporate network.
Configure all internet-facing appliances to forward detailed system, process, and network logs to a centralized SIEM, and develop detection rules to alert on anomalous file creation, command execution, and unusual outbound connections.

LangChain Prompt Template Injection Vulnerability: Property Access (CVE-2025-65106)

A prompt template injection vulnerability has been discovered in the LangChain `langchain-core` package, affecting versions up to `1.0.6` and `0.3.79`, with fixes in versions `1.0.7` and `0.3.80`. Identified as CVE-2025-65106 and GHSA-6qv9-48xg-fc7f, the vulnerability allows an attacker who controls the template string itself, rather than only the values substituted into template variables, to reach Python object attributes, internal properties, and sensitive information, potentially escalating to more severe attacks. The flaw affects the F-string, Mustache, and Jinja2 template formats and stems from attribute access in F-string fields, a `getattr()` fallback in the Mustache renderer, and insufficient sandboxing in the Jinja2 environment. Applications are at high risk if they accept untrusted template strings, dynamically construct prompts based on user input, or allow users to customize or create prompt templates.
Remediation requires updating to the patched `langchain-core` versions, auditing code for any template strings originating from untrusted sources, and ensuring a clear separation between template structure and user-provided data. The specific fixes are F-string validation that restricts replacement fields to simple Python identifiers, strict type checking for Mustache that limits object traversal to dict, list, and tuple types, and a new `_RestrictedSandboxedEnvironment` for Jinja2 that blocks all attribute and method access.

Severity: High

Sources:
https://buaq.net/go-379721.html

Threat Details and IOCs:
CVEs: CVE-2025-65106
Technologies: Jinja2, LangChain LangGraph, Python
Victim Industries: E-commerce, Financial Services, Healthcare, Legal Services, Retail, Software

Mitigation Advice:
Update all instances of the `langchain-core` Python package to version 1.0.7 or later (1.x line) or 0.3.80 or later (0.3.x line) to patch the template injection vulnerability (GHSA-6qv9-48xg-fc7f).
Audit your codebase to identify all applications using LangChain's `ChatPromptTemplate`. Prioritize remediation for any applications found to accept template strings from untrusted sources.

Compliance Best Practices:
Enforce a secure coding standard for all AI/LLM applications that strictly separates the prompt template structure from user-provided data. Ensure that user input can only populate predefined variables within a static, developer-controlled template.
During application design and code reviews, challenge the necessity of using string-based prompt templating. Where possible, refactor applications to use direct message objects (e.g., `HumanMessage`, `AIMessage`) to eliminate the risk of template injection vulnerabilities.
Create a development policy that restricts the use of the Jinja2 template format (`template_format="jinja2"`) in LangChain to only those instances where the template content is hardcoded or originates from a fully trusted, internally-controlled source.
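The F-string attribute-access path described above, shown with plain `str.format` field semantics (the same replacement-field syntax the F-string template format is built on) rather than through LangChain itself. This is an added example, not LangChain's code or the advisory's proof of concept; `Settings`, `SECRET_DB_PASSWORD`, `render_naive` and `render_strict` are constructed names, and `render_strict` re-implements the "simple identifier only" validation from the fix as described, not the library's actual patch.

```python
import string


class Settings:
    """Constructed stand-in for an object an application might hand to a prompt."""

    def __init__(self, model):
        self.model = model
        self.api_key = "sk-example-not-a-real-key"  # constructed value


# A module-level secret the template author was never meant to reach.
SECRET_DB_PASSWORD = "hunter2-constructed"


def render_naive(template, **variables):
    """Vulnerable pattern: an untrusted *template* goes straight to str.format.

    str.format resolves dotted attribute paths and [index] lookups inside a
    replacement field, so the template, not just the variable values, decides
    what is read.
    """
    return template.format(**variables)


def render_strict(template, **variables):
    """Hardened pattern: every replacement field must be a bare identifier that
    names a supplied variable. Attribute/index paths, positional or empty
    fields, conversions (!r) and nested format specs are rejected up front."""
    for _literal, field, spec, conversion in string.Formatter().parse(template):
        if field is None:
            continue  # literal text only
        if not field.isidentifier() or field not in variables:
            raise ValueError(f"disallowed replacement field: {{{field}}}")
        if conversion is not None or (spec and "{" in spec):
            raise ValueError(f"disallowed conversion or format spec on {{{field}}}")
    return template.format(**variables)


def demonstrate():
    """Run both renderers against attacker-controlled templates and report results."""
    settings = Settings("gpt-4o")
    # Reads an attribute the variable was not meant to expose.
    leaked_key = render_naive("Model key: {settings.api_key}", settings=settings)
    # Walks class -> __init__ -> function globals to read a module secret.
    leaked_global = render_naive(
        "{settings.__class__.__init__.__globals__[SECRET_DB_PASSWORD]}",
        settings=settings,
    )
    try:
        render_strict("Model key: {settings.api_key}", settings=settings)
        strict_rejects = False
    except ValueError:
        strict_rejects = True
    safe = render_strict("Answer as {model}, briefly.", model=settings.model)
    return {
        "leaked_key": leaked_key,
        "leaked_global": leaked_global,
        "strict_rejects": strict_rejects,
        "safe_output": safe,
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The hardened renderer still lets user input flow into variable values, which is where it belongs; what it refuses is any template whose fields do more than name a variable. Passing message objects instead of strings, as the compliance note above recommends, removes the template parser from the path entirely.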
Chinese State-Sponsored Actors Deploy Brickstorm Backdoor in US Critical Networks for Years

Chinese state-sponsored actors, tracked as UNC5221 by Mandiant and Warp Panda by CrowdStrike, have maintained long-term access, in some cases for years, inside critical US networks, including at least eight government services and IT organizations and dozens of other entities across the legal, SaaS, business process outsourcing, technology, and manufacturing sectors. The actors deployed the cross-platform Brickstorm backdoor, which runs on Linux, VMware, and Windows systems, alongside two new Go-based implants: Junction (for VMware ESXi hosts, listening on port 8090) and GuestConduit (for guest VMs, communicating over VSOCK on port 5555). Initial access was typically gained by exploiting internet-facing edge devices, followed by pivoting into vCenter environments using valid credentials or vulnerabilities. Once inside, the adversaries stole cryptographic keys from domain controllers and Active Directory Federation Services servers, accessed and exfiltrated sensitive data from Microsoft Azure environments (OneDrive, SharePoint, Exchange), and established persistence by registering new multi-factor authentication devices. Warnings from CISA, the NSA, and the Canadian Centre for Cyber Security, together with reports from Google Threat Intelligence (Mandiant) and CrowdStrike, highlight the ongoing threat and the actors' evolving techniques; Palo Alto Networks' Unit 42 is also monitoring the activity.
Severity: Critical

Sources:
https://cyberpress.org/china-nexus-hackers/
https://federalnewsnetwork.com/cybersecurity/2025/12/agencies-it-companies-impacted-by-latest-malware-from-china/
https://gbhackers.com/vmware-vcenter-systems/
https://industrialcyber.co/cisa/cisa-nsa-sound-alarm-on-brickstorm-backdoor-used-by-china-linked-actors-targeting-vmware-windows-systems/
https://securitybrief.asia/story/warp-panda-cyberespionage-group-targets-us-cloud-networks
https://thecyberexpress.com/cisa-prc-hackers-target-vmware-with-brickstorm/
https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
https://www.cisa.gov/news-events/alerts/2025/12/04/prc-state-sponsored-actors-use-brickstorm-malware-across-public-sector-and-information-technology
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
https://www.cisa.gov/news-events/news/cisa-nsa-and-cyber-centre-warn-critical-infrastructure-brickstorm-malware-used-peoples-republic
https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks
https://www.hendryadrian.com/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/
https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/

Threat Details and IOCs:
Malware: BRICKSTEAL, BrickStorm, BRICKSTORM, GuestConduit, Junction, RESURGE, SPAWN, SPAWNANT, SPAWNCHIMERA, SPAWNMOLE, SPAWNSNAIL, ZIPLINE
CVEs: CVE-2021-22005, CVE-2023-34048, CVE-2023-46747, CVE-2023-46805, CVE-2023-4966, CVE-2024-21887, CVE-2024-21893, CVE-2024-38812, CVE-2025-0282, CVE-2025-22457
Technologies: BSD, F5 BIG-IP, Ivanti Connect Secure, Ivanti Policy Secure, Linux, Microsoft 365, Microsoft Active Directory, Microsoft Azure, Microsoft Windows, Microsoft Windows Server, VMware ESXi, VMware vCenter Server, VMware vSphere
Threat Actors: RedDev61, UNC5221, UTA0178, Warp Panda
Attacker Countries: China
Attacker IPs: 1.0.0.1, 1.1.1.1, 149.112.112.11, 149.112.112.112, 149.28.120.31, 208.83.233.14, 45.90.28.160, 45.90.30.160, 8.8.4.4, 8.8.8.8, 9.9.9.11, 9.9.9.9
Attacker URLs: https://1.0.0.1/dns-query, https://1.1.1.1/dns-query, https://149.112.112.112/dns-query, https://149.112.112.11/dns-query, https://45.90.28.160/dns-query, https://45.90.30.160/dns-query, https://8.8.4.4/dns-query, https://8.8.8.8/dns-query, https://9.9.9.11/dns-query, https://9.9.9.9/dns-query
Note on the IP and URL indicators: 1.0.0.1, 1.1.1.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, 9.9.9.11, 149.112.112.11, 149.112.112.112, 45.90.28.160 and 45.90.30.160 are the public DNS-over-HTTPS endpoints of Cloudflare, Google, Quad9 and NextDNS. The malware uses them to resolve its command-and-control names; they are not attacker-owned infrastructure and should not be blocklisted wholesale. Treat DoH requests to these endpoints from ESXi hosts, vCenter servers, domain controllers or other servers that have no business doing their own resolution as a hunting lead instead.
Attacker Hashes: 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf, 0a4fa52803a389311a9ddc49b7b19138, 10d811029f6e5f58cd06143d6353d3b05bc06d0f, 18f895e24fe1181bb559215ff9cf6ce3, 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b, 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759, 39111508bfde89ce6e0fe6abe0365552, 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46, 40992f53effc60f5e7edea632c48736ded9a2ca59fb4924eb6af0a078b74d557, 40db68331cb52dd3ffa0698144d1e6919779ff432e2e80c058e41f7b93cec042, 44a3d3f15ef75d9294345462e1b82272b0d11985, 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f, 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d, 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608, 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f, 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147, 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5, 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba, 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64, 82bf31e7d768e6d4d3bc7c8c8ef2b358, 88db1d63dbd18469136bf9980858eb5fc0d4e41902bf3e4a8e08d7b6896654ed, 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f, 8e4c88d00b6eb46229a1ed7001451320, 97001baaa379bcd83677dca7bc5b8048fdfaaddc, 9a0e1b7a5f7793a8a5a62748b7aa4786d35fc38de607fb3bb8583ea2f7974806, 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54, a02469742f7b0bc9a8ab5e26822b3fa8, a52e36a70b5e0307cbcaa5fd7c97882c, aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38, b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a, b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12, bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce, bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454, c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4, dbca28ad420408850a94d5c325183b28, de28546ec356c566cd8bca205101a733e9a4a22d, dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44, f639d9404c03af86ce452db5c5e0c528b81dc0d7, f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506, fb11c6caa4ea844942fe97f46d7eb42bc76911ab
Victim Industries: Business Process Outsourcing, Critical Manufacturing, Facilities Services, Government, Information Technology, Legal Services, Manufacturing, Public Sector, Software as a Service (SaaS), Technology Hardware
Victim Countries: Australia, Austria, Canada, Germany, Greece, Mexico, New Zealand, United Kingdom, United States

Mitigation Advice:
Download and run the open-source Brickstorm scanner from Mandiant's GitHub repository on all Linux, VMware, and Windows environments, prioritizing vCenter servers.
Scan VMware ESXi hosts for the Junction implant (a listener on port 8090) and monitor for suspicious processes masquerading as legitimate VMware services.
Scan guest VMs within your VMware environment for the GuestConduit implant, paying close attention to unusual VSOCK listener activity.
Immediately scan all internet-facing edge devices for vulnerabilities and apply all available security patches, prioritizing any devices with known exploits.
Audit all Microsoft 365 and Entra ID accounts for recently registered MFA devices and verify the legitimacy of each new registration with the account owner.
Review Microsoft 365 audit logs for anomalous access patterns to OneDrive, SharePoint, and Exchange Online, specifically looking for session replay activity or access from unusual IP addresses or locations.

Compliance Best Practices:
Implement network segmentation to create isolated security zones for critical assets such as VMware vCenter servers, ESXi hosts, and Domain Controllers, restricting access from less secure network segments.
Enforce the principle of least privilege for all accounts, especially service accounts and administrative accounts, ensuring they have only the minimum permissions necessary to perform their functions on systems such as vCenter and Active Directory.
Implement a default-deny egress filtering policy on the network firewall, allowing outbound traffic only for explicitly approved protocols, ports, and destinations, to disrupt command-and-control communications.
Enhance security logging for critical systems, including VMware vCenter, ESXi hosts, Domain Controllers, and ADFS servers. Forward these logs to a SIEM and develop correlation rules to detect lateral movement and credential access techniques.
Strengthen MFA policies by requiring re-authentication for sensitive actions such as registering a new MFA device, and enforce phishing-resistant MFA for all administrative and privileged accounts.
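Two of the hunting steps above in code, as an added example that is not part of the CISA, Mandiant or CrowdStrike reporting: first, using the report's IP list correctly by separating the public DoH resolvers from the other indicator addresses and alerting only when an infrastructure host (ESXi, vCenter, DC, ADFS) talks DoH; second, spotting the Junction-style listener on an ESXi host. The flow records are constructed, the `esxcli network ip connection list` output is an approximation of that command's table layout, and both the role-to-host mapping and the ESXi listener baseline are assumptions to replace with site data.

```python
import re

# IPs from the report's indicator list, split by what they actually are.
DOH_RESOLVERS = {
    "1.0.0.1", "1.1.1.1", "8.8.4.4", "8.8.8.8", "9.9.9.9", "9.9.9.11",
    "149.112.112.11", "149.112.112.112", "45.90.28.160", "45.90.30.160",
}
# Remaining indicator IPs from the report (listed without a DoH URL).
OTHER_INDICATOR_IPS = {"149.28.120.31", "208.83.233.14"}

# Assumption: these roles use internal resolvers and never need DoH themselves.
INFRA_ROLES = {"esxi", "vcenter", "domain-controller", "adfs"}

# Constructed flow/proxy records (sample data, not real telemetry).
SAMPLE_FLOWS = [
    {"src": "esx01.corp.example", "role": "esxi", "dst_ip": "8.8.8.8", "dst_port": 443, "uri": "/dns-query"},
    {"src": "vc01.corp.example", "role": "vcenter", "dst_ip": "149.28.120.31", "dst_port": 443, "uri": None},
    {"src": "ws-1234.corp.example", "role": "workstation", "dst_ip": "1.1.1.1", "dst_port": 443, "uri": "/dns-query"},
    {"src": "esx02.corp.example", "role": "esxi", "dst_ip": "10.10.0.53", "dst_port": 53, "uri": None},
]


def flag_flows(flows):
    """Return flows worth an analyst's time: any contact with a non-resolver
    indicator IP, and DoH use from a host role that should never do it.
    A workstation or browser reaching 1.1.1.1/dns-query is normal and is not flagged."""
    hits = []
    for f in flows:
        reasons = []
        if f["dst_ip"] in OTHER_INDICATOR_IPS:
            reasons.append("destination is a BRICKSTORM indicator IP")
        uses_doh = f["dst_ip"] in DOH_RESOLVERS or f.get("uri") == "/dns-query"
        if f["role"] in INFRA_ROLES and uses_doh:
            reasons.append("infrastructure host using DNS-over-HTTPS")
        if reasons:
            hits.append({"src": f["src"], "dst_ip": f["dst_ip"], "reasons": reasons})
    return hits


# Approximated layout of `esxcli network ip connection list` (constructed sample).
ESXCLI_SAMPLE = """\
Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID  CC Algo  World Name
-----  ------  ------  -------------  ---------------  ------  --------  -------  ----------
tcp    0       0       0.0.0.0:443    0.0.0.0:0        LISTEN  2097875   newreno  rhttpproxy
tcp    0       0       0.0.0.0:22     0.0.0.0:0        LISTEN  2097901   newreno  sshd
tcp    0       0       0.0.0.0:8090   0.0.0.0:0        LISTEN  2103311   newreno  vmware-hostd
"""

LISTEN_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+\d+\s+\S+\s+(?P<world>\S+)"
)
JUNCTION_PORT = 8090  # from the report
EXPECTED_ESXI_LISTENERS = {22, 80, 427, 443, 902, 8000, 8300}  # assumed site baseline


def find_unexpected_listeners(esxcli_output, baseline=EXPECTED_ESXI_LISTENERS):
    """Parse LISTEN rows and return (port, world name, reason) for anything off-baseline.
    The Junction port is called out explicitly; a VMware-looking world name on it is
    exactly the masquerading the report warns about, so the name is not trusted."""
    hits = []
    for line in esxcli_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        port = int(m["port"])
        if port == JUNCTION_PORT:
            hits.append((port, m["world"], "matches Junction implant listener port"))
        elif port not in baseline:
            hits.append((port, m["world"], "listener not in site baseline"))
    return hits


if __name__ == "__main__":
    for h in flag_flows(SAMPLE_FLOWS):
        print(h["src"], "->", h["dst_ip"], ":", "; ".join(h["reasons"]))
    for port, world, why in find_unexpected_listeners(ESXCLI_SAMPLE):
        print(f"ESXi listener {port} ({world}): {why}")
```

The role check is what keeps this usable: blocking or alerting on every connection to 8.8.8.8 would drown the SOC, while DoH from a hypervisor or domain controller is rare enough to page on.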
Intellexa Deployed Predator Spyware via iOS Zero-Day Exploit Chain Against Egyptian Targets

Sanctioned commercial surveillance vendor Intellexa deployed a three-stage iOS zero-day exploit chain, internally codenamed "smack," against targets in Egypt to install its Predator spyware. The initial stage leveraged a Safari remote code execution zero-day (CVE-2023-41993), which Google assessed Intellexa likely acquired externally because of its use of the "JSKit" framework, previously observed in attacks by other surveillance vendors and Russian government-backed actors. The second stage achieved sandbox escape and privilege escalation by exploiting the kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992, giving kernel memory read/write capabilities. The final stage, PREYHUNTER, comprised "helper" and "watcher" modules: the "watcher" module performed anti-detection by monitoring for security tools, specific locale settings, and other anomalies, while the "helper" module used custom frameworks (DMHooker, UMHooker) to hook system functions for VoIP recording, keylogging, and camera capture, and also hid notifications. Intellexa has been linked to 15 zero-day vulnerabilities since 2021, including several Chrome V8 engine exploits (CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, CVE-2025-6554) observed in Saudi Arabia. Google Threat Intelligence Group and Citizen Lab collaborated on this discovery, leading Google to issue warnings to Intellexa's targets across multiple countries and add associated domains to Safe Browsing.
Severity: Critical

Sources:
https://gbhackers.com/ios-zero-day/
https://thecyberexpress.com/ios-zero-day-exploit-chain-egypt/

Threat Details and IOCs:
Malware: Alien, ALIEN, Nova, Predator, PREYHUNTER
CVEs: CVE-2021-38003, CVE-2022-42856, CVE-2023-2033, CVE-2023-3079, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993, CVE-2023-4762, CVE-2025-6554
Technologies: Apple iOS, Apple Safari, Google Chrome
Threat Actors: Intellexa
Attacker Countries: Russia
Attacker Hashes: 85d8f504cadb55851a393a13a026f1833ed6db32cb07882415e029e709ae0750, e3314bcd085bd547d9b977351ab72a8b83093c47a73eb5502db4b98e0db42cac
Victim Industries: Government, Multimedia, Technology Hardware
Victim Countries: Angola, Egypt, Kazakhstan, Mongolia, Pakistan, Saudi Arabia, Tajikistan, Uzbekistan

Mitigation Advice:
Update all corporate and BYOD iOS devices to the latest available OS version to mitigate CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992.
Ensure all Google Chrome and Chromium-based browsers on corporate endpoints are updated to the latest version to protect against CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and CVE-2025-6554.
Scan managed mobile devices for the presence of unauthorized security research tools such as Bash, tcpdump, frida, sshd, or checkra1n, as these can be indicators of compromise or reconnaissance.
Audit managed mobile devices for unauthorized custom HTTP proxy configurations and non-corporate root certificate installations.

Compliance Best Practices:
Implement or enhance a Mobile Device Management (MDM) solution to enforce mandatory and timely OS and application updates on all mobile devices accessing corporate data.
Develop and enforce a security policy that enables Apple's Lockdown Mode on iOS devices used by executives and other employees at high risk of being targeted by sophisticated spyware.
Establish a continuous security awareness training program that educates users on how to identify and report phishing attempts and suspicious links on mobile devices.
Implement and maintain network egress filtering to block outbound connections from all corporate devices to known malicious domains and uncategorized websites.
Use MDM to establish and enforce a policy that prohibits the use of Developer Mode on all corporate-managed iOS devices unless there is a documented and approved business justification.

Microsoft Patches Critical Windows .LNK Flaw (CVE-2025-9491) Exploited by State-Sponsored Groups

Microsoft has addressed a Windows shortcut file (.lnk) vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), that allowed malicious .lnk files to conceal harmful command-line arguments and so enable hidden code execution. The flaw, exploited by at least 11 state-sponsored groups from North Korea, Iran, Russia, and China since 2017 for cyber espionage and data theft, relies on padding the command-line arguments with whitespace so that the "Target" field in the Windows Properties dialog appears innocuous. Despite initially downplaying its severity, Microsoft shipped a "silent mitigation" in its November 2025 Patch Tuesday updates, after which the Properties dialog reveals the full command. The fix follows a recent campaign by the China-linked UNC6384/Mustang Panda group, which leveraged CVE-2025-9491 in spear-phishing attacks against European diplomatic entities to deploy the PlugX remote access trojan. The .lnk format remains a significant threat because it bypasses many email filters and turns a double-click into remote code execution through social engineering, and the risk persists until all vulnerable systems are updated.
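The padding technique described above, made concrete: an added example (not code from Microsoft, ZDI, or the reporting above) that parses the Shell Link header and StringData of a .lnk file per the MS-SHLLINK layout, extracts COMMAND_LINE_ARGUMENTS, and flags whitespace padding, non-space whitespace, interpreter tokens and a minimised ShowCommand. `build_lnk` constructs a minimal fixture so the parser runs offline; it is not a sample from the campaign, and the padding threshold and token list are assumed heuristics.

```python
import re
import struct

# Layout constants from MS-SHLLINK: the ShellLinkHeader is 0x4C bytes, LinkFlags sit
# at offset 0x14 and ShowCommand at 0x3C; StringData blocks follow the optional
# LinkTargetIDList and LinkInfo structures, each as a uint16 count plus characters.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

WS_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")
# Assumed token list; extend for the interpreters and encodings seen in your telemetry.
LOLBIN = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)\b"
    r"|-enc\b|frombase64|\biex\b|downloadstring", re.I)


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed test fixture: a Unicode .lnk with only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    # Trailing uint32 0 is the ExtraData terminal block.
    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link file."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # uint32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data, pad_threshold=16):
    """Flag the CVE-2025-9491 pattern: a long whitespace run hiding the real arguments."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    findings = []
    longest = max((len(r) for r in WS_RUN.findall(args)), default=0)
    if longest >= pad_threshold:
        findings.append(f"whitespace padding: run of {longest} characters in arguments")
    if any(c in args for c in "\t\r\n\x0b\x0c"):
        findings.append("non-space whitespace (tab/CR/LF/VT/FF) in arguments")
    if LOLBIN.search(args):
        findings.append("interpreter or encoded-command token in arguments")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised)")
    return {"fields": fields, "findings": findings, "suspicious": longest >= pad_threshold}


if __name__ == "__main__":
    sample = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                       " " * 300 + "/c powershell -w hidden -enc QQBB", show_command=7)
    print(triage_lnk(sample)["findings"])
```

Run this over attachments at the mail gateway or over `.lnk` files recovered from user profiles; the whitespace run is the high-signal test, because the patched Properties dialog now shows the full command but a user who double-clicks never sees the dialog at all.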
Severity: Critical

Sources:
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
https://cyberpress.org/microsoft-windows-lnk-vulnerability/
https://dataconomy.com/2025/11/24/why-that-harmless-looking-desktop-icon-might-actually-be-a-weapon/
https://gbhackers.com/hackers-actively-exploit-new-windows-lnk-0-day/
https://it.slashdot.org/story/25/12/04/1744255/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day?utm_source=rss1.0mainlinkanon&utm_medium=feed
https://meterpreter.org/microsoft-finally-patches-lnk-flaw-cve-2025-9491-exploited-by-spies-since-2017/
https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.hendryadrian.com/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
https://www.techrepublic.com/article/news-microsoft-fixes-security-flaw/
https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/

Threat Details and IOCs:
Malware: CirenegRAT, C_Major, Destroy RAT, DestroyRAT, Dreambot, Farfli, Gh0st, Gh0st RAT, Ghost RAT, Gozi, Gozi-ISFB, HiddenGh0st, Hodur, ISFB, Kaba, Konni, KONNI, Korplug, LDR4, Moudour, Papras, PCrat, PCRat, PlugX, QNAP-Worm, Raspberry Robin, Roshtyak, Snifula, Sogu, SOGU, Storm-0856, SugarGh0st RAT, TheTrick, TIGERPLUG, Trickbot, TrickBot, TrickLoader, Trickster, UpDog, Ursnif, UsrRunVGA.exe, XDigo
CVEs: CVE-2025-9491
Technologies: Microsoft Windows, Microsoft Windows Server
Threat Actors: APT10, APT15, APT17, APT20, APT21, APT22, APT26, APT27, APT3, APT31, APT37, APT40, APT41, APT43, Barium, Bitter, BronzePresident, BronzeUnion, Daggerfly, DoubleDragon, DragonOK, EarthIktomi, EarthLusca, EarthPreta, EmissaryPanda, EvilCorp, HazyTiger, Hellsing, HurricanePanda, Kimsuky, Konni, LuckyMouse, MenuPass, MUSTANGPANDA, OpalSleet, RazorTiger, RedDelta, RedHotel, SadFuture, SAMURAIPANDA, Sidewinder, TA416, TA505, TEMPHex, TwillTyphoon, UNC1878, UNC6384, VelvetAnt, WaterPoukai, WickedPanda, WickedSpider, WIZARDSPIDER, XDSpy
Attacker Countries: China, India, Iran, North Korea, Russia
Attacker IPs: 195.154.152.70
Attacker Domains: cseconline.org, d32tpl7xt7175h.cloudfront.net, dorareco.net, mydownload.z29.web.core.windows.net, naturadeco.net, paquimetro.net, racineupci.org, vnptgroup.it.com
Victim Industries: Aerospace, Civic and Social Organizations, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Mining, Non-Governmental Organizations (NGOs), Technology Hardware, Telecommunications
Victim Countries: Afghanistan, Algeria, Australia, Austria, Bangladesh, Belarus, Belgium, Bhutan, Brazil, Bulgaria, Cambodia, China, Cyprus, Czech Republic, Djibouti, Egypt, Estonia, Ethiopia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Kuwait, Laos, Latvia, Malaysia, Maldives, Moldova, Mongolia, Mozambique, Myanmar, Nepal, Netherlands, Nigeria, Pakistan, Palestine, Philippines, Romania, Russia, Rwanda, Saudi Arabia, Serbia, Singapore, Slovakia, South Africa, South Korea, Sri Lanka, Sudan, Sweden, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Vatican City, Vietnam

Mitigation Advice:
Prioritize and deploy the November 2025 Microsoft Patch Tuesday security updates to all Windows endpoints and servers to apply the mitigation for CVE-2025-9491. Note that the mitigation makes the padded arguments visible in the Properties dialog; it does not stop a shortcut from executing them, so the remaining controls still matter.
Conduct a threat hunt across all endpoints for indicators of compromise related to this campaign, such as anomalous PowerShell execution originating from .lnk files, evidence of the PlugX RAT, and signs of DLL sideloading.
Configure the email security gateway to block or quarantine all incoming emails containing .lnk file attachments, including those inside compressed archives such as .zip files.
Issue an immediate security alert to all employees warning them not to open or click unexpected shortcut (.lnk) files, especially those received by email, and to report any suspicious emails to the security team.

Compliance Best Practices:
Implement an application allowlisting policy, such as Windows Defender Application Control (WDAC), to restrict the execution of unauthorized applications and scripts on endpoints.
Enable PowerShell Script Block Logging and Module Logging on all Windows systems and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
Deploy or tune an Endpoint Detection and Response (EDR) tool to create detection rules for suspicious process chains, such as explorer.exe launching a .lnk file that then spawns PowerShell or cmd.exe.
Establish a continuous security awareness training program that includes regular phishing simulations using lures with various attachment types, including shortcuts and archives, to train users to identify and report threats.
Enforce the principle of least privilege by removing local administrator rights from all standard user accounts to contain the impact of malware execution.

Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.

F5 Threat Report - December 3rd, 2025
Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk

A study has revealed that over 390 abandoned or hijacked iCalendar sync domains are still receiving daily synchronization requests from nearly 4 million iOS and macOS devices, posing significant security risks. When users subscribe to external calendars, their devices automatically fetch updates as .ics files, and attackers who register an expired domain can serve malicious .ics files in their place. These files can contain harmful event links, phishing URLs, or prompts for unwanted applications, all appearing legitimate inside the user's calendar. Apple's calendar sync daemon, identifiable by user-agent strings such as `dataaccessd/1.0`, keeps requesting updates indefinitely. Further investigation linked the hijacked servers to JavaScript payloads that trick users into granting push notification permissions or subscribing to spam calendars, often overlapping with large-scale notification scam campaigns and infrastructure previously compromised by the Balada Injector malware. While most of this activity relies on social engineering, some campaigns have distributed weaponized .ics files that exploit vulnerabilities such as CVE-2025-27915 in Zimbra, allowing JavaScript execution without user interaction. Security experts warn that calendar-based threats are an overlooked attack vector and recommend that organizations review active calendar subscriptions, implement allowlist-based firewall rules, and include calendar security in employee awareness training to mitigate large-scale phishing, malware delivery, and data harvesting.
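The attachment-inspection step that the recommendations above call for, as an added example (not code from the study or from any vendor): a small .ics scanner that unfolds RFC 5545 continuation lines (a payload split across a folded line is missed by naive grep), pulls URLs out of the properties that carry links or HTML, checks their hosts against an allowlist, and flags embedded script or event-handler markup of the kind used against Zimbra. The sample calendar is constructed, reusing two domains from the indicator list below as the "bad" hosts; the allowlist is an assumption to replace with the organization's approved calendar providers.

```python
import re
from urllib.parse import urlparse

# Assumption: the calendar providers this organization actually uses.
ALLOWED_CALENDAR_HOSTS = {"calendar.google.com", "outlook.office365.com", "cal.corp.example"}

URL_RE = re.compile(r"(?:https?|webcal)://[^\s\"'<>]+", re.I)
# <script ...>, inline event handlers (onerror=, onload=...) and javascript: URLs.
SCRIPT_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:", re.I)
LINK_PROPS = ("URL", "ATTACH", "DESCRIPTION", "X-ALT-DESC", "LOCATION", "SUMMARY")

# Constructed sample: one benign link, one subscription link to a listed domain, and an
# HTML description whose event handler is split across a folded line.
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
BEGIN:VEVENT
UID:constructed-0001
SUMMARY:Quarterly review
DESCRIPTION:Join here: https://calendar.google.com/calendar/event?eid=abc
URL:https://mo17.biz/?p=gy3ggyrzgm5gi3bpgy2dsny
X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<img src=x onerror="fe
 tch('https://ffrk.net/c')"></body></html>
END:VEVENT
END:VCALENDAR
"""


def unfold(ics_text):
    """RFC 5545 unfolding: a line that starts with a space or tab continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def properties(ics_text):
    """Yield (NAME, [params], value) for each content line.
    Splitting on the first ':' is a simplification: it misbehaves only for quoted
    parameter values that themselves contain ':', which is rare in real feeds."""
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.split(";")
        yield name.upper(), params, value


def scan_ics(ics_text, allowed_hosts=ALLOWED_CALENDAR_HOSTS):
    """Return human-readable findings for links off the allowlist and embedded script."""
    findings = []
    for name, params, value in properties(ics_text):
        if name in LINK_PROPS:
            for url in URL_RE.findall(value):
                host = (urlparse(url).hostname or "").lower()
                if host not in allowed_hosts:
                    findings.append(f"{name}: link to non-allowlisted host {host}")
        if SCRIPT_RE.search(value) or any(SCRIPT_RE.search(p) for p in params):
            findings.append(f"{name}: embedded HTML script or event handler")
    return findings


if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS):
        print(f)
```

A gateway that quarantines on any finding gets the Zimbra-style payload (script in an HTML description) and the subscription lure (a URL or ATTACH pointing at an unknown host) with the same few lines; wiring the same `unfold` into a proxy rule for `dataaccessd/1.0` traffic covers the subscription-sync side.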
Severity: Critical

Sources:
https://cyberpress.org/icalendar-sync-domains/
https://www.hkcert.org/security-bulletin/zimbra-multiple-vulnerabilities_20251107

Threat Details and IOCs:
Malware: Balada Injector
CVEs: CVE-2025-27915
Technologies: Apple iOS, Apple macOS, Zimbra Collaboration
Threat Actors: APT28, UNC1151
Attacker IPs: 193.29.58.37
Attacker Emails: spam_to_junk@proton.me
Attacker Domains: 0.allowandgo.com, 0.blueandbesthome.com, 0.mo12.biz, 1downloadss0ftware.xyz, bestresulttostart.com, ffrk.net, linetoslice.com, linetowaystrue.com, mo17.biz, mos3.biz, perfectlinestarter.com, readytocheckline.com, recordsbluemountain.com, taskscompletedlists.com, topwebsites1d.com
Attacker URLs: http://mos3.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, https://mo17.biz/?p=gy3ggyrzgm5gi3bpgy2dsny, https://mo17.biz/?webcal=me2tanrymi5gi3bpgu4tmna&u=230c9837-23ee-4208-8df0-1fa854490c90&l=24&t=1620652575&g=3&al=ar&sub1=&sub2=&sub3=&sub4=b0690ftho9zwh124, hxxps://ffrk.net/apache2_config_default_51_2_1
Attacker Hashes: e05c546f30212173ba878c31bbd8b93216cab1e847676b7bae870719f37dd7a5
Victim Industries: Government, Technology Hardware
Victim Countries: Brazil, China

Mitigation Advice:
Instruct all users to immediately review their calendar subscriptions on all corporate and BYOD Apple devices (iOS and macOS) and remove any unrecognized or unnecessary subscriptions.
Configure network monitoring tools to alert on outbound traffic from Apple devices that carries both the user-agent 'dataaccessd/1.0' and the 'Accept: text/calendar' header and is destined for non-standard or uncategorized domains.
If your organization uses the Zimbra Collaboration Suite, immediately apply the vendor-supplied patches for the actively exploited cross-site scripting vulnerability CVE-2025-27915.
Send an immediate security bulletin to all employees warning them about the risks of unsolicited calendar events and browser push notification prompts. Instruct them to decline all unexpected requests to 'Allow' notifications and to avoid clicking links in suspicious calendar entries.

Compliance Best Practices:
Develop and implement a network firewall policy that allowlists approved domains for iCalendar synchronization and blocks all other outbound requests matching the 'dataaccessd/1.0' user-agent.
Update the corporate security awareness training program to include a dedicated module on the risks of calendar subscriptions, phishing via calendar events, and the social engineering tactics used in browser push notification scams.
Develop and deploy a Mobile Device Management (MDM) configuration profile to restrict or disable the ability of users to add arbitrary calendar subscriptions on corporate-managed iOS and macOS devices.
Configure the email security gateway to inspect incoming `.ics` attachments for malicious links and embedded scripts, and consider content disarm and reconstruction (CDR) for these files.

Microsoft Teams Guest Chat Flaw Could Let Hackers Deliver Malware

A flaw in Microsoft Teams guest chat allows attackers to bypass Defender for Office 365 protections by exploiting an architectural gap in cross-tenant collaboration. When users accept guest invitations to external Teams tenants, they fall under the hosting tenant's security policies, and an attacker can simply disable those policies in a low-cost Microsoft 365 tenant that does not license Defender for Office 365. The November 2025 rollout of the feature announced in Message Center post MC1182004, which enables chats with anyone via email address by default, makes the attack practical: attackers invite targets into their own unprotected environment and deliver phishing or malware there without detection.
To mitigate this, organizations should restrict B2B guest invitations to trusted domains in Microsoft Entra ID, configure granular cross-tenant access policies, limit external Teams communication to specific domains through the Teams Admin Center, and consider disabling the MC1182004 capability with the PowerShell command `Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false`. The underlying lesson is that security protections follow the resource tenant, not the user's home tenant, and organizations must account for that when they allow cross-tenant collaboration.

Severity: Critical

Sources:
https://buaq.net/go-378428.html
https://gbhackers.com/microsoft-teams-guest-chat-flaw/
https://hackread.com/microsoft-teams-guest-chat-flaw-malware/

Threat Details and IOCs:
Technologies: Microsoft 365, Microsoft Entra ID, Microsoft Teams
Victim Industries: Critical Manufacturing, Financial, Government

Mitigation Advice:
In Microsoft Entra ID, navigate to 'External Identities' -> 'External collaboration settings' and change 'Guest invite settings' to 'Allow invitations only to specified domains'. Populate the list with currently known and trusted partner domains.
In the Microsoft Teams Admin Center, under 'Users' -> 'External access', set the policy for Teams and Skype for Business users in external organizations to 'Allow only specific external domains' and add the domains of trusted business partners.
Connect to Microsoft Teams with PowerShell and run 'Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false' to disable the ability for users to start chats with external users using only an email address. The Global policy only covers users who have no custom messaging policy assigned; apply the same setting to every custom policy in use.
In Microsoft Entra ID, under 'External Identities' -> 'Cross-tenant access settings', configure the default settings to block inbound and outbound B2B collaboration and B2B direct connect for both users and applications, then add organization-specific settings for the partners you have approved so that existing collaboration is not cut off.
Compliance Best Practices
Develop and implement a formal policy and process for vetting, approving, and periodically reviewing external organizations for Teams collaboration. Use this process to manage the allowlists in Entra ID's cross-tenant access settings and the Teams Admin Center.
Develop and deploy a recurring security awareness training module that specifically educates users on the risks of accepting Microsoft Teams guest invitations from unknown organizations. The training should explain that security protections do not carry over and should instruct users on how to verify and report suspicious invitations.

DPRK-Linked Kimsuky and Lazarus Coordinate Espionage and Financial Theft via CVE-2024-38193

Kimsuky and Lazarus operate a coordinated campaign, combining Kimsuky's precise espionage with Lazarus's financial theft capabilities, both under DPRK control. Kimsuky initiates attacks through academic-themed spearphishing, using malicious HWP and MSC attachments to harvest credentials and reconnaissance data, deploying backdoors like FPSpy and the KLogEXE keylogger. Lazarus then leverages zero-day Windows privilege escalation, specifically CVE-2024-38193, and malicious Node.js packages to gain SYSTEM privileges and deploy the InvisibleFerret backdoor for cryptocurrency wallet theft. The groups share C2 infrastructure, intelligence, and tools, employing advanced evasion techniques such as encrypted/HTTP-like C2 traffic, multi-layer packing (Fudmodule), domain rotation, and anti-EDR capabilities to avoid detection. This collaboration has resulted in the rapid exfiltration of sensitive documents and significant cryptocurrency thefts, including a single incident of $32 million and over $120 million cumulatively since 2024.
The campaign utilizes various MITRE ATT&CK techniques, including Phishing (T1566), Input Capture (T1056), Exploitation for Privilege Escalation (T1068), Command and Scripting Interpreter (T1059), Ingress Tool Transfer (T1105), Boot or Logon Autostart Execution (T1547), Obfuscated Files or Information (T1027), Application Layer Protocol (T1071), Exfiltration Over C2 Channel (T1041), Valid Accounts (T1078), and Domain Policy Modification (T1484). Key indicators of compromise include FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) hashes, shared C2 IP addresses like 192.168.xxx.xxx, the academic lure domain academic-symposium[.]info, and the exploitation of CVE-2024-38193.

Severity: Critical

Sources
https://buaq.net/go-375362.html
https://buaq.net/go-376034.html
https://cyberpress.org/exploiting-code-hosting-platforms/
https://cyberpress.org/north-korean-job-fraud/
https://gbhackers.com/json-storage/
https://securityonline.info/north-koreas-contagious-interview-apt-uses-json-keeper-and-gitlab-to-deliver-beavertail-spyware/
https://slowmist.medium.com/explanation-msmt-the-dprks-violation-and-evasion-of-un-sanctions-via-cyber-and-it-worker-e2a674d3a2c5?source=rss-4ceeedda40e8------2
https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html
https://www.hendryadrian.com/inside-dprks-fake-job-platform-targeting-u-s-ai-talent-validin/
https://www.hendryadrian.com/kimsuky-and-lazarus-coordinated-campaign/
https://www.hendryadrian.com/kimsuky-health-checkup-email-malware/

Threat Details and IOCs
Malware: Agenda, AkdoorTea, AlphaSeed, AppleJeus, AppleSeed, ATMDtrack, BabyShark, Beavertail, BeaverTail, Dtrack, FPSpy, FudModule, InfoKey, InvisibleFerret, JamBog, Kaiten, KGH_SPY, KLogEXE, MoonPeak, OtterCookie, Play, Playcrypt, Qilin, RokRAT, TrollAgent, Troll Stealer, Tropidoor, Tsunami, TsunamiKit, XenoRAT, XORIndex
CVEs: CVE-2017-0199, CVE-2018-13379, CVE-2019-0708, CVE-2020-12812, CVE-2022-42475,
CVE-2023-27532, CVE-2023-27997, CVE-2024-21762, CVE-2024-27198, CVE-2024-38193, CVE-2024-55591
Technologies: Apple macOS, Atlassian Bitbucket, BtcTurk, Bybit, DMM Bitcoin, ESTsoft ALZIP, Exclusible, GitHub, GitLab, Google Chrome, Hancom Hangul Word Processor, JSONsilo, Keeper, LinkedIn, Linux, MetaMask, Microsoft .NET Framework, Microsoft Windows, Munchables, Node.js, npm, npoint.io, OnyxDAO, Pastebin, Phantom, Python, Radiant Capital, TronLink, WazirX
Threat Actors: Agenda, AlluringPisces, Andariel, APT37, APT38, APT43, APT45, Beavertail, BlackBanshee, Bluenoroff, CitrineSleet, CL-STA-0240, CryptoCore, DeceptiveDevelopment, DEV#POPPER, EmeraldSleet, FamousChollima, GleamingPisces, GwisinGang, InvisibleFerret, JadeSleet, Kimsuky, Lazarus, LazarusGroup, MoonstoneSleet, OnyxSleet, OtterCookie, Qilin, SapphireSleet, SilentChollima, SparklingPisces, StardustChollima, Temp.Hermit, TenaciousPungsan, Thallium, TraderTraitor, UNC4899, UNC5342, VelvetChollima, VoidDokkaebi, WageMole
Attacker Countries: North Korea, Russia
Victim Industries: Construction, Cryptocurrency, Defense Industrial Base, Education, Financial Services, Financial Technology, Government, Healthcare, Information Technology, Insurance, Market Research, Real Estate, Software, Technology Hardware
Victim Countries: Argentina, Brazil, Cambodia, Canada, China, Colombia, Costa Rica, Egypt, Equatorial Guinea, France, Germany, Guinea, India, Indonesia, Japan, Kenya, Laos, Mexico, Netherlands, Nigeria, Pakistan, Philippines, Portugal, Russia, Serbia, South Korea, Tanzania, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam

Mitigation Advice
Immediately apply the security patch for CVE-2024-38193 to all vulnerable Windows systems.
Block the domain 'academic-symposium[.]info' at the web proxy, DNS firewall, and email gateway.
Add the file hashes for FPSpy (MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6) and InvisibleFerret (MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1) to your Endpoint Detection and Response (EDR) and antivirus blocklists.
Configure email security gateways to block or quarantine incoming emails with HWP and MSC file attachments.
Run threat hunting queries in your SIEM and EDR to search for suspicious process behaviors, such as HWP files spawning 'winlogon.exe' or any process accessing cryptocurrency wallet paths like '%APPDATA%\MetaMask'.

Compliance Best Practices
Develop and implement a mandatory, recurring security awareness training program that focuses on identifying spearphishing emails and the risks of handling unsolicited attachments or links.
Implement application control policies, such as AppLocker, to restrict the execution of unauthorized scripts and executables, particularly in developer environments.
Establish a secure software development lifecycle (SDLC) policy that includes vetting all third-party libraries, such as those from npm, for known vulnerabilities or malicious code before they are approved for use.
Implement regular auditing and alerting for any modifications to Group Policy Objects (GPOs) to quickly detect unauthorized changes used for lateral movement.
Implement network segmentation to isolate critical assets, such as domain controllers and servers handling financial data, from the general user network.
Deploy a network security solution capable of TLS inspection to decrypt and analyze outbound web traffic for signs of command-and-control (C2) activity.
Establish and enforce a corporate policy that requires all company-managed cryptocurrency assets to be stored in hardware wallets and prohibits the use of software wallets on networked endpoints.

ShadowV2 Botnet Exploits AWS Outage to Infect IoT Devices in 28 Countries

A Mirai-based botnet, ShadowV2, emerged during a widespread AWS outage last October, infecting IoT devices across 28 countries and multiple sectors including technology, retail, government, and education. This activity, potentially a "test run" for future attacks, involved the botnet exploiting vulnerabilities in devices from vendors like DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375). The infection process involved dropping a `binary.sh` downloader that delivered "shadow" prefixed malware binaries from 81[.]88[.]18[.]108, utilizing an XOR-encoded configuration to connect to a command-and-control server for DDoS attacks, and displaying the string "ShadowV2 Build v1.0.0 IoT version."
While ShadowV2's observed activity was limited to the outage period, its emergence underscores the persistent vulnerability of IoT devices, a point further highlighted by a subsequent 15.72 Tbps DDoS attack on Azure by the Aisuru botnet, which was successfully mitigated.

Severity: Critical

Sources
https://cyberpress.org/shadowv2-malware/
https://dataconomy.com/2025/11/27/shadowv2-botnet-exploited-aws-outage-timeline-to-test-global-iot-attacks/
https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
https://www.securitylab.ru/news/566583.php
https://www.securitylab.ru/news/566590.php
https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/

Threat Details and IOCs
Malware: Airashi, Aisuru, Bash0day, Bashlite, BASHLITE, boatnet, Gafgyt, Gayfemboy, Hakai, Katana, LizardStresser, Lizkebab, Lzrd, LZRD, Miori, Mirai, Okiru, Pandora, Qbot, Satori, ShadowV2, SpeakUp, Torlus, TurboMirai, Yowai
CVEs: CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2023-52163, CVE-2024-10914, CVE-2024-10915, CVE-2024-3721, CVE-2024-53375
Technologies: Amazon Web Services, DD-WRT, Digiever, Digiever Network Video Recorders, D-Link, D-Link GO-RT-AC750, D-Link ShareCenter, Linux, TBK, TBK DVRs, TP-Link, TP-Link Archer
Threat Actors: LZRD
Attacker IPs: 198.199.72.27, 23.97.62.139, 81.88.18.108
Attacker Domains: silverpath.shadowstresser.info
Victim Industries: Education, Government, Hospitality, Information Technology, Managed Service Providers, Manufacturing, Retail, Technology Hardware, Telecommunications
Victim Countries: Australia, Austria, Belgium, Bolivia, Brazil, Canada, Chile, China, Croatia, Czech Republic, Egypt, France, Greece, Italy, Japan, Kazakhstan, Mexico, Morocco, Netherlands, Philippines, Russia, Saudi Arabia, South Africa, Taiwan, Thailand, Turkey, United Kingdom, United States

Mitigation Advice
Add the IP address 81.88.18.108 to the network firewall blocklist to prevent connections to and from the ShadowV2 malware delivery server.
Use your SIEM or EDR solution to search for executions of a script named 'binary.sh' and the presence of any files with the prefix 'shadow' on all endpoints.
Scan the network to identify all devices running DD-WRT firmware and immediately update any vulnerable instances to a version that patches CVE-2009-2765.
Scan the network to identify all D-Link devices vulnerable to CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, or CVE-2024-10915. Apply vendor patches where available or isolate and plan for the replacement of end-of-life devices.
Scan the network to identify TBK DVRs vulnerable to CVE-2024-3721. Since no patch is available, isolate these devices from the network immediately and prioritize their replacement.
Scan the network to identify all TP-Link routers vulnerable to CVE-2024-53375 and apply the necessary firmware updates immediately.
Compliance Best Practices
Design and implement a separate network segment (VLAN) for all IoT devices to isolate them from critical business systems and user networks.
Develop and enforce an IoT security policy that defines standards for the procurement, deployment, configuration, and lifecycle management of all connected devices.
Establish a formal vulnerability management program that includes regular, automated scanning of all network assets, including IoT devices, to proactively identify and remediate vulnerabilities.
Implement a default-deny egress filtering policy on the network firewall, allowing outbound connections only for specifically approved protocols, ports, and destinations required for business operations.
Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor AWS environments for misconfigurations and security risks in EC2 instances and other services.

ASUS Warns of Critical Auth Bypass Flaw (CVE-2025-59366) in AiCloud Routers

ASUS has released new firmware to address nine security vulnerabilities, including a critical authentication bypass flaw, CVE-2025-59366, affecting its routers with AiCloud enabled. This vulnerability, stemming from an unintended side effect of Samba functionality, allows remote attackers to execute specific functions without proper authorization by chaining path traversal and OS command injection weaknesses, requiring low complexity and no user interaction. Users are strongly advised to update their router firmware to the latest versions, specifically those in the `3.0.0.4_386`, `3.0.0.4_388`, and `3.0.0.6_102` series. For end-of-life models that will not receive updates, mitigation steps include disabling all internet-accessible services such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP, as well as cutting remote access to devices running vulnerable AiCloud software, and employing strong passwords for router administration and wireless networks.
This follows a previous critical authentication bypass, CVE-2025-2492, patched in April, which was exploited in "Operation WrtHug" to compromise thousands of ASUS WRT routers globally.

Severity: Critical

Sources
https://buaq.net/go-378236.html
https://cyberinsider.com/asus-patches-critical-vulnerabilities-in-routers-and-pc-software/
https://meterpreter.org/asus-patches-critical-aicloud-flaw-cve-2025-59366-allowing-remote-router-takeover/
https://securityonline.info/8-flaws-asus-routers-urgently-need-patch-for-authentication-bypass-cve-2025-59366-cvss-9-4/
https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/
https://www.hkcert.org/security-bulletin/asus-router-multiple-vulnerabilities_20251126

Threat Details and IOCs
Malware: PoisonPlug, RingReaper, ShadowPad
CVEs: CVE-2023-41345, CVE-2023-41348, CVE-2024-12912, CVE-2025-12003, CVE-2025-2492, CVE-2025-59365, CVE-2025-59366, CVE-2025-59368, CVE-2025-59369, CVE-2025-59370, CVE-2025-59371, CVE-2025-59372, CVE-2025-59373
Technologies: ASUS, ASUS ASUSWRT, ASUS Router, ASUSWRT, Linux, Microsoft Windows, Samba
Threat Actors: AyySSHush
Attacker Countries: China
Victim Industries: Consumer Electronics, Hospitality, Retail, Technology Hardware
Victim Countries: Austria, Brunei, Cambodia, Croatia, Czech Republic, Germany, Hungary, Indonesia, Laos, Liechtenstein, Malaysia, Myanmar, Philippines, Poland, Russia, Singapore, Slovakia, Slovenia, Switzerland, Taiwan, Thailand, Timor-Leste, United States, Vietnam

Mitigation Advice
Identify all ASUS routers on the network and update their firmware to the latest version to patch CVE-2025-59366 and other listed vulnerabilities.
For any ASUS routers that cannot be immediately patched or do not require the AiCloud feature, disable AiCloud to remove the primary attack vector for CVE-2025-59366.
On unpatchable or end-of-life ASUS routers, disable all remote administration access from the WAN.
On unpatchable or end-of-life ASUS routers, disable the built-in VPN server functionality to reduce the external attack surface.
Review and disable all non-essential port forwarding, DMZ, and port triggering rules on ASUS routers that cannot be updated.
On unpatchable or end-of-life ASUS routers, disable the built-in FTP server to prevent potential exploitation.

Compliance Best Practices
Establish and enforce a hardware lifecycle management policy to ensure network devices like routers are replaced before they reach end-of-life and no longer receive security patches.
Implement a network security policy that requires all non-essential services on internet-facing devices to be disabled by default.
Enforce a strong password policy for all network device administrative accounts, requiring unique, complex passwords and periodic audits for compliance.
Develop a formal vulnerability management program that includes regular, automated scanning of all network perimeter devices to identify outdated firmware, open ports, and insecure configurations.

Stay updated on emerging threats: sign up for the F5 Threat Report to receive the Weekly Threat Report in your inbox.

F5 Threat Report - November 26th, 2025
Shai-Hulud 2.0 npm Supply Chain Attack Steals Credentials

A new npm supply-chain campaign, dubbed Shai-Hulud 2.0, has compromised numerous popular packages, including those from Zapier, ENS Domains, PostHog, and Postman, by leveraging compromised maintainer accounts to publish trojanized versions. This variant executes malicious code during the `preinstall` phase, leading to credential theft and exfiltration of developer and CI/CD secrets to GitHub repositories named "Shai-Hulud." The attack, observed between November 21-23, 2025, creates files like `cloud.json`, `contents.json`, `environment.json`, `truffleSecrets.json`, and attempts to create `discussion.yaml`. Key indicators of compromise include specific package versions (e.g., `@zapier/zapier-sdk` 0.15.5-0.15.7, `@ensdomains/ens-validation` 0.1.1, `@posthog/agent` 1.24.1), the presence of `preinstall` scripts, a GitHub Actions workflow named `shai-hulud-workflow.yml`, access to cloud metadata endpoints, outbound connections to `webhook[.]site`, and `data.json` files containing encoded secrets. Immediate actions recommended include removing and replacing compromised packages, clearing npm cache, pinning dependencies to known clean versions or rolling back to pre-November 21, 2025 builds, revoking and regenerating npm tokens, GitHub PATs, SSH keys, and cloud provider credentials, enforcing phishing-resistant MFA, searching for "Shai-Hulud" repositories, reviewing for unauthorized workflows, monitoring new npm publishes, restricting or disabling lifecycle scripts in CI/CD, limiting outbound network access, and using short-lived, scoped automation tokens.
Severity: Critical

Sources
https://cyberinsider.com/second-wave-of-shai-hulud-npm-malware-hits-zapier-ens-domains/
https://financefeeds.com/shai-hulud-malware-hits-400-javascript-packages-in-major-npm-supply-chain-attack/
https://gbhackers.com/zapiers-npm-account-hacked-multiple-packages-infected/
https://hackread.com/shai-hulud-npm-worm-supply-chain-attack/
https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/
https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
https://www.bitcoininsider.org/article/293565/shai-hulud-malware-hits-npm-crypto-libraries-face-growing-security-crisis
https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
https://www.hendryadrian.com/shai-hulud-npm-attack-what-you-need-to-know/
https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Threat Details and IOCs
Malware: Anivia Stealer, Sha1-Hulud, SHA1-HULUD, Shai Hulud, Shai-Hulud, ZeroTrace Stealer
CVEs: CVE-2025-10894, CVE-2025-59037, CVE-2025-59140, CVE-2025-59141, CVE-2025-59142, CVE-2025-59143, CVE-2025-59144, CVE-2025-59162, CVE-2025-59330, CVE-2025-59331
Technologies: Amazon Web Services, Amazon Web Services (AWS), Apple macOS, AsyncAPI, Bun, Ethereum, Ethereum Name Service, GitHub, GitHub Actions, Google Cloud Platform, Google Cloud Platform (GCP), Kubernetes, Linux, Microsoft Azure, Microsoft Windows, Node.js, npm, PostHog, Postman, SSH, Vercel Next.js, Zapier
Attacker Domains: bun.sh, shai-hulud-2.github.io, webhook.site
Attacker URLs: bun.sh/install.ps1, https://bun.sh/install, https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js, https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming.&ref=opensearch&type=repositories, hxxps://shai-hulud-2.github.io/data.json, hxxps://webhook.site/a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6,
hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
Attacker Hashes: 2efa4dff59bc3d3cecdf897ccf178f99b115d63d
Victim Industries: Critical Manufacturing, Cryptocurrency, Financial Services, Healthcare, Information Technology, Manufacturing, Software, Technology Hardware
Victim Countries: Belgium, Cayman Islands, United States

Mitigation Advice
Scan all development and CI/CD environments for the specific compromised npm packages and versions listed in the article.
If any compromised npm packages are found, remove them, clear the npm cache, and delete the `node_modules` directory from the affected project.
Block all outbound network connections from build servers and developer workstations to `webhook[.]site` at the network firewall.
Search all company-managed GitHub organizations for newly created repositories containing "Shai-Hulud" in the title or description.
Scan all GitHub repositories for the presence of a workflow file named `shai-hulud-workflow.yml`.
Immediately revoke and regenerate all npm tokens, GitHub Personal Access Tokens (PATs), and SSH keys used in development and CI/CD environments.
Immediately revoke and regenerate all cloud provider credentials, such as AWS IAM roles or GCP service account keys, accessible from CI/CD environments.

Compliance Best Practices
Implement and enforce a strict policy for all development projects to pin npm package dependencies to specific, audited versions using a lock file.
Update CI/CD pipeline configurations to disable or restrict the execution of npm lifecycle scripts, such as `preinstall` and `postinstall`, by default.
Enforce the use of phishing-resistant Multi-Factor Authentication (MFA) for all developer and administrator accounts on code repositories like GitHub and package registries like npm.
Implement network egress filtering on all CI/CD build runners to only allow outbound connections to a pre-approved list of essential domains.
Re-architect CI/CD pipelines to use dynamically generated, short-lived, and narrowly scoped access tokens for authentication instead of static, long-lived credentials.
Implement automated monitoring to generate security alerts for any new packages published to public registries under your organization's name or scopes.

APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

A China-nexus threat actor, APT24 (also known as Pitty Tiger), has been observed deploying a previously undocumented malware named BADAUDIO in a nearly three-year espionage campaign primarily targeting Taiwan, alongside government, healthcare, construction, mining, non-profit, and telecommunications sectors in the U.S. BADAUDIO, a highly obfuscated C++ first-stage downloader, utilizes control flow flattening to resist reverse engineering and leverages DLL Search Order Hijacking for execution. It gathers system information, exfiltrates it, and downloads AES-encrypted payloads, such as Cobalt Strike Beacon. Initial access vectors include watering holes, where over 20 legitimate websites were compromised from November 2022 to September 2025 to inject JavaScript that targeted Windows users with fake Google Chrome update pop-ups using FingerprintJS. A significant supply chain compromise occurred in July 2024 when APT24 breached a Taiwanese digital marketing firm, injecting malicious JavaScript into a widely used library, affecting over 1,000 domains. Targeted phishing campaigns, active since August 2024, use animal rescue lures and tracking pixels to deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. Separately, another China-nexus threat actor, codenamed Autumn Dragon, has conducted a sustained espionage campaign against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia.
This campaign exploits a WinRAR vulnerability (CVE-2025-8088, CVSS 8.8) via spear-phishing with malicious RAR archives, leading to DLL sideloading using legitimate executables like `obs-browser-page.exe` and `Creative Cloud Helper.exe` to establish persistence, communicate via Telegram for reconnaissance, and deploy a C++ implant capable of executing various commands.

Severity: Critical

Sources
https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/
https://securityonline.info/chinas-apt24-launches-stealth-badaudio-malware-hitting-1000-domains-via-taiwanese-supply-chain-hack/
https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html
https://www.hendryadrian.com/apt24s-pivot-to-multi-vector-attacks-google-cloud-blog/
https://www.hendryadrian.com/beyond-the-watering-hole-apt24s-pivot-to-multi-vector-attacks/
https://www.securitylab.ru/news/566430.php
https://www.securityweek.com/chinese-cyberspies-deploy-badaudio-malware-via-supply-chain-attacks/

Threat Details and IOCs
Malware: Agentemis, BadAudio, BADAUDIO, Beacon, BEACON, Cobalt Strike, CobaltStrike, Cobalt Strike Beacon, cobeacon, Enfal, Gh0st, Gh0st RAT, Lurid Downloader, Roudan, Specas, Taidoor
CVEs: CVE-2012-0158, CVE-2014-1761, CVE-2025-8088
Technologies: Adobe Creative Cloud, Google Chrome, Google Drive, Microsoft OneDrive, Microsoft Windows, RARLAB WinRAR
Threat Actors: APT24, AutumnDragon, EarthAughisky, G0011, PITTY PANDA, PittyTiger, Taidoor, Temp.Pittytiger, TempPittytiger
Attacker Countries: China
Attacker Domains: clients.brendns.workers.dev, jarzoda.net, jsdelivrs.com, public.megadatacloud.com, roller.johallow.workers.dev, taiwantradoshows.com, tradostw.com, trcloudflare.com, wispy.geneva.workers.dev, www.availableextens.com, www.brighyt.com, www.cundis.com, www.decathlonm.com, www.gerikinage.com, www.growhth.com, www.p9-car.com, www.twisinbeth.com
Attacker URLs:
https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js, https://wispy.geneva.workers.dev/pub/static/img/merged?version=65feddea0367, https://www.twisinbeth.com/query.php, https://www.twisinbeth.com/query.php?id=
Victim Industries: Advertising Services, Arts, Entertainment, and Recreation, Construction, Engineering, Government, Healthcare, Industrials, Marketing & Advertising, Mining, Multimedia, Non-Governmental Organizations (NGOs), Retail, Telecommunications
Victim Countries: Cambodia, Indonesia, Laos, Philippines, Singapore, Taiwan, United States

Mitigation Advice
Immediately patch all instances of WinRAR to version 7.13 or later to mitigate the actively exploited vulnerability CVE-2025-8088.
Block the domain 'public.megadatacloud[.]com' at the network perimeter using your firewall, web proxy, or DNS filtering solution. Use your endpoint detection and response (EDR) tool to hunt for the legitimate executables 'obs-browser-page.exe' or 'Creative Cloud Helper.exe' loading malicious DLLs named 'libcef.dll' or 'CRClient.dll'. Configure endpoint detection rules to alert on legitimate applications loading DLLs from non-standard paths or user-writable directories to detect potential DLL Search Order Hijacking. Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Google Drive. Configure security controls to block or perform enhanced content inspection on encrypted archives downloaded from Microsoft OneDrive. Compliance Best Practices Develop and implement a continuous security awareness training program that educates users on identifying and reporting phishing attempts, especially those with suspicious attachments or links to cloud services. Establish a vendor risk management program to vet and continuously monitor the security posture of third-party suppliers, particularly those who provide code or services integrated into your company's websites. Deploy an application control solution, such as AppLocker or a third-party tool, to restrict software execution to only authorized applications, scripts, and DLLs. Implement a network egress filtering policy that denies all outbound traffic by default and only allows connections to known-good domains and ports required for business operations. Harden PowerShell across the environment by enabling Constrained Language Mode and forwarding all PowerShell script block and module logs to a centralized SIEM for analysis. Implement Subresource Integrity (SRI) on all corporate websites to ensure that third-party JavaScript libraries and other resources are not modified without authorization. 
Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware
Chinese hackers are actively exploiting CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), to deploy the ShadowPad backdoor malware. Microsoft issued a security advisory for this vulnerability on October 14, 2025, with public proof-of-concept exploits emerging on October 22, 2025. The attack begins by exploiting the WSUS vulnerability to execute PowerCat, establishing a reverse shell to 154.17.26.41 on port 8080. Subsequently, on November 6, 2025, attackers utilized legitimate Windows utilities such as curl.exe and certutil.exe to install ShadowPad. This modular backdoor, associated with Chinese state-sponsored APT groups, employs DLL side-loading techniques involving components like ETDCtrlHelper.exe, ETDApix.dll, and 0C137A80.tmp, and establishes persistence through Windows Registry modifications, scheduled tasks, and service creation under the identifier "Q-X64." It communicates with command-and-control servers at 163.61.102.245 via HTTP/HTTPS on port 443, using Firefox user-agent strings and injecting into processes such as Windows Mail, Windows Media Player, and svchost.exe. Organizations must immediately apply the security update for CVE-2025-59287, audit WSUS server exposure to block inbound traffic on TCP ports 8530 and 8531 from non-Microsoft Update sources, and conduct threat hunting for suspicious PowerShell execution (specifically involving certutil.exe and curl.exe) and network connections to the identified C2 infrastructure.

Severity: Critical

Sources
https://bluefire-redteam.com/cve-2025-59287-deep-dive-response-playbook-and-siem-edr-detection-recipes/
https://buaq.net/go-371618.html
https://buaq.net/go-373861.html
https://buaq.net/go-375698.html
https://cyberpress.org/cisa-alerts-on-active-exploitation-of-windows-server-update-services-rce-flaw/
https://cyberpress.org/cisa-warns-wsus-vulnerability/
https://cyberpress.org/hackers-exploit-wsus-vulnerability-to-steal-sensitive-organizational-data/
https://cyberpress.org/microsofts-wsus-patch/
https://cyberpress.org/shadowpad-malware/
https://cyberpress.org/tcp-ports-8530-8531-wsus/
https://cyberscoop.com/microsoft-windows-server-update-services-vulnerability-exploited-attacks/
https://gbhackers.com/attackers-exploit-windows-server-update-services-flaw/
https://gbhackers.com/cisa-alerts-on-of-wsus-vulnerability/
https://gbhackers.com/hackers-actively-scanning-tcp-ports-8530-8531/
https://gbhackers.com/microsofts-wsus-patch-causes-hotpatching-failures/
https://gbhackers.com/wsus-vulnerability/
https://hackread.com/hackers-exploit-wsus-skuld-stealer-microsoft-patch/
https://horizon3.ai/attack-research/vulnerabilities/cve-2025-59287/
https://hothardware.com/news/windows-server-update-service-is-under-attack
https://isc.sans.edu/diary/rss/32440
https://latesthackingnews.com/2025/10/28/microsoft-october-patch-tuesday-is-huge-with-170-fixes/
https://meterpreter.org/windows-server-wsus-flaw-under-active-attack-cve-2025-59287-cvss-9-8-with-public-poc/
https://orca.security/resources/blog/cve-2025-59287-critical-wsus-rce/
https://securityboulevard.com/2025/10/critical-microsoft-wsus-security-flaw-is-being-actively-exploited/
https://securityboulevard.com/2025/10/windows-server-update-service-wsus-remote-code-execution-vulnerability-cve-2025-59287/
https://securityonline.info/critical-wsus-rce-cve-2025-59287-actively-exploited-to-deploy-shadowpad-backdoor/
https://socprime.com/blog/cve-2025-59287-detection/
https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/
https://www.esecurityplanet.com/news/wsus-vulnerability/
https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/
https://www.hendryadrian.com/analysis-of-shadowpad-attack-exploiting-wsus-remote-code-execution-vulnerability-cve-2025-59287/
https://www.hendryadrian.com/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability-cve-2025-59287/
https://www.hendryadrian.com/microsoft-wsus-remote-code-execution-cve-2025-59287-actively-exploited-in-the-wild/
https://www.infosecurity-magazine.com/news/actively-exploited-wsus-bug-cisa/
https://www.scworld.com/brief/attacks-involving-critical-wsus-vulnerability-under-investigation
https://www.scworld.com/brief/dozens-impacted-by-active-wsus-vulnerability-abuse
https://www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/

Threat Details and IOCs
Malware: Alureon, BadCandy, BADCANDY, CryptoDefense, CryptoLocker, GlassWorm, Gokcpdoor, Locky, Lukitus, Msevents, MS Juan, PoisonPlug, POISONPLUG.SHADOW, SesameOp, ShadowPad, Skuld, Skuld Stealer, Stealit, TDL3, TDL-4, TDSS, Tidserv, TMPN Stealer, Virtumonde, Vundo, WinFixer
CVEs: CVE-2024-11972, CVE-2024-9234, CVE-2024-9707, CVE-2025-0033, CVE-2025-24052, CVE-2025-24990, CVE-2025-2884, CVE-2025-47827, CVE-2025-49708, CVE-2025-55315, CVE-2025-59218, CVE-2025-59230, CVE-2025-59246, CVE-2025-59287
Technologies: Microsoft Entra ID, Microsoft Exchange Server, Microsoft Internet Information Services, Microsoft .NET Framework, Microsoft Windows, Microsoft Windows Server, Microsoft Windows Server Update Services, QNAP NetBak PC Agent, WordPress
Threat Actors: APT17, APT23, APT41, AquaticPanda, DaggerPanda, EarthLusca, Skuld, TontoTeam, UNC6512, WetPanda, WickedPanda
Attacker Countries: China
Attacker IPs: 129.153.98.207, 134.122.38.84, 149.28.78.189, 154.17.26.41, 158.247.199.185, 163.61.102.245, 207.180.254.242, 45.158.12.7
Attacker Domains: api.braintreegateway.com, api.stripe.com, asec.ahnlab.com, avatars.githubusercontent.com, billing.epac.to, cybaq.chtq.net, dscriy.chtq.net, i.ibb.co, loglog.ac.d189493a.digimg.store, raw.githubusercontent.com, remote-auth-gateway.discord.gg, royal-boat-bf05.qgtxtebl.workers.dev, webhook.site, workersdev, wsus.ac.d189493a.digimg.store, yogswgeacbepthpjozvsf8frv90962ejy.oast.fun, ysoserial.net
Attacker URLs: HTTP://163.61.102.245:443, HTTPS://163.61.102.245:443, https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts, https://api.stripe.com/v*/tokens, https://asec.ahnlab.com/wp-admin/admin-ajax.php, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.16.1, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?m=1709594534, https://asec.ahnlab.com/wp-content/plugins/elementor-pro/modules/lottie/assets/animations/default.json, https://asec.ahnlab.com/wp-json/, https://avatars.githubusercontent.com/u/145487845?v=4, https://discordapp.com/api/v*/auth/sessions, https://*.discord.com/api/v*/auth/sessions, https://discord.com/api/v*/auth/sessions, https://i.ibb.co/GJGXzGX/discord-avatar-512-FCWUJ.png, https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1, https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js, http://webhook.site/REDACTED, hxxp://134.122.38.84/dl, hxxp://134.122.38.84/ex, hxxp://149.28.78.189:42306, hxxp://149.28.78.189:42306/dll.txt, hxxp://149.28.78.189:42306/exe.txt, hxxp://149.28.78.189:42306/tmp.txt, hxxps://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi, hxxps://webhook.site/0f20cd3b-e570-4205-8049-c37627af0f5c, hxxps://webhook.site/7b483bdd-5134-4671-b9cd-310800303f32, hxxp://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a, hxxp://webhook.site/5771a289-0b13-4ee7-902a-21147cac31ef, hxxp://webhook.site/94f6da9d-b785-461b-bc5e-bbce7acaa35c, hxxp://yogswgeacbepthpjozvsf8frv90962ejy.oast.fun/check, wss://remote-auth-gateway.discord.gg/*
Attacker Hashes: 27e00b5594530e8c5e004098eef2ec50, 3ebeb4e08c82b220365b1e7dd0cc199b765eed91, 564e7d39a9b6da3cf0da3373351ac717, 85b935e80e84dd47e0fa5e1dfb2c16f4, 9d686ceed21877821ab6170a348cc073, a0f65fcd3b22eb8b49b2a60e1a7dd31c, f7d8c52bec79e42795cf15888b85cbad
Victim Industries: Aerospace, Construction, Critical Manufacturing, Education, Energy, Financial Services, Government, Healthcare, Health Care Technology, Information, Information and Communication, Information Technology, Logistics, Manufacturing, Multimedia, Public Health, Public Safety, Retail, Software, Technology Hardware, Telecommunications, Transportation, Utilities
Victim Countries: Afghanistan, Germany, Malaysia, Netherlands, Pakistan, Taiwan, United States

Mitigation Advice
Immediately apply the security update for CVE-2025-59287 to all Windows Servers running the WSUS service.
Create rules on the perimeter firewall to block all inbound and outbound traffic to IP addresses 154.17.26.41 and 163.61.102.245.
Configure host-based and network firewalls to restrict inbound access to WSUS servers on TCP ports 8530 and 8531, allowing connections only from required Microsoft Update IP ranges.
Use your EDR solution or other endpoint scanning tools to conduct a targeted search across all servers for the files `ETDApix.dll` and `0C137A80.tmp`.
In your SIEM or EDR, search for executions of `curl.exe` or `certutil.exe` on WSUS servers that are followed by the creation of new executable files or services.
Scan for any newly created scheduled tasks or system services on WSUS servers, paying special attention to any containing the identifier "Q-X64".

Compliance Best Practices
Review and re-architect network segmentation to ensure critical internal infrastructure like WSUS servers is not directly accessible from the internet and is isolated from general user subnets.
Develop and deploy advanced EDR and SIEM detection rules to alert on anomalous use of built-in Windows utilities (e.g., `powershell.exe`, `certutil.exe`, `curl.exe`), especially when initiated by web server processes like w3wp.exe.
Plan and implement an application control solution, such as Windows Defender Application Control (WDAC), on critical servers to restrict executable and script execution to only known, authorized software.
Formalize and resource a vulnerability management program that prioritizes patching based on threat intelligence and mandates strict SLAs for critical vulnerabilities on high-value assets.
Implement TLS/SSL inspection on network egress points to enable detection of malicious C2 communications hiding within encrypted web traffic.

GlobalProtect VPN Portals Probed with 2.3 Million Scan Sessions
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals increased 40-fold within 24 hours, starting November 14, 2025, signaling a coordinated campaign. Real-time intelligence company GreyNoise observed 2.3 million scan sessions between November 14 and 19, specifically probing the `*/global-protect/login.esp` URI, which is the web endpoint for VPN user authentication. This surge follows previous spikes reported by GreyNoise in April and October 2025, with the current activity linked to earlier campaigns through recurring TCP/JA4t fingerprints and shared Autonomous System Numbers (ASNs), primarily AS200373 (3xK Tech GmbH) with IPs largely from Germany and Canada, and AS208885 (Noyobzoda Faridduni Saidilhom).
Login attempts are predominantly directed at the United States, Mexico, and Pakistan. GreyNoise highlights that these scanning spikes often precede the disclosure of new security flaws, a correlation particularly strong for Palo Alto Networks products, noting past incidents like the active exploitation of CVE-2025-0108 (chained with CVE-2025-0111 and CVE-2024-9474) in February and a data breach in September.

Severity: Critical

Sources
https://cyberpress.org/2-3-million-attacks-hit-palo-alto-networks-globalprotect-vpn-portals/
https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/
https://www.securitylab.ru/news/566393.php

Threat Details and IOCs
Malware: Alureon, CryptoDefense, CryptoLocker, CryptorBit, HowDecrypt, Locky, Lukitus, MS Juan, Odin, TDL-4, TDSS, Thor, Tidserv, Virtumonde, Vundo, Zepto
CVEs: CVE-2024-9474, CVE-2025-0108, CVE-2025-0111, CVE-2025-0140, CVE-2025-0141, CVE-2025-2183
Technologies: Apple macOS, Linux, Microsoft Windows, Palo Alto Networks
Threat Actors: ShinyHunters
Attacker Countries: Canada, Germany
Attacker URLs: /global-protect/login.esp
Victim Industries: Automotive, Business Services, Education, Financial Services, Government, Healthcare, Industrial Control Systems, Information Technology, Manufacturing, Oil & Gas, Public Sector, Retail, Transportation, Utilities
Victim Countries: Mexico, Pakistan, United States

Mitigation Advice
Verify that all Palo Alto Networks PAN-OS devices are patched against vulnerabilities CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474.
Query firewall, VPN, and web proxy logs for inbound connection attempts to the URI path containing '/global-protect/login.esp' to identify potential targeting.
Implement firewall rules to block all inbound traffic from Autonomous System Numbers AS200373 and AS208885.

Compliance Best Practices
Reconfigure network architecture to ensure the Palo Alto Networks GlobalProtect management interface is not exposed to the public internet and is only accessible from a trusted internal network segment.
Configure SIEM or other log monitoring tools to establish a baseline for normal traffic to the GlobalProtect VPN portal and create alerts for significant deviations or anomalous increases in login attempts.
Establish a comprehensive vulnerability management program that includes regular, authenticated scanning of all internet-facing infrastructure and defines service-level agreements (SLAs) for patching critical vulnerabilities.

Active Exploitation of Oracle Identity Manager CVE-2025-61757 Observed in September
Active exploitation attempts for CVE-2025-61757, an Oracle Identity Manager vulnerability, were observed between August 30th and September 9th, preceding Oracle's patch release on October 21st as part of its Critical Patch Update. This vulnerability, initially reported by Searchlight Cyber, enables authentication bypass and potential remote code execution by appending `;.wadl` to URLs, exemplified by `/iam/governance/applicationmanagement/templates;.wadl`. Logs indicate scans targeting `/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl` via POST requests containing a 556-byte payload. Multiple IP addresses (89.238.132.76, 185.245.82.81, 138.199.29.153) were involved, all using the same User-Agent: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36`. These same IP addresses were also noted scanning for CVE-2025-4581 (Liferay Portal), bug bounty targets, and Log4j exploits.

Severity: Critical

Sources
https://buaq.net/go-377039.html
https://isc.sans.edu/diary/rss/32506
https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/

Threat Details and IOCs
Malware: Aisuru, BadAudio, Sturnus, TurboMirai
CVEs: CVE-2025-4581, CVE-2025-61757
Technologies: Oracle Fusion Middleware, Oracle Identity Manager
Attacker IPs: 138.199.29.153, 185.245.82.81, 89.238.132.76
Attacker URLs: /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, /iam/governance/applicationmanagement/templates;.wadl, /o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp
Victim Industries: Construction & Real Estate, Defense, Financial Services, Government, Hospitality, Information Security, Information Technology, Insurance, Internet & Cloud Services, Life Sciences, Managed Service Providers, Professional Services, Technology Hardware
Victim Countries: United Kingdom, United States

Mitigation Advice
Immediately apply the October Critical Patch Update to all Oracle Identity Manager instances to patch CVE-2025-61757.
Add the IP addresses 89.238.132.76, 185.245.82.81, and 138.199.29.153 to your firewall's blocklist.
Create a rule in your WAF or IDS/IPS to detect and block any HTTP requests containing the string ';.wadl' in the URL path.
Query web server logs and SIEM data for requests containing ';.wadl' in the URL or matching the User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' to identify potential past or current malicious activity.

Compliance Best Practices
Establish or enhance a formal vulnerability management program that includes regular scanning, risk assessment, and a defined service-level agreement (SLA) for applying critical security patches.
Review and harden Web Application Firewall (WAF) policies to block anomalous URL patterns, such as the use of semicolons for path parameter manipulation, to provide a generic defense against similar authentication bypass techniques.
Enhance logging capabilities for critical web applications to capture and retain full HTTP request bodies, especially for POST requests, to improve future incident response and forensic analysis.
Implement network segmentation to isolate internet-facing application servers, like Oracle Identity Manager, from internal corporate and database networks to limit the blast radius of a potential compromise.
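The log-hunting steps in the Oracle Identity Manager and GlobalProtect mitigation advice above (requests carrying `;.wadl`, the generic semicolon path-parameter pattern the WAF guidance covers, probes of `/global-protect/login.esp`, and the reported User-Agent string) can be scripted against exported access logs. The Python below is an added example written for this page, not tooling from F5, Oracle, Palo Alto Networks or the report's sources. It assumes Apache/nginx combined-format log lines; the sample lines are constructed for this example and use documentation IP ranges rather than the report's IOCs, and the `ALLOWED_PATH_PARAMS` allowlist (with `jsessionid` as the usual legitimate Java path parameter) is an assumption you should tune to your estate.

```python
import re
from dataclasses import dataclass

# Assumption: logs are in the Apache/nginx "combined" format. Adjust LOG_RE for
# other layouts (e.g. WebLogic access logs or a reverse proxy in front of OIM).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators quoted in the report text above.
WADL_MARKER = ";.wadl"
GP_LOGIN_URI = "/global-protect/login.esp"
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")

# Assumption: path parameters your applications legitimately use. Java servlet
# containers append ";jsessionid=..." for cookieless sessions, which would
# otherwise trip the generic semicolon rule on every such request.
ALLOWED_PATH_PARAMS = frozenset({"jsessionid"})


@dataclass(frozen=True)
class Hit:
    line_no: int
    ip: str
    target: str
    reasons: tuple


def has_unexpected_path_param(path: str) -> bool:
    """True if any path segment carries a ';name[=value]' parameter not on the allowlist."""
    for segment in path.split("/"):
        if ";" not in segment:
            continue
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name not in ALLOWED_PATH_PARAMS:
                return True
    return False


def classify(target: str, ua: str) -> list:
    """Return the names of the rules one request matches (empty list = nothing of note)."""
    path = target.split("?", 1)[0]  # path parameters sit before the query string
    reasons = []
    if WADL_MARKER in path:
        reasons.append("oim-wadl-suffix")            # CVE-2025-61757 probe pattern
    elif has_unexpected_path_param(path):
        reasons.append("semicolon-path-parameter")   # generic variant the WAF advice covers
    if GP_LOGIN_URI in path:
        reasons.append("globalprotect-login-scan")
    if ua == SUSPECT_UA:
        reasons.append("reported-user-agent")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format log text and return one Hit per suspicious request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than abort the whole hunt
        reasons = classify(m["target"], m["ua"])
        if reasons:
            hits.append(Hit(line_no, m["ip"], m["target"], tuple(reasons)))
    return hits


# Constructed sample log for this example (documentation IP ranges, not real IOCs).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2025:10:14:03 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 556 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.9 - - [15/Nov/2025:01:22:41 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 1411 "-" "python-requests/2.31"
198.51.100.7 - - [15/Nov/2025:01:23:00 +0000] "GET /iam/governance/applicationmanagement/templates;jsessionid=AB12CD HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Nov/2025:01:25:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.ip} {hit.target} -> {', '.join(hit.reasons)}")
```

Run it on a real export with `scan_log(open(path).read())`. The `;.wadl` and `/global-protect/login.esp` rules are exact enough to act on directly; the generic semicolon rule is deliberately broader, so expect it to surface legitimate path parameters beyond `jsessionid` and extend the allowlist rather than dropping the rule, since that pattern is what the WAF hardening advice above is meant to catch.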
F5 Threat Report - November 12th, 2025
New LandFall Spyware Exploited Samsung Zero-Day via WhatsApp Messages
A previously unknown spyware, "LandFall," exploited a critical zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library (`libimagecodec.quram.so`) to target select Samsung Galaxy users in the Middle East. Active since at least July 2024, the spyware was delivered via malicious .DNG raw images with appended .ZIP archives sent over WhatsApp, leveraging an out-of-bounds write flaw that allowed remote arbitrary code execution. The LandFall spyware, likely a commercial surveillance framework, targets Galaxy S22, S23, S24 series, Z Fold 4, and Z Flip 4 devices, enabling extensive data exfiltration including microphone and call recordings, location tracking, and access to photos, contacts, SMS, call logs, files, and browsing history. Its components include a loader (`b.so`) and a SELinux policy manipulator (`l.so`) for persistence and privilege escalation, and it can fingerprint devices using hardware and SIM IDs. While C2 infrastructure shows similarities to Stealth Falcon operations and component naming conventions resemble those of NSO Group and other vendors, a definitive attribution remains unconfirmed. Samsung patched the vulnerability in April 2025, and users are advised to apply security updates, disable automatic media downloading in messaging apps, and consider advanced protection features.

Severity: Critical

Sources
https://buaq.net/go-374181.html
https://cyberpress.org/landfall-android-malware/
https://meterpreter.org/landfall-spyware-zero-click-image-exploit-spied-on-samsung-phones-for-a-year/
https://www.bleepingcomputer.com/news/security/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/
https://www.hendryadrian.com/new-landfall-spyware-exploited-samsung-zero-day-via-whatsapp-messages/
https://www.newsbytesapp.com/news/science/landfall-android-spyware-targeted-samsung-galaxy-phones-for-a-year/story
https://www.securityweek.com/landfall-android-spyware-targeted-samsung-phones-via-zero-day/

Threat Details and IOCs
Malware: Deadglyph, Landfall, LandFall, LANDFALL
CVEs: CVE-2025-21042, CVE-2025-21043, CVE-2025-43300, CVE-2025-55177
Technologies: Apple iOS, Google Android, Samsung Galaxy, Samsung One UI, WhatsApp
Threat Actors: Cytrox, FruityArmor, Intellexa, LANDFALL, NSO, NSOGroup, StealthFalcon
Attacker Countries: Israel, Spain, United Arab Emirates
Attacker IPs: 192.36.57.56, 194.76.224.127, 45.155.250.158, 46.246.28.75, 91.132.92.35, 92.243.65.240
Attacker Domains: brightvideodesigns.com, healthyeatingontherun.com, hotelsitereview.com, projectmanagerskills.com
Attacker URLs: https://brightvideodesigns.com/is/, https://healthyeatingontherun.com/is/, https://hotelsitereview.com/is/, https://projectmanagerskills.com/is/
Attacker Hashes: 211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261, 2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a, 29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483, 384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd, 69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee, 9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93, a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495, b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756, b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18, b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d, c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e, d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0, ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2
Victim Industries: Digital Media, Government, Information Technology, Technology Hardware, Telecommunications
Victim Countries: Iran, Iraq, Morocco, Saudi Arabia, South Korea, Turkey, United Arab Emirates

Mitigation Advice
Update all corporate-managed Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices to the April 2025 security patch level or a later version to remediate CVE-2025-21042.
Issue a directive for all employees to disable automatic media downloading within their WhatsApp application settings on both corporate and personal devices used for work.
Instruct users of corporate Android devices to enable the 'Advanced Protection' feature in their device's security settings for enhanced protection against novel spyware.
Obtain the indicators of compromise (IOCs) for the six LandFall C2 servers from the Unit 42 report and add them to the network firewall and DNS blocklists.

Compliance Best Practices
Implement and enforce a Mobile Device Management (MDM) policy to mandate and automate the installation of critical OS security updates on all managed mobile devices within a 72-hour window of their release.
Develop and deploy a mandatory, recurring security awareness training program that specifically addresses mobile-based social engineering, the risks of unsolicited attachments from unknown contacts, and safe practices for messaging apps like WhatsApp.
Evaluate and deploy a Mobile Threat Defense (MTD) solution on corporate devices to actively monitor for and alert on suspicious activities indicative of spyware, such as permission escalation, use of recording hardware, and anomalous network connections.
Establish and enforce a hardened security configuration baseline for all corporate mobile devices that enables high-security features, such as Android's 'Advanced Protection' or iOS's 'Lockdown Mode', by default.

Whisper Leak: A Novel Side-Channel Attack on Remote Language Models
A novel side-channel attack, termed "Whisper Leak," has been identified, enabling adversaries to infer language model conversation topics from encrypted network traffic by analyzing packet sizes and timings, despite Transport Layer Security (TLS) encryption. This attack exploits the token-by-token, streaming nature of large language model (LLM) responses, allowing network observers (e.g., internet service providers, local network attackers) to compromise user privacy, particularly for sensitive subjects like political dissent. Researchers demonstrated this by training a binary classifier on network traffic patterns for a specific topic ("legality of money laundering"), achieving over 98% accuracy (AUPRC). A simulated real-world scenario involving 10,000 conversations showed the attack could achieve 100% precision in identifying sensitive topics, even with low recall (5-50%), with effectiveness improving as more training data is collected. To mitigate this vulnerability, LLM providers like OpenAI and Azure have implemented "obfuscation" by adding random variable-length text to responses, while Mistral introduced a similar "p" parameter, significantly reducing attack effectiveness. Users can further protect their privacy by avoiding sensitive discussions on untrusted networks, utilizing VPN services, selecting providers with implemented mitigations, and opting for non-streaming models. The source code and a detailed technical report are publicly available.

Severity: Critical

Sources
https://gbhackers.com/whisper-based-attack/
https://securityonline.info/whisper-leak-attack-infers-encrypted-ai-chat-topics-with-98-accuracy/
https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html
https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/

Threat Details and IOCs
Malware: LANDFALL, PrimeCache, PROMPTFLUX, SesameOp, Veaty, Whisper
Technologies: Alibaba Cloud Large Language Models, DeepSeek Large Language Model, Google Large Language Models, Meta Large Language Models, Microsoft Azure, Microsoft Azure AI Services, Mistral AI Mistral, OpenAI, xAI, xAI Large Language Models, Zhipu AI Large Language Models
Attacker URLs: http://github.com/yo-yo-yo-jbo/whisper_leak
Victim Industries: Digital Media, Financial Services, Government, Healthcare, Health Care Technology, Information Technology, Legal Services, Media and Entertainment, Technology Hardware, Telecommunications
Victim Countries: China, France, United States

Mitigation Advice
Require all employees to use the corporate VPN when accessing AI services from untrusted networks, such as public Wi-Fi, to add a layer of traffic encryption and obfuscation.
Distribute a security advisory to all staff, prohibiting the use of public or corporate AI chatbots for processing sensitive, confidential, or proprietary business data.
Audit all currently used third-party AI services to confirm they have implemented mitigations against traffic analysis attacks. Prioritize and approve the use of services that have deployed such protections.
Instruct all teams using LLM APIs to disable 'streaming' mode in their applications and configurations where the feature is not essential for the user experience.

Compliance Best Practices
Develop and implement a formal Acceptable Use Policy (AUP) for AI tools, defining approved platforms, data sensitivity classifications, and prohibited use cases to govern their safe adoption.
Update the third-party risk management program to include specific security requirements for AI vendors, mandating they provide evidence of mitigations against side-channel attacks like traffic analysis.
Initiate a research project to evaluate the cost, security benefits, and feasibility of deploying a private LLM for internal use cases involving sensitive company data.

Malicious NuGet Packages Plant Time Bomb Malware in Industrial Systems, Siemens S7 PLCs
Malicious NuGet packages, published by the user shanhai666 between 2023 and 2024, were discovered by Socket's researchers, containing destructive code designed to activate years in the future. Nine of the twelve packages, downloaded nearly 10,000 times, included payloads that were 99% benign to evade detection and build trust. Several packages targeted major database providers like SQL Server, PostgreSQL, and SQLite, with their malicious logic set to trigger on specific dates in 2027 and 2028. Upon activation, these packages introduce a 20 percent probability of terminating the host application process during database queries. The most critical package, Sharp7Extend, used typosquatting to mimic the legitimate Sharp7 library and targeted Siemens S7 Programmable Logic Controllers (PLCs) widely used in manufacturing. Unlike the database-targeting malware, Sharp7Extend activates immediately upon installation, though its malicious functions cease after June 6, 2028. It employs two mechanisms: a 20 percent chance of terminating the application during Siemens S7 communication operations, and, after an initial 30-90 minute grace period, causing 80 percent of critical commands to fail, potentially leading to safety system failures and data corruption in industrial settings.
All identified malicious packages have since been removed from NuGet, and organizations are advised to audit their dependencies for these packages immediately.

Severity: Critical

Sources
- https://buaq.net/go-374596.html
- https://gbhackers.com/nuget-supply-chain/
- https://securityonline.info/nuget-sabotage-time-delayed-logic-in-9-packages-risks-total-app-destruction-on-hardcoded-dates/
- https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html
- https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/
- https://www.esecurityplanet.com/threats/malicious-nuget-packages-hide-time-delayed-sabotage-code/
- https://www.hendryadrian.com/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads/
- https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_time_bomb/

Threat Details and IOCs
Malware: Sharp7Extend
Technologies: Microsoft .NET Framework, Microsoft NuGet, Microsoft SQL Server, NuGet, PostgreSQL, Sharp7, Siemens S7, Siemens SIMATIC S7, SQLite
Threat Actors: Shanhai666
Attacker Countries: China
Attacker Domains: hendryadrian.com
Victim Industries: Automotive, Chemical, Energy, Financial Services, Healthcare, Health Care Technology, Industrial Control Systems, Industrials, Information Technology, Logistics, Manufacturing, Retail
Victim Countries: Germany

Mitigation Advice
- Scan all .NET project dependencies for any of the following malicious NuGet packages: Sharp7Extend, MyDbRepository, MCDbRepository, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, or SqlLiteRepository.
- If any of these packages is found on a system, immediately isolate that system from the network and begin incident response procedures.
- Configure your NuGet package manager sources to explicitly block any packages published by the user 'shanhai666'.
- Immediately investigate any systems using Siemens S7 PLCs for unexplained application crashes or communication failures, as these may be symptoms of the Sharp7Extend malware.

Compliance Best Practices
- Establish a formal policy and process for vetting and approving all third-party software dependencies, including NuGet packages, before they are permitted for use in production code.
- Implement a private, internal package repository that hosts only vetted and approved third-party dependencies, and configure developer environments to use this repository as their primary source.
- Implement tooling and processes to generate and maintain a Software Bill of Materials (SBOM) for all developed and deployed applications, so that dependencies can be audited rapidly.
- Develop and implement a recurring security training program for all developers that focuses on software supply chain risks, including how to identify typosquatting and vet open-source package publishers.
- Review and enhance network segmentation to ensure that Operational Technology (OT) networks, especially those with PLCs, are isolated from the corporate IT network to prevent cross-domain compromises.

MUT-4831 Deploys Vidar Infostealer via 17 Malicious npm Packages Targeting Windows

A sophisticated supply chain attack, attributed to the MUT-4831 threat actor cluster, targeted the npm ecosystem with 17 malicious packages across 23 releases, designed to deploy the Vidar v2 infostealer on Windows systems. Discovered by Datadog Security Research on October 21, 2025, the packages masqueraded as legitimate SDKs and libraries and remained active for approximately two weeks, accumulating over 2,240 downloads, with `react-icon-pkg` alone accounting for 503. The attack chain used postinstall scripts to download an encrypted ZIP archive from `bullethost[.]cloud`, decrypt it, and execute a Windows PE binary named `bridle.exe`.
This Go-compiled Vidar variant aggressively harvests sensitive data, including browser credentials, cookies, and cryptocurrency wallets. It discovers its command-and-control servers dynamically via hardcoded Telegram and Steam accounts, exfiltrates the data, and then deletes all traces of itself from the compromised system.

Severity: Critical

Sources
- https://buaq.net/go-374147.html
- https://cyberinsider.com/vidar-stealer-2-0-marks-major-evolution-in-infostealer-landscape/
- https://cyberpress.org/vidar-malware-analysis/
- https://cyberpress.org/weaponized-npm-packages/
- https://gbhackers.com/malicious-npm-packages/
- https://www.techradar.com/pro/point-of-use-theft-vidars-shift-to-api-level-interception
- https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html

Threat Details and IOCs
Malware: Arkei, Arkei Stealer, ArkeiStealer, Lumma, LummaC2, Lumma Stealer, Mohazo, Raccoon Stealer, Racealer, RedLine, RedLine Stealer, Spyware.Vidar, StealC, Vidar, Vidar Stealer
CVEs: CVE-2023-20118, CVE-2025-34090
Technologies: Amazon Web Services, Apple macOS, Discord, FileZilla, Google Chrome, Microsoft 365, Microsoft Azure, Microsoft Edge, Microsoft Visual Studio, Microsoft Windows, Monero, Mozilla Firefox, Node.js, npm, Opera, Pale Moon, React, Steam, Telegram, Vivaldi, Waterfox, WinSCP
Threat Actors: AngryLikho, Bitter, Loadbaks, MUT4831, Storm-2477, WaterKurita
Attacker Countries: Azerbaijan, Moldova, Russia
Attacker IPs: 65.100.80.190, 65.108.80.90
Attacker Emails: aartrabens@gmail.com, saliii229911@gmail.com
Victim Industries: Business Services, Cloud Infrastructure, Cryptocurrency, Education, Financial Services, Gaming, Government, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Social Media, Software, Sports and Entertainment, Technology Hardware, Utilities

Mitigation Advice
- Add the domain `bullethost[.]cloud` to the network firewall and DNS blocklists to prevent connections to the malware distribution server.
- Use EDR or system scanning tools to search all Windows endpoints and servers for the file `bridle.exe` to identify potential infections.
- Instruct developers to immediately audit all project `package.json` and lock files for dependencies named `custom-tg-bot-plan` or `react-icon-pkg`, and for any packages published by the npm users `aartje` and `saliii229911`.
- Review network logs for unusual outbound connections from developer workstations or build servers to Telegram or Steam APIs, since this Vidar variant uses them to discover its C2 servers.

Compliance Best Practices
- Establish a security policy that disables automatic execution of npm `postinstall` scripts by default using the `--ignore-scripts` flag, with a process to vet and explicitly allow scripts only for trusted packages.
- Deploy a private npm registry or caching proxy, such as Sonatype Nexus or JFrog Artifactory, to host only vetted and approved third-party packages for internal developer use.
- Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan npm packages for known vulnerabilities and malicious code signatures on every build.
- Enforce a policy requiring all projects to use lockfiles (e.g., `package-lock.json`), and mandate `npm ci` instead of `npm install` in all automated build environments to ensure reproducible, vetted dependency installation.
- On all Windows developer workstations and build servers, enable PowerShell Script Block Logging and Module Logging and forward the logs to your SIEM for analysis.
- Configure the PowerShell execution policy on all Windows developer workstations and build servers to `RemoteSigned` or stricter via Group Policy to prevent the execution of unsigned, untrusted scripts.
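One way to carry out the dependency audits recommended in the NuGet and npm reports above, as an added example that is not F5's code nor the cited researchers'. The project file and lockfile it scans are constructed for the demonstration; the install-script check relies on the `hasInstallScript` marker that npm writes into v7+ lockfiles for packages declaring preinstall/install/postinstall scripts.

```python
"""Audit .NET project files and npm lockfiles for the packages named in the
NuGet (shanhai666) and npm (MUT-4831) reports above.

Added example, not code from F5 or from the cited researchers. The .csproj and
package-lock.json contents below are constructed for the demonstration."""
import json
import xml.etree.ElementTree as ET

# Package names taken from the two reports. NuGet IDs are case-insensitive,
# so they are compared lowercased; npm names are case-sensitive.
MALICIOUS_NUGET = {
    "Sharp7Extend", "MyDbRepository", "MCDbRepository", "SqlDbRepository",
    "SqlRepository", "SqlUnicornCoreTest", "SqlUnicornCore", "SqlUnicorn.Core",
    "SqlLiteRepository",
}
MALICIOUS_NPM = {"custom-tg-bot-plan", "react-icon-pkg"}

# Constructed SDK-style project file: the typosquat sits next to the real Sharp7.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.84" />
    <PackageReference Include="sharp7extend" Version="1.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

# Constructed lockfile (npm v7+ format). npm marks packages that declare
# preinstall/install/postinstall scripts with "hasInstallScript": true.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "frontend", "lockfileVersion": 3, "packages": {
        "": {"dependencies": {"react": "^18.3.1", "react-icon-pkg": "^1.0.0"}},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/react-icon-pkg": {"version": "1.0.0", "hasInstallScript": True},
        "node_modules/esbuild": {"version": "0.21.5", "hasInstallScript": True},
        "node_modules/@babel/core": {"version": "7.24.0"},
    },
})


def _local_name(tag: str) -> str:
    """Strip an XML namespace; legacy csproj files use the MSBuild 2003 namespace."""
    return tag.rsplit("}", 1)[-1]


def audit_csproj(xml_text: str) -> list:
    """Return every PackageReference whose ID is on the NuGet blocklist."""
    blocklist = {name.lower(): name for name in MALICIOUS_NUGET}
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        if pkg.lower() in blocklist:
            hits.append({"package": pkg, "version": el.get("Version"),
                         "reason": f"matches malicious NuGet package {blocklist[pkg.lower()]}"})
    return hits


def audit_package_lock(lock_text: str) -> list:
    """Flag blocklisted npm packages, plus any package that runs install scripts
    (the delivery mechanism in the MUT-4831 campaign) so it can be vetted."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project itself
        # The last node_modules/ segment is the package name, scoped or nested.
        name = path.rsplit("node_modules/", 1)[-1]
        if name in MALICIOUS_NPM:
            findings.append({"package": name, "version": meta.get("version"),
                             "severity": "critical", "reason": "known malicious npm package"})
        elif meta.get("hasInstallScript"):
            findings.append({"package": name, "version": meta.get("version"),
                             "severity": "review", "reason": "declares an install lifecycle script"})
    return findings


if __name__ == "__main__":
    for finding in audit_csproj(SAMPLE_CSPROJ) + audit_package_lock(SAMPLE_PACKAGE_LOCK):
        print(finding)
```

In a real audit, point `audit_csproj` at every `*.csproj` in the repository and `audit_package_lock` at each `package-lock.json`; a "review" finding is not a detection on its own, but it is the list of packages whose install scripts should be vetted before `--ignore-scripts` is relaxed for them.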
Sandworm (GRU) Wiper Attacks Target Ukraine's Critical Infrastructure

Russian state-controlled Sandworm, identified as part of the GRU, has consistently deployed destructive wiper malware against Ukraine, with recent attacks reported in April, June, and September. These attacks hit a Ukrainian university with the Sting and Zerlot wipers, and later expanded to critical infrastructure, including government, energy, logistics, and notably the grain industry, with the aim of weakening the country's war economy. This continues a pattern of Russian cyber warfare that previously included the NotPetya worm in 2012, attacks on Ukraine's electricity grid in 2016-2017, and 2022 incidents affecting satellite modems and a Kyiv TV station, alongside other wipers like WhisperGate. Other Russian-aligned groups, such as RomCom, which exploited a WinRAR zero-day, and Gamaredon, have also conducted wiper attacks, with UAC-0099 sometimes providing initial access through spear phishing, underscoring the enduring role of wipers as a preferred tool for Russian threat actors.

Severity: Critical

Sources
- https://arstechnica.com/security/2025/11/wipers-from-russias-most-cut-throat-hackers-rain-destruction-on-ukraine/
- https://buaq.net/go-372169.html
- https://buaq.net/go-372777.html
- https://buaq.net/go-373967.html
- https://cyberpress.org/russian-hackers-2/
- https://cyberpress.org/weaponized-zip-documents/
- https://gbhackers.com/living-off-the-land-tactics/
- https://gbhackers.com/ssh-tor-backdoor/
- https://industrialcyber.co/ransomware/sandworm-linked-webshell-and-lotl-tactics-found-in-russian-cyberattacks-targeting-ukrainian-networks/
- https://securityonline.info/russian-apts-exploit-lotl-techniques-in-ukraine-cyber-attacks-deploying-sandworm-linked-webshell-and-credential-dumping/
- https://securityonline.info/sandworm-apt-attacks-belarus-military-with-lnk-exploit-and-openssh-over-tor-obfs4-backdoor/
- https://socprime.com/blog/russian-hackers-target-ukrainian-organizations/
- https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html
- https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
- https://www.bleepingcomputer.com/news/security/sandworm-hackers-use-data-wipers-to-disrupt-ukraines-grain-sector/
- https://www.esecurityplanet.com/threats/russian-linked-cyberattacks-continue-to-target-ukrainian-organizations/
- https://www.helpnetsecurity.com/2025/11/03/russian-belarusian-military-spear-phishing/
- https://www.hendryadrian.com/living-off-the-land-allowed-russia-linked-group-to-breach-ukrainian-entities-this-summer/
- https://www.hendryadrian.com/ukrainian-organizations-still-heavily-targeted-by-russian-attacks/
- https://www.metacurity.com/cisa-plans-to-fire-54-employees-despite-court-injunction/
- https://www.securityweek.com/destructive-russian-cyberattacks-on-ukraine-expand-to-grain-sector/

Threat Details and IOCs
Malware: Acid Pour, AcidPour, AcidRain, BACKORDER, BE2, BE3, Black Energy, BlackEnergy, Blakken, BPFDoor, CaddyWiper, Chisel, CRASHOVERRIDE, Diskcoder.C, EternalPetya, ExPetr, FoxBlade, FruitShell, GoldenEye, GootKit Loader, GootLoader, HermeticWiper, Industroyer, IsaacWiper, Kalambur, KillDisk, LAMEHUG, Localolive, LocalOlive, NEARMISS, NotPetya, Nyetna, Nyetya, NyetYa, PathWiper, PEAPOD, Petna, Petya 2.0, Petya.A, Pnyetya, PromptSteal, Pterodo, PteroPSDoor, PteroVDoor, QuietVault, RomCom, RomCom RAT, RomCom RAT 5.0, RustyClaw, SingleCamper, SnipBot, Sting, SUMBUR, VPNFilter, WhisperGate, Zerlot, Zerolot, ZeroLot, ZEROLOT
CVEs: CVE-2013-3906, CVE-2014-4114, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2017-0199, CVE-2019-10149, CVE-2021-32648, CVE-2021-34473, CVE-2022-41352, CVE-2023-23397, CVE-2023-32315, CVE-2023-32784, CVE-2023-42793, CVE-2023-48788, CVE-2024-1709, CVE-2025-53770, CVE-2025-8088
Technologies: ESET Endpoint Security, KeePass, Linux, Microsoft Active Directory, Microsoft Internet Information Services, Microsoft Windows, MikroTik RouterOS, MikroTik WinBox, OpenSSH, Python, RARLAB WinRAR, SonicWall Secure Mobile Access, Tor
Threat Actors: Actinium, AngryLikho, APT28, APT44, AquaBlizzard, Armageddon, AwakenLikho, BlackEnergy, CoreWerewolf, DEV-0861, EarthBluecrow, ELECTRUM, FROZENBARENTS, Gamaredon, InedibleOchotense, IRIDIUM, IronTilden, IRONVIKING, MuddyWater, PrimitiveBear, Quedagh, RedMenshen, RomCom, Sandworm, SeashellBlizzard, Shuckworm, StickyWerewolf, Storm-0978, Storm0978, TA450, TA453, TA455, Telebots, TridentUrsa, TropicalScorpius, Turla, UAC0002, UAC-0010, UAC0010, UAC-0082, UAC0082, UAC-0099, UAC0113, UAC-0125, UAC0125, Uac0145, UNC2565, UNC2596, UNC530, Unit74455, UNKSmudgedSerpent, VoidRabisu, VoodooBear, Winterflounder
Attacker Countries: China, Iran, Myanmar, North Korea, Russia
Attacker IPs: 156.67.24.239, 185.145.245.209, 77.20.116.133
Attacker Domains: ciscoheartbeat.com, eliteheirs.org, esetremover.com, esetscanner.com, esetsmart.com, melamorri.com, taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion, yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion
Attacker URLs: 185.145.245.209:22065/service.aspx
Victim Industries: Agriculture, Automotive, Business Services, Critical Manufacturing, Defense, Digital Media, Education, Energy, Engineering, Financial Services, Government, Hospitality, Information Technology, Legal and Professional Services, Logistics, Manufacturing, Professional Services, Retail, Telecommunications, Transportation, Transportation & Logistics, Utilities
Victim Countries: Austria, Belarus, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Myanmar, Netherlands, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, South Korea, Spain, Sweden, Ukraine, United States

Mitigation Advice
- Use endpoint management or scripting tools to scan all Windows systems for a scheduled task named "DavaniGulyashaSdeshka" and alert on or remove any findings.
- Identify all installations of WinRAR in the environment and ensure they are updated to a version that is not vulnerable to the zero-day exploit mentioned above.
- Configure email security gateways to block or quarantine emails from external sources that contain executable files or compressed archives such as .rar and .zip.
- Scan the network to identify all systems running SMBv1 and disable the protocol wherever it is not essential for business operations.

Compliance Best Practices
- Implement and regularly test a 3-2-1 backup strategy, ensuring at least one copy of critical data is stored offline, air-gapped, or in an immutable storage repository to protect it from wiper malware.
- Develop and roll out a continuous security awareness training program that includes phishing simulations, to teach employees how to identify and report suspicious emails.
- Implement network segmentation to create isolated zones for critical servers and services, restricting communication paths from user workstations to limit the lateral movement of malware.
- Deploy an application control or allowlisting solution on endpoints, particularly servers, to restrict software execution to known and approved applications.

F5 Threat Report - September 17th, 2025
Akira Ransomware Exploiting Critical SonicWall SSLVPN Bug Again

The Akira ransomware group is actively exploiting CVE-2024-40766, a critical-severity access control vulnerability in SonicWall SSL VPN devices, to gain unauthorized access to target networks. The flaw allows unauthorized resource access and can cause firewall crashes. SonicWall patched it in August of the previous year and strongly recommended that users reset passwords for locally managed SSLVPN accounts after applying the update, to prevent threat actors from leveraging credentials that had already been exposed. Despite the patch, Akira began actively exploiting the vulnerability in September 2024, and recent alerts from the Australian Cyber Security Centre and observations from Rapid7 indicate a resurgence in attacks, likely due to incomplete remediation. SonicWall has confirmed that the current activity is linked to CVE-2024-40766 rather than a new zero-day, and has investigated up to 40 related security incidents. The vulnerability affects SonicWall firewall versions including Gen 5 (5.9.2.14-12o and older), Gen 6 (6.5.4.14-109n and older), and Gen 7 (7.0.1-5035 and older). Remediation requires updating to firmware version 7.3.0 or later, rotating SonicWall account passwords, enforcing multi-factor authentication, mitigating the SSLVPN Default Groups risk, and restricting Virtual Office Portal access to trusted networks.

Severity: High

Source
- https://www.bleepingcomputer.com/news/security/akira-ransomware-exploiting-critical-sonicwall-sslvpn-bug-again/

Threat Details and IOCs
CVEs: CVE-2024-40766
Technologies: SonicWall SonicOS
Threat Actors: Akira, Everest, Fog, GoldSahara, GOLDSAHARA, PunkSpider, ScatteredLapsusHunters, Storm-1567, UNC4487
Attacker Countries: Russia
Victim Industries: Manufacturing, Education, Financial Services, Healthcare, Transportation, Business Services, Retail, Technology, Critical Infrastructure, Construction
Victim Countries: Australia

Mitigation Advice
- Immediately patch all vulnerable SonicWall devices (Gen 5, 6, and 7) to the latest recommended firmware version to remediate CVE-2024-40766.
- Force an immediate password rotation for all locally managed user accounts on SonicWall SSLVPN devices.
- Configure firewall access control lists to restrict access to the SonicWall SSLVPN and Virtual Office Portal interfaces to trusted IP address ranges only.

Compliance Best Practices
- Develop and execute a plan to enforce mandatory multi-factor authentication (MFA) for all users accessing the SonicWall SSLVPN.
- Perform a configuration audit of SonicWall devices to identify and remediate overly permissive settings, focusing specifically on the risks associated with the 'SSLVPN Default Groups'.
- Review and enhance the existing vulnerability management program to ensure timely patching of all internet-facing infrastructure, and include a verification step confirming that all required mitigations, such as password resets or configuration changes, have been completed.

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

A cloud email service takeover campaign in May 2025 leveraged compromised AWS access keys to bypass Amazon Simple Email Service (SES) restrictions and launch large-scale phishing operations.
After obtaining an access key with SES permissions, the attackers performed reconnaissance using the GetCallerIdentity, GetSendQuota, and GetAccount API calls. They then rapidly issued PutAccountDetails requests in multiple regions to move the SES account from sandbox to production mode, providing a generic justification that AWS support approved. Attempts to increase email quotas programmatically via the CreateCase API and to escalate IAM privileges failed, but the default production quota of 50,000 emails per day was sufficient. The attackers then verified multiple domains, including attacker-owned domains and legitimate domains with weak DMARC, and created email identities (e.g., admin@, billing@). This infrastructure was used for a phishing campaign that targeted various organizations with fake 2024 tax forms linking to a credential theft site hidden behind a commercial redirect service. SES abuse of this kind carries significant reputational, compromise, and operational risk, and it indicates broader credential compromise. To mitigate it, organizations should restrict SES where it is unused, regularly audit and rotate access keys, enforce least privilege for SES permissions, log and alert on SES API calls (especially PutAccountDetails), and monitor for sudden spikes in service usage or unusual sender additions.

Severity: High

Source
- https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign

Threat Details and IOCs
Technologies: Amazon Web Services, Amazon Simple Email Service
Attacker Domains: managed7.com, street7news.org, street7market.net, docfilessa.com, irss.securesusa.com
Victim Industries: Accounting, Energy, Financial Services, Healthcare, Manufacturing
Victim Countries: United States

Mitigation Advice
- Block the following domains at the web proxy, DNS filter, and email gateway: managed7.com, street7news.org, street7market.net, docfilessa.com, and irss.securesusa.com.
- Conduct an immediate audit of all IAM user access keys, focusing on keys that were inactive for over 90 days and have suddenly shown activity, or keys used from geographically anomalous locations, and disable them.
- Create a CloudTrail alert that triggers on multiple `ses:PutAccountDetails` API calls originating from the same IAM principal across different AWS regions within a short time window, such as 5 minutes.
- Configure a CloudTrail alert that triggers on any non-console invocation of the `support:CreateCase` API, especially when it relates to service quota increases.
- Immediately review your AWS SES configuration in all regions to verify that no unauthorized domains or email addresses have been added as sending identities and that the account has not been unexpectedly moved from the sandbox to production mode.

Compliance Best Practices
- Implement and enforce a mandatory 90-day rotation policy for all IAM user access keys, and establish a process to automatically disable keys that have not been used for more than 90 days.
- Initiate a project to review and refactor all IAM policies to adhere to the principle of least privilege, specifically restricting sensitive SES actions like `ses:PutAccountDetails` and `ses:CreateEmailIdentity` to a minimal number of dedicated administrative roles.
- Use AWS Organizations and Service Control Policies (SCPs) to explicitly deny access to Amazon SES in all AWS accounts that have no legitimate business requirement to send bulk email.
- Develop and execute a phased plan to implement DMARC for all company-owned domains, starting with a `p=none` policy for monitoring and progressively moving to `p=quarantine` and `p=reject` to prevent unauthorized email spoofing.
- Enable AWS CloudTrail logging for all regions in all accounts, forwarding logs to a central security information and event management (SIEM) system.
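The two CloudTrail detections from the mitigation advice above, run over constructed CloudTrail records, as an added example that is not F5's or Wiz's code. The 5-minute window and the two-region threshold follow the advice; the heuristics for recognising console activity (`sessionCredentialFromConsole`, a console `userAgent`) are assumptions of this example.

```python
"""Detection logic for the two CloudTrail alerts in the mitigation advice above:
a burst of ses:PutAccountDetails calls by one principal across several regions,
and support:CreateCase invoked outside the AWS console.

Added example, not code from F5 or from Wiz. The CloudTrail records below are
constructed; the console heuristics (userAgent / sessionCredentialFromConsole)
are this example's assumptions about how console activity appears in logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records, reduced to the fields the detections read.
SAMPLE_EVENTS = json.loads("""{"Records": [
 {"eventTime": "2025-05-14T09:00:05Z", "eventSource": "ses.amazonaws.com",
  "eventName": "GetSendQuota", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-mailer"},
  "userAgent": "Boto3/1.34.0"},
 {"eventTime": "2025-05-14T09:00:41Z", "eventSource": "ses.amazonaws.com",
  "eventName": "PutAccountDetails", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-mailer"},
  "userAgent": "Boto3/1.34.0"},
 {"eventTime": "2025-05-14T09:01:10Z", "eventSource": "ses.amazonaws.com",
  "eventName": "PutAccountDetails", "awsRegion": "eu-west-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-mailer"},
  "userAgent": "Boto3/1.34.0"},
 {"eventTime": "2025-05-14T09:02:40Z", "eventSource": "ses.amazonaws.com",
  "eventName": "PutAccountDetails", "awsRegion": "ap-southeast-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-mailer"},
  "userAgent": "Boto3/1.34.0"},
 {"eventTime": "2025-05-14T09:03:02Z", "eventSource": "support.amazonaws.com",
  "eventName": "CreateCase", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-mailer"},
  "userAgent": "aws-cli/2.15.0"},
 {"eventTime": "2025-05-10T14:20:00Z", "eventSource": "ses.amazonaws.com",
  "eventName": "PutAccountDetails", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/MailOpsAdmin"},
  "userAgent": "console.amazonaws.com", "sessionCredentialFromConsole": "true"}
]}""")["Records"]


def _when(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def multi_region_put_account_details(records, window=timedelta(minutes=5), min_regions=2):
    """Alert when one principal calls PutAccountDetails in at least min_regions
    distinct regions inside any sliding window of the given length."""
    calls = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") == "ses.amazonaws.com" and rec.get("eventName") == "PutAccountDetails":
            calls[rec["userIdentity"]["arn"]].append((_when(rec), rec["awsRegion"]))
    alerts = []
    for arn, events in calls.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            regions = {region for _, region in events[start:end + 1]}
            if len(regions) > len(best):
                best = regions
        if len(best) >= min_regions:
            alerts.append({"principal": arn, "regions": sorted(best),
                           "rule": "ses-put-account-details-multi-region"})
    return alerts


def non_console_create_case(records):
    """Alert on support:CreateCase calls that did not come from the console;
    programmatic quota-increase requests were part of the observed playbook."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "support.amazonaws.com" or rec.get("eventName") != "CreateCase":
            continue
        from_console = (rec.get("sessionCredentialFromConsole") == "true"
                        or "console.amazonaws.com" in rec.get("userAgent", ""))
        if not from_console:
            alerts.append({"principal": rec["userIdentity"]["arn"], "userAgent": rec.get("userAgent"),
                           "rule": "support-create-case-non-console"})
    return alerts


if __name__ == "__main__":
    for alert in multi_region_put_account_details(SAMPLE_EVENTS) + non_console_create_case(SAMPLE_EVENTS):
        print(alert)
```

The same logic ports directly to a SIEM rule: group `ses.amazonaws.com`/`PutAccountDetails` events by `userIdentity.arn`, count distinct `awsRegion` values over a 5-minute window, and alert at two or more.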
- Enable SES data events within CloudTrail for granular visibility into email sending activity.
- Configure AWS CloudWatch anomaly detection on key service metrics, such as SES `SendEmail` volume and S3 `PutObject` counts, to automatically detect and alert on significant deviations from established baselines.

GONEPOSTAL Malware Exploits Outlook for Stealthy Command-and-Control

A sophisticated espionage campaign employs GONEPOSTAL, a novel malware attributed to the Russian state-sponsored group KTA007 (also known as Fancy Bear or APT28), which turns Microsoft Outlook into a stealthy command-and-control channel. Discovered by Kroll, GONEPOSTAL operates in two stages: a malicious DLL disguised as `SSPICLI.dll` initiates a PowerShell sequence that copies a `testtemp.ini` file to `VbaProject.OTM` in the Outlook profile directory, while also identifying the victim via DNS lookups and HTTP requests to services like webhook.site. Persistence is achieved through registry modifications under `Software\Microsoft\Office\16.0\Outlook`: `LoadMacroProviderOnBoot` is set to enable automatic macro loading, `Level` to allow unrestricted macro execution, and `PONT_STRING` to suppress security warnings, all of which let the core functionality housed in the obfuscated, password-protected `VbaProject.OTM` VBA macros run. On Outlook startup, the malware initializes and monitors incoming emails for specific command signatures. It supports `cmd` for command execution with output, `cmdNo` for silent execution, `upload` for writing files, and `download` for reading and exfiltrating files. Payloads arrive base64-encoded; exfiltrated files are base64-encoded and chunked into segments of approximately 3.15 megabytes for email attachments, after which processed emails are removed to clean up forensic evidence.
Severity: Critical

Source
- https://gbhackers.com/gonepostal-malware/

Threat Details and IOCs
Technologies: Microsoft Office, Microsoft Outlook, Microsoft Windows
Threat Actors: APT28, APT32, FancyBear, KTA007, KTA488, PawnStorm
Attacker Countries: Russia
Attacker Domains: webhook.site, oast.fun
Victim Industries: Government, Aerospace & Defense, Non-Governmental Organization
Victim Countries: United States, Norway, Switzerland, Ukraine, France

Mitigation Advice
- Use your endpoint detection and response (EDR) tool to scan all endpoints for the file 'VbaProject.OTM' in the '%APPDATA%\Microsoft\Outlook\' directory.
- Audit the Windows Registry on all endpoints for unauthorized changes to the 'LoadMacroProviderOnBoot', 'Level', and 'PONT_STRING' values under the 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security' key.
- Add 'webhook.site' and 'oast.fun' to your DNS blocklist and web proxy filter to disrupt the malware's victim identification callback.
- Use your EDR or system management tools to identify any instances of 'SSPICLI.dll' that are not digitally signed by Microsoft or are located outside the expected System32 directory.
- Search available PowerShell logs for command-line activity that copies files into the Outlook profile directory, specifically looking for the creation of 'VbaProject.OTM'.

Compliance Best Practices
- Implement a Group Policy (GPO) to set the Microsoft Office macro security level to 'High' or 'Very High', which disables all macros except those digitally signed by a trusted publisher.
- Enable PowerShell Script Block Logging and Module Logging across all endpoints and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution.
- Configure your Endpoint Detection and Response (EDR) solution to alert when Microsoft Office applications, such as Outlook.exe, spawn child processes like PowerShell.exe or Cmd.exe.
- Deploy an application control technology, such as Windows Defender Application Control (WDAC) or AppLocker, to enforce a policy that only allows authorized and signed DLLs and scripts to execute.
- Enable registry auditing on endpoints for critical Microsoft Office security keys and forward these events to a SIEM to alert on unauthorized modifications.

Amazon Disrupts Russian APT29 Hackers Targeting Microsoft 365

Amazon researchers disrupted an operation by the Russian state-sponsored threat group Midnight Blizzard, also known as APT29, which sought access to Microsoft 365 accounts and data. The group ran a watering hole campaign, compromising legitimate websites to redirect a small percentage of visitors to malicious infrastructure mimicking Cloudflare verification pages, such as findcloudflare[.]com or cloudflare[.]redirectpartners[.]com. The objective was to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow, thereby gaining access to credentials and intelligence. Amazon's threat intelligence team identified the campaign, isolated the threat actor's EC2 instances, and worked with Cloudflare and Microsoft to disrupt the identified domains; it continues to track and disrupt the group's attempts to shift infrastructure. The campaign marks an evolution in APT29's technical approach, moving away from AWS impersonation or social engineering for MFA bypass. Users are advised to verify device authorization requests, enable multi-factor authentication, and avoid executing commands copied from webpages, while administrators should consider disabling unnecessary device authorization flows, enforcing conditional access policies, and closely monitoring for suspicious authentication events.
Severity: Critical

Source
- https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-apt29-hackers-targeting-microsoft-365/

Threat Details and IOCs
Technologies: Cloudflare, Microsoft Entra ID, Microsoft Windows
Threat Actors: APT29, MidnightBlizzard, UNC2452
Attacker Countries: Russia
Attacker Domains: findcloudflare.com, cloudflare[.]redirectpartners.com
Victim Industries: Government, Information Technology
Victim Countries: United States, Germany

Mitigation Advice
- Add the domains 'findcloudflare[.]com' and 'cloudflare[.]redirectpartners[.]com' to your web filter, DNS sinkhole, and firewall blocklists.
- In Microsoft Entra ID, create a Conditional Access policy that blocks the 'Device code flow' authentication flow for all users unless there is a specific business requirement for it.
- Review Microsoft Entra ID sign-in logs for all authentication events that used the 'Device code' flow, and investigate any successful authentications from unfamiliar locations or devices.
- Send a security advisory to all employees warning them to be suspicious of any unexpected prompt to authorize a new device sign-in for their Microsoft 365 account, especially one that originates from a web browser.

Compliance Best Practices
- Initiate a project to review and strengthen all Microsoft Entra ID Conditional Access policies to enforce location-based, device-based, and risk-based access controls for all cloud applications.
- Implement and enforce phishing-resistant multi-factor authentication (MFA), such as FIDO2 security keys or certificate-based authentication, for all users, prioritizing privileged accounts.
- Implement a continuous security awareness training program that includes phishing simulations specifically designed to mimic modern threats like consent phishing and device authorization abuse.
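The sign-in log review from the mitigation advice above, as an added example that is not F5's, Amazon's or Microsoft's code. The records are constructed in the shape of the Microsoft Graph signIn resource (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`), and the "unfamiliar location" rule (a country absent from the user's earlier successful non-device-code sign-ins) is this example's own.

```python
"""Review Entra ID sign-in records for device code flow authentications from
locations the user has not signed in from before, and count device code use
per user (the volume signal the report also calls out).

Added example, not code from F5, Amazon or Microsoft. Records are constructed
in the shape of the Microsoft Graph signIn resource; the baseline rule below is
this example's assumption about what 'unfamiliar location' should mean."""
import json
from collections import defaultdict

# Constructed sign-in records (RFC 5737 documentation addresses).
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2025-08-20T07:55:02Z", "userPrincipalName": "j.doe@example.com",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-21T08:10:44Z", "userPrincipalName": "j.doe@example.com",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-28T09:31:17Z", "userPrincipalName": "j.doe@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-28T09:40:03Z", "userPrincipalName": "a.smith@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
 {"createdDateTime": "2025-08-27T10:02:51Z", "userPrincipalName": "k.lee@example.com",
  "authenticationProtocol": "none", "ipAddress": "192.0.2.5",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-28T10:02:51Z", "userPrincipalName": "k.lee@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
  "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
]""")


def _country(rec):
    return (rec.get("location") or {}).get("countryOrRegion")


def _succeeded(rec):
    # errorCode 0 is a successful sign-in; anything else (e.g. 50126) failed.
    return (rec.get("status") or {}).get("errorCode") == 0


def review_device_code_signins(signins):
    """Return (suspicious, counts): successful device code sign-ins whose country
    is absent from the user's baseline of successful non-device-code sign-ins,
    and the number of device code attempts (successful or not) per user."""
    baseline = defaultdict(set)
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode" and _succeeded(rec):
            baseline[rec["userPrincipalName"]].add(_country(rec))
    suspicious, counts = [], defaultdict(int)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        counts[user] += 1
        if _succeeded(rec) and _country(rec) not in baseline[user]:
            suspicious.append({"user": user, "time": rec["createdDateTime"],
                               "ip": rec.get("ipAddress"), "country": _country(rec),
                               "known_countries": sorted(c for c in baseline[user] if c)})
    return suspicious, dict(counts)


if __name__ == "__main__":
    flagged, per_user = review_device_code_signins(SAMPLE_SIGNINS)
    for item in flagged:
        print("investigate:", item)
    print("device code attempts per user:", per_user)
```

Failed device code attempts are deliberately kept in the per-user counts: a burst of failures for one account is the "unusual volume" pattern even when no sign-in succeeded.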
- Integrate Microsoft Entra ID sign-in and audit logs into your SIEM to develop specific detection rules and alerts for anomalous authentication patterns, such as an unusual volume of device code authentications or sign-ins from non-compliant devices.

Fileless Malware Deploys Advanced RAT via Legitimate Tools

A sophisticated fileless malware campaign has been identified that leverages legitimate system tools to deploy AsyncRAT, a powerful remote access Trojan. The attack begins with a compromised ScreenConnect client, which establishes an interactive session via `relay.shipperzone[.]online`. A VBScript, `Update.vbs`, then runs a PowerShell command to download two payloads, `logs.ldk` and `logs.ldr`, to `C:\Users\Public\`. These payloads are loaded directly into memory using reflection, bypassing disk-based detection. The infection chain proceeds with a first-stage .NET assembly, `Obfuscator.dll`, which contains classes to initialize the runtime, establish persistence via a "Skype Updater" scheduled task, and disable Windows security logging. The final payload, `AsyncClient.exe`, acts as the command-and-control engine, communicating with domains like `3osch20[.]duckdns[.]org` over TCP-based protocols. This AsyncRAT variant performs system reconnaissance, executes commands, and exfiltrates sensitive data, including operating system details, privilege levels, antivirus status, active window titles, and browser extensions like MetaMask and Phantom, and it conducts keylogging with context capture.
Severity: Critical

Source
https://thehackernews.com/2025/09/asyncrat-exploits-connectwise.html

Threat Details and IOCs
CVEs: CVE-2024-1709, CVE-2024-1708
Attacker Domains: 3osch20[.]duckdns[.]org, relay.shipperzone[.]online
Technologies: ConnectWise ScreenConnect, Microsoft Windows
Victim Industries: Financial Services, Cryptocurrency
Victim Countries: United States

Mitigation Advice
Block the domains `relay.shipperzone[.]online` and `3osch20[.]duckdns[.]org` at the network perimeter firewall and in the corporate DNS filtering solution.
Use your Endpoint Detection and Response (EDR) or system management tools to scan all endpoints for `logs.ldk` and `logs.ldr` in the `C:\Users\Public\` directory.
Scan all Windows systems for a scheduled task named 'Skype Updater' and investigate any machine on which this task is found.
Immediately audit all on-premises and cloud ScreenConnect instances to ensure they are patched to the latest version, review user accounts for unauthorized additions, and enforce multi-factor authentication for all remote access.
In your SIEM or EDR, hunt for instances of `WScript.exe` launching `PowerShell.exe` to download files, which matches the technique described in the article.

Compliance Best Practices
Enable PowerShell Script Block Logging and Module Logging via Group Policy and forward these logs to your SIEM to build detections for obfuscated scripts and suspicious in-memory execution.
Deploy an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of unauthorized scripts and binaries from non-standard locations such as `C:\Users\Public\`.
Establish a formal policy and technical standard for all remote access software, requiring that tools be centrally managed, configured with multi-factor authentication, and have their session logs forwarded to the SIEM for monitoring.
Work with your EDR vendor or internal team to create and enable behavioral detection rules that alert on processes attempting to disable security logging or load .NET assemblies in memory from a scripting engine.
For user groups that have no business need for scripting, use Group Policy to disable Windows Script Host (`WScript.exe`) and set the PowerShell execution policy to 'Restricted'.

F5 Threat Report - September 10th, 2025
Critical Flaws in NVIDIA NeMo AI Curator Allow System Takeover

NVIDIA has released a critical update for its NeMo Curator software, version 25.07, to address a high-severity code injection vulnerability tracked as CVE-2025-23307. This flaw, which affects all previous versions on Windows, Linux, and macOS, originates from insufficient validation of user-supplied input before dynamic code evaluation (CWE-94). With a base severity score of 7.8, the vulnerability allows an attacker to achieve remote code execution, privilege escalation, unauthorized information disclosure, or data tampering by crafting a malicious file that the Curator environment processes. Exploitation requires low privileges and local file manipulation, but no user interaction. Users are urged to upgrade to Curator version 25.07, which includes input sanitization and stricter evaluation controls, to mitigate this risk.

Severity: Critical

Sources
https://cyberpress.org/flaws-in-nvidia-nemo-ai-curator-allow-system-takeover/

Threat Details and IOCs
CVEs: CVE-2025-23307
Victim Industries: Automotive, Manufacturing, Healthcare, Retail, Financial Services, Technology, Government, Telecommunications
Victim Technologies: NVIDIA NeMo Curator, Linux, Microsoft Windows, Apple macOS

Mitigation Advice
Use asset inventory systems, software management tools, or manual checks to identify all instances of NVIDIA NeMo Curator running on company assets, including servers and developer workstations.
For all identified instances of NVIDIA NeMo Curator, immediately upgrade the software to version 25.07 or newer from the official NVIDIA NeMo GitHub repository.

Compliance Best Practices
Implement or enhance a software asset management (SAM) program to maintain a continuously updated inventory of all deployed software, including specialized AI/ML frameworks.
Review and enforce the principle of least privilege for user and service accounts, particularly those associated with data processing and AI/ML environments, to minimize the impact of potential code execution vulnerabilities.
Establish a formal vulnerability management program that includes subscribing to vendor security advisories (such as NVIDIA's PSIRT) and performing regular, authenticated vulnerability scans across all assets.
Provide secure coding training to development teams that focuses on input validation (CWE-94) and the secure handling of external data, especially within applications that process complex file formats.

s1ngularity Supply Chain Attack Leaks Secrets on GitHub: Everything You Need to Know

On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry, initiating a supply chain attack. These versions, including specific releases of `@nrwl/nx`, `nx`, `@nx/devkit`, `@nx/enterprise-cloud`, `@nx/eslint`, `@nx/js`, `@nx/key`, `@nx/node`, and `@nx/workspace`, contained a post-installation malware script named `telemetry.js`. This payload, active on Linux and macOS systems, systematically harvested sensitive developer assets such as cryptocurrency wallets, GitHub and npm tokens, SSH keys, and `.env` files. A notable aspect of the attack was the weaponization of installed AI command-line tools (including Claude, Gemini, and Q) by prompting them with dangerous flags to perform reconnaissance. The malware also attempted to lock users out of their systems by appending `sudo shutdown -h 0` to `~/.bashrc` and `~/.zshrc`. Exfiltrated data was triple-base64 encoded and uploaded to publicly accessible attacker-controlled GitHub repositories named `s1ngularity-repository`, `s1ngularity-repository-0`, or `s1ngularity-repository-1` within victims' GitHub accounts, exposing over a thousand valid GitHub tokens, dozens of cloud and npm credentials, and approximately twenty thousand files.
The compromise affected developer machines, often via the NX VSCode extension, and CI/CD pipelines such as GitHub Actions. Immediate remediation requires removing the malicious Nx versions, upgrading to clean releases, manually removing the malicious shell entries, and deleting `/tmp/inventory.txt` and its backup. Security teams should audit GitHub accounts for the specific repository names, review audit logs for anomalous API usage, and monitor developer endpoints and CI/CD pipelines for suspicious activity. Crucially, all potentially leaked credentials, including GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets, must be revoked and regenerated, and cryptocurrency funds must be transferred if a wallet was exposed.

Severity: Critical

Sources
https://www.wiz.io/blog/s1ngularity-supply-chain-attack

Threat Details and IOCs
Attacker Hashes: 3905475cfd0e0ea670e20c6a9eaeb768169dc33d
Victim Industries: Financial Services
Victim Technologies: Nx, Google Gemini, Apple macOS, Microsoft Visual Studio Code, Amazon Q, Anthropic Claude, Node.js, Linux, GitHub, npm

Mitigation Advice
Scan all developer endpoints and CI/CD environments to identify the malicious versions of the Nx packages listed in the article. Remove them by deleting the 'node_modules' directory, then run 'npm cache clean --force' before installing a safe version.
On all Linux and macOS developer endpoints, inspect the `~/.bashrc` and `~/.zshrc` files for the entry 'sudo shutdown -h 0' and remove it. Also delete the files `/tmp/inventory.txt` and `/tmp/inventory.txt.bak` if they exist.
Audit all company-managed GitHub organizations and developer user accounts for any repositories named 's1ngularity-repository', 's1ngularity-repository-0', or 's1ngularity-repository-1'. Review GitHub audit logs for repository creation events by unexpected actors or automation.
Immediately revoke all GitHub and npm tokens for all developers and service accounts.
Require users to generate new tokens with the minimum required permissions.
Initiate a company-wide rotation of all SSH keys and of any other API keys or secrets stored in developer environment files that could have been compromised.
In your SIEM or network monitoring tools, search for and create alerts on outbound API calls from developer endpoints or CI/CD runners to 'api.github.com' targeting '/user/repos' or '/repos/*/contents/results.b64'.

Compliance Best Practices
Implement a software composition analysis (SCA) tool to automatically scan npm dependencies for known vulnerabilities and malicious packages before they are used in development or build pipelines.
Configure CI/CD pipelines to run in ephemeral, isolated environments with strict egress filtering that only allows network connections to approved package registries and services, preventing unauthorized data exfiltration.
Establish and enforce a credential management policy that mandates short-lived, narrowly scoped access tokens for CI/CD pipelines and developer environments instead of long-lived personal access tokens.
Develop and implement a corporate policy governing the use of AI command-line tools on developer endpoints, specifically restricting or monitoring the use of permissive flags such as '--dangerously-skip-permissions' or '--trust-all-tools'.
Implement a recurring security awareness training program for all developers that focuses on supply chain attack risks, recognizing suspicious package behavior, and best practices for credential security.

Citrix Patches Three NetScaler Zero Days as One Sees Active Exploitation

Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and Gateway: CVE-2025-7775 (CVSS 9.2) and CVE-2025-7776 (CVSS 8.8), both memory overflows, and CVE-2025-8424 (CVSS 8.7), an improper access control flaw in the management interface.
CVE-2025-7775, a pre-authentication remote code execution vulnerability, was actively exploited in the wild to deploy webshells on unmitigated appliances, with campaigns beginning before the patch was available. As of August 26, 2025, 84% of scanned appliances were vulnerable to CVE-2025-7775, and the Shadowserver Foundation identified at least 28,000 unpatched instances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by August 28. Affected systems include NetScaler ADC and Gateway versions 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241, and 12.1-FIPS/NDcPP before 12.1-55.330, as well as Secure Private Access deployments. Citrix urged users to upgrade to the specific patched versions, as no other workarounds exist, and noted that versions 12.1 and 13.0 are now End-of-Life. Security experts caution that patching alone is insufficient and stress the need to investigate for signs of prior compromise: sophisticated actors often exploit such memory corruption vulnerabilities, and future attacks may chain an initial access flaw such as CVE-2025-7775 with a secondary vulnerability such as CVE-2025-8424 to compromise management interfaces.

Severity: Critical

Sources
https://www.infosecurity-magazine.com/news/citrix-patch-netscaler-zero-days/

Threat Details and IOCs
Malware: Webshell, Backdoor Malware
CVEs: CVE-2025-6543, CVE-2025-7775, CVE-2025-8424, CVE-2025-7776
Victim Industries: Government, Healthcare, Financial Services, Information Technology
Victim Technologies: NetScaler Gateway, NetScaler ADC
Victim Countries: United States

Mitigation Advice
Immediately patch all vulnerable Citrix NetScaler ADC and Gateway appliances to the recommended versions (14.1-47.48+, 13.1-59.22+, etc.) to remediate CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424.
Initiate a threat hunt on all Citrix NetScaler appliances for indicators of compromise, such as webshells, unauthorized accounts, or unusual outbound network traffic, to identify and remediate existing backdoors.
Identify and prioritize the immediate upgrade or decommissioning of all NetScaler appliances running end-of-life (EOL) versions 12.1 and 13.0, as they cannot be patched against these vulnerabilities.

Compliance Best Practices
Review and reconfigure network firewall rules to ensure that the NetScaler Management Interface is not exposed to the public internet and is accessible only from a secure, isolated management network segment.
Implement a comprehensive asset lifecycle management program to track all hardware and software, ensuring that systems are upgraded or replaced before they reach end-of-life (EOL) to avoid exposure to unpatchable vulnerabilities.

Docker Desktop Vulnerability Allowed Host Takeover on Windows, macOS

A critical vulnerability, CVE-2025-9074, was identified and patched in Docker Desktop for Windows and macOS. It allowed malicious containers to escape their isolated environments and gain administrator-level control over the host system. Rated 9.3 out of 10 for severity, the flaw stemmed from unauthenticated exposure of the Docker Engine's internal HTTP API, which let a malicious container create new privileged containers and read or modify host files, even when Enhanced Container Isolation (ECI) was active. The vulnerability, which could lead to full system takeover on Windows by overwriting critical files, was resolved in Docker Desktop version 4.44.3, released on August 20, 2025. Users are strongly advised to update to this version immediately, avoid overly permissive container configurations such as the `--privileged` flag, restrict container access, and maintain continuous system monitoring to mitigate the risk.
Severity: Critical

Sources
https://hackread.com/docker-desktop-vulnerability-host-takeover-windows-macos/

Threat Details and IOCs
CVEs: CVE-2025-9074
Victim Industries: Information Technology
Victim Technologies: Apple macOS, Microsoft Windows, Docker Desktop

Mitigation Advice
Update all Docker Desktop installations on Windows and macOS endpoints to version 4.44.3 or newer.
Use asset inventory or vulnerability scanning tools to identify all corporate devices running versions of Docker Desktop vulnerable to CVE-2025-9074.

Compliance Best Practices
Establish and enforce a security policy that prohibits running Docker containers with the '--privileged' flag, with an exception process for documented and approved use cases.
Implement a container runtime security solution to monitor for and alert on suspicious activity, such as unexpected process execution or network connections originating from containers.
Enforce a policy of least privilege for all container configurations, ensuring they are granted only the specific capabilities, file system access, and network permissions required for their function.

Widespread Data Theft Campaign Strikes Salesforce via Salesloft Drift

In a widespread data theft campaign active between August 8 and 18, 2025, the threat actor UNC6395 compromised numerous Salesforce customer instances using stolen OAuth tokens associated with the Salesloft Drift application. The attackers used the valid OAuth credentials to execute structured SOQL queries, exfiltrating large volumes of corporate data from Salesforce objects such as User, Account, Case, and Opportunity, with a specific focus on discovering secrets such as AWS access keys, passwords, and Snowflake access tokens. UNC6395 showed operational security discipline by deleting query jobs and using anonymizing infrastructure, including Tor exit nodes, along with automation tools identified by the user agents python-requests/2.32.4 and aiohttp/3.12.15.
In response, Salesloft and Salesforce revoked all active tokens for the Drift app on August 20 and temporarily removed it from the Salesforce AppExchange. This incident follows earlier Salesforce-related attacks in June and July 2025 by UNC6040, which used vishing to get rogue connected apps authorized, and subsequent extortion by UNC6240 (ShinyHunters). Organizations using Drift with Salesforce are advised to audit for exposed credentials, revoke and rotate API keys, review logs for suspicious SOQL queries tied to the Drift app, and enforce strict access controls for connected applications, including IP restrictions and limited scopes.

Severity: Critical

Sources
https://cyberinsider.com/widespread-data-theft-campaign-strikes-salesforce-via-salesloft-drift/

Threat Details and IOCs
Threat Actors: ShinyHunters, UNC6240, UNC6040, UNC6395
Attacker Emails: shinycorp@tuta.com
Victim Industries: Retail, Financial Services, Travel & Hospitality
Victim Technologies: Salesloft Drift, Salesforce, Snowflake, Amazon Web Services (AWS)
Victim Countries: United Kingdom, Germany, United States, France, Denmark, Netherlands

Mitigation Advice
Review all Salesforce logs between August 8 and August 18, 2025, for unusual SOQL queries originating from the Drift connected application, paying special attention to data exports from the User, Account, Case, and Opportunity objects.
Immediately audit all Salesforce objects and custom fields to identify any stored AWS access keys or other cloud service provider credentials.
Immediately audit all Salesforce objects and custom fields to identify any stored Snowflake tokens or other database credentials.
Immediately revoke and rotate any secrets, API keys, or passwords discovered during the audit of Salesforce data.
Follow vendor guidance to securely re-authenticate the Drift to Salesforce integration and restore service with new, secure tokens.
Compliance Best Practices
For all third-party Salesforce connected applications, configure IP Login Ranges to permit access only from the application vendor's known IP addresses.
Conduct a comprehensive security review of all Salesforce connected applications to ensure each one operates with the minimum OAuth scopes and object permissions necessary for its function.
Modify Salesforce user profiles to remove the 'API Enabled' permission by default, and grant it only to a limited number of dedicated integration user accounts or specific administrators via permission sets.
Implement a Data Loss Prevention (DLP) policy and toolset that continuously scans Salesforce objects and fields to detect and alert on any hardcoded secrets, passwords, or API keys.
Implement a recurring security awareness training program that educates employees on identifying and reporting social engineering attempts, specifically including vishing and consent phishing for cloud applications.
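The log review recommended above for the Salesloft Drift campaign, as an added example that is not F5's, Salesforce's or Salesloft's code: it scans API event records for the campaign window, the user agents named in the report, bulk reads of the User, Account, Case and Opportunity objects, and queries that filter on secret-like values. The record field names (`timestamp`, `connected_app`, `user_agent`, `query`, `rows_processed`) and the "Salesloft Drift" app label are assumptions; map them to the columns of your own Salesforce event export. The sample records are constructed.

```python
"""Hunt for UNC6395-style SOQL activity attributed to the Drift connected app.

Added example; the record layout is an ASSUMPTION modelled loosely on a
Salesforce API event export. Adapt the key names to your own export.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Campaign window, user agents and targeted objects come from the report.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
SENSITIVE_OBJECTS = {"User", "Account", "Case", "Opportunity"}
ATTACKER_USER_AGENTS = {"python-requests/2.32.4", "aiohttp/3.12.15"}
# Values an attacker hunting for AWS keys, passwords or Snowflake tokens
# would filter on (assumed heuristics, extend for your environment).
SECRET_PATTERNS = re.compile(r"AKIA|password|secret|snowflake|token", re.IGNORECASE)
BULK_ROWS_THRESHOLD = 1000  # assumption: tune to your normal Drift sync volume
DRIFT_APP_LABEL = "Salesloft Drift"  # assumed label in the export
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def soql_object(query: str) -> str:
    """Return the primary object named in the SOQL FROM clause, or ''."""
    m = FROM_RE.search(query)
    return m.group(1) if m else ""


def analyze_event(ev: Dict) -> List[str]:
    """Return the reasons one API event matches the campaign's tradecraft."""
    reasons: List[str] = []
    if ev.get("connected_app") != DRIFT_APP_LABEL:
        return reasons
    ts = datetime.fromisoformat(ev["timestamp"])
    if not (WINDOW_START <= ts <= WINDOW_END):
        return reasons
    query = ev.get("query", "")
    obj = soql_object(query)
    if obj in SENSITIVE_OBJECTS:
        reasons.append(f"query against sensitive object {obj}")
    if ev.get("user_agent") in ATTACKER_USER_AGENTS:
        reasons.append(f"attacker tooling user agent {ev['user_agent']}")
    if SECRET_PATTERNS.search(query):
        reasons.append("query filters on secret-like values")
    if ev.get("rows_processed", 0) >= BULK_ROWS_THRESHOLD:
        reasons.append(f"bulk export of {ev['rows_processed']} rows")
    return reasons


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return the flagged events, each annotated with its reasons."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-12T03:14:07+00:00", "connected_app": DRIFT_APP_LABEL,
     "user_agent": "python-requests/2.32.4", "rows_processed": 48213,
     "query": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'"},
    {"timestamp": "2025-08-15T11:02:55+00:00", "connected_app": DRIFT_APP_LABEL,
     "user_agent": "aiohttp/3.12.15", "rows_processed": 9120,
     "query": "SELECT Id, Name, Email FROM User"},
    # A benign-looking sync: outside the window, small, ordinary user agent.
    {"timestamp": "2025-07-30T09:00:00+00:00", "connected_app": DRIFT_APP_LABEL,
     "user_agent": "Drift-Sync/1.0", "rows_processed": 12,
     "query": "SELECT Id, Name FROM Lead WHERE LastModifiedDate = TODAY"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["timestamp"], "->", "; ".join(hit["reasons"]))
```

Two of the three constructed records are flagged; a single matching reason is enough to surface an event for analyst review, and the reasons list explains which indicators fired.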