
DATE NAME CATEGORY SUBCATEGORY INFO

28.2.25 Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data AI BIGBROTHER tl;dr We scanned Common Crawl - a massive dataset used to train LLMs like DeepSeek - and found ~12,000 hardcoded live API keys and passwords. This highlights a growing issue: LLMs trained on insecure code may inadvertently generate unsafe outputs.
28.2.25 Disrupting a global cybercrime network abusing generative AI AI CRIME In an amended complaint to recent civil litigation, Microsoft is naming the primary developers of malicious tools designed to bypass the guardrails of generative AI services, including Microsoft’s Azure OpenAI Service.
28.2.25 Angry Likho APT APT Angry Likho: Old beasts in a new forest
27.2.25 CleverSoar MALWARE Rootkit New “CleverSoar” Installer Targets Chinese and Vietnamese Users
27.2.25 ValleyRAT MALWARE RAT ValleyRAT Insights: Tactics, Techniques, and Detection Methods
27.2.25 Yodobashi Camera users targeted with a new phish wave ALERTS PHISHING In Japan, Yodobashi Camera Co., Ltd. is a major retail chain that sells electronics, PCs, cameras and photographic equipment. Recently, Symantec has observed a new wave of phish runs spoofing Yodobashi Camera services. The email content mentions that the customer information has been changed and entices the users to click on the phishing URL to confirm the change.
27.2.25 Vedalia APT group phishing campaign delivers RokRat malware across Asia ALERTS APT A phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia.
27.2.25 LightSpy: A new multi-platform Spyware variant targeting social media ALERTS VIRUS A multi-platform variant of the LightSpy spyware with an expanded list of command functionalities has been reported. It has shifted its focus from messaging apps to extracting data from social media platforms such as Facebook and Instagram, including messages, contacts and account metadata.
27.2.25 Updated TgToxic Android malware ALERTS VIRUS TgToxic is an infostealing malware that was first spread via phishing sites and compromised social media accounts. This new version of the TgToxic malware can be delivered through a single malicious SMS text.
27.2.25 New Snake Keylogger variant ALERTS VIRUS A new variant of the Snake Keylogger, also known as the 404 Keylogger, targeting Windows users has been observed. Snake Keylogger typically spreads via phishing emails containing a malicious attachment or URL. It targets popular web browsers (such as Chrome, Edge, Firefox, etc.), monitoring and logging keystrokes.
27.2.25 Threat actors spoof Sagawa Express services to steal credentials ALERTS OPERATION Symantec has identified a new wave of phishing attacks that impersonate Sagawa Express services to steal credentials. In this campaign, phishing emails are disguised as delivery notifications requesting an immediate update of the delivery address. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting.
27.2.25 FatalRAT malware distributed via Operation SalmonSlalom ALERTS VIRUS Operation SalmonSlalom is a new malicious campaign targeted at industrial organizations in the Asia-Pacific (APAC) region. The attackers have been leveraging various first- and second-stage loaders leading up to the infection with the FatalRAT final payload.
27.2.25 TraderTraitor GROUP GROUP TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
27.2.25 Winos 4.0 MALWARE MALWARE Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan
27.2.25 TgToxic MALWARE Android Android trojan TgToxic updates its capabilities
27.2.25 PolarEdge BOTNET BOTNET PolarEdge: Unveiling an uncovered ORB network
27.2.25 360XSS HACKING EXPLOIT 360XSS: Mass Website Exploitation via Virtual Tour Framework for SEO Poisoning
26.2.25 Fake DeepSeek websites lead to malware infections ALERTS VIRUS A number of DeepSeek-themed malware campaigns have been reported in the wild lately. DeepSeek is a recently released AI-powered chatbot, similar to the well-known ChatGPT. The attackers have been leveraging the growing popularity of the DeepSeek brand by creating a large number of fake DeepSeek websites and look-alike domains used to serve malicious payloads.
26.2.25 New Phishing Campaign Targets ANA Mileage Club Users ALERTS CAMPAIGN Symantec has detected a phishing campaign targeting Japanese users with fake All Nippon Airways (ANA) emails. The emails use the subject line:「ANAマイレージクラブ 重要なお知らせ - 事後登録手続きのお願い」(Translated: "ANA Mileage Club Important Notice - Request for Retroactive Registration Procedure")
26.2.25 Ghostwriter malicious campaign ALERTS CAMPAIGN Ghostwriter is a malicious campaign attributed to the UNC1151 (UAC-0057) threat group. The campaign is believed to have been actively running since at least 2016, with the latest iterations observed around November-December 2024. The campaign has been reported to target military and government organizations in Ukraine as well as activists in Belarus. The attackers are known to leverage Excel documents containing malicious VBA macros to initialize the attack. Later infection stages lead to execution of a downloader malware called PicassoDownloader, which has already been used in older campaigns linked to the same threat actors.
26.2.25 Black Basta Ransomware Playbook RANSOMWARE RANSOMWARE Defense Lessons From the Black Basta Ransomware Playbook
26.2.25 Auto-Color MALWARE Linux Auto-Color: An Emerging and Evasive Linux Backdoor
26.2.25 CVE-2023-34192 VULNERABILITY VULNERABILITY (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40)
26.2.25 CVE-2024-49035 VULNERABILITY VULNERABILITY (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024)
26.2.25 LightSpy MALWARE Spyware LightSpy Expands Command List to Include Social Media Platforms
26.2.25 UNC1151 GROUP GROUP UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence
25.2.25 UAC-0173 against the Notary of Ukraine (CERT-UA#13738) BATTLEFIELD UKRAINE BATTLEFIELD UKRAINE Since the second half of January 2025, the Government Computer Emergency Response Team of Ukraine CERT-UA has recorded renewed activity by the organized criminal group UAC-0173, which, on commission and for monetary reward, conducts cyberattacks to obtain covert remote access to notaries' computers with the aim of subsequently making unauthorized changes to state registers.

25.2.25 HiddenGh0st RAT MALWARE RAT Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign

25.2.25 GitVenom campaign CAMPAIGN CRYPTOCURRENCY The GitVenom campaign: cryptocurrency theft using GitHub

25.2.25 FatalRAT MALWARE RAT Backdoor delivered via an overly long infection chain to Chinese-speaking targets
25.2.25 CVE-2017-3066 VULNERABILITY VULNERABILITY (CVSS score: 9.8) - A deserialization vulnerability impacting Adobe ColdFusion in the Apache BlazeDS library that allows for arbitrary code execution. (Fixed in April 2017)
25.2.25 CVE-2024-20953 VULNERABILITY VULNERABILITY (CVSS score: 8.8) - A deserialization vulnerability impacting Oracle Agile PLM that allows a low-privileged attacker with network access via HTTP to compromise the system. (Fixed in January 2024)
24.2.25 SectopRAT variant distributed under the disguise of Chrome installer ALERTS VIRUS SectopRAT (aka ArechClient2) is a .NET based malware leveraged to steal sensitive information from the victim's machine. A new campaign delivering this malware has been observed in the wild. The attackers have been recently spreading this infostealing variant under the disguise of Google Chrome browser installer via abuse of the Google Ads platform. 
24.2.25 Lumma Stealer malware campaign targets educational institutions using malicious LNK files ALERTS VIRUS A malware campaign exploiting educational institutions' infrastructure to distribute Lumma Stealer has been reported. The attack begins with malicious LNK files disguised as PDF documents to lure victims. Once executed, these files trigger a multi-stage infection process ultimately deploying Lumma Stealer on compromised systems. The malware targets sensitive data including passwords, browser information and cryptocurrency wallet details. Advanced evasion techniques are used such as leveraging Steam profiles for C2 operations.
24.2.25 ACRStealer MALWARE Stealer ACRStealer Infostealer Exploiting Google Docs as C2
24.2.25 SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon PAPERS PAPERS Apple silicon is the proprietary ARM-based processor that powers the mainstream of Apple devices. The move to this proprietary architecture presents unique challenges in addressing security issues, requiring huge research efforts into the security of Apple silicon-based systems. In this paper, we study the security of KASLR, the randomization-based kernel hardening technique, on the state-of-the-art macOS system equipped with Apple silicon processors.
24.2.25 Targeted activity of UAC-0212 against developers and suppliers of industrial control system (ICS) solutions with the aim of carrying out cyberattacks on Ukraine's critical infrastructure facilities (CERT-UA#13702) BATTLEFIELD UKRAINE BATTLEFIELD UKRAINE As noted in last year's article, in the first quarter of 2024 the Government Computer Emergency Response Team of Ukraine CERT-UA uncovered a malicious plan to conduct destructive cyberattacks against the information and communication systems of around twenty enterprises in the energy, water supply and heat supply sectors (critical infrastructure facilities) in ten regions of Ukraine.
23.2.25 Cyber Threat Intelligence Annual Report 2024 REPORT REPORT Reflecting on the cyber security landscape of 2024, it is evident that the challenges organisations faced were unprecedented in scale and complexity
22.2.25 ThreatLabz 2024_Encrypted Attacks Report REPORT REPORT Encryption is a cornerstone of cybersecurity, safeguarding sensitive data and ensuring privacy in our increasingly interconnected world.
22.2.25 Earth Preta APT APT Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection
22.2.25 CVE-2025-26465 VULNERABILITY VULNERABILITY (CVSS score: 6.8) - The OpenSSH client contains a logic error between versions 6.8p1 and 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it. (Introduced in December 2014)
22.2.25 CVE-2025-26465 VULNERABILITY VULNERABILITY (CVSS score: 5.9) - The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 and 9.9p1 (inclusive) that causes memory and CPU consumption. (Introduced in August 2023)
22.2.25 CVE-2025-0108 VULNERABILITY VULNERABILITY (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
22.2.25 CVE-2024-53704 VULNERABILITY VULNERABILITY (CVSS score: 8.2) - An improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
22.2.25 Signals of Trouble BIGBROTHER BIGBROTHER Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
22.2.25 Censorship as a Service BIGBROTHER Service Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace
22.2.25 DeceptiveDevelopment CAMPAIGN Malware Cybercriminals have been known to approach their targets under the guise of company recruiters, enticing them with fake employment offers.
22.2.25 CVE-2018-0171 VULNERABILITY VULNERABILITY A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.
22.2.25 Darcula phishing-as-a-service PHISHING PAAS The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand
22.2.25 Deceptive Employment Scheme HACKING AI A network from North Korea linked to the fraudulent IT worker scheme that was involved in the creation of personal documentation for fictitious job applicants, such as resumés, online job profiles and cover letters, as well as coming up with convincing responses to explain unusual behaviors like avoiding video calls, accessing corporate systems from unauthorized countries or working irregular hours. Some of the bogus job applications were then shared on LinkedIn.
22.2.25 Sponsored Discontent HACKING AI A network likely of Chinese origin that was involved in the creation of social media content in English and long-form articles in Spanish that were critical of the United States, and subsequently published by Latin American news websites in Peru, Mexico, and Ecuador.
22.2.25 Romance-baiting Scam HACKING AI A network of accounts that was involved in the translation and generation of comments in Japanese, Chinese, and English for posting on social media platforms including Facebook, X and Instagram in connection with suspected Cambodia-origin romance and investment scams.
22.2.25 Iranian Influence Nexus HACKING AI A network of five accounts that was involved in the generation of X posts and articles that were pro-Palestinian, pro-Hamas, and pro-Iran, and anti-Israel and anti-U.S., and shared on websites associated with Iranian influence operations tracked as the International Union of Virtual Media (IUVM) and Storm-2035.
22.2.25 Kimsuky and BlueNoroff HACKING AI A network of accounts operated by North Korean threat actors that was involved in gathering information related to cyber intrusion tools and cryptocurrency-related topics, and debugging code for Remote Desktop Protocol (RDP) brute-force attacks
22.2.25 Youth Initiative Covert Influence Operation HACKING AI A network of accounts that was involved in the creation of English-language articles for a website named "Empowering Ghana" and social media comments targeting the Ghana presidential election
22.2.25 Task Scam HACKING AI A network of accounts likely originating from Cambodia that was involved in the translation of comments between Urdu and English as part of a scam that lures unsuspecting people into jobs performing simple tasks (e.g., liking videos or writing reviews) in exchange for earning a non-existent commission, accessing which requires victims to part with their own money.
22.2.25 NailaoLocker MALWARE Backdoor Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors
22.2.25 CVE-2024-24919 VULNERABILITY VULNERABILITY Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades.
22.2.25 Harvest OPERATION Hacking Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
22.2.25 Shadowpad MALWARE Backdoor Updated Shadowpad Malware Leads to Ransomware Deployment
22.2.25 CVE-2025-23209 VULNERABILITY VULNERABILITY Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.
22.2.25 Salt Typhoon GROUP APT Weathering the storm: In the midst of a Typhoon
20.2.2025 Phishing campaign disguises as ChatGPT Subscription ALERTS PHISHING In a recent phishing campaign observed by Symantec, emails disguised as "monthly subscription" notifications are being sent to targeted recipients. The subject lines often include keywords like "action required" or "Reminder", a common tactic to lure the recipient into opening the email. The body of the email claims that a $24 monthly subscription fee is required to access ChatGPT's premium features. To complete the payment, recipients are prompted to click on a phishing URL designed to steal their credentials.
20.2.2025 Core Ransomware - a new Makop variant ALERTS RANSOM Core ransomware is a new Makop malware variant recently found in the wild. The ransomware encrypts user files and appends the .core extension to them. The victim's unique ID and the developers' email address are also appended to the extension. The malware drops a ransom note in the form of a text file called "README-WARNING.txt". Core also has the capability to delete volume shadow copies and backup data on the infected endpoints, as well as functionality to modify registry entries to ensure its persistence on the machine.
20.2.2025 Ghost (aka Cring) Ransomware ALERTS RANSOM Symantec Security Response is aware of the recent joint alert from CISA, FBI and MS-ISAC concerning a number of recent campaigns distributing the Ghost (aka Cring) ransomware. The attackers behind this ransomware family are known to leverage exploitation of publicly disclosed vulnerabilities in an effort to access internet facing vulnerable servers. Some of the exploited vulnerabilities include but are not limited to: CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
20.2.2025 XingCode disguised malware exhibits XWorm characteristics ALERTS VIRUS Recently, malware samples were discovered disguised as XingCode software executables. XingCode is an anti-cheat software commonly used in online games to prevent cheating, hacking and unauthorized third-party tools. These malicious files contain embedded PowerShell scripts used to deobfuscate data. The files exhibit characteristics of XWorm malware with capabilities such as system manipulation, data exfiltration and keylogging designed to create persistence and evade detection.
20.2.2025 Rhadamanthys Infostealer campaign exploits MSC files and Console Taskpad ALERTS VIRUS Since mid-2024, there has been an increase in the distribution of MSC malware with campaigns observed exploiting the CVE-2024-43572 Microsoft Windows Management Console remote code execution (RCE) vulnerability. A campaign distributing the Rhadamanthys Infostealer has been observed with the malware disguised as MSC files. The newly identified MSC file belongs to the variant that executes the "command" command via Console Taskpad.
20.2.2025 Nigerian threat actor distributes XLogger malware ALERTS VIRUS A malware campaign by a Nigerian threat actor has been observed distributing XLogger malware. The campaign begins with harvesting email addresses using Google dorking techniques and setting up spoofed domains with bulletproof hosting. Users are lured through phishing emails crafted with ChatGPT containing RAR attachments with executable files. Upon execution, a PowerShell script decrypts the malware payload which then exfiltrates stolen data to a Telegram channel.
20.2.25 XLoader MALWARE Loader XLoader Executed Through JAR Signing Tool (jarsigner.exe)
20.2.25 CVE-2024-12284 VULNERABILITY VULNERABILITY Authenticated privilege escalation in NetScaler Console and NetScaler Agent allows.
20.2.25 CVE-2025-21355 VULNERABILITY VULNERABILITY (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability
20.2.25 CVE-2025-24989 VULNERABILITY VULNERABILITY (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability
20.2.25 StaryDobry MALWARE Cryptominer StaryDobry ruins New Year’s Eve, delivering miner instead of presents
20.2.25 Snake Keylogger MALWARE Keylogger FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant
20.2.25 JS to C2 MALWARE JavaScript javascript-to-command-and-control-c2-server-malware
20.2.25 WhatsApp account theft under the guise of voting for electronic petitions (CERT-UA#9565) BATTLEFIELD UKRAINE BATTLEFIELD UKRAINE The Government Computer Emergency Response Team of Ukraine CERT-UA reports malicious activity aimed at gaining access to WhatsApp.
20.2.25 Targeted cyberattacks by UAC-0185 against the Defence Forces and defence industry enterprises of Ukraine (CERT-UA#12414) BATTLEFIELD UKRAINE BATTLEFIELD UKRAINE On 04.12.2024 the Government Computer Emergency Response Team of Ukraine CERT-UA received information from MIL.CERT-UA specialists regarding the distribution of emails with the subject "до уваги_змiни_02-1-437 вiд 04.12.2024р.",
19.2.2025 ALERTS VIRUS In a recent report published by Palo Alto Networks, links to a variant of Bookworm malware were uncovered based on activity of the Fireant (aka Stately Taurus) group impacting Southeast Asian countries. Per the report, Bookworm is a modular Trojan first observed in 2015, with no previous group attribution. Original Bookworm malware leveraged DLL sideloading to decrypt and launch attacker shellcode. In more recent variants, the shellcode is formatted as UUID strings, which is then decoded into binary data and launched via legitimate API functions, discarding the use of sideloading altogether.
19.2.2025 ACR Stealer malware leverages Dead Drop Resolver (DDR) technique ALERTS VIRUS ACR Stealer is a C++-based infostealing malware variant discovered initially in early 2024. The malware is known to be advertised for sale in the form of a Malware-as-a-Service (MaaS) offering. ACR Stealer is believed to be an updated variant of an older infostealer called GrMsk Stealer. Functionality-wise, the malware targets collection and exfiltration of miscellaneous sensitive data including system information, credentials, browser cookies, configuration files of third-party apps, cryptocurrency wallets, etc.
18.2.2025 Recent RedCurl (aka EarthKapre) APT activity ALERTS APT RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging a legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain has been initiated via crafted PDF malspam leading to ZIP-compressed .img binaries. Upon execution/mounting of the .img file, a malicious .dll binary is sideloaded onto the compromised endpoint. After successful infection, the threat actors have been observed to execute the SysInternals Active Directory Explorer (AD Explorer) tool for data collection and later to utilize Cloudflare Workers infrastructure for C2 purposes.
18.2.25 FrigidStealer MALWARE MacOS An Update on Fake Updates: Two New Actors, and New Mac Malware
18.2.25 CVE-2025-21589 VULNERABILITY VULNERABILITY CVE-2025-21589
18.2.25 RevivalStone CAMPAIGN APT The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.
18.2.25 ELF/Sshdinjector.A!tr MALWARE Linux Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst
18.2.25 Earth Freybug’s CAMPAIGN Malware Stealth in the Shadows: Dissecting Earth Freybug’s Recent Campaign and Operational Techniques
18.2.25 DEATHLOTUS MALWARE Backdoor A passive CGI backdoor that supports file creation and command execution
18.2.25 UNAPIMON MALWARE Utility A defense evasion utility written in C++
18.2.25 PRIVATELOG MALWARE Rootkit A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer
18.2.25 CUNNINGPIGEON MALWARE Backdoor A backdoor that uses Microsoft Graph API to fetch commands – file and process management, and custom proxy – from mail messages
18.2.25 WINDJAMMER MALWARE Rootkit A rootkit with capabilities to intercept the TCP/IP Network Interface, as well as create covert channels with infected endpoints within the intranet
18.2.25 SHADOWGAZE MALWARE Backdoor A passive backdoor reusing listening port from IIS web server
18.2.25 CVE-2024-12510 VULNERABILITY VULNERABILITY (CVSS score: 6.7) - Pass-back attack via LDAP
18.2.25 CVE-2024-12511 VULNERABILITY VULNERABILITY (CVSS score: 7.6) - Pass-back attack via user's address book
18.2.25 Magento Credit Card Stealer Disguised in an <img> Tag CRIME CRIME In order to find this malicious code, we must first go to the infected website, add an item to the cart, and observe the page source at the end of the checkout process, once it is time to submit credit card details.
18.2.25 XCSSET MALWARE MacOS Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild.
18.2.25 Golang Backdoor MALWARE Backdoor Telegram Abused as C2 Channel for New Golang Backdoor
17.2.2025 CipherLocker Ransomware ALERTS RANSOM CipherLocker is a new ransomware variant identified in the wild. The malware encrypts user data and appends the .clocker extension to the locked files. The ransom note is dropped in the form of a text file called "README.txt" and contains instructions for the victims, including the attackers' email contact details. CipherLocker has the capability to delete both Volume Shadow copies and the backup files on the infected endpoints.
15.2.25 Storm-2372 GROUP Phishing Storm-2372 conducts device code phishing campaign
15.2.25 whoAMI Attack ATTACK Cloud whoAMI: A cloud image name confusion attack
15.2.25 Operation Marstech Mayhem OPERATION APT Lazarus Group’s Open-Source Trap: North Korea’s New Malware Tactic Targeting Developers and Crypto Wallets
15.2.25 RansomHub RANSOMWARE RANSOMWARE RansomHub Never Sleeps Episode 1: The evolution of modern ransomware
15.2.25 CVE-2025-1094 VULNERABILITY VULNERABILITY Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.
15.2.25 DEEP#DRIVE CAMPAIGN APT Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
15.2.25 RedMike EXPLOIT Vulnerability RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
15.2.25 CVE-2025-0108 VULNERABILITY VULNERABILITY CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface
15.2.25 BadPilot CAMPAIGN Operation The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
14.2.2025 Zhong Stealer malware spread via social engineering ALERTS VIRUS Zhong Stealer is a malware variant recently spread in a distribution campaign targeting fintech and cryptocurrency sectors. The attackers have been leveraging chat platforms to open tickets with various support teams and supplying .zip archives with malicious binaries to unsuspecting support staff. One of the payloads distributed this way was Zhong Stealer which is used by the threat actors to collect and exfiltrate confidential data such as credentials from the infected endpoints. 
14.2.2025 Vgod Ransomware ALERTS RANSOM Vgod is a new ransomware variant recently identified in the wild. Upon file encryption the malware appends .vgod extension to the encrypted files. The ransom note is dropped in form of a text file called “Decryption Instructions.txt” with the attackers asking the victims to contact them for decryption instructions. Vgod ransomware also changes the desktop wallpaper on the infected machine to indicate to the victim that the files have been encrypted.
14.2.2025 Lynx Ransomware, established in 2024 ALERTS RANSOM Lynx ransomware was first observed in mid-2024 and is believed to be a successor of INC ransomware, according to a recent report by Fortinet. Lynx has been observed targeting Windows systems across multiple industries around the world. Per the report, the United States has seen the majority of victims, while Canada and the United Kingdom are a distant second. Manufacturing and construction industries make up almost half of the victims.
14.2.2025 Xelera Ransomware ALERTS RANSOM Xelera is a Python-based ransomware variant recently distributed in campaigns targeting potential job applicants to the Food Corporation of India (FCI), which is a public sector company. The attackers leverage fake job description/notification documents to lure the potential victims. The campaign spreads PyInstaller executables containing both a Discord bot and ransomware components. The dropped Discord bot is used, among other things, for privilege escalation, system information exfiltration, locking down the system, and theft of credentials stored in web browsers. Alongside the deployment of the Xelera ransomware components, the attackers also utilize the MEMZ tool, which is an MBR corruption utility.
13.2.2025 DEEP#DRIVE attack campaign ALERTS CAMPAIGN DEEP#DRIVE is a recently discovered malicious campaign targeting enterprises, government entities and cryptocurrency users from South Korea. The attackers leverage phishing emails containing zip archives with shortcut .lnk files disguised as legitimate documents (in PDF, HWP or MS Office formats). Further attack stages rely on PowerShell script execution, establishing persistence on the targeted endpoints as well as download of Dropbox-hosted payloads.
13.2.2025 RevivalStone malware campaign deploys new Winnti variant ALERTS VIRUS A malware campaign dubbed RevivalStone has been identified targeting Japanese organizations in the manufacturing and energy sectors. The campaign is attributed to the China-linked APT group APT41 which is deploying a new variant of the infamous Winnti malware. The attack vector begins with the exploitation of SQL injection vulnerabilities in web-facing ERP systems allowing attackers to deploy web shells and gain initial access. Once inside the network, the threat actors deploy an updated version of Winnti malware which includes a rootkit for maintaining persistence and encrypted communication channels to avoid detection.
13.2.2025 Destiny Stealer ALERTS VIRUS There is no shortage of stealers in the threat landscape, and Destiny Stealer is a new one being advertised, with Symantec observing testing activities. This malware is a run-of-the-mill infostealer designed to harvest login credentials from web browsers and applications, exfiltrate specific file types like documents and images, and steal FTP credentials. Like many other stealers, it also targets cryptocurrency wallets such as Exodus, Blockchain.com, Binance, and MetaMask. Additionally, it gathers system information and monitors clipboard activity for sensitive data. Destiny Stealer follows the typical playbook of modern infostealers, incorporating generic anti-detection mechanisms.
13.2.2025 Phishing campaigns target Ukraine's banking sector with SmokeLoader malware ALERTS PHISHING Phishing campaigns specifically targeting Ukraine's automotive and banking sectors using SmokeLoader malware have been observed in the wild. One such campaign targets customers of PrivatBank, Ukraine’s largest state-owned bank. Users are lured with financial-themed documents such as fabricated invoices and account statements to increase interaction and compromise systems. The campaign leverages password-protected archives containing malicious JavaScript, VBScript and LNK files to evade detection. SmokeLoader malware is deployed via process injection and PowerShell execution with the goal of stealing credentials and financial data while maintaining persistent access to compromised systems.
13.2.2025 Library-ms files seen abused in recent malspam campaign ALERTS SPAM Symantec has recently observed a malspam campaign utilizing attached library-ms files. Library-ms files allow users to view the contents of multiple directories within a single File Explorer view. By creating legitimate-looking local File Explorer windows that point to remote WebDAV servers, threat actors serve malicious LNK files to unsuspecting victims. Once executed, the LNK file allows further infection with additional malware of the attackers' choice.
12.2.2025 CVE-2024-20767 - Path Traversal Vulnerability in Adobe ColdFusion ALERTS VULNEREBILITY In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe ColdFusion vulnerability CVE-2024-20767 to its Known Exploited Vulnerabilities (KEV) catalog. This "Path Traversal" flaw allows an attacker to bypass pathname restrictions, potentially leading to arbitrary file system reads. The vulnerability, with a CVSS score of 7.4, affects ColdFusion versions 2023.6, 2021.12 and earlier and requires an exposed admin panel for exploitation. Experts have noted the availability of a proof-of-concept (PoC) exploit code. Adobe has since released out-of-band security updates to mitigate this critical issue.
12.2.2025 FINALDRAFT malware discovered in REF7707 campaign ALERTS VIRUS A new malware variant named FINALDRAFT has been discovered as part of the REF7707 campaign targeting the Foreign Ministry of a South American nation. The malware exists in both Windows and Linux variants and leverages Microsoft's Graph API service for command and control operations. Additionally, the campaign utilizes PATHLOADER and GUIDLOADER malware to download and execute encrypted shellcode directly in memory.
11.2.2025 China-linked espionage tools used in ransomware attacks ALERTS RANSOM Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company. During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity.
11.2.2025 Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns ALERTS APT According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has recently been engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in an effort to distribute a new BackOrder loader variant. This new variant utilizes various LOLBin binaries as one of its defence evasion measures. The final payload spread in this campaign belongs to the Dark Crystal RAT (DcRAT) malware family and can be used by the threat actors for cyber espionage and sensitive data exfiltration.
11.2.2025 Cryptocurrency mining malware distributed via USB ALERTS CRYPTOCURRENCY Cryptocurrency mining malware has spread to victims through USB propagation in South Korea. In addition to persisting through USB infection, the malware modifies system settings to maximize infection and employs security bypass techniques. In particular, the CoinMiner malware employs techniques such as C2 server communications, DLL sideloading for execution bypass, detection evasion via Windows Defender exclusion settings, and disabling of hibernation for optimum mining performance.
10.2.25 Webflow CDN CAMPAIGN Phishing New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs
10.2.25 FINALDRAFT MALWARE Malware From South America to Southeast Asia: The Fragile Web of REF7707
10.2.25 NAPLISTENER MALWARE Malware NAPLISTENER: more bad dreams from developers of SIESTAGRAPH
10.2.25 CVE-2025-23359 VULNEREBILITY VULNEREBILITY NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system.
10.2.25 CVE-2025-21391 VULNEREBILITY VULNEREBILITY (CVSS score: 7.1) - Windows Storage Elevation of Privilege Vulnerability
10.2.25 CVE-2025-21418 VULNEREBILITY VULNEREBILITY (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
10.2.25 CVE-2024-38657 VULNEREBILITY VULNEREBILITY (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files
10.2.25 CVE-2025-22467 VULNEREBILITY VULNEREBILITY (CVSS score: 9.9) - A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution
10.2.25 CVE-2024-10644 VULNEREBILITY VULNEREBILITY (CVSS score: 9.1) - Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution
10.2.25 CVE-2024-47908 VULNEREBILITY VULNEREBILITY (CVSS score: 9.1) - Operating system command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution
10.2.25 CVE-2024-56131 VULNEREBILITY VULNEREBILITY (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request
10.2.25 CVE-2024-56132 VULNEREBILITY VULNEREBILITY (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request
10.2.25 CVE-2024-56133 VULNEREBILITY VULNEREBILITY (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request
10.2.25 CVE-2024-56135 VULNEREBILITY VULNEREBILITY (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request
10.2.25 CVE-2024-56134 VULNEREBILITY VULNEREBILITY (CVSS score: 8.4) - An improper input validation vulnerability that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to download the content of any file on the system via a carefully crafted HTTP request
10.2.25 CVE-2025-24200 VULNEREBILITY VULNEREBILITY An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device.
10.2.25 BadIIS MALWARE Malware This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment.
10.2.25 DragonRank GROUP Campaigns Trend Micro researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns.
10.2.25 CVE-2025-25064 VULNEREBILITY VULNEREBILITY SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter.
10.2.25 CVE-2024-57968 VULNEREBILITY VULNEREBILITY (CVSS score: 9.9) - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1)
10.2.25 CVE-2025-25181 VULNEREBILITY VULNEREBILITY (CVSS score: 5.8) - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available)
10.2.25 ASPXSpy MALWARE Malware ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.
10.2.25 Malicious ML models MALWARE AI Malicious ML models discovered on Hugging Face platform
10.2.25 ValleyRAT MALWARE RAT Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques
10.2.25 Sliver MALWARE Backdoor Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor
10.2.25 SparkCat MALWARE Android Take my money: OCR crypto stealers in Google Play and App Store
10.2.2025 China-Linked threat actors target IIS servers with BadIIS malware ALERTS VIRUS According to reports from Trend Micro, threat actors have been observed targeting Internet Information Services (IIS) servers as part of an SEO manipulation campaign designed to deploy BadIIS malware. The campaign, believed to be linked to China-based threat actors, specifically targets servers in Asia. As part of the attack, users are redirected to illegal gambling websites or rogue servers hosting malware or credential-harvesting pages, with the ultimate goal of financial gain.
10.2.2025 Astral Stealer malware ALERTS VIRUS Astral Stealer is an infostealing malware advertised as a fork of older malware strains dubbed Hazard Grabber and Wasp Stealer. Astral Stealer is used to collect and exfiltrate a wide variety of sensitive information including system information, credentials, banking-related data, web browser data, cookies, clipboard content, cryptocurrency wallets, third-party app data, files, tokens and others. The malware has capabilities for antivirus evasion and VM/sandbox environment detection, as well as some persistence mechanisms. Exfiltration of the collected data might happen over attacker-controlled command and control channels or via webhooks.
10.2.2025 SapphireRAT malware ALERTS VIRUS A new phishing campaign has been observed targeting Latin American organizations using fake judicial late fee receipts to distribute SapphireRAT malware. The threat actor provides detailed instructions on how to review and sign the relevant document in an attempt to add legitimacy to the email. However, these instructions include a URL that redirects the recipient to a malicious domain. This domain is specifically designed to host and deliver the SapphireRAT malware, furthering the attacker's objective of compromising the recipient's system.
10.2.2025 FinStealer mobile banking malware ALERTS VIRUS A new mobile malware variant dubbed FinStealer has been identified in the wild. Spread via phishing campaigns or unofficial mobile app repositories, the malware binaries are disguised as mobile apps impersonating legitimate banking institutions. FinStealer extracts banking information, credentials, credit card numbers and other PII (Personally Identifiable Information) from its victims. The malware is written in Kotlin, a cross-platform high-level programming language compatible with Java. The attackers exfiltrate the collected data via Telegram bots as well as via attacker-controlled C&C infrastructure.
10.2.2025 SparkCat: Cross-Platform malware targets Crypto Wallets via OCR on Android and iOS. ALERTS VIRUS A new malware campaign dubbed SparkCat has been discovered targeting both Android and iOS users through official and unofficial app stores, affecting users across Europe and Asia. The malware employs OCR technology to scan users' image galleries for cryptocurrency wallet recovery phrases. It leverages Google’s ML Kit for OCR and communicates with command-and-control (C2) servers using a custom Rust-based protocol.
07.2.2025 Old Telerik UI RCE vulnerability leveraged for JuicyPotatoNG distribution ALERTS VULNEREBILITY Exploitation of an almost six-year-old Telerik UI RCE vulnerability (CVE-2019-18935) has recently been observed in the wild. The flaw is a .NET JSON deserialization vulnerability affecting Telerik UI for ASP.NET AJAX which, if successfully exploited, could allow remote code execution. The attackers have been targeting vulnerable web servers in an effort to deliver malicious reverse shells alongside the JuicyPotatoNG privilege escalation tool. The attackers' efforts aim at reconnaissance of potential victims and collection of information about the targeted environments.
07.2.2025 FleshStealer malware ALERTS VIRUS FleshStealer is a new infostealer variant recently identified in the wild. The malware targets Chromium-based web browsers for information extraction (including passwords, cookies, etc.). Other infostealing functionalities allow this malware to perform cryptowallet theft as well as exfiltration of two-factor authentication (2FA) passwords or Wi-Fi network credentials. FleshStealer features advanced encryption mechanisms as well as detection capabilities for the presence of debugging tools or VM environments. Sale of this malware has been promoted by threat actors via the Telegram and Discord platforms.
07.2.2025 Infostealers targeting macOS on the rise ALERTS VIRUS A recent report from Unit42 by Palo Alto Networks highlights a surge in infostealer activity on macOS. The report identifies three particular malware families, Atomic Stealer, Cthulhu Stealer, and Poseidon Stealer, as some of the most prevalent examples. All three families are sold as malware-as-a-service.
07.2.2025 CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine ALERTS VULNEREBILITY According to a recent report from Trend Micro, a zero-day vulnerability in 7-Zip identified as CVE-2025-0411 has been exploited in a cyberespionage campaign targeting Ukrainian organizations. This vulnerability allows attackers to bypass Windows Mark-of-the-Web protections by double-archiving files, thereby evading essential security checks and enabling the execution of malicious content. Russian-linked threat actor groups have actively leveraged this flaw through spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users into executing the malicious files.
06.2.2025 North Korean hackers deploy FlexibleFerret malware to target macOS developers ALERTS VIRUS A newly discovered malware strain dubbed FlexibleFerret has been identified as part of an ongoing North Korean Contagious Interview campaign. In this attack, threat actors trick victims into installing malware disguised as meeting software updates like VCam or Chrome during the job interview process. Unlike other variants of the macOS malware family, FlexibleFerret was signed with a valid Apple Developer signature and Team ID, and contains other elements that make it appear to be legitimate software. This appearance of legitimacy helps the malware establish persistence, enabling remote access and leading to cryptocurrency theft.
5.2.25 Trimble Cityworks VULNEREBILITY ICS Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
5.2.25 Privacy Flaws in DeepSeek iOS Mobile App BIGBROTHER AI NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App
5.2.25 RDP Wrapper MALWARE Wrapper Persistent Threats from the Kimsuky Group Using RDP Wrapper
5.2.25 CVE-2025-20124 VULNEREBILITY VULNEREBILITY (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
5.2.25 CVE-2025-20125 VULNEREBILITY VULNEREBILITY (CVSS score: 9.1) - An authorization bypass vulnerability in an API of Cisco ISE that could permit an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node
5.2.25 LinkedIn Recruiting Scam SPAM APT Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam
5.2.25 Silent Lynx APT APT Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations
5.2.25 CVE-2025-23114 VULNEREBILITY VULNEREBILITY A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.
5.2.25 AsyncRAT MALWARE RAT AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
5.2.25 CVE-2025-0411 VULNEREBILITY VULNEREBILITY 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip.
5.2.25 CVE-2025-0411 HACKING VULNEREBILITY CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
5.2.25 HTTP Client Tools Exploitation EXPLOIT HTTP HTTP Client Tools Exploitation for Account Takeover Attacks
5.2.25 CVE-2024-45195 VULNEREBILITY VULNEREBILITY (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
5.2.25 CVE-2024-29059 VULNEREBILITY VULNEREBILITY (CVSS score: 7.5) - An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
5.2.25 CVE-2018-9276 VULNEREBILITY VULNEREBILITY (CVSS score: 7.2) - An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
5.2.25 CVE-2018-19410 VULNEREBILITY VULNEREBILITY (CVSS score: 9.8) - A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)
5.2.25 FERRET MALWARE macOS macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
5.2.25 CVE-2024-56161 VULNEREBILITY VULNEREBILITY Loss of the SEV-based protection of a confidential guest.
5.2.25 CVE-2025-21396 VULNEREBILITY VULNEREBILITY (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability
5.2.25 CVE-2025-21415 VULNEREBILITY VULNEREBILITY (CVSS score: 9.9) - Azure AI Face Service Elevation of Privilege Vulnerability
5.2.25 CVE-2024-53104 VULNEREBILITY VULNEREBILITY (CVSS score: 7.8) - Described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver.
5.2.25 boltdb-go MALWARE GO Backdoor Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
5.2.25 Coyote Banking Trojan MALWARE Banking Coyote Banking Trojan: A Stealthy Attack via LNK Files
5.2.25 Crazy Evil CRYPTOCURRENCY SPAM "Crazy Evil" Cryptoscam Gang: Unmasking a Global Threat in 2024
5.2.25 Memcached DDoS attack ATTACK DDoS Memcached can speed up websites, but a memcached server can also be exploited to perform a DDoS attack.
5.2.25 CVE-2025-0626 VULNEREBILITY VULNEREBILITY Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.
5.2.25 CVE-2024-12248 VULNEREBILITY VULNEREBILITY (CVSS v4 score: 9.3) - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution
5.2.25 CVE-2025-0683 VULNEREBILITY VULNEREBILITY (CVSS v4 score: 8.2) - A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor
05.2.2025 MMS phishing campaign targeting users with fake shipping PDFs ALERTS PHISHING A phishing campaign has recently been reported targeting users with MMS messages carrying attached PDFs. The messages attempt to spoof popular delivery services in order to convince victims to open the attached PDF. When the PDF is opened, the victim is prompted with a screen requesting that they 'unlock' the file by visiting a malicious page controlled by the attackers and entering their credentials.
05.2.2025 CVE-2024-52875 - KerioControl CRLF injection vulnerability ALERTS VULNEREBILITY CVE-2024-52875 is a recently discovered critical CRLF injection vulnerability affecting the GFI KerioControl network security solution in versions 9.2.5 through 9.4.5. Successful exploitation of this flaw might allow attackers to inject malicious JavaScript code, leading to CSRF token theft and arbitrary code execution within the context of the vulnerable application. According to recently published reports, the vulnerability has been actively exploited in the wild. The product vendor has already released patch version "9.4.5 Patch 1" to address this vulnerability.
05.2.2025 CVE-2023-48365 - Qlik Sense HTTP Tunneling vulnerability reported as exploited in the wild ALERTS VULNEREBILITY CVE-2023-48365 is a bypass of the original fix for an older flaw, CVE-2023-41265, in the Qlik Sense Enterprise product. The vulnerability might allow unauthenticated attackers to perform remote code execution even after the patches for the CVE-2023-41265 and CVE-2023-41266 flaws have been applied. The product vendor has already released a new patch addressing this bypass with an updated filtering mechanism that is less prone to HTTP request tunneling attacks. This vulnerability has just recently been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following reports of in-the-wild exploitation.
04.2.2025 CVE-2024-57727 - SimpleHelp Directory Traversal vulnerability ALERTS VULNEREBILITY CVE-2024-57727 is a high severity (CVSS score 7.5) directory traversal vulnerability affecting SimpleHelp remote support software in version 5.5.7 or older. If successfully exploited the flaw might allow unauthenticated attackers to download arbitrary files from the SimpleHelp servers, including configuration files containing hashed passwords for the SimpleHelpAdmin account or other accounts.
03.2.2025 Attack Campaign targets Brazilian financial sector with Coyote Banking Trojan ALERTS VIRUS A multi-stage attack campaign leveraging LNK files to deploy the Coyote Banking Trojan has been reported, primarily targeting Brazilian financial applications. As part of the attack vector the malware uses PowerShell commands, shellcode injection and registry modifications to maintain persistence and evade detection. The malware has capabilities such as keylogging, screenshot capture and displaying phishing overlays. It monitors user activity, steals sensitive data from targeted websites and exfiltrates it to the attacker's C2 servers.