Attackers aren’t waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden.
This week’s events show a hard truth: it’s not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world where AI tools can be used against you and ransomware hits faster than ever, real protection means planning for things to go wrong — and still staying in control.
Check out this week’s update to find important threat news, helpful webinars, useful tools, and tips you can start using right away.
⚡ Threat of the Week
Windows 0-Day Exploited for Ransomware Attacks — A security affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets, Microsoft revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerability that could allow an attacker to obtain SYSTEM privileges. An exploit for the vulnerability has been found to be delivered via a trojan called PipeMagic, with the unknown threat actors, tracked by Microsoft as Storm-2460, conducting credential harvesting and dropping a ransomware payload as part of post-compromise exploitation activities. The exact nature of the payload is unclear, however, the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family. CVE-2025-29824 was addressed by Microsoft as part of its Patch Tuesday update for April 2025.
🔔 Top News
ESET Flaw Exploited to Deliver New TCESB Malware — The China-aligned advanced persistent threat (APT) group China-aligned ToddyCat has exploited a vulnerability in ESET’s antivirus software to silently execute a malicious payload called TCESB on infected devices. The dynamic link library (DLL) search order hijacking vulnerability (CVE-2024-11859) was patched in January after responsible disclosure. DLL search order hijacking is a kind of vulnerability that occurs when an application searches and loads a required DLL in an insecure order, such as starting with the current directory rather than a trusted system directory. In such instances, an attacker can try to trick the application into loading a malicious DLL as opposed to its legitimate counterpart. Once executed, TCESB reads the running kernel version and disables notification routines, installs a vulnerable driver for defense evasion, and launches an unspecified payload.
Fortinet Warns of Hackers Retaining Access to Patched FortiGate VPNs Using Symlinks — Fortinet revealed that threat actors have found a way to maintain read-only access to FortiGate devices even after the initial access vector used to breach the devices was patched. “This was achieved via creating a symbolic link (aka symlink) connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN,” the company said. Fortinet has released patches to eliminate the behavior.
AkiraBot Leans on OpenAI Models to Flood Sites with SEO Spam — An artificial intelligence (AI) powered platform called AkiraBot is being used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. The platform relies on OpenAI API to generate a customized outreach message based on the contents of the website. As many as 80,000 websites have been successfully spammed by the tool since September 2024. In response to the findings, OpenAI has disabled the API key used by the threat actors.
Gamaredon Uses Removable Drives to Distribute GammaSteel Malware — The Russia-linked threat actor known as Gamaredon targeted a foreign military mission based in Ukraine to deliver an updated version of a known malware called GammaSteel using what appears to be an already infected removable drive. The attack paves the way for a reconnaissance utility and an improved version of GammaSteel, an information stealer that’s capable of exfiltrating files from a victim based on an extension allowlist from the Desktop and Documents folders.
Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Portals — Palo Alto Networks has disclosed that it’s observing brute-force login attempts against PAN-OS GlobalProtect gateways. It also noted that its activity monitoring the situation to determine its potential impact and identify if mitigations are necessary. The development came in response to an alert from GreyNoise about a spike in suspicious login scanning activity aimed at PAN-OS GlobalProtect portals since March 17, 2025.
Trending CVEs
Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-3102 (OttoKit plugin), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-30406 (Gladinet CentreStack), CVE-2025-29824 (Windows Common Log File System), CVE-2024-48887 (Fortinet FortiSwitch), CVE-2024-53150, CVE-2024-53197 (Google Android), CVE-2025-2945 (pgAdmin), CVE-2025-2244 (Bitdefender GravityZone), CVE-2025-31334 (WinRAR), CVE-2025-30401 (WhatsApp for Windows), CVE-2025-23120 (Rockwell Automation Industrial Data Center), CVE-2025-25211, CVE-2025-26689 (Inaba Denki Sangyo CHOCO TEI WATCHER), CVE-2024-4872, CVE-2024-3980 (Hitachi Energy MicroSCADA Pro/X SYS600), CVE-2025-2636 (InstaWP Connect – 1-click WP Staging & Migration plugin), CVE-2025-3439 (Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin), and CVE-2025-31565 (WPSmartContracts plugin).
📰 Around the Cyber World
Bulletproof Hosting Service Provider Medialand Exposed — A bulletproof hosting service provider named Medialand has been exposed likely by the same actors behind the leak of Black Basta chat logs in February 2025. According to PRODAFT, Medialand has been linked to Yalishanda (LARVA-34), with the service playing a key role in enabling a wide range of cybercriminal operations, including hosting ransomware infrastructure for Black Basta, malware C2 servers, code-signing systems, phishing kits, data exfiltration panels, data leak sites. Leaked internal data reveals a treasure trove of information about who bought servers, who paid (including via cryptocurrency), and possibly personally identifiable information (PII), not to mention allow defenders to correlate indicators of compromise (IoCs) and improve attribution efforts. The Black Basta chat dataset shed light on the group’s “internal workflows, decision-making processes, and team dynamics, offering an unfiltered perspective on how one of the most active ransomware groups operates behind the scenes,” Trustwave said. The discussions also revealed the group targeting individuals based on gender dynamics, assigning female callers to male victims and male operators to female targets. Furthermore, they also expose the threat actor’s pursuit of security flaws and stockpiling them by paying premium prices to acquire zero-day exploits from exploit brokers to gain a competitive edge.
Arabic-Speaking Threat Actor Targets South Korea with ViperSoftX — Suspected Arabic-speaking threat actors have been observed distributing ViperSoftX malware targeting South Korean victims since April 1, 2025. Often distributed via cracked software or torrents, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts, as well as deliver additional payloads like Quasar RAT and TesseractStealer. In the attacks detected by AhnLab, the malware has been found to serve a malicious PowerShell script that drops PureCrypter and Quasar RAT.
Irish Data Protection Watchdog Probes X — Ireland’s data privacy regulator has opened an investigation into X over its processing of personal data from publicly accessible posts shared on the social network for purposes of training its artificial intelligence models, particularly Grok. “The inquiry will examine compliance with a range of key provisions of the GDPR, including with regard to the lawfulness and transparency of the processing,” the Data Protection Commission (DPC) said. “The purpose of this inquiry is to determine whether this personal data was lawfully processed in order to train the Grok LLMs.” X previously X agreed to stop training its AI systems using personal data collected from E.U. users.
Flaws Uncovered in Perplexity’s Android App — An analysis of Perplexity AI’s Android app has uncovered a set of 11 flaws, including hard-coded API keys, cross-origin resource sharing (CORS) misconfigurations, lack of SSL pinning, unsecured network configuration, tapjacking, and susceptibility to known flaws like Janus and StrandHogg, exposing users of the app to risks such as data theft, account takeovers, and reverse engineering attacks. “Hackers can exploit these vulnerabilities to steal your personal data, including sensitive login credentials,” AppKnox said in a report shared with The Hacker News. “The app lacks protections against hacking tools, leaving your device vulnerable to remote attacks.” Similar flaws were also identified in DeepSeek’s Android app earlier this year.
Tycoon 2FA Phishing Kit Receives New Updates — The latest version of the phishing kit known as Tycoon 2FA has adopted new evasion techniques that allow it to slip past endpoints and detection systems. “These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection,” Trustwave said. “HTML5-based visuals like the custom CAPTCHA can mislead users and add legitimacy to phishing attempts. Unicode and Proxy-based obfuscation can delay detection and make static analysis more difficult.” The development comes as the cybersecurity company said it has identified a dramatic increase in phishing attacks using malicious Scalable Vector Graphics (SVG) files, driven by PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA. “SVG-based attacks have sharply pivoted toward phishing campaigns, with a staggering 1,800% increase in early 2025 compared to data collected since April 2024,” it said.
China Reportedly Admits to Directing Cyber Attacks on US Critical Infra — Chinese officials have acknowledged in a secret meeting in December 2024 that it was behind a series of cyber attacks aimed at U.S. critical infrastructure, a cluster of activity that’s known as Volt Typhoon, the Wall Street Journal reported, citing, people familiar with the matter. The attacks are said to have been conducted in response to increasing U.S. policy support for Taiwan. China had previously claimed the Volt Typhoon to be a disinformation campaign from the West.
AWS Debuts Support for ML-KEM in KMS, ACM, and Secrets Manager — Amazon Web Services (AWS) has announced support for Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for hybrid post-quantum key agreement in Key Management Service (AWS KMS), Certificate Manager (ACM), and Secrets Manager. “These three services were chosen because they are security-critical AWS services with the most urgent need for post-quantum confidentiality,” Amazon said. “With this, customers can bring secrets into their applications with end-to-end post-quantum enabled TLS.” The development comes as the OpenSSL Project released version 3.5.0 of its widely used cryptographic library with support for post-quantum cryptography (PQC) algorithms ML-KEM, ML-DSA, and SLH-DSA.
Exploitation Attempts Against TVT DVRs Surge — Threat intelligence firm GreyNoise is warning of a 3x spike in exploitation attempts against TVT NVMS9000 DVRs as part of what’s suspected to be malicious activity designed to rope the devices into the Mirai botnet. The attacks exploit an information disclosure vulnerability (no CVE) that can be used to gain administrative control over affected systems. The surge in attacks began on March 31, 2025, with over 6,600 unique IP addresses, mainly from Taiwan, Japan, and South Korea, targeting systems located in the United States, United Kingdom, and Germany, attempting to exploit the flaw over the past 30 days.
GitHub Announces General Availability of Security Campaigns — GitHub has announced the general availability of Security Campaigns, a new feature that aims to streamline the vulnerability remediation process using Copilot Autofix to generate code suggestions and resolve issues. The aim, per the Microsoft-owned platform, is to reduce security debt and quickly address problems lurking in existing codebases. “Using Copilot Autofix to generate code suggestions for up to 1,000 code scanning alerts at a time, security campaigns help security teams take care of triage and prioritization, while you can quickly resolve issues using Autofix – without breaking your development momentum,” GitHub said.
Watch Out for SMS Pumping — Threat hunters are calling attention to a cybercrime tactic called SMS pumping fraud that exploits SMS verification systems (e.g., OTP requests or password resets) to generate excessive message traffic using fake or automated phone numbers, incurring businesses additional costs or disruptions. Such schemes employ automated bots or low-skilled workforce to trigger fake account creation and OTP requests, which send SMS messages to phone numbers controlled by the threat actor. “The fraudster collaborates with a ‘rogue party,’ often a corrupt telecom provider or intermediary with access to SMS routing infrastructure,” Group-IB said. “The rogue party intercepts the inflated SMS traffic, typically avoiding message delivery to reduce costs. Instead, they route the traffic to numbers they control.”
Routers Among the Most Riskiest Devices in Enterprise Networks — According to data compiled by Forescout, network-related equipment such as routers have emerged as the riskiest category of IT devices. “Driven by increased threat actor focus, adversaries are rapidly exploiting new vulnerabilities in these devices through large-scale attack campaigns,” the company said. The retail sector has the riskiest devices on average, followed by financial services, government, healthcare, and manufacturing. Spain, China, the United Kingdom, Qatar, and Singapore are the top five countries with the riskiest devices on average. “To effectively defend this evolving attack surface, organizations must adopt modern security strategies that address risk across all device categories,” Forescout said. “As threat actors continue shifting their focus away from traditional endpoints, they increasingly target less-protected devices that offer easier initial access.”
Spanish Authorities Arrest 6 for AI-Powered Investment Scam — The National Police of Spain has arrested six individuals aged between 34 and 57 behind a large-scale cryptocurrency investment scam that used AI tools to generate deepfake ads featuring popular public figures to deceive people, defrauding 208 victims worldwide of €19 million ($21.6 million). More than €100,000 of the total money defrauded from the victims has been frozen as part of the operation codenamed COINBLACK – WENDIMINE. “The modus operandi used to carry out this scam consisted of inserting ads on different web pages as a hook related to investments in cryptocurrencies,” the National Police said. “The victims were not selected at random, but, through algorithms, they selected those people whose profile fit into what cybercriminals were looking for.” The investment scam involved inserting ads on web pages and social media networks and using AI tools to falsely claim endorsements from famous personalities so as to entice the targets into making the investments. Some aspects of the scam were detailed by ESET in December 2024, which codenamed the campaign Nomani.
Oracle Says Hack Affected “Obsolete Servers” — Oracle has confirmed that a hacker stole and leaked credentials that were stolen from what it described as “two obsolete servers.” However, the company downplayed the severity of the breach and insisted its cloud infrastructure (OCI) was not compromised and that no customer data and services were impacted by the incident. “A hacker did access and publish user names from two obsolete servers that were never a part of OCI,” it said in an email notification. “The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data.” It’s not known how many customers were affected.
Atlas Lion Uses New Tactics in Attacks Targeting Retailers — The Moroccan threat actor known as Atlas Lion (aka Storm-0539) has been observed using stolen credentials to enroll attacker-controlled VMs into an organization’s domain, per cybersecurity firm Expel. Known for its extensive understanding of the cloud, the group’s primary goal appears to be redeeming or reselling the stolen gift cards they obtain during their attack campaigns.
U.S. Treasury OCC Says Hackers Had Access to 150,000 Emails — The Treasury Department’s Office of the Comptroller of the Currency (OCC) revealed in February 2025 that it “identified, isolated and resolved a security incident involving an administrative account in the OCC email system.” As a result, a limited number of affected administrative accounts were identified and disabled. “There is no indication of any impact to the financial sector at this time,” the OCC said at the time. Now, in an update, the OCC has classified the breach as a “major incident,” adding “the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.” Bloomberg reported that the unidentified threat actors behind the hack broke into an email system administrator’s account and gained access to over 150,000 emails from May 2023 after intercepting about 103 bank regulators’ emails.
🎥 Cybersecurity Webinars
1️⃣ Learn to Detect and Block Hidden AI Tools in Your SaaS Stack — AI tools are quietly connecting to your SaaS apps — often without Security’s knowledge. Sensitive data is at risk. Manual tracking won’t keep up.
In this session, learn:
How AI tools are exposing your environment
Real-world examples of AI-driven attacks
How Reco helps detect and respond automatically
Join Dvir Sasson from Reco to get ahead of hidden AI threats.
2️⃣ Learn How to Secure Every Step of Your Identity Lifecycle — Identity is your new attack surface. AI-powered impersonation and deepfakes are breaking traditional defenses. Learn how to secure the full identity lifecycle — from enrollment to daily access to recovery — with phishing-resistant MFA, device trust, and Deepfake Defense™.
Join Beyond Identity and Nametag to stop account takeovers before they start.
🔧 Cybersecurity Tools
CAPE (Config and Payload Extraction) — CAPE is a powerful malware sandbox that runs suspicious files in a safe Windows environment and digs much deeper than traditional tools. It not only tracks file changes, network traffic, and memory dumps but also automatically unpacks hidden payloads, extracts malware settings, and defeats tricks used to avoid detection. With smart use of YARA rules and a built-in debugger, CAPE gives threat hunters and analysts a faster, clearer way to uncover what malware is really doing.
MCP-Scan — It is an open-source security tool that checks your MCP servers for hidden risks like prompt injections, tool poisoning, and cross-origin attacks. It scans popular setups like Claude, Cursor, and Windsurf, detects tampering in tool descriptions, and helps catch silent changes that could compromise your environment. With built-in protections like tool pinning and Invariant Guardrail checks, MCP-Scan gives developers and security teams a fast, reliable way to spot vulnerabilities before attackers can use them.
🔒 Tip of the Week
Monitoring for Unauthorized Account Activations — Attackers are using a clever trick to stay hidden inside networks: reactivating the built-in Windows Guest account. Normally, this account is disabled and ignored by system admins. But when attackers enable it and set a new password, it blends in as part of the system — making it easy for them to quietly log in, escalate privileges, and even access devices remotely through RDP. Since the Guest account looks normal at first glance, many security teams miss it during reviews.
To catch this tactic early, monitor your security logs closely. Set alerts for Event ID 4722 — this signals when any disabled account is reactivated, including Guest. Also track the use of native Windows tools like net.exe, wmic, and PowerShell for any commands that modify accounts. Pay special attention to any Guest account being added to privileged groups like Administrators or Remote Desktop Users. Cross-check with your endpoint protection or EDR tools to spot changes outside normal maintenance windows.
If you find an active Guest account, assume it’s part of a larger breach. Check for signs of hidden accounts, unauthorized remote access tools, and changes to RDP settings. Regular threat hunting — even just checking that all default accounts are truly disabled — can break an attacker’s persistence before they move deeper into your environment.
Conclusion
Every breach, every evasion technique, and every new tool attackers use is also a learning opportunity. If you’re in cybersecurity today, your advantage isn’t just your tech stack — it’s how quickly you adapt.
Take one tactic you saw in this week’s update — privilege escalation, AI misuse, stealth persistence — and use it as a reason to strengthen a weak spot you’ve been putting off. Defense is a race, but improvement is a choice.
Source link
