CISA has added a critical zero-day vulnerability affecting Samsung mobile devices to its Known Exploited Vulnerabilities catalog, warning that threat actors are actively exploiting the flaw in real-world attacks.
The vulnerability, tracked as CVE-2025-21042, is an out-of-bounds write vulnerability in the libimagecodec.quram.so library on Samsung mobile devices.
This security flaw allows remote attackers to execute arbitrary code on vulnerable devices without user interaction, making it particularly dangerous and prone to widespread exploitation.
Samsung 0-Day RCE Vulnerability Exploited
The vulnerability is classified under CWE-787, which represents out-of-bounds write flaws that can lead to memory corruption and unauthorized code execution.
CISA has confirmed that attackers are leveraging this zero-day to compromise Samsung smartphones; however, specific details about the attack campaigns remain limited.
CISA’s decision to add CVE-2025-21042 to the KEV catalog on November 10, 2025, signals that federal agencies have confirmed active exploitation attempts targeting this vulnerability.
While it remains unknown whether the flaw has been weaponized in ransomware campaigns, the remote code execution capability poses significant risks to both individual users and enterprise environments.
| CVE ID | Description | Impact | CWE |
| --- | --- | --- | --- |
| CVE-2025-21042 | Out-of-Bounds Write Vulnerability in libimagecodec.quram.so | Remote Code Execution (RCE) | CWE-787 |
Exploiting the vulnerability could enable attackers to gain complete control of affected devices, potentially leading to data theft, surveillance, or the use of compromised smartphones as entry points into corporate networks.
Federal agencies must apply security patches and mitigations by December 1, 2025, according to CISA’s Binding Operational Directive 22-01.
Samsung users across all sectors should immediately check for available security updates and install them without delay.
Organizations that cannot immediately patch vulnerable devices should implement compensating controls or consider discontinuing use until fixes become available.
Samsung’s September 2025 patch for CVE-2025-21043 addressed a related zero-day in the same library.
Users should remain vigilant and only download applications from trusted sources while monitoring their devices for suspicious activity.
A sophisticated wave of ransomware attacks targeting UK organizations has emerged in 2025, exploiting vulnerabilities in the widely-used SimpleHelp Remote Monitoring and Management platform.
Two prominent ransomware groups, Medusa and DragonForce, have weaponized three critical vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to gain unauthorized access through trusted third-party vendors and Managed Service Providers.
The attack campaigns demonstrate a concerning shift in ransomware tactics, where threat actors compromise supplier-controlled RMM infrastructure rather than directly targeting victim organizations.
By exploiting unpatched SimpleHelp instances running with SYSTEM-level privileges, attackers achieved comprehensive control over downstream customer networks with minimal resistance.
This supply chain approach allows adversaries to bypass traditional perimeter defenses and leverage the inherent trust between organizations and their service providers.
Zensec security researchers identified these coordinated campaigns after investigating multiple intrusions across the first and second quarters of 2025.
The Medusa ransomware group struck first in Q1 2025, deploying their malicious payloads through compromised MSP environments.
Following a similar playbook, DragonForce launched their offensive in Q2 2025, targeting organizations through the same vulnerable RMM infrastructure.
Blog site (Source – Zensec)
Both groups demonstrated advanced operational capabilities, combining automated deployment tools with hands-on keyboard techniques to maximize impact.
The financial and operational consequences have been severe for affected organizations. Beyond system encryption, both threat actor groups engaged in double extortion tactics, exfiltrating sensitive corporate data before deploying ransomware.
Victims faced not only the immediate disruption of encrypted systems but also the threat of data exposure on dark web leak sites, compelling organizations to navigate complex decisions regarding ransom payments and public disclosure.
Attack Execution and Defense Evasion Techniques
Once inside victim networks through the compromised SimpleHelp platform, both ransomware groups deployed sophisticated toolsets to disable security protections and establish persistence.
Medusa Blog (Source – Zensec)
The Medusa group leveraged PDQ Deploy to push PowerShell commands that systematically dismantled Microsoft Defender protections across the environment.
The attackers executed base64-encoded commands to add exclusion paths and disable real-time monitoring.
The encoded PowerShell payload was delivered through PDQ Deploy; the decoded version reveals the defense-disabling commands.
The threat actors also made specific modifications to the Defender exclusion list.
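As an added example (not code from the Zensec report), the following Python check is one a defender could run over process command lines collected from endpoints: it decodes PowerShell `-EncodedCommand` payloads (base64 of UTF-16LE text) and flags the `Set-MpPreference` / `Add-MpPreference` calls that disable real-time monitoring or add exclusions. The sample command lines below are constructed for the demonstration.

```python
import base64
import re
from typing import List, Optional, Tuple

def _encode(ps: str) -> str:
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed sample command lines mimicking the PDQ-Deploy-pushed PowerShell
# described above (first line) next to benign activity (the rest).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode(
        'Add-MpPreference -ExclusionPath "C:\\Windows\\Temp"; '
        "Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -Command Get-Process",
    "powershell.exe -enc " + _encode("Get-MpComputerStatus"),
]

# Cmdlet/parameter pairs that weaken Microsoft Defender
SUSPICIOUS = re.compile(
    r"(Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+)",
    re.IGNORECASE)

# Short and long spellings of the encoded-command switch; longest first
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid payload; treat as plain text

def find_defender_tampering(cmdline: str) -> List[str]:
    """Return matching tampering fragments from the plain or decoded text."""
    text = decode_encoded_command(cmdline) or cmdline
    return [m.group(0) for m in SUSPICIOUS.finditer(text)]

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every command line that tampers with Defender."""
    hits = []
    for i, line in enumerate(lines):
        found = find_defender_tampering(line)
        if found:
            hits.append((i, found))
    return hits

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {found}")
```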
The Medusa group deployed their ransomware payload, identified as “Gaze.exe,” alongside specialized drivers including Smuot.sys and CSAgent.sys to further inhibit antivirus products.
Researchers have linked these drivers to the Abyssworker toolkit, a known security evasion framework.
DragonForce operators took a different approach, creating local administrator accounts named “admin” and installing AnyDesk for persistent remote access.
They also targeted Veeam backup servers using the Get-Veeam-Creds.ps1 script to extract plaintext credentials from SQL password stores, effectively compromising backup recovery capabilities.
Data exfiltration methods varied between the groups. Medusa utilized RClone, cleverly renamed to “lsp.exe” to evade detection signatures, with filtering parameters designed to transfer files under 1500MB and older than 1500 days.
DragonForce employed Restic, an open-source backup tool, to transfer stolen data to Wasabisys S3-compatible cloud storage endpoints.
Following encryption, Medusa systems displayed the “.MEDUSA” file extension with ransom notes titled “!!!READ_ME_MEDUSA!!!.txt,” while DragonForce appended “*.dragonforce_encrypted” extensions and left “readme.txt” notes on affected machines.