Volvo Group has disclosed that a recent ransomware attack on its human resources software provider, Miljödata, may have resulted in unauthorized access to personal information belonging to its North American workforce. The incident underscores growing concerns about third-party risk and the importance of robust vendor security practices. Ransomware Incident and Discovery On August 20, 2025, Miljödata, which […]
Following a major law enforcement disruption in February 2024, the notorious LockBit ransomware group has resurfaced, marking its sixth anniversary with the release of a new version: LockBit 5.0.
Trend Micro has identified and analyzed binaries for Windows, Linux, and VMware ESXi, confirming the group’s continued focus on cross-platform attacks that can cripple entire enterprise networks.
The discovery of these new variants in early September 2025 signals a significant evolution of the ransomware. This latest version continues the group’s strategy of targeting multiple operating systems simultaneously, a tactic seen since LockBit 2.0 was released in 2021.
Advanced Cross-Platform Attacks
The LockBit 5.0 variants are tailored to their target operating systems, employing sophisticated techniques to evade detection and maximize damage.
Windows Variant: This version uses heavy obfuscation and packing, loading its malicious payload through DLL reflection to complicate analysis. It also implements anti-analysis measures, such as patching the Event Tracing for Windows (ETW) API and terminating 63 different security-related services. The Windows variant also features a newly formatted and more user-friendly help menu.
Linux Variant: The Linux version mirrors the functionality of its Windows counterpart, providing attackers with a consistent set of command-line options to target specific directories and file types. It can log its activities, showing which files are being encrypted and which folders are excluded.
ESXi Variant: A dedicated variant specifically targets VMware’s ESXi virtualization infrastructure. This represents a critical threat, as compromising a single ESXi host can allow attackers to encrypt dozens or even hundreds of virtual machines at once, causing massive disruption. The ESXi variant includes parameters optimized for virtual machine encryption.
Trend Micro analysis shows that LockBit 5.0 is a direct evolution of its predecessor, LockBit 4.0. Both versions share identical hashing algorithms and methods for API resolution, indicating the same developers have built upon their existing codebase.
Key behaviors are consistent across the new variants. Encrypted files are appended with a randomized 16-character extension, making identification and recovery more difficult.
The ransomware also includes checks to avoid executing on systems with Russian language settings or geolocated in Russia. After the encryption process is complete, it clears event logs to cover its tracks.
The technical improvements in LockBit 5.0 make it significantly more dangerous than previous versions. The heavy obfuscation delays the development of detection signatures, while the focus on virtualized environments amplifies its potential impact.
The group’s ability to regroup and release an upgraded ransomware after Operation Cronos demonstrates its resilience.
Organizations are advised to enhance their security posture by proactively hunting for threats and reinforcing endpoint and network protections. Special attention should be given to securing virtualization infrastructure, as it has become a primary target.
Cisco released an advisory describing a high-severity vulnerability (CVE-2025-20160) in its IOS and IOS XE platforms. The flaw stems from improper validation of the TACACS+ shared secret configuration. When TACACS+ is enabled but no secret is set, remote attackers or machine-in-the-middle adversaries can intercept or manipulate authentication messages. Successful exploitation grants unauthorized access to confidential […]
A critical path traversal flaw in ZendTo has been assigned CVE-2025-34508. Researchers discovered that versions 6.15–7 and prior allow authenticated users to manipulate file paths and retrieve sensitive data from the host system.
This issue underscores the persistent risk in web-based file transfer applications.
Path Traversal Vulnerability (CVE-2025-34508)
ZendTo is a PHP-driven dropoff/pickup service that allows any registered user to upload files for sharing. During the “dropoff” process, two variables, chunkName and tmp_name, determine how file uploads are staged and moved.
Horizon3.ai reports that the server-side sanitization routine strips non-alphanumeric characters from chunkName, but if an attacker supplies a chunkName composed entirely of non-alphanumeric characters, the sanitization leaves an empty or dot-only string.
This results in a chunkPath that points to the root uploads directory rather than a unique temporary file.
Once chunkPath is established, the code concatenates a user-controlled tmp_name to relocate the file into the target dropoff directory.
Because tmp_name is not sanitized, attackers can embed directory traversal sequences in it.
Downloading this file exposes the application’s log data, including dropoff claim IDs, opening the way to enumerate and exfiltrate any user-uploaded content or critical system files.
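The two defects described above (a sanitizer that strips characters instead of rejecting bad input, and a path built from an unchecked client-supplied name) are easy to reproduce and to harden. The following is an added Python illustration written for this page; it is not ZendTo's code, and the directory names UPLOAD_ROOT and DROPOFF_ROOT and all input values are assumptions constructed for the demonstration. It places the weak pattern beside a validate-and-confine version that rejects any name the allow-list does not match and any resolved path that leaves its root.

```python
import posixpath
import re

# Assumed directory layout for the demonstration (not ZendTo's real paths).
UPLOAD_ROOT = "/var/zendto/incoming"
DROPOFF_ROOT = "/var/zendto/dropoffs"

_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")
# Allow-list for a bare filename: leading alphanumeric, no separators, so no
# '..' segment and no absolute path can ever pass.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def weak_chunk_path(chunk_name: str) -> str:
    """Reproduces the described defect: strip non-alphanumerics, then join.
    A chunk_name made only of symbols sanitises to '' and the staging path
    collapses onto the upload root instead of a unique temporary file."""
    return posixpath.join(UPLOAD_ROOT, _NON_ALNUM.sub("", chunk_name))


def weak_dest_path(dropoff_id: str, tmp_name: str) -> str:
    """Reproduces the second defect: tmp_name is concatenated unchecked, so
    '..' segments walk out of the dropoff directory."""
    return posixpath.normpath(posixpath.join(DROPOFF_ROOT, dropoff_id, tmp_name))


def confined_join(root: str, *parts: str) -> str:
    """Join and normalise, then refuse any result that is the root itself or
    lies outside it. Pure string logic; on a live filesystem resolve with
    os.path.realpath as well, so a symlink inside the tree cannot redirect it."""
    root = root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    if candidate == root or not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes {root}: {candidate!r}")
    return candidate


def safe_chunk_path(chunk_name: str) -> str:
    """Validate instead of sanitise: a name that is not already safe is
    rejected outright, never repaired into something unexpected."""
    if not _SAFE_NAME.fullmatch(chunk_name):
        raise ValueError(f"rejected chunk name {chunk_name!r}")
    return confined_join(UPLOAD_ROOT, chunk_name)


def safe_dest_path(dropoff_id: str, tmp_name: str) -> str:
    """Both client-influenced components must be bare, safe filenames, and the
    resolved path must still sit under DROPOFF_ROOT."""
    for name in (dropoff_id, tmp_name):
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected name {name!r}")
    return confined_join(DROPOFF_ROOT, dropoff_id, tmp_name)


def rejects(func, *args) -> bool:
    """True if func(*args) raises ValueError (used by the self-check below)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a symbol-only chunk name and a tmp_name with '..' segments
    print(weak_chunk_path("..!!"))                        # the upload root itself
    print(weak_dest_path("abc123", "../../other/x.txt"))  # outside the dropoff tree
    print(rejects(safe_chunk_path, "..!!"),
          rejects(safe_dest_path, "abc123", "../../other/x.txt"))
    print(safe_dest_path("abc123", "report.pdf"))         # the only shape accepted
```

The fix the vendor describes (stricter validation of both names) corresponds to the allow-list plus the containment check; validating is preferable to stripping because a stripped name can silently become empty, which is exactly the collapse the weak version shows.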
Drop-off Summary
Risk Factors            Details
Affected Products       ZendTo versions 6.15–7 and prior
Impact                  Arbitrary file read and information disclosure
Exploit Prerequisites   Low-privilege authenticated user
CVSS 3.1 Score          7.8 (High)
Mitigation
In default installations, file access is limited to the www-root user’s permissions, yet this typically encompasses all uploaded content. Beyond user files, adversaries could target the ZendTo database or source code, potentially causing a denial-of-service.
Although CVE-2025-34508 requires authentication, the minimal barrier allows low-privilege users to perform arbitrary file reads.
Administrators are strongly urged to upgrade immediately. The fix implements stricter validation on both chunkName and tmp_name, ensuring only safe, expected filenames are processed.
This disclosure follows high-profile incidents involving MOVEit Transfer (CVE-2023-34362), Accellion FTA (CVE-2021-27104), and GoAnywhere MFT (CVE-2023-0669), highlighting that file-sharing platforms remain prime targets.
Organizations must maintain vigilant patch management and conduct regular security reviews of their file transfer applications.
SetupHijack, an open-source research utility, has emerged as a powerful method for red teaming and security research by targeting race conditions and insecure file handling within Windows installer and update mechanisms.
By polling world-writable directories such as %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads, the tool intercepts installer‐dropped payloads before they execute with elevated privileges, enabling full SYSTEM or Administrator compromise without requiring elevated permissions to run.
SetupHijack continuously scans specified directories for new or modified installer files with extensions .exe, .msi, and .bat. When a target file appears, the tool atomically replaces it with a user-supplied payload, optionally preserving the original file as a .bak backup.
If the privileged process executes the substituted payload before performing integrity checks, the attacker’s code runs under elevated rights.
Unlike file system notification-based methods, SetupHijack relies on high-frequency polling to minimize race-window durations.
SetupHijack Exploits Race Conditions
Hacker House stated that the framework also subverts Authenticode code-signing and installer trust models by integrating a hacked signing process using SignToolEx.exe and SignToolExHook.dll, allowing payloads to bear valid certificates and Authenticode timestamps.
This approach increases the probability of bypassing digital signature verifications employed by many installers and OS protections.
Building the tool is straightforward with Microsoft’s build utilities:
By default, running SetupHijack.exe without arguments scans the common drop locations; flags allow fine-tuning of scan targets:
Additional modes include:
clean: Restores .bak backups across enabled directories.
verbose: Logs all actions, including successful payload substitutions.
For remote escalation on multi-user systems, SetupHijack can run alongside tools like shadow.exe under a compromised user account, standing by until an administrative installer process is launched.
In practice, security researchers have observed successful infections of popular applications such as Zoom (version 6.6.1), where the update binary residing in %AppData% was hijacked to inject a custom implant.
During demonstration runs, SetupHijack output logs show detailed infection events:
Security Implications
While SetupHijack is intended solely for authorized testing and research, it underscores a critical weakness in many Windows installer processes that trust files in world-writable directories.
Organizations should enforce stricter file-drop locations, implement robust integrity checks, and leverage secure coding practices to prevent time-of-creation/time-of-use (TOCTOU) attacks.
Additionally, signing installers with hardware-protected certificates and performing runtime signature validations can mitigate this class of exploitation.
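The weakness SetupHijack exercises is a time-of-check/time-of-use gap: an installer inspects a file by name, then looks the name up a second time to run it, and anything that rewrites the name in between wins. The following is an added Python demonstration written for this page, not code from SetupHijack, Hacker House or any installer; the payload bytes, file names and staging directory are constructed stand-ins and nothing in it is executed, only hashed and read. It runs the same simulated swap inside the race window against a check-by-path loader and a check-on-handle loader, and stages the file in a private directory rather than a world-writable one, which is the first of the two fixes the text recommends. The descriptor-pinning behaviour is POSIX semantics; on Windows an open handle instead blocks the rename, which closes the window by a different route.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins: a "vendor" update file and the content an attacker
# would swap in. Nothing is executed; the bytes are only hashed and read back.
VENDOR_PAYLOAD = b"#!/bin/sh\necho vendor-update\n"
SWAPPED_PAYLOAD = b"#!/bin/sh\necho not-the-vendor\n"
# Stands in for the installer's signature/integrity check.
TRUSTED_SHA256 = hashlib.sha256(VENDOR_PAYLOAD).hexdigest()


def sha256_of_handle(fh) -> str:
    """Hash whatever the open handle refers to, not whatever the name refers to."""
    fh.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(65536), b""):
        digest.update(block)
    return digest.hexdigest()


def load_by_path(path: str, race_window) -> bytes:
    """TOCTOU-prone pattern: verify the file at `path`, then look `path` up
    again to use it. Whatever rewrote the name inside the window is what runs."""
    with open(path, "rb") as fh:
        if sha256_of_handle(fh) != TRUSTED_SHA256:
            raise ValueError("integrity check failed")
    race_window()                      # the gap between check and use
    with open(path, "rb") as fh:       # second lookup by name
        return fh.read()


def load_by_handle(path: str, race_window) -> bytes:
    """Hardened pattern: open once, verify the handle, consume the same handle.
    On POSIX the descriptor pins the verified inode even if the directory entry
    is repointed; on Windows the open handle makes the rename fail instead."""
    with open(path, "rb") as fh:
        if sha256_of_handle(fh) != TRUSTED_SHA256:
            raise ValueError("integrity check failed")
        race_window()
        fh.seek(0)
        return fh.read()


def run_demo() -> tuple:
    """Stage the vendor file in a private staging directory (mkdtemp creates it
    mode 0700 on POSIX, unlike a shared %TEMP%), then simulate a swap landing
    inside the race window. Returns (bytes_used_by_path, bytes_used_by_handle)."""
    with tempfile.TemporaryDirectory() as staging:
        target = os.path.join(staging, "update.bin")
        sibling = os.path.join(staging, "update.bin.new")

        def reset():
            with open(target, "wb") as fh:
                fh.write(VENDOR_PAYLOAD)

        def swap():
            # Simulated swap: write the replacement beside the target and
            # rename it over the target atomically.
            with open(sibling, "wb") as fh:
                fh.write(SWAPPED_PAYLOAD)
            try:
                os.replace(sibling, target)
            except PermissionError:
                pass  # Windows: an open handle on the target refuses the rename

        reset()
        by_path = load_by_path(target, swap)
        reset()
        by_handle = load_by_handle(target, swap)
        return by_path, by_handle


if __name__ == "__main__":
    by_path, by_handle = run_demo()
    print("check-by-path used vendor bytes:  ", by_path == VENDOR_PAYLOAD)
    print("check-on-handle used vendor bytes:", by_handle == VENDOR_PAYLOAD)
```

The simulated swap is deliberately placed exactly in the window, so the by-path loader passes its integrity check and still consumes the replacement; the by-handle loader consumes the bytes it verified. In a real installer the equivalent is to validate the Authenticode signature on the handle (or on a copy already inside a directory the user cannot write to) and execute from that same object, never from a path in %TEMP% that was merely checked a moment earlier.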
As supply-chain and installer security become increasingly targeted, tools like SetupHijack serve as both a warning and an opportunity to harden deployment workflows against sophisticated race-condition exploits.
A pair of malicious Rust crates masquerading as the popular fast_log library have been uncovered, harvesting private Solana and Ethereum keys from developers’ environments. The impostor crates include legitimate-looking logging functionality to evade detection, while a hidden routine scans source files for wallet keys and exfiltrates them to a hardcoded command-and-control (C2) endpoint. Between them, […]
A critical vulnerability in the popular file-sharing tool ZendTo allows authenticated users to traverse system paths and access or modify sensitive files belonging to other users. The flaw, tracked as CVE-2025-34508, affects ZendTo versions 6.15-7 and earlier. An attacker can exploit this issue to read server logs, user data, or even critical application files. ZendTo […]
BRICKSTORM has surfaced as a highly evasive backdoor targeting organizations within the technology and legal industries, exploiting trust relationships to infiltrate critical networks.
First detected in mid-2025, this malware leverages multi-stage loaders and covert communication channels to avoid detection.
Early victims reported unusual latency in remote desktop sessions, prompting deeper forensic investigations.
As the campaign evolved, BRICKSTORM demonstrated a remarkable ability to blend into legitimate system processes, complicating incident response efforts and extending dwell time.
These attachments exploit a zero-day flaw in a widely used document rendering engine, silently deploying a lightweight loader once opened.
In several cases, organizations in the legal sector noted the lure of case summaries or contract amendments as decoys.
The loader subsequently fetches an encrypted payload from a compromised cloud storage service, establishing a stealthy foothold before initiating lateral movement.
Google Cloud analysts identified BRICKSTORM after observing anomalous traffic patterns across its infrastructure monitoring platform.
BRICKSTORM targeting (Source – Google Cloud)
Correlating telemetry from endpoint sensors and network logs, researchers noted connections to unusual domain names using nonstandard ports.
These discoveries accelerated threat intelligence sharing across industry CERTs, culminating in the attribution of the backdoor to a previously unseen modular malware family.
A characteristic feature of BRICKSTORM is its modular design, enabling operators to tailor functionality according to target environment.
Core modules include system reconnaissance, credential harvesting, and secure communication channels. Upon deployment, BRICKSTORM enumerates running processes and open network sockets, alerting operators to high-value targets and active security tools.
When a suitable target is found, the backdoor injects a reconnaissance module into memory, extracting credentials via in-memory process dumps.
All data is exfiltrated using an HTTP-over-DNS tunnel, effectively bypassing traditional egress filtering rules.
Persistence Tactics
Delving into BRICKSTORM’s persistence mechanism reveals a cunning approach that relies on dynamically registered scheduled tasks.
Rather than creating permanent registry entries, the backdoor generates a transient scheduled task named to mimic legitimate system maintenance jobs.
Upon each system boot, the task executes a PowerShell command that reconstructs the loader from segmented fragments stored in alternate data streams.
Asset inventory (Source – Google Cloud)
This technique not only conceals the backdoor components within benign files but also rotates fragment locations on each run, preventing static indicators of compromise.
By leveraging alternate data streams, BRICKSTORM sidesteps file-based defenses and leaves minimal traces on disk.
Incident responders often overlook ADS entries, allowing the backdoor to persist undetected across reboots.
Moreover, the use of dynamic task names prevents easy correlation during log analysis, as each deployment may appear distinct.
Understanding these tactics is critical for defenders aiming to develop detection rules that surface anomalous scheduled tasks and ADS activity in real time.
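One way to turn the persistence description above into a detection, as an added Python example written for this page and not derived from Google Cloud's analysis: score scheduled-task registration records on the action they perform rather than the name they carry, since the text says names rotate and mimic maintenance jobs, while the PowerShell action that reads fragments from alternate data streams cannot be disguised as easily. The records below are constructed samples in the flattened shape a SIEM might produce from task registration events; every task name, path, stream name and account is invented for the illustration and none is a real indicator.

```python
import ntpath
import re

# Constructed task-registration records (not real telemetry), flattened the way a
# SIEM might normalise task-creation events. The second record is a constructed
# illustration of the described pattern: maintenance-style name, boot trigger,
# PowerShell action reading an alternate data stream, non-SYSTEM author.
SAMPLE_TASK_EVENTS = [
    {"task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": r"-c -h -o -$",
     "trigger": "weekly", "author": r"NT AUTHORITY\SYSTEM"},
    {"task_name": r"\Microsoft\Windows\Maintenance\WinSAT_Refresh_a81c",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": r'-NoP -W Hidden -C "Get-Content -Path C:\ProgramData\USOShared\cache.dat -Stream seg1 -Raw"',
     "trigger": "boot", "author": r"CORP\jdoe"},
    {"task_name": r"\Backup\NightlyExport", "command": r"pwsh.exe",
     "arguments": r"-File C:\Scripts\export.ps1", "trigger": "daily",
     "author": r"CORP\svc_backup"},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# NTFS alternate data stream syntax: a drive-rooted or UNC path followed by ':stream'.
# First alternative handles a double-quoted path that may contain spaces.
_ADS_PATH = re.compile(
    r'"(?:[A-Za-z]:\\|\\\\)[^":]+:[A-Za-z0-9_$.-]+"'
    r'|(?:[A-Za-z]:\\|\\\\)[^\s:"\']+:[A-Za-z0-9_$.-]+')
# Get-Content / Get-Item / Set-Content expose streams through the -Stream parameter.
_ADS_PARAM = re.compile(r"\B-Stream\b", re.IGNORECASE)


def score_task(event: dict) -> list:
    """Return the list of indicator names that fire for one task record."""
    reasons = []
    exe = ntpath.basename(event.get("command", "")).lower()
    args = event.get("arguments", "")
    if exe in POWERSHELL_HOSTS:
        reasons.append("powershell_action")
    if _ADS_PATH.search(args) or _ADS_PARAM.search(args):
        reasons.append("ads_reference")
    if event.get("trigger", "").lower() == "boot":
        reasons.append("boot_trigger")
    # Heuristic: tasks under the built-in Microsoft tree are normally registered
    # by SYSTEM; a user or service account placing one there is worth a look.
    name = event.get("task_name", "").lower()
    author = event.get("author", "").upper()
    if name.startswith("\\microsoft\\windows\\") and not author.endswith("SYSTEM"):
        reasons.append("microsoft_tree_non_system_author")
    return reasons


def find_suspicious_tasks(events, min_reasons: int = 2) -> list:
    """Flag tasks whose action references an alternate data stream, or that
    combine at least `min_reasons` weaker indicators. Keying on the action
    rather than the name is what survives per-deployment name rotation."""
    findings = []
    for ev in events:
        reasons = score_task(ev)
        if "ads_reference" in reasons or len(reasons) >= min_reasons:
            findings.append({"task_name": ev["task_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_TASK_EVENTS):
        print(hit["task_name"], "->", ", ".join(hit["reasons"]))
```

The same logic applies to live hunting: feed it task-creation events from the Security or Task Scheduler operational logs, and pair it with a periodic sweep for unexpected alternate data streams on files under ProgramData and user profiles, since the fragments themselves are the durable artifact even when the task name changes between runs.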
Despite a coordinated investment of time, effort, planning, and resources, even the most up-to-date cybersecurity systems continue to fail. Every day. Why?
It’s not because security teams can’t see enough. Quite the contrary. Every security tool spits out thousands of findings. Patch this. Block that. Investigate this. It’s a tsunami of red dots that not even the most crackerjack team on