The Zscaler ThreatLabz team has uncovered significant advancements in the Anatsa malware, also known as TeaBot, an Android banking trojan that has been active since 2020. Originally designed for credential theft, keylogging, and facilitating fraudulent transactions, Anatsa has evolved into a more sophisticated threat, now targeting over 831 financial institutions worldwide. This expansion includes new […]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability affecting Apple iOS, iPadOS, and macOS systems that is being actively exploited in the wild. CVE-2025-43300, an out-of-bounds write vulnerability in Apple’s Image I/O framework, poses significant security risks to millions of users across Apple’s ecosystem. Critical Vulnerability […]
A newly disclosed vulnerability in Docker Desktop for Windows has revealed how a simple Server-Side Request Forgery (SSRF) attack could lead to complete host system compromise.
CVE-2025-9074, discovered by Felix Boulet and reported on August 21, 2025, affects all Docker Desktop versions prior to 4.44.3 and demonstrates how container isolation can be completely bypassed through unauthenticated API access.
Key Takeaways
1. Docker Desktop containers can access unauthenticated API for full host compromise.
2. Two HTTP requests create privileged container with host filesystem access.
3. Update to Docker Desktop immediately.
The vulnerability was found accidentally during routine network scanning and highlights critical gaps in Docker’s internal security architecture.
Philippe Dugre from Pvotal Technologies independently discovered a similar issue on macOS platforms, emphasizing the cross-platform nature of this security flaw.
The vulnerability stems from Docker Desktop exposing its internal HTTP API endpoint at http://192.168.65.7:2375/ without any authentication mechanisms.
Any container running within the Docker environment could access this endpoint and execute privileged operations against the host system.
This represents a fundamental breakdown of the container isolation model, where workloads should be completely separated from their host environment.
The attack surface was particularly concerning because it required minimal technical sophistication—attackers needed only basic HTTP request capabilities rather than complex exploit chains or memory corruption techniques.
Docker Container Exploitation Process
The exploitation process requires just two HTTP POST requests executed from within any container environment.
The first request targets the /containers/create endpoint with a JSON payload that configures a new privileged container with host filesystem bindings.
The critical configuration parameter involves mounting the Windows C: drive (/mnt/host/c) to a container path (/host_root), effectively providing unrestricted access to the entire host filesystem.
The JSON payload also specifies execution commands that run automatically upon container startup, enabling immediate post-exploitation activities.
The second HTTP request initiates container execution through the /containers/{id}/start endpoint, triggering the malicious container with elevated privileges.
This two-step process bypasses all Docker security controls and grants attackers the same level of access as local administrator accounts.
The vulnerability is particularly insidious because it can be exploited through SSRF attacks, meaning attackers don’t require direct code execution within containers—they only need the ability to trigger HTTP requests from compromised web applications or services running in containerized environments.
Risk Factors | Details
Affected Products | Docker Desktop for Windows (versions < 4.44.3); Docker Desktop for macOS (similar issue reported)
Impact | Full host system compromise
Exploit Prerequisites | Access to any container environment; ability to make HTTP requests; network connectivity to 192.168.65.7:2375
CVSS 3.1 Score | Not specified
Proof of Concept
The proof of concept demonstrates the vulnerability’s simplicity using standard wget commands executable from any Alpine Linux container.
The exploit creates a privileged container that mounts the host C: drive and executes arbitrary commands:
Docker responded quickly to this disclosure, releasing version 4.44.3 with complete remediation of the vulnerability.
The fix implements proper authentication controls for internal API endpoints and strengthens network segmentation between container workloads and Docker’s control plane.
Security researchers recommend immediate updating to the patched version, as no workarounds exist for affected systems.
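For responders triaging a host that ran an affected release, the following added example (not code from the article, the researchers, or Docker) checks a Docker Desktop version against the fixed release and audits `docker inspect` output for the container shape described above: privileged, with a host drive under /mnt/host/ bound into it. The container names and the sample records are constructed; the field names are those of `docker inspect` output.

```python
import json

FIXED = (4, 44, 3)                # first fixed Docker Desktop release, per the article
HOST_DRIVE_PREFIX = "/mnt/host/"  # where the article says the Windows drives are exposed


def is_affected(version: str) -> bool:
    """True when a Docker Desktop version string is older than 4.44.3."""
    return tuple(int(p) for p in version.split(".")[:3]) < FIXED


def audit_container(record: dict) -> list[str]:
    """Return findings for one `docker inspect` record."""
    host = record.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    for bind in host.get("Binds") or []:
        source = bind.split(":", 1)[0]          # "src:dst[:mode]" -> src
        if (source + "/").startswith(HOST_DRIVE_PREFIX):
            findings.append(f"host-drive-bind {bind}")
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for record in json.loads(inspect_json):
        findings = audit_container(record)
        if findings:
            report[record.get("Name") or record.get("Id", "?")] = findings
    return report


# Constructed sample: one ordinary container, one matching the article's description.
SAMPLE = json.dumps([
    {"Id": "a1", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["webdata:/var/www"]}},
    {"Id": "b2", "Name": "/unknown",
     "HostConfig": {"Privileged": True, "Binds": ["/mnt/host/c:/host_root"]}},
])

if __name__ == "__main__":
    print("4.43.2 affected:", is_affected("4.43.2"))
    print(audit(SAMPLE))
```

A container that was created and then removed will not appear in `docker inspect`, so an empty report does not rule out earlier abuse on an unpatched host.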
A sophisticated cyber espionage campaign has emerged targeting Ukrainian and Polish organizations through weaponized PDF invitation files designed to execute malicious shell scripts.
The campaign, active since April 2025, demonstrates a calculated approach to infiltrating government and private sector networks through carefully crafted social engineering tactics.
The threat actors behind this operation have leveraged seemingly legitimate invitation documents, including meeting invitations and official government communications, to establish initial access to target systems.
These malicious PDF files serve as decoys while simultaneously deploying multi-stage infection chains that culminate in the execution of shell scripts and the deployment of sophisticated implants for persistent access and data collection.
Infection chain for May archive (Source – HarfangLab)
The campaign exhibits notable sophistication in its execution methodology, utilizing compressed archive files containing XLS spreadsheets embedded with VBA macros.
These macros are responsible for dropping and loading Dynamic Link Libraries (DLLs) that collect comprehensive system information and retrieve next-stage malware from command and control servers.
The systematic nature of the attacks suggests a well-resourced threat actor with extensive operational capabilities.
HarfangLab researchers identified striking similarities between this campaign and previously reported activities associated with UAC-0057, also known as UNC1151, FrostyNeighbor, or Ghostwriter.
This cyber espionage group has documented ties to the Belarusian government and has consistently targeted Eastern European nations, particularly Ukraine and Poland, with sophisticated information-gathering operations designed to support state-sponsored intelligence objectives.
The malware’s impact extends beyond simple data theft, as the threat actors have demonstrated the ability to maintain persistent access to compromised systems while avoiding detection through careful operational security practices.
Infection chain for July archives (Source – HarfangLab)
The infection chains reveal a methodical approach to system reconnaissance, with implants designed to collect detailed information about compromised environments before deploying additional payloads for extended exploitation.
Infection Mechanism and Execution Flow
The UAC-0057 infection mechanism represents a carefully orchestrated multi-stage attack that begins with the delivery of malicious archive files through suspected spearphishing campaigns.
The primary infection vector involves compressed archives containing XLS spreadsheets that embed sophisticated VBA macros, which serve as the initial execution point for the malware deployment process.
Infection chain for April archives (Source – HarfangLab)
Once executed, these VBA macros demonstrate varying levels of obfuscation consistent with tools like MacroPack, an offensive security framework available on GitHub.
The execution logic has evolved throughout the campaign, with earlier samples directly dropping DLLs to temporary directories, while more recent variants employ additional layers of complexity including Microsoft Cabinet (CAB) files and Link (LNK) files to obscure the deployment process.
The infection chain progresses through a systematic approach where the VBA macro writes encrypted DLL payloads to specific system directories such as %LOCALAPPDATA%\Serv\0x00bac729fe.log or %TEMP%\DefenderProtectionScope.log.
These DLLs are subsequently loaded using Windows’ built-in regsvr32.exe utility with parameters designed to execute the malicious code while minimizing system alerts.
The first-stage implants, written in C# and obfuscated using ConfuserEx, establish persistence through Windows Registry modifications and scheduled tasks.
These implants collect comprehensive system intelligence including operating system details, hostname information, CPU specifications, and installed antivirus products before transmitting this data to command and control infrastructure designed to blend with legitimate web traffic.
Figure 1 shows the complete infection chain for the May archive variant, illustrating the sophisticated multi-layered approach employed by UAC-0057 to achieve system compromise while maintaining operational security throughout the deployment process.
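The loading step described above, regsvr32.exe pointed at a payload saved with a .log name under %LOCALAPPDATA% or %TEMP%, is a usable detection anchor. This added example (not from the article or HarfangLab) scores process-creation command lines for that pattern; the command lines, user name and the benign vendor path are constructed, and only the two payload file names come from the article.

```python
import re

NORMAL_EXT = (".dll", ".ocx")                        # what regsvr32 usually registers
USER_WRITABLE = ("\\appdata\\local\\", "\\temp\\")  # expanded %LOCALAPPDATA% / %TEMP%


def regsvr32_target(cmdline: str):
    """Return the file argument of a regsvr32 command line, or None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens:
        return None
    image = tokens[0].strip('"').lower()
    if not image.endswith(("regsvr32.exe", "regsvr32")):
        return None
    # Drop switches such as /s; the remaining argument is the file to load.
    args = [t.strip('"') for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def score(cmdline: str) -> list[str]:
    """Reasons a command line matches the loading pattern; empty if none."""
    target = regsvr32_target(cmdline)
    if target is None:
        return []
    low = target.lower()
    reasons = []
    if not low.endswith(NORMAL_EXT):
        reasons.append("non-dll-extension")
    if any(part in low for part in USER_WRITABLE):
        reasons.append("user-writable-path")
    return reasons


def hits(cmdlines):
    """Command lines with at least one reason, paired with those reasons."""
    return [(c, r) for c in cmdlines if (r := score(c))]


# Constructed process-creation command lines.
SAMPLE = [
    r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    r'C:\Windows\System32\regsvr32.exe /s "C:\Users\alice\AppData\Local\Serv\0x00bac729fe.log"',
    r'regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\DefenderProtectionScope.log',
    r'notepad.exe C:\Users\alice\AppData\Local\Temp\notes.log',
]

if __name__ == "__main__":
    for line, reasons in hits(SAMPLE):
        print(reasons, line)
```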
Microsoft has announced significant restrictions on the use of default onmicrosoft.com domains for email communication, implementing new throttling measures to combat spam and improve email deliverability across its Microsoft 365 platform. Policy Changes Target Spam Prevention The technology giant will introduce throttling limits that restrict messages sent from onmicrosoft.com domains to just 100 external recipients […]
Cybersecurity researchers have developed an artificial intelligence system capable of automatically generating working exploits for published Common Vulnerabilities and Exposures (CVEs) in just 10-15 minutes at approximately $1 per exploit, fundamentally challenging the traditional security response timeline that defenders rely upon. The breakthrough system employs a sophisticated multi-stage pipeline that analyzes CVE advisories and code […]
Socket’s Threat Research Team has uncovered a deceptive Go module named golang-random-ip-ssh-bruteforce, which masquerades as an efficient SSH brute-forcing tool but secretly exfiltrates stolen credentials to its creator. Published on June 24, 2022, this package remains active on the Go Module ecosystem and GitHub, despite efforts to petition for its removal and the suspension of […]
Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks.
“The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by
INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims.
“The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said.
The effort is the second phase of an ongoing law
Cyber threat actors have launched sophisticated phishing operations aimed at military and government personnel in South Asia, leveraging defense-related lures to distribute malicious archives and applications. Recent detections include ZIP files like “Coordination of the Chief of Army Staff’s Visit to China.zip,” which contain compressed PDFs designed as phishing decoys. These documents, upon extraction, redirect […]