A sophisticated spear-phishing campaign attributed to the Iranian-linked APT group MuddyWater is actively compromising CFOs and finance executives across Europe, North America, South America, Africa, and Asia. The attackers impersonate recruiters from Rothschild & Co, deploying Firebase-hosted phishing pages that incorporate custom math-based CAPTCHA challenges to evade detection and lend legitimacy. These lures lead victims […]
Cyber spies associated with the threat actor group Paper Werewolf have demonstrated advanced capabilities in bypassing email security filters by delivering malware through seemingly legitimate archive files, a tactic that exploits the commonality of such attachments in business correspondence. Despite their sophistication, these attackers continue to rely on detectable tactics, techniques, and procedures (TTPs), underscoring […]
A stealthy campaign emerged in early March 2025 that capitalized on a critical remote code execution flaw in GeoServer (CVE-2024-36401) to compromise publicly exposed geospatial servers.
Attackers exploited JXPath query injection within Apache Commons libraries, allowing arbitrary code execution through crafted XML requests.
This vector enabled the silent deployment of customized executables that leveraged legitimate passive-income software development kits (SDKs) and applications, effectively turning victim networks into illicit proxy farms.
Within days of the initial wave, Palo Alto Networks analysts noted a significant surge in probing activity against vulnerable GeoServer instances.
Exposed GeoServer distribution in the five countries where they are most commonly hosted (Source – Palo Alto Networks)
Cortex Xpanse telemetry revealed over 3,700 publicly accessible servers in the first week of May 2025 alone, underscoring the vast attack surface available to threat actors.
These adversaries moved quickly to evade detection, rotating distribution IPs from 37.187.74[.]75 to 185.246.84[.]189 and expanding backend infrastructure to include a transfer.sh-style file-sharing service on port 8080.
The monetization strategy behind this campaign favored long-term stealth over rapid resource consumption.
Rather than deploying noisy cryptocurrency miners, attackers delivered two core payloads: a misused SDK that silently aggregated bandwidth-sharing sessions across infected hosts, and a misused application that created hidden directories and launched executables with minimal resource footprints.
Both payloads mimicked legitimate passive-income services, making them difficult to detect through signature-based defenses.
Victims remained unaware as their machines quietly forwarded web traffic or participated in residential proxy networks.
By integrating genuine Dart-compiled binaries, the attackers exploited cross-platform capabilities to target Linux servers and bypass detection signatures tuned for more common malware languages.
Indicators of compromise included connections to hxxp://37.187.74[.]75:8080 and hxxp://64.226.112[.]52:8080, where stage-one scripts such as z593 fetched additional stagers.
Infection Mechanism Deep Dive
One of the most insidious aspects of this campaign lies in its exploitation of JXPath’s extension functions.
Upon receiving a crafted GetPropertyValue request, GeoServer’s property accessor mechanism passed an attacker-controlled expression into the iteratePointers method.
This payload then invoked the javax.lang.Runtime.exec function, triggering remote command execution.
Malicious code containing a JXPath referencing a Java execution function (Source – Palo Alto Networks)
Upon successful execution, z593 acted as a stager, creating a hidden folder under /var/tmp/.cache and fetching two additional payloads: z401, which established the execution environment, and z402, which launched the main executable with an embedded SDK key.
Payload from an exploit found in the wild (Source – Palo Alto Networks)
By chaining these stages, the attackers achieved persistence and ensured that bandwidth-sharing processes resumed automatically on reboot.
Through this meticulous, multi-stage approach, threat actors have demonstrated how leveraging legitimate SDKs and file-sharing services can facilitate undetected monetization of network resources.
Security teams are urged to apply GeoServer patches immediately, monitor outbound connections to known malicious IPs, and deploy behavioral analytics capable of identifying anomalous JXPath queries to thwart similar campaigns.
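The advice above (monitor for the listed infrastructure and flag anomalous JXPath queries) can be turned into a concrete check. The following Python script is an added example written for this page, not code from Palo Alto Networks or the GeoServer project. It scans web-server access-log lines and WFS POST bodies for GetPropertyValue requests whose property expression looks like a JXPath extension-function call into Java, and matches outbound connections against the IPs the report names. The log lines are constructed, and the attacker expression in them is a deliberately non-functional stand-in.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Distribution/backend IPs named in the report, with the defanging brackets removed.
IOC_IPS = {"37.187.74.75", "185.246.84.189", "64.226.112.52"}

# A legitimate valueReference names a feature property (the_geom, topp:state_name, ...).
# A JXPath extension-function call into the JVM looks different: an identifier
# followed by "(" plus a Java class reference somewhere in the same expression.
CALL_RE = re.compile(r"[A-Za-z_][\w.]*\s*\(")
JAVA_RE = re.compile(r"java\.|Runtime|ProcessBuilder", re.IGNORECASE)

# WFS valueReference elements in a POST body, with or without a namespace prefix.
XML_REF_RE = re.compile(r"<(?:\w+:)?valueReference>(.*?)</(?:\w+:)?valueReference>",
                        re.IGNORECASE | re.DOTALL)

# Common Log Format: client, "METHOD path HTTP/x", status.
LOG_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_expression(expr: str) -> bool:
    """True when a property expression looks like a function call that reaches into Java."""
    return bool(CALL_RE.search(expr)) and bool(JAVA_RE.search(expr))


def scan_request_url(url: str) -> Optional[dict]:
    """Check a GET request; GetPropertyValue with a suspicious expression is reported."""
    params = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
    if "getpropertyvalue" not in [v.lower() for v in params.get("request", [])]:
        return None
    for key in ("valuereference", "propertyname"):
        for expr in params.get(key, []):
            if suspicious_expression(expr):
                return {"param": key, "expression": expr}
    return None


def scan_xml_body(body: str) -> list:
    """Return suspicious expressions from <valueReference> elements of a POST body."""
    return [m.strip() for m in XML_REF_RE.findall(body) if suspicious_expression(m)]


def scan_access_log(text: str) -> list:
    """Run scan_request_url over every GET line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        hit = scan_request_url(path) if method == "GET" else None
        if hit:
            findings.append({"client": client, "status": int(status), **hit})
    return findings


def scan_connections(records) -> list:
    """records: iterable of (dst_ip, dst_port) pairs from netflow/proxy logs."""
    return [(ip, port) for ip, port in records if ip in IOC_IPS]


# Constructed sample lines (not from the report). The second line carries a
# deliberately non-functional stand-in for an attacker expression.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2025:10:01:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime,%20'REDACTED') HTTP/1.1" 500 312
10.0.0.7 - - [12/Mar/2025:10:02:11 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=the_geom HTTP/1.1" 200 910
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(scan_connections([("37.187.74.75", 8080), ("10.0.0.1", 443)]))
```

Only the GET case can be judged from an access log; for POST requests the body has to come from a WAF or reverse-proxy capture, which is what scan_xml_body is for. The IP match is a point-in-time indicator: the report notes the operators rotated distribution IPs within days, so the behavioural check on the expression is the part worth keeping.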
Cybersecurity researchers have observed a surge in phishing campaigns leveraging QR codes to deliver malicious payloads.
This emerging threat, often dubbed “quishing,” exploits the opaque nature of QR codes to conceal harmful URLs that redirect victims to credential-harvesting sites or malware downloads.
Unlike traditional phishing links that can be flagged by email gateways, QR codes require a visual scan by the end user—typically on a mobile device—circumventing desktop security controls and expanding the attacker’s window of opportunity.
The earliest instances appeared in generic mass-email blasts posing as routine account notifications from well-known service providers.
However, attackers have rapidly refined their tactics, tailoring messages to specific targets and embedding QR codes within seemingly innocuous images.
In one campaign, a threat actor impersonated a leading cloud storage provider, prompting recipients to “scan to verify account activity.”
Upon scanning, the QR code resolved to a fake login portal meticulously crafted to mirror the legitimate site’s HTML and JavaScript.
Barracuda analysts noted this initial wave of quishing attacks relied heavily on social engineering rather than technical sophistication.
As defenders began to recognize and block simple QR code attacks, adversaries escalated their techniques.
Split QR codes emerged as a stealthier method, dividing a single code into two separate image fragments that appear benign when viewed independently.
Split QR Code Example (Source – Barracuda)
Email scanners inspecting image attachments typically miss two partial images, yet when rendered in an HTML email they recombine visually into a scannable QR pattern. Victims who scan the composite code are redirected to sites designed to harvest credentials or deploy secondary payloads.
Detection Evasion Through Nested QR Codes
Beyond splitting, the latest quishing kits employ nested QR codes to further obfuscate malicious links.
A nested code consists of an inner, benign QR pointing to a harmless URL (e.g., Google), surrounded by an outer code directing to a phishing domain.
This dual-layer approach generates ambiguous decoding results: standard QR readers often default to the inner code, while more sophisticated decoders can extract the outer payload.
Attackers exploit this ambiguity to bypass QR analysis tools that lack the ability to interpret multiple layers within a single frame.
Nested QR Code Example (Source – Barracuda)
To illustrate, the following Python snippet uses the pyzbar library to decode layered QR images and highlight both payloads:-
from PIL import Image
from pyzbar.pyzbar import decode

# decode() returns a list with every symbol it finds in the frame, so each
# decoded destination is printed rather than only the first one.
img = Image.open('nested_qr_code.png')
results = decode(img)
for res in results:
    print(f'Data: {res.data.decode()}, Type: {res.type}')
Defenders must adopt multimodal AI solutions capable of rendering images, isolating pixel patterns, and performing sandboxed link execution.
As organizations bolster spam filters and enforce multi-factor authentication, attackers will undoubtedly continue to innovate. Vigilance, layered defenses, and user training remain critical to counteract this evolving quishing threat.
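Decoding is only half of the check: the defender has to decide what to do when one image yields two destinations. The Python below is an added example for this page (not Barracuda's code and not part of the snippet above). It works on objects shaped like the ones pyzbar.decode() returns (data, type, rect), constructed inline so it runs without an image or the pyzbar dependency, and flags a frame when one symbol sits inside another, when the symbols disagree on the destination host, or when a host is outside an allowlist. The phishing host name is a reserved .invalid name chosen for the example.

```python
import itertools
from collections import namedtuple
from urllib.parse import urlsplit

# Same shape as the objects pyzbar.decode() returns: data (bytes), type, rect.
# Constructed here so the logic runs without an image file or the pyzbar dependency.
Rect = namedtuple("Rect", "left top width height")
Decoded = namedtuple("Decoded", "data type rect")


def contains(outer: Rect, inner: Rect) -> bool:
    """True when inner lies entirely within outer (a nested symbol)."""
    return (outer.left <= inner.left and outer.top <= inner.top
            and inner.left + inner.width <= outer.left + outer.width
            and inner.top + inner.height <= outer.top + outer.height)


def host_of(url: str) -> str:
    """Hostname of an http(s) URL, lower-cased; empty string for anything else."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def analyze_symbols(symbols, allowlist=frozenset()) -> dict:
    """Judge one image's full set of decoded symbols instead of trusting the first.

    Flags the image when (a) one symbol sits inside another, (b) symbols point at
    different hosts, or (c) any host is outside the allowlist. The first two are the
    nested-code signals; the third is the ordinary URL-reputation step.
    """
    urls = [s.data.decode() if isinstance(s.data, bytes) else s.data for s in symbols]
    hosts = sorted({host_of(u) for u in urls if host_of(u)})
    nested = any(contains(symbols[o].rect, symbols[i].rect)
                 for o, i in itertools.permutations(range(len(symbols)), 2))
    reasons = []
    if nested:
        reasons.append("a symbol is nested inside another symbol")
    if len(hosts) > 1:
        reasons.append("symbols disagree on the destination host")
    unlisted = [h for h in hosts if h not in allowlist]
    if unlisted:
        reasons.append("destination host not allowlisted: " + ", ".join(unlisted))
    return {"urls": urls, "hosts": hosts, "nested": nested,
            "flagged": bool(reasons), "reasons": reasons}


# Constructed nested image: an outer code spanning the frame and an inner code
# occupying its middle. The phishing host is a reserved .invalid name.
SAMPLE_NESTED = [
    Decoded(b"https://account-verify.invalid/login", "QRCODE", Rect(0, 0, 300, 300)),
    Decoded(b"https://www.google.com", "QRCODE", Rect(100, 100, 100, 100)),
]
SAMPLE_PLAIN = [Decoded(b"https://www.google.com", "QRCODE", Rect(0, 0, 200, 200))]

if __name__ == "__main__":
    print(analyze_symbols(SAMPLE_NESTED, allowlist={"www.google.com"}))
    print(analyze_symbols(SAMPLE_PLAIN, allowlist={"www.google.com"}))
```

The design point is that the union of decoded destinations, not the decoder's first answer, is what gets vetted: a reader that stops at the inner Google code is exactly the behaviour the nested layout relies on. Split codes need the opposite fix (render the HTML and decode the composite), which this check does not cover.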
Researchers have discovered a complex campaign using trojanized software that uses authentic code-signing certificates to avoid detection and turn compromised machines into unintentional residential proxies, according to a recent threat intelligence notice from Expel Security. The operation begins with files bearing the code-signing signature of “GLINT SOFTWARE SDN. BHD.,” a seemingly legitimate entity whose credentials […]
Cybercriminals have discovered a new avenue for malicious activities by exploiting Lovable, an AI-powered website creation platform, to develop sophisticated phishing campaigns and malware delivery systems.
The platform, designed to democratize web development through natural language prompts, has inadvertently become a tool for threat actors seeking to create convincing fraudulent websites with minimal technical expertise.
The abuse of Lovable represents a significant shift in the cybercrime landscape, where artificial intelligence tools are lowering traditional barriers to entry for malicious actors.
Unlike conventional web development that requires coding knowledge, Lovable allows users to create fully functional websites simply by describing their requirements in plain text.
This capability has proven particularly attractive to cybercriminals who can now generate professional-looking phishing sites, credential harvesting platforms, and malware distribution networks within minutes.
Proofpoint researchers identified tens of thousands of malicious Lovable URLs detected as threats each month since February 2025, spanning various attack vectors, including multifactor authentication phishing kits, cryptocurrency wallet drainers, and sophisticated credential harvesting operations.
Malicious website likely designed to drain crypto wallets (Source – Proofpoint)
The researchers observed campaigns impacting over 5,000 organizations through hundreds of thousands of malicious messages, demonstrating the scale at which threat actors have adopted this platform.
The versatility of AI-generated websites has enabled threat actors to impersonate prominent brands including Microsoft, UPS, and various financial institutions with remarkable authenticity.
Tycoon phishing campaigns (Source – Proofpoint)
These campaigns typically employ sophisticated social engineering techniques, incorporating legitimate branding elements and convincing user interfaces that closely mirror their genuine counterparts.
Example CAPTCHA that redirects to banking credential phishing website (Source – Proofpoint)
The platform’s free hosting service on the lovable.app domain has further reduced operational costs for cybercriminals while providing them with legitimate-looking infrastructure.
Advanced Malware Delivery Mechanisms
The most concerning aspect of this threat involves the platform’s capacity to facilitate complex malware delivery chains.
Proofpoint analysts documented a particularly sophisticated German-language campaign that demonstrated the evolution from simple phishing to advanced malware distribution.
The attack chain began with HTML attachments redirecting to Cookie Reloaded URLs, which subsequently directed victims to AI-generated Lovable applications masquerading as secure download portals.
The malware delivery process incorporated multiple layers of deception, including password-protected downloads and legitimate-looking interfaces.
When victims clicked download buttons, they received a popup providing the password “RE2025” and access to a RAR file hosted on Dropbox.
This archive contained “Rechnung DE009100019000.exe,” a trojanized legitimate Ace Stream file that performed DLL sideloading to execute DOILoader, ultimately deploying zgRAT malware with command and control communications to 84.32.41.163:7705.
This sophisticated attack methodology demonstrates how AI website builders can facilitate complex multi-stage malware deployment while maintaining the appearance of legitimate business operations, significantly complicating detection and prevention efforts for cybersecurity teams.
In recent weeks, the cybersecurity community has witnessed the rapid emergence of Warlock, a novel ransomware strain that weaponizes unpatched Microsoft SharePoint servers to infiltrate enterprise networks.
Initial analysis reveals that threat actors exploit publicly exposed SharePoint instances via specially crafted HTTP POST requests, deploying web shells that grant remote code execution within the target environment.
From this foothold, Warlock operators escalate privileges, harvest credentials, and move laterally using both built-in Windows utilities and custom malware components.
The payload ultimately encrypts critical data and exfiltrates sensitive files, demanding ransom under the “.x2anylock” extension.
Trend Micro analysts noted that Warlock first appeared on underground forums in June 2025, shortly after vulnerabilities in SharePoint authentication and deserialization mechanisms were disclosed.
Within days, the group claimed multiple high-profile victims across governmental, financial, and manufacturing sectors worldwide.
Researchers identified code patterns reminiscent of the leaked LockBit 3.0 builder, suggesting that Warlock may be a customized derivative rather than a wholly original creation.
This affiliation is further supported by similarities in negotiation tactics and ransom note formatting.
The impact of Warlock extends beyond encryption. During the final stage of an attack, operators employ the legitimate synchronization tool RClone—rebranded as TrendSecurity.exe—to siphon off credentials, documents, and database files to external cloud storage. This exfiltration phase uses a Proton Drive back end, leveraging burner credentials to obscure the destination.
In addition, the ransomware disables or terminates endpoint protection services by deploying a malicious driver (googleApiUtil64.sys) to kill security processes, including Trend Micro’s own netagent and VOneAgentConsoleTray.
Activating the ‘guest’ account (Source – Trend Micro)
Such actions highlight the sophistication of Warlock’s defense-evasion tactics. One critical subtopic that exemplifies Warlock’s stealthy approach is its persistence mechanism.
After successfully uploading a web shell, attackers deploy a batch script named TakeOver.bat, which automates the creation of a backdoor account and the installation of scheduled tasks.
The script begins by activating the built-in “guest” account and adding it to the local Administrators group:-
net user guest P@ssw0rd! /active:yes
net localgroup administrators guest /add
Next, it copies the malicious payload and ancillary tools from a remote share into C:\Users\Public\, using:-
This ensures that the payload survives system reboots and continues to run under minimal scrutiny.
Researchers identified that the script also creates a new Group Policy Object named “TakeOver” to reinstate the backdoor account if remediation attempts are made.
Execution of batch file eventually leading to ransomware deployment (Source – Trend Micro)
By combining web shell exploitation, group policy abuse, and driver-based process termination, Warlock achieves a resilient presence within compromised networks.
Its modular design and use of legitimate utilities further complicate detection and response efforts.
As organizations continue to patch SharePoint vulnerabilities, defenders must also monitor for anomalous GPO modifications, unusual service installations, and renamed binaries within public folders to detect and mitigate Warlock-infected environments.
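The indicators in this write-up (guest account enabled and added to Administrators, a GPO named TakeOver, binaries and a scheduled task under C:\Users\Public\, RClone renamed to TrendSecurity.exe, the googleApiUtil64.sys driver) map onto a handful of Windows event types. The Python below is an added example for this page, not Trend Micro's detection content. It runs those rules over constructed, simplified event records; the field names are assumptions for the example, and the event IDs are the standard ones (4722 account enabled, 4732 local group membership added, 4688 process created, 4698 scheduled task created, 5137 directory object created, 7045 service installed).

```python
import ntpath
from datetime import datetime, timedelta

# Constructed, simplified event records; field names are assumptions for this example.
# Event IDs: 4722 account enabled, 4732 member added to a local group, 4688 process
# created, 4698 scheduled task created (Security log); 5137 directory object created
# (Security log on a DC, used for GPO creation); 7045 service installed (System log).
# original_file_name is the PE version-info field Sysmon-style process telemetry carries.
EVENTS = [
    {"host": "SP01", "ts": "2025-07-20T03:12:01", "event_id": 4722, "target_user": "guest"},
    {"host": "SP01", "ts": "2025-07-20T03:12:02", "event_id": 4732,
     "group": "Administrators", "member": "guest"},
    {"host": "SP01", "ts": "2025-07-20T03:12:10", "event_id": 4688,
     "process": "C:\\Users\\Public\\TrendSecurity.exe", "original_file_name": "rclone.exe"},
    {"host": "SP01", "ts": "2025-07-20T03:12:15", "event_id": 4698,
     "task_name": "\\TakeOver", "task_content": "C:\\Users\\Public\\TrendSecurity.exe"},
    {"host": "SP01", "ts": "2025-07-20T03:12:30", "event_id": 7045,
     "service_name": "googleApiUtil64", "image_path": "C:\\Users\\Public\\googleApiUtil64.sys"},
    {"host": "DC01", "ts": "2025-07-20T03:13:40", "event_id": 5137,
     "object_class": "groupPolicyContainer", "display_name": "TakeOver"},
    {"host": "WS07", "ts": "2025-07-20T08:00:00", "event_id": 4688,
     "process": "C:\\Windows\\System32\\svchost.exe", "original_file_name": "svchost.exe"},
]

GUEST_WINDOW = timedelta(minutes=10)   # assumed correlation window for enable -> admin add
PUBLIC_DIR = "c:\\users\\public\\"


def ts(e):
    return datetime.fromisoformat(e["ts"])


def detect(events) -> list:
    """Return (rule, host, ts) findings for the persistence pattern described above."""
    findings = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        evs = sorted(evs, key=ts)
        guest_enabled = [ts(e) for e in evs
                         if e["event_id"] == 4722 and e.get("target_user", "").lower() == "guest"]
        for e in evs:
            eid = e["event_id"]
            if (eid == 4732 and e.get("group", "").lower() == "administrators"
                    and e.get("member", "").lower() == "guest"
                    and any(timedelta(0) <= ts(e) - t <= GUEST_WINDOW for t in guest_enabled)):
                findings.append(("guest_enabled_then_admin", host, e["ts"]))
            elif eid == 4688:
                proc = e.get("process", "")
                if proc.lower().startswith(PUBLIC_DIR):
                    findings.append(("exec_from_users_public", host, e["ts"]))
                orig = e.get("original_file_name", "")
                # A binary whose on-disk name differs from its PE original name is
                # the "rebranded RClone" case (TrendSecurity.exe vs rclone.exe).
                if orig and orig.lower() != ntpath.basename(proc).lower():
                    findings.append(("renamed_binary", host, e["ts"]))
            elif eid == 4698 and PUBLIC_DIR in e.get("task_content", "").lower():
                findings.append(("scheduled_task_from_users_public", host, e["ts"]))
            elif (eid == 7045
                    and ntpath.basename(e.get("image_path", "")).lower() == "googleapiutil64.sys"):
                findings.append(("known_process_killer_driver", host, e["ts"]))
            elif (eid == 5137 and e.get("object_class") == "groupPolicyContainer"
                    and e.get("display_name", "").lower() == "takeover"):
                findings.append(("takeover_gpo_created", host, e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The name-based rules (TakeOver, googleApiUtil64.sys) are cheap but brittle, since the operators can rename both; the guest-enable-then-admin correlation, execution from C:\Users\Public\ and the original-filename mismatch are the parts that survive a rename and are the ones worth keeping as standing detections.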
Security researchers have uncovered a novel malware delivery chain in recent weeks that leverages the Internet Archive’s legitimate infrastructure to host obfuscated payloads.
The attack begins with a seemingly innocuous JScript file delivered via malspam, which in turn invokes a PowerShell loader.
This PowerShell script reaches out to the Internet Archive (archive.org) to retrieve a benign-looking PNG image that, upon closer inspection, houses a hidden .NET loader encoded within its pixel data.
Researchers noted that this clever repurposing of a trusted web property allowed the attackers to blend malicious traffic seamlessly with legitimate archival requests, complicating detection efforts.
VMRay analysts identified the initial JScript loader as the first stage, executed when a victim opens a malicious attachment. The script instantiates a WScript.Shell object and executes PowerShell with a Base64-encoded command string.
When decoded, the command connects to a URL under archive.org, downloads image.png, and passes it to an in-memory .NET assembly extractor.
The extraction routine reads each pixel’s RGB values and reconstructs the original DLL byte stream.
Finding and extraction (Source – X)
In a matter of seconds, the .NET loader establishes persistence by creating a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
It then decompresses and launches the final payload: a Remcos remote access trojan. The Remcos instance connects to its command-and-control (C2) server via a Duck DNS subdomain, ensuring dynamic resolution and redundancy.
Subsequent beaconing and module loading occur entirely in memory, leaving minimal forensic artifacts on disk. This memory-only execution chain highlights the adversary’s emphasis on evading traditional signature-based detection tools.
The implications of abusing a high-reputation archive for malware hosting are profound. By embedding malicious code within an innocuous image on archive.org, attackers exploit the archive’s HTTPS certificates and content delivery network to avoid raising red flags.
Network defenders may see only an encrypted HTTPS request to archive.org, which is typically whitelisted, thereby bypassing firewall and proxy inspection.
The obfuscation layers—JScript, Base64, RGB pixel encoding, in-memory .NET execution—compound the stealth of the campaign.
using System.Collections.Generic;
using System.Drawing;

// Pixel walk used by the .NET loader: every non-black pixel contributes its R, G and B
// values, in raster order, to the hidden byte stream; pure-black pixels are padding.
public byte[] ExtractPayload(Bitmap bmp) {
    List<byte> bytes = new List<byte>();
    for (int y = 0; y < bmp.Height; y++) {
        for (int x = 0; x < bmp.Width; x++) {
            Color pixel = bmp.GetPixel(x, y);
            if (!(pixel.R == 0 && pixel.G == 0 && pixel.B == 0)) {
                bytes.Add(pixel.R);
                bytes.Add(pixel.G);
                bytes.Add(pixel.B);
            }
        }
    }
    // Decompress is the loader's own routine (not shown in this excerpt); the
    // reassembled bytes are the compressed DLL.
    return Decompress(bytes.ToArray());
}
Here, the infection mechanism runs from JScript invocation through in-memory payload deployment, and each stage subverts a common defensive control along the way.
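The pixel-encoding scheme above also gives defenders a signal: an image that carries a compressed byte stream in its non-black pixels has a near-maximal byte entropy in that region and a lot of pure-black padding, which ordinary photographs do not. The following Python is an added example for this page, not VMRay's or the loader's code. It models an image as rows of (r, g, b) tuples so it runs with the standard library alone (a real scanner would read pixels with Pillow), reassembles the carrier bytes the same way the loader does, and scores them; the entropy and black-fraction thresholds are assumptions for the example, and both sample images are constructed.

```python
import math
import random
from collections import Counter

# Images are modelled as a list of rows of (r, g, b) tuples so the example runs
# with the standard library only; a real scanner would read pixels with Pillow.


def carrier_bytes(pixels) -> bytes:
    """Reassemble the byte stream the loader would see: R, G, B of every non-black pixel."""
    out = bytearray()
    for row in pixels:
        for r, g, b in row:
            if (r, g, b) != (0, 0, 0):
                out += bytes((r, g, b))
    return bytes(out)


def black_fraction(pixels) -> float:
    total = sum(len(row) for row in pixels)
    black = sum(1 for row in pixels for p in row if p == (0, 0, 0))
    return black / total if total else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_compressed(data: bytes) -> bool:
    """Magic-number check for gzip or zlib framing at the start of the stream."""
    if len(data) < 2:
        return False
    if data[:2] == b"\x1f\x8b":
        return True
    return data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0


# Thresholds are assumptions for this example, not values from the report.
ENTROPY_THRESHOLD = 7.5
BLACK_THRESHOLD = 0.25


def assess(pixels) -> dict:
    """Score one image; flagged when it looks like a padded high-entropy carrier."""
    data = carrier_bytes(pixels)
    ent = shannon_entropy(data)
    blk = black_fraction(pixels)
    flagged = looks_compressed(data) or (ent >= ENTROPY_THRESHOLD and blk >= BLACK_THRESHOLD)
    return {"carrier_bytes": len(data), "entropy": round(ent, 2),
            "black_fraction": round(blk, 3), "compressed_header": looks_compressed(data),
            "flagged": flagged}


def make_carrier(width=64, height=64, payload_pixels=1000, seed=1):
    """Constructed stego-style image: black canvas, first N pixels hold random bytes."""
    rng = random.Random(seed)
    flat = [(0, 0, 0)] * (width * height)
    for i in range(payload_pixels):
        px = (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        flat[i] = px if px != (0, 0, 0) else (1, 1, 1)  # keep every payload pixel non-black
    return [flat[y * width:(y + 1) * width] for y in range(height)]


def make_gradient(width=64, height=64):
    """Constructed ordinary image: a smooth colour gradient with no black pixels."""
    return [[(x * 4 % 256, y * 4 % 256, 128) for x in range(width)] for y in range(height)]


if __name__ == "__main__":
    print("carrier:", assess(make_carrier()))
    print("gradient:", assess(make_gradient()))
```

The entropy test is the robust part: it does not depend on the loader's particular compression format, only on the fact that a compressed DLL has no byte-level structure left. The magic-number check is a bonus for the cases where the stream starts with a gzip or zlib header, and a mail or proxy gateway could run both on any PNG fetched by a script host rather than a browser.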
Mozilla has released Firefox 142 to address multiple high-severity security vulnerabilities that could allow attackers to execute arbitrary code remotely on affected systems.
The security advisory, published on August 19, 2025, reveals nine distinct vulnerabilities ranging from sandbox escapes to memory safety bugs, with several classified as high-impact threats capable of enabling remote code execution (RCE).
Key Takeaways
1. Firefox 142 patches 9 vulnerabilities that enable remote code execution and sandbox escapes.
2. Attackers can execute arbitrary code through memory corruption and security bypass exploits.
3. Immediate Firefox upgrade required to prevent remote attacks.
The most critical vulnerabilities include CVE-2025-9179, a sandbox escape vulnerability in the Audio/Video GMP (Gecko Media Plugin) component reported by security researcher Oskar.
This flaw enables memory corruption within the heavily sandboxed GMP process responsible for handling encrypted media content, potentially allowing attackers to escalate privileges beyond the standard content process restrictions.
Mozilla RCE Vulnerabilities
The vulnerability landscape includes CVE-2025-9180, a same-origin policy bypass affecting the Graphics Canvas2D component, discovered by researcher Tom Van Goethem.
This security flaw undermines the fundamental web security model that prevents cross-origin resource access, potentially enabling malicious websites to access sensitive data from other domains.
Three separate memory safety vulnerabilities pose significant RCE risks. CVE-2025-9187 affects Firefox 141 and Thunderbird 141, while CVE-2025-9184 impacts Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141.
The most widespread issue, CVE-2025-9185, affects multiple Extended Support Release (ESR) versions including Firefox ESR 115.26, 128.13, and 140.1, alongside their Thunderbird counterparts.
Mozilla’s security team, including researchers Andy Leiserson, Maurice Dauer, Sebastian Hengst, and the Mozilla Fuzzing Team, identified these memory corruption bugs that demonstrate clear evidence of exploitability for arbitrary code execution.
Additional vulnerabilities include CVE-2025-9181, an uninitialized memory issue in the JavaScript Engine component reported by Irvan Kurniawan, and several lower-severity issues affecting address bar spoofing and denial-of-service conditions in the WebRender graphics component.
CVE ID | Title | Severity
CVE-2025-9179 | Sandbox escape due to invalid pointer in Audio/Video GMP component | High
CVE-2025-9180 | Same-origin policy bypass in Graphics Canvas2D component | High
CVE-2025-9181 | Uninitialized memory in JavaScript Engine component | Moderate
CVE-2025-9182 | Denial-of-service due to out-of-memory in Graphics WebRender component |
 | Memory safety bugs in multiple ESR versions and Firefox 142/Thunderbird 142 | High
CVE-2025-9186 | Spoofing issue in Address Bar component of Firefox Focus for Android | Low
CVE-2025-9187 | Memory safety bugs in Firefox 142 and Thunderbird 142 | High
Mitigations
Organizations and individual users must prioritize immediate updates to Firefox 142 to mitigate these critical security risks.
The memory safety vulnerabilities particularly concern enterprise environments, as they affect both standard Firefox releases and ESR versions commonly deployed in corporate settings.
Security professionals should implement defense-in-depth strategies, including network segmentation, endpoint detection and response (EDR) solutions, and application sandboxing technologies, to limit potential exploitation impact.
The GMP sandbox escape vulnerability highlights the importance of process isolation mechanisms, even within already sandboxed environments.
Mozilla’s coordinated disclosure timeline and comprehensive patch coverage across multiple product branches demonstrate effective vulnerability management practices.
However, the discovery of memory corruption issues with RCE potential emphasizes the ongoing security challenges in modern browser architecture, particularly within complex media processing and graphics rendering subsystems that handle untrusted content from diverse web sources.
The Federal Bureau of Investigation (FBI) has issued a stark warning to the public, private sector, and international partners regarding persistent cyber threats from actors affiliated with the Russian Federal Security Service’s (FSB) Center 16. This unit, recognized in cybersecurity circles under monikers such as “Berserk Bear” and “Dragonfly,” has been actively exploiting vulnerabilities in […]