Cyber Security Week in Review: March 21, 2025

Windows shortcut exploit abused as zero-day in widespread APT campaigns

A zero-day vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373, has been widely exploited by state-sponsored threat actors since 2017. The vulnerability lies in the way Windows processes shortcut files (.lnk), enabling attackers to execute malicious commands on victims' systems without detection. Nearly 1,000 malicious .lnk files leveraging the vulnerability have been discovered, and the true number of exploitation attempts is likely much higher. The vulnerability has been exploited by 11 state-sponsored APT groups from countries including North Korea, Iran, Russia, and China, with targets spanning sectors such as government, finance, telecommunications, and military across multiple continents. ZDI said that it informed Microsoft about the issue but the company declined to release a patch.

Additionally, two other high-risk vulnerabilities are being actively exploited. Apache Tomcat has a remote code execution flaw (CVE-2025-24813) that allows attackers to gain full control over servers through a simple PUT request. Proof-of-concept exploits for this vulnerability were shared on GitHub shortly after its disclosure. Another critical vulnerability (CVE-2024-48248) affecting NAKIVO Backup & Replication software allows unauthenticated attackers to access sensitive files. The flaw has been added to the US CISA’s Known Exploited Vulnerabilities catalog. Lastly, two critical vulnerabilities in Cisco Smart Licensing Utility (CVE-2024-20439 and CVE-2024-20440) are also being exploited. These flaws are a hard-coded credentials issue and an information disclosure vulnerability, respectively, enabling attackers to gain unauthorized access to systems and APIs.

A critical security flaw in PHP, tracked as CVE-2024-4577, is being exploited by threat actors to deploy cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability affects Windows-based systems running PHP in CGI mode, allowing attackers to execute arbitrary code remotely. Bitdefender reports a surge in exploit attempts since late 2024, with the highest concentration of attacks observed in Taiwan, Hong Kong, and Brazil.

UAT-5918 info-stealing campaign targets critical infrastructure entities in Taiwan

Cisco Talos' threat intelligence team uncovered a malicious campaign, tracked as UAT-5918, which has been active since at least 2023. The campaign gains initial access by exploiting unpatched vulnerabilities in exposed web and application servers. Once inside, UAT-5918 uses open-source tools for network reconnaissance and to identify further exploitation opportunities. The tactics, tools, and techniques employed by UAT-5918 share similarities with other state-sponsored threat groups, including Volt Typhoon and Flax Typhoon, in the use of tools like In-Swor, Mimikatz, and Metasploit. The campaign focuses on information theft, deploying web shells and creating multiple entry points into target systems for continued access.

A Chinese cyber-espionage group called FishMonger has been linked to I-SOON, a technology contractor indicted by the US Department of Justice for involvement in global cyberattacks. Operating under the Winnti Group, FishMonger has targeted governments, NGOs, and think tanks worldwide since at least 2019. The group, also known as Earth Lusca, TAG-22, and others, primarily operates from Chengdu, China. ESET's findings reveal that FishMonger carried out Operation FishMedley in 2022, compromising seven organizations globally using malware like ShadowPad, SodaMaster, and Spyder, which are associated with China-aligned threat actors.

A separate report from ESET details a new cyberespionage campaign dubbed ‘Operation AkaiRyū’ (translated as RedDragon), carried out by the China-aligned advanced persistent threat (APT) group MirrorFace.

Traditionally focused on Japan, the observed campaign is notable for its expansion into Europe, specifically targeting a Central European diplomatic institute, which marks the first known instance of MirrorFace targeting a European entity. The campaign involved updated versions (5.5.0 and 5.5.4) of the ANEL backdoor, previously linked to APT10 but since considered obsolete. Researchers now classify MirrorFace as a subgroup of APT10 due to shared tools and targeting patterns. Additionally, MirrorFace used a heavily customized version of AsyncRAT, embedded in a complex execution chain that used a Windows Sandbox to run the RAT.

Security researchers at DomainTools have released a detailed analysis revealing the ongoing use of specific domain registrars by Russian state-sponsored disinformation actors, despite increasing efforts to curb their activities. These actors, including well-known groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on domain registrations to impersonate trusted organizations, spread false narratives, and conduct cyber-enabled espionage.

The Ukrainian government’s Computer Emergency Response Team (CERT-UA) has observed an increasing number of targeted cyberattacks aimed at employees within the defense-industrial complex and select representatives of the Ukrainian Armed Forces. The attacks, which have been ongoing, have been detected across several different platforms, including the popular messaging application Signal.

GitHub action compromise exposes secret tokens in build logs

A security breach involving the popular GitHub Action, tj-actions/changed-files, has put thousands of repositories at risk, potentially exposing sensitive CI/CD secrets like AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. The attack, tracked as CVE-2025-30066, involved a threat actor inserting a malicious Python script into the action's code, which caused secret tokens to be logged in plain text in build logs, exposing them if the logs were publicly accessible.
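The incident combines two exposures that a repository owner can check for directly: a third-party action referenced by a mutable tag (which whoever controls that repository can retarget) and credential-shaped strings printed into build logs. The following Python script is an added example written for this digest, not code from tj-actions, GitHub or the researchers; the workflow and log excerpt are constructed, and the token patterns are the publicly documented prefixes (AKIA, ghp_, npm_) rather than anything taken from the incident.

```python
import re
from dataclasses import dataclass

# --- Part 1: are third-party actions pinned to an immutable commit SHA? ---

# One "uses:" line per step; captures the action reference (quoted or bare).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
# Only a full 40-hex commit SHA cannot be retargeted by the action's maintainer.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    action: str
    ref: str
    reason: str


def audit_workflow(yaml_text: str) -> list[Finding]:
    """Return every third-party action reference that is not pinned to a commit SHA."""
    findings: list[Finding] = []
    for m in USES_RE.finditer(yaml_text):
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        if "@" not in spec:
            findings.append(Finding(spec, "", "no ref: floats to the default branch"))
            continue
        action, ref = spec.rsplit("@", 1)
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(action, ref, "mutable tag/branch ref instead of a commit SHA"))
    return findings


# --- Part 2: did a build log contain credential-shaped strings? ---

# Token kinds named in the incident; the regexes are the publicly documented prefixes.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def find_leaked_secrets(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, secret_kind) for every log line that looks like it holds a secret."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, kind))
    return hits


# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: example-org/unpinned-action
      - name: test
        run: make test
"""

# Constructed log excerpt; the token-shaped values are fake and non-functional.
SAMPLE_LOG = """\
2025-03-14T10:00:01Z step 3: listing changed files
2025-03-14T10:00:02Z AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
2025-03-14T10:00:02Z GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
2025-03-14T10:00:03Z done
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"UNPINNED {f.action}@{f.ref or '<none>'}: {f.reason}")
    for lineno, kind in find_leaked_secrets(SAMPLE_LOG):
        print(f"POSSIBLE LEAK line {lineno}: {kind}")
```

Run against a checkout of `.github/workflows/*.yml`, the first function lists every step that would silently pick up a retagged release; the second is the triage pass to run over archived job logs for the window in which a compromised action was in use, after which any matching credential is treated as exposed and rotated regardless of whether the log was public.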

In a separate incident, researchers uncovered a malicious campaign targeting Python Package Index (PyPI) users, where 20 fraudulent libraries designed as “time” utilities were found to steal sensitive data like cloud access tokens. These packages, downloaded over 14,100 times, targeted major cloud services like AWS, Alibaba Cloud, and Tencent Cloud, exfiltrating secrets from users.

Researchers from Pillar Security have discovered a previously undocumented supply chain attack vector that threatens the integrity of AI-powered code development tools. Dubbed the ‘Rules File Backdoor,’ the technique enables cybercriminals to silently compromise AI-generated code by injecting malicious instructions into seemingly innocuous configuration files used by popular AI-driven code editors, such as Cursor and GitHub Copilot. By exploiting hidden Unicode characters and employing advanced evasion techniques, attackers can alter the behavior of AI models, making them produce malicious code that goes undetected by human security teams.

Leaked chat logs suggest Black Basta RaaS' potential link to Russian authorities

A recent leak of over 200,000 internal chat logs has exposed potential ties between the BlackBasta ransomware gang and Russian authorities. Released by a Telegram user @ExploitWhispers in February 2025, the logs suggest that BlackBasta's leader, Oleg Nefedov, had connections with high-ranking Russian officials. The logs reveal that Nefedov escaped detention in Armenia in 2024 with possible help from Russian authorities, who may have suppressed Interpol requests. The messages also indicate that BlackBasta intended to continue their operations, with references to Russia's invasion of Ukraine. Additionally, the logs reveal the gang's use of advanced cybercrime tools, such as “BRUTED” for credential-stuffing and brute-force attacks.

A new report from SentinelOne looks into the pro-Russian hacktivist group Dragon RaaS, aka DragonRansom or Dragon Team, a ransomware actor engaged in both hacktivism and cybercrime. It emerged in July 2024 as an offshoot of the Stormous ransomware gang, itself part of a larger cybercrime syndicate called ‘The Five Families,’ which also includes ThreatSec, GhostSec, Blackforums, and SiegedSec.

Although Dragon RaaS positions itself as a sophisticated Ransomware-as-a-Service operation, its attacks often involve defacements and opportunistic strikes, rather than large-scale ransomware extortion. The group primarily targets smaller organizations with weak security, often exploiting misconfigurations, brute-force attacks, and stolen credentials. Its victims are typically located in the United States, Israel, United Kingdom, France, and Germany.

A new backdoor, named ‘Betruger’ by Symantec researchers, has been linked to recent ransomware attacks, specifically to an affiliate of the RansomHub ransomware-as-a-service operation. Betruger is a multi-functional backdoor designed for use in ransomware attacks, with capabilities such as keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command-and-control server.

Large-scale ad fraud campaign steals user credentials and credit card data

Security researchers at Bitdefender have uncovered a massive ad fraud campaign, with 331 malicious applications identified. The apps, which were initially presented as harmless utility tools, have been used to flood users' devices with out-of-context ads and engage in phishing activities, including attempts to steal user credentials and credit card information.

In other news, Microsoft Incident Response researchers discovered StilachiRAT, a sophisticated remote access trojan (RAT) designed to evade detection, maintain persistence, and exfiltrate sensitive data. The malware targets various data, including browser credentials, digital wallet details, clipboard contents, and system data, using the WWStartupCtrl64.dll module.

Secure Annex’s recent report dives into how users’ browser extensions could be sold to malicious actors without users’ knowledge.

The US lifts sanctions against Tornado Cash crypto mixer linked to North Korean Lazarus’ thefts

The US Department of Treasury announced the removal of sanctions against Tornado Cash, a cryptocurrency mixer previously sanctioned in August 2022 for aiding in laundering over $7 billion. Tornado Cash had been used by North Korea's Lazarus hacking group to launder stolen funds, including approximately $455 million from the $620 million Ethereum theft from Axie Infinity's Ronin network in April 2022.

Speaking of North Korean hackers, North Korea has reportedly created a new cyber unit within its military intelligence agency, tasked with advancing offensive hacking technologies. The newly established Research Center 227 will function under the Reconnaissance General Bureau (RGB), the agency responsible for overseeing the nation's foreign hacking activities. Several of the country's APT (Advanced Persistent Threat) groups are run by RGB’s Bureaus 3, 5, 121, and 325. The center officially began operations earlier this month and is expected to employ approximately 90 cybersecurity professionals.
