All news with #active exploitation tag

Fri, October 31, 2025

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

Fri, October 31, 2025

China-linked Tick exploits Lanscope flaw to deploy backdoor

⚠️ Sophos and JPCERT/CC have linked active exploitation of a critical Motex Lanscope Endpoint Manager vulnerability (CVE-2025-61932, CVSS 9.3) to the China-aligned Tick group. Attackers leveraged the flaw to execute SYSTEM-level commands and drop a Gokcpdoor backdoor, observed in both server and client variants that create covert C2 channels. The campaign used DLL side-loading to run an OAED Loader, deployed the Havoc post-exploitation framework on select hosts, and used tools like goddi and tunneled Remote Desktop for lateral movement. Organizations are advised to upgrade or isolate internet-facing LANSCOPE servers and review deployments of the MR and DA agents.

Fri, October 31, 2025

Chinese-Linked Hackers Exploit Windows Shortcut Flaw

🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.

Fri, October 31, 2025

Chinese Hackers Exploit Windows LNK Zero-Day to Spy

🔒 A China-linked threat group is exploiting a high-severity Windows .LNK zero-day (CVE-2025-9491) to deploy the PlugX remote-access trojan against European diplomatic targets. The campaign begins with spearphishing that delivers malicious shortcut files themed around NATO and European Commission events. Researchers at Arctic Wolf Labs and StrikeReady attribute the activity to UNC6384 (Mustang Panda) and report the operation has expanded beyond Hungary and Belgium to other EU states. With no official patch available, defenders are urged to restrict .LNK usage and block identified C2 infrastructure.

Fri, October 31, 2025

CISA Flags VMware Tools Zero-Day in KEV Catalog; Exploited

🛡️ CISA has added the high-severity flaw CVE-2025-41244, impacting Broadcom VMware Tools and VMware Aria Operations, to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The bug (CVSS 7.8) allows a malicious local, non-administrative user with VM access and SDMP enabled to escalate privileges to root on the same VM. Broadcom-owned VMware released a patch last month, but NVISO Labs says the zero-day was exploited in the wild since mid-October 2024 and attributes activity to a China-linked actor tracked as UNC5174. Federal civilian agencies must implement mitigations by November 20, 2025.

Thu, October 30, 2025

CISA orders federal patch for VMware Tools privilege bug

⚠️ CISA has ordered Federal Civilian Executive Branch agencies to remediate a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools (CVE-2025-41244), patched by Broadcom in October 2024. The flaw enables a local, non-administrative user on a VM to escalate privileges to root when Aria Operations’ SDMP is enabled or when VMware Tools runs in credential-less mode. Agencies must patch within three weeks under BOD 22-01; CISA also urges all organizations to prioritize mitigations or discontinue affected products if no fix is available.

Thu, October 30, 2025

CISA Adds Two CVEs to Known Exploited Vulnerabilities

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-24893 (XWiki Platform eval injection) and CVE-2025-41244 (Broadcom VMware Aria Operations and VMware Tools privilege-defined unsafe actions). Evidence indicates active exploitation and substantial risk to the federal enterprise. Under BOD 22-01, affected FCEB agencies must remediate by required due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Wed, October 29, 2025

Russian-Origin Threat Actors Target Ukrainian Organizations

🔴 Symantec and Carbon Black reported a Russian-origin campaign that targeted a large business services firm and a local government entity in Ukraine, relying on web shells and living-off-the-land techniques to reduce detection. Early activity began on June 27, 2025 with deployment of the LocalOlive web shell, PowerShell exclusions, scheduled memory dumps and credential-theft attempts. Operators used dual-use tools (OpenSSH, RDP changes, winbox64.exe), PowerShell backdoors and native Windows utilities to maintain persistence while minimizing custom malware use. Researchers noted strong Windows tradecraft but could not conclusively attribute the intrusions to a named Russian group.

Wed, October 29, 2025

BlueNoroff Returns with GhostCall and GhostHire Campaigns

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.

Wed, October 29, 2025

Ransomware Hits Swedish Grid Operator Svenska kraftnät

🔒 On October 25, 2025 the ransomware group Everest listed state grid operator Svenska kraftnät on its darknet leak site, claiming about 280 GB of stolen data. Svenska kraftnät confirmed on October 26 that attackers accessed certain sensitive information via an isolated external file-transfer solution and said investigations are underway. The utility — which operates roughly 16,000 km of high-voltage lines — said there is currently no indication the physical grid was affected and that it is coordinating with police and national cybersecurity authorities.

Wed, October 29, 2025

Active Exploits Target DELMIA Apriso and XWiki — CISA

⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.

Tue, October 28, 2025

CISA Warns of Two Actively Exploited DELMIA Flaws Now

⚠️ CISA has confirmed active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Both flaws were patched by the vendor in early August 2025 and affect Releases 2020 through 2025. Federal agencies must remediate within three weeks under BOD 22-01, and CISA urges all organizations to prioritize vendor mitigations or discontinue use if no fixes exist.

Tue, October 28, 2025

Herodotus Android Trojan Mimics Humans to Evade Fraud

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.

Tue, October 28, 2025

Chrome zero-day exploited in targeted Operation ForumTroll

🔒 A critical Chrome zero-day (CVE-2025-2783) has been actively exploited in a targeted espionage operation Kaspersky calls "Operation ForumTroll," attributed to the threat actor Mem3nt0 mori. Attackers used highly personalized phishing invites and one-click, short-lived links to deliver a sandbox-escape exploit that enabled code execution in Chrome's browser process. Google moved quickly with fixes in Chrome 134.0.6998.177/.178, while related issues were later patched in Firefox as CVE-2025-2857.

Tue, October 28, 2025

BlueNoroff (Lazarus) GhostCall and GhostHire Campaigns

🛡️ A Kaspersky GReAT analysis describes two BlueNoroff campaigns—GhostCall and GhostHire—linked to the Lazarus threat actor and focused on the cryptocurrency sector. GhostCall targets executives, often on macOS, using investor-themed social engineering and fake meeting portals that prompt malicious updates and downloads. GhostHire lures blockchain developers with job offers and Telegram bots that point to GitHub test tasks or archived files with tight deadlines; performing the tasks leads to infection. The campaigns share a common management infrastructure and multiple infection chains; technical details and indicators of compromise are published on Securelist.

Tue, October 28, 2025

Actively Exploited WSUS RCE Prompts Urgent Patching

⚠️ Microsoft has released an out-of-band patch for a critical WSUS vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution by sending malicious encrypted cookies to the GetCookie() endpoint. Security vendors Huntress and HawkTrace reported active exploitation of publicly exposed WSUS instances on TCP ports 8530 and 8531. Administrators should prioritize applying the update immediately; if that is not possible, isolate WSUS servers, restrict access to management hosts and Microsoft Update servers, and block inbound traffic to ports 8530/8531 until systems are remediated.

Tue, October 28, 2025

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

Tue, October 28, 2025

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.

Mon, October 27, 2025

Critical WSUS RCE (CVE-2025-59287) Actively Exploited

⚠️ A critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services was identified as CVE-2025-59287 and observed being actively exploited in October 2025. The flaw stems from unsafe deserialization in WSUS endpoints (GetCookie and ReportingWebService) and enables remote attackers to execute arbitrary code as SYSTEM. Microsoft issued an emergency out-of-band patch on Oct 23 after initial Patch Tuesday fixes were incomplete; organizations should apply the update or follow temporary mitigations such as disabling the WSUS Server Role or blocking inbound TCP ports 8530/8531 immediately.

Mon, October 27, 2025

Qilin Ransomware: Over 40 Victims Listed Monthly in 2025

🔒 Cisco Talos reports that Qilin ransomware sustained a surge through the second half of 2025, publishing more than 40 victim listings per month on its leak site and peaking at roughly 100 postings in June and August. The group uses a double-extortion model, encrypting systems and threatening to publish stolen data if ransoms are not paid. Operating as a RaaS, Qilin and its affiliates have heavily targeted manufacturing, professional/scientific services and wholesale trade. Investigators observed use of Cyberduck, standard Windows utilities for file viewing, and dual encryptors that spread laterally via PsExec and encrypt multiple network shares.