CISO Brief

All news with #arctic wolf tag

6 articles

Attackers Exploit CVE-2025-32975 to Hijack KACE SMA

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.

Fortinet FortiGate SSO Exploited to Steal Configs Remotely

🚨 Cybersecurity firm Arctic Wolf reports automated attacks against Fortinet FortiGate devices that exploit the FortiCloud SSO feature to create rogue admin accounts and rapidly export firewall configurations. The campaign began January 15 and mirrors December exploitation tied to CVE-2025-59718. Observed indicators include SSO logins from cloud-init@mail.io and IP 104.28.244.114. Administrators are advised to disable FortiCloud SSO until Fortinet issues a complete fix.

Cybersecurity M&A Roundup: Giants Strengthen AI Security

🛡️ November 2025 saw a flurry of cybersecurity acquisitions as major vendors raced to embed AI, observability and exposure management across their portfolios. Deals included Palo Alto Networks' $3.35bn purchase of Chronosphere, LevelBlue's completion of its Cybereason acquisition, and Bugcrowd's acquisition of AI app-security firm Mayhem. Other moves saw Safe Security acquire Balbix, Zscaler buy SPLX, and Arctic Wolf agree to acquire UpSight to bolster ransomware prevention. Collectively these transactions accelerate AI-driven automation and resilience across cloud, endpoint and software security.

RomCom Uses SocGholish to Deliver Mythic Agent to US Firms

🔒 Arctic Wolf Labs observed a targeted September 2025 campaign in which the Russia-aligned RomCom group used fake browser-update prompts to deliver the Mythic Agent implant via a classic SocGholish chain. Researchers say this is the first observed instance of RomCom pairing SocGholish initial access with a Mythic C2-based loader. The intrusion was stopped before impact, and Arctic Wolf published IOCs and mitigation guidance.

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

Chinese-Linked Hackers Exploit Windows Shortcut Flaw

🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.