Critical RCE in @nestjs/devtools-integration — A critical remote code execution flaw (CVE-2025-54782, CVSS score: 9.4) has been uncovered in @nestjs/devtools-integration, a NestJS npm package downloaded over 56,000 times per week. The package sets up a local development server with an endpoint that executes arbitrary code inside a JavaScript "sandbox" built with the node:vm module and the now-abandoned safe-eval, ultimately allowing for execution of untrusted user code in a sandboxed environment, Socket said. Further analysis has found that the sandbox is trivially escapable, and because the server is accessible on localhost, any malicious website can trigger code execution on a developer's machine via CSRF using the inspector/graph/interact endpoint. "Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine," NestJS maintainer Kamil Mysliwiec said in an advisory. "By chaining these issues, a malicious website can trigger the vulnerable endpoint and achieve arbitrary code execution on a developer's machine running the NestJS devtools integration."

Attackers Exploit Compromised Email Accounts for Attacks — Threat actors are increasingly using compromised internal or trusted business partner email accounts to send malicious emails to obtain initial access. "Using a legitimate trusted account affords an attacker numerous advantages, such as potentially bypassing an organization's security controls as well as appearing more trustworthy to the recipient," Talos said. The disclosure comes as bad actors are also continuing to exploit Microsoft 365's Direct Send feature to deliver phishing emails that appear to originate from within the organization by using a spoofed internal From address, which increases the likelihood that the social engineering attempt succeeds. The messages are injected into Microsoft 365 tenants via unsecured third-party email security appliances used as SMTP relays. "This tactic allows attackers to send malicious payloads to Microsoft 365 users with increased credibility, often resulting in successful delivery despite failed authentication checks," Proofpoint said.

Signal Warns it Will Exit Australia Over Encryption Backdoor Push — Signal Foundation president Meredith Whittaker said the secure messaging application will leave Australia if the government forces it to incorporate a backdoor into its encryption algorithm or demands access to encrypted user data. Earlier this year, the U.K. government issued a secret order demanding that Apple allow it access to encrypted user data to assist in investigations, resulting in Apple removing its Advanced Data Protection (ADP) feature for users in the region. While the U.K. government appears to be backing down from its earlier demand, Google told TechCrunch that, unlike Apple, it did not receive any request from the U.K. to build a secret backdoor. This is the first time Google has formally commented on the matter.

Google Hardens Chrome Extension Supply Chain Against Account Compromise — Google has rolled out a new security feature called Verified CRX Upload for Chrome extension developers that enforces cryptographic signatures for all Chrome extension updates and prevents bad actors from compromising developer accounts and publishing malicious updates to the Chrome Web Store (CWS). The protection is also designed to address scenarios where CWS code reviews may not flag such malicious updates. "When opting an extension into Verified CRX Upload, the developer gives Google a public key. After that, the developer can no longer upload unsigned ZIP files for that extension and must instead upload a CRX file signed with the corresponding private key," Google said [PDF]. "Verified upload acts as a second factor for the act of uploading to CWS. A malicious actor who compromises a developer's account password, session cookies, or even an OAuth token, would not be able to upload a malicious update unless they also gain access to the developer's private signing key."

Kimsuky Targets South Korea with Stealer Malware — The North Korea-linked Kimsuky hacking group has been linked to a spear-phishing campaign that targets South Korean entities using Windows shortcut (LNK) files as an initial access vector to trigger a multi-stage infection chain that deploys a keylogger and an information stealer, establishes persistent control over compromised hosts, and delivers unknown next-stage payloads. In parallel, users are shown lure PDF documents related to tax notices and government alerts about alleged sex offenders in the area. "Once inside, the malware performs extensive system profiling, steals credentials and sensitive documents, monitors user activity through keylogging and clipboard capture, and exfiltrates data in discreet segments over standard web traffic—helping it blend into normal network operations," Aryaka said.
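The NestJS devtools item above hinges on a loopback-only dev endpoint that any web page the developer visits can reach. As an added example, not code from NestJS, the package or Socket, here is the kind of cross-origin gate (origin allowlist, Sec-Fetch-Site check, JSON-only body) that such a localhost endpoint needs; the port, the allowed origins and the Express/Nest-style middleware shape are assumptions.

```javascript
// Added illustration, not code from @nestjs/devtools-integration, NestJS or
// Socket. Without a gate like this, any web page the developer visits can POST
// to the loopback server (CSRF), the condition CVE-2025-54782 chains with the
// sandbox escape. Port and origins below are assumed values.

// Origins of the local dev UI that may call the endpoint (assumed values).
const ALLOWED_ORIGINS = new Set(['http://localhost:8000', 'http://127.0.0.1:8000']);

// Decide whether a request may reach the code-executing endpoint.
// headers: object with lower-case keys, as Node/Express req.headers provides.
// Returns 'allow' or a short denial reason that is also suitable for logging.
function checkCrossOrigin(headers) {
  const origin = headers['origin'];
  const site = headers['sec-fetch-site'];
  const ctype = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  // Browsers attach Sec-Fetch-Site to every fetch. A third-party page yields
  // 'cross-site' (or 'same-site' for a sibling subdomain); refuse both.
  if (site !== undefined && site !== 'same-origin' && site !== 'none') {
    return `deny: sec-fetch-site=${site}`;
  }
  // Browser POSTs carry Origin; anything outside the allowlist is a foreign page.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return `deny: origin=${origin}`;
  }
  // Accept JSON only. A cross-origin JSON POST is not a "simple" request, so
  // the browser preflights it, and because the guard never emits
  // Access-Control-Allow-Origin the real POST is never sent. Form encodings
  // (text/plain, urlencoded, multipart) skip the preflight, so reject them.
  if (ctype !== 'application/json') {
    return `deny: content-type=${ctype || '(none)'}`;
  }
  return 'allow';
}

// Express/Nest-style middleware to mount in front of the sensitive route.
// Preflights get 204 with no CORS headers; rejected requests get 403 before
// the body is read, and the reason is logged so a blocked attempt is visible.
function devtoolsOriginGuard(req, res, next) {
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    res.end();
    return 'preflight';
  }
  const verdict = checkCrossOrigin(req.headers);
  if (verdict !== 'allow') {
    console.warn(`blocked ${req.method} ${req.url}: ${verdict}`);
    res.statusCode = 403;
    res.setHeader('content-type', 'text/plain');
    res.end('cross-origin request refused\n');
    return verdict;
  }
  next();
  return 'allow';
}

// Constructed requests: a legitimate call from the local dev UI, a CSRF
// attempt from a third-party page, and a curl-style call with no browser headers.
function demo() {
  const mkRes = () => ({ statusCode: 200, headers: {}, ended: false,
    setHeader(k, v) { this.headers[k] = v; }, end() { this.ended = true; } });
  const run = (headers) => {
    const res = mkRes();
    const req = { method: 'POST', url: '/inspector/graph/interact', headers };
    const verdict = devtoolsOriginGuard(req, res, () => {});
    return { verdict, status: res.statusCode };
  };
  return {
    devUi: run({ origin: 'http://localhost:8000', 'sec-fetch-site': 'same-origin',
                 'content-type': 'application/json' }),
    csrf: run({ origin: 'https://third-party.example', 'sec-fetch-site': 'cross-site',
                'content-type': 'text/plain' }),
    cli: run({ 'content-type': 'application/json' }),
  };
}
```

Binding the dev server to 127.0.0.1 only is still necessary; this guard addresses the browser-initiated path, not exposure to the network.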

Apple macOS Flaw Can Bypass TCC — Attackers could have used a recently patched macOS vulnerability to bypass Transparency, Consent, and Control (TCC) security checks and steal sensitive user information from locations such as the Downloads directory and Apple Intelligence caches. The flaw, dubbed Sploitlight by Microsoft and tracked as CVE-2025-31199, was addressed by Apple with the release of macOS Sequoia 15.4 in March 2025. The attack is so named because it exploits Spotlight plugins called importers, which are used to index data found on a device and surface it via the built-in search tool. Sploitlight turns these plugins into a TCC bypass, allowing valuable data to be leaked without a user's consent.

Improved Version of XWorm Spotted — A new version of a remote access trojan called XWorm (version 6.0) has been discovered with new features such as process protection and enhanced anti-analysis capabilities, indicating continued attempts by the developers to iterate and refine their tactics. The starting point of the attack is a Visual Basic Script that's likely delivered to targets via social engineering, which then proceeds to set up persistence on the host via the Windows Registry (as opposed to scheduled tasks in the previous version), although it's important to note that the builder offers three different methods, including the aforementioned techniques and adding the payload to the Startup folder. It's also designed to run a PowerShell script that includes the ability to bypass the Antimalware Scan Interface (AMSI) via in-memory modification of "clr.dll" to sidestep detection. Among the new features observed in the latest version of XWorm are the ability to prevent process termination by marking itself as a critical process and a check that terminates the malware if the compromised host is running Windows XP.

Mozilla Warns Add-ons Devs Against Phishing Attack — Browser maker Mozilla is warning of a phishing campaign targeting its Firefox Add-ons infrastructure that aims to trick developers into parting with their account credentials using emails with messages like "Your Mozilla Add-ons account requires an update to continue accessing developer features" that are designed to provoke engagement. The disclosure follows the emergence of bogus Firefox add-ons that masquerade as TronLink, Solflare, and Rabby Wallet and are designed to steal cryptocurrency wallet secrets, security researcher Lukasz Olejnik said.

New Stealer Malware Dissected — Cybersecurity researchers have detailed three new stealer malware families called Cyber Stealer, Raven Stealer, and SHUYAL Stealer that combine extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. "Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure," Hybrid Analysis said. "The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions." Cyber Stealer, for its part, maintains communication with its command-and-control (C2) server through heartbeat checks, XMR miner configuration, task checks, and data exfiltration. It also comes with clipper, remote shell, reverse proxy, DDoS, XMR mining, and DNS poisoning capabilities, depending on the subscription tier chosen by a customer. "The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails," eSentire said. While there are a number of stealers on the cybercrime scene already, the emergence of new ones demonstrates how lucrative such tools are for enabling data theft at scale. The third new infostealer is Raven Stealer, which is actively distributed through GitHub repositories and promoted via a Telegram channel operated by the threat actors. The stealer is consistent with its peers, facilitating credential theft, browser data harvesting, and real-time data exfiltration via Telegram bot integration.

NOVABLIGHT Node.js Stealer Spotted in the Wild — Developed and sold by the Sordeal Group, a threat actor demonstrating French-language proficiency, NOVABLIGHT is marketed as an "educational tool" on platforms like Telegram and Discord, priced from €25 for a month to €140 for six months ($28 to $162). However, this framing masks its true intent: a modular, feature-rich Node.js-based malware built on the Electron framework, designed to steal sensitive information, including login credentials and cryptocurrency wallet data. The malware is said to be distributed via fake websites advertising video game installers. "NOVABLIGHT is a modular and feature-rich information stealer built on Node.js with the Electron framework," Elastic Security Labs said. "Its capabilities go beyond simple credential theft, incorporating methods for data collection and exfiltration, sandbox detection, and heavy obfuscation."

$3.5B LuBian Bitcoin Theft Goes Undetected for Nearly Five Years — A previously undisclosed theft of 127,426 Bitcoin, valued at $3.5 billion at the time (presently approximately $14.5 billion), has been traced back to a December 2020 attack on a little-known Chinese mining pool called LuBian, making it the largest cryptocurrency theft to date, surpassing the $1.5 billion Bybit hack that occurred in February 2025. "They appear to have been first hacked on December 28th, 2020, for over 90% of their BTC," Arkham Intelligence said. "Subsequently, on December 29th, around $6M of additional BTC and USDT was stolen from a Lubian address active on the Bitcoin Omni layer. On the 31st, LuBian rotated their remaining funds to recovery wallets." It's believed that the unknown attackers may have exploited a flawed private key generation algorithm that left the keys susceptible to brute-force attacks. "LuBian preserved 11,886 BTC, currently worth $1.35B, which they still hold," Arkham said. "The hacker also still holds the stolen BTC, with their last known movement being a wallet consolidation in July 2024." Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach.

Russia Blocks Access to Speedtest — Russia blocked access to Speedtest, a popular internet speed testing tool developed by U.S. company Ookla, claiming the service poses a national security threat and could aid cyber attacks. The restriction is due to the "identified threats to the security of the public communication network and the Russian segment of the internet," Roskomnadzor, the country's communications watchdog, said, adding that the service "collects data on the layout and capacity of Russian communications nodes" that could be used to "plan, conduct, and assess attacks on Russian networks and related systems."

CISA Releases Thorium — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors. "Thorium enhances cybersecurity teams' capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools," CISA said. "It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats." The agency has also released the Eviction Strategies Tool, which helps security teams during incident response by providing the actions needed to contain and evict adversaries from compromised networks and devices.

Russian Entities Targeted to Deploy Cobalt Strike — The Russian information technology (IT) sector, and to a certain extent companies in China, Japan, Malaysia, and Peru, has been at the receiving end of a spear-phishing email campaign that delivers the Cobalt Strike Beacon by means of intermediate payloads that reach out to fake profiles on social media platforms to obtain the URL hosting the post-exploitation toolkit. The accounts, hosted on GitHub, Quora, and Russian-language social networks, are said to have been created specifically for the attacks and act as dead drop resolvers to facilitate operational resiliency. The activity was first recorded in the second half of 2024, reaching its peak in November and December. The campaign has not been attributed to any known threat actor or group.

APT36 Targets Indian Railways, Oil & Gas Sectors — A suspected Pakistani threat actor known as APT36 (aka Transparent Tribe) has been attributed to attacks targeting Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs via spear-phishing attacks to deliver a known malware called Poseidon. "They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs," Hunt.io said. "The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement."

Qilin Ransomware Attack Leverages BYOVD Technique — Threat actors associated with Qilin ransomware have been observed leveraging a previously unknown driver, TPwSav.sys, to stealthily disable security tools using a custom version of EDRSandblast as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. "This driver, originally developed for power-saving features on Toshiba laptops, is a signed Windows kernel driver, making it an attractive choice for bypassing EDR protections through a BYOVD attack," Blackpoint Cyber said. Prior to this incident, there had been no evidence of in-the-wild exploitation of the driver. "Compiled in 2015 and holding a valid signature, this driver is an appealing candidate for BYOVD attacks aimed at disabling EDR. While interacting with the driver requires only low-level privileges, loading it and enumerating physical memory demand administrative privileges," the company added.

Phishing Campaign Distributes 0bj3ctivity Stealer — Phishing emails bearing purchase-order lures are being used to distribute, via JavaScript files, a stealer called 0bj3ctivity Stealer, which has been propagated via Ande Loader in the past. "The further stages are uncommon, including custom PowerShell scripts to deploy the next stages and steganography to hide some of the payloads," Trellix said. "Once decoded, the PowerShell script will download from archive.org a JPG image, which contains the next stage hidden using steganography." The United States, Germany, and Montenegro exhibit a high volume of detections, although telemetry data has also revealed noticeable activity in Europe, North America, Southeast Asia, and Australia, indicating the global nature of the threat.

Increasing Number of Flaws Leveraged as 0- or 1-Days — A third of the flaws leveraged by attackers this year have been zero-day or 1-day flaws, indicating that threat actors are becoming faster at exploiting vulnerabilities. "We observed an 8.5% increase in the percentage of KEVs [Known Exploited Vulnerabilities] that had exploitation evidence disclosed on or before the day a CVE was published — 32.1% in H1-2025 as compared to the 23.6% we reported in 2024," VulnCheck said. In total, the company added 432 new vulnerabilities to its KEV list in the first half of 2025, with 92 unique threat actors linked to the exploitation efforts. Of these, 56 (60.8%) were attributed to specific countries, including China (20), Russia (11), North Korea (9), and Iran (6). In a related development, a GreyNoise report found that in 80% of reconnaissance spikes against enterprise gear, the increase in activity was followed by the publication of a new CVE within six weeks, suggesting threat actors or researchers are testing their exploits ahead of time. "These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors," the threat intelligence firm said.

BreachForums Comes Back Online — BreachForums appears to be back again after it went offline in April. The popular cybercrime forum was shut down and resurrected several times over the past year. According to DataBreaches.Net, the official site appears to be back online at its dark web address, with the original user database, reputation, credits, and posts preserved. What's more, the site seems to have returned under new leadership, a user with the online moniker "N/A." In an introductory post, N/A also claimed that none of its administrators have been arrested and that it's "business as usual."

RedCurl's New Attacks Deliver RedLoader — The threat actor known as Gold Blade (aka Earth Kapre, RedCurl, and Red Wolf) has been linked to a new set of attacks in July 2025 that combine malicious LNK files and WebDAV to execute remotely hosted DLLs and ultimately launch RedLoader using DLL side-loading. The LNK files, disguised as cover letters in PDF format, are distributed via phishing emails sent through third-party job search sites like Indeed.

Mimo Exploits SharePoint Flaws to Deliver Ransomware — The threat actor known as Mimo is exploiting the recently disclosed Microsoft SharePoint flaws to deliver the Go-based 4L4MD4r ransomware. The hacking group was recently linked to the abuse of a critical Craft CMS flaw to drop miners. The development marks the first time the group has deployed ransomware in the wild.

Silver Fox APT Uses Fake Flash Plugin to Deliver Malware — The threat actor tracked as Silver Fox has been observed delivering the Winos trojan under the guise of popular tools like Adobe Flash, Google Translate, and WPS. Typical distribution vectors include email, phishing websites, and instant messaging software. "However, with the leakage of core remote control Trojan source code (such as Winos 4.0) in the cybercrime circle, Silver Fox has gradually transformed from a single organization into a malicious family widely redeveloped by cybercrime groups and even APT organizations," the Knownsec 404 team said. "Winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host."

Girona Hacker Arrested — Spanish authorities have apprehended a cybercriminal who allegedly stole sensitive data from major financial institutions, educational organizations, and private companies across the country. The accused, described as a man with advanced computer programming skills, stands accused of targeting Spanish banks, a driving school, and a public university, among others. The suspect is alleged to have stolen personal databases of employees and customers, as well as internal documents of companies and organizations, and then sold them for profit.

ShadowSyndicate Infrastructure Analyzed — Cybersecurity researchers have found connections between ShadowSyndicate infrastructure and various malware families like AMOS Stealer, TrueBot, and a number of ransomware strains such as Cl0p, BlackCat, LockBit, Play, Royal, CACTUS, and RansomHub. Aside from having access to a network of bulletproof hosters (BPHs) in Europe, ShadowSyndicate is believed to function as an initial access broker (IAB) fueling Russian, North Korean, and Chinese APTs. "It remains unclear whether ShadowSyndicate has a structured business model with formal clients or partners in cybercrime, or whether it represents a more fluid, hybrid threat actor," Intrinsec said.

Who is Lionishackers? — Threat hunters have ripped the cover off Lionishackers, a financially motivated threat actor focused on exfiltrating and selling corporate databases through Telegram and underground forums since July 2024. "Even though they seem to have an opportunistic approach when choosing their targets, there seems to be a certain preference for victims located in Asian countries," Outpost24 said. "They have shown a high level of collaboration with the 'Hunt3r Kill3rs' group and extensive participation in relevant underground communities' Telegram channels. Furthermore, they also worked on and offered other services such as pen testing, the commercialization of the Ghost botnet, and the launch of a forum project dubbed Stressed Forums."

EdskManager RAT, Pulsar RAT, and Retro-C2 RAT Exposed — Three new remote access trojans called EdskManager RAT, Pulsar RAT, and Retro-C2 RAT have been flagged by cybersecurity researchers, who highlighted their ability to evade detection and maintain control over compromised systems. "The malware employs a downloader disguised as legitimate software, followed by in-memory decryption and stealth communication with command-and-control servers," CYFIRMA said about EdskManager RAT. "Its use of HVNC (Hidden Virtual Network Computing), advanced persistence techniques, and anti-analysis measures indicates a strong focus on long-term, covert access to infected systems." Pulsar RAT, on the other hand, is an Android trojan that exploits accessibility services to gain near-total control of the device, accessing messages, calls, GPS data, the camera, microphone, and other sensitive data. Developed by a Turkish-speaking threat actor known as ZeroTrace, Retro-C2 RAT employs reflective loading techniques to evade detection and siphon data from compromised machines. "The command-and-control infrastructure is fully web-based and provides threat actors with real-time client monitoring, action management such as CMD, PowerShell, Remote Desktop, keylogging, clipboard capture, file and process management, registry and network operations, audio recording, wallet scanning, persistence operations, and credential recovery," ThreatMon said.

Apple to Enable Advanced Fingerprinting Protection for All Safari Browsing Sessions — Apple has revealed that it intends to make advanced fingerprinting protection the default for all browsing sessions in Safari with the release of iOS 26, iPadOS 26, and macOS 26 in September 2025. Currently, the option is limited to Private Browsing mode. The feature was first introduced in Safari 17.0.

Security Flaw Uncovered in Catwatchful Spyware — An SQL injection vulnerability in an Android stalkerware operation called Catwatchful has exposed more than 62,000 of its customers, including its Uruguay-based administrator, Omar Soca Charcov. The bug, discovered by researcher Eric Daigle, could be exploited to leak the application's database, compromising customers' email addresses and plaintext passwords. Google has since added protections to flag such malicious apps and suspended the developer's Firebase account for abusing its infrastructure to operate the monitoring software.

Ransomware Continues to be a Threat — DragonForce has claimed more than 250 victims on its dark web leak site, with 58 in the second quarter of 2025 alone, indicating that the ransomware cartel is gaining traction after purportedly absorbing RansomHub. Some of the groups that appear to have exited the scene include RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, and Hunters International. "With major RaaS services shutting down, many affiliates are operating independently or seeking new partnerships," Check Point said. "The result is a growing number of smaller, often short-lived, ransomware entities. At the same time, established players are actively competing to recruit these 'orphaned' affiliates." Ransomware attacks have also been observed evolving beyond double extortion to coerce victims into paying up with threats of data leaks and DDoS attacks. "Double, triple, and quadruple extortion tactics add pressure by threatening to expose customer information, disrupting operations with distributed denial-of-service (DDoS) attacks, and sending harassing messages to business partners, customers, and others -- including informing media of the breach," Akamai said.

Threat Actors Hide Malware in DNS Records — While it's known that threat actors have leveraged the Domain Name System (DNS) for command-and-control purposes using a technique called DNS tunneling, cybercriminals have been observed evolving their tactics further by concealing malicious commands in DNS TXT records, converting them into their hexadecimal representation and storing them in chunks. The practice is both clever and sneaky, as it allows malicious scripts and early-stage malware to fetch binary files without downloading them from attacker-controlled sites or attaching them to emails, both of which have a higher chance of being detected by antivirus software.
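The DNS TXT technique described above leaves a recognisable trace in resolver logs. The following is an added example, not code from the report, that flags TXT answers carrying hex-encoded data in numbered chunks, reassembles the chunks per parent domain and checks the result for an executable magic number; the log format, domain names and record values are all constructed for the example.

```javascript
// Added illustration, not from the report summarised above. Two signals are
// combined: the TXT rdata is pure hex of suspicious length, and the chunks of
// one parent domain, reassembled in order, begin with an executable magic
// number. Every name and value below is constructed.

const HEX_MIN_LEN = 64; // shorter hex strings are usually verification tokens
const MAGIC = { '4d5a': 'MZ (PE)', '7f454c46': 'ELF', '504b0304': 'ZIP' };

// TXT strings arrive quoted and may be split into several quoted pieces.
function stripTxt(rdata) {
  return rdata.replace(/["\s]/g, '');
}

function isHexBlob(rdata) {
  const s = stripTxt(rdata);
  return s.length >= HEX_MIN_LEN && s.length % 2 === 0 && /^[0-9a-f]+$/i.test(s);
}

// "3.payload.constructed.test" -> { index: 3, parent: "payload.constructed.test" }
function chunkParts(qname) {
  const m = /^(\d+)\.(.+)$/.exec(qname);
  return m ? { index: Number(m[1]), parent: m[2] } : null;
}

function magicOf(hex) {
  const lower = hex.toLowerCase();
  for (const [sig, name] of Object.entries(MAGIC)) {
    if (lower.startsWith(sig)) return name;
  }
  return null;
}

// records: [{ client, qname, type, rdata }] from a resolver log (constructed
// layout). Returns one finding per parent domain that served hex TXT data.
function detectHexTxtChunks(records) {
  const groups = new Map(); // parent -> { chunks: Map<index, hex>, clients: Set }
  for (const r of records) {
    if (r.type !== 'TXT' || !isHexBlob(r.rdata)) continue;
    const parts = chunkParts(r.qname) || { index: 0, parent: r.qname };
    const g = groups.get(parts.parent) || { chunks: new Map(), clients: new Set() };
    g.chunks.set(parts.index, stripTxt(r.rdata));
    g.clients.add(r.client);
    groups.set(parts.parent, g);
  }
  const findings = [];
  for (const [parent, g] of groups) {
    // Reassemble in chunk order, as the fetching script would.
    const ordered = [...g.chunks.keys()].sort((a, b) => a - b).map((i) => g.chunks.get(i));
    const joined = ordered.join('');
    const magic = magicOf(joined);
    findings.push({
      parent, chunks: ordered.length, clients: [...g.clients],
      bytes: joined.length / 2, magic,
      severity: magic ? 'high' : (ordered.length > 1 ? 'medium' : 'low'),
    });
  }
  return findings;
}

// Constructed log: an SPF record, a DKIM key (long but base64, must not fire),
// a 32-char hex verification token, and three hex chunks forming a PE header.
const SAMPLE_LOG = [
  { client: '10.0.0.5', qname: 'corp.example', type: 'TXT', rdata: '"v=spf1 include:_spf.example -all"' },
  { client: '10.0.0.5', qname: 'sel._domainkey.corp.example', type: 'TXT', rdata: '"v=DKIM1; k=rsa; p=' + 'A'.repeat(200) + '"' },
  { client: '10.0.0.7', qname: '_verify.corp.example', type: 'TXT', rdata: '"' + 'ab'.repeat(16) + '"' },
  { client: '10.0.0.9', qname: '2.payload.constructed.test', type: 'TXT', rdata: '"' + '00'.repeat(40) + '"' },
  { client: '10.0.0.9', qname: '1.payload.constructed.test', type: 'TXT', rdata: '"4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000"' },
  { client: '10.0.0.9', qname: '3.payload.constructed.test', type: 'TXT', rdata: '"' + 'ff'.repeat(40) + '"' },
];
```

Running detectHexTxtChunks(SAMPLE_LOG) yields a single high-severity finding for payload.constructed.test (3 chunks, 116 bytes, MZ header) while the SPF, DKIM and short-token records stay silent.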