- The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been involved in a "global espionage campaign" in 2022 that targeted seven organizations. These organizations include governments, Catholic charities, NGOs, and think tanks located in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The operation, conducted over ten months from January to October 2022, is referred to as Operation FishMedley by ESET.
  - Security researcher Matthieu Faou noted that the operators employed implants such as ShadowPad, SodaMaster, and Spyder, which are often associated with China-aligned threat actors. Aquatic Panda, also known by various names like Bronze University and RedHotel, has been active since at least 2019. The Slovak cybersecurity company tracks this group under the name FishMonger.
  - Aquatic Panda operates under the Winnti Group umbrella and has connections to the Chinese contractor i-Soon, whose employees were recently charged by U.S. authorities for involvement in espionage activities from 2016 to 2023. The 2022 attacks utilized five different malware families, including a loader called ScatterBee, which deploys other implants. The initial access method for the campaign is currently unknown.
- Reported on March 20, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in NAKIVO Backup & Replication software (CVE-2024-48248) to its Known Exploited Vulnerabilities catalog, citing active exploitation.
  - This flaw, with a CVSS score of 8.6, allows unauthenticated attackers to exploit an absolute path traversal bug to read sensitive files on the target system. It affects all versions before 10.11.3.86570 and could lead to the exposure of configuration files, backups, and credentials. A proof-of-concept exploit has been published; the vulnerability itself was patched in November 2024.
  - CISA also added two other vulnerabilities to the catalog: CVE-2025-1316, a command injection flaw in Edimax IC-7100 IP cameras, and CVE-2017-12637, a directory traversal issue in SAP NetWeaver.
  - Both vulnerabilities are under active exploitation, with CVE-2025-1316 being used to target cameras with default credentials for Mirai botnet attacks. Federal agencies are required to apply mitigations by April 9, 2025.
- At least 11 state-supported hacking groups from North Korea, Iran, Russia, and China have been using a Windows vulnerability for data theft and cyber espionage attacks since 2017. Researchers from Trend Micro's Zero Day Initiative reported that Microsoft labeled this vulnerability as not meeting the bar for servicing in late September 2024 and decided not to release security updates for it.
  - The researchers found almost a thousand Shell Link (.lnk) samples that exploit the vulnerability known as ZDI-CAN-25373. They believe the actual number of exploitation attempts is likely much higher. They submitted a proof-of-concept exploit to Microsoft, but the company has declined to address the vulnerability with a security patch.
  - Microsoft has not yet assigned a CVE-ID to this vulnerability, but Trend Micro is tracking it internally as ZDI-CAN-25373. This flaw allows attackers to run arbitrary code on affected Windows systems. The researchers noted that many state-sponsored threat groups and cybercriminal gangs, including Evil Corp, APT43, Bitter, APT37, Mustang Panda, SideWinder, and RedHotel, have been using this vulnerability in widespread attacks.
  - The attacks have primarily focused on regions in North America, South America, Europe, East Asia, and Australia. The analysis revealed that about 70% of these attacks were aimed at espionage and information theft, while only 20% were financially motivated.
  - The ZDI-CAN-25373 vulnerability stems from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) issue. This allows attackers to exploit how Windows displays shortcut (.lnk) files, letting them execute code on vulnerable devices without the user being aware. Attackers hide malicious command-line arguments in .LNK shortcut files using padded whitespace.
  - This whitespace can take different forms, such as the hex codes for Space, Horizontal Tab, Linefeed, Vertical Tab, Form Feed, and Carriage Return, all of which work as padding. When a user inspects a compromised .lnk file, the harmful arguments remain hidden because of this extra whitespace, preventing detection.
  - User interaction is needed to exploit this vulnerability; victims must visit a malicious website or open a harmful file. The crafted .LNK file can hide dangerous content from view, enabling attackers to run code in the context of the current user.
  - This vulnerability is similar to another flaw known as CVE-2024-43461, where 26 encoded braille whitespace characters helped hide malicious HTA files. CVE-2024-43461 was discovered and patched by Microsoft in September 2024. The Void Banshee hacking group used this flaw in attacks against organizations in North America, Europe, and Southeast Asia.
  - A Microsoft spokesperson later stated that the company is considering addressing the vulnerability in the future. They have existing defenses to detect and block related threats and recommend that users be cautious when downloading files from unknown sources. Although the issue doesn't meet immediate severity guidelines, Microsoft may address it in future updates.
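A detection-side illustration of the padding technique described above, added here as an example (not code from Trend Micro or the ZDI report): it parses the StringData section of a Shell Link file per the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field that carries long whitespace runs or control whitespace. The two .lnk samples are constructed in the block; the ANSI code page and the run-length threshold are assumptions.

```python
import struct

# Shell Link (MS-SHLLINK) constants: header size, CLSID and the LinkFlags bits we need.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# Whitespace code points the research describes as padding: Space, HT, LF, VT, FF, CR.
PAD_CHARS = " \t\n\x0b\x0c\r"


def _read_string(buf, off, unicode):
    """Read one StringData field: uint16 character count, then the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        end = off + 2 * count
        return buf[off:end].decode("utf-16-le", errors="replace"), end
    end = off + count
    # ANSI strings use the system code page; cp1252 is an assumption here.
    return buf[off:end].decode("cp1252", errors="replace"), end


def parse_lnk_strings(buf):
    """Return the StringData fields (name, relative_path, ...) of a .lnk file."""
    if (len(buf) < LNK_HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList: uint16 size + data
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def analyse_arguments(args, max_run=32):
    """Flag COMMAND_LINE_ARGUMENTS that look padded to push the real command out of view."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    control = sorted({ch for ch in args if ch in PAD_CHARS and ch != " "})
    return {
        "longest_whitespace_run": longest,
        # Control whitespace (tab, LF, VT, FF, CR) has no business in a shortcut's arguments.
        "control_whitespace": ["0x%02x" % ord(c) for c in control],
        "visible_arguments": args.strip(PAD_CHARS),
        "suspicious": longest >= max_run or bool(control),
    }


def scan_lnk(buf):
    """Parse a .lnk and apply the padding heuristics to its arguments field."""
    return analyse_arguments(parse_lnk_strings(buf).get("arguments", ""))


def build_lnk(arguments):
    """Construct a minimal test fixture: header plus a Unicode COMMAND_LINE_ARGUMENTS string only."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, IS_UNICODE | HAS_ARGUMENTS)
    header += bytes(LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples: an ordinary shortcut and one padded the way the research describes.
BENIGN_LNK = build_lnk("/c notepad.exe")
PADDED_LNK = build_lnk(" " * 300 + "\r\n" + "/c constructed_sample.exe")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size; the heuristic should be tuned against a corpus of known-good .lnk files before use as a detection rule.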
- Threat hunters have provided new details about a malware campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using a backdoor known as ANEL. This attack was detected by ESET in late August 2024 and focused on a Central European diplomatic institute, using themes related to the upcoming World Expo in Osaka, Japan.
  - MirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the LODEINFO and HiddenFace backdoors. In the 2024 activity ESET analyzed, MirrorFace started using APT10's former signature backdoor, ANEL, in its operations as well.
  - The operation has been given the name Operation AkaiRyu, which translates to RedDragon in Japanese. MirrorFace, also known as Earth Kasha, has been active since at least 2019 and is believed to be part of the APT10 group. While it typically targets Japanese entities, this incident marks a shift, as it has attacked a European organization.
  - The intrusion is significant for utilizing a highly customized version of AsyncRAT and ANEL, also referred to as UPPERCUT, a backdoor linked to APT10. The switch from LODEINFO to ANEL is notable, as ANEL reappeared after being inactive since late 2018 or early 2019. ESET stated that there is no clear reason for this change, but LODEINFO has not been seen in 2024 or 2025.
  - Operation AkaiRyu also overlaps with other previously documented campaigns. Changes in tactics include the use of modified AsyncRAT and Visual Studio Code Remote Tunnels to access compromised machines stealthily. The attack methods involve spear-phishing and the deployment of a loader called ANELLDR. However, many details remain unclear due to MirrorFace's improved operational security, which complicates investigations.
- Reported on March 17, a critical unpatched security flaw (CVE-2025-1316) in the Edimax IC-7100 network camera is being exploited by threat actors to deploy Mirai botnet variants since at least May 2024.
  - The vulnerability, a command injection flaw, allows remote code execution via a crafted request targeting the `/camera-cgi/admin/param.cgi` endpoint, often using default credentials (admin:1234). The compromised devices are recruited into botnets to launch DDoS attacks, alongside other vulnerabilities like CVE-2024-7214 and CVE-2021-36220.
  - Edimax has stated it will not release a patch, advising users to upgrade, change passwords, and restrict internet exposure. Akamai warns that Mirai-based botnets persist due to outdated firmware and readily available exploitation tools.
- Cyberattacks are now a major concern for companies globally, highlighting the importance of risk planning. The Link11 European Cyber Report reveals a significant rise in DDoS attacks, which have more than doubled in frequency. These attacks are becoming shorter, more focused, and more complex. Organizations that do not regularly update their security measures face serious financial and reputational risks.
  - Key statistics include a 137% increase in DDoS attacks on Link11's network over the past year, with the largest attack reaching 1.4 terabits per second. Many attacks are brief but powerful, with two-thirds peaking within 10 to 60 seconds. Multi-vector attacks that use multiple methods are complicating defense strategies and require more accurate protection.
  - The Allianz Risk Barometer 2025 warns that while digital transformation opens new opportunities, it also increases vulnerability to cyber threats. Cybercriminals are using advanced botnets and tactics, resulting in faster and more impactful DDoS attacks. An example of this threat involved a four-day attack that combined Layer 3/4 and Layer 7 techniques, affecting both network infrastructure and web applications and overwhelming standard defenses with 120 million requests.
  - The attackers' methods included using heavy data streams to target infrastructure and complex queries to disrupt web applications. They launched attacks in waves to test defenses. Organizations must adapt their IT security to avoid becoming targets, especially since web applications and APIs are frequently targeted for handling sensitive information.
  - The incident highlighted the limitations of traditional DDoS defenses and the necessity for more flexible strategies. Companies are increasingly adopting AI-based systems for real-time threat detection and prevention. Key protective measures include bot management, adaptive WAF systems, and AI-driven attack detection. A comprehensive security strategy involves advanced DDoS mitigation, ongoing monitoring, and adaptable protection systems. Jens-Philipp Jung, CEO of Link11, stated that the rise in DDoS attacks shows the need for companies to respond more swiftly and enhance their defenses.
  - Link11 specializes in IT security, offering cloud-based solutions to protect against cyberattacks and ensure network resilience. They are a recognized provider of DDoS protection and hold ISO 27001 certification for high data security standards.
- Reported on March 17, a popular GitHub Action, **tj-actions/changed-files**, used in over 23,000 repositories, was compromised in a supply chain attack (CVE-2025-30066, CVSS 8.6) before March 14, 2025. Attackers modified the action's code, retroactively updated version tags, and inserted a malicious Python script that exposed CI/CD secrets in build logs, potentially leaking AWS keys, GitHub tokens, and other sensitive credentials.
  - The attack stemmed from a compromised GitHub Personal Access Token (PAT) linked to **@tj-actions-bot**, which has since been revoked. GitHub has implemented security upgrades, and users are urged to update to **version 46.0.1** and review logs for anomalies. This incident highlights the growing risk of **supply chain attacks** in **open-source software** and CI/CD environments.
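Because the attackers moved existing version tags, any workflow that referenced the action by tag picked up the malicious code without changing a line. The check below, added here as an example (not code from the affected project or from GitHub), lists every third-party action in a workflow file that is referenced by a tag or branch instead of a full 40-character commit SHA. The sample workflow and the SHA in it are constructed placeholders.

```python
import re

# A `uses:` reference, with or without a leading list dash and quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text):
    """Return (action, reason) pairs for every action reference not pinned to a commit id."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are outside this check
        if "@" not in ref:
            findings.append((ref, "no ref: resolves to the default branch"))
            continue
        action, version = ref.rsplit("@", 1)
        if FULL_SHA_RE.match(version):
            continue  # immutable: a full commit id cannot be retargeted like a tag
        findings.append((action, "mutable ref '%s': a tag or branch can be moved" % version))
    return findings


# Constructed workflow: two tag-pinned actions, one SHA-pinned (placeholder, not a real commit),
# one local action and one container image.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/internal-lint
      - uses: docker://alpine:3.19
"""
```

Pinning to a commit id does not stop a malicious commit from being referenced on purpose; it stops a reference that has already been reviewed from silently changing, which is what the retroactive tag rewrite relied on.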
- Reported on March 21, the Albabat ransomware has evolved, with versions 2.0.0 and 2.5 expanding its targets beyond Windows to include Linux and macOS. The ransomware retrieves configuration data via the GitHub REST API, using a repository linked to a pseudonymous account. It selectively encrypts specific file types while avoiding certain system folders and actively terminates security and productivity-related processes.
  - The malware gathers system and user data, storing it in a PostgreSQL database to track infections and ransom payments. Additionally, a private GitHub repository suggests ongoing development of version 2.5, incorporating cryptocurrency wallets for Bitcoin, Ethereum, Solana, and BNB.
  - Security recommendations emphasize proactive monitoring, network segmentation, patching, backups, and user training to mitigate risks.
- Two critical security flaws in Cisco Smart Licensing Utility are currently being exploited, according to the SANS Internet Storm Center.
  - The vulnerabilities are:
    * CVE-2024-20439 (CVSS score: 9.8) - An undocumented static user credential allows an attacker to log in to an affected system.
    * CVE-2024-20440 (CVSS score: 9.8) - An overly detailed debug log file can be accessed by an attacker through a crafted HTTP request, leading to exposure of credentials used for API access.
  - Successful exploitation allows attackers to gain administrative access and obtain sensitive log files. The vulnerabilities affect versions 2.0.0, 2.1.0, and 2.2.0 and were patched by Cisco in September 2024. Version 2.3.0 is not affected by these issues.
  - As of March 2025, attackers have been leveraging these vulnerabilities. Additionally, they are exploiting other flaws, including CVE-2024-0305 (CVSS score: 5.3). The purpose of this attack campaign is still unclear; users should apply the patches regardless.
- Reported on March 21, Oracle has denied claims that its Oracle Cloud servers were breached after a threat actor, "rose87168," claimed to be selling 6 million stolen data records, including encrypted SSO passwords and enterprise security keys.
  - The hacker allegedly accessed Oracle Cloud's SSO login servers using an undisclosed vulnerability and demanded ransom in cryptocurrency, which Oracle reportedly refused.
  - To prove their access, the hacker uploaded a text file to an Oracle Cloud server and is now selling the stolen data on a hacking forum, offering companies the option to pay for the removal of their employees' information.
  - Oracle maintains that no breach occurred, and BleepingComputer has not yet verified the legitimacy of the stolen data.
- Reported on March 20, cybercriminals are increasingly using their own drivers to disable endpoint detection and response (EDR) systems, either by exploiting vulnerable legitimate drivers or deploying custom-built ones.
  - A recent financially motivated campaign observed by Elastic Security Labs involved MEDUSA ransomware delivered via a HEARTCRYPT-packed loader. This loader installs a malicious driver, ABYSSWORKER, signed with stolen certificates from Chinese vendors, to bypass EDR protections.
  - The driver uses various obfuscation techniques, brute-force methods to strip process handles, and DeviceIoControl handlers to execute a range of malicious actions, such as deleting files, disabling security software, and terminating system threads.
  - The malware enables these capabilities through a hardcoded password and an API-loading mechanism that grants it extensive control over system processes.
  - Additionally, it employs callback removals and function replacements to blind EDRs, making detection and prevention more challenging.
- On March 20, 2025, the hacktivist group Diplomat claimed to have carried out a DDoS attack against the website of Clermont-Ferrand Auvergne Airport (https://www.clermont-aeroport.com/), an airport serving the French city of Clermont-Ferrand. The available source indicated that the website was unavailable at the time the claim was published.
- Cybersecurity researchers from the Citizen Lab at the University of Toronto have discovered the use of advanced spyware called Graphite, made by the Israeli company Paragon Solutions, to target influential people through WhatsApp. Their study found a previously unknown vulnerability in WhatsApp that allowed attackers to install the spyware using a zero-click exploit, meaning that users did not need to click anything for their devices to be compromised.
  - Paragon Solutions, which was established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to follow ethical standards, unlike other spyware companies such as the NSO Group. However, the Citizen Lab researchers found servers linked to Graphite and identified its use against journalists, human rights defenders, and government critics in countries like Italy, Israel, Canada, Cyprus, Denmark, Australia, and Singapore. Meta, the parent company of WhatsApp, confirmed that about 90 users in 24 countries were targeted. A significant part of the research focused on the Ontario Provincial Police (OPP) in Canada, uncovering connections between Paragon and police services in Ontario that systematically used spyware.
  - The investigation particularly spotlighted Italy, where forensic examinations of Android devices belonging to individuals alerted by WhatsApp, including journalist Francesco Cancellato and founders of Mediterranea Saving Humans, showed clear signs of Graphite spyware. Researchers identified a distinctive Android forensic artifact called BIGPRETZEL, which proved the spyware's presence on these devices. Initially, the Italian government denied involvement but later admitted to having contracts with Paragon.
  - Additionally, the probe included an iPhone belonging to an associate of Paragon targets. Apple issued threat notifications about an attempted spyware infection, which was patched in iOS 18. In response to these findings, Meta, Apple, and Google worked together to fix the security vulnerability. WhatsApp informed the targeted users about potential threats to their devices.
  - Despite NSO Group being found legally liable for unauthorized access to WhatsApp accounts, reports indicate that it continues developing new malware exploiting WhatsApp vulnerabilities. These findings highlight the ongoing battle between tech companies and malicious entities over user privacy, emphasizing the need for stronger security measures and accountability in the spyware industry to defend digital rights.
- On March 20, 2025, the hacktivist groups Fatimion cyber team and Dark Storm Team both claimed DDoS attacks against the website of Elbit Systems Ltd (elbitsystems.com), a leading global defense technology company. Elbit Systems develops, manufactures, integrates and sustains a range of next-generation solutions across multiple domains. The company also has offices in several EU countries, including the Netherlands, Romania, Hungary, Austria and Sweden.
- Reported on March 20, the RansomHub ransomware-as-a-service (RaaS) group has begun using a new custom backdoor, Betruger, in attacks. Betruger is a rare multi-function malware designed to streamline pre-ransomware activities, including screenshotting, keylogging, credential dumping, and privilege escalation, reducing the need for multiple tools.
  - Unlike most ransomware groups that rely on public or legitimate tools, RansomHub affiliates have also been using the **Bring Your Own Vulnerable Driver (BYOVD)** technique and exploiting vulnerabilities like **CVE-2022-24521** and **CVE-2023-27532**.
  - Additionally, attackers have leveraged various tools for network exploitation, credential theft, and remote access, such as **Impacket, Mimikatz, Rclone, and SystemBC**. RansomHub, operated by the cybercrime group **Greenbottle**, has rapidly grown since February 2024, becoming the most prolific ransomware operation by Q3 2024 and attracting affiliates with better financial incentives than rival groups.
- Veeam has fixed a serious remote code execution vulnerability known as CVE-2025-23120 in its Backup & Replication software, affecting domain-joined installations. This flaw was reported recently and impacts Veeam Backup & Replication version 12.3.0.310 and earlier versions. The company released a patch in version 12.3.1 (build 12.3.1.1139) to address this issue.
  - According to research from watchTowr Labs, which discovered the vulnerability, CVE-2025-23120 is a deserialization flaw in specific .NET classes. A deserialization flaw arises when an application improperly handles serialized data, enabling attackers to insert harmful objects, or gadgets, that can run malicious code.
  - Despite previous efforts by Veeam to secure its software against deserialization vulnerabilities, watchTowr found a new gadget chain that could be used for remote code execution. The vulnerability mainly affects Veeam installations connected to a domain, and any domain user can exploit it, making it highly dangerous in these setups. Many organizations have joined their Veeam servers to a Windows domain, contrary to the company's security guidelines.
  - Ransomware groups have previously targeted Veeam Backup & Replication servers, exploiting them to steal data and hinder recovery by removing backups. Although there's no evidence of active exploitation, the detailed information shared by watchTowr suggests that a proof-of-concept may emerge soon. Companies using Veeam Backup & Replication should prioritize upgrading to 12.3.1 and review their security measures, including disconnecting the server from their domain.
- On March 20, 2025, the hacktivist group Keymous+ claimed to have targeted websites belonging to a number of Danish banks. The following were listed on the group's Telegram channel:
  * Djurslands Bank (https://www.djurslandsbank.dk/)
  * Ekspres Bank (https://www.expressbank.dk/)
  * Fynske Bank (https://www.fynskebank.dk/)
  * Kreditbanken (https://www.kreditbanken.dk/)
  * Lollands Bank (https://www.lollandsbank.dk/)
  * Merkur Bank (https://merkur.dk/privat/)
  * Sparekassen Thy (https://www.sparthy.dk/)
  * Sparekassen Djursland (https://www.spardjurs.dk/)
  * PenSam Bank (https://www.pensam.dk/)
  * Danske Andelskassers Bank (https://www.andelskassen.dk/)
- The Romanian National Directorate of Cyber Security (DNSC) warned on March 19, 2025, about a phishing campaign linked to the North Korean group Konni. This group targets users by sending emails that include harmful LNK files.
  - The phishing emails are the vector for infecting users' computers; the malware itself is downloaded through trusted cloud services like Dropbox or Google Drive, making the attack harder to identify. The DNSC indicated that this ongoing campaign has been observed through monitoring open sources online and is associated with the North Korean state actors known as APT37 and Kimsuky.
  - The attackers utilize cloud storage platforms, which are typically considered secure, to hide their malicious actions. Experts stress that users should remain vigilant and avoid opening suspicious files or links sent via email, even if they seem to come from trustworthy sources.
  - The Konni group employs LNK files to spread AsyncRAT malware. These shortcut files use the Windows operating system to run harmful commands without requiring macros, which are subject to a common defense mechanism against malware in Microsoft's Office products. When targeted users open these harmful files, a concealed PowerShell script is executed, which downloads and displays a decoy document while secretly installing the malware.
  - Attackers use command-and-control servers and trusted cloud services at multiple points during the attack to install malware on victims' systems. The Konni group has been active since 2014, targeting mainly South Korean and Russian systems, and is associated with the Kimsuky group connected to North Korea's military intelligence. Their attacks often aim to steal data and exhibit similarities to tactics used by state actors like APT37 and the Lazarus Group.
- Cybersecurity researchers have revealed two serious flaws in mySCADA myPRO, a SCADA system used in operational technology environments, which could let attackers take control of affected systems.
  - mySCADA Technologies is a technical leader in the SCADA field, headquartered in Prague, in the Czech Republic.
  - PRODAFT, a Swiss security company, warned that these vulnerabilities could lead to unauthorized access to industrial control networks, causing major disruptions and financial damage.
  - The two issues are rated 9.3 on the CVSS v4 scoring system and are detailed as follows:
    * CVE-2025-20014: A command injection vulnerability that allows attackers to execute commands through specially crafted POST requests containing a version parameter.
    * CVE-2025-20061: A similar vulnerability that allows command execution using POST requests with an email parameter.
  - Both problems arise from inadequate user input sanitization. To address these issues, updates have been released for mySCADA PRO Manager and mySCADA PRO Runtime. Recommendations include applying the latest patches, isolating SCADA systems, using strong authentication, and monitoring for suspicious activity.
- Reported on March 19, the DollyWay malware operation has been actively compromising over 20,000 WordPress sites worldwide since 2016, evolving into an advanced scam redirection system.
  - Initially distributing ransomware and banking trojans, its latest version (v3) redirects visitors to fraudulent sites, generating 10 million monthly impressions. GoDaddy researchers linked multiple malware campaigns to *DollyWay*, identifying its use of *Traffic Direction Systems (TDS)* and affiliate networks like VexTrio and LosPollos for monetization.
  - Exploiting n-day flaws in WordPress plugins and themes, the malware persists through auto-reinfection, obfuscated PHP code, and hidden admin accounts. It evades detection by requiring user interaction before the final redirection. GoDaddy has shared indicators of compromise to aid in defense and plans further reports on the threat's evolving tactics.