Defrosting PolarEdge’s Backdoor

Researchers at Sekoia.io analyzed a botnet dubbed PolarEdge, first detected in January 2025, which exploits CVE-2023-20118 to achieve remote code execution (RCE) and deploy a web shell on target routers. A subsequent attack in February 2025 involved a remote command that installed a TLS-based backdoor implant. The campaign also includes related payloads targeting Asus, QNAP, and Synology routers, revealing a broader family of attacks.

Source: Sekoia

Mysterious Elephant: A Growing Threat

Kaspersky GReAT researchers have detailed activity from Mysterious Elephant, an APT group targeting government and foreign affairs organizations in the Asia-Pacific region. Active since 2023, the group adapts its tactics, using WhatsApp exploitation to exfiltrate documents and other sensitive data. Its 2025 campaigns rely on new custom-made and modified open-source tools like BabShell and MemLoader to enhance stealth and effectiveness.

Source: Securelist (Kaspersky)

Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits

Trend Micro discovered an operation exploiting Cisco’s SNMP vulnerability (CVE-2025-20352) to deploy Linux rootkits on vulnerable network devices. Attackers used spoofed IPs and MAC email addresses, with the malware setting a universal password containing the word “disco.” Once implanted, it hooks into IOSd components, achieving fileless persistence. While newer Cisco switch models use ASLR for protection, repeated attempts can still succeed.

Source: TrendMicro

PhantomVAI Loader Delivers a Range of Infostealers

Palo Alto Networks’ Unit 42 team reported phishing campaigns using PhantomVAI Loader to deliver various information-stealing malware through multi-stage infection chains. Originally linked to Katz Stealer, the loader now distributes AsyncRAT, XWorm, FormBook, and DCRat. Sold as malware-as-a-service, PhantomVAI Loader employs steganography and obfuscation to conceal payloads and evade detection.

Source: Unit42 (Palo Alto Networks)

New Android Pixnapping Attack Steals MFA Codes Pixel-By-Pixel

A newly discovered side-channel attack named Pixnapping allows a malicious Android app to capture pixels displayed by other apps or websites and reconstruct sensitive data, including chat messages, emails, and two-factor authentication codes. Developed by researchers from seven U.S. universities, the attack works on fully patched modern Android devices and can steal 2FA codes in under 30 seconds.

Source: BleepingComputer
