Source: Cyble (https://cyble.com), feed updated Wed, 14 Jan 2026 04:15:32 +0000, contact@cyble.com

deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran
https://cyble.com/blog/devixor-an-evolving-android-banking-rat-with-ransomware-capabilities-targeting-iran/
Tue, 13 Jan 2026 07:56:58 +0000

Executive Summary

deVixor is an actively developed Android banking malware campaign operating at scale, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses.

Distributed as malicious APK files, deVixor has evolved from a basic SMS-harvesting threat into a fully featured Remote Access Trojan (RAT) that combines banking fraud, credential theft, ransomware, and persistent device surveillance within a single platform.

The campaign has been active since October 2025. Cyble Research and Intelligence Labs’ (CRIL) analysis of over 700 samples indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.

Key Takeaways

  • deVixor is a sophisticated Android banking trojan that combines financial data theft, device surveillance, and remote control into a single malware platform.
  • The malware is actively distributed through fake websites posing as legitimate automotive businesses, tricking users into installing malicious APK files.
  • deVixor extensively harvests SMS-based financial information, including OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges.
  • It leverages WebView-based JavaScript injection to capture banking credentials by loading legitimate banking pages inside a WebView.
  • The malware includes a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments.
  • deVixor uses Firebase for command delivery and Telegram-based bot infrastructure for administration, allowing attackers to manage infections at scale and evade traditional detection mechanisms.

Overview

Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations.

During our ongoing analysis of malicious sites, we uncovered deVixor, a previously underreported Android Remote Access Trojan (RAT) actively distributed via fraudulent websites masquerading as legitimate automotive companies.

These sites lure victims with heavily discounted vehicle offers and trick them into downloading a malicious APK, which ultimately installs the deVixor malware on the device.

Some of the malicious URLs distributing deVixor RAT are:

  • hxxp://asankhodroo[.]shop
  • hxxp://www[.]asan-khodro.store
  • hxxp://www[.]naftyar.info/naftman.apk
  • hxxp://abfayar[.]info/abfa.apk
  • hxxps://blupod[.]site/blupod.apk
  • hxxps://naftman[.]oghabvip.ir/naftman.apk
  • hxxp://vamino[.]online.infochatgpt.com/vamino.apk
  • hxxps://lllgx[.]site/mm/V6.apk
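The distribution URLs above are published defanged (hxxp, [.]) so they cannot be clicked by accident, but a blocklist needs them in parseable form. The following script is an added example, not Cyble's tooling: it refangs the report's own URLs, derives the hostnames and APK download URLs for a DNS or proxy blocklist, and offers a matcher that flags a URL seen in proxy logs whose host equals or sits under a blocked host. The input list is copied from the report; the helper names and the sample log URLs are assumptions for this example.

```python
"""Turn defanged deVixor distribution URLs into blocklist entries.

Added example (not Cyble's code). DEFANGED_URLS is the IoC list from the
report; everything else is illustrative tooling.
"""
import re
from urllib.parse import urlsplit

# Defanged URLs copied from the report.
DEFANGED_URLS = [
    "hxxp://asankhodroo[.]shop",
    "hxxp://www[.]asan-khodro.store",
    "hxxp://www[.]naftyar.info/naftman.apk",
    "hxxp://abfayar[.]info/abfa.apk",
    "hxxps://blupod[.]site/blupod.apk",
    "hxxps://naftman[.]oghabvip.ir/naftman.apk",
    "hxxp://vamino[.]online.infochatgpt.com/vamino.apk",
    "hxxps://lllgx[.]site/mm/V6.apk",
]

_SCHEME_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo common defanging conventions (hxxp, [.], (.), {.}, [:]) so urlsplit can parse the URL."""
    url = _SCHEME_RE.sub(lambda m: f"http{m.group(1).lower()}://", url.strip())
    for token, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        url = url.replace(token, real)
    return url


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a fanged or defanged URL."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname.lower()


def build_blocklist(defanged: list) -> dict:
    """Distinct hostnames plus the full URLs that point directly at an APK."""
    hosts = sorted({hostname_of(u) for u in defanged})
    apk_urls = sorted(refang(u) for u in defanged if refang(u).lower().endswith(".apk"))
    return {"hosts": hosts, "apk_urls": apk_urls}


def matches_blocklist(observed_url: str, hosts: list) -> bool:
    """True if the observed URL's host is a blocked host or a subdomain of one."""
    host = hostname_of(observed_url)
    return any(host == h or host.endswith("." + h) for h in hosts)


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_URLS)
    for line in blocklist["hosts"]:
        print("host:", line)
    for line in blocklist["apk_urls"]:
        print("apk:", line)
    # Constructed proxy-log URLs to exercise the matcher.
    for seen in ("http://cdn.blupod.site/x", "https://example.com/"):
        print(seen, "->", "BLOCK" if matches_blocklist(seen, blocklist["hosts"]) else "allow")
```

Subdomain matching is deliberate: the report shows the actor hosting on subdomains such as naftman.oghabvip.ir, so an exact-host list would miss sibling hosts. Conversely the list does not climb to parent domains, because blocking infochatgpt.com on the strength of vamino.online.infochatgpt.com would be overblocking without further evidence.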

CRIL identified more than 700 samples of multiple variants of the deVixor RAT dating from October 2025 onward. Early versions of the malware exhibited limited functionality, primarily focused on collecting PII and harvesting banking-related SMS messages.

Subsequent variants showed a clear evolution in capabilities, introducing banking-focused overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and extensive abuse of Android’s Accessibility Service.

Our investigation also uncovered a Telegram channel operated by the threat actor, which was created shortly after the initial development of deVixor RAT and was actively used to publish version updates, promote new capabilities, and share operational screenshots.

Notably, screenshots posted in the channel reveal numerous devices that are simultaneously infected, each associated with a unique Bot ID (referred to by the actor as a “Port”), suggesting an active campaign operating at scale.

The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation. (See Figures 1, 2, and 3)

Figure 1 – Initial version announcement of deVixor RAT

Figure 2 – Version 2 announcement of deVixor RAT

Figure 3 – deVixor RAT updates in Telegram Group

The deVixor RAT leverages a Telegram bot–based administrative panel for issuing commands. Each deployed APK is assigned a unique Bot ID stored in a local port.json file, enabling the operator to track, monitor, and control individual infected devices.

Once registered, the operator receives real-time updates via Telegram and can issue commands that are relayed to infected devices through backend infrastructure. Figure 4 illustrates the available administrative actions and operational updates as observed in the threat actor’s Telegram channel.

Figure 4 – Admin panel screenshot posted on Telegram channel

Multiple indicators suggest that the campaign is regionally focused. Linguistic artifacts observed in Telegram communications, operator messages, and hardcoded strings within the APK, combined with the exclusive targeting of Iranian banks, domestic payment services, and local cryptocurrency exchanges, strongly indicate that Iranian users are the primary targets of this operation. The use of Persian-language user interface elements in phishing overlays further reinforces this assessment.

DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse.

Its active development, growing feature set, and reliance on legitimate platforms such as Telegram for command-and-control pose a significant risk to Android users. The next section provides a detailed technical analysis of deVixor RAT’s functionality, command structure, and abuse mechanisms observed across multiple variants.

Technical Analysis

Upon installation, the deVixor RAT prompts victims to grant permissions to access SMS messages, contacts, and files. In newer variants, it additionally requests Accessibility service permissions. (see Figure 5)

Figure 5 – Prompting to grant permissions

Once the required permissions are granted, the malware establishes communication with Firebase to receive commands from the threat actor. In parallel, deVixor decrypts a hardcoded alternate Command-and-Control (C&C) server URL, which is used to exfiltrate the collected data.

Overall, deVixor relies on two distinct servers for its operations: (see Figure 6)

  • Firebase server – used for receiving commands
  • C&C server – used for transmitting stolen data

Figure 6 – Firebase command execution (left) and decryption of C&C server URL (right)

Bank Information Harvesting

The deVixor RAT uses multiple techniques to steal banking information. One of its main approaches involves collecting banking-related data from SMS messages. In addition, deVixor leverages a WebView injection technique to redirect victims to banking pages, where JavaScript-based injections are used to capture login credentials and other sensitive financial information.

SMS-Based Banking Data Harvesting

deVixor has implemented multiple commands to harvest banking information, including card details, bank balance amounts, SMSs coming from banks and crypto applications, and OTPs:

GET_BANK_BALANCE Command

The command scans up to 5,000 SMS messages on the infected device to identify banking-related content, extract account balances and OTPs, and associate them with known Iranian banks using a hardcoded set of sender and bank keyword signatures.

It applies regular expressions to parse balances and OTP codes, checks whether the corresponding official banking applications are installed, and exfiltrates the results as a structured JSON response under the GET_ACCOUNT_SUMMARY command.

The report includes the bank name, balance, OTP availability and value, app installation status, and the total number of identified banks. (see Figure 7)

Figure 7 – Collecting bank balance amount and OTPs

GET_CARD_NUMBER Command

Similar to the previous command, deVixor scans all SMS messages in the infected device’s inbox to identify credit and debit card numbers. It uses regular expressions to detect and validate card numbers, then exfiltrates the extracted information to the C&C server.

GET_EXCHANGE Command

This command scans the victim’s SMS inbox for messages originating from cryptocurrency exchanges and payment services. It extracts recent messages for each identified sender and exfiltrates the collected data to the C&C server. The malware specifically targets SMS messages associated with the following cryptocurrency exchanges (see Figure 8):

  • Binance
  • CoinEx
  • Ramzinex
  • Exir
  • Tabdeal
  • Bitbarg
  • TetherLand
  • AbanTether
  • OkExchange
  • ArzDigital
  • IranCryptoMarket
  • Cryptoland
  • Bitex
  • Excoino

Figure 8 – Collecting cryptocurrency-related SMSs

GET_BANK_SMS Command

Similar to the GET_EXCHANGE command, this command collects the most recent SMS messages sent by known banks and payment services. The harvested messages are returned to the C&C server as a structured JSON response labeled GET_BANK_SMS. Below is the list of banks and payment services targeted by deVixor (see Figure 9):

  • Bank Melli Iran
  • Bank Mellat
  • Bank Tejarat
  • Bank Saderat Iran
  • Bank Sepah
  • Bank Maskan
  • Bank Keshavarzi
  • Bank Refah
  • Bank Pasargad
  • Bank Parsian
  • Bank Ayandeh
  • Bank Saman
  • Bank Sina
  • Bank Dey
  • Post Bank Iran
  • Middle East Bank
  • Iran Zamin Bank
  • Eghtesad Novin Bank
  • Karafarin Bank
  • Shahr Bank
  • Hekmat Iranian Bank
  • Industry & Mine Bank
  • Export Development Bank of Iran
  • Tavon Bank
  • BluBank
  • Iran Kish

Figure 9 – Collecting SMSs coming from banks

This SMS-based financial information harvesting enables attackers to carry out banking fraud and account takeovers, leading to wallet draining and significant financial losses for victims.

Fake Bank Notification and Credential Harvesting

deVixor uses the “BankEntryNotification” command to generate fraudulent bank notifications designed to lure users into interacting with them. When a victim taps the notification, the malware loads a legitimate banking website inside a WebView and injects malicious JavaScript into the login forms.

Once the user enters their username and password and clicks the login button, the credentials are silently exfiltrated to the C&C server. The figure below illustrates the JavaScript injection technique used for credential harvesting. (see Figure 10)

Figure 10 – JavaScript injection activity for harvesting credentials

Ransomware Activity

The deVixor RAT includes an embedded ransomware module that can be remotely triggered using the “RANSOMWARE” command. Upon receiving this command, the malware parses the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the demanded payment amount.

These details are stored locally in a file named LockTouch.json, which serves as a persistent configuration file to retain the ransomware state across device reboots. The malware then sets an internal locked status and prepares the ransom metadata used by the lock-screen component.

Based on screenshots shared on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays a ransom message stating “Your device is locked. Deposit to unlock”, along with the attacker’s TRON wallet address and a demand of 50 TRX.

The malware also generates a response containing device identifiers and ransom-related details, which is sent back to the C&C server to track victim status and potential compliance. (see Figure 11)

Figure 11 – Ransomware activity posted on TA’s Telegram channel

This functionality demonstrates that deVixor is capable of conducting financial extortion, in addition to its existing capabilities for credential theft and user surveillance.

In addition to the features described above, the malware is capable of collecting all device notifications, capturing keystrokes, preventing uninstallation, hiding its presence, harvesting contacts, and taking screenshots. We’ve compiled a full list of supported commands below:

deVixor v1 and v2 Commands

V1 Command | V2 Command | Description
RUN_USSD | RUN_USSD | Execute USSD request
SET_OF_MOD | SEARCH_APP | Finds the targeted application installed on the device
- | SEARCH_ALL_SMS | Search SMSs with the keywords, store the result in sms_search_keyword.txt, and send the file to the server
BankEntryNotification | BankEntryNotification | Generate a fake bank notification to initiate bank login activity and harvest credentials using JavaScript injection
- | SET_WARNING_BANK | Displays a fake bank security warning to trick users into logging in on fraudulent banking pages
CHANGE_SERVER | CHANGE_SERVER | Change C&C server
CHANGE_FIREBASE | CHANGE_FIREBASE | Change the Firebase server
- | RANSOMWARE | Initiate ransomware activity
SEND_SMS | SEND_SMS | Send SMS to the number received from the server
SEND_SMS_TO_ALL | SEND_SMS_TO_ALL | Send SMS to all the contacts saved on the infected device
GET_HISTORY_SMS | GET_HISTORY_SMS | Saves all SMSs from the infected device to chat_history_*.txt and sends it to the server
ADD_CONTACT | ADD_CONTACT | Insert the contact into the infected device's contact list
IMPORT_VCF | IMPORT_VCF | Collects the vCard file
GET_CAMERA_PHOTOS | GET_CAMERA_PHOTOS | Collects pictures captured using the camera
- | GET_ALL_SENT_SMS | Collects sent SMS history
- | NOTIFICATION_READER | Collect notifications
UNHIDE | UNHIDE | Makes the app visible again in the application list
SET_VIBRATE | SET_VIBRATE | Set vibration mode (SET_VIBRATION_MODE)
- | BANK_WARNING | Collect the active fake bank warning list
ONCHANGE | ONCHANGE | Disguise as a YouTube app
GET_APPS | GET_APPS | Collects the application package list
- | GET_GOLD | Collecting SMSs that are coming from the specified mobile numbers
SMS_TO_ALL | SMS_TO_ALL | Collects SIM information
GET_BANK_BALANCE | GET_BANK_BALANCE | Collects bank balance from SMSs
GET_BNC_APPS | GET_BNC_APPS | Collects the banking application list
- | GET_ALL_RECEIVED_SMS | Collects all received SMSs
GET_SIM_SMS | GET_SIM_SMS | Get SIM information
HIDE | HIDE | Hides application
TAKE_SCREENSHOT | TAKE_SCREENSHOT | Captures screenshot
- | REMOVE_RANSOMWARE | Remove ransomware overlay
GET_DEVICE_INFO | GET_DEVICE_INFO | Collects device information
SET_SOUND | SET_SOUND | Set notification sound
OFFCHANGE | OFFCHANGE | Disable disguise and appear using the original app icon
GET_EXCHANGE | GET_EXCHANGE | Collect SMSs related to crypto exchanges and financial services
GET_IPS | GET_IPS | Collect the IP address of the infected device
GET_CARD_NUMBER | GET_CARD_NUMBER | Collects card numbers from SMSs
GET_BANK_SMS | GET_BANK_SMS | Collecting all SMSs coming from banks
GET_ACCOUNT | GET_ACCOUNT | Get account details from the infected device
REVIVE_FOREGROUND | REVIVE_FOREGROUND | Sends the device's active status
GET_USSD_INFO | GET_USSD_INFO | Get SIM info to support USSD operations
GET_LAST_SMS | - | Collecting recent SMSs
GET_ALL_SMS | GET_ALL_SMS | Collect all SMSs
- | KEYLOGGER | Collects keylogged data stored in the file keuboard_history.txt
GET_SCREENSHOTS | GET_SCREENSHOTS | Collects screenshots from the server
GET_PHONE_NUMBER | GET_PHONE_NUMBER | Collect the device phone number
SET_SILENT | SET_SILENT | Put the device on silent
GET_GALLERY | GET_GALLERY | Collect gallery media
GET_CONTACTS | GET_CONTACTS | Collect contacts
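The command table doubles as a fingerprint: the command names are plain strings inside the APK, and a dozen of them exist only in v2. The script below is an added example, not Cyble's tooling; it takes the string output of a dex or APK dump (for instance from the `strings` utility on classes.dex) and reports which deVixor commands are present, which of those are v2-only, and whether the local artifacts the report names (port.json, LockTouch.json, sms_search_keyword.txt, chat_history_*.txt, keuboard_history.txt) are referenced. The command sets are taken from the table above; the verdict thresholds, function names, and the sample string dumps are assumptions constructed for this example.

```python
"""Triage an APK string dump for deVixor v1/v2 command tokens and artifacts.

Added example (not Cyble's code). Command names and artifact file names come
from the report's command table and analysis; the dumps at the bottom are
constructed, not taken from a real sample.
"""
import re
from typing import Iterable

# Commands the report lists for both v1 and v2.
SHARED_COMMANDS = {
    "RUN_USSD", "BankEntryNotification", "CHANGE_SERVER", "CHANGE_FIREBASE",
    "SEND_SMS", "SEND_SMS_TO_ALL", "GET_HISTORY_SMS", "ADD_CONTACT",
    "IMPORT_VCF", "GET_CAMERA_PHOTOS", "UNHIDE", "SET_VIBRATE", "ONCHANGE",
    "GET_APPS", "SMS_TO_ALL", "GET_BANK_BALANCE", "GET_BNC_APPS", "GET_SIM_SMS",
    "HIDE", "TAKE_SCREENSHOT", "GET_DEVICE_INFO", "SET_SOUND", "OFFCHANGE",
    "GET_EXCHANGE", "GET_IPS", "GET_CARD_NUMBER", "GET_BANK_SMS", "GET_ACCOUNT",
    "REVIVE_FOREGROUND", "GET_USSD_INFO", "GET_ALL_SMS", "GET_SCREENSHOTS",
    "GET_PHONE_NUMBER", "SET_SILENT", "GET_GALLERY", "GET_CONTACTS",
}
V1_ONLY_COMMANDS = {"SET_OF_MOD", "GET_LAST_SMS"}
V2_ONLY_COMMANDS = {
    "SEARCH_APP", "SEARCH_ALL_SMS", "SET_WARNING_BANK", "RANSOMWARE",
    "GET_ALL_SENT_SMS", "NOTIFICATION_READER", "BANK_WARNING", "GET_GOLD",
    "GET_ALL_RECEIVED_SMS", "REMOVE_RANSOMWARE", "KEYLOGGER",
}
ALL_COMMANDS = SHARED_COMMANDS | V1_ONLY_COMMANDS | V2_ONLY_COMMANDS

# Local files the report associates with the malware's state and staging.
ARTIFACT_PATTERNS = [re.compile(p) for p in (
    r"\bport\.json\b", r"\bLockTouch\.json\b", r"\bsms_search_keyword\.txt\b",
    r"\bchat_history_\w*\.txt\b", r"\bkeuboard_history\.txt\b",
)]

# Longest names first, and no identifier character on either side, so that
# SEND_SMS does not match inside SEND_SMS_TO_ALL or GET_ACCOUNT inside
# GET_ACCOUNT_SUMMARY.
_COMMAND_RE = re.compile(
    r"(?<![A-Za-z0-9_])("
    + "|".join(sorted(map(re.escape, ALL_COMMANDS), key=len, reverse=True))
    + r")(?![A-Za-z0-9_])"
)

MIN_COMMANDS = 3  # assumed threshold: one generic token such as HIDE is not evidence


def find_commands(strings: Iterable[str]) -> set:
    found = set()
    for s in strings:
        found.update(_COMMAND_RE.findall(s))
    return found


def find_artifacts(strings: Iterable[str]) -> set:
    found = set()
    for s in strings:
        for pat in ARTIFACT_PATTERNS:
            m = pat.search(s)
            if m:
                found.add(m.group(0))
    return found


def triage(strings: Iterable[str]) -> dict:
    """Classify a string dump; the verdict labels are this example's own."""
    strings = list(strings)
    cmds = find_commands(strings)
    artifacts = find_artifacts(strings)
    v1 = sorted(cmds & V1_ONLY_COMMANDS)
    v2 = sorted(cmds & V2_ONLY_COMMANDS)
    if len(cmds) < MIN_COMMANDS and not artifacts:
        verdict = "no deVixor indicators"
    elif v2:
        verdict = "deVixor v2 or later"
    elif v1:
        verdict = "deVixor v1"
    else:
        verdict = "deVixor (variant undetermined)"
    return {"commands": sorted(cmds), "v1_only": v1, "v2_only": v2,
            "artifacts": sorted(artifacts), "verdict": verdict}


# Constructed dumps for demonstration; not strings from a real sample.
SAMPLE_DUMP = [
    "Lcom/example/carsale/MainActivity;", "android.permission.READ_SMS",
    "GET_BANK_BALANCE", "GET_ACCOUNT_SUMMARY", "GET_CARD_NUMBER",
    "BankEntryNotification", "RANSOMWARE", "SEND_SMS_TO_ALL",
    "LockTouch.json", "port.json", "keuboard_history.txt",
]
BENIGN_DUMP = ["Lcom/example/notes/MainActivity;", "GET_CONTACTS", "android.permission.INTERNET"]

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, triage(dump))
```

Note that GET_ACCOUNT_SUMMARY in the sample dump is the response label the report describes, not a command, and the boundary check keeps it from being counted as GET_ACCOUNT. Because the command names are ordinary strings, the same token list can be dropped into a YARA rule or an APK scanner; the threshold is there because a few of the names (HIDE, UNHIDE, SET_SILENT) are plausible in legitimate apps.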

Conclusion

deVixor is a feature-rich Android banking Trojan that reflects the latest evolution of Android malware. It combines SMS-based financial data harvesting, WebView-based JavaScript injection attacks, ransomware capabilities, and full remote device control to facilitate banking fraud, account takeovers, financial extortion, and prolonged user surveillance from a single platform.

The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service.

The targeted focus on Iranian banks, payment services, and cryptocurrency platforms highlights deliberate victim profiling and regional specialization.


Cyble's Threat Intelligence Platforms continuously monitor emerging threats, infrastructure, and activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, impersonation, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Install Apps Only from Trusted Sources:
    Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
  • Be Cautious with Permissions and Installs:
    Never grant permissions and install an application unless you're certain of an app's legitimacy.
  • Watch for Phishing Pages:
    Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
  • Enable Multi-Factor Authentication (MFA):
    Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
  • Report Suspicious Activity:
    If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
  • Use Mobile Security Solutions:
    Install a mobile security application that includes real-time scanning.
  • Keep Your Device Updated:
    Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities that malware exploits.

MITRE ATT&CK® Techniques

Tactic | Technique (ID) | Procedure
Initial Access (TA0027) | Phishing (T1660) | Malware is distributed via a phishing site
Persistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | deVixor registers the BOOT_COMPLETED broadcast receiver to activate on device startup
Persistence (TA0028) | Foreground Persistence (T1541) | deVixor uses foreground services by showing a notification
Defense Evasion (TA0030) | Hide Artifacts: Suppress Application Icon (T1628.001) | deVixor hides its icon
Defense Evasion (TA0030) | Impair Defenses: Prevent Application Removal (T1629.001) | Prevents uninstallation
Defense Evasion (TA0030) | Impair Defenses: Disable or Modify Tools (T1629.003) | deVixor can disable Google Play Protect
Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Masquerades as a YouTube app
Defense Evasion (TA0030) | Obfuscated Files or Information (T1406) | deVixor uses an encrypted C&C server URL
Credential Access (TA0031) | Access Notifications (T1517) | deVixor collects device notifications
Credential Access (TA0031) | Input Capture: Keylogging (T1417.001) | deVixor collects keylogged data
Credential Access (TA0031) | Input Capture: GUI Input Capture (T1417.002) | deVixor collects entered banking credentials
Discovery (TA0032) | Software Discovery (T1418) | deVixor collects the installed application list
Discovery (TA0032) | System Information Discovery (T1426) | deVixor collects device information
Collection (TA0035) | Archive Collected Data (T1532) | deVixor compresses collected data and saves it to a .zip file
Collection (TA0035) | Data from Local System (T1533) | deVixor collects media from the gallery
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Collects contact data
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Collects SMS data
Collection (TA0035) | Protected User Data: Accounts (T1636.005) | deVixor collects account data
Collection (TA0035) | Screen Capture (T1513) | deVixor can take screenshots
Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | Malware uses the HTTPS protocol
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | deVixor sends collected data to the C&C server
Impact (TA0034) | SMS Control (T1582) | deVixor can send SMSs from the infected device

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The Week in Vulnerabilities: 2026 Starts with 100 PoCs and New Exploits
https://cyble.com/blog/678-vulnerabilities-reported-by-cyble/
Fri, 09 Jan 2026 10:56:11 +0000

Cyble Vulnerability Intelligence researchers tracked 678 vulnerabilities in the last week, a decline from the high volume of new vulnerabilities observed in the last few weeks of 2025.  

Nearly 100 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 42 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 15 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Below are some of the more significant IT and industrial control system (ICS) vulnerabilities highlighted by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60534 is a critical authentication bypass vulnerability affecting Blue Access Cobalt v02.000.195, which could allow an attacker to selectively proxy requests to operate functionality on the web application without the need for authentication, potentially allowing full admin access to application and door systems. 

CVE-2025-68428 is a critical path traversal and local file inclusion vulnerability in the jsPDF JavaScript library's Node.js builds. It affects methods like loadFile, addImage, html, and addFont, where unsanitized user input as file paths could enable attackers to read arbitrary server files and embed their contents into generated PDFs. 

CVE-2020-36923 is a medium-severity insecure direct object reference (IDOR) vulnerability in Sony BRAVIA Digital Signage 1.7.8, which could allow attackers to bypass authorization controls and access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions. 

CISA added its first two vulnerabilities of 2026 to the Known Exploited Vulnerabilities (KEV) catalog: a 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability. The agency added 245 vulnerabilities to the KEV catalog in 2025.

CVE-2025-37164 is a 10.0-severity Code Injection vulnerability in HPE’s OneView IT infrastructure management software up to version 10.20 that has had a publicly available PoC since last month, while CVE-2009-0556 is a 9.3-rated Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac that was first known to be exploited in April 2009. 

Notable vulnerabilities discussed in open-source communities include CVE-2025-13915, a critical authentication bypass vulnerability in IBM API Connect that could allow remote unauthenticated attackers to circumvent authentication controls and gain unauthorized access to sensitive API management functions. Another was CVE-2025-68668, a 9.9-severity sandbox bypass vulnerability in the n8n workflow automation platform's Python Code Node that uses Pyodide. 

Another vulnerability getting attention is CVE-2025-52691, a maximum-severity unauthenticated arbitrary file upload vulnerability in SmarterMail email servers. The flaw affects SmarterMail versions before Build 9413 and could allow remote attackers to upload malicious files to any server location without requiring credentials, which could lead to remote code execution (RCE), full server compromise, data theft, or ransomware deployment. 

Cyble dark web researchers observed a threat actor (TA) on a cybercrime forum advertising a zero-day vulnerability allegedly affecting the latest version of Microsoft Word. The TA described the vulnerability as affecting a Dynamic Link Library (DLL) module that Microsoft Word loads without proper verification due to the absence of absolute path validation, allegedly enabling remote code execution and local privilege escalation exploitation. The TA did not provide technical proof of concept, affected version numbers, or independent verification; therefore, the claim remains unverified. 

ICS Vulnerabilities 

Three ICS vulnerabilities also merit priority attention by security teams. 

CVE-2025-3699 is a Missing Authentication for Critical Function vulnerability affecting multiple versions of Mitsubishi Electric Air Conditioning Systems. Successful exploitation of the vulnerability could have far-reaching consequences beyond simple unauthorized access. By bypassing authentication, an attacker could gain full control over the air conditioning system, enabling them to manipulate environmental conditions within commercial facilities. This could lead to equipment overheating, disruption of medical environments, or production downtime. Additionally, access to sensitive information stored within the system, such as configuration files, user credentials, or operational logs, could provide attackers with valuable intelligence for further compromise. 

CVE-2025-59287, a vulnerability disclosed by Microsoft in the Windows Server Update Services (WSUS) application, impacts servers running Schneider Electric EcoStruxure Foxboro DCS Advisor. Deserialization of untrusted data in WSUS could allow an unauthorized attacker to execute code over a network. 

CVE-2018-4063 is a remote code execution vulnerability in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3 that was added to CISA’s KEV database last month after attacks were detected on OT network perimeter devices. 

Conclusion 

New vulnerabilities declining closer to long-term trends would be welcome news if it continues, but that still leaves security teams with hundreds of new vulnerabilities a week to contend with, many of which have PoCs or active exploits. In that challenging environment, rapid, well-targeted actions are needed to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

Initial Access Sales Accelerated Across Australia and New Zealand in 2025
https://cyble.com/blog/australia-new-zealand-initial-access-threats/
Thu, 08 Jan 2026 12:52:25 +0000

The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors. 

The threat landscape report identifies a persistent focus on data-rich industries, with threat actors disproportionately targeting Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations. These sectors continue to attract attackers due to the volume of sensitive personally identifiable information (PII), financial data, and downstream access opportunities they offer. 

Growth of Initial Access Sales in 2025 

A central finding of the report is the continued growth of the initial access market. Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting organizations in Australia and New Zealand during 2025. Retail organizations were the most heavily targeted, accounting for 31 incidents, or approximately 34% of all observed activity. This figure is more than three times higher than that of the next most targeted sector. 

The BFSI sector recorded nine compromised access listings, followed by Professional Services with seven incidents. Combined, these three sectors accounted for more than half of all initial access listings observed in the region during the reporting period. 

This concentration reflects a strategic approach by initial access brokers. Retail and BFSI organizations routinely handle large volumes of customer data and payment information, making them valuable targets for monetization or follow-on ransomware attacks. Professional Services firms, meanwhile, often provide access to client environments, creating opportunities for supply chain exploitation. 

A Fragmented but Active Access Brokerage Market 

Analysis of the compromised access marketplace reveals a highly fragmented ecosystem rather than one dominated by a small number of major actors. The threat actor known as “cosmodrome” emerged as the most prolific seller of compromised access during the period, followed closely by an actor operating under the alias “shopify.” 

Despite their activity, these actors did not control the market. The top seven most active sellers were collectively responsible for only about 26% of the observed access listings. The remaining activity originated from dozens of individual threat actors who posted listings once or twice, suggesting a low barrier to entry and a marketplace populated by both specialized brokers and opportunistic participants. 

This structure indicates that initial access sales have become an accessible revenue stream for a wide range of threat actors, reinforcing the resilience and scalability of the underground economy. 

High-Impact Incidents Highlight Broader Risks 

Several notable incidents documented in the threat landscape report illustrate how initial access is translated into real-world impact. 

In June 2025, the threat group Scattered Spider was suspected of orchestrating a cyberattack against a major Australian airline. Attackers reportedly gained unauthorized access to a customer service portal, resulting in a data breach that exposed records belonging to nearly six million customers. The compromised data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. 

The airline confirmed that more sensitive information, such as credit card details, financial records, and passport data, was not affected because it was not stored in the breached system. Investigators believe the incident may be part of a broader campaign targeting the aviation sector. 

In March, threat actor “Stari4ok” advertised the sale of unauthorized access to a large Australian retail chain on the Russian-language cybercrime forum Exploit. The actor claimed the access involved a hosting server containing approximately 250 GB of data, including a 30 GB SQL database with a user table of around 71,000 records. Based on the claimed annual revenue of USD 2.6 billion and the described industry, the victim appears to be a major retailer, although this has not been independently confirmed. The access was listed for auction with a starting price of USD 1,500. 

Another listing emerged in May when the threat actor “w_tchdogs” offered unauthorized access to a portal belonging to an Australian telecommunications provider on the English-language forum Darkforums. The actor claimed the access provided entry to domain administration tools and critical network information. The listing price was USD 750. 

Data Breaches and Hacktivist Activity 

Not all incidents were tied directly to access sales. In mid-April, unidentified threat actors gained unauthorized access to the IT systems of a prominent accounting firm operating across Australia and New Zealand. The organization publicly confirmed the breach, stating that some data may have been compromised and that an investigation was ongoing. While business operations continued, the firm warned clients of potential phishing attempts and obtained court injunctions in both countries to prevent the dissemination of affected data. As of the time of reporting, no threat group had claimed responsibility. 

Hacktivist activity also remained visible. In January 2025, the group RipperSec claimed to have accessed an optical-fiber network monitoring device belonging to an Australian cable and media services provider. The device was reportedly no longer supported by its vendor. As proof, the group released images suggesting internal defacement and possible data manipulation. 

Want a deeper insight into these threats? Check out Cyble’s Australia and New Zealand Threat Landscape Report 2025 or schedule a demo to see how Cyble can protect your organization against these threats. 

The post Initial Access Sales Accelerated Across Australia and New Zealand in 2025 appeared first on Cyble.

Singapore Cyber Agency Warns of Critical IBM API Connect Vulnerability (CVE-2025-13915)  https://cyble.com/blog/cve-2025-13915-ibm-api-connect-vulnerability/ Tue, 06 Jan 2026 07:57:26 +0000 https://cyble.com/?p=108918 CVE-2025-13915

Overview 

The Cyber Security Agency of Singapore has issued an alert regarding a critical vulnerability affecting IBM API Connect, following the release of official security updates by IBM on 2 January 2026. The flaw, tracked as CVE-2025-13915, carries a CVSS v3.1 base score of 9.8, placing it among the most severe vulnerabilities currently disclosed for enterprise automation software. 

According to IBM’s security bulletin, the issue stems from an authentication bypass weakness that could allow a remote attacker to gain unauthorized access to affected systems without valid credentials. The vulnerability impacts multiple versions of IBM API Connect, a widely used platform for managing application programming interfaces across enterprise environments. 

Details of CVE-2025-13915 and Technical Impact 

IBM confirmed that CVE-2025-13915 was identified through internal testing and is classified under CWE-305: Authentication Bypass by Primary Weakness. In this weakness class the authentication algorithm itself is sound, but the implemented mechanism can be bypassed because of a separate, primary weakness in the implementation. 

The official CVSS vector for the vulnerability is: 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

This indicates that the vulnerability is remotely exploitable, requires no user interaction, and can lead to a complete compromise of confidentiality, integrity, and availability. IBM stated that successful exploitation could enable attackers to access the application remotely and operate with unauthorized privileges. 

Data from Cyble Vision further classifies the issue as “very critical,” confirming that IBM API Connect up to versions 10.0.8.5 and 10.0.11.0 is affected.  

Affected IBM API Connect Versions 

IBM confirmed that the following versions are vulnerable to CVE-2025-13915: 

  • IBM API Connect V10.0.8.0 through V10.0.8.5 

  • IBM API Connect V10.0.11.0 

No evidence has been disclosed indicating active exploitation in the wild, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-13915 Not Added to CISA KEV (Source: CISA) 

Cyble Vision data also indicates that the vulnerability has not been discussed in underground forums, suggesting no known public exploit circulation at this time.  

No discussion of the CVE-2025-13915 vulnerability in underground forums (Source: Cyble) 

The EPSS score for CVE-2025-13915 stands at 0.37, indicating a moderate probability of exploitation compared to other high-severity vulnerabilities. 

Remediation and Mitigation Guidance 

IBM has released interim fixes (iFixes) to address the vulnerability and strongly recommends that affected organizations apply updates immediately. For IBM API Connect V10.0.8, fixes are available for each sub-version from 10.0.8.0 through 10.0.8.5. A separate interim fix has also been released for IBM API Connect V10.0.11.0. 

IBM’s advisory explicitly states: 
“IBM strongly recommends addressing the vulnerability now by upgrading.” 

For environments where immediate patching is not possible, IBM advises administrators to disable self-service sign-up on the Developer Portal, if enabled. This mitigation can help reduce exposure by limiting potential abuse paths until updates can be applied. 

Cyble Vision reinforces this recommendation, noting that upgrading removes the vulnerability entirely, and that temporary mitigations should only be considered short-term risk reduction measures. 

Broader Security Context 

The disclosure of CVE-2025-13915 reinforces the persistent risk posed by authentication bypass vulnerabilities in enterprise platforms such as IBM API Connect. Classified under CWE-305 and CWE-287, the flaw demonstrates how implementation weaknesses can negate otherwise robust authentication controls. Despite the absence of confirmed exploitation, the vulnerability, remote attack surface, and critical CVSS score of 9.8 make immediate remediation necessary. 

The Cyber Security Agency of Singapore’s alert reflects heightened regional scrutiny of high-impact vulnerabilities affecting widely deployed enterprise software. IBM’s advisory, first published on 17 December 2025 and reinforced in January 2026, provides clear guidance on patching and mitigation. Organizations running affected versions of IBM API Connect should assess exposure without delay and apply the recommended fixes to reduce risk. 

Threat intelligence data from Cyble Vision further confirms the vulnerability’s severity, its impact on confidentiality, integrity, and availability, and the effectiveness of upgrading as the primary remediation. Continuous monitoring and contextual intelligence remain critical for identifying and prioritizing vulnerabilities with enterprise-wide consequences like CVE-2025-13915. 

Security teams tracking high-risk vulnerabilities like CVE-2025-13915 need real-time visibility, context, and prioritization. Cyble delivers AI-powered threat intelligence to help organizations assess exploitability, monitor new risks, and respond faster. 

Learn how Cyble helps security teams stay protected from such vulnerabilities: schedule a demo.


CISA Known Exploited Vulnerabilities Surged 20% in 2025  https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ Fri, 02 Jan 2026 10:21:08 +0000 https://cyble.com/?p=108875 CISA KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021. 

After an initial surge of additions following the database’s launch, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024. 

Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026. 

Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. 

We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year. 

Older Vulnerabilities Added to CISA KEV Also Grew 

The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier. 

The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. 

The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.  

Vulnerabilities Used in Ransomware Attacks 

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group. 

The full list of vulnerabilities newly exploited by ransomware groups in 2025 is included below, and should be prioritized by security teams if they’re not yet patched. 

Vulnerabilities Exploited by Ransomware Groups 

  • CVE-2025-5777 – Citrix NetScaler ADC and Gateway Out-of-Bounds Read 
  • CVE-2025-31161 – CrushFTP Authentication Bypass 
  • CVE-2019-6693 – Fortinet FortiOS Use of Hard-Coded Credentials 
  • CVE-2025-24472 – Fortinet FortiOS and FortiProxy Authentication Bypass 
  • CVE-2024-55591 – Fortinet FortiOS and FortiProxy Authentication Bypass 
  • CVE-2025-10035 – Fortra GoAnywhere MFT Deserialization of Untrusted Data 
  • CVE-2025-22457 – Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow 
  • CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow 
  • CVE-2025-55182 – Meta React Server Components Remote Code Execution 
  • CVE-2025-49704 – Microsoft SharePoint Code Injection 
  • CVE-2025-49706 – Microsoft SharePoint Improper Authentication 
  • CVE-2025-53770 – Microsoft SharePoint Deserialization of Untrusted Data 
  • CVE-2025-29824 – Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free 
  • CVE-2025-26633 – Microsoft Windows Management Console (MMC) Improper Neutralization 
  • CVE-2018-8639 – Microsoft Windows Win32k Improper Resource Shutdown or Release 
  • CVE-2024-55550 – Mitel MiCollab Path Traversal 
  • CVE-2024-41713 – Mitel MiCollab Path Traversal 
  • CVE-2025-61884 – Oracle E-Business Suite Server-Side Request Forgery (SSRF) 
  • CVE-2025-61882 – Oracle E-Business Suite Unspecified 
  • CVE-2023-48365 – Qlik Sense HTTP Tunneling 
  • CVE-2025-31324 – SAP NetWeaver Unrestricted File Upload 
  • CVE-2024-57727 – SimpleHelp Path Traversal 
  • CVE-2024-53704 – SonicWall SonicOS SSLVPN Improper Authentication 
  • CVE-2025-23006 – SonicWall SMA1000 Appliances Deserialization 

Projects and Vendors with the Highest Number of Exploited Vulnerabilities 

Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024. 

Several vendors and projects had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved security controls. Among the vendors and projects that saw a decline in KEV vulnerabilities in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware. 

11 vendors and projects had five or more KEV vulnerabilities added this year, included below. 

Vendor/project  CISA KEV additions in 2025 
Microsoft  39 
Apple 
Cisco 
Fortinet 
Google Chromium 
Ivanti 
Linux Kernel 
Citrix 
D-Link 
Oracle 
SonicWall 
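
The catalog statistics this post reports (additions per year, older CVEs added late, ransomware-flagged entries, per-vendor counts, overall growth) can be reproduced from the KEV JSON feed; the following is an added example, not Cyble's own tooling. It assumes the public feed's field names (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse) and runs on a constructed sample whose dateAdded values are invented, not the catalog's real dates.

```python
# Added example, not Cyble's own tooling: reproduce the kinds of statistics
# this post reports from KEV-style records. The field names follow the public
# KEV JSON feed; the sample below is constructed and its dateAdded values are
# invented for illustration, not the catalog's real dates.
import json
from collections import Counter

# Constructed sample feed using a few CVEs named in this post (dates invented).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
     "product": "NetScaler ADC and Gateway", "dateAdded": "2025-07-10",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2007-0671", "vendorProject": "Microsoft",
     "product": "Office Excel", "dateAdded": "2025-03-03",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP",
     "product": "NetWeaver", "dateAdded": "2025-04-29",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2022-03-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft",
     "product": "SharePoint", "dateAdded": "2025-07-20",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet",
     "product": "FortiOS and FortiProxy", "dateAdded": "2025-01-14",
     "knownRansomwareCampaignUse": "Known"},
]})


def load_kev(text):
    """Parse the feed and return the list of catalog records."""
    return json.loads(text)["vulnerabilities"]


def cve_key(cve_id):
    """'CVE-2025-5777' -> (2025, 5777): year and sequence number as integers."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


def added_year(record):
    return int(record["dateAdded"][:4])


def additions_per_year(records):
    """How many entries were added to the catalog in each calendar year."""
    return dict(Counter(added_year(r) for r in records))


def older_additions(records, year):
    """Entries added in `year` whose CVE identifier predates that year."""
    picked = [r["cveID"] for r in records
              if added_year(r) == year and cve_key(r["cveID"])[0] < year]
    return sorted(picked, key=cve_key)


def ransomware_cves(records, year):
    """Entries added in `year` that CISA flags as used in ransomware campaigns."""
    picked = [r["cveID"] for r in records
              if added_year(r) == year
              and r["knownRansomwareCampaignUse"] == "Known"]
    return sorted(picked, key=cve_key)


def top_vendors(records, year, minimum=1):
    """(vendor, count) pairs for `year`, most additions first, at least `minimum`."""
    counts = Counter(r["vendorProject"] for r in records if added_year(r) == year)
    return [(v, n) for v, n in counts.most_common() if n >= minimum]


def oldest_cve(records):
    """The entry with the earliest CVE year (and lowest sequence number)."""
    return min(records, key=lambda r: cve_key(r["cveID"]))["cveID"]


def growth_pct(before, after):
    """Percentage growth of the catalog between two totals, one decimal place."""
    return round((after - before) / before * 100, 1)


if __name__ == "__main__":
    recs = load_kev(SAMPLE_KEV_JSON)
    print(additions_per_year(recs), older_additions(recs, 2025))
    print(ransomware_cves(recs, 2025), top_vendors(recs, 2025, minimum=2))
    print(oldest_cve(recs), growth_pct(1239, 1484))  # CVE-2002-0367 19.8
```

Pointed at the real feed instead of the constructed sample, the same functions yield the 2025 totals quoted in this post.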

Most Common Software Weaknesses Exploited in 2025 

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year. 

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025. 

  • CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities. 

  • CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances. 

  • CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities. 

  • CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities. 

  • CWE-79 – Cross-site Scripting – appeared 7 times. 

  • CWE-94 (Code Injection) and CWE-287 (Improper Authentication) occurred 6 times each. 

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts. 

The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 

Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization. 

The Week in Vulnerabilities: The Year Ends with an Alarming New Trend  https://cyble.com/blog/weekly-vulnerabilities-surge-trend-2026/ Wed, 31 Dec 2025 08:09:20 +0000 https://cyble.com/?p=108832 weekly-vulnerabilities-surge-trend-2026

Cyble Vulnerability Intelligence researchers tracked 1,782 vulnerabilities in the last week, the third straight week that new vulnerabilities have been growing at twice their long-term rate. 

Over 282 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 207 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 51 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the top IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-66516 is a maximum severity XML External Entity (XXE) injection vulnerability in Apache Tika's core, PDF and parsers modules. Attackers could embed malicious XFA files in PDFs to trigger XXE, potentially allowing for the disclosure of sensitive files, SSRF, or DoS without authentication. 

CVE-2025-15047 is a critical stack-based buffer overflow vulnerability in Tenda WH450 router firmware version V1.0.0.18. Attackers could potentially initiate it remotely over the network with low complexity, and a public exploit exists, increasing the risk of widespread abuse. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were: 

  • CVE-2025-14733, an out-of-bounds write vulnerability in WatchGuard Fireware OS that could enable remote unauthenticated attackers to execute arbitrary code. 

  • CVE-2025-40602, a local privilege escalation vulnerability due to insufficient authorization in the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances. 

  • CVE-2025-20393, a critical remote code execution (RCE) vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw has reportedly been actively exploited since late November by a China-linked APT group, which has deployed backdoors such as AquaShell, tunneling tools, and log cleaners to achieve persistence and remote access. 

  • CVE-2025-14847, a high-severity MongoDB vulnerability that’s been dubbed “MongoBleed” and reported to be under active exploitation. The Improper Handling of Length Parameter Inconsistency vulnerability could potentially allow uninitialized heap memory to be read by an unauthenticated client, potentially exposing data, credentials and session tokens. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed a number of threat actors sharing exploits and discussing weaponizing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities under discussion were: 

CVE-2025-56157, a critical default credentials vulnerability affecting Dify versions through 1.5.1, where PostgreSQL credentials are stored in plaintext within the docker-compose.yaml file. Attackers who access deployment files or source code repositories could extract these default credentials, potentially gaining unauthorized access to databases. Successful exploitation could enable remote code execution, privilege escalation, and complete data compromise. 

CVE-2025-37164, a critical code injection vulnerability in HPE OneView. The unauthenticated remote code execution flaw affects HPE OneView versions 10.20 and prior due to improper control of code generation. The vulnerability exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication, potentially allowing remote attackers to execute arbitrary code and gain centralized control over the enterprise infrastructure. 

CVE-2025-14558, a critical severity remote code execution vulnerability in FreeBSD's rtsol(8) and rtsold(8) programs that is still awaiting NVD and CVE publication. The flaw occurs because these programs fail to validate domain search list options in IPv6 router advertisement messages, potentially allowing shell commands to be executed due to improper input validation in resolvconf(8). Attackers on the same network segment could potentially exploit this vulnerability for remote code execution; however, the attack does not cross network boundaries, as router advertisement messages are not routable. 

CVE-2025-38352, a high-severity race condition vulnerability in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition in the posix-cpu-timers subsystem could allow local attackers to escalate privileges. The flaw occurs when concurrent timer deletion and task reaping operations create a race condition that fails to detect timer firing states. 

ICS Vulnerabilities 

Cyble threat researchers also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2025-30023, a critical Deserialization of Untrusted Data vulnerability in Axis Communications Camera Station Pro, Camera Station, and Device Manager. Successful exploitation could allow an attacker to execute arbitrary code, conduct a man-in-the-middle-style attack, or bypass authentication. 

Schneider Electric EcoStruxure Foxboro DCS Advisor is affected by CVE-2025-59827, a Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Service (WSUS). Successful exploitation could allow for remote code execution, potentially resulting in unauthorized parties acquiring system-level privileges. 

Conclusion 

The persistently high number of new vulnerabilities observed in recent weeks is a worrisome new trend as we head into 2026. More than ever, security teams must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

RTO Scam Wave Continues: A Surge in Browser-Based e-Challan Phishing and Shared Fraud Infrastructure https://cyble.com/blog/rto-scam-wave-continues/ Tue, 23 Dec 2025 15:21:35 +0000 https://cyble.com/?p=108637 E-Chalan

Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users.

The campaign primarily targets Indian vehicle owners via unsolicited SMS messages claiming an overdue traffic fine. The message includes a deceptive URL resembling an official e-Challan domain. Once accessed, victims are presented with a cloned portal that mirrors the branding and structure of the legitimate government service. At the time of this writing, many of the associated phishing domains were still active, indicating that this is an ongoing and operational campaign rather than isolated or short-lived activity.

The same hosting IP was observed serving multiple phishing lures impersonating government services, logistics companies, and financial institutions, indicating a shared phishing backend supporting multi-sector fraud operations.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Figure 1: Campaign Overview

Key Takeaways

  • Attackers are actively exploiting RTO/e-Challan themes, which remain highly effective against Indian users.
  • The phishing portal dynamically fabricates challan data, requiring no prior victim-specific information.
  • The payment workflow is deliberately restricted to credit/debit cards, avoiding traceable UPI or net banking rails.
  • Infrastructure analysis links this campaign to BFSI and logistics-themed phishing hosted on the same IP.
  • Browser-based warnings (e.g., Microsoft Defender) are present but frequently ignored due to urgency cues.

A sense of urgency, evidenced in this campaign, is usually a sign of deception. By demanding a user’s immediate attention, the intent is to make a potential victim rush their task and not perform due diligence.

Users must accordingly exercise caution, scrutinize the domain and sender, and never trust unsolicited links.

Technical findings

Stage 1: Phishing SMS Delivery

The attack we first identified started with victims receiving an SMS stating that a traffic violation fine is overdue and must be paid immediately to avoid legal action. The message includes:

  • Threatening language (legal steps, supplementary charges)
  • A shortened or deceptive URL mimicking e-Challan branding
  • No personalization, allowing large-scale delivery

The sender appears as a standard mobile number, which increases delivery success and reduces immediate suspicion. (see Figure 2)

Figure 2: Fraudulent traffic violation SMS delivering a malicious e-Challan payment link

Stage 2: Redirect to Fraudulent e-Challan Portal

Clicking the embedded URL redirects the user to a phishing domain hosted on 101[.]33[.]78[.]145.

The page content is originally authored in Spanish and translated to English via browser prompts, suggesting the reuse of phishing templates across regions. (see Figure 3)

Figure 3: Fake e-Challan landing page

The Government insignia, MoRTH references, and NIC branding are visually replicated. (see Figure 3)

Stage 3: Fabricated Challan Generation

The portal prompts the user to enter:

  • Vehicle Number
  • Challan Number
  • Driving License Number

Regardless of the input provided, the system returns:

  • A valid-looking challan record
  • A modest fine amount (e.g., INR 590)
  • A near-term expiration date
  • Prominent warnings about license suspension, court summons, and legal proceedings

This step is purely psychological validation, designed to convince victims that the challan is legitimate. (see Figure 4)

Figure 4: Fraudulent e-Challan record generated

Stage 4: Card Data Harvesting

Upon clicking “Pay Now”, victims are redirected to a payment page claiming secure processing via an Indian bank. However:

  • Only credit/debit cards are accepted
  • No redirection to an official payment gateway occurs
  • CVV, expiry date, and cardholder name are collected directly

During testing, the page accepted repeated card submissions, indicating that all entered card data is transmitted to the attacker backend, independent of transaction success. (see Figure 5)

Figure 5: E-Challan payment page restricted to card-only transactions

Infrastructure Correlation and Campaign Expansion

CRIL identified another attacker-controlled IP, 43[.]130[.]12[.]41, hosting multiple domains impersonating India’s e-Challan and Parivahan services. Several of these domains follow similar naming patterns and closely resemble legitimate Parivahan branding, including domains designed to look like Parivahan variants (e.g., parizvaihen[.]icu). Analysis indicates that this infrastructure supports rotating, automatically generated phishing domains, suggesting the use of domain generation techniques to evade takedowns and blocklists.

Figure 6: Secondary phishing infrastructure supporting fake e-Challan portals

The phishing pages hosted on this IP replicate the same operational flow observed in the primary campaign, displaying fabricated traffic violations with fixed fine amounts, enforcing urgency through expiration dates, and redirecting victims to fake payment pages that harvest full card details while falsely claiming to be backed by the State Bank of India.

This overlap in infrastructure, page structure, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits government transport services to target Indian users.

Further investigation into IP address 101[.]33[.]78[.]145 revealed more than 36 phishing domains impersonating e-Challan services, all hosted on the same infrastructure.

The infrastructure also hosted phishing pages targeting:

  • BFSI (e.g., HSBC-themed payment lures)
  • Logistics companies (DTDC, Delhivery) (see Figures 7,8)

Figure 7: DTDC-themed phishing page impersonating a failed delivery notification

Figure 8: Fake DTDC address update page used for data harvesting

Consistent UI patterns and payment-harvesting logic across these campaigns confirm the presence of a shared phishing infrastructure supporting multiple fraud verticals.

SMS Origin and Phone Number Analysis

As part of the continued investigation, CRIL analyzed the originating phone number used to deliver the phishing e-Challan SMS. A reverse phone number lookup confirmed that the number is registered in India and operates on the Reliance Jio Infocomm Limited mobile network, indicating the use of a locally issued mobile connection rather than an international SMS gateway.

Additionally, analysis of the number showed that it is linked to a State Bank of India (SBI) account, further reinforcing the campaign’s use of localized infrastructure. The combination of an Indian telecom carrier and an association with a prominent public-sector bank likely enhances the perceived legitimacy of the scam and increases the effectiveness of government-themed phishing messages. (see Figure 9)

Figure 9: Phone number intelligence linked to the e-Challan phishing campaign

Conclusion

This campaign demonstrates that RTO-themed phishing remains a high-impact fraud vector in India, particularly when combined with realistic UI cloning and psychological urgency. The reuse of infrastructure across government, logistics, and BFSI lures highlights a professionalized phishing operation rather than isolated scams.

As attackers continue shifting from malware delivery to direct financial fraud, user awareness alone is insufficient. Infrastructure monitoring, domain takedowns, and proactive SMS phishing detection are critical to disrupting these operations at scale.

Our Recommendations:

  • Always verify traffic fines directly via official government portals, not SMS links.
  • Organizations should monitor for lookalike domains abusing government and brand identities.
  • SOC teams should track shared phishing infrastructure, as takedown of one domain may disrupt multiple campaigns.
  • Telecom providers should strengthen SMS filtering for financial and government-themed lures.
  • Financial institutions should monitor for card-not-present fraud patterns linked to phishing campaigns.
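
One way to act on the lookalike-domain recommendation above, as an added example that is not CRIL's tooling: normalize defanged indicators, extract the registrable label with a simple suffix heuristic, and compare it with brand keywords by containment, edit distance and shared prefix. The brand list, thresholds and suffix heuristic are assumptions; apart from parizvaihen[.]icu, which is quoted in the post, the sample indicators are constructed.

```python
# Added example, not CRIL's tooling: flag domains whose registrable label
# imitates a brand abused in this campaign. The brand list, the thresholds
# and the public-suffix heuristic are assumptions chosen for illustration.

# Brands impersonated in the campaign described above (assumed keyword list).
BRANDS = ("parivahan", "echallan", "dtdc", "delhivery", "hsbc")
MIN_PREFIX = 6   # assumption: sharing this many leading characters is suspicious


def refang(indicator):
    """Turn defanged 'a[.]b' / 'hxxp://' notation back into a plain hostname."""
    text = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return text.split("://", 1)[-1].split("/", 1)[0]


def registrable_label(host):
    """Label left of the public suffix, without a suffix list: a two-letter TLD
    preceded by a short label (gov.in, co.uk) is treated as a multi-part suffix."""
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_match(indicator, brands=BRANDS):
    """Return (brand, reason) when the label imitates a brand, else None.
    Punctuation is dropped so that 'e-challan' is compared as 'echallan'."""
    label = "".join(ch for ch in registrable_label(refang(indicator)) if ch.isalnum())
    if label in brands:
        return None   # the brand's own registrable label is not a lookalike
    for brand in brands:
        if brand in label:
            return brand, "contains brand"
        distance = levenshtein(label, brand)
        if distance <= max(1, len(brand) // 3):   # assumed relative threshold
            return brand, "edit distance %d" % distance
        if common_prefix_len(label, brand) >= MIN_PREFIX:
            return brand, "shares prefix"
    return None


def scan(indicators, brands=BRANDS):
    """Apply lookalike_match to a list of indicators and keep only the hits."""
    hits = []
    for indicator in indicators:
        match = lookalike_match(indicator, brands)
        if match:
            hits.append((indicator, match[0], match[1]))
    return hits


if __name__ == "__main__":
    # parizvaihen[.]icu is quoted in the post; the other entries are constructed.
    sample = ["parizvaihen[.]icu", "hxxps://pay.e-challanpay[.]vip/pay",
              "echallaxz0v[.]vip", "parivahan.gov.in", "example.com"]
    for hit in scan(sample):
        print(hit)
```

A production version would replace the suffix heuristic with the Public Suffix List and feed the hits into certificate-transparency or passive-DNS monitoring rather than a static list.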

MITRE ATT&CK® Techniques

  • Initial Access – T1566.001 – Phishing: Spearphishing via SMS
  • Credential Access – T1056 – Input Capture
  • Collection – T1119 – Automated Collection
  • Exfiltration – T1041 – Exfiltration Over C2 Channel
  • Impact – T1657 – Financial Theft

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

Indicators Indicator Type Description
echala[.]vip Domain Phishing Domain
echallaxzov[.]vip Domain Phishing Domain
echallaxzrx[.]vip Domain Phishing Domain
echallaxzm[.]vip Domain Phishing Domain
echallaxzv[.]vip Domain Phishing Domain
echallaxzx[.]vip Domain Phishing Domain
echallx[.]vip Domain Phishing Domain
echalln[.]vip Domain Phishing Domain
echallv[.]vip Domain Phishing Domain
delhirzexu[.]vip Domain Phishing Domain
delhirzexi[.]vip Domain Phishing Domain
delhizery[.]vip Domain Phishing Domain
delhisery[.]vip Domain Phishing Domain
dtdcspostb[.]vip Domain Phishing Domain
dtdcspostv[.]vip Domain Phishing Domain
dtdcspostc[.]vip Domain Phishing Domain
hsbc-vnd[.]cc Domain Phishing Domain
hsbc-vns[.]cc Domain Phishing Domain
parisvaihen[.]icu Domain Phishing Domain
parizvaihen[.]icu Domain Phishing Domain
parvaihacn[.]icu Domain Phishing Domain
101[.]33[.]78[.]145 IP Malicious IP
43[.]130[.]12[.]41 IP Malicious IP

The Week in Vulnerabilities: More Than 2,000 New Flaws Emerge https://cyble.com/blog/it-vulnerabilities-ics-record-week-new-flaws/ Tue, 23 Dec 2025 12:45:17 +0000 https://cyble.com/?p=108597

Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. 

Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks. 

A total of 219 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 47 received a critical severity rating based on the newer CVSS v4.0 scoring system.  

Even after factoring out a high number of Linux kernel and Adobe vulnerabilities (chart below), new vulnerabilities reported in the last week were still very high. 

What follows are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients spanning December 9-16. 

The Week’s Top IT Vulnerabilities 

CVE-2025-59385 is a high-severity authentication bypass vulnerability affecting several versions of QNAP operating systems, including QTS and QuTS hero. Fixed versions include QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. 

CVE-2025-66430 is a critical vulnerability in Plesk 18.0, specifically affecting the Password-Protected Directories feature. It stems from improper access control, potentially allowing attackers to bypass security mechanisms and escalate privileges to root-level access on affected Plesk for Linux servers. 

CVE-2025-64537 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager. The vulnerability could allow attackers to inject malicious scripts into web pages, which are then executed in the context of a victim's browser, potentially leading to session hijacking, data theft, or further exploitation. 

CVE-2025-43529 is a critical use-after-free vulnerability in Apple's WebKit browser engine, which is used in Safari and other Apple applications. The flaw could allow attackers to execute arbitrary code on affected devices by tricking users into processing maliciously crafted web content, potentially leading to full device compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-59718 is a critical authentication bypass vulnerability affecting multiple versions of Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The flaw could allow unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML message. The vulnerability has been added to CISA’s KEV catalog. 

Notable vulnerabilities discussed in open-source communities included CVE-2025-55182, a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components; CVE-2025-14174, a critical memory corruption vulnerability affecting Apple's WebKit browser engine; and CVE-2025-62221, a high-severity use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. 

Vulnerabilities Discussed on the Dark Web 

Cyble Research and Intelligence Labs (CRIL) researchers also observed several threat actors discussing weaponizing vulnerabilities on dark web forums. Among the vulnerabilities under discussion were: 

CVE-2025-55315, a critical severity vulnerability classified as HTTP request/response smuggling due to inconsistent interpretation of HTTP requests in ASP.NET Core, particularly in the Kestrel server component. The flaw arises from how chunk extensions in Transfer-Encoding: chunked requests with invalid line endings are handled differently by ASP.NET Core compared to upstream proxies, enabling attackers to smuggle malicious requests. An authorized attacker can exploit this vulnerability over a network to bypass security controls, leading to impacts such as privilege escalation, SSRF, CSRF bypass, session hijacking, or code execution, depending on the application logic. 
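The discrepancy described above comes from two parsers disagreeing about where a chunk-size line ends. The defensive property a proxy or server needs is simple: never treat a bare CR or LF as a line terminator, and reject any chunk-size line or chunk extension that contains one. The decoder below is an added example written for this post; it is not Microsoft's patch and does not reproduce Kestrel's behaviour. It enforces CRLF everywhere, validates chunk extensions against the RFC 9112 token grammar, and refuses trailer fields and any bytes after the final chunk, so a body that one lenient parser might interpret differently simply fails to parse.

```python
import re

# RFC 9112 tchar set, used to validate chunk-extension names and values.
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
EXTENSION_RE = re.compile(
    rb'^(?:;' + TCHAR + rb'+(?:=(?:' + TCHAR + rb'+|"[^"\r\n]*"))?)+$'
)
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")


class ChunkedParseError(ValueError):
    """Raised for any body this decoder refuses to interpret."""


def decode_chunked_strict(raw: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body, refusing anything ambiguous.

    Every chunk-size line and every chunk must end in CRLF. A bare CR or LF
    anywhere in the size line, including inside a chunk extension, is an
    error rather than a line terminator. Trailer fields are not accepted and
    nothing may follow the final CRLF.
    """
    body = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end == -1:
            raise ChunkedParseError("chunk-size line is not CRLF-terminated")
        line = raw[pos:end]
        if b"\r" in line or b"\n" in line:
            raise ChunkedParseError("bare CR or LF inside chunk-size line")
        size_part, sep, ext = line.partition(b";")
        if not CHUNK_SIZE_RE.match(size_part):
            raise ChunkedParseError("malformed chunk size %r" % size_part)
        if sep and not EXTENSION_RE.match(sep + ext):
            raise ChunkedParseError("malformed chunk extension %r" % ext)
        size = int(size_part, 16)
        pos = end + 2
        if size == 0:
            # last-chunk: must be followed by an empty line and nothing else
            if raw[pos:pos + 2] != b"\r\n":
                raise ChunkedParseError("last-chunk not followed by CRLF")
            if pos + 2 != len(raw):
                raise ChunkedParseError("bytes after end of chunked body")
            return bytes(body)
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedParseError("truncated chunk data")
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ChunkedParseError("chunk data not CRLF-terminated")
        pos += 2
        body += chunk


def is_well_formed_chunked(raw: bytes) -> bool:
    """True only if the strict decoder accepts the body without error."""
    try:
        decode_chunked_strict(raw)
        return True
    except ChunkedParseError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a clean body with an extension, and one whose
    # extension carries a bare LF, which the strict decoder rejects outright.
    print(decode_chunked_strict(b"5;name=value\r\nhello\r\n0\r\n\r\n"))
    print(is_well_formed_chunked(b"5;x\n\r\nhello\r\n0\r\n\r\n"))
```

Rejecting rather than "repairing" malformed framing is the point: once a front-end proxy and a back-end server both fail closed on the same inputs, there is no interpretation gap left for a smuggled request to live in.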

CVE-2025-59287 is a critical-severity remote code execution (RCE) vulnerability stemming from improper deserialization of untrusted data in Microsoft Windows Server Update Services (WSUS). The core flaw occurs in the ClientWebService component, where a specially crafted SOAP request to endpoints like SyncUpdates triggers decryption and unsafe deserialization of an AuthorizationCookie object using .NET's BinaryFormatter, allowing arbitrary code execution with SYSTEM privileges. Unauthenticated remote attackers can exploit this over WSUS ports (e.g., 8530/8531) to deploy webshells or achieve persistence, with real-world exploitation already observed. 

CVE-2025-59719, a critical severity vulnerability due to improper cryptographic signature verification, permitting authentication bypass in Fortinet FortiWeb through FortiCloud SSO. Attackers can submit crafted SAML response messages to evade login checks without proper authentication. This unauthenticated flaw has a high impact and has been actively exploited post-disclosure. 

ICS Vulnerabilities 

Cyble also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2024-3596: multiple versions of Hitachi Energy AFS, AFR, and AFF Series products are affected by a RADIUS Protocol vulnerability, Improper Enforcement of Message Integrity During Transmission in a Communication Channel. Successful exploitation of the vulnerability could compromise the integrity of the product data and disrupt its availability. 

CVE-2025-13970: OpenPLC_V3 versions prior to pull request #310 are vulnerable to this Cross-Site Request Forgery (CSRF) flaw. Successful exploitation of the vulnerability could result in the alteration of PLC settings or the upload of malicious programs. 

Conclusion 

The record number of new vulnerabilities observed by Cyble in the last week underscores the need for security teams to respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/ Fri, 19 Dec 2025 12:29:11 +0000 https://cyble.com/?p=108366

Executive Summary

CRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting Manufacturing and Government organizations across Italy, Finland, and Saudi Arabia.

This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the variety of delivery methods, all vectors leverage a unified commodity loader.

The operation's sophistication is further evidenced by the use of steganography and the trojanization of open-source libraries. Adding to their stealth is a custom-engineered, four-stage evasion pipeline designed to minimize their forensic footprint.

By masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access Trojans (RATs) and Infostealers.

Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors.

Figure 1 - Infection chain

Key Takeaways

  • Precision Targeting & Geographic Scope: The campaign specifically targets the Manufacturing and Industrial sectors across Europe and the Middle East. The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials.
  • Versatile Malware Distribution: The loaders serve as a multi-functional distribution platform. They have been observed delivering a variety of RATs (and information stealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos). This indicates the loader is likely shared or sold across different threat actor groups.
  • Steganography & Infrastructure Abuse: To bypass traditional network security, the threat actors hosted image files on legitimate delivery platforms. These images contain steganographically embedded payloads, allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.
  • Trojanization of Open-Source Libraries: The actors utilize a sophisticated "hybrid assembly" technique. By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult.
  • Four-Stage Evasion Pipeline: The infection chain is engineered to minimize forensic footprint. It employs a high-velocity, four-stage process:
    • Script Obfuscation: To hide initial intent.
    • Steganographic Extraction: To pull the payload from images.
    • Reflective Loading: To run code directly in memory without touching the disk.
    • Process Injection: To hide malicious activity within legitimate system processes.
  • Novel UAC Bypass Discovery: A unique User Account Control (UAC) bypass was identified in a recent sample. The malware monitored system process creation events and opportunistically triggered UAC prompts during legitimate launches, tricking the system or user into granting elevated privileges under the guise of a routine operation.

Technical Analysis

To demonstrate the execution flow of this campaign, we analyzed the sample with the following SHA256 hash: c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a.

Initial Infection vector

The campaign begins with targeted phishing emails sent to manufacturing organizations, masquerading as legitimate Purchase Order communications from business partners (see Figure 2).

Figure 2 - Email with attachment

Extraction of the RAR archive reveals a first-stage malicious JavaScript payload, PO No 602450.js, masquerading as a legitimate purchase order document.

Stage 1: JavaScript and PowerShell execution

The JavaScript file contains heavily obfuscated code with special characters that are stripped at runtime. The primary obfuscation techniques involve split and join operations used to dynamically reconstruct malicious strings (see Figure 3).

Figure 3 - Obfuscated JS script

The de-obfuscated JavaScript creates a hidden PowerShell process using WMI objects (winmgmts:root\cimv2). It employs multiple obfuscation layers, including base64 encoding and string manipulation, to evade detection, with a 5-second sleep delay (see Figure 4).

Figure 4 - De-obfuscated JS script

Stage 2: Steganographic payload retrieval

The decoded PowerShell script functions as a second-stage loader, retrieving a malicious PNG file from Archive.org. This image file contains a steganographically embedded base64-encoded .NET assembly hidden at the end of the file (see Figure 5).

Figure 5 - Base64 decoded PowerShell script

Upon retrieval, the PowerShell script employs regular expression (regex) pattern matching to extract the malicious payload using specific delimiters ("BaseStart-'+'-BaseEnd"). The extracted assembly is then reflectively loaded into memory via Reflection.Assembly::Load, invoking the "classlibrary1" namespace with the class name "class1" and the method "VAI".

This fileless execution technique ensures the final payload executes without writing to disk, significantly reducing detection probability and complicating forensic analysis (see Figure 6).

Figure 6 - Base64 encoded content at the end of the PNG file

Stage 3: Weaponized TaskScheduler loader

The reflectively loaded .NET assembly serves as the third-stage loader, weaponizing the legitimate open-source TaskScheduler library from GitHub. The threat actors appended malicious functions to the original library source code and recompiled it, creating a trojanized assembly that retains all legitimate functionality while embedding malicious capabilities (see Figure 7).

Figure 7 - Classes present in Clean Task Scheduler (left) appended malicious content (right)

Upon execution, the malicious method receives the payload URL in reverse and base64-encoded format, along with DLL path, DLL name, and CLR path parameters (see Figure 8).

Figure 8 - Decoded URL and payload

Stage 4: Process injection and payload execution

The weaponized loader creates a new suspended RegAsm.exe process and injects the decoded payload into its memory space before executing it (see Figure 9). This process hollowing technique allows the malware to masquerade as a legitimate Windows utility while executing malicious code.

Figure 9 - Injecting payload into RegAsm.exe

The loader downloads additional content that is similarly reversed and base64-encoded. After downloading, the loader reverses the content, performs base64 decoding, and runs the resulting binary using either RegAsm or AddInProcess32, injecting it into the target process.
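The two artefacts an analyst is left with after Stage 2 and Stage 4 above are a PNG carrying data after its IEND chunk between the BaseStart/BaseEnd markers, and blobs that must be reversed and then base64-decoded. The triage script below, an added example and not Cyble's or the threat actor's code, walks the PNG chunk list to isolate anything appended after IEND, reports its entropy (the statistical check the recommendations later ask for), pulls the marker-delimited blob, undoes the reverse-then-base64 encoding, and checks whether the result begins with the PE 'MZ' magic. The exact bytes surrounding the markers in the real script are not reproduced, so the marker pattern is an assumption; the sample PNG and the "payload" it carries are constructed inline and are not real malware.

```python
import base64
import math
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Marker strings named in the analysis above; the bytes around them in the
# real PowerShell regex are not reproduced here, so this pattern is an assumption.
MARKER_RE = re.compile(rb"BaseStart(.*?)BaseEnd", re.DOTALL)


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte after the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length, type, data, CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def encode_reversed_base64(data: bytes) -> bytes:
    """The loader's encoding as described above: base64, then reverse the text."""
    return base64.b64encode(data)[::-1]


def decode_reversed_base64(blob: bytes) -> bytes:
    """Undo it in the order the loader does: reverse first, then base64-decode."""
    return base64.b64decode(blob[::-1], validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0 for empty input, up to 8 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_png(data: bytes) -> dict:
    """Report bytes after IEND, any marker-delimited blob, and whether the
    decoded blob starts like a PE image."""
    trailing = png_trailing_data(data)
    match = MARKER_RE.search(data)
    decoded = b""
    if match:
        try:
            decoded = decode_reversed_base64(match.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
    return {
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "marker_found": match is not None,
        "decoded": decoded,
        "looks_like_pe": decoded.startswith(b"MZ"),
    }


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_clean_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG, constructed inline for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for a payload: carries the PE 'MZ' magic and nothing else.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed sample, not an executable " * 3


def build_stego_png() -> bytes:
    """The clean PNG with a marker-delimited, reversed base64 blob appended after IEND."""
    return build_clean_png() + b"BaseStart" + encode_reversed_base64(SAMPLE_PAYLOAD) + b"BaseEnd"


if __name__ == "__main__":
    report = triage_png(build_stego_png())
    print({k: v for k, v in report.items() if k != "decoded"})
```

Because the marker search runs over the whole file rather than only the trailing bytes, the same routine also catches a blob hidden inside a tEXt or other ancillary chunk; the after-IEND length and entropy are reported separately because a clean image should have zero trailing bytes, which is a cheap first-pass filter for bulk scanning of downloaded images.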

Final payload: PureLog Stealer

The injected payload is an executable file containing PureLog Stealer embedded within its resource section. The stealer is extracted using Triple DES decryption in CBC mode with PKCS7 padding, utilizing the provided key and IV parameters. Following decryption, the data undergoes GZip decompression before the resulting payload, PureLog Stealer, is invoked (see Figure 10).

Figure 10 - Triple DES decryption

PureLog Stealer is an information-stealing malware designed to exfiltrate sensitive data from compromised hosts, including browser credentials, cryptocurrency wallet information, and comprehensive system details. The threat actor's command and control infrastructure operates at IP address 38.49.210[.]241.

PureLog Stealer steals the following from the victim's machines:

Category Targeted Data Detail
Web Browsers Chromium-based browsers Data harvested from a wide range of Chromium-based browsers, including stable, beta, developer, portable, and privacy-focused variants.
Firefox-based browsers Data extracted from Firefox and Firefox-derived browsers
Browser credentials Saved usernames and passwords associated with websites and web applications
Browser cookies Session cookies, authentication tokens, and persistent cookies
Browser autofill data Autofill profiles, saved payment information, and form data.
Browser history Browsing history, visited URLs, download records, and visit metadata.
Search queries Stored browser search terms and normalized keyword data
Browser tokens Authentication tokens and associated email identifiers
Cryptocurrency Wallets Desktop wallets Wallet data from locally installed cryptocurrency wallet applications
Browser extension wallets Wallet data from browser-based cryptocurrency extensions
Wallet configuration Encrypted seed phrases, private keys, and wallet configuration files
Password Managers Browser-based managers Credentials stored in browser-integrated password management extensions
Standalone managers Credentials and vault data from desktop password manager applications
Two-Factor Authentication 2FA applications One-time password (OTP) secrets and configuration data from authenticator applications
VPN Clients VPN credentials VPN configuration files, authentication tokens, and user credentials
Messaging Applications Instant messaging apps Account tokens, user identifiers, messages, and configuration files
Gaming platforms Authentication and account metadata related to gaming services
FTP Clients FTP credentials Stored FTP server credentials and connection configurations
Email Clients Desktop email clients Email account credentials, server configurations, and authentication tokens
System Information Hardware details CPU, GPU, memory, motherboard identifiers, and system serials
Operating system OS version, architecture, and product identifiers
Network information Public IP address and network-related metadata
Security software Installed security and antivirus product details

Tracing the Footprints: Shared Ecosystem

CRIL’s cross-campaign analysis reveals a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.

This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

This observation is also reinforced by research from Seqrite, Nextron Systems, and Zscaler, which documented identical class naming conventions and execution patterns across a variety of malware families and operations.

The following code snippet illustrates the shared loader architecture observed across these campaigns (see Figure 11).

Figure 11 - Loader comparison and similarities

This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.

UAC Bypass

Notably, a recent sample revealed an LNK file employing similar obfuscation techniques, utilizing PowerShell to download a VBS loader, along with an uncommon UAC bypass method (see Figure 12).

Figure 12 – C# code inside an xml file

An uncommon UAC bypass technique is employed in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, thereby enabling the execution of a PowerShell process with elevated privileges after user approval (see Figure 13).

Figure 13 - UAC bypass using User response

Conclusion

Our research has uncovered a hybrid threat with striking uniformity of tradecraft, uncovering a persistent architectural blueprint. This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.

The fact that multiple malware families share these class naming conventions and execution patterns is further testament to how potent this threat is to the targeted nations and sectors.

The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle. Organizations, especially in the targeted regions, should treat "benign" image files and email attachments with heightened scrutiny.

Recommendations

Deploy Advanced Email Security with Behavioral Analysis

Implement email security solutions with attachment sandboxing and behavioral analysis capabilities that can detect obfuscated JavaScript, VBScript files, and malicious macros. Enable strict filtering for RAR/ZIP attachments and block execution of scripts from email sources to prevent initial infection vectors targeting business workflows.

Implement Application Whitelisting and Script Execution Controls

Deploy application whitelisting policies to prevent unauthorized JavaScript and VBScript execution from user-accessible directories. Enable PowerShell Constrained Language Mode and comprehensive logging to detect suspicious script activity, particularly commands attempting to download remote content or perform reflective assembly loading. Restrict the execution of legitimate system binaries from non-standard locations to prevent their abuse in living-off-the-land (LotL) attacks.

Deploy EDR Solutions with Advanced Process Monitoring

Implement Endpoint Detection and Response (EDR) solutions that can detect sophisticated evasion techniques and runtime anomalies, enabling effective protection against advanced threats. Configure EDR platforms to monitor for process hollowing activities where legitimate signed Windows binaries are exploited to execute malicious payloads in memory. Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading and suspicious parent-child process relationships that deviate from normal system behavior.

Monitor for Memory-Based Threats and Process Anomalies

Establish behavioral detection rules for fileless malware techniques, including reflective assembly loading, process hollowing, and suspicious parent-child process relationships. Deploy memory analysis tools to identify code injection into legitimate Windows processes, such as MSBuild.exe, RegAsm.exe, and AddInProcess32.exe, which are commonly abused for malicious payload execution.
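The parent-child and command-line conditions in the two recommendations above map directly onto the process-creation events in this post: a PowerShell spawned through WMI with a hidden window and an encoded command, a script host running a .js from a user-writable directory, and RegAsm.exe started by PowerShell with no arguments, as a hollowing target would be. The rule set below is an added example, not Cyble's detection content; the event records are constructed in the shape of Sysmon Event ID 1 or equivalent EDR telemetry, and their field names and file paths are assumptions for the example.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 shape; field names assumed).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 4312, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\PO No 602450.js"'},
    {"pid": 4400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand <constructed-placeholder>"},
    {"pid": 4512, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 4600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "RegAsm.exe /codebase MyLib.dll"},
    {"pid": 4700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET utilities named in the post as hollowing targets.
HOLLOWING_TARGETS = {"regasm.exe", "addinprocess32.exe", "msbuild.exe"}
WMI_HOST = "wmiprvse.exe"

HIDDEN_RE = re.compile(r"\s-w(indowstyle)?\s+hidden\b")
ENCODED_RE = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s")
USER_DIR_RE = re.compile(r"\\(downloads|desktop|temp|appdata)\\")
SCRIPT_EXT_RE = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?(\s|$)')


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the identifiers of every rule the event matches, in rule order."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"].lower()
    findings = []
    if image in {"wscript.exe", "cscript.exe"} and USER_DIR_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd):
        findings.append("R0-script-host-user-dir")
    if image in POWERSHELL and parent == WMI_HOST:
        findings.append("R1-wmi-spawned-powershell")
    if image in POWERSHELL and HIDDEN_RE.search(cmd) and ENCODED_RE.search(cmd):
        findings.append("R2-hidden-encoded-powershell")
    if image in HOLLOWING_TARGETS and parent in SCRIPT_HOSTS:
        findings.append("R3-dotnet-utility-from-script-host")
    # A hollowing target started with no arguments at all has no legitimate work to do.
    if image in HOLLOWING_TARGETS and basename(cmd.strip().strip('"')) == image:
        findings.append("R4-dotnet-utility-without-arguments")
    return findings


def scan(events) -> dict:
    """Map pid -> findings for every event that triggered at least one rule."""
    return {e["pid"]: evaluate(e) for e in events if evaluate(e)}


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

Rules R3 and R4 fire together on the constructed RegAsm.exe event, which is the signal worth alerting on; the same binary launched by devenv.exe with real arguments stays quiet, which is what keeps a rule like this usable on developer workstations.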

Strengthen Credential and Cryptocurrency Wallet Protection

Enforce multi-factor authentication across all critical systems and encourage users to store cryptocurrency assets in hardware wallets rather than browser-based solutions. Implement monitoring for unauthorized access to browser credential stores, password managers, and cryptocurrency wallet directories to detect potential data exfiltration attempts.

Implement Steganography Detection and Image Analysis Capabilities

Deploy specialized steganography detection tools that analyze image files for hidden malicious payloads embedded within pixel data or metadata. Implement statistical analysis techniques to identify anomalies in image file entropy and bit patterns that may indicate the presence of concealed executable code. Configure security solutions to perform deep inspection of image formats, particularly PNG files, which are frequently exploited for embedding command-and-control infrastructure or malicious scripts in covert communication channels.

MITRE Tactics, Techniques & Procedures

Tactic Technique Procedure
Initial Access (TA0001) Phishing: Spearphishing Attachment (T1566.001) Phishing emails with malicious attachments masquerading as Purchase Orders
Initial Access (TA0001) Exploit Public-Facing Application (T1190) Exploitation of CVE-2017-11882 in Microsoft Equation Editor
Execution (TA0002) User Execution: Malicious File (T1204.002) User opens JavaScript, VBScript, or LNK files from archive attachments
Execution (TA0002) Command and Scripting Interpreter: JavaScript (T1059.007) Obfuscated JavaScript executes to download second-stage payloads
Execution (TA0002) Command and Scripting Interpreter: PowerShell (T1059.001) A hidden PowerShell instance was spawned to retrieve steganographic payloads
Execution (TA0002) Windows Management Instrumentation (T1047) WMI used to spawn hidden PowerShell processes
Defense Evasion (TA0005) Obfuscated Files or Information (T1027) Multi-layer obfuscation using base64 encoding and string manipulation
Defense Evasion (TA0005) Steganography (T1027.003) Malicious payload hidden within PNG image files
Defense Evasion (TA0005) Reflective Code Loading (T1620) The .NET assembly is reflectively loaded into memory without disk writes
Defense Evasion (TA0005) Process Injection: Process Hollowing (T1055.012) Payload injected into legitimate Windows system processes
Defense Evasion (TA0005) Masquerading: Match Legitimate Name or Location (T1036.005) Execution through legitimate Windows utilities for evasion
Defense Evasion (TA0005) Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) UAC bypass using process monitoring and a user approval prompt
Defense Evasion (TA0005) Virtualization/Sandbox Evasion: Time-Based Evasion (T1497.003) 5-second sleep delay to evade automated sandbox analysis
Credential Access (TA0006) Unsecured Credentials: Credentials In Files (T1552.001) Extraction of credentials from browser databases and configuration files
Credential Access (TA0006) Credentials from Password Stores: Credentials from Web Browsers (T1555.003) Harvesting saved passwords and cookies from web browsers
Credential Access (TA0006) Credentials from Password Stores (T1555) Extraction of credentials from password manager applications
Discovery (TA0007) System Information Discovery (T1082) Collection of hardware, OS, and network information
Discovery (TA0007) Security Software Discovery (T1518.001) Enumeration of installed antivirus products
Collection (TA0009) Data from Local System (T1005) Collection of cryptocurrency wallets, VPN configs, and email data
Collection (TA0009) Email Collection (T1114) Harvesting email credentials and configurations from email clients
Command and Control (TA0011) Web Service (T1102) Abuse of Archive.org for payload hosting
Exfiltration (TA0010) Exfiltration Over C2 Channel (T1041) Data exfiltration to C2 server at 38.49.210.241

Indicators of Compromise (IOCs)

Indicator Type Comments
5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3 SHA-256 Email
c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a SHA-256 PO No 602450.rar
3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a SHA-256 Microsoft.Win32.TaskScheduler.dll  
bb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d SHA-256 PureLog Stealer
0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914 SHA-256 Zip file contains LNK
917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e SHA-256 LNK File
hxxp://192[.]3.101[.]161/zeus/ConvertedFile[.]txt URL Base64 encoded payload
hxxps://pixeldrain[.]com/api/file/7B3Gowyz URL Base64 encoded payload
hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png URL PNG file
hxxps://ia801706.us.archive[.]org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64[.]png URL PNG file
38.49.210[.]241 IP Purelog Stealer C&C

References:

https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat

https://www.seqrite.com/blog/steganographic-campaign-distributing-malware

https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/

India Criminalizes Tampering with Telecommunication Identifiers and Unauthorized Radio Equipment Under the Telecommunications Act https://cyble.com/blog/telecommunications-act-sim-tampering-cybercrime/ Fri, 19 Dec 2025 08:15:05 +0000 https://cyble.com/?p=108371

The Indian government has introduced explicit legal provisions under subsection 42(3)(c) and subsection 42(3)(f) of the Telecommunications Act, 2023, formally classifying the tampering with telecommunication identifiers and the willful possession of radio equipment using unauthorized or altered identifiers as criminal offenses. These measures are intended to address persistent challenges related to SIM misuse, telecom fraud, and the exploitation of digital communication infrastructure across India.

The legal clarification was outlined in a press release issued by the Press Information Bureau (PIB) on 17 December, following a written response in the Lok Sabha by Minister of State for Communications and Rural Development Dr. Pemmasani Chandra Sekhar. The response addressed the liability of mobile subscribers and broader cybersecurity concerns arising from the misuse of telecommunication resources. 

Legal Provisions Targeting Tampering and Unauthorized Equipment 

Under sub-section 42(3)(c) of the Telecommunications Act, 2023, any act involving the tampering of telecommunication identifiers is now treated as a punishable offence. Telecommunication identifiers include elements such as subscriber identity modules, equipment identity numbers, and other unique identifiers that form the basis of lawful access to communication networks. 

In parallel, sub-section 42(3)(f) criminalizes the willful possession of radio equipment when the individual knows that such equipment operates using unauthorized or tampered telecommunication identifiers. This provision is important in cases involving cloned devices, illegal intercept equipment, or modified communication hardware that can be used to bypass regulatory controls. 

The government has further reinforced these offences through Telecom Cyber Security Rules, which prohibit intentionally removing, obliterating, altering, or modifying unique telecommunication equipment identification numbers. The rules also bar individuals from producing, trafficking, using, or possessing hardware or software linked to telecommunication identifiers when they are aware that such configurations are unauthorized. 

SIM Misuse and Fraudulent Acquisition of Telecom Identifiers

Addressing the broader issue of SIM misuse, the Minister highlighted that sub-section 42(3)(e) of the Telecommunications Act, 2023, criminalizes the acquisition of subscriber identity modules or other telecommunication identifiers through fraud, cheating, or impersonation. Fraudulently obtained SIM cards have frequently been linked to cyber fraud, financial crimes, and identity theft, prompting the need for clear statutory deterrents.

The government noted that responsibilities relating to “Police” and “Public Order” fall within the jurisdiction of State governments, as outlined in the Seventh Schedule of the Constitution of India. As a result, enforcement of these provisions relies on coordination between central regulatory authorities and State law enforcement agencies. 

To prevent misuse at the onboarding stage, the Department of Telecommunications (DoT) has mandated, through license conditions, that Telecom Service Providers (TSPs) conduct adequate verification of every customer before issuing SIM cards or activating services. 

Regulatory Oversight and Public Reporting Mechanisms 

Beyond criminal penalties, the regulatory framework stresses oversight and early detection of telecom-related abuse. The DoT has developed mechanisms that allow citizens to report suspected misuse of telecom resources, enabling authorities and service providers to identify patterns of fraud and deactivate offending numbers or connections. 

These measures are designed to hold offenders accountable while protecting legitimate subscribers from the consequences of SIM misuse. By encouraging public reporting, authorities aim to strengthen collective vigilance against telecom-enabled cybercrime without shifting responsibility away from regulated entities. 

Policy Debate and Withdrawal of Mandatory App Installation 

The legal provisions under the Telecommunications Act gained broader public attention following controversy over a government directive that required the mandatory pre-installation of a related mobile application on all new smartphones. The directive sparked criticism from privacy advocates, opposition leaders, and technology companies, who raised concerns about user consent, surveillance risks, and excessive permissions. 

Amid growing public backlash and resistance from device manufacturers, the Ministry of Communications withdrew the mandatory pre-installation order in early December, clarifying that the application would remain voluntary. The government stated that its withdrawal did not affect the underlying legal framework established under the Telecommunications Act, 2023. 

The debate does not change the intent of the law. By criminalizing tampering with telecommunication identifiers and knowingly possessing radio equipment using unauthorized identifiers under sub-section 42(3)(c) and sub-section 42(3)(f), the framework establishes clear accountability for SIM misuse. As enforcement tightens, organizations need visibility into telecom-enabled fraud and infrastructure abuse. Cyble provides threat intelligence to help teams detect and assess these risks early.  

Request a personalized demo to see how Cyble supports proactive threat detection! 

The post India Criminalizes Tampering with Telecommunication Identifiers and Unauthorized Radio Equipment Under the Telecommunications Act  appeared first on Cyble.
