• How LEGO Designed The Simpsons Krusty Burger Set

    The Krusty Burger is a health inspector's nightmare, responsible for spawning the Krusty Burger, the Ribwich, The Clogger, and the Steamed Ham. It comes with seven minifigures, including Krusty the Clown, Sideshow Bob, Homer Simpson, and Officer Lou. You can purchase it for on June 4, although LEGO Insiders can order the set via Early Access beginning on June 1. You can sign up for free here.LEGO The Simpsons: Krusty BurgerOut June 1 for LEGO Insiders, and June 4 for everyone else.at LEGO StoreTo learn more about the set and its creation, we interviewed its designer. Ann Healy is a 39-year-old Senior Model Designer who's worked with the LEGO Group for the past six years. Here, lightly edited for clarity, are her thoughts on creating LEGO The Simpsons: Krusty Burger, the first new LEGO Simpsons set in nearly a decade. What other LEGO sets have you had a hand in designing over the past six years? Healy: I worked for three years on the LEGO Friends line. A few years ago, I got the opportunity to work on a Disney favorite of mine: The Sanderson Sisters’ Cottage set from Hocus Pocus. That project took years in the making to come to market, and I’m quite proud of it. More recently, I have been working on the LEGO Icons team. From last year’s products, I designed the McLaren MP4/4 & Ayrton Senna set and the Poinsettia LEGO Botanicals set.What drove the decision to revive the Simpsons brand after such a long hiatus? Healy: We saw that even after a 10-year stretch since a new Simpsons set, there was still a lot of love for The Simpsons amongst LEGO fans. Our market research showed that there is huge brand loyalty for The Simpsons, appealing to people globally. Designing the Krusty Burger in LEGO brick form serves as a natural continuation of our Simpsons line and gives us the opportunity to make new, never-before-seen LEGO minifigures.LEGO designers often build in their free time, working towards builds that they hope will one day become sets.“Coincidentally, the original Simpsons House and Kwik-E-Mart LEGO sets were some of the last sets I purchased before I knew I would be coming to work at The LEGO Group. In my first week working here, I found an early prototype of the Krusty Burger set on a shelf in our office. For context, LEGO designers often build in their free time, working towards builds that they hope will one day become sets. It gave me hope that someday, I might get the chance to work on something like that. Five years later, to my surprise, our Head of Marketing pulled that same prototype off the shelf and said it was time to revisit The Simpsons! I volunteered right away as a lifelong fan of the Simpsons. I couldn’t believe my luck!Describe the process of designing and building this set as best you can. How many times did you have to build the entire model in the course of finalizing it?Healy: I started with refining and updating the old prototype, figuring out the general layout and developing a building-instruction flow. I worked digitally first, then built the model physically. From there, I would go back and forth between digital and physical, seeing if the model would work with real bricks. We have design team check-ins where I showed progress on the model and got suggestions from our Creative Lead and the other model designers. I had several check-ins with the IP partner, where I would show them the latest updates and they could give feedback on the model and mini figures. I also had internal review meetings with our Model Governance and Building Experience teams, where we build the model, review every construction step, evaluate the play experience and test the strength of the model.I did not keep track of every time I rebuilt the model, but I would estimate at least 20 times. The last time I built the Krusty Burger set was when the first production boxes arrived from the factory. I built it one last time for quality assurance!Krusty Burger isn't a fully realized location in the show in the same way that Moe's Tavern is, or the Kwik-E Mart is, or the Simpsons’ house is. Which TV episodes did you use to map out the Krusty Burger and determine how it's set up? Healy: Disney was a great partner in sending us reference images and layouts when available. Also, I watched as many episodes of The Simpsons as possible, so I could translate the TV animation into a real, physical, toy playset. Season 20, Episode 21, “Coming to Homerica,” is the episode we used the most in reference, because it features the Mother Nature Burger that we reference several times in this LEGO set. The “Ribwich” from Season 14, Episode 12, “I'm Spelling as Fast as I Can,” is also featured. Other referenced episodes of note include: Season 6, Episode 15, “Homie the Clown” – Homer performs at a Krusty Burger Season 12, Episode 13, “Day of the Jackanapes” – Bart and Sideshow Bob go to the Krusty Burger. Season 10, Episode 1, Lard of the Dance” – Homer tries to sell grease from the restaurant.Season 7, Episode 15, “Bart the Fink” – Features the IRS Burger takeover.Season 19, Episode 1, “He Loves to Fly and He D'ohs” – Homer hides in the Krusty Zone ball pit. Season 15, Episode 10, “Diatribe of a Mad Housewife” – Shows the Krusty Burger drive thru sign. Season 21, Episode 4, "Treehouse of Horror XX" – Features the Krusty Burger in “Don't Have a Cow, Mankind.”What's your favorite deep cut Easter Egg in the build? Healy: Above the Krusty Burger drive-thru window, there is a kitchen display screen, showing that someone has placed an order for 700 burgers. This is a reference to the Season 5 episode “Boy-Scoutz 'n the Hood,” in which Krusty has unwisely opened a Krusty Burger oil rig in the middle of the sea.What was the most challenging aspect of designing this build? How were you able to overcome it? Healy: The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks. The IP partner paid a lot of attention to the proportions of Krusty’s face within the sign, giving us reference material and tips on how to best capture his likeness. We even got hand-drawn doodles of the Krusty the Clown from them! One of my model-designer colleagues used to work as an illustrator and used his skills to capture Krusty’s features in brick-form even more accurately. In addition, it was challenging to get the heavy Krusty Burger sign to stand up and remain stable on a single axle. Our Element Lead on the design project suggested we use a new element she was developing, an axle sleeve, to increase the weight the rod could hold upright. This new element did the trick.The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks.“Is this a one-off revival of the Simpsons brand? Or is this the beginning of a longer partnership, where we can expect to see more LEGO Simpsons themed sets in the near future?Healy: I cannot speculate on future products, per the LEGO Group’s and our partners' policies. Nonetheless, as a huge Simpsons fan myself, I am hopeful that fans have a positive response to this set!LEGO The Simpsons: Krusty Burger, Set #10352, retails for and it is composed of 1635 pieces. You can purchase it on June 4 for the general public, or starting on June 1 for LEGO Insiders. You can sign up for LEGO Insiders for free here. And stay tuned! We will be building, photographing, and reviewing LEGO Krusty Burger later this month,Kevin Wong is a contributing freelancer for IGN, specializing in LEGO. He's also been published in Complex, Engadget, Gamespot, Kotaku, and more. Follow him on Twitter at @kevinjameswong.
    #how #lego #designed #simpsons #krusty
    How LEGO Designed The Simpsons Krusty Burger Set
    The Krusty Burger is a health inspector's nightmare, responsible for spawning the Krusty Burger, the Ribwich, The Clogger, and the Steamed Ham. It comes with seven minifigures, including Krusty the Clown, Sideshow Bob, Homer Simpson, and Officer Lou. You can purchase it for on June 4, although LEGO Insiders can order the set via Early Access beginning on June 1. You can sign up for free here.LEGO The Simpsons: Krusty BurgerOut June 1 for LEGO Insiders, and June 4 for everyone else.at LEGO StoreTo learn more about the set and its creation, we interviewed its designer. Ann Healy is a 39-year-old Senior Model Designer who's worked with the LEGO Group for the past six years. Here, lightly edited for clarity, are her thoughts on creating LEGO The Simpsons: Krusty Burger, the first new LEGO Simpsons set in nearly a decade. What other LEGO sets have you had a hand in designing over the past six years? Healy: I worked for three years on the LEGO Friends line. A few years ago, I got the opportunity to work on a Disney favorite of mine: The Sanderson Sisters’ Cottage set from Hocus Pocus. That project took years in the making to come to market, and I’m quite proud of it. More recently, I have been working on the LEGO Icons team. From last year’s products, I designed the McLaren MP4/4 & Ayrton Senna set and the Poinsettia LEGO Botanicals set.What drove the decision to revive the Simpsons brand after such a long hiatus? Healy: We saw that even after a 10-year stretch since a new Simpsons set, there was still a lot of love for The Simpsons amongst LEGO fans. Our market research showed that there is huge brand loyalty for The Simpsons, appealing to people globally. Designing the Krusty Burger in LEGO brick form serves as a natural continuation of our Simpsons line and gives us the opportunity to make new, never-before-seen LEGO minifigures.LEGO designers often build in their free time, working towards builds that they hope will one day become sets.“Coincidentally, the original Simpsons House and Kwik-E-Mart LEGO sets were some of the last sets I purchased before I knew I would be coming to work at The LEGO Group. In my first week working here, I found an early prototype of the Krusty Burger set on a shelf in our office. For context, LEGO designers often build in their free time, working towards builds that they hope will one day become sets. It gave me hope that someday, I might get the chance to work on something like that. Five years later, to my surprise, our Head of Marketing pulled that same prototype off the shelf and said it was time to revisit The Simpsons! I volunteered right away as a lifelong fan of the Simpsons. I couldn’t believe my luck!Describe the process of designing and building this set as best you can. How many times did you have to build the entire model in the course of finalizing it?Healy: I started with refining and updating the old prototype, figuring out the general layout and developing a building-instruction flow. I worked digitally first, then built the model physically. From there, I would go back and forth between digital and physical, seeing if the model would work with real bricks. We have design team check-ins where I showed progress on the model and got suggestions from our Creative Lead and the other model designers. I had several check-ins with the IP partner, where I would show them the latest updates and they could give feedback on the model and mini figures. I also had internal review meetings with our Model Governance and Building Experience teams, where we build the model, review every construction step, evaluate the play experience and test the strength of the model.I did not keep track of every time I rebuilt the model, but I would estimate at least 20 times. The last time I built the Krusty Burger set was when the first production boxes arrived from the factory. I built it one last time for quality assurance!Krusty Burger isn't a fully realized location in the show in the same way that Moe's Tavern is, or the Kwik-E Mart is, or the Simpsons’ house is. Which TV episodes did you use to map out the Krusty Burger and determine how it's set up? Healy: Disney was a great partner in sending us reference images and layouts when available. Also, I watched as many episodes of The Simpsons as possible, so I could translate the TV animation into a real, physical, toy playset. Season 20, Episode 21, “Coming to Homerica,” is the episode we used the most in reference, because it features the Mother Nature Burger that we reference several times in this LEGO set. The “Ribwich” from Season 14, Episode 12, “I'm Spelling as Fast as I Can,” is also featured. Other referenced episodes of note include: Season 6, Episode 15, “Homie the Clown” – Homer performs at a Krusty Burger Season 12, Episode 13, “Day of the Jackanapes” – Bart and Sideshow Bob go to the Krusty Burger. Season 10, Episode 1, Lard of the Dance” – Homer tries to sell grease from the restaurant.Season 7, Episode 15, “Bart the Fink” – Features the IRS Burger takeover.Season 19, Episode 1, “He Loves to Fly and He D'ohs” – Homer hides in the Krusty Zone ball pit. Season 15, Episode 10, “Diatribe of a Mad Housewife” – Shows the Krusty Burger drive thru sign. Season 21, Episode 4, "Treehouse of Horror XX" – Features the Krusty Burger in “Don't Have a Cow, Mankind.”What's your favorite deep cut Easter Egg in the build? Healy: Above the Krusty Burger drive-thru window, there is a kitchen display screen, showing that someone has placed an order for 700 burgers. This is a reference to the Season 5 episode “Boy-Scoutz 'n the Hood,” in which Krusty has unwisely opened a Krusty Burger oil rig in the middle of the sea.What was the most challenging aspect of designing this build? How were you able to overcome it? Healy: The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks. The IP partner paid a lot of attention to the proportions of Krusty’s face within the sign, giving us reference material and tips on how to best capture his likeness. We even got hand-drawn doodles of the Krusty the Clown from them! One of my model-designer colleagues used to work as an illustrator and used his skills to capture Krusty’s features in brick-form even more accurately. In addition, it was challenging to get the heavy Krusty Burger sign to stand up and remain stable on a single axle. Our Element Lead on the design project suggested we use a new element she was developing, an axle sleeve, to increase the weight the rod could hold upright. This new element did the trick.The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks.“Is this a one-off revival of the Simpsons brand? Or is this the beginning of a longer partnership, where we can expect to see more LEGO Simpsons themed sets in the near future?Healy: I cannot speculate on future products, per the LEGO Group’s and our partners' policies. Nonetheless, as a huge Simpsons fan myself, I am hopeful that fans have a positive response to this set!LEGO The Simpsons: Krusty Burger, Set #10352, retails for and it is composed of 1635 pieces. You can purchase it on June 4 for the general public, or starting on June 1 for LEGO Insiders. You can sign up for LEGO Insiders for free here. And stay tuned! We will be building, photographing, and reviewing LEGO Krusty Burger later this month,Kevin Wong is a contributing freelancer for IGN, specializing in LEGO. He's also been published in Complex, Engadget, Gamespot, Kotaku, and more. Follow him on Twitter at @kevinjameswong. #how #lego #designed #simpsons #krusty
    WWW.IGN.COM
    How LEGO Designed The Simpsons Krusty Burger Set
    The Krusty Burger is a health inspector's nightmare, responsible for spawning the Krusty Burger, the Ribwich, The Clogger, and the Steamed Ham (per Principal Skinner). It comes with seven minifigures, including Krusty the Clown, Sideshow Bob, Homer Simpson, and Officer Lou. You can purchase it for $209.99 on June 4, although LEGO Insiders can order the set via Early Access beginning on June 1. You can sign up for free here.LEGO The Simpsons: Krusty BurgerOut June 1 for LEGO Insiders, and June 4 for everyone else.$209.99 at LEGO StoreTo learn more about the set and its creation, we interviewed its designer. Ann Healy is a 39-year-old Senior Model Designer who's worked with the LEGO Group for the past six years. Here, lightly edited for clarity, are her thoughts on creating LEGO The Simpsons: Krusty Burger, the first new LEGO Simpsons set in nearly a decade. What other LEGO sets have you had a hand in designing over the past six years? Healy: I worked for three years on the LEGO Friends line. A few years ago, I got the opportunity to work on a Disney favorite of mine: The Sanderson Sisters’ Cottage set from Hocus Pocus. That project took years in the making to come to market, and I’m quite proud of it. More recently, I have been working on the LEGO Icons team. From last year’s products, I designed the McLaren MP4/4 & Ayrton Senna set and the Poinsettia LEGO Botanicals set.What drove the decision to revive the Simpsons brand after such a long hiatus? Healy: We saw that even after a 10-year stretch since a new Simpsons set, there was still a lot of love for The Simpsons amongst LEGO fans. Our market research showed that there is huge brand loyalty for The Simpsons, appealing to people globally. Designing the Krusty Burger in LEGO brick form serves as a natural continuation of our Simpsons line and gives us the opportunity to make new, never-before-seen LEGO minifigures.LEGO designers often build in their free time, working towards builds that they hope will one day become sets.“Coincidentally, the original Simpsons House and Kwik-E-Mart LEGO sets were some of the last sets I purchased before I knew I would be coming to work at The LEGO Group. In my first week working here, I found an early prototype of the Krusty Burger set on a shelf in our office. For context, LEGO designers often build in their free time, working towards builds that they hope will one day become sets. It gave me hope that someday, I might get the chance to work on something like that. Five years later, to my surprise, our Head of Marketing pulled that same prototype off the shelf and said it was time to revisit The Simpsons! I volunteered right away as a lifelong fan of the Simpsons. I couldn’t believe my luck!Describe the process of designing and building this set as best you can. How many times did you have to build the entire model in the course of finalizing it?Healy: I started with refining and updating the old prototype, figuring out the general layout and developing a building-instruction flow. I worked digitally first, then built the model physically. From there, I would go back and forth between digital and physical, seeing if the model would work with real bricks. We have design team check-ins where I showed progress on the model and got suggestions from our Creative Lead and the other model designers. I had several check-ins with the IP partner, where I would show them the latest updates and they could give feedback on the model and mini figures. I also had internal review meetings with our Model Governance and Building Experience teams, where we build the model, review every construction step, evaluate the play experience and test the strength of the model.I did not keep track of every time I rebuilt the model, but I would estimate at least 20 times. The last time I built the Krusty Burger set was when the first production boxes arrived from the factory. I built it one last time for quality assurance!Krusty Burger isn't a fully realized location in the show in the same way that Moe's Tavern is, or the Kwik-E Mart is, or the Simpsons’ house is. Which TV episodes did you use to map out the Krusty Burger and determine how it's set up? Healy: Disney was a great partner in sending us reference images and layouts when available. Also, I watched as many episodes of The Simpsons as possible, so I could translate the TV animation into a real, physical, toy playset. Season 20, Episode 21, “Coming to Homerica,” is the episode we used the most in reference, because it features the Mother Nature Burger that we reference several times in this LEGO set. The “Ribwich” from Season 14, Episode 12, “I'm Spelling as Fast as I Can,” is also featured. Other referenced episodes of note include: Season 6, Episode 15, “Homie the Clown” – Homer performs at a Krusty Burger Season 12, Episode 13, “Day of the Jackanapes” – Bart and Sideshow Bob go to the Krusty Burger. Season 10, Episode 1, Lard of the Dance” – Homer tries to sell grease from the restaurant.Season 7, Episode 15, “Bart the Fink” – Features the IRS Burger takeover.Season 19, Episode 1, “He Loves to Fly and He D'ohs” – Homer hides in the Krusty Zone ball pit. Season 15, Episode 10, “Diatribe of a Mad Housewife” – Shows the Krusty Burger drive thru sign. Season 21, Episode 4, "Treehouse of Horror XX" – Features the Krusty Burger in “Don't Have a Cow, Mankind.”What's your favorite deep cut Easter Egg in the build? Healy: Above the Krusty Burger drive-thru window, there is a kitchen display screen, showing that someone has placed an order for 700 burgers. This is a reference to the Season 5 episode “Boy-Scoutz 'n the Hood,” in which Krusty has unwisely opened a Krusty Burger oil rig in the middle of the sea.What was the most challenging aspect of designing this build? How were you able to overcome it? Healy: The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks. The IP partner paid a lot of attention to the proportions of Krusty’s face within the sign, giving us reference material and tips on how to best capture his likeness. We even got hand-drawn doodles of the Krusty the Clown from them! One of my model-designer colleagues used to work as an illustrator and used his skills to capture Krusty’s features in brick-form even more accurately. In addition, it was challenging to get the heavy Krusty Burger sign to stand up and remain stable on a single axle. Our Element Lead on the design project suggested we use a new element she was developing, an axle sleeve, to increase the weight the rod could hold upright. This new element did the trick.The most rewarding challenge of designing this set was building the Krusty Burger Sign with LEGO bricks.“Is this a one-off revival of the Simpsons brand? Or is this the beginning of a longer partnership, where we can expect to see more LEGO Simpsons themed sets in the near future?Healy: I cannot speculate on future products, per the LEGO Group’s and our partners' policies. Nonetheless, as a huge Simpsons fan myself, I am hopeful that fans have a positive response to this set!LEGO The Simpsons: Krusty Burger, Set #10352, retails for $209.99, and it is composed of 1635 pieces. You can purchase it on June 4 for the general public, or starting on June 1 for LEGO Insiders. You can sign up for LEGO Insiders for free here. And stay tuned! We will be building, photographing, and reviewing LEGO Krusty Burger later this month,Kevin Wong is a contributing freelancer for IGN, specializing in LEGO. He's also been published in Complex, Engadget, Gamespot, Kotaku, and more. Follow him on Twitter at @kevinjameswong.
    0 Commentaires 0 Parts
  • Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons

    Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons
    "Actively witnessing Call of Duty become the Krusty Krab."

    Image credit: Eurogamer / Activision / u/whambampl

    News

    by Vikki Blake
    Contributor

    Published on June 1, 2025

    Eagle-eyed Call of Duty: Black Ops 6 players have spotted a new feature on the weapon selection menu.
    Right at the top there now sits advertisements promoting premium weapons and skins, so players get exposed to ads for microtransactions in-game.
    As some players point out, it's not an advert in the classic sense, and no one's trying to flog you a cheeseburger or a pair of jeans every time you swap a weapon. Nonetheless, it's a new and insidious addition that we haven't seen in Call of Duty games before.

    Call of Duty: Black Ops 6 Opening Scene and Gameplay.Watch on YouTube
    "One of the unwelcome changes I’ve noticed with Season 4 is that they’ve now inserted a new ad spot at the top of the list of your weapon specifics builds," wrote one player. "So now every time you toggle between weapon builds you get to stare at ads for -skins. I’m sure the Activision developer who suggested this terrible feature is very proud of themselves.
    "This change is especially unneeded because you could already toggle from Builds to Shop on any given weapon and apparently not being thrown directly in our faces didn’t make them enough money. Many of us payed-for a feature game and don’t want to be bombarded with additional ads."
    "Actively witnessing Call of Duty becomethe Krusty Krab," replied another.
    Season 4 brings new ad spot in game for weapons byu/whambampl inblackops6
    To see this content please enable targeting cookies.

    "Well guys looks like COD can suck a fat one," replied someone else. "This ad mess is ridiculous. They make huge bank already for them to even do this should be illegal. I've never been done with a COD this fast ever. But she's getting deleted. You can't scrounge people for money and not have a decent game. I'm not asking for a great game, just not a buggy game."
    In a separate thread that's been upvoted almost a thousand times, one player opined: "I wouldn't even be mad if this was just in warzone, a free game, but putting it in a pay-to-play premium title, with how expensive they're getting?"
    "Agree 100%, it really feels like one of those free cell phone games from a tiny indie studio begging you for money at every turn. Pathetic for a full price, stand alone game from a huge developer," replied another.
    Earlier this year, in a update shared on social media, developer Treyarch said it recognised cheaters "are frustrating and severely impact the experience for our community" but insisted it was addressing the issue, and will continue to do so "throughout 2025". At the same time, it confirmed 136,000 ranked play accounts were banned for cheating across both Call of Duty: Black Ops 6 and Warzone.
    #call #duty #black #ops #now
    Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons
    Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons "Actively witnessing Call of Duty become the Krusty Krab." Image credit: Eurogamer / Activision / u/whambampl News by Vikki Blake Contributor Published on June 1, 2025 Eagle-eyed Call of Duty: Black Ops 6 players have spotted a new feature on the weapon selection menu. Right at the top there now sits advertisements promoting premium weapons and skins, so players get exposed to ads for microtransactions in-game. As some players point out, it's not an advert in the classic sense, and no one's trying to flog you a cheeseburger or a pair of jeans every time you swap a weapon. Nonetheless, it's a new and insidious addition that we haven't seen in Call of Duty games before. Call of Duty: Black Ops 6 Opening Scene and Gameplay.Watch on YouTube "One of the unwelcome changes I’ve noticed with Season 4 is that they’ve now inserted a new ad spot at the top of the list of your weapon specifics builds," wrote one player. "So now every time you toggle between weapon builds you get to stare at ads for -skins. I’m sure the Activision developer who suggested this terrible feature is very proud of themselves. "This change is especially unneeded because you could already toggle from Builds to Shop on any given weapon and apparently not being thrown directly in our faces didn’t make them enough money. Many of us payed-for a feature game and don’t want to be bombarded with additional ads." "Actively witnessing Call of Duty becomethe Krusty Krab," replied another. Season 4 brings new ad spot in game for weapons byu/whambampl inblackops6 To see this content please enable targeting cookies. "Well guys looks like COD can suck a fat one," replied someone else. "This ad mess is ridiculous. They make huge bank already for them to even do this should be illegal. I've never been done with a COD this fast ever. But she's getting deleted. You can't scrounge people for money and not have a decent game. I'm not asking for a great game, just not a buggy game." In a separate thread that's been upvoted almost a thousand times, one player opined: "I wouldn't even be mad if this was just in warzone, a free game, but putting it in a pay-to-play premium title, with how expensive they're getting?" "Agree 100%, it really feels like one of those free cell phone games from a tiny indie studio begging you for money at every turn. Pathetic for a full price, stand alone game from a huge developer," replied another. Earlier this year, in a update shared on social media, developer Treyarch said it recognised cheaters "are frustrating and severely impact the experience for our community" but insisted it was addressing the issue, and will continue to do so "throughout 2025". At the same time, it confirmed 136,000 ranked play accounts were banned for cheating across both Call of Duty: Black Ops 6 and Warzone. #call #duty #black #ops #now
    WWW.EUROGAMER.NET
    Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons
    Call of Duty: Black Ops 6 now shows you microtransaction ads when you swap weapons "Actively witnessing Call of Duty become the Krusty Krab." Image credit: Eurogamer / Activision / u/whambampl News by Vikki Blake Contributor Published on June 1, 2025 Eagle-eyed Call of Duty: Black Ops 6 players have spotted a new feature on the weapon selection menu. Right at the top there now sits advertisements promoting premium weapons and skins, so players get exposed to ads for microtransactions in-game. As some players point out, it's not an advert in the classic sense, and no one's trying to flog you a cheeseburger or a pair of jeans every time you swap a weapon. Nonetheless, it's a new and insidious addition that we haven't seen in Call of Duty games before. Call of Duty: Black Ops 6 Opening Scene and Gameplay (4K).Watch on YouTube "One of the unwelcome changes I’ve noticed with Season 4 is that they’ve now inserted a new ad spot at the top of the list of your weapon specifics builds," wrote one player. "So now every time you toggle between weapon builds you get to stare at ads for $20-$30 skins. I’m sure the Activision developer who suggested this terrible feature is very proud of themselves. "This change is especially unneeded because you could already toggle from Builds to Shop on any given weapon and apparently not being thrown directly in our faces didn’t make them enough money. Many of us payed [sic] $60-$100 for a feature game and don’t want to be bombarded with additional ads." "Actively witnessing Call of Duty become [SpongeBob SquarePants'] the Krusty Krab," replied another. Season 4 brings new ad spot in game for weapons byu/whambampl inblackops6 To see this content please enable targeting cookies. "Well guys looks like COD can suck a fat one," replied someone else. "This ad mess is ridiculous. They make huge bank already for them to even do this should be illegal. I've never been done with a COD this fast ever. But she's getting deleted. You can't scrounge people for money and not have a decent game. I'm not asking for a great game, just not a buggy game." In a separate thread that's been upvoted almost a thousand times, one player opined: "I wouldn't even be mad if this was just in warzone, a free game, but putting it in a pay-to-play premium title, with how expensive they're getting?" "Agree 100%, it really feels like one of those free cell phone games from a tiny indie studio begging you for money at every turn. Pathetic for a full price, stand alone game from a huge developer," replied another. Earlier this year, in a update shared on social media, developer Treyarch said it recognised cheaters "are frustrating and severely impact the experience for our community" but insisted it was addressing the issue, and will continue to do so "throughout 2025". At the same time, it confirmed 136,000 ranked play accounts were banned for cheating across both Call of Duty: Black Ops 6 and Warzone.
    0 Commentaires 0 Parts
  • Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs

    Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late.
    For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise.
    What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested.
    Threat of the Week
    Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-controlbackbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame.

    Get the Guide ➝

    Top News

    Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said.
    APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts.
    Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobilesoftwareto target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-controlframework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization."
    Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google.
    CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agencywarned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault'sMicrosoft 365backup software-as-a-servicesolution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault."
    GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligenceassistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge requestby taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure.

    ‎️‍ Trending CVEs
    Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open.
    This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027, CVE-2025-30911, CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779, CVE-2025-41229, CVE-2025-4322, CVE-2025-47934, CVE-2025-30193, CVE-2025-0993, CVE-2025-36535, CVE-2025-47949, CVE-2025-40775, CVE-2025-20152, CVE-2025-4123, CVE-2025-5063, CVE-2025-37899, CVE-2025-26817, CVE-2025-47947, CVE-2025-3078, CVE-2025-3079, and CVE-2025-4978.
    Around the Cyber World

    Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox.
    Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month.
    Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairswithin three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029.
    Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information."
    Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptographycapabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure."
    New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP addressstored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow."
    New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS pluginthat allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page."

    E.U. Sanctions Stark Industries — The European Unionhas announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation.
    The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Maskhas been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts, and Animal Farm.
    Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'"
    Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023.
    Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operationsto reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said.
    Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoadervia banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processesthrough techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processesfor behaviors such as file copying and changing policies," the company said.
    SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission'sofficial X account in January 2024 and falsely announced that the SEC approved BitcoinExchange Traded Funds. Council Jr.was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account."
    FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigationis warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information.
    DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-conceptfor a high-severity security flaw in Digital Imaging and Communications in Medicine, predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687, originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked."
    Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication. The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policiesand maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middlephishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles."

    Cybersecurity Webinars

    Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identitiesto function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead.
    Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense.

    Cybersecurity Tools

    ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments.
    Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation.
    AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities.

    Tip of the Week
    Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them?
    Why it matters:
    Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk.
    What to do:

    Go through your connected apps here:
    Google: myaccount.google.com/permissions
    Microsoft: account.live.com/consent/Manage
    GitHub: github.com/settings/applications
    Facebook: facebook.com/settings?tab=applications

    Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open.
    Conclusion
    Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops.
    The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.
    #weekly #recap #apt #campaigns #browser
    ⚡ Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs
    Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-controlbackbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobilesoftwareto target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-controlframework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agencywarned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault'sMicrosoft 365backup software-as-a-servicesolution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligenceassistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge requestby taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027, CVE-2025-30911, CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779, CVE-2025-41229, CVE-2025-4322, CVE-2025-47934, CVE-2025-30193, CVE-2025-0993, CVE-2025-36535, CVE-2025-47949, CVE-2025-40775, CVE-2025-20152, CVE-2025-4123, CVE-2025-5063, CVE-2025-37899, CVE-2025-26817, CVE-2025-47947, CVE-2025-3078, CVE-2025-3079, and CVE-2025-4978. 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairswithin three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptographycapabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP addressstored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS pluginthat allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Unionhas announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Maskhas been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts, and Animal Farm. Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operationsto reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoadervia banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processesthrough techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processesfor behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission'sofficial X account in January 2024 and falsely announced that the SEC approved BitcoinExchange Traded Funds. Council Jr.was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigationis warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-conceptfor a high-severity security flaw in Digital Imaging and Communications in Medicine, predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687, originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication. The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policiesand maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middlephishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identitiesto function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. #weekly #recap #apt #campaigns #browser
    THEHACKERNEWS.COM
    ⚡ Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs
    Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence (AI)-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge request (or commit, issue, or source code) by taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairs (MVD) within three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP address (185.147.125[.]81) stored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS plugin (or something similar) that allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Union (E.U.) has announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Mask (aka Careto) has been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts (the U.S.), and Animal Farm (France). Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay $45 million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operations (IO) to reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoader (aka ModiLoader) via banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission's (SEC) official X account in January 2024 and falsely announced that the SEC approved Bitcoin (BTC) Exchange Traded Funds (ETFs). Council Jr. (aka Ronin, Agiantschnauzer, and @EasyMunny) was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit $50,000. According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) is warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687 (CVSS score: 7.8), originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "[The whitelist] would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication (MFA). The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middle (AitM) phishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identities (like service accounts and API keys) to function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.
    0 Commentaires 0 Parts
  • Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

    May 22, 2025Ravie LakshmananEnterprise Security / Malware

    A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobilesoftware has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region.
    The vulnerabilities, tracked as CVE-2025-4427and CVE-2025-4428, could be chained to execute arbitrary code on a vulnerable device without requiring any authentication. They were addressed by Ivanti last week.
    Now, according to a report from EclecticIQ, the vulnerability chain has been abused by UNC5221, a Chinese cyber espionage group known for its targeting of edge network appliances since at least 2023. Most recently, the hacking crew was also attributed to exploitation efforts targeting SAP NetWeaver instances susceptible to CVE-2025-31324.

    The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors.
    "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," security researcher Arda Büyükkaya said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization."

    The attack sequence involves targeting the "/mifs/rs/api/v2/" endpoint to obtain an interactive reverse shell and remotely execute arbitrary commands on Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that enables the delivery of additional payloads like Sliver.
    The threat actors have also been observed targeting the mifs database by making use of hard-coded MySQL database credentials stored in /mi/files/system/.mifpp to obtain unauthorized access to the database and exfiltrating sensitive data that could grant them visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens.

    Furthermore, the incidents are characterized by the use of obfuscated shell commands for host reconnaissance before dropping KrustyLoader from an AWS S3 bucket and Fast Reverse Proxyto facilitate network reconnaissance and lateral movement. It's worth mentioning here that FRP is an open-source tool widely shared among Chinese hacking groups.
    EclecticIQ said it also identified a command-and-controlserver associated with Auto-Color, a Linux backdoor that was documented by Palo Alto Networks Unit 42 as used in attacks aimed at universities and government organizations in North America and Asia between November and December 2024.

    "The IP address 146.70.8767:45020, previously associated with Auto-Color command-and-control infrastructure, was seen issuing outbound connectivity tests via curl immediately after exploitation of Ivanti EPMM servers," Büyükkaya pointed out. "This behaviour is consistent with Auto-Color's staging and beaconing patterns. Taken together, these indicators very likely link to China-nexus activity."
    The disclosure comes as threat intelligence firm GreyNoise noted that it had witnessed a significant spike in scanning activity targeting Ivanti Connect Secure and Pulse Secure products prior to the disclosure of CVE-2025-4427 and CVE-2025-4428.
    "While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities," the company said. "It's a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation."

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    SHARE




    #chinese #hackers #exploit #ivanti #epmm
    Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks
    May 22, 2025Ravie LakshmananEnterprise Security / Malware A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobilesoftware has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The vulnerabilities, tracked as CVE-2025-4427and CVE-2025-4428, could be chained to execute arbitrary code on a vulnerable device without requiring any authentication. They were addressed by Ivanti last week. Now, according to a report from EclecticIQ, the vulnerability chain has been abused by UNC5221, a Chinese cyber espionage group known for its targeting of edge network appliances since at least 2023. Most recently, the hacking crew was also attributed to exploitation efforts targeting SAP NetWeaver instances susceptible to CVE-2025-31324. The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," security researcher Arda Büyükkaya said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." The attack sequence involves targeting the "/mifs/rs/api/v2/" endpoint to obtain an interactive reverse shell and remotely execute arbitrary commands on Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that enables the delivery of additional payloads like Sliver. The threat actors have also been observed targeting the mifs database by making use of hard-coded MySQL database credentials stored in /mi/files/system/.mifpp to obtain unauthorized access to the database and exfiltrating sensitive data that could grant them visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens. Furthermore, the incidents are characterized by the use of obfuscated shell commands for host reconnaissance before dropping KrustyLoader from an AWS S3 bucket and Fast Reverse Proxyto facilitate network reconnaissance and lateral movement. It's worth mentioning here that FRP is an open-source tool widely shared among Chinese hacking groups. EclecticIQ said it also identified a command-and-controlserver associated with Auto-Color, a Linux backdoor that was documented by Palo Alto Networks Unit 42 as used in attacks aimed at universities and government organizations in North America and Asia between November and December 2024. "The IP address 146.70.8767:45020, previously associated with Auto-Color command-and-control infrastructure, was seen issuing outbound connectivity tests via curl immediately after exploitation of Ivanti EPMM servers," Büyükkaya pointed out. "This behaviour is consistent with Auto-Color's staging and beaconing patterns. Taken together, these indicators very likely link to China-nexus activity." The disclosure comes as threat intelligence firm GreyNoise noted that it had witnessed a significant spike in scanning activity targeting Ivanti Connect Secure and Pulse Secure products prior to the disclosure of CVE-2025-4427 and CVE-2025-4428. "While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities," the company said. "It's a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE     #chinese #hackers #exploit #ivanti #epmm
    THEHACKERNEWS.COM
    Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks
    May 22, 2025Ravie LakshmananEnterprise Security / Malware A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a vulnerable device without requiring any authentication. They were addressed by Ivanti last week. Now, according to a report from EclecticIQ, the vulnerability chain has been abused by UNC5221, a Chinese cyber espionage group known for its targeting of edge network appliances since at least 2023. Most recently, the hacking crew was also attributed to exploitation efforts targeting SAP NetWeaver instances susceptible to CVE-2025-31324. The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," security researcher Arda Büyükkaya said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." The attack sequence involves targeting the "/mifs/rs/api/v2/" endpoint to obtain an interactive reverse shell and remotely execute arbitrary commands on Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that enables the delivery of additional payloads like Sliver. The threat actors have also been observed targeting the mifs database by making use of hard-coded MySQL database credentials stored in /mi/files/system/.mifpp to obtain unauthorized access to the database and exfiltrating sensitive data that could grant them visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens. Furthermore, the incidents are characterized by the use of obfuscated shell commands for host reconnaissance before dropping KrustyLoader from an AWS S3 bucket and Fast Reverse Proxy (FRP) to facilitate network reconnaissance and lateral movement. It's worth mentioning here that FRP is an open-source tool widely shared among Chinese hacking groups. EclecticIQ said it also identified a command-and-control (C2) server associated with Auto-Color, a Linux backdoor that was documented by Palo Alto Networks Unit 42 as used in attacks aimed at universities and government organizations in North America and Asia between November and December 2024. "The IP address 146.70.87[.]67:45020, previously associated with Auto-Color command-and-control infrastructure, was seen issuing outbound connectivity tests via curl immediately after exploitation of Ivanti EPMM servers," Büyükkaya pointed out. "This behaviour is consistent with Auto-Color's staging and beaconing patterns. Taken together, these indicators very likely link to China-nexus activity." The disclosure comes as threat intelligence firm GreyNoise noted that it had witnessed a significant spike in scanning activity targeting Ivanti Connect Secure and Pulse Secure products prior to the disclosure of CVE-2025-4427 and CVE-2025-4428. "While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities," the company said. "It's a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    
    0 Commentaires 0 Parts
  • The Latest Lego Simpsons Set Will Make You Very Hungry

    Ten years have passed since Lego teamed up with everyone’s favorite animated family, The Simpsons.
    The family’s house was the first set released in 2014; their local convenience store, the Kwik-E-Mart, was released a year later.
    Now, after a long wait, it’s time to make some burgers.
    Mmmm… burgers.
    *drools*
    Lego just announced it will soon be releasing a Lego Krusty Burger set to continue its relationship with Homer, Marge, Bart, Lisa, Maggie, and the town of Springfield.
    Scheduled for release June 4, with Lego VIP access starting June 1, this 1,635 piece set includes seven minifigures: Homer, Krusty, Sideshow Bob, Bart, Lisa, Lou, and Squeaky-Voiced Teen.
    Here are a few images.
    Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego In line with a set of that size, Krusty Burger costs $210 and you can see more images here.
    Plus, if you order on the official Lego site, and are a Lego VIP, you get an incredibly cool gift along with it.
    It’s a Lego version of The Simpsons couch.
    The Simpsons couch in Lego – Lego This is how Lego gets me: “Hmm… $200 is a lot but I really like that small, cheap set it comes with, so maybe I’ll buy it anyway.” Seriously.
    It’s happened before.
    As a proud owner of the original two sets, it’s worth pointing out that Lego goes all in with these.
    Every little detail is some wink or nod back to the show which, even if you haven’t watched it since the last set was released or before, you can still appreciate.
    What are your thoughts on the Lego Krusty Burger? Will you be giving it a bite? Want more io9 news? Check out when to expect the latest Marvel, Star Wars, and Star Trek releases, what’s next for the DC Universe on film and TV, and everything you need to know about the future of Doctor Who.

    Source: https://gizmodo.com/the-latest-lego-simpsons-set-will-make-you-very-hungry-2000601623" style="color: #0066cc;">https://gizmodo.com/the-latest-lego-simpsons-set-will-make-you-very-hungry-2000601623
    #the #latest #lego #simpsons #set #will #make #you #very #hungry
    The Latest Lego Simpsons Set Will Make You Very Hungry
    Ten years have passed since Lego teamed up with everyone’s favorite animated family, The Simpsons. The family’s house was the first set released in 2014; their local convenience store, the Kwik-E-Mart, was released a year later. Now, after a long wait, it’s time to make some burgers. Mmmm… burgers. *drools* Lego just announced it will soon be releasing a Lego Krusty Burger set to continue its relationship with Homer, Marge, Bart, Lisa, Maggie, and the town of Springfield. Scheduled for release June 4, with Lego VIP access starting June 1, this 1,635 piece set includes seven minifigures: Homer, Krusty, Sideshow Bob, Bart, Lisa, Lou, and Squeaky-Voiced Teen. Here are a few images. Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego In line with a set of that size, Krusty Burger costs $210 and you can see more images here. Plus, if you order on the official Lego site, and are a Lego VIP, you get an incredibly cool gift along with it. It’s a Lego version of The Simpsons couch. The Simpsons couch in Lego – Lego This is how Lego gets me: “Hmm… $200 is a lot but I really like that small, cheap set it comes with, so maybe I’ll buy it anyway.” Seriously. It’s happened before. As a proud owner of the original two sets, it’s worth pointing out that Lego goes all in with these. Every little detail is some wink or nod back to the show which, even if you haven’t watched it since the last set was released or before, you can still appreciate. What are your thoughts on the Lego Krusty Burger? Will you be giving it a bite? Want more io9 news? Check out when to expect the latest Marvel, Star Wars, and Star Trek releases, what’s next for the DC Universe on film and TV, and everything you need to know about the future of Doctor Who. Source: https://gizmodo.com/the-latest-lego-simpsons-set-will-make-you-very-hungry-2000601623 #the #latest #lego #simpsons #set #will #make #you #very #hungry
    GIZMODO.COM
    The Latest Lego Simpsons Set Will Make You Very Hungry
    Ten years have passed since Lego teamed up with everyone’s favorite animated family, The Simpsons. The family’s house was the first set released in 2014; their local convenience store, the Kwik-E-Mart, was released a year later. Now, after a long wait, it’s time to make some burgers. Mmmm… burgers. *drools* Lego just announced it will soon be releasing a Lego Krusty Burger set to continue its relationship with Homer, Marge, Bart, Lisa, Maggie, and the town of Springfield. Scheduled for release June 4, with Lego VIP access starting June 1, this 1,635 piece set includes seven minifigures: Homer, Krusty, Sideshow Bob, Bart, Lisa, Lou, and Squeaky-Voiced Teen. Here are a few images. Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego Lego Simpsons Krusty Burger – Lego In line with a set of that size, Krusty Burger costs $210 and you can see more images here. Plus, if you order on the official Lego site, and are a Lego VIP, you get an incredibly cool gift along with it. It’s a Lego version of The Simpsons couch. The Simpsons couch in Lego – Lego This is how Lego gets me: “Hmm… $200 is a lot but I really like that small, cheap set it comes with, so maybe I’ll buy it anyway.” Seriously. It’s happened before. As a proud owner of the original two sets, it’s worth pointing out that Lego goes all in with these. Every little detail is some wink or nod back to the show which, even if you haven’t watched it since the last set was released or before, you can still appreciate. What are your thoughts on the Lego Krusty Burger? Will you be giving it a bite? Want more io9 news? Check out when to expect the latest Marvel, Star Wars, and Star Trek releases, what’s next for the DC Universe on film and TV, and everything you need to know about the future of Doctor Who.
    0 Commentaires 0 Parts
  • China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence
    A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
    "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today.
    Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation.
    The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems.
    The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor.
    It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems.
    The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including -
    "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell
    "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver likely for future targeting
    "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted.
    The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands.
    In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs -
    CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor
    UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands
    UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE
    "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said.
    "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities."
    SAP Patches New NetWeaver Flaw in May 2025 Patch
    The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell.
    SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark."
    Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component.
    Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content.
    In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible.
    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.
    SHARE





    Source: https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html" style="color: #0066cc;">https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
    #chinalinked #apts #exploit #sap #cve202531324 #breach #critical #systems #worldwide
    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor. It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including - "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver likely for future targeting "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted. The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands. In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs - CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said. "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities." SAP Patches New NetWeaver Flaw in May 2025 Patch The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell. SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark." Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content. In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE     Source: https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html #chinalinked #apts #exploit #sap #cve202531324 #breach #critical #systems #worldwide
    THEHACKERNEWS.COM
    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor. It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including - "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver likely for future targeting "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted. The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands. In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs - CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said. "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities." SAP Patches New NetWeaver Flaw in May 2025 Patch The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell. SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark." Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content. In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    
    0 Commentaires 0 Parts