This week’s cybersecurity recap highlights critical vulnerabilities such as CVE-2025-5777 and CVE-2025-20309 affecting Citrix and Cisco, which are actively exploited by threat actors like APT28 and MuddyWater. Emerging malware campaigns include sophisticated botnets like Flodrix and advanced evasion techniques like Shellter and steganography. #CitrixBleed #MuddyWater
Critical Vulnerabilities & Active Exploits
- Citrix NetScaler Memory Leak: CVE-2025-5777 allows attackers to extract uninitialized memory data via crafted HTTP requests; active exploitation observed, with many devices still unpatched. How Much More Must We Bleed? – Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
- Cisco Unified Communications Manager RCE: Critical flaw (CVE-2025-20309) with hardcoded credentials allows root access; over 1,000 internet-exposed assets vulnerable and targeted by APT28 and MuddyWater. Cisco Unified Communications Manager CVSS 10 Vulnerability: 1K+ Assets Exposed to the Internet
- Apache RCE Vulnerabilities: Critical remote code execution bugs in Apache Tomcat (CVE-2025-24813) and Camel (CVE-2025-27636, CVE-2025-29891) under active scanning and exploitation globally. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
- Langflow CVE-2025-3248 Exploitation: Used to deploy the Flodrix botnet that conducts DDoS attacks and data exfiltration via malicious Python payloads. CVE 2025 3248 Langflow Exploit for Flodrix Botnet
- JDWP Debug Port Abuse: Unauthorized access to exposed Java Debug Wire Protocol leads to stealthy XMRig cryptominer deployment and persistent foothold on TeamCity servers. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open
Malware Campaigns & Botnets
- SonicWall NetExtender Trojan: Trojanized VPN client carrying the “SilentRoute” backdoor exfiltrates credentials and uses a stolen GlobalSign certificate to bypass detection. Threat Actors Recompile SonicWall’s NetExtender to Include SilentRoute Backdoor
- Janela RAT & Chromium Stealer: Targeting Latin American fintech with multi-stage infections involving GitLab-hosted MSI installers and a browser extension for credential theft. Janela RAT with Chromium Stealer Extension use
- Remcos RAT Campaign: Employs NT namespace spoofing and phishing via malicious shortcut files to maintain persistent Windows access. Remcos Malware Campaign
- Flodrix Botnet Deployment: Exploiting Langflow vulnerability for botnet-building to facilitate DDoS and data theft operations. CVE 2025 3248 Langflow Exploit for Flodrix Botnet
- Havoc Demon Malware: Macro-laden Word document delivers malware targeting Pakistan International Airlines, using Microsoft dev tunnels for stealthy C2 communication. Havoc Demon Targeting Pakistan International Airlines
- DEVMAN Ransomware: Hybrid DragonForce variant encrypts its own ransom notes and uses multiple offline encryption modes signaling evolving ransomware techniques. DEVMAN Ransomware: Analysis of New DragonForce Variant
Phishing & Social Engineering Campaigns
- APT36 Targets Indian Defense: Phishing campaign delivers Linux-focused multi-stage malware to the Indian defense sector via malicious .desktop files. Phishing Attack: Deploying Malware on Indian Defense BOSS Linux
- Spanish .es Domain Abuse: 19-fold increase in credential phishing using .es domains spoofing Microsoft on randomized subdomains. Spain TLD’s Recent Rise to Dominance
- Chinese Fake Marketplace Scam: Large-scale phishing campaign using thousands of spoofed retail websites and payment scams leveraging Google Pay. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign
- Blind Eagle APT-C-36: Steady phishing campaigns targeting Latin America with exploitation of CVE-2024-43451 and WebDAV payload delivery for data exfiltration. Blind Eagle Phishing Campaign
- DCRAT Impersonation Attack: Phishing campaign impersonates Colombian government to deliver Remote Access Trojan via obfuscated email attachments. DCRAT Impersonating the Colombian Government
- Japanese Brokerage Phishing: Over 3,500 fraudulent stock transactions linked to phishing domains that compromised Japanese securities accounts in early 2025. A DNS Examination of the Phishing Campaign Targeting Japanese Brokerage Firms
Advanced Evasion & Stealth Techniques
- SHELLTER Evasion Framework: Commercial evasion tool Shellter Elite 11.0 abused in infostealer campaigns using polymorphic shellcode and API unhooking for advanced stealth. Taking SHELLTER: a commercial evasion framework abused in-the-wild
- Excel Steganography Attack: Malicious XLS uses steganography to embed PowerShell in JPEG and deliver Katz stealer DLL through multi-stage infection chains. More Steganography! – SANS Internet Storm Center
- Windows Shortcut (LNK) Malware Rise: Sharp increase in LNK file malware varieties, including sophisticated delivery and evasion mechanisms targeting Windows environments. Windows Shortcut (LNK) Malware Strategies
- Remcos Spoofed System Directories: Using NT namespace path parsing to evade detection and maintain persistence in infected machines. Remcos Malware Campaign
State-Sponsored & Nation-State Campaigns
- Iran’s Intelligence Group 13 Operations: IRGC-linked unit conducts hybrid cyber-espionage and influence campaigns using front companies like CyberAveng3rs targeting critical infrastructure. Iran’s Intelligence Group 13 – DomainTools Investigations | DTI
- North Korean Web3 Malware (NimDoor): DPRK actors target crypto platforms on macOS using Nim-based malware, obfuscated AppleScripts, and novel persistence and exfiltration techniques. macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms
- Jasper Sleet Insider Threat: North Korean remote IT workers use AI-powered image and voice manipulation for fraudulent employment schemes globally. Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics
- Kimsuky ‘ClickFix’ Tactic: North Korean, Iranian, and Russian threat actors employ deceptive PowerShell execution via phishing and error message lures to gain access. [No direct link provided]
- Pro-Russian Hacktivism: Groups like NoName057(16) and IT Army of Russia escalate DDoS, data theft, and defacement attacks aligned with the Russia-Ukraine conflict. Pro-Russian hacktivism: Shifting alliances, new groups and risks
- Russian & Criminal Attribution Challenges: Cybercriminals TA829 and UNK_GreenSec blend espionage and ransomware campaigns with custom malware like TransferLoader and SingleCamper. 10 Things I Hate About Attribution: RomCom vs. TransferLoader
Attack Techniques & Infrastructure Abuse
- Linux SSH Proxy Installation: Brute-force attacks targeting Linux SSH servers to install TinyProxy and Sing-box proxies for anonymizing malicious activities. Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation
- Azure Load Testing Secrets Extraction: Abuse of scripting in Azure Load Testing service to execute commands and extract Managed Identity tokens using tools like MicroBurst. Extracting Sensitive Information from Azure Load Testing
- Password Spray to Ransomware Deployment: Multi-stage attack leveraging RDP password spray, credential harvesting, network discovery, and RansomHub ransomware deployment with lateral movement tools. Hide Your RDP: Password Spray Leads to RansomHub Deployment
Emerging Malware & Tool Updates
- New macOS Stealer by MentalPositive: Potential new variant of AMOS malware targeting Ledger Live users with novel builds and crypto wallet theft functionality. @mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?