WEEKLY TOP TEN: March 24, 2025, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top ten stories were selected from the 40+ original items we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:

- Virtue or Vice? Paragon's Spyware Operations
Paragon Solutions, an Israeli spyware company founded in 2019, claims to have safeguards against abuse; yet researchers found its Graphite spyware targeting civil society in Italy. Forensic analysis confirmed infections on devices belonging to journalists and humanitarian workers. Apple confirmed a novel spyware attempt against an associate of confirmed Paragon targets. The Italian government initially denied involvement but later admitted to being a Paragon customer.

- DollyWay World Domination: Eight Years of Evolving Website Malware
GoDaddy Security uncovered a malware operation dating back to 2016 that has compromised over 20,000 websites and uses infected WordPress sites as command nodes. The campaign employs cryptographically signed data transfers, heterogeneous injection methods, and automatic reinfection mechanisms spread across plugins and WPCode snippets. DollyWay uses a four-stage injection chain to evade detection while redirecting visitors to scam pages. The threat actors keep control of compromised sites by removing competing malware and keeping WordPress updated.

- Semrush Impersonation Scam Hits Google Ads
Criminals are targeting Semrush users through malicious Google Ads that redirect to fake login pages offering only the "Log in with Google" option, so that Google account credentials are harvested. A compromised account exposes sensitive Google Analytics and Search Console data, revealing detailed business metrics. These accounts can also be leveraged for spear-phishing using the information stored in Semrush profiles.

- StilachiRAT Analysis: From System Reconnaissance to Cryptocurrency Theft
Microsoft researchers discovered a novel RAT named StilachiRAT that employs sophisticated evasion techniques while targeting cryptocurrency wallets. The malware collects system information, targets Chrome wallet extensions, extracts browser credentials, and communicates with C2 servers. StilachiRAT clears event logs, detects analysis tools, and implements sandbox-evading behaviors to avoid detection. StilachiRAT has not yet been widely distributed; attribution and victim sectors are currently unknown.

- Detecting and Mitigating Apache Tomcat CVE-2025-24813
A path equivalence vulnerability in Apache Tomcat (CVE-2025-24813) was disclosed on March 10 and can lead to RCE if specific prerequisites are met. Akamai detected exploit attempts targeting .session file paths with malicious serialized Java objects designed to "call home" when deserialized. The vulnerability affects multiple version ranges and is fixed in versions 11.0.3, 10.1.35, and 9.0.99.

- HellCat Hackers Go on a Worldwide Jira Hacking Spree
The HellCat hacking group is targeting Jira servers globally, most recently attacking the ticketing system of Swiss telecommunications company Ascom. This follows similar attacks on Schneider Electric, Telefónica, Orange Group, and Jaguar Land Rover, all carried out with credentials harvested by infostealers. Their latest victim is Affinitiv, from which they claim to have stolen over 470,000 unique email addresses. Security researcher Alon Gal warns that Jira has become a prime target because of its central role in enterprise workflows.

- Shedding Light on the ABYSSWORKER Driver
Elastic Security Labs analyzed ABYSSWORKER, a malicious driver deployed alongside MEDUSA ransomware to disable security tools. The driver creates device paths through which a client process talks to it, protects that client process, and offers capabilities including callback removal and process termination. ABYSSWORKER refuses to act until the client supplies a specific password, and it employs various evasion techniques. In effect the driver is a comprehensive toolkit for disabling EDR systems.

- GitHub Actions Supply Chain Attack: Targeting Coinbase and TJ-actions
A supply chain attack exposed thousands of repositories by compromising the tj-actions/changed-files action, which is used by 23,000+ repositories. The attack initially targeted Coinbase before expanding, using commit impersonation and fork manipulation to remain undetected. The attack chain began with reviewdog/action-setup, then infected tj-actions/eslint-changed-files, and ultimately compromised tj-actions/changed-files. Through the dependency chain, hundreds of thousands of repositories were potentially affected.

- WordPress Security Plugin WP Ghost Vulnerable to RCE Bug
WP Ghost, a security plugin used on 200,000+ WordPress sites, contains a critical vulnerability allowing unauthenticated remote code execution. The flaw stems from insufficient input validation and is exposed when the "Change Paths" feature is set to Lite or Ghost mode. Although these modes are not the default, the Local File Inclusion at the core of the bug applies to most setups and could enable RCE depending on server configuration. Users should upgrade to version 5.4.02 or later immediately.

- VSCode Extensions Found Downloading Early-Stage Ransomware
Two malicious VSCode extensions, despite minimal downloads, were found deploying ransomware and exposing gaps in Microsoft's review process. The extensions contained PowerShell commands that fetched the ransomware from an AWS server; the payload only encrypted a test folder, consistent with an early-stage build. ExtensionTotal reported one extension in November 2024, but Microsoft left it in the marketplace through five subsequent malicious updates. The incident highlights flaws in Microsoft's extension review, in contrast to its recent removal of legitimate VSCode themes.
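Following up on the Tomcat item above, here is an added example (editor's code, not from Akamai or the Apache Tomcat project) with the two checks a practitioner would want first: a version test against the fixed releases the item names, and a scan of Tomcat access-log lines for PUT requests to .session paths. The log heuristic keys only on the ".session" path indicator the item gives and will not catch variants the page does not describe; the sample log lines are constructed, not real traffic; and the prerequisite mentioned in the comments (the default servlet accepting writes) comes from the Tomcat advisory rather than from this page.

```python
import re
from typing import Dict, List, Optional

# First fixed release on each affected branch, per the item above
# (11.0.3, 10.1.35, 9.0.99). Branches not listed here are not covered.
FIXED_IN = {(11, 0): 3, (10, 1): 35, (9, 0): 99}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def tomcat_version_is_fixed(version: str) -> Optional[bool]:
    """True if `version` carries the CVE-2025-24813 fix, False if it is an
    affected release, None if the branch is not one the fix applies to."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None:
        return None
    # Milestone builds ("11.0.0-M1", "9.0.0.M1") parse to the numeric patch of
    # the final release and so land on the affected side, which is correct.
    return patch >= first_fixed


# Tomcat's default access-log pattern: %h %l %u %t "%r" %s %b
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_session_writes(log_lines) -> List[Dict[str, str]]:
    """Return PUT requests whose target path ends in '.session'.

    Heuristic only: it keys on the single indicator the item above gives
    (attackers writing to .session paths). A 2xx status on such a PUT also
    tells you the default servlet accepted the write (readonly=false), which
    the Tomcat advisory lists as one prerequisite for exploitation."""
    hits = []
    for line in log_lines:
        m = _ACCESS_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = m["path"].split("?", 1)[0]
        if m["method"] == "PUT" and target.lower().endswith(".session"):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "path": target, "status": m["status"]})
    return hits


# Constructed sample lines (not real traffic): one suspicious PUT, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2025:10:41:03 +0000] "PUT /uploads/evil.session HTTP/1.1" 201 -',
    '203.0.113.7 - - [18/Mar/2025:10:41:05 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.2 - - [18/Mar/2025:10:42:17 +0000] "PUT /files/report.pdf HTTP/1.1" 204 -',
]

if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "10.1.35", "11.0.2"):
        print(v, "fixed" if tomcat_version_is_fixed(v) else "AFFECTED")
    for hit in flag_session_writes(SAMPLE_LOG):
        print("suspicious .session write:", hit)
```

Run it against `catalina.out`-adjacent access logs (`localhost_access_log.*.txt`) with a custom pattern adjusted if your `AccessLogValve` does not use the default format. A hit that returned 2xx deserves immediate follow-up on the server's work directory and session store; a 403 or 405 means the write was refused and the server was most likely not exploitable by this route.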
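Following up on the GitHub Actions item above, here is a second added example (editor's code, not from GitHub or the tj-actions project). The compromise pushed a malicious commit and repointed the action's version tags at it, so a reference such as `tj-actions/changed-files@v45` silently resolved to attacker code; the practical defence is to pin every `uses:` reference to a full 40-hex commit SHA, which cannot be moved. This scanner lists the marketplace actions a workflow file uses, flags those not SHA-pinned, and marks the three actions in the compromise chain the item names. The sample workflow is constructed, and its 40-hex value is a placeholder rather than a real commit.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Matches step lines such as `- uses: owner/repo@ref` or `uses: "owner/repo@ref"`.
_USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?(?P<spec>[^\s"\'#]+)')
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the compromise chain above; worth calling out even when pinned.
CHAIN_ACTIONS = {
    "reviewdog/action-setup",
    "tj-actions/eslint-changed-files",
    "tj-actions/changed-files",
}


@dataclass
class ActionRef:
    line: int
    action: str      # owner/repo or owner/repo/subpath
    ref: str         # what follows '@'; '' if absent
    pinned: bool     # True only for a full 40-hex commit SHA
    in_chain: bool   # owner/repo appears in CHAIN_ACTIONS


def audit_workflow(workflow_text: str) -> List[ActionRef]:
    """List every marketplace action a workflow uses and whether it is SHA-pinned."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        spec = m["spec"]
        if spec.startswith(("./", "docker://")):
            continue  # local composite actions and container images: not tag-resolvable
        action, _, ref = spec.partition("@")
        repo = "/".join(action.split("/")[:2])  # strip any subpath inside the repo
        refs.append(ActionRef(
            line=lineno,
            action=action,
            ref=ref,
            pinned=bool(_FULL_SHA_RE.match(ref)),
            in_chain=repo in CHAIN_ACTIONS,
        ))
    return refs


def unpinned(refs: List[ActionRef]) -> List[ActionRef]:
    """Subset of refs that a tag move or branch push could redirect."""
    return [r for r in refs if not r.pinned]


# Constructed workflow (not from any real repository). The 40-hex value is a
# placeholder, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for r in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        flag = " (in the compromised chain)" if r.in_chain else ""
        print(f"line {r.line}: {r.action}@{r.ref} is not pinned to a commit SHA{flag}")
```

Pinning protects only the reference you control. The chain in the item (reviewdog/action-setup pulled in by tj-actions/eslint-changed-files, which tj-actions/changed-files then depended on) shows that an action's own `uses:` lines must be pinned too, so run the same scan over the `action.yml` and workflows of any action you pin, and keep the trailing `# vX.Y.Z` comment so tooling such as Dependabot can still propose SHA updates.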