WEEKLY TOP TEN: March 31, 2025, 14:39 GMT
- RedCurl Expands into Ransomware Targeting Hyper-V Servers
Bitdefender Labs has identified that RedCurl, a cyber-espionage group active since 2018, has expanded its operations to include a new ransomware variant they developed named “QWCrypt” specifically designed to encrypt data on Hyper-V virtual machines. This marks a departure from their traditional focus on prolonged data exfiltration. The group initiates attacks with phishing emails containing “.IMG” attachments disguised as resumes. These attachments exploit DLL sideloading vulnerabilities using a legitimate Adobe executable to download additional payloads and establish persistence via scheduled tasks. - Android Malware Campaign Uses .NET MAUI for Detection Evasion
A new Android malware campaign uses Microsoft’s .NET MAUI framework to evade detection by security tools. Discovered by McAfee, the malware disguises itself as legitimate apps, mainly targeting users in China and India. Unlike typical Android malware, it is written in C# and stores its logic in binary files instead of the usual DEX format, making it harder to detect. It also uses encryption, bloated manifest files, and TCP sockets for command-and-control communication to enhance stealth and persistence. - Weaver Ant Infiltrated Major Asian Telecommunications Provider for 4-years
Criminals are targeting Semrush users through malicious Google Ads that redirect to fake login pages, forcing the “Log in with Google” option to harvest credentials. Compromised accounts expose sensitive Google Analytics and Search Console data, revealing detailed business metrics. These accounts can be leveraged for spear-phishing by using information stored in Semrush profiles. Sygnia researchers discovered a China-linked advanced threat group named Weaver Ant infiltrated an Asian telecommunications provider’s network for over four years, utilizing compromised Zyxel CPE routers to conceal their activities. They employed multiple variants of the China Chopper backdoor and introduced a custom web shell called ‘INMemory,’ which executes payloads directly in the host’s memory for enhanced stealth. Despite multiple eradication attempts, Weaver Ant maintained persistent access, focusing on network intelligence, credential harvesting, and continuous surveillance rather than data theft, aligning with state-sponsored espionage objectives. - Chrome Zero-day Used in One-Click Phishing Attacks
Google has released an emergency patch for a zero-day vulnerability in its Chrome browser, identified as CVE-2025-2783, which was actively exploited by an advanced persistent threat (APT) group. Discovered by Kaspersky researchers Boris Larin and Igor Kuznetsov, the flaw involves improper handling in Mojo, a system API used in Chromium. The APT exploited this vulnerability in a campaign dubbed “Operation ForumTroll,” where victims were infected immediately after clicking a phishing email link that opened in Chrome, requiring no further user interaction. Google addressed the issue by updating Chromium to build 34.0.6998.177/.178 for Windows, with the patch rolling out to users over the coming days and weeks. - EncryptHub Leverages a Zero-day to deploy Rhadamanthys and StealC
The threat actor known as EncryptHub exploited a recently patched Windows vulnerability, CVE-2025-26633, as a zero-day to deploy malware like Rhadamanthys and StealC. Discovered by Trend Micro, the attack involves creating malicious .msc files in directories like “en-US” to exploit MMC’s MUIPath feature and using mock trusted directories to bypass User Account Control (UAC). The campaign, active since April 2024, often begins with victims downloading digitally signed Microsoft installer (MSI) files impersonating legitimate Chinese software like DingTalk or QQTalk, which then fetch and execute the loader from a remote server. - New Variants of ReaderUpdate Malware Discovered Targets MacOS
SentinelOne researchers have discovered new variants of the ReaderUpdate malware targeting macOS users, evolving from its original Python-based form to versions written in Crystal, Nim, Rust, and Go. Initially distributing Genieo adware, the latest variants now focus on delivering additional malicious payloads, establishing persistence, and exfiltrating system data. The malware disguises itself as legitimate software updates, tricking users into installing it, after which it modifies system settings, bypasses macOS security mechanisms, and downloads further malicious components. - Broadcom Patched Authentication Bypass in VMware Tools for Windows
Sergey Bliznyuk of Positive Technologies identified a high-severity authentication bypass vulnerability in VMware Tools for Windows, tracked as CVE-2025-22230,. This flaw arises from improper access controls, allowing low-privileged local attackers to escalate their privileges without user interaction on vulnerable virtual machines (VMs). This vulnerability affects VMware Tools versions 12.x.x and 11.x.x across Windows, Linux, and macOS platforms. Sergey Bliznyuk reported the vulnerability to Broadcom, triggering the vulnerability to be patched in the newest version of VMware Tools; version 12.5.1. - “IngressNightmare” allows Unauthenticated RCE in Kubernetes Clusters
Kubernetes maintainers have patched four critical vulnerabilities, collectively dubbed “IngressNightmare,” in the Ingress NGINX Controller, affecting approximately 41% of all internet-facing Kubernetes clusters, including those of several Fortune 500 companies. These flaws discovered by researchers at Wiz, enable remote unauthenticated attackers to execute arbitrary commands, potentially taking full control of affected clusters. The vulnerabilities are identified as CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, with the latter enabling remote code execution when combined with the former three. Organizations are advised to update their Ingress NGINX Controller to versions v1.11.5 or later to mitigate these risks. - New SparrowDoor Variants Discovered Targeting U.S and Mexico Organizations
ESET researchers have identified new variants of the SparrowDoor backdoor, deployed by the Chinese threat actor FamousSparrow in attacks against U.S. and Mexican organizations. These variants, discovered in July 2024, exhibit significant enhancements over previous versions, including modular architectures and improved command execution capabilities. The modular version supports functionalities such as keystroke logging, initiating interactive shell sessions, launching TCP proxies, and file system monitoring, among others. The attack chain typically begins with deploying a web shell on IIS servers, leading to the installation of these sophisticated malware variants, which enable extensive control over compromised systems. - Microsoft Stream Classic Domain Hijacked adding Spam to SharePoint Sites
The legacy domain for Microsoft Stream, ‘microsoftstream.com’, has been hijacked to display a fake Amazon site promoting a Thai casino. Affecting SharePoint sites with embedded videos from the classic Stream service, causing them to display spam content. Microsoft had previously announced the deprecation of the classic Stream service, urging organizations to migrate their videos to the new platform by April 2024.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available: