Daily Brief

Find articles below; each entry is followed by a generated summary.

Total articles found: 11829

Checks for new stories every ~15 minutes

2025-03-26 08:56:00 thehackernews CYBERCRIME Atlantis AIO: New Tool Powering Mass Credential Stuffing Attacks
Threat actors are using a cybercrime tool named Atlantis AIO Multi-Checker to perform automated credential stuffing against over 140 platforms. Atlantis AIO enables cybercriminals to test millions of stolen credentials rapidly; these are typically acquired through data breaches or underground forums. Unlike brute-force attacks, the tool relies on stolen username and password combinations to gain unauthorized access to accounts on various platforms. Atlantis AIO ships with pre-configured modules that help attackers target a wide range of platforms, including email services, e-commerce sites, and financial institutions. The tool advertises features that maintain user anonymity and security, promising high success rates and customer satisfaction. Credential stuffing facilitated by Atlantis AIO can lead to account takeovers, fraud, data theft, and the sale of access credentials on dark web marketplaces. To counter these threats, organizations are advised to enforce strong password policies and implement phishing-resistant multi-factor authentication.
2025-03-26 06:45:43 bleepingcomputer NATION STATE ACTIVITY Google Patches Chrome Zero-Day Used in Russian Espionage Efforts
Google recently addressed a severe zero-day vulnerability in Chrome, tracked as CVE-2025-2783, exploited for espionage against Russian entities. The vulnerability allowed attackers to escape the browser's sandbox and deploy sophisticated malware during cyber-espionage attacks. The exploit was discovered by researchers at Kaspersky, who found it actively used to redirect users as part of Operation ForumTroll. This campaign targeted Russian organizations through phishing attacks that simulated emails from a legitimate scientific forum. Besides the initial exploit, attackers used a second vulnerability enabling remote code execution; however, details on this remain undisclosed. Google rolled out patches quickly in the Stable Desktop channel for Windows users, with immediate availability upon checking for updates. Researchers recommend updating Chrome to mitigate the risk and disrupt the exploit chain used in the attacks. This incident marks the first Chrome zero-day patched in 2025, following ten zero-days addressed by Google in the previous year.
2025-03-26 05:00:21 thehackernews NATION STATE ACTIVITY Google Chrome Patch Addressing Espionage-Linked Zero-Day Exploit
Google has issued an out-of-band update for a high-severity Chrome vulnerability, CVE-2025-2783, exploited in targeted attacks in Russia. The flaw involves incorrect handling in Chrome's Mojo IPC libraries on Windows, enabling attackers to bypass sandbox protections. The exploited zero-day is attributed to advanced state-sponsored cyber-espionage activity specifically targeting media, educational, and government entities in Russia. It is the first actively exploited Chrome zero-day of the year and was discovered and reported by Kaspersky researchers on March 20, 2025. Victims were infected through phishing emails linking to a legitimate scientific forum, with no further user action required after the click for the malware to be deployed. The exploit chain for CVE-2025-2783 appears highly sophisticated and may involve an additional, as yet undiscovered exploit for remote code execution. Google has remediated the issue in Chrome version 134.0.6998.177/.178 for Windows and urges users to update their browsers immediately. The attack, dubbed Operation ForumTroll by Kaspersky, shows a high level of customization in phishing links and emails to ensure successful infiltration and espionage.
2025-03-26 04:25:18 thehackernews CYBERCRIME New Security Flaws in VMware and CrushFTP Demand Urgent Patches
Broadcom has released patches for a serious security flaw in VMware Tools for Windows, tracked as CVE-2025-22230 with a CVSS score of 7.8, that allows an authentication bypass. The vulnerability lets non-administrative users perform high-privilege actions within Windows guest VMs running affected VMware Tools versions 11.x.x and 12.x.x. No workaround is available for the VMware issue; updating to version 12.5.1 is required to mitigate the risk. A separate, unrelated flaw has surfaced in CrushFTP versions 10 and 11 that enables unauthenticated access over the HTTP(S) port, though current reports indicate it is not being actively exploited in the wild. The CrushFTP vulnerability, which has not yet been assigned a CVE identifier, can be mitigated by activating the DMZ function, which prevents exploitation. Both vulnerabilities are critical, as previous security weaknesses in VMware Tools and CrushFTP are known to have been exploited by malicious parties. Organizations using VMware Tools and CrushFTP are advised to apply the security updates promptly to avoid potential breaches and unauthorized access.
2025-03-25 20:18:06 bleepingcomputer CYBERCRIME Urgent Patch Issued for CrushFTP Unauthenticated Access Vulnerability
CrushFTP advised users to immediately patch their servers against an unauthenticated HTTP(S) port access vulnerability, to prevent attackers from exploiting unpatched servers exposed on the internet. The vulnerability affects all versions of CrushFTP v11, contradicting initial reports that only version 10 was affected, following a correction from cybersecurity company Rapid7. A temporary workaround is to activate the DMZ (demilitarized zone) feature as a protective measure until updates can be applied. Over 3,400 internet-facing CrushFTP instances may be vulnerable to attack, creating potential security risks. The flaw is addressed in the latest patch, CrushFTP v11.3.1+, which resolves the unauthenticated access issue. Previous vulnerabilities, including a zero-day exploited in April 2024 and a critical RCE in November 2023, have been exploited by ransomware gangs and politically motivated intelligence campaigns. CrushFTP remains a high-value target for cyberattacks because of its role in delivering enterprise file transfer capabilities.
2025-03-25 19:53:29 bleepingcomputer MISCELLANEOUS Cloudflare R2 Outage Triggered by Credential Rotation Error
Cloudflare's R2 service and related functionality experienced a 1-hour, 7-minute outage, notably affecting global write and partial read capabilities. The disruption was caused by new credentials being deployed to a development environment instead of production, because a critical command-line flag was omitted. As a result, the Cloudflare backend lost authentication access once the old credentials were deleted, a mistake noticed only after a delay because the relevant metrics declined gradually. Although no data was lost, the incident severely affected service availability, prompting an internal review and procedural changes at Cloudflare. To prevent future errors, Cloudflare has enhanced credential logging and verification processes and mandated the use of automated deployment tools. The company has also revised its standard operating procedures, including a requirement for dual validation of critical operations, to improve service reliability. This event marks another significant human error-related outage at Cloudflare this year, following a similar incident in February caused by improper handling of an abuse report.
2025-03-25 19:22:36 bleepingcomputer MALWARE Broadcom Fixes High-Level VMware Windows Tools Vulnerability
Broadcom issued security patches for a critical authentication bypass vulnerability in VMware Tools for Windows. The flaw, identified as CVE-2025-22230, enables attackers with low-level access to perform high-privilege operations without user interaction. The vulnerability was spotted by Sergey Bliznyuk from Positive Technologies, a Russian firm previously accused of distributing hacking tools. This alert follows the patching of three zero-day vulnerabilities in VMware systems earlier in the month, which were actively exploited. The Shadowserver platform detected over 37,000 VMware ESXi instances vulnerable to these zero-day attacks across the internet. VMware vulnerabilities are a prime target for ransomware groups and nation-state actors due to their broad use in managing sensitive corporate operations. Broadcom's recent advisories have also detailed exploitation of VMware tools by Chinese state hackers, including the deployment of advanced persistent backdoors.
2025-03-25 18:27:49 bleepingcomputer CYBERCRIME New Zero-Day Windows Vulnerability Exposes NTLM Credentials
A new zero-day vulnerability in Windows leaks NTLM hashes when users view malicious files in Windows Explorer. It affects all Windows versions from Windows 7 to Windows 11 and Server versions from 2008 R2 to Server 2025. ACROS Security discovered the vulnerability and has provided free, unofficial micropatches through its 0patch service. Attackers exploit the flaw by tricking users into opening or viewing malicious files, which can lead to unauthorized access and lateral movement across networks. Although the vulnerability's severity varies with network configuration and other external factors, it has been used in real-world attacks. Microsoft has been notified but has not yet released an official fix; details of the vulnerability are being withheld until then to limit risk. This disclosure follows multiple other reports by 0patch, some of which remain unpatched by Microsoft.
2025-03-25 17:40:20 theregister DATA BREACH Oracle Cloud Denies Breach Amidst Confirmed Data Leak Reports
Oracle Cloud is contesting allegations of a security breach, despite claims by a hacker known as rose87168 and confirmation from infosec researchers that the stolen data is genuine. The hacker allegedly accessed Oracle's login servers using a known vulnerability and extracted around six million records, including customer security keys and encrypted credentials. Alon Gal of Hudson Rock confirmed with customers that the data sample provided by the hacker was legitimate and originated from Oracle's production environment. The leaked data includes sensitive information that could enable supply chain and ransomware attacks if misused. Experts suggest that affected organizations change their SSO and LDAP credentials and enforce strict password policies and multi-factor authentication. Oracle maintains that there was no breach and that the published credentials are unrelated to Oracle Cloud systems. The breach claim gains credibility from the difficulty of fabricating such a large and structured volume of leaked information.
2025-03-25 16:53:00 bleepingcomputer MALWARE EncryptHub Exploits New Windows Zero-Day to Steal Data
EncryptHub, an established threat actor, has exploited a newly discovered Windows zero-day vulnerability, CVE-2025-26633, affecting the Microsoft Management Console. The vulnerability allows attackers to bypass Windows file reputation checks, so that malicious MSC files execute without warning the user. Microsoft issued an advisory and a patch for the vulnerability as part of its recent Patch Tuesday updates, urging users to update their systems promptly. The attacks involving this vulnerability were first documented by Trend Micro, which noted that EncryptHub used it to deploy malicious payloads such as backdoors and data stealers. EncryptHub has a history of cyber-attacks and has previously been linked to breaches of over 618 organizations worldwide through spear-phishing and social engineering. The group is also affiliated with ransomware operations, using stolen data as leverage in ransom negotiations after encrypting victims' files. Researchers observed the technical evolution of EncryptHub's campaign, indicating ongoing development and growing sophistication in its attack methods. Overall, this series of attacks highlights the continuing threat posed by skilled adversaries and the critical importance of timely vulnerability management and cyber defense.
2025-03-25 15:57:02 bleepingcomputer CYBERCRIME New Phishing Campaign Targets CS2 Players' Steam Accounts
A phishing campaign is currently targeting Counter-Strike 2 (CS2) players using Browser-in-the-Browser (BitB) attacks to mimic Steam's login page. The BitB technique renders a deceptive popup window inside a legitimate browser session, tricking users into entering their Steam credentials. Attackers are exploiting the identity of the Ukrainian e-sports team Navi to lend credibility to the fake login pages and attract fans. Victims are lured through YouTube and possibly other platforms with offers of fake CS2 loot cases that entice players to log into their Steam accounts. Once phished, the credentials let attackers access the victims' Steam accounts and potentially sell them on gray markets. The extensive reach of CS2 and the popularity of e-sports significantly amplify the potential impact of these attacks. To guard against such threats, users are advised to enable multi-factor authentication, use the 'Steam Guard Mobile Authenticator,' and regularly monitor account activity for anomalies.
2025-03-25 14:02:12 bleepingcomputer MALWARE New Android Malware Exploits .NET MAUI to Evade Detection
McAfee's Mobile Research Team has discovered new Android malware that uses Microsoft's .NET MAUI to hide its malicious code. The malware, which primarily targets users in China and India, masquerades as legitimate apps to bypass security measures. Its techniques include multi-layered encryption, bloated AndroidManifest.xml files, and TCP sockets for C2 communications. The observed variants store their code in blob files instead of DEX files, exploiting a gap in typical Android security tools. Cybercriminals distribute the affected apps through third-party platforms, particularly in regions without access to Google Play. McAfee warns that these evasion techniques let the malware remain undetected longer, making analysis and remediation challenging. Recommendations include avoiding third-party APK downloads and enabling Google Play Protect to mitigate the risk. The discovery reflects a growing trend of using sophisticated methods to deploy and conceal Android malware.
2025-03-25 13:45:26 thehackernews MALWARE Raspberry Robin Malware Linked to Russian Cyber Threats
Researchers have disclosed nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin malware. Raspberry Robin, which emerged in 2019, operates as an access broker for multiple criminal groups, with many links to Russian entities. The malware uses diverse propagation methods, including USB-based spread and downloads via Discord message attachments. It has facilitated other threats, such as SocGholish, Dridex, and LockBit, by deploying next-stage malware. U.S. authorities have identified connections between Raspberry Robin and the Russian nation-state actor Cadet Blizzard. An investigation by Silent Push and Team Cymru traced the management of the C2 infrastructure to an IP address that uses Tor relays and is based in an E.U. country. The top-level domains used by Raspberry Robin span a variety of international suffixes and are managed through niche and often obscure registrars. Raspberry Robin's infrastructure relies on rapid domain rotation and fast flux techniques, complicating efforts to neutralize the threat.
2025-03-25 12:33:16 theregister CYBERCRIME Troy Hunt's Mailchimp Account Compromised in Phishing Attack
Infosec expert Troy Hunt's Mailchimp mailing list was phished, affecting roughly 16,000 records, including both subscribers and people who had unsubscribed. Hunt fell victim to a sophisticated phishing email disguised as an urgent notice to review his Mailchimp campaigns because of a spam complaint. The mailing list was exported within two minutes of Hunt entering his credentials and a one-time passcode, indicating an automated attack process. Hunt criticizes Mailchimp's lack of phishing-resistant two-factor authentication options, arguing that an OTP by itself provided little protection against this type of automated phishing. The phishing domain and page used in the attack were taken down by Cloudflare shortly after the incident. Hunt plans to investigate why unsubscribed users' data was retained by Mailchimp and stressed the importance of verifying web domains to prevent phishing. The incident occurred while Hunt was in London discussing strategies to promote phishing-resistant authentication with government partners.
2025-03-25 11:58:43 thehackernews NATION STATE ACTIVITY Chinese State Hackers Covertly Compromise Major Asian Telecom
Chinese state-sponsored hackers infiltrated a major Asian telecom and remained undetected for over four years. The cyber espionage group, named Weaver Ant by Sygnia, used web shells and tunneling techniques to maintain persistent access. The attackers exploited a public-facing application to plant China Chopper and the novel INMemory web shells for espionage purposes. The INMemory web shell supported stealthy operations by executing code entirely in memory, evading forensic detection. The attackers used encoded web shells and an HTTP tunneling tool for lateral movement and post-exploitation activity within the targeted network. The campaign showed characteristics typical of Chinese-nexus operations, including shared tools and infrastructure, with activity concentrated during Chinese working hours. The revelation followed accusations by China against Taiwanese military personnel of alleged espionage against the mainland.