Daily Brief
Total articles found: 11736
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-10 09:40:57 | thehackernews | VULNERABILITIES | Active Exploitation of Zero-Day Vulnerability in Gladinet and TrioFox | Huntress has identified active exploitation of a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox, affecting all versions up to 16.7.10368.56560. The vulnerability is an unauthenticated local file inclusion flaw that allows unauthorized access to system files and carries a CVSS score of 6.1. Three Huntress customers have been impacted, with exploitation detected beginning September 27, 2025. The flaw enables attackers to retrieve the machine key and then achieve remote code execution via a ViewState deserialization vulnerability. Until a patch is available, users are advised to disable the "temp" handler in the Web.config file, which mitigates the risk at the cost of some platform functionality. Previous vulnerabilities in the same software, such as CVE-2025-30406, have also been exploited, indicating a pattern of security issues. Companies using these products should remain vigilant and apply the recommended mitigations promptly to prevent unauthorized access and potential data breaches. |
| 2025-10-10 08:24:36 | bleepingcomputer | CYBERCRIME | FBI and French Authorities Dismantle BreachForums Used for Extortion | The FBI, in collaboration with French authorities, has taken control of BreachForums, a platform used by ShinyHunters for leaking stolen corporate data. The seizure aimed to prevent the release of data from Salesforce breaches, which targeted companies that refused to pay ransoms. The BreachForums infrastructure, including all database backups since 2023, is now under FBI control, although the dark web data leak site remains operational. ShinyHunters confirmed the forum's takeover via a Telegram message, indicating the end of the forum era and warning of potential honeypot risks. Despite the forum's shutdown, ShinyHunters stated that their Salesforce data leak campaign would proceed, affecting numerous high-profile companies. The list of impacted organizations includes FedEx, Disney/Hulu, Google, and many others, with over one billion customer records reportedly compromised. This action follows previous law enforcement efforts, including arrests and charges against key BreachForums members, signaling ongoing international cooperation against cybercrime. |
| 2025-10-10 06:43:40 | thehackernews | CYBERCRIME | Cl0p Hackers Exploit Oracle Software Flaw in Widespread Breach | Google Threat Intelligence Group and Mandiant report a zero-day flaw in Oracle's E-Business Suite exploited since August 2025, affecting dozens of organizations. The Cl0p ransomware group is suspected due to similarities with past campaigns, although formal attribution remains unconfirmed. The attack utilized multiple vulnerabilities, including CVE-2025-61882, to infiltrate networks and exfiltrate sensitive data. Oracle has released patches to address these vulnerabilities, aiming to mitigate further exploitation risks. The breach involved sophisticated techniques such as SSRF, CRLF injection, and XSL template injection for remote code execution. Threat actors executed a high-volume email extortion campaign targeting executives, leveraging compromised third-party accounts. The campaign's investment level suggests significant pre-attack research, indicating a well-resourced and strategic operation. Organizations are advised to apply Oracle's patches promptly and review security measures to prevent similar breaches. |
| 2025-10-09 21:08:29 | bleepingcomputer | MALWARE | ClayRat Spyware Targets Russian Users via Fake Popular Apps | ClayRat, a new Android spyware, masquerades as popular apps such as WhatsApp and TikTok, targeting Russian users through Telegram channels and deceptive websites. Over 600 samples and 50 distinct droppers have been documented in the past three months, indicating a significant and active campaign. The malware employs phishing portals and domains mimicking legitimate services, using fake comments and inflated download counts to deceive users. ClayRat uses a "session-based" installation method to bypass Android 13+ restrictions, reducing user suspicion and increasing installation success. Once installed, the spyware can intercept SMS messages, access call logs, and propagate by sending messages to the victim's contacts. Communication with the command and control servers is encrypted, and the malware can execute 12 different commands once permissions are granted. Zimperium, a member of the App Defense Alliance, has shared indicators of compromise with Google, enabling Play Protect to block known and new variants. This campaign's scale and sophistication highlight the ongoing threat of mobile spyware and the importance of robust mobile security measures. |
| 2025-10-09 20:52:51 | theregister | VULNERABILITIES | Anthropic Reveals AI Models Vulnerable to Minimal Data Poisoning | Anthropic's research indicates that as few as 250 malicious documents can corrupt AI models, causing them to output gibberish when triggered by specific phrases. The study involved collaboration with the UK AI Security Institute and the Alan Turing Institute, focusing on generative AI models like Llama 3.1 and GPT-3.5 Turbo. Models ranging from 600 million to 13 billion parameters were tested, and all succumbed to the attack, highlighting a significant vulnerability in AI training processes. The attack method appended a trigger phrase to legitimate training data, demonstrating that minimal malicious input can disrupt model performance. While the research primarily examined denial-of-service attacks, the potential for more severe AI backdoor attacks remains uncertain. Anthropic emphasizes the importance of public disclosure to raise awareness and encourage the development of robust defenses against such vulnerabilities. Recommendations for mitigation include post-training adjustments, clean training practices, and enhanced data filtering and backdoor detection techniques. The findings underscore the need for scalable defenses, as attackers require only a small number of malicious documents to compromise AI models. |
| 2025-10-09 19:38:40 | bleepingcomputer | CYBERCRIME | Hackers Exploit Velociraptor Tool in LockBit and Babuk Ransomware Attacks | Threat actors are leveraging the Velociraptor DFIR tool to deploy LockBit and Babuk ransomware, according to Cisco Talos and Sophos reports. Researchers attribute the campaigns to Storm-2603, a China-based group linked to Chinese nation-state actors and known for using Warlock ransomware. Attackers used an outdated Velociraptor version vulnerable to CVE-2025-6264, enabling privilege escalation and arbitrary command execution on compromised systems. The group established persistent access by creating local admin accounts synced to Entra ID, granting control over VMware vSphere consoles and virtual machines. Endpoint detection solutions identified ransomware on Windows systems as LockBit, with encrypted files bearing the ".xlockxlock" extension, while Babuk was found on VMware ESXi systems. Attackers used PowerShell scripts for data exfiltration prior to encryption, employing techniques to evade detection and analysis environments. Cisco Talos provided indicators of compromise, including files uploaded by the attackers and Velociraptor-related files, aiding in threat detection and response efforts. |
| 2025-10-09 19:38:40 | bleepingcomputer | CYBERCRIME | Storm-2657 Targets U.S. Universities in Payroll Hijacking Scheme | Cybercrime group Storm-2657 has been targeting U.S. university employees since March 2025 to hijack salary payments through sophisticated phishing attacks. Microsoft identified 11 compromised accounts at three universities, leading to phishing emails sent to nearly 6,000 accounts across 25 universities. The attacks exploit social engineering tactics and a lack of multifactor authentication (MFA) to compromise Workday accounts, though other HR SaaS platforms may also be vulnerable. Phishing emails use themes like campus illness warnings and faculty misconduct to deceive recipients into clicking malicious links. Attackers employ adversary-in-the-middle (AiTM) techniques to steal MFA codes, allowing access to Exchange Online and manipulation of payroll settings. Compromised accounts are used to distribute further phishing emails, and attackers enroll their own devices as MFA methods to maintain access. Microsoft has contacted affected customers and provided guidance on implementing phishing-resistant MFA to mitigate these attacks. The FBI reported over 21,000 business email compromise complaints in 2024, highlighting the financial impact of such schemes. |
| 2025-10-09 17:22:52 | thehackernews | NATION STATE ACTIVITY | UTA0388's Evolving Espionage Tactics Target Global Organizations | China-aligned threat actor UTA0388 has been linked to spear-phishing campaigns across North America, Asia, and Europe, deploying a Go-based malware, GOVERSHELL, via tailored phishing emails. Campaigns involve emails mimicking legitimate organizations to socially engineer targets into downloading malicious payloads, often using cloud services like Netlify and OneDrive for hosting. The phishing strategy has evolved to include rapport-building techniques, enhancing the credibility of the emails before delivering the malicious links. GOVERSHELL, a successor to the HealthKick malware, utilizes DLL side-loading for execution, with five variants identified, demonstrating active development and adaptability. UTA0388 has exploited OpenAI's ChatGPT for generating phishing content and aiding malicious workflows, though the associated accounts have been banned. The campaigns focus on geopolitical targets, particularly in Asia, with recent attacks on European institutions, including a Serbian government department. The use of automation and large language models suggests a sophisticated approach with minimal human oversight, posing significant challenges for detection and prevention. |
| 2025-10-09 17:22:51 | bleepingcomputer | MALWARE | RondoDox Botnet Exploits 56 Vulnerabilities in Global Device Attacks | Since June, the RondoDox botnet has been actively targeting 56 vulnerabilities across over 30 device types, including DVRs, NVRs, CCTV systems, and web servers. Utilizing an "exploit shotgun" strategy, RondoDox deploys multiple exploits simultaneously, increasing infection rates despite generating significant network noise. The botnet has expanded its arsenal to include vulnerabilities such as CVE-2024-3721 and CVE-2024-12856, with a focus on n-day flaws from Pwn2Own competitions. RondoDox exploits older, unpatched vulnerabilities in end-of-life devices as well as newer flaws in supported hardware, posing a persistent threat to unpatched systems. Trend Micro identified 18 additional command injection vulnerabilities in devices like D-Link NAS units and Linksys routers that lack official CVE assignments. To mitigate risks, organizations should apply the latest firmware updates, replace end-of-life equipment, and secure networks by segmenting critical data and changing default credentials. The botnet's rapid adaptation of Pwn2Own exploits signals a need for vigilance and proactive patch management to safeguard against evolving threats. |
| 2025-10-09 15:39:39 | thehackernews | MALWARE | ClayRat Spyware Exploits Android Devices via Fake App Impersonations | The ClayRat spyware campaign targets Android users in Russia, using fake apps like WhatsApp and TikTok to lure victims through phishing websites and Telegram channels. Once installed, the spyware can exfiltrate SMS messages, call logs, and device information, and even send messages or place calls from the victim's device. The malware aggressively propagates by sending malicious links to contacts in the victim's phone book, utilizing compromised devices as distribution vectors. Over 600 samples and 50 droppers have been detected in 90 days, with new obfuscation layers to evade detection and security defenses. Attackers use bogus websites and Telegram channels to distribute APK files, bypassing the installation restrictions introduced in Android 13 and later versions. ClayRat requests to become the default SMS application, enabling it to capture sensitive content and further disseminate the malware. The threat is compounded by findings that pre-installed apps on budget Android smartphones in Africa may also expose sensitive data and operate with elevated privileges. |
| 2025-10-09 14:15:18 | bleepingcomputer | MALWARE | PureRAT Attack Chain Reveals Advanced Multi-Stage Malware Campaign | Huntress Labs uncovered a sophisticated attack chain culminating in the deployment of PureRAT, a commercially available remote access trojan (RAT), demonstrating advanced threat actor capabilities. The campaign begins with a phishing email containing a ZIP archive, utilizing DLL sideloading to execute a malicious payload, showcasing traditional yet effective initial access techniques. Multiple stages of the attack employ obfuscation and encryption, including Base85, Base64, RC4, and AES, to hide payloads and evade detection, reflecting tactical evolution. The threat actor transitioned from Python-based info-stealers to .NET executables, leveraging process hollowing and reflective DLL loading for enhanced persistence and control. PureRAT's capabilities include extensive surveillance, data theft, and potential for follow-on attacks, posing significant risks to compromised systems. Indicators suggest the involvement of actors linked to PXA Stealer, with infrastructure pointing to Vietnam, indicating a maturing operator with global implications. The campaign illustrates the necessity of defense-in-depth strategies, emphasizing the importance of monitoring for specific behaviors and maintaining a resilient security posture. |
| 2025-10-09 14:15:18 | bleepingcomputer | DATA BREACH | SonicWall Cloud Backup Breach Exposes Firewall Configurations Globally | SonicWall confirmed a breach affecting all customers using its cloud backup service, exposing firewall configuration backup files to unauthorized access. The breach involves MySonicWall accounts, a portal for managing product access and cloud backups, impacting operational security for users. Exposed files contain AES-256-encrypted credentials and configuration data, potentially easing exploitation of firewalls by threat actors. SonicWall collaborated with Mandiant to investigate the breach, advising customers to reset account credentials and follow remediation guidance. Approximately 5% of SonicWall's firewall customers use the cloud backup service, but all such users are now confirmed affected by this incident. Customers can verify whether their devices are impacted by checking the 'Product Management → Issue List' on MySonicWall. Continuous monitoring of MySonicWall alerts is recommended for updated information on affected devices and further protective actions. |
| 2025-10-09 13:52:41 | thehackernews | DATA BREACH | SonicWall Data Breach Exposes Cloud Firewall Backup Files | SonicWall disclosed unauthorized access to firewall configuration backup files for customers using its cloud backup service, raising concerns about potential targeted attacks. The compromised files contain encrypted credentials and configuration data, posing an increased risk despite the encryption. SonicWall is actively notifying affected partners and customers and has released tools for device assessment and remediation. Users are urged to log in and verify their devices, with priority levels assigned to assist in remediation efforts. The breach affected less than 5% of SonicWall's customers, but the information in the files could facilitate exploitation of related firewalls. SonicWall advises immediate action for users with cloud backup features, offering further guidance for those with incomplete serial number displays. This incident follows a recent advisory for customers to reset credentials after exposure of firewall configuration backup files. |
| 2025-10-09 13:34:34 | theregister | DATA BREACH | SonicWall Cloud Backup Breach Affects All Customers, Not Just 5% | SonicWall has revealed that all customers using its MySonicWall cloud backup service were affected by a cybersecurity breach, contradicting earlier claims of a limited impact. The breach involved unauthorized access to firewall configuration backup files, which contain critical network settings and policies, posing a significant security risk. Initial reports suggested only 5% of users were impacted; however, further investigation confirmed the breach affected every user of the cloud backup service. SonicWall has advised customers to delete existing cloud backups, change credentials, and recreate backup files locally to mitigate potential risks. The company has enhanced its infrastructure security with stronger authentication controls and additional logging to prevent future incidents. Despite the breach, SonicWall maintains that other MySonicWall services and customer devices were not compromised. The incident raises concerns about the security of cloud-stored sensitive data and the need for robust backup strategies. SonicWall has not identified the threat actors involved, nor confirmed whether any data was exfiltrated or leaked, leaving the full scope of the breach uncertain. |
| 2025-10-09 12:18:31 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025 | North Korean cyber actors have stolen an estimated $2 billion in cryptocurrency in 2025, marking the largest annual total recorded. The Bybit hack in February accounted for $1.46 billion of the stolen assets, with other significant breaches affecting LND.fi, WOO X, and Seedify. The increasing focus on high-net-worth individuals reflects a shift in targeting strategy, exploiting weaker security measures compared to businesses. North Korean hackers utilize advanced identity theft techniques to secure remote tech jobs, funneling earnings into the regime's nuclear program. The fraudulent IT worker scheme has reportedly contributed up to $1 billion to North Korea's nuclear ambitions over the past five years. Okta's data reveals a diverse range of targets, with one in two not being tech firms and one in four not based in the U.S. The regime's cyber-enabled theft operations underscore the growing reliance on illicit activities to fund state objectives. |