VPN Exploits, Oracle Silent Breaches, ClickFix Comebacks, etc.

29 Min Read

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chain risk runs deep within the code we trust, with malware hidden not only in shady apps but also in the job offers, hardware, and cloud services we rely on every day.

Hackers no longer need sophisticated exploits. Sometimes your credentials and a little social engineering are enough.

This week we track how a simple oversight can turn into a major breach. It’s a quiet threat that most companies still underestimate.

Let’s dive in.

⚡This week’s threat

UNC5221 exploits new Ivanti flaw to drop malware – The China-nexus cyber espionage group tracked as UNC5221 has been exploiting a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN suite of malware. The vulnerability was originally patched by Ivanti on February 11, 2025, which indicates that the threat actors studied the patch and found a way to exploit earlier versions to compromise unpatched systems. UNC5221 is believed to overlap with clusters tracked by the broader cybersecurity community as APT27, Silk Typhoon, and UTA0178.

🔔Top News

  • EncryptHub likely unmasked as a lone wolf actor – A prolific threat actor operating under the alias EncryptHub has been exposed due to a series of operational security failures. What distinguishes EncryptHub from other cybercriminals is the dichotomy of their online activities: while running malicious campaigns, the individual also contributed to legitimate security research and was acknowledged by the Microsoft Security Response Center (MSRC) last month for discovering and reporting CVE-2025-24061 and CVE-2025-2407. Another interesting aspect of EncryptHub is the use of OpenAI’s ChatGPT as a “partner in crime,” leveraging it for malware development and translation tasks. In one particularly revealing conversation with the AI chatbot, EncryptHub asked it to evaluate whether they were better suited to be a “black or white hat” hacker. “When people think about cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology,” Outpost24 said. “But many hackers are ordinary people who at some point decide to follow the dark path.”
  • GitHub Actions supply chain attack traced back to SpotBugs PAT theft – The cascading supply chain attack that first targeted Coinbase before expanding its scope to users of the “tj-actions/changed-files” GitHub Action has been traced further back to the theft of a personal access token (PAT) associated with another open source project called SpotBugs. The origins of the sophisticated breach are gradually coming into focus as the investigation continues, revealing how the initial compromise occurred. It has been revealed that SpotBugs, a popular static analysis tool, was compromised in November 2024, with “reviewdog/action-setup” used as a stepping stone that subsequently led to the infection of “tj-actions/changed-files”. This was made possible because a reviewdog maintainer also had access to the SpotBugs repository. The multi-step supply chain attack ultimately exposed secrets in 218 repositories after the attacker’s failed attempt to breach a Coinbase-related project.
  • Contagious Interview employs ClickFix and spreads fake npm packages – The North Korean threat actor behind the ongoing Contagious Interview campaign has been observed adopting the infamous ClickFix social engineering tactic to deliver a previously undocumented backdoor called GolangGhost. The group has also published a set of 11 npm packages that deliver the BeaverTail information stealer and a new remote access trojan (RAT) loader; the packages were downloaded over 5,600 times before removal. Meanwhile, North Korean IT workers are expanding their efforts beyond the US, seeking fraudulent employment at organizations around the world, particularly in Europe. Google researchers called out the IT workers for engaging in “a pattern of providing manufactured references, building relationships with job recruiters, and using additional personas they controlled to ensure reliability.” Furthermore, they attempt to extort money from these companies when they are discovered and/or fired. In recent years, the US government has raised awareness of the insider threat operation, exposed and prosecuted US-based facilitators of the fraud scheme, revealed the IT workers and front companies that help them hide their true origins, and pushed intensively to help organizations detect the risk before it is too late. In all likelihood, these enhanced law enforcement efforts have led scheme operators to focus more on targets elsewhere and to adopt more aggressive measures to maintain their revenue streams.
  • Counterfeit Android phones come preloaded with Triada malware – Counterfeit versions of popular smartphone models, sold at reduced prices, have been found to come pre-installed with a modified version of the Android malware called Triada. Most infections have been reported in Russia. Although the infections are thought to be the result of a compromise in the hardware supply chain, Triada has also been observed being distributed through unofficial WhatsApp mods and third-party app marketplaces.
  • Bad actors abuse mu-plugins to hide malware – Threat actors are leveraging the WordPress mu-plugins (“Must-Use Plugins”) directory to stealthily execute malicious code on every page while avoiding detection. Because mu-plugins run on every page load and do not appear in the standard plugin list, they can be used to covertly perform a wide range of malicious activities, such as stealing credentials, injecting malicious code, altering HTML output, and more.
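The reviewdog and tj-actions compromises above worked because workflows referenced the actions by mutable tags and branches, so an attacker who controls the repository can move the tag to a malicious commit. Pinning every third-party action to a full 40-character commit SHA removes that lever. The checker below is an added example, not tooling from GitHub or from either project; the workflow text and the example-org action names are constructed for the demonstration, and the regex-based line scan is a deliberate simplification that avoids a YAML dependency.

```python
import re

# Constructed workflow file (not from any real repository). Action names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/changed-files@main
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: ./build.sh
"""

# One 'uses:' value per line; the capture stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(spec):
    """Return 'local', 'docker', 'sha', or 'mutable' for one 'uses:' value.

    Local actions live in the same repository and are reviewed with the code.
    Docker references need digest pinning of their own and are reported separately here.
    """
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        return "docker"
    if "@" not in spec:
        return "mutable"  # no ref at all resolves to the default branch, which can change
    ref = spec.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned_actions(workflow_text):
    """Return (line_number, spec) for every third-party action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if classify_ref(spec) == "mutable":
            findings.append((lineno, spec))
    return findings


if __name__ == "__main__":
    for lineno, spec in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {spec} is not pinned to a commit SHA")
```

Run the scan in CI against `.github/workflows/*.yml` and fail the build on any finding; a tag such as `v4` or a branch such as `main` is flagged, while the 40-hex-digit reference passes.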

📈 Trending CVEs

Attackers love software vulnerabilities: they are easy doors into a system. Every week brings fresh flaws, and waiting too long to patch turns a minor oversight into a major breach. Below are some important vulnerabilities you should know about this week. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes CVE-2025-22457 (Ivanti Connect Secure, Policy Secure, and ZTA Gateway), CVE-2025-30065 (Apache Parquet), CVE-2024-10668 (Google Quick Share for Windows), CVE-2025-24362 (github/codeql-action), CVE-2025-14449 (Rockwell Automation Verve Asset Manager), CVE-2025-2008 (WP Ultimate CSV Importer plugin), CVE-2024-3660 (TensorFlow Keras), CVE-2025-20139 (Cisco Enterprise Chat and Email), CVE-2025-20212 (Cisco Meraki MX and Cisco Meraki Z Series), CVE-2025-27520 (BentoML), CVE-2025-2798 (Woffice CRM theme), CVE-2025-2780 (Woffice Core plugin), CVE-2025-31553 (WPFactory Advanced Product Sales Reporting plugin), a flaw in the Exeideas International WP AutoKeyword plugin, and CVE-2025-31552 (RSVPMaker plugin).


🌍 Around the Cyber World

  • Oracle privately confirms data breach – Enterprise computing giant Oracle is reportedly notifying customers privately that hackers breached a “legacy” Oracle environment, exposing usernames, passkeys, and encrypted passwords, in contrast to its consistent public denials of the incident. “The company has told customers that the system has not been in use for eight years and that the stolen client credentials pose little risk,” Bloomberg reported. An investigation by the US Federal Bureau of Investigation (FBI) and CrowdStrike is reportedly ongoing. This is the second breach the company has admitted to clients in recent weeks; the intrusion is considered separate from the Oracle Health (formerly Cerner) hack that affected US healthcare customers last month. News of the breach came to light after an unidentified threat actor named “rose87168” attempted to sell data on a breach forum that they claimed to have stolen from the company’s cloud servers. Several cybersecurity companies, including Black Kite, CloudSEK, CybelAngel, Hudson Rock, Orca Security, SOCRadar, Sygnia, and Trustwave, analyzed the data being sold online and verified that it was extracted directly from Oracle. The attacker is believed to have exploited an unpatched vulnerability in Oracle Fusion Middleware (CVE-2021-35587) to compromise Oracle Cloud’s login and authentication systems and steal the data. “This exposure was facilitated through a 2020 Java exploit, allowing hackers to install a web shell along with malware,” CybelAngel said. “The malware specifically targeted Oracle IDM databases and was able to exfiltrate data.” Security researcher Kevin Beaumont said, “Oracle is trying to wordsmith statements about Oracle Cloud and is trying to use very specific words to avoid liability,” adding that the security incident affects the services Oracle now calls Oracle Classic. CloudSEK has developed an online tool to help organizations determine whether they were affected by the data breach. Oracle’s private admissions come days after the company was hit by a class action lawsuit over its handling of the security event.
  • New Triton RAT appears in the wild – A new Python-based remote access trojan called Triton RAT allows threat actors to remotely access and control systems using Telegram. The malware is published on GitHub and comes with the ability to log keystrokes, execute commands, record the screen, collect Wi-Fi information, and steal passwords, clipboard content, and Roblox security cookies. “Roblox security cookies are browser cookies that store user sessions and can be used to access Roblox accounts while bypassing 2FA,” Cado Security said. The disclosure comes as CYFIRMA detailed another RAT written in Python that uses Discord’s API for command-and-control (C2) to run arbitrary system commands, steal sensitive information, capture screenshots, and control both the local machine and the remote server.
  • US DOJ announces recovery of $8.2 million stolen in romance baiting scam – The US Department of Justice (DOJ) has announced the recovery of $8.2 million worth of USDT (Tether) stolen through romance baiting (formerly known as pig butchering) fraud. According to a complaint filed in late February 2025, the fraud targeted a woman in Ohio, who lost about $663,352 in life savings after responding to text messages from an unknown number in November 2023. “When the victim wanted to withdraw funds, her ‘friend’ was forgiven, additional payments were required, and she complied,” the DOJ said. “After the victim made additional payments, when no more funds were left, her ‘friends’ began threatening to send their friends to take care of her friends and family.” It is estimated that more than 30 victims fell prey to the scheme in total.
  • ClickFix used to deliver QakBot – The increasingly popular ClickFix technique is being used as a delivery vector for the previously dormant QakBot malware. This attack is the first observed instance pairing the malware with ClickFix, an endpoint compromise method first observed toward the end of 2024 that has gained significant traction in recent months. It involves tricking the victim into running malicious commands under the pretext of fixing an issue, usually a CAPTCHA verification task.
  • Flaw disclosed in Verizon Call Filter – Verizon’s Call Filter app had a vulnerability that allowed customers to access the incoming call logs of other Verizon wireless numbers via unsecured API requests to the “clr-aqx.cequintvzwecid.com/clr/calllogretrieval” endpoint. Security researcher Evan Connelly, who discovered and reported the bug on February 22, 2025, found that the phone number supplied in the request to retrieve the call history log was not verified against the phone number whose incoming call log was being requested. This opened the door to a scenario where an attacker could modify a request to name another Verizon phone number and retrieve its incoming call history. The vulnerability was addressed by Verizon as of March 25, 2025.
  • GitHub announces updates to its Advanced Security platform – GitHub announced an update to its Advanced Security platform after its secret scanning service detected over 39 million leaked secrets last year. The update includes the availability of GitHub Secret Protection, a free organization-wide secret scan that helps teams identify and reduce exposure, as well as a new secret risk assessment tool aimed at providing “clear insights into organizational exposure.”
  • Details of new Ubuntu Linux security bypasses – Three security bypasses have been discovered in Ubuntu Linux’s unprivileged user namespace restrictions that could allow local attackers to exploit vulnerabilities in kernel components. The bypasses, which go through aa-exec, busybox, and LD_PRELOAD, allow attackers to elevate privileges and create user namespaces. “These bypasses allow local attackers to create user namespaces with full administrative capabilities. This helps them leverage vulnerabilities in kernel components that require strong administrative privileges within a limited environment,” Qualys said in a statement. “It is important to note that these bypasses alone do not enable full system takeover, but they are dangerous when combined with other vulnerabilities, usually kernel-related.” Ubuntu, acknowledging the issue, said it is working “to tighten AppArmor’s rules even further.”
  • Classiscam targets Central Asia – Classiscam is an automated scam-as-a-service operation that uses Telegram bots to create fake websites impersonating legitimate services in order to trick victims into sharing financial details. The scam, also known as Telekopye, essentially involves scammers posing as buyers or sellers on online platforms, tricking victims into transferring money for non-existent goods or services, or persuading them to use a delivery service via fake shipping websites that ask sellers for their financial information. These conversations take place on messaging apps like Telegram, on the pretext that it is “easy to communicate.” A Group-IB study found that more than 10 financial institutions in Uzbekistan, including well-known banks and payment systems, have been targeted by phishing schemes that employ fake sites impersonating their services to obtain clients’ banking credentials. One of the groups engaged in such fraud schemes is the Namangun Team, which has primarily provided phishing services targeting Uzbekistan and Kyrgyzstan since late November 2024, allowing customers to create phishing pages on the spot using Telegram bots.
  • Google partners with NVIDIA and HiddenLayer on a new model signing library – Google has partnered with NVIDIA and HiddenLayer to announce the release of a Python library called “Model Signatures,” which gives developers a way to sign and verify machine learning (ML) models, strengthening security in the ML supply chain against threats such as model and data poisoning, prompt injection, prompt leaking, and prompt evasion. “We use digital signatures like Sigstore to enable users to ensure that the model used in the application is the model created by the developer,” the tech giant said. The development comes as Python officially standardized a lock file format as part of PEP 751. The new format, named pylock.toml, is a TOML-based format that records exact dependency versions, file hashes, and installation sources. The new standard “brings Python in line with other ecosystems such as JavaScript (package-lock.json), Rust (Cargo.lock), and Go (go.sum),” Socket said. “While the PEP doesn’t address all supply chain threats (typosquatting, maintainer account compromises, hidden payloads, etc.), it lays the foundation for better auditing and tamper resistance.”
  • Arcanum trojan distributed via fortune-telling sites – A new trojan called Arcanum is being distributed via websites dedicated to fortune telling and esoteric practices, posing as a “magic” app that predicts the future. While providing seemingly harmless features, the app connects to a remote server and deploys additional payloads: the Autolycus.Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. The captured information is then exfiltrated to an attacker-controlled server. The emergence of the malware coincides with the discovery of a credit card skimmer malware targeting Bulgarian e-commerce users through Windows shortcut (LNK) files distributed via ZIP archives. The LNK files begin a multi-step process that installs a malicious browser extension in the web browser to steal credit card information. “Attackers use carefully crafted JavaScript payloads, misleading manifest files, and obfuscated VBScript to maintain persistence throughout the session and avoid detection,” Fortinet said.
  • Identity-based attacks are on the rise – According to Cisco Talos, attackers rely heavily on valid credentials to gain access to networks and conduct intrusions, rather than exploiting vulnerabilities or using more complex methods such as malware deployment. In particular, ransomware gangs are known to use stolen valid credentials procured from Initial Access Brokers (IABs) as a means of initial access to corporate networks. IABs leverage commercially available information stealers like Lumma to capture user credentials. The problem is exacerbated by the fact that many users recycle passwords across multiple services, creating a “risk ripple effect” when their credentials are stolen. Based on traffic observed between September and November 2024, 41% of successful logins to websites protected by Cloudflare involved compromised passwords, according to the web infrastructure company. Additionally, valid VPN credentials can be abused to gain unrestricted access to sensitive systems, often with elevated privileges that mirror those of legitimate employees or administrators. The use of legitimate credentials by threat actors bypasses security barriers entirely and “gives a direct pathway to penetrating the network, stealing data and preventing ransomware deployments from being detected.” “Identity-based attacks are attractive to threat actors as they allow attackers to carry out a variety of malicious operations with minimal effort or without meeting a lot of resistance from a security standpoint,” the company said. “This is largely due to the difficulty of detecting the activity, as it comes from seemingly legitimate user accounts.” Data collected by the company shows that identity and access management (IAM) applications are the most frequently targeted in MFA attacks, accounting for 24% of all attacks targeting multi-factor authentication (MFA).
  • Iran-linked OilRig targets Iraqi entities – The Iranian hacking group known as OilRig (aka APT34) has been attributed to a series of cyberattacks on Iraqi national entities since 2024, using spear-phishing lures to run commands, collect host information, and deploy backdoors capable of uploading and downloading files. The backdoor uses HTTP and email for C2 communication. “The former secretly sends control instructions based on distinctive values of body content, while the latter uses numerous official government mailboxes in Iraq for email communications,” ThreatBook said.
  • PyTorch Lightning security flaws – PyTorch Lightning versions 2.4.0 and earlier contain five deserialization vulnerabilities that could be exploited to execute malicious code when loading machine learning models from unknown or untrusted sources. “These vulnerabilities arise from the insecure use of torch.load(), which is used to deserialize model checkpoints, configurations, and sometimes metadata,” said the CERT Coordination Center (CERT/CC). “Users can unknowingly load malicious files from local or remote locations containing embedded code that runs within the context of the system, potentially leading to a complete system compromise.” CERT/CC said the issues remain unpatched, requiring users to ensure that the files they load come from trusted sources.
  • Russian company offers $4 million for Telegram exploits – Operation Zero, a Russian exploit acquisition company, says it is willing to pay up to $4 million for a full-chain exploit targeting the popular messaging service Telegram. In a post shared on X, the zero-day vulnerability purchasing platform said it will pay up to $500,000 for a one-click remote code execution (RCE) exploit and up to $1.5 million for an RCE exploit that requires no user interaction (i.e., zero-click). “The scope includes Android, iOS and Windows exploits. Prices rely on zero-day restrictions and privilege gains,” Operation Zero said. Exploit brokers typically develop or acquire security vulnerabilities in popular operating systems and apps and resell them to interested clients at a higher price. For Operation Zero to single out Telegram makes sense given that the messaging app is popular with both Russian and Ukrainian users. A Telegram spokesperson told TechCrunch that the messaging platform was “not vulnerable” to zero-click exploits. The development comes as details emerged of zero-day flaws in Telegram’s macOS client that could be exploited to achieve RCE. Earlier last month, security researcher 0x6rss also disclosed an updated version of Telegram’s EvilVideo flaw (CVE-2024-7014) that bypasses existing mitigations via .htm files. “The file with the ‘.htm’ extension is disguised as a video and sent via the Telegram API, and the JavaScript code in the HTML is actually executed while the user expects a video,” the researcher said. The new exploit is codenamed EvilLoader.
  • What are the most common passwords in RDP attacks? – They are 123456, 1234, Password1, 12345, p@ssword, password, password123, welcome1, 12345678, and aa123456. “Attackers are looking for exposed RDP servers because these could be easy targets for brute force attacks,” the company said. “In addition, attackers can carry out password spray attacks on RDP servers and try out known compromised credentials on exposed servers.”
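The pylock.toml item above says the format records file hashes for every dependency; the value of that record is only realized if the installer refuses an artifact whose bytes do not match. The verifier below is an added example, not code from the Python packaging project or from Socket: it parses a constructed lock file and checks a constructed wheel against it. The table layout (`[[packages]]` with nested `[[packages.wheels]]` carrying a `hashes` table) follows my reading of PEP 751 and should be treated as an assumption; the URL and package names are placeholders.

```python
import hashlib
import hmac

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # assumption: the 'tomli' backport is installed on older interpreters
    import tomli as tomllib

# Constructed stand-in for a downloaded wheel (not a real package).
WHEEL_NAME = "example_pkg-1.0.0-py3-none-any.whl"
WHEEL_BYTES = b"PK\x03\x04 constructed stand-in for wheel contents"

# Constructed pylock.toml. Key names are my reading of PEP 751 (assumption).
LOCK_TEXT = f'''
lock-version = "1.0"
created-by = "example-tool"

[[packages]]
name = "example-pkg"
version = "1.0.0"

[[packages.wheels]]
name = "{WHEEL_NAME}"
url = "https://files.example.invalid/{WHEEL_NAME}"
hashes = {{ sha256 = "{hashlib.sha256(WHEEL_BYTES).hexdigest()}" }}
'''


def expected_hashes(lock, filename):
    """Return the {algorithm: hexdigest} table recorded for filename, or None if absent."""
    for pkg in lock.get("packages", []):
        for wheel in pkg.get("wheels", []):
            if wheel.get("name") == filename:
                return wheel.get("hashes", {})
    return None


def verify_artifact(lock, filename, data):
    """True only if filename is in the lock file and every recorded hash matches data.

    An artifact that is missing from the lock file, or listed without hashes, is
    rejected: the lock file is the allowlist, so silence never means 'trusted'.
    """
    hashes = expected_hashes(lock, filename)
    if not hashes:
        return False
    for algo, digest in hashes.items():
        if algo not in hashlib.algorithms_available:
            return False  # an algorithm we cannot compute cannot be claimed as verified
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, digest.lower()):
            return False
    return True


LOCK = tomllib.loads(LOCK_TEXT)

if __name__ == "__main__":
    print("genuine wheel accepted:", verify_artifact(LOCK, WHEEL_NAME, WHEEL_BYTES))
    print("tampered wheel accepted:", verify_artifact(LOCK, WHEEL_NAME, WHEEL_BYTES + b"x"))
```

A single flipped byte in the wheel changes the digest and the install is refused; an artifact the lock file never listed is refused as well, which is what closes the "hidden payload" path Socket mentions for artifacts the resolver was never told about.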
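The PyTorch Lightning item above comes down to one fact: `torch.load()` is built on Python's pickle, and a pickle stream can name a callable for the loader to invoke. The defensive pattern is to resolve only an allowlist of globals while unpickling, which is what `torch.load(weights_only=True)` does at the framework level. The example below is added here and is not code from PyTorch Lightning, PyTorch, or CERT/CC; it shows the same check on plain pickle so it runs without torch. The "risky" object is constructed for the demonstration and points at `os.getcwd` precisely because that call is harmless.

```python
import io
import os
import pickle

# Globals an ordinary checkpoint-like payload may reference at load time.
# Anything outside this allowlist is rejected before it is ever looked up.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "int"), ("builtins", "float"), ("builtins", "str"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_checkpoint_unsafely(data):
    """The risky pattern: plain pickle.loads invokes whatever callable the stream names."""
    return pickle.loads(data)


def load_checkpoint_safely(data):
    """Return (ok, payload_or_error). Never resolves a global outside SAFE_GLOBALS."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed benign "checkpoint": only containers and numbers, no globals at all.
BENIGN = pickle.dumps({"epoch": 3, "state_dict": {"w": [0.1, 0.2]}})


class CallsAtLoad:
    """Constructed stand-in for a booby-trapped checkpoint object.

    __reduce__ tells pickle to call a function when the stream is loaded. os.getcwd
    is used here because it is harmless; the point is that the plain loader calls
    whatever the stream names, while the restricted loader refuses to resolve it.
    """

    def __reduce__(self):
        return (os.getcwd, ())


RISKY = pickle.dumps(CallsAtLoad())

if __name__ == "__main__":
    print("benign:", load_checkpoint_safely(BENIGN))
    print("risky, restricted loader:", load_checkpoint_safely(RISKY))
```

The allowlist is deliberately tiny; a real checkpoint loader would extend it with the tensor and container types it expects and nothing else, and would still pair this with the source-trust check CERT/CC asks for, since an allowlist cannot vet the weights themselves.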

🎥Expert Webinar

  • Shadow AI is already in your apps – learn how to lock it down – AI tools are flooding your environment, and most security teams can’t see half of them. Shadow AI quietly connects to critical systems like Salesforce, creating hidden risks that traditional defenses miss. Join Dvir Sasson, Director of Security Research at Reco, to see where AI threats are hiding within SaaS apps, hear real-world attack stories, and learn how security teams can detect and shut down rogue AI before it causes real damage.
  • Secure every step of the identity lifecycle – before attackers take advantage of it – Today’s attackers are using AI-driven deepfakes and social engineering to bypass weak identity defenses. From enrollment to daily access and recovery, securing the entire identity journey is essential. Join Beyond Identity and Nametag to learn how companies can block account takeovers, secure access with phishing-resistant MFA and device trust, and prevent AI threats with Deepfake Defense™.

🔧Cybersecurity Tools

  • GoResolver – Golang malware is difficult to reverse engineer because obfuscators like Garble hide critical function names. Volexity’s open source tool GoResolver uses control flow graph similarity to recover hidden function names and automatically reveal package structures. Integrated with IDA Pro and Ghidra, it quickly transforms opaque binaries into readable code. Now available on GitHub.
  • Matano – A serverless, cloud-native security data lake built for AWS that gives security teams full control over their logs without vendor lock-in. It normalizes unstructured security data in real time, integrates over 50 sources out of the box, supports detection-as-code in Python, and transforms logs using powerful VRL scripts, with everything stored in open formats such as Apache Iceberg and ECS. Query data with tools like Athena and Snowflake, create real-time detections, and reduce SIEM costs while keeping ownership of your security analytics.

🔒Tip of the Week

Detect threats early by tracking first-time connections – Most attackers leave their first real clue not as malware but as a first-time login from a new IP, device, or location. Catching a “first time” access event is one of the fastest ways to detect a breach early, before attackers blend into daily traffic. Focus on critical systems: VPNs, admin portals, cloud dashboards, and service accounts.

This is easy to automate with free tools like Wazuh (detect new devices and IPs), osquery (query endpoints for unknown devices), and Graylog (build alerts for unfamiliar connections). More advanced setups like Microsoft Sentinel and CrowdStrike Falcon also offer strong “first-seen” detection. Simple rules, such as alerting when an admin account logs in from a new country or when an unexpected device accesses sensitive data, can raise an early alarm without waiting for a malware signature.

PRO MOVE: Build a baseline of “known” users, IPs, and devices, and flag the new ones. Bonus points if you combine this with honeytokens (fake credentials) to actively catch intruders. Remember: attackers can steal credentials, bypass MFA, and hide malware, but they cannot fake a history of connections they never made.
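The rule the tip describes is a baseline-and-diff: learn which (user, IP, device, country) combinations are normal, then alert on the first appearance of any new value, rank the alert higher when the target is a critical system, and treat any use of a honeytoken credential as an incident in its own right. The detector below is an added example and not a Wazuh, osquery, Graylog, Sentinel or Falcon rule; the login records, the critical-system list, and the honeytoken account name are all constructed for the demonstration, and a production version would read the same fields from your authentication logs.

```python
from collections import defaultdict

CRITICAL_SYSTEMS = {"vpn", "admin-portal", "cloud-console"}
HONEYTOKEN_USERS = {"svc-backup-legacy"}  # constructed fake credential nobody should ever use

# Constructed baseline period: known-good logins used to learn what "normal" looks like.
BASELINE = [
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop", "country": "US", "system": "vpn"},
    {"user": "alice", "ip": "203.0.113.11", "device": "alice-laptop", "country": "US", "system": "wiki"},
    {"user": "bob",   "ip": "198.51.100.7", "device": "bob-desktop",  "country": "US", "system": "admin-portal"},
]

# Constructed live events to evaluate against that baseline.
LIVE = [
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop", "country": "US", "system": "vpn"},
    {"user": "alice", "ip": "203.0.113.11", "device": "alice-laptop", "country": "US", "system": "wiki"},
    {"user": "bob",   "ip": "192.0.2.44",   "device": "unknown-win",  "country": "RO", "system": "admin-portal"},
    {"user": "svc-backup-legacy", "ip": "192.0.2.44", "device": "unknown-win", "country": "RO", "system": "vpn"},
    {"user": "carol", "ip": "203.0.113.50", "device": "carol-mac",    "country": "US", "system": "wiki"},
]


class FirstSeenDetector:
    ATTRS = ("ip", "device", "country")

    def __init__(self, critical_systems, honeytoken_users):
        self.critical = set(critical_systems)
        self.honeytokens = set(honeytoken_users)
        self.known_users = set()
        self.seen = defaultdict(set)  # (user, attribute) -> values observed so far

    def learn(self, event):
        """Add one login to the baseline without alerting."""
        self.known_users.add(event["user"])
        for attr in self.ATTRS:
            self.seen[(event["user"], attr)].add(event[attr])

    def check(self, event):
        """Return (severity, reasons); reasons is empty when nothing is new."""
        reasons = []
        if event["user"] in self.honeytokens:
            reasons.append("honeytoken-credential-used")
        if event["user"] not in self.known_users:
            reasons.append("first-seen-user")
        else:
            for attr in self.ATTRS:
                if event[attr] not in self.seen[(event["user"], attr)]:
                    reasons.append(f"first-seen-{attr}")
        severity = None
        if reasons:
            if "honeytoken-credential-used" in reasons:
                severity = "critical"  # a fake credential has no legitimate user
            elif event["system"] in self.critical:
                severity = "high"
            else:
                severity = "low"
        # Fold the event into the baseline so the same value alerts only on its first appearance.
        self.learn(event)
        return severity, reasons


def detect(baseline, live, critical=CRITICAL_SYSTEMS, honeytokens=HONEYTOKEN_USERS):
    """Learn from baseline, then return (user, severity, reasons) for each alerting live event."""
    detector = FirstSeenDetector(critical, honeytokens)
    for event in baseline:
        detector.learn(event)
    alerts = []
    for event in live:
        severity, reasons = detector.check(event)
        if reasons:
            alerts.append((event["user"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for user, severity, reasons in detect(BASELINE, LIVE):
        print(f"{severity:8s} {user:18s} {', '.join(reasons)}")
```

On the constructed data, alice's repeat logins stay silent, bob's admin-portal login from a new IP, device and country is a high-severity alert, the honeytoken account is critical regardless of where it came from, and carol's brand-new account on a non-critical wiki is logged at low severity for review.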

Conclusion

In cybersecurity, the threat that should worry us most is often not the loudest: a silent API flaw, a forgotten credential, a malware-laced package installed last month without a second thought.

This week’s stories are a reminder: the real risks live in the blind spots.

Stay curious. Stay skeptical. The next breach won’t knock first.
