Windows 0-Day, VPN exploits, weaponized AI, hijacked antivirus, etc.

24 Min Read

Attackers are no longer waiting for the patch. They are breaking in before the defense is ready. Trusted security tools are being hijacked to deliver malware. And even after a breach is detected and a patch is applied, some attackers remain hidden.

This week’s events show a hard truth: it is not enough to respond after an attack. You should assume that the system you trust today can fail tomorrow. In a world where AI tools are used against you and ransomware hits faster than ever, real protection means planning for things to go wrong.

Check out this week’s update for important threat news, useful webinars, handy tools, and ready-to-use tips.

⚡This week’s threat

Windows 0-Day exploited for ransomware attacks – A security flaw affecting the Windows Common Log File System (CLFS) has been exploited as a zero-day in ransomware attacks targeting a small number of victims, Microsoft has revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerability that allows an attacker to obtain SYSTEM privileges. Exploitation has been attributed to a threat actor Microsoft tracks as Storm-2460, which delivers a Trojan called PipeMagic and then drops ransomware payloads as part of its post-exploitation activity. The exact nature of the payload is unknown, but the ransom notes dropped after encryption contained a TOR domain tied to the RansomEXX ransomware family. CVE-2025-29824 was addressed by Microsoft as part of its Patch Tuesday update for April 2025.

🔔Top News

  • ESET flaw exploited to deliver new TCESB malware – The China-linked ToddyCat Advanced Persistent Threat (APT) group has exploited a vulnerability in ESET’s anti-virus software to quietly execute a malicious payload called TCESB on infected devices. The Dynamic Link Library (DLL) search order hijacking vulnerability (CVE-2024-11859) was patched in January following responsible disclosure. DLL search order hijacking is a class of vulnerability that occurs when an application searches for and loads the DLLs it needs in an insecure order, for example starting from the current directory rather than a trusted system directory. In such cases, an attacker can trick the application into loading a malicious DLL instead of the legitimate one. When executed, TCESB reads the running kernel version, disables notification routines, installs a vulnerable driver to evade defenses, and launches unspecified payloads.
  • Fortinet warns of hackers retaining access to patched FortiGate VPNs via symlinks – Fortinet revealed that threat actors have found a way to maintain read-only access to devices even after the initial access vector used to breach them was patched. “This was achieved by creating a symbolic link (aka symlink) that connects the user file system and the root file system in the folder that is used to serve the language files for SSL-VPN,” the company said. Fortinet has released a patch to remove the malicious symlink.
  • AkiraBot leans on OpenAI models to flood sites with SEO spam – An artificial intelligence (AI) driven platform called AkiraBot is being used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServiceWrap. The platform relies on the OpenAI API to generate customized outreach messages based on the content of the target website. Since September 2024, the tool has successfully spammed up to 80,000 websites. Following the findings, OpenAI disabled the API keys used by the threat actors.
  • Gamaredon distributes GammaSteel malware using removable drives – The Russia-linked threat actor known as Gamaredon targeted a foreign military mission based in Ukraine and delivered an updated version of a known malware called GammaSteel using what appears to be an already infected removable drive. The attack paves the way for a reconnaissance utility and an improved version of GammaSteel, an information stealer that exfiltrates files from victims’ Desktop and Documents folders based on a list of extensions.
  • Palo Alto Networks warns of brute-force attempts targeting PAN-OS GlobalProtect portals – Palo Alto Networks revealed that it is observing brute-force login attempts against PAN-OS GlobalProtect gateways. It also noted that it is monitoring the situation to determine potential impacts and whether mitigation is necessary. The development comes after GreyNoise, on March 17, 2025, raised an alert about a surge in suspicious login scanning activity targeting PAN-OS GlobalProtect portals.

Trending CVEs

Attackers love software vulnerabilities. They are easy doors into a system. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are some important vulnerabilities you should know about this week. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes CVE-2025-3102 (OttoKit WordPress plugin), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-30406 (Gladinet CentreStack), CVE-2025-29824 (Windows Common Log File System), CVE-2024-48887 (Fortinet FortiSwitch), CVE-2024-53150 and CVE-2024-53197 (Google Android), CVE-2025-2945 (pgAdmin), CVE-2025-2244 (Bitdefender GravityZone), CVE-2025-31334 (WinRAR), CVE-2025-30401 (WhatsApp for Windows), a flaw in Rockwell Automation Industrial Data Center, CVE-2025-25211 and CVE-2025-26689 (Inaba Denki Sangyo CHOCO TEI WATCHER), CVE-2024-4872 and CVE-2024-3980 (Hitachi Energy MicroSCADA Pro/X SYS600), CVE-2025-3439 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter and Payment Form Builder for WordPress plugin), and CVE-2025-31565 (WPSmartContracts plugin).


Around the Cyber World

  • Bulletproof hosting provider Media Land exposed – A bulletproof hosting service provider named Media Land may have been exposed in February 2025 by the same actor behind the Black Basta chat log leak. According to Prodaft, Media Land is linked to yalishanda (LARVA-34), and the service plays a key role in enabling a range of malicious activity, including servers, code-signing systems, phishing kits, data exfiltration panels, and data leak sites. The leaked internal data reveals a treasure trove of who paid, what they paid (including via cryptocurrency), and possibly personally identifiable information (PII). Needless to say, defenders can use it to correlate indicators of compromise (IoCs) and improve attribution efforts. The Black Basta chat dataset “shows the group’s internal workflow, decision-making processes, and team dynamics, providing an unfiltered perspective on how one of the most active ransomware groups works behind the scenes,” Trustwave said. The discussions also revealed the group targeting individuals based on gender dynamics, assigning female callers to male victims and male operators to female targets. Additionally, they exposed the threat actors’ pursuit of security flaws, paying premium prices to exploit brokers for zero-day exploits in order to stockpile them and gain a competitive edge.
  • Arabic-speaking threat actor targets Korea with ViperSoftX – A suspected Arabic-speaking threat actor has been observed distributing ViperSoftX malware targeting Korean victims since April 1, 2025. The malware is often distributed via cracked software or torrents. ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts, as well as to deliver additional payloads such as Quasar RAT and TesseractStealer. In attacks detected by AhnLab, the malware delivers malicious PowerShell scripts that drop PureCrypter and Quasar RAT.
  • Ireland’s data protection watchdog probes X – The Irish data privacy regulator has launched an investigation into X over the processing of personal data from publicly shared posts on the social network to train artificial intelligence models, particularly Grok. “This inquiry will consider compliance with various key GDPR regulations, including the legality and transparency of the processing,” the Data Protection Commission (DPC) said. “The purpose of this inquiry is to determine whether this personal data has been lawfully processed to train the Grok LLM.” X previously agreed to stop training its AI systems using personal data collected from EU users.
  • Flaws revealed in Perplexity’s Android app – An analysis of Perplexity AI’s Android app uncovered a set of 11 flaws, including hardcoded API keys, cross-origin resource sharing (CORS) errors, lack of SSL pinning, tapjacking, and susceptibility to known attacks. “Hackers can exploit these vulnerabilities to steal personal data, including sensitive login credentials,” Appknox said in a report shared with The Hacker News. “The app has no protection against hacking tools and makes your device vulnerable to remote attacks.” Similar flaws were identified in DeepSeek’s Android app earlier this year.
  • Tycoon 2FA phishing kit receives new updates – The latest version of the phishing kit known as Tycoon 2FA employs new evasion techniques that allow it to slip past endpoint and detection systems. “These include a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and the use of anti-debugging scripts to prevent inspection,” Trustwave said. “HTML5-based visuals such as the custom CAPTCHA can mislead users and add legitimacy to phishing attempts. Unicode and proxy-based obfuscation can slow detection and make static analysis even more difficult.” The development comes as the cybersecurity company said it has identified a dramatic increase in phishing attacks using malicious Scalable Vector Graphics (SVG) files driven by phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA, Mamba 2FA, and Sneaky 2FA. “SVG-based attacks have become a significant pivot for phishing campaigns, increasing by 1,800% in early 2025 compared to data collected since April 2024,” it said.
  • China reportedly admitted to directing cyberattacks on US critical infrastructure – Chinese officials acknowledged at a secret meeting in December 2024 that they were behind a cluster of activity known as Volt Typhoon, a series of cyberattacks targeting critical US infrastructure. The attacks are said to have been carried out in response to increasing US policy support for Taiwan. China had previously claimed that Volt Typhoon was a disinformation campaign by the West.
  • AWS debuts support for ML-KEM in KMS, ACM, and Secrets Manager – Amazon Web Services (AWS) has announced support for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for hybrid post-quantum key agreement in AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager. “These three services were chosen because they are the most urgently security-critical AWS services that require post-quantum confidentiality,” Amazon said. “This allows customers to bring secrets to their applications using end-to-end post-quantum TLS.” The development comes as the OpenSSL project released version 3.5.0 of the widely used cryptographic library.
  • Attempts to exploit TVT DVRs surge – Threat intelligence company GreyNoise is warning of a threefold spike in attempts to exploit TVT NVMS9000 DVRs as part of what is suspected to be malicious activity designed to rope the devices into a Mirai botnet. The attacks exploit an information disclosure vulnerability (no CVE) that can be used to gain administrative control over affected systems. The surge began on March 31, 2025, with over 6,600 unique IP addresses, primarily from Taiwan, Japan, and South Korea, attempting to exploit the flaw against systems in the US, UK, and Germany over the past 30 days.
  • GitHub announces general availability of security campaigns – GitHub has announced the general availability of security campaigns, a new feature that aims to streamline the vulnerability remediation process by generating code suggestions and resolving issues using Copilot Autofix. According to the Microsoft-owned platform, the goal is to reduce security debt and quickly address issues lurking in existing codebases. “Use Copilot Autofix to generate code suggestions for up to 1,000 code scanning alerts at a time. Security campaigns help security teams with triage and prioritization, while Autofix helps resolve issues quickly.”
  • Beware of SMS pumping – Threat hunters are drawing attention to a cybercrime tactic called SMS pumping fraud, which exploits SMS verification systems (such as OTP requests and password resets) and uses fake or automated phone numbers to generate excessive message traffic, causing additional costs or confusion for businesses. Such schemes employ automated bots or low-skilled workers to trigger fake account creation and OTP requests. “The fraudsters work with a ‘rogue party,’ often corrupt communications providers or intermediaries with access to SMS routing infrastructure,” Group-IB said. “Rogue parties intercept the inflated SMS traffic and typically avoid delivering the messages to reduce costs. Instead, they route it to numbers they control.”
  • Routers are the riskiest devices in your enterprise network – According to data compiled by Forescout, network infrastructure devices such as routers have emerged as the riskiest category of IT devices. “Driven by increased focus from threat actors, adversaries are rapidly exploiting new vulnerabilities in these devices through massive attack campaigns,” the company said. The retail sector has the highest average of risky devices, followed by financial services, government, healthcare, and manufacturing. Spain, China, the UK, Qatar, and Singapore are the top five countries with the most risky devices on average. “To effectively defend this evolving attack surface, organizations must adopt modern security strategies that address risk across all device categories,” Forescout said. “As threat actors continue to shift their focus from traditional endpoints, they are increasingly targeting unsecured devices that provide easier initial access.”
  • Spanish authorities arrest 6 for AI-powered investment scam – Spanish National Police have arrested six people who used AI tools to generate deepfake ads featuring popular public figures, defrauding 208 victims worldwide of 19 million euros ($221.6 million). More than 100,000 euros of the total amount scammed from the victims has been frozen as part of the operation codenamed Coinblack-Wendmine. “The hook used to carry out this scam consisted of inserting advertisements related to cryptocurrency investment into various web pages,” the National Police said. “The victims were not randomly selected; algorithms were used to choose people whose profiles fit what the cybercriminals were looking for.” The investment fraud involved placing ads on web pages and social media networks and using AI tools to falsely claim endorsements from famous personalities, luring targets into investing. Several aspects of the fraud were detailed by ESET in December 2024, which called the campaign Nomani.
  • Oracle says hack affected “obsolete servers” – Oracle confirmed that hackers stole and leaked credentials from what it described as “two obsolete servers.” However, the company downplayed the severity of the breach, claiming that its Oracle Cloud Infrastructure (OCI) was not compromised and that customer data and services were not affected by the incident. “The hackers accessed and published usernames from two obsolete servers that were not part of OCI,” the email notification said. “The hackers did not disclose usable passwords because the passwords on these two servers were encrypted or hashed. Therefore, the hackers were unable to access customer environments or customer data.” It is not clear how many customers were affected.
  • Atlas Lion uses new tactics in attacks targeting retailers – A Moroccan threat actor known as Atlas Lion (aka Storm-0539) has been observed using stolen credentials to register an attacker-controlled VM in the targeted organization’s domain, per cybersecurity company Expel. Known for its deep understanding of cloud environments, the group’s main goal is to redeem or resell gift cards stolen during its attack campaigns.
  • US Treasury OCC says hackers accessed 150,000 emails – The Treasury Department’s Office of the Comptroller of the Currency (OCC) revealed in February 2025 that it had “identified, quarantined and resolved a security incident involving administrative accounts of the OCC email system.” It said a limited number of affected administrative accounts were identified and disabled. “At this point, it will not affect the financial sector,” the OCC said at the time. Now, in an update, the OCC has classified the breach as a “major incident,” stating that it involved unauthorized access to the emails of a number of its executives, which contained highly sensitive information regarding the financial condition of federally regulated financial institutions used in its examination and supervisory oversight processes. Bloomberg reported that more than 150,000 emails were accessed since May 2023, after the unidentified threat actor behind the hack broke into an email system administrator’s account and intercepted the emails of around 103 bank regulators.

🎥Cybersecurity Webinar

1️⃣ Learn to detect and block hidden AI tools in your SaaS stack – AI tools are quietly connecting to your SaaS apps, in many cases without the security team’s knowledge. Sensitive data is at risk, and manual tracking can’t keep up.

In this session, you will learn:

  • How AI tools expose your environment
  • Real examples of AI-driven attacks
  • How Reco can help automatically detect and respond

Join Reco’s Dvir Sasson and get ahead of hidden AI threats.

2️⃣ Learn how to secure every step of your identity lifecycle – Identity is your new attack surface. AI-driven impersonation and deepfakes break traditional defenses. Learn how to secure the complete identity lifecycle, from enrollment to daily access and recovery, with phishing-resistant MFA, device trust, and deepfake defense.

Join Beyond Identity and Nametag and stop account takeovers before they start.

🔧Cybersecurity Tools

  • CAPE (Config And Payload Extraction) – CAPE is a powerful malware sandbox that runs suspicious files in an isolated Windows environment and digs far deeper than traditional tools. It not only tracks file changes, network traffic, and memory dumps, but also automatically unpacks hidden payloads, extracts malware configurations, and defeats tricks used to evade detection. By making smart use of YARA rules and a built-in debugger, CAPE offers threat hunters and analysts a faster, clearer way to reveal what malware is actually doing.
  • MCP-Scan – This open source security tool checks your MCP servers for hidden risks such as prompt injection, tool poisoning, and cross-origin attacks. It can scan popular setups like Claude, Cursor, Windsurf, and more, detect tampering with tool descriptions, and catch quiet changes that could compromise your environment. With built-in protections such as tool pinning and Invariant Guardrails checks, MCP-Scan gives developers and security teams a fast, reliable way to spot vulnerabilities before attackers can use them.

🔒Tip of the Week

Monitor for unauthorized account activation – One of the clever tricks attackers use to stay hidden within a network is reactivating the built-in Windows Guest account. This account is usually disabled and ignored by system administrators. However, once an attacker enables it and sets a new password, it blends in as part of the system, letting them quietly log in, escalate privileges, and more easily access the device remotely via RDP. Many security teams miss it during their reviews because the Guest account looks normal at first glance.

To catch this tactic early, watch your security logs closely. Set an alert for Event ID 4722, which signals when a disabled account, including Guest, is re-enabled. Also track the use of native Windows tools such as net.exe, WMIC, PowerShell, and other commands that modify accounts. Pay particular attention to the Guest account being added to privileged groups such as Administrators or Remote Desktop Users. Cross-check with your endpoint protection or EDR tool to find changes made outside normal maintenance windows.

If you find an active Guest account, assume it is part of a larger breach. Check for signs of hidden accounts, unauthorized remote access tools, and changes to your RDP settings. Regular threat hunting, even just making sure all default accounts are really disabled, can break an attacker’s persistence before they get deeper into the environment.
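The monitoring described in this tip, as an added Python example that is not part of the original post: it runs the checks over constructed Security-log events and flags Guest re-enablement, account tooling aimed at Guest, and Guest landing in a privileged group. Beyond the page's Event ID 4722, the use of Event IDs 4732 and 4688, the well-known Guest RID 501, the local group SIDs, and the 02:00-04:00 maintenance window are this example's own assumptions.

```python
from datetime import datetime, time

GUEST_RID = "-501"             # well-known RID of the built-in Guest account (assumption)
PRIVILEGED_GROUPS = {          # well-known SIDs of the local groups the tip calls out
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}
ACCOUNT_TOOLS = {"net.exe", "net1.exe", "wmic.exe", "powershell.exe"}
ACCOUNT_VERBS = ("/active:yes", "/add", "enable-localuser", "useraccount")
MAINT_START, MAINT_END = time(2, 0), time(4, 0)   # assumed maintenance window (local time)


def in_maintenance_window(ts):
    return MAINT_START <= ts.time() <= MAINT_END


def analyze(events):
    """Return (rule, detail) findings for a sequence of Security-log event dicts."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        ts = datetime.fromisoformat(ev["Time"])
        tag = "" if in_maintenance_window(ts) else " [outside maintenance window]"
        if eid == 4722 and ev["TargetSid"].endswith(GUEST_RID):
            # 4722 = "A user account was enabled": the event the tip says to alert on
            findings.append(("guest_enabled",
                             f"{ev['SubjectUserName']} enabled {ev['TargetUserName']}{tag}"))
        elif eid == 4732 and ev["MemberSid"].endswith(GUEST_RID) \
                and ev["TargetSid"] in PRIVILEGED_GROUPS:
            # 4732 = "A member was added to a security-enabled local group"
            findings.append(("guest_in_privileged_group",
                             f"Guest added to {PRIVILEGED_GROUPS[ev['TargetSid']]}{tag}"))
        elif eid == 4688:
            # 4688 = process creation; CommandLine only exists if command-line auditing is on
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "").lower()
            if exe in ACCOUNT_TOOLS and "guest" in cmd and any(v in cmd for v in ACCOUNT_VERBS):
                findings.append(("account_tool_on_guest", f"{exe}: {ev['CommandLine']}{tag}"))
    return findings


# Constructed sample events (not real logs), modelled on Windows Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4722, "Time": "2025-04-10T02:30:00", "SubjectUserName": "svc_patch",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-111-222-333-1105"},   # benign
    {"EventID": 4688, "Time": "2025-04-10T13:04:50",
     "NewProcessName": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user guest /active:yes"},
    {"EventID": 4722, "Time": "2025-04-10T13:04:51", "SubjectUserName": "jdoe",
     "TargetUserName": "Guest", "TargetSid": "S-1-5-21-111-222-333-501"},
    {"EventID": 4688, "Time": "2025-04-10T13:05:10", "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup \"Remote Desktop Users\" guest /add"},
    {"EventID": 4732, "Time": "2025-04-10T13:05:11", "SubjectUserName": "jdoe", "MemberName": "-",
     "MemberSid": "S-1-5-21-111-222-333-501", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555"},
]


def run_sample():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

Feed it events exported from the Security log (for example as parsed XML fields) and tune the maintenance window and tool list to your environment.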

Conclusion

Every breach, every evasion technique, and every new tool attackers use is also a learning opportunity. In cybersecurity today, your advantage isn’t just your tech stack. It’s how quickly you adapt.

Take one tactic you saw in this week’s update (privilege escalation, AI misuse, stealth persistence) and use it to shore up a weak spot you’ve been putting off. Defense is a race, but improvement is a choice.
