
What if a cybercriminal no longer needs deep skills to breach your defenses? Today’s attackers are armed with powerful tools, from AI-powered phishing kits to massive botnets, ready to strike. And the targets aren’t just big companies. Anyone can be hit, as attackers slip past security unnoticed using fake identities, hijacked infrastructure, and insider tricks.
This week’s threats are a reminder. Waiting to respond is no longer an option. Every delay gives the attacker more ground.
⚡This week’s threat
Critical SAP NetWeaver flaw exploited as a 0-day – A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload a JSP web shell, with the aim of facilitating unauthorized file uploads and code execution. The attacks have also been observed deploying the Brute Ratel C4 post-exploitation framework and using a well-known technique called Heaven’s Gate to bypass endpoint protection.
🔔Top News
- Darcula Phishing Kit Gets a GenAI Upgrade – The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to the cybercrime suite that add generative artificial intelligence (GenAI) capabilities, allowing users to generate phishing forms in various languages, customize form fields, and translate phishing forms into local languages. The update further lowers the technical barrier to creating phishing pages, making it quick and easy for even novice criminals to set up complex smishing scams. The Darcula PhaaS suite is user-friendly: all an aspiring con artist has to do is sign up for the Darcula service and enter the URL of a legitimate brand’s site, and the platform generates a spoofed phishing version of it. “Darcula is more than just a phishing platform, it’s a service model designed for scale,” Netcraft said. “Users pay for access to a set of tools that allow organizations to be spoofed in almost every country. Infrastructure built using the latest technologies, such as JavaScript frameworks, Docker, and Harbor, mirrors that of legitimate SaaS companies.”
- Contagious Interview Sets Up Fake Companies – The North Korea-linked threat actors behind the Contagious Interview campaign have established front companies called BlockNovas LLC, Angeloper Agency and SoftGlide LLC as a way to distribute malware during fake hiring processes. The activity exemplifies the sophisticated social engineering tactics North Korean threat actors employ to lure developers. The disclosure comes as Pyongyang’s hackers increasingly use artificial intelligence as part of their fraudulent IT worker schemes. At the heart of these operations is a comprehensive suite of AI-enhanced tools that work in concert to create synthetic personas and maintain the deception. Facilitators use a unified messaging service that provides a way to manage multiple personas simultaneously across different communication channels. These services also incorporate AI-powered translation, transcription, and summarization capabilities to help the IT workers communicate with prospective employers.
- Suspected Russian Hackers Use New Tactics to Access Microsoft 365 Accounts – Several suspected Russia-linked threat actors, such as UTA0352 and UTA0355, have been “actively” targeting individuals and organizations with human rights ties since early March 2025, with the aim of gaining unauthorized access to Microsoft 365 accounts. The lures revolve around a “…Microsoft generated code,” Volexity said. “These recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure. There is no attacker-hosted infrastructure used in these attacks.”
- Threat Actors Leverage Google Infrastructure for Phishing Attacks – Unknown threat actors have taken advantage of a new approach that allows fake emails to be sent through Google’s own infrastructure, redirecting message recipients to fraudulent sites that harvest credentials. The sophisticated phishing attack circumvented email authentication checks and attempted to trick recipients into clicking fake links designed to harvest Google account credentials. Google has since closed the attack route.
- Lotus Panda Targets Southeast Asia with Sagerunex – A China-linked cyberespionage group tracked as Lotus Panda has been attributed to a campaign that compromised several organizations in an unnamed Southeast Asian country between August 2024 and February 2025. The activity used the DLL side-loading technique to drop a backdoor called Sagerunex, alongside tooling that targets cookies stored in the Google Chrome web browser. In recent months, a cyberespionage campaign known as Operation Cobalt Whisper has targeted multiple industries in Hong Kong and Pakistan, including defense, education, environmental engineering, electric vehicle engineering, energy, cybersecurity, aviation, and healthcare, using spear-phishing emails as conduits to deliver Cobalt Strike. The Pakistani Navy is also being targeted by nation-state adversaries who could potentially distribute a stealthy infostealer known as Sync-Scheduler to victims. The tactics seen in that campaign overlap with those of SideWinder and Bitter APT, but there is not enough evidence to link it to a particular threat actor. And that’s not all: Chinese cybersecurity researchers were targeted by a Vietnamese threat group known as APT32 between mid-September and early October 2024, which deployed Cobalt Strike via a trojanized GitHub project.
Trending CVEs
Attackers love software vulnerabilities. They are easy doors into a system. Every week brings fresh flaws, and waiting too long to patch turns a minor oversight into a major breach. Below are some important vulnerabilities you should know about this week. Take a look, update your software quickly, and keep attackers locked out.
This week’s list includes CVE-2024-58136, CVE-2025-32432 (Craft CMS), CVE-2025-31324 (SAP NetWeaver), CVE-2025-27610 (Rack), CVE-2025-34028 (Commvault Command Center), CVE-2025-2567 (Lantronix XPort), CVE-2025-33028 (WinZip), CVE-2025-21204 (Microsoft Windows), CVE-2025-1021 (Synology DiskStation Manager), CVE-2025-0618 (FireEye EDR Agent), CVE-2025-1763 (GitLab), CVE-2025-32818, CVE-2025-3248 (Langflow), CVE-2025-21605 (Redis), CVE-2025-23249, CVE-2025-23250, and CVE-2025-23251 (NVIDIA NeMo Framework), CVE-2025-22228 (Spring Framework, NetApp), and CVE-23935 (ScreenConnect).
Around the Cyber World
- Lumma Stealer Employs New Tricks to Avoid Detection – The information stealer known as Lumma is touted as malware-as-a-service (MaaS) starting at $250 a month and is widely distributed through a variety of methods, including pirated media, adult content, and cracked software sites. The infection chains also make use of PowerShell and MSHTA commands. For its part, the stealer uses techniques such as DLL sideloading and injecting payloads into the overlay section of legitimate software to trigger a complex infection process. “The overlay section is typically used for legitimate software features, such as displaying graphical interfaces and handling certain input events,” Kaspersky said. “By modifying this section of the software, the adversary can inject malicious payloads without disrupting the normal operation of the application. This method is particularly insidious, as the software appears legitimate while the malicious code runs quietly in the background.” Lumma Stealer has remained an aggressive threat since its debut in 2022, receiving constant updates to evade detection through features such as control-flow obfuscation, dynamic resolution of API functions at runtime, Heaven’s Gate, and disabling ETWTI callbacks. It is also designed to detect virtual and sandbox environments. As of August 2023, the Lumma Stealer team had begun testing AI-based features to determine whether logs from infected users came from bots. The widespread adoption of Lumma Stealer is also evident from the variety of infection vectors and from its use to deliver additional payloads such as Amadey. “LummaStealer operators run an internal marketplace on Telegram (…), where thousands of logs are bought and sold daily,” Cybereason said. “It also includes features such as a rating system to encourage quality sellers, advanced search options for both passwords and cookies, and a wide range of price points. Coupled with 24/7 support, the marketplace aims to provide a seamless experience for those trading stolen data, reflecting the trends seen in various Telegram- and darknet-based infostealer communities.” According to data from IBM X-Force, there was an average weekly increase in infostealers delivered via phishing emails last year compared to 2023.
- New SessionShark AitM Phishing Kit Promoted – A new adversary-in-the-middle (AitM) phishing kit called SessionShark O365 2FA/MFA is being advertised as a way for threat actors to bypass Microsoft 365 multi-factor authentication (MFA) protections. Ostensibly sold for educational purposes to avoid liability, it claims to come with a variety of anti-detection and stealth features to evade bots and automated security scanners, including CAPTCHA checks. “This overlapping marketing strategy is common in underground forums. It offers a thin veneer of deniability (to avoid forum bans and legal issues), but no one is fooled about its real purpose,” SlashNext said. “Phrases such as ‘for educational purposes’ and ‘ethical hacking perspective’ in the advertising copy are there so buyers can nod along, knowing this is a hacking tool rather than a classroom demonstration.”
- Elusive Comet Expands Remote Control Tactics for Crypto Theft – Security researchers are turning their attention to a campaign called Elusive Comet, which employs sophisticated social engineering tactics with the goal of placing malware on victims’ machines and ultimately stealing cryptocurrency. The threat actor, who runs a venture capital firm called Aureon Capital, is estimated to be responsible for millions of dollars in stolen funds. “Elusive Comet maintains a strong online presence with a broad history to establish and maintain legitimacy,” the Security Alliance said. “This is achieved by setting up sophisticated websites and active social media profiles, and by creating profiles that impersonate real people with prominent credentials.” The attack begins with an outreach phase in which potential victims are approached via Twitter DMs or email and invited as guests on podcasts and interviews. The invitation is sent via a Calendly link to schedule a Zoom meeting. Once the invitation is accepted, the victim is urged to join the Zoom call, share their screen and present their work. At that point, the threat actor uses the video conferencing software’s remote control feature to request control of the potential victim’s computer, changing their display name to “Zoom” so the request appears to be a system notification. Once granted remote access, Elusive Comet installs malware such as GOOPDATE to facilitate cryptocurrency theft, as highlighted by Jake Gallen, CEO of the NFT platform Emblem Vault, who lost over $100,000 in personal assets. The attacks have also been observed delivering infostealers and remote access trojans to enable data exfiltration. “What makes this attack particularly dangerous is the similarity of the permission dialog to other harmless Zoom notifications,” Trail of Bits said. “The Elusive Comet campaign succeeds through a sophisticated blend of social proof, time pressure, and interface manipulation that exploits normal business workflows.” It is not clear who is behind the campaign, but the evidence points to North Korea. The actors have been observed discussing venture capital meeting opportunities and partnerships, and scheduling fake Zoom calls with targets to trick them into installing malware under the pretext of fixing non-existent audio issues.
- Power Parasites Target Bangladesh, India, Nepal – An active campaign is targeting individuals in Asian countries, including Bangladesh, Nepal and India, through a cluster of activity operating since September 2024 that uses a combination of deceptive websites, social media groups, YouTube videos and Telegram channels posing as energy companies and other major corporations to defraud victims. “These campaigns are typically shared with potential victims via social media networks, email or direct messaging channels,” Silent Push said.
- Dozens of Chrome Extensions Found with Dangerous Capabilities – According to Secure Annex researcher John Tuckner, 58 suspicious Google Chrome extensions have been discovered with capabilities including monitoring browsing behavior, accessing cookies for domains, changing search providers, and potentially executing remote scripts. The most interesting aspect of these extensions is that they are unlisted. This means they don’t appear in Chrome Web Store searches but can be installed if the user has a direct URL, showing that threat actors are using unconventional methods to avoid detection while actively pushing advertising and malicious sites. The extensions are cumulatively installed on approximately 5.98 million devices. A Google spokesperson told The Hacker News that the company “is aware of the report and is investigating.”
- MITRE Releases ATT&CK v17 – MITRE has released a new version of the ATT&CK framework, a compilation of adversary tactics and techniques put together to help defenders. The latest version introduces four new techniques targeting the VMware ESXi platform and adapts 34 existing techniques to it. Two notable changes are the renaming of the Network platform to Network Devices, which better reflects the techniques used to target network devices such as routers, switches, and load balancers, and the merging of the two sub-techniques DLL Side-Loading and DLL Search Order Hijacking into one category called “Hijack Execution Flow: DLL”. Also added in ATT&CK v17 is a technique called “Remote Access Tools: Remote Access Hardware” that highlights the Democratic People’s Republic of Korea (DPRK) remote work scheme.
- CISA Discontinues VirusTotal – Hundreds of staff at the Cybersecurity and Infrastructure Security Agency (CISA) were notified on April 20, 2025 that the agency had discontinued its use of Censys and Google-owned VirusTotal. “We are confident we will find the right alternative soon.” This came a few days after the cybersecurity industry was sent into a tailspin when a MITRE internal memo revealed that the U.S. would no longer fund the flagship CVE program; at the eleventh hour, CISA reversed course and extended its contract for about 11 months. “To set the record straight, we had no funding issues, but there were contract administration issues that were resolved before the contract expired,” said Matt Hartman, acting CISA executive assistant director. “There has been no interruption to the CVE program and CISA is fully committed to maintaining and improving this critical cyber infrastructure.”
- How Windows PC Manager Could Have Been Hijacked – Cybersecurity researchers have outlined two scenarios in which the release pipeline of Microsoft PC Manager, a utility for optimizing and managing Windows computers, could have been hijacked: via the WinGet repository (ZDI-23-1527) and via the official pcmanager.microsoft(.)com domain, owing to overly permissive Shared Access Signature (SAS) tokens. Successful exploitation of the vulnerabilities could have allowed arbitrary code execution on customer endpoints without the need for authentication. “If an attack were carried out, cybercriminals could breach the software supply chain for malware distribution, replace the software release, and modify the distributed PC Manager executable,” Trend Micro said. The issues, which both carry a CVSS score of 10.0, were addressed by Microsoft in October 2023.
- New Magecart Campaign Observed in the Wild – A new credit card skimming (aka Magecart) campaign has been observed injecting malicious code into compromised e-commerce sites with the aim of intercepting payment data users enter on checkout forms. The attack involves using credentials stolen via an information stealer to gain access to the site’s backend and leveraging that access to upload malicious PHP pages directly to the server. The PHP scripts act as a web shell that provides remote control over the site and contaminates the database by inserting malicious JavaScript code. The JavaScript is designed to capture payment information, check the validity of the entered numbers, and exfiltrate the information disguised as an image via a WebSocket connection. Credit card data stolen via web skimmers is usually sold on carding forums like Savastan0, where it is purchased by other threat actors to carry out further criminal acts in exchange for cryptocurrency payments. “The rules of Savastan0 establish that buyers only have 10 minutes to use the checker, otherwise they will not be able to get a refund for their cards,” Yarix said. “All checks cost $0.30. The card checker service can be used to ‘soft-check’ the validity of a card without making a transaction. This reduces the likelihood of alerting the legitimate owner to the activity or of tripping the anti-fraud system.” The disclosure comes as Jscrambler detailed a stealthy web skimming campaign that infiltrated 17 Caritas Spain websites running WooCommerce, using a modular kit designed to evade detection while intercepting sensitive payment data. “Like many others, the skimming campaign was carried out in two stages,” Jscrambler said. “Stage 1 served as a loader and laid the foundation for the attack. Stage 2 held the skimmer logic itself, injected fake payment forms and exfiltrated sensitive data covertly.” The exact initial infection vector remains unknown, but there is evidence pointing to the threat actor having persistent access to the WooCommerce installation. Jscrambler said details of the stolen cards were verified within 10 minutes of exfiltration, indicating some degree of automation.
- 4chan Is Back – The infamous imageboard site 4chan has partially returned online after a hack took the site down for nearly two weeks. In a blog post, 4chan said: “A hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers via a bogus PDF upload. With this entry point, they were able to gain access to one of 4chan’s servers, including database access and access to our own administrative dashboard.” 4chan said that the compromised server has been replaced and PDF uploads have been temporarily disabled on boards that support the functionality.
- SK Telecom Discloses Breach – SK Telecom, South Korea’s largest mobile operator, has warned customers that a malware infection enabled threat actors to access USIM-related information. The company said it noticed the incident on April 19, 2025 at around 11 p.m. However, SK Telecom stressed that there is no evidence that the information has been misused in any way. The attack has not been claimed by any known threat actor or group.
- New Flaws in Kentico Xperience CMS – Cybersecurity researchers have detailed a now-patched vulnerability in the Kentico Xperience content management system (CMS) application (CVE-2025-2748, CVSS score: 6.5). The bug essentially allows attackers to deliver malicious payloads as an unauthenticated user when uploading multiple files to the application. The issue affects Kentico Xperience up to version 13.0.178. Kentico has also addressed WT-2025-0006 (authentication bypass), WT-2025-0007 (authentication bypass), and WT-2025-0011, which together enable remote code execution on fully patched deployments.
- Indian Banks Ordered to Move to “.bank(.)in” by October 31 – In February 2025, the Reserve Bank of India (RBI), the country’s central bank, introduced an exclusive “.bank(.)in” internet domain for domestic banks to combat digital financial fraud. In a new directive issued last week, the RBI urged banks to begin migrating to the new domain and complete the process by October 31, 2025. To do so, banks must contact the Institute for Development and Research in Banking Technology (IDRBT) to begin the registration process.
- New DDoS Botnet with 1.33 Million Devices – The largest DDoS botnet recorded to date, made up of 1.33 million devices, targeted the “betting shops” microsegment in an attack lasting approximately 2.5 hours in late March 2025. Qrator Labs said over 50% of the compromised devices were located in Argentina, Russia, Iraq and Mexico. The disclosure coincided with an emerging threat campaign targeting poorly managed MS-SQL servers to deploy Ammyy Admin and PetitPotato malware for remote access and privilege escalation. “Attackers leverage vulnerable servers, run commands to collect system information, and use WGET to install malware,” Broadcom said. “They also enable the RDP service and add new user accounts to maintain persistent access.”
- Scallywag Uses Fake WordPress Plugins for Ad Fraud – A collection of four WordPress plugins – Soralink, Yu Idea, WPSafeLink, and Droplink – collectively referred to as Scallywag, is being advertised as a fraud-as-a-service that monetizes digital piracy and URL-shortening services. “These modules redirect users through one or more intermediary pages to request and render ads before delivering the promised content or shortened URL,” said Human’s Satori Threat Intelligence and Research team. At its peak, Scallywag generated fraudulent bid requests daily across 407 cash-out domains. The scheme begins with a user visiting a movie piracy catalog site. Once the content to watch is selected, the user is redirected through Scallywag-affiliated cash-out blogs loaded with ads before reaching the final destination where the content is hosted. Human said new cash-out sites have emerged amid continuing crackdowns on the scheme, highlighting what appears to be a game of cat and mouse with the scammers.
- Microsoft Officially Launches Recall Rollout – Almost a year after unveiling it to an enormous privacy and security backlash, Microsoft has made its artificial intelligence (AI)-powered Recall feature available on Copilot+ PCs. The concerns led the company to make it an opt-in feature and rework the system with improved controls to prevent unauthorized access. “We have implemented extensive security considerations, such as Windows Hello sign-in, data encryption, and Recall isolation, to help keep your data safe and secure,” Microsoft said. “Recall data is processed locally on the device, meaning it is not sent to the cloud, is not shared with Microsoft, and Microsoft does not share the data with third parties.” Security researcher Kevin Beaumont said Microsoft has made “serious efforts” to address some of the substantial security complaints, but pointed out that the filtering of sensitive data from snapshots can be hit or miss.
- Cybercrime Cost Victims $16 Billion in 2024 – The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center, or IC3, recorded 859,532 complaints in 2024. Of those, 256,256 complaints resulted in a staggering loss of $16.6 billion, a 33% increase in losses from 2023. “Complaints have risen 9% since 2023,” IC3 said. “As a group, people over 60 suffered the most losses and filed the most complaints.” Investment fraud, business email compromise (BEC), and tech support scams took the top three slots for the most losses. Hong Kong, Vietnam, Mexico, the Philippines, India and China were the major international destinations for fraudulent wire transfers. Ransomware complaints totaled 3,156 in 2024, against earlier yearly totals of 2,825, 2,385 and 2,156.
- Japan Warns of Fraudulent Stock Trading via Stolen Credentials – The Japanese Financial Services Agency (FSA) has warned users of fraudulent trades on internet stock trading services, carried out using stolen credentials harvested from phishing websites impersonating legitimate counterparts. So far, there have been 1,454 fraudulent transactions, worth almost 100 billion yen ($700 million) since February.
- FBI Seeks Information on Salt Typhoon – The FBI said it is seeking information about the compromise of U.S. telecom companies by a Chinese hacking group called Salt Typhoon. “Investigation into these actors and their activity has revealed a broad and significant cyber campaign to leverage access to these networks to target victims on a global scale,” the agency said. “This activity has resulted in the theft of call data logs, a limited number of private communications involving identified victims, and copies of select information that was subject to court-ordered U.S. law enforcement requests.”
- Privacy Watchdog Files GDPR Complaint Against Ubisoft – Austrian privacy non-profit noyb has accused French video game developer and publisher Ubisoft of violating the General Data Protection Regulation (GDPR) by forcing customers to connect to the internet every time they launch a single-player game, even in scenarios with no online functionality. “This allows Ubisoft to collect people’s gaming behavior. Among other things, the company collects data on when a game is started, the duration of play, and when it is closed,” noyb said. “Even after being explicitly asked why the complainant is forced to be online, Ubisoft did not reveal why this is happening.” The complaint comes shortly after noyb criticized the complex “cooperation mechanism” for handling complaints between the user’s data protection authority (DPA) and the DPA of another member state. “The regulation could have been a game-changer for exercising people’s fundamental rights. Instead, it appears to waste thousands of hours of already overworked authorities by prescribing a variety of useless, overly complicated procedures worth millions in taxpayer money,” Max Schrems said. “At the same time, the procedures will be slower and more complicated for businesses and citizens. Enforcing GDPR rights will become even more out of reach for ordinary people.”
- SSL.com DCV Process Flaw – A flaw in the Domain Control Validation (DCV) process at SSL.com could have allowed an attacker to bypass validation and obtain a fraudulent SSL certificate for any domain linked to a specific email provider such as aliyun(.)com. A total of 11 certificates are said to have been issued this way.
- Asian Fraud Operations Expand Worldwide – The United Nations Office on Drugs and Crime (UNODC) has revealed that scam centers run by organized crime gangs in East and Southeast Asia have spread like a “cancer” in response to law enforcement efforts, leading to global expansion. Nigeria, Zambia, Angola, Brazil and Peru are among the new locations to which Asian-led groups have migrated. “The dispersal of these sophisticated criminal networks within areas of weakest governance has attracted and promoted corruption, allowing the illicit industry to continue to expand and consolidate, with hundreds of industrial-scale fraud centers generating just under US$40 billion in annual profits,” UNODC said.

🎥Cybersecurity Webinar
- AI-Driven Spoofing Is Breaking MFA – Here’s How to Close the Door on Identity-Based Attacks – AI-driven spoofing renders traditional MFA useless, letting attackers in without stealing passwords. In this session, you will learn how to stop an identity-based attack before it starts, using real-time validation, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity verification, see how modern defenses can close the door on impostors. Join the webinar and watch it work.
- Smart AI Agents Need Smarter Security. Here’s How to Get Started – AI agents help teams move faster, but without proper security they can expose sensitive data or be manipulated by attackers. This session will show you how to build AI agents safely, with practical steps, critical controls, and the risks that teams often overlook. Learn how to reduce exposure without losing productivity, keeping AI tools safe, reliable, and under control. Sign up now to secure AI the right way.
🔧Cybersecurity Tools
- Varalyze – A unified threat intelligence toolkit that connects data from sources such as AbuseIPDB, VirusTotal, and urlscan to streamline threat analysis. It automates intel gathering, speeds up triage, and generates clear, actionable reports.
- CookieCrumbler – Tired of cookie pop-ups that disrupt browsing and break website functionality? CookieCrumbler is a smart tool designed to automatically detect and analyze cookie consent notices on websites. Whether you’re trying to identify cookie banners to debug web compatibility issues or to find ones that slip through existing blockers, CookieCrumbler helps you find them faster. It can run as a web app, perform local crawling, and even integrate with other systems, without requiring deep technical skills.
- Eyeballer – A smart tool for penetration testers that analyzes large batches of website screenshots to quickly identify valuable targets such as login pages, outdated sites, and active web apps. Instead of wasting time on parked domains or harmless 404s, Eyeballer helps you focus on what is likely to be vulnerable and speeds up triage in wide-scope network tests. Feed it screenshots and Eyeballer highlights what matters.
🔒Tip of the Week
Don’t Let Video Calls Become a Backdoor – Attackers are currently using fake meeting invitations to trick people into granting remote access during video calls. They set up fake interviews and business meetings and then request screen control. Sometimes they rename themselves to “Zoom” so the request looks like a system message. Clicking “Allow” without thinking can let them take over your computer, steal data, or install malware.
To stay safe, disable the remote control feature if you don’t need it. In Zoom, turn it off under Settings > In Meeting (Basic). Always verify anyone who asks for access, and never approve control just because it looks official. If you can use a browser-based tool like Google Meet instead, that is safer, because a browser can’t easily take control of your system.
For extra protection, Mac users can block Zoom (or any app) from being granted special permissions such as Accessibility, which remote control depends on. IT teams can also enforce this across all company devices. Be wary of odd emails and invitations sent as links. Real companies don’t use personal accounts or fake booking pages. Stay alert, and don’t let a simple click turn into a big problem.
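One way an IT team can check the Mac side of this tip at scale is to audit which apps actually hold the Accessibility permission. The script below is an added example, not code from the original article or from Zoom or Apple; it assumes the system TCC database lives at /Library/Application Support/com.apple.TCC/TCC.db with an `access` table holding `service`, `client` and `auth_value` columns (reading it requires root or Full Disk Access), and it builds a constructed stand-in database so it can be run anywhere.

```python
"""Audit macOS Accessibility grants, the permission Zoom-style remote control needs.

Added example (not from the article). Assumptions, labelled here and below:
  * system TCC database path and the `access(service, client, auth_value)` schema
  * auth_value 2 = allowed, 0 = denied (macOS 11+ semantics)
  * Zoom's macOS bundle identifier is us.zoom.xos
Revoking a grant is done with:  sudo tccutil reset Accessibility us.zoom.xos
"""
import os
import sqlite3
import tempfile
from pathlib import Path

SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")  # assumed path
ACCESSIBILITY = "kTCCServiceAccessibility"
AUTH_ALLOWED = 2  # assumed auth_value meaning


def accessibility_grants(db_path):
    """Return {bundle_id: allowed} for every app with an Accessibility row."""
    conn = sqlite3.connect(str(db_path))
    try:
        rows = conn.execute(
            "SELECT client, auth_value FROM access WHERE service = ?",
            (ACCESSIBILITY,),
        ).fetchall()
    finally:
        conn.close()
    return {client: auth_value == AUTH_ALLOWED for client, auth_value in rows}


def unexpected_grants(grants, allowlist):
    """Apps that hold Accessibility but are not on the IT-approved allowlist."""
    return sorted(c for c, allowed in grants.items() if allowed and c not in allowlist)


def build_sample_db(path):
    """Constructed stand-in for TCC.db using the same column names as the real table."""
    conn = sqlite3.connect(str(path))
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (ACCESSIBILITY, "us.zoom.xos", 0, 2),         # Zoom was granted control
            (ACCESSIBILITY, "com.example.helper", 0, 0),  # constructed app, denied
            ("kTCCServiceCamera", "us.zoom.xos", 0, 2),   # other service, must be ignored
        ],
    )
    conn.commit()
    conn.close()


def run_demo():
    """Build the sample database, audit it, and return (grants, offenders)."""
    db = Path(tempfile.mkdtemp()) / "TCC.db"
    build_sample_db(db)
    grants = accessibility_grants(db)
    offenders = unexpected_grants(grants, allowlist={"com.corp.approved-rmm"})  # constructed allowlist
    os.remove(db)
    return grants, offenders


if __name__ == "__main__":
    # Use the real database when present (needs root / Full Disk Access), else the sample.
    if SYSTEM_TCC_DB.exists() and os.access(SYSTEM_TCC_DB, os.R_OK):
        grants = accessibility_grants(SYSTEM_TCC_DB)
        offenders = unexpected_grants(grants, allowlist=set())
    else:
        grants, offenders = run_demo()
    for bundle_id, allowed in grants.items():
        print(f"{bundle_id}: {'ALLOWED' if allowed else 'denied'}")
    print("needs review:", offenders)
```

Apps listed under "needs review" are the ones to revoke with tccutil or lock down with an MDM privacy profile.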
Conclusion
The most effective defense often starts with asking better questions. Are your systems working in ways you truly understand? How could an attacker turn a trusted tool against you?
Now is the time to look at security beyond technology. Examine how your team handles trust, communication and unusual behavior. Map where human judgment meets automation, and where attackers might find blind spots.
Curiosity is not just for research. It is a powerful shield for challenging assumptions and revealing hidden risks.