Malware

Cybersecurity News

New PureLogs Malware Variant Hijacks MSBuild.exe to Hide Malicious Processes

FortiGuard Labs recently identified a phishing campaign distributing a PureLogs variant designed to collect sensitive data from the victim’s device. The analysis provides an in-depth examination of the campaign, including the phishing emails and the mechanisms by which the JavaScript file operates on the victim’s device

This campaign uses deceptive emails disguised as purchase orders, a tactic commonly used to trick recipients into opening malicious attachments.

Infection Chain

Figure 1 illustrates the infection chain of this phishing email campaign.

The infection chain of the malicious campaign

(Fortinet)

Step-by-Step Attack Flow of the PureLogs Campaign

This campaign employs a sophisticated multi-stage attack chain that begins with a phishing email delivering a malicious JavaScript file.

The JavaScript decrypts and launches a PowerShell script, which then uses process hollowing to inject a .NET downloader into the legitimate Windows process MsBuild.exe. The downloader communicates with a remote C2 server to fetch and execute additional plugin modules, enabling flexible post-compromise operations.

The attack leverages multiple encryption layers, fileless execution, and process hollowing techniques, making it highly evasive and difficult for traditional signature-based security solutions to detect.

Organizations are advised to strengthen email filtering, restrict unnecessary script execution, and monitor for suspicious PowerShell activity and process hollowing behavior.

The use of multiple encryption layers, fileless execution, and process hollowing techniques makes this campaign highly evasive and difficult for traditional signature-based security solutions to detect. Organizations are advised to enforce email filtering, disable unnecessary script execution, and monitor for anomalous PowerShell activity and process hollowing.

PureLogs Attack scenario

The attack begins with a fake purchase order email. Fortinet observed an attached archive named PO 2026-P0803.rar, which carried a malicious JavaScript file called kpankocrs.js.

When the victim opens the script, it decrypts PowerShell code and writes it to a randomly named .ps1 file in the C:\Temp folder. The script then runs PowerShell with flags that bypass execution policy, hide the window, and avoid loading a user profile.

From there, the PowerShell stage decodes and decrypts more content. It loads .NET modules directly in memory, which helps the campaign reduce obvious files on disk and avoid simpler signature-based detection.

MsBuild.exe Is Useful to Attackers

MsBuild.exe is a legitimate Microsoft build utility commonly used to compile and build applications. Because it is a trusted Windows component frequently seen in enterprise environments, attackers often abuse it to disguise malicious activity under the appearance of normal system operations.

In this campaign, the threat actors leveraged the hardcoded path C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe as the target for process hollowing. According to Fortinet’s analysis, the PowerShell stage creates a suspended MsBuild.exe process and injects malicious .NET code into it before execution resumes.

The abuse of legitimate Windows binaries like MsBuild.exe allows attackers to blend into normal system activity, making detection significantly harder if organizations are not actively monitoring process behavior, parent-child relationships, and suspicious network communications.

Process Hollowing Helps PureLogs Evade Detection

Process hollowing is a stealth-focused process injection technique that allows malware to operate from within a legitimate process. The attacker launches a trusted application in a suspended state, replaces its memory with malicious code, and then resumes execution.

MITRE ATT&CK identifies process hollowing as a common defense evasion technique used to bypass traditional security controls. Fortinet observed several APIs associated with this activity, including CreateProcessA, ZwUnmapViewOfSection, WriteProcessMemory, SetThreadContext, and ResumeThread.

As a result, security tools may only detect a seemingly legitimate MsBuild.exe process, while the malicious payload executes silently within it. This deceptive behavior complicates both automated detection and manual incident analysis.

Information PureLogs Steals

PureLogs is a .NET-based information stealer designed to harvest sensitive system and user data from infected devices. Once deployed through the downloader module, the malware collects, compresses, encrypts, and exfiltrates data to its command-and-control (C2) infrastructure.

The malware gathers extensive host information, including screenshots, antivirus details, operating system data, processor information, usernames, screen resolution, memory size, clipboard contents, and system timestamps.

Security Advisory

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.

As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.

 CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.

(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.

CVE IDAffected ProductVulnerability DescriptionPotential ImpactSeverity Rating
CVE-2026-41091Microsoft Malware Protection EngineVulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning enginePrivilege escalation allowing attackers to gain SYSTEM-level access🔴 Critical
CVE-2026-45498Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlierVulnerability affecting Microsoft Defender and related endpoint protection platformsSecurity risk impacting endpoint protection systems and enterprise security tools🟠 High

CVE-2026-41091 vulnerability affects:

  • The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
  • By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
  • With this access, attackers could potentially take full control of the affected device.

CVE-2026-45498 vulnerability affects:

Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.

As a result, users may experience:

  • System slowdowns or freezes
  • Security services stopping unexpectedly

CISA Adds the vulnerability in its KEV

For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Privilege Escalation Flaw:

The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.

mpengine.dll (Microsoft Malware Protection Engine) is responsible for:

  • Malware scanning
  • Threat detection
  • File inspection
  • Cleaning and remediation operations
  • The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
  • During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
  • An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.

CISA gave federal agencies until June 3 to ensure mitigation measures are in place.

Threat Mitigation advice from Microsoft:

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.

Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.

It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.

One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.

The April 2026 vulnerabilities identified in Defender:

Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse” 

For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.

RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

SIEM Helps Detect Exploitation

 Privilege Escalation Detection (CVE-2026-41091)

The SIEM can correlate:

  • Suspicious file write activity
  • Abnormal SYSTEM privilege assignments
  • Unexpected execution of privileged processes
  • Defender engine (mpengine.dll) anomalies
  • Unauthorized access attempts to protected system directories

DoS & Security Service Monitoring (CVE-2026-45498)

The SIEM can detect:

  • Unexpected Microsoft Defender crashes
  • Antimalware service restarts
  • Endpoint protection failures
  • Repeated system instability events
  • Disabled or unavailable Defender services

This helps security teams identify attempts to disrupt endpoint protection mechanisms

Sources: Security Update Guide – Microsoft Security Response Center

Sources:

Blogs Cybersecurity News

New Malware Framework Highlight Attackers Tactics; Gain Browser Access

New malware TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework targets manufacturing based enterprises. The malware’s activity appeared in traffic associated with a third-party user connected to the customer environment. The malware framework is based on screen control, browser artifact access and User Account Control (UAC) bypass that highlights how attackers are increasingly adapting open-source tools for real-world intrusions. Their attack pattern reveal careful design that can blend into normal enterprise traffic.

The tactics was revealed in April 2026, when Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell.

The malware has been previously undocumented, Go-based implant derived from the open-source Rshell C2 framework.

The activity appeared in traffic associated with a third-party user connected to the customer environment.

Malware attack chain

The attack chain used a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication.

Activity noticed an suspected China-linked based on the apparent Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns, While this pattern is relevant to our suspected China-linked assessment, it is not sufficient on its own for attribution.

If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling. We blocked the attempt before the attacker could establish durable remote control.

Command & control framework

A C2 framework deployed through third-party access can turn a trusted business connection into an attacker-controlled bridge.

According to Cato CTRL, TencShell is a customized, Go-based implant derived from the open-source Rshell in C2 framework.

Security analysts suspect the malware has ties to Chinese threat actors, largely due to its infrastructure patterns and its clever impersonation of Tencent API services, which are designed to camouflage malicious communication.

If TencShell had installed successfully, the attacker could potentially execute commands, inspect files, steal credentials or session material, stage additional tools, proxy traffic through the endpoint, and move toward internal systems that are not directly exposed to the internet.

Business Risk for manufacturers posed by the Malware

From the standpoint of manufacturers across the globe, the business risk extends beyond. If any endpoint connected is compromised to a regional site can further expose supplier relationships, production workflows, intellectual property, customer data, logistics processes and business continuity.

The C2 framework gives the attacker the control needed to decide what comes next.

What can attackers do from operational standpoint

To evade endpoint defenses, attackers can execute inline binaries, load dynamic link libraries and run .NET assemblies directly from memory.

The framework also enables operators to establish SOCKS5 proxies, allowing them to tunnel traffic and pivot deeper into segmented internal systems.

TencShell is derived from Rshell, an open-source Go-based C2 framework designed for cross-platform offensive security use. The original Rshell project includes remote command execution, file and process management, terminal access, in-memory payload execution, multiple C2 transports, and an MCP server. The version we observed was customized and repackaged for this operation, with communication and delivery changes that made it more suitable for the attacker’s campaign.

Embedded Go source paths in TencShell exposed the Reacon project structure and the threat actor user, as shown in Figure 1.

TencShell

Figure 1. TencShell Go paths revealing the threat actor’s REACON project

Conclusion: The framework for Malware classification system (MCS) if adopted to analyze malware behavior dynamically using a concept of information theory and a machine learning technique will be useful for manufacturing organizations.

Any proposed framework will extracts behavioral patterns from execution reports of malware in terms of its features and generates a data repository. The specific aim of any proposed framework detects the family of unknown malware samples after training of a classifier from malware data repository. 

Security researchers have the opinion, attackers no longer need custom malware development pipelines to conduct sophisticated intrusions. Adaptable open-source tooling is often enough for implementation and TencShell appears to have been customized from Rshell into a practical post-exploitation implant with web-like C2 communication. This assited the attacker to adapt available offensive tooling and attempted to blend the activity into normal enterprise traffic.

Sources: https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/

Cybersecurity News Security Advisory

SAP npm Packages Targeted with Malware ‘Supply Chain Risk’-Patch Now

Supply chain attack

Continue Reading
Blogs Cybersecurity News

Corporate Employees Targeted by Vidar Malware

The purpose of Vidar malware is to infiltrate systems and deploy a payload to extract sensitive data.

Continue Reading
Blogs Cybersecurity News

Scanners Turn Attack Vector as TrivyScanner Hijacked via GitHub Actions Tags

Attackers Targeted SSH keys, Cloud Tokens & API secrets in CI/CD Pipelines; Highlights Securing CI/CD Pipelines

In latest vulnerability discovery Aqua Security revealed HackerBot-claw bot hijacked 75 of 76 GitHub Actions tags for its Trivy vulnerability scanner. The HackerBot-claw first distributed credential-stealing malware through the widely used security tool for the second time in a one month.

Malicious code rode alongside legitimate scans, targeting SSH keys, cloud tokens and API secrets in CI/CD pipelines. Security researcher Paul McCarty was the first to warn publicly that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.

Attack module on Trivy

When it comes to workflow it has been observed that more then 10,000 GitHub workflow files rely on trivy-action. Attackers can leverage this pipeline and pull versions during the attack window which are affected and carry sensitive credentials exfiltrated.

Attackers compromised the GitHub Action by modifying its code and retroactively updating version tags to reference a malicious commit. This permitted data used in CI/CD workflows to be printed in GitHub Actions build logs and finally leaking credentials.

A self-propagating npm worm compromised 47 packages, extending the blast radius into the broader JavaScript ecosystem.

Aqua Security disclosed in a GitHub Discussion that the incident stemmed from incomplete containment of an earlier March 1 breach involving a hackerbot-claw bot.

  • Attackers swapped the entrypoint.sh in Trivy’s GitHub Actions with a 204-line script that prepended credential-stealing code before the legitimate scanner.
  • Lines 4 through 105 contained the infostealer payload, while lines 106 through 204 ran Trivy as normal.
  • This made difficult  to detect during routine scans.

TeamPCP preserved normal scan functionality to avoid triggering CI/CD failures as detection now will require cryptographic verification of commit signatures .

For defenders, traditional CI/CD monitoring, which watches for build failures or unexpected output, can no longer catch supply-chain compromises that deliberately maintain normal behavior.

Organizations relying on Trivy or similar open-source security tools are facing attacks from the very scanners meant to protect their pipelines can become the attack vector. Only cryptographic provenance checks can distinguish legitimate releases from poisoned ones.

As per security researchers once inside a pipeline, the malicious script scanned memory regions of the GitHub Actions Runner.

Github Compromise

The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags. 

Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.

Key Findings b Wiz Research

  • According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers with malicious container images and GitHub releases published to users.
  • The second stage extension is activated and the malicious payload checks whether the victim has credentials from cloud service providers such as GitHub, AWS, Google Cloud, and Microsoft Azure.
  • When credentials if they are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).

“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer.

Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”

Conclusion: Aqua Security urged affected users to “treat all pipeline secrets as compromised and rotate immediately.” 

Organizations that ran any version of trivy-action, setup-trivy, or Trivy v0.69.4 during the attack window should audit their CI/CD logs for unexpected network connections to scan.aquasecurtiy[.]org and check whether any tpcp-docs repositories were created under their GitHub accounts.

With three major tag-hijacking incidents in 12 months, Wiz security researcher Rami McCarthy recommended that organizations “pin GitHub Actions to full SHA hashes, not version tags.”

Sources: Trivy Breached Twice in a Month via GitHub Actions

Security Advisory

Critical YARA Vulnerability Exposes Linux Systems – Patch Now 

Summary : YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.

Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.

OEM Virus Total / YARA Project (Tool) 
Severity Critical 
CVSS Score 9.1 
CVEs CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, 2018-19975, 2018-19976 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.

These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately. 

      Vulnerability Name CVE ID Product Affected Severity CVSS Score Fixed Version 
Mach-O Parser Overflow Read Vulnerability CVE-2021-3402 YARA  Critical 9.1 Updated Ubuntu packages 
Mach-O File Parsing Out-of-Bounds Access CVE-2019-19648 YARA  High 7.8 Updated Ubuntu packages 

Technical Summary 

The most critical vulnerability CVE-2021-3402 exists in the macho.c implementation used by YARA to parse Mach-O files.

The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory. 

Another high-severity vulnerability CVE-2019-19648 affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or execution of malicious code in certain scenarios. 

Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2021-3402 YARA (Ubuntu 20.04) Overflow read vulnerability in Mach-O parsing implementation DoS, potential information disclosure 
CVE-2019-19648 YARA (Ubuntu 20.04) Out-of-bound memory access during Mach-O file parsing DoS or possible code execution 

Additional Vulnerabilities 

The advisory also includes several medium-severity vulnerabilities affecting YARA components. 

CVE ID Vulnerability Details Impact 
CVE-2021-45429 Buffer overflow in yr_set_configuration() when parsing crafted rules Denial of Service 
CVE-2018-19976 YARA virtual machine sandbox escape Possible code execution 
CVE-2018-19975 VM sandbox escape vulnerability Possible code execution 
CVE-2018-19974 Virtual machine security bypass Possible code execution 

Potential Consequences 

  • Disruption of malware detection pipelines 
  • Denial of service in security analysis environments 
  • Information disclosure through crafted files 
  • Potential arbitrary code execution in analysis systems 
  • Reduced visibility in SOC threat detection workflows 

Remediation 

Upgrade affected packages immediately to the patched versions provided by Ubuntu are mentioning below- 

Released patches  

Ubuntu Release Package Fixed Version 
Ubuntu 20.04 LTS libyara3 3.9.0-1ubuntu0.1 esm1 
yara 3.9.0-1ubuntu0.1 esm1 
Ubuntu 18.04 LTS libyara3 3.7.1-1ubuntu2+esm1 
yara 3.7.1-1ubuntu2+esm1 
Ubuntu 16.04 LTS libyara3 3.4.0+dfsg-2ubuntu0.1 esm1 
python-yara 3.4.0+dfsg-2ubuntu0.1 esm1 
python3-yara 3.4.0+dfsg-2ubuntu0.1 esm1 
yara 3.4.0+dfsg-2ubuntu0.1 esm1 

If immediate patching is not possible, apply the following temporary mitigations – 

  1. Restrict scanning of untrusted files in automated YARA pipelines. 
  1. Limit rule ingestion from untrusted sources. 
  1. Monitor malware analysis systems for abnormal crashes. 
  1. Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs. 

You can follow the recommendations below as the best practice. 

  • Regularly update malware detection tools. 
  • Validate YARA rules before deployment. 
  • Validate and sandbox file inputs before passing them to YARA for analysis. 
  • Implement least-privilege execution environments for YARA scanning processes. 
  • Monitor logs for abnormal process crashes or memory-related errors in YARA. 

Conclusion: 
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation. 

Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities. 

References:  

 

Security Advisory

Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild 

Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-13223, CVE-2025-13224 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13223 Google Chrome High v142.0.7444.175 / v142.0.7444.176 
Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13224 Google Chrome High v142.0.7444.175 / v142.0.7444.176 

Technical Summary 

Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.

Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.

These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13223 Google Chrome (V8 Engine) Type confusion due to improper type handling in V8 allowing memory corruption.  Remote Code Execution, Sandbox Escape 
CVE-2025-13224 Google Chrome (V8 Engine) Type confusion triggered during script execution, discovered via fuzzing Remote Code Execution, Browser Crash 

Remediation

  • Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions: 
  • Windows: 142.0.7444.175 / 142.0.7444.176 
  • MacOS: 142.0.7444.176 
  • Linux: 142.0.7444.175 

Here are some recommendations below 

  • Enforce Chrome auto-updates on all endpoints via enterprise policies. 
  • Monitor browser crash logs and unusual behaviors tied to JavaScript execution. 
  • Run updated vulnerability & patch management tools to ensure full endpoint compliance. 
  • Educate users to avoid suspicious links and unknown websites during active exploitation events 

Conclusion: 
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world. 

References

Security Advisory

TP-Link Security Update, Omada Gateway Exploits Fixed in October Release 

Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.

OEM TP-Link 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 
Date of Announcement 2025-10-21 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
OS Command Injection Vulnerability CVE-2025-6542 TP-Link Omada Gateways Critical 9.3 
Command Injection Vulnerability CVE-2025-7850 TP-Link Omada Gateways Critical 9.3 

Technical Summary: 

TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6542 TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) Unauthenticated remote attackers can execute arbitrary OS commands on the device Remote Code Execution,  System Compromise, Malware Deployment 
CVE-2025-7850 TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) Command injection exploitable after admin authentication on the web portal System Compromise,  Root-Level Control 

Additional Vulnerabilities: 

The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways – 

Vulnerability Name CVE ID Affected Component Severity 
Authenticated Arbitrary OS Command Execution in Omada Gateways CVE-2025-6541 TP-Link Omada Gateways High 
Root Shell Access Under Restricted Conditions in Omada Gateways CVE-2025-7851 TP-Link Omada Gateways High 

Remediation: 

Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models. 

Model Affected Versions Fixed Version 
ER8411 < 1.3.3 Build 20251013 Rel.44647 >= 1.3.3 Build 20251013 Rel.44647 
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594 >= 1.1.0 Build 20251015 Rel.63594 
ER707-M2 < 1.3.1 Build 20251009 Rel.67687 >= 1.3.1 Build 20251009 Rel.67687 
ER7206 < 2.2.2 Build 20250724 Rel.11109 >= 2.2.2 Build 20250724 Rel.11109 
ER605 < 2.3.1 Build 20251015 Rel.78291 >= 2.3.1 Build 20251015 Rel.78291 
ER706W < 1.2.1 Build 20250821 Rel.80909 >= 1.2.1 Build 20250821 Rel.80909 
ER706W-4G < 1.2.1 Build 20250821 Rel.82492 >= 1.2.1 Build 20250821 Rel.82492 
ER7212PC < 2.1.3 Build 20251016 Rel.82571 >= 2.1.3 Build 20251016 Rel.82571 
G36 < 1.1.4 Build 20251015 Rel.84206 >= 1.1.4 Build 20251015 Rel.84206 
G611 < 1.2.2 Build 20251017 Rel.45512 >= 1.2.2 Build 20251017 Rel.45512 
FR365 < 1.1.10 Build 20250626 Rel.81746 >= 1.1.10 Build 20250626 Rel.81746 
FR205 < 1.0.3 Build 20251016 Rel.61376 >= 1.0.3 Build 20251016 Rel.61376 
FR307-M2 < 1.2.5 Build 20251015 Rel.76743 >= 1.2.5 Build 20251015 Rel.76743 

Here are some recommendations below 

  • Restrict network access to the management interface and enable trusted networks only. 
  • Apply least privilege principles and regular security audits for network devices. 
  • Disable remote management if not required and segment networks to limit lateral movement. 

Conclusion: 

There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure. 

References

 

Blogs

New Stealit Malware Campaign Leveraged VPN installers to Exploit Node.js as per Fortinet

Cyber criminals are installing Stealit malware campaign that leverages VPN installers to exploit Node.js’ Single Executable Application (SEA) features and distribute its payloads. In the past Stealit campaigns were built using Electron, an open-source framework that packages Node.js scripts as NSIS installers for distribution. 

As per Fortinet cyber criminals deployed a new active Stealit malware campaign deploying via disguised applications.

Malware campaign are now designed and placed in such a way are mostly AI-generated, legitimate-looking code to infiltrate systems. These malwares can evade detection and gain persistent access to maximize disruption worldwide.

Researchers observed that filenames this malware is used and distributed as disguised installers for games and VPN applications. This was same as observed in previous campaigns.

How the campaign was devised?

First the cyber criminals gained initial access is gained via fake game and VPN installers bundled in PyInstaller and common compressed archives. Then uploaded to file-sharing sites such as Mediafire and Discord.

The threat actor then employed heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis.

Purpose of Stealit Campaign

The present situation are making attackers more desperate try to integrate these malware in games, demo s to make them appear legitimate. In some situations, the game might be real but one cannot deny presence of malware.

These files look safe, but they are designed to run code that steals credentials, drains cryptocurrency wallets, or takes over accounts.

In some cases, attackers slip the malware into an update after release so it’s not suspicious from the get-go. Other times, they redirect players off a storefront to an external download that evades platform checks.

When the malware binary was updated, Stealit has relocated its panel website to new domains. When reserachers first observed this campaign, the panel—also functioning as the Command-and-Control (C2) server—was hosted at stealituptaded[.]lol. As per researchers the domain quickly became inaccessible as the C2 server was moved to iloveanimals[.]shop.

Accessing the panel leads to a commercial website for Stealit, which promotes itself as offering “professional data extraction solutions” through various subscription plans.

A dedicated features page outlines its capabilities, highlighting typical remote access trojan (RAT) functionalities such as file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Microsoft Windows systems. The site also features instructional videos that demonstrate how the service operates on each platform.

The website offers payment plans for the Windows and Android versions of the stealer, with lifetime subscriptions available for approximately $ 500 and $ 2,000, respectively.

The service also has a Telegram channel named StealitPublic, where they post updates and promotions to possible clients. The main contact person is a Telegram user with the handle @deceptacle.

Operators of the malware have also imbued the latest Stealit variant with heavily obfuscated code and comprehensive anti-analysis checks. Such findings were regarded by Bugcrowd Chief Strategy and Trust Officer Trey Ford as indicative of an evolving focused cyber campaign.

At the end we should remember that threat actors can time their campaigns for maximum effect and any time new content could appear and any hype paves way for “early access” invites much more believable.

We often or might encounter weather On Discord or Telegram, attackers rely on social engineering and compromise accounts by sending messages as ‘try our game” and subsequently that messages also reach friends.

Victims often trust the sender and install the file this extends the scam’s reach.

(Reference: https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application)

Scroll to top