Black Basta Ransomware Gang Unleashes ‘BRUTED’ to Automate VPN Attacks
- SISA Weekly Threat Watch -

In the past week, researchers reported a run of critical threats across platforms and infrastructure. StilachiRAT, a stealthy Remote Access Trojan, evades detection, steals credentials and cryptocurrency wallet data, and monitors RDP sessions while persisting on infected systems. At the same time, attackers are exploiting CVE-2024-4577, a critical argument injection flaw in PHP's CGI mode on Windows, to deploy Quasar RAT and cryptocurrency miners with evasion and lateral movement techniques.
A newly uncovered Windows vulnerability (ZDI-CAN-25373) has been abused by at least 11 state-backed groups for cyber espionage. It hides command-line arguments in .lnk shortcut files behind whitespace padding, so malware such as Ursnif, Gh0st RAT, and Trickbot executes without the user seeing the real command. Meanwhile, the Black Basta ransomware gang has built BRUTED, a brute-force automation framework aimed at edge devices such as VPNs and firewalls to gain initial access.
Additionally, active exploitation of Cisco Smart Licensing Utility vulnerabilities lets attackers chain unauthenticated access with credential theft, emphasizing the need for prompt patching and tight access control across IT environments. Together, these developments underscore the need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. New RAT Malware Uses Advanced Evasion to Target Crypto & RDP Sessions
Researchers have uncovered a new Remote Access Trojan (RAT) named StilachiRAT, designed to evade detection, steal data, and persist on infected systems. Though not yet widespread, StilachiRAT poses a serious threat, targeting credentials, clipboard content, and over 20 cryptocurrency wallets. It monitors RDP sessions, impersonates users, and moves laterally within networks. To avoid detection, it clears event logs, uses encoded API calls, and evades sandbox analysis.
The malware maintains persistence via Windows services and watchdog threads that restore it if removed. It also allows attackers to execute remote commands, modify system settings, and proxy traffic through compromised devices. Microsoft has released IOCs and mitigation steps, recommending the use of EDR solutions, MFA, and official software sources. Security teams should monitor logs, inspect unexpected services, and isolate infected systems promptly. A full system scan and credential reset are essential for recovery.
2. Weaponized PHP Vulnerability Delivers Quasar RAT and Cryptocurrency Miners
CVE-2024-4577 is a critical argument injection vulnerability in PHP running in CGI mode on Windows, and it is being actively exploited. The Windows "Best-Fit" character conversion turns a soft hyphen (0xAD) in the query string into a regular hyphen after PHP's argument filter has already run, so attackers can pass php-cgi command-line options and achieve remote code execution. Attackers are using it to deploy cryptocurrency miners such as XMRig and Nicehash and remote access trojans (RATs) such as Quasar RAT. Targeted regions include Taiwan, Hong Kong, Brazil, Japan, and India, with attackers using system reconnaissance, MSI-based malware delivery, firewall rule manipulation, and LOTL (living-off-the-land) tools to evade detection.
In some cases, threat actors block access to rival malware infrastructure, highlighting the competitive nature of cryptojacking campaigns. Researchers have also observed related activity targeting Japanese organizations.
To mitigate risk, organizations are urged to patch PHP immediately (upgrading to 8.3.8, 8.2.20, or 8.1.29 or later; end-of-life branches such as 8.0 and 7.x receive no fix and must be upgraded), restrict PowerShell and cmd usage, monitor for signs of cryptojacking, and consider migrating from CGI to PHP-FPM (FastCGI) or the web server's PHP module, which are not exposed to this argument injection. Network monitoring and EDR solutions are also strongly recommended.
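A detector for the request pattern described above, as an added example (not SISA's or the researchers' code). It decodes the query string to raw bytes so the 0xAD soft hyphen survives, honours the CGI rule that a query containing an unencoded '=' is never passed as argv (which is why the public payload encodes '=' as %3d), and flags requests that smuggle php-cgi options. The log lines are constructed, and the common-log-format regex and the "probe"/"exploit" labels are this example's own choices:

```python
import re
from urllib.parse import unquote_to_bytes

# CVE-2024-4577: on Windows, php-cgi's Best-Fit conversion turns the soft hyphen
# (0xAD) into '-' after the CVE-2012-1823 filter has run, so a query string such as
#   %ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
# reaches php-cgi as `-d allow_url_include=1 -d auto_prepend_file=php://input`.
# RFC 3875 section 4.4: the query string is only passed as argv when it contains
# no unencoded '=', which is why the payload percent-encodes '='.

SOFT_HYPHEN = 0xAD
# INI directives the public exploit chain depends on.
DANGEROUS_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")

# Common log format (assumed layout); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2025:10:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [17/Mar/2025:10:12:03 +0000] "GET /cgi-bin/php-cgi.exe?%ADs HTTP/1.1" 200 2048
203.0.113.9 - - [17/Mar/2025:10:12:07 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 0
198.51.100.7 - - [17/Mar/2025:10:13:44 +0000] "GET /search.php?q=a%ADb HTTP/1.1" 200 300
"""


def analyze_request(target):
    """Classify one request target (path?query) as benign, probe, or exploit."""
    path, _, query = target.partition("?")
    if "=" in query:
        # An unencoded '=' means the server hands the query over as QUERY_STRING,
        # not as argv, so php-cgi never interprets it as options.
        return {"path": path, "verdict": "benign", "options": [], "directives": []}
    # '+' separates argv entries; decode %XX to raw bytes so 0xAD stays a single byte.
    raw = unquote_to_bytes(query.replace("+", " "))
    # A token that starts with 0xAD followed by a letter is a smuggled php-cgi option.
    options = [
        t[1:2].decode("ascii")
        for t in raw.split(b" ")
        if len(t) >= 2 and t[0] == SOFT_HYPHEN and t[1:2].isalpha()
    ]
    directives = [d.decode() for d in DANGEROUS_DIRECTIVES if d in raw.lower()]
    if options and directives:
        verdict = "exploit"      # option smuggling plus the RCE-enabling directives
    elif options:
        verdict = "probe"        # e.g. %ADs (-s) to leak source and confirm the bug
    else:
        verdict = "benign"
    return {"path": path, "verdict": verdict, "options": options, "directives": directives}


def scan_log(lines):
    """Return the non-benign requests found in access-log lines, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_request(m["target"])
        if result["verdict"] != "benign":
            hits.append({"ip": m["ip"], "target": m["target"], **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["verdict"], hit["options"], hit["directives"])
```

The fourth sample line shows why the '=' check matters: a soft hyphen inside an ordinary parameter value is not an attack, and a naive "contains %AD" rule would page on it. A WAF rule built from the same logic should match on the decoded bytes, not on the literal `%AD`, since the attacker can use any percent-encoding case.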
3. Windows Vulnerability Exploited by State-Backed Hackers for Cyber Espionage
A newly discovered Windows vulnerability (ZDI-CAN-25373) has been exploited by at least 11 state-backed hacking groups since 2017 for cyber espionage and data theft. The flaw is a UI misrepresentation in shortcut (.lnk) files: the shortcut's command-line arguments are padded with whitespace characters so that the Properties dialog does not show the real command, enabling stealthy code execution when the shortcut is opened. Despite the widespread abuse, Microsoft has not released a patch, stating that the issue does not meet its bar for servicing.
Cybersecurity researchers uncovered nearly 1,000 malicious .lnk samples exploiting the flaw. Victims are tricked into opening the shortcuts, which then deploy malware such as Ursnif, Gh0st RAT, and Trickbot. Over 70% of the attacks are aimed at espionage and data theft, with most activity seen across North America, Europe, and East Asia.
With no official patch, organizations are urged to limit .lnk execution, update security tools like Microsoft Defender, educate users, and deploy threat intelligence systems to monitor and mitigate the ongoing threat effectively.
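With no patch available, the practical control is to inspect shortcut files before they reach users. Below is an added example (not SISA's, ZDI's, or Microsoft's code) of a minimal MS-SHLLINK parser that extracts the COMMAND_LINE_ARGUMENTS string from a .lnk, skipping the LinkTargetIDList and LinkInfo structures when present, and flags the whitespace padding described above. The builder only exists to construct sample files for the test; its empty IDList is a placeholder, not a usable shortcut. The padding alphabet (space, tab, LF, VT, FF, CR) and the 32-character threshold are assumptions for this example:

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Assumed padding alphabet and threshold (the page only says "whitespace characters").
PAD_RUN_RE = re.compile(r"[ \t\n\v\f\r]+")
PAD_THRESHOLD = 32


def parse_lnk(data):
    """Return the StringData fields of a Shell Link file as a dict."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def analyze_lnk(data):
    """Report whitespace padding in the shortcut's command-line arguments."""
    args = parse_lnk(data).get("arguments", "")
    longest = max((len(m) for m in PAD_RUN_RE.findall(args)), default=0)
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": longest,
        # what actually runs once the padding is collapsed
        "effective_command": PAD_RUN_RE.sub(" ", args).strip(),
        "suspicious": longest >= PAD_THRESHOLD,
    }


def build_lnk(arguments, name="Quarterly report", relative_path=".\\report.pdf"):
    """Construct a sample .lnk (header, placeholder IDList, StringData) for testing only."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # LinkFlags, FileAttributes, Creation/Access/Write times, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: just the TerminalID

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(name) + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    sample = build_lnk(" \t\n\v\f\r" * 40 + "/c calc.exe")
    print(analyze_lnk(sample))
```

Run this over mail-gateway or download-folder quarantine: a shortcut whose arguments are a few kilobytes of whitespace before the first visible token is exactly the pattern the reports describe, and the `effective_command` field gives the analyst what the user would never see in the Target box.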
4. Black Basta Ransomware Gang Unleashes ‘BRUTED’ to Automate VPN Attacks
The Black Basta ransomware group has developed BRUTED, an automated brute-force framework targeting edge network devices such as firewalls and VPNs. The tool runs large-scale credential-guessing and credential-stuffing attacks against publicly exposed login portals, including SonicWall, Fortinet, Cisco, Citrix, and Microsoft RDWeb. BRUTED automates target discovery, password guessing, and login attempts with multithreaded processing, increasing attack speed and scale.
Rather than relying on generic wordlists alone, BRUTED extracts the Common Name and Subject Alternative Names from each target's TLS certificate and uses them to generate target-specific password candidates. It routes traffic through SOCKS5 proxies to hide its origin and customizes HTTP headers and user agents to blend in with legitimate client traffic. Its infrastructure is linked to Russian-hosted networks, and the access it yields feeds Black Basta's ransomware deployments.
Cybersecurity researchers observed BRUTED executing low-effort, high-impact attacks that can lead to mass credential breaches. Organizations are advised to enforce strong password policies, enable multi-factor authentication, restrict VPN access to trusted IPs, alert on failed logins aggregated both per source address and per account (proxy rotation spreads one account's attempts across many addresses), and keep VPN and firewall firmware up to date.
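The monitoring advice above is only useful if the aggregation matches how the tool behaves. The following added example (not SISA's or the researchers' code, and not BRUTED itself) runs three detections over constructed VPN authentication log lines within a five-minute sliding window: a single source hammering one account (brute force), a single source touching many accounts (password spraying), and one account failing from many sources (what SOCKS5 proxy rotation looks like from the defender's side). It also raises an alert when a success follows a burst of failures from the same source. The log format, window and thresholds are assumptions for this example; real appliances log differently:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout (assumed): <ISO-8601 UTC> src=<ip> user=<name> result=<success|fail> ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)"
)

WINDOW = timedelta(minutes=5)      # sliding window for all rules (assumed tuning)
SINGLE_SOURCE_FAILS = 15           # failures from one IP against at most two accounts
SPRAY_USERS = 8                    # distinct accounts failing from one IP
DISTRIBUTED_SOURCES = 5            # distinct IPs failing against one account
FAILS_BEFORE_SUCCESS = 5           # failures preceding a success from the same IP


def parse_events(lines):
    """Return (timestamp, src, user, success) tuples sorted by time; skips unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    events.sort()
    return events


def detect(lines):
    """Return one alert per (kind, key) found in the log lines."""
    alerts, seen = [], set()

    def alert(kind, key, **info):
        if (kind, key) not in seen:          # report each finding once
            seen.add((kind, key))
            alerts.append({"kind": kind, "key": key, **info})

    by_src = defaultdict(deque)    # src  -> (ts, user, success) within WINDOW
    by_user = defaultdict(deque)   # user -> (ts, src) of failures within WINDOW
    for ts, src, user, ok in parse_events(lines):
        recent = by_src[src]
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()
        if ok:
            fails_before = sum(1 for _, _, s in recent if not s)
            if fails_before >= FAILS_BEFORE_SUCCESS:
                alert("likely_compromise", src, user=user, failures_before_success=fails_before)
        recent.append((ts, user, ok))

        failed_users = [u for _, u, s in recent if not s]
        if len(failed_users) >= SINGLE_SOURCE_FAILS and len(set(failed_users)) <= 2:
            alert("brute_force", src, users=sorted(set(failed_users)), failures=len(failed_users))
        elif len(set(failed_users)) >= SPRAY_USERS:
            alert("password_spray", src, users=len(set(failed_users)))

        if not ok:
            per_user = by_user[user]
            while per_user and ts - per_user[0][0] > WINDOW:
                per_user.popleft()
            per_user.append((ts, src))
            sources = {s for _, s in per_user}
            if len(sources) >= DISTRIBUTED_SOURCES:
                alert("distributed_brute_force", user, sources=len(sources))
    return alerts


def constructed_log():
    """Sample log lines built for this example; not real traffic."""
    lines = []
    for i in range(10):      # spray: one IP, ten accounts, one failure each
        lines.append(f"2025-03-17T10:00:{i:02d}Z src=198.51.100.23 user=user{i:02d} result=fail portal=sslvpn")
    for i in range(16):      # brute force on one account, then a success
        lines.append(f"2025-03-17T10:05:{i:02d}Z src=203.0.113.77 user=admin result=fail portal=sslvpn")
    lines.append("2025-03-17T10:05:20Z src=203.0.113.77 user=admin result=success portal=sslvpn")
    for i in range(6):       # one account hit from six proxy exits
        lines.append(f"2025-03-17T10:10:{i:02d}Z src=192.0.2.{i + 1} user=jdoe result=fail portal=sslvpn")
    lines.append("2025-03-17T10:12:00Z src=10.0.0.5 user=alice result=success portal=sslvpn")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(a)
```

The per-account rule is the one most teams lack: with proxy rotation, each source address may produce only one or two failures and never trip a per-IP threshold, while the targeted account quietly accumulates dozens. Feed the same three rules with the portal's own logs and you have a first-pass detector for the pattern this tool produces.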
5. Active Exploitation of Cisco Smart Licensing Utility Vulnerabilities
Attackers are actively exploiting unpatched instances of Cisco's Smart Licensing Utility (CSLU) through two vulnerabilities: CVE-2024-20439, a critical flaw in which a hardcoded administrative account with static credentials grants unauthenticated remote access to the application's API, and CVE-2024-20440, a high-severity information disclosure in which a crafted HTTP request returns a log file containing sensitive credentials. Chained together, or with other weaknesses, they pose a serious risk of system compromise and data theft.
CSLU is a Windows-based tool for managing Cisco licenses without a cloud connection. According to cybersecurity researchers, exploitation is only possible while the CSLU application is running; it does not run as a background service by default and must be started by a user. Technical details, including the decoded static password, were published shortly after Cisco's patch release, increasing the likelihood of attacks.
Threat actors are already targeting exposed CSLU systems for unauthorized access, credential theft, and lateral movement. Organizations are strongly advised to patch immediately, restrict internet exposure, monitor logs, and follow Cisco’s advisories to reduce attack surface and maintain security.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.