Chinese Espionage Group Leverages Check Point Flaw for Advanced Persistent Attacks


Recent cybersecurity incidents highlight an evolving threat landscape in which attackers are exploiting critical vulnerabilities across a range of platforms. A newly identified China-aligned espionage group is targeting European healthcare organizations, exploiting CVE-2024-24919 in Check Point security products to deploy PlugX and ShadowPad malware for credential theft, lateral movement, and ransomware deployment. Meanwhile, OpenSSH vulnerabilities (CVE-2025-26465 and CVE-2025-26466) expose millions of servers to Man-in-the-Middle (MitM) and Denial-of-Service (DoS) attacks, underscoring the need for immediate updates and strict SSH security controls. XLoader malware is being distributed via DLL side-loading through the Eclipse jarsigner.exe tool, compromising system and browser data. Juniper Networks’ critical authentication bypass flaw (CVE-2025-21589) also poses a major risk, allowing attackers to gain administrative control over vulnerable routers. Lastly, North Korean APT43 (Kimsuky) is targeting South Korean entities with DEEP#DRIVE, using PowerShell-based payload execution and Dropbox for data exfiltration. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.


1. Espionage Group Leverages Check Point Flaw for Advanced Persistent Attacks

A newly identified China-aligned threat group is targeting European healthcare organizations with PlugX and ShadowPad malware, exploiting CVE-2024-24919 in Check Point network security products. This campaign, dubbed “Green Nailao” by cybersecurity researchers, enables attackers to steal credentials, move laterally, and deploy NailaoLocker ransomware—a basic yet disruptive strain. While espionage appears to be the primary motive, financial gain is also a likely driver.

To mitigate risks, organizations must apply security updates for CVE-2024-24919, enforce MFA for VPN access, and monitor for unusual login activity. Strengthening defenses against DLL side-loading attacks, implementing network segmentation, and enhancing RDP monitoring can limit lateral movement. Deploying behavioral-based threat detection, maintaining offline backups, and regularly testing ransomware recovery plans will further strengthen security posture. As attackers shift tactics, proactive monitoring and rapid patching are crucial to staying ahead of evolving threats.

2. OpenSSH Vulnerabilities Expose Servers to MitM and DoS Attacks

Cybersecurity researchers have identified two critical vulnerabilities in OpenSSH, affecting millions of servers worldwide. CVE-2025-26465, a Man-in-the-Middle (MitM) flaw, has existed since 2014, allowing attackers to hijack SSH sessions when ‘VerifyHostKeyDNS’ is enabled. Meanwhile, CVE-2025-26466, a pre-authentication Denial of Service (DoS) vulnerability, introduced in 2023, enables attackers to overload system resources, potentially crashing affected systems.

To mitigate risks, organizations must immediately update to OpenSSH 9.9p2, which patches both flaws. Disabling ‘VerifyHostKeyDNS’ unless strictly necessary, enforcing strict SSH access controls, and monitoring for anomalous SSH traffic are crucial security measures. Additionally, implementing rate limits on SSH requests, auditing logs regularly, and verifying host keys manually can help prevent exploitation. As attackers increasingly target SSH weaknesses, proactive security configurations and timely patching remain critical to maintaining secure remote access.
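As an added example (not from the SISA advisory), a small Python check that combines the two mitigations above: it parses the version from `ssh -V` output or a server banner and the effective client setting from `ssh -G <host>` output (or ssh_config text), then reports exposure to each CVE. The 9.9p2 threshold comes from the advisory; the sample banner and config are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Assumption taken from the advisory: 9.9p2 is the first release fixing both CVEs.
PATCHED = (9, 9, 2)

def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, portable-patch) from `ssh -V` output or a server
    banner, e.g. 'OpenSSH_9.6p1 Ubuntu-3ubuntu13.5' -> (9, 6, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison orders 9.9p1 < 9.9p2 < 9.10p1 < 10.0p1 correctly."""
    return version >= PATCHED

def verify_host_key_dns_enabled(config: str) -> bool:
    """Read the client option from `ssh -G <host>` output (flat, lowercase) or
    raw ssh_config text. 'yes' and 'ask' both trigger the SSHFP DNS lookup that
    CVE-2025-26465 abuses, so both count as enabled. ssh_config keeps the first
    value it sees; Host-block scoping is not evaluated here, so prefer `ssh -G`."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            return parts[1].strip().lower() in ("yes", "ask")
    return False  # OpenSSH default is 'no'

def assess(banner: str, config: str) -> Dict[str, bool]:
    """Combine version and option into per-CVE exposure flags. Every build below
    9.9p2 is treated as exposed to the DoS; a build predating the 2023 introduction
    would be a false positive, acceptable when the remedy is upgrading anyway."""
    version = parse_openssh_version(banner)
    patched = version is not None and is_patched(version)
    dns = verify_host_key_dns_enabled(config)
    return {
        "patched": patched,
        "verifyhostkeydns": dns,
        "mitm_exposed": dns and not patched,   # CVE-2025-26465 needs the option on
        "dos_exposed": not patched,            # CVE-2025-26466 depends on version alone
    }

if __name__ == "__main__":
    # Constructed sample values, not output captured from a live host.
    print(assess("OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024",
                 "verifyhostkeydns yes\nstricthostkeychecking ask\n"))
```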

3. XLoader Malware Uses DLL Side-Loading via Eclipse Jarsigner for Data Theft

Cybersecurity researchers have uncovered a malware campaign that uses DLL side-loading to distribute XLoader, a data-stealing malware. Attackers use jarsigner.exe, a legitimate Eclipse Foundation tool, to execute tampered DLLs, which decrypt and inject the malicious payload. Once active, XLoader steals system and browser data, downloads additional malware, and evades detection using obfuscation and encrypted C2 communications.

To mitigate risks, organizations should block execution of unsigned DLLs, monitor for suspicious process activity (e.g., jarsigner.exe launching unknown DLLs), and implement application whitelisting. Regularly update endpoint security solutions, analyze network traffic for obfuscated C2 patterns, and avoid executing unverified ZIP archives. Strengthening defenses through DLL verification policies and continuous threat intelligence updates will help counter evolving Malware-as-a-Service (MaaS) threats. As attackers refine their techniques, proactive security measures remain crucial in preventing data breaches.
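An added example, not part of the advisory, that implements the monitoring suggested in sections 1 and 3: it scans constructed Sysmon Event ID 7 (image load) records for the side-loading pattern described here, a legitimate host such as jarsigner.exe loading an unsigned DLL staged beside it in a user-writable directory. The host list, path markers and sample records are assumptions for illustration.

```python
import ntpath
from typing import Dict, List, Tuple

# Assumed baseline of signed, legitimate binaries known to be abused as
# side-loading hosts; the advisory names jarsigner.exe, the set is illustrative.
SIDELOAD_HOSTS = {"jarsigner.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments that mark user-writable staging locations (e.g. extracted ZIP archives).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")

def analyse_image_load(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 7 record looks like DLL side-loading."""
    image = rec["Image"].lower()
    loaded = rec["ImageLoaded"].lower()
    if ntpath.basename(image) not in SIDELOAD_HOSTS:
        return []
    if loaded.startswith(SYSTEM_DIRS):
        return []  # OS DLLs loaded from system directories are expected
    reasons = []
    signed_ok = rec.get("Signed", "false").lower() == "true" and rec.get("SignatureStatus") == "Valid"
    if not signed_ok:
        reasons.append("side-load host loaded an unsigned or invalid-signature DLL")
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    if same_dir and any(marker in image for marker in USER_WRITABLE):
        reasons.append("host binary and DLL staged together in a user-writable directory")
    return reasons

def scan(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flatten findings to (RecordId, reason) pairs for alerting."""
    return [(r["RecordId"], why) for r in records for why in analyse_image_load(r)]

# Constructed sample records using Sysmon Event ID 7 field names; not real telemetry.
SAMPLE_RECORDS = [
    {"RecordId": "1", "Image": r"C:\Users\alice\Downloads\Invoice\jarsigner.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Invoice\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"RecordId": "2", "Image": r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"RecordId": "3", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Invoice\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_RECORDS):
        print(f"record {record_id}: {reason}")
```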

4. Critical Juniper Router Flaw Allows Attackers to Bypass Authentication

Researchers have identified CVE-2025-21589, a critical authentication bypass flaw (CVSS 9.8) affecting Juniper’s Session Smart Router, Session Smart Conductor, and WAN Assurance Router products. This vulnerability allows attackers to bypass authentication and gain full administrative control, posing risks of device takeover, data interception, and lateral movement across networks. While no active exploitation has been reported, organizations must update to patched versions immediately to mitigate potential threats.

To reduce risk, organizations should upgrade affected devices to the latest firmware, restrict administrative access to trusted IPs, and isolate management interfaces from external access. Enabling multi-factor authentication (MFA), monitoring network logs for suspicious authentication attempts, and deploying intrusion detection systems (IDS/IPS) will further enhance security. Additionally, conducting regular security audits and establishing a response plan ensures preparedness against potential attacks. As network infrastructure remains a high-value target, proactive patching and strict access controls are essential.

5. Hackers Exploit PowerShell and Dropbox in Targeted Attacks on South Korea

Researchers have discovered DEEP#DRIVE, a sophisticated phishing campaign by North Korea-linked APT43 (Kimsuky) targeting South Korean government, business, and cryptocurrency sectors. The attack delivers malicious .LNK files masquerading as legitimate documents, leading to PowerShell-based payload execution and data exfiltration via Dropbox. The attackers establish persistence using scheduled tasks and leverage OAuth token authentication to stealthily exfiltrate data. The use of short-lived infrastructure suggests active monitoring by the threat actors.

To mitigate risks, organizations should train employees to recognize phishing attempts, restrict execution of unknown PowerShell scripts, and monitor endpoint activity for suspicious processes. Blocking unauthorized Dropbox access, auditing scheduled tasks, and enforcing PowerShell Constrained Language Mode can further strengthen defenses. Implementing network segmentation and monitoring outbound traffic for unusual Dropbox API activity will help detect and prevent unauthorized data exfiltration. Proactive detection and phishing awareness remain critical against evolving APT tactics.
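To support the scheduled-task auditing and PowerShell restrictions recommended above, here is an added example (not from the advisory) that parses Task Scheduler XML, as exported by `schtasks /query /xml`, and flags PowerShell actions carrying hidden-window, policy-bypass, encoded-command, download or Dropbox indicators. The indicator patterns and the two sample task definitions are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicator patterns for a scheduled PowerShell action; assumed for illustration and
# drawn from the behaviours the advisory describes (hidden execution, encoded or
# downloaded payloads, Dropbox as the exfiltration channel).
SUSPICIOUS_ARGS = [
    (r"-e(nc(odedcommand)?)?\s", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"downloadstring|invoke-webrequest|\biwr\b", "remote download"),
    (r"dropbox", "dropbox reference"),
]
POWERSHELL = re.compile(r'(powershell|pwsh)(\.exe)?"?$')

def audit_task_xml(xml_text: str) -> List[str]:
    """Return indicator labels for every PowerShell <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if not POWERSHELL.search(command):
            continue  # only PowerShell actions are in scope for this check
        findings += [label for pat, label in SUSPICIOUS_ARGS if re.search(pat, args, re.I)]
    return findings

# Constructed task definitions (XML declaration omitted; real exports are UTF-16 text).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -enc PLACEHOLDERBASE64==</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -File C:\\Scripts\\rotate-logs.ps1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task_xml(SUSPICIOUS_TASK))  # hidden window, bypass and encoded-command labels
    print(audit_task_xml(BENIGN_TASK))      # []
```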

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
