Cloud-Trusted Phish, Kernel Stealth, and Internet-Facing Exploit Chains

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Data Store Memory Leakage Goes Remote

A subtle protocol-handling flaw is enough to spill sensitive in-memory data—especially dangerous when the service is reachable pre-auth.

  • MongoDB Server heap disclosure (CVE-2025-14847) — Unauthenticated attackers can trigger reads of uninitialized heap memory by abusing length mismatches in Zlib-compressed headers. It’s not RCE, but memory leakage can expose sensitive artifacts and materially boost follow-on exploitation and recon.

2. Government-Themed Phish Turns into Modular RAT Ops

Threat actors are sharpening region-specific lures (tax, government notices) to drive high-trust clicks and deploy stealthy, plugin-based RAT families.

  • Silver Fox targets India with Income Tax lures → ValleyRAT — PDF → typosquat → ZIP/NSIS chain uses DLL sideloading via a legit Thunder binary, disables defenses, and injects into explorer.exe for long-term, low-noise surveillance with on-demand plugins.

3. Signed Kernel Stealth Becomes the Loader Layer

The bar is rising: attackers are pushing execution beneath user-mode visibility to survive EDR friction and complicate response.

  • Mustang Panda deploys signed kernel-mode rootkit to load ToneShell — A mini-filter driver (signed with an older/stolen cert) interferes with Defender components, protects its processes, and stages user-mode injection while minimizing durable artifacts—making memory forensics and kernel telemetry far more important.

4. API Gateways Become the New “Front Door” Risk

When authentication enforcement breaks in an API management layer, the blast radius can include everything behind it—often across critical business services.

  • IBM API Connect auth bypass (CVE-2025-13915) — Critical pre-auth bypass risk (CVSS 9.8) that can allow remote access to exposed applications/services. Even without confirmed in-the-wild exploitation, gateway-class flaws tend to attract rapid weaponization because they sit at high-value choke points.

5. Botnets Treat Framework CVEs as Fuel

Automated scanning + rapid exploit integration continues to compress the “time-to-compromise,” especially for exposed web stacks.

  • RondoDox exploits React2Shell (CVE-2025-55182) for Next.js takeovers — Mass scanning precedes multi-payload drops (miner + botnet loader + Mirai variant), plus aggressive “process-killer” behavior to evict competing malware and lock in persistence via cron.

6. India-Focused Espionage: Living-off-the-Land, Persistence by Design

Campaigns are increasingly adaptive—changing persistence methods based on endpoint security posture to maximize survival.

  • Transparent Tribe (APT36) LNK/HTA spearphish for persistent remote access — ZIP-delivered LNK masquerading as PDF triggers mshta.exe, loads payloads in memory, and varies persistence based on detected AV (Startup LNKs, batch stages, registry autoruns). Designed for long-haul access into government/academic targets.

7. Cloud-Trusted Phishing Becomes a Delivery Primitive

Attackers are abusing native cloud automation and reputable domains to bypass reputation-based controls and make phishing look “official.”

  • Google Cloud Application Integration abused to send phishing at scale — Emails originate from legitimate Google infrastructure, use multi-hop redirects (Google storage/usercontent, then external hosting) to steal Microsoft 365 credentials and push OAuth consent phishing via Microsoft Azure Active Directory—turning “trusted cloud” into a credibility amplifier.

Proactive Steps for the Week

  • Patch the externally exposed first: MongoDB to fixed builds; IBM API Connect fixes/ifixes; Next.js patched for CVE-2025-55182.

  • Kill pre-auth blast radius: verify no internet exposure for MongoDB/API gateways; enforce strict network ACLs + private endpoints + jump access for admin planes.

  • Hunt for phish-to-loader chains: flag mshta.exe execution, LNK-from-ZIP behavior, NSIS installer runs, Donut-style injection into explorer.exe, and new scheduled tasks/Defender exclusions.

  • Add kernel + memory readiness for high-value fleets: enable kernel telemetry where possible, and pre-stage memory capture playbooks for suspected rootkit/driver-based incidents.

  • Lock down OAuth consent paths: restrict user OAuth consent to approved apps, alert on new grants, and review token/refresh-token anomalies.

  • Tighten cloud-email trust assumptions: treat “legit domain” notifications as untrusted until links are detonated/rewritten; add URL chain analysis and conditional access checks on login prompts.
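As an added example (not code from the SISA advisory), a small Python triage pass over constructed Sysmon-style process-creation events for the phish-to-loader indicators listed above: mshta.exe execution, LNK-from-ZIP launches, NSIS installer runs, new scheduled tasks and Defender exclusions. Field names, sample paths and the rule heuristics are assumptions.

```python
import re

# Each rule: (tag, fields searched, pattern). Paths are matched case-insensitively.
RULES = [
    ("mshta_execution", ("image",), re.compile(r"\\mshta\.exe$", re.I)),
    # Explorer stages a file opened from inside a ZIP under %TEMP%\Temp1_<zipname>\
    ("lnk_from_zip", ("cwd",), re.compile(r"\\Temp\\Temp1_[^\\]+\.zip\\?$", re.I)),
    # NSIS installers unpack plugins and stages into %TEMP%\ns<id>.tmp\
    ("nsis_installer", ("image", "cmdline"), re.compile(r"\\ns[a-z0-9]+\.tmp\\", re.I)),
    ("defender_exclusion", ("cmdline",),
     re.compile(r"Add-MpPreference.*-Exclusion|Windows Defender\\Exclusions", re.I)),
    ("scheduled_task", ("cmdline",), re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
]

def triage(events):
    """Return [(event id, [matching tags])] for events that hit at least one rule."""
    hits = []
    for ev in events:
        tags = [tag for tag, fields, rx in RULES
                if any(rx.search(ev.get(f, "")) for f in fields)]
        if tags:
            hits.append((ev["id"], tags))
    return hits

# Constructed sample telemetry (Sysmon-style process creation), not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cwd": r"C:\Users\u\AppData\Local\Temp\Temp1_notice.zip",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Temp1_notice.zip\notice.hta"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\u",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\ProgramData"'},
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\nsa4F3.tmp\ns7B21.tmp",
     "parent": r"C:\Users\u\Downloads\notice.exe", "cwd": r"C:\Users\u\AppData\Local\Temp",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\nsa4F3.tmp\ns7B21.tmp" schtasks /create /sc minute /tn Updater /tr C:\ProgramData\t.exe'},
    {"id": 4, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\u\Documents",
     "cmdline": r'WINWORD.EXE /n "C:\Users\u\Documents\report.docx"'},
]

if __name__ == "__main__":
    for event_id, tags in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(tags)}")
```

Tags are ordered as in RULES, so an event that hits several rules (e.g. an NSIS stage creating a scheduled task) surfaces the whole chain in one line; tune the patterns to your own telemetry field names before use.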

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
