Cyber Threat Alert: Silk Typhoon Weaponizes IT Supply Chains for Widespread Intrusions

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent incidents include Silk Typhoon’s shift from targeting Microsoft Exchange vulnerabilities to weaponizing IT supply chains, leveraging zero-day flaws in Ivanti, Palo Alto Networks, Citrix, and Microsoft Exchange to infiltrate corporate networks. Additionally, Storm-0408’s large-scale malvertising campaign has exposed over one million devices to info-stealing malware by distributing Lumma Stealer, Doenerium, and NetSupport RAT through GitHub, Discord, and Dropbox. The SideWinder APT group has intensified its cyber espionage operations, exploiting a Microsoft Office vulnerability (CVE-2017-11882) to infiltrate maritime, energy, and IT sectors. Meanwhile, the Mora_001 ransomware group is actively exploiting Fortinet authentication bypass flaws (CVE-2024-55591 & CVE-2025-24472) to deploy SuperBlack ransomware, while UNC3886 is leveraging end-of-life Juniper MX routers to establish stealthy persistence using TinyShell-based backdoors. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Silk Typhoon Weaponizes IT Supply Chains for Widespread Intrusions

China-linked threat actor Silk Typhoon (formerly Hafnium) has shifted from exploiting Microsoft Exchange vulnerabilities to targeting IT supply chains. They leverage zero-day flaws in Ivanti, Palo Alto Networks, Citrix, and Microsoft Exchange, along with API key theft, password spraying, and remote management tool abuse to infiltrate corporate networks. Once inside, they move laterally into cloud environments, exfiltrate sensitive data, and use compromised network appliances like Cyberoam, Zyxel, and QNAP to evade detection. Their primary targets include IT service providers, government, healthcare, defense, and critical infrastructure sectors. Organizations must mitigate these risks by applying security patches, enforcing MFA, monitoring cloud access logs, restricting OAuth applications, disabling unnecessary internet-facing services, implementing Zero Trust Architecture, securing third-party IT service providers, and conducting regular penetration testing. Silk Typhoon’s evolving tactics pose a significant cyber-espionage threat, making proactive monitoring, rapid response, and robust security controls essential to safeguard critical infrastructure.

2. Global Malvertising Attack Exposes 1 Million Devices to Info-Stealing Malware

Microsoft has uncovered a large-scale malvertising campaign run by the threat actor tracked as Storm-0408, affecting over one million devices globally. First detected in December 2024, the campaign uses malicious ads on illegal streaming websites to redirect victims through multiple stages, ultimately leading to malware infections. Attackers leverage GitHub, Discord, and Dropbox to host and distribute malware such as Lumma Stealer, Doenerium, and NetSupport RAT, aiming to steal system credentials, browser data, and cryptocurrency wallets. The infection chain involves system reconnaissance, data theft, remote access, and defense evasion using PowerShell, VBScript, and AutoIT scripts. Organizations should mitigate risks by blocking known malicious domains, enabling Microsoft Defender Attack Surface Reduction (ASR) rules, monitoring security logs for suspicious activity, restricting unauthorized script execution, and educating users about malvertising threats. Proactive threat detection, forensic analysis, and credential resets are essential to contain infections. Storm-0408’s sophisticated multi-layered redirection tactics highlight the need for robust endpoint protection and continuous monitoring.

3. SideWinder APT Strikes Maritime, Energy, and IT Sectors Across Multiple Regions

SideWinder, a persistent threat group, is targeting maritime, logistics, diplomatic, and critical infrastructure sectors across South and Southeast Asia, the Middle East, and Africa. Their attacks use spear-phishing emails with malicious documents that exploit the Microsoft Office vulnerability (CVE-2017-11882) to deploy ModuleInstaller, a .NET-based downloader, leading to the StealerBot post-exploitation toolkit. The group rapidly modifies its malware to evade detection, ensuring persistence. Organizations must mitigate risks by applying security patches, training employees to recognize spear-phishing emails, deploying endpoint detection and response (EDR) solutions, monitoring network traffic, implementing least privilege access controls, and strengthening incident response protocols. SideWinder’s adaptability and use of old but effective exploits highlight the importance of proactive security defenses, behavioral threat detection, and continuous monitoring. With a focus on espionage and data theft, SideWinder remains a highly sophisticated and evolving cyber threat that organizations must actively defend against.

4. Hackers Exploit Fortinet Auth Bypass Flaws to Deploy SuperBlack Ransomware

A newly identified ransomware group, Mora_001, is exploiting Fortinet vulnerabilities (CVE-2024-55591 & CVE-2025-24472) to gain super_admin access to FortiGate firewalls and deploy the SuperBlack ransomware. Attackers use WebSocket-based exploits and HTTPS requests to create rogue admin accounts, steal credentials, move laterally, and exfiltrate sensitive data before encryption. To evade detection, they deploy WipeBlack, a custom wiper malware, erasing traces of the attack and obstructing forensic investigations. Evidence suggests ties between Mora_001 and LockBit, including shared infrastructure, ransom negotiation tactics, and the use of WipeBlack. Organizations must mitigate risks by applying Fortinet patches, restricting remote admin access, enforcing MFA, monitoring admin logins, implementing role-based access controls (RBAC), and maintaining offline backups. Deploying anomaly detection, forensic logging, and deception technology is essential to identify early exploitation signs. With its advanced evasion tactics, Mora_001 represents a severe ransomware threat, requiring proactive defenses and rapid incident response.
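As an added illustration (not code from the advisory or from Fortinet), the detection sketch below flags two of the signals mentioned above: admin logins from outside an allowlisted management network, and creation of FortiGate admin accounts that are not in the known inventory. The log lines are constructed, and the field names (user, srcip, logdesc, action, cfgpath, cfgobj), the management networks and the admin inventory are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed FortiGate-style key=value event lines (not real device output).
SAMPLE_LOGS = """\
date=2025-03-10 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.5.12)" srcip=10.0.5.12 action="login"
date=2025-03-10 time=23:41:17 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login"
date=2025-03-10 time=23:42:03 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="Add" cfgpath="system.admin" cfgobj="forticloud-sync"
date=2025-03-11 time=08:03:44 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(10.0.5.12)" srcip=10.0.5.12 action="Edit" cfgpath="firewall.policy" cfgobj="22"
"""

MGMT_NETS = [ip_network("10.0.5.0/24")]   # assumed allowlisted admin networks
KNOWN_ADMINS = {"admin", "netops"}        # assumed inventory of legitimate admin accounts

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def outside_mgmt(src):
    """True when the source IP is not inside any allowlisted management network."""
    return src is not None and not any(ip_address(src) in net for net in MGMT_NETS)


def analyze(log_text):
    """Return (alert_type, subject, srcip) tuples for suspicious admin activity."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("type") != "event":
            continue
        src = ev.get("srcip")
        # Signal 1: successful admin login from outside the management networks
        if ev.get("logdesc") == "Admin login successful" and outside_mgmt(src):
            alerts.append(("admin_login_outside_mgmt", ev.get("user"), src))
        # Signal 2: a new admin object added; unknown names are the rogue-account case
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            kind = "admin_account_readded" if ev.get("cfgobj") in KNOWN_ADMINS else "new_admin_account_unknown"
            alerts.append((kind, ev.get("cfgobj"), src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

In production the same two rules would run against the firewall's syslog feed rather than an embedded string, and the allowlist and inventory would come from configuration management.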

5. UNC3886 Exploits End-of-Life Juniper Routers to Deploy Stealthy Backdoors

China-linked cyber espionage group UNC3886 is exploiting end-of-life Juniper MX routers to deploy TinyShell-based backdoors, ensuring long-term network persistence. By targeting legacy devices with weak security protections, the group gains access using stolen credentials, bypasses Junos OS protections, and disables logging to remain undetected. Their implants provide remote access and packet sniffing, with both UDP- and TCP-based backdoor variants, alongside rootkits (Reptile, Medusa) and anti-forensic tools (PITHOOK, GHOSTTOWN). A newly disclosed Juniper vulnerability (CVE-2025-21590) further enables malware deployment on veriexec-protected routers, highlighting UNC3886’s focus on stealthy, infrastructure-based cyber espionage. Organizations must upgrade Juniper MX routers, apply security patches, enforce MFA, restrict SSH access, segment networks, and conduct regular forensic audits. Disabling outdated services, removing unused accounts, and correlating logs with threat intelligence can further mitigate risks. Given UNC3886’s expertise in stealth and long-term access, securing network infrastructure remains critical in defending against state-sponsored cyber threats.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
