LATEST THREAT INTELLIGENCE.

Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability

Description: A critical vulnerability in Gladinet's CentreStack and Triofox products has been discovered, involving hardcoded cryptographic keys in their AES implementation. This flaw allows potential access to the web.config file, enabling deserialization and remote code execution. Attackers are actively targeting this vulnerability across various organizations. The issue stems from static encryption keys derived from unchanging Chinese and Japanese text strings, allowing for decryption and creation of access tickets. Exploitation attempts have been observed across multiple sectors, with attackers using the vulnerability to obtain machine keys and perform viewstate deserialization attacks. Immediate updates to the latest version and machine key rotation are recommended for mitigation.

Created at: 2025-12-11T18:25:34.482000

Updated at: 2026-01-10T18:03:22.676000

It didn’t take long: CVE-2025-55182 is now under active exploitation

Description: A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.

Created at: 2025-12-11T15:16:52.116000

Updated at: 2026-01-10T15:00:39.782000

Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack

Description: The Chinese APT group Silver Fox has launched an SEO poisoning campaign targeting Chinese-speaking users, impersonating Microsoft Teams. The campaign uses a modified ValleyRAT loader with Cyrillic elements to mislead attribution. Silver Fox aims to conduct both espionage and financial fraud, and this dual mission makes it a significant threat. The attack chain involves a fake Teams website, malicious ZIP files, and binary data retrieved from XML and JSON files. The malware abuses rundll32.exe for binary proxy execution and establishes C2 communication. Attribution to Silver Fox is based on overlapping infrastructure and links to previous campaigns. Organizations with global operations, especially in China, are advised to implement robust security measures and logging capabilities to defend against this evolving threat.

Created at: 2025-12-10T17:22:42.524000

Updated at: 2026-01-09T17:02:40.379000

PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

Description: A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. PeerBlight uses the BitTorrent DHT network as a fallback C2 mechanism. CowTunnel initiates outbound connections to attacker-controlled FRP servers. ZinFoq implements interactive shells, SOCKS5 proxying, and timestomping capabilities. A Kaiji botnet variant is also being distributed. The exploitation attempts target multiple industries and use automated tools. Immediate patching is recommended due to the ease of exploitation.

Created at: 2025-12-10T14:34:45.882000

Updated at: 2026-01-09T14:02:44.069000

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat

Description: A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy AMOS, a multi-stage malware that harvests credentials, escalates privileges, and establishes persistence. The attack bypasses traditional security measures by leveraging legitimate platforms and user behavior, making it particularly insidious. AMOS targets cryptocurrency wallets, browser data, and system information, exfiltrating sensitive data to attacker-controlled servers. This campaign represents a significant evolution in social engineering techniques, exploiting the growing reliance on AI assistants for technical guidance.

Created at: 2025-12-10T12:06:40.154000

Updated at: 2026-01-09T12:04:04.160000

CNCERT: Risk Warning on the "Black Cat" Gang Using Search Engines to Spread Counterfeit Notepad++ Downloads Carrying Remote-Control Backdoors

Description: CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. The gang uses search engine optimization (SEO) techniques to push meticulously crafted phishing websites to the top of search results for targeted keywords. Users who visit these high-ranking phishing pages are lured by carefully designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, allowing attackers to steal sensitive data from the host computer.

Created at: 2026-01-09T10:24:39.419000

Updated at: 2026-01-09T10:25:55.815000

Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools

Description: The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and click-fix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.

Created at: 2026-01-09T09:47:05.226000

Updated at: 2026-01-09T10:10:11.596000

Reborn in Rust: MuddyWater Evolves Tooling with RustyWater Implant

Description: The MuddyWater APT group has launched a spearphishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign employs icon spoofing and malicious Word documents to deliver a Rust-based implant dubbed 'RustyWater'. This new tool represents a significant upgrade from the group's traditional PowerShell and VBS loaders, offering capabilities such as asynchronous C2, anti-analysis features, registry persistence, and modular post-compromise expansion. The attack chain begins with a malicious email carrying an attached document that triggers a multi-stage process, ultimately leading to deployment of the RustyWater implant. This evolution in MuddyWater's toolkit demonstrates the group's adoption of more sophisticated, structured, and stealthy attack methods.

Created at: 2026-01-08T18:12:01.321000

Updated at: 2026-01-09T09:37:33.395000

Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil

Description: The Boto Cor-de-Rosa campaign reveals Astaroth's new strategy of exploiting WhatsApp Web for propagation. This Brazilian banking malware now uses a Python-based worm module to retrieve victims' WhatsApp contact lists and automatically send malicious messages, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic script that downloads additional components. The malware then operates two parallel modules: a propagation module for spreading through WhatsApp contacts, and a banking module for credential stealing. This campaign demonstrates Astaroth's evolution, combining traditional malware techniques with sophisticated social engineering and multi-platform propagation, primarily targeting Brazilian users.

Created at: 2026-01-08T18:12:03.116000

Updated at: 2026-01-09T09:23:54.194000

Guloader Malware Being Disguised as Employee Performance Reports

Description: ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.

Created at: 2026-01-08T18:12:08.252000

Updated at: 2026-01-09T09:22:49.392000