backdoor Archives

Winsage

April 9, 2025

Microsoft: Windows CLFS zero-day exploited by ransomware gang

Microsoft reported that the RansomEXX ransomware gang has been exploiting a critical zero-day vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, allowing them to gain SYSTEM privileges on targeted systems. This vulnerability stems from a use-after-free flaw and affects organizations in various sectors, including IT and real estate in the US, financial institutions in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has released security updates for most affected Windows versions but has postponed patches for Windows 10 x64 and 32-bit systems. Customers running Windows 11, version 24H2, are not vulnerable to the exploitation. The RansomEXX group, also known as Storm-2460, uses the PipeMagic backdoor malware to facilitate the exploitation of CVE-2025-29824, alongside ransomware payloads. The group has targeted high-profile organizations, including GIGABYTE, Konica Minolta, the Texas Department of Transportation, Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.

Winsage

March 28, 2025

Mozilla warns Windows users of critical Firefox sandbox escape flaw

Mozilla released Firefox version 136.0.4 to address a critical security vulnerability, CVE-2025-2857, which could allow attackers to escape the browser's sandbox on Windows systems. This flaw, identified by developer Andrew McCreight, affects both standard and extended support releases of Firefox. Mozilla patched this issue in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1. The vulnerability is similar to a recent zero-day exploit in Google Chrome, CVE-2025-2783, which was used in cyber-espionage campaigns against Russian entities. Additionally, Mozilla previously addressed another zero-day vulnerability, CVE-2024-9680, exploited by the RomCom cybercrime group, allowing code execution within Firefox's sandbox. Earlier in the year, Mozilla responded to two zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.

Winsage

March 26, 2025

Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code

Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.

Winsage

March 25, 2025

EncryptHub linked to zero-day attacks targeting Windows systems

A newly identified threat actor, EncryptHub, is involved in Windows zero-day attacks exploiting a vulnerability in the Microsoft Management Console (MMC), known as 'MSC EvilTwin' (CVE-2025-26633). This vulnerability allows attackers to bypass Windows file reputation protections by manipulating MSC files on unpatched systems. Attackers can execute code without user alerts through email or web-based attacks. Trend Micro's research indicates that EncryptHub has used CVE-2025-26633 to deploy various malicious payloads, including the EncryptHub stealer and DarkWisp backdoor, to extract data from compromised systems. The threat actor employs multiple delivery methods and custom payloads to maintain persistence and exfiltrate sensitive information. EncryptHub has been linked to breaches affecting at least 618 organizations globally and is known to deploy ransomware after stealing sensitive data. Microsoft has also patched another zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem.

Winsage

March 12, 2025

Microsoft patches Windows Kernel zero-day exploited since 2023

ESET has identified a zero-day vulnerability in the Windows Win32 Kernel Subsystem, designated as CVE-2025-24983, which has been exploited since March 2023. This vulnerability, stemming from a use-after-free weakness, allows low-privileged attackers to escalate access to SYSTEM privileges without user interaction. It primarily affects older Windows versions, including Windows Server 2012 R2 and Windows 8.1, but also poses risks to newer versions like Windows Server 2016 and Windows 10 (build 1809 and earlier). The exploit was first seen in the wild in March 2023, targeting systems compromised by the PipeMagic malware. Microsoft has addressed this vulnerability in the recent Patch Tuesday updates. Additionally, five other zero-day vulnerabilities were also patched, and CISA has mandated that Federal Civilian Executive Branch agencies secure their systems by April 1st.

AppWizard

March 6, 2025

BadBox Malware Infects 50,000+ Android Devices via 24 Apps on Google Play

HUMAN's Satori Threat Intelligence and Research team has identified a cyberattack named "BADBOX 2.0," which has compromised over 1 million consumer devices globally through 24 malicious applications on the Google Play Store. The operation utilizes a backdoor called BB2DOOR for persistent access to infected devices, primarily distributed via pre-installed apps on low-cost Android devices and third-party marketplaces. Four threat actor groups—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—collaborate in this operation, which supports fraudulent activities such as residential proxy services, programmatic ad fraud, and click fraud, generating up to 5 billion fraudulent bid requests weekly. Despite efforts by HUMAN and Google to disrupt BADBOX 2.0, the threat actors may continue their operations due to the resilience of their supply chain. Users are advised to download apps only from official marketplaces to reduce infection risks.

AppWizard

March 6, 2025

BadBox Malware from Google Play Hacked 50,000+ Android Devices Using 24 Apps

HUMAN Security’s Satori Threat Intelligence team has identified a malware operation called “BADBOX 2.0,” which has compromised over 50,000 Android devices through 24 deceptive applications. This operation is an escalation from the original BADBOX campaign detected in 2023. The malware primarily targets low-cost, off-brand Android Open Source Project devices, including TV boxes, tablets, digital projectors, and vehicle infotainment systems. A backdoor named “BB2DOOR” provides threat actors with persistent access to the compromised systems. Four groups of threat actors—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—are involved, using shared infrastructure for various fraud schemes. The malicious applications mimic legitimate apps in the Google Play Store, generating up to 5 billion fraudulent ad requests weekly. In response, Google has enhanced its protections, including blocking BADBOX behavior during app installation and terminating associated publisher accounts. Infected devices were found to be uncertified Android Open Source Project devices from China. Users are advised to verify certification and avoid unofficial app sources.

AppWizard

February 26, 2025

Swedish authorities seek backdoor to encrypted messaging apps

Sweden's law enforcement and security agencies are pushing for legislation that would require messaging platforms Signal and WhatsApp to create technical backdoors for accessing encrypted communications. Meredith Whittaker, President of the Signal Foundation, stated that Signal would exit the Swedish market if forced to comply. The proposed bill could be presented to the Riksdag, requiring Signal and WhatsApp to retain messages and allow authorities to access message histories of criminal suspects. Justice Minister Gunnar Strömmer argued that access to this data is essential for combating crime. However, the Swedish Armed Forces oppose the bill, citing concerns that backdoors could create vulnerabilities for exploitation. Neither Signal nor WhatsApp has commented on the issue. This situation reflects a larger global debate on encrypted communication and law enforcement access, with similar legislative efforts seen in the U.S. and the U.K.

Winsage

February 18, 2025

Earth Preta APT Exploit Microsoft Utility Tool to Control Windows

Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.

Tech Optimizer

February 14, 2025

New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks

Tulsi Gabbard, the newly appointed U.S. Director of National Intelligence, is involved in a debate over digital privacy and national security due to the UK's reported directive to Apple to create a backdoor for accessing encrypted iCloud data. U.S. lawmakers, including Senator Ron Wyden and Representative Andy Biggs, have expressed concerns that such a backdoor could compromise data security and expose sensitive information to unauthorized access and cyber threats. They argue that this policy could have global implications for data protection standards. Gabbard's response to the issue may impact the U.S. stance on encryption and privacy.