exploits Archives

AppWizard

August 20, 2025

Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Cybersecurity experts at Doctor Web have identified a new variant of Android malware called Android.Backdoor.916.origin, active since January 2025. This malware can eavesdrop on conversations, steal messages, stream video, and log keystrokes. It targets Russian business representatives rather than average users, being distributed through direct messages as a fake antivirus app named GuardCB, which mimics the Russian Central Bank's emblem. The app requests extensive permissions, including geolocation, audio recording, camera access, and SMS data, and can function as a keylogger. It is designed for persistence, launching background services and communicating with multiple command-and-control servers. The malware can livestream audio, broadcast video, capture text, and upload contacts and call history. It exploits Android’s Accessibility Service to capture keystrokes and prevent uninstallation. The interface is exclusively in Russian, indicating it is specifically designed for a targeted group. Users in Russia are advised to download applications only from trusted sources to mitigate risks.

Winsage

August 19, 2025

Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft

Microsoft has identified a sophisticated malware called PipeMagic, disguised as a ChatGPT desktop application, linked to the threat actor Storm-2460, who is preparing for ransomware attacks. This malware exploits a zero-day vulnerability (CVE-2025-29824) affecting the Windows Common Log File System Driver (CFLS), first disclosed in April. PipeMagic has targeted sectors such as information technology, financial, and real estate across the U.S., Europe, South America, and the Middle East. It emerged in 2022 during attacks on Asian entities and resurfaced in September 2024. Victims see a blank screen upon opening the malicious application, complicating detection. Hackers modified an open-source ChatGPT project to embed malicious code that activates the malware, allowing privilege escalation and ransomware deployment. Kaspersky reported that PipeMagic was used in a RansomExx ransomware campaign, and Symantec noted its exploitation by the Play ransomware group.

Winsage

August 19, 2025

Threat Actors Abuse Microsoft Help Index File to Execute PipeMagic Malware

Cybersecurity researchers have identified a malware campaign that uses Microsoft Help Index Files (.mshi) to deploy the PipeMagic backdoor, which has primarily targeted organizations in Saudi Arabia and Brazil in 2025. PipeMagic first appeared in December 2022 during a RansomExx ransomware campaign and exploits CVE-2025-29824, a vulnerability recognized by Microsoft as actively exploited. The malware has evolved from exploiting CVE-2017-0144 to using advanced social engineering techniques. The latest campaign employs .mshi files containing obfuscated C# code and encrypted payloads, utilizing the MSBuild framework for execution to bypass security controls. The infection process begins with executing a malicious metafile.mshi, which decrypts shellcode using an RC4 stream cipher and executes it via the Windows API function EnumDeviceMonitor. The decrypted shellcode is designed for 32-bit Windows systems and uses evasion techniques to complicate analysis, ultimately establishing the PipeMagic backdoor on the system and enabling communication through a named pipe at 127.0.0.1:8082.

Tech Optimizer

August 18, 2025

Critical PostgreSQL Vulnerabilities Allow Arbitrary Code Injection During Restoration

The PostgreSQL Global Development Group has released emergency security updates for versions 13 through 17 to address three critical vulnerabilities that could allow attackers to execute arbitrary code during database restoration processes. The vulnerabilities are tracked as CVE-2025-8714, CVE-2025-8715, and CVE-2025-8713, with CVE-2025-8714 and CVE-2025-8715 both rated with a CVSS score of 8.8. CVE-2025-8714 allows malicious superusers to inject arbitrary code during restoration via the pg_dump utility, while CVE-2025-8715 exploits improper neutralization of newlines in object names to trigger code execution. CVE-2025-8713, with a CVSS score of 3.1, permits unauthorized access to restricted data within optimizer statistics. The fixed PostgreSQL versions are 17.6, 16.10, 15.14, 14.19, and 13.22, released on August 14, 2025. Organizations are advised to upgrade immediately and implement strict access controls.

AppWizard

August 14, 2025

Surge in Android Malware Targets Banking Apps with NFC Fraud

A new wave of Android malware is targeting banking applications, utilizing techniques such as NFC relay fraud, call hijacking, and root-level exploits. Variants like PhantomCard, SpyBanker, and KernelSU are designed to infiltrate devices and manipulate transactions in real time. PhantomCard mimics legitimate NFC payment processes, SpyBanker hijacks calls from financial institutions, and KernelSU exploits kernel vulnerabilities for persistent access. This malware has affected thousands of devices, with attackers using disguises on the Google Play Store and phishing campaigns. A related variant, Anatsa, impacted over 90,000 users through fake PDF applications. The rise of such malware correlates with the increasing adoption of contactless payments, particularly in Europe and Asia. Experts recommend that banks enhance their defenses with behavioral analytics and that users enable app verification. Additionally, malware like KernelSU allows evasion of detection by operating at the system's core. Cybersecurity firms suggest a multi-layered security approach, including device encryption and AI-driven threat detection, to combat these evolving threats.

AppWizard

August 13, 2025

Battlefield 6 open beta won’t run if you have Valorant installed, thanks to Riot’s anti-cheat — uninstall if you plan to joint the second open beta this weekend

EA will launch a free open beta for Battlefield 6 from August 14 to August 17, featuring the new "Empire State" map and introducing Rush and Squad deathmatch modes. Players can earn free rewards during the beta. However, players with Valorant installed may face issues launching Battlefield 6 due to a "security violation" error caused by Riot Games' anti-cheat software, Riot Vanguard, which operates at the kernel level. This integration can lead to conflicts between the two games' anti-cheat systems, prompting players to uninstall Valorant to avoid compatibility issues.

Winsage

August 13, 2025

Microsoft’s Patch Tuesday gives sys admins a baker’s dozen

Microsoft's August Patch Tuesday addressed 111 vulnerabilities, including 12 classified as critical. A known elevation of privilege flaw in the Windows Kerberos protocol, CVE-2025-53779, has a CVSS score of 7.2 and requires authenticated access for exploitation. Two critical remote code execution (RCE) vulnerabilities, CVE-2025-50165 and CVE-2025-53766, both rated 9.8, were identified in the Windows Graphics Device Interface. SharePoint has a critical RCE bug, CVE-2025-49712, with a severity score of 8.8. Other critical flaws include vulnerabilities in Microsoft Message Queuing, Office, Hyper-V, and Azure Stack Hub. Adobe released fixes for 68 CVEs, including eight critical RCE bugs in InCopy and critical issues in other products like Commerce, InDesign, and Substance 3D applications. SAP issued 15 security notes, including three critical vulnerabilities rated at 9.9 related to code injection in SAP S/4HANA. Intel released 34 advisories addressing 66 vulnerabilities, including high-severity issues in Xeon 6 processors and Intel Ethernet Drivers. Google updated Android to fix several flaws, including two actively exploited Qualcomm vulnerabilities.

Winsage

August 13, 2025

Microsoft Teams RCE Vulnerability Let Attackers Read, Write and Delete Messages

Microsoft has identified a critical remote code execution (RCE) vulnerability in its Teams software, designated as CVE-2025-53783, during the August 2025 Patch Tuesday updates. This heap-based buffer overflow vulnerability allows unauthorized attackers to manipulate user messages and data through network code execution. It has a CVSS 3.1 score of 7.5, categorized as “Important.” Exploitation requires user interaction, such as clicking a malicious link or opening a specially crafted file. Microsoft has issued a fix and recommends users implement the latest security updates. There have been no public disclosures or active exploitation of this vulnerability, and its likelihood of exploitation is assessed as “Less Likely.” The vulnerability is part of a broader update addressing 107 flaws, including a zero-day vulnerability in Windows Kerberos. Security experts advise organizations using Microsoft Teams to prioritize the August 2025 security updates due to the serious risk of data compromise.

AppWizard

August 13, 2025

Beware the strange file in your messages: This “antivirus” app fakes scans, then watches everything

A new Android app called LunaSpy poses as an antivirus or banking protection tool but is actually sophisticated spyware. It spreads mainly through messaging platforms like Telegram, using social engineering tactics to prompt users to grant extensive permissions by generating fake “threats found” notifications. Once granted access, LunaSpy can read text messages, extract credentials, track locations, and record audio or video. The app is distributed through links that encourage users to sideload an APK rather than downloading from the official Play Store. It requests excessive permissions that legitimate antivirus apps would not demand, making devices vulnerable to data exfiltration. Users are advised to avoid installing APKs from chat links, uninstall suspicious applications, review and revoke excessive permissions, and take steps to secure their accounts.

Winsage

August 12, 2025

Windows DoS Flaws Enable DDoS Attacks on Domain Controllers

Researchers from SafeBreach Labs have identified four denial-of-service (DoS) vulnerabilities in Microsoft’s Windows operating system that could allow attackers to use publicly accessible Windows domain controllers in distributed denial-of-service (DDoS) attacks. These vulnerabilities exploit protocols such as Remote Procedure Call (RPC) and Lightweight Directory Access Protocol (LDAP), enabling the creation of stealthy botnets without authentication. The flaws arise from improper handling of RPC and LDAP requests in Windows Server environments, including versions up to 2025. One flaw allows unauthenticated users to trigger infinite loops, consuming system resources and facilitating reflection attacks. Microsoft released patches for these vulnerabilities in August 2025, but unpatched systems remain at risk. The vulnerabilities were disclosed at DEF CON 33, where proof-of-concept attacks were demonstrated. SafeBreach has labeled these flaws as “Win-DoS” due to their widespread applicability. Organizations are advised to audit network exposures and isolate domain controllers to mitigate risks. The increase in hyper-volumetric DDoS attacks highlights the urgency for proactive defenses, including automated mitigation tools and regular vulnerability scans. Experts recommend implementing stringent firewall rules to restrict RPC and LDAP exposure and using behavioral analytics to detect anomalous traffic.