Cascading Style Sheets (CSS) are ever present in modern day web browsing, however its far from their own use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.

Thursday, March 13, 2025 06:00

*   Cisco Talos has identified actors abusing Cascading Style Sheets (CSS) to 1) evade spam filters and detection engines, and 2) track users’ actions and preferences. 
*   This blog is a follow-up to our previous report on how threat actors could abuse CSS using a technique called “hidden text salting” to evade spam filters, email parsers, and detection engines. This technique introduces several security implications. 
*   Additionally, we have observed the abuse of CSS for tracking, which impacts users’ privacy. This abuse ranges from tracking users’ actions to identifying their preferences. Although email clients restrict the execution of JavaScript, we argue that fingerprinting system and hardware configurations is also possible using CSS properties and rules, depending on the users’ clients and system configurations.

Cascading Style Sheets (CSS) specify how HTML materials are rendered and displayed to recipients. In a legitimate context, CSS is mainly used to adjust an email’s content to fit the screen resolution of the recipient. However, we will discuss how CSS can be abused by threat actors to stay under the radar and track recipients at a minimum. The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we've identified in the wild for both evading detection and tracking users. These examples have all been observed from the second half of 2024 up until February 2025.

**The abuse of cascading style sheets for evasion**

Features of HTML and CSS can be used together to include comments and irrelevant content that are not visible to the victim (or recipient) when the email is rendered in an email client but can impact the efficacy of parsers and detection engines. We discussed a few examples in our recent blog post, and we will share more throughout the rest of this section. We will not cover cases that are well-known to the security community, such as including zero-sized fonts.

Threat actors can use the _text\_indent_ property of CSS to conceal content in the email’s body. Below is an example of a phishing email that contains text in different places, but the text is not visible when rendered in an email client.

A phishing email with several gibberish characters added in between the original words.

An inspection of the HTML source of the above email reveals that hidden text salting has been used in several places. For example, in the snippet shown below, the _text-indent_ and _font-size_ properties of CSS are used together to conceal the gibberish characters added in between the original words visible to the recipient of this email.

The HTML source snippet of the above phishing email shows how the __text-indent__ property in CSS is used to hide the irrelevant characters inserted between the original words visible to the recipient of email.

The _text-indent_ property is set to –_9999px_, which moves the text far out of the visible area when the email is rendered in the email client. Additionally, the _font-size_ property is set to an extremely small size, making the text virtually invisible to the human eye on most screens. In some cases, the text color is also set to _transparent_ to ensure the text is completely invisible by rendering it in a color that does not display against any background.

Alternatively, threat actors may use the _opacity_ property of CSS to hide the irrelevant content. An example phishing email is shown below that also impersonates the Blue Cross Blue Shield organization.

A phishing email impersonating the Blue Cross Blue Shield organization.

A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader. Most email templates enable threat actors to add preheader text to their emails. Such text follows the email’s main subject immediately and is a technique that allows attackers to entice readers with additional information. Note that this field is also used in many email marketing and spam campaigns.

In this example, the attacker has set the _opacity_ property of CSS to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including _color_, _height_, _max-height_, and _max-width_. Additionally, the _mso-hide_ property is set to all to make the preheader invisible in Outlook email clients as well. Also, note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.

The HTML source snippet of the above phishing email shows how the __opacity__ property in CSS is used to hide the preheader text in the above email.

In a third example, the HTML smuggling technique is used to redirect the user to the final phishing page. This was a spear phishing email sent to one of our customers in February 2025. Additionally, the HTML attachment contains a series of German words and phrases that do not form coherent or grammatically correct sentences, and these are made invisible to the recipient of the email via hidden text salting.

A spear phishing email with an HTML attachment.

The email contains the phrase “with regard” in two other languages, including Finnish and Estonian. The rendered HTML attachment is also shown below. Note that the attacker tries to convince the recipient to click on the button and view the document by displaying a Microsoft SharePoint logo.

The rendered HTML attachment of the above email.

When the HTML attachment of the above email is inspected, one can notice that CSS properties are employed in various ways to conceal the irrelevant German phrases. First, the paragraphs' positions are set to _absolute_, allowing them to be placed anywhere on the page, which is often a technique used to hide elements by moving them off-screen. Additionally, the _width_ and _height_ of the paragraphs are set to zero, rendering them invisible in terms of space. The _opacity_ is also set to zero, making the content transparent and unseen by the recipient. Furthermore, a clipping method is utilized to ensure that the added salt remains hidden from the victim. Specifically, the first paragraph is clipped using a rectangle with the _clip_ CSS property (which is deprecated as of this writing) that has zero width and height, effectively making it invisible by limiting its visible area. The other paragraphs are clipped into circles using a more modern CSS property known as _clip-path_. Lastly, the _overflow_ property is set to _hidden_, ensuring that any content that exceeds the boundaries of the div element stays concealed.

The HTML source snippet of the above spear phishing email shows how hidden text salting is used to add irrelevant German phrases to the body of the email, while at the same time being invisible to the recipient.

**The abuse of cascading style sheets for tracking**

Email clients use different rendering engines and support different CSS rules and properties. However, CSS properties can be abused to track users' actions and preferences. We will discuss how fingerprinting recipients' systems and hardware is also possible, although some of these fingerprinting approaches may only work in specific email clients and depend on certain configuration assumptions.  

Marketing campaigns may use these CSS properties to track user engagement and optimize future campaigns, while spammers and threat actors may use this approach to enhance their targeted phishing campaigns, collect information, and craft targeted exploits. In what follows, we provide only a few examples of attempts to compromise the privacy of our customers.

Tracking users' (or email recipients') actions and preferences has been one of the most dominant patterns of CSS abuse identified by Talos in the wild in recent months. This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails). Below is an example of a spam email with multiple tracking capabilities.  

An example of a spam email.

The HTML source of the above email is shown below, where several tracking approaches are employed. First, the campaign uses a tracking image to record when the recipient opens the email. Second, different tracking URLs log the recipient's color scheme preference (see the _rd_ and _rl_ characters in the URLs). This is achievable via the CSS _media_ at-rule. Third, a tracking URL records when this email is printed (see the _p_ character in the URL). Finally, different tracking URLs are used to record when the email is opened in a specific email client. Also, note that a unique identifier is assigned to each recipient and used in the tracking URL.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked.

A second example email is shown below that tracks even more information, including the recipient's geo-location and device-specific information.

An example of a spam email.

An inspection of the HTML source of the above message, shown below, reveals several tracking clues. First, a tracking image is used to record when the recipient opens the email. Second, the recipient's color scheme preference is tracked via separate URLs. Third, a tracking URL is embedded within this message that records when it is printed. Fourth, different tracking URLs are used to record when the email is opened in a specific email client. Finally, a tracking pixel is appended to the end of the email to collect the recipient’s IP address, the email client used to open the email, and some device-specific information.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked and how their geo-location and device-specific information are collected.

As explained earlier, CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the _media_ at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth. The HTML code snippet below demonstrates how the CSS _media_ at-rule can be used for such purposes. Threat actors can set up different styles or load different resources based on criteria such as the screen width of the recipient’s device.

An example HTML code snippet that shows how the CSS __media__ at-rule can be used to fingerprint the screen width (or screen resolution) of the recipient’s device.

Fingerprinting the operating system of the recipient’s device is also possible and can be done in at least two main ways. In the first approach, the availability of certain fonts on a recipient’s system can indicate which operating system they might be using. Furthermore, threat actors may block the display of certain elements based on the inferred operating system. This can be achieved via the _font-face_ at-rule in CSS.

In the example shown below, the body of the message uses the _Segoe UI_ font, which is commonly available on Windows operating systems by default. Additionally, the _font-face_ at-rule defines a font called _MacFont_, which relies on the local availability of _Helvetica Neue_. This font is typically found on macOS systems. Note that in this example, elements with the class _.mac-style_ are hidden by default (_display: none;_). They are only shown to the recipient (_display: block;_) if the hypothetical media rule detects _MacFont_.

An example HTML code snippet that shows how the CSS __font-face__ at-rule can be used to fingerprint the operating system of the recipient’s device and then show or block specific contents using the availability of certain fonts.

The second method that can be used to fingerprint the operating system of a recipient’s device is to use unique URLs for resources (e.g., images) based on the applicable styles. When the email loads these resources, server logs can provide hints about the recipient's operating system. In the example snippet shown below, different images are loaded depending on the victim's operating system, which can be determined by the availability of certain fonts and styles that were applied.

An example HTML code snippet that shows how CSS can be used to fingerprint the operating system of the recipient’s device by loading different images.

**Mitigations**

As explained with multiple examples, CSS provides functionalities, rules, and properties that could be abused by attackers to evade spam filters and detection engines, as well as to track or fingerprint users and their devices. As such, both the security and privacy of your organization and business are at risk. In what follows, we provide a few mitigation solutions for each domain.

Security mitigations: One security mitigation solution is to rely on advanced filtering mechanisms that can more effectively detect hidden text salting and content concealment. These systems could examine different parts of emails to find and filter out hidden content. Alternatively, relying on features in addition to the text domain, such as the visual characteristics of emails, could be helpful. This approach is particularly beneficial in image-based threats.

Privacy mitigations: One of the most effective solutions in this domain is to use email privacy proxies. This mitigation is designed for email clients and involves rewriting emails to enhance privacy and maintain email integrity across different clients. In particular, the proxy service should be able to perform two main functions: 1) converting top-level CSS rules into style attributes, and 2) rewriting remote resources (e.g., images) to be included directly in the email via data URLs. The former function confines styles to the email itself and prevents conflicts with client-defined styles, while the latter function prevents exfiltration of information and undermines tracking pixels, ensuring the email's integrity over time.

**Protection**

Safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems.

Secure Email Threat Defense detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack.

Begin strengthening your environment against sophisticated threats. Register now for a free trial of Email Threat Defense.

Abusing with style: Leveraging cascading style sheets for evasion and tracking

Dragos reveals Volt Typhoon hackers infiltrated a US electric utility for 300 days, collecting sensitive data. Learn how this cyberattack threatens infrastructure.

Cybersecurity firm Dragos has revealed a prolonged cyber attack by the Chinese threat actor **Volt Typhoon** into the United States electric grid, specifically targeting the Littleton Electric Light and Water Departments (LELWD) in Massachusetts. This breach lasted over 300 days from February to November 2023.

The incident came to light just before Thanksgiving in 2023 when the FBI alerted LELWD to a potential compromise. Following investigations, with assistance from Dragos, revealed that the Volt Typhoon had infiltrated the utility’s systems as early as February 2023.

According to Dragos’s **report**, during this extensive period, the threat actors collected sensitive **operational technology (OT)** data, including information on energy grid operations, which could facilitate future disruptive attacks on critical infrastructure.

****Volt Typhoon’s Modus Operandi****

Volt Typhoon, also known as VOLTZITE, is a Chinese state-sponsored advanced persistent threat group active since at least mid-2021. The group focuses on cyber espionage, primarily targeting US critical infrastructure sectors **such as telecommunications** and energy. They employ sophisticated techniques to maintain persistent, long-term access to networks while evading detection.

**Tim Mackey**, Head of Software Supply Chain Risk Strategy at Black Duck, emphasizes the challenges posed by the long lifespan of devices in critical infrastructure. He notes that devices designed and tested to best practices available at their release can become vulnerable to more sophisticated attacks later in their lifecycle. Attackers, aware of the emphasis on uptime and service availability in critical infrastructure, may exploit these vulnerabilities to plan targeted attacks rather than opportunistic ones.

****Implications and Recommendations****

The LELWD incident shows the increasing cyber threats to essential services and why the energy sector needs proper cybersecurity measures. Organizations responsible for critical infrastructure must prioritize regular assessments and updates of their cybersecurity protocols to address evolving threats.

Additionally, implementing strong monitoring systems, conducting security audits, and collaborating with cybersecurity experts are essential to securing your infrastructure from threat actors like the Volt Typhoon.

1.  Hackers Have Reportedly Infiltrated The US Power Grids
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Critical Solar Power Grid Vulnerabilities Risk Global Blackouts
4.  Hacking Power Grids: TETRA Radio Hacking Risks Infrastructure
5.  Controller-level flaws let hackers physically damage moving bridges

Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year

Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and…

Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and best practices for developers.

Cybersecurity researchers at Sonatype have identified several vulnerabilities within picklescan, a tool used for examining Python pickle files for malicious code. These files, commonly used for storing and retrieving machine learning models, pose a security risk due to their ability to execute arbitrary code during the process of retrieving the stored data.

According to Sonatype’s analysis, shared with Hackread.com, in total four vulnerabilities were found:

*   **CVE-2025-1716**– allows attackers to bypass the tool’s checks and execute harmful code;

*   **CVE-2025-1889**– failure to detect hidden malicious files due to its reliance on file extensions;

*   **CVE-2025-1944**– can be exploited by manipulating ZIP archive filenames to cause the tool to malfunction;

*   **CVE-2025-1945**– failure to detect malicious files when certain bits within ZIP archives are altered.

It is worth noting that platforms such as Hugging Face utilize picklescan as part of their security measures to identify malicious AI models. The discovered vulnerabilities could allow malicious actors to bypass these security checks, thereby posing a threat to developers who rely on open-source AI models, as they can lead to “arbitrary code execution,” researchers noted. This means, an attacker could possibly take complete control of a system.

“Given the role of picklescan within the wider AI/ML hygiene posture (e.g. when used with PyTorch), the vulnerabilities discovered by Sonatype could be leveraged by threat actors to bypass malware scanning (at least in part) and target devs leveraging open source AI,” researchers explained in the blog post.

Good news is that picklescan maintainer showed a strong commitment to security by promptly addressing vulnerabilities, releasing version 0.0.23, which patched flaws, minimizing the opportunity for malicious actors to exploit them.

Sonatype’s chief product officer, Mitchell Johnson, urges developers to avoid using pickle files from untrusted sources whenever possible, and instead utilize safer file formats. If pickle files must be used, they should only be loaded in secure, controlled environments. Moreover, it is important to verify the integrity of AI models through cryptographic signatures and checksums, and implementing multi-layered security scanning.

The findings highlight the growing need for advanced, reliable security measures in AI/ML pipelines. To mitigate the risks, organizations should adopt practices such as utilizing safer file formats, employing multiple security scanning tools, and monitoring for suspicious behaviour when loading pickle files.

Picklescan Vulnerabilities Could Let Hackers Bypass AI Security Checks

Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks.

Apple has patched a vulnerability in iPhone and iPad that was under active exploitation by cybercriminals.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** > **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update Now

Overall, security updates were issued for:

If you use Malwarebytes for iOS, you can use the app to check if you need to update, and be guided through the update process.

Malwarebytes for iOS Trusted Advisor

**Technical details**

WebKit is the browser engine developed by Apple that helps display web content in applications. It allows apps to show web pages without the need for a full web browser. WebKit is used in many Apple products, such as Safari, Mail, and the App Store, as well as in other devices like PlayStation consoles and Amazon Kindle e-readers.

The actively exploited vulnerability is tracked as CVE-2025-24201.

> “An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).”

Simply put, that means an attacker could send or lure a target to open a web page which would cause an overflow in the allocated memory for WebKit. The overflow would then enable the attacker to escape from the Web Content Sandbox, which is a security feature used in web browsers to isolate web content, such as web pages and scripts, from the rest of the system. It’s designed to stop malicious code from accessing sensitive system resources or user data outside of the browser.

About a month ago, we reported how Apple fixed another extremely sophisticated attack, that was used against targeted individuals. This one is much more likely to be used against more users so should you prioritise updating your phone as soon as you can.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks” 

### Impact
Medium

### Patches
Version 3.4.17 fixes illuminate/validation v 8.0.0 to 11.44.0

### Workarounds
Register \MacropaySolutions\LaravelCrudWizard\Providers\ValidationServiceProvider instead of Illuminate\Validation\ValidationServiceProvider::class if you are using illuminate/validation < 11.44.1

### References
https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-3wgq-h4fr-cwg5: laravel-crud-wizard-free has File Validation Bypass 

Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

In recent years, shady betting companies have found a clever way to bypass regulations and continue their operations through **mirror sites**—duplicate versions of their main website that allow them to evade bans, deceive users, and rake in massive profits. 

****How** **g****ambling** **c****ompanies** **e****xploit** **m****irror** **d****omains** **

A mirror site is essentially a clone of an existing betting website, hosted on a different domain. Companies create dozens – sometimes even hundreds – of these mirrors to ensure they remain accessible even when regulators try to shut them down. 

Why do they do this? 

*   **Evade regulation:** Governments and gambling commissions regularly block illegal or unlicensed betting sites. When one gets banned, the company simply redirects users to a new domain. 

*   **SEO and ad manipulation:** More domains mean more search engine presence, allowing these companies to dominate the online gambling market and attract unsuspecting bettors. 

*   **Affiliate and referral loopholes:** Many of these sites exist solely to capture affiliate commissions, misleading users into thinking they are signing up through legitimate sources. 

*   **Phishing and fraud risks:** Users might unknowingly enter personal and financial details on a fake version of the site, opening themselves up to scams and identity theft. 

One of the most infamous cases of gambling companies using mirror domains is 1xBet, a company that built an empire by aggressively bypassing laws through hundreds of duplicate sites. 

1xBet’s tactics were so successful that they made millions in revenue, eventually becoming a global sponsor of FC Barcelona. But despite their rise to legitimacy, their past was riddled with controversy: 

*   They were banned in Russia but continued to operate through mirror sites. 

*   The UK Gambling Commission launched an investigation into their illegal activities, forcing them to suspend operations in the UK. 

*   Reports surfaced that they hosted illegal casino games and even betting on cockfighting. 

Even after being blacklisted in multiple countries, they continued to thrive simply by shifting users to a new domain each time one was blocked. 

****20Bet and MostBet’s expanding mirror network** **

But 1xBet isn’t alone. Recent investigations have revealed that newer betting companies are using the same shady tactics. 

*   20Bet has over 100 active domains, many of which are identical mirrors/referrals of each other. 

*   MostBet has over 40 mirror sites, ensuring that they can never be completely shut down. 

This extensive network allows them to: 

*   Dodge regulatory action and continue operating in countries where they are banned. 

*   Flood search engines and ad networks, making it difficult for users to distinguish legitimate operators from scams. 

*   Run deceptive marketing campaigns, promising risk-free bets and bonuses that are often impossible to claim. 

****The** **r****eal** **d****anger: How** **u****sers** **g****et** **t****rapped** **

Imagine this scenario: A football fan eager to bet on an upcoming match searches for a reliable betting site. They click on a paid ad for 20Bet, promising a “100% Risk-Free Bet Up to $500.” 

*   They sign up and deposit money on what appears to be the official site. 

*   They win their first bet and try to withdraw—but the site suddenly disappears. 

*   They find another 20Bet domain and try logging in—only to realize their credentials don’t work. They’ve been scammed. 

Because so many duplicate domains exist, it’s nearly impossible for users to track where their money is actually going – or whether the site they’re on is real at all. 

****How to protect yourself from betting scams** **

With the rise of mirror sites, it’s more important than ever to be cautious when engaging in online sports betting. Here are some tips to stay safe: 

1.  **Check for proper licensing**: Legitimate betting companies should be licensed by recognized authorities like the UK Gambling Commission or Malta Gaming Authority. 

2.  **Avoid too-good-to-be-true promotions**: If a site is offering unrealistic bonuses or “guaranteed” wins, it’s likely a scam. 

3.  **Use trusted sources for links**: Don’t click on ads or promotional links. Instead, visit the official websites of reputable gambling regulators. 

4.  **Be wary of multiple domains**: If a betting company has dozens of different URLs, it’s a major red flag. 

5.  **Research before depositing**: Look up reviews and complaints from other users before signing up for any site. 

****Final thoughts: A dangerous game of cat and mouse** **

The sports betting industry continues to grow, but its darker side remains hidden beneath layers of deception. Companies like 1xBet, 20Bet, and MostBet have found ways to outmanoeuvre regulators and keep the money flowing—often at the expense of unsuspecting bettors. 

The fact that one of the world’s most controversial gambling companies (1xBet) went from running mirror sites to sponsoring FC Barcelona should serve as a wake-up call. These companies are not just skirting the law – they are thriving because of it. 

Until regulators find a way to effectively combat these tactics, sports bettors must remain vigilant. If something seems off, it probably is. And in the world of online gambling, a single wrong move could mean the difference between a big win and losing everything. 

****IOCs** **

MostBet –   
2d593xv\[.\]com 

3p4hdpmb\[.\]com 

3z9sbhba58mst\[.\]com 

4jls7l19\[.\]com 

4rayasmb\[.\]com 

560rp67\[.\]com 

6q4mhfo\[.\]com 

7tr85sq\[.\]com 

9389z7h\[.\]com 

9mnekb9\[.\]com 

ad2s0rs\[.\]com 

casinomstwins\[.\]com 

cdwxjlz\[.\]com 

jtw2fgmb\[.\]com 

llhrd3wu6vmb\[.\]com 

mfviz8eunkmb\[.\]com 

mkvw5jomb\[.\]com 

mostbet-in33\[.\]com 

mostbet-in34\[.\]com 

mostbet-in36\[.\]com 

mostbet-in37\[.\]com 

mostbet-in46\[.\]com 

mostbet-in56\[.\]com 

mostbet-in62\[.\]com 

mostbethu1\[.\]com 

mostbetru-44\[.\]com 

nfc5wbnalsmb\[.\]com 

ozvfgemb\[.\]com 

rw7e3v5gsumb\[.\]com 

sdma8tw\[.\]com 

sez67b24o7mb\[.\]com 

siosckmb\[.\]com 

sj13ywp\[.\]com 

szakt9s\[.\]com 

tqmdpkthxengz3g1\[.\]com 

v2izr0q9drmb\[.\]com 

vb7awyus6kmb\[.\]com 

w53hy6afrpmb\[.\]com 

winnerzonecasino\[.\]com 

ww16\[.\]mostbetru-44\[.\]com 

ww38\[.\]mostbetru-44\[.\]com 

x2cy2g8\[.\]com 

y16uyxu\[.\]com 

y2iqdt2\[.\]com 

ze59byq\[.\]com 

22bet – 

20-bet\[.\]ar 

20-bet\[.\]at 

20-bet\[.\]ca 

20-bet\[.\]cz 

20-bet\[.\]es 

20-bet\[.\]in 

20-bet\[.\]org 

20-bet\[.\]pt 

20-betbet\[.\]com 

20-winbet\[.\]com 

20bet-bet\[.\]com 

20bet-bg\[.\]com 

20bet-br\[.\]com 

20bet-casino\[.\]org 

20bet-co\[.\]org 

20bet-dk\[.\]org 

20bet-dk\[.\]site 

20bet-es\[.\]com 

20bet-fi\[.\]org 

20bet-hr\[.\]org 

20bet-hu\[.\]org 

20bet-italia\[.\]com 

20bet-jp\[.\]com 

20bet-portuguese\[.\]com 

20bet-s\[.\]com 

20bet-win\[.\]com 

20bet\[.\]asia 

20bet\[.\]be 

20bet\[.\]ch 

20bet\[.\]cl 

20bet\[.\]co\[.\]nz 

20bet\[.\]com 

20bet\[.\]com\[.\]de 

20bet\[.\]com\[.\]in 

20bet\[.\]com\[.\]pl 

20bet\[.\]com\[.\]se 

20bet\[.\]hu 

20bet\[.\]icu 

20bet\[.\]life 

20bet\[.\]me 

20bet\[.\]nz 

20bet\[.\]org\[.\]in 

20bet\[.\]vip 

20bet\[.\]win 

20bet1\[.\]com 

20bet1\[.\]net 

20bet1\[.\]org 

20bet2\[.\]com 

20bet3\[.\]com 

20bet4\[.\]com 

20bet5\[.\]com 

20beta\[.\]com 

20betapk\[.\]com 

20betapp\[.\]com 

20betb\[.\]com 

20betbet\[.\]com 

20betbr\[.\]com\[.\]br 

20betbrasil\[.\]com 

20betcasino\[.\]lat 

20betcasino\[.\]mx 

20betcasino\[.\]net 

20betcasino\[.\]si 

20betcasinoromania\[.\]org 

20betcasinos\[.\]net 

20betcassino\[.\]com 

20betentrar\[.\]com 

20betforum\[.\]com 

20betgame\[.\]net 

20betkasyno\[.\]pl 

20betlogin\[.\]it 

20betluck\[.\]com 

20betlucks\[.\]com 

20betmirror\[.\]com 

20beto\[.\]com 

20betpartners\[.\]com 

20betportugues\[.\]com 

20bets\[.\]cc 

20bets\[.\]com\[.\]br 

20bets\[.\]in 

20bets\[.\]org 

20bets\[.\]pe 

20bets\[.\]pl 

20betsite\[.\]com 

20bett\[.\]com 

20bett\[.\]org 

20bettin\[.\]com 

20betting\[.\]com 

20betzone\[.\]com 

20bplay\[.\]com 

20bwin\[.\]com 

20bwin\[.\]pt 

20bwins\[.\]com 

20glob\[.\]com 

20luckbet\[.\]com 

20media\[.\]world 

20win88\[.\]com 

20winluck\[.\]com 

aposta20bet\[.\]com 

apostas20\[.\]com 

bet-20\[.\]it 

bet-20\[.\]pl 

bet20\[.\]com\[.\]br 

bet20\[.\]com\[.\]pl 

bet20\[.\]com\[.\]pt 

bet20\[.\]gr 

bet20\[.\]online 

bet20\[.\]pt 

bet20brasil\[.\]com 

bet20brazil\[.\]com 

bet20italia\[.\]com 

bet20portugal\[.\]com 

bet20pt\[.\]com 

bonus-20bet\[.\]com 

bookie20\[.\]com 

es20bet\[.\]com 

esbet20\[.\]com 

forum20bet\[.\]com 

free-bookie\[.\]com 

free20bet\[.\]com 

links20\[.\]world 

mail20media\[.\]com 

pt-20bet\[.\]com 

svkzjv\[.\]com 

twentybet\[.\]net 

xxbet\[.\]it 

xxbetportugal\[.\]com

 The dark side of sports betting: How mirror sites help gambling scams thrive  

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

134.0.3124.62

3/12//2025

134.0.6998.89

CVE-2025-24201: Chromium: CVE-2025-24201 Out of bounds write in GPU on Mac

Lazarus Group targets developers with malicious npm packages, stealing credentials, crypto, and installing backdoor. Stay alert to protect your projects.

The notorious Lazarus Group, a North Korean state-backed hacking group, is back at it again. This time, they’re sneaking malicious code into the popular npm software repository, a vital resource for countless developers worldwide.

Cybersecurity researchers at Socket Research Team have found six new fake packages, already downloaded around 330 times, designed to infiltrate developers’ computers, swipe login details, steal cryptocurrency information, and even install a backdoor for long-term access.

****What’s npm and Why Should I Care?****

Think of npm as a giant online library for JavaScript code. Developers use it to grab pre-built pieces of software (called “packages”) to save time and effort when building their own applications. If a hacker can sneak a bad package into this library, they can infect anyone who downloads and uses it.

****The Sneaky Tactics of The Lazarus Group****

The Lazarus Group is using “typosquatting” in its latest campaign, creating packages with names _very_ similar to legitimate, widely-used ones. For example, they created “is-buffer-validator,” which sounds a lot like the real “is-buffer” package. This makes it easy for developers to accidentally download the wrong thing.

Other malicious packages include yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.

According to Socket Research Team’s blog post, to make these fake packages look even more trustworthy, the hackers even set up fake GitHub pages for some of them. GitHub is where developers often share and collaborate on code, so having a presence there adds a layer of (false) legitimacy.

The malicious packages used in the campaign (Credit: Socket Research Team)

As Ensar Seker, CSO at cybersecurity company SOCRadar, points out, “Malicious npm packages are a particularly effective attack vector because developers often trust open-source repositories without thorough scrutiny.” He adds that attackers are “embedding malicious code in dependencies, ensuring the malware spreads every time an unsuspecting developer installs or updates the package.”

****What Happens Upon Infection****

The Lazarus Group has a history of targeting developers through supply chain attacks. In this campaign, the malware embedded in compromised packages performs several malicious activities. It steals sensitive data by collecting system details such as the hostname, operating system, and directory structures. Additionally, it extracts credentials by searching browser profiles for stored login information from Chrome, Brave, and Firefox.

The malware also targets cryptocurrency wallets, specifically seeking Solana (id.json) and Exodus (exodus.wallet) wallet files to steal crypto assets. Furthermore, it installs a backdoor by downloading additional malware, including the InvisibleFerret backdoor, which allows attackers to maintain persistent access to the compromised system.

Seker notes that the focus on cryptocurrency aligns with North Korea’s known strategies. “The fact that these packages are designed to steal cryptocurrency-related data aligns with North Korea’s state-backed cybercrime objectives, which involve financial theft to fund regime activities,” he explains. “Lazarus has a long history of targeting crypto wallets, exchanges, and fintech companies.”

The implications extend beyond individual developers. “Once installed, these backdoored packages could give Lazarus access to developer credentials, SSH keys, and cloud access tokens,” Seker warns, “allowing lateral movement across entire organizations, not just individual victims.”

****All Malicious Packages Deleted, but the Threat Remains****

The good news is that GitHub has deleted all the malicious packages identified and reported by the Socket Research Team. However, this does not mean that there are no other malicious packages operated by the Lazarus Group.

****How to Protect Yourself and Your Organization****

To mitigate the risks posed by supply chain attacks, both developers and organizations should adopt proactive security measures. Developers should verify package sources by checking the publisher’s reputation and download numbers before installation.

Utilizing security tools, such as the Socket AI Scanner, can help detect malicious dependencies before they are added to a project. Additionally, enabling multi-layered security by implementing sandboxing, endpoint protection, and blocking suspicious outbound connections adds an extra layer of defence.

Organizations can further enhance security by automating dependency auditing to regularly scan third-party packages for vulnerabilities. Monitoring dependency changes and setting up alerts for unexpected updates in projects can help detect potential threats early. Lastly, educating teams about typosquatting and training developers to recognize suspicious package names is important in preventing attacks.

Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack

Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation.

**Microsoft** today issued more than 50 security updates for its various **Windows** operating systems, including fixes for a whopping _six zero-day vulnerabilities_ that are already seeing active exploitation.

Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in **NTFS**, the default file system for Windows and Windows Server. Both require the attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 would lead to the possibility of local code execution, while CVE-2025-24991 could cause NTFS to disclose portions of memory.

Microsoft credits researchers at **ESET** with reporting the zero-day bug labeled CVE-2025-24983, an elevation of privilege vulnerability in older versions of Windows. ESET said the exploit was deployed via the PipeMagic backdoor, capable of exfiltrating data and enabling remote access to the machine.

ESET’s **Filip** **Jurčacko** said the exploit in the wild targets only older versions of Windows OS: Windows 8.1 and Server 2012 R2. Although still used by millions, security support for these products ended more than a year ago, and mainstream support ended years ago. However, ESET notes the vulnerability itself also is present in newer Windows OS versions, including **Windows 10 build 1809** and the still-supported **Windows Server 2016**.

Rapid7’s lead software engineer **Adam Barnett** said **Windows 11** and **Server 2019** onwards are not listed as receiving patches, so are presumably not vulnerable.

“It’s not clear why newer Windows products dodged this particular bullet,” Barnett wrote. “The Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.”

The zero-day flaw CVE-2025-24984 is another NTFS weakness that can be exploited by inserting a malicious USB drive into a Windows computer. Barnett said Microsoft’s advisory for this bug doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information.

“A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale,” Barnett said.

Another zero-day fixed this month — CVE-2025-24985 — could allow attackers to install malicious code. As with the NTFS bugs, this one requires that the user mount a malicious virtual hard drive.

The final zero-day this month is CVE-2025-26633, a weakness in the **Microsoft Management Console**, a component of Windows that gives system administrators a way to configure and monitor the system. Exploiting this flaw requires the target to open a malicious file.

This month’s bundle of patch love from Redmond also addresses six other vulnerabilities Microsoft has rated “critical,” meaning that malware or malcontents could exploit them to seize control over vulnerable PCs with no help from users.

Barnett observed that this is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.

The SANS Internet Storm Center has a useful list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems. Please consider backing up your data before updating, and leave a comment below if you experience any issues applying this month’s updates.

Microsoft: 6 Zero-Days in March 2025 Patch Tuesday

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”.

Tuesday, March 11, 2025 17:55

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”. 

There are six vulnerabilities that Microsoft has observed being exploited in the wild. CVE-2025-26633 is a Remoted Code Execution (RCE) vulnerability in Microsoft’s Management Console. Two information disclosure vulnerabilities, CVE-2025-24984 and CVE-2025-24991, and one RCE vulnerability, CVE-2025-24993, in Windows NTFS were observed being exploited in the wild. Microsoft also patched, CVE-2025-24985, another RCE exploited in the wild in the Windows Fast FAT system driver. An Elevation of Privilege (EOP) vulnerability, CVE-2025-24983, was also discovered being exploited in the wild, in Windows’ win32 Kernel Subsystem. 

There are two notable "critical" vulnerabilities. The first is CVE-2025-24035, which is a remote code execution (RCE) vulnerability affecting the Windows Remote Desktop Gateway (RD Gateway) service. This vulnerability is a remote unauthenticated User-after-free (UAF) issue in handling websocket initialization and closing operations which could potentially result in arbitrary code execution in the RD Gateway process. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. CVE-2025-24035 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24045 is another critical remote code execution vulnerability in the RD Gateway service caused by a UAF issue in handling connection and disconnection callbacks. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. This vulnerability has also been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2024-9157 is an elevation of privilege vulnerability in a Synaptics Audio Effect Component service binaries DLL distributed with Windows Update. This vulnerability is caused by the Synaptics service opening a named pipe without any meaningful ACLs and expecting clients to provide the name of a DLL which is then loaded into the Synaptics process, which may allow even a remote unprivileged user to provide a malicious DLL to be loaded in the context of the service. This vulnerability has been assigned a CVSS 3.1 score of 9.9 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24064 is an RCE vulnerability in the Windows Domain Name Service flagged as "critical” by Microsoft.  To successfully exploit this vulnerability an attacker needs to send a perfectly timed DNS update message to the vulnerable server which may cause a UAF error and could potentially lead to remote code execution. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered "less likely to be exploited” by Microsoft. 

CVE-2025-24084 is an RCE in the Windows Subsystem for Linux (WSL2) Kernel caused by an untrusted pointer dereference. To exploit this vulnerability an attacker needs to have elevated privileges on the target machine, due to the requirement of manipulating processes, which isn’t usually accessible by regular users. This vulnerability has been assigned a CVSS 3.1 score of 8.4 but was considered "less likely to be exploited” by Microsoft. 

CVE-2025-26645 is a vulnerability in the Remote Desktop (RDP) client caused by a relative path traversal issue. An attacker in control of a Remote Desktop Server could achieve RCE on any vulnerable client machine connecting to the service. This vulnerability has been assigned a CVSS 3.1 score of 8.8 and is considered "less likely to be exploited” by Microsoft. 

Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important” or "Critical”:     

*   CVE-2025-24057 Microsoft Office Remote Code Execution Vulnerability 
*   CVE-2025-24051 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
*   CVE-2025-24056 Windows Telephony Service Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64663, 64662, 64432, 64658, 64659, 64656, 64657, 64660, 64661, 64653, 64652. There are also these Snort 3 rules: 64432, 301166, 301164, 301163, 301165, 301162

Tag

#mac