Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to…

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to protect against these threats.

Microsoft’s February 2025 Patch Tuesday update addresses 63 security vulnerabilities across its product range, including two zero-day exploits actively being used by attackers. Four of these vulnerabilities are classified as critical.

The update covers a variety of vulnerability types, including remote code execution, elevation of privilege, denial of service, spoofing, security feature bypass, information disclosure, and tampering.

Screenshot via SOCRadar

Two zero-day vulnerabilities are of particular concern due to their active exploitation.  

CVE-2025-21391, an elevation of privilege flaw in Windows Storage, could allow attackers to delete critical system files, potentially causing data loss and service disruptions.  While Microsoft states this vulnerability doesn’t expose confidential data, the ability to disrupt services is, nevertheless, a serious concern.  

The second actively exploited zero-day, CVE-2025-21418, affects the Ancillary Function Driver for Windows Sockets.  This vulnerability enables privilege escalation, potentially granting attackers SYSTEM-level access.  Details about the exploitation methods for these vulnerabilities remain undisclosed.

Microsoft is also addressing two publicly disclosed zero-day vulnerabilities. CVE-2025-21194, a hypervisor flaw, could compromise the secure kernel in UEFI-based virtual machines. This vulnerability is speculated to be related to the PixieFail vulnerabilities. Another flaw, CVE-2025-21377, could allow attackers to steal NTLM hashes through minimal user interaction with a malicious file.

Some critical vulnerabilities patched by Microsoft include: CVE-2025-21376, an RCE vulnerability in Windows Lightweight Directory Access Protocol allowing arbitrary code execution. CVE-2025-21177, a Server-Side Request Forgery vulnerability in Dynamics 365 that may lead to privilege escalation. CVE-2025-21379 in the DHCP Client Service and CVE-2025-21381 in Microsoft Excel, both allow remote code execution.  

Another severe flaw addressed was in Microsoft’s High-Performance Compute Pack. Tracked as CVE-2025-21198, it is a remote code execution (RCE) vulnerability that allows attackers to perform RCE on other clusters or nodes connected to the targeted head node by sending a specially crafted HTTPS request

Microsoft also addressed some high-risk flaws in this update including vulnerabilities in Microsoft Office SharePoint, Windows Disk Cleanup Tool, Windows CoreMessaging, Windows Win32 Kernel Subsystem, Windows Setup Files Cleanup, Windows DWM Core Library, and others. These vulnerabilities are considered high-risk due to their potential for exploitation and the lack of existing workarounds.  

Beyond Microsoft’s updates, other vendors, including Adobe, SAP, and Ivanti, have also released security patches.  SAP’s updates address vulnerabilities in BusinessObjects, Supplier Relationship Management, and Approuter, including a critical authorization flaw.  Ivanti’s patch fixes a critical OS command injection vulnerability in its Cloud Services Application.  

These updates highlight the ongoing need for timely security patching. With actively exploited zero-days and a range of critical vulnerabilities, organizations must prioritize applying these updates to mitigate risks. The sheer volume of vulnerabilities tracked by security platforms is staggering, as illustrated by SOCRadar’s Vulnerability Intelligence dashboard.

Screenshot via SOCRadar

Mr. Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, told Hackread.com that CVE-2025-21391, though appearing as a file deletion bug, is actively exploited and far more dangerous when combined with code execution. While it doesn’t threaten confidentiality, it severely impacts integrity and availability, potentially crippling servers. Attackers can exploit it to delete critical system files, replacing them with weakly secured versions, and ultimately gaining SYSTEM-level access. Abbasi warns this is no minor flaw; it’s a stealthy path to full system control.

Patch Tuesday: Microsoft Fixes 63 Bugs with 2 Zero-Days

When it comes to keeping patient information safe, people empowerment is just as necessary as deploying new technologies.

Source: Yuri Arcurs via Alamy Stock Photos

COMMENTARY

Some say artificial intelligence (AI) has changed healthcare in ways we couldn't have imagined just a few years ago. It's now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.

Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.

**AI as the Defender: Enhancing Healthcare Security**

Healthcare systems are rich targets for malicious actors, with considerable protected health information (PHI) spread across interconnected assets such as electronic health records, Internet of Things (IoT)-enabled medical devices, and telehealth platforms. It has been proven that traditional cybersecurity tools often lack the resources and features required to protect such complex ecosystems and, as in different industries, struggle to keep pace with both the volume of data being generated and evolving attack methodologies.

The advantage of machine learning algorithms is that they can find a potential threat before it is serious. AI-powered security tools can detect anomalies in system behaviors, such as unauthorized data transfer or suspicious login activities, and thus proactively prevent a breach. Indeed, several hospitals using AI-powered systems have been able to avert ransomware attacks and maintain operational integrity and patient safety.

Artificial Intelligence is also incomparable in terms of its critical role in reducing administrative burdens and further complying with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. AI-powered tools, such as virtual assistants and data processing systems, take over administrative work while safeguarding sensitive data. These tools protect PHI and free human resources to focus on patient care.

**AI as the Enabler of Cyber Threats**

While AI hardens the defense, it turbocharges the attacker side, too. In such a way, cyber threats in healthcare have become increasingly sophisticated. The game changed with generative AI tools that let attackers create unbelievably realistic tailor-made emails with perfect grammar and formatting that quickly slipped through traditional security filters.

Deepfakes add another layer to these deceptions: generating hyperreal audio and video that makes an attacker sound like senior health leaders or other trusted voices. These fabrications have been used to deceive staff into granting unauthorized access, sharing PHI, and even making fraudulent financial transactions. In some cases, attackers have used deepfakes to spread false medical information or to undermine public confidence, further destabilizing an already complex threat landscape.

AI-powered malware leverages machine learning to make live changes, evade traditional detection, and zero in on critical systems, such as IoT-enabled devices and electronic health records. Attackers manipulate diagnostic data, alter medical imaging, and gain entry through vulnerabilities in lightly secured IoT devices, enabling them to create avenues to coordinate attacks. Combining AI with IoT could pose a greater threat to patient safety and trust in healthcare systems than just financial losses. 

AI-powered threats sound an alarm for information security, IT, and healthcare leaders. These risks are reshaping the cybersecurity landscape. Preemptive defenses require advanced AI tools, employee training, and collaboration across cross-functional teams. This would, in turn, involve policy and detection system reviews to grant top priority for countering AI-impelled social engineering and malware. Constantly being one step ahead of the bad actors requires constant vigilance, innovative thinking, and a core commitment to data safety and patient care.

**Balancing AI's Potential with Realistic Implementation**

As an expert or executive, you face the critical decision of managing the promise of AI and the risk it further introduces into an already overcomplicated cybersecurity landscape. AI is not the Holy Grail; it's a tool that can be used for and against us. AI’s transformative potential in healthcare and security comes from how it is implemented, so leaders must approach its adoption with a balanced perspective. They should be excited yet cautious, knowing full well that attackers are leveraging the very same technology to undermine our systems, data, and trust.

In my experience, the excitement around adopting AI tools like transcript generators, grammar checkers, or automated note-taking systems often takes precedence over critical security assessments. I have seen teams advocate for rapid implementation to save time and resources without assessing the risks; common questions such as where the data is stored, how it is processed, or if the vendor is compliant often are not asked. This rush to embrace convenience creates gaps that attackers can exploit, especially in healthcare, where even minor oversights can lead to significant breaches of PHI or personally identifiable information (PII).

Deepfakes, adaptive malware, and the exploitation of IoT devices, all powered by AI, require a new type of thinking to address these threats — one that changes from legacy defenses or even leading-edge AI-powered tools to placing those tools within an extended proactive security framework encompassing audits, employee training, and reliable governance. For that to happen, health workers and administrators must be empowered to recognize sophisticated attacks, faked video calls, or some other unexpected data transfer AI flagged up. People empowerment is just as necessary in deploying new technologies.

Drive collaboration between IT, security, and clinical teams in developing customized strategies for technical vulnerabilities and operational realities. This means vigilance, from systems monitoring to continuing review of AI's evolving role in your institution.

Safeguarding healthcare systems includes protecting the trust and well-being of the patients it cares for and its entire community. This depends entirely on the type of leadership that doesn't just react to threats but proactively takes bold measures to mitigate risks before they spread. Security embedded in all facets of the organization should ensure continuity of critical operations and uncompromised care of the patients by leaders in healthcare.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Is AI a Friend or Foe of Healthcare Security?

But there's plenty in it — including two zero-days — that need immediate attention.

Source: Somphop Krittayaworagul via Shutterstock

Microsoft's February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there's still plenty in it that requires immediate attention.

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.

**63 CVEs, 2 Zero-Days**

In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.

The two actively exploited zero-day bugs in this month's update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft's advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are "valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access," Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. "Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system," said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. "Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately."

In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to "redirect file operations to critical system files or user data, leading to unauthorized deletion," the security vendor said.

Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. "The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file," Breen said. "The user doesn't have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability." Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit

The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.

**Critical Flaws**

The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS Score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. "While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday," Reguly said in an emailed comment. "One can't help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action."

Meanwhile, the only CVE to earn a severity score of 9.0 in this month's update — (CVE-2025-21198) — is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. "This networking requirement should limit the impact of what would otherwise be a more serious vulnerability."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft's February Patch a Lighter Lift Than January's

Cisco denies recent data breach claims by the Kraken ransomware group, stating leaked credentials are from a resolved 2022 incident. Learn more about Cisco's response and the details of the original attack.

Cisco has refuted claims of a recent data breach after the Kraken ransomware group published sensitive information, allegedly stolen from the company’s internal network, on its dark web leak site. Cyber Press reported on the ransomware group’s claims, which included the exposure of credentials linked to Cisco’s Windows Active Directory environment. 

According to the report, the leaked dataset contained usernames and their associated domains, unique relative identifiers (RIDs) for each user account, and hashed representations of passwords (NTLM hashes). The compromised accounts include privileged administrator accounts, regular user accounts, service and machine accounts linked to domain controllers, and the crucial Kerberos Ticket Granting Ticket (krbtgt) account.

The report further revealed that credential-dumping tools like Mimikatz, pwdump, or hashdump were likely used to extract this information. These tools are commonly employed by cybercriminals and advanced persistent threat (APT) groups to harvest credentials stored within system memory. Alongside the leaked data, the attackers left a threatening message, hinting at their intent to inflict further damage.  

“You lied to us and play for time to kick us out. We will meet you soon, again. Next time you’ll have no chance,” attackers stated.

Files published by the Kraken ransomware group (Image via: CyberPress)

However, Cisco has issued an official statement contradicting the ransomware group’s claims, revealing that the exposed credentials stem from a previously disclosed security incident that occurred back in May 2022.  

“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers,” the company stated.

Hackread.com reported a breach where attackers gained control of a Cisco employee’s personal Google account containing company credentials. Through sophisticated voice phishing (vishing) attacks, the attackers bypassed multi-factor authentication (MFA) and gained access to the target user’s VPN. Cisco confirmed it successfully removed the intruder, who made several unsuccessful attempts to regain access in the following weeks.

Cisco’s CSRIT and Talos teams found no evidence suggesting the attacker accessed critical internal systems, such as the production environment or code signing architecture.  

At the time of the 2022 incident, Cisco believed the perpetrator was an initial access broker (IAB) linked to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as the Lapsus$ threat collective and the Yanluowang ransomware operation.  

While the current claims by the Kraken ransomware group involve data from an older incident, the re-emergence of this information highlights the increasing prevalence of credential-based cyberattacks and the need to implement advanced yet reliable security measures.

Organizations should adopt proactive defences, such as forced password resets, disabling NTLM authentication, implementing multi-factor authentication, monitoring access logs for unauthorized activity, and enhancing network monitoring to detect intrusion attempts.

Cisco Rejects Kraken Ransomware’s Data Breach Claims

State-led data privacy laws and commitment to enforcement play a major factor in shoring up business data security, an analysis shows.

Source: Oleckii Mach via Alamy Stock Photo

States are increasingly embracing data privacy regulation, and Kentucky, Rhode Island, and Tennessee are leading the charge. That has earned them high marks from security experts and landed them at the top of the list of states with the lowest rates of data breaches.

These three states are effectively protecting data because of a dual approach of drafting smart data privacy legislation, and then enforcing those laws when appropriate, according to Anonta Khan, who is with DesignRush, the firm that conducted the state data privacy study. Conversely, South Dakota (which got the lowest safety score in the survey, 65.14 out of 100) and Alaska (66.50) rank at the bottom.

"Some states, like Kentucky (the highest rated at 99.32) and Rhode Island (97.14), do a good job protecting data," Khan says. "They have fewer cybercrimes and data leaks. Others, like South Dakota and Alaska, have weak laws and a lot of cyber threats."

However, she stresses, "having strong laws doesn't always mean a state is safe."

It's more nuanced than that.

**Higher Safety Scores Don't Mean Less Cybercrime**

In general, the results of the study suggest that states with less data breach regulation tend to have higher rates of cybercrime overall. That includes Nevada (with a safety score of 77.64), which last year logged 309.7 cyber incidents per 100,000 people, which is more than triple the national average. But there are other contributing factors. Nevada, for instance, has businesses that are attractive targets for hackers, like casinos, Kahn points out.

Related:CISA Places Election Security Staffers on Leave

Going further, California (89.3) has strong privacy laws but high cybercrime rates; that's because hackers are consistently targeting the state's tech sector, Khan explains. Delaware is another state with strong privacy laws that is likewise plagued by high rates of data breaches, being the state where most financial lending services are incorporated.

The takeaway? "This shows that laws need to be enforced well," Khan says.

A similar report from the Electronic Privacy Information Center (EPIC) in late January outlined areas where states should, in its view, take a more aggressive position against companies leaking personal data. And state governments appear to be moving in that direction, with a new wave of reform efforts on the horizon.

**New State-Led Data Privacy Efforts Are Brewing**

Delaware, for example, has kicked off 2025 with its new Data Privacy Protection Act going into effect. Other states, including Iowa, Nebraska, New Hampshire, and New Jersey, are also adding fresh data privacy laws this year and increasing enforcement budgets.

Related:DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

States like Texas have also provided a model for aggressive data privacy regulation enforcement. On Jan. 13, Texas Attorney General Ken Paxton filed suit against the Allstate insurance company for what he alleges was an effort to skirt his state's data privacy rules and track citizens' data without consent.

As these new laws come online, Khan and others are optimistic that data privacy practices are improving across the US, thanks to re-upped efforts at the state level. Moving forward, these laws will be tailored to fit emerging technology use cases, Khan adds.

"Artificial Intelligence (AI) is also becoming a bigger issue," Kahn says. "Colorado's Anti-Discrimination in AI Law starts in 2026, and other states are considering similar rules. Meanwhile, lawsuits over website tracking, biometric data, and online privacy will continue in 2025."

Regardless of state of residence, companies should look at this new era of data privacy protection as an opportunity, according to Ojas Rege, senior vice president and general manager of privacy and data governance at OneTrust.

"With 20 distinct US data privacy laws enacted — all with different requirements and obligations — this is a risk most organizations won't want to take," Rege says. "By moving off spreadsheets, bringing in automation, and designating a senior data privacy leader, organizations can proactively comply with the current wave of US state privacy laws. Adopting AI responsibly also requires an effective data privacy program as a starting point and foundation."

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Data Leaks Happen Most Often in These States — Here's Why

The UK has demanded Apple provides it with a worldwide backdoor into iCloud backups. Privacy organizations are furious.

Last week, an article in the Washington Post revealed the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. Since then, privacy focused groups have uttered their objections.

The UK government has demanded to be able to access encrypted data stored by Apple users worldwide in its cloud service. However, Apple itself doesn’t have access to it at the moment, only the holder of the Apple account can access data stored in this way.

Neither the Home Office nor Apple responded on the record to queries about the demand served by the Home Office under the Investigatory Powers Act (IPA) , but the BBC confirmed that it had heard the same information from reliable sources.

Privacy International said the demand is a “misguided attempt” that uses disproportionate government powers to access encrypted data, which may:

> “Set a damaging precedent and encourage abusive regimes around the world to take similar actions.”

The Electronic Frontier Foundation (EFF) stated:

> “Encryption is one of the best ways we have to reclaim our privacy and security in a digital world filled with cyberattacks and security breaches, and there’s no way to weaken it in order to only provide access to the good guys.”

The main goal for the Home Office is an optional feature that turns on end-to-end encryption for backups and other data stored in iCloud. This feature is called Advanced Data Protection. Enabling Advanced Data Protection (ADP), protects the majority of your iCloud data — including iCloud Backup, Photos, Notes, and more — using end-to-end encryption.

For some time, these backups presented law enforcement agencies with a loophole to obtain access to data otherwise not available to them on iPhones with device encryption enabled. If the user hasn’t enabled ADP, this loophole still exists.

The EFF recommends users should turn off the option to create iCloud backups should the UK get its way. As the EFF has said before, and we agree, there is no backdoor that only works for the “good guys” and only targets “bad guys.” It’s all or nothing, and the bad guys will have enough money to find alternatives, while regular users may run out of free options if governments keep doing this.

**What can I do?**

How you wish to proceed after this news is obviously up to you, but we have some options you may be interested in. If you think Apple will stand up against the UK’s Home Office you can enable iCloud backup and Advanced Data Protection.

But if you want to find another place for your backups, these instructions may come in handy.

****How to turn off iCloud backups********On iPhone or iPad****

*   Tap **Settings** > {username} > **iCloud On your iPhone or iPad**.
*   This will list the devices with iCloud Backup turned on.
*   To delete a backup, tap the name of a device, then tap **Turn Off and Delete from iCloud** (or **Delete & Turn Off Backup**).

iCloud backup disabled

****On Mac****

*   Click **Manage** > **Backups**.
*   A list of devices that have iCloud Backup turned on is shown.
*   To delete a backup, select a device, then click **Delete** or the **Remove** button.

Note: If you turn off iCloud Backup for a device, any backups stored in iCloud are kept for 180 days before being deleted.

**How to turn on Advanced Data Protection**

If you haven’t enabled ADP and you want it, first update the iPhone, iPad, or Mac that you’re using to the latest software version.

Turning on ADP on one device enables it for your entire account and all your compatible devices.

****On iPhone or iPad****

1.  Open the **Settings** app.
2.  Tap your name, then tap **iCloud**.
3.  Scroll down, tap **Advanced Data Protection**, then tap **Turn on Advanced Data Protection**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

****On Mac****

1.  Choose **Apple menu** > **System Settings**.
2.  Click your name, then click **iCloud**.
3.  Click **Advanced Data Protection**, then click **Turn On**.
4.  Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Note: If you’re not able to turn on Advanced Data Protection for a certain period of time, the onscreen instructions may provide more details.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple ordered to grant access to users&#8217; encrypted data 

SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks.

Threat analysts have identified a new and emerging threat: a variant of the SystemBC RAT (Remote Access Trojan) that is now actively targeting Linux-based platforms. This development puts corporate networks, cloud infrastructures, and IoT devices at risk.

The latest version of SystemBC RAT is more stealthy and harder to detect, using encrypted communication to stay hidden while letting attackers move freely through compromised systems.

****SystemBC RAT: From Windows to Linux****

SystemBC is a Remote Access Trojan (RAT) commonly used in cyberattacks to provide attackers with remote control over infected systems. 

Initially a Windows-only threat, it has now expanded to Linux, making it even more dangerous as Linux-based servers are widely used in enterprise environments.

ANY.RUN’s analysts compared SystemBC’s Windows and Linux traffic

****What Makes the Linux Version of SystemBC RAT Dangerous?****

Let’s look at how this malware operates and why it poses a serious threat to Linux-based systems.

****Encrypted Communication with C2 Servers****

The SystemBC RAT for Linux maintains encrypted communication with C2 servers using the same custom protocols as its Windows counterpart. 

This allows attackers to keep a stable connection across a unified infrastructure of both Windows and Linux implants, making it easier to control infected machines without raising suspicion.

While SystemBC RAT is designed to keep its C2 communication encrypted and hidden, it becomes fully visible inside an ANY.RUN analysis session. By running a real sample in the sandbox, security teams can see the malware’s network connections, file modifications, and process activities in real time.

**View ANY.RUN analysis session**

SystemBC RAT analyzed inside ANY.RUN sandbox

Below the Linux Virtual Machine window, all network connections and system modifications related to this specific attack are clearly displayed. 

Suricata rule triggered by SystemBC RAT

In the Threats section, we can see that an alert was triggered by the Suricata rule: “Malware Command and Control Activity Detected – BOTNET SystemBC.Proxy Connection.” This immediate detection allows analysts to track the infection process and understand how the malware operates.

****Proxy Implant for Lateral Movement****

The malware operates as a proxy implant, meaning it can facilitate lateral movement within a compromised network without deploying additional, easily detectable tools. This makes it a powerful weapon for attackers who seek persistence and deeper infiltration within corporate infrastructures.

****Evasion of Traditional Detection****

One of the most concerning aspects is that security vendors struggle to detect this version as belonging to the SystemBC family. This stealthy approach allows the RAT to remain undetected for extended periods, making it a persistent threat.

****Sandbox and Virtualization Evasion****

Besides signature-based evasion, SystemBC also detects virtualized environments to resist dynamic analysis. In a real ANY.RUN analysis session mentioned above, the MITRE ATT&CK framework flags reveal “Virtualization/Sandbox Evasion- System Checks,” showing that the malware actively performs system checks to determine if it’s running inside a security sandbox or virtual machine. 

By identifying these environments, SystemBC can alter its behaviour or terminate execution, helping attackers bypass automated malware analysis tools while remaining fully operational on real infected systems.

Defense evasion techniques and tactics detected by ANY.RUN sandbox

****Integration with Other Malware Strains****

SystemBC is rarely deployed on its own. It often works alongside other malware to expand an attack’s impact. In Windows attacks, it has been observed delivering ransomware like Ryuk and Conti, as well as banking trojans and infostealers. 

With its new Linux variant, similar threats will likely follow, putting enterprise servers and cloud environments at greater risk of data theft, ransomware encryption, and persistent backdoor access.

****Unmasking Hidden Threats Before They Strike****

Cyber threats are getting smarter, and businesses can’t afford to play catch-up. With SystemBC RAT now hitting Linux, attackers have a new way to hide C2 traffic, move through networks unnoticed, and drop additional malware. Traditional security tools often miss these stealthy tactics, leaving corporate networks, and critical infrastructure at risk.

However, with tools like ANY.RUN interactive sandbox, hidden doesn’t mean unstoppable. Your security team can:

*   Analyze threats safely in a controlled environment.
*   Respond faster, containing threats before they spread and cause real harm.
*   Spot evasion techniques before they do damage, exposing how threats slip past defences.
*   Extract key IOCs, strengthening your threat intelligence and prevention strategies.
*   See hidden malware behaviours in real-time, from network traffic to system changes.

SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.

CVE-2025-21179: DHCP Client Service Denial of Service Vulnerability

CVE-2025-21349: Windows Remote Desktop Configuration Service Tampering Vulnerability

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?**

The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

Tag

#mac