janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4h4x-4m75-47j4: depath and cool-path vulnerable to Prototype Pollution via `set()` Method

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

GHSA-799q-f2px-wx8c: @alizeait/unflatto Prototype Pollution via `exports.unflatto` Method

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities for years to conduct highly effective phishing campaigns.

According to researchers, this operation utilizes a phishing-as-a-service (**PhaaS**) platform, enabling both technical and non-technical cybercriminals to launch targeted attacks.

The platform is equipped with tools to bypass security systems, including the exploitation of open redirects on adtech servers, redirection through **compromised WordPress websites**, and the use of DNS MX records to identify victim email service providers. Also, they use mass spam delivery and dynamic content tailoring to evade traditional security measures.

“We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands,” researchers noted in the **blog pos**t, shared with Hackread.com ahead of its release.

Regarding the distribution of spam emails, the platform’s primary attack vector, researchers observed a distinct centralization pattern, with a considerable portion originating from servers hosted by iomart (United Kingdom) and HostPapa (United States), indicating a unified network rather than dispersed activity from multiple independent entities.

Top 10 Popular ISPs (Source: Infoblox)

Morphing Meerkat uses a dynamic serving of fake login pages customized to the victim’s email service provider by querying **DNS MX records** using Cloudflare DoH or Google Public DNS. The platform maps these records to corresponding phishing HTML files, featuring over 114 unique brand designs, ensuring a personalized phishing experience and increasing the likelihood of successful credential theft.

The operation has evolved significantly since its detection in January 2020. Initially, it targeted only five email brands (Gmail, Outlook, AOL, Office 365, and Yahoo) and lacked translation capabilities. By July 2023, it had integrated DNS MX records-based dynamic loading of phishing pages and now supports dynamic translation into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese.

To harvest stolen credentials, they utilize several methods, including email delivery via EmailJS, **PHP scripts**, **AJAX** requests, and communication with Telegram channels using web API hooks. The platform also implements anti-analysis measures, such as disabling keyboard shortcuts and mouse right-clicks and obfuscating code to hinder security researchers.

 As Infoblox points out, “moderately advanced internet users and security researchers often verify the malicious state of a phishing webpage by examining its HTML code.” Morphing Meerkat counters this by actively blocking such inspection.

Morphing Meerkat Attack Chain (Source: Infoblox)

The use of **open redirect vulnerabilities** on adtech platforms, particularly DoubleClick, allows the threat actors to bypass email security systems by leveraging the domain’s high reputation. The platform also employs cloaking techniques, redirecting users to legitimate login pages and inflating code with non-functional elements, complicating threat analysis.

Considering the platform’s potential to exploit security blind spots through open redirects, DoH communication, and file-sharing services, it is essential that organizations strengthen DNS security, restrict DoH communication, and limit access to non-essential infrastructure to prevent exploitation.

New Morphing Meerkat Phishing Kit Exploits DNS to Spoof 100+ Brands

Let’s face it: Rolling out new software across an entire organization can feel like herding cats. Between data…

Let’s face it: Rolling out new software across an entire organization can feel like herding cats. Between data migration, staff training, and system integration, it’s easy to hit roadblocks before you even get started. But when it comes to computerized maintenance management software, the payoff is worth it and then some.

In fact, a report from McKinsey & Company found that digitizing maintenance operations can reduce equipment downtime by up to 30% and cut maintenance costs by 20%, a serious win for any organization. The key? Start with a solid plan. In this guide, we’ll walk through every step of the process, from evaluating your needs to tracking long-term success so your team can hit the ground running and get real results faster.

****Understanding CMMS Software****

To implement this, understanding computerized maintenance management software should be in place. It is used to manage maintenance, track work orders, and organize asset information. Digitizing these processes helps companies work efficiently and minimize downtime. Understanding the value makes it easier to win over stakeholders.

****Assess the Needs of the Organization****

Since there are specific needs unique to every organization, analyzing your exact requirements is the key. Internal audit helps you understand how maintenance is conducted every day, spot potential developments, and prioritize them. This evaluation assists in choosing a CMMS that meets the needs of the organization.

****Selecting the Right CMMS****

There are many variables to consider when selecting the right software. Prioritize features based on the organization’s needs identified earlier. This includes important features such as being easy to use, the ability to scale with your business, and the ability to integrate with the rest of the system that already exists. Getting feedback from other users or expert opinions can help you figure it out, too.

****Building a Dedicated Team****

Teamwork is needed to make the software integration successful. The team should include a mixture of people across departments, such as IT and maintenance. Their expertise will make for a smooth implementation. Clearly defined roles and responsibilities should help maintain focus and test ownership during each step in the process.

****Scheduling the Relevancy Phases****

You also need to have a realistic timeline for when you think things should happen. That way, each phase gets proper care and attention. Organize it around major milestones, software installation, data migration, and training sessions, leaving room for the unexpected. It is important to review progress regularly to keep the project on track.

****Data Migration and Data Integration****

Moving data from current systems to your new CMMS needs to be planned out well. Without correct and complete data migration, it will not be effective. Take into account the complexity and amount of data to decide how this transfer will be done to guarantee easy functionality with other systems of the organization.

****Training and Support****

To successfully adopt these tools, offices must ensure that staff is trained with all the required skills. Conduct extensive training sessions on every aspect of the software. You can enhance confidence with practicals done through hands-on practice experiences. When users have access to ongoing support, which is made available through various support channels, they can transition to the new tool or system while receiving assistance whenever they require it.

****Testing and Feedback****

Tests help identify potential issues before rolling out on a full scale. They allow the team to check on the software’s performance and identify any hiccups for the pilot run. You can use this stage to refine your app with user feedback. By practicing this way, you lower the risk of disruption during the actual launch itself.

****Monitoring and Evaluation****

Following implementation, regular monitoring is critical. Assess system performance periodically to determine if it continues to align with organizational requirements. Decide how you are going to measure success; in other words, create KPIs. Reviewing these metrics allows the identification of areas for improvement and guides future strategic decision-making.

****Continuous Improvement****

Your work doesn’t end after the implementation is done. Your commitment to continuous improvement must remain unchanging. Solicit user feedback to track any changing requirements. Keeping the software updated helps keep it aligned with organizational objectives. Your action-minded strategy is the recipe for success.

****Conclusion****

CMMS signals a substantial improvement in the operation of maintenance throughout an organization. Businesses can transition into the software smoothly by learning the software, identifying needs, and using a process to migrate. The software’s effectiveness is also ensured through continuous evaluation and improvement. Those organizations that embrace this change set themselves up for quicker and more productive changes.

Image by EstudioWebDoce from Pixabay.

How to Implement CMMS Software in Your Organization

The phishing campaign is highly sophisticated!

Silent Push uncovers an alleged Russian intelligence phishing campaign impersonating the CIA, targeting Ukraine supporters, anti-war activists and informants.

Cybersecurity researchers at Silent Push have discovered a complex and extensive phishing operation, allegedly launched by Russian Intelligence Services or a similarly motivated entity, targeting individuals who support Ukraine and oppose the Russian government.

The campaign, which surfaced in early 2025, employed fake website lures to gather personal information from Russian citizens and informants. This was a particularly sensitive endeavour given the illegality of anti-war activities within the Russian Federation.

The phishing sites collected user input using a combination of static HTML and JavaScript. Data exfiltration was often facilitated through simple POST requests to threat-actor-controlled servers or through the abuse of Google Forms.

Researchers identified four distinct phishing clusters, each impersonating a prominent organization: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit, an appeals hotline for Russian service members operated by Ukrainian intelligence.

It is worth noting that the CIA has also been actively encouraging Russian citizens to share secret information with the agency through its official darknet site, offering a secure and anonymous way to communicate.

As for the latest campaign, despite their well-planned impersonations, these clusters share a common objective: the illicit collection of personal data. As noted by the legitimate Liberty of Russia Legion in a March 14, 2024, X post, “We remind you that the only official telegram channel of the Legion is listed on our website: hxxps://legionlibertyarmy. Do not be fooled by fakes. Do not fall into the traps of the security forces of the Putin regime!”

The threat actors utilized a bulletproof hosting provider, Nybula LLC (ASN 401116), to host phishing pages designed to mimic the official websites of these organizations. This tactic, along with the use of Google Forms and website forms to gather data, reveals a sophisticated attempt to deceive and extract sensitive information from unsuspecting victims.

The campaign’s infrastructure analysis revealed interconnectedness across the four clusters, with shared technicalities such as the WHOIS organization name “Semen Gerda,” similar metadata, and common registration through the NiceNIC registrar.

The phishing pages employed various tactics to lure victims. For instance, the rusvolcorpsnet domain lured users with a “Join Here” button, leading to a Google Form requesting detailed personal information. Similarly, the legionlibertytop domain used a blue “Join” button to direct users to a legitimate Google Form, while a green button led to a form controlled by the threat actors.

CIA impersonation involved the creation of domains like ciagovicu and jagotovoffcom, which featured suspicious web forms and embedded illegitimate .onion links. The threat actors even manipulated YouTube content, replacing official CIA links with their phishing domains.

Conversely, the Hochuzhit cluster, targeting Russian service members seeking to surrender, utilized domains like hochuzhitlifecom and hochuzhitlife. Silent Push Threat Analysts, in collaboration with security researcher Artem Tamoian, uncovered additional domains and infrastructure, including legionllbertyarmy, which was hosted on Cloudflare.

Silent Push’s attribution to Russian intelligence services is based on several factors, including the campaign’s focus on targets of strategic interest to the Russian government, the observed TTPs that align with known Russian state-sponsored actor behaviour, and the persistent impersonation of the CIA for intelligence gathering purposes.

Researchers concluded that all domains associated with this Russian Intelligence Agency campaign pose massive privacy and security risks, highlighting the importance of caution and stronger cybersecurity measures.

Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters

Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Friday, March 28, 2025 06:00

*   Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024. 
*   The file names use Russian words related to the movement of troops in Ukraine as a lure. 
*   The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
*   The second stage payload uses DLL side loading to execute the Remcos payload. 
*   Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Phishing campaign using the invasion of Ukraine as a theme **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name 

Translation 

3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk 

3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk 

3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk 

3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk 

3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk 

3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk 

3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk 

3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk 

Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk 

Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk 

ГУР'ЄВ Павло Андрійович.docx.lnk 

GUR'EV Pavlo Andriyevich.docx.lnk 

Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk 

Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk 

Позиции противника запад и юго-запад.xlsx.lnk 

Positions of the enemy west and southwest.xlsx.lnk 

РИБАК Станіслав Вікторович.docx.lnk 

RYBAK Stanislav Viktorovich.docx.lnk 

ШАШИЛО Олександр Віталійович.docx.lnk 

SHASHILO Oleksandr Vitaliyevich.docx.lnk 

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the "Any.run” public sandbox: 

*   https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be 

**Network infrastructure associated with Campaign **

The servers used in this campaign are mostly hosted in two Internet Service Providers (ISP): GTHost and HyperHosting: 

IP 

ASN 

ISP 

146\[.\]185\[.\]233\[.\]96 

63023 

gthost 

146\[.\]185\[.\]233\[.\]101 

63023 

gthost 

146\[.\]185\[.\]239\[.\]45 

63023 

gthost 

80\[.\]66\[.\]79\[.\]91 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]195 

60602 

hyperhosting 

81\[.\]19\[.\]131\[.\]95 

63023 

ispipoceanllc 

80\[.\]66\[.\]79\[.\]159 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]200 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]155 

60602 

hyperhosting 

146\[.\]185\[.\]239\[.\]51 

63023 

gthost 

146\[.\]185\[.\]233\[.\]90 

63023 

gthost 

146\[.\]185\[.\]233\[.\]97 

63023 

gthost 

146\[.\]185\[.\]233\[.\]98 

63023 

gthost 

146\[.\]185\[.\]239\[.\]47 

63023 

gthost 

146\[.\]185\[.\]239\[.\]56 

63023 

gthost 

146\[.\]185\[.\]239\[.\]33 

63023 

gthost 

146\[.\]185\[.\]239\[.\]60 

63023 

gthost 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs show an invalid entry that is quite unique: 

Figure: Reverse DNS resolution for Gamaredon's campaign. Modeled using Crime Mapper (by @UK\_Daniel\_Card) 

While this doesn't necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign: 

**DLL sideloading used to load Remcos backdoor **

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application which in turn loads the malicious DLL via DLL sideloading method. This file is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

*   DefenderUpdate/DPMHelper.exe 
*   DefenderUpdate/DZIPR.exe 
*   DefenderUpdate/IDRBackup.exe 
*   DefenderUpdate/IUService.exe 
*   DefenderUpdate/madHcCtrl.exe 
*   DefenderUpdate/palemoon.exe 
*   Drvx64/Compil32.exe 
*   Drvx64/IsCabView.exe 
*   Drvx64/TiVoDiag.exe 
*   Drvx64/WiseTurbo.exe 
*   SecurityCheck/Mp3tag.exe 
*   SysDrive/AcroBroker.exe 
*   SysDrive/DPMHelper.exe 
*   SysDrive/IsCabView.exe 
*   SysDrive/palemoon.exe 
*   SysDrive/SbieSvc.exe 
*   SysDrive/steamerrorreporter64.exe 
*   SysDrive/TiVoDiag.exe 
*   SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146\[.\]185\[.\]233\[.\]96 on port 6856: 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3:  301171 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has…

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has ever released. It’s such an embarrassment that the movie isn’t even available on Disney’s own streaming platform, Disney+.

According to cybersecurity researchers at Veriti, scammers are exploiting the situation by offering pirated versions of Snow White, specifically targeting torrent users and tricking them into downloading malware.

Screenshot credit: Hackread.com via IMDb

****The Lure of a Pirated Download****

On March 20th, what initially appeared to be a legitimate blog post on the website “TeamEsteem” (teamesteemmethodcom) offered a pirated version of the 2025 Snow White movie. The post provided a magnet torrent link that appeared safe but was actually a trap. Researchers identified the torrent file as a malicious campaign designed to compromise users’ devices.

According to the company’s blog post shared with Hackread.com, the torrent link led to a package of three files. While it might have seemed like a standard movie download, it was anything but. Veriti found that 45 people were already sharing or “seeding” the file, which could include both unsuspecting victims and attackers working to spread the trap faster.

****A Fake Codec That “Spells” Trouble****

When users downloaded the torrent, they didn’t get a movie. Instead, they got a bundle of files, including a README document and a suspicious file named “xmph_codec.exe.” The README claimed the codec file was necessary to play the movie, a common trick used in the early days of online piracy to fool users into installing malicious software.

However, in this case, running the “codec” file triggered a chain of malicious actions on the user’s device, including the following:

*   **Disables Security:** It shuts down Windows Defender and other built-in protections, leaving the device wide open to more attacks.

*   **Installs Malware:** The file was flagged as malicious by 50 out of 73 security tools on VirusTotal, a popular platform for analyzing suspicious files.

*   **Drops More Threats:** It quietly adds additional harmful files to the system, setting the stage for further damage.

*   **Installs TOR Browser:** It downloads and installs the TOR browser, a tool often used to access the Dark Web, without the user’s knowledge.

*   **Connects to the Dark Web:** The malware communicates with a hidden server on the Dark Web (using a .onion address), making it hard for security tools to track or block it.

In short, what looked like a free movie exposes users to data theft or possibly ransomware.

The malicious post on TeamEsteem blog and File breakdown inside the torrent package (Screenshots via: Veriti)

****What’s The Connection with TeamEsteem?****

TeamEsteemMethod.com is the official website of Team Esteem, LLC, a US-based organization founded by Jamie Levine, dedicated to assisting parents, schools, and educators in addressing various childhood challenges.

Veriti’s team believes the attackers behind this campaign managed to get their malicious blog post onto the TeamEsteem website in one of two ways: either by exploiting a vulnerability in the outdated version of the Yoast SEO plugin or by using stolen admin credentials to access the website.

The vulnerability in question is CVE-2023-40680, found in the outdated version of the Yoast SEO plugin, a popular SEO tool used by over 10 million WordPress websites. Alternatively, the attackers may have logged into the site using stolen admin credentials to post the fake blog entry themselves.

Either way, the attackers used the site as a medium to trick users into downloading their malware, banking on the hype around Snow White to draw in victims.

****Not The First Time****

This isn’t the first time cybercriminals have used pirated movies as bait, and it won’t be the last. High-profile releases like Snow White are prime targets because they attract huge interest, especially when legal options are limited. With no streaming release on platforms like Disney+, many fans turn to torrent sites, hoping to save money or time. But as this campaign shows, there’s no such thing as a “free lunch.”

In the past, attackers have exploited the popularity of movies like John Wick 3, Contagion, Black Widow, Joker, Ford v Ferrari, Pirates of the Caribbean, and many others to distribute malware and ransomware.

The good news? You can still avoid falling into traps by avoiding piracy, being cautious with malicious torrents, keeping your anti-malware updated to detect the latest threats, and using common sense.

Fake Snow White Movie Torrent Infects Devices with Malware

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-12905

**tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File**

High severity GitHub Reviewed Published Mar 27, 2025 to the GitHub Advisory Database • Updated Mar 28, 2025

**Affected versions**

< 1.16.4

\>= 2.0.0, < 2.1.2

\>= 3.0.0, < 3.0.7

**Patched versions**

1.16.4

2.1.2

3.0.8

**Description**

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-12905
*   mafintosh/tar-fs@a1dd7e7

Published to the GitHub Advisory Database

Mar 27, 2025

Last updated

Mar 28, 2025

**EPSS score**

GHSA-pq67-2wwv-3xjx: tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. 
If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected.

This issue affects Apache Kylin: from 4.0.0 through 5.0.1.

Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.

Tag

#web