SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Learn about the BadSuccessor attack and mitigation steps.

A significant security flaw has been uncovered in Windows Server 2025, posing a serious threat to organizations utilizing Active Directory (AD). Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.

****The BadSuccessor Attack Explained****

According to Akamai’s research, shared exclusively with Hackread.com, the vulnerability exploits a new feature introduced in Windows Server 2025 called delegated Managed Service Accounts (dMSAs). For your information, dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to _inherit_ permissions from an older account it replaces.

However, Gordon’s research revealed a critical oversight in this process. Attackers can simulate this migration by simply modifying two attributes on a dMSA object: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. By setting the first attribute to reference a target user and the second to “2” (indicating migration completion), an attacker can trick the system into believing a legitimate migration occurred.

This deceptive act, dubbed _BadSuccessor_ by the researchers, allows the attacker’s dMSA to automatically gain all the permissions of the targeted user, including highly privileged accounts like Domain Admins. Crucially, this attack doesn’t require any direct permissions on the targeted user’s account itself, only the ability to create or control a dMSA.

****Widespread Impact and No Immediate Patch****

The implications of this discovery are far-reaching. Akamai’s analysis revealed that in 91% of tested environments, users outside the domain admins group already possessed the necessary permissions to execute this attack. This highlights the widespread potential for compromise across organizations that rely on Active Directory.

Even more concerning, Microsoft has acknowledged the issue after a report on April 1, 2025, but currently has no patch available. While Microsoft has assessed the vulnerability as Moderate severity, citing that initial exploitation requires existing permissions on a dMSA object, Akamai researchers strongly disagree.

They emphasize that the ability to create a new dMSA, a benign permission often granted to users, can lead to full domain compromise. They compare its impact to highly critical attacks like DCSync.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” researchers wrote in the blog post.

****Proactive Measures and Ongoing Risks****

With no immediate fix from Microsoft, organizations are urged to take proactive steps to reduce their exposure. Key recommendations include monitoring for new dMSA objects, modifying the msDS-ManagedAccountPrecededByLink attribute, tracking dMSA authentication events, and reviewing permissions on Organizational Units (OUs).

As Windows Server 2025 becomes more widely adopted, organizations must prioritize understanding and mitigating the risks associated with its new features.

BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover

A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.

A newly disclosed vulnerability in Google Chrome and Chromium-based browsers is putting users at risk of data leaks. Tracked as CVE-2025-4664, the flaw allows attackers to extract sensitive information like login tokens and session IDs from previously visited websites.

The security issue was detailed today by Wazuh, a cybersecurity company specializing in open-source threat detection. It affects users on both Windows and Linux, including Debian and Gentoo systems.

****How It Works****

The issue resides in the Chrome’s handling of the Link HTTP header when loading sub-resources like images and scripts. While most browsers ignore referrer policies in these headers, Chrome accepts them, even on cross-origin requests. That means an attacker can intentionally set a relaxed policy, such as unsafe-url, to access full referrer URLs.

These URLs can include sensitive data from other sites a user recently visited. If an attacker controls the destination server, they can quietly collect that data without the user knowing.

****Who’s Affected****

Users on the following systems are vulnerable if their browsers have not been updated:

*   **Windows**: Google Chrome versions before 136.0.7103.113

*   **Debian 11 Linux**: Chromium up to version 120.0.6099.224

*   **Gentoo Linux**: Chrome or Chromium versions before 136.0.7103.113

****What to Do****

Google has issued an emergency update to fix the vulnerability in Chrome on Windows and Chromium on Gentoo Linux. Debian users should uninstall affected versions of Chromium until a patched version becomes available.

****How to Manually Update Chrome (If auto-update is turned off)****

If Chrome isn’t updating automatically, follow these steps to make sure you’re running the latest version and protected against CVE-2025-4664:

1.  **Open Chrome** – Launch Google Chrome on your device.
2.  **Go to the Menu** – Click the three vertical dots in the top-right corner of the browser window.
3.  **Select “Help” → “About Google Chrome”** – This will open a new tab that shows your current version and automatically checks for updates.
4.  **Wait for Chrome to Check for Updates** – If a newer version is available, Chrome will start downloading it right away.
5.  **Click “Relaunch”** – Once the update is downloaded, click “Relaunch” to restart the browser and complete the installation.

****Check Update Status After Relaunch****

To confirm the update, go back to **Help > About Google Chrome**. The browser should now show the latest version number and the message “Google Chrome is up to date.”

If you’re on Windows, make sure the Chrome Update service is enabled in your system settings or through the Group Policy Editor. On Linux systems, especially those using Chromium, updates may require package manager commands or manual downloads depending on the distribution.

Wazuh’s blog post explains the importance of proactive vulnerability detection. Their tools provide real-time tracking and insights that help administrators stay on top of security threats, especially when zero-day flaws like this one come into play.

Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Friday, May 23, 2025 06:00

_By Darin Smith and John Arneson_

*   Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
*   Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
*   Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

**Research Methodology ****Hypothesis**

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

**Data Collection **

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell\_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

**Data Processing**

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

**Threat Intelligence and Manual Review **

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

**Findings & Analysis ****Domain Contact Distribution **

The distribution of contacts was heavily skewed: 

*   **Percentiles**: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
*   **Top Domains**: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
    *   Automox is a service for automated endpoint configuration and patch management.
    *   LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
    *   Amazon Web Services (AWS) is the largest cloud service provider. 
*   **Rare Domains**: 550 of 742 domains fell into the rare category.

Figure 1. Cumulative distribution of domain contact frequencies. 

**Malicious Domain Statistics **

*   **Rare Domains**: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
*   **Non-Rare Domains**: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
*   **Odds Ratio**: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Figure 2. Malicious rates by domain rarity.

**Case Study: githubusercontent.com **

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

**Comparison to other Processes **

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

*   ‘rundll32.exe’ 
*   Python (including macOS and Windows versions) 
*   ‘cmd.exe’ 
*   ‘cscript.exe’ 
*   ‘wscript.exe’ 
*   ‘bash’ 
*   ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

**Recommendations **

*   **Prioritize Rare Domains**: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
*   **Subdomain Analysis**: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
*   **Integrate Manual Review**: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
*   **Investigate Anomalous Utilization of ‘wscript.exe’:** Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

**Future Work **

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Scarcity signals: Are rare activities red flags?

A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03, where the application attempts to load a library named CylonLicence via System.loadLibrary("CylonLicence") without a full path, falling back to the standard library search order. If an attacker can plant a malicious CylonLicence.dll in a writable directory that is searched before the legitimate library path, this DLL will be loaded and executed with the privileges of the user running the application. This flaw enables arbitrary code execution and can be exploited for privilege escalation or persistence, especially in environments where the application is executed by privileged users.

Title: ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting  
Advisory ID: ZSL-2025-5952  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 22.05.2025

**Summary**

ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment (IDE) for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface (GUI) solutions, containing a library of logical and graphical widgets. It allows users to monitor and control facilities from anywhere, providing insights into building performance and enabling timely reactions to issues.

**Description**

A DLL hijacking vulnerability exists in Aspect-Studio version 3.08.03, where the application attempts to load a library named CylonLicence via System.loadLibrary("CylonLicence") without a full path, falling back to the standard library search order. If an attacker can plant a malicious CylonLicence.dll in a writable directory that is searched before the legitimate library path, this DLL will be loaded and executed with the privileges of the user running the application. This flaw enables arbitrary code execution and can be exploited for privilege escalation or persistence, especially in environments where the application is executed by privileged users.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

ASPECT-Studio <=3.08.03

**Tested On**

Microsoft Windows 10 Home (EN)  
OpenJDK 64-Bit Server VM Temurin-21.0.6+7

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[21.05.2025\] No response from the vendor.  
\[22.05.2025\] Public security advisory released.

**PoC**

CylonLicence.cpp

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5951.php  
\[2\] https://packetstorm.news/files/id/194981/  
\[3\] https://www.exploit-db.com/exploits/52306

**Changelog**

\[22.05.2025\] - Initial release  
\[26.05.2025\] - Added reference \[2\] and \[3\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

ABB Cylon Aspect Studio 3.08.03 (CylonLicence.dll) Binary Planting

The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users' group.

Title: ABB Cylon Aspect Studio 3.08.03 Insecure Permissions  
Advisory ID: ZSL-2025-5951  
Type: Local/Remote  
Impact: Privilege Escalation  
Risk: (3/5)  
Release Date: 22.05.2025

**Summary**

ABB Cylon ASPECT Studio is a graphical programming tool and integrated development environment (IDE) for ABB Cylon ASPECT products. It's used to engineer comprehensive area control and graphical user interface (GUI) solutions, containing a library of logical and graphical widgets. It allows users to monitor and control facilities from anywhere, providing insights into building performance and enabling timely reactions to issues.

**Description**

The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users' group.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

ASPECT-Studio <=3.08.03

**Tested On**

Microsoft Windows 10 Home (EN)  
OpenJDK 64-Bit Server VM Temurin-21.0.6+7

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[21.05.2025\] No response from the vendor.  
\[22.05.2025\] Public security advisory released.

**PoC**

abb\_aspect\_perm1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://packetstorm.news/files/id/194980/

**Changelog**

\[22.05.2025\] - Initial release  
\[26.05.2025\] - Added reference \[1\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

ABB Cylon Aspect Studio 3.08.03 Insecure Permissions

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected…

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected using infostealer malware.

Cybersecurity researcher Jeremiah Fowler has discovered a misconfigured and unprotected database, containing over 184 million unique login names and passwords. According to Fowler’s research, shared with Hackread.com, this exposed collection amounted to approx. 47.42 gigabytes of data.

****A Massive Data Leak****

The database, which was not secured by a password or encryption, stored credentials for numerous online services. These included popular email providers, major tech platforms like Microsoft, and social media sites such as Facebook, Instagram, Snapchat, and Roblox.

Worse, the leak also contained access information for bank accounts, health platforms, and even government portals from various nations, putting unsuspecting individuals at high risk. Fowler confirmed the authenticity of some records by contacting individuals whose emails were found in the database. Several people verified that the listed passwords were indeed accurate and valid ones.

Upon discovery, Fowler quickly notified the hosting provider, and the database was removed from public access. The database’s IP address pointed to two domain names, one of which appeared to be unregistered. Due to private registration details, the true owner of this data cache remains unknown.

It’s also unclear how long this sensitive information was exposed or if other malicious actors had accessed it before its discovery. Since the hosting provider did not reveal customer details, the purpose of the data collection whether for criminal activity or legitimate research with an oversight.

****The Infostealer Connection****

From the looks of it, the database belonged to cybercriminals who were collecting data using infostealers and ended up exposing their own database in the process. Infostealers are widely used and effective tools among criminals. In fact, reports have shown that even the US military and FBI have had their systems compromised by infostealers costing as little as $10.

Infostealer malware is specifically designed to secretly collect sensitive information from infected computers, typically targeting login credentials stored in web browsers, email programs, and messaging apps.

Hackread.com’s reporting of the recent coordinated action by Microsoft and Europol to disrupt Lumma Stealer’s infrastructure, which infected over 394,000 Windows computers worldwide, offers a critical insight into the kind of threat highlighted by Fowler’s discovery.

As analysed by Fowler, the data, often raw credentials and URLs for login pages, aligns perfectly with what infostealers like Lumma are designed to steal. Although Fowler could not definitively name the specific malware responsible for the exposed database, the characteristics of the data strongly suggest such a method.

Cybercriminals exposing their own servers is nothing new. Just a few months ago, reports revealed that the well-known ShinyHunters and Nemesis hacking groups collaborated to target and extract data from exposed AWS buckets, only to accidentally leak their own in the process.

****Protection Against InfoStealers****

The availability of millions of login details presents a major advantage for cybercriminals who can exploit them through methods like “credential stuffing attacks” and “account takeovers.” These attacks allow criminals to access personal data, enabling identity theft or financial fraud.

The exposed data can also include business credentials, posing risks of corporate espionage, and even sensitive state networks. Knowing an email and an old password can make phishing and social engineering attacks more convincing.

Fowler urges users to stop using their emails as cold storage, regularly perform password updates, especially in cases of unknown breaches, never reuse unique passwords across accounts, use Two-Factor Authentication (2FA), and enable login notifications or suspicious activity alerts.

Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords

A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD).
"The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement," Akamai security researcher Yuval Gordon said in a

Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.

The US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer).

Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the name we use for a group of malware that collects sensitive information from infected devices and sends the data to an operator. Depending on the type of infostealer and the goals of the operator, infostealers can be interested in taking anything from usernames and passwords to credit card details, and cryptocurrency wallets.

Lumma operates under a malware-as-a-service (MaaS) model, meaning its creators sell access to the malware on underground marketplaces and platforms like Telegram. This model allows hundreds of cybercriminals worldwide to deploy Lumma for their own malicious campaigns.

What makes Lumma particularly dangerous is its wide range of targets and its evolving sophistication. It doesn’t just grab browser-stored passwords or cookies. It’s also capable of extracting autofill data, email credentials, FTP client data, and even two-factor authentication tokens and backup codes, which enables attackers to bypass additional security layers.

As Matthew R. Galeotti, head of the Justice Department’s Criminal Division put it:

> “Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.”

Over the last few months alone, Microsoft identified over 394,000 Windows computers infected with Lumma worldwide. The FBI estimates that Lumma has been involved in around 10 million infections globally.

Using a court order from the US District Court for the Northern District of Georgia, Microsoft’s DCU seized and facilitated a takedown, suspension, and blocking of approximately 2,300 malicious domains that were part of the infostealer’s backbone.

Most of the seized domains served as user panels, where Lumma customers are able to access and deploy the infostealer, so this will stop the criminals from being able to to access Lumma in order to compromise computers and steal victim information.

Government agencies and researchers sometimes alter DNS addresses to lead the traffic to their own servers (called sinkholes). By redirecting the seized domains to Microsoft-controlled sinkholes, investigators can now monitor ongoing attacks and provide intelligence to help defend against similar threats in the future. This takedown slows down cybercriminals, disrupts their revenue streams, and buys time and knowledge for defenders to strengthen security.

**How to protect yourself**

Even with the Lumma infrastructure disrupted, the threat of information stealers remains very real and evolving. Here are some practical steps to reduce your risk:

*   **Use strong, unique passwords** for every account and consider a reputable password manager to keep track of them.
*   **Enable multi-factor authentication (MFA)** wherever possible. Although Lumma tries to bypass 2FA, having it still adds a crucial layer of defense.
*   **Be cautious with emails and downloads.** Lumma often spreads through phishing emails and malicious downloads, sometimes disguised as legitimate CAPTCHAs or antivirus software.
*   **Keep your software and operating system updated** to patch vulnerabilities that malware can exploit.
*   **Regularly monitor your financial and online accounts** for suspicious activity.
*   **Educate yourself about phishing and social engineering tactics** to avoid falling victim to trickery.
*   **Use an up-to-date real-time anti-malware solution** to block install attempts and detect active information stealers.

By understanding how threats like Lumma operate and by taking the necessary steps to protect ourselves, we can reduce the risk of falling prey to these invisible thieves.

You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by a Lumma infostealer. We have many millions of stolen records stemming from Lumma stealers that are being traded on the Dark Web in our database.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#windows