Malware Activity
Sophisticated Malware Campaigns Targeting Data and Finance
Recent cybersecurity investigations reveal a dual-threat landscape in which cybercriminals employ advanced social engineering and malware techniques to compromise devices and extract sensitive information. One campaign uses a clever ClickFix method, built on fake CAPTCHA pages and malicious PowerShell scripts, to distribute EDDIESTEALER, a modular, Rust-based stealer that evades detection through encrypted, self-deleting operations and targets credentials, cryptocurrency wallets, and browser data. Simultaneously, a spear-phishing campaign leverages legitimate remote access tools like NetBird, combined with multi-stage encrypted links, to silently establish persistent control over financial and corporate systems. These campaigns exemplify a broader shift toward sophisticated, language-agnostic malware and the strategic use of trusted platforms, posing significant challenges for organizations striving to protect sensitive data amid rapidly evolving cyber threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: EDDIESTEALER Malware Uses ClickFix article
- TheHackerNews: Fake Recruiter Emails Target CFOs article
Threat Actor Activity
'Russian Market' is the Leading Marketplace for Stolen Credentials from Infostealers
The "Russian Market" cybercrime marketplace has become a leading platform for trading credentials stolen by information stealer malware. Although it has been active for about six (6) years and gained popularity by 2022, the market's prominence surged following the takedown of the Genesis Market, which left a void in the cybercrime landscape. Despite 85% of the credentials being "recycled" from existing sources, the marketplace attracts a large audience with its diverse offerings and low prices, with some logs available for as little as $2. Infostealer logs, typically text files generated by malware, contain a wealth of stolen information such as account passwords, session cookies, credit card data, cryptocurrency wallet information, and system profiling data. These logs can include thousands of credentials, making the total number potentially reach hundreds of millions. Once collected, the data is uploaded to an attacker's server for further malicious activities or sale on platforms like the Russian Market. Infostealers are increasingly targeting enterprises to obtain session cookies and corporate credentials. Researchers noted that 61% of logs on the Russian Market include SaaS credentials from platforms like Google Workspace, Zoom, and Salesforce, while 77% contain Single Sign-On (SSO) credentials. These compromised accounts provide attackers with access to critical systems and sensitive data. Lumma stealer previously dominated the market, accounting for 92% of credential logs, but its operations were disrupted by a global law enforcement action that seized 2,300 domains. As a result, a new infostealer named Acreed has rapidly gained traction, with over 4,000 logs uploaded in its first week. Acreed targets data stored in browsers like Chrome and Firefox, including passwords, cookies, cryptocurrency wallets, and credit card details. Infostealers infect users via phishing emails, "ClickFix" attacks, malvertising, and videos on platforms like YouTube and TikTok. 
To mitigate these risks, CTIX analysts recommend vigilance and safe software download practices.
Vulnerabilities
Critical RCE Vulnerability in Cisco IOS XE Exposes Wireless Controllers to Unauthenticated Exploits
A critical remote code execution vulnerability in Cisco IOS XE has been disclosed and analyzed in depth, revealing significant exploitation risks. The flaw, tracked as CVE-2025-20188 with a CVSS score of 10, affects various Cisco Catalyst 9800 wireless controller models and stems from a hardcoded JSON Web Token (JWT) fallback secret ("notfound") used by backend Lua scripts in the Out-of-Band Access Point (AP) image download feature. When this feature is enabled, unauthenticated attackers can craft HTTPS requests to port 8443, leveraging the weak JWT validation and insufficient path sanitization to perform arbitrary file uploads, path traversal, and ultimately execute commands with root privileges. Horizon3.ai's technical analysis demonstrated that attackers can generate valid JWTs without knowing any real secrets and exploit services like pvp.sh, which monitor specific directories, to trigger configuration file reloads that run attacker-controlled commands. While no ready-made exploit has been released, the detailed information now available makes weaponization highly feasible. Cisco released patches on May 7, 2025, and strongly advises affected users to upgrade to IOS XE version 17.12.04 or later, or to disable the vulnerable feature if immediate patching is not possible. CTIX analysts recommend that any affected readers ensure their controllers are patched to prevent future exploitation.
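As an added illustration (not code from the CTIX article, Cisco, or Horizon3.ai), the following script triages a constructed controller inventory against the two conditions the advisory summary describes: running an IOS XE release below 17.12.04 and having the Out-of-Band AP image download feature enabled. Hostnames, versions and feature states are made up, and the fixed-version threshold encodes only what the article states; Cisco's own fixed-release table should be consulted for other release trains.

```python
# Added example: triage wireless controllers for CVE-2025-20188 exposure.
# Exposure requires BOTH an unfixed IOS XE release AND the vulnerable
# Out-of-Band AP image download feature being enabled; the mitigation is
# to patch, or to disable the feature until patching is possible.
import re

FIXED_VERSION = "17.12.04"  # first fixed release named in the article (assumption: sole threshold)


def parse_version(v):
    """Turn a Cisco release string such as '17.12.03a' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {v!r}")
    major, minor, patch, rebuild = m.groups()
    # Letter rebuilds (e.g. '03a') sort after the bare release ('03').
    return (int(major), int(minor), int(patch), rebuild)


def is_fixed(version):
    """True when the release is 17.12.04 or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(controller):
    """Classify one controller; returns (status, recommended action)."""
    if is_fixed(controller["version"]):
        return ("patched", "none")
    if controller["oob_ap_image_download"]:
        return ("exposed", "patch now; if not immediately possible, disable the feature")
    return ("vulnerable-not-exposed", "patch; keep the feature disabled until then")


def triage_inventory(inventory):
    """Map hostname -> (status, action) for every controller in the inventory."""
    return {c["host"]: triage(c) for c in inventory}


# Constructed sample inventory (hostnames, versions and feature state are made up).
SAMPLE_INVENTORY = [
    {"host": "wlc-hq-01", "version": "17.12.03a", "oob_ap_image_download": True},
    {"host": "wlc-hq-02", "version": "17.12.04", "oob_ap_image_download": True},
    {"host": "wlc-branch-03", "version": "17.9.5", "oob_ap_image_download": False},
]

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:24} {action}")
```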