Malware Activity
A Multi-Front Cyberattack Campaign Targets Businesses and Consumers
Cybercriminals are running a multifaceted attack campaign, exploiting a range of vulnerabilities to infiltrate and compromise systems. One front focuses on WooCommerce store owners. WooCommerce administrators face a growing threat from hackers distributing counterfeit security patches that masquerade as legitimate updates and prey on the trust of site owners. Once a rogue patch is installed, it gives the attackers unauthorized access and lets them take control of the entire website. This trend underscores the need for WooCommerce users to remain vigilant and to download updates only from reputable sources; falling for these scams can lead to significant security breaches and data loss.

Simultaneously, a new malware strain known as DslogdRAT is being deployed through vulnerabilities in Ivanti's Endpoint Manager, a popular IT management tool. By leveraging a critical flaw, cybercriminals gain backdoor access to compromised systems, enabling data exfiltration and remote code execution (RCE). The malware showcases advanced capabilities and highlights the ongoing threat posed by targeted exploitation of software vulnerabilities. As organizations continue to rely on such management tools, regular updates and patch management remain essential safeguards against emerging threats like DslogdRAT.

Another threat actor is deploying Earth Kurma, which primarily targets Southeast Asian nations, particularly industries linked to national security and infrastructure. Disguised as legitimate applications, Earth Kurma relies on social engineering to lure users into unwittingly installing the malicious software. The threat is believed to be operated by a state-sponsored group, raising concerns about serious data breaches and espionage.

Finally, a toy company, using a sophisticated but arguably unethical tactic, is leveraging a seemingly harmless "LAGTOY" product to sell access to exploits in its own toys. The company is apparently offering access to vulnerabilities in its products, essentially providing hackers a means to gain unauthorized control. This practice, while presented as addressing security issues, raises significant ethical concerns and opens the door to misuse of the information by malicious actors. The article suggests that this unusual business strategy could have unintended consequences, exposing users of the toys to significant security risks and/or further damaging the company's reputation. Taken together, these campaigns show a sophisticated and diverse threat landscape that demands proactive security measures and robust patch management from businesses of all sizes. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: WooCommerce Admins Targeted By Fake Security Patches
- TheHackerNews: WooCommerce Users Targeted By Fake Patch
- TheHackerNews: Earth Kurma Targets Southeast Asia With Rootkits
- TheHackerNews: ToyMaker Uses LAGTOY To Sell Access To CACTUS Ransomware
- TheHackerNews: DslogdRAT Malware Deployed via Ivanti ICS Zero-Day
Threat Actor Activity
North Korean Hackers Using GenAI to Spread Malware and Get Hired
North Korean threat actors are using sophisticated methods, including generative artificial intelligence (GenAI) and fake companies, to distribute malware and secure illicit employment in U.S. and European tech firms. The operation, known as Contagious Interview, involves setting up front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—in the cryptocurrency consulting industry to spread malware via job interview lures. These companies use job-themed social engineering to lure targets into downloading malware families such as BeaverTail, InvisibleFerret, and OtterCookie under the guise of coding assignments or browser fixes. The threat actors also maintain fraudulent profiles on platforms like LinkedIn and GitHub to strengthen the deception, and use VPNs and proxy services to obscure their activity. The FBI has seized the BlockNovas domain as part of an action against North Korean cyber actors.

The campaign also uses AI to create convincing fake personas, facilitating the hiring of North Korean IT workers at Western companies. These workers, aided by U.S.-based facilitators, often hold multiple high-paying jobs simultaneously and funnel their earnings to the North Korean regime, reportedly via links to the DPRK's Munitions Industry Department. Researchers have highlighted the extensive use of GenAI tools to manage communications, generate resumes, and conduct mock interviews, enabling minimally skilled workers to keep their jobs and earn revenue for North Korea. AI tools also help automate job applications, tailor resumes to pass automated CV scanners, and produce deepfakes for interviews. Despite these efforts, the quality of the deepfakes is not yet sufficient to deceive experienced interviewers. The Justice Department notes that North Korea has potentially earned hundreds of millions of dollars through these schemes.
Companies like Coinbase are adapting their hiring processes, implementing rigorous vetting and requiring in-person contact to mitigate this threat. Okta has introduced features such as ID verification to help companies detect and prevent the hiring of illicit workers.
Vulnerabilities
Zero-Day Remote Code Execution Attack Chain Exploited to Pilfer Data
Two (2) critical zero-day vulnerabilities affecting Craft CMS were actively exploited by threat actors to breach servers, deploy backdoors, and exfiltrate data. The attackers first exploited the vulnerability tracked as CVE-2025-32432, abusing Craft CMS's image transformation feature via unauthenticated POST requests and guessing valid asset IDs to inject malicious PHP session data. They then chained the second vulnerability, tracked as CVE-2024-58136, to trigger execution of this code, installing a PHP file manager and expanding their access; further steps included uploading additional backdoors and exfiltrating data. Python scripts were used to automate asset ID discovery and payload deployment, with improvements observed between February 10 and 14, 2025. As of April 2025, around 13,000 vulnerable Craft CMS instances had been identified, with nearly 300 believed compromised. Craft CMS has patched the flaws in versions 3.9.15, 4.14.15, and 5.6.17; although the default Yii framework version remains outdated, the attack chain is now blocked.

Administrators are urged to refresh security keys, rotate database credentials, force password resets, inspect firewall and web server logs for suspicious POST requests, and block malicious activity at the firewall level. Full indicators of compromise have been provided by SensePost, and this campaign follows earlier CISA warnings about Craft CMS vulnerabilities being exploited in the wild. CTIX analysts urge impacted readers to follow the guidance linked below to prevent future exploitation.
- BleepingComputer: Craft CMS Vulnerabilities
- TheHackerNews: Craft CMS Vulnerabilities
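The Craft CMS guidance above asks administrators to inspect web server logs for suspicious POST requests; the asset ID guessing it describes shows up in an access log as a burst of POSTs from one client to the image-transform action. The script below is an added example, not code from the article or from SensePost or Craft CMS: it parses combined-format access-log lines and flags client IPs that POST to that action many times within a short window. The action path is an assumption and must be confirmed against your own install, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and nginx (one request per line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ASSUMPTION: the image-transform action path to watch; confirm it against your install.
TRANSFORM_ACTION = "actions/assets/generate-transform"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_transform_bursts(lines, min_requests=10, window_seconds=60):
    """Flag client IPs that POST to the transform action at least `min_requests`
    times inside any `window_seconds` span. Returns {ip: (total_posts, statuses)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and TRANSFORM_ACTION in rec["path"]:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0  # sliding window over the sorted requests of this client
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_requests:
                statuses = sorted({r["status"] for r in recs})
                flagged[ip] = (len(recs), statuses)
                break
    return flagged

# Constructed sample: 203.0.113.7 hammers the action; 198.51.100.2 makes one normal call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Feb/2025:10:00:{s:02d} +0000] "POST /index.php?p=admin/{TRANSFORM_ACTION} HTTP/1.1" 400 52'
    for s in range(12)
] + [
    f'198.51.100.2 - - [12/Feb/2025:10:05:00 +0000] "POST /index.php?p=admin/{TRANSFORM_ACTION} HTTP/1.1" 200 312',
    '198.51.100.2 - - [12/Feb/2025:10:05:01 +0000] "GET /assets/logo.png HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for ip, (count, statuses) in detect_transform_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} transform POSTs in a burst, statuses seen {statuses}")
```

Thresholds are a starting point: a busy control panel user may legitimately generate several transforms per minute, so tune `min_requests` against a baseline of your own logs before acting on hits.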