ARTICLE
1 July 2025

Ankura CTIX FLASH Update - June 27, 2025

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

Sophisticated Tactics Exploiting Trusted Software Ecosystems

Cybercriminals are deploying advanced and deceptive techniques to infiltrate organizations and systems. One campaign abuses the ScreenConnect remote access software through Authenticode stuffing: the attacker appends data to the certificate table of a legitimately signed installer, a region that the Authenticode hash does not cover, so the file keeps its valid signature from a legitimate certificate while carrying attacker-controlled content. Because code-signing checks still pass, the tampered installer slips past controls that rely on signature verification, and the malicious activity is difficult to detect. Simultaneously, another campaign targets the npm package ecosystem, distributing malware through 35 seemingly legitimate packages disguised as interview or resume tools. Once integrated into a project, the packages enable data theft and remote code execution (RCE). These tactics exploit the trust placed in software updates and popular development tools, emphasizing the need for rigorous validation and continuous monitoring of digital signatures: a valid signature proves who signed the file, not that every byte of the file is benign. The campaigns underscore the critical importance for organizations to enhance their security protocols, scrutinize remote access tools, and adopt comprehensive measures to defend against sophisticated and adaptive cyber threats that leverage trusted software channels to facilitate infiltration and compromise. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
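The Authenticode-stuffing technique above can be checked for directly: the PKCS#7 SignedData blob inside a PE file's WIN_CERTIFICATE entry is self-describing DER, so any bytes that follow it (beyond a few bytes of zero padding for 8-byte alignment) are content that signature verification never hashes. The following script is an added example written for this update, not code from the original article or from the ScreenConnect campaign; it parses the PE security directory, measures the trailing bytes, and builds a constructed header-only PE32+ image with a dummy (non-cryptographic) certificate blob so it can run offline. The sample "hidden config" string and the helper names are assumptions for illustration.

```python
"""Check a PE file's Authenticode certificate table for 'stuffed' data:
bytes appended inside WIN_CERTIFICATE after the PKCS#7 SignedData blob.
That region is excluded from the Authenticode hash, so a file can carry
attacker-controlled content and still pass signature verification."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_sequence_length(blob: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def analyze_certificate_table(pe: bytes) -> dict:
    """Locate the security directory and measure bytes trailing the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)       # data directories: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from(
        "<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return {"signed": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    cert = pe[sec_off + 8:sec_off + dw_length]           # bCertificate
    der_len = der_sequence_length(cert)
    trailing = cert[der_len:]
    # Up to 7 zero bytes of alignment padding are normal; anything else is stuffing.
    return {
        "signed": True,
        "authenticode": revision == WIN_CERT_REVISION_2_0
        and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "der_length": der_len,
        "trailing_length": len(trailing),
        "stuffed": len(trailing) >= 8 or any(trailing),
        "trailing": bytes(trailing),
    }


def build_sample_pe(signed_data: bytes, stuffing: bytes = b"") -> bytes:
    """Constructed test input: a header-only PE32+ image whose security directory
    points at a WIN_CERTIFICATE wrapping signed_data followed by stuffing.
    signed_data is a dummy DER SEQUENCE, not a real signature."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110          # PE32+ fields up to the directories
    headers_len = len(dos) + len(coff) + len(opt) + 128
    body = signed_data + stuffing
    body += b"\0" * (-len(body) % 8)                      # WIN_CERTIFICATE is 8-byte aligned
    cert_table = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, len(cert_table))
    return dos + coff + opt + bytes(dirs) + cert_table


FAKE_SIGNED_DATA = b"\x30\x10" + b"\xAA" * 16             # 18-byte dummy SignedData
SAMPLE_STUFFING = b'{"host":"c2.example.invalid"}'         # constructed "hidden config"

if __name__ == "__main__":
    for label, extra in (("clean", b""), ("stuffed", SAMPLE_STUFFING)):
        print(label, analyze_certificate_table(build_sample_pe(FAKE_SIGNED_DATA, extra)))
```

On a real installer, pass `open(path, "rb").read()` to `analyze_certificate_table`; a normally signed binary reports a `trailing_length` of 0 to 7 zero bytes. Treat a non-zero tail as a triage signal rather than proof of compromise, since a few vendors legitimately store installer tags in this region, and always pair it with a normal signature check (`signtool verify` or `Get-AuthenticodeSignature`), which this script does not replace.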

Threat Actor Activity

CL-CRI-1014: African Financial Sector Targeted by Stealthy Access Broker Campaign

Since at least mid-2023, a financially motivated threat actor cluster tracked as CL-CRI-1014 has been targeting financial institutions across Africa, apparently to sell access to compromised networks as an initial access broker (IAB). The campaign blends open-source and publicly available tools to maintain persistence, evade detection, and move laterally: PoshC2 for command-and-control (C2), Chisel for tunneling and firewall bypass, PsExec for remote execution, and Classroom Spy for extensive surveillance and control (replacing the MeshAgent used in earlier operations). The attackers craft convincing payloads using stolen digital signatures and the icons of legitimate applications such as Microsoft Teams and Palo Alto Cortex to mask their activity. The attack chain typically involves staging a proxy machine via PsExec, using Chisel to bypass perimeter defenses, and deploying PoshC2 and Classroom Spy across target endpoints. PoshC2 implants are tailored to each environment and kept alive through services, LNK shortcuts, and scheduled tasks. Classroom Spy provides keylogging, screenshot capture, webcam access, file transfers, and audio recording. Despite this sophistication, there is no evidence that the actors exploited zero-day vulnerabilities; they instead rely on stealthy, manual techniques and legitimate administration tools to retain long-term access within financial networks across the continent. CTIX analysts will continue to report on interesting and novel threat groups and their campaigns.
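The persistence and remote-execution steps above leave artefacts a defender can hunt for in Windows event logs: PsExec installs a service on the target (named PSEXESVC by default), and implants kept alive through services and scheduled tasks have to name a binary or a PowerShell command line. The script below is an added example for this update, not tooling from the report or the threat actor; it runs simple triage rules over a handful of constructed System 7045 (service installed) and Security 4698 (scheduled task created) records. The service and task names that imitate Teams and Cortex, the hosts, and the encoded-command fragment are all invented sample data, and the PSEXESVC name assumes a stock PsExec binary.

```python
"""Triage constructed Windows event records for the CL-CRI-1014 style tradecraft
described above: PsExec service installs, persistence binaries dropped in
user-writable paths, and hidden or encoded PowerShell launches (PoshC2 implants
are PowerShell based). Sample events are constructed for this example."""
import re

# PsExec's default service name on the target (assumption: stock PsExec was used).
PSEXEC_SERVICE_NAMES = {"psexesvc"}
# Directories where a legitimate service binary should not normally live.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Hidden-window, no-profile or encoded-command PowerShell invocations.
POWERSHELL_FLAGS = re.compile(
    r"powershell(\.exe)?.*?(-enc\w*|-e\s|-w\s+hidden|-nop)", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed: id 7045 = service installed, 4698 = scheduled task created
    {"id": 7045, "host": "FIN-SRV-01", "name": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "FIN-SRV-01", "name": "TeamsUpdater",
     "image": r"C:\ProgramData\Teams\Teams.exe"},
    {"id": 4698, "host": "FIN-WS-17", "name": r"\Microsoft\Windows\CortexSync",
     "image": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},   # placeholder base64
    {"id": 7045, "host": "FIN-SRV-02", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]


def triage_event(event: dict) -> list:
    """Return the rule names an event trips (empty list if it looks benign)."""
    findings = []
    name = event["name"].lower()
    image = event["image"].lower()
    if event["id"] == 7045 and name in PSEXEC_SERVICE_NAMES:
        findings.append("psexec_service_install")
    if any(d in image for d in USER_WRITABLE_DIRS):
        findings.append("binary_in_user_writable_path")
    if POWERSHELL_FLAGS.search(event["image"]):
        findings.append("suspicious_powershell_launch")
    return findings


def triage(events: list) -> dict:
    """Map (host, service-or-task name) to findings for every event that trips a rule."""
    results = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            results[(event["host"], event["name"])] = findings
    return results


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_EVENTS).items():
        print(key, findings)
```

These rules are deliberately coarse: a renamed PsExec copy defeats the service-name check, and legitimate software does sometimes run from ProgramData, so use the output as a pivot for manual review alongside the signature and icon checks the report describes, not as a verdict.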

Vulnerabilities

Active Exploitation of Critical NetScaler Vulnerabilities Prompts Urgent Citrix Patching

Citrix has released urgent patches for a critical memory overflow vulnerability in NetScaler ADC and NetScaler Gateway that is being actively exploited in the wild. The flaw, tracked as CVE-2025-6543 (CVSS 9.2/10), affects both supported and end-of-life versions when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, etc.) or as an AAA virtual server, and may lead to denial-of-service (DoS) and unintended control flow. Affected versions include NetScaler ADC and Gateway 14.1 (prior to 14.1-47.46), 13.1 (prior to 13.1-59.19), and 13.1-FIPS/NDcPP (prior to 13.1-37.236), as well as the end-of-life 12.1 and 13.0 releases, which Citrix urges customers to replace. Secure Private Access on-premises and hybrid deployments that use vulnerable instances must also be upgraded. While Citrix has confirmed that it has observed exploitation, it has not released technical details about the attacks. This warning comes just one week after Citrix patched another critical vulnerability, CVE-2025-5777 (CVSS 9.3/10), an out-of-bounds memory read flaw dubbed "CitrixBleed2" by researchers, who caution organizations to patch promptly and then terminate active sessions, since data leaked by such a flaw may include material belonging to sessions that remain valid until they are killed. CTIX analysts urge all affected administrators to ensure their instances are patched and that all guidance from Citrix is followed.
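The fixed-build list above is easy to misread when an estate mixes mainline and FIPS/NDcPP appliances, because the 13.1 branch has two different fixed builds. The script below is an added example for this update, not Citrix tooling; it encodes only the thresholds stated in the summary above and classifies build strings written in the "major.minor-build.revision" form that Citrix advisories use (for example "14.1-47.46"). The FIPS/NDcPP distinction is passed in explicitly because the build string alone does not carry it, and the sample inventory is constructed.

```python
"""Classify NetScaler ADC / Gateway builds against the CVE-2025-6543 fixed builds
quoted above. Version strings are assumed to be in advisory form 'major.minor-build.rev';
the inventory below is constructed sample data."""
import re

# (branch, is_fips_ndcpp) -> first fixed (build, revision), from the summary above.
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),   # 13.1-FIPS / NDcPP branch
}
END_OF_LIFE = {"12.1", "13.0"}  # no fix: replace the appliance

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_version(version: str) -> tuple:
    """Split '14.1-47.46' into ('14.1', (47, 46)); raise on anything else."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, rev = (int(g) for g in match.groups())
    return f"{major}.{minor}", (build, rev)


def assess(version: str, fips: bool = False) -> str:
    """Return 'patched', 'vulnerable: ...', 'end-of-life: ...' or 'unknown branch: ...'."""
    branch, build = parse_version(version)
    if branch in END_OF_LIFE:
        return "end-of-life: no fix available, replace the appliance"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return "unknown branch: check the Citrix advisory"
    if build >= fixed:                      # tuple comparison: build first, then revision
        return "patched"
    return f"vulnerable: upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"


# Constructed inventory: (hostname, version, is_fips_ndcpp).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-47.46", False),
    ("ns-gw-02", "14.1-43.50", False),
    ("ns-fips-01", "13.1-37.235", True),
    ("ns-legacy", "12.1-65.39", False),
]


def assess_inventory(inventory: list) -> dict:
    """Map hostname to assessment for every appliance in the inventory."""
    return {host: assess(version, fips) for host, version, fips in inventory}


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {verdict}")
```

Build status is only half the picture: the advisory scopes the flaw to appliances configured as a Gateway or AAA virtual server, so an appliance reported as "vulnerable" here should still be checked for that configuration when prioritising, and a "patched" appliance that was exposed before the upgrade should have its sessions reviewed in line with Citrix's guidance.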

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
