ARTICLE
11 July 2025

Ankura CTIX FLASH Update - July 8, 2025

Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

The Rising Tide of Covert Mobile Surveillance and Security Breaches

The Android spyware campaign, which aimed to covertly monitor users by exploiting vulnerabilities and using a malware design built to evade detection, ultimately backfired when security researchers uncovered the operation. The researchers then disclosed that approximately 62,000 user logins and sensitive data had been compromised. Additionally, security researcher Eric Daigle uncovered a critical SQL injection vulnerability in the stalkerware platform Catwatchful that allowed him to access and extract a database containing 62,000 user accounts, including administrative credentials. Catwatchful is marketed as an undetectable spyware kit and is used predominantly by individuals seeking covert monitoring. Despite widespread breaches of similar software, it continues to operate. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
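The Catwatchful exposure above is an instance of the same defect class that has emptied many credential stores: a login query assembled by string concatenation. The following Python example is added here for illustration and is not code from Catwatchful, from the researcher, or from the original report; the table, the user rows and the inputs are constructed sample data. It places the concatenated query beside its parameterised replacement so the difference in behaviour on crafted input can be seen directly.

```python
import sqlite3
from typing import List

def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a monitoring platform's
    credential store (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash_a", 0), ("admin", "hash_admin", 1)],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Defective form: user-controlled text is spliced into the SQL statement, so quote
    characters in the input change the query's logic instead of being matched as data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]

def login_hardened(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Hardened form: placeholders bind the input as values; the statement text is fixed,
    so the same crafted input matches no row."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]

def compare(username: str, password_hash: str) -> dict:
    """Run one input through both forms and report which rows each returns."""
    conn = build_db()
    return {
        "vulnerable": sorted(login_vulnerable(conn, username, password_hash)),
        "hardened": sorted(login_hardened(conn, username, password_hash)),
    }

if __name__ == "__main__":
    # A legitimate login succeeds in both forms.
    print(compare("alice", "hash_a"))
    # A quote-bearing input (constructed test string) is parsed as SQL by the vulnerable
    # form and returns every account; the hardened form returns none.
    print(compare("x' OR '1'='1", "x' OR '1'='1"))
```

When reviewing a codebase for this defect, the practical check is mechanical: any database call whose statement text is built with `+`, `%` or f-strings from request data is the vulnerable form, regardless of whether the input is "validated" elsewhere.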

Threat Actor Activity

NightEagle APT Emerges with Zero-Day Exploits Targeting Microsoft Exchange in China

A newly identified threat actor dubbed NightEagle (aka APT-Q-95) has been linked to a stealthy cyber espionage campaign exploiting a zero-day vulnerability in Microsoft Exchange servers to target China's government, defense, and tech sectors. Revealed by QiAnXin's RedDrip Team at CYDES 2025, NightEagle has been active since 2023 and is characterized by rapid infrastructure changes and precision targeting of industries like semiconductors, AI, and quantum tech. The group employed a modified version of the open-source Chisel tool delivered via a .NET loader embedded in IIS, enabling persistent access and data exfiltration. The exploit involved unauthorized deserialization via stolen machineKey values to implant trojans and access email data across compatible Exchange servers. Evidence suggests a North American origin, based on attack timing, and the group's operational sophistication has led researchers to classify it as a fast-moving APT with intelligence-gathering objectives. The Ankura CTIX team will continue to report on up-and-coming threat actors.

Vulnerabilities

Grafana Patches Critical Chromium Vulnerabilities Impacting Image Renderer and Monitoring Tools

Grafana Labs has released urgent security updates to address four (4) high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192) affecting its Image Renderer plugin and Synthetic Monitoring Agent. These flaws, based in Chromium's V8 engine and Metrics component, allow remote code execution (RCE) and memory manipulation through maliciously crafted HTML pages. While the vulnerabilities were fixed upstream two (2) weeks earlier, Grafana confirmed exploitability in its products via a bug bounty report. Users of the Image Renderer (prior to version 3.12.9) and Synthetic Monitoring Agent (before version 0.38.3) are urged to update immediately. Although the plugin is not bundled by default, its widespread use for rendering dashboards in production makes timely patching critical. Grafana Cloud and Azure Managed Grafana instances have already been secured. This comes amid concerns about lagging patch adoption, with tens of thousands of instances still unpatched for prior flaws. CTIX analysts strongly urge any administrators to ensure that their instances are patched to prevent future exploitation.
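Because the fix threshold here is a version number, the most common mistake in a fleet audit is comparing versions as strings, which ranks 3.9.0 above 3.12.9. The script below is an added example, not Grafana's own tooling; it takes the fixed versions stated in this item, parses version strings numerically, and reports which entries of a constructed inventory still need patching. Component names and the inventory rows are assumptions for the illustration.

```python
from typing import Dict, List, Tuple

# Minimum fixed versions as given in the advisory summary above.
FIXED_VERSIONS: Dict[str, str] = {
    "grafana-image-renderer": "3.12.9",
    "synthetic-monitoring-agent": "0.38.3",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v3.12.9', '3.12.9-rc1' or '3.12.9+build' into a numeric tuple so that
    comparison is by component, not by character."""
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(component: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed release.
    Raises KeyError for a component this advisory does not cover."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[component])

def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, component, version) rows that are still unpatched."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    sample = [
        ("dash-01", "grafana-image-renderer", "3.9.0"),
        ("dash-02", "grafana-image-renderer", "v3.12.9"),
        ("probe-01", "synthetic-monitoring-agent", "0.38.2"),
        ("probe-02", "synthetic-monitoring-agent", "0.38.3"),
    ]
    for host, component, version in audit(sample):
        print(f"{host}: {component} {version} needs update")
```

Feeding the script from a real inventory (package lists, container image tags, or the plugin's reported version) is the only part that changes; the comparison logic stays the same for any advisory that states a fixed version.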

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
