Malware Activity
The Rising Tide of Covert Mobile Surveillance and Security Breaches
The Android spyware campaign that aimed to covertly monitor users by exploiting vulnerabilities and employing undetectable malware design to evade detection ultimately backfired when security researchers uncovered their operation. Then the researchers revealed that approximately 62,000 user logins and sensitive data had been compromised. Additionally, a security researcher, Eric Daigle, uncovered a critical SQL injection vulnerability in the stalkerware platform Catwatchful, which allowed him to access and extract a database containing 62,000 user accounts, including administrative credentials. Catwatchful is marketed as an undetectable spyware kit used predominantly by individuals seeking covert monitoring. Despite widespread breaches of similar software, it continues to operate. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- SecurityWeek: Undetectable Android Spyware Backfires article
- TheRegister: Stalkerware Firm Gets Scooped article
Threat Actor Activity
NightEagle APT Emerges with Zero-Day Exploits Targeting Microsoft Exchange in China
A newly identified threat actor dubbed NightEagle (aka APT-Q-95) has been linked to a stealthy cyber espionage campaign exploiting a zero-day vulnerability in Microsoft Exchange servers to target China's government, defense, and tech sectors. Revealed by QiAnXin's RedDrip Team at CYDES 2025, NightEagle has been active since 2023 and is characterized by rapid infrastructure changes and precision targeting of industries like semiconductors, AI, and quantum tech. The group employed a modified version of the open-source Chisel tool delivered via a .NET loader embedded in IIS, enabling persistent access and data exfiltration. The exploit involved unauthorized deserialization via stolen machineKey values to implant trojans and access email data across compatible Exchange servers. Evidence suggests a North American origin, based on attack timing, and the group's operational sophistication has led researchers to classify it as a fast-moving APT with intelligence-gathering objectives. The Ankura CTIX team will continue to report on up-and-coming threat actors.
Vulnerabilities
Grafana Patches Critical Chromium Vulnerabilities Impacting Image Renderer and Monitoring Tools
Grafana Labs has released urgent security updates to address four (4) high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192) affecting its Image Renderer plugin and Synthetic Monitoring Agent. These flaws, based in Chromium's V8 engine and Metrics component, allow remote code execution (RCE) and memory manipulation through maliciously crafted HTML pages. While the vulnerabilities were fixed upstream two (2) weeks earlier, Grafana confirmed exploitability in its products via a bug bounty report. Users of the Image Renderer (prior to version 3.12.9) and Synthetic Monitoring Agent (before version 0.38.3) are urged to update immediately. Although the plugin is not bundled by default, its widespread use for rendering dashboards in production makes timely patching critical. Grafana Cloud and Azure Managed Grafana instances have already been secured. This comes amid concerns about lagging patch adoption, with tens of thousands of instances still unpatched for prior flaws. CTIX analysts strongly urge any administrators to ensure that their instances are patched to prevent future exploitation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
