ARTICLE
28 July 2025

Ankura CTIX FLASH Update - July 22, 2025

Contributor: Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

From Sophisticated Authentication Bypasses to Stealthy Resource Exploitation

Recent cybersecurity research reveals a convergence of advanced attack strategies targeting digital authentication and e-commerce platforms. The PoisonSeed phishing campaign abuses the cross-device (hybrid) sign-in feature of WebAuthn to sidestep FIDO2 protections without exploiting any protocol vulnerability: the phishing site relays the victim's credentials to the legitimate service, starts a cross-device sign-in, and shows the victim the resulting QR code, so the victim approves the attacker's session with their own authenticator via the QR and Bluetooth-based authorization flow. Because the FIDO2 cryptography is never broken, defenders must rely on policy and visibility instead, for example limiting accepted authenticators to platform or hardware security keys where the relying party allows it and alerting on cross-device sign-ins from unexpected locations. Meanwhile, a global surge in JavaScript-based cryptocurrency miners, reminiscent of the CoinHive era but more covert, has infected over 3,500 websites; the campaign leverages obfuscated scripts to hijack visitors' device resources for mining. Attackers are also targeting e-commerce sites, injecting malicious scripts and backdoored plugins to facilitate data theft, spam distribution, and search ranking manipulation. These techniques highlight a growing trend toward multi-layered, resource-efficient attacks that work around security controls rather than through them, which underscores the need for organizations to implement rigorous monitoring, device and authenticator verification, and advanced threat detection to stay ahead of evolving threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Singapore Blames China's UNC3886 for Attacks on Critical Infrastructure Networks

Singapore's critical infrastructure is currently being targeted by the China-linked espionage group UNC3886, according to Singapore's Coordinating Minister for National Security, K. Shanmugam. This group has a history of targeting routers and network security devices to infiltrate essential entities. Shanmugam emphasized that the threat actor's intent is clear: it targets high-value strategic assets and the vital infrastructure that provides essential services. While specific details of UNC3886's activities were not disclosed, Shanmugam confirmed the seriousness and ongoing nature of the threat, noting its potential to undermine national security. UNC3886 has been linked to a campaign deploying custom backdoors on Juniper Networks routers, focusing primarily on defense, technology, and telecommunications organizations in the US and Asia. The group prioritizes stealth and long-term persistence on edge devices that rarely run endpoint security tooling, minimizing detection risk, and has also targeted Fortinet and VMware products. Singapore has previously faced threats from Chinese APT groups, including Volt Typhoon, which breached Singapore Telecommunications Ltd. in 2024. Shanmugam warned of the cascading impacts such attacks could have on business operations, vendor relationships, and supply chains, suggesting a potential reassessment of trust in, and usage of, certain technologies and partners.

Vulnerabilities

Microsoft Rushes Emergency Patches for Actively Exploited SharePoint Zero-Days in Ongoing "ToolShell" Attacks

Microsoft has issued emergency out-of-band security updates to address two (2) actively exploited zero-day vulnerabilities in on-premises SharePoint Servers, tracked as CVE-2025-53770 (a critical remote code execution (RCE) flaw with a CVSS score of 9.8/10) and CVE-2025-53771 (a spoofing flaw rated 6.3/10), which are being weaponized in a global campaign dubbed "ToolShell." The underlying exploit chain was first demonstrated at the Pwn2Own Berlin contest and patched in the July 2025 Patch Tuesday release (as CVE-2025-49704 and CVE-2025-49706); CVE-2025-53770 and CVE-2025-53771 are bypasses of those fixes, so servers that had applied only the July Patch Tuesday updates remained exploitable. At least fifty-four (54) organizations worldwide, including banks, universities, healthcare providers, and government agencies, have reportedly been compromised. The threat actors are using these vulnerabilities to gain privileged access, bypass MFA and SSO, steal cryptographic material (notably the ASP.NET machine keys, which let an attacker forge valid __VIEWSTATE payloads and regain code execution even after the patch is applied), implant persistent backdoors, and exfiltrate sensitive data. Microsoft has released updated patches for SharePoint 2019 and Subscription Edition but is still working on fixes for SharePoint 2016. SharePoint Online in Microsoft 365 is not affected.

CTIX analysts strongly advise administrators to immediately install the latest updates, rotate the ASP.NET machine keys, enable AMSI integration, restart IIS, and investigate environments for signs of compromise such as the presence of spinstall0.aspx in the SharePoint LAYOUTS directory or suspicious IIS log entries (in particular POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx). Key rotation matters because stolen keys survive patching: a server that is patched but keeps its old keys can still be re-entered. Given SharePoint's deep integration with Microsoft 365 services, experts warn that patching alone is insufficient and that organizations should assume compromise if their servers were exposed to the internet before the out-of-band update was applied. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, reinforcing the urgency for immediate mitigation and incident response.
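The triage and key-rotation steps above, as an added worked example that is not part of the Ankura advisory or Microsoft's own tooling. It assumes the default SharePoint "16" hive and IIS log paths (parameters `$LayoutsPath` and `$IisLogRoot`, adjust for your farm), that the IIS logs use the standard W3C layout with the query string and Referer in separate space-delimited fields, and that it is run in the SharePoint Management Shell as a farm administrator after the out-of-band update is installed. The cmdlets `Get-SPWebApplication` and `Update-SPMachineKey` are SharePoint Management Shell cmdlets; the web-shell name and log pattern are the publicly reported ToolShell indicators.

```powershell
# Added example: first-pass ToolShell triage plus post-patch machine-key rotation.
# Not from the Ankura advisory. Paths and patterns are assumptions noted inline.

function Find-ToolShellIndicators {
    param(
        # Default LAYOUTS folder for SharePoint 2016/2019/Subscription Edition (assumption).
        [string]$LayoutsPath = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        # Default IIS W3C log root (assumption).
        [string]$IisLogRoot  = 'C:\inetpub\logs\LogFiles'
    )

    # 1. Reported web-shell drop: spinstall0.aspx (match variants such as spinstall1.aspx too).
    $webShells = Get-ChildItem -Path $LayoutsPath -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTimeUtc, Length

    # 2. Reported exploitation pattern in IIS logs: POST to /_layouts/15/ToolPane.aspx with
    #    query DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, or any request
    #    that touches spinstall0.aspx. In W3C format the query string follows the URI stem
    #    as a separate field, hence the "\s+" between them rather than a literal "?".
    $patterns = @(
        'POST\s+/_layouts/15/ToolPane\.aspx\s+DisplayMode=Edit.*SignOut\.aspx',
        'spinstall0\.aspx'
    )
    $logHits = Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        Select-Object Path, LineNumber, Line

    [pscustomobject]@{
        WebShells = @($webShells)
        LogHits   = @($logHits)
        Suspected = (@($webShells).Count -gt 0) -or (@($logHits).Count -gt 0)
    }
}

function Invoke-PostToolShellKeyRotation {
    # Rotate the ASP.NET machine keys of every web application, Central Administration
    # included, then restart IIS so the new keys take effect. Stolen ValidationKey /
    # DecryptionKey values allow forged __VIEWSTATE payloads, so this is required even
    # on a fully patched server. Requires the SharePoint Management Shell.
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Host "Rotating machine key for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    iisreset.exe
}

# --- Usage -------------------------------------------------------------------
$result = Find-ToolShellIndicators
if ($result.Suspected) {
    Write-Warning 'ToolShell indicators found. Treat this server as compromised:'
    $result.WebShells | Format-Table -AutoSize
    $result.LogHits   | Format-Table -AutoSize
    Write-Warning 'Preserve logs and the dropped files for IR before rotating keys or rebuilding.'
} else {
    Write-Host 'No ToolShell indicators found in the checked locations.'
}

# Rotate keys in either case once the out-of-band patch is installed. AMSI integration
# is enabled separately (Central Administration or Microsoft's SharePoint AMSI guidance);
# it is not scripted here.
Invoke-PostToolShellKeyRotation
```

Two caveats on the design: the absence of hits proves little, because the indicators above are only the ones made public and attackers can rename the web shell or clean the logs, so an internet-exposed server should still be treated as suspect; and key rotation is a containment step, not a remediation, so a server with confirmed hits should be imaged for investigation and rebuilt rather than merely re-keyed.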

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
