ARTICLE
9 October 2025

Ankura CTIX FLASH Update - October 7, 2025

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

Evolving Malware and Browser Exploitation Techniques

Recent cybersecurity developments highlight the increasing sophistication and diversity of cyber threats. The notorious malware family Xworm has re-emerged with enhanced capabilities, notably incorporating a ransomware module alongside its traditional worm functions. The malware is supported by over thirty-five (35) plugins that facilitate dynamic adaptation and evade detection. This modular architecture exemplifies how cybercriminals combine multiple malicious payloads to maximize disruption, increase ransom potential, and complicate defense efforts. Concurrently, a new attack vector dubbed "cometjacking" has been identified, exploiting vulnerabilities in AI-enhanced browsers like Comet and Perplexity. The technique relies on social engineering tactics, such as distributing malicious links, combined with prompt injection to manipulate browser features for malicious ends. Attackers can use it to steal emails, access sensitive data, or hijack AI assistants, and they often bypass traditional security measures by employing obfuscation techniques like Base64 encoding. These evolving threats highlight the critical need for organizations to adopt comprehensive and up-to-date security strategies. It is essential to implement vigilant user practices to reduce the risk of successful attacks. Additionally, organizations should embrace proactive security-by-design measures to strengthen their defenses. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Cl0p Leaking Sensitive Data from Oracle via Exploited Vulnerability, Helped by Scattered Lapsus$ Hunters

Cybercriminals, potentially linked to the Cl0p ransomware group, have launched a campaign to extort corporate executives by threatening to leak sensitive information allegedly stolen through Oracle's E-Business Suite, a widely used business platform that manages finance, HR, and supply chain functions. Mandiant and Google Threat Intelligence Group (GTIG) are tracking this campaign, which began on September 29 and involves high-volume email extortion attempts. The threat actors claim affiliation with Cl0p, known for exploiting vulnerabilities in file transfer tools to steal data for ransom. Oracle has addressed a critical security flaw in the E-Business Suite, tracked as CVE-2025-61882, which allows remote code execution (RCE) without authentication. This vulnerability was exploited in Cl0p's recent attacks, prompting Oracle to release emergency updates. IOCs include specific IP addresses and Python scripts used in the exploitation. The threat actors, calling themselves "Scattered Lapsus$ Hunters," leaked files on Telegram, including Oracle source code and the exploit used by Cl0p. While Cl0p confirmed their involvement, questions remain about the relationship between Cl0p and Scattered Lapsus$ Hunters. An affiliate from the ShinyHunters hacking group suggested that the exploit might have been shared or sold to Cl0p, highlighting the interconnected nature of today's cybercriminal activity.

Vulnerabilities

Storm-1175 Exploits GoAnywhere MFT Zero-Day to Deliver Medusa Ransomware

A cybercrime affiliate tracked as Storm-1175 has been actively exploiting a deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet, as part of a coordinated Medusa ransomware campaign since at least September 11, 2025. The flaw, tracked as CVE-2025-10035 (CVSS 10/10), allows attackers to forge license response signatures and deserialize arbitrary objects, enabling command injection and remote code execution (RCE) on vulnerable, internet-exposed instances without authentication. Although Fortra patched the flaw on September 18, evidence shows Storm-1175 weaponized it as a zero-day beginning September 10, compromising multiple organizations. After gaining initial access, the group deployed SimpleHelp and MeshAgent RMM tools under the GoAnywhere process to establish persistence, while also planting .jsp webshells. They conducted network reconnaissance with Netscan, executed system and user discovery commands, and achieved lateral movement using mstsc.exe. For command and control, they leveraged RMM tools and Cloudflare tunnels, followed by Rclone-based data exfiltration and eventual Medusa ransomware deployment to encrypt victims' files. This activity builds on Storm-1175's previous exploitation of VMware ESXi flaws linked to Akira and Black Basta ransomware. CTIX analysts urge organizations to follow Microsoft's guidance, immediately patching affected systems, reviewing logs for SignedObject.getObject stack trace errors, restricting outbound connections, enabling EDR in block mode, applying attack surface reduction rules, and monitoring for suspicious activity. Microsoft has rolled out Defender XDR detections, vulnerability management, and Security Copilot integration to support detection, investigation, and response efforts across affected environments.
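The guidance above names three things a defender can look for after this activity: SignedObject.getObject stack traces in GoAnywhere logs, RMM and exfiltration tooling started under the GoAnywhere process, and .jsp webshells written into the application's web directories. The script below is an added example (not Ankura's, Fortra's, or Microsoft's code) that runs those three checks over a handful of constructed sample records. The log line layout, the process and file event schemas, the executable names (MeshAgent.exe, rclone.exe, mstsc.exe, netscan.exe, and "simplehelp" as a stem), and the assumption that the parent process image name contains "goanywhere" are all assumptions made for the example; real GoAnywhere log formats and EDR telemetry differ and the patterns would need adapting.

```python
"""Three post-exploitation checks for the GoAnywhere MFT activity described above.

Added example, not code from the original article or from Fortra/Microsoft.
All record layouts, file names and sample data below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator named in the Microsoft guidance summarised above: a
# SignedObject.getObject stack trace in GoAnywhere logs points at an attempted
# or failed deserialization through the License Servlet.
DESERIALIZATION_MARKER = re.compile(r"SignedObject\.getObject", re.IGNORECASE)

# Tooling the article attributes to Storm-1175's post-exploitation chain, keyed
# by executable stem. The exact on-disk names are an assumption for this example.
SUSPICIOUS_CHILD_STEMS = {"simplehelp", "meshagent", "mstsc", "rclone", "netscan"}


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed process-start record: parent image, child image, command line."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class FileEvent:
    """Constructed file-write record: writing process image and target path."""
    writer_image: str
    path: str


def _stem(path: str) -> str:
    """Lower-cased file name without extension, tolerant of Windows or POSIX paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def _is_goanywhere(path: str) -> bool:
    # Assumption: the GoAnywhere service image name contains "goanywhere".
    return "goanywhere" in _stem(path)


def find_deserialization_errors(log_lines: Iterable[str]) -> List[str]:
    """Log lines carrying the SignedObject.getObject stack-trace marker."""
    return [line for line in log_lines if DESERIALIZATION_MARKER.search(line)]


def find_suspicious_children(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Process starts where a GoAnywhere process spawns RMM, recon or exfil tooling."""
    return [
        ev for ev in events
        if _is_goanywhere(ev.parent_image) and _stem(ev.image) in SUSPICIOUS_CHILD_STEMS
    ]


def find_jsp_drops(events: Iterable[FileEvent]) -> List[FileEvent]:
    """File writes of .jsp content by a GoAnywhere process (possible webshell)."""
    return [
        ev for ev in events
        if _is_goanywhere(ev.writer_image) and ev.path.lower().endswith(".jsp")
    ]


# Constructed sample telemetry for the demonstration; not real incident data.
SAMPLE_LOG_LINES = [
    "2025-09-11 03:14:07 INFO  LicenseServlet: license response received",
    "2025-09-11 03:14:08 ERROR LicenseServlet: unhandled exception",
    "        at java.security.SignedObject.getObject(SignedObject.java:179)",
    "2025-09-11 03:15:01 INFO  scheduler: job completed",
]

GA = r"C:\Program Files\Fortra\GoAnywhere\GoAnywhere.exe"  # assumed service image
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(GA, r"C:\ProgramData\MeshAgent\MeshAgent.exe", "MeshAgent.exe -connect"),
    ProcessEvent(GA, r"C:\Program Files\Java\bin\java.exe", "java.exe -jar app.jar"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mstsc.exe", "mstsc.exe"),
    ProcessEvent(GA, r"C:\Windows\Temp\rclone.exe", "rclone.exe copy D:\\share remote:bucket"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(GA, r"C:\Program Files\Fortra\GoAnywhere\tomcat\webapps\ROOT\help.jsp"),
    FileEvent(GA, r"C:\Program Files\Fortra\GoAnywhere\logs\goanywhere.log"),
]


def run_all() -> dict:
    """Hit counts for each check over the constructed sample data."""
    return {
        "deserialization_errors": len(find_deserialization_errors(SAMPLE_LOG_LINES)),
        "suspicious_children": len(find_suspicious_children(SAMPLE_PROCESS_EVENTS)),
        "jsp_drops": len(find_jsp_drops(SAMPLE_FILE_EVENTS)),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {hits} hit(s)")
```

Over the sample data the stack-trace check fires once, the process check flags MeshAgent.exe and rclone.exe started under GoAnywhere while ignoring mstsc.exe launched from explorer.exe and the normal java.exe child, and the file check flags the single .jsp write. The parent-child rule is deliberately narrow so that ordinary administrative use of mstsc.exe elsewhere on the host does not alert; in production the stems set and the parent match would be tuned to the actual service account and image names.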

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
