14 October 2025

Ankura CTIX FLASH Update - October 10, 2025

Ankura Consulting Group LLC

Malware Activity

Advanced Stealth Techniques and Social Engineering Campaigns

The first article involves the "FileFix" attack, which leverages cache smuggling techniques within the Windows operating system to conceal malicious payloads, thereby evading traditional detection methods and complicating security efforts. This deep system-level exploitation underscores the necessity for organizations to implement advanced, behavior-based detection strategies to counter such stealthy intrusions. Concurrently, a Vietnamese threat group known as BatShadow has orchestrated a targeted social engineering campaign aimed at job seekers and digital marketing professionals. By impersonating recruiters and distributing malicious files embedded within ZIP archives, they deploy Vampire Bot, a Go-based malware, through deceptive links and fake error messages in Microsoft Edge. Once infected, victims' systems are subjected to profiling, data theft, and remote-control activities. The campaign's focus on high-value sectors and its sophisticated use of malware and deception techniques reflect a broader trend of increasingly complex and covert cyber operations, emphasizing the critical need for adaptive security measures and heightened vigilance in defending digital assets. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Chinese Hackers Leveraging Legitimate Nezha Monitoring Tool in New Campaign

Threat actors suspected to be affiliated with China have repurposed the legitimate open-source monitoring tool Nezha as an attack vector to deliver Gh0st RAT malware. First observed in August 2025, this campaign employs a technique known as log poisoning to plant a web shell on servers. The web shell lets the attackers control the web server through ANTSWORD before they deploy Nezha, which then provides remote command execution. More than a hundred (100) machines have been compromised, predominantly in Taiwan, Japan, South Korea, and Hong Kong. The attackers initially gain access through exposed, vulnerable phpMyAdmin panels, using the SQL query interface to write PHP web shells to disk. This access allows them to execute commands and remotely control infected hosts via Nezha. Interestingly, the threat actors operate their Nezha dashboard in Russian, and the campaign's reach is broad, with victims in countries such as Singapore, Malaysia, India, the U.K., and the U.S. The Nezha agent supports further attacks by executing PowerShell scripts that disable or bypass Microsoft Defender before deploying Gh0st RAT.

Vulnerabilities

Active Exploitation of Critical Service Finder WordPress Vulnerability

Threat actors are aggressively exploiting a critical authentication bypass flaw in the Service Finder WordPress theme and its bundled Service Finder Bookings plugin, allowing them to log in as any user (including administrators) without valid credentials and seize full control of vulnerable sites. The flaw, tracked as CVE-2025-5947 (CVSS 9.8/10), was discovered by researcher "Foxyyy" and stems from improper validation of the "original_user_id" cookie in the "service_finder_switch_back()" function, enabling privilege escalation and site hijacking. All versions up to and including 6.0 are affected. A patch was issued on July 17, 2025; however, active exploitation began shortly after public disclosure. Since August 1, Wordfence has recorded over 13,800 attack attempts, with daily spikes exceeding 1,500 starting September 23, primarily from five (5) IP addresses. Attackers typically use a simple HTTP GET request with the "switch_back=1" parameter to impersonate users, after which they may insert malicious redirects, host malware, or delete logs to conceal their activity. CTIX analysts urge administrators to follow Wordfence guidance by blocklisting known IPs, reviewing logs for suspicious actions, updating immediately to the patched version, and remaining vigilant, as exploitation remains widespread and the absence of log entries does not guarantee that a site is uncompromised.
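As an added example, not part of the CTIX update or of Wordfence's guidance, the following Python script shows one way to act on the advice to review logs: it parses constructed web-server access-log lines, flags GET requests whose query string carries the "switch_back=1" parameter described above, and counts them per source IP so that spikes from a handful of addresses stand out. The IPs, paths, timestamps and status codes in the sample are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined-log format. Addresses are
# documentation ranges (RFC 5737); nothing here is a real indicator.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Sep/2025:10:01:02 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Sep/2025:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Sep/2025:10:02:11 +0000] "GET /service/?switch_back=1&x=y HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.44 - - [23/Sep/2025:10:03:00 +0000] "GET /?s=switch_back HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Sep/2025:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Sep/2025:10:04:00 +0000] "GET /wp-admin/?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_switch_back_attempt(target):
    """True when the request's query string sets switch_back=1.

    Parsing the query string (instead of substring matching) avoids flagging
    unrelated requests such as a site search for the word 'switch_back'.
    """
    query = parse_qs(urlsplit(target).query)
    return "1" in query.get("switch_back", [])


def find_switch_back_attempts(log_text):
    """Return the matching entries and a per-source-IP count of them."""
    hits = [e for e in (parse_line(l) for l in log_text.splitlines())
            if e and is_switch_back_attempt(e["target"])]
    return hits, Counter(e["ip"] for e in hits)


if __name__ == "__main__":
    hits, per_ip = find_switch_back_attempts(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["target"]} -> {e["status"]}')
    print("attempts per IP:", dict(per_ip))
```

A hit is evidence of an attempt, not proof of success, and, as the update notes, an empty result does not prove a site is clean, since attackers who gain admin access may delete logs; check on-disk and user-account changes as well.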

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
