Article Details

Scrape Timestamp (UTC): 2025-11-10 12:58:05.647

Source: https://thehackernews.com/2025/11/weekly-recap-hyper-v-malware-malicious.html

Original Article Text


⚡ Weekly Recap: Hyper-V Malware, Malicious AI Bots, RDP Exploits, WhatsApp Lockdown and More

Cyber threats didn't slow down last week, and attackers are getting smarter. We're seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that's just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week's roundup highlights a clear shift: cybercrime is evolving fast, and the lines between technical stealth and strategic coordination are blurring. It's worth your time. Every story here is about real risks that your team needs to know about right now. Read the whole recap.

⚡ Threat of the Week

Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs — Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor on compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads from it. Because the payloads run inside the guest, completely outside the host operating system's visibility, the technique effectively bypasses endpoint security tools running on the host. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The victims were not publicly identified. The threat actors are said to have attached the virtual machine to Hyper-V's Default Switch, so that the VM's traffic traverses the host's network stack through Hyper-V's internal Network Address Translation (NAT) service and all malicious outbound communication appears to originate from the legitimate host machine's IP address. Further investigation revealed that the attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor while leaving its graphical management interface, Hyper-V Manager, disabled.
The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two files, a VHDX virtual disk and a VMCX configuration file, making up a pre-built Alpine Linux VM. Lastly, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it under the name WSL, a deception meant to suggest that the Windows Subsystem for Linux was in use.

"The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation," Bitdefender said.

The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access in target networks while leaving a minimal forensic footprint.

🔔 Top News

🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.
This week's list includes CVE-2025-20354 and CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Identity Services Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593 and CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Windows), CVE-2025-64458 and CVE-2025-64459 (Django), CVE-2025-12058 (Keras), CVE-2025-12779 (Amazon WorkSpaces client for Linux), CVE-2025-12735 (expr-eval JavaScript library), CVE-2025-62847, CVE-2025-62848 and CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471 and CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881 (runc), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Windows), and seven vulnerabilities in django-allauth.

📰 Around the Cyber World

🎥 Cybersecurity Webinars

🔧 Cybersecurity Tools

Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Stop Sensitive Data From Reaching AI Chats — Many teams use AI chat tools to get things done faster, like writing scripts, fixing bugs, or shortening reports. But everything typed into these systems leaves your company network and may be stored, logged, or reused. If that data includes credentials, internal code, or client information, it becomes an easy leak point. Attackers and insiders can retrieve this data later, or models could accidentally expose it in future outputs. One careless prompt can expose a lot more than expected.

✅ Add a security layer before the AI. Use OpenGuardrails or similar open-source frameworks to scan and block sensitive text before it's sent to the model.
These tools integrate directly into your apps or internal chat systems.

✅ Pair it with DLP monitoring. Tools like MyDLP or OpenDLP can watch outbound data for patterns like passwords, API keys, or client identifiers.

✅ Create prompt policies. Define what employees can and can't share with AI systems. Treat prompts like data leaving your network.

Don't trust AI companies to keep your secrets safe. Add guardrails to your workflow and keep an eye on what leaves your space. You don't want sensitive data to end up training someone else's model.

Conclusion

Just reading headlines won't cut it. These attacks show what's coming next: more hidden, more focused, and harder to spot. Whether you work in security or just want to stay in the loop, this update breaks it down fast. Clear, useful, no extra noise. Take a few minutes and get caught up before the next big threat lands.
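The pre-send scan the Tip of the Week describes, written out as an added example in PowerShell. This is not code from OpenGuardrails, MyDLP or OpenDLP, and not The Hacker News' own; it is a small gate that checks a prompt for secret-shaped strings and either blocks it (fail closed) or redacts the matches before the text leaves the network. The patterns, the `.corp.example.com` internal zone and the sample prompt are all constructed for illustration and should be replaced with your own.

```powershell
# Added example (not OpenGuardrails/MyDLP/OpenDLP code): a pre-send guardrail for AI chat prompts.
# Patterns below are illustrative assumptions; a production gate adds entropy checks and the DLP
# tooling the tip names, and runs where the outbound request is actually built.

$SecretPatterns = [ordered]@{
    'AWS access key id'   = 'AKIA[0-9A-Z]{16}'
    'GitHub token'        = 'gh[pousr]_[A-Za-z0-9]{36,}'
    'Private key block'   = '-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----'
    'JWT'                 = 'eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}'
    'Password assignment' = '(?i)\b(?:password|passwd|pwd)\s*[=:]\s*[^\s;"'']{6,}'
    'Connection string'   = '(?i)(?:Server|Data Source)=[^;]+;.*(?:Password|Pwd)=[^;]+'
    'Internal hostname'   = '(?i)\b[a-z0-9-]+\.corp\.example\.com\b'   # assumption: your internal DNS zone
}

function Test-PromptForSecrets {
    param([Parameter(Mandatory)][string]$Text)
    $hits = foreach ($name in $SecretPatterns.Keys) {
        foreach ($m in [regex]::Matches($Text, $SecretPatterns[$name])) {
            # Report only a prefix of the match so the finding itself does not leak the secret into logs.
            $shown = $m.Value.Substring(0, [Math]::Min(8, $m.Value.Length))
            [pscustomobject]@{ Type = $name; Index = $m.Index; Length = $m.Length; Sample = "$shown..." }
        }
    }
    return @($hits)
}

function Protect-Prompt {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('Block', 'Redact')][string]$Mode = 'Block'
    )
    $hits = @(Test-PromptForSecrets -Text $Text)
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Allowed = $true; Text = $Text; Findings = @() }
    }
    if ($Mode -eq 'Block') {
        # Fail closed: nothing is sent; the caller gets the finding types to show the user.
        return [pscustomobject]@{ Allowed = $false; Text = $null; Findings = $hits }
    }
    $clean = $Text
    foreach ($name in $SecretPatterns.Keys) {
        $clean = [regex]::Replace($clean, $SecretPatterns[$name], "[REDACTED:$name]")
    }
    return [pscustomobject]@{ Allowed = $true; Text = $clean; Findings = $hits }
}

# Constructed sample prompt: the kind of paste a developer makes while debugging. Every
# credential in it is fake (the AWS key is Amazon's documented example value).
$Prompt = @'
Why does this connection fail?
conn = "Server=db01.corp.example.com;Database=billing;User Id=app;Password=Hunter2024!;"
Also my AWS key AKIAIOSFODNN7EXAMPLE is rejected and this JWT looks odd:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcHAifQ.c29tZS1jb25zdHJ1Y3RlZC1zaWduYXR1cmUtYnl0ZXM
'@

$blocked  = Protect-Prompt -Text $Prompt                 # default mode: block
$redacted = Protect-Prompt -Text $Prompt -Mode Redact
$redacted.Findings | Format-Table Type, Index, Length, Sample -AutoSize
"Block mode allowed: $($blocked.Allowed)"
"Redact mode outbound text:`n$($redacted.Text)"
```

Findings are computed on the original text before any rewriting, so overlapping patterns (here the password assignment inside the connection string) are all reported even though only the first applicable replacement rewrites that span. Block mode is the safer default for anything carrying credentials; redaction is for the case where the user still needs an answer about the surrounding code.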

Daily Brief Summary

MALWARE // Curly COMrades Abuse Hyper-V to Conceal Malware in Linux VMs

Curly COMrades, a group linked to Russian interests, used Microsoft's Hyper-V to hide malware in Alpine Linux virtual machines on compromised Windows systems.

This technique allows malicious activities to bypass traditional endpoint security tools by running outside the host operating system's visibility.

The operation involved deploying CurlyShell and CurlyCat malware, with the campaign observed in July 2025, although specific victims remain unidentified.

Attackers used the Windows Deployment Image Servicing and Management (DISM) tool to enable the Hyper-V hypervisor while leaving its graphical management interface, Hyper-V Manager, disabled, keeping the new capability out of sight.

The group used the Import-VM and Start-VM PowerShell cmdlets to import and start the virtual machine, naming it WSL so that it would pass as the Windows Subsystem for Linux.

By attaching the VM to Hyper-V's Default Switch and its internal NAT service, the attackers made the VM's outbound communications appear to come from the host machine's own IP address, complicating network-based detection.

This case illustrates the increasing sophistication of threat actors in evading detection, emphasizing the need for advanced security measures beyond traditional EDR/XDR solutions.
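The steps summarized above give a responder a concrete checklist. As an added example (not Bitdefender's or The Hacker News' code), the following PowerShell triage script turns them into checks that run on a suspect host: the hypervisor-on/Hyper-V-Manager-off feature state, the VM inventory with the WSL decoy name and the Default Switch binding, import evidence in the PowerShell and VMMS event logs, and staged RAR archives carrying an .mp4 extension. The directories scanned, the exact 'WSL' name test and the event-log text matches are assumptions drawn from the reporting, not confirmed indicators.

```powershell
# Added example, not code from Bitdefender or The Hacker News: host triage for the
# hidden Hyper-V VM tradecraft described in the recap. Run in an elevated PowerShell
# session on the suspect Windows endpoint. The scanned directories, the 'WSL' name
# test and the event-log text matches are assumptions drawn from the article.

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-RarSignature([string]$Path) {
    # RAR4 and RAR5 archives both begin with the bytes 'Rar!' 0x1A 0x07, whatever the extension claims.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 6
        if ($fs.Read($buf, 0, 6) -lt 6) { return $false }
        return ([System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -eq 'Rar!' -and $buf[4] -eq 0x1A -and $buf[5] -eq 0x07)
    } finally { $fs.Dispose() }
}

function Add-EventFindings([string]$Label, [object[]]$Events, [string]$Pattern) {
    foreach ($e in (@($Events) | Where-Object { $_.Message -match $Pattern } | Select-Object -First 20)) {
        $snippet = ($e.Message -replace '\s+', ' ')
        if ($snippet.Length -gt 160) { $snippet = $snippet.Substring(0, 160) + '...' }
        $Findings.Add("$Label event $($e.Id) at $($e.TimeCreated): $snippet")
    }
}

# 1. Feature state: hypervisor enabled while Hyper-V Manager stays off is the DISM pattern from the report.
$FeatureState = @{}
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
    ForEach-Object { $FeatureState[$_.FeatureName] = [string]$_.State }
if ($FeatureState['Microsoft-Hyper-V'] -eq 'Enabled' -and $FeatureState['Microsoft-Hyper-V-Management-Clients'] -ne 'Enabled') {
    $Findings.Add('Hyper-V platform is enabled but Hyper-V Manager (Management-Clients) is not')
}

# 2. VM inventory. WSL2 runs in a utility VM that Hyper-V does not list, so a listed VM named "WSL" is a decoy.
#    Prefer the Hyper-V module; fall back to the CIM provider, which exists whenever the hypervisor role does
#    (the attacker enabled the hypervisor but not necessarily the management tools).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $tag = "VM '$($vm.Name)' (state $($vm.State), created $($vm.CreationTime))"
        if ($vm.Name -match '^wsl$') { $Findings.Add("$tag uses the WSL decoy name") }
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
            if ($nic.SwitchName -eq 'Default Switch') {
                $Findings.Add("$tag is on 'Default Switch': guest traffic is NATed behind the host IP")
            }
        }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            # Assumption: attacker-staged disks sit in user-writable trees, unlike Hyper-V's default store.
            if ($disk.Path -match '\\(Users|Temp|AppData|Downloads)\\' -and $disk.Path -notmatch '\\Public\\Documents\\Hyper-V\\') {
                $Findings.Add("$tag has its disk in a user-writable path: $($disk.Path)")
            }
        }
    }
} else {
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.Caption -eq 'Virtual Machine' } |
        ForEach-Object {
            $Findings.Add("VM '$($_.ElementName)' (EnabledState $($_.EnabledState); 2 = running) seen via CIM, Hyper-V module absent: inspect manually")
        }
}

# 3. Import evidence: PowerShell script-block logging (event 4104) and the Hyper-V VMMS admin log.
#    If script-block logging is on, this script's own text will also show up in 4104 events.
Add-EventFindings 'PowerShell' (Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue) 'Import-VM|Start-VM|New-VM|Enable-WindowsOptionalFeature'
Add-EventFindings 'VMMS' (Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -ErrorAction SilentlyContinue) 'import|\bWSL\b'

# 4. Staging artifacts: VM files outside Hyper-V's default stores, and .mp4 files that are really RAR archives.
$Roots = @("$env:SystemDrive\Users", $env:ProgramData)   # assumption: staging lands in user-writable trees
Get-ChildItem -Path $Roots -Recurse -File -Include *.vhdx, *.vmcx, *.mp4 -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Extension -eq '.mp4') {
        if (Test-RarSignature $_.FullName) { $Findings.Add("RAR archive disguised as video: $($_.FullName)") }
    } elseif ($_.FullName -notmatch '\\Hyper-V\\') {
        $Findings.Add("VM file outside the default Hyper-V store: $($_.FullName)")
    }
}

if ($Findings.Count -eq 0) { 'No hidden-VM indicators found.' } else { $Findings | ForEach-Object { "[!] $_" } }
```

The checks are host-side on purpose: with the guest behind the Default Switch's NAT, network sensors see only the host's IP, so the VM's existence has to be established from feature state, the VMMS inventory and the files and events the import left behind. The path and name heuristics will produce noise on a developer workstation that legitimately runs Hyper-V; treat hits as triage leads to confirm against the VHDX contents, not as verdicts.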