Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2025-07-17 21:37:53 bleepingcomputer MALWARE VMware Addresses Zero-Day Vulnerabilities Discovered at Pwn2Own
VMware has fixed four critical vulnerabilities in its ESXi, Workstation, Fusion, and Tools products, all exposed during the Pwn2Own Berlin 2025 competition. Three of them, each rated 9.3 in severity, could allow a guest virtual machine to execute commands on the host system; they are tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238. The fourth, CVE-2025-41239, rated 7.1, is an information-disclosure issue affecting VMware Tools for Windows specifically. No workarounds are available, so updating to the latest software versions is required to mitigate the risk. The flaws were demonstrated at Pwn2Own, where researchers earned over $1 million in total for their exploits.
2025-07-17 21:28:51 bleepingcomputer MALWARE Microsoft Teams Exploited to Distribute Advanced Matanbuchus Malware
Matanbuchus, a malware-as-a-service offering promoted since early 2021, is being distributed through Microsoft Teams by attackers impersonating IT helpdesk staff. The loader executes payloads directly in memory and has been enhanced for evasion, making it harder to detect and analyze. Attackers contact victims over Teams, trick them into opening the remote-support tool Quick Assist, and then instruct them to run a script that deploys the malware. The latest version, Matanbuchus 3.0, includes updated command-and-control communication, anti-sandbox checks, and direct syscalls that bypass Windows API wrappers and EDR hooks. It collects information from the infected system, such as user credentials and details of installed security tools, and adjusts its techniques to the security environment it finds. Morphisec's analysis of Matanbuchus 3.0 describes its ability to execute a range of commands and payloads alongside its evasion and obfuscation improvements; the researchers have published indicators of compromise and detailed technical insights into the threat.
2025-07-17 20:06:04 bleepingcomputer MALWARE Google Initiates Legal Action Against BadBox 2.0 Botnet Operators
Google has filed a lawsuit against the operators of the BadBox 2.0 botnet, which is implicated in a large-scale ad fraud scheme. BadBox 2.0 has infected over 10 million Android Open Source Project (AOSP) devices worldwide, including smart TVs and streaming devices. The malware turns infected devices into residential proxies for cybercrime or uses them for ad fraud on Google's platforms. BadBox 2.0 emerged after German authorities disrupted its predecessor in December 2024; the new version quickly regrouped and expanded its reach, and over 170,000 devices in New York State alone are reported to be part of the botnet. Google has terminated thousands of publisher accounts linked to the fraud but says the threat continues to grow. The lawsuit seeks damages and a permanent injunction against the operation, invokes the Computer Fraud and Abuse Act and the RICO Act against unnamed perpetrators believed to be in China, and asks for the dismantling of over 100 internet domains that form part of the botnet's infrastructure.
2025-07-17 19:02:48 bleepingcomputer MALWARE LameHug Malware Uses AI to Generate Windows Data-Theft Commands
LameHug, malware discovered by Ukraine's CERT-UA, uses a large language model (LLM) to generate data-theft commands for Windows systems in real time. It has been linked to APT28, a Russian state-backed threat group also known as Fancy Bear and Sednit, among other aliases. LameHug queries Alibaba Cloud's open-source LLM Qwen 2.5-Coder-32B-Instruct through Hugging Face's API to turn natural-language prompts into executable commands. Initial distribution was observed via malicious emails carrying ZIP attachments that impersonated Ukrainian ministry officials. The malware performs system reconnaissance and steals documents from directories such as Documents, Desktop, and Downloads, then exfiltrates the data over SFTP or HTTP POST, which makes the exfiltration stealthier. Generating commands dynamically with an LLM represents a potential shift in attack tooling, offering adaptability and obfuscation advantages to malware operators. CERT-UA attributes the activity to the Russian-sponsored APT28 with medium confidence; whether the generated commands actually succeeded remains unconfirmed.
2025-07-17 18:50:22 theregister MALWARE Critical Security Flaw in Cisco ISE Allows Root-Level Access
Cisco has issued patches for a critical vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) rated 10 out of 10 in severity. The flaw, CVE-2025-20337, allows an unauthenticated remote attacker to execute arbitrary code with root privileges. It is related to a previously disclosed vulnerability, CVE-2025-20281; both affect ISE and ISE-PIC versions 3.3 and 3.4. No workarounds are available, but Cisco has released software updates that address this and other related security issues. The vulnerabilities stem from insufficient validation of user-supplied input in crafted API requests. Vulnerabilities of this severity attract both security researchers and criminals, though no in-the-wild exploitation has been reported yet. Users of the affected systems should apply the software updates immediately to prevent exploitation.
2025-07-17 17:44:33 thehackernews MALWARE Hackers Employ GitHub to Distribute Amadey Malware and Stealers
Threat actors are using public GitHub repositories to host and distribute malicious payloads, including the Amadey malware and data stealers. Cisco Talos researchers identified fake GitHub accounts used to bypass web filtering and streamline payload distribution. The Emmenhtal loader (also known as PEAKLIGHT) downloads Amadey, which in turn fetches additional payloads from GitHub. Similar tactics were seen in an earlier phishing campaign that targeted Ukrainian entities with invoice-themed lures to distribute SmokeLoader. Beyond downloading secondary payloads, Amadey gathers system information and can be extended with DLL plugins for capabilities such as credential theft. GitHub has taken down the identified accounts hosting malicious scripts, but researchers believe they are part of a broader malware-as-a-service operation abusing the platform. A related threat, SquidLoader, is targeting financial institutions in Asia with techniques designed to evade detection and enable remote control. Social-engineering techniques such as QR codes and password-protected emails continue to rise, complicating detection and response for security teams.
2025-07-17 17:00:10 bleepingcomputer CYBERCRIME BigONE Crypto Exchange Hacked, $27 Million in Digital Assets Stolen
Cryptocurrency exchange BigONE was hacked, with $27 million in various digital assets stolen from its hot wallet; private keys and user data were not compromised. BigONE has committed to fully reimbursing all affected users from its available reserves. With the help of security firm SlowMist, the company says it has identified and contained the attack method, and SlowMist is now tracking the stolen funds across blockchains. No details of how the theft was carried out have been disclosed beyond attributing it to a supply-chain attack. BigONE quickly restored deposit and trading services and plans to re-enable withdrawal and OTC functions soon. The attackers have begun laundering the stolen assets, converting them into cryptocurrencies including Bitcoin and Ether. BigONE's reported role in processing large amounts of scam-related funds highlights broader concerns about security in the cryptocurrency industry.
2025-07-17 16:05:22 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Infiltrate U.S. National Guard, Steal Sensitive Data
Chinese state-sponsored hacking group Salt Typhoon breached a U.S. Army National Guard network and remained undetected for nine months in 2024. The hackers exfiltrated network diagrams, configuration files, administrator credentials, and personal information of service members. The stolen data includes network configurations linking every U.S. state and several territories, greatly increasing the risk of further breaches in government networks. Salt Typhoon is believed to be affiliated with China's Ministry of State Security and has previously targeted U.S. telecommunications and government entities. The Department of Homeland Security memo indicates the breach could facilitate future attacks on U.S. critical infrastructure by using the stolen data to compromise additional networks. The National Guard Bureau acknowledged the breach without disclosing specifics; operations were reportedly not disrupted. The DHS has urged cybersecurity teams in the National Guard and other government sectors to patch known vulnerabilities and enhance network security measures. The Chinese embassy responded to allegations by suggesting the U.S. has not provided substantial evidence of Salt Typhoon's links to the Chinese government.
2025-07-17 15:53:39 bleepingcomputer MALWARE Critical Cisco ISE Vulnerability Requires Immediate Patching
A severe vulnerability in Cisco's Identity Services Engine (ISE), identified as CVE-2025-20337, allows unauthenticated attackers to execute commands and potentially gain root access. The security flaw, rated 10/10 in severity, arose due to insufficient validation of user-supplied input in certain API requests. The vulnerability was discovered by Kentaro Kawane and reported through Trend Micro's Zero Day Initiative. This vulnerability impacts Cisco ISE and ISE-PIC versions 3.3 and 3.4, but not earlier versions like 3.2. Cisco has released patches specifically for ISE versions 3.3 and 3.4 to address this critical issue and two other related vulnerabilities. No practical workarounds are available; system administrators are urged to apply the necessary patches immediately to mitigate risks. Although no exploits of this vulnerability have been detected in the wild, the potential for severe system compromise makes immediate action essential. Additional Cisco bulletins released address various security issues, but CVE-2025-20337 requires particular attention due to its critical nature and high potential impact.
2025-07-17 14:15:38 thehackernews MALWARE Hackers Use Apache Server Flaw to Spread Cryptocurrency Miner
Cybersecurity experts uncovered a new malicious campaign exploiting a vulnerability (CVE-2021-41773) in Apache HTTP Server to distribute a cryptocurrency miner named Linuxsys. The Linuxsys miner deployment utilizes compromised legitimate websites to remain undetected and leverages valid SSL certificates to evade security measures. Attackers host the malware on third-party sites, not directly on their command-and-control server, adding a layer of obfuscation. Additional payloads discovered include Windows executables, indicating that attackers are targeting multiple operating systems. The campaign uses a combination of compromised infrastructure and clever evasion techniques, enabling the long-term, stealthy operation of the cryptocurrency mining malware. Previous related attacks exploited critical vulnerabilities in other software, including OSGeo GeoServer GeoTools, pointing to a consistent pattern by the attackers. The threat actors carefully target victims, avoiding detection by security systems, which often overlook interactions from legitimate, compromised hosts.
2025-07-17 11:38:26 thehackernews DDOS Europol Cracks Down on Pro-Russian DDoS Hacktivist Network
Europol has disrupted the central server infrastructure of the pro-Russian hacktivist group NoName057(16), significantly hindering its capabilities. The operation, dubbed "Operation Eastwood," involved coordinated efforts across multiple countries, including France, Germany, and Spain, and resulted in two arrests. NoName057(16) has been active since March 2022, conducting DDoS attacks against Ukraine and its allies following Russia's invasion. Participants were mobilized via Telegram and paid in cryptocurrency to carry out attacks with a bespoke tool, DDoSia. The crackdown included arrest warrants for six Russians and outreach to over 1,000 individuals involved, warning them of potential criminal liability. The group also built a botnet of several hundred servers to amplify its attacks and used gamified tactics to recruit and motivate participants. Recent activity targeted a variety of entities in Sweden and Germany, with multiple waves of attacks on critical infrastructure and public institutions. More broadly, Russian hacktivist groups such as Z-Pentest and Dark Engine are increasingly focusing on strategic targets beyond typical ideological cyber vandalism.
2025-07-17 11:31:02 theregister MISCELLANEOUS Expert Criticizes Quantum Computer Claims as Unfounded
Peter Gutmann, a computer science professor, dismisses the practicality of quantum cryptanalysis, calling it "nonsense" in a detailed presentation. The US National Institute of Standards and Technology (NIST) has been promoting the development of post-quantum cryptographic (PQC) algorithms since 2016 because of the potential threat from quantum computing. Gutmann argues that quantum computers as they exist today are closer to physics experiments and have not demonstrated the ability to break real-world cryptographic algorithms. His skepticism extends to the hype around quantum computing generally, which he compares to other undelivered technological promises such as fusion power. He challenges the significance of recent quantum achievements, noting that breaking public-key cryptography in practice would require quantum processors far larger than any currently available, and views the current shift towards PQC as premature and a diversion from addressing real problems in encryption and cybersecurity. The piece reflects an ongoing debate in the scientific community about the timeline and impact of quantum computing on encryption and security.
2025-07-17 11:07:57 thehackernews MISCELLANEOUS Enhancing Cybersecurity with CTEM, VM, and ASM in 2025
The cybersecurity landscape in 2025 demands proactive, adaptive, and actionable security measures. Continuous Threat Exposure Management (CTEM), Vulnerability Management (VM), and Attack Surface Management (ASM) are crucial, overlapping strategies. CTEM offers a systematic approach to constantly monitor, assess, and respond to security exposures across an organization. VM focuses on identifying, analyzing, and managing vulnerabilities within known assets proactively to prevent potential cyberattacks. ASM provides a broader approach by identifying both known and unknown assets, offering insights into critical attacker entry points. Effective CTEM programs incorporate VM and ASM tools along with advanced offensive security techniques like penetration testing. BreachLock offers a unified platform that integrates CTEM, VM, and ASM, simplifying comprehensive security management with a single source of truth. BreachLock's integrated approach helps elevate defense strategies by unifying security testing and validating attack paths.
2025-07-17 07:59:42 thehackernews NATION STATE ACTIVITY Chinese State-Linked Hackers Target Taiwan's Semiconductor Industry
Three Chinese state-sponsored groups, UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, engaged in spear-phishing campaigns against Taiwan's semiconductor sector between March and June 2025. UNK_FistBump used phishing emails targeting HR departments with fake resumes to deploy Cobalt Strike and custom malware known as Voldemort, previously linked to Chinese cyber-espionage group APT41. UNK_DropPitch focused on investment analysts within the semiconductor industry, using malicious DLL payloads via email to execute backdoor activities and gather intelligence. UNK_SparkyCarp attempted to capture credentials from a Taiwanese semiconductor company using phishing emails disguised as security alerts, employing a sophisticated adversary-in-the-middle (AitM) kit. The activity reflects China's strategic interest in achieving semiconductor self-sufficiency and reducing reliance on international technologies amid heightened US-Taiwan export controls. Proofpoint also reported evidence of shared infrastructure and tactics among these groups, suggesting a coordinated effort potentially directed by a centralized authority within China. The incidents are consistent with the targeting patterns and technical capabilities historically associated with Chinese cyber espionage aimed at gaining a competitive edge in critical technologies.
2025-07-17 06:32:06 theregister MISCELLANEOUS Microsoft Extends Security Updates for Exchange and Skype Servers
Microsoft has announced a six-month extension of security updates for Exchange Server 2016 and 2019 and for Skype for Business 2015 and 2019 beyond their official end of support in October 2025. The extension gives customers additional time to migrate from these older systems, acknowledging the difficulties a significant part of the customer base has experienced. The Extended Security Updates (ESU) will cover only security updates rated Critical or Important that may be issued after the support end date. Microsoft does not guarantee that any updates will be released during the extension and will not deliver them through regular channels such as Windows Update. Access to the extended updates requires registration and purchase, with details available only through Microsoft's account teams. Microsoft emphasized that this extension is a one-time offer that will end on April 14, 2026, with no further extensions to be granted.