Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

Source: Cofense

The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that tricks users into giving out access to their Meta Business accounts. While social media phishing attempts are prevalent, this one went above and beyond by employing fake chat support, providing detailed instructions, and attempting to add itself as a secure login method. Read more.

Nuxt Users Beware: CVE-2025-27415 Opens the Door to Cache Poisoning Attacks

Source: Cybersecurity News

A newly discovered vulnerability in the popular Nuxt framework could allow attackers to poison CDN caches and disrupt access to full-stack Vue.js applications. Tracked as CVE-2025-27415 and scored 7.5 on the CVSS scale, the issue lies in how Nuxt handles certain HTTP requests, particularly ones that resemble https://yoursite.com/?/_payload.json, where the payload filename appears in the query string rather than in the URL path. Read more.
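The following is an added example, not Nuxt's code and not from the Cybersecurity News article, that models the general bug class a URL like /?/_payload.json points at: a server decides "is this a payload request?" by testing the whole request URL (query string included) against a suffix pattern, while a CDN in front of it keys its cache on the path alone. The regex, the toy origin, the toy cache and the localhost base URL used for parsing are all assumptions chosen to illustrate the pattern; a real deployment depends on the framework's actual route check and on the CDN's cache-key configuration.

```javascript
// Added illustration of the cache-poisoning pattern (simplified model, not Nuxt's implementation).
// Assumption: the server recognises SSR payload requests by a suffix match on the URL.
const PAYLOAD_SUFFIX = /\/_payload\.json$/;

// Vulnerable check: tests the raw request URL, so the query string counts.
// "/?/_payload.json" ends with "/_payload.json" and is treated as a payload request.
function isPayloadRequestVulnerable(rawUrl) {
  return PAYLOAD_SUFFIX.test(rawUrl);
}

// Hardened check: parse first, then test only the pathname.
// Assumption: "http://localhost" is just a base so relative URLs parse offline.
function isPayloadRequestFixed(rawUrl) {
  const { pathname } = new URL(rawUrl, 'http://localhost');
  return PAYLOAD_SUFFIX.test(pathname);
}

// Toy origin server: JSON for payload requests, HTML for everything else.
function origin(rawUrl, isPayloadRequest) {
  if (isPayloadRequest(rawUrl)) {
    return { contentType: 'application/json', body: '{"data":{}}' };
  }
  return { contentType: 'text/html', body: '<!doctype html><html><body>page</body></html>' };
}

// Toy CDN whose cache key is the pathname only; the query string is ignored.
// Many CDNs can be configured either way, which is the condition that decides
// whether this request poisons the cached copy of "/".
class PathKeyedCache {
  constructor() {
    this.store = new Map();
  }
  fetch(rawUrl, isPayloadRequest) {
    const { pathname } = new URL(rawUrl, 'http://localhost');
    if (!this.store.has(pathname)) {
      this.store.set(pathname, origin(rawUrl, isPayloadRequest));
    }
    return this.store.get(pathname);
  }
}

// Scenario: an attacker requests "/?/_payload.json" once, then an ordinary visitor
// requests "/". Returns the content type the ordinary visitor receives.
function simulate(isPayloadRequest) {
  const cdn = new PathKeyedCache();
  cdn.fetch('/?/_payload.json', isPayloadRequest); // primes the cache for "/"
  return cdn.fetch('/', isPayloadRequest).contentType;
}

console.log('vulnerable check, visitor gets:', simulate(isPayloadRequestVulnerable)); // application/json
console.log('fixed check, visitor gets:     ', simulate(isPayloadRequestFixed));      // text/html
```

With the vulnerable check the cached entry for "/" is the JSON payload, so every later visitor of the home page receives JSON instead of HTML until the entry expires or is purged, which is the denial-of-service outcome the article describes. The fix is to classify the request on the parsed pathname only; as a second layer, configuring the CDN to include the query string in its cache key (or to strip unexpected query strings before forwarding) prevents a query-only variation from overwriting the cached page.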

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7’s Latest Backdoor

Source: G Data

In the ever-evolving landscape of advanced persistent threats (APTs), the notorious financial cybercrime group FIN7 has added another sophisticated tool to their arsenal. We have recently discovered a new Python-based backdoor, called “AnubisBackdoor”, being deployed in their latest campaigns. Read more.

Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation

Source: Sygnia

Sygnia details Weaver Ant, a China-nexus threat actor infiltrating a major telecom provider. Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage. Read more.

Over 150 US Government Database Servers Vulnerable to Internet Exposure

Source: GB Hackers

The investigation, conducted using data from Shodan, a tool often referred to as the “Google of internet-connected devices,” identified over 2,000 instances of exposed government database servers since early 2025. Read more.

Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations

Source: Trend Micro

Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations. Read more.

AI-Generated Zoom Impersonation Attack Exploits Tax Season to Deploy Remote Desktop Tool

Source: Abnormal

Disguised as a routine Zoom meeting invitation related to the 2024 tax season, a campaign recently stopped by Abnormal leveraged generative AI to construct a highly convincing phishing page. However, unlike traditional credential-harvesting scams, these attacks attempted to deceive targets into downloading an RMM (remote monitoring and management) tool, granting threat actors full control over their devices. Read more.

UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools

Source: The Hacker News

“UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting,” Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said. Read more.

VanHelsing Ransomware

Source: Cyfirma

This new ransomware strain encrypts files and demands payment for decryption. It also employs double extortion tactics, threatening to leak stolen data to pressure victims into paying. Once executed, VanHelsing appends the “.vanhelsing” extension to encrypted files, modifies the desktop wallpaper, and drops a ransom note named “README.txt” on the victim’s system. Read more.

Operation FishMedley

Source: WeLiveSecurity

Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States. Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors. We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group. Read more.