Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Source: The Hacker News

In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google’s infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. Read more.

False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation

Source: Unit 42

Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. Read more.

Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation

Source: Trellix

Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, and procedures (TTPs) to stay aligned with emerging trends. It is distributed on the dark web via a subscription-based model, Malware-as-a-Service (MaaS). Read more.

Critical AnythingLLM Vulnerability Exposes Systems to Remote Code Execution

Source: GBHackers

A critical security flaw (CVE-2024-13059) in the open-source AI framework AnythingLLM has raised alarms across cybersecurity communities. The vulnerability, discovered in February 2025, allows attackers with administrative privileges to execute malicious code remotely, potentially compromising entire systems. Read more.

IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia

Source: SECURE LIST

However, recently we managed to spot attempted deployments of a new version of this implant, occurring in government organizations located in Mongolia and Russia. To us, this observed choice of victims wasn’t surprising, as back in 2018, we wrote that IronHusky, the actor related to this RAT, has a specific interest in targeting these two countries. Read more.

Emulating the Stealthy StrelaStealer Malware

Source: ATTACK IQ

In recent analysis, StrelaStealer has been associated with the threat actor group HIVE-0145, a cluster identified for its focus on credential theft and espionage-driven campaigns. As reported by IBM, HIVE-0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of StrelaStealer. Read more.

Cisco Webex bug lets hackers gain code execution via meeting links

Source: BLEEPING COMPUTER

Tracked as CVE-2025-20236, this security flaw was found in the Webex custom URL parser and can be exploited by tricking users into downloading arbitrary files, which lets threat actors execute arbitrary commands on systems running unpatched software in low complexity attacks. Read more.

Billbug: Intrusion Campaign Against Southeast Asia Continues

Source: Symantec

The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. Read more.

Malware of the Day – C2 over NTP (goMESA)

Source: Active Countermeasures

To complete the disguise, an attacker’s NTP server used for C2 can often be set up to also respond with valid time information, making the malicious traffic blend seamlessly with legitimate NTP activity and harder to detect by both automated systems and security analysts. This combination of permitted passage, potential for data hiding, and plausible deniability makes NTP an attractive channel for stealthy C2 operations. Read more.

Unmasking the new XorDDoS controller and infrastructure

Source: CISCO TALOS

Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. Read more.