⚡ Weekly Recap: VPN Exploits, Oracle’s Silent Breach, ClickFix Comeback and More TechTricks365

Apr 07, 2025Ravie LakshmananThreat Intelligence / Cybersecurity

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day.

Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough.

This week, we trace how simple oversights turn into major breaches — and the silent threats most companies still underestimate.

Let’s dive in.

⚡ Threat of the Week

UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. The vulnerability was originally patched by Ivanti on February 11, 2025, indicating that the threat actors studied the patch and figured out a way to exploit prior versions to breach unpatched systems. UNC5221 is believed to share overlaps with clusters tracked by the broader cybersecurity community under the monikers APT27, Silk Typhoon, and UTA0178.

🔔 Top News

• EncryptHub Unmasked as a Likely Lone Wolf Actor — An up-and-coming threat actor operating under the alias EncryptHub has been exposed due to a series of operational security blunders. What distinguishes EncryptHub from other typical cybercriminals is the dichotomy of their online activities – while conducting malicious campaigns, the individual simultaneously contributed to legitimate security research, even receiving acknowledgment from the Microsoft Security Response Center (MSRC) last month for discovering and reporting CVE-2025-24061 and CVE-2025-2407. Another interesting aspect of EncryptHub is their use of OpenAI ChatGPAT as a “partner in crime,” leveraging it for malware development and translation tasks. In some particularly revealing conversations with the artificial intelligence (AI) chatbot, EncryptHub asked it to evaluate whether he was better suited to be a “black hat or white hat” hacker and if would be better being a “a cool hacker or a malicious researcher,” even going to the extent of confessing to his criminal activities and the exploits he had developed. “When people think of cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology,” Outpost24 said. “However, many hackers are normal people who at some point decided to follow a dark path.”
• GitHub Action Supply Chain Traced Back to SpotBugs PAT Theft — The cascading supply chain attack that initially targeted Coinbase before becoming broader in scope to single out users of the “tj-actions/changed-files” GitHub Action has been traced further back to the theft of a personal access token (PAT) associated with another open-source project called SpotBugs. The origins of the sophisticated breach are slowly coming into focus amid continued investigation, revealing how the initial compromise happened. It has now emerged that the popular static analysis tool, SpotBugs, was compromised in November 2024, using it as a stepping stone to compromise “reviewdog/action-setup,” which subsequently led to the infection of “tj-actions/changed-files.” This was made possible due to the fact that the maintainer of reviewdog also had access to SpotBugs repositories. The multi-step supply chain attack eventually went on to expose secrets in 218 repositories after the attackers failed in their attempt to breach Coinbase-related projects.
• Contagious Interviews Adopts ClickFix and Spreads Fake npm Packages — The North Korean threat actors behind the ongoing Contagious Interview campaign have been observed adopting the infamous ClickFix social engineering strategy to deliver a previously undocumented backdoor called GolangGhost. The adversarial collective have also published as many as 11 npm packages that deliver the BeaverTail information stealer malware, as well as a new remote access trojan (RAT) loader. The packages were downloaded more than 5,600 times prior to their removal. Meanwhile, North Korean IT workers are expanding their efforts beyond the U.S., and are seeking to fraudulently gain employment with organizations around the world, especially in Europe. Google researchers called out the IT warriors for engaging in “a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.” What’s more, they are increasingly attempting to extort money from these companies once they get discovered and/or fired. In recent years, the U.S. government has made a concentrated push to raise awareness about the insider threat operation, to root out and punish U.S.-based facilitators of the fraudulent scheme, to uncover the IT workers and front companies that help these workers conceal their true origin, and to help organizations detect the risk before it’s too late. In all probability, these heightened law enforcement efforts have caused the operators of the scheme to focus more on targets located elsewhere, while also driving them to embrace more aggressive measures to maintain revenue streams.
• Phony Versions of Android Phones Come Preloaded with Triada Malware — Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be pre-installed with a modified version of an Android malware called Triada. A majority of infections have been reported in Russia. It’s believed that the infections are the result of a hardware supply chain compromise, although Triada has been observed propagated via unofficial WhatsApp mods and third-party app marketplaces.
• Bad Actors Abuse mu-plugins to Stash Malware — Threat actors are utilizing the WordPress mu-plugins (“must-use plugins”) directory to stealthily run malicious code on every page while evading detection. Because mu-plugins run on every page load and don’t appear in the standard plugin list, they can be used to stealthily perform a wide range of malicious activity, such as stealing credentials, injecting malicious code, or altering HTML output.

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-22457 (Ivanti Connect Secure, Policy Secure, and ZTA Gateway), CVE-2025-30065 (Apache Parquet), CVE-2024-10668 (Google Quick Share for Windows), CVE-2025-24362 (github/codeql-action), CVE-2025-1268 (Canon), CVE-2025-1449 (Rockwell Automation Verve Asset Manager), CVE-2025-2008 (WP Ultimate CSV Importer plugin), CVE-2024-3660 (TensorFlow Keras), CVE-2025-20139 (Cisco Enterprise Chat and Email), CVE-2025-20212 (Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series), CVE-2025-27520 (BentoML), CVE-2025-2798 (Woffice CRM theme), CVE-2025-2780 (Woffice Core plugin), CVE-2025-31553 (WPFactory Advanced WooCommerce Product Sales Reporting plugin), CVE-2025-31579 (EXEIdeas International WP AutoKeyword plugin), and CVE-2025-31552 (RSVPMarker plugin).

📰 Around the Cyber World

• Oracle Privately Confirms Data Breach — Enterprise computing giant Oracle is reportedly informing its customers in private that it hackers compromised a “legacy” Oracle environment, exposing usernames, passkeys, and encrypted passwords, contradicting its consistent public denial about the incident. “The company informed customers that the system hasn’t been in use for eight years and that the stolen client credentials therefore pose little risk,” Bloomberg reported. An investigation by the U.S. Federal Bureau of Investigation (FBI) and CrowdStrike is reportedly ongoing. This is the second breach the company has acknowledged to clients in recent weeks. The intrusion is assessed to be separate from another hack at Oracle Health(formerly Cerner) that affected some U.S. healthcare customers last month. News about the breach came to light after an unidentified threat actor named “rose87168” attempted to sell data on BreachForums that they claimed to have stolen from the company’s cloud servers. Multiple cybersecurity companies, including Black Kite, CloudSEK, CyberAngel, Hudson Rock, Orca Security, SOCRadar, Sygnia, and Trustwave, have analyzed and validated the data posted for sale online as directly extracted from Oracle. The attacker is believed to have exploited an unpatched vulnerability in Oracle Fusion Middleware (CVE-2021-35587) to compromise Oracle Cloud’s login and authentication system and steal the data. “This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a web shell along with malware,” CyberAngel said. “The malware specifically targeted the Oracle IDM database and was able to exfil data.” Security researcher Kevin Beaumont said “Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility,” adding “Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.” CloudSEK has developed an online tool that allows organizations to check whether they are impacted by the data breach. Oracle’s private acknowledgment also comes just days after the company was hit with a class action lawsuit over its handling of the security event.
• New Triton RAT Emerges in the Wild — A new Python-based remote access trojan called Triton RAT allows threat actors to remotely access and control a system using Telegram. Written in Python, the malware is publicly available on GitHub and comes with capabilities to log keystrokes, run commands, record screens, gather Wi-Fi information, and steal passwords, clipboard content, and Roblox security cookies. “A Roblox security cookie is a browser cookie that stores the users’ session and can be used to gain access to the Roblox account bypassing 2FA,” Cado Security said. The disclosure comes as CYFIRMA detailed another RAT written in Python that uses Discord’s API for command-and-control (C2) in order to execute arbitrary system commands, steal sensitive information, capture screenshots, and manipulate both local machines and Discord servers.
• U.S. DoJ Announces Recovery of $8.2M Stolen in Romance Baiting Scam — The U.S. Department of Justice (DoJ) has announced the recovery of $8.2 million worth of USDT (Tether) that was stolen via a romance baiting (previously pig butchering) scam. According to a complaint filed in late February 2025, the scam targeted a woman in Ohio, who lost her entire life savings of approximately $663,352, after she responded to a text message from an unknown number in November 2023. While the initial conversation revolved around topics such as hobbies and religion, the victim was persuaded into opening an account at crypto.com and transferred her money into the account. “When the victim wanted to withdraw funds, her ‘friend,’ relented and said additional payments were needed and she complied,” the DoJ said. “When the victim no longer had any funds left after making additional payments, her ‘friend’ began to threaten her that he would send his friends to ‘take care of’ her friends and family.” Over 30 victims are estimated to have fallen for the scheme in total.”
• ClickFix Used to Deliver QakBot — The increasingly popular ClickFix technique has been used as a delivery vector to distribute the previously dormant QakBot malware. The attack pairs the malware with ClickFix, an endpoint compromise method that was first observed towards the end of 2024 and has since gained significant traction in recent months. It involves tricking a victim into running a malicious command under the pretext of fixing an issue, typically a CAPTCHA verification challenge.
• Flaw Disclosed in Verizon Call Filter — Verizon’s Call Filter app had a vulnerability that allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request to the “clr-aqx.cequintvzwecid.com/clr/callLogRetrieval” endpoint. But security researcher Evan Connelly, who discovered and reported the bug on February 22, 2025, found that the request containing the phone number used to retrieve call history logs was not verified against the phone number whose incoming call logs were being requested. This could open the door to a scenario where an attacker could have altered the request with another Verizon phone to retrieve their incoming call history. The vulnerability has since been addressed by Verizon as of March 25, 2025.
• GitHub Unveils Updates to Advanced Security Platform — GitHub has announced updates to its Advanced Security platform after its secret scanning service detected over 39 million leaked secrets in repositories last year. This includes a free, organization-wide secret scan to help teams identify and reduce exposure, as well as the availability of GitHub Secret Protection and a new secret risk assessment tool that aims to offer “clear insights into your organization’s exposure.”
• New Ubuntu Linux Security Bypasses Detailed — Three security bypasses have been discovered in Ubuntu Linux’s unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components. The bypasses, which occur via aa-exec, busybox, and LD_PRELOAD, permit attackers to create user namespaces with elevated privileges. “These bypasses enable local attackers to create user namespaces with full administrative capabilities, which facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment,” Qualys said in a statement. “It is important to note that these bypasses alone do not enable complete system takeover; however, they become dangerous when combined with other vulnerabilities, typically kernel-related.” Ubuntu, which acknowledged the issues, said it’s working to “implement further tightening rules in AppArmor.”
• Classiscam Targets Central Asia — Classiscam is an automated scam-as-a-service operation that uses Telegram bots to create fake websites impersonating legitimate services in an attempt to deceive victims into sharing their financial details. The scam, also called Telekopye, essentially involves the fraudsters either posing as a buyer or a seller on online platforms to trick victims into transferring money for non-existent goods or services, or persuading the seller to use a delivery service for the transaction via a fake delivery website that seeks their financial information. These conversations happen over a messaging app like Telegram by claiming that “it is easier to communicate.” Group-IB’s investigation has found that more than ten financial institutions in Uzbekistan, including prominent banks and payment systems, have been targeted by phishing schemes, which employ bogus sites impersonating the services to obtain their customers’ banking credentials. One such team engaged in the fraudulent scheme is Namangun Team, which has primarily provided phishing services aimed at Uzbekistan and Kyrgyzstan since late November 2024, allowing its customers to create phishing pages on the fly using their Telegram bot.

• Google Partners with NVIDIA and HiddenLayer for a New Model Signing Library — Google, in collaboration with NVIDIA and HiddenLayer, has announced the release of a Python library called “model-signing” that offers developers a way to sign and verify machine learning (ML) models in an effort to bolster the security of the ML supply chain and safeguard against emerging threats like model and data poisoning, prompt injection, prompt leaking and prompt evasion. “Using digital signatures like those from Sigstore, we allow users to verify that the model used by the application is exactly the model that was created by the developers,” the tech giant said. The development comes as Python officially standardized a lock file format as part of PEP 751. The new format, named pylock.toml, is a TOML-based format that records exact dependency versions, file hashes, and installation sources. The new standard “brings Python in line with other ecosystems like JavaScript (package-lock.json), Rust (Cargo.lock), and Go (go.sum),” Socket said. “While the PEP doesn’t address all supply chain threats (such as typosquatting, maintainer account compromise, and concealed payloads), it lays the groundwork for better auditing and tamper resistance.”
• Arcanum Trojan Distributed via Fortune-Telling Sites — A new trojan called Arcanum is being distributed via websites dedicated to fortune-telling and esoteric practices, masquerading as a “magic” app for predicting the future. The app, while offering seemingly harmless functionality, connects to a remote server to deploy additional payloads, including the Autolycus. Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. The captured information is subsequently exfiltrated to an attacker-controlled server. The emergence of the malware coincides with the discovery of a credit card skimmer malware codenamed RolandSkimmer that targets e-commerce users in Bulgaria by means of a Windows shortcut (LNK) file distributed via ZIP archives. The LNK file then initiates a multi-step process that installs a malicious browser extension on web browsers to steal credit card information. “The attackers employ carefully crafted JavaScript payloads, misleading manifest files, and obfuscated VBScripts to maintain persistence across sessions and evade detection,” Fortinet said.
• Identity-Based Attacks on the Rise — Attackers are relying heavily on credential-enabled access points to infiltrate networks and power their operations, rather than using more complex methods like exploiting vulnerabilities or deploying malware, according to Cisco Talos. Ransomware gangs, in particular, are known to use stolen-but-valid credentials procured from initial access brokers (IABs) as a means of initial access into corporate networks. IABs, in turn, leverage commercially-available information stealers like Lumma to capture users’ credentials. This is also exacerbated by the fact that many users recycle passwords across multiple services, creating a “ripple effect of risk” when their credentials are stolen. Based on traffic observed between September and November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords, per the web infrastructure company. What’s more, valid VPN credentials could be abused to gain unrestricted access to sensitive systems, often with elevated privileges that mirror those of legitimate employees or administrators. The use of legitimate credentials by threat actors entirely bypasses security barriers, giving them a “direct path to infiltrate networks, steal data, and deploy ransomware undetected.” “Identity-based attacks are attractive to threat actors because they can allow an adversary to carry out a range of malicious operations, often with minimal effort or without meeting much resistance from a security standpoint,” the company said. “This is due in large part to the activity being difficult to detect because it emanates from seemingly legitimate user accounts.” Data gathered by the company shows that Identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for 24% of all attacks targeting multi-factor authentication (MFA).
• Iran-linked OilRig Targets Iraqi Entities — The Iranian hacking group known as OilRig (aka APT34) has been attributed to a series of cyber attacks against Iraqi state entities since 2024 that involve the use of spear-phishing lures to deploy a backdoor that can execute commands, gather host information, and upload/download files. The backdoor makes use of HTTP and email for C2 communications. “The former secretly sends control instructions based on the characteristic value of the body content, and the latter uses a large number of compromised Iraqi official government mailboxes for email communication,” ThreatBook said.
• Security Flaws in PyTorch Lightning — Five deserialization vulnerabilities have been disclosed in PyTorch Lightning versions 2.4.0 and earlier that could be potentially exploited to execute malicious code when loading machine learning models from unknown or untrusted sources. “These vulnerabilities arise from the unsafe use of torch.load(), which is used to deserialize model checkpoints, configurations, and sometimes metadata,” the CERT Coordination Center (CERT/CC) said. “A user could unknowingly load a malicious file from local or remote locations containing embedded code that executes within the system’s context, potentially leading to full system compromise.” CERT/CC said the issues remain unpatched, requiring that users verify the files to be loaded are from trusted sources and with valid signatures.
• Russian Firm Offers $4 Million for Telegram Exploits — Operation Zero, a Russian exploit acquisition firm, says it is willing to pay up to $4 million for full-chain exploits targeting the popular messaging service Telegram. In a post shared on X, the zero-day vulnerability purchase platform said it will pay up to $500,000 for exploits that can achieve 1-click remote code execution (RCE) and $1.5 million for those that can be weaponized to achieve RCE sans any user interaction (i.e., zero-click). “In the scope are exploits for Android, iOS, Windows. The prices are depending on limitations of zero-days and obtained privileges,” Operation Zero said. Exploit brokers often either develop or acquire security vulnerabilities in popular operating systems and apps and then re-sell them for a higher price to clients of interest. For Operation Zero to single out Telegram makes sense, given that the messaging app is popular with users in both Russia and Ukraine. A Telegram spokesperson told TechCrunch that the messaging platform has “never been vulnerable” to a zero-click exploit. The development comes as details emerged about a zero-day flaw in Telegram’s macOS client that could be exploited to achieve RCE. Early last month, security researcher 0x6rss also disclosed an updated version of the EvilVideo flaw in Telegram (CVE-2024-7014), which bypasses existing mitigations via .HTM files. “A file with an ‘.htm’ extension is disguised as a video and sent via the Telegram API, and while the user expects a video, the JavaScript code inside the HTML is actually executed,” the researcher said. The new exploit has been codenamed EvilLoader.
• What are the Most Common Passwords in RDP Attacks? — They are 123456, 1234, Password1, 12345, P@sswOrd, password, Password123, Welcome1, 12345678, and Aa123456, according to Specops, based on an analysis of 15 million passwords used to attack RDP ports. “Attackers are on the lookout for exposed RDP servers as these can be easy targets for brute force attacks,” the company said. “Additionally, attackers may conduct password spraying attacks on RDP servers and try known breached credentials on exposed servers.”

🎥 Expert Webinar

• Shadow AI Is Already Inside Your Apps — Learn How to Lock It Down — AI tools are flooding your environment — and most security teams can’t see half of them. Shadow AI is quietly connecting to critical systems like Salesforce, creating hidden risks that traditional defenses miss. Join Dvir Sasson, Director of Security Research at Reco, to uncover where AI threats are hiding inside your SaaS apps, real-world attack stories, and how leading teams are detecting and shutting down rogue AI before it causes real damage.
• Secure Every Step of the Identity Lifecycle — Before Attackers Exploit It — Today’s attackers are using AI-driven deepfakes and social engineering to bypass weak identity defenses. Securing the entire identity journey — from enrollment to daily access to recovery — is now essential. Join Beyond Identity and Nametag to learn how enterprises are blocking account takeovers, securing access with phishing-resistant MFA and device trust, and defending against AI threats with Deepfake Defense™.

🔧 Cybersecurity Tools

• GoResolver — Golang malware is tough to reverse — obfuscators like Garble hide critical functions. GoResolver, Volexity’s open-source tool, uses control-flow graph similarity to recover hidden function names and reveal package structures automatically. Integrated with IDA Pro and Ghidra, it turns opaque binaries into readable code faster. Available now on GitHub.
• Matano — It is a serverless, cloud-native security data lake built for AWS, giving security teams full control over their logs without vendor lock-in. It normalizes unstructured security data in real time, integrates with 50+ sources out of the box, supports detections-as-code in Python, and transforms logs using powerful VRL scripting — all stored in open formats like Apache Iceberg and ECS. Query your data with tools like Athena or Snowflake, write real-time detections, and cut SIEM costs while keeping ownership of your security analytics.

🔒 Tip of the Week

Detecting Threats Early by Tracking First-Time Connections — Most attackers leave their first real clue not with malware, but when they log in for the first time — from a new IP, device, or location. Catching “first-time” access events is one of the fastest ways to spot breaches early, before attackers blend into daily traffic. Focus on critical systems: VPNs, admin portals, cloud dashboards, and service accounts.

You can automate this easily with free tools like Wazuh (detects new devices and IPs), OSQuery (queries unknown endpoints), or Graylog (builds alerts for unfamiliar connections). More advanced setups like Microsoft Sentinel or CrowdStrike Falcon Free also offer “first seen” detection at scale. Simple rules — like alerting when an admin account logs in from a new country or an unexpected device accesses sensitive data — can trigger early alarms without waiting for malware signatures.

Pro Move: Baseline your “known” users, IPs, and devices, then flag anything new. Bonus points if you combine this with honeytokens (fake credentials) to catch intruders actively probing your network. Remember: attackers can steal credentials, bypass MFA, or hide malware — but they can’t fake never having connected before.

Conclusion

In cybersecurity, the threats that worry us most often aren’t the loudest — they’re the ones we never see coming. A silent API flaw. A forgotten credential. A malware-laced package you installed last month without a second thought.

This week’s stories are a reminder: real risk lives in the blind spots.

Stay curious. Stay skeptical. Your next breach won’t knock first.