Cyber Security Week in Review: March 14, 2025

Microsoft, Apple release security updates to address multiple high-risk bugs, including zero-days

Microsoft's March 2025 Patch Tuesday release addressed over 50 vulnerabilities, including six critical zero-day flaws actively exploited in the wild. The six zero-days are:

  • CVE-2025-24983: A Windows Win32 Kernel Subsystem Use-After-Free (UAF) vulnerability, which allows local attackers to elevate privileges and execute arbitrary code. The flaw has been exploited by cybercriminals to install the PipeMagic backdoor, targeting entities in Asia and Saudi Arabia via a fake OpenAI ChatGPT application.

  • CVE-2025-24984: A Windows NTFS Information Disclosure vulnerability that can be exploited with physical access to the device via a malicious USB drive.

  • CVE-2025-24985: An integer overflow in the Windows Fast FAT file system driver, potentially allowing arbitrary code execution.

  • CVE-2025-24991: A Windows NTFS Out-of-Bounds Read vulnerability, leading to potential local information disclosure.

  • CVE-2025-24993: A Windows NTFS Heap-Based Buffer Overflow, allowing attackers to execute code with elevated privileges.

  • CVE-2025-26633: A Microsoft Management Console vulnerability that could allow attackers to bypass security and gain unauthorized access.

The vulnerabilities primarily affect older Windows versions, including Windows 8.1 and Server 2012 R2, but do not impact more recent systems like Windows 11.

Apple has also released urgent security updates to address a critical zero-day vulnerability that the company warns has been actively exploited in “extremely sophisticated” attacks. The bug, tracked as CVE-2025-24201, resides in WebKit, the cross-platform web browser engine used by Apple's Safari browser as well as several other apps and web browsers across macOS, iOS, Linux, and Windows.

The vulnerability could be exploited by attackers to break out of WebKit's Web Content sandbox by using maliciously crafted web content. This would allow the attackers to potentially gain unauthorized access and execute harmful actions within the system. Apple acknowledged that the flaw has already been leveraged in targeted attacks aimed at specific individuals running versions of iOS prior to iOS 17.2.

Threat intelligence firm GreyNoise has warned that a critical PHP vulnerability affecting Windows systems is being mass-exploited by threat actors. Tracked as CVE-2024-4577, the flaw impacts Windows installations of PHP running in CGI (Common Gateway Interface) mode. If successfully exploited, attackers can execute arbitrary code, leading to full system compromise. In a separate report, the firm said it observed at least 400 IPs actively exploiting multiple SSRF CVEs simultaneously.

Elsewhere, Taiwan-based networking solutions provider Edimax has issued a security advisory acknowledging a vulnerability in one of its legacy camera models, the Edimax IC-7100. However, the company said that no security patches or firmware updates will be released because the model was discontinued more than ten years ago and is no longer supported with technical assistance or firmware updates. The vulnerability, tracked as CVE-2025-1316, was discovered by researchers at Akamai, who said that the flaw is being actively exploited by several Mirai-based botnets.

This week’s additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog include CVE-2025-24201 (Apple WebKit), CVE-2025-21590 (Junos OS, details further below), the Windows zero-days mentioned above, CVE-2024-57968 (Advantive VeraCore), CVE-2025-25181 (Advantive VeraCore), and CVE-2024-13159, CVE-2024-13160 and CVE-2024-13161 (Ivanti Endpoint Manager (EPM)).

Also, Moxa, a Taiwanese company specializing in industrial networking solutions, has released a patch addressing CVE-2024-12297, a flaw in its PT switches that could allow attackers to bypass authentication protections.

New Ballista botnet targets unpatched TP-Link Archer routers

A new botnet, dubbed ‘Ballista,’ has begun exploiting unpatched TP-Link Archer routers, according to a report from Cato CTRL. The vulnerability (CVE-2023-1389), which was first disclosed in 2023, allows attackers to execute arbitrary commands on affected routers. The earliest known exploitation of the CVE-2023-1389 vulnerability dates back to April 2023. Since then, the flaw has been abused by threat actors to drop malware, including Mirai botnet payloads, and later additional malware families such as Condi and AndroxGh0st.

China-nexus hackers UNC3886 target Juniper MX routers with custom backdoors

A China-linked cyberespionage group, tracked as UNC3886, has been targeting Juniper Networks’ end-of-life MX routers running Junos OS with customized malware known as TINYSHELL. First identified in mid-2024, the campaign focuses on the defense, telecommunications, and technology sectors in the US and Asia. The malware includes both active and passive backdoor functions, enabling the group to maintain persistent access. UNC3886 gained access by exploiting legitimate credentials and bypassing security mechanisms, including Veriexec protection. The group injected malicious code into a legitimate process on the router, exploiting a vulnerability tracked as CVE-2025-21590. Six distinct variants of TINYSHELL were found, all designed to exploit the specific vulnerabilities of Juniper’s MX routers.

Separately, Aqua Nautilus researchers have uncovered a new multi-stage attack campaign targeting interactive computing environments like Jupyter Notebooks. The attack begins with the download of a compressed file from a remote server, which, once executed, deploys malicious tools to exploit the server and maintain persistence. The attackers initially gained access through an unauthenticated JupyterLab instance, enabling them to deploy malware and cryptominers.

SuperBlack ransomware operation exploits recent Fortinet flaws

Researchers have spotted a new ransomware group, tracked as Mora_001 and suspected to be linked to the LockBit ransomware gang, which began its series of attacks in January. The group exploited two Fortinet vulnerabilities, CVE-2024-55591 and CVE-2025-24472, both authentication bypass flaws disclosed in January. Initially, the attackers gained access to victim environments, escalated privileges, and created disguised admin accounts to maintain persistence. They then deployed a new ransomware variant called SuperBlack. In cases where VPN capabilities were absent, the attackers used the compromised credentials to target other firewalls, leveraging high availability (HA) features to propagate the attack across clustered devices.

In related news, a joint advisory from US cybersecurity agencies has warned that the Medusa ransomware operation has affected over 300 victims across various critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. This ransomware-as-a-service (RaaS), first seen in June 2021, uses a double extortion model that involves encrypting data and threatening to release stolen information unless a ransom is paid.

Medusa threat actors gain access through phishing and exploiting unpatched software vulnerabilities like ScreenConnect's authentication bypass (CVE-2024-1709) and Fortinet EMS SQL injection (CVE-2023-48788). Once inside, they use legitimate tools like PowerShell and Windows Management Instrumentation (WMI) to evade detection, move laterally, and deploy encryption payloads. It should be noted that Medusa ransomware is unrelated to MedusaLocker or Medusa mobile malware.

New North Korea-linked Android spyware KoSpy targets Korean and English-speaking users

Lookout Threat Lab researchers have discovered a new Android surveillance tool called KoSpy, believed to target Korean and English-speaking users. Attributed with medium confidence to the North Korean APT group ScarCruft (APT37), KoSpy has been active since March 2022, with recent variants found in March 2024. The spyware is distributed through fake utility apps, such as ‘File Manager’ and ‘Kakao Security,’ and can collect sensitive information from infected devices, including SMS, call logs, location data, files, audio recordings, screenshots, keystrokes, Wi-Fi details, and installed apps.

Chinese hackers Volt Typhoon lurked for nearly a year in systems of US utility company

Chinese hackers linked to the notorious Volt Typhoon cyber espionage campaign infiltrated the systems of a major utility company in Littleton, Massachusetts, and remained inside for nearly a year. The breach is believed to be part of a broader cyberespionage effort by China’s government targeting US critical infrastructure.

Blind Eagle APT targeting Colombian entities in ongoing espionage campaign

Check Point Research has observed a series of ongoing cyberattacks targeting Colombian institutions and government entities, attributed to the South American cyber threat group Blind Eagle (APT-C-36). In this recent campaign, the group is exploiting CVE-2024-43451, a vulnerability that exposes a user's NTLMv2 hash, allowing attackers to authenticate as the user through pass-the-hash or relay attacks.

Also, Trustwave released a deep dive into Russian state-backed actors and their operations.

New malware operation 'Phantom Goblin' distributes info-stealers

Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated campaign dubbed ‘Phantom Goblin’, which uses social engineering methods to distribute information-stealing malware.

Microsoft has detected an ongoing phishing campaign impersonating Booking.com to deliver credential-stealing malware via a social engineering technique called ClickFix. The campaign, known as Storm-1865, began in December 2024 and primarily targets individuals in hospitality organizations across regions including North America, Oceania, South and Southeast Asia, and Europe, with fake emails that appear to come from Booking.com.

A separate report from Microsoft details a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects.

SquareX's research team has uncovered a new attack that allows malicious browser extensions to impersonate legitimate extensions installed on victims' browsers, leading to potential account hijacking, data theft, and financial loss.

The polymorphic extension attack, which affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others, takes advantage of the way users typically rely on visual cues, such as extension icons, to interact with browser tools. According to SquareX, the malicious extensions create a pixel-perfect replica of the target extension’s icon, HTML popup, and workflows, even going so far as to temporarily disable the legitimate extension, making it nearly impossible for the victim to distinguish between the two.

A new malware campaign, dubbed OBSCURE#BAT by Securonix, has been observed using social engineering tactics to distribute an open-source rootkit called r77. This rootkit allows attackers to maintain persistence and avoid detection on infected systems. It can hide files, registry keys, or tasks whose names start with a specific prefix. The campaign targets users through fake software downloads or CAPTCHA-based social engineering scams.

A report from CyberArk shares details of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker.

Former software developer sabotaged employer’s systems with malware

Davis Lu, a former software developer at Eaton Corporation, was convicted of sabotaging the company’s computer systems after being demoted in 2018. He deployed custom malware that caused a server crash and installed a "kill switch" that locked out thousands of employees after his termination. The sabotage significantly disrupted the company's operations and network infrastructure.

LockBit ransomware developer extradited to the US

Rostislav Panev, a dual Russian and Israeli national, was extradited to the US on charges of being a developer for the LockBit ransomware group. Arrested in Israel in August 2024, Panev allegedly helped develop and maintain LockBit’s malware from 2019 to 2024. The group attacked over 2,500 victims in 120 countries, extorting at least $500 million in ransom and causing billions in damages. Panev’s role involved coding and maintaining LockBit malware, including tools to disable antivirus software and deploy malware across victim networks. Evidence found on his computer linked him to the group’s infrastructure and communication with its primary administrator. Panev admitted to receiving regular cryptocurrency payments for his work with LockBit.

UK’s National Crime Agency (NCA) officer, Paul Chowles, has been charged with 15 offenses following the alleged theft of nearly £60,000 worth of Bitcoin during an investigation into online organized crime. The incident involved the theft of 50 Bitcoin in 2017, which was valued at approximately £60,000 at the time. Chowles, 42, from Bristol, faces 11 charges related to concealing or converting criminal property, three charges for acquiring or possessing criminal property, and one charge of theft.
