Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
Multiple sophisticated attack campaigns emerged this week, including cross-platform RATs distributed via fake Laravel packages, APT41-linked Silver Dragon targeting governments, and AI-assisted attacks hitting FortiGate devices across 55 countries. Certificate abuse and social engineering tactics continue enabling persistent enterprise access.
Multiple active attack campaigns including AI-driven FortiGate exploitation across 55 countries, APT41-linked operations, and widespread malware distribution through compromised certificates and supply chain attacks represent significant ongoing threats requiring immediate attention.
Security researchers have identified three malicious PHP packages on Packagist masquerading as legitimate Laravel utilities. The packages—nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger—collectively garnered 115 downloads while deploying a cross-platform remote access trojan capable of operating on Windows, macOS, and Linux systems.
The supply chain attack demonstrates continued threat actor interest in targeting developer ecosystems through trusted package repositories. Organizations using PHP dependency management should audit their package dependencies and implement verification processes for third-party components.
Check Point researchers have documented a new APT group dubbed Silver Dragon, linked to APT41 operations targeting government entities across Europe and Southeast Asia since mid-2024. The group employs dual initial access vectors: exploiting public-facing internet servers and delivering malicious attachments via phishing campaigns.
Silver Dragon leverages Cobalt Strike beacons with Google Drive as command-and-control infrastructure, demonstrating sophisticated operational security practices. The campaign's geographic scope and government targeting align with typical APT41 objectives, suggesting continued evolution of this threat actor's capabilities.
Team Cymru's analysis revealed that threat actors behind recent AI-driven attacks against Fortinet FortiGate appliances utilized CyberStrikeAI, an open-source AI-native security testing platform. The campaign, spanning 55 countries, represents a concerning evolution in automated vulnerability exploitation capabilities.
The use of legitimate security testing tools for malicious purposes highlights the dual-use nature of AI-powered offensive security platforms. Organizations should monitor for unusual authentication attempts and implement robust logging for internet-facing appliances.
Microsoft Security documented a campaign leveraging stolen Extended Validation (EV) certificates to sign malware impersonating workplace applications. The signed malware deploys legitimate remote monitoring and management (RMM) tools to establish persistent access within enterprise environments.
The campaign's use of valid certificates circumvents traditional signature-based detection mechanisms, emphasizing the need for behavioral monitoring and certificate validation controls. Organizations should implement certificate pinning where possible and monitor RMM tool deployments.
Huntress researchers identified a social engineering campaign affecting five partner organizations, where threat actors posed as fake IT support personnel. The attacks begin with spam emails followed by phone calls directing victims to install the Havoc command-and-control framework.
This campaign demonstrates the continued effectiveness of voice-based social engineering techniques combined with legitimate-appearing remote access tools. The Havoc framework serves as a precursor to data exfiltration or ransomware deployment, requiring immediate incident response when detected.
SANS Internet Storm Center documented another wave of XWorm malware distribution employing multi-technology delivery mechanisms. While XWorm remains a well-known malware family, threat actors continue refining distribution techniques to evade detection systems.
The evolving delivery methods underscore the importance of maintaining current threat intelligence and updating detection rules to account for new distribution vectors.
Security researchers observed increased brute force scanning activity targeting CrushFTP installations. The Java-based file transfer system has experienced multiple critical vulnerabilities, including CVE-2024-4040 (template injection leading to RCE), CVE-2025-31161 (authentication bypass), and the actively exploited zero-day CVE-2025-54309.
Organizations running CrushFTP should ensure all patches are applied and implement additional access controls to mitigate brute force attempts.
Microsoft published details for CVE-2025-58160, addressing a vulnerability where tracing log user input could result in log poisoning through ANSI escape sequences. While specific impact details remain limited, log integrity vulnerabilities can complicate incident response and forensic analysis.
Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates