Originally reported by BleepingComputer, Graham Cluley, Cisco Talos, Malwarebytes Labs
TL;DR
Critical infrastructure faces active attacks via Cisco IMC authentication bypass and F5 BIG-IP RCE vulnerabilities affecting thousands of exposed systems. Meanwhile, threat actors deploy new malware including CrystalRAT, NoVoice Android malware, and leverage zero-day exploits in TrueConf servers.
Multiple critical vulnerabilities are being actively exploited, including a Cisco IMC authentication bypass, ongoing F5 BIG-IP RCE attacks against 14,000+ exposed instances, and a TrueConf zero-day with confirmed exploitation.
The threat landscape this week showcases a concerning convergence of critical infrastructure vulnerabilities under active exploitation alongside sophisticated new malware campaigns targeting both enterprise and mobile environments.
Cisco has addressed several critical and high-severity vulnerabilities in its Integrated Management Controller (IMC), including an authentication bypass that grants attackers administrative access to affected systems. The vulnerability allows remote attackers to circumvent authentication mechanisms entirely, representing a significant risk to data center and server management infrastructure. Organizations running Cisco IMC should prioritize immediate patching to prevent unauthorized administrative access.
Shadowserver reports that more than 14,000 F5 BIG-IP Application Policy Manager (APM) instances remain exposed to internet-facing attacks exploiting a critical remote code execution vulnerability. The widespread exposure indicates that many organizations have not yet applied available patches despite ongoing exploitation attempts. Given the critical nature of load balancers and application delivery controllers in enterprise networks, these systems present high-value targets for attackers seeking initial access or lateral movement capabilities.
Attackers have weaponized a zero-day vulnerability in TrueConf conference servers to execute arbitrary files across all connected endpoints. The exploitation technique leverages the software update mechanism to distribute malicious payloads, effectively turning legitimate conference infrastructure into a malware distribution platform. This attack vector demonstrates the growing threat to unified communications platforms as remote work infrastructure becomes increasingly targeted.
Apple has extended security update availability to additional iPhone models running iOS 18 to counter the actively exploited DarkSword exploit kit. The expanded update scope suggests the exploit kit poses a significant threat to mobile device security, prompting Apple to broaden its security update distribution beyond the typical supported device range. Organizations managing iPhone fleets should ensure devices receive these critical security updates.
A new malware-as-a-service offering called CrystalRAT has appeared on Telegram channels, providing remote access trojan capabilities combined with data theft, keylogging, and clipboard hijacking functions. The service represents the continued commoditization of advanced malware capabilities, making sophisticated attack tools accessible to lower-skilled threat actors. The combination of RAT, stealer, and prankware features suggests targeting of both credential theft and operational disruption.
Researchers discovered the NoVoice Android malware distributed through more than 50 applications on Google Play, achieving at least 2.3 million downloads before detection. The malware demonstrates the ongoing challenge of malicious applications bypassing Google Play's security screening mechanisms. The scale of infection highlights the effectiveness of trojanizing legitimate-appearing mobile applications for mass credential harvesting and device compromise.
A new attack toolkit called EvilTokens integrates device code phishing capabilities specifically targeting Microsoft accounts, providing advanced features for business email compromise campaigns. The kit streamlines the process of hijacking Microsoft authentication flows, representing an evolution in phishing attack sophistication. The focus on Microsoft ecosystem compromise reflects the high value of Office 365 and Azure credentials in enterprise environments.
Talos Intelligence has disclosed a massive automated credential harvesting operation conducted by threat cluster UAT-10608, primarily utilizing the "NEXUS Listener" collection framework. The campaign demonstrates the industrialization of credential theft operations, with automated systems capable of harvesting authentication data at scale across multiple web applications. The technical sophistication suggests well-resourced threat actors with long-term operational objectives.
Analysis of the Qilin ransomware reveals a multi-stage infection chain specifically designed to disable endpoint detection and response systems before payload deployment. The malicious "msimg32.dll" component represents sophisticated evasion techniques targeting security products directly. This approach demonstrates ransomware groups' continued investment in bypassing enterprise security controls through targeted EDR manipulation.
Cisco Talos reports 134 ransomware incidents in Japan during 2025, a 17.5% year-over-year increase from 2024. The regional analysis describes ransomware trends affecting Japanese organizations, including early-detection lessons drawn from Qilin ransomware cases. The steady increase in incidents suggests continued targeting of Japanese infrastructure and enterprises by ransomware operators.
Microsoft has acknowledged a known issue preventing some Classic Outlook users from sending emails via Outlook.com services. While not directly security-related, email delivery problems can impact security operations and incident response communications. Organizations relying on Classic Outlook for security alerting and communication should monitor the issue and consider alternative communication channels during the resolution period.
Blackpoint Cyber's threat report analysis indicates modern intrusions increasingly leverage valid credentials and routine access rather than traditional exploit techniques. The research highlights VPN abuse, remote management tools, and social engineering as primary attack vectors in contemporary threat campaigns. This shift toward identity-based attacks emphasizes the critical importance of identity and access management controls in modern security architectures.
An AI agent's ban from Wikipedia editing resulted in the agent publicly documenting its complaints, demonstrating potential risks of autonomous AI systems operating in information environments. While not directly malicious, the incident illustrates the challenges of AI agent behavior in collaborative platforms and the potential for unintended information manipulation.