Threat Alerts

A sophisticated cybersecurity threat has emerged, combining social engineering via Microsoft Teams with a previously undocumented persistence technique. This attack campaign targets executives and high-privilege employees in various sectors, potentially leading to ransomware deployment. The attack represents a significant evolution in threat tactics, introducing the first observed case of TypeLib COM hijacking in the wild, making it particularly dangerous due to its ability to evade detection.

The attack begins with precisely timed phishing messages sent through Microsoft Teams, masquerading as IT support personnel. These messages specifically target executives during the post-lunch period when vigilance may be lower. After establishing trust, attackers leverage Windows Quick Assist to gain remote access, blending into legitimate IT workflows. The novel aspect of this attack is the TypeLib hijacking technique that modifies registry entries to download and execute malware whenever certain COM objects are accessed by Windows processes. The payload consists of heavily obfuscated JScript and PowerShell code that creates a unique beaconing URL based on the victim’s hard drive serial number, establishes command and control communication, and reports success to a Telegram bot. Evidence suggests the attackers may be Russian-speaking, with possible connections to groups known for distributing ransomware, though the specific attribution remains uncertain.

A complex phishing campaign demonstrates how attackers are using increasingly sophisticated methods to deliver malware. The campaign utilizes a multi-layered attack chain to distribute well-known malware including Agent Tesla, Remcos RAT, and XLoader. By combining various scripting languages, execution paths, and deceptive social engineering tactics, the attackers effectively evade detection systems and traditional security measures

The attack begins with phishing emails disguised as payment confirmations or order requests that contain malicious attachments. These attachments typically include a .7z file with a JavaScript Encoded (.jse) file designed to look like a legitimate document. When executed, this initial script downloads and launches a PowerShell script containing a Base64-encoded payload. From there, the infection chain branches into two possible paths: one using .NET-compiled executables that inject payloads into RegAsm.exe, and another using AutoIt-compiled droppers that inject shellcode into RegSvcs.exe. Both paths ultimately lead to the execution of information-stealing malware capable of harvesting credentials, clipboard data, and keystrokes. The campaign’s success relies not on heavy obfuscation but on its multi-layered approach, which helps it avoid detection by signature-based tools and traditional sandboxes.

Fortinet has issued patches for a high-severity vulnerability affecting multiple versions of its FortiSwitch product line. Tracked as CVE-2024-48887 (CVSS 8.1), the flaw allows unauthenticated attackers to change administrator passwords remotely without user interaction.

The vulnerability exists in the FortiSwitch web GUI, where the set_password endpoint can be exploited via a specially crafted request. If successfully exploited, this flaw grants remote attackers the ability to gain control over affected devices by resetting admin credentials. Fortinet confirmed the issue stems from unverified password changes (CWE-620) and impacts versions ranging from 6.4.0 to 7.6.0.

Phishing campaigns are increasingly adopting precision-validated tactics, where fake login pages are displayed only to pre-verified email addresses. This selective targeting helps attackers evade detection by hiding malicious content from security tools, researchers, and untargeted users—extending the campaign’s longevity and effectiveness.

Validation typically occurs in two ways: by integrating third-party email verification services through API calls, or by using custom JavaScript that checks user input against a list of harvested email addresses stored on attacker-controlled servers. If an unlisted address is entered, the page either redirects to a legitimate site or returns an error message, concealing the phishing elements entirely. In some cases, attackers send verification codes to targeted victims, requiring them to input the code before proceeding—mimicking legitimate authentication flows and making the phishing page appear more credible.

Microsoft’s April 2025 Patch Tuesday update delivers fixes for 134 vulnerabilities, including 11 critical-rated issues and one actively exploited zero-day. The most serious among them is CVE-2025-29824, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, which has been exploited in the wild by the Storm-2460 ransomware group through the PipeMagic campaign. This zero-day vulnerability has a CVSS score of 7.8 and allows attackers to gain SYSTEM-level access.

The critical vulnerabilities addressed include CVE-2025-26663 (CVSS 8.8) and CVE-2025-26670 (CVSS 8.1), both remote code execution (RCE) flaws in Windows LDAP and the LDAP Client, respectively, which exploit race conditions via specially crafted requests. Microsoft also patched CVE-2025-27480 and CVE-2025-27482, both CVSS 9.8, which are RCE vulnerabilities in Windows Remote Desktop Services that can be triggered without authentication on systems using Remote Desktop Gateway.

A series of critical RCE vulnerabilities in Microsoft Office—CVE-2025-27745 (CVSS 8.8), CVE-2025-27748 (CVSS 8.3), CVE-2025-27749 (CVSS 8.5), CVE-2025-27752 (CVSS 8.3), and CVE-2025-29791 (CVSS 8.1)—were also addressed. These flaws involve memory corruption, heap overflows, and use-after-free errors, and they require user interaction, such as opening a malicious file, to be exploited. Additionally, CVE-2025-26686 (CVSS 9.0), a critical RCE vulnerability in the Windows TCP/IP stack, could allow attackers to run arbitrary code through crafted packets. Lastly, CVE-2025-27491 (CVSS 8.7) fixes a critical RCE issue in Windows Hyper-V, which could let a guest OS execute code on the host system.

Given the active exploitation of CVE-2025-29824 and the high severity of several critical vulnerabilities, organizations are strongly advised to prioritize patching to reduce the risk of exploitation and potential compromise.

A recent cyberattack campaign has been exploiting Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 instances to extract sensitive metadata, including Identity and Access Management (IAM) credentials, from the Instance Metadata Service v1 (IMDSv1). By leveraging these SSRF flaws, attackers can trick vulnerable servers into making internal HTTP requests, enabling them to access the EC2 metadata endpoint. This endpoint provides information about the virtual machine, including configuration details and potentially security credentials. With access to IAM credentials, attackers can escalate privileges, access S3 buckets, or control other AWS services, leading to data exposure, manipulation, and service disruption.

The campaign, identified by F5 Labs researchers, was active between March 13 and 25, 2025, and is believed to have been conducted by a single threat actor based on traffic and behavioral patterns. The exploitation of SSRF vulnerabilities in EC2-hosted websites underscores the importance of securing web applications against such flaws. Organizations are advised to audit their applications for SSRF vulnerabilities, implement proper input validation, and consider upgrading to IMDSv2, which provides enhanced security features to mitigate such attacks.