Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

Microsoft Patches Actively Exploited Zero-Day Vulnerability

16-Jun-2025
Label: Vulnerability
Threat Level: Medium

Microsoft has released a security update to patch CVE-2025-33053, a high-severity zero-day vulnerability in Microsoft Windows Web Distributed Authoring and Versioning (WebDAV). The flaw is a remote code execution vulnerability that allows attackers to execute arbitrary code by tricking users into clicking specially crafted WebDAV URLs.

CVE-2025-33053, which carries a CVSS score of 8.8, was exploited by the APT group “Stealth Falcon” in a March 2025 attack targeting a defense company in Turkey. The attackers leveraged a new technique that manipulates a legitimate Windows tool’s working directory so that it executes malicious files hosted on their controlled WebDAV server. Users and organizations are strongly advised to ensure their browsers are fully updated and that automatic updates are enabled to minimize exposure to this actively exploited threat.

Qilin Ransomware Exploiting Fortinet Vulnerabilities for Initial Access

16-Jun-2025
Label: Ransomware
Threat Level: Medium

Threat intelligence researchers have identified a new campaign by the Qilin ransomware group targeting Fortinet devices to gain initial access and execute ransomware operations. Active since 2022, Qilin operates a Ransomware-as-a-Service (RaaS) model and is responsible for over 310 known attacks. High-profile victims include Court Services Victoria, Yangfeng, Lee Enterprises, and London-based NHS hospitals—highlighting the operation’s reach and impact. This latest campaign, observed between May and June 2025, reportedly targets multiple organizations in Spanish-speaking countries, with potential global expansion expected.

The campaign exploits several FortiGate vulnerabilities, including CVE-2024-21762 and CVE-2024-55591, which enable attackers to bypass authentication and remotely execute malicious code on unpatched devices. These intrusions are partially automated and serve as the initial access vector for broader ransomware deployment.

Ransomware Group Dissolution Fails to Stop Affiliate Operations

16-Jun-2025
Label: Trend
Threat Level: Medium

Despite the collapse of a major Russian-speaking ransomware-as-a-service group in February 2025 following leaked internal communications, former affiliates continue leveraging established attack methods to target organizations worldwide. The persistent threat demonstrates how cybercriminal networks adapt and survive organizational disruption, with over 35% of similar attacks observed in April 2025 maintaining the group’s signature tactics. Financial and manufacturing sectors face continued exposure to social engineering campaigns that bypass traditional security measures, particularly through Microsoft Teams phishing and advanced payload delivery mechanisms that challenge conventional detection methods.

The evolved attack methodology combines mass email spam campaigns with Microsoft Teams phishing operations, primarily utilizing onmicrosoft.com domains in approximately 50% of observed incidents. Attackers initiate contact through these channels before manipulating victims into establishing remote sessions via legitimate tools like Quick Assist and AnyDesk. Once access is gained, threat actors deploy Python-based payloads through a sophisticated delivery mechanism involving cURL requests to download malicious markdown files, which are subsequently executed as Python scripts for command-and-control communications. Former group members have likely migrated to successor organizations, ensuring the continuation of these refined techniques across multiple threat groups. This evolution represents a significant shift in ransomware operations, where organizational dissolution merely redistributes expertise rather than eliminating the underlying threat landscape.

Anubis Ransomware: Emerging Dual-Threat Operation with Wiper Capabilities

16-Jun-2025
Label: Ransomware
Threat Level: Medium

A newly identified Ransomware-as-a-Service (RaaS) group, Anubis, has emerged with a destructive twist on traditional ransomware. Active since late 2024, Anubis blends standard encryption tactics with file-wiping functionality designed to permanently destroy victim data, even if the ransom is paid. This “wipe mode” significantly raises the stakes of victim coercion and data loss. Operating under a flexible affiliate model, Anubis has already listed victims across the healthcare, engineering, and construction sectors in Australia, Canada, Peru, and the U.S.

Anubis’s attack chain begins with phishing emails and involves command-line execution, privilege escalation using access tokens, and deletion of shadow copies to inhibit recovery. It employs ECIES encryption and a wiper module that zeroes file contents when invoked with a dedicated parameter. Defense evasion techniques include the use of valid credentials, and the malware can terminate services and drop ransom notes as part of a double-extortion scheme. These features highlight a technically advanced and evolving threat actor capable of inflicting both operational and reputational damage.

GrayAlpha Threat Actor Deploys Advanced Infection Vectors

16-Jun-2025
Label: Threat Advisory
Threat Level: Medium

GrayAlpha, a financially motivated cybercriminal group linked closely to FIN7, employs diverse infection methods to compromise systems across multiple industries. Known for their persistence and technical expertise, they operate much like a professional organization, with compartmentalized teams managing various aspects of their operations. Their activities primarily target the retail, hospitality, and financial sectors, focusing on payment card theft and unauthorized network access. The group poses significant risks globally, leveraging advanced techniques to bypass security measures and infiltrate critical systems.

Security researchers have identified three primary infection tactics used by GrayAlpha: fake browser update pages mimicking legitimate applications like Google Meet, malicious download sites disguised as legitimate file archiving tools, and the exploitation of a previously unlinked traffic distribution system network. Victims are often redirected to these deceptive websites through malvertising or compromised platforms, where fingerprinting scripts collect system details before deploying malicious payloads. Their custom PowerShell loaders, PowerNet and MaskBat, execute sophisticated sandbox evasion techniques, deploy NetSupport RAT, and rely on resilient infrastructure such as bulletproof hosting providers and distributed command-and-control servers to ensure operational security.

Fog Ransomware Blurs the Line Between Crime and Espionage

02-Jun-2025
Label: Ransomware
Threat Level: Medium

The Fog ransomware group has demonstrated advanced tactics that extend beyond standard encryption attacks, raising concerns of potential espionage masked as financially motivated activity. Their campaigns often begin by exploiting compromised VPN credentials or vulnerabilities in backup software like Veeam and SSL VPN endpoints. Once inside, the attackers use pass-the-hash techniques to escalate privileges and disable defenses such as Windows Defender. A notable feature of their toolkit is the use of Syteca—legitimate employee monitoring software—to record screen activity and keystrokes, enabling credential harvesting. This tool is delivered via the open-source proxy Stowaway and executed using SMBExec from the Impacket suite, reflecting the group’s preference for dual-use software.

What sets Fog apart is its unusual post-encryption persistence strategy, with attackers deploying services days after initial compromise to maintain access. The group uses GC2, a rare post-exploitation framework that communicates via Google Sheets or SharePoint, and Adaptix—an open-source C2 tool—for continued command and control. Additional tools include Process Watchdog for monitoring, and data exfiltration utilities such as MegaSync, FreeFileSync, and 7-Zip. This combination of legitimate, open-source, and evasive tools reflects a sophisticated and persistent threat actor that appears to operate with motives extending beyond immediate financial gain.