Date: 2025-04-28

What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed.

This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground.

⚡ Threat of the Week

Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections.

🔔 Top News

Darcula Phishing Kit Gets GenAI Upgrade — The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities to facilitate phishing form generation in various languages, form field customization, and translation of phishing forms into local languages. The updates further lower the technical barrier for creating phishing pages, making it quick and easy for even a novice criminal to set up complex smishing scams. The Darcula PhaaS suite is user-friendly. All that an aspiring scammer needs to do is sign up for the Darcula service, enter a legitimate brand site, and the platform will generate a bespoke, spoofed phishing version. "Darcula is not just a phishing platform; it's a service model designed for scale," Netcraft said. "Users pay for access to a suite of tools that enable impersonation of organizations in nearly every country. Built using modern technologies like JavaScript frameworks, Docker, and Harbor, the infrastructure mirrors that of legitimate SaaS companies."

— Unknown threat actors have leveraged a novel approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. The sophisticated phishing attack bypassed email authentication checks and sought to trick email recipients into clicking on bogus links designed to harvest their Google Account credentials. Google has since plugged the attack pathway.

Lotus Panda Targets Southeast Asia With Sagerunex — The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. The activity has been found to employ DLL side-loading techniques to drop a backdoor named Sagerunex, as well as two credential stealers, ChromeKatz and CredentialKatz, that are equipped to siphon passwords and cookies stored in the Google Chrome web browser. In recent months, a cyber espionage campaign known as Operation Cobalt Whisper has targeted multiple industries in Hong Kong and Pakistan, including defense, education, environmental engineering, electrotechnical engineering, energy, cybersecurity, aviation and healthcare, with phishing emails that serve as a conduit to deliver Cobalt Strike. The Pakistan Navy has also been targeted by a likely nation-state adversary to distribute a stealthy infostealer called Sync-Scheduler to the targeted victims. While the tactics exhibited in the campaign overlap with those of SideWinder and Bitter APT, there is not enough evidence to link it to a specific threat actor. And that's not all. Chinese cybersecurity researchers were targeted by a Vietnamese threat group known as APT32 between mid-September and early October 2024 to deploy Cobalt Strike via trojanized GitHub projects.

🔥 Trending CVEs

Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2024-58136, CVE-2025-32432 (Craft CMS), CVE-2025-31324 (SAP NetWeaver), CVE-2025-27610 (Rack), CVE-2025-34028 (Commvault Command Center), CVE-2025-2567 (Lantronix Xport), CVE-2025-33028 (WinZip), CVE-2025-21204 (Microsoft Windows), CVE-2025-1021 (Synology DiskStation Manager), CVE-2025-0618 (FireEye EDR Agent), CVE-2025-1763 (GitLab), CVE-2025-32818 (SonicWall SonicOS), CVE-2025-3248 (Langflow), CVE-2025-21605 (Redis), CVE-2025-23249, CVE-2025-23250, and CVE-2025-23251 (NVIDIA NeMo Framework), CVE-2025-22228 (Spring Framework, NetApp), and CVE-2025-3935 (ScreenConnect).

📰 Around the Cyber World

Lumma Stealer Adopts New Tricks to Evade Detection — The information stealer known as Lumma, which has been advertised as a Malware-as-a-Service (MaaS) starting at $250 a month, is being distributed extensively using various methods such as pirated media, adult content, and cracked software sites, as well as fake Telegram channels for such content that redirect users to fraudulent CAPTCHA verifications. These leverage the ClickFix tactic to trick users into downloading and running the malware via PowerShell and MSHTA commands. The stealer, for its part, uses techniques like DLL side-loading and injecting the payload into the overlay section of free software to trigger a complex infection process. "The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events," Kaspersky said. "By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background." Lumma Stealer has remained an active threat since its debut in 2022, continually receiving updates to evade detection through features like code flow obfuscation, dynamic resolution of API functions during runtime, Heaven's Gate, and disabling ETWTi callbacks. It's also designed to detect virtual and sandbox environments. As of August 2023, the Lumma Stealer team had begun testing an AI-based feature to determine whether an infected user log is a bot or not. The widespread adoption of Lumma Stealer is also evidenced by the use of diverse infection vectors, which have leveraged the stealer to deliver additional payloads like Amadey. "The operators of LummaStealer run an internal marketplace on Telegram [...] where thousands of logs are bought and sold daily," Cybereason said. "They also include features like a rating system to encourage quality sellers, advanced search options for both passwords and cookies, and a wide price range. Coupled with 24/7 support, the marketplace aims to provide a seamless experience for anyone trading stolen data, reflecting a trend seen across various Telegram and darknet-based stealer communities." According to data from IBM X-Force, there was an 84% weekly average increase in infostealers delivered via phishing emails last year, compared to 2023.
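The "overlay" Kaspersky refers to is data appended after the end of the last PE section's raw data, so a triage check is to parse the section table and measure what lies beyond it. The following Python snippet is an added example, not code from the article or from any vendor: `find_overlay` does that measurement and reports the overlay's entropy, and `build_pe` constructs a toy PE32 file (not a real sample) to run it against.

```python
import math
import struct

SECTION_HEADER_LEN = 40  # sizeof(IMAGE_SECTION_HEADER)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8.0 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))


def find_overlay(pe: bytes) -> dict:
    """Return where the section data ends and how much trailing data (overlay) follows it."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData live at offsets 16 and 20 of each header
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + i * SECTION_HEADER_LEN + 16)
        end = max(end, ptr_raw + size_raw)
    overlay = pe[end:] if len(pe) > end else b""
    return {"end_of_sections": end, "overlay_size": len(overlay),
            "overlay_entropy": shannon_entropy(overlay)}


def build_pe(text: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 with a single .text section, optionally followed by an overlay."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (opt_size - 2)  # PE32 magic, remaining fields zeroed
    raw_ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_LEN
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + optional + section + text + overlay


if __name__ == "__main__":
    print(find_overlay(build_pe(b"\x90" * 16)))                 # no overlay
    print(find_overlay(build_pe(b"\x90" * 16, b"EVIL" * 8)))    # 32-byte overlay
```

An overlay is a signal, not a verdict: installers, self-extracting archives and Authenticode signatures legitimately live past the last section, so pair the size and entropy with the file's signature status and known-good hashes before escalating.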

— A flaw in SSL.com's domain control validation (DCV) process could have allowed attackers to bypass verification and issue fraudulent SSL certificates for any domain linked to certain email providers such as aliyun[.]com. A total of 11 certificates are said to have been issued in this manner.

Asian Scam Operations Expand Globally — The United Nations Office on Drugs and Crime (UNODC) has revealed that scam centers run by East and Southeast Asian organized crime gangs have spread like a "cancer" in response to law enforcement efforts, resulting in a global expansion. Nigeria, Zambia, Angola, Brazil, and Peru are some of the new spillover sites to which Asian-led groups have migrated. "The dispersal of these sophisticated criminal networks within areas of weakest governance has attracted new players, benefited from and fueled corruption, and enabled the illicit industry to continue to scale and consolidate, culminating in hundreds of industrial-scale scam centres generating just under US $40 billion in annual profits," the UNODC said.

🎥 Cybersecurity Webinars

AI-Powered Impersonation Is Beating MFA—Here's How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action.

Smart AI Agents Need Smarter Security—Here's How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way.

🔧 Cybersecurity Tools

Varalyze — A unified threat intelligence toolkit that connects data from sources like AbuseIPDB, VirusTotal, and URLScan to streamline threat analysis. It automates intel gathering, speeds up triage, and generates clear, actionable reports — all in one simple, Python-powered platform.

Cookiecrumbler — Tired of cookie pop-ups interrupting your browsing or breaking site functionality? Cookiecrumbler is a smart tool designed to automatically detect and analyze cookie consent notices on websites. Whether you're debugging web compatibility issues or identifying cookie banners that slip past existing blockers, Cookiecrumbler helps you spot them fast. It works as a web app, can run local crawls, and even integrates with other systems — no deep technical skills needed.

Eyeballer — A tool for penetration testers that analyzes large batches of website screenshots to quickly identify high-value targets like login pages, outdated sites, and active web apps. Instead of wasting time on parked domains or harmless 404s, Eyeballer helps you focus on what's likely vulnerable, speeding up triage in wide-scope network tests. Just feed in your screenshots and let Eyeballer highlight what matters.

🔒 Tip of the Week

Don't Let Video Calls Become Backdoors — Attackers are now using fake meeting invites to trick people into giving them remote access during video calls. They set up fake interviews or business meetings, then request screen control — sometimes even changing their name to "Zoom" to make it look like a system message. If you click "Allow" without thinking, they can take over your computer, steal data, or install malware.

To stay safe, disable remote control features if you don't need them. On Zoom, turn it off in Settings under "In Meeting (Basic)." Always double-check who's asking for access, and never approve control just because it looks official. Use browser-based tools like Google Meet when possible — they're safer because they can't easily take control of your system.

For extra protection, Mac users can block Zoom (or any app) from getting special permissions like "Accessibility," which is needed for remote control. IT teams can also set this up across all company devices. And watch out for invites from odd emails or links — real companies won't use personal accounts or fake booking pages. Stay alert, and don't let a simple click turn into a big problem.

Conclusion

The most effective defenses often start with asking better questions. Are your systems behaving in ways you truly understand? How might attackers use your trusted tools against you?

Now is the time to explore security beyond technology — look into how your team handles trust, communication, and unusual behavior. Map out where human judgment meets automation, and where attackers might find blind spots.

Curiosity isn't just for research — it's a powerful shield when used to challenge assumptions and uncover hidden risks.