- Mycomputerspot Security Newsletter
Cybersecurity Threats and Trends - 02/20/2025
MacOS under fire and your printer can hand over your credentials.
1. New Backdoor Uses Telegram for C2 Communication
Primary Threat: A new Golang-based backdoor is abusing Telegram as a command-and-control (C2) channel, allowing attackers to execute remote commands, exfiltrate data, and maintain persistence on infected machines. Netskope researchers report that attackers leverage Telegram bot APIs to evade detection and bypass traditional network defenses.
Risk: Unauthorized remote access, data exfiltration, and persistent compromise.
Detection Tips:
Monitor for unusual Telegram-related network traffic in enterprise environments.
Flag unauthorized Golang binaries running on endpoints.
Block suspicious bot API calls from untrusted devices.
2. Microsoft Uncovers New XCSSET macOS Malware Variant
Primary Threat: A new variant of XCSSET, a long-standing macOS malware, is actively targeting Apple users. Microsoft’s Threat Intelligence warns that this strain exploits vulnerabilities to bypass macOS security measures, steal credentials, and inject malicious code into legitimate applications. This updated version is capable of evading Gatekeeper and XProtect, Apple’s built-in defenses.
Risk: Credential theft, unauthorized system modifications, and malware persistence.
Detection Tips:
Monitor for unusual system modifications and execution of unsigned binaries.
Detect and block network traffic to known XCSSET C2 servers.
Enforce strict macOS security policies and keep systems updated.
3. Xerox Printer Flaws Allow RCE and Data Theft
Primary Threat: Critical vulnerabilities in Xerox VersaLink C7025 printers could allow attackers to steal credentials, execute arbitrary code, and manipulate print jobs remotely. Rapid7’s security analysis details how attackers can exploit these flaws to gain unauthorized administrative access.
Risk: Network compromise, unauthorized data access, and system takeover.
Detection Tips:
Apply Xerox’s security patches immediately to affected printer models.
Restrict printer access to internal networks and disable remote administration.
Monitor for suspicious print job manipulations or configuration changes.
Did you know...?
Using legitimate Windows processes for malicious execution—like Mavinject.exe—is a common living-off-the-land (LOTL) tactic. This approach allows attackers to blend in with normal system activity, making it harder to detect malicious operations. LOTL techniques were famously used by APT33 (Elfin) and FIN7 in past cyber campaigns.
4. Juniper Smart Routers Vulnerable to Authentication Bypass
Primary Threat: A newly disclosed authentication bypass vulnerability (CVE-2025-21589) in Juniper Session Smart Routers could allow attackers to gain unauthorized administrative access. Juniper’s security bulletin warns that exploiting this flaw requires minimal effort, making it a high-priority concern.
Risk: Full system compromise, unauthorized configuration changes, and potential network takeover.
Detection Tips:
Immediately apply Juniper’s security updates to all affected routers.
Monitor for unexpected configuration changes or unauthorized logins.
Restrict API access and enforce multi-factor authentication (MFA) for administrative logins.
5. FrigidStealer Targets macOS Users via Fake Software Updates
Primary Threat: A new macOS malware strain called FrigidStealer is being spread through fake software updates. Proofpoint researchers warn that FrigidStealer is capable of exfiltrating credentials, financial information, and browser session tokens, allowing attackers to hijack accounts.
Risk: Financial fraud, account takeovers, and persistent credential theft.
Detection Tips:
Block unauthorized update prompts from third-party sources.
Monitor for unexpected system modifications in macOS logs.
Use macOS notarization and app signing policies to prevent unauthorized installations.
6. Chinese Hackers Exploit Mavinject.exe for Malware Execution
Primary Threat: A Chinese-speaking APT group known as Earth Preta is using Mavinject.exe, a legitimate Windows process, to bypass security defenses and execute malware stealthily. Trend Micro’s analysis highlights how this technique evades traditional endpoint protection by leveraging Windows’ own security architecture.
Risk: Evasion of endpoint security, persistence, and remote execution of malicious code.
Detection Tips:
Monitor execution of Mavinject.exe for unauthorized use.
Restrict process injection techniques using security monitoring tools.
Deploy behavior-based endpoint detection and response (EDR) solutions.
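The detection tips for the Telegram backdoor (item 1) and for Mavinject.exe abuse (item 6) both come down to matching a known pattern against logs you already collect. The script below is an added example, not code from the newsletter or from any of the vendors cited; it runs two such checks over constructed sample proxy and process-creation records, and the trusted-parent list is an assumption to be tuned per environment.

```python
import re

# Constructed sample proxy log lines: "<host> <method> <url>" (not real traffic)
PROXY_LOG = [
    "WS-1042 GET https://api.telegram.org/bot123456789:AAExampleToken/getUpdates",
    "WS-1042 POST https://api.telegram.org/bot123456789:AAExampleToken/sendDocument",
    "WS-2211 GET https://web.telegram.org/a/",
    "WS-3307 GET https://example.com/index.html",
]

# Constructed sample process-creation events (Sysmon event 1 style, simplified)
PROC_EVENTS = [
    {"host": "WS-1042", "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"mavinject.exe 4412 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"host": "WS-2211", "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "cmdline": r"mavinject.exe 1234 /INJECTRUNNING C:\ProgramData\App-V\hook.dll"},
    {"host": "WS-3307", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Telegram bot API requests embed the bot token in the path: /bot<id>:<secret>/<method>.
# Ordinary Telegram web/desktop clients never hit this path, so it is a clean signal.
BOT_API = re.compile(r"https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(\w+)")

def detect_telegram_c2(lines):
    """Return (host, api_method) for every bot API call seen in the proxy log."""
    hits = []
    for line in lines:
        host, _method, url = line.split(" ", 2)
        m = BOT_API.search(url)
        if m:
            hits.append((host, m.group(1)))
    return hits

# Parents that legitimately launch mavinject.exe (the App-V client); assumption, tune per estate.
TRUSTED_PARENTS = (r"\microsoft application virtualization\client\appvclient.exe",)

def detect_mavinject(events):
    """Flag mavinject.exe /INJECTRUNNING (DLL injection into a running PID) when the
    parent process is not the App-V client that normally drives it."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith(r"\mavinject.exe"):
            continue
        if "/injectrunning" not in ev["cmdline"].lower():
            continue
        if not ev["parent"].lower().endswith(TRUSTED_PARENTS):
            hits.append((ev["host"], ev["parent"]))
    return hits
```

In production, feed the proxy check from your web gateway export and the process check from Sysmon or EDR telemetry; a bot API hit from a host with no business reason to run a Telegram bot, or a mavinject.exe launch from a user-writable directory, is the alert.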
IN SUMMARY:
This week’s threats highlight new malware abusing trusted platforms, exploits targeting network infrastructure, and advanced evasion techniques used by APT groups.
🚨 Key Takeaways:
✔️ Telegram-based backdoor abuses encrypted messaging for stealthy C2 communications.
✔️ New XCSSET variant bypasses macOS security, targeting Apple users.
✔️ Xerox printer vulnerabilities enable RCE and credential theft.
✔️ Juniper router flaw (CVE-2025-21589) allows authentication bypass and network takeover.
✔️ FrigidStealer macOS malware spreads via fake software updates.
✔️ Earth Preta APT uses Mavinject.exe for stealthy malware execution.
🔎 Immediate Actions:
✔️ Patch all affected Juniper routers and Xerox printers.
✔️ Block Telegram-based bot API calls in enterprise environments.
✔️ Educate users on the dangers of fake software updates.
✔️ Monitor for unauthorized execution of system-level processes like Mavinject.exe.
Stay vigilant, secure your systems, and keep your defenses updated to counter evolving threats.
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)