Cybersecurity Threats and Trends - 02/25/2025

From ransomware leveraging backdoors to phishing kits that can impersonate any brand...

Author

J.W. Croley
February 25, 2025

In partnership with

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

  1. Sign up for The Rundown AI newsletter

  2. They send you 5-minute email updates on the latest AI news and how to use it

  3. You learn how to become 2x more productive by leveraging AI

1. Evolving Snake Keylogger Leverages Advanced Evasion Tactics

Primary Threat: A newly detected Snake Keylogger variant is using enhanced anti-analysis techniques to bypass traditional defenses. Fortinet researchers report that the malware now employs obfuscated payloads and advanced sandbox evasion, making it harder for security tools to detect. Snake Keylogger is designed to steal credentials, monitor keystrokes, and exfiltrate sensitive information.

Risk: Credential theft, financial fraud, and persistent data exfiltration.

Detection Tips:

  • Monitor unusual keystroke logging behaviors and unexpected clipboard activity.

  • Flag unknown processes attempting to access credential stores.

  • Detect and block Snake Keylogger’s known C2 infrastructure.

2. Chinese-Linked Attackers Exploit Check Point Vulnerabilities for Ransomware Distribution

Primary Threat: The Nailaolocker ransomware is being deployed using ShadowPad and PlugX backdoors, both linked to Chinese APTs. Orange Cyber Defense found that attackers are exploiting vulnerabilities in Check Point security appliances to gain access, deploy backdoors, and eventually encrypt entire networks.

Risk: Ransomware deployment, backdoor persistence, and operational downtime.

Detection Tips:

  • Apply Check Point security patches immediately to mitigate known exploits.

  • Monitor for PlugX and ShadowPad indicators of compromise (IoCs).

  • Implement strict firewall rules to detect unauthorized access attempts.

3. CISA Flags Craft CMS Vulnerability as Actively Exploited

Primary Threat: A critical remote code execution (RCE) vulnerability in Craft CMS is now being actively exploited, prompting CISA to add it to its KEV list. The flaw, disclosed in Craft CMS’s security advisory, allows attackers to take control of vulnerable websites, inject malicious scripts, and exfiltrate data.

Risk: Website defacement, data theft, and full system compromise.

Detection Tips:

  • Update Craft CMS immediately to the latest patched version.

  • Monitor for unauthorized changes in CMS configurations.

  • Deploy web application firewalls (WAFs) to block exploit attempts.

Did you know...?

One of the earliest "phishing kits" was discovered in 2004 when cybercriminals used pre-built templates to create fake banking websites.

Fast forward to today, Darcula V3 automates phishing at scale, allowing even low-skilled attackers to bypass security controls with cloned brand websites and MFA capture.

4. Darcula V3 Phishing Kit Can Clone Any Brand’s Website

Primary Threat: A new phishing-as-a-service (PaaS) platform, Darcula V3, is capable of cloning any brand’s website in minutes, making it easy for attackers to conduct highly convincing phishing campaigns. Netcraft’s threat intelligence reveals that this toolkit automates site cloning, bypasses security controls, and steals multi-factor authentication (MFA) codes.

Risk: Credential theft, financial fraud, and corporate account takeovers.

Detection Tips:

  • Educate users about realistic-looking phishing emails mimicking trusted brands.

  • Monitor for login attempts from unrecognized devices or locations.

  • Implement phishing-resistant MFA solutions like hardware security keys.

5. Malware Campaign Uses Cracked Software to Spread RATs

Primary Threat: A cybercriminal campaign is using cracked software downloads to distribute remote access trojans (RATs) and credential stealers. ASEC Intelligence reports that users downloading pirated applications and game cracks unknowingly install malware that allows attackers to steal banking credentials, access webcams, and exfiltrate data.

Risk: System compromise, data exfiltration, and financial loss.

Detection Tips:

  • Block access to known software piracy sites in corporate environments.

  • Monitor for unauthorized remote desktop or webcam access requests.

  • Use application control tools to prevent the execution of unauthorized software.

6. Over 2,500 Variants of TrueSightSys Driver Exploited for Malware Delivery

Primary Threat: Adobe has issued a security bulletin warning of a critical vulnerability in its ColdFusion software, which has an active proof-of-concept (PoC) exploit circulating online. This flaw allows attackers to execute arbitrary code and gain unauthorized control over ColdFusion servers. Immediate patching is strongly recommended to prevent exploitation.

  • Risk: Remote code execution, server compromise, and data exfiltration.

  • Detection Tips:

    • Monitor for unauthorized access to ColdFusion management interfaces.

    • Apply security patches from Adobe immediately.

    • Audit network traffic for signs of exploitation attempts targeting ColdFusion servers.

IN SUMMARY:

Today’s cyber threats showcase new malware evasion techniques, actively exploited vulnerabilities, and phishing innovations:

🚨 Key Takeaways:
✔️ Snake Keylogger is evolving with sandbox evasion tactics.
✔️ Chinese APTs exploit Check Point vulnerabilities to deliver Nailaolocker ransomware.
✔️ Craft CMS vulnerability (CVE-2025-XXXXX) is being actively exploited, requiring immediate patching.
✔️ Darcula V3 phishing kit enables mass credential theft by cloning brand websites.
✔️ Cracked software is spreading RATs, leading to remote access and credential theft.
✔️ 2,500+ TrueSightSys driver variants are being used to bypass security controls.

🔎 Immediate Actions:
✔️ Patch Craft CMS vulnerabilities and Check Point appliances.
✔️ Warn users against downloading cracked software.
✔️ Deploy strong phishing-resistant MFA solutions.
✔️ Monitor for unauthorized driver installations and TrueSightSys-related activity.

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)