Weekly One-Shot: February 23 - March 01, 2025

This week's threats and trends.

In partnership with

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

Optimize global IT operations with our World at Work Guide

Explore this ready-to-go guide to support your IT operations in 130+ countries. Discover how:

  • Standardizing global IT operations enhances efficiency and reduces overhead

  • Ensuring compliance with local IT legislation safeguards your operations

  • Integrating Deel IT with EOR, global payroll, and contractor management optimizes your tech stack

Leverage Deel IT to manage your global operations with ease.

Cybersecurity news can sometimes feel like a twisted thriller, can't it? Just when we think we’re safe, a new plot twist comes creeping out of the woodwork. This week was no exception, with advanced threats, state-sponsored espionage, and AI-driven attacks making headlines. But don’t worry—we’re here to break it down, demystify the jargon, and arm you with the know-how you need to stay one step ahead.

So grab your coffee (or maybe your incident response plan), and let’s dive into this week’s cybersecurity drama!

This week in Cybersecurity

1. GitVenom Malware Steals $456K in Bitcoin from Developers
A new malware campaign is spreading via GitHub repositories, infecting development tools to steal cryptocurrency wallet credentials and manipulate clipboard transactions.
February 27 Newsletter

2. TrueSightSys Driver Exploited for Kernel-Level Malware
A vulnerable Windows driver is being modified by attackers to disable security tools and execute kernel-level malware.
February 27 Newsletter

3. FatalRAT Targets APAC with Multi-Stage Infection Chains
A Remote Access Trojan (RAT) is spreading through phishing emails, giving attackers persistent access to compromised systems.
February 27 Newsletter

4. Linux Malware ‘Auto-Color’ Gains Root Access
A new Linux backdoor exploits privilege escalation vulnerabilities to gain root access and execute remote commands.
February 27 Newsletter

5. PolarEdge Botnet Exploits Routers for IoT Attacks
Cisco and MikroTik routers are being hijacked for DDoS attacks, proxy abuse, and cryptojacking.
February 27 Newsletter

6. Darcula V3 Phishing Kit Can Clone Any Brand’s Website
A phishing kit is enabling attackers to perfectly mimic legitimate websites, bypassing MFA protections.
February 25 Newsletter

7. TGtoxic Banking Trojan Targeting Android Users
A new banking trojan is stealing login credentials and intercepting SMS authentication codes.
February 25 Newsletter

8. Cracked Software Distributing RATs and InfoStealers
Cybercriminals are embedding malware into pirated software, infecting users with credential stealers and remote access trojans (RATs).
February 25 Newsletter

9. Craft CMS Vulnerability Actively Exploited for Remote Code Execution
A critical RCE vulnerability in Craft CMS is being actively exploited to inject malicious scripts.
February 25 Newsletter

10. *BONUS TOPIC*
Social Engineering Attacks are Targeting High-Level Executives with AI Tools
Attackers are using AI-generated deepfake phone calls and other AI tools to impersonate executives and authorize fraudulent wire transfers.
Ongoing Threat Trends

Biggest Threat This Week

Chinese-Linked Group “Salt Typhoon” Targets U.S. Telecommunications

Nailaolocker Ransomware Exploiting Check Point Vulnerabilities

A Chinese-linked APT is exploiting Check Point security appliances to deploy Nailaolocker ransomware inside enterprise networks. The attack chain involves installing PlugX and ShadowPad backdoors, allowing long-term persistence before executing the ransomware payload.

  • MITRE Tactics: Initial Access, Persistence, Impact

  • Risk Level: Critical – The initial foothold is the security appliance itself, so the device meant to protect the network becomes the launch point, and the backdoors give attackers time to stage the ransomware unnoticed.

Detection & Prevention Tips:
✔ Apply all security patches for Check Point appliances immediately.
✔ Monitor for PlugX and ShadowPad indicators of compromise (IoCs).
✔ Enforce strict firewall rules to block unauthorized remote access.

Training Recommendation

Master Ransomware Incident Response – TryHackMe Blue Team Learning Path

Ransomware isn’t going anywhere. If you’re in incident response, IT security, or SOC operations, learning how to detect, analyze, and contain ransomware attacks is a must.

Wrapping Up:

This week’s ransomware leveraging security appliances is one of the most concerning developments we’ve seen. It underscores why patching is crucial, even for security tools.

Stay patched, stay aware, and stay skeptical of phishing attempts! See you next time.

(P.S. Supporting our partners helps keep this newsletter running!)