1. Hackers Exploit TikTok Videos to Spread Vidar and StealC Malware Via ClickFix Technique
Overview
Cybercriminals have recently adapted the ClickFix social engineering technique to spread the Vidar and StealC infostealers, using TikTok videos as the lure. The method relies on tricking users into running a malicious PowerShell command, which then loads the malware directly in memory, making it harder for security tools to detect. What is new is that the approach leverages TikTok’s viral reach, and it marks an escalation in how attackers abuse popular platforms to infect systems.
Impact
The attack primarily targets users looking to activate pirated versions of software such as Spotify, CapCut, and Microsoft Office. By following the instructions in the TikTok videos, unsuspecting individuals run the malicious commands on their own systems and execute the malware. The approach is particularly dangerous because the malware runs in memory, so it can bypass many common security defenses that would typically detect a file written to disk. As the malware spreads through these malicious PowerShell scripts, it risks data theft and further system compromise.
Recommendation
- Disable Windows Run Program
- Monitor/Restrict Social Media Use
- Update Security Software
- Educate Users; Spread Awareness Training
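As an added example (not code from the WME post), the following PowerShell script, run from an elevated session, implements the first recommendation and adds a detection step for the in-memory PowerShell execution the post describes. The registry locations are the standard Windows policy keys for the Explorer “Remove Run menu” setting (NoRun) and for PowerShell script block logging; the search terms used in the hunt are assumed, generic indicators of download-and-execute-in-memory behaviour and are not indicators from the post.

```powershell
# Added example, not from the WME post.
# 1. Disable the Run dialog (Win+R) for the current user. This is the
#    Explorer policy value "NoRun"; it is per-user (HKCU), so deploy it
#    through Group Policy for fleet-wide coverage.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoRun' -Value 1 -Type DWord

# 2. Enable PowerShell script block logging so the de-obfuscated text of
#    every executed script block is written to the
#    Microsoft-Windows-PowerShell/Operational log as event ID 4104,
#    even when nothing is ever written to disk.
$sblPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblPolicy -Force | Out-Null
Set-ItemProperty -Path $sblPolicy -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Hunt the last 7 days of 4104 events for script blocks that fetch
#    and run content in memory. The patterns are assumed heuristics;
#    tune them for your environment. Requiring two hits per block keeps
#    the noise down.
$patterns = 'Invoke-Expression', 'IEX', 'DownloadString', 'Invoke-WebRequest', 'FromBase64String'
$since = (Get-Date).AddDays(-7)

# Script block logging will also record this hunting script, which
# contains the patterns above. The literal marker 'clickfix-hunt-self'
# is used to exclude our own blocks from the results.
$suspicious = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $text = $_.Properties[2].Value          # ScriptBlockText field of event 4104
        ($text -notmatch 'clickfix-hunt-self') -and
        (@($patterns | Where-Object { $text -match [regex]::Escape($_) }).Count -ge 2)
    } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlock'; e = {
            $t = $_.Properties[2].Value
            $t.Substring(0, [Math]::Min(200, $t.Length))   # first 200 chars for triage
        } }

$suspicious | Format-Table -Wrap
```

Disabling the Run dialog only removes one launcher; a lure can just as easily direct a user to a PowerShell window or a terminal, which is why the logging and hunt steps matter more than the policy itself. Review hits in `$suspicious` against known administrative scripts before acting on them.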

2. ViciousTrap Leverages Cisco Vulnerability to Set Up Global Honeypot Network
Overview
Researchers have uncovered a new cyberattack campaign by a threat actor tracked as ViciousTrap. The actor has compromised approximately 5,300 network edge devices across 84 countries. These devices, which include a wide range of Cisco routers, have been turned into a massive honeypot network.
The attack exploits a critical vulnerability in Cisco’s Small Business Routers, CVE-2023-20118.
The flaw allows attackers to take control of these devices and redirect traffic to infrastructure under their control. The campaign’s focus appears to be collecting zero-day exploits.
Impact
The infection process involves the execution of a shell script, NetGhost, which is downloaded onto the compromised routers and redirects incoming network traffic to a third-party server under the attacker’s control. The operation effectively acts as an adversary-in-the-middle (AitM) attack: it allows ViciousTrap to intercept and observe traffic, potentially collecting sensitive information and exploits from other actors.
The attack chain is sophisticated and involves multiple steps, such as using the Cisco vulnerability to execute additional malicious scripts that further extend the attacker’s control.
Recommendation
We strongly recommend that network administrators using Cisco Small Business Routers, particularly the affected models (RV016, RV042, RV042G, RV082, RV320, and RV325), immediately apply Cisco’s patches to mitigate CVE-2023-20118.

3. Europol’s Global Crackdown on Ransomware Networks and Dark Web Activities
Overview
Europol and a coalition of international law enforcement agencies have dismantled key ransomware networks and, so far, seized more than €3.5 million in cryptocurrency in a concerted effort they call Operation Endgame. The operation ran from May 19 to May 22 and led to the takedown of more than 300 servers worldwide and the neutralization of more than 650 malicious domains.
Beyond the cryptocurrency seizures, more than 270 arrests were made across more than ten countries, including the United States, Germany and the United Kingdom, as the operation targeted criminal networks involved in illicit cyber activity.
Impact
The takedown is a substantial blow to ransomware operations that have plagued the public and private sectors. These networks rely on malware variants such as Bumblebee, TrickBot and QakBot, which have been responsible for delivering large-scale ransomware attacks, and the actors behind them often offer malware services to other cybercriminals as well, facilitating widespread cyber extortion and data theft. The coordinated action disrupted several pieces of criminal infrastructure, including dark web markets, and arrest warrants have been issued against 20 key figures tied to these operations.
In an earlier operation, more than €21 million in cryptocurrency was seized, and law enforcement continues to take decisive action to halt the growth of cybercriminal enterprises.
Recommendation
We recommend that organizations strengthen their cybersecurity measures by upgrading to the latest protective tools.

4. U.S. Dismantles DanaBot Malware Network in Global Cybercrime Operation
Overview
The DanaBot malware network, allegedly operated by a Russia-backed cybercrime organization, has been taken down by the U.S. Department of Justice (DoJ). By way of background, DanaBot has been a powerful cybercrime tool, having infected more than 300,000 computers worldwide.
It facilitated crimes such as financial fraud and ransomware attacks and caused at least $50 million in damages. The operation, part of the DoJ’s broader anti-cyberthreat campaign, has resulted in charges against more than 16 individuals for its deployment, among them two key suspects: Aleksandr Stepanov and Artem Kalinkin.
The malware initially targeted victims in countries such as Ukraine and Poland before expanding its scope to the U.S. and Canada.
Impact
DanaBot had a significant global impact. It infected victim systems, allowed attackers to steal banking session data, hijacked online financial activity, and captured sensitive personal information. The malware’s modular structure made it capable of a wide range of malicious functions, including data theft, keystroke logging, and even giving its operators full remote access to victim machines.
Recommendation
WME’s cybersecurity experts recommend that organizations take immediate steps to secure their systems from similar threats.

5. CISA Alerts on Growing SaaS Attacks Exploiting App Secrets and Misconfigurations in Cloud Environments
Overview
CISA has issued an alert regarding a surge in cyber threats targeting Microsoft Azure applications, with a focus on Commvault’s SaaS solution, Metallic.
Metallic backs up Microsoft 365 environments. CISA says threat actors may have gained unauthorized access to Commvault’s customer environments through exposed application secrets stored by Commvault. These breaches are part of a larger trend of attacks on cloud SaaS infrastructure providers.
Impact
The attack is believed to have given malicious cyber actors access to Commvault’s sensitive credentials, which they could then use to authenticate to customers’ M365 environments. These credential exposures are linked to an ongoing campaign targeting SaaS providers with insufficient security configurations, such as default settings and overly permissive access. Notably, the activity stems from a flaw in Commvault’s web server, identified as CVE-2025-3928.
Recommendation
CISA urges you to take immediate steps to mitigate these risks:
- Monitor Logs.
- Review Logs; Conduct Threat Hunting.
- Apply Conditional Access Policies.
- Review Permissions; Restrict Access to Management Interfaces.
- Implement Web Application Firewalls.
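The “review permissions” and “threat hunting” steps need a concrete starting list. As an added example (not from CISA, Commvault or the WME post), the following PowerShell script uses the Microsoft Graph PowerShell SDK to inventory every Entra ID (Azure AD) app registration that holds a client secret or certificate, and flags credentials that were added recently, are long-lived, or have expired, so a reviewer can spot application credentials that nobody remembers creating. The `Application.Read.All` scope and the `Get-MgApplication` properties are the SDK’s own; the 30-day and 2-year thresholds are assumptions to tune.

```powershell
# Added example, not from the WME post. Requires the Microsoft.Graph
# module (Install-Module Microsoft.Graph) and a read-only sign-in.
Connect-MgGraph -Scopes 'Application.Read.All'

$recentCutoff = (Get-Date).AddDays(-30)   # assumed: flag credentials newer than this
$longLived    = (Get-Date).AddYears(2)    # assumed: flag credentials valid past this
$now          = Get-Date

$findings = foreach ($app in Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials, KeyCredentials) {
    # Normalise secrets (PasswordCredentials) and certificates (KeyCredentials)
    # into one shape so the same checks apply to both.
    $creds = @()
    $creds += $app.PasswordCredentials | ForEach-Object {
        [pscustomobject]@{ Kind = 'Secret';      KeyId = $_.KeyId; Start = $_.StartDateTime; End = $_.EndDateTime }
    }
    $creds += $app.KeyCredentials | ForEach-Object {
        [pscustomobject]@{ Kind = 'Certificate'; KeyId = $_.KeyId; Start = $_.StartDateTime; End = $_.EndDateTime }
    }

    foreach ($c in $creds) {
        $flags = @()
        if ($c.Start -and $c.Start -gt $recentCutoff) { $flags += 'added-in-last-30d' }
        if ($c.End   -and $c.End   -gt $longLived)    { $flags += 'valid-beyond-2y' }
        if ($c.End   -and $c.End   -lt $now)          { $flags += 'expired' }

        [pscustomobject]@{
            App     = $app.DisplayName
            AppId   = $app.AppId
            Kind    = $c.Kind
            KeyId   = $c.KeyId
            Added   = $c.Start
            Expires = $c.End
            Flags   = ($flags -join ',')
        }
    }
}

# Newest credentials first: unexpected recent additions are the ones to
# investigate against the Entra audit log and the owning team.
$findings | Sort-Object Added -Descending | Format-Table -AutoSize

# Apps with no credentials at all never appear here; apps with several
# current credentials on one registration are worth a second look, since
# a backup or integration vendor normally needs only one.
```

Pair the output with a Conditional Access policy that restricts where service principals may authenticate from, and with a review of the API permissions granted to each flagged registration; a credential that is recent, long-lived, and attached to a highly privileged app is the combination to escalate first.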

Windows Management Experts
Now A Microsoft Solutions Partner for:
✓ Data & AI
✓ Digital and App Innovation
✓ Infrastructure
✓ Security
The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.
Why not reach out to us at WME?
Contact us and let us transform your business’s security into a strategic advantage. With WME, you’re just beginning a path toward a more streamlined and secure future.
Contact us: Sales@winmgmtexperts.com