WME Security Briefing 13 February 2025

WME Cybersecurity Briefings No. 038

DragonRank Targets IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects

Overview

Reports describe a new wave of cyberattacks against Internet Information Services (IIS) servers in Asia. The attackers, tracked under the name DragonRank, are suspected to be Chinese-speaking. They use the BadIIS malware to manipulate SEO so that users are redirected to illegal gambling websites. The attacks primarily target servers in countries such as India, Thailand and Vietnam, and have affected sectors including government, universities and the technology industry.

Impact

Once BadIIS is installed, it modifies HTTP response headers so that legitimate users arriving from reputable websites are redirected to illegal ones. The manipulation works by first inspecting particular fields of the HTTP request header, for example ‘User-Agent’ and ‘Referer,’ and then checking whether they contain specific SEO terms.

The compromised servers also host credential-harvesting pages, which is a further major risk to organizations that rely on them for daily operations. Overall, this SEO manipulation tactic undermines the integrity of the affected systems.

Recommendation

If you operate IIS servers, especially in the affected regions mentioned above, audit them immediately and apply all available security patches. Keep monitoring for unauthorized redirects, and have your security teams regularly review logs for any signs of BadIIS malware.
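As an added example (not from the briefing or from the researchers who reported BadIIS), the following Python script checks IIS W3C-format logs for the cloaking pattern described above: the same URL answering search-engine crawlers or search-referred visitors with a redirect while ordinary visitors receive a normal page. The log lines, field layout and crawler markers are constructed for this example.

```python
"""Flag URLs in IIS W3C logs that redirect search traffic but serve normal visitors.

Added example for this briefing; the log lines below are constructed, not
taken from a real incident. IIS stores spaces inside field values as '+'.
"""
from collections import defaultdict
from urllib.parse import unquote_plus

# Markers (assumed for the example) that identify search-engine traffic.
SEARCH_UA_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot")
SEARCH_REFERER_MARKERS = ("google.", "bing.", "baidu.", "yandex.")
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

# Constructed sample log: /index.aspx redirects search traffic only,
# /old.aspx is a legitimate redirect for everyone, /about.aspx is clean.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-10 08:00:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 302 0 0 15
2025-02-10 08:00:05 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 12
2025-02-10 08:00:09 10.0.0.5 GET /index.aspx - 80 - 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://www.google.com/search?q=example 302 0 0 14
2025-02-10 08:00:12 10.0.0.5 GET /about.aspx - 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 9
2025-02-10 08:00:20 10.0.0.5 GET /old.aspx - 80 - 203.0.113.11 Mozilla/5.0+(compatible;+bingbot/2.0) - 301 0 0 7
2025-02-10 08:00:25 10.0.0.5 GET /old.aspx - 80 - 198.51.100.12 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 301 0 0 8
"""


def parse_w3c(log_text):
    """Yield one dict per request line, using the most recent #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the fields
        row = dict(zip(fields, values))
        # IIS encodes spaces in header values as '+'; undo that for matching.
        for key in ("cs(User-Agent)", "cs(Referer)"):
            if key in row:
                row[key] = unquote_plus(row[key])
        yield row


def is_search_traffic(row):
    """True when the request comes from a crawler or a search-engine referral."""
    ua = row.get("cs(User-Agent)", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    return any(m in ua for m in SEARCH_UA_MARKERS) or any(
        m in referer for m in SEARCH_REFERER_MARKERS
    )


def find_cloaked_redirects(log_text):
    """Return per-URL counters for URLs that redirect search traffic only."""
    stats = defaultdict(
        lambda: {"search_total": 0, "search_redirects": 0,
                 "other_total": 0, "other_redirects": 0}
    )
    for row in parse_w3c(log_text):
        bucket = "search" if is_search_traffic(row) else "other"
        counters = stats[row["cs-uri-stem"]]
        counters[bucket + "_total"] += 1
        if row["sc-status"] in REDIRECT_STATUSES:
            counters[bucket + "_redirects"] += 1
    # Suspicious: search traffic is redirected while ordinary visitors, who
    # are also seen on the same URL, never are.
    return {
        uri: dict(c) for uri, c in stats.items()
        if c["search_redirects"] > 0 and c["other_total"] > 0 and c["other_redirects"] == 0
    }


if __name__ == "__main__":
    for uri, counters in find_cloaked_redirects(SAMPLE_LOG).items():
        print(f"possible cloaked redirect on {uri}: {counters}")
```

IIS logs do not record the Location response header by default, so a flagged URL still has to be confirmed by comparing the responses the server actually returns to the two kinds of client; a legitimate site-wide redirect (like /old.aspx in the sample) affects everyone and is not reported.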


Critical Security Flaws in Zimbra Collaboration Software Addressed in Recent Updates

Overview

Zimbra has rolled out security updates addressing several severe vulnerabilities in its collaboration software. If exploited, these flaws could cause loss of critical information and put your data at risk of exposure.

Zimbra has been proactively releasing patches for such flaws, and the latest one fixes the vulnerability tracked as CVE-2025-25064. This time there is also a critical XSS issue and a server-side request forgery (SSRF) issue, the latter of medium severity. The company officially recommends that users update their systems as soon as possible.

Impact

The first vulnerability, CVE-2025-25064, has a CVSS score of 9.8/10, which is severe. The flaw arises from inadequate input sanitization in the ZimbraSync Service SOAP endpoint. All versions prior to 10.0.12 and 10.1.4 are affected. If exploited, malicious SQL queries can be injected and sensitive email metadata put at risk.

Zimbra has also patched an XSS vulnerability in its Classic Web Client. No CVE score has been assigned to it yet, but it carries a significant risk of malicious script execution. The SSRF flaw, which could let attackers redirect requests to internal network services, has been addressed as well.

Recommendation

We recommend Zimbra users upgrade to the following patched versions ASAP:

  • CVE-2025-25064: To avoid SQL injection, upgrade to versions 10.0.12, 10.1.4, or later.
  • The stored XSS vulnerability: Update to versions 9.0.0 Patch 44, 10.0.13, or 10.1.5.
  • CVE-2025-25065: Upgrade to versions 9.0.0 Patch 43, 10.0.12, or 10.1.4 to avoid the SSRF vulnerability.
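
Because the three fixes land in different patch levels of the 9.0, 10.0 and 10.1 branches, it is easy to upgrade past one advisory and still be exposed to another. The following Python helper, an added example rather than a Zimbra tool, takes a version string such as "9.0.0 Patch 43" or "10.0.12" and reports the status of each advisory using only the fixed versions listed above; the version-string parsing and the branch handling are this example's own assumptions.

```python
"""Check a Zimbra Collaboration version string against the fixed versions
listed in this briefing. Added example; the parsing and branch handling are
this example's own assumptions, not Zimbra's tooling.
"""
import re

# Fixed versions per advisory, keyed by release branch, as listed above.
# Versions are (major, minor, micro, patch); "9.0.0 Patch 43" -> (9, 0, 0, 43).
FIXED_VERSIONS = {
    "CVE-2025-25064 (SQL injection)": {
        (10, 0): (10, 0, 12, 0), (10, 1): (10, 1, 4, 0),
    },
    "Stored XSS (Classic Web Client)": {
        (9, 0): (9, 0, 0, 44), (10, 0): (10, 0, 13, 0), (10, 1): (10, 1, 5, 0),
    },
    "CVE-2025-25065 (SSRF)": {
        (9, 0): (9, 0, 0, 43), (10, 0): (10, 0, 12, 0), (10, 1): (10, 1, 4, 0),
    },
}

# Accepts "10.0.12", "9.0.0 Patch 43" and the shorthand "9.0.0 P43".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch|P)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Turn a Zimbra version string into a comparable 4-tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognized Zimbra version: {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def format_version(version):
    """Inverse of parse_version, for readable upgrade advice."""
    major, minor, micro, patch = version
    base = f"{major}.{minor}.{micro}"
    return f"{base} Patch {patch}" if patch else base


def check_zimbra_version(text):
    """Return {advisory: status} for the given installed version."""
    installed = parse_version(text)
    branch = installed[:2]
    report = {}
    for advisory, fixes in FIXED_VERSIONS.items():
        fixed = fixes.get(branch)
        if fixed is None:
            # The briefing lists no fixed version for this branch; do not
            # guess either way, flag it for manual follow-up.
            report[advisory] = "no fixed version listed for this branch"
        elif installed >= fixed:
            report[advisory] = "patched"
        else:
            report[advisory] = f"unpatched (upgrade to {format_version(fixed)})"
    return report


if __name__ == "__main__":
    for candidate in ("10.0.12", "9.0.0 Patch 43", "10.1.5"):
        print(candidate)
        for advisory, status in check_zimbra_version(candidate).items():
            print(f"  {advisory}: {status}")
```

Note that 10.0.12 closes the SQL injection and SSRF issues but not the stored XSS, which needs 10.0.13; the helper makes that gap visible instead of reporting a single "patched" verdict.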

XE Hacker Group Exploits VeraCore Zero-Day Vulnerabilities to Deploy Persistent Web Shells

Overview

Exploitation of zero-day vulnerabilities in Advantive VeraCore, a widely used software product in the manufacturing and distribution sectors, has been detected. XE Group, a cybercrime gang based in Vietnam, is suspected of exploiting these flaws to drop reverse shells and web shells and so gain persistent access to compromised VeraCore systems. The vulnerabilities, CVE-2024-57968 and CVE-2025-25181, appear to be part of a broader strategy to compromise enterprise systems.

Impact

The vulnerabilities are significant because of how easily they let attackers take control of affected systems. CVE-2024-57968 allows attackers to upload dangerous files to unintended folders, while CVE-2025-25181 enables SQL injection and arbitrary command execution. Exploiting these flaws, the XE gang deploys ASPXSpy web shells, which let them enumerate the file system, scan networks and run SQL queries.

Recommendation

Advantive VeraCore users should immediately check their systems for vulnerable versions (any version before the fixed release 2024.4.2.1).


Malicious ML Models Exploit Broken Pickle Format to Evade Detection

Overview

Security researchers have identified two malicious ML models hosted on Hugging Face that take advantage of a “broken” pickle format to evade detection. Pickle is the format typically used to serialize Python objects and is widely used to distribute ML models, but it brings enormous safety issues when abused.

The PyTorch-based pickle files contained reverse shell payloads, which is what makes them malicious. Despite being flagged as suspicious, these corrupt files executed the payload without triggering any alarms, because they used a unique exploitation method of their own.

Impact

The malicious models found in the Hugging Face repositories:

  • glockr1/ballr7
  • who-r-u0000/0000000000000000000000000000000000000

were able to execute a reverse shell upon deserialization.

The payload connects to a hardcoded IP address, compromising the system. The attack method, commonly called nullifAI, is exceptionally dangerous because of the evasion capabilities of the broken pickle files.

The 7z compression format is part of what makes these models so insidious: they do not use the common ZIP format, because 7z lets them evade security flagging. In addition, the broken pickle format causes deserialization to fail, but the malicious payload is executed before that failure occurs. This behavior is why execution succeeds without triggering the errors that would otherwise alert security mechanisms.

Recommendation

If you are using ML models from Hugging Face, we recommend:

  1. Thoroughly inspect models obtained from public repositories.
  2. Ensure tools like Picklescan are updated.
  3. Disable pickle serialization where feasible.
  4. Isolate/monitor ML models.
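
The failure mode behind nullifAI (code-loading opcodes run before the stream breaks, so a scanner that aborts on a malformed stream reports nothing) is easy to reproduce with the standard library. The Python below is an added example, not the researchers' tooling or Picklescan: it walks a pickle's opcodes with `pickletools.genops`, keeps whatever imports it has seen when the stream turns out to be truncated, and loads only through an allowlisting `Unpickler`. The pickle bytes are constructed here and call nothing more dangerous than `print`; the truncation stands in for the "broken" streams the briefing describes, and the allowlist contents are an assumption for the example.

```python
"""Scan a pickle stream for code-loading opcodes and load it with an allowlist.

Added example for this briefing, not the researchers' tooling. The point
shown: a stream that is cut off before STOP still carries its GLOBAL/REDUCE
opcodes, so a scanner must not give up when the stream turns out to be broken.
"""
import io
import pickle
import pickletools

# Constructed protocol-0 pickle that calls builtins.print("hi") on load:
#   c<module>\n<name>\n  GLOBAL   push builtins.print
#   (                   MARK
#   S'hi'\n             STRING
#   t                   TUPLE    -> ("hi",)
#   R                   REDUCE   -> print("hi")
#   .                   STOP
COMPLETE_PICKLE = b"cbuiltins\nprint\n(S'hi'\ntR."
# The same stream with STOP missing: a plain pickle.loads() still runs
# print("hi") and only then raises EOFError, the failure mode described above.
TRUNCATED_PICKLE = COMPLETE_PICKLE[:-1]
# A protocol-4 reference to the same callable (STACK_GLOBAL instead of GLOBAL).
PROTO4_REFERENCE = pickle.dumps(print, protocol=4)
# A plain data pickle, the kind a model file should consist of.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})


def scan_pickle_globals(data):
    """Return the (module, name) pairs the stream imports, even if it is broken.

    Walks opcodes with pickletools.genops and catches the ValueError raised
    when the stream ends without STOP, keeping what was found up to that point.
    """
    found = []
    recent_strings = []  # string operands that a later STACK_GLOBAL consumes
    try:
        for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if opcode.name == "GLOBAL":
                module, name = arg.split(" ", 1)
                found.append((module, name))
            elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
            elif isinstance(arg, str):
                recent_strings.append(arg)
    except ValueError:
        pass  # truncated or broken stream: report what was seen before the error
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (example allowlist)."""

    ALLOWED = {
        "collections": {"OrderedDict"},
        "builtins": {"set", "frozenset", "bytearray"},
    }

    def find_class(self, module, name):
        if name in self.ALLOWED.get(module, ()):
            return super().find_class(module, name)
        # Raised at the GLOBAL opcode, before any REDUCE can call the object.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def safe_loads(data):
    """Load a pickle through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data):
    """True if the restricted loader refuses the stream before running anything."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    samples = [("complete", COMPLETE_PICKLE), ("truncated", TRUNCATED_PICKLE),
               ("proto4", PROTO4_REFERENCE), ("benign", BENIGN_PICKLE)]
    for label, data in samples:
        print(f"{label:9} imports={scan_pickle_globals(data)} blocked={is_blocked(data)}")
```

The scanner's `except ValueError` is the part that matters for this briefing: the truncated stream is reported with the same `builtins.print` import as the complete one, where a scanner that treated the parse error as "not a valid pickle" would have stayed silent. The restricted loader refuses at the `GLOBAL` opcode, so nothing is called even when a stream is syntactically complete.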

DeepSeek App Exposes Sensitive Data with Weak Security Measures

Overview

Credible security assessments have unveiled alarming flaws in the DeepSeek iOS app. The recent audit found that the app handles important device data recklessly and exposed a catastrophic oversight: the app transmits data over the internet unencrypted, which makes your sensitive data an easy target for interception.

This egregious flaw is compounded by the app’s blatant disregard for essential security standards, placing user privacy at unprecedented risk.

Impact

The lack of encryption opens the door to both passive and active attacks. No crucial data is safe there, including mobile registration details and device information. Where encryption is used at all, it is also insecure because it relies on the notorious 3DES algorithm with a hardcoded key and reused initialization vectors.

The app has also disabled iOS’s App Transport Security feature, which allows unencrypted data to be transmitted and only exacerbates the issue. There is a further risk: this data is quite likely sent to servers of Volcano Engine, an operator linked to TikTok.

Recommendation

DeepSeek users should avoid transmitting important data through the app until the security flaws have been addressed. You may also consider alternatives that have implemented secure encrypted communication channels.
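As an added example, not taken from the audit the briefing cites, here is a Python check for the App Transport Security weakening mentioned above. It reads an app's Info.plist with the standard-library `plistlib` module and reports settings that switch ATS off globally or for individual domains; the weak plist and the hardened plist are constructed for this example, and the bundle identifiers and the domain in them are placeholders. The 3DES and hardcoded-key finding is not something a plist check can see and is out of scope here.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakenings.

Added example for this briefing; the plists below are constructed to show the
weak and the corrected configuration side by side, they are not DeepSeek's.
"""
import plistlib

# Constructed plist with ATS switched off globally plus one domain exception.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.test</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Corrected: no NSAppTransportSecurity dictionary at all, so the iOS defaults
# (HTTPS only, TLS 1.2 or newer) apply to every connection the app makes.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
</dict>
</plist>
"""

# Top-level ATS switches that disable protection wholesale.
GLOBAL_FLAGS = {
    "NSAllowsArbitraryLoads": "ATS disabled for all connections (plain HTTP allowed)",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web views",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loads",
    "NSAllowsLocalNetworking": "unsecured local-network connections allowed",
}


def audit_ats(plist_bytes):
    """Return a list of findings; an empty list means ATS defaults are intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings = []
    if not isinstance(ats, dict):
        return findings
    for key, description in GLOBAL_FLAGS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {description}")
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if not isinstance(rules, dict):
            continue
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{scope}: plain HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS lowered to {tls}")
    return findings


if __name__ == "__main__":
    for label, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(label, audit_ats(data) or ["no ATS weakenings"])
```

Run against an extracted app bundle, the same function can be pointed at the real Info.plist; an empty result means the app relies on the platform defaults, which is the configuration the recommendation above asks users to look for in alternatives.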


Windows Management Experts

Now A Microsoft Solutions Partner for:

✓ Data & AI

✓ Digital and App Innovation

✓ Infrastructure

✓ Security

The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.

Why not reach out to us at WME?

Contact us and let us transform your business’s security into a strategic advantage for your business. Be sure, with WME, you’re just beginning a path toward a more streamlined and secure future.

Contact us: Sales@winmgmtexperts.com


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
