Threat Alerts

A sophisticated threat actor has advanced from basic phishing tactics into a highly capable adversary that weaponizes legitimate Endpoint Detection and Response (EDR) software to conceal malicious activity. By abusing trusted security processes through DLL sideloading, the group effectively turns defensive tools into attack vectors, allowing their operations to blend seamlessly with normal security software behavior. This evolution represents a significant escalation that undermines traditional defenses and poses severe risks to organizations across all industries.

Analysis shows the attack chain begins with social engineering that convinces victims to execute encoded commands through the Windows Run dialog, followed by the use of built-in Windows utilities to download and run malicious PowerShell payloads directly in memory, bypassing signature-based detection. The attackers deploy a trojanized installer that leverages Windows Installer’s elevated privileges to place a malicious DLL in low-visibility directories, enabling the legitimate EDR executable to load the adversary’s component instead of its authentic counterpart. Once active, the malware establishes encrypted C2 communications disguised as routine EDR traffic. Post-compromise reconnaissance uses native Windows tools to extract system identifiers that facilitate rapid ransomware preparation, reducing the time from initial access to deployment from weeks to days. The abuse of digitally signed executables and TLS encryption renders traditional monitoring ineffective, demonstrating that signature-driven defenses cannot adequately counter adversaries who exploit trust in legitimate security software.

ValleyRAT, also known as Winos or Winos4.0, represents a sophisticated modular backdoor that has experienced significant growth in deployment over recent months. This malware family demonstrates advanced technical capabilities through its comprehensive plugin architecture and embedded kernel-mode rootkit, posing serious risks to organizations worldwide.

The malware operates through a modular system comprising 19 distinct main plugins, each serving specialized functions ranging from initial reconnaissance to advanced system manipulation. The infection typically begins with first-stage components that establish communication with command-and-control infrastructure, followed by selective deployment of additional modules based on victim profiling. Notable capabilities include remote desktop control, keylogging, file management, audio and video capture, DDoS functionality, and registry manipulation. The plugin system demonstrates consistent coding patterns and deep knowledge of Windows internals, suggesting development by a small, specialized team. Each component maintains encrypted communication channels using custom XOR-based schemes and can operate independently while contributing to the overall backdoor functionality.

The most concerning aspect involves a kernel-mode rootkit embedded within the driver plugin, derived from the open-source Hidden project but significantly modified for modern Windows compatibility. This rootkit implements file system filtering, registry hiding, process protection, and APC-based shellcode injection directly from kernel space. Multiple deployment variants were discovered with valid digital signatures that exploit legacy driver signing policy exceptions, allowing successful loading on fully updated Windows 11 systems despite expired certificates. The rootkit includes sophisticated installation modes, including a stealth variant that disrupts network connectivity and employs process impersonation techniques to evade behavioral detection. Additional capabilities enable forceful deletion of security software drivers and persistent system-level access through service configuration manipulation.

SAP released 14 new security notes in its December Patch Day, including three critical vulnerabilities affecting Solution Manager, Commerce Cloud, and jConnect SDK that pose severe risks of code injection, deserialization attacks, and full system compromise. The most critical flaw, CVE-2025-42880 (CVSS 9.9), allows low-privileged users to inject and execute arbitrary code in SAP Solution Manager, while CVE-2025-55754 exposes Commerce Cloud deployments through embedded Apache Tomcat weaknesses, and CVE-2025-42928 enables high-privilege deserialization attacks in jConnect SDK for ASE. Additional high- and medium-severity issues impact NetWeaver, Web Dispatcher, ABAP Server, BusinessObjects, SAPUI5, and S/4HANA components, creating avenues for data exposure, DoS conditions, and privilege misuse. As exploitation risks rise for SAP landscapes, organizations are urged to prioritize the latest patches through the Support Portal, validate environments using EarlyWatch and similar scanning tools, and update vulnerable systems without delay.

CISA has added a critical WinRAR vulnerability, CVE-2025-6218, to its Known Exploited Vulnerabilities catalog following confirmation of active exploitation. The flaw is a path traversal zero-day that allows attackers to craft malicious archive files capable of writing data outside expected extraction directories. When a user opens one of these archives, the payload can escape the restricted folder structure and execute arbitrary code with the user’s privileges. This enables remote code execution, and if the victim is an administrator, attackers can gain full system control, facilitating data theft, backdoor deployment, or ransomware attacks.

Microsoft’s December 2025 Patch Tuesday addresses 56 vulnerabilities across multiple products, including three critical flaws and one actively exploited zero-day. The update targets elevation of privilege and remote code execution vulnerabilities affecting core Windows components, Office applications, and development tools.

The most significant vulnerability is CVE-2025-62221 (CVSS 7.8), a zero-day elevation of privilege flaw in the Windows Cloud Files Mini Filter Driver that was exploited in the wild. Attackers can leverage this vulnerability to escalate to SYSTEM privileges through local authentication. Additional critical vulnerabilities include CVE-2025-62554 and CVE-2025-62557 (both CVSS 8.4), which affect Microsoft Office and enable remote code execution through malicious documents, with the Preview Pane serving as an attack vector that doesn’t require file opening.

Other notable vulnerabilities include CVE-2025-64671 (CVSS 8.4), a command injection flaw in GitHub Copilot for JetBrains IDEs that allows attackers to execute unauthorized commands through malicious cross-prompt injection, and CVE-2025-54100 (CVSS 7.8), a publicly disclosed PowerShell remote code execution vulnerability related to the Invoke-WebRequest command. The patch distribution shows elevation of privilege vulnerabilities comprising 50% of the fixes, followed by remote code execution at 33.9%, indicating continued focus on privilege escalation and code execution attack vectors.

Fortinet has disclosed critical authentication bypass vulnerabilities affecting multiple network security products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The flaws, CVE-2025-59718 (CVSS 9.8) and CVE-2025-59719 (CVSS 9.8), allow unauthenticated attackers to bypass FortiCloud SSO login authentication through crafted SAML response messages.

The vulnerabilities stem from improper verification of cryptographic signatures within the FortiCloud Single Sign-On feature. While this functionality is disabled by default in factory settings, it becomes automatically enabled when administrators register devices to FortiCare through the GUI interface, unless explicitly disabled during registration. Attackers can exploit these weaknesses by forging security tokens that the system accepts as valid, potentially granting administrative access without legitimate credentials. The attack vector requires the FortiCloud SSO feature to be active on the target device, making organizations that have registered their devices particularly vulnerable to unauthorized access attempts.

Security updates are available across all affected product lines, with specific version upgrades recommended for each platform. Organizations unable to immediately apply patches can temporarily disable the FortiCloud login feature through system settings or command-line interface until updates are deployed. The discovery adds to a growing list of critical vulnerabilities in network security appliances that have been actively exploited in ransomware and cyber-espionage campaigns, emphasizing the continued targeting of enterprise security infrastructure by threat actors.