Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Lumma Stealer Resurges With New Browser Fingerprinting Tactics
The infostealer family known as Lumma Stealer has shown a resurgence in activity recently, following earlier disruption from a doxxing campaign that temporarily curtailed its operations. Although previous momentum waned, new telemetry reveals that the malware now incorporates advanced browser-fingerprinting techniques as part of its command-and-control (C2) infrastructure. The payloads deploy JavaScript modules to harvest detailed system, hardware, and network environment data (such as WebGL, WebRTC, plugin lists, connection bandwidth) and send it to a Fingerprint endpoint (/api/set_agent). This profiling capability enables the actor to assess victim environments for sandbox detection, select high-value targets, and maintain stealth by routing through trusted browser processes like chrome.exe via injection.
Importantly, despite the introduction of new fingerprinting functionality, Lumma Stealer retains its legacy C2 routes (request parameters such as uid, cid, agent, token) and communication methods, indicating the operators are augmenting rather than replacing their established infrastructure. The combination of traditional tactics (process injection, remote thread execution via MicrosoftEdgeUpdate.exe) with new profiling methods underscores the actor’s commitment to stealth, precision, and persistence. While underground visibility of Lumma’s services appears to have weakened (as shown by fixed or sink-holed domains and fewer active forums), the malware remains active and increasingly sophisticated.
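The two observables this alert gives defenders are the fingerprint endpoint path (/api/set_agent) and the legacy parameter set (uid, cid, agent, token). The script below is an added illustration of turning them into hunting rules over network telemetry; it is not CyberProof's code and contains nothing taken from the malware. The event format, the host names, the 203.0.113.10 address and the /c2sock path are constructed for the example.

```python
"""Flag network events that match the Lumma Stealer C2 traits described in
this alert: the browser-fingerprint endpoint /api/set_agent and the legacy
request parameters uid, cid, agent and token.

This is an added illustration, not CyberProof's code or anything taken from
the malware. The event format is constructed for the example (EDR-style
"<timestamp> <host> <process> <method> <url>"); adapt parse_event() to the
real proxy or EDR export in use.
"""
from urllib.parse import parse_qs, urlsplit

LUMMA_FINGERPRINT_PATH = "/api/set_agent"               # named in the alert
LUMMA_LEGACY_PARAMS = {"uid", "cid", "agent", "token"}  # named in the alert
# Processes the alert names as injection hosts; used only to enrich a hit,
# never as a rule on its own (both are legitimate on almost every Windows box).
INJECTION_HOSTS = {"chrome.exe", "microsoftedgeupdate.exe"}

# Constructed sample events. 203.0.113.10 is documentation address space and
# the /c2sock path is made up; only /api/set_agent and the parameter names
# come from the alert.
SAMPLE_EVENTS = """\
2025-11-14T09:01:02Z WS-0142 chrome.exe POST http://203.0.113.10/api/set_agent
2025-11-14T09:01:05Z WS-0142 chrome.exe POST http://203.0.113.10/c2sock?uid=AB12&cid=7&agent=win10&token=deadbeef
2025-11-14T09:02:11Z WS-0142 MicrosoftEdgeUpdate.exe GET http://203.0.113.10/api/set_agent
2025-11-14T09:03:30Z WS-0077 chrome.exe GET https://www.example.com/api/set_agent_list
2025-11-14T09:04:00Z WS-0077 outlook.exe GET https://mail.example.com/owa/?uid=42
"""


def parse_event(line):
    """Split one constructed event line into its fields and URL components."""
    ts, host, proc, method, url = line.split(" ", 4)
    parts = urlsplit(url)
    return {
        "ts": ts,
        "host": host,
        "process": proc,
        "method": method,
        "path": parts.path,
        "params": set(parse_qs(parts.query).keys()),
    }


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    # Exact path match: a prefix match would also catch /api/set_agent_list.
    if event["path"] == LUMMA_FINGERPRINT_PATH:
        hits.append("lumma_fingerprint_endpoint")
    # Require the whole legacy parameter set; a lone uid= is everywhere.
    if LUMMA_LEGACY_PARAMS <= event["params"]:
        hits.append("lumma_legacy_c2_params")
    if hits and event["process"].lower() in INJECTION_HOSTS:
        hits.append("from_known_injection_host")
    return hits


def scan(text):
    """Run every non-empty line through the rules; return the hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append((event["host"], event["process"], event["path"], rules))
    return findings


if __name__ == "__main__":
    for host, proc, path, rules in scan(SAMPLE_EVENTS):
        print(f"{host} {proc} {path} -> {', '.join(rules)}")
```

Three of the five sample events are flagged; the request to /api/set_agent_list and the lone uid= parameter are deliberately left alone, since an exact path match and the full parameter set are what keep this rule from drowning in false positives. The process name only annotates a hit, because chrome.exe and MicrosoftEdgeUpdate.exe generate legitimate traffic constantly.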
Malware Campaign Masquerades as SteamCleaner
A sophisticated malware campaign has been identified distributing backdoor malware disguised as “SteamCleaner,” a legitimate open-source tool designed to clean junk files from the Steam gaming platform. The malware, signed with a valid certificate to appear trustworthy, installs malicious Node.js scripts that enable threat actors to execute remote commands on infected systems. This campaign represents a significant threat as it leverages the popularity of gaming platforms and exploits users seeking utility tools, while being actively distributed through multiple channels including websites offering illegal software downloads that redirect to GitHub repositories hosting the malicious files.
The attack chain begins when users download and execute what appears to be a legitimate installer. The malware employs multiple anti-sandbox techniques to evade detection, checking for virtual machine indicators, specific modules, files, and processes before executing its payload. Once the environment is deemed safe, the malware decrypts and executes PowerShell commands that install Node.js on the system and download two distinct malicious scripts from command-and-control servers. These scripts are then registered in the Windows task scheduler to ensure persistence, executing automatically at system startup and hourly intervals. Both scripts communicate with their respective C2 servers, transmitting infected system information and awaiting commands for execution.
The two Node.js scripts serve different but complementary purposes in the attack infrastructure. The first script can download files from specified URLs and execute them using CMD or PowerShell commands, while the second receives direct commands from the C2 server and executes them using Node.js shell functions with advanced obfuscation applied.
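The persistence mechanism described above (Node.js scripts registered as scheduled tasks that fire at startup and hourly) is something a defender can hunt for directly in a scheduled-task export. The script below is an added illustration, not the campaign's or CyberProof's code: it reads a CSV in the shape of a `schtasks /query /fo CSV /v` export and flags node.exe tasks whose trigger or install location fits the pattern. The columns are a constructed subset of the real export, and every task name and path in the sample is made up.

```python
"""Hunt a scheduled-task export for the persistence pattern in this alert:
tasks that launch Node.js scripts at system startup or on an hourly repeat.

Added illustration for the alert, not the campaign's or CyberProof's code.
The CSV below is a constructed subset of the columns that
`schtasks /query /fo CSV /v` produces; every task name and path in it is
made up.
"""
import csv
import io
import re

SAMPLE_EXPORT = r"""
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","N/A","SYSTEM"
"\SteamCleanerUpdate","C:\ProgramData\nodejs\node.exe C:\ProgramData\sc\update.js","At system start up","N/A","alice"
"\SteamCleanerSync","C:\ProgramData\nodejs\node.exe C:\ProgramData\sc\sync.js","Daily","1 Hour(s)","alice"
"\NodeDevBuild","C:\Program Files\nodejs\node.exe build.js","One Time Only","N/A","bob"
"\OneDrive Reporting Task","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting","Daily","N/A","alice"
""".strip()

# "node" or "node.exe" as a whole token or path component (not "nodejs").
NODE_RE = re.compile(r'(?:^|[\\/\s"])node(?:\.exe)?(?:["\s]|$)', re.IGNORECASE)
# Trigger types that match the alert's "at system startup" behaviour.
TRIGGER_TYPES = {"at system start up", "at logon time", "hourly"}
# A daily task repeating every hour is how an hourly beacon often shows up.
HOURLY_REPEAT_RE = re.compile(r"^\s*1\s+hour", re.IGNORECASE)
# Legitimate Node installs normally land here; the alert's payload is dropped elsewhere.
EXPECTED_INSTALL_HINTS = ("program files", "%programfiles%")


def runs_node(command):
    """True if the task action launches the Node.js runtime."""
    return bool(NODE_RE.search(command))


def startup_or_hourly(task):
    """True if the task fires at startup/logon or repeats hourly."""
    if task["Schedule Type"].strip().lower() in TRIGGER_TYPES:
        return True
    return bool(HOURLY_REPEAT_RE.match(task["Repeat: Every"]))


def hunt(export_text):
    """Return (task name, run-as user, reasons) for tasks worth an analyst's look."""
    findings = []
    for task in csv.DictReader(io.StringIO(export_text)):
        command = task["Task To Run"]
        if not runs_node(command):
            continue
        reasons = ["runs node.js"]
        if startup_or_hourly(task):
            reasons.append("startup or hourly trigger")
        if not any(hint in command.lower() for hint in EXPECTED_INSTALL_HINTS):
            reasons.append("node outside Program Files")
        # Node alone is not suspicious (developers schedule builds); require a
        # second indicator before raising the task.
        if len(reasons) >= 2:
            findings.append((task["TaskName"], task["Run As User"], reasons))
    return findings


if __name__ == "__main__":
    for name, user, reasons in hunt(SAMPLE_EXPORT):
        print(f"{name} (as {user}): {'; '.join(reasons)}")
```

On the constructed export the two SteamCleaner tasks are raised and the developer's one-off build task under Program Files is not. On a real estate, run the export on every host and feed the findings into a case rather than alerting inline: the threshold keeps noise down, but the final call on whether a Node task is legitimate belongs to the analyst.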
Global Takedown Hits Rhadamanthys and VenomRAT Infrastructure
A global law-enforcement effort dubbed Operation Endgame 3.0 has disrupted a major malware-as-a-service ecosystem, dismantling more than 1,000 servers and seizing 20 domains between November 10 and 13, 2025, including infrastructure used by the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. The network supported “hundreds of thousands” of infected systems and held “several million” stolen credentials, along with access to more than 100,000 cryptocurrency wallets worth millions of euros. These tools enabled large-scale credential theft, remote access, and botnet-driven operations, making them key facilitators for follow-on intrusions, financial fraud, and ransomware activity before the takedown.
Authentication Bypass in Fortinet FortiWeb Under Active Exploitation
An authentication bypass vulnerability in Fortinet FortiWeb Web Application Firewall is being actively exploited globally, allowing attackers to take over administrator accounts and fully compromise devices without authentication.
The exploitation stems from a path traversal flaw that lets adversaries send crafted POST requests to an internal CGI script exposed through the management interface, enabling them to create unauthorized admin accounts. Attackers are using automated tools and known credential combinations to maintain access. Fortinet has not yet published a CVE, leaving many unaware of the severity. Systems that remain unpatched are highly exposed, with widespread evidence suggesting that numerous appliances have already been compromised.
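Until a patch is applied, the most useful thing a defender can do with this description is look for the request class it names in management-interface access logs: a traversal sequence in the path of a request that reaches a CGI script. The script below is an added illustration, not Fortinet's or CyberProof's code. The alert gives no URL, so PLACEHOLDER.cgi and the sample log lines are constructed; the lines follow the common "combined" access-log layout.

```python
"""Detect path-traversal attempts in HTTP access logs, the request class this
alert describes (a traversal that reaches an internal CGI script through the
management interface).

Added illustration for the alert, not Fortinet's or CyberProof's code. The
alert names no URL, so PLACEHOLDER.cgi and the log lines below are
constructed; the addresses are documentation ranges.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in combined access-log layout.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Nov/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [13/Nov/2025:10:00:02 +0000] "POST /api/v2/../../cgi-bin/PLACEHOLDER.cgi HTTP/1.1" 200 88
198.51.100.9 - - [13/Nov/2025:10:00:03 +0000] "POST /static/%2e%2e/%2e%2e/cgi-bin/PLACEHOLDER.cgi HTTP/1.1" 200 88
203.0.113.5 - - [13/Nov/2025:10:00:04 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 2048
"""


def normalize_path(raw, max_decode=3):
    """Return (normalized_path, dot_segments).

    Percent-decoding is repeated so a multiply-encoded path is judged the
    way the server finally sees it; backslashes are treated as separators;
    '.' and '..' segments are resolved as a file system would resolve them.
    """
    path = raw
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts, dot_segments = [], 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dot_segments += 1
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts), dot_segments


def classify(line):
    """Return a finding for a log line whose path contains traversal, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target").split("?", 1)[0]
    normalized, dot_segments = normalize_path(target)
    if dot_segments == 0:
        # Browsers resolve dot segments before sending, so any that reach
        # the server were put there by a tool or by hand.
        return None
    # A POST carrying traversal that lands on a CGI script is the alert's pattern.
    is_cgi_post = m.group("method") == "POST" and normalized.endswith(".cgi")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "raw": target,
        "normalized": normalized,
        "dot_segments": dot_segments,
        "status": int(m.group("status")),
        "severity": "high" if is_cgi_post else "medium",
    }


def scan(log_text):
    """Classify every line; return only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['raw']} -> {f['normalized']} ({f['status']})")
```

Both CGI-bound POSTs are rated high regardless of how the dot segments were encoded, while the traversal in the image request is kept as a medium-severity oddity rather than dropped. A 200 status on a high-severity line is the combination to escalate, and it should be followed by a review of the appliance's administrator accounts, since account creation is the outcome the alert describes.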
Microsoft November 2025 Patch Tuesday Fixes 63 Flaws Including One Zero-Day
Microsoft’s November 2025 security update resolves 63 vulnerabilities, including five critical flaws and one actively exploited zero-day, CVE-2025-62215. The update focuses on high-severity remote code execution (RCE) and elevation of privilege (EoP) issues across Windows and Microsoft Office components. CVE-2025-62215 (CVSS 7.0), confirmed as exploited in the wild, is an EoP flaw in the Windows Kernel that allows authenticated attackers to escalate privileges locally with low attack complexity. Other major vulnerabilities include CVE-2025-60724 (CVSS 9.8), a heap-based buffer overflow in the Windows Graphics Component enabling RCE via crafted metafiles; CVE-2025-30398 (CVSS 8.1), an authorization bypass in PowerScribe 360 granting unauthenticated access to sensitive data; and CVE-2025-62199 (CVSS 7.8), a use-after-free bug in Office triggered when users open malicious documents.
The actively exploited zero-day CVE-2025-62215 (CVSS 7.0) involves a race condition in the Windows Kernel in which improper synchronization triggers a double free, resulting in heap corruption and enabling attackers with local access to escalate privileges. CVE-2025-60724 (CVSS 9.8) allows remote code execution when malicious metafiles are processed, posing significant risk to systems or web services that automatically handle uploaded documents. CVE-2025-30398 (CVSS 8.1) exposes PowerScribe 360 API endpoints without proper authorization, enabling retrieval of sensitive data, including PII. Meanwhile, CVE-2025-62199 (CVSS 7.8) can be triggered by malicious Office documents, including through the Outlook Preview Pane, making it a practical vector for targeted phishing attacks.
DanaBot Banking Trojan Returns with Version 669
The DanaBot banking Trojan has returned with version 669 after a six-month absence following Operation Endgame’s disruption in May. This multi-stage modular malware targets Windows systems through sophisticated attacks aimed at financial institutions, cryptocurrency wallets, and individual users worldwide.
The malware operates through spear-phishing campaigns and malicious documents that deliver obfuscated payloads via social engineering tactics. Once executed, the initial loader downloads encrypted modules and configuration files from C&C servers. The infection process involves injecting into legitimate Windows processes and establishing persistence through scheduled tasks, allowing remote management of new payloads without user interaction.
DanaBot’s modular architecture enables operators to deploy specialized components for data harvesting, lateral network movement, and credential theft across banking and cryptocurrency platforms. The malware-as-a-service model continues to attract threat actors through subscription-based access, expanding its reach beyond the original targets in Australia and Poland to include users across Europe and North America. This latest variant demonstrates the persistent evolution of banking Trojans despite law enforcement disruptions, maintaining encrypted communications and flexible C2 infrastructure to evade detection and ensure operational continuity.