Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

Critical SAP NetWeaver Zero-Day Vulnerability Under Active Exploitation

28-Apr-2025
Label: Vulnerability
Threat Level: Medium

A critical zero-day vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324, CVSS 10.0) is currently under widespread active exploitation. This unrestricted file upload vulnerability allows unauthenticated attackers to upload malicious files directly to SAP systems without authorization, potentially leading to full system compromise. SAP released an emergency patch on April 24, 2025, but exploitation was observed both before and after the disclosure.

The vulnerability specifically affects the Metadata Uploader component of SAP NetWeaver Visual Composer, where missing authorization checks in the /developmentserver/metadatauploader endpoint allow attackers to upload JSP webshells to publicly accessible directories. These webshells enable remote command execution, file uploads, and potential lateral movement throughout networks. Researchers have observed attackers using sophisticated tools such as Brute Ratel and the Heaven’s Gate technique for execution and evasion.

It is estimated that 50–70% of internet-facing SAP systems have the vulnerable component enabled, leaving a significant portion potentially exposed. The impact is substantial, with activity observed across numerous industries.
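A defender reviewing web access logs for the pattern described in this alert wants two things: every request to the vulnerable Metadata Uploader endpoint (an unauthenticated one is the clearest signal, since the flaw is a missing authorization check), and any later request for a .jsp resource from the same client, which is consistent with a webshell being uploaded and then called. The following is an added example written for this page, not CyberProof's or SAP's code. It assumes NCSA combined-style access-log lines, uses a hypothetical "/public/" directory in place of whatever publicly reachable directory an upload lands in, and runs over constructed sample lines.

```python
"""Detect the SAP NetWeaver Visual Composer Metadata Uploader abuse pattern
(CVE-2025-31324) in web access logs.

Added example, not CyberProof's or SAP's code. Assumptions: NCSA combined-style
access-log lines, a hypothetical '/public/' directory standing in for the
publicly reachable directory a webshell lands in, and constructed sample lines.
"""
import re
from collections import defaultdict

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"  # vulnerable endpoint named in the alert

# client ident user [time] "METHOD path protocol" status size ... (remainder ignored)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2025:10:01:09 +0000] "GET /public/helper.jsp HTTP/1.1" 200 233',
    '198.51.100.7 - devuser [25/Apr/2025:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 10240',
    '198.51.100.7 - devuser [25/Apr/2025:10:06:01 +0000] "GET /public/index.jsp HTTP/1.1" 200 1200',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return findings in log order.

    Signal 1: any request to the Metadata Uploader endpoint. Because the flaw is a
              missing authorization check, an unauthenticated hit ('-' user) is the
              strongest indicator and is marked as such.
    Signal 2: a later request for a .jsp resource from a client that already hit
              the endpoint: consistent with uploading a JSP webshell, then calling it.
    """
    findings = []
    hit_uploader = defaultdict(int)  # client -> uploader requests seen so far
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path == UPLOAD_ENDPOINT:
            hit_uploader[rec["client"]] += 1
            findings.append({
                "signal": "uploader_request",
                "client": rec["client"],
                "method": rec["method"],
                "unauthenticated": rec["user"] == "-",
                "time": rec["time"],
            })
        elif path.endswith(".jsp") and hit_uploader[rec["client"]]:
            findings.append({
                "signal": "post_upload_jsp",
                "client": rec["client"],
                "path": path,
                "status": int(rec["status"]),
                "time": rec["time"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The second client in the sample requests a .jsp page but never touched the uploader endpoint, so it produces no finding; correlating the two signals per client is what keeps ordinary JSP traffic from drowning the alert.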

ToyMaker Initial Access Broker Facilitates Cactus Ransomware Intrusions

28-Apr-2025
Label: Malware
Threat Level: Medium

Security researchers have identified a financially motivated initial access broker (IAB) dubbed ToyMaker, operating since at least 2023, who compromises internet-facing servers to plant a custom backdoor named LAGTOY. ToyMaker then sells or hands over access to ransomware groups such as Cactus, who conduct double extortion attacks. This collaboration was observed when Cactus actors used credentials and footholds created by ToyMaker to spread laterally across a compromised critical infrastructure network, exfiltrate sensitive data, and deploy ransomware.

ToyMaker’s intrusion typically begins with exploiting unpatched, internet-facing servers. Upon gaining access, the actor rapidly conducts reconnaissance, creates unauthorized accounts, and deploys the LAGTOY backdoor. Credential harvesting is performed using Magnet RAM Capture, followed by archiving the dumps using 7zip and exfiltration over SCP via PuTTY’s pscp utility.

The LAGTOY malware establishes persistence as a service under the name WmiPrvSV, communicates with a hardcoded C2 over raw TCP port 443, and supports executing commands remotely. It features anti-debugging measures using a custom unhandled exception filter and a time-based execution control to evade detection.

After a short dormancy period, ToyMaker transferred access to Cactus ransomware operators. Cactus then conducted further reconnaissance, moved laterally using stolen credentials, installed remote administration tools (AnyDesk, RMS, eHorus, OpenSSH), exfiltrated sensitive data using 7zip and curl, and finally deployed ransomware across the environment.
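The LAGTOY service name "WmiPrvSV" is one character away from WmiPrvSE, the legitimate WMI Provider Host, which is the usual trick for making a persistence service blend into a service list. The check below is an added example written for this page, not CyberProof's code: it triages constructed stand-ins for Windows service-installation records (the ServiceName, ImagePath and StartType fields that System-log event 7045 carries) against the reported name, against one-edit lookalikes of well-known Windows component names, and against exact-name matches whose binary lives outside System32. The component-name list is an illustrative subset assumed for the example.

```python
"""Triage Windows service-installation records for names that imitate Windows
components, including the LAGTOY persistence service name 'WmiPrvSV' from the
alert above.

Added example, not CyberProof's code. The records are constructed stand-ins for
System-log service-install events (ServiceName, ImagePath, StartType, as event
7045 carries); the imitated-component list is an illustrative subset.
"""

KNOWN_IOC_SERVICE_NAMES = {"WmiPrvSV"}  # service name reported for LAGTOY in the alert

# Well-known Windows component names that malicious services commonly imitate
# (illustrative subset, assumed for this example)
WINDOWS_COMPONENT_NAMES = {"WmiPrvSE", "svchost", "lsass", "csrss", "winlogon", "spoolsv", "services"}

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample records
SAMPLE_EVENTS = [
    {"ServiceName": "WmiPrvSV", "ImagePath": "C:\\ProgramData\\wmiprvsv.exe", "StartType": "auto start"},
    {"ServiceName": "Spoolsv", "ImagePath": "C:\\Users\\Public\\spoolsv.exe", "StartType": "auto start"},
    {"ServiceName": "svchosst", "ImagePath": "C:\\Windows\\Temp\\svc.exe", "StartType": "auto start"},
    {"ServiceName": "MyBackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "StartType": "demand start"},
]


def edit_distance(a, b):
    """Levenshtein distance; a one-character change to a known name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_service(name, image_path):
    """Return one verdict per service:
    known_ioc        exact match on a service name reported in the alert
    lookalike        within one edit of a Windows component name, but not identical
    masquerade_path  identical to a component name but the binary is outside System32
    benign           nothing matched
    """
    if name in KNOWN_IOC_SERVICE_NAMES:
        return "known_ioc"
    lname = name.lower()
    for legit in WINDOWS_COMPONENT_NAMES:
        d = edit_distance(lname, legit.lower())
        if d == 1:
            return "lookalike"
        if d == 0 and not image_path.lower().startswith(SYSTEM32):
            return "masquerade_path"
    return "benign"


def triage(events):
    """Return (service name, verdict) pairs for every record."""
    return [(ev["ServiceName"], classify_service(ev["ServiceName"], ev["ImagePath"])) for ev in events]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EVENTS):
        print(f"{name:16} {verdict}")
```

The exact-name rule matters as much as the lookalike rule: the alert's actor also runs its tooling from unusual paths, and a service that borrows a legitimate name but starts a binary from ProgramData or a user profile is worth the same attention as a misspelling.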

Rising Ivanti Exploitation Signals Continued Targeting Ahead

28-Apr-2025
Label: Trend
Threat Level: Medium

The ongoing exploitation of Ivanti Connect Secure systems highlights a growing trend of persistent targeting by state-sponsored actors leveraging zero-day and recently patched vulnerabilities. Over 5,000 vulnerable instances remain exposed globally, and scanning activity against Ivanti Connect Secure and Pulse Secure appliances has sharply increased, surging by 800 percent last week, with nearly a quarter of the total scanning volume from the past three months occurring within a single day. This escalation, combined with the deployment of modular malware families like TRAILBLAZE and SPAWNCHIMERA and delayed patch adoption, indicates that attacks on Ivanti systems are likely to intensify throughout 2025 as threat actors continue to seek deeper access into targeted environments.

New Verizon Report Shows Spike in Vulnerability Exploits

28-Apr-2025
Label: Trend
Threat Level: Medium

Researchers found that threat actors are increasingly favoring code exploitation over traditional credential theft as an initial access method into systems. Approximately 20% of breaches were linked to the use of exploit scripts against unpatched vulnerabilities, closely rivaling credential abuse, which remains slightly more prevalent. While social engineering tactics, such as phishing, still contribute significantly to breaches, a notable shift is occurring toward direct technical attacks. Third-party software vulnerabilities also witnessed a sharp rise, now implicated in 30% of incidents compared to 15% the previous year, with VPN services being a particular target. Moreover, state-sponsored activities revealed a dual focus on both espionage and financial gain, frequently using vulnerability exploitation as their primary attack vector. To mitigate these threats, organizations must prioritize timely patch management, implement continuous vulnerability assessments, strengthen monitoring of third-party integrations, and enforce strict credential hygiene practices.

Botnets on the Rise: The DDoS Surge Shaking Up Global Cybersecurity

28-Apr-2025
Label: Trend
Threat Level: Medium

The digital landscape is facing an unprecedented threat with a significant surge in Distributed Denial of Service (DDoS) attacks. Over the past year, such attacks have risen sharply, with the early months of this year witnessing particularly aggressive activity driven by large-scale botnets. These attacks are not only increasing in volume but also evolving in sophistication, demonstrating faster execution, better targeting, and higher persistence. The impact is being felt across industries, putting critical operations and services at substantial risk of disruption, financial loss, and reputational harm.

Modern DDoS botnets exploit vulnerabilities in connected devices like IoT gadgets, routers, and cloud systems to generate massive attack volumes. Their ability to adapt and diversify attack vectors complicates mitigation efforts, allowing them to bypass defenses and overwhelm targets. The infection chain typically begins with compromising vulnerable devices, often by exploiting known security gaps such as unpatched systems. Once compromised, these devices are weaponized to launch extensive, coordinated attacks, causing service outages and operational delays. Industries with online operations, such as finance, telecom, and cloud-based services, are particularly affected due to their reliance on uptime and data security. These attacks serve a range of malicious motives, from ransom demands to operational sabotage. As the threat landscape continues to escalate, the growing precision and volume of such botnet attacks signal the need for renewed vigilance and an understanding that digital risks are no longer rare occurrences but ongoing challenges.

Sophisticated Attack Chain Combines Social Engineering and COM Object Exploitation

21-Apr-2025
Label: Vulnerability
Threat Level: Medium

A sophisticated cybersecurity threat has emerged, combining social engineering via Microsoft Teams with a previously undocumented persistence technique. This attack campaign targets executives and high-privilege employees in various sectors, potentially leading to ransomware deployment. The attack represents a significant evolution in threat tactics, introducing the first observed case of TypeLib COM hijacking in the wild, making it particularly dangerous due to its ability to evade detection.

The attack begins with precisely timed phishing messages sent through Microsoft Teams, masquerading as IT support personnel. These messages specifically target executives during the post-lunch period when vigilance may be lower. After establishing trust, attackers leverage Windows Quick Assist to gain remote access, blending into legitimate IT workflows. The novel aspect of this attack is the TypeLib hijacking technique that modifies registry entries to download and execute malware whenever certain COM objects are accessed by Windows processes. The payload consists of heavily obfuscated JScript and PowerShell code that creates a unique beaconing URL based on the victim’s hard drive serial number, establishes command and control communication, and reports success to a Telegram bot. Evidence suggests the attackers may be Russian-speaking, with possible connections to groups known for distributing ransomware, though the specific attribution remains uncertain.
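A TypeLib registration normally lives under Classes\TypeLib\{GUID}\<version>\0\win32 or win64, and its default value is a local path to a .tlb, .dll, .exe or .ocx. The hijack described above repoints that value so that loading the type library fetches and runs something else, so the anomaly a defender can key on is a TypeLib path value that is not a local file. The following is an added example written for this page, not CyberProof's code: it classifies constructed stand-ins for Sysmon registry value-set events (TargetObject, Details and Image fields) and flags remote references as high and other non-file values as medium. The GUIDs and URL are placeholders, and the rules encode a general expectation about well-formed TypeLib registrations rather than details published in the alert.

```python
"""Flag TypeLib registry writes that point a COM type library at something other
than a local file, the hijack pattern the alert above describes.

Added example, not CyberProof's code. The records are constructed stand-ins for
Sysmon registry value-set events (TargetObject, Details, Image); the GUIDs and
URL are placeholders. The rules encode a general expectation about how TypeLib
registrations normally look, not details published in the alert.
"""
import re

# ...\TypeLib\{guid}\<version>\0\win32|win64\(Default) holds the type-library path;
# that default value is what a hijack repoints.
TYPELIB_PATH_RE = re.compile(
    r"\\TypeLib\\\{[0-9A-Fa-f-]{36}\}\\[^\\]+\\0\\win(32|64)\\\(Default\)$",
    re.IGNORECASE,
)
# A normal value: drive letter or %ENV% root, a library/binary extension, optional \N resource id
LOCAL_FILE_RE = re.compile(
    r"^(?:[A-Za-z]:\\|%[^%]+%\\).+\.(tlb|dll|exe|ocx|olb)(\\\d+)?$", re.IGNORECASE
)

# Constructed sample events
SAMPLE_REGISTRY_EVENTS = [
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\TypeLib\\{11111111-2222-3333-4444-555555555555}\\1.0\\0\\win64\\(Default)",
     "Details": "https://placeholder.invalid/stage"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\TypeLib\\{66666666-7777-8888-9999-AAAAAAAAAAAA}\\2.0\\0\\win32\\(Default)",
     "Details": "C:\\Program Files\\Vendor\\vendor.tlb"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\TypeLib\\{66666666-7777-8888-9999-AAAAAAAAAAAA}\\2.0\\0\\win32\\(Default)",
     "Details": "\\\\fileserver\\share\\lib.tlb"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\TypeLib\\{66666666-7777-8888-9999-AAAAAAAAAAAA}\\2.0\\FLAGS",
     "Details": "0"},
]


def classify_typelib_write(event):
    """Return 'high', 'medium', or None for one registry value-set event."""
    if event.get("EventType") != "SetValue":
        return None
    if not TYPELIB_PATH_RE.search(event.get("TargetObject", "")):
        return None  # not a type-library path value (e.g. FLAGS, HELPDIR)
    data = event.get("Details", "")
    if "://" in data:
        return "high"  # remote reference: the library would be fetched from elsewhere
    if not LOCAL_FILE_RE.match(data):
        return "medium"  # UNC path, bare command, or other non-standard value
    return None


def scan_registry_events(events):
    """Return one finding per suspicious TypeLib path write, in event order."""
    findings = []
    for ev in events:
        severity = classify_typelib_write(ev)
        if severity:
            findings.append({
                "severity": severity,
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "details": ev.get("Details"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_registry_events(SAMPLE_REGISTRY_EVENTS):
        print(finding)
```

Baselining is the practical follow-up: installers write TypeLib values all the time, so the image that performed the write (msiexec versus a script host or regedit in an interactive session) belongs next to the severity when the finding is triaged.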
