Threat Alerts

Researchers have uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework, named MSC EvilTwin (CVE-2025-26633, CVSS 7.0). This attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from infected systems. Organizations that heavily use Microsoft’s administrative tools are particularly at risk, potentially facing data breaches and significant financial losses.

The attack leverages three main techniques to execute malicious code. First, the MSC EvilTwin technique creates two identical .msc files—one clean and one malicious—with the malicious version placed in an en-US directory. When the clean file is executed, the system loads the malicious version instead due to how mmc.exe handles MUIPath. Second, attackers use the ExecuteShellCommand method within MMC to run shell commands through web rendering in MSC files. Third, they create mock trusted directories with names similar to legitimate system paths but with added spaces or special characters to bypass security checks. The attack begins with digitally-signed MSI files disguised as popular Chinese software that fetch the MSC EvilTwin loader from command-and-control servers. This loader then creates deceptive directories and executes the non-malicious version of WmiMgmt.msc, triggering the EvilTwin technique.

The Water Gamayun arsenal includes multiple modules such as the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer. These components work together to maintain persistence and exfiltrate sensitive data to the attackers’ servers. The vulnerability was disclosed through a bug bounty program, and a patch was released on March 11, 2025. This campaign demonstrates how threat actors continue to refine their tactics by exploiting vulnerabilities in legitimate Windows components, allowing them to proxy malicious code execution through trusted system binaries.

A sophisticated and long-running phishing operation, tracked as Morphing Meerkat, has been observed distributing large-scale phishing campaigns through a phishing-as-a-service (PhaaS) platform. The threat actor sends thousands of spoofed emails that lead to credential harvesting pages tailored to each victim’s email provider. The campaign employs advanced detection evasion techniques and abuses DNS infrastructure to dynamically generate targeted phishing content. This campaign shows signs of centralized management and ongoing development.

Technically, Morphing Meerkat’s phishing kits identify a victim’s email service provider by querying DNS mail exchange (MX) records using DNS over HTTPS (DoH). Based on the MX record, the kit dynamically serves a phishing template imitating the appropriate brand (e.g., Gmail, Outlook, Yahoo). The phishing pages can display in over a dozen languages and automatically pre-fill the victim’s email address. Additional layers of evasion include redirecting suspicious users to legitimate login pages and blocking browser interactions like right-clicking or viewing source code.

The spam emails often leverage open redirect vulnerabilities on adtech infrastructure or are delivered through compromised WordPress sites and free hosting services. Links typically contain fragment identifiers with the victim’s email address to personalize the phishing flow. Once credentials are collected, they are exfiltrated using multiple channels including EmailJS, Telegram bot APIs, or AJAX to actor-controlled endpoints. The kits are heavily obfuscated, using Base64, ASCII character conversion, and decoy code to hinder analysis.

Researchers have identified a sophisticated npm supply chain attack where the ethers-provider2 and ethers-providerz packages compromised locally installed ethers packages by injecting a stealthy reverse shell. Unlike conventional malware that directly targets repositories, this attack covertly modified an existing package on developers’ systems, allowing persistent remote access even after the original malicious package was removed. The attackers cleverly mimicked the widely used ssh2 package, adding subtle modifications to disguise the payload.

Once the ethers package was altered, it secretly established a reverse shell connection to the attackers, ensuring ongoing access. Even if ethers-provider2 was deleted, the malicious patch remained intact, keeping the backdoor open.

This multi-layered attack demonstrates an advanced level of stealth rarely observed in npm malware campaigns, leveraging trusted packages like ssh2 and ethers to evade detection. This incident reinforces the growing risks of software supply chain attacks, highlighting the need for continuous monitoring and enhanced security measures to combat evolving threats.

CoffeeLoader is a newly identified, highly sophisticated malware loader observed in the wild. Designed to download and execute secondary payloads while evading detection, it exhibits notable behavioral similarities to SmokeLoader, with indications of potential code-level overlap between the two families. Its core functionality revolves around stealth and persistence, making it a potent tool for adversaries engaged in multi-stage attack campaigns.

CoffeeLoader employs several advanced evasion techniques, including the use of a GPU-based packer named Armoury, which mimics legitimate ASUS software. Additional methods include call stack spoofing, sleep obfuscation, and leveraging Windows fibers to complicate analysis. The infection chain begins with a dropper that attempts to execute an Armoury-packed DLL payload with elevated privileges, bypassing User Account Control when possible. Persistence is achieved through scheduled tasks configured to run at logon or regular intervals. Once active, CoffeeLoader injects its main module into a suspended dllhost.exe process, enabling anti-analysis protections. It communicates with its C2 infrastructure via HTTPS with certificate pinning, and if unreachable, uses a domain generation algorithm (DGA) to create one backup domain per day. Researchers have observed CoffeeLoader being used to deliver the Rhadamanthys infostealer, indicating its role in broader malicious campaigns

Mozilla has patched a critical vulnerability (CVE-2025-2857, CVSS 10.0) in Firefox and Firefox ESR for Windows that could allow attackers to escape the browser’s sandbox. The flaw affects both standard and Extended Support Release versions and is closely related to a recently exploited Chrome zero-day (CVE-2025-2783). The issue has been resolved in Firefox 136.0.4 and ESR versions 115.21.1 and 128.8.1.

The vulnerability stems from improper inter-process communication (IPC) within Firefox, where a compromised child process could trick the parent process into returning an overly privileged handle. This could enable attackers to break out of the sandbox and escalate privileges on the system.

Google has patched a high-severity zero-day vulnerability in Chrome that has been exploited in targeted attacks to bypass sandbox protections and deploy malware. The flaw is being actively used in an ongoing espionage campaign known as Operation ForumTroll, which targets Russian media, educational, and government entities through phishing emails disguised as forum invitations.

Tracked as CVE-2025-2783 (CVSS score not yet disclosed), the vulnerability is described as an “incorrect handle provided in unspecified circumstances in Mojo on Windows.” Attackers exploited this flaw to escape the Chrome sandbox and execute a second-stage payload for remote code execution. Patches have been issued in Chrome version 134.0.6998.178 for Windows. While specific details remain restricted to protect users, researchers confirmed the exploit was delivered via phishing emails redirecting victims to a malicious domain.