Daily Cybersecurity Roundup, February 04, 2026

Security controls weren’t bypassed; they were sidestepped. Silver Fox APT is distributing ValleyRAT via a trojanized LINE installer, stealing credentials while evading detection using PoolParty-style code injection and Microsoft Defender exclusions. In parallel, the Interlock ransomware group executed a tightly coordinated, multi-stage intrusion using NodeSnakeRAT and Interlock RAT implants and a zero-day EDR-killing tool, while phishing campaigns increasingly abuse trusted cloud platforms to drive credential theft, account takeovers, and supply-chain compromise. Read on for the full roundup.

01

The Silver Fox APT group is distributing ValleyRAT via a trojanized LINE installer that harvests credentials and uses advanced evasion techniques like PoolParty code injection and Defender exclusions.

02

The Interlock ransomware group, a dedicated non-RaaS actor, executed a multi-stage intrusion using NodeSnakeRAT/Interlock RAT implants and a zero-day process killing tool to disable EDR and exfiltrate/encrypt victim data.

03

A report details how attackers target the Active Directory NTDS.dit database file for credential theft, and outlines advanced detection and response techniques based on correlated telemetry.

04

Analysts observed dual-mode Citrix Gateway reconnaissance traffic leveraging residential proxies to scan versions and probe Citrix infrastructure, suggesting opportunistic large-scale probing campaigns.

05

Attackers exploiting compromised routers redirect DNS queries to “shadow DNS” infrastructure hosted by a sanctioned bulletproof provider (Aeza International), enabling malicious redirects and evasion of detection.

06

Phishing campaigns abusing trusted cloud platforms are rising, exposing enterprises to credential theft, account takeover, and supply chain risks by leveraging legitimate infrastructure for malicious delivery.

07

Exploits of the React2Shell vulnerability (CVE-2025-55182) are now observed dropping cryptomining malware and reverse shells, expanding exploitation beyond simple execution to persistent post-compromise tooling.

08

Critical security bugs (CVE-2025-12743) in Google Looker enable cross-tenant RCE and data exfiltration, allowing malicious actors to breach isolation boundaries between enterprise customers.

09

Six vulnerabilities in Django—including three high-severity SQL injection flaws (CVE-2026-1207, CVE-2026-1287, CVE-2026-1312) and two DoS issues—are patched, with urgent upgrades recommended.

10

A critical unauthenticated RCE flaw (CVE-2025-40551) in SolarWinds Web Help Desk due to unsafe deserialization has been added to CISA’s KEV list, leading to active exploitation warnings.