Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft’s July Patch

CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups, including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer), and Storm-2603, the latter of which is linked to the deployment of Warlock, LockBit, and Babuk ransomware families in recent months.

However, the latest findings from Symantec indicate that a much wider range of Chinese threat actors have abused the vulnerability. This includes the Salt Typhoon (aka Glowworm) hacking group, which is said to have leveraged the ToolShell flaw to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and the two government bodies in Africa.

KrustyLoader, first detailed by Synacktiv in January 2024, is a Rust-based loader previously put to use by a China-nexus espionage group dubbed UNC5221 in attacks exploiting flaws in Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver.

CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

CISA has confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

BleepingComputer previously reported that CVE-2025-61884 is an unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, which was linked to a leaked exploit used in July attacks.

The US cybersecurity agency is now requiring federal agencies to patch the security vulnerability by November 10, 2025.

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.

The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.

“They are not classic malware, but they function as high-risk spam automation that abuses platform rules,” security researcher Kirill Boychenko said. “The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp’s anti-spam enforcement.”

Europol dismantles SIM box operation renting numbers for cybercrime

European law enforcement in an operation codenamed ‘SIMCARTEL’ has dismantled an illegal SIM-box service that enabled more than 3,200 fraud cases and caused at least 4.5 million euros in losses.

The cybercriminal online services had about 1,200 SIM-box devices with 40,000 SIM cards to provide phone numbers that were used in telecommunication crimes ranging from phishing and investment fraud to impersonation and extortion.

In an announcement today, Europol says that the cybercrime service operated through two websites, gogetsms.com and apisim.com, which have been seized and now display a law enforcement banner.
