TRENDING TOPICS MAR 12, 2025

Update: AnubisBackdoor and Critical Windows Vulnerabilities 

Cybercriminals continue to refine their tactics: the Savage Ladybug group, linked to FIN7, has introduced AnubisBackdoor, a Python-based remote access tool built for stealthy command execution and data theft. Unlike the Android-targeting Anubis banking trojan, this backdoor focuses on system compromise and uses mild obfuscation to evade most antivirus detections. It has been actively deployed in malspam campaigns, giving attackers control over infected machines while remaining undetected. AnubisBackdoor is also not linked to the Anubis ransomware group. Security teams should monitor the known IOCs, including the published IP addresses and file hashes, to detect and contain intrusions before they escalate into full-scale breaches. At the same time, CISA has flagged multiple high-risk Windows vulnerabilities that demand immediate attention. CVE-2025-24983 is a use-after-free flaw in the Win32k subsystem that allows local privilege escalation. CVE-2025-24985 is an integer overflow in the Fast FAT File System Driver that could lead to unauthorized code execution, particularly in physical access scenarios. CVE-2025-24991 is an out-of-bounds read in NTFS that lets attackers extract sensitive data. While none of these flaws is confirmed to be actively exploited in ransomware campaigns, they pose significant risk if left unpatched. Organizations should apply the Microsoft security updates immediately, follow the applicable cloud security directives (BOD 22-01), and, if necessary, temporarily discontinue vulnerable systems until fixes are available. These threats highlight the relentless pace of cyberattacks and the critical need for proactive defense strategies. 


The Ballista botnet is actively targeting unpatched TP-Link Archer AX-21 routers by exploiting CVE-2023-1389, a command injection vulnerability that allows remote code execution. Once infected, compromised routers join the botnet and are used for denial-of-service attacks, shell command execution, and further malware distribution. The malware uses a dropper script to fetch and execute its main payload for multiple architectures, then establishes an encrypted command-and-control (C2) channel on port 82. Through this channel the operators can trigger different functions, including launching exploits, executing commands, and wiping traces of infection. While early attacks on this vulnerability were linked to the Mirai botnet, Ballista has emerged as a distinct threat, spreading aggressively across thousands of devices in countries including Brazil, Poland, the UK, Bulgaria, and Turkey. Evidence points to an Italy-based threat actor, and newer versions of Ballista are moving to TOR network domains, making detection and mitigation more difficult. At the same time, CISA has added CVE-2023-1389 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its status as a real-world security risk. Two other actively exploited vulnerabilities were also flagged: CVE-2021-45046, a Log4j2 remote code execution flaw, and CVE-2023-21839, an Oracle WebLogic Server vulnerability that could expose sensitive data. Federal agencies have been ordered to patch these vulnerabilities by May 22, 2023, to prevent potential exploitation. The growing number of unpatched systems and the continued evolution of botnets like Ballista underline the urgency of applying security updates, monitoring network traffic, and securing vulnerable devices before they become entry points for cybercriminals. 


Update: MirrorFace Exploits Windows Sandbox for Stealth Attacks in Japan 

The National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a security advisory on January 8, 2025, warning about an APT campaign targeting organizations in Japan. The attack was attributed to MirrorFace, a subgroup of APT10 known for conducting highly sophisticated cyber-espionage operations. This group leveraged Windows Sandbox and Visual Studio Code as part of its strategy to evade detection and maintain persistence on compromised systems. Windows Sandbox, a built-in virtualized environment in Windows 10 and 11, is designed for securely running untrusted applications. However, MirrorFace exploited its default administrative privileges and lack of active Windows Defender protections to deploy LilimRAT, a customized version of the Lilith RAT. The malware was specifically engineered to recognize the WDAGUtilityAccount user profile, ensuring it only executed within the sandbox environment for stealth. Once inside, attackers enabled Windows Sandbox, restarted the system, and executed commands undetected. Recent updates to Windows Sandbox, including background execution and command-line controls, have made detection more difficult. By abusing WSB configuration files, the attackers controlled network access, folder sharing, and automatic script execution, maintaining a hidden foothold until the sandbox was manually terminated. The exploitation of Windows Sandbox highlights a growing trend in cyber warfare, where threat actors manipulate legitimate security tools for malicious purposes. Security professionals must monitor sandbox-related artifacts, enforce stricter privilege controls, and deploy endpoint detection solutions to identify suspicious activity within virtualized environments. The MirrorFace attack demonstrates the evolving complexity of nation-state-backed cyber operations, underscoring the need for proactive threat intelligence and adaptive defense mechanisms to combat future intrusions. 
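As an added defender-side example (not code from the advisory or from Hunter Strategy), the Python below audits a Windows Sandbox .wsb configuration for the three settings the campaign abused: network access, writable host folder sharing, and an automatic logon command. The sample .wsb content is constructed for illustration; the element names match the documented .wsb format.

```python
import xml.etree.ElementTree as ET

# Constructed sample .wsb file (not a real captured artifact). It shows the
# combination described above: networking on, a writable host folder mapped
# into the sandbox, and a command that runs automatically at sandbox logon.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\share</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\share\\start.bat</Command>
  </LogonCommand>
</Configuration>"""


def audit_wsb(xml_text):
    """Return a list of (setting, detail) findings for one .wsb configuration.

    Each finding is a setting that widens what code inside the sandbox can do
    or that makes the sandbox start work without user interaction.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Networking defaults to enabled when the element is absent, so treat
    # anything other than an explicit "Disable" as a finding.
    net = root.findtext("Networking")
    if net is None or net.strip().lower() != "disable":
        findings.append(("Networking", (net or "").strip() or "default (enabled)"))

    # A mapped folder that is not read-only lets sandbox code write to the host.
    for folder in root.iter("MappedFolder"):
        host = (folder.findtext("HostFolder") or "").strip()
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append(("WritableMappedFolder", host))

    # A LogonCommand runs as soon as the sandbox session starts.
    cmd = (root.findtext("LogonCommand/Command") or "").strip()
    if cmd:
        findings.append(("LogonCommand", cmd))

    return findings


if __name__ == "__main__":
    for setting, detail in audit_wsb(SAMPLE_WSB):
        print(f"{setting}: {detail}")
```

Running the audit over every .wsb file collected from endpoints (for example from user profiles and startup locations) gives a quick triage list; a file that combines a LogonCommand with networking or a writable mapped folder deserves a closer look.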

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.