UAC-0057 Uses Fake PDFs to Deliver DLL Implants in Eastern European Espionage Campaign
Researchers have detailed a new wave of phishing activity from UAC-0057, a Belarusian-linked espionage group with a long record of targeting Ukraine and Poland. Since April 2025, the actor has distributed RAR and ZIP archives posing as official documents, containing fake PDF invitations that ultimately deliver Excel spreadsheets with heavily obfuscated VBA macros. These macros, often processed through MacroPack, decrypt and execute DLL implants that perform reconnaissance and establish persistence for further compromise. The lures have included invitations to assemblies of Poland’s Union of Rural Municipalities and instructions from Ukraine’s Ministry of Digital Transformation, demonstrating a continued reliance on credible content to enhance social engineering success. Once deployed, the DLL implants initiate host profiling, persistence creation, and outbound connections to attacker-controlled C2 servers, increasingly hosted through Slack integrations and Cloudflare-protected domains. The campaigns combine proven phishing techniques with incremental technical refinements, enabling the group to sustain operations while adapting to defenders’ countermeasures. Investigations between May and July 2025 revealed infection chains labeled in Ukrainian and Polish that unpack Excel files embedding macros to drop ConfuserEx-obfuscated DLLs. Persistence is maintained by creating registry Run keys or scheduled tasks, while additional malware is delivered through steganographic methods that conceal executables within JPEG images hosted on the attacker's infrastructure. Analysts noted consistent code reuse, execution flows involving regsvr32[.]exe or rundll32[.]exe, and recurring infrastructure patterns that strongly align with UAC-0057’s prior activity. Despite the introduction of new C2 channels, modified top-level domains, and obfuscation layers, the group continues to prioritize operational continuity and broad targeting of Eastern European entities. Defenders are advised to monitor for unexpected macro execution, registry modifications tied to persistence, and beaconing to recently registered [.]icu or [.]online domains as part of active defense strategies.
Azure API Connection Flaw Exposes Cross-Tenant Compromise Risks
Azure’s API Connection architecture was found to contain a critical flaw that enabled complete cross-tenant compromise of sensitive resources, including Azure Key Vaults, SQL databases, and connected third-party services, including Salesforce, Slack, and Jira. The vulnerability stemmed from Azure’s design choice to use a globally shared API Management (APIM) instance for all API Connections, coupled with the presence of an undocumented DynamicInvoke endpoint in Azure Resource Manager (ARM). While API Connections are supposed to operate within strict tenant boundaries, this design allowed attackers with Contributor-level access to craft custom Logic App connectors containing path traversal parameters. By supplying malicious paths, requests could be normalized to target another tenant’s API Connection, which ARM then executed using highly privileged service tokens that had global visibility. This effectively granted attackers administrator-level access to victim resources without requiring the role-based permissions usually required for operations, including secret retrieval or SQL queries. The discovery demonstrated that multi-tenant isolation could be bypassed at the architectural level, exposing a much broader attack surface than typical configuration or access control flaws. In practice, exploitation was achieved by defining a custom connector that accepted string path parameters. ARM accepted these requests and forwarded them to the APIM instance, treating them as legitimate and executing them with backend privileges. From there, an attacker could list and retrieve secrets from Key Vaults, access sensitive data in SQL databases, or hijack external integrations tied to an API Connection. The only remaining challenge was discovering valid Connection IDs. Still, these identifiers are not secret and often appear in CI/CD pipelines, logs, or public repositories, making the barrier to entry realistic for adversaries. Microsoft responded quickly, confirming the issue within three days of disclosure in April 2025, and rolling out mitigations a week later by blacklisting path traversal sequences and common URL-encoded variants. This incident highlights the systemic risks associated with hidden shared infrastructure in cloud environments and underscores the importance of secure architectural design, robust input validation, tenant isolation, and continuous adversarial testing to prevent large-scale cross-tenant compromise.
Hackers Deploy Cross-Platform Spy Tools Against Military-Linked Targets in South Asia
Researchers have uncovered a phishing and espionage campaign targeting military and government personnel in South Asia, using defense-themed lures to deliver both desktop and mobile malware. Since early 2025, the activity has involved malicious archives including “Coordination of the Chief of Army Staff’s Visit to China[.]zip, containing phishing PDFs that redirect users to fraudulent Netlify-hosted domains imitating regional defense entities, including the Bangladesh Army, DGDP, and Turkish defense firms. Decoy content has also leveraged themes around international defense expos, Gulf delegations, and IDEF 2025, pointing victims toward credential-harvesting portals masquerading as official email login systems. These phishing kits embed JavaScript obfuscation to hinder inspection, while pivoting on shared file names, URLs, and hashes link the activity to a broader infrastructure cluster. Stolen credentials are funneled into secondary C2 servers, extending the espionage beyond the initial phishing site. The campaign further expands into mobile surveillance operations, distributing weaponized Android apps built on modified Rafel RAT code. Once installed, these APKs exfiltrate sensitive data to C2 panels on domains including quickhelpsolve[.]com. Permissions including ADD_DEVICE_ADMIN, READ_CONTACTS, and READ_EXTERNAL_STORAGE enable full device takeover, persistence, and command execution. Pivoting into the infrastructure revealed additional APKs tied to kutcat-rat[.]com, with evidence of Unix timestamp markers used for campaign synchronization. WHOIS records link the activity to prior phishing clusters through shared registrant email addresses, with infrastructure including play-googyle[.]com, which overlaps with desktop malware samples. These Windows payloads communicate with the same C2 servers as the Android implants, reinforcing cross-platform targeting. Attribution indicators, including PDB paths, reused error strings, and C2 overlaps, align with activity previously tracked as Sidewinder/UNK_ArmyDrive, highlighting the persistent espionage risk posed to military-linked individuals in India, Bangladesh, Pakistan, and Nepal.
ChatGPT-5 Downgrade Exploit Exposes AI Routing Vulnerabilities
Security researchers at Adversa AI have uncovered a new attack in ChatGPT-5 and other multi-model AI systems, revealing that most user queries are silently routed to weaker, cheaper models rather than the premium GPT-5 tier. The vulnerability, named PROMISQROUTE (Prompt-based Router Open-Mode Manipulation Induced via SSRF-like Queries, Reconfiguring Operations Using Trust Evasion), exposes how attackers can manipulate routing logic by embedding simple trigger phrases that include “respond quickly” or “use compatibility mode” into prompts. These minor modifications cause the router to downgrade requests from secure models to less-aligned variants, including GPT-4, GPT-5-mini, or GPT-5-nano, bypassing established safety filters. Adversa’s testing confirms that this downgrade attack is trivial to execute, works consistently across production systems, and undermines years of safety training. Analysis further shows that up to 80% of GPT-5 traffic is already processed by downgraded variants, with OpenAI saving an estimated $1.86 billion annually through this cost-optimization practice. This research highlights that PROMISQROUTE represents a novel class of AI routing vulnerabilities comparable to historical web flaws, including SSRF: it trusts unvalidated user input to make security-critical routing decisions. The architectural weakness is not unique to OpenAI but applies to all layered or agentic routing infrastructures, creating industry-wide risk. In enterprise contexts, the threat escalates when combined with retrieval-augmented generation (RAG) pipelines, where downgraded models expose sensitive data or fail to comply with requirements, such as the GDPR. Mitigation requires the immediate auditing of routing logs and the detection of PROMISQROUTE patterns, as well as the near-term deployment of cryptographic routing that does not parse user prompts. Additionally, longer-term adoption of universal safety filters across all model variants is necessary. This discovery underscores that AI security cannot depend solely on alignment training; long-term resilience requires secure routing architectures, formally verified orchestration mechanisms, and industry-wide standards that prevent adversaries from manipulating requests to weaker models.
Top CVEs of the Week
Top CVEs of the Week - As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.
