Update: VenomRAT Delivered Through Virtual Hard Disk Files in New Stealth Attack
Cybercriminals have adopted a novel technique to distribute VenomRAT, embedding it within virtual hard disk (.VHD) image files to bypass traditional security defenses. The campaign begins with phishing emails disguised as purchase orders, luring recipients into downloading and opening a seemingly harmless attachment. Once the .VHD file is mounted, the system treats it as a new drive, and a hidden batch script inside it launches PowerShell commands to establish persistence. The malware then modifies registry settings so that it remains active after the system reboots, and places scripts in the Startup folder to execute automatically. This method helps attackers evade antivirus detection, as .VHD files are typically associated with legitimate virtualization and disk imaging functions rather than malware delivery. Once installed, VenomRAT connects to a command-and-control (C2) server through Pastebin, enabling remote execution of commands while maintaining stealth. The malware logs keystrokes, extracts sensitive data, and deploys Hidden Virtual Network Computing (HVNC), allowing attackers to take full control of infected systems without the victim noticing. Additionally, it downloads and executes a .NET-based payload designed to manipulate system files, encrypt data, and further entrench itself within the compromised environment. This multi-layered attack demonstrates a growing shift toward abusing lesser-known file formats and system tools to evade detection, making it harder for security teams to identify and mitigate the threat. To counter this evolving technique, organizations must implement strict email filtering, regularly update endpoint security solutions, and educate users on recognizing suspicious email attachments, particularly those in unusual file formats such as .VHD.
Update: ClearFake Campaign Expands Malware Distribution Tactics
The ClearFake campaign continues to evolve, using fake reCAPTCHA and Cloudflare Turnstile verifications to lure victims into downloading information-stealing malware, including Lumma Stealer and Vidar Stealer. Initially identified in July 2023, the campaign began with fake browser update lures on compromised WordPress sites but has since adopted advanced evasion tactics. One of its key innovations is EtherHiding, which uses Binance Smart Chain (BSC) contracts to host and distribute malicious payloads, making them harder to detect and disrupt. As of May 2024, ClearFake incorporated ClickFix, a social engineering tactic that tricks users into running PowerShell commands under the pretense of fixing non-existent technical issues. By embedding key components within smart contracts, the attackers ensure their framework remains resilient to takedowns, while daily updates to lures and payloads keep security researchers struggling to keep pace. In early 2025, Mandiant researchers identified new ClearFake attack chains deploying malware via alternative methods, including compromised auto dealership websites and third-party video services. By February 2025, at least 9,300 websites had been infected, with reports of widespread user exposure to malicious prompts. ClearFake's operators have also integrated Web3 encryption techniques to obfuscate ClickFix-related HTML code, increasing their ability to bypass security solutions. The campaign highlights a broader trend of sophisticated social engineering, where attackers combine advanced evasion techniques with traditional phishing to deliver malware at scale. As these attacks continue to grow in complexity, businesses must adopt stricter content filtering, reinforce PowerShell restrictions, and educate users on recognizing deceptive prompts that could lead to credential theft or system compromise.
State-Sponsored Threat Actors Exploiting 2017 Windows Zero-Day Vulnerability
A previously undisclosed security flaw in Microsoft Windows, tracked as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat actors from China, Iran, North Korea, and Russia since 2017. The vulnerability enables attackers to execute hidden malicious commands by leveraging specially crafted Windows Shortcut (.LNK) files whose command-line arguments are padded with whitespace characters so that the real command is not shown in the file's properties. Researchers have identified nearly 1,000 malicious .LNK file samples, many of which have been linked to prominent cybercriminal and nation-state groups, including Evil Corp, Kimsuky, Konni, Bitter, and ScarCruft. The primary targets of these attacks include governments, financial institutions, defense agencies, telecommunications providers, and think tanks in the U.S., Canada, Russia, South Korea, Vietnam, and Brazil. The .LNK files have been observed deploying known malware strains like Lumma Stealer, GuLoader, and Remcos RAT, with Evil Corp using the flaw to spread Raspberry Robin malware. Despite nation-state actors' widespread abuse of this vulnerability, Microsoft has classified the issue as low severity and has no immediate plans to release a fix. The company argues that its built-in security features, including Microsoft Defender and Smart App Control, provide adequate protection against attacks leveraging this technique. Additionally, Microsoft has reinforced security warnings for .LNK files downloaded from untrusted sources, advising users against opening them. However, Trend Micro researchers warn that ZDI-CAN-25373 allows adversaries to bypass critical security indicators, increasing the risk of data theft and cyber espionage. The discovery of overlapping use among North Korean threat groups further suggests coordinated efforts within Pyongyang's cyber operations.
As Microsoft considers addressing the issue in a future update, organizations are advised to remain vigilant by restricting the execution of .LNK files from unknown sources and enhancing endpoint detection for suspicious shortcut-based attacks.
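A defender-side check for the whitespace padding described above, added here as an example and not taken from the Trend Micro research or any vendor tool: it walks the Shell Link structures laid out in MS-SHLLINK to pull out the COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments contain a long whitespace run. The `build_sample_lnk` fixture, the sample argument strings and the 64-character threshold are constructed assumptions for this example.

```python
import re
import struct
from typing import Optional

# LinkFlags bits (MS-SHLLINK 2.1.1) deciding which optional structures follow the 0x4C-byte header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
# Whitespace characters that can pad a shortcut's arguments without changing what executes.
WHITESPACE_RUN = re.compile(r"[ \t\n\x0b\x0c\r]+")

def extract_lnk_arguments(data: bytes) -> Optional[str]:
    """Walk a Shell Link's optional structures and return COMMAND_LINE_ARGUMENTS, or None."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes its own 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    # StringData entries follow in this fixed order, each as CountCharacters + characters.
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        size = count * 2 if unicode else count
        text = data[off + 2:off + 2 + size].decode("utf-16-le" if unicode else "cp1252")
        off += 2 + size
        if bit == HAS_ARGUMENTS:
            return text
    return None

def longest_whitespace_run(text: str) -> int:
    return max((len(m) for m in WHITESPACE_RUN.findall(text)), default=0)

def is_padded_lnk(data: bytes, threshold: int = 64) -> bool:
    """Flag a shortcut whose arguments contain a whitespace run no genuine command line needs."""
    return longest_whitespace_run(extract_lnk_arguments(data) or "") >= threshold

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture: a minimal .LNK carrying only a Unicode arguments string."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `is_padded_lnk(open(path, "rb").read())` over a quarantine folder to triage shortcuts; real samples also carry LinkTargetIDList and LinkInfo blocks, which the walker skips using their size fields.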
Critical SCADA Vulnerabilities in mySCADA myPRO Could Lead to Operational Takeovers
Cybersecurity researchers at Catalyst have uncovered two critical vulnerabilities in mySCADA myPRO, a widely used Supervisory Control and Data Acquisition (SCADA) system deployed in operational technology (OT) environments. Both flaws, CVE-2025-20014 and CVE-2025-20061, received a CVSS v4 score of 9.3, indicating their high severity and potential impact. The vulnerabilities stem from insufficient input validation, allowing attackers to inject and execute arbitrary operating system commands through maliciously crafted POST requests targeting the version and email parameters. If exploited, these flaws could give an attacker full control over SCADA systems, leading to severe operational disruptions, financial losses, and potential safety hazards in critical industrial environments. Attackers leveraging these flaws could manipulate industrial processes, shut down essential services, or use compromised SCADA systems as entry points for larger attacks on interconnected networks. These security flaws emphasize the persistent risks within SCADA and industrial control systems (ICS), which are frequently targeted by cybercriminals and nation-state actors because of their critical role in infrastructure and manufacturing. Unpatched systems remain highly vulnerable, so organizations should immediately upgrade to mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1, where these vulnerabilities have been addressed. Beyond patching, companies should enforce strict network segmentation, isolating SCADA systems from traditional IT environments to limit an attacker's lateral movement. Implementing multi-factor authentication (MFA) and continuous network monitoring can help detect and mitigate exploitation attempts. Given the increasing frequency of SCADA-related cyberattacks, securing these environments is no longer optional; failure could lead to catastrophic disruptions in critical industries such as energy, manufacturing, water treatment, and transportation.