CrowdStrike Patches Falcon Sensor Vulnerabilities on Windows
CrowdStrike has released fixes for two medium-severity vulnerabilities in its Falcon sensor for Windows, tracked as CVE-2025-42701 and CVE-2025-42706, that could allow an attacker who already has code execution on the host to delete arbitrary files and disrupt system stability. The first flaw, a race condition (CWE-367), carries a CVSS score of 5.6; the second, a logic validation error (CWE-346), is rated 6.5. Both issues stem from improper handling of file operations within the sensor, which allows critical system or application files to be removed under certain timing conditions. CrowdStrike found the flaws internally through its bug bounty and testing programs and emphasized that only Windows sensors are affected, not macOS or Linux deployments. The company states that there is no evidence of exploitation in the wild and that the patches do not affect sensor performance. The vulnerabilities are fixed in Falcon sensor version 7.29, with hotfixes issued for earlier builds, 7.24 through 7.28, and for 7.16 on Windows 7 and Server 2008 R2 systems. Affected versions include 7.28.20006, 7.27.19907, and earlier; patched releases begin with 7.28.20008 and above. Customers running long-term visibility sensors for Windows IoT can apply the 7.24 hotfix as a compatible update. To support enterprise response, CrowdStrike has published a GitHub query that lets organizations identify at-risk hosts. The disclosure reflects a proactive approach to vulnerability management, reinforcing confidence in Falcon's security posture while letting users patch without operational disruption.
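A small inventory triage helper, added here as an example and not CrowdStrike's published GitHub query: it classifies a Windows Falcon sensor version against the builds named in the summary above (7.29 as the fixed release, 7.28.20008 as the first fixed 7.28 build, 7.27.19907 as a stated affected build). Branches that received a hotfix whose build number is not given in the summary are reported as "verify hotfix" rather than guessed; the host inventory is constructed.

```python
from typing import Dict, Optional, Tuple

FIXED_RELEASE = (7, 29)
# branch -> (highest build stated as affected, lowest build stated as fixed);
# None means the summary above does not give that number.
BRANCH_BUILDS: Dict[Tuple[int, int], Tuple[Optional[int], Optional[int]]] = {
    (7, 28): (20006, 20008),
    (7, 27): (19907, None),
}
# Branches for which a hotfix was issued (7.24 through 7.28, plus 7.16).
HOTFIX_BRANCHES = {(7, 16), (7, 24), (7, 25), (7, 26), (7, 27), (7, 28)}

def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.28.20006' -> (7, 28, 20006); a missing build number becomes 0."""
    parts = v.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised sensor version: {v!r}")
    build = int(parts[2]) if len(parts) > 2 else 0
    return int(parts[0]), int(parts[1]), build

def classify(v: str) -> str:
    """'patched', 'vulnerable', or 'verify hotfix' for one sensor version."""
    major, minor, build = parse_version(v)
    branch = (major, minor)
    if branch >= FIXED_RELEASE:
        return "patched"
    affected_max, fixed_min = BRANCH_BUILDS.get(branch, (None, None))
    if fixed_min is not None and build >= fixed_min:
        return "patched"
    if affected_max is not None and build <= affected_max:
        return "vulnerable"
    if branch in HOTFIX_BRANCHES:
        return "verify hotfix"   # a hotfix exists, but its build is not stated above
    return "vulnerable"          # "and earlier": no hotfix named for this branch

def at_risk_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """hostname -> version in; hostname -> status out, patched hosts dropped."""
    statuses = {h: classify(v) for h, v in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "patched"}

if __name__ == "__main__":
    # Constructed inventory; the 7.16 and 7.20 build numbers are made up.
    sample = {"ws-01": "7.28.20006", "ws-02": "7.28.20008", "srv-03": "7.29.20100",
              "srv-04": "7.27.19907", "legacy-05": "7.16.18600", "old-06": "7.20.17000"}
    for host, status in at_risk_hosts(sample).items():
        print(f"{host}: {status}")
```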
Polymorphic Python RAT That Rewrites Itself Every Run
SANS Security researchers discovered a Python remote access trojan on VirusTotal that mutates its code with every execution, rendering signature-based detection unreliable. The sample uses self-modifying and polymorphic routines to read its own source, apply random encryption and junk-code transformations, then execute the result from memory instead of writing a clear payload to disk. That behavior lets the malware appear different to scanners each time it runs while preserving the same malicious capabilities. It includes a full offensive toolset: network scanning, credential testing, payload delivery, data exfiltration, propagation, and remote control through bot channels. The sample's low VirusTotal score and function names such as self_modifying_wrapper() and polymorph_code() point to deliberate design choices intended to evade static analysis and hinder incident response. The takeaway is straightforward: threats are evolving to evade traditional perimeter controls and require defensive strategies that focus on behavior and resilience rather than signatures alone. Operational risk from this RAT is significant because it runs in memory, archives its tools on the fly, and offers hands-off control to operators through command channels. Once inside, it can probe internal systems, move laterally, steal data, deploy ransomware, or install persistent backdoors without leaving obvious artifacts on disk. Detection, therefore, requires monitoring for anomalous behavior, rapid containment, and assuming breach when unusual activity is observed. Organizations should prioritize reducing attacker dwell time by enforcing least privilege, enforcing multi-factor authentication, hardening developer and admin endpoints, and ensuring robust backups and recovery plans are in place.
Communication to boards and business leaders should emphasize that prevention will never be perfect, and investments must balance prevention, detection, and recovery to limit business impact if a sophisticated memory-resident threat is encountered.
HR-Themed Zoom Docs Phish Funnels Victims into Live Gmail Cred Theft
Attackers are exploiting spoofed Zoom Docs notifications to deliver phishing payloads that look entirely legitimate. These emails pass all authentication checks (SPF, DKIM, and DMARC), which lowers suspicion for most recipients. The message appears to come from “HR Departments via Zoom Docs” and invites the user to view an “HR application” through what seems to be a normal Zoom share link. In reality, the link routes users to a server hosted on overflow[.]qyrix[.]com[.]de, where a fake “press and hold to confirm” gate appears. This step pretends to verify the user as human but actually serves to evade automated detection systems and make the interaction feel trustworthy. Once the user completes the action, they’re redirected to a forged Gmail login page that looks almost identical to the real thing, except it’s hosted on an off-domain server. Credentials entered here are exfiltrated live through a WebSocket channel to the attacker’s command-and-control system, where they’re tested instantly against Google’s authentication API for valid hits. The warning signs of this attack are specific and easy to identify with a bit of attention. A legitimate Zoom document share will always resolve to a zoom[.]us or zoom[.]com domain; any link redirecting elsewhere should raise an immediate red flag. Google’s authentication process does not include “bot protection” or “human verification” gates, so encountering those before a login prompt means the site is fraudulent. Victims who entered their credentials should go directly to google.com to change their passwords immediately, enable two-factor authentication, and review their account’s recent activity. Password managers can provide an additional safeguard here; they refuse to autofill credentials on pages that don’t match the legitimate domain, signaling something is wrong. 
Users should also report suspicious Zoom links through Zoom's abuse portal and submit phishing reports to Google with screenshots and email headers to accelerate takedown. The broader lesson is simple: even trusted platforms can be exploited, so every shared document, even one that looks corporate or familiar, deserves a second glance before you click.
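The domain check recommended above, written out as an added example (not code from the report): the hostname is parsed out of the link and compared against the legitimate Zoom domains on a label boundary, the way a password manager matches a site, rather than with a substring test that lookalike hosts defeat. The https requirement and all sample URLs are this example's own assumptions.

```python
from urllib.parse import urlparse

LEGIT_ZOOM_DOMAINS = ("zoom.us", "zoom.com")

def hostname_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_legit_zoom_link(url: str) -> bool:
    """Does a share link actually resolve to a Zoom-owned host?"""
    try:
        parsed = urlparse(url.strip())
    except ValueError:            # e.g. a malformed IPv6 literal
        return False
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    # urlparse drops any 'user@' prefix, so "https://zoom.us@evil.example/"
    # yields hostname evil.example and is rejected like any other lookalike.
    return any(hostname_matches(parsed.hostname, d) for d in LEGIT_ZOOM_DOMAINS)

def triage(url: str) -> str:
    """Short verdict for a share link found in an email."""
    if is_legit_zoom_link(url):
        return "ok: resolves to Zoom"
    try:
        host = urlparse(url.strip()).hostname or "<no host>"
    except ValueError:
        host = "<unparseable>"
    return f"red flag: Zoom share link points at {host}"

if __name__ == "__main__":
    samples = [  # constructed URLs, none of them real
        "https://us02web.zoom.us/doc/abc123",
        "https://zoom.us.cdn-share.example/doc/abc123",    # legit domain as a prefix
        "https://zoom.us@files.lookalike.example/verify",   # userinfo trick
        "https://notzoom.us/doc/abc123",                    # no label boundary
        "http://zoom.us/doc/abc123",                        # not https
    ]
    for u in samples:
        print(triage(u))
```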
Update: Cache Smuggling Revives ClickFix; A Silent New Way to Deliver Malware
Expel researchers have uncovered a new wave of ClickFix-style attacks that exploit browser caching instead of direct downloads, making detection far more difficult. The campaign poses as a Fortinet VPN Compliance Checker, leveraging Fortinet's presence in corporate networks to appear trustworthy. When users visit the fake site, it displays a familiar Fortinet-branded interface and a text box pointing to a supposed internal file path. Hidden behind 139 spaces, however, is a long PowerShell command disguised to look harmless. When the user clicks the text box or "Open File Explorer," the page silently copies that full command to the clipboard. Pasting it into Windows Explorer's address bar executes a concealed script through PowerShell, which interacts with the browser's cache to retrieve and unpack a malicious ZIP file already stored locally. By concealing the harmful portion above the visible area and wrapping it in a believable workflow, the attackers achieve execution without any obvious red flags to the user. What makes this campaign groundbreaking is its use of "cache smuggling" to place malicious content onto a system without triggering traditional download alerts. Instead of fetching files from remote servers, the phishing page quietly loads what appears to be a JPEG image but is actually a disguised ZIP archive, allowing the browser to store it in the cache as a normal operation. The PowerShell script then scans Chrome's cache, locates the hidden data using specific marker strings, extracts the ZIP file, and runs the malware inside. Because no file download or network request occurs during execution, most antivirus and endpoint systems see nothing suspicious. The sophistication lies in combining technical trickery with social engineering, leveraging trusted branding, realistic UI design, and invisible clipboard manipulation to gain access.
This new ClickFix variant reinforces how attackers continue to weaponize normal system behavior, reminding enterprises and executives alike that user trust remains the easiest entry point into a secure environment.
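A defender-side check for the smuggling pattern described above, added here as an example and not Expel's code: it scans raw browser cache entry files for a complete ZIP archive sitting behind a JPEG header. The cache location and entry framing are assumptions (the scan is byte-oriented, so framing does not matter), and the entries it examines are constructed in a temporary directory.

```python
import io, os, tempfile, zipfile
from typing import List, Optional, Tuple

JPEG_SOI = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"

def find_embedded_zip(data: bytes) -> Optional[int]:
    """Offset of a ZIP local header later followed by an EOCD record, else None."""
    start = data.find(ZIP_LOCAL_HEADER)
    while start != -1:
        if data.find(ZIP_EOCD, start) != -1:   # both signatures: a real archive
            return start
        start = data.find(ZIP_LOCAL_HEADER, start + 1)
    return None

def classify_entry(data: bytes) -> Optional[str]:
    off = find_embedded_zip(data)
    if off is None:
        return None                      # clean entry
    soi = data.find(JPEG_SOI)
    if soi != -1 and soi < off:          # image header in front of a real archive
        return f"zip hidden behind JPEG header at offset {off}"
    return "zip archive in cache entry"

def scan_cache(cache_dir: str) -> List[Tuple[str, str]]:
    """Walk raw cache entry files; return (file name, verdict) for each hit."""
    hits = []
    for root, _, files in os.walk(cache_dir):
        for name in sorted(files):
            with open(os.path.join(root, name), "rb") as f:
                verdict = classify_entry(f.read())
            if verdict:
                hits.append((name, verdict))
    return hits

def make_zip_bytes() -> bytes:
    """Constructed benign archive standing in for the smuggled payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", "constructed sample, not malware")
    return buf.getvalue()

def demo() -> List[Tuple[str, str]]:
    """Write one clean image entry and one smuggled entry, then scan them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "f_000001"), "wb") as f:      # plain image bytes
            f.write(JPEG_SOI + b"\xe0\x00\x10JFIF" + bytes(range(64)))
        with open(os.path.join(d, "f_000002"), "wb") as f:      # JPEG header + zip
            f.write(JPEG_SOI + b"\xe0" + bytes(32) + make_zip_bytes())
        return scan_cache(d)
```

Pair this with process monitoring for explorer.exe spawning powershell.exe, since the cache hit alone says a disguised archive was fetched, not that it ran.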