TRENDING TOPICS APR 30, 2025

Microsoft Telnet Server Vulnerability Allows Guest Login Bypass 

A critical security vulnerability has been discovered in Microsoft’s legacy Telnet Server that allows threat actors to bypass guest login restrictions, even on systems where guest access has been explicitly disabled. The flaw, identified by researchers at SecureNet Labs, stems from how the Telnet Server component interprets and processes specific authentication requests. By crafting these requests in a particular manner, attackers can gain guest-level access to targeted systems without proper authentication. This effectively undermines a core security control relied upon by administrators, who typically assume that disabling guest login fully mitigates this risk.

The vulnerability impacts Windows Server 2012, 2016, and 2019, as well as Windows 10 and 11—but only in configurations where the optional Telnet feature is installed and enabled. Environments where Telnet is either not installed or has been explicitly disabled remain unaffected. Although Telnet is considered outdated and has largely been replaced by secure protocols such as SSH, it is still present in numerous legacy systems, including industrial control environments, educational institutions, and some enterprise networks where backward compatibility is required. Its persistence in production environments significantly widens the threat landscape, especially where internal segmentation is weak and visibility over legacy services is poor.

Microsoft has confirmed the vulnerability and is actively developing a patch, which is expected to be included in an upcoming Patch Tuesday security update. In the meantime, organizations are strongly advised to disable Telnet Server on all systems unless it is necessary for specific use cases. Additionally, network administrators should apply strict access controls, segment any systems running legacy services, and monitor system and authentication logs for anomalous login attempts or patterns indicating potential exploitation.
While a formal CVE identifier has not yet been assigned to this vulnerability, one is anticipated to be published following the release of Microsoft’s official security advisory. Until then, defenders must recognize the potential for lateral movement and privilege escalation stemming from this flaw and take preemptive actions to harden their environments. 

TheWizards APT Group Uses IPv6 Spoofing to Hijack Software Updates in Targeted Attacks 

ESET researchers have uncovered an advanced campaign by a China-aligned threat group, TheWizards, which has been targeting organizations and individuals across Asia and the Middle East since 2022. The group uses a custom-built lateral movement tool, Spellbinder, to perform adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This method allows the attackers to impersonate network routers, redirecting software update traffic from trusted applications to malicious servers. Victims are primarily located in the Philippines, Cambodia, the UAE, Hong Kong, and mainland China, with targets including gambling firms and high-value individuals. Once access is gained, the attackers deploy a modular backdoor named WizardNet that communicates with command servers and executes malicious .NET components on compromised machines. In one instance, they hijacked the update process for Tencent QQ to install their malware quietly.

Spellbinder exploits overlooked IPv6 configurations by sending spoofed router advertisements across the local network, tricking Windows systems into using attacker-controlled DNS servers. This setup enables traffic redirection for domains linked to widely used Chinese platforms without compromising an ISP. The DNS servers used in these attacks are tied to AS4134, operated by China Telecom. ESET also identified overlaps in infrastructure with Sichuan Dianke Network Security Technology, a Chinese firm previously linked to surveillance operations against Tibetan and Uyghur groups. In addition to targeting Windows systems, the attackers can infect Android devices through a secondary backdoor known as DarkNights. TheWizards' ability to quietly hijack routine update mechanisms shows a high level of sophistication and ongoing development, making them a serious concern for regional and global cybersecurity.
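A defender-side check for the SLAAC/RDNSS spoofing described above, added here as an example (it is not ESET's code or tooling): it parses the ICMPv6 Router Advertisement payload per RFC 4861 and RFC 8106 and flags advertisements whose sender link-local address or advertised DNS resolvers fall outside a hypothetical allowlist. The sample packets and the allowlist values are constructed for this example; in practice the sender address comes from the IPv6 header of a capture taken on a monitoring port.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861 message type
OPT_RDNSS = 25                     # Recursive DNS Server option, RFC 8106
TRUSTED_ROUTERS = {"fe80::1"}      # hypothetical allowlist: link-local addresses of real routers
APPROVED_DNS = {"2001:db8::53"}    # hypothetical allowlist: resolvers an RA may advertise

def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement and collect its RDNSS servers."""
    if len(icmpv6) < 16:
        raise ValueError("too short for a Router Advertisement")
    hdr = struct.unpack("!BBHBBHII", icmpv6[:16])  # type, code, csum, hops, flags, lifetime, reachable, retrans
    if hdr[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (type {hdr[0]})")
    dns_servers, offset = [], 16
    while offset + 2 <= len(icmpv6):          # walk the TLV options after the fixed header
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:                      # RFC 4861: a zero-length option invalidates the packet
            raise ValueError("zero-length option")
        opt_end = offset + opt_len * 8        # option length is counted in 8-octet units
        if opt_end > len(icmpv6):
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_RDNSS:             # 8-byte option header, then one or more 16-byte addresses
            for pos in range(offset + 8, opt_end, 16):
                dns_servers.append(ipaddress.IPv6Address(icmpv6[pos:pos + 16]))
        offset = opt_end
    return {"router_lifetime": hdr[5], "dns_servers": dns_servers}

def rogue_ra_findings(src_link_local: str, icmpv6: bytes,
                      trusted_routers=TRUSTED_ROUTERS, approved_dns=APPROVED_DNS) -> list:
    """Return alert strings for an RA whose sender or advertised resolvers are not on the allowlist."""
    ra = parse_router_advertisement(icmpv6)
    findings = []
    if src_link_local not in trusted_routers:
        findings.append(f"RA from untrusted router {src_link_local}")
    for server in ra["dns_servers"]:
        if str(server) not in approved_dns:
            findings.append(f"RDNSS option pushes unapproved DNS server {server}")
    return findings

# Constructed sample packets (ICMPv6 payload only, checksum zeroed); these are not real captures.
SAMPLE_RA_LEGIT = bytes.fromhex(
    "86 00 0000 40 00 0708 00000000 00000000"   # type 134, hop limit 64, router lifetime 1800 s
    "19 03 0000 00000e10"                        # RDNSS: type 25, length 3 (24 bytes), lifetime 3600 s
    "2001 0db8 0000 0000 0000 0000 0000 0053")  # advertises resolver 2001:db8::53
SAMPLE_RA_ROGUE = SAMPLE_RA_LEGIT[:-16] + ipaddress.IPv6Address("2001:db8:bad::1").packed  # same RA, different resolver
```

On managed switches, RA Guard (RFC 6105) drops such advertisements at the access port; a check like this verifies that nothing slips past it.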

Anthropic Report Exposes Real-World Abuse of Claude AI in Cyber Operations  

A recent report by Anthropic, “Detecting and Countering Malicious Uses of Claude: March 2025,” outlines four real-world incidents where threat actors misused the Claude generative AI model for cybercrime. Documented cases include a politically motivated bot operation using over 100 social media accounts, a credential stuffing campaign targeting IoT security cameras, a fraudulent job recruitment scheme aimed at Eastern Europeans, and malware development using Claude-generated GUI payload generators. Although Anthropic successfully banned the accounts involved, the report highlights a growing risk: language models can scale and enhance traditional cyber threats with little technical expertise required. These examples demonstrate how AI accelerates threat actor capabilities across social engineering, malware creation, and infrastructure automation.

However, the report fails to provide actionable technical intelligence—missing key data such as attack infrastructure, specific prompts, or malware characteristics. This lack of detailed IOCs emphasizes the need for a new approach in cybersecurity—one focused on identifying and classifying LLM-specific tactics, techniques, and procedures. These include malicious prompt engineering, evasion of AI safety controls, and output exploitation for phishing, influence, or system compromise. Prompts are emerging as the new indicators of compromise, essential for understanding how threat actors exploit LLMs. Efforts like MITRE’s ATLAS matrix and tools like NOVA—a prompt-focused detection framework—are now being developed to fill this gap. NOVA applies rule-based detection to identify adversarial prompts through pattern matching and semantic analysis, allowing defenders to move from reactive to proactive defense. As misuse of generative AI becomes more frequent and complex, security teams must adopt LLM-aware threat modeling to anticipate attacks before they scale.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.