TRENDING TOPICS JULY 11, 2025

Ducex Android Packer Introduces Advanced Obfuscation to Shield Triada Malware

The Ducex packer represents a significant advancement in Android malware obfuscation, acting as a delivery mechanism for the long-standing Triada malware family. Researchers at ANY.RUN initially discovered the malware embedded in a fake Telegram app. Ducex uses multiple layers of evasion to bypass static and dynamic analysis, including encrypted function blocks, string obfuscation, and anti-tool detection. What makes Ducex particularly dangerous is its use of a custom-modified RC4 algorithm with additional shuffling, encrypting entire libraries (such as libducex[.]so) and decrypting them only at runtime. This ensures that reverse engineers and sandboxes see little to no useful code unless the malware is fully executed. Once deployed, Triada uses its privileged access to carry out persistent infections, monetize victims through ad fraud, and install additional payloads. In addition to the encryption barriers, Ducex implements aggressive anti-analysis logic that actively detects popular instrumentation tools such as Frida, Xposed, and Substrate; if any of these are found in memory, execution is terminated immediately to avoid detection. These features signal a broader trend toward advanced mobile malware tooling, where packers play a critical role in maintaining stealth across the infection lifecycle. For defenders, this means traditional antivirus signatures may be insufficient, and more emphasis must be placed on behavior-based and memory analysis techniques. As attackers continue refining their techniques, Ducex demonstrates how even mature threats like Triada can remain viable when paired with modern evasion frameworks.
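A library that is stored fully encrypted and only decrypted in memory leaves a telltale on disk: its code section is near-random bytes rather than instruction patterns. The following triage heuristic, an added example that is not ANY.RUN's tooling or anything from the Ducex samples, parses the ELF64 section table of a native Android library without external dependencies and flags a .text section whose Shannon entropy is close to 8 bits per byte; the two ELF images it checks are constructed fixtures, and the 7.5 threshold is an assumed tuning value.

```python
import math
import struct
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; ordinary ARM64 code sits well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def elf64_sections(blob: bytes) -> Dict[str, bytes]:
    """Map section name -> raw bytes for a little-endian ELF64 image."""
    if blob[:5] != b"\x7fELF\x02" or blob[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", blob, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", blob, 0x3A)

    def shdr(i: int):  # sh_name, sh_offset, sh_size of section header i
        name, _t, _f, _a, off, size = struct.unpack_from("<IIQQQQ", blob, e_shoff + i * e_shentsize)
        return name, off, size

    _, str_off, str_size = shdr(e_shstrndx)
    strtab = blob[str_off:str_off + str_size]  # section-name string table
    sections = {}
    for i in range(e_shnum):
        name_idx, off, size = shdr(i)
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        sections[name] = blob[off:off + size]
    return sections


def looks_packed(blob: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: a code section made of near-random bytes is likely encrypted on disk."""
    return shannon_entropy(elf64_sections(blob).get(".text", b"")) > threshold


def build_elf(text: bytes) -> bytes:
    """Constructed minimal ELF64 (AArch64, ET_DYN) with one .text section; a fixture, not a real library."""
    shstrtab = b"\0.text\0.shstrtab\0"
    text_off, str_off = 64, 64 + len(text)
    sh_off = str_off + len(shstrtab)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 183, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 2)

    def sh(name_idx: int, off: int, size: int) -> bytes:
        return struct.pack("<IIQQQQIIQQ", name_idx, 1, 0, 0, off, size, 0, 0, 1, 0)

    return hdr + text + shstrtab + sh(0, 0, 0) + sh(1, text_off, len(text)) + sh(7, str_off, len(shstrtab))


# Constructed samples: repeated AArch64 NOPs (plain code) vs. a uniformly distributed byte stream
PLAIN_LIB = build_elf(b"\x1f\x20\x03\xd5" * 1024)
PACKED_LIB = build_elf(bytes(range(256)) * 16)

if __name__ == "__main__":
    for label, lib in (("plain", PLAIN_LIB), ("packed", PACKED_LIB)):
        print(label, round(shannon_entropy(elf64_sections(lib)[".text"]), 2), looks_packed(lib))
```

Run it against the lib/ directory of a suspect APK to shortlist libraries for dynamic or memory analysis; a high score is a prompt for closer inspection, not a verdict, since legitimate apps also ship compressed or DRM-protected code.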

eSIM Cloning Flaw Exposes Billions to Silent Phone Identity Hijacking

A serious vulnerability in eSIM technology has allowed researchers to successfully clone subscriber identities and hijack phone communications, posing an unprecedented threat to mobile security. AG Security Research demonstrated how they compromised Kigen eUICC cards—widely used in over 2 billion devices—by extracting private ECC keys and downloading mobile operator profiles from major carriers like AT&T, Vodafone, and Orange in unencrypted form. These profiles were then used to clone eSIMs and silently redirect all voice calls, text messages, and even two-factor authentication codes to attacker-controlled devices. The researchers achieved full identity hijacking without alerting the original user, proving how this exploit bypasses traditional security layers and exposes both consumers and enterprise users relying on SMS-based authentication. The attack targets a flaw in the Java Card virtual machine, specifically exploiting type confusion vulnerabilities to bypass high-level certifications and runtime security protections. The exploit can be launched either with physical access or remotely through over-the-air (OTA) channels using SMS-based provisioning. Researchers emphasized the compromise of key elements like OPc and AMF fields—core to network authentication—as especially dangerous. A live demonstration on Orange Poland’s network showed that two separate devices could run identical eSIMs, with only the attacker receiving inbound communications. Kigen responded by issuing patches to millions of devices and enhancing type safety across JavaCard instructions. At the same time, GSMA has released updated security specifications and disabled all test profiles to prevent unauthorized installations. This incident underscores the critical need for robust, end-to-end protections across the eSIM ecosystem as digital identity becomes increasingly tied to mobile infrastructure. 

Top CVEs of the Week

As part of our ongoing monitoring of vulnerabilities, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard

CVE-2025-5777 | Severity: Critical | Product: Citrix NetScaler
A serious information disclosure vulnerability in Citrix NetScaler, dubbed "Citrix Bleed2," which can expose sensitive memory contents to unauthenticated attackers.
Remediation: Citrix has released patched versions. Administrators should update affected appliances immediately and monitor for any abnormal access patterns.

CVE-2025-41672 | Severity: Critical | Product: WAGO Industrial Systems
This vulnerability affects WAGO industrial control systems and could allow an attacker to perform unauthorized actions or escalate privileges due to improper validation in system services.
Remediation: Users should apply the latest firmware updates released by WAGO and follow ICS-CERT guidance to segment networks and limit access.

CVE-2016-10033 | Severity: Critical | Product: PHPMailer
A remote code execution vulnerability in PHPMailer, a popular PHP email library, due to insufficient sanitization of user-supplied input in email headers.
Remediation: Upgrade to PHPMailer version 5.2.23 or later to fully resolve the issue.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.