
Table of Contents

  1. New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection 
  2. Chinese hackers abuse Microsoft APP-v tool to evade antivirus 
  3. Mozilla Addresses High-Severity Memory Safety Vulnerabilities in Firefox 135.0.1 
  4. CISA Warns of Active Exploitation of SonicWall SonicOS RCE Vulnerability 
  5. 90,000 WordPress Sites Exposed to Local File Inclusion Attacks 
  1. A new Snake Keylogger variant is actively targeting Windows users in China, Turkey, Indonesia, Taiwan, and Spain, with Fortinet blocking over 280 million infection attempts since early 2025. Typically delivered via phishing emails containing malicious attachments or links, the malware is designed to steal login credentials, log keystrokes, and capture clipboard data from popular web browsers like Chrome, Edge, and Firefox. Stolen information is then exfiltrated to attacker-controlled servers via SMTP and Telegram bots, giving cybercriminals real-time access to compromised data. This latest variant leverages AutoIt scripting to evade traditional security measures by embedding its payload within compiled scripts that mimic legitimate automation tools. Once executed, it drops a copy of itself ("ageless[.]exe") in the %LocalAppData%\supergroup directory and establishes persistence via a Visual Basic Script (VBS) in the Windows Startup folder, ensuring the malware relaunches with every system reboot. To further avoid detection, it injects itself into regsvcs[.]exe, a legitimate Windows .NET process, using process hollowing. This technique replaces a process’s legitimate code with malicious code while keeping the original file name intact. Additionally, the malware uses the SetWindowsHookEx API to log keystrokes and retrieves the victim’s IP address and geolocation through external services, helping attackers track and categorize infected devices. Snake Keylogger’s stealth capabilities and advanced persistence techniques reflect a growing trend in script-based malware designed to evade detection by traditional antivirus solutions. As threat actors refine these tactics, organizations must strengthen email security, enforce strict PowerShell policies, monitor for unusual process injections, and educate users about phishing risks to reduce exposure to evolving threats.
  2. The Chinese APT group Mustang Panda, also tracked as Earth Preta, has been found abusing Microsoft Application Virtualization Injector (MAVInject[.]exe) as a living-off-the-land binary (LOLBIN) to inject malicious payloads into legitimate processes, evading antivirus detection. Researchers at Trend Micro identified the technique, linking it to over 200 attacks since 2022. The group primarily targets government agencies across the Asia-Pacific region using spear-phishing emails impersonating government bodies, NGOs, think tanks, and law enforcement. These emails contain a malicious Setup Factory installer (IRSetup[.]exe) that, once executed, drops multiple files into C:\ProgramData\session, including decoy PDFs, legitimate files, and malware components. This method provides a diversion while executing the attack chain. A key aspect of this campaign is its evasion of antivirus software, particularly ESET security products. When ESET's processes are detected on a compromised machine, Mustang Panda abuses MAVInject[.]exe, a legitimate Windows tool, to inject a modified TONESHELL backdoor into waitfor[.]exe, a trusted Windows utility. This tactic ensures that the malware appears as a legitimate system process, reducing the likelihood of detection. Once active, the TONESHELL backdoor connects to a command-and-control server, exfiltrating system information and providing attackers with a reverse shell for remote command execution and file manipulation. While Trend Micro attributes this technique to Mustang Panda, ESET disputes the findings, arguing that the attack does not bypass its security measures and that the malware is linked to the China-aligned CeranaKeeper APT group instead. ESET asserts that it has been protecting against this method for years and identified and mitigated this malware variant in January 2025 through its Cyber Threat Intelligence service. 
Despite the dispute, the findings emphasize how APT groups continue refining LOLBIN-based evasion techniques to maintain stealth and persistence in high-profile cyber espionage campaigns. 
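Both items above describe evasion through trusted Windows binaries, so the detection opportunities are in process telemetry rather than file signatures. The following is an added example written for this digest, not code from Fortinet or Trend Micro: it runs a handful of detection rules over constructed Sysmon-style events (process creation with Image/ParentImage/CommandLine, and CreateRemoteThread with SourceImage/TargetImage) covering the %LocalAppData%\supergroup drop path, the VBS launched from the Startup folder, regsvcs.exe spawned by an untrusted parent, and mavinject.exe injecting into waitfor.exe. The sample events, field names and the "trusted parent" heuristic are assumptions for illustration.

```python
import re

# Constructed Sysmon-style events (sample data, not real telemetry). id 1 mirrors a
# process-creation record; id 8 mirrors CreateRemoteThread, where injection shows up.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "ageless.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"'},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\supergroup\ageless.exe", "CommandLine": "regsvcs.exe"},
    {"id": 8, "SourceImage": r"C:\Windows\System32\mavinject.exe",
     "TargetImage": r"C:\Windows\System32\waitfor.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SYSTEM_PARENT = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)  # heuristic


def match_rules(ev):
    """Return the names of the rules an event trips (empty list if nothing matched)."""
    hits = []
    if ev["id"] == 1:
        image, parent, cmd = (ev[k].lower() for k in ("Image", "ParentImage", "CommandLine"))
        if "\\appdata\\local\\supergroup\\" in image:
            hits.append("snake_keylogger_dropped_copy")  # ageless.exe under %LocalAppData%\supergroup
        if image.endswith(("\\wscript.exe", "\\cscript.exe")) and ".vbs" in cmd and STARTUP_DIR.search(cmd):
            hits.append("vbs_startup_persistence")
        # A hollowed regsvcs.exe is spawned by the malware, i.e. from a user-writable parent path.
        if image.endswith("\\regsvcs.exe") and not SYSTEM_PARENT.match(parent):
            hits.append("regsvcs_untrusted_parent")
    elif ev["id"] == 8:
        src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        if src.endswith("\\mavinject.exe") and dst.endswith("\\waitfor.exe"):
            hits.append("mavinject_into_waitfor")
    return hits


def scan(events):
    """Map each rule name to the list of events that matched it."""
    findings = {}
    for ev in events:
        for rule in match_rules(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


if __name__ == "__main__":
    for rule, evs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

The parent-path heuristic for regsvcs.exe will need tuning per environment; build tooling that legitimately invokes it from non-system paths should be allowlisted rather than the rule dropped.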
  3. Mozilla has released Firefox 135.0.1 as an emergency security update to address CVE-2025-1414, a critical memory safety vulnerability that could lead to arbitrary code execution. This patch, issued on February 18, 2025, is Firefox's first major security update this year and highlights the ongoing challenges in securing modern web browsers. The vulnerability stemmed from memory corruption issues within Firefox’s JavaScript engine and graphics rendering components, which attackers could exploit to crash browsers or execute malicious code. While there have been no active attacks, Mozilla confirmed that at least two patched vulnerabilities showed signs of exploitability in controlled environments. Mozilla engineer Andrew McCreight discovered and reported the flaws and identified race conditions in multi-threaded processes as the underlying cause. Mozilla has classified this update as mandatory for all Windows, macOS, and Linux users, emphasizing the urgency of immediate patching to mitigate risks from potential drive-by downloads and malicious ads. Users with automatic updates enabled should have received the patch, while others can manually update via the "About Firefox" menu. Although Firefox’s mobile versions on Android and iOS are not affected, Mozilla has urged enterprise users on Extended Support Release (ESR) versions to expect a backported fix in ESR 135.1 within 72 hours. Security experts have praised Mozilla’s swift response but caution that delayed updates leave systems vulnerable to sophisticated attacks. This security incident highlights the importance of timely patching in mitigating evolving cyber threats, as unpatched browsers remain high-value targets for attackers. Mozilla’s proactive approach reflects lessons learned from past vulnerabilities, like CVE-2023-4863, and underscores the need for continuous vulnerability management. Users are encouraged to verify their browser version and enable automatic updates to stay protected. 
Meanwhile, Mozilla has announced further stability improvements in Firefox 136, scheduled for release on March 4, 2025, reinforcing its commitment to browser security. 
  4. CISA has issued an urgent warning regarding the active exploitation of CVE-2024-53704, a critical remote code execution (RCE) vulnerability in SonicWall’s SonicOS. This flaw, which allows unauthenticated attackers to hijack SSL VPN sessions and bypass authentication mechanisms, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to remediate the vulnerability by March 11, 2025, under Binding Operational Directive (BOD) 22-01, while private-sector organizations, particularly in healthcare, finance, and critical infrastructure, are strongly urged to patch their systems due to the exploit’s low complexity and stealthy nature. The vulnerability exists in SonicOS’s getSslvpnSessionFromCookie function, where improper processing of Base64-encoded session cookies with null bytes enables attackers to forge valid session identifiers. Researchers at Bishop Fox demonstrated the exploit’s simplicity using a Python script, which generates a malicious payload containing 32 null characters encoded in Base64. By injecting this payload into the swap cookie, attackers can access active VPN sessions without credentials, effectively bypassing authentication mechanisms undetected. The flaw’s CVSSv3 score of 9.8 highlights its severity, compounded by the ease of exploitation and lack of privilege requirements. SonicWall has released firmware updates to mitigate the issue for Gen5–Gen7 firewalls. However, organizations that cannot patch immediately should restrict SSL VPN access to trusted IPs, disable internet-facing management interfaces, and enforce MFA. With over 500,000 global customers, SonicWall’s widespread adoption significantly increases the risk of large-scale exploitation.
CISA’s alert reflects the growing trend of attackers shifting from software vulnerabilities to network appliances, emphasizing the need for proactive firmware management, stronger authentication controls, and continuous monitoring to prevent sophisticated cyber threats. 
  5. A critical vulnerability (CVE-2025-0366) in the Jupiter X Core WordPress plugin, installed on over 90,000 websites, was disclosed on January 6, 2025, exposing sites to RCE via Local File Inclusion (LFI) and unrestricted SVG uploads. The flaw, discovered through the Wordfence Bug Bounty Program, allows authenticated attackers with contributor-level access to upload malicious SVG files and include arbitrary files—including PHP scripts—through improper sanitization in the get_svg() method. By predicting randomized filenames assigned via PHP’s uniqid() function, attackers can inject malicious commands, escalate privileges, and execute remote code. The vulnerability’s CVSS score of 8.8 highlights its severity, impacting confidentiality, integrity, and availability. While Wordfence released firewall rules on January 13 for premium users and February 12 for free users, developer Artbees patched the flaw in version 4.8.8 on January 29, implementing SHA-256 hashing for filenames and stricter file validation. Users are strongly urged to update immediately and audit contributor permissions to mitigate potential risks. This incident reinforces the systemic security risks of third-party WordPress plugins, as 60% of WordPress vulnerabilities stem from extensions. SVG files, often assumed safe as static images, pose unique risks due to their XML-based structure, which allows them to embed malicious scripts. Security experts recommend machine learning-based file validation, strict allowlisting, and enforcing zero-trust policies for file uploads. Regular code audits, path traversal detection, and least-privilege access models remain essential to securing WordPress environments from similar threats.
💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter