Cyber Threat Intelligence Digest: Week 13

2nd April 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Google Chrome Vulnerability CVE-2025-2783 Actively Exploited - On 27 March 2025, CISA added a critical sandbox escape vulnerability in Google Chromium’s Mojo component, tracked as CVE-2025-2783, to its Known Exploited Vulnerabilities (KEV) catalogue. This vulnerability is actively exploited in the wild and affects versions of Google Chrome on Windows prior to 134.0.6998.177, as well as other Chromium-based browsers like Microsoft Edge and Opera. Successful exploitation could allow threat actors to escape browser sandboxes and fully compromise user systems.

We recommend that organisations immediately update Google Chrome to version 134.0.6998.177 or later and patch other Chromium-based browsers.

CISA Adds Embedded Malicious Code Vulnerability in GitHub Actions to KEV Catalogue - On 24 March 2025, CISA added CVE-2025-30154, a critical embedded malicious code vulnerability affecting GitHub Actions (reviewdog/action-setup@v1), to its Known Exploited Vulnerabilities (KEV) catalogue. Exploitation could allow attackers to escalate privileges and exfiltrate sensitive information, including tokens for AWS, Docker Hub, npm, and GitHub Apps. This vulnerability has been exploited alongside CVE-2025-30066 to compromise GitHub-hosted Actions, impacting at least 218 repositories.

We recommend that organisations immediately update affected products or apply vendor-provided workarounds.

Authentication Bypass Flaw in VMware Tools for Windows - On 25 March 2025, Broadcom disclosed CVE-2025-22230, a high-severity authentication bypass vulnerability in VMware Tools for Windows versions 11.x.x and 12.x.x. The flaw stems from incorrect access control logic, allowing a local user on a Windows guest virtual machine (VM) to bypass authentication and execute privileged operations within the same VM. While exploitation does not permit VM escape, it could lead to privilege escalation. At the time of writing, there have been no confirmed reports of active exploitation.

We recommend organisations update VMware Tools to version 12.5.1 to mitigate the risk.

Potential Threats

Morphing Meerkat Phishing Platform Targets Victims Using DNS MX and DoH - On 27 March 2025, Infoblox reported that the Morphing Meerkat phishing-as-a-service (PhaaS) platform utilises DNS MX records and DNS-over-HTTPS (DoH) queries to deliver custom phishing pages. 

The platform spoofs emails from over 100 brands, including financial providers, and redirects victims through compromised websites, file-sharing platforms, or open redirects. It dynamically serves localised templates based on the victim's email provider and browser settings.

The platform exfiltrates stolen credentials using methods such as EmailJS, AJAX requests, local PHP scripts, and Telegram bots. Evasion techniques, like code obfuscation and blocking right-click actions, are employed.

After two failed login attempts, the platform redirects users to legitimate sites to avoid detection.

State-Sponsored Group RedCurl Now Deploying Ransomware - On 26 March 2025, Bitdefender reported that the Russian-speaking threat group RedCurl deployed a new ransomware strain, "QWCrypt," marking a shift from its previous focus on corporate espionage. Unlike typical ransomware, QWCrypt targets virtual machines running on Microsoft Hyper-V. The attack begins with phishing emails containing .IMG files masquerading as legitimate documents that trigger malware execution.

RedCurl uses living-off-the-land binaries, tunnelling, and custom backdoors to maintain persistence and facilitate lateral movement.

QWCrypt encrypts files using XChaCha20-Poly1305 and ChaCha20/AES algorithms.

RamiGPT, AI-Powered Tool for Automated Privilege Escalation, Published on GitHub - Researcher Mohammed Alshehri released RamiGPT, an AI tool for automating privilege escalation to root access. It integrates tools like PwnTools, LinPEAS, and BeRoot to analyse systems and execute escalation strategies based on OpenAI’s API. RamiGPT connects via SSH, analyses privilege escalation vectors and autonomously applies AI-suggested commands until root access is achieved.

At the time of writing, RamiGPT had gained significant attention on GitHub with 262 stars.

General News

Australian Department of Communities and Justice Breach Exposes 9,000 Sensitive Court Files - The NSW Police Force confirmed a breach of the NSW Online Registry, exposing approximately 9,000 sensitive court documents, including apprehended violence orders and affidavits.

Threat actors accessed the portal, though no claims of responsibility have been made. The Department of Communities and Justice has contained the breach and advised individuals to monitor their personal accounts. 

No stolen data has been found in public sources. Authorities are continuing to assess the platform’s integrity.

FBI investigating cyberattack at Oracle, Bloomberg News reports - The breach at Oracle, which involved the theft of patient data and affected multiple U.S. medical providers, is highly significant due to the sensitive nature of the data involved.

With Oracle's deep ties to healthcare and government contracts, this attack has far-reaching implications, especially for patient privacy and trust in healthcare IT systems.

Daisy Cloud Hacker Group Exposes 30K Login Credentials - On 25 March 2025, cybersecurity firm Resecurity reported that hacker group Daisy Cloud exposed over 30,000 login credentials for cloud-based services on a dark web forum.

These credentials were stolen using brute force and weak password exploits on cloud platforms. The leak affects various sectors, including finance, healthcare, and technology.

Organisations are urged to implement multi-factor authentication (MFA), enforce strong password policies, and audit cloud access logs to mitigate risks.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.

Severity scale: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor              Severity Increase (previous → current)   Opportunity (previous → current)   Intent (previous → current)
Pioneer Kitten            Moderate → Moderate                      54 → 57                            25 → 25
Frag Ransomware Group     New → Basic                              New → 40                           New → 49
RALord Ransomware Group   New → Basic                              New → 30                           New → 35
RedMike                   New → Basic                              New → 35                           New → 25
pryx                      New → Basic                              New → 30                           New → 30

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                      Methods                  Vulnerabilities   Targets
KillSecurity Ransomware Group  Click Fix                CVE-2025-26633    Transportation
Sylhet Gang                    DDoS                     CVE-2025-0282     Twitter
Earth Alux                     RAMCOS RAT               CVE-2024-24085    T-Mobile USA
Brazilian Intelligence Agency  Compromised Credentials  CVE-2025-24201    Human Capital Management
BlueAlpha                      Phishing                 CVE-2025-24200    Information Technology Software Engineering

Prominent Information Security Events

Morphing Meerkat Phishing Platform Targets Victims Using DNS MX and DoH

Source: Insikt Group, Infosecurity Magazine | Validated Intelligence Event

IOC: IP - 45.133.174[.]25

IOC: IP - 185.117.90[.]212

IOC: Domain – movesfitnesszoom[.]co.uk

IOC: URL - hxxps://login-maildelivery-mailbox.s3.us-east-1.amazonaws[.]com

On 27 March 2025, Infoblox reported that the Morphing Meerkat phishing-as-a-service (PhaaS) platform leverages DNS MX records and DNS-over-HTTPS (DoH) queries to serve phishing pages tailored to victims' email providers. Campaigns are initiated with spoofed spam emails impersonating over 100 brands, including financial software providers. Malicious links redirect users to compromised WordPress sites, public file-sharing platforms, or open redirects on trusted domains such as Google’s DoubleClick.

The phishing kits dynamically generate over 114 localised HTML templates by mapping MX responses to specific login pages, further customising content using ISO 639-1 language codes based on browser settings.

Morphing Meerkat exfiltrates stolen credentials through four primary methods: EmailJS, AJAX requests to remote servers, data submission to local PHP scripts, or transmission via Telegram bot webhooks. The kits are heavily obfuscated to impede forensic analysis and block user actions such as right-clicking or source code inspection. Additionally, the platform employs evasion techniques, including redirecting suspicious users after failed login attempts to minimise detection.

To mitigate these threats, organisations should block DoH services, restrict outbound connections to non-essential domains, and educate users on phishing tactics, particularly redirection-based deception.
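
Added example (not code from the Infoblox report or this digest) showing how the DoH MX lookups described above can be spotted in proxy telemetry: it scans constructed proxy log lines for JSON DoH queries to the public Google or Cloudflare resolvers that ask for MX records. It assumes a TLS-inspecting proxy that records full URLs; the same check doubles as a test that a DoH block is actually effective.

```python
"""Flag DNS-over-HTTPS MX lookups in web-proxy logs.

Added example, not code from the Infoblox report. Morphing Meerkat resolves the
victim's mail provider with DoH MX queries, so an endpoint asking a public DoH
JSON API for MX records is a usable signal. Assumes a TLS-inspecting proxy that
logs full URLs; the log lines below are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Public resolvers exposing a JSON-over-HTTPS API (Google and Cloudflare).
DOH_HOSTS = {"dns.google", "8.8.8.8", "cloudflare-dns.com", "1.1.1.1"}
DOH_PATHS = {"/resolve", "/dns-query"}

# Constructed proxy log: "<client-ip> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET https://www.example.org/index.html
10.0.0.7 GET https://dns.google/resolve?name=victim-corp.example&type=MX
10.0.0.7 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=15
10.0.0.9 GET https://dns.google/resolve?name=cdn.example.net&type=A
10.0.0.7 GET https://phish-page.invalid/?mx=mail.victim-corp.example
"""

def is_doh_mx_lookup(url: str) -> bool:
    """True when url is a DoH JSON query for MX records (type name or number 15)."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in DOH_HOSTS or u.path not in DOH_PATHS:
        return False
    # The JSON APIs default to type A when the parameter is absent.
    rtype = parse_qs(u.query).get("type", ["A"])[0].upper()
    return rtype in {"MX", "15"}

def find_doh_mx_lookups(log_text: str):
    """Return (client_ip, queried_name) for every DoH MX lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, url = parts
        if is_doh_mx_lookup(url):
            name = parse_qs(urlparse(url).query).get("name", [""])[0]
            hits.append((client, name))
    return hits

if __name__ == "__main__":
    for client, name in find_doh_mx_lookups(SAMPLE_LOG):
        print(f"DoH MX lookup from {client} for {name}")
```

A single MX lookup over DoH from a workstation is unusual enough to alert on; the queried name tells the analyst which mail domain the kit was profiling.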

State-Sponsored Group RedCurl Now Deploying Ransomware

Source: Insikt Group, The Hacker News | Validated Intelligence Event

IOC: URL - hxxps://mia.nl.tab.digital/remote[.]php/dav/files

IOC: URL - hxxps://my.powerfolder[.]com/webdav/utils/elzp.txt

IOC: HASH - e58e5afa9a94ba474e465dbf919d2c51

IOC: HASH - c41957f965f8c38b6cedf44b62b09298

On 26 March 2025, Bitdefender reported that the Russian-speaking cybercrime group RedCurl deployed a new ransomware strain, "QWCrypt," marking a shift from its usual corporate espionage tactics. Unlike most ransomware targeting VMware ESXi, QWCrypt focuses on Microsoft Hyper-V, likely to evade common defences.

The attack began with phishing emails carrying .IMG files disguised as CVs. When opened, these mounted disk images contained a renamed .SCR file—an Adobe executable vulnerable to DLL sideloading. This enabled the execution of RedCurl’s backdoor, which achieved persistence via scheduled tasks and leveraged living-off-the-land (LotL) binaries like wmic.exe and rundll32.exe. The group used wmiexec and Chisel for internal movement, while QWCrypt was deployed via encrypted .7z archives, with scripts disabling security defences via PowerShell and possibly BYOVD.

Batch scripts exhibited host-specific logic, excluding gateway VMs to prevent widespread network disruption. QWCrypt uses XChaCha20-Poly1305 for key generation and encrypts files with ChaCha20 or AES, appending the .randombits$ extension. No leak site has been identified, and the ransom note borrows language from other ransomware operations, suggesting RedCurl is either using ransomware for secondary monetisation or conducting disruptive attacks for hire.

To mitigate this threat, we recommend application allowlisting to block unauthorised executables, monitoring and restricting LOLBins, and hardening PowerShell with strict execution policies and logging for suspicious activity.
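
Added detection example (not Bitdefender's code or RedCurl tooling) covering the chain described above and the LOLBin-monitoring recommendation: it classifies constructed Sysmon-like process and file events for a LOLBin spawned by a .SCR executable, a scheduled task that relaunches rundll32 (that exact task command is an assumption, the report only states scheduled-task persistence) and files written with the .randombits$ extension.

```python
"""Detection logic for the RedCurl / QWCrypt chain described above (added example,
not Bitdefender's code). Flags three observables from the report: a LOLBin
(wmic.exe or rundll32.exe) spawned by a .SCR executable, a scheduled task that
relaunches rundll32 (that exact task command is an assumption), and files written
with the .randombits$ extension. Events are constructed Sysmon-like dicts."""
LOLBINS = {"wmic.exe", "rundll32.exe"}

def _basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a detection label for one event, or None when nothing matches."""
    if event.get("EventType") == "ProcessCreate":
        parent = _basename(event.get("ParentImage", ""))
        image = _basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        if image in LOLBINS and parent.endswith(".scr"):
            return "lolbin_spawned_by_scr"  # DLL-sideloading stage
        if image == "schtasks.exe" and "/create" in cmd and "rundll32" in cmd:
            return "schtask_rundll32_persistence"  # scheduled-task persistence
    elif event.get("EventType") == "FileCreate":
        if event.get("TargetFilename", "").lower().endswith(".randombits$"):
            return "qwcrypt_encrypted_file"  # QWCrypt output extension
    return None

def detect(events):
    """Return (host, label) for every event that matches a rule, in log order."""
    return [(e["Host"], classify(e)) for e in events if classify(e)]

# Constructed telemetry: hosts, paths and the DLL name are placeholders.
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"E:\CV_candidate.scr", "CommandLine": r"E:\CV_candidate.scr"},
    {"Host": "WS01", "EventType": "ProcessCreate", "ParentImage": r"E:\CV_candidate.scr",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe placeholder.dll,Entry"},
    {"Host": "WS01", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn Updater /tr "rundll32.exe placeholder.dll,Entry" /sc onlogon'},
    {"Host": "HV01", "EventType": "FileCreate", "TargetFilename": r"D:\VMs\fileserver.vhdx.randombits$"},
    {"Host": "WS02", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for host, label in detect(SAMPLE_EVENTS):
        print(host, label)
```

The .randombits$ rule fires only after encryption has started, so the two process rules are the ones that buy response time; the legitimate rundll32 and notepad launches in the sample stay silent.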

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-2783 - Update Google Chrome to version 134.0.6998.177 or later and ensure all other Chromium-based browsers are patched.
  • CVE-2025-30154 - Update the affected products to the latest versions or apply the workarounds provided by the vendors.
  • CVE-2025-22230 - Update VMware Tools to version 12.5.1 to mitigate the risk.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.