Cyber Threat Intelligence Digest: Week 15

16th April 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Fortinet Releases Advisory on New Post-Exploitation Technique Abusing Known Vulnerabilities – On April 10, 2025, Fortinet reported a new post-exploitation technique used by an unidentified threat actor to gain unauthorized access to FortiGate devices via a symbolic link created through a known vulnerability.

This technique enabled persistent access even after systems were updated, as long as the SSL-VPN feature was enabled. The threat actor exploited three previously disclosed FortiOS vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) and used a symbolic link in the SSL-VPN language file directory to access configuration files without detection.

Fortinet responded by deploying AV/IPS signatures, modifying the SSL-VPN UI, and releasing firmware updates to remove the symbolic link and prevent further exploitation.
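The technique above relies on a symbolic link planted inside a directory the device serves (the SSL-VPN language file directory) that points at files outside it, and the link survives firmware upgrades because it is data, not code. The following audit script is an added example, not Fortinet's tooling or code: it walks a served directory and reports every symlink whose resolved target escapes the root it is supposed to stay inside (or that dangles). The directory layout it runs against is constructed in a temporary directory; the names used there are placeholders.

```python
"""Audit a directory tree for symbolic links that escape an allowed root."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under `root`
    whose real target is outside `root`, or which cannot be resolved."""
    root_path = Path(root).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link pointing at / cannot drag the walk across the whole disk.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (FileNotFoundError, RuntimeError):
                findings.append((str(p), "<dangling or unresolvable>"))
                continue
            # Acceptable only if the real target still lives inside root.
            if target != root_path and root_path not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed layout: a served 'lang' directory holding one benign
    in-tree link and one planted link to a config file outside the tree."""
    base = Path(tempfile.mkdtemp())
    served = base / "served" / "lang"
    served.mkdir(parents=True)
    (served / "en.json").write_text("{}")
    (base / "system.conf").write_text("secret=1")          # outside served tree
    os.symlink(served / "en.json", served / "default.json")  # benign alias
    os.symlink(base / "system.conf", served / "help.json")   # planted escape
    return find_escaping_symlinks(str(base / "served"))


if __name__ == "__main__":
    for link, target in demo():
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

On an appliance or web server the root passed in is the directory the HTTP daemon actually serves; anything the script prints is a path that should be explained by change management or removed.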

SonicWall Addresses Three Vulnerabilities Affecting NetExtender Windows Client – On April 9, 2025, SonicWall patched three vulnerabilities in the NetExtender Windows client affecting versions 10.3.1 and earlier, tracked as CVE-2025-23008, CVE-2025-23009, and CVE-2025-23010. NetExtender is a VPN client used to establish encrypted remote access to SonicWall devices over SSL. At the time of writing, there are no reports of these vulnerabilities being exploited in the wild.

  • CVE-2025-23008 is a privilege management vulnerability in the NetExtender Windows client that allows users with limited permissions to modify client settings beyond their intended access level. If exploited, threat actors can change configuration options without proper authorization.
  • CVE-2025-23009 is a local privilege escalation vulnerability in the NetExtender Windows client. If exploited, threat actors with limited permissions can delete arbitrary files from the system.
  • CVE-2025-23010 is a link following vulnerability in the NetExtender Windows client that occurs when the application resolves file paths. If exploited, threat actors can redirect the application to access unintended files by manipulating symbolic links.

SonicWall advises organizations to update the NetExtender Windows client to version 10.3.2 or newer to reduce exploitation risks.

Meta Discloses WhatsApp Spoofing Vulnerability CVE-2025-30401 – On April 8, 2025, Meta reported details on CVE-2025-30401, a vulnerability affecting WhatsApp for Windows (versions prior to 2.2450.6). At the time of writing, there have been no reports of this vulnerability being exploited in the wild.

CVE-2025-30401 is a spoofing flaw in WhatsApp for Windows that stems from improper validation of Multipurpose Internet Mail Extensions (MIME) type and file extension, allowing malicious executable files to appear as legitimate documents or images. Exploitation allows threat actors to execute arbitrary code by sending files with mismatched MIME types and extensions.

We recommend updating WhatsApp for Windows to version 2.2450.6 to reduce the risk of exploitation.

Potential Threats

Analysis of StealC v2 Info Stealer – On April 11, 2025, cybersecurity firm TRAC Labs published a write-up detailing StealC v2. StealC, first discovered in 2022, is an information stealer written in C++ known for targeting browser credentials, files, and cryptocurrency wallets. In March 2025, StealC developer “plymouth” announced the release of StealC v2 on Exploit Forum. StealC v1 was later deprecated on or around April 3, 2025.

Per TRAC Labs, StealC v2 introduces an allegedly rebuilt codebase that features server-side decryption for Google Chrome-based credentials, enhanced plugin brute-forcing, and encrypted command-and-control (C2) communication. In March 2025, the developer behind StealC v2 announced that only five copies of the original source code would be sold, for $3,000 each.

Threat Actors are Using New Precision-Validated Phishing Evasion Tactic to Steal Credentials – Threat actors are deploying Precision-Validated Phishing kits that incorporate real-time email validation to ensure that only verified, active email addresses belonging to targets in pre-harvested, attacker-controlled databases are targeted.

According to an April 9, 2025, report by Cofense, the phishing kit uses JavaScript-based scripts or integrated application programming interfaces (APIs) to validate the input against pre-harvested data. If the address matches, the phishing page prompts the user for credentials; if not, it redirects the user to benign domains or displays an error message.

In one phishing campaign, threat actors targeted users by redirecting invalid emails to Wikipedia to mask their malicious intent. This process hides the malicious payload from automated scanners and sandboxes.

“Free Trial” of New Version of Neptune RAT Delivered via GitHub, Telegram, and YouTube – On April 7, 2025, cybersecurity firm CYFIRMA published a write-up detailing a new version of Neptune RAT, an advanced Windows-based remote access trojan (RAT) that enables threat actors to hijack, destroy, and surveil compromised systems.

Per CYFIRMA, Neptune RAT’s developer distributes it on GitHub, Telegram, and YouTube, embedding highly obfuscated, modular, and persistent code to support full-scale cyberattacks. The developer also claims this is a “free trial” version of Neptune RAT. CYFIRMA attributes Neptune RAT development to Freemasonry, a malware development group.

General News

Landmark Admin Data Breach Affects Approximately 1.6 Million - On April 11, 2025, Landmark Admin, LLC — a third-party administrator for life insurance companies — notified approximately 1.6 million policyholders, beneficiaries, and producers of a data breach. On May 13, 2024, Landmark detected suspicious activity on its network and, on May 14, 2024, determined that an unauthorized third party had attempted to access its systems.

The breach likely exposed sensitive data, including names, addresses, Social Security and tax identification numbers, government-issued IDs, dates of birth, financial account details, medical data, and insurance policy records.

In response, Landmark isolated affected systems, launched a forensic investigation with external experts, and issued breach notifications to affected individuals. The company also advised them to monitor financial activity, check credit reports, and consider placing fraud alerts to reduce the risk of misuse.

Hertz Car Rental Confirms Data Breach Tied to Cleo MFT Attack – On April 11, 2025, Hertz car rental company disclosed a data breach due to unauthorized access to its file transfer vendor system, Cleo MFT.

According to the disclosure filed with the Maine Attorney General’s Office, the breach occurred between October and December 2024 and was discovered on February 10, 2025.

Following an investigation, Hertz identified that files containing names, contact information, and unspecified date elements were compromised.

US to sign Pall Mall pact aimed at countering spyware abuses – The U.S. plans to sign an international agreement designed to govern the use of commercial spyware, the State Department said Thursday.

The announcement comes nearly a week after 21 countries signed a voluntary and non-binding Code of Practice outlining how they intend to jointly regulate commercial cyber intrusion capabilities (CCICs) and combat spyware companies whose products have been increasingly used to target civil society.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.

Severity scale: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor | Severity | Increase | Opportunity | Intent
FIN7 | High | High | 82 / 82 | 49 / 45
MuddyWater | Moderate | Moderate | 61 / 59 | 25 / 25
GOFFEE | New | Basic | New / 35 | New / 25
bio | New | Basic | New / 30 | New / 25
DieNet | New | Basic | New / 25 | New / 25

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers | Methods | Vulnerabilities | Targets
BlueBravo | GrapeLoader | CVE-2025-30406 | zkSync
Slow Pisces | GammaSteel | CVE-2025-24054 | Matter Labs
RALord Ransomware Group | GPS Spoofing | CVE-2025-21204 | Lucy Powell
BlueAlpha | CurlBack RAT | CVE-2024-11859 | Landmark Admin
Cyber Av3ngers | BPFDoor | CVE-2025-31161 | Hertz

Prominent Information Security Events

“Free Trial” of New Version of Neptune RAT Delivered via GitHub, Telegram, and YouTube

Source: Insikt Group, CYFIRMA | TTP Instance

IOC: URL – hxxps://files.catbox[.]moe/3588w9.txt

IOC: SHA256 - 8df1065d03a97cc214e2d78cf9264a73e00012b972f4b35a85c090855d71c3a5

IOC: SHA256 - e8c8f74ae15e7d809d9013bdfa2a10dd54e00d4ea5ff4ed6cd4a163b80d2d318

IOC: SHA256 - 14e196e089014313c9fa8c86ce8cffb1c7adacd7d1df7373d97b30d31b965df9

On April 7, 2025, cybersecurity firm CYFIRMA published a write-up detailing a new version of Neptune RAT, an advanced Windows-based remote access trojan (RAT) that enables threat actors to hijack, destroy, and surveil compromised systems. Per CYFIRMA, Neptune RAT’s developer distributes it on GitHub, Telegram, and YouTube, embedding highly obfuscated, modular, and persistent code to support full-scale cyberattacks.

The developer also claims this is a “free trial” version of Neptune RAT. CYFIRMA attributes Neptune RAT development to Freemasonry, a malware development group.

Based on CYFIRMA’s write-up, the threat actor executes a PowerShell command that silently downloads and executes a Base64-encoded batch script named “px5r4x.bat”. Once executed, px5r4x.bat decodes itself and drops malicious payloads into the victim’s AppData directory. It then retrieves a second-stage payload from hxxps://files.catbox[.]moe/3588w9.txt, which contains a Base64-encoded Windows executable.

After decoding, px5r4x.bat attempts to run the executable file; however, a misconfiguration causes it to fail — possibly by design as a limitation of the free version. Despite this failure, previously dropped components continue executing the attack.

After establishing an initial foothold, Neptune RAT establishes a persistent TCP socket and collects system information such as CPU, GPU, RAM, MAC address, and USB device details. It uses this information to generate a unique device ID and connects to the threat actor’s server through a socket configured for up to 500 concurrent sessions.

Neptune RAT copies itself to the Roaming folder and modifies the Windows registry Run key to ensure persistence. It also creates a scheduled task that silently runs every minute, maintaining remote access and control.
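The three persistence traits described above (a copy of the binary under the user's Roaming folder, a Run key pointing at it, and a scheduled task firing every minute) are each individually noisy but together make a tight detection. The script below is an added example, not CYFIRMA's code: it runs that logic over a handful of constructed endpoint events in a simplified Sysmon-like shape (EventID 13 for a registry value set, EventID 1 for process creation). The field names, hosts, user names, task names and paths are all constructed for the example and are not indicators from the report.

```python
"""Flag Run-key plus every-minute scheduled-task persistence in endpoint
telemetry. Events are constructed; field names follow a simplified
Sysmon layout and are an assumption of this example."""
import re

SAMPLE_EVENTS = [
    {"EventID": 13, "Host": "ws01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc minute /mo 1 '
                    r'/tr "C:\Users\alice\AppData\Roaming\updater.exe"'},
    # A legitimate Run key (program files, not Roaming) and a daily task.
    {"EventID": 13, "Host": "ws02",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 1, "Host": "ws02", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /sc daily /tr "C:\Tools\backup.exe"'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.IGNORECASE)


def find_persistence(events) -> dict[str, list[str]]:
    """Return {host: [reasons]} for every host with at least one hit."""
    per_host: dict[str, list[str]] = {}
    for e in events:
        reasons = per_host.setdefault(e["Host"], [])
        # Run key whose value launches something from the Roaming folder.
        if (e["EventID"] == 13 and RUN_KEY.search(e.get("TargetObject", ""))
                and ROAMING.search(e.get("Details", ""))):
            reasons.append(f"Run key -> Roaming binary: {e['Details']}")
        # schtasks creating a task that repeats every minute from Roaming.
        cmd = e.get("CommandLine", "")
        if (e["EventID"] == 1 and e.get("Image", "").lower().endswith("schtasks.exe")
                and MINUTE_TASK.search(cmd) and ROAMING.search(cmd)):
            reasons.append("scheduled task every minute launching Roaming binary")
    return {h: r for h, r in per_host.items() if r}


if __name__ == "__main__":
    for host, reasons in find_persistence(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Hosts where both reasons fire match the described behaviour closely; a single Run-key hit on its own is worth triage but is common for legitimate software that installs per-user.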

Analysis of StealC v2 Infostealer 

Source: Insikt Group | TTP Instance

IOC: Hash - 841d0ebecc7dc7b7e06433fcd0cbbec911fa127fee34bfc7c34c946f84aee1ef

IOC: Hash - 6b638236003f92b54a83abd988b3a9f92bd58c0c7727a637bc0e191597a421ad

IOC: URL - hxxp://77.90.153[.]241/2810e254f679458d.php

IOC: URL - hxxp://81.19.131[.]77/6f35b3aacc54463f.php

On April 11, 2025, TRAC Labs released a detailed report on StealC v2, an advanced variant of the StealC information stealer originally discovered in 2022. Developed in C++ by the threat actor “plymouth” and announced on Exploit Forum in March 2025, StealC v2 introduces a rebuilt codebase with significant enhancements.

Key upgrades include server-side decryption of Google Chrome credentials using AES-256-GCM, encrypted C2 communication, improved brute-forcing of cryptocurrency wallet plugins, and expanded targeting of applications like Steam and Microsoft Outlook. The malware employs multiple anti-analysis features such as CIS region language checks, time-based execution limits (expiring November 4, 2025), and enforcement of unique infections based on hardware or IP.

StealC v2 also supports modular payload deployment through EXE, PowerShell, or MSI, with optional privilege escalation. Additional tactics include APC injection into Chrome for DPAPI key exfiltration and use of the Windows Restart Manager API to forcibly close active processes and unlock browser databases. Although advertised as using RC4 encryption, TRAC Labs determined the C2 communications relied solely on Base64 encoding.

StealC v1 was deprecated in early April 2025, with the v2 source code offered for sale at $3,000 per copy.
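The observation that the C2 channel was "only Base64" despite an RC4 claim is easy to confirm on a capture: valid Base64 that decodes to low-entropy, mostly printable bytes is encoding, not encryption. The helper below is an added example, not TRAC Labs' code: it strictly decodes a request body and classifies the result by Shannon entropy and printable ratio. The three sample bodies are constructed (a JSON-like beacon, a deterministic pseudo-ciphertext built from SHA-256 digests standing in for an RC4 stream, and a non-Base64 form body); none is real StealC traffic.

```python
"""Tell Base64-encoded C2 bodies apart from actually encrypted ones."""
import base64
import binascii
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, well below 6 for short text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strict_b64decode(body: str):
    """Decode only if `body` is canonical Base64 that round-trips exactly,
    so loosely Base64-looking text is not misreported as encoded."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode() != body:
        return None
    return raw


def classify_body(body: str) -> str:
    """'base64-plaintext', 'base64-ciphertext', or 'not-base64'."""
    raw = strict_b64decode(body)
    if not raw:
        return "not-base64"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
    if shannon_entropy(raw) < 6.0 and printable > 0.9:
        return "base64-plaintext"
    return "base64-ciphertext"


# Constructed samples (not real StealC traffic).
_PLAIN = b'{"hwid":"0123-ABCD","build":"v2","task":"get_config"}'
SAMPLE_BASE64_ONLY = base64.b64encode(_PLAIN).decode()
_CIPHER = b"".join(hashlib.sha256(b"demo-keystream-%d" % i).digest()
                   for i in range(16))  # 512 high-entropy bytes
SAMPLE_ENCRYPTED_THEN_BASE64 = base64.b64encode(_CIPHER).decode()
SAMPLE_NOT_BASE64 = "hwid=0123-ABCD&task=get config"


def demo() -> dict[str, str]:
    bodies = {
        "base64_only": SAMPLE_BASE64_ONLY,
        "encrypted_then_base64": SAMPLE_ENCRYPTED_THEN_BASE64,
        "not_base64": SAMPLE_NOT_BASE64,
    }
    return {name: classify_body(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>22}: {verdict}")
```

A "base64-plaintext" verdict on a beacon means the sample's claimed encryption is not in effect on the wire, which in turn means plain content inspection (and decoding in a proxy) works against it.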


Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:


  • CVE-2024-21762, CVE-2023-27997 and CVE-2022-42475 – To prevent exploitation, we recommend organizations update FortiOS to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, or apply Fortinet’s provided workaround.
  • CVE-2025-23008, CVE-2025-23009, CVE-2025-23010 - Update the NetExtender Windows client to version 10.3.2 or newer to reduce exploitation risks.
  • CVE-2025-30401 - We recommend updating WhatsApp for Windows to version 2.2450.6 to reduce the risk of exploitation.
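The FortiOS fixes above are per release branch (a 7.4.x device needs 7.4.7, not 7.6.2), which is where naive "is the version newer than X" checks go wrong. The checker below is an added example, not vendor tooling: it compares each inventory entry with the fixed build of its own branch, treating NetExtender and WhatsApp for Windows as single-minimum products. The inventory lines are constructed; the fixed versions are the ones listed in this digest.

```python
"""Compare installed versions against the fixed builds listed above,
branch by branch for FortiOS."""

# Fixed builds from the remediation list; FortiOS is keyed by branch.
FIXED = {
    "fortios": {"7.6": (7, 6, 2), "7.4": (7, 4, 7), "7.2": (7, 2, 11),
                "7.0": (7, 0, 17), "6.4": (6, 4, 16)},
    "netextender": {"*": (10, 3, 2)},
    "whatsapp-windows": {"*": (2, 2450, 6)},
}


def parse_version(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.strip().split("."))


def status(product: str, version: str) -> str:
    """'patched', 'vulnerable', or 'unsupported-branch' (no fixed build
    is listed for that branch, so it needs manual review)."""
    v = parse_version(version)
    branches = FIXED[product]
    if "*" in branches:
        fixed = branches["*"]
    else:
        key = f"{v[0]}.{v[1]}"
        if key not in branches:
            return "unsupported-branch"
        fixed = branches[key]
    # Tuple comparison is numeric per component, so 7.2.9 < 7.2.11.
    return "patched" if v >= fixed else "vulnerable"


# Constructed inventory (host, product, version); not real assets.
INVENTORY = [
    ("fw-edge-1", "fortios", "7.4.6"),
    ("fw-edge-2", "fortios", "7.2.11"),
    ("fw-lab", "fortios", "6.2.15"),
    ("lt-0042", "netextender", "10.3.1"),
    ("lt-0043", "whatsapp-windows", "2.2450.6"),
]


def report(inventory=INVENTORY) -> dict[str, str]:
    return {host: status(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:<10} {verdict}")
```

Entries reported as "unsupported-branch" are not safe by default: the digest lists no fixed build for that branch, so those devices need the vendor's advisory checked directly or an upgrade onto a listed branch.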


If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.