Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Citrix Addresses Three High-Severity Vulnerabilities in Windows Virtual Machines Running on XenServer and Hypervisor - On May 27, 2025, Citrix addressed three high-severity vulnerabilities, CVE-2025-27462, CVE-2025-27463, and CVE-2025-27464, affecting guest Windows virtual machines (VMs) running on XenServer 8.4 and Citrix Hypervisor 8.2 CU1 LTSR. At the time of writing, there are no reports of exploitation in the wild.
The vulnerabilities affect the PV drivers bundled with XenServer VM Tools for Windows, including the PV Bus driver (versions earlier than 9.1.11.115), PV Interface driver (versions earlier than 9.1.12.94), and XCP-ng PV Bus driver (versions earlier than 9.0.9065). A threat actor who can already execute unprivileged code inside a guest VM can interact with PV device interfaces that were configured with excessive permissions, reach kernel-level components, and escalate privileges to SYSTEM. Notably, Linux guest VMs are not affected.
Bitwarden Vulnerability CVE-2025-5138 Allows Threat Actors to Trigger Cross-Site Scripting via Malicious PDF Files - A significant security flaw, identified as CVE-2025-5138, has been discovered in Bitwarden versions up to 2.25.1. This vulnerability allows attackers to execute cross-site scripting (XSS) attacks by uploading malicious PDF files containing embedded JavaScript code through the platform’s file handling system.
When these PDFs are accessed, especially via browsers like Chrome, the malicious code can run within the Bitwarden domain, potentially leading to account hijacking and credential theft. The issue arises from inadequate file type restrictions and insufficient input sanitisation in Bitwarden’s Resources upload feature. Security researchers have released a proof-of-concept, increasing the risk of exploitation.
Two Race Condition Vulnerabilities in Linux Crash-Handling Tools Expose Sensitive Data - On May 29, 2025, Qualys reported details of two race condition vulnerabilities (CVE-2025-5054 and CVE-2025-4598) in Apport and systemd-coredump, Linux crash-handling tools that collect and store core dumps and diagnostic data from crashed processes. At the time of writing, no evidence suggests active exploitation of either vulnerability in the wild. The following outlines the technical details of these vulnerabilities:
- CVE-2025-5054 is a race condition vulnerability in Apport (versions up to 2.33.0, Ubuntu 24.04 and 16.04). Exploitation could allow threat actors to access sensitive information by reusing PIDs through namespace manipulation.
- CVE-2025-4598 is a race condition in systemd-coredump (Fedora 40/41, Red Hat Enterprise Linux 9, and 10). Exploitation enables a local threat actor to crash a Set User ID (SUID) process and replace it with a non-SUID binary, thereby gaining access to the privileged core dump and exposing sensitive data.
Potential Threats
New Rust-Based Information Stealer EDDIESTEALER Delivered Through Fake Captcha - On May 30, 2025, Elastic Security Labs reported on a new Rust-based infostealer called EDDIESTEALER, which is delivered via deceptive CAPTCHA pages on compromised websites. These pages trick users into running a clipboard-loaded PowerShell command that downloads and executes a JavaScript payload (gverify.js), which in turn fetches the EDDIESTEALER malware.
Once installed, the malware avoids reinfection via mutex creation, fetches encrypted configuration data from a C2 server, and exfiltrates sensitive info like browser credentials, crypto wallets, and messaging data using HTTP POST. EDDIESTEALER also uses Chrome’s debugging port to extract passwords from memory and applies heavy obfuscation and sandbox evasion.
Threat Actors Abuse NetBird in Spearphishing Campaign Targeting Finance Executives - On May 28, 2025, Trellix uncovered a spearphishing campaign targeting finance executives across multiple regions, using fake job offers from Rothschild & Co. to trick victims into downloading malware. The attack abuses NetBird and OpenSSH for stealthy remote access, delivered via a multi-stage infection chain involving spoofed websites, deceptive ZIP files, and scripts run with elevated privileges.
Over 2,200 emails were sent, and while the infrastructure hints at state-sponsored activity, no specific group has been identified yet.
Threat Actors Impersonate Coursera in Phishing Campaign Using Fake Meta Course Lure - On May 28, 2025, Cofense reported a credential phishing campaign in which threat actors impersonated Coursera to trick users into enrolling in a fake Meta Social Media Marketing course. The phishing email used lures such as "free, internationally recognised certificate" to create a sense of urgency and appeal to users' professional aspirations. Although the sender domain did not match Coursera's official domain, the email appears to be impersonating Coursera's legitimate landing page.
When victims clicked the link, it redirected them to a fake Coursera landing page hosted on a newly registered domain. After victims clicked the "Enroll for Free" button on that page, the website prompted them to log in with their Facebook account, which led to a spoofed Facebook login page crafted to capture their credentials. After victims entered their email and password, the threat actors exfiltrated the data to their command-and-control (C2) server.
General News
ConnectWise Confirms Cyberattack by State-Sponsored Actor Affecting Limited ScreenConnect Users - On May 28, 2025, American IT management software company ConnectWise reported a cyberattack, wherein a suspected state-sponsored threat group purportedly gained unauthorised access to its environment and affected a limited number of customers using its ScreenConnect remote desktop software. ConnectWise did not disclose details about the method of initial access, the number of affected customers, or whether any malicious activity occurred within the ScreenConnect instances.
According to a source quoted by BleepingComputer, the threat actors targeted only ScreenConnect instances, breaching them in August 2024; the compromise wasn’t discovered until May 2025. Security researchers also linked the incident to threat actors’ exploitation of CVE-2025-3935, a patched ViewState code injection flaw in ScreenConnect.
US Retailer The North Face Discloses Credential Stuffing Attack Exposing Customer Data - On May 29, 2025, US-based outdoor brand The North Face notified customers of a credential stuffing attack against its website, TheNorthFace.com, which was identified and investigated after unusual activity was observed on April 23, 2025. The company confirmed that unauthorised logins occurred via credentials likely obtained from unrelated breaches, granting access to some customer accounts.
Threat actors may have viewed personal details stored in profiles, including names, contact information, purchase history, and dates of birth, depending on what users had saved. No payment card data was exposed. The North Face confirmed that it uses a third-party payment processor and only stores transaction tokens, which are unusable outside its platform.
This incident marks the fourth credential-based breach the company has disclosed since 2020 and the second in 2025 involving unauthorised access to customer accounts.
UK military to establish new Cyber and Electromagnetic Command - The UK is establishing a new Cyber and Electromagnetic Command under Strategic Command to strengthen its digital and electronic warfare capabilities, as outlined in a strategic defence review set for release on June 2.
This move responds to evolving threats, particularly lessons from Russia’s war in Ukraine, and aims to better integrate cyber and electromagnetic operations with conventional forces. The new formation will reorganise existing capabilities, emphasising faster information sharing, jamming, and signal interception. Recruitment remains a major hurdle, with efforts underway to accelerate training for cyber specialists.
Military leaders stress that successful integration is essential for maintaining a strategic edge in future conflicts.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity score. These updates can be seen below.
Severity legend: ● Limited | ● Basic | ● Moderate | ● High

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
RedGolf | ● High → ● High | ● 79 → ● 82 | ● 35 → ● 35
Earth Lamia | NEW → ● Basic | NEW → ● 40 | NEW → ● 25
Crypto24 Ransomware Group | NEW → ● Basic | NEW → ● 30 | NEW → ● 30
AtomikBot | NEW → ● Basic | NEW → ● 30 | NEW → ● 25
Dire Wolf Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Killnet ▲ | Cryptojacking ▲ | CVE-2025-48828 ▲ | Luxury Goods ▲
Lazarus Group ▲ | TA0042 ▲ | CVE-2025-5419 ▲ | BitMEX ▲
Stormous Ransomware Group ▲ | Credential Stuffing ▲ | CVE-2025-48827 ▲ | HDR Global Trading Limited ▲
JabaROOT ▲ | Phishing ▲ | CVE-2025-21479 ▲ | Discord ▲
BlackSuit Ransomware Group ▲ | Botnet ▲ | CVE-2025-20188 ▲ | Volkswagen ▲
Prominent Information Security Events
New Rust-Based Information Stealer EDDIESTEALER Delivered Through Fake Captcha
Source: Insikt Group | Validated Intelligence Event
IOC: SHA256 - b8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7
IOC: SHA256 - f6536045ab63849c57859bbff9e6615180055c268b89c613dfed2db1f1a370f2
IOC: URL - hxxps://llll[.]fit/version/
On May 30, 2025, Elastic Security Labs published an in-depth analysis of a newly identified Rust-based information stealer dubbed EDDIESTEALER, which targets Windows systems. This malware is distributed through deceptive campaigns that present fake “I’m not a robot” CAPTCHA screens using obfuscated React JavaScript on compromised websites.
Once triggered, the site uses a clipboard trick to inject a PowerShell command that downloads and silently executes a malicious JavaScript payload (gverify.js). This script then fetches and runs the main malware payload from a now-defunct domain (llll[.]fit), saving it under a randomly generated name in the Downloads folder. Upon execution, EDDIESTEALER establishes a mutex to avoid duplicate infections and contacts its command-and-control (C2) server for encrypted configuration data, enabling it to harvest sensitive credentials, browser history, and crypto wallet data from specific file paths and applications.
EDDIESTEALER is particularly sophisticated, featuring evasion techniques like sandbox detection, system profiling, and dynamic obfuscation methods. It collects host metadata including CPU, GPU, process list, and core count, to determine if it’s being analysed, and uses browser debugging techniques to extract decrypted credentials from Chrome, borrowing methods from tools like COOKIEKATZ.
Threat Actors Abuse NetBird in Spearphishing Campaign Targeting Finance Executives
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 4cd73946b68b2153dbff7dee004012c3
IOC: URL - hxxps://googl-6c11f[.]firebaseapp[.]com/job/file-846873865383[.]html
IOC: URL - hxxps://googl-6c11f[.]web[.]app/job/9867648797586_Scan_15052025-736574[.]html
IOC: URL - hxxp://192[.]3[.]95[.]152/cloudshare/atr/pull[.]pdf
On May 28, 2025, Trellix reported a highly targeted spearphishing campaign that exploits NetBird, an open-source remote access tool, to infiltrate the systems of CFOs and finance executives across industries like banking, energy, insurance, and investment. This campaign, first observed on May 15, spans regions including Africa, Canada, Europe, the Middle East, and South Asia. Trellix noted similarities to past state-sponsored activity but has not confirmed attribution.
The attack begins with phishing emails posing as job opportunities from Rothschild & Co., directing victims to a Firebase-hosted fake document portal gated by a custom CAPTCHA. Once solved, victims are redirected to another Firebase site that delivers a ZIP archive disguised as a PDF. Inside is a Visual Basic script that, once executed, downloads an obfuscated payload from 192[.]3[.]95[.]152 and uses wscript.exe with elevated privileges to execute it. This script installs NetBird and OpenSSH silently, starts their services, and proceeds to set up full remote access.
To secure control, the malware creates a hidden local administrator account (user / Bs@202122), enables RDP, modifies firewall rules, and schedules tasks for persistence. It also deletes visible shortcuts and artefacts to reduce detection. This stealthy, multi-stage attack highlights a growing trend of leveraging legitimate open-source tools in advanced phishing operations aimed at high-value financial targets.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-27462, CVE-2025-27463, CVE-2025-27464: We recommend updating the affected systems to their latest supported version to reduce the risk of exploitation.
- CVE-2025-5138: Users are advised to update to versions beyond 2.25.1 and exercise caution when handling PDF files within Bitwarden.
- CVE-2025-5054, CVE-2025-4598: We recommend disabling core dumps for SUID processes by setting /proc/sys/fs/suid_dumpable to 0 (requires root privileges) to reduce the risk of exploitation.
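A defender-side audit of the setting recommended for CVE-2025-5054 and CVE-2025-4598, added here as an example and not taken from the digest or from Qualys: it reads fs.suid_dumpable and kernel.core_pattern, reports whether SUID processes could still be dumped to Apport or systemd-coredump, and can apply the sysctl change persistently. It assumes a Linux host with /proc and sysctl; the /etc/sysctl.d drop-in file name is our own choice.

```shell
#!/bin/sh
# Added example, not from the digest or from Qualys: audit and apply the
# SUID core-dump remediation for CVE-2025-5054 / CVE-2025-4598.
# Assumes a Linux host with /proc and sysctl; the drop-in name is our own.

# Classify a (fs.suid_dumpable, kernel.core_pattern) pair. Values are passed
# as arguments so the logic can be exercised without root or a live /proc.
# Prints "ok:..." when SUID processes cannot be dumped, "at-risk:..."
# otherwise, and names the handler that would receive the dump.
assess_core_dump_config() {
    dumpable="$1"
    pattern="$2"
    case "$pattern" in
        '|'*apport*)           handler="apport" ;;
        '|'*systemd-coredump*) handler="systemd-coredump" ;;
        '|'*)                  handler="other-pipe" ;;
        *)                     handler="file" ;;
    esac
    if [ "$dumpable" = "0" ]; then
        echo "ok:suid-dumps-disabled:$handler"
    else
        echo "at-risk:suid_dumpable=$dumpable:$handler"
    fi
}

# Read the live kernel settings (Linux only) and classify them.
audit_host() {
    d=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    p=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    assess_core_dump_config "$d" "$p"
}

# Apply the remediation now and persist it across reboots (requires root).
remediate() {
    sysctl -w fs.suid_dumpable=0 &&
    printf 'fs.suid_dumpable = 0\n' > /etc/sysctl.d/60-suid-dumpable.conf
}

case "${1:-audit}" in
    audit) audit_host ;;
    fix)   remediate && audit_host ;;
    *)     echo "usage: $0 [audit|fix]" >&2 ;;
esac
```

Run it with no arguments to see the current state; `fix` applies the setting and re-audits.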
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.