Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
VMware Vulnerabilities Actively Exploited – On March 4, 2025, Broadcom released security patches addressing two critical vulnerabilities affecting VMware ESXi, Workstation, and Fusion. CVE-2025-22224 is an out-of-bounds write (heap overflow) in the VMCI component, and CVE-2025-22225 is an arbitrary-write flaw that enables a sandbox escape. Together they allow code execution on the hypervisor host and information disclosure. Note that exploitation requires an attacker who already holds administrative privileges inside a guest VM, so these are a guest-to-host escalation rather than an unauthenticated remote entry point; a compromised workload is the starting condition. Due to ongoing active exploitation, CISA has added them to the Known Exploited Vulnerabilities (KEV) catalog. Users are strongly advised to apply patches immediately to mitigate risks.
Critical Command Injection in Edimax IP Cameras – On March 7, 2025, Bleeping Computer reported a critical OS command injection vulnerability, CVE-2025-1316, in the Edimax IC-7100 series IP cameras. The flaw enables remote code execution and is being actively exploited by Mirai-based botnets. As the device has reached end of life, no official patch is available. CISA recommends minimising internet exposure and using secure access methods, such as VPNs, to mitigate potential risks.
Active Exploitation Linked to Silk Typhoon – On March 6, 2025, GreyNoise reported active exploitation of CVE-2021-26855 (Microsoft Exchange), CVE-2021-44228 (Apache Log4j), and CVE-2024-3400 (PAN-OS GlobalProtect). These attacks target unpatched systems using a combination of vulnerabilities, including server-side request forgery (SSRF) and remote code execution (RCE). While these CVEs have previously been linked to Silk Typhoon, the current activity has not been definitively attributed. Organisations should apply patches and block the associated IPs immediately.
Potential Threats
Fake DeepSeek and Grok Chatbot Websites Used in Malware Campaign - Malicious actors are using fake DeepSeek and Grok chatbot websites to distribute malware, including Python stealers and Trojans. Sites like r1-deepseek[.]net and v3-grok[.]com are known to host these threats. Users should verify URLs and block associated IOCs.
Malvertising Campaign Exploits Illegal Streaming Sites - The Storm-0408 malvertising campaign has impacted nearly one million devices, distributing RATs and stealers through illegal streaming sites via platforms like GitHub and Discord. To mitigate the risk, Microsoft recommends blocking IOCs and restricting PowerShell, JavaScript, and VBScript execution.
SilentCryptoMiner Spread via YouTube Using Fake Workaround Claims - Threat actors are abusing YouTube's copyright claims system to spread SilentCryptoMiner, a cryptocurrency mining malware. They file fraudulent claims against creators and, under threat of channel takedown, pressure them into posting links to malicious downloads that disable Microsoft Defender and evade detection. Over 2,000 victims, mostly in Russia, are affected. Users should avoid downloading software from YouTube links and verify copyright claims.
General News
Chinese Nationals Charged in Cyber Espionage Scheme - The U.S. Justice Department has charged 12 Chinese nationals, including Ministry of Public Security officers, in a cyber espionage scheme targeting U.S. dissidents, government agencies, and a religious group.
Google Paid Out $12 Million via Bug Bounty Programs in 2024 - Google awarded $11.8 million to 660 researchers for reporting security vulnerabilities through its revamped vulnerability reward programs, marking a continued commitment to security.
New York Sues Allstate Over Data Breach - On 10 March 2025, New York sued Allstate for failing to secure customer data in a breach exposing sensitive personal information. The breach's method was not disclosed, but the state alleges inadequate security practices put customers at risk of identity theft and fraud.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity |
Threat Actor | Severity Change | Opportunity Change | Intent Change
---|---|---|---
Desorden | New → Basic | (35) ↑ 35 | (35) ↑ 35
UNK_CraftyCamel | New → Basic | (35) ↑ 35 | (25) ↑ 25
Run Some Wares Ransomware Group | New → Basic | (25) ↑ 25 | (30) ↑ 30
Desert Dexter | New → Basic | (30) ↑ 30 | (25) ↑ 25
BenjaminFranklin | New → Basic | (35) ↑ 35 | (5) ↑ 5
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ - Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ - Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Anonymous ▲ | Play Ransomware ▲ | CVE-2024-53104 ▲ | NTT Group ▲
Iranian Hackers ▲ | Agenda Ransomware ▲ | CVE-2024-4577 ▲ | CloudFlare ▲
Fatemiyoun Brigade ▲ | CrazyHunter ▲ | CVE-2025-27636 ▲ | Bybit Exchange ▲
INC RANSOM ▲ | AsyncRAT ▲ | CVE-2025-22224 ▲ | Public Transportation ▲
Play Ransomware Group ▲ | Embargo Ransomware ▲ | CVE-2025-27840 ▲ | Databases ▲
Prominent Information Security Events
Fake DeepSeek and Grok Chatbot Websites Used in Malware Campaign
Source: Insikt Group, Kaspersky | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: Hash/MD5 - e1ea1b600f218c265d09e7240b7ea819
IOC: Domain Name - r1-deepseek[.]net
IOC: Domain Name - deep-seek[.]bar
On 6 March 2025, Kaspersky reported an ongoing malware campaign leveraging fake DeepSeek and Grok chatbot websites to distribute Python stealers, Trojan downloaders, and backdoors. The identity of the threat actors remains unknown.
Kaspersky identified three attack schemes used in this campaign:
- Python-based information stealer – Fake domains such as r1-deepseek[.]net and v3-grok[.]com host malware that steals browser data, credentials, and crypto wallets, exfiltrating via Telegram bots.
- Trojan downloader – The sites deepseek-pc-ai[.]com and deepseek-ai-soft[.]com install Trojan-Downloader.Win32.TookPS, which modifies SSH configurations to give the attackers remote access. The attackers spread the malware via social media, with one post reaching 1.2 million views on X.
- Backdoor malware – Domains such as app.deapseek[.]com deploy Backdoor.Win32.Xkcp.a, which establishes remote access tunnels. Another variant, Trojan.Win32.Agent.xbwHho, uses DLL sideloading for persistence.
As DeepSeek has no official Windows client, users may download fake versions unknowingly. Organisations should verify website addresses and block known IOCs to mitigate risks.
Malvertising Campaign Exploits Illegal Streaming Sites
Source: Insikt Group, Bleeping Computer | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: Hash/SHA1 - 74df2582af3780d81a8071e260c2b04259efc35a
IOC: Domain Name - physicaltherapytustin[.]com
IOC: Domain Name - compass-point-yachts[.]com
On March 6, 2025, Microsoft Threat Intelligence reported an ongoing global malvertising campaign (Storm-0408) that has compromised nearly one million devices since December 2024. The campaign uses illegal streaming websites to distribute malware hosted on GitHub, Discord, and Dropbox.
Attack Flow:
- Malvertising – Threat actors embed redirectors within videos on illegal streaming sites. Victims are redirected to malicious GitHub repositories, where the first-stage payload is downloaded.
- Payload Execution – The first-stage payload establishes a foothold on the victim device and acts as a loader for second-stage payloads. These include PowerShell scripts and living-off-the-land binaries and scripts (LOLBAS, e.g. PowerShell.exe, MSBuild.exe) used for command execution, payload delivery, and data exfiltration.
- Third-stage Variants – Depending on the second-stage payload, NetSupport RAT may be deployed for remote access or Lumma Stealer for data theft.
- Persistence – A .com file dropped by the second-stage payload modifies Microsoft Defender settings, allowing the malware to bypass security controls and maintain persistence.
Organisations should block IOCs, enable attack surface reduction rules, and restrict JavaScript, VBScript, and PowerShell execution to mitigate risks.
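Both events above close with the same instruction, block the listed IOCs, and in practice that means sweeping DNS, proxy and EDR telemetry for them. The following Python is an added example, not part of the digest nor of Kaspersky's or Microsoft's reporting: it refangs the `[.]` notation used for the domains in both IOC lists, matches a domain exactly or as a parent of the observed hostname (so `cdn.r1-deepseek.net` is a hit while a look-alike such as `not-r1-deepseek.net` is not), normalises hash case, and reports each hit with its line number. The `key=value` log format, the sample lines, and the names `sweep`, `refang` and `domain_matches` are all constructed for this example.

```python
"""Added example (not from the digest, Kaspersky or Microsoft): sweep log lines for
the defanged indicators listed in the two events above.

The log format and every sample line below are constructed for this example."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators exactly as printed in the digest, still defanged with "[.]".
DIGEST_IOCS = {
    "domain": [
        "r1-deepseek[.]net", "v3-grok[.]com", "deep-seek[.]bar",
        "deepseek-pc-ai[.]com", "deepseek-ai-soft[.]com", "app.deapseek[.]com",
        "physicaltherapytustin[.]com", "compass-point-yachts[.]com",
    ],
    "md5": ["e1ea1b600f218c265d09e7240b7ea819"],
    "sha1": ["74df2582af3780d81a8071e260c2b04259efc35a"],
}

# Constructed key=value log lines (DNS, proxy and EDR). Lines 2 and 4 are
# deliberate near-misses that a naive substring search would wrongly flag.
SAMPLE_LOG = [
    "2025-03-10T09:12:44Z dns client=10.0.4.17 query=cdn.r1-deepseek.net type=A",
    "2025-03-10T09:12:51Z dns client=10.0.4.18 query=www.deepseek.com type=A",
    "2025-03-10T09:13:01Z proxy src=10.0.4.17 url=https://deepseek-pc-ai.com/DeepSeek-Setup.exe status=200",
    "2025-03-10T09:13:09Z dns client=10.0.4.19 query=not-r1-deepseek.net type=A",
    "2025-03-10T09:14:10Z edr computer=WS-0417 file=C:\\Users\\a\\Downloads\\DeepSeek-Setup.exe md5=E1EA1B600F218C265D09E7240B7EA819",
    "2025-03-10T09:15:33Z proxy src=10.0.4.22 url=http://compass-point-yachts.com/stream/player.js status=302",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
HOST_FIELDS = {"query", "sni", "dst_host"}   # fields that carry a bare hostname
HASH_FIELDS = {"md5", "sha1", "sha256"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    field: str
    observed: str
    ioc: str


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator compares equal to live log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """True for the listed domain itself or any subdomain of it. A hostname that
    merely ends in the same characters (not-r1-deepseek.net) must not match."""
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def host_of(value: str) -> str:
    """Hostname of a URL, or the value itself when the field already holds a host."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")


def sweep(lines, iocs=DIGEST_IOCS):
    """Return every indicator hit, in log order, as Hit records."""
    watch = {kind: [refang(v) for v in values] for kind, values in iocs.items()}
    hits = []
    for line_no, line in enumerate(lines, 1):
        for field, value in KV_RE.findall(line):
            if field == "url" or field in HOST_FIELDS:
                host = host_of(value)
                for ioc in watch.get("domain", []):
                    if domain_matches(host, ioc):
                        hits.append(Hit(line_no, field, host, ioc))
            elif field in HASH_FIELDS:
                digest = value.lower()          # EDR tools often emit upper-case hashes
                if digest in watch.get(field, []):
                    hits.append(Hit(line_no, field, digest, digest))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.field}={hit.observed} matches {hit.ioc}")
```

Running it against the constructed lines yields four hits (lines 1, 3, 5 and 6) and correctly ignores the legitimate `www.deepseek.com` lookup and the `not-r1-deepseek.net` look-alike. To use it on real telemetry, feed exported DNS, proxy or EDR lines in the same `key=value` shape or adjust `KV_RE` to the local format; the parent-domain check in `domain_matches` is the part worth keeping, since the campaigns above use subdomains such as `app.deapseek[.]com` and a plain suffix match would also fire on unrelated hostnames.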
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-22224 and CVE-2025-22225 – Users are strongly advised to apply patches immediately to mitigate risks.
- CVE-2025-1316 – No patch is available for the end-of-life Edimax IC-7100; CISA recommends minimising internet exposure and using secure access methods, such as VPNs, to mitigate potential risks.
- CVE-2021-26855, CVE-2021-44228 and CVE-2024-3400 – Organisations should apply patches and block the associated IPs immediately.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.