Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
PoC for Critical RCE Vulnerability in jsonpath-plus Published on GitHub - EQST published a PoC for CVE-2025-1302, a critical RCE vulnerability in jsonpath-plus (versions <10.3.0). The flaw stems from insufficient input validation in "eval='safe'" mode, allowing attackers to inject malicious JSONPath queries and execute arbitrary JavaScript code. The PoC demonstrates remote command execution via crafted HTTP requests, potentially leading to full system compromise.
PolarEdge Botnet Hijacks Cisco, ASUS, QNAP & Synology Devices - Active since late 2023, the PolarEdge botnet exploits CVE-2023-20118, a vulnerability in outdated Cisco routers, to deploy a TLS backdoor for remote command execution. The botnet has compromised over 2,000 devices worldwide, including ASUS, QNAP, and Synology systems, leveraging unpatched flaws and weak credentials to expand its reach. Threat actors use the backdoor to exfiltrate data, conduct surveillance, and launch further attacks.
CVE-2024-53704, a Critical SonicWall SSL VPN Vulnerability Exploited in the Wild – CVE-2024-53704 is a critical authentication flaw in SonicWall’s SSL VPN, allowing attackers to bypass authentication and hijack sessions. CISA added it to its Known Exploited Vulnerabilities (KEV) catalogue after reports of active exploitation. The flaw in the getSslvpnSessionFromCookie function lets attackers use a manipulated swap cookie for unauthorised access. Affected versions include Gen7 Firewalls, NSv (7.1.x and 7.1.2-7019), and TZ80 (8.0.0-8035).
Potential Threats
Threat Actors Abuse Modified Truesight Driver to Deploy Gh0st RAT and Disable Security Tools – Check Point Research uncovered a malware campaign using over 2,500 Truesight.sys (v2.0.2) variants to bypass security and deploy Gh0st RAT. Active since mid-2024, it mainly targets Asia, with 75% of infections in China. The attack starts with phishing sites distributing malicious installers, leading to a three-stage infection. In the final stage, the malware disables security tools before deploying Gh0st RAT, enabling remote control, data theft, and command execution.
JavaGhost Exploits AWS Cloud for Phishing Campaigns - Palo Alto Unit 42 found that threat actor TGR-UNK-0011, linked to JavaGhost, has exploited misconfigured AWS environments since 2022 to run phishing campaigns. Using compromised credentials, they evade detection via API calls and configure Amazon SES and WorkMail to send phishing emails. They also create IAM users with admin privileges for persistent access. Mitigation includes enforcing strict IAM policies, monitoring CloudTrail logs, and enabling SES logging.
Newly Discovered Eleven11Botnet Compromised Over 30,000 Devices to Launch DDoS Attack – GreyNoise reported that Eleven11bot, a newly discovered botnet, has infected over 30,000 IoT devices, mainly security cameras and NVRs, to launch DDoS attacks on telecom providers and gaming platforms. It spreads via brute-force attacks on devices with weak credentials. GreyNoise linked 1,400 IPs to the botnet, with 636 traced to Iran. Organisations should block malicious IPs (included in the article), update IoT passwords and firmware, and monitor network traffic for threats.
General News
Microsoft Invests in Veeam to Enhance AI-Driven Cloud Solutions - The partnership aims to integrate Veeam’s backup and disaster recovery solutions with Microsoft’s Azure and AI infrastructure. This collaboration will help businesses protect critical data while leveraging AI to enhance cybersecurity, automation, and efficiency.
Mozilla Revises Firefox Terms After User Data Concerns - Mozilla has updated its Firefox Terms of Use to clarify its data handling practices after facing criticism over broad language that appeared to grant the company extensive rights over user data.
Angel One Data Breach Exposes Client Information - Indian stockbroker Angel One disclosed a data breach affecting its AWS cloud infrastructure. Discovered on February 27, 2025, the breach involved unauthorised access to client data. The company reset credentials, engaged external experts, and assured that client funds and accounts remain secure.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group’s severity. These updates can be seen below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity
Threat Actor | Severity Change | Opportunity Change | Intent Change
---|---|---|---
RedHotel | Moderate → Moderate | (53) ↓2 | (25) →0
Rey | New → Basic | (30) ↑30 | (30) ↑30
Anubis Ransomware Group | New → Basic | (25) ↑25 | (30) ↑30
BoZar45 | New → Basic | (30) ↑30 | (25) ↑25
telecoms | New → Basic | (30) ↑30 | (5) ↑5
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Qilin (Agenda) Ransomware Group ▲ | Sagerunex ▲ | CVE-2025-21333 ▲ | Veon Ltd ▲
Lazarus Group (Cyber Warfare Guidance Unit, Diamond Sleet) ▲ | Backdoor ▲ | CVE-2024-30085 ▲ | Bybit Exchange ▲
North Korean Hackers ▲ | Botnet ▲ | CVE-2023-32434 ▲ | Android Mobile Phone ▲
Berserk Bear ▲ | Bring Your Own Vulnerable Driver Attack ▲ | CVE-2024-24919 ▲ | Medical Devices Manufacturer ▲
Hamza ▲ | Exploit Chain ▲ | CVE-2024-39720 ▲ | Microsoft Office Outlook ▲
Prominent Information Security Events
Threat Actors Abuse Modified Truesight Driver to Deploy Gh0st RAT and Disable Security Tools
Source: Insikt Group, Cyber Security News | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: SHA256 - 8a955633b93b27bc6c0751064a6ad5d6c0bf7b096d72779ced1a1a73b74cec31
IOC: Domain Name - 129sos.oss-cn-beijing.aliyuncs[.]com
IOC: IP Address - 8.212.102[.]228
Check Point Research uncovered a malware campaign exploiting over 2,500 modified variants of the Truesight.sys (v2.0.2) driver to bypass security measures and deploy Gh0st RAT. Active since mid-2024, the campaign primarily targets victims in Asia, with approximately 75% of infections reported in China. The identity of the threat actor remains unknown.
The campaign follows a three-stage infection process, beginning with phishing websites distributing first-stage payloads disguised as legitimate applications. These payloads act as loaders, downloading and decrypting additional malware.
- Stage 1: The malware retrieves an encrypted second-stage payload disguised as an image file (e.g., PNG, JPG, GIF) and a vulnerable Truesight.sys driver.
- Stage 2: It decrypts and loads the next-stage payload, using DLL side-loading and establishing persistence through scheduled tasks.
- Stage 3: The malware executes an in-memory EDR/AV killer module (S.dll), leveraging Truesight.sys to terminate security processes before deploying Gh0st RAT.
Once installed, Gh0st RAT enables remote access, data exfiltration, and further malware deployment. To evade detection, it encrypts its command-and-control (C2) traffic using a custom XOR+ADD encryption algorithm.
To protect against this campaign, organisations should block the identified indicators of compromise (IOCs). A full list of IOCs can be found in Check Point’s report.
JavaGhost Exploits AWS Cloud for Phishing Campaigns
Source: Insikt Group, Unit 42 | Validated Intelligence Event
Intelligence Cards: Intelligence & Reports
IOC: IP Address - 45.130.83[.]244
IOC: IAM Username - Gh0st_808
IOC: User Agent - aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-113-generic botocore/1.16.19
On 28 February 2025, Palo Alto Unit 42 reported that TGR-UNK-0011, a threat actor linked to JavaGhost, conducted phishing campaigns from 2022 to 2024. JavaGhost, active for over five years, initially engaged in website defacement before shifting to phishing in 2022.
The group exploits misconfigured AWS permissions and uses compromised long-term access keys for initial access. They leverage API calls such as GetServiceQuota and GetFederationToken to evade detection and maintain persistence. JavaGhost exploits Amazon SES and WorkMail to create email accounts and send phishing emails undetected, modifying DKIM settings and SMTP credentials to bypass security.
To ensure persistence, JavaGhost creates IAM users with AdministratorAccess and assigns IAM roles linked to external AWS accounts.
Organisations can mitigate risks by enforcing strict IAM policies, monitoring CloudTrail logs, enabling SES logging, and implementing multi-factor authentication (MFA).
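The CloudTrail monitoring recommended above can be turned into a simple hunt. The script below is an added example, not code from Unit 42 or from this digest: it classifies CloudTrail records against the three IOCs listed for this event and the behaviours described (GetFederationToken/GetServiceQuota calls from a long-term access key, creation of the named IAM user, and AdministratorAccess being attached). It assumes the standard CloudTrail record layout, that long-term access key IDs start with "AKIA", and runs over a constructed sample log with a placeholder key ID.

```python
import json

# Indicators from the digest above, with the defanged "[.]" normalised.
UA = "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-113-generic botocore/1.16.19"
IOC_IPS, IOC_USER_AGENTS, IOC_IAM_USERS = {"45.130.83.244"}, {UA}, {"Gh0st_808"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
SUSPECT_CALLS = {"GetFederationToken", "GetServiceQuota"}  # API calls named in the report


def classify(record):
    """Return the reasons a single CloudTrail record matches the JavaGhost pattern."""
    reasons = []
    params = record.get("requestParameters") or {}
    key_id = record.get("userIdentity", {}).get("accessKeyId", "")
    if record.get("sourceIPAddress") in IOC_IPS:
        reasons.append("source IP matches IOC")
    if record.get("userAgent") in IOC_USER_AGENTS:
        reasons.append("user agent matches IOC")
    # Long-term access keys start with AKIA; the report ties these calls to stolen long-term keys.
    if record.get("eventName") in SUSPECT_CALLS and key_id.startswith("AKIA"):
        reasons.append(f"{record['eventName']} via long-term access key")
    if record.get("eventName") == "CreateUser" and params.get("userName") in IOC_IAM_USERS:
        reasons.append("IAM user name matches IOC")
    if record.get("eventName") == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
        reasons.append("AdministratorAccess attached to an IAM user")
    return reasons


def scan_cloudtrail(log_text):
    """Parse a CloudTrail log body ({"Records": [...]}) and list the flagged events in order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        reasons = classify(rec)
        if reasons:
            findings.append({"eventID": rec.get("eventID"), "eventName": rec.get("eventName"), "reasons": reasons})
    return findings


# Constructed sample log: three events in the JavaGhost pattern plus one benign call.
KEY = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}  # placeholder key id
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "GetFederationToken", "sourceIPAddress": "45.130.83.244",
     "userAgent": UA, "userIdentity": KEY, "requestParameters": {"name": "tmp-session"}},
    {"eventID": "e2", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com", "userIdentity": KEY, "requestParameters": {"userName": "Gh0st_808"}},
    {"eventID": "e3", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com", "userIdentity": KEY,
     "requestParameters": {"userName": "Gh0st_808", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e4", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": KEY, "requestParameters": None},
]})
```

Point scan_cloudtrail at the decompressed contents of a CloudTrail S3 object to run it against real data; the AKIA check alone will fire on legitimate long-term keys, so treat it as a triage signal rather than an alert.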
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
CVE-2025-1305 – Update jsonpath-plus to version 10.3.0
CVE-2023-20118 – Users should disable remote management, block ports 443 and 60443, and replace affected devices with supported models to mitigate the threat.
CVE-2024-53704 – Organisations should upgrade to SonicOS 7.1.3-7015 or 8.0.0-8037 or restrict SSL VPN access as a temporary measure.
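To check whether the jsonpath-plus update has actually reached every copy in a Node.js project, including nested copies pulled in by other dependencies, the lockfile is the place to look. The script below is an added example, not Acumen Cyber's tooling: it walks an npm package-lock.json in either the lockfileVersion 2/3 "packages" layout or the older lockfileVersion 1 "dependencies" tree and reports any jsonpath-plus install below 10.3.0, using a constructed sample lockfile.

```python
import json
import re

PACKAGE = "jsonpath-plus"
FIXED_VERSION = (10, 3, 0)  # fixed release named in the remediation list above


def parse_version(text):
    """'10.2.1' or '10.2.1-beta.1' -> (10, 2, 1); None when the string is not a semver."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def vulnerable_installs(lockfile_text):
    """Return (install path, version) for every copy of jsonpath-plus below the fixed version.

    Handles lockfileVersion 2/3 (flat "packages" map, including nested node_modules copies)
    and the older lockfileVersion 1 nested "dependencies" tree.
    """
    lock = json.loads(lockfile_text)
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == PACKAGE:
                found.append((path, meta.get("version")))
    else:
        def walk(deps, prefix):
            for name, meta in (deps or {}).items():
                path = f"{prefix}node_modules/{name}"
                if name == PACKAGE:
                    found.append((path, meta.get("version")))
                walk(meta.get("dependencies"), path + "/")
        walk(lock.get("dependencies"), "")
    # An unparsable version is reported as well: better a false positive than a missed copy.
    return [(p, v) for p, v in found if (parse_version(v) or (0, 0, 0)) < FIXED_VERSION]


# Constructed lockfile: one outdated top-level copy and one patched nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/jsonpath-plus": {"version": "10.2.0"},
        "node_modules/some-lib": {"version": "2.1.0"},
        "node_modules/some-lib/node_modules/jsonpath-plus": {"version": "10.3.0"},
    },
})

if __name__ == "__main__":
    for path, version in vulnerable_installs(SAMPLE_LOCK):
        print(f"{path}: {version} is below 10.3.0, update required")
```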
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.