Cyber Threat Intelligence Digest: Week 18

7th May 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

SonicWall Discloses Active Exploitation of CVE-2023-44221 and CVE-2024-38475 - On April 29, 2025, SonicWall disclosed two actively exploited vulnerabilities affecting its Secure Mobile Access (SMA) 100 Series Appliances. SMA appliances are secure remote access solutions that enable organisations to provide granular, policy-enforced access to corporate resources for remote users across various devices and platforms. The technical details of these vulnerabilities are as follows:

  • CVE-2023-44221 is a high-severity post-authentication OS command injection vulnerability in the SMA 100 Series. Exploitation could allow threat actors to execute arbitrary system commands with limited privileges by abusing improper input sanitisation in the device's management interface.
  • CVE-2024-38475 is a critical path traversal vulnerability in SMA 100 Series (SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices). Exploitation could allow threat actors to manipulate URL mappings and gain unauthorised access to unintended file system locations by leveraging improper output escaping in the mod_rewrite module of Apache HTTP Server versions 2.4.59 and earlier.


EPSON Discloses Incorrect Default Permission Vulnerability Affecting Printer Driver for Windows - On April 28, 2025, Epson patched CVE-2025-42598, an incorrect default permission vulnerability affecting its printer driver for Windows systems. The flaw arises when the Epson Windows driver is installed in a non-English environment or when the system language is changed from English to another language. Exploitation could allow threat actors to execute arbitrary code with SYSTEM-level privileges on a Windows system. At the time of writing, there have been no reports of this vulnerability being exploited in the wild.


Commvault Reveals Unknown State-Sponsored Threat Actor Exploited CVE-2025-3928 to Breach Its Microsoft Azure Environment - On February 20, 2025, Microsoft notified enterprise data backup provider Commvault of unauthorised activity within its Microsoft Azure environment attributed to a suspected state-sponsored threat actor. According to their March 7, 2025, security advisory, Commvault confirmed that the threat actors exploited a zero-day vulnerability, CVE-2025-3928, affecting the Commvault Web Server. Successful exploitation of CVE-2025-3928 could allow threat actors to create and execute maliciously crafted webshells, leading to system compromise.

In an April 27, 2025, security advisory update, Commvault revealed that the attack impacted a small number of customers shared with Microsoft, but found no evidence of unauthorised access to any customer backup data stored by Commvault. Additionally, investigations revealed that the breach did not disrupt business operations or product delivery.


Potential Threats

Updated TTP Instance for StealC v2 - On April 11, 2025, Insikt Group published a TTP Instance detailing the analysis of StealC v2, an updated version of the information stealer originally discovered in 2022. StealC, written in C++, is known for targeting browser credentials, files, and cryptocurrency wallets.

In March 2025, the StealC developer known as "plymouth" announced the release of StealC v2 on Exploit Forum. StealC v1 was subsequently deprecated on or around April 3, 2025. References to this announcement can be found in the Validation URLs provided in this note.


Ransomware Group Nitrogen Targets Organisations via Fake Utility Downloads and Cobalt Strike Beacons - The Nitrogen ransomware group is actively targeting organisations with malvertising campaigns and uses Cobalt Strike for post-exploitation activities. According to an April 29, 2025, report by Nextron Systems, the campaign was first discovered in September 2024 and initially targeted victims in the US and Canada. It later expanded to Africa and Europe. At the time of writing, ransomware[.]live lists 21 known Nitrogen victims.

Nitrogen's malvertising attack chain begins with fake WinSCP download ads. Once victims click the malicious ad, it redirects them to a compromised WordPress site. The site delivers a ZIP archive containing a Python executable labelled setup.exe, three legitimate DLLs, and a malicious Python DLL named python312.dll (NitrogenLoader). Once executed, the installation appears normal, while NitrogenLoader is sideloaded into memory by exploiting Windows' default DLL search order.

Once deployed, NitrogenLoader establishes communication with Nitrogen's command-and-control (C2) server. Following the initial foothold, the group drops additional executables (Intel64.exe, tcpp.exe, and IntelGup.exe) and Cobalt Strike to maintain persistence and enable lateral movement. To evade detection, Nitrogen clears critical Windows event logs, including PowerShell logs, on the compromised system.
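The two host-side behaviours described above (python312.dll sideloaded beside a user-downloaded setup.exe, follow-on binaries, and event-log clearing) can be turned into simple detection logic. The following is an added example, not code from the Nextron Systems report; the event record layout is an assumption, and the sample records are constructed. Event IDs used are Sysmon 1 (process create) and 7 (image load), Security 1102 and System 104 (log cleared).

```python
# Detection routine over constructed Windows/Sysmon-style event records.
# Flags: unsigned python312.dll loaded from a user-writable path, execution of
# the follow-on binaries named in the report, and event-log clearing.
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
SIDELOAD_DLLS = {"python312.dll"}                      # NitrogenLoader file name per the report
FOLLOW_ON_EXES = {"intel64.exe", "tcpp.exe", "intelgup.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}   # "log cleared" events

def check_event(ev: dict) -> list[str]:
    """Return finding strings for one event record (empty list if nothing matched)."""
    findings = []
    chan, eid = ev.get("channel"), ev.get("event_id")
    if chan == SYSMON and eid == 7:                      # image load
        loaded = ev.get("image_loaded", "").lower()
        if (loaded.rsplit("\\", 1)[-1] in SIDELOAD_DLLS
                and USER_WRITABLE.match(loaded) and not ev.get("signed", False)):
            findings.append(f"possible DLL sideload: {ev.get('image')} loaded unsigned {loaded}")
    if chan == SYSMON and eid == 1:                      # process create
        exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if exe in FOLLOW_ON_EXES:
            findings.append(f"known Nitrogen follow-on binary executed: {exe}")
    if (chan, eid) in LOG_CLEAR_IDS:
        findings.append(f"event log cleared: channel={chan} user={ev.get('user')}")
    return findings

def scan(events: list[dict]) -> list[str]:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample records (not real telemetry). Layout is an assumption.
SAMPLE_EVENTS = [
    {"channel": SYSMON, "event_id": 7, "image": r"C:\Users\alice\Downloads\WinSCP\setup.exe",
     "image_loaded": r"C:\Users\alice\Downloads\WinSCP\python312.dll", "signed": False},
    {"channel": SYSMON, "event_id": 7, "image": r"C:\Program Files\Python312\python.exe",
     "image_loaded": r"C:\Program Files\Python312\python312.dll", "signed": True},  # benign load
    {"channel": SYSMON, "event_id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\Intel64.exe"},
    {"channel": "Security", "event_id": 1102, "user": "CORP\\alice"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The benign second record (the real interpreter loading its own DLL from Program Files) is there to show that the path condition, not the DLL name alone, is what makes the first record suspicious.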


Analysis of the New FICORA Botnet Variant - On April 27, 2025, 360 Threat Intelligence Centre published a write-up detailing a new variant of the FICORA botnet, a variant of the Mirai botnet. FICORA, active since at least October 2024, derives its name from the keyword "FICORA" in its decrypted configuration tables.

Per 360 Threat Intelligence Centre, threat actors recently used the new FICORA botnet variant to conduct widespread distributed denial-of-service (DDoS) attacks and have infected over 13,000 devices, primarily located in China. Based on 360 Threat Intelligence Centre's write-up, threat actors distribute FICORA by exploiting vulnerable devices through brute-force attacks.


General News

Harrods becomes latest retailer to announce attempted cyberattack - Harrods, the luxury department store in London, has become the latest U.K. retailer to announce detecting an attempted cyberattack following similar announcements by Marks & Spencer and the Co-op. In a statement on Thursday, Harrods said it had "recently experienced attempts to gain unauthorised access to some of our systems" but that its "IT security team immediately took proactive steps to keep systems safe." "As a result, we have restricted internet access at our sites today," the company added, but stressed that both in-person and online shopping remained unaffected.

It follows a similar announcement by the Co-op, which said on Wednesday that it had proactively shut down part of its IT systems due to an incident. While staff reported that the system they use to clock in for their shifts was down, there did not appear to be any more substantial impact.


Threat Actor Accesses Government and Corporate Messages in TeleMessage Breach - On May 4, 2025, 404 Media reported that an unidentified threat actor gained unauthorised access to internal systems belonging to TeleMessage, an Israeli company that modifies encrypted messaging applications such as Signal, WhatsApp, and Telegram to enable message archiving for government agencies and financial institutions.

The threat actor exfiltrated user credentials and partial message content from these systems. The data included names and contact details of US Customs and Border Protection personnel, employees at Coinbase and Galaxy Digital, and messages discussing the legislative status of a cryptocurrency bill in the US Senate. The breach followed media reports that former National Security Advisor Mike Waltz was photographed using TeleMessage's modified Signal application during a cabinet meeting with President Trump.

According to 404 Media, the actor used credentials exposed in debug data to access TeleMessage's backend system, hosted on an Amazon Web Services production server in Northern Virginia. TM SGNL, TeleMessage's custom-built version of the Signal application for archiving, forwards message content to this server. The Android source code reportedly confirms that the application transmits message data unencrypted, allowing the actor to intercept messages in transit.


Patients left in the dark months after cybercriminals leak testing lab data - More than 11 months after a ransomware group published information from a U.K. pathology services company, the affected patients still have not been informed about what data of theirs was exposed in the incident, with material about sexually transmitted infections and cancer cases being included in the leaks. The data was compromised during an attack by the Qilin cybercrime group against London-based Synnovis last June. The attack severely disrupted care at a large number of National Health Service (NHS) hospitals and care providers in London.

Synnovis maintains an information page about the incident, but it still has not provided an estimate of the number of patients impacted, nor a detailed list of what data was published by the criminals. The page confirms that some patient information was compromised, and says: "In some circumstances this information may contain personal data such as names, NHS numbers and test codes (identifying the requested test), although analysis is ongoing." Contacted again this week, the company described the process as "significantly advanced" but still ongoing.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group’s severity. These updates can be seen below.


Severity bands: Limited, Basic, Moderate, High

Threat Actor     Severity              Opportunity   Intent
FIN7             High / High           81 / 80       45 / 30
BlueDelta        High / High           86 / 84       35 / 25
Pioneer Kitten   Moderate / Moderate   86 / 84       35 / 25
rawmeat          NEW / Basic           NEW / 30      NEW / 25
krava            NEW / Basic           NEW / 25      NEW / 26


Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol. 

The spikes in references are calculated over 60 days and are normalised to ensure they aren’t disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike: indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise: indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                  Methods              Vulnerabilities   Targets
Pakistani Hackers          Play Ransomware      CVE-2025-3928     TeleMessage
Indian Hackers             Cyber Spying         CVE-2025-7399     Curve
Rhysida Ransomware Group   Social Engineering   CVE-2025-31324    Marks & Spencer
APT36                      Account Takeover     CVE-2025-38475    Harrods
Scattered Spider           ROMCOM RAT           CVE-2025-41040    IDSA


Prominent Information Security Events

Updated TTP Instance for StealC v2

Source: Insikt Group | Validated Intelligence Event

IOC: SHA256 - f02986c8beb4ae23fd9c1e4d923a208b2afcb69811d52aed3dc85ad60badf472

IOC: SHA256 - 8aefa989626374e451620567517cc8862478a770ec0f2da0a910f3f8b5495422

IOC: SHA256 - a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385

On April 11, 2025, Insikt Group published a TTP Instance detailing the analysis of StealC v2, an updated version of the information stealer originally discovered in 2022. StealC, written in C++, is known for targeting browser credentials, files, and cryptocurrency wallets. In March 2025, the StealC developer known as "plymouth" announced the release of StealC v2 on Exploit Forum. StealC v1 was subsequently deprecated on or around April 3, 2025. References to this announcement can be found in the Validation URLs provided in this note.

Insikt Group obtained the following StealC v2 sample for analysis from Recorded Future Malware Intelligence:

  • 6b638236003f92b54a83abd988b3a9f92bd58c0c7727a637bc0e191597a421ad

Insikt Group first analysed this sample in a TTP Instance note published on April 11, 2025. On May 1, 2025, cybersecurity firm Zscaler published a blog discussing StealC v2 updates, corroborating the findings observed by Insikt Group, as outlined below.

As observed in StealC v1, StealC v2 continues to use an RC4 key for string decryption. Based on static analysis, StealC v2 includes the following new capabilities:

  • RC4 encryption for network communications.
  • Introduction of a self_delete flag, allowing the C2 server to instruct the malware to self-delete.
  • Transition from WinINet (wininet.dll) to WinHTTP for improved payload download reliability.
  • Support for downloading and executing payloads in multiple formats:
      • Executable (.exe) files
      • Microsoft Installer (.msi) files
      • PowerShell scripts
  • Screenshot capture functionality.
  • Compiled for x64 architectures.
  • JSON-based network protocol with RC4 encryption.
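The capability list above describes RC4-protected strings and a JSON-based C2 protocol carrying a self_delete flag and payloads in several formats. As an added example (not code from Insikt Group or Zscaler), the following decrypts a captured message of that shape with a recovered key and validates the fields before acting on them; the key, field names and sample message are assumptions, and RC4 is the standard KSA/PRGA.

```python
# RC4 decryption of an RC4-wrapped JSON C2 message, as an analyst would do
# offline with a key recovered from a sample. Field names are assumed.
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

PAYLOAD_TYPES = {"exe", "msi", "ps1"}             # the three formats listed in the report

def parse_c2_message(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured C2 response and validate the fields we rely on."""
    msg = json.loads(rc4(key, blob).decode("utf-8"))  # wrong key -> ValueError
    if not isinstance(msg.get("self_delete"), bool):
        raise ValueError("self_delete must be a boolean")
    if msg.get("payload_type") not in PAYLOAD_TYPES:
        raise ValueError(f"unknown payload type: {msg.get('payload_type')!r}")
    return msg

# Constructed sample: a test message encrypted with a placeholder key.
SAMPLE_KEY = b"example-rc4-key"                   # placeholder, not a real StealC key
SAMPLE_PLAINTEXT = {"self_delete": True, "payload_type": "ps1",
                    "payload_url": "http://c2.invalid/update.ps1"}   # .invalid is reserved
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_PLAINTEXT).encode("utf-8"))

if __name__ == "__main__":
    m = parse_c2_message(SAMPLE_KEY, SAMPLE_BLOB)
    print("self-delete requested:", m["self_delete"], "| payload type:", m["payload_type"])
```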


Analysis of the New FICORA Botnet Variant

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 198783c5a2a79fa601aeab32c54580f9c94b661c2fd6045671307891b00ea165

IOC: IP - 216[.]146[.]26[.]30

IOC: IP - 194[.]87[.]198[.]253

IOC: IP - 63[.]231[.]92[.]27

On April 27, 2025, 360 Threat Intelligence Centre published a write-up detailing a new variant of the FICORA botnet, a variant of the Mirai botnet. FICORA, active since at least October 2024, derives its name from the keyword “FICORA” in its decrypted configuration tables. Per 360 Threat Intelligence Centre, threat actors recently used the new FICORA botnet variant to conduct widespread distributed denial-of-service (DDoS) attacks and have infected over 13,000 devices, primarily located in China. Based on 360 Threat Intelligence Centre’s write-up, threat actors distribute FICORA by exploiting vulnerable devices through brute-force attacks using the following known security vulnerabilities:

  • CVE-2024-33112: a command injection vulnerability in TOTOLINK router models that allows remote threat actors to execute arbitrary system commands without authentication.
  • CVE-2024-7029: a critical remote code execution (RCE) vulnerability affecting multiple Zyxel firewall and virtual private network (VPN) products (for example, USG FLEX, ATP, and VPN series), enabling threat actors to upload and run malicious code via crafted network requests.
  • CVE-2023-1389: an authentication bypass vulnerability in TP-Link Archer AX21 Wi-Fi routers that allows unauthenticated threat actors to gain remote administrative control over the device.

After gaining initial access, threat actors deploy a malicious script specific to the system’s architecture (builds for ARM, X86_64, and MIPS are supported) to implant the FICORA botnet. To evade detection, FICORA randomises its filename from a predefined list of six names and outputs a benign-looking string, “For God so loved the world”, to the system’s terminal.

FICORA then retrieves its command-and-control (C2) infrastructure using two methods. In the first method, FICORA retrieves hard-coded C2 IP addresses embedded within its binary. It randomly selects from a pool of six hard-coded IPs or ten predefined C2 DNS addresses to initiate communication. In the second method, FICORA dynamically obtains C2 addresses over the network: it receives an encrypted string containing a set of C2 IPs decrypted by applying an XOR operation with a hard-coded key and then Base64 decoding the result.
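The second C2-retrieval method above is a two-step transformation that an analyst can reproduce offline on a captured string. The following decoder is an added example, not code from the 360 Threat Intelligence Centre write-up; it applies the steps in the order the report gives (XOR with a hard-coded key, then Base64 decode) and keeps only tokens that parse as IPv4 addresses. The key, the comma separator and the sample string are constructed for illustration.

```python
# Decoder for an XOR-then-Base64 encoded C2 address list, plus the inverse
# transform used only to build the constructed sample below.
import base64
import ipaddress

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_c2_list(encrypted: bytes, key: bytes) -> list[str]:
    """XOR with the key, Base64-decode, then keep only valid IPv4 addresses."""
    decoded = base64.b64decode(xor_bytes(encrypted, key), validate=True).decode("ascii")
    addrs = []
    for token in decoded.split(","):              # separator is an assumption
        try:
            addrs.append(str(ipaddress.IPv4Address(token.strip())))
        except ValueError:                        # discard anything that is not an address
            continue
    return addrs

def encode_c2_list(addrs: list[str], key: bytes) -> bytes:
    """Inverse of decode_c2_list: Base64-encode the joined list, then XOR."""
    return xor_bytes(base64.b64encode(",".join(addrs).encode("ascii")), key)

SAMPLE_KEY = b"\x5a\xa5\x3c"                      # placeholder key, not from the report
SAMPLE_C2S = ["192.0.2.10", "198.51.100.7", "203.0.113.9"]   # RFC 5737 documentation ranges
# Constructed blob; the trailing junk token shows the validation step discarding it.
SAMPLE_BLOB = encode_c2_list(SAMPLE_C2S + ["not-an-ip"], SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_c2_list(SAMPLE_BLOB, SAMPLE_KEY))
```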


Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2023-44221 and CVE-2024-38475: Apply the latest security updates from SonicWall and Apache to patch the actively exploited vulnerabilities.
  • CVE-2025-42598: We recommend installing the patch provided by Epson to reduce the risk of exploitation.
  • CVE-2025-3928: Upgrade Commvault software to the patched versions to address the actively exploited vulnerability.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.