Cyware Daily Threat Intelligence, February 12, 2025


Pirated software isn’t just a bargain, it’s a backdoor. Russian hackers are using fake KMS activators and bogus Windows updates to slip malware onto unsuspecting systems in Ukraine. The disguised installers deploy DarkCrystal RAT, turning routine software installations into a Trojan horse for cyber-espionage.

Microsoft’s February Patch Tuesday is here. This month’s update tackles 55 security flaws, including four zero-days - two of which are actively exploited. Among the most critical fixes are three RCE vulnerabilities, reinforcing why timely patching isn’t just recommended, it’s essential.

Romance scams aren’t new, but cybercriminals are getting bolder just in time for Valentine’s Day. A phishing campaign disguised as a Valentine basket giveaway has been circulating, tricking victims into handing over personal data. Researchers found tens of thousands of newly registered Valentine-themed websites in January alone, with 1 in 72 flagged as malicious.

Top Malware Reported in the Last 24 Hours

Sandworm drops DarkCrystal RAT on Ukraine

Sandworm, the Russian military cyber-espionage group, is attacking Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. The attackers use the BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, which has been connected to previous Sandworm activity. Researchers identified seven malware distribution campaigns using similar tactics. Sandworm exploits the high prevalence of pirated software in Ukraine to embed malware in commonly used programs.

Team Triplestrength triples the trouble

A newly identified gang called Triplestrength has been found infecting computers with ransomware and hijacking cloud accounts to mine cryptocurrency. Triplestrength has been involved in ransomware attacks since at least 2020, targeting on-premises systems rather than cloud infrastructure. The team has used Windows malware such as LokiLocker, Phobos, and RCRU64, all of which are leased under a ransomware-as-a-service (RaaS) model. The group also uses tools such as Mimikatz and NetScan.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft February 2025 Patch Tuesday

Microsoft's February 2025 Patch Tuesday includes security updates for 55 flaws, including four zero-day vulnerabilities, two of which are being actively exploited. Three of the fixes address critical remote code execution vulnerabilities. The vulnerabilities break down as: 19 Elevation of Privilege, 2 Security Feature Bypass, 22 Remote Code Execution, 1 Information Disclosure, 9 Denial of Service, and 3 Spoofing. This Patch Tuesday addresses two actively exploited zero-day vulnerabilities (CVE-2025-21391 and CVE-2025-21418) and two publicly disclosed ones.

Adobe fixes 45 vulnerabilities

Adobe released patches for at least 45 vulnerabilities across various products, warning users about the risk of remote code execution. Critical bugs were found in Adobe Commerce that could allow arbitrary code execution and security feature bypass, and Adobe advised business customers to apply these patches promptly. Other products, including Adobe InDesign, Illustrator, and Substance 3D Designer, also received updates for critical vulnerabilities.

Ivanti patches critical bugs

Ivanti has issued security updates to fix several security flaws in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA), which could allow hackers to run arbitrary code. The vulnerabilities include CVE-2024-38657, CVE-2025-22467, CVE-2024-10644, and CVE-2024-47908, all scoring high on the CVSS scale. The updates are available in new versions: Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5.

Patch this SonicWall flaw!

The CVE-2024-53704 vulnerability in the SonicOS SSLVPN application enables unauthorized access by bypassing authentication. Researchers developed an exploit that sends a crafted session cookie to the SSL VPN endpoint; the resulting incorrect validation logs out the victim and grants the attacker access to their session, including the victim's bookmarks and private network resources. The vulnerability affects specific SonicOS versions, and patches have been released. As of February 7, about 4,500 SonicWall SSL VPN servers remained unpatched.

Top Scams Reported in the Last 24 Hours

Valentine’s Day phishing threats

In late January, Check Point Research found a phishing email campaign offering a Valentine basket. The otherwise identical emails carried different store names and encouraged recipients to answer questions to receive a basket, but linked to malicious sites aimed at stealing personal information. The researchers also noted that over 18,000 new Valentine's-related websites were created, a 5% rise from the month before, and that 1 in 72 of them was found to be malicious. There was also a 123% increase in newly registered Valentine’s websites.
