Cyware Daily Threat Intelligence, June 26, 2025


Daily Threat Briefing June 26, 2025

A phishing email is all it takes to breach critical infrastructure. The OneClik APT campaign is targeting energy and oil sectors using Microsoft ClickOnce to deliver a .NET loader and Golang backdoor. The malware uses AWS infrastructure to hide in plain sight, evolving through multiple variants with increasingly stealthy techniques.

What do a server board, a home router, and a firewall have in common? They’re all vulnerable, and now officially on CISA’s hit list. CISA has added three exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS.

A familiar name in your WhatsApp inbox might not be who you think it is. APT42 is targeting Israeli cybersecurity experts and academics through highly personalized spear-phishing campaigns. By posing as journalists or researchers and using platforms like WhatsApp, they lure victims to phishing pages disguised as Google Meet, aiming to steal credentials. With over 100 domains linked to the campaign, the scope likely extends well beyond Israel.

Top Malware Reported in the Last 24 Hours

OneClik malware campaign uncovered

The OneClik APT campaign targets the energy, oil, and gas sectors through phishing attacks utilizing Microsoft ClickOnce. This campaign deploys a .NET-based loader named OneClikNet, which installs a Golang backdoor called RunnerBeacon. The malware leverages cloud infrastructure, specifically AWS services, to evade detection by blending malicious activity with legitimate traffic. Key techniques include AppDomainManager hijacking, multi-layer encryption, and anti-debugging measures. The campaign has evolved through three variants—v1a, BPI-MDM, and v1d—each exhibiting increasing sophistication in evasion tactics and C2 obfuscation. 

Malicious Python package targets passlib library

Socket discovered a malicious Python package named "psslib," which typosquats the legitimate "passlib" library. This package, published by the threat actor umaraq, forces Windows systems to shut down immediately upon incorrect password input, exploiting developer trust in security libraries. The malicious code uses the `os` module to execute shutdown commands, resulting in data loss and disruption. While effective on Windows, the shutdown command fails harmlessly on Linux and macOS systems, indicating a targeted attack on Windows development environments.
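A pre-install check in the spirit of this item, written here as an added example (not code from the briefing or from Socket): it parses a requirements file and flags any dependency whose name sits within a short edit distance of a trusted package name, the pattern that lets "psslib" pass for "passlib". The TRUSTED allow-list and the sample requirements are constructed assumptions.

```python
# Typosquat check for a requirements file; an added example, not code from the
# briefing or from Socket. It flags names within a small edit distance of a
# trusted dependency name, e.g. "psslib" next to "passlib". TRUSTED is assumed.
import re

TRUSTED = {"passlib", "requests", "cryptography", "pyjwt"}  # assumed allow-list

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line: str) -> str:
    """Bare project name from one requirements line ('' for blank/comment)."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else ""

def find_typosquats(requirements: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (requested_name, trusted_lookalike, distance) for suspect entries.
    Exact matches against the trusted set are never reported."""
    trusted_norm = {normalize(t): t for t in trusted}
    hits = []
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if not name or normalize(name) in trusted_norm:
            continue
        for tn, original in trusted_norm.items():
            d = levenshtein(normalize(name), tn)
            if d <= max_distance:
                hits.append((name, original, d))
    return hits

# Constructed sample: one lookalike of passlib among legitimate pins.
SAMPLE_REQUIREMENTS = "# constructed\npsslib==1.7.4\nrequests>=2.31\ncryptography\npyjwt[crypto]\n"

if __name__ == "__main__":
    for req, like, dist in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"{req!r} resembles trusted {like!r} (edit distance {dist})")
```

A hit is a prompt to verify the package on the index before installing, not proof of malice; raise max_distance only with a larger allow-list in mind, since short names collide easily.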

Chinese Hive0154 targets Tibet

IBM X-Force researchers identified targeted cyberattacks by China-aligned group Hive0154 deploying Pubload malware via phishing lures aimed at the Tibetan community. Campaigns coincided with culturally significant events like the Dalai Lama’s 90th birthday and the World Parliamentarians’ Convention on Tibet (WPCT). Hive0154 utilized spear phishing emails with Google Drive links containing weaponized ZIP/RAR archives, exploiting DLL sideloading to activate the Claimloader DLL and Pubload payload. Pubload malware features advanced techniques, including TripleDES decryption, reverse shell access, and dynamic API imports, showcasing Hive0154's technical sophistication. 

Top Vulnerabilities Reported in the Last 24 Hours

CISA issues urgent alert

CISA issued an alert about severe vulnerabilities in ControlID iDSecure software, risking authentication bypass and sensitive data leakage. The vulnerabilities include Improper Authentication (CVE-2025-49851), Server-Side Request Forgery (CVE-2025-49852), and SQL Injection (CVE-2025-49853), with CVSS scores up to 9.3. ControlID released version 4.7.50.0 to fix these issues, and CISA advised organizations to update and follow defensive measures like network isolation, secure remote access, and risk assessments.

DoS attacks exploit NetScaler bug

Citrix has issued a warning about a critical vulnerability in NetScaler appliances, tracked as CVE-2025-6543, which is being actively exploited in denial-of-service (DoS) attacks. This flaw affects NetScaler ADC and Gateway versions prior to 14.1-47.46 and 13.1-59.19, as well as ADC 13.1-FIPS and NDcPP before 13.1-37.236. The vulnerability allows unauthenticated remote requests to cause the appliance to go offline. Additionally, another critical vulnerability known as "CitrixBleed 2" (CVE-2025-5777) enables attackers to hijack user sessions by extracting session tokens from memory. Both vulnerabilities pose significant risks, and Citrix has released patches for the affected versions.

CISA adds three flaws to KEV catalog

CISA added three actively exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. CVE-2024-54085 allows remote attackers to take control of AMI MegaRAC SPx devices via authentication bypass. CVE-2024-0769 is a path traversal vulnerability in D-Link DIR-859 routers, enabling privilege escalation; these devices are no longer supported (end-of-life). CVE-2019-6693 involves a hard-coded cryptographic key in Fortinet products, exploited by Akira ransomware actors for network access.

Top Scams Reported in the Last 24 Hours

APT42 spies on Israeli cyber experts

An Iranian state-backed hacking group, APT42 (Charming Kitten, Manticore), is targeting Israeli cybersecurity and computer science experts using spear-phishing tactics. The group impersonates relevant personas, such as journalists or researchers, to gain trust and initiate contact, often using WhatsApp to bypass email filters and appear more legitimate. Their phishing campaigns include personalized messages and requests for meetings, leading victims to credential phishing pages mimicking platforms like Google Meet. The primary targets are high-profile cybersecurity experts, academics, and journalists, possibly as a retaliation for alleged Israeli cyber operations against Iran. Over 100 domains and subdomains have been identified in this campaign, suggesting a broader scope with potential targets beyond Israel.
