Cyware Daily Threat Intelligence, May 20, 2025


Daily Threat Briefing May 20, 2025

A fake KeePass build is more than just a phony password manager. Promoted as a legitimate KeePass installer and spread via Bing ads, KeeLoader steals passwords and establishes Cobalt Strike beacons linked to UNC4696, an IAB known for working with Black Basta and BlackCat/ALPHV affiliates.

Broadcom just plugged a string of VMware bugs. The company issued security patches for four vulnerabilities across ESXi, vCenter Server, Workstation, and Fusion. The most critical (CVE-2025-41225) scores an 8.8 CVSS and lets privileged users execute arbitrary commands on vCenter.

Microsoft Outlook users are in the crosshairs again. A new campaign is abusing the W3LL phishing kit to steal Microsoft 365 credentials via adversary-in-the-middle techniques. This PhaaS toolkit bypasses MFA by intercepting sessions and uses realistic login pages, often posing as Adobe, to fool victims.

Top Malware Reported in the Last 24 Hours

More malicious PyPI packages

Cybersecurity researchers identified three malicious PyPI packages—"checker-SaGaF," "steinlurks," and "sinnercore"—that exploited Instagram and TikTok APIs to validate stolen email addresses, facilitating attacks like credential stuffing and doxxing. Additionally, "dbgpkg," a package posing as a debugging tool, implanted backdoors for data exfiltration, potentially linked to the hacktivist group Phoenix Hyena. Another npm package, "koishi-plugin-pinhaofa," installed a data-exfiltration backdoor in chatbots, capturing sensitive user messages. All these malicious packages have since been removed from their respective repositories.

Fake KeePass paves way for ransomware

Threat actors have distributed a trojanized version of the KeePass password manager, called KeeLoader, to install Cobalt Strike beacons, steal credentials, and deploy ransomware. The malicious KeePass installer was promoted via Bing advertisements and fake software sites, utilizing modified open-source code. KeeLoader includes functionality to export KeePass database data (including credentials) in cleartext, which is then stolen. Cobalt Strike watermarks in this campaign are linked to an Initial Access Broker associated with Black Basta ransomware attacks. The activity is attributed to UNC4696, a threat actor group previously linked to Nitrogen Loader campaigns and BlackCat/ALPHV ransomware.

Top Vulnerabilities Reported in the Last 24 Hours

Critical vulnerability in Auth0-PHP SDK

A critical vulnerability in the Auth0-PHP SDK, affecting versions 8.0.0-BETA1 and newer that use the CookieStore session storage configuration, allows brute force attacks on session cookies, enabling unauthorized access. The vulnerability compromises cryptographic authentication tags, leading to potential session hijacking and unauthorized actions by attackers. Affected systems include applications using Auth0 integrations such as Symfony, Laravel, and WordPress with the vulnerable configuration. Okta has released a patch in version 8.14.0 of the Auth0-PHP SDK, which fixes the vulnerability by improving cryptographic mechanisms.

Broadcom patches multiple bugs

Broadcom issued fixes for four VMware vulnerabilities affecting ESXi, vCenter Server, Workstation, and Fusion, with risks ranging from RCE to XSS. CVE-2025-41225 allows privileged attackers to execute arbitrary commands on vCenter Server and is rated with a CVSS score of 8.8. CVE-2025-41226 is a moderate DoS vulnerability in ESXi, triggered by malicious actors with guest operation privileges. CVE-2025-41227 impacts ESXi, Workstation, and Fusion, enabling host memory exhaustion by low-privileged users in a guest OS. CVE-2025-41228 is a reflected XSS vulnerability affecting ESXi and vCenter Server, exploitable through improper input validation. Patches are available for ESXi 7.0 and 8.0, vCenter Server 7.0 and 8.0, Workstation 17.x, and Fusion 13.x.

Top Scams Reported in the Last 24 Hours

W3LL phishing kit steals Outlook credentials

Cybersecurity researchers have identified a phishing campaign using the W3LL phishing kit, targeting Microsoft 365 Outlook credentials through AitM techniques that bypass multi-factor authentication. The kit operates as a PhaaS tool, allowing attackers to create tailored campaigns using deceptive webpages, such as cloned Adobe login pages. Stolen credentials are sent to a remote PHP script on teffcopipe[.]com. The kit employs obfuscated PHP files and utilizes valid Let’s Encrypt certificates to enhance its legitimacy.

Tycoon2FA gang targets Microsoft 365 users

Microsoft 365 users are being targeted by a new phishing campaign orchestrated by the Tycoon2FA group. This campaign employs malformed URLs with backslashes (https:\) to bypass email security filters and lead users to credential-harvesting sites. These phishing emails often mimic legitimate Microsoft notifications, exploiting users' trust and urgency. 
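The backslash trick above works because many filters only recognise URLs written as "scheme://host", while WHATWG-style URL parsers in browsers and mail clients treat backslashes after http/https as slashes. The following detection is an added example, not code from the briefing or from any vendor: it scans a constructed email body for links whose scheme separator is not exactly "://" and returns the URL the client would actually open, so the normalised host can be fed to the same reputation checks as a well-formed link.

```python
import re

# Constructed sample email body (not taken from the briefing): two links that
# use backslashes after the scheme and one well-formed Microsoft link.
SAMPLE_EMAIL_BODY = r"""Action required: your Microsoft 365 password expires today.
Review now: https:\login-m365-verify.example\auth
Or use: http:\\accounts-check.example/secure
Legit reference: https://learn.microsoft.com/en-us/
"""

# scheme, then ':' and any run of slashes/backslashes (including none),
# then a host with at least one dot and a TLD, then the rest of the link.
MALFORMED_URL_RE = re.compile(
    r"""\b(https?):([\\/]*)([A-Za-z0-9.-]+\.[A-Za-z]{2,})([^\s<>"']*)""",
    re.IGNORECASE,
)


def find_malformed_urls(text):
    """Return (raw_link, normalised_url) for every link whose separator
    after the scheme is not exactly '://'. Well-formed links are left to
    the normal URL checks. Backslashes are folded to '/' the way a
    WHATWG-compliant parser treats them for http(s)."""
    hits = []
    for match in MALFORMED_URL_RE.finditer(text):
        scheme, separators, host, rest = match.groups()
        if separators == "//":
            continue
        path = rest.replace("\\", "/")
        normalised = f"{scheme.lower()}://{host.lower()}{path}"
        hits.append((match.group(0), normalised))
    return hits


def hosts_to_check(text):
    """Normalised hosts from malformed links, ready for a blocklist or
    reputation lookup (any lookup itself is out of scope here)."""
    return sorted({url.split("/")[2] for _, url in find_malformed_urls(text)})


if __name__ == "__main__":
    for raw, normalised in find_malformed_urls(SAMPLE_EMAIL_BODY):
        print(f"malformed link: {raw!r} -> would open {normalised}")
    print("hosts to check:", hosts_to_check(SAMPLE_EMAIL_BODY))
```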

Threats in Spotlight

SideWinder APT targets South Asian ministries

South Asian government institutions in Sri Lanka, Bangladesh, and Pakistan were targeted by the SideWinder APT group using spear-phishing emails and geofenced payloads. The attackers exploited Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to deploy StealerBot malware, which collects sensitive data such as passwords, keystrokes, and files. SideWinder’s tactics include impersonating official organizations with lure documents, such as the "Sri Lanka Customs National Imports Tariff Guide 2025," to entice victims into opening malicious files. Targeted institutions include Sri Lanka’s Army 55th Division and the Central Bank of Sri Lanka, with customized phishing emails and documents tailored to their interests.
