Cyware Daily Threat Intelligence, April 02, 2025


Daily Threat Briefing April 2, 2025

Searching for a legal doc shouldn't get you malware, but Gootloader is counting on it. In its latest campaign, the threat actors are using Google Ads to lure users into downloading malicious templates. One click leads to a ZIP file with a JavaScript payload that kicks off scheduled tasks and PowerShell scripts, pulling in further payloads from compromised WordPress blogs.

Ukrainian banking customers are the latest target in a campaign using Emmenhtal Loader to drop SmokeLoader. Delivered via a booby-trapped 7-Zip archive, the attack blends PDF lures with LOLBAS tactics to execute payloads, slipping through defenses with anti-analysis tricks while quietly loading modular malware.

Old routers don’t die, they just become attack surfaces. A 2017 Netgear model, long past its support window, was found riddled with zero-days. Eight vulnerabilities, including command injection and buffer overflows, expose critical functions like UPnP and email settings, giving attackers multiple ways in.

Top Malware Reported in the Last 24 Hours

Hackers exploit Microsoft Teams, drop malware

A new malware campaign targets Microsoft Teams users to gain access to corporate systems. The attack begins with a phishing message sent via Microsoft Teams, tricking users into clicking on malicious links or running embedded scripts. The attackers then use PowerShell scripts to bypass traditional defenses and deliver malware capable of stealing credentials and establishing persistent backdoors. The attack unfolds in several stages, including initial delivery via Teams message, abuse of remote assistance tools, DLL sideloading to evade detection, and establishing C2 through a Node.js-based backdoor.

Updated Hijack Loader surfaces

Cybersecurity researchers have discovered an updated version of Hijack Loader, which implements new features to evade detection and establish persistence on compromised systems. Hijack Loader delivers second-stage payloads such as info-stealers and comes with a variety of modules to bypass security software and inject malicious code. The latest iteration adds call stack spoofing to hide the origin of function calls, uses the Heaven's Gate technique for process injection, and incorporates two new modules: ANTIVM, which detects virtual machines and sandboxes used for malware analysis, and modTask, which sets up persistence via scheduled tasks.

Gootloader resurfaces in fresh campaign

The Gootloader malware has re-emerged with a new campaign that combines traditional social engineering tactics with modern ad-based delivery methods. The operators are now using Google Ads to target individuals searching for legal document templates. The attack chain begins with a Google search, where a sponsored ad from a seemingly legitimate legal document provider, lawliner[.]com, appears among the top results. Upon clicking, users are prompted to enter their email address to access the document. They then receive an email containing a link to download a ZIP archive with a JavaScript file. When executed, this file performs classic Gootloader behavior: it creates a scheduled task, drops another .js file, and launches PowerShell scripts that attempt to reach out to a series of compromised WordPress blogs.

Emmenhtal drops SmokeLoader, targets bank

Researchers discovered a malicious campaign targeting the First Ukrainian International Bank using the Emmenhtal Loader, also known as Peaklight, which has been active since early 2024. The campaign uses a 7-Zip archive delivered via email, which contains a bait PDF file and a shortcut disguised as a PDF. The shortcut's Target field is abused to launch Mshta via PowerShell, which in turn downloads and executes a binary carrying a malicious HTA script from a remote file server. The Emmenhtal Loader is then used to deploy SmokeLoader, a modular malware that can download and execute additional malware, steal credentials, execute remote commands, evade detection, and use anti-analysis and anti-debugging techniques. The use of the Emmenhtal Loader in this campaign is part of an ongoing trend in malware development that leverages LOLBAS techniques, allowing threat actors to deploy secondary payloads while relying on built-in Windows utilities for evasion.

Top Vulnerabilities Reported in the Last 24 Hours

Eight 0-days in Netgear routers

A security researcher has discovered eight zero-day vulnerabilities in the Netgear WNR854T, a router model from 2017 that is no longer supported. These vulnerabilities include buffer overflows and command injection flaws, which could potentially allow attackers to gain control of the affected devices. The vulnerabilities are tracked as CVE-2024-54802 through CVE-2024-54809. They affect various aspects of the router, such as the UPnP service, PPPoE configuration, WAN hostname configuration, email notification functionality, and more.

Critical bug in Canon printer devices

Microsoft's Offensive Research and Security Engineering (MORSE) team has discovered a critical code execution vulnerability, identified as CVE-2025-1268, in certain Canon printer drivers. This out-of-bounds issue affects production printers, office/small office multifunction printers, and laser printers, specifically impacting the EMF recode processing of Generic Plus PCL6, UFR II, LIPS4, LIPSXL, and PS printer drivers. An attacker could potentially exploit this flaw to prevent printing and/or execute arbitrary code under certain conditions.
