
Cyware Daily Threat Intelligence, February 06, 2025


Daily Threat Briefing Feb 6, 2025

Cybercriminals are getting more sophisticated, turning search engines into traps. A fake Google ad for Cisco AnyConnect led unsuspecting users to a counterfeit website, mimicking a German university to evade security filters. The fraudulent site redirected victims to a spoofed Cisco download page, pushing NetSupport RAT as the legitimate AnyConnect installer.

Russian organizations are under fire as attackers distribute NOVA stealer, a new variant of SnakeLogger, through phishing emails. Advertised on underground forums as MaaS for as little as $50 per month, NOVA is designed for credential theft, keylogging, and clipboard data extraction.

Cisco has patched two critical vulnerabilities in its Identity Services Engine, which could allow remote attackers to execute commands and manipulate system configurations. Exploited through specially crafted API requests, these flaws pose significant risks for enterprises using ISE for authentication and network control.

Top Malware Reported in the Last 24 Hours

University site drops fake Cisco installer

A malicious Google ad for Cisco AnyConnect was recently used to gain remote access to networks. The attackers used the name of a German university for a fake website designed to evade security detection, which redirected victims to a counterfeit Cisco site serving a malicious installer for the NetSupport RAT. The ad appears in searches for "cisco anyconnect" and presents a convincing URL. Clicking the ad triggers server-side checks to identify potential victims. Criminals now use AI to craft deceptive pages.

Fake banking apps target India

Indian bank users have become the primary victims of a sophisticated mobile malware campaign identified by Zimperium zLabs, involving banking trojans that target banks and government institutions. The malware uses live phone numbers to intercept SMS messages, stealing sensitive financial and personal data. The campaign is attributed to a single actor called FatBoyPanel, who has deployed over 1,000 malicious Android apps disguised as legitimate tools, mainly shared via WhatsApp. Victims are tricked into revealing important information such as Aadhaar and PAN card details. Around 900 malware samples and 1,000 phone numbers were identified, many registered in West Bengal, Bihar, and Jharkhand, affecting about 50,000 victims.

NOVA stealer sold as MaaS

Researchers observed a campaign distributing NOVA stealer, targeting Russian organizations. The malware is a new version of SnakeLogger and is offered as Malware-as-a-Service (MaaS) on underground forums, starting at $50 for a 30-day license. The campaign involves sending phishing emails with NOVA in archive attachments that look like contracts. Once opened, the malware embeds itself in the system and evades detection. NOVA can steal credentials, log keystrokes, take screenshots, and extract clipboard data.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches ISE bugs

Cisco has released updates to fix two critical security flaws in the Identity Services Engine (ISE), which could allow remote attackers to run commands and gain higher access on affected devices. One of the vulnerabilities is CVE-2025-20124, which allows attackers to execute commands as the root user. The other one is CVE-2025-20125, which lets attackers access sensitive information and change configurations. Both can be exploited by sending specially crafted data to a specific API. Cisco recommends updating to the fixed software versions to ensure protection, as there are no workarounds available.

XE Group exploits zero-days in VeraCore

XE Group is targeting companies in manufacturing and distribution by exploiting zero-day vulnerabilities in VeraCore software, specifically CVE-2025-25181 and CVE-2024-57968. In a recent incident, the group compromised an IIS server hosting VeraCore software in November 2024, which led to the discovery of unique techniques used to exfiltrate files and run malicious commands. The group evolved from credit card skimming to exploiting vulnerabilities, showing their adaptability. The upload vulnerability was patched in November 2024, but no patch for the other vulnerability is available.

Top Scams Reported in the Last 24 Hours

Scam spoofs Microsoft ADFS login pages

A help desk phishing campaign has been targeting Microsoft Active Directory Federation Services (ADFS) to steal credentials and bypass MFA. The campaign focuses on education, healthcare, and government organizations, hitting at least 150 targets. Attackers send phishing emails pretending to be from the organization's IT team, urging victims to log in for security updates. These emails lead to fake ADFS login pages that mimic legitimate ones, where victims enter their usernames, passwords, and MFA codes.
