Cyware Daily Threat Intelligence, February 25, 2025

Daily Threat Briefing • Feb 25, 2025
Even security tools aren’t safe from exploitation. A massive malware campaign is abusing a vulnerable Windows driver from Adlice’s product suite to sneak in Gh0st RAT, with over 2,500 unique variants identified. When even protective software turns into a backdoor, no system is off-limits.
Opposition activists and Ukrainian military entities are in the crosshairs. SentinelLABS uncovered a stealthy campaign using weaponized Excel documents to deliver new adaptations of PicassoLoader. This isn’t just cyber warfare, it’s an evolving espionage toolkit aimed at destabilizing governments.
Oracle’s Agile Product Lifecycle Management software has a serious flaw. Now in CISA’s KEV catalog, this bug allows low-privileged attackers to execute arbitrary code, proving once again that supply chain vulnerabilities are prime real estate for cybercriminals.
Harmful ISO files delivered
A new technique lets hackers bypass Microsoft Outlook’s spam filters and deliver rogue ISO files directly to inboxes. The attackers use hyperlink obfuscation to make malicious links appear safe; ISO files are attractive carriers because they can hide malware and slip past traditional detection. While Outlook usually flags risky files, the disguised links evade these checks. This poses a significant threat to small and medium businesses, since attackers can exploit user trust and sidestep protections. Firms should strengthen endpoint security until Microsoft updates its filters.
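As an added example (not code from the briefing), a small Python check of the kind a mail gateway or SOC script could run against an HTML email body: it flags anchors whose visible text is a URL on a different host than the real href, and anchors whose target is an .iso file. The sample body and hostnames below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not a real message).
SAMPLE_HTML = """
<p>Please review the attached invoice:</p>
<a href="http://203.0.113.10/inv/Invoice_0225.iso">https://portal.example-vendor.com/invoice</a>
<a href="https://portal.example-vendor.com/login">Sign in</a>
<a href="https://cdn.example.net/files/update.iso">Download update</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))

def host_of(value):
    if not value.startswith(("http://", "https://")):
        value = "http://" + value      # let urlparse handle bare www. hosts
    return (urlparse(value).hostname or "").lower()

def find_suspicious_links(html):
    """Return [(href, [reasons])] for anchors that deserve a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if urlparse(href).path.lower().endswith(".iso"):
            reasons.append("iso-download")
        if looks_like_url(text) and host_of(text) != host_of(href):
            reasons.append("display-href-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings
```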
Fuxnet and FrostyGoop target ICS firms
Two new malware variants, Fuxnet and FrostyGoop, were used in 2024 to disrupt critical industrial processes during the Russia-Ukraine war. Until these discoveries, only seven industrial control system (ICS) malware variants were known. Ransomware attacks on ICS firms saw an 87% rise in 2024. The unique features of Fuxnet and FrostyGoop raise concerns as new threat groups, Bauxite and Graphite, are targeting critical infrastructure and using advanced phishing techniques. There is growing evidence linking state-backed actors with criminal groups, increasing the potential for severe attacks on ICS.
New Gh0st RAT variant 'HiddenGh0st' deployed
A large-scale malware campaign is using a vulnerable Windows driver related to Adlice's products to avoid detection and spread Gh0st RAT. Attackers modified the driver to create different variants while keeping its signature valid. Thousands of malicious samples disable endpoint detection and response (EDR) software using a bring-your-own-vulnerable-driver (BYOVD) attack. Findings suggest possible involvement of a threat group known as Silver Fox APT. The malware is distributed via fake applications on deceptive websites and messaging apps. It drops the driver and then the follow-on malware, which targets security processes. The modified driver allowed attackers to bypass Windows protections, leading to the installation of HiddenGh0st, used for remote control and data theft. Microsoft updated its driver blocklist to prevent this exploitation.
Ukrainian government and Belarusian opposition hit
Ghostwriter, an ongoing campaign active since 2016, is associated with Belarusian government espionage. The campaign focuses on information manipulation and hacking against various European nations. Reports from 2022 to 2024 describe the use of rogue Excel documents to drop PicassoLoader malware. New weaponized Excel documents target interests related to the Ukrainian government and Belarusian opposition, indicating a shift in Ghostwriter's focus. In a recent attack, an email from "Vladimir Nikiforech" led to a rogue Excel file that ran an obfuscated macro and downloaded a DLL housing a simplified variant of PicassoDownloader. The malware uses various obfuscation techniques to evade detection and downloads additional files, including benign images to mislead victims. Other similar XLS files have been identified, indicating multiple attacks using these tactics. Overall, the activity is linked to a malware cluster associated with Ghostwriter, which has been targeting Ukrainian organizations.
CVE-2024-20953 added to CISA's KEV catalog
CISA added a high-risk deserialization flaw, CVE-2024-20953, in Oracle Agile Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows low-privileged attackers to execute arbitrary code and is caused by a lack of proper validation of user-supplied data. Although no public information exists on attacks exploiting this flaw, exploitation likely requires prior access to a system. CISA has advised federal agencies to fix CVE-2024-20953 by March 17, 2025.
No patch for zero-day in Parallels Desktop for Mac
The latest Parallels Desktop software for macOS has a serious zero-day flaw that allows unauthorized root access, with a proof-of-concept (PoC) exploit available. The issue is a patch bypass affecting a feature that repacks macOS installer applications. It follows a previous bug that was reported and fixed, but the patched version did not fully resolve the issue. Researcher Mickey Jin identified the bypass and disclosed it after waiting seven months for Parallels to respond. Alludo, the company that owns Parallels, acknowledged the lack of communication.