
Cyware Daily Threat Intelligence, January 21, 2025


Daily Threat Briefing Jan 21, 2025

From malware campaigns targeting critical infrastructure to vulnerabilities in core networking protocols, threat actors are exploiting trust and technical gaps to infiltrate systems. The MintsLoader campaign targets sectors like energy and law with the StealC malware and the BOINC client, masking malicious actions as legitimate. Meanwhile, the DoNot APT group is using the new Tanzeem Android malware to spy on South Asian government and military entities.

Flaws in tunneling protocols put millions of systems at risk of DoS attacks and unauthorized network access, underscoring the need for stronger configurations. Meanwhile, attackers are impersonating CERT-UA using AnyDesk to infiltrate Ukrainian systems under the pretense of a “security audit.”

Top Malware Reported in the Last 24 Hours

DoNot APT Drops Novel Android Malware

Researchers found a new Android malware dubbed Tanzeem linked to the Indian APT group DoNot Team (aka APT-C-35, Origami Elephant), which has targeted government and military entities in South Asia since 2016. The malware mimics chat functions and prompts users for accessibility access. The group has begun using OneSignal to send phishing notifications, indicating a shift in tactics. The app can collect sensitive data and maintain a persistent presence on devices, demonstrating the group’s evolving strategies.

MintsLoader Campaign Delivers Stealc and BOINC Client

A malware campaign was discovered using MintsLoader to deliver harmful payloads such as StealC and the BOINC client, targeting vital sectors in the U.S. and Europe, including electricity, oil and gas, and law firms. MintsLoader spreads via spam emails and uses PowerShell commands to execute malware, making detection difficult. StealC steals sensitive data and employs anti-analysis tactics to avoid detection. Further, BOINC is used to mask rogue behavior as legitimate activity.

Gootloader Uses Social Engineering and Rogue SEO

Researchers analyzed the Gootloader malware, known for advanced social engineering and rogue search engine optimization (SEO). Active for over six years, it has targeted users via compromised WordPress sites, using poisoned SEO to attract victims. Gootloader redirects victims to a second server to deliver the first-stage payload, often containing hidden JScript files. It modifies WordPress installations with embedded PHP scripts, making detection hard. The malware blocks repeated visits from the same IP address to prevent detection. Enterprises should update WordPress, monitor database changes, and use advanced endpoint protection.

Top Vulnerabilities Reported in the Last 24 Hours

PoC Available for High-Risk Stack Buffer Overflow Flaw

A cybersecurity researcher uploaded a Proof of Concept (PoC) exploit for a critical security flaw, CVE-2024-54887, in TP-Link TL-WR940N routers. This stack buffer overflow flaw arises from unvalidated string lengths in the DNS server parameters. The PoC exploit uses a return-oriented programming (ROP) technique to achieve remote code execution (RCE). Affected hardware versions 3 and 4 of the TL-WR940N have reached their end-of-life (EoL). Users should upgrade to newer devices to ensure ongoing protection.

Critical Sentry Bug Facilitated User Account Takeovers

A critical security flaw, CVE-2025-22146, is present in Sentry's SAML SSO system. This flaw could have allowed attackers to take over user accounts. Sentry addressed this flaw in version 25.1.0. Users should upgrade immediately to mitigate risks posed by this flaw.

High-Risk Issue in 7-Zip Affects MoTW Feature

7-Zip, a popular file archiver, had a high-risk flaw, CVE-2025-0411, that could let attackers bypass a Windows security protection. This flaw affects the "Mark-of-the-Web" (MoTW) feature that warns users about potentially dangerous files. The issue arises when 7-Zip fails to apply this mark to extracted files, leaving users unaware of threats. The flaw has been fixed in version 24.09. Users should update immediately, avoid untrusted files, and use the security features of their operating system to mitigate this flaw.
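The MoTW is stored in an NTFS alternate data stream named Zone.Identifier, and the failure described above is that mark not being carried over to extracted files. The following is an added example (not code from the briefing or from 7-Zip) that parses that stream and reports extracted files which lost the mark; the paths and stream contents are constructed, and the reader function is injectable so the logic runs without an NTFS volume.

```python
ZONE_STREAM = "Zone.Identifier"  # NTFS alternate data stream that holds the Mark-of-the-Web
ZONE_INTERNET = 3                # URLZONE_INTERNET: the zone that triggers the MoTW warning

def parse_zone_id(stream_text):
    """Extract ZoneId from a Zone.Identifier stream body; None if no value is present."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif line.startswith("["):
            in_section = False
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def read_zone_id(path):
    """Read a file's MoTW zone on NTFS; None when the stream is absent or unsupported."""
    try:
        with open(f"{path}:{ZONE_STREAM}", encoding="utf-8", errors="replace") as stream:
            return parse_zone_id(stream.read())
    except OSError:
        return None

def files_missing_motw(archive_path, extracted_files, read_zone=read_zone_id):
    """If the archive came from the Internet zone, return extracted files that lack that mark.
    read_zone is injectable so the check can be exercised without an NTFS volume."""
    if read_zone(archive_path) != ZONE_INTERNET:
        return []
    return [str(p) for p in extracted_files if read_zone(str(p)) != ZONE_INTERNET]

# Constructed stream contents standing in for the ADS of a downloaded archive and its output.
CONSTRUCTED_STREAMS = {
    "downloads/report.7z": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/report.7z\r\n",
    "downloads/report/readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "downloads/report/setup.exe": "",   # mark was not propagated to this file
}

def demo():
    """Run the check against the constructed data; returns files that lost the mark."""
    fake_read = lambda p: parse_zone_id(CONSTRUCTED_STREAMS.get(p, ""))
    return files_missing_motw("downloads/report.7z",
                              ["downloads/report/readme.txt", "downloads/report/setup.exe"],
                              read_zone=fake_read)
```

On a Windows host, call files_missing_motw with the real read_zone_id against the archive and its extraction directory to verify that a patched archiver propagates the mark.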

Tunneling Protocol Flaws Enable DoS and Unauthorized Access

Four security flaws were identified in numerous tunneling protocols that could allow perpetrators to misuse systems as one-way proxies and for denial-of-service (DoS) attacks. Internet hosts that don't verify the sender's identity can be hijacked for anonymous attacks, with 4.2 million hosts, including VPN servers and routers, found at risk. Affected countries include China, France, Japan, the U.S., and Brazil. The flaws arise from tunneling protocols that lack adequate security measures. To defend against these flaws, it is recommended to use IPSec or WireGuard, accept packets only from trusted sources, and employ traffic filtering and inspection.
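The core condition above is a tunnel endpoint that decapsulates whatever arrives without checking the outer source. As an added example (not code from the briefing or the underlying research), the block below parses raw IPv4 headers and flags encapsulated packets whose outer source is not a configured peer; the protocol numbers it treats as tunnels (IPIP, IPv6-in-IPv4, GRE) and the sample traffic are assumptions for illustration, since the briefing does not name the affected protocols.

```python
import ipaddress
import struct

# IPv4 protocol numbers for common encapsulations. Assumed for illustration;
# the briefing does not name the affected protocols.
TUNNEL_PROTOCOLS = {4: "IPIP", 41: "IPv6-in-IPv4", 47: "GRE"}

def parse_ipv4_header(packet: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, packet[ihl:total_len])

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for offline testing (checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload

def flag_untrusted_tunnel_packets(packets, trusted_peers):
    """Flag encapsulated packets whose outer source is not a configured tunnel peer.
    A host that decapsulates and forwards these without checking the sender is the
    'unverified sender' condition the briefing describes."""
    trusted = {ipaddress.IPv4Address(p) for p in trusted_peers}
    findings = []
    for pkt in packets:
        src, _dst, proto, payload = parse_ipv4_header(pkt)
        if proto in TUNNEL_PROTOCOLS and ipaddress.IPv4Address(src) not in trusted:
            inner_dst = None
            if proto == 4 and len(payload) >= 20:  # IPIP: the inner header is plain IPv4
                inner_dst = parse_ipv4_header(payload)[1]
            findings.append({"src": src, "proto": TUNNEL_PROTOCOLS[proto], "inner_dst": inner_dst})
    return findings

# Constructed sample traffic toward a tunnel endpoint at 192.0.2.1 (RFC 5737 addresses).
TRUSTED_PEERS = ["203.0.113.10"]
SAMPLE_PACKETS = [
    build_ipv4("203.0.113.10", "192.0.2.1", 4, build_ipv4("10.0.0.5", "10.0.1.9", 6)),  # configured peer
    build_ipv4("198.51.100.77", "192.0.2.1", 4, build_ipv4("192.0.2.1", "203.0.113.99", 6)),  # unknown sender
    build_ipv4("198.51.100.77", "192.0.2.1", 47, b"\x00\x00\x08\x00"),  # GRE from unknown sender
    build_ipv4("198.51.100.77", "192.0.2.1", 17, b"\x00\x35\x00\x35\x00\x08\x00\x00"),  # plain UDP, ignored
]
```

The same allowlist logic is what a firewall rule restricting tunnel protocols to known peers enforces; running this over captured traffic shows which senders would have been accepted before such a rule was in place.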

Top Scams Reported in the Last 24 Hours

CERT-UA Spoofed via AnyDesk to Infiltrate Systems

Attackers are pretending to be Ukraine's Computer Emergency Response Team (CERT-UA) and using AnyDesk to access victims' systems. They send connection requests claiming to conduct a "security audit," using the CERT-UA name and logo. These requests rely on the recipient's trust, and users should be cautious of unexpected ones. CERT-UA advises anyone receiving such requests to report them. To reduce risks, enable remote access programs only while they are in use and coordinate through official channels.
