
Cyware Daily Threat Intelligence, January 22, 2025


Daily Threat Briefing Jan 22, 2025

A covert supply chain attack compromised a South Korean VPN provider, with the China-linked APT group PlushDaemon embedding its SlowStepper backdoor into a malicious installer. Active since 2019, this espionage campaign leverages a sophisticated toolkit, hijacked app updates, and server vulnerabilities to target victims across multiple nations.

The Murdoc botnet has emerged as a formidable threat, exploiting vulnerabilities in AVTECH IP cameras and Huawei routers to infect over 1,370 systems in Southeast Asia and Latin America. With its roots in Mirai, this botnet uses shell scripts tailored to IoT architectures, aiming to power massive DDoS campaigns.

Oracle’s latest Critical Patch Update addresses 318 vulnerabilities, including a severe flaw in its Agile Framework. With critical risks spanning products like JD Edwards and Communications Routers, organizations are urged to update immediately to mitigate the danger of exploitation.

Top Malware Reported in the Last 24 Hours

PlushDaemon APT group drops SlowStepper

ESET researchers have found a supply chain attack on a South Korean VPN provider by a new China-linked APT group called PlushDaemon. The attackers replaced the legitimate installer with a malicious one that installed their custom backdoor, SlowStepper. This backdoor has a complex toolkit with over 30 components and has been used for espionage since at least 2019 against targets in several countries. PlushDaemon also gains initial access by hijacking legitimate updates of Chinese apps and by exploiting vulnerabilities in web servers.

Two ransomware campaigns leverage Office 365

Sophos spotted two campaigns in which two separate groups of threat actors used Microsoft's Office 365 platform to gain access to organizations, likely aiming to steal data and install ransomware. The threat clusters are tracked as STAC5143 and STAC5777. STAC5777 has connections with the threat group Storm-1811, while STAC5143 is a new threat cluster mimicking Storm-1811, possibly linked to the group known as FIN7, Sangria Tempest, or Carbon Spider. Common tactics include email-bombing, where high volumes of spam overwhelm inboxes, followed by fake tech support messages sent via Teams.

Mass Murdoc botnet campaign

Cybersecurity researchers have reported a large-scale campaign targeting AVTECH IP cameras and Huawei HG532 routers, exploiting security flaws to add these devices to a variant of the Mirai botnet known as the Murdoc botnet. This activity, which has been ongoing since at least July 2024, has already infected over 1,370 systems, particularly in Malaysia, Mexico, Thailand, Indonesia, and Vietnam. The botnet exploits vulnerabilities such as CVE-2017-17215 and CVE-2024-7029 to access IoT devices and deploy malware through a shell script that selects the payload matching the device's CPU architecture. The main aim of these attacks is to build a botnet capable of launching distributed denial-of-service (DDoS) attacks.

Top Vulnerabilities Reported in the Last 24 Hours

Oracle January 2025 patch

Oracle released a Critical Patch Update to address 318 new security vulnerabilities, including a high-severity flaw (CVE-2025-21556) in the Oracle Agile Product Lifecycle Management Framework, which could allow attackers to take control of the affected product. Other critical vulnerabilities affect products such as JD Edwards EnterpriseOne Tools, Oracle Agile Engineering Data Management, Oracle Communications Diameter Signaling Router, and more. CISA had previously flagged one of the vulnerabilities (CVE-2020-2883) as actively exploited.

Bug in 7-Zip file software

Attackers can exploit a vulnerability (CVE-2025-0411) in 7-Zip to bypass the Mark-of-the-Web (MotW) security feature in Windows. The flaw allows attackers to execute malicious code on users' computers when users extract specially crafted files from nested archives or visit harmful websites. 7-Zip does not properly propagate the MotW to files when they are extracted, meaning users can unknowingly run malicious code without the usual security warning. This issue has been fixed in version 24.09.
