Cyware Daily Threat Intelligence, January 23, 2025
Daily Threat Briefing • Jan 23, 2025
Cybercriminals are finding new ways to exploit the cloud. The financially driven TRIPLESTRENGTH group has been targeting platforms like Google Cloud and AWS for cryptojacking and ransomware, often leveraging stolen credentials from malware infections.
The QakBot loader has a new ally: BackConnect (BC) malware. Researchers uncovered its use in tandem with tools like DarkVNC and KeyHole, bolstering system data theft and remote access capabilities. The activity is linked to Storm-1811 and the deployment of Black Basta ransomware.
AIRASHI, an AISURU botnet variant, has been exploiting zero-day vulnerabilities in Cambium Networks cnPilot routers to launch DDoS attacks reaching up to 3 Tbps. Its operators flaunt their capabilities on Telegram, with compromised devices found across the globe.
TRIPLESTRENGTH hits cloud environments
A financially motivated threat group, TRIPLESTRENGTH, has been targeting cloud environments for cryptojacking and ransomware attacks. The group engages in illicit cryptocurrency mining, ransomware, and extortion, and advertises access to various cloud platforms (Google Cloud, Amazon Web Services). It obtains initial access via stolen credentials, often harvested by malware infections, and uses the compromised accounts to create compute resources for mining. Its ransomware attacks focus on on-premises systems. Google plans to strengthen protections, including enforcing multi-factor authentication (MFA), to reduce account takeover (ATO) risk.
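The pattern above (a stolen credential used to spin up mining capacity) leaves a recognisable trace in cloud admin-activity logs. The script below is an added example for this briefing, not Google's or AWS's detection logic: it runs three simple rules over constructed, GCP-like audit records (creation in a zone the principal has never used, accelerator-backed instances, and a burst of instance creations). The field layout (ts, principal, method, zone, machineType, accelerators), the sample accounts and the thresholds are all assumptions to adapt to a real log export.

```python
"""Flagging cryptojacking-style compute creation in cloud audit logs.

Added example for this briefing; it is not Google's or AWS's detection logic
and the records below are constructed. The event shape (ts, principal,
method, zone, machineType, accelerators) is a simplified, GCP-like layout
and is an assumption: map the fields to your real log export.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INSERT = "v1.compute.instances.insert"

# Historical baseline (constructed): zones each principal normally deploys to.
BASELINE = {
    "svc-backup@example.test": {"us-central1-a"},
    "dev@example.test": {"europe-west1-b"},
}

# Constructed sample: a service account (key presumably stolen) bursts
# GPU instance creation into zones it has never used.
SAMPLE_LOG = [
    {"ts": "2025-01-23T02:00:05Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "us-central1-a", "machineType": "n2-standard-2", "accelerators": False},
    {"ts": "2025-01-23T02:10:00Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "asia-east1-a", "machineType": "a2-highgpu-1g", "accelerators": True},
    {"ts": "2025-01-23T02:10:07Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "asia-east1-a", "machineType": "a2-highgpu-1g", "accelerators": True},
    {"ts": "2025-01-23T02:10:15Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "asia-east1-b", "machineType": "a2-highgpu-1g", "accelerators": True},
    {"ts": "2025-01-23T02:10:22Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "southamerica-east1-a", "machineType": "a2-highgpu-1g", "accelerators": True},
    {"ts": "2025-01-23T02:10:30Z", "principal": "svc-backup@example.test", "method": INSERT,
     "zone": "southamerica-east1-a", "machineType": "a2-highgpu-1g", "accelerators": True},
    {"ts": "2025-01-23T02:15:00Z", "principal": "svc-backup@example.test",
     "method": "v1.compute.instances.delete", "zone": "asia-east1-a", "machineType": "", "accelerators": False},
    {"ts": "2025-01-23T03:00:00Z", "principal": "dev@example.test", "method": INSERT,
     "zone": "europe-west1-b", "machineType": "e2-medium", "accelerators": False},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline, burst_n=5, window=timedelta(minutes=5)):
    """Return alerts for three signals of abuse of a compromised account:
    creation in a zone the principal never used, accelerator-backed (GPU)
    instances, and a burst of >= burst_n creations inside `window`."""
    alerts = []
    by_principal = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["method"] == INSERT:
            by_principal[event["principal"]].append(event)

    for principal, evs in by_principal.items():
        known = baseline.get(principal, set())   # unknown principal: every zone is new
        seen_new = set()
        for e in evs:
            if e["zone"] not in known and e["zone"] not in seen_new:
                seen_new.add(e["zone"])
                alerts.append({"rule": "new_zone", "principal": principal, "detail": e["zone"]})
            if e["accelerators"]:
                alerts.append({"rule": "accelerator", "principal": principal,
                               "detail": f'{e["machineType"]} in {e["zone"]}'})
        # Sliding window over sorted timestamps: any window holding burst_n inserts.
        times = [parse_ts(e["ts"]) for e in evs]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_n:
                alerts.append({"rule": "burst", "principal": principal,
                               "detail": f"{burst_n}+ inserts within {window}"})
                break
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'new_zone': 3, 'accelerator': 5, 'burst': 1}."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

The zone baseline is the rule that pays off most in practice: a stolen service-account key is usually replayed from the attacker's own tooling into whatever regions still have quota, so a "first time in this zone" alert fires before the mining bill does. Run the rules over a window of recent events rather than the full history to keep the burst check cheap.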
Updated Tycoon 2FA evades MFA and detection
An updated version of the Tycoon 2FA phishing kit uses advanced tactics to evade MFA and detection. The kit, first seen in August 2023, now targets Microsoft 365 session cookies. Tycoon 2FA sends phishing emails from compromised accounts and embeds code that hinders analysis: it detects security tools, blocks web-inspection actions, disables the right-click menu, and obfuscates its web code to mask its purpose.
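The anti-analysis behaviours listed above are also what an analyst can look for when triaging a captured landing page. The scanner below is an added example for this briefing, not code from any Tycoon 2FA sample or vendor report: it applies generic indicator patterns (right-click suppression, F12 and devtools-size checks, debugger traps, dynamic evaluation, heavy hex-escape obfuscation) to page source and reports which classes of indicator are present. The regexes, the constructed sample pages and the three-class threshold are assumptions, not kit signatures.

```python
"""Heuristic scan of a captured phishing page for anti-analysis tricks.

Added example for this briefing, not code from any Tycoon 2FA sample or
vendor report. The regexes are generic patterns that commonly implement the
behaviours the briefing lists (right-click suppression, blocking of
web-inspection actions, obfuscated code); the threshold is an assumption.
"""
import re
from collections import Counter

# Generic indicator rules: (name, pattern). None is specific to one kit.
RULES = [
    ("contextmenu_suppressed",
     re.compile(r"oncontextmenu\s*=|addEventListener\(\s*['\"]contextmenu['\"]", re.I)),
    ("devtools_keys_blocked",
     re.compile(r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]", re.I)),
    ("debugger_trap", re.compile(r"\bdebugger\b")),
    ("window_size_check",
     re.compile(r"outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight")),
    ("dynamic_eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("base64_decode", re.compile(r"\batob\s*\(")),
]
SUSPICIOUS_AT = 3  # distinct indicator classes needed to flag a page (assumed)

# Constructed sample resembling a page that fights inspection.
SAMPLE_PAGE = """<html><body oncontextmenu="return false">
<script>
document.addEventListener('keydown', function (e) { if (e.keyCode === 123) { e.preventDefault(); } });
setInterval(function () { debugger; }, 500);
if (window.outerWidth - window.innerWidth > 160) { location.href = 'about:blank'; }
eval(atob('ZG9jdW1lbnQud3JpdGUoIiIpOw=='));
</script></body></html>"""

# Constructed benign page for comparison.
BENIGN_PAGE = "<html><body><p>Welcome</p><script>console.log('hi');</script></body></html>"


def hex_escape_ratio(text: str) -> float:
    """Share of the text made of \\xNN escapes; heavy use suggests string
    obfuscation (heuristic; the cut-off lives in scan_page)."""
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", text))
    return (escapes * 4) / max(len(text), 1)


def scan_page(html: str) -> dict:
    """Count hits per indicator class and decide whether the page looks hostile."""
    findings = Counter()
    for name, pattern in RULES:
        hits = len(pattern.findall(html))
        if hits:
            findings[name] = hits
    if hex_escape_ratio(html) > 0.05:
        findings["hex_escape_heavy"] = 1
    return {
        "findings": dict(findings),
        "classes": len(findings),
        "suspicious": len(findings) >= SUSPICIOUS_AT,
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print(scan_page(BENIGN_PAGE))
```

Treat the output as a triage hint rather than a verdict: legitimate sites occasionally disable right-click or use atob, which is why the scan counts distinct indicator classes instead of firing on any single match.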
QakBot-linked BC malware adds new features
Researchers disclosed details about a novel BackConnect (BC) malware linked to the QakBot loader. The BC module includes 'DarkVNC' and the IcedID BackConnect (KeyHole) component, found on the same infrastructure as ZLoader, which has updated its DNS tunnel for communications. Walmart's analysis shows that the BC module improves the malware's ability to collect system data and provides remote access. Sophos independently analyzed the BC malware and connected it to the STAC5777 threat cluster, which is also related to Storm-1811, known for using Quick Assist to deploy Black Basta ransomware. Both threat groups use Microsoft Teams vishing and email bombing to gain remote access, exploiting default settings that allow them to initiate chats with internal users. The relationship between QakBot and Black Basta suggests a strong link in the cybercrime ecosystem.
AIRASHI botnet abuses zero-day in DDoS attacks
Threat actors are using a zero-day vulnerability in Cambium Networks cnPilot routers to launch DDoS attacks with AIRASHI, a variant of the AISURU botnet. The botnet also exploits other vulnerabilities, including CVE-2013-3307 and flaws affecting devices such as AVTECH IP cameras and LILIN DVRs. The AIRASHI operator shares DDoS test results on Telegram, showing a consistent attack capability of 1 to 3 Tbps. Most compromised devices are in Brazil, Russia, Vietnam, and Indonesia, while the main targets include China, the United States, Poland, and Russia.
Three Cisco issues including a critical flaw resolved
Cisco issued software updates to fix a critical security flaw, CVE-2025-20156, in Meeting Management that could let remote attackers obtain administrator access. The issue arises because the REST API does not enforce proper authorization. Patches are available for affected versions. Cisco also fixed a denial-of-service (DoS) flaw in BroadWorks (CVE-2025-20165) and a third flaw (CVE-2025-20128) affecting ClamAV.
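The root cause named for the Meeting Management flaw, a REST API that authenticates callers but never checks what they are allowed to do, is a common defect class worth seeing side by side with its fix. The snippet below is an added example for this briefing; it is not Cisco code and does not describe the internals of CVE-2025-20156. It shows a handler that only checks for a logged-in user next to one guarded by an explicit, deny-by-default route policy, plus a small review aid that lists registered routes with no policy entry. The routes, roles and Request shape are assumptions.

```python
"""Authentication is not authorization: a deny-by-default route policy.

Added example for this briefing. It is not Cisco code and does not describe
the internals of CVE-2025-20156; it only illustrates the class of defect the
advisory names (a REST API that does not enforce authorization) beside a
hardened pattern. Routes, roles and the Request shape are assumptions.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Optional


@dataclass
class Request:
    user: Optional[str]   # authenticated principal, None when anonymous
    role: str             # role bound to the session server-side, never client-supplied
    method: str
    path: str


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


# --- vulnerable pattern: any authenticated caller may reach an admin action ---
def vulnerable_promote(req: Request, target: str) -> str:
    if req.user is None:
        raise Unauthorized("login required")
    # No role check here: a low-privilege user can grant admin.
    return f"{target} promoted to admin by {req.user}"


# --- hardened pattern: explicit allow-list per route, deny by default ---
ROUTE_POLICY = {
    ("POST", "/api/users/promote"): {"admin"},
    ("GET", "/api/meetings"): {"admin", "viewer"},
}


def is_allowed(role: str, method: str, path: str) -> bool:
    """Routes absent from the policy are denied for every role."""
    return role in ROUTE_POLICY.get((method, path), set())


def require_authz(func):
    @wraps(func)
    def wrapper(req: Request, *args, **kwargs):
        if req.user is None:
            raise Unauthorized("login required")
        if not is_allowed(req.role, req.method, req.path):
            raise Forbidden(f"role {req.role!r} may not {req.method} {req.path}")
        return func(req, *args, **kwargs)
    return wrapper


@require_authz
def hardened_promote(req: Request, target: str) -> str:
    return f"{target} promoted to admin by {req.user}"


def unprotected_routes(registered) -> list:
    """Review aid: registered (method, path) pairs with no policy entry."""
    return sorted(r for r in registered if r not in ROUTE_POLICY)


if __name__ == "__main__":
    viewer = Request("alice", "viewer", "POST", "/api/users/promote")
    print(vulnerable_promote(viewer, "alice"))       # succeeds: the defect
    try:
        hardened_promote(viewer, "alice")
    except Forbidden as exc:
        print("blocked:", exc)
    print(unprotected_routes([("POST", "/api/users/promote"), ("DELETE", "/api/meetings/1")]))
```

Two design points carry the weight: the role comes from server-side session state rather than from the request, and a route missing from the policy is denied rather than silently open, so a newly added endpoint fails closed until someone writes its policy line. The unprotected_routes helper is the check to wire into CI so that gap is caught before release.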
Patch for microcode signature verification flaw
AMD confirmed that some of its microprocessors have a microcode signature verification flaw that was unintentionally disclosed via a beta BIOS update from Asus. The flaw may allow unauthorized microcode to be loaded into AMD processors, potentially letting an attacker alter CPU behavior. So far the threat level appears low, but there are concerns about leaked data. A researcher from Google's Project Zero highlighted the issue after Asus mentioned it in release notes before AMD could officially respond. AMD confirmed it is working on a security patch but has not yet identified the affected products; it plans to share more guidance soon and advises customers to follow security best practices in the meantime.