
Cyware Daily Threat Intelligence, March 03, 2025


Daily Threat Briefing Mar 3, 2025

In a digital game of cat and mouse, cybercriminals are upping their ante with a new trick up their sleeve. The Black Basta and Cactus ransomware groups have armed themselves with BackConnect malware to maintain persistent control over compromised machines and exfiltrate sensitive data. Once inside, BackConnect—linked to the infamous QakBot loader—takes the reins, ensuring the attackers keep their grip even after initial access.

Phishing emails are casting a wider net, and this time, they’re impersonating the taxman. FortiGuard Labs has uncovered a new wave of cyberattacks targeting Taiwanese companies with the sophisticated Winos 4.0 malware. Spread through phishing emails, the malware arrives via a malicious attachment posing as a tax inspection list. Winos 4.0 is a modular framework with a wide range of capabilities.

Even the smallest chip can have a big impact when it comes to security. MediaTek revealed 10 newly discovered vulnerabilities in its chipsets, which power smartphones, tablets, AIoT devices, and smart TVs. Affected chipsets include the MT67xx, MT68xx, and MT69xx series. MediaTek has issued patches to manufacturers.

Top Malware Reported in the Last 24 Hours

Njrat Exploits Microsoft Dev Tunnels

A new campaign using Njrat has been discovered, abusing Microsoft's Dev Tunnels service for C2 communication. Analysis of the campaign identified two Njrat samples that use different Dev Tunnel URLs but share the same import hash. These samples connect to specific C2 servers and send status updates about their capabilities. Notably, this version of Njrat can spread through USB devices if certain settings are activated.
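As an added defender-side example (not part of the briefing or of any vendor report), the following script flags outbound connections to Dev Tunnels endpoints in a constructed proxy log so that non-developer hosts talking to the service can be triaged. It assumes Dev Tunnels endpoints resolve under the devtunnels.ms domain and that the log format, host names and allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption (not on the page): Dev Tunnels endpoints live under devtunnels.ms,
# so egress to that domain from non-developer hosts is worth triaging as C2.
TUNNEL_DOMAIN = "devtunnels.ms"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed sample proxy log (not real traffic): "<ts> <src> <dst> <port> <bytes>".
SAMPLE_PROXY_LOG = """\
2025-03-03T08:01:12Z ws-017 login.microsoftonline.com 443 5120
2025-03-03T08:02:40Z ws-017 abc12xyz-8080.euw.devtunnels.ms 443 1480
2025-03-03T08:02:41Z ws-017 abc12xyz-8080.euw.devtunnels.ms 443 1520
2025-03-03T08:03:05Z ws-042 update.example.com 443 90211
2025-03-03T08:04:17Z dev-laptop-3 q9r7t5-8000.use.devtunnels.ms 443 61470
2025-03-03T08:05:02Z ws-017 devtunnels.ms.evil.example 443 1000
"""

# Constructed allow-list of workstations where Dev Tunnels use is expected.
KNOWN_DEV_HOSTS = {"dev-laptop-3"}


def is_devtunnel_host(hostname: str) -> bool:
    """True only for devtunnels.ms itself or a real subdomain of it, never a look-alike."""
    h = hostname.lower().rstrip(".")
    return h == TUNNEL_DOMAIN or h.endswith("." + TUNNEL_DOMAIN)


def parse_line(line: str):
    """Parse one log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, size = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(size)}


def find_devtunnel_egress(log_text: str, allow_hosts=KNOWN_DEV_HOSTS) -> dict:
    """Return {source_host: {tunnel_hostname: connection_count}} for sources not allow-listed."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allow_hosts:
            continue
        if is_devtunnel_host(rec["dst"]):
            hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dests) for src, dests in hits.items()}


if __name__ == "__main__":
    print(find_devtunnel_egress(SAMPLE_PROXY_LOG))
```

Hits on hosts outside the allow-list are a triage lead, not a verdict; confirm with the process that opened the connection and, per the briefing, pivot on the import hash to find related samples.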

Black Basta and Cactus adopt BackConnect malware

The Black Basta and Cactus ransomware groups have added the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines. In one observed campaign, the attackers gained initial access through social engineering, abusing Microsoft Teams for impersonation and privilege escalation, and manipulating users into granting unauthorized access via Quick Assist and similar remote access software. The BackConnect malware was then used to control the compromised machine persistently. The malware has links to QakBot, a loader malware subject to a takedown effort in 2023.

Phishing campaign spreads Winos 4.0

FortiGuard Labs reported a new wave of cyberattacks targeting companies in Taiwan using the sophisticated Winos 4.0 malware framework. The malware is spread through phishing emails impersonating Taiwan’s National Taxation Bureau, marking a shift from its previous distribution method through gaming-related applications. The emails contain a malicious attachment disguised as a list of enterprises scheduled for tax inspection. Winos 4.0 is a highly modular malware capable of various malicious activities, including keylogging, clipboard hijacking, USB device monitoring, screenshot capture, UAC bypass, and anti-virus evasion. 

Top Vulnerabilities Reported in the Last 24 Hours

BYOVD attacks against Paragon Partition Manager

Ransomware actors have been exploiting a zero-day BYOVD flaw in Paragon Partition Manager, according to an update from CERT/CC. The vulnerability, CVE-2025-0289, is an insecure kernel resource access flaw in version 17 of Paragon's BioNTdrv.sys driver, which attackers can exploit to achieve privilege escalation and execute further malicious code. Even if Paragon Partition Manager is not installed, attackers can leverage a BYOVD technique to exploit systems using a Microsoft-signed driver. Paragon Software has released an updated Partition Manager with a new driver, BioNTdrv.sys version 2.0.0, and users are urged to upgrade.

10 new flaws in MediaTek chipsets

MediaTek has released its March 2025 Product Security Bulletin, which outlines 10 newly discovered security vulnerabilities in its chipsets used in various devices such as smartphones, tablets, AIoT devices, and smart televisions. Three of these vulnerabilities are rated as high severity, with potential impacts including denial of service and privilege escalation. The affected chipset lines include the MT67xx/MT68xx/MT69xx series, among others. MediaTek has provided patches to device manufacturers, who are expected to release firmware and operating system updates. Users are advised to apply these updates as soon as they become available.

Vulnerabilities in Arista EOS devices

Arista Networks has issued a security advisory for two vulnerabilities, CVE-2025-1259 and CVE-2025-1260, in its Extensible Operating System (EOS) software. These vulnerabilities, resulting from issues with the OpenConfig implementation, could allow unauthorized access to sensitive data and configuration changes on affected devices. Affected EOS versions include 4.33.1 and below, along with a wide range of EOS-based products. Arista has released updated EOS versions to address these vulnerabilities and advises users to upgrade immediately.
