Cyware Daily Threat Intelligence, March 04, 2025

Daily Threat Briefing • Mar 4, 2025
In a digital masquerade, attackers are wielding trust as a weapon to breach elite targets. A highly targeted phishing campaign has struck a few UAE entities in aviation and satellite communications, deploying a new backdoor called Sosano. Using a hijacked email account from an Indian firm, the attackers sent polyglot PDFs, files crafted to parse as more than one valid format.
Your smartphone might be a gateway to more than just selfies in this lawless digital frontier. Google’s latest Android Security Bulletin confronts 44 vulnerabilities, two of them already under active exploitation, while CISA flags exploited flaws in Cisco and Windows systems that could hand attackers the keys to your device. Patches are rolling out fast to help lock things down.
Sometimes a simple click can unravel a digital Pandora’s box. A new ClickFix campaign is luring victims into running malicious PowerShell commands. It installs the Havoc post-exploitation framework, granting attackers remote access to the compromised device.
UNK_CraftyCamel drops polyglot malware
A new, highly targeted phishing campaign has been discovered, aimed at fewer than five entities in the UAE, particularly in the aviation and satellite communications sectors. The campaign delivered a previously undocumented Golang backdoor named Sosano. The attackers used a compromised email account from an Indian electronics company, INDIC Electronics, to send phishing messages, leveraging its trusted business relationship with the targets. The emails contained URLs leading to a fake domain hosting a ZIP archive with an XLS file and two PDF files. The supposed XLS file was actually a Windows shortcut (LNK), and the PDF files were polyglots, capable of being interpreted as two different valid formats. The campaign is suspected to be the work of an Iranian-aligned adversary, possibly affiliated with the IRGC.
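The two tricks in that archive, a Windows shortcut wearing an .xls name and a PDF that also parses as a second format, can both be caught with a header-and-signature check before anything is opened. The Python below is an added example written for this briefing, not tooling from the researchers or from the campaign; the sample bytes are constructed, and the second format in the constructed polyglot (ZIP) is an assumption, since the report does not say which format the real PDFs combined.

```python
"""Triage helpers for archive contents: flag extension/header mismatches and
files carrying more than one format signature (polyglot candidates).
Added example; the sample bytes are constructed, not files from the campaign."""
import sys
from pathlib import Path

# Magic signatures keyed by format name. The LNK signature is the fixed
# HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
SIGNATURES = {
    "lnk": bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000" "000000000046"),
    "ole": bytes.fromhex("D0CF11E0A1B11AE1"),  # legacy .xls/.doc compound file
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                       # also .xlsx/.docx containers
    "mz": b"MZ",                                # PE executable
}

# Formats a file with a given extension is expected to start with.
EXPECTED_BY_EXT = {
    ".xls": {"ole", "zip"},
    ".xlsx": {"zip"},
    ".pdf": {"pdf"},
    ".lnk": {"lnk"},
    ".exe": {"mz"},
}


def detect_header(data: bytes):
    """Return the format whose signature sits at offset 0, or None."""
    for fmt, sig in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(sig):
            return fmt
    return None


def find_signatures(data: bytes) -> set:
    """Return every format signature found anywhere in the file.
    'MZ' is two bytes and would match by chance, so it only counts at offset 0."""
    found = set()
    for fmt, sig in SIGNATURES.items():
        if fmt == "mz":
            if data.startswith(sig):
                found.add(fmt)
        elif sig in data:
            found.add(fmt)
    return found


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one file; empty list means nothing odd."""
    findings = []
    ext = Path(filename).suffix.lower()
    header = detect_header(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is not None and header not in expected:
        findings.append(f"{filename}: extension {ext} but header is "
                        f"{header or 'unknown'} (mismatch)")
    sigs = find_signatures(data)
    if len(sigs) > 1:
        findings.append(f"{filename}: multiple format signatures "
                        f"{sorted(sigs)} (polyglot candidate)")
    return findings


# Constructed samples: an LNK header renamed to .xls, and a PDF that also
# carries a ZIP local-file header further in (the second format is assumed).
SAMPLE_LNK_AS_XLS = SIGNATURES["lnk"] + b"\x00" * 60
SAMPLE_POLYGLOT_PDF = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n"
                       + b"PK\x03\x04" + b"\x00" * 30 + b"%%EOF\n")
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n%%EOF\n"

if __name__ == "__main__":
    # Usage: python triage.py file1 file2 ...; with no arguments, run the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for line in triage(path, Path(path).read_bytes()):
                print(line)
    else:
        for name, blob in (("Invoice.xls", SAMPLE_LNK_AS_XLS),
                           ("brochure.pdf", SAMPLE_POLYGLOT_PDF),
                           ("clean.pdf", SAMPLE_CLEAN_PDF)):
            print(name, triage(name, blob) or "ok")
```

Treat a hit as a reason to route the file to review rather than an automatic block: a legitimate PDF can legally carry an embedded ZIP attachment, and a mismatch check only sees the formats in the table. The value is that both findings are cheap and work on the archive contents before any application parses them.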
Info-stealer campaign against ISPs
Researchers discovered a mass exploitation campaign targeting ISPs in China and the U.S. West Coast. Unidentified threat actors are deploying info-stealers and cryptocurrency miners on compromised hosts, with the campaign also involving the delivery of binaries for data exfiltration and persistence on systems. The attacks use brute-force methods to exploit weak credentials, originating from IP addresses linked to Eastern Europe. Over 4,000 ISP IP addresses have been targeted. The attackers also use the masscan tool to scan the address ranges of specific ISP infrastructure providers before carrying out credential brute-force attacks.
Google issues Android Security Bulletin
Google released its Android Security Bulletin, addressing 44 vulnerabilities, two of which were actively exploited. The first, CVE-2024-43093, is a high-severity privilege escalation flaw in the Framework component, previously flagged in November 2024. The second, CVE-2024-50302, is a privilege escalation flaw in the HID USB component of the Linux kernel, which was part of a zero-day exploit by Cellebrite in December 2024. Google has issued two security patch levels, 2025-03-01 and 2025-03-05, to allow Android partners to address these vulnerabilities quickly.
CISA flags actively exploited bugs
CISA alerted U.S. federal agencies about actively exploited vulnerabilities in Cisco and Windows systems. The first flaw, CVE-2023-20118, allows attackers to execute arbitrary commands on certain Cisco VPN routers, particularly when combined with the CVE-2023-20025 authentication bypass. The second issue, CVE-2018-8639, is a Win32k elevation of privilege flaw in Windows systems that can allow local attackers to run arbitrary code in kernel mode and potentially take over vulnerable devices. CISA has added these vulnerabilities to its KEV catalog, giving FCEB agencies until March 23 to secure their networks.
New ClickFix attack wreaks ‘Havoc’
A new phishing campaign using the ClickFix social-engineering tactic has been discovered, tricking victims into executing malicious PowerShell commands. The campaign involves phishing emails with an attached HTML document that displays a fake error, prompting users to fix it by updating the DNS cache manually. Clicking the "How to fix" button copies a malicious PowerShell command to the Windows clipboard, which, when executed, downloads and installs the Havoc post-exploitation framework for remote access to compromised devices.
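The lure described here has a recognisable static shape: an HTML attachment whose script writes to the clipboard, sitting next to shell-command text and "press this key combination" instructions. The Python below is an added example for this briefing, not code from the researchers or the campaign; both HTML samples are constructed, and the command in the constructed lure is a placeholder rather than anything observed.

```python
"""Static triage of an HTML email attachment for ClickFix-style behaviour:
clipboard-writing script + shell command markers + paste-and-run instructions.
Added example; the HTML samples are constructed and the lure's command is a
placeholder."""
import re
from html import unescape

# All patterns are applied to HTML-entity-decoded, lower-cased text.
CLIPBOARD_APIS = [
    r"navigator\.clipboard\.writetext",
    r"execcommand\(\s*['\"]copy['\"]",
    r"clipboarddata\.setdata",
]
SHELL_MARKERS = [
    r"\bpowershell\b", r"\bpwsh\b", r"\bcmd(\.exe)?\s*/c\b", r"\bmshta\b",
    r"-enc(odedcommand)?\b", r"\biex\b", r"invoke-expression",
]
LURE_PHRASES = [
    r"win\s*\+\s*r", r"ctrl\s*\+\s*v", r"how to fix", r"dns cache", r"run dialog",
]


def score_html(html: str) -> dict:
    """Return which clipboard APIs, shell markers and lure phrases appear."""
    text = unescape(html).lower()
    return {
        "clipboard": [p for p in CLIPBOARD_APIS if re.search(p, text)],
        "shell": [p for p in SHELL_MARKERS if re.search(p, text)],
        "lure": [p for p in LURE_PHRASES if re.search(p, text)],
    }


def is_clickfix_candidate(html: str) -> bool:
    """A clipboard write by itself is common (copy-link buttons); the
    combination with shell-command text is what makes it suspicious."""
    hits = score_html(html)
    return bool(hits["clipboard"]) and bool(hits["shell"])


def verdict(html: str):
    """Return (level, hits): 'high' when instructions to paste and run are
    also present, 'medium' for clipboard+shell alone, 'none' otherwise."""
    hits = score_html(html)
    if is_clickfix_candidate(html):
        return ("high" if hits["lure"] else "medium"), hits
    return "none", hits


# Constructed sample lure modelled on the fake-error pattern described above.
SAMPLE_LURE = """<html><body>
<h2>DNS cache error</h2>
<p>Your DNS cache is out of date. Click the button, then press Win+R,
Ctrl+V and Enter to apply the fix.</p>
<button onclick="navigator.clipboard.writeText('powershell -Command PLACEHOLDER_COMMAND')">
How to fix</button>
</body></html>"""

# Constructed benign page: a copy-link button with no shell content.
BENIGN_COPY_BUTTON = """<html><body><p>Share this report:</p>
<button onclick="navigator.clipboard.writeText('https://example.test/report/42')">
Copy link</button></body></html>"""

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", BENIGN_COPY_BUTTON)):
        level, hits = verdict(doc)
        print(f"{label}: {level} {hits}")
```

This is a first-pass filter for a mail gateway or an analyst's triage script, not a complete detector: a lure that assembles the command from split strings or decodes it with atob() will not match the shell patterns, so pair it with a check of what the page actually places on the clipboard (for example by rendering it in a sandbox) and with endpoint telemetry for PowerShell launched from the Run dialog.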
Phishing campaign targets AWS misconfigurations
Threat actors, tracked under the name TGR-UNK-0011 or JavaGhost, are exploiting misconfigurations in AWS environments to send phishing emails for financial gain. The group gains access to AWS environments by using exposed access keys associated with IAM users. Once inside, they create temporary credentials, establish phishing infrastructure using Amazon Simple Email Service (SES) and WorkMail, and set up new SMTP credentials to send phishing emails. The group also creates new IAM users, some of which serve as long-term persistence mechanisms, and a new IAM role to access the organization's AWS account from another AWS account they control. They leave a calling card by creating a new Amazon Elastic Compute Cloud (EC2) security group named 'Java_Ghost'.
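Every step in that chain is an API call that lands in CloudTrail, so the sequence can be hunted as a set of rules over management events. The Python below is an added example for this briefing, not the researchers' tooling: the events and account ids are constructed, GetFederationToken is assumed here as one way a long-term IAM key can mint temporary credentials, and the SES and WorkMail event names used are real API names chosen to stand in for whatever setup calls were actually observed.

```python
"""Hunting rules over CloudTrail-shaped management events for the JavaGhost-style
chain: temporary credentials, SES/WorkMail setup, new IAM users and keys, a
cross-account role trust, and the 'Java_Ghost' security group.
Added example; events and account ids below are constructed placeholders."""
import json
import re
from urllib.parse import unquote

HOME_ACCOUNT = "111111111111"     # constructed: the victim organization's account
OUTSIDE_ACCOUNT = "222222222222"  # constructed: an account the attacker controls
ARN_ACCOUNT = re.compile(r"arn:aws:iam::(\d{12}):")


def _ev(source, name, params, user="ci-deploy"):
    """Build a minimal CloudTrail-shaped record (constructed sample)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "recipientAccountId": HOME_ACCOUNT, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("sts.amazonaws.com", "GetFederationToken", {"name": "tmp-session"}),
    _ev("ses.amazonaws.com", "CreateEmailIdentity", {"emailIdentity": "billing.example.test"}),
    _ev("workmail.amazonaws.com", "CreateOrganization", {"alias": "billing-support"}),
    _ev("iam.amazonaws.com", "CreateUser", {"userName": "svc-backup2"}),
    _ev("iam.amazonaws.com", "CreateAccessKey", {"userName": "svc-backup2"}),
    _ev("iam.amazonaws.com", "CreateRole", {
        "roleName": "support-access",
        # CloudTrail stores this document URL-encoded; json.dumps output is
        # accepted by unquote() unchanged, so the sample stays readable.
        "assumeRolePolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": f"arn:aws:iam::{OUTSIDE_ACCOUNT}:root"}}]})}),
    _ev("ec2.amazonaws.com", "CreateSecurityGroup",
        {"groupName": "Java_Ghost", "groupDescription": "default"}),
    _ev("s3.amazonaws.com", "ListBuckets", {}),  # benign noise
]


def trusted_accounts(policy_doc: str) -> set:
    """Return the 12-digit account ids named as AWS principals in an
    assume-role policy document (URL-encoded or plain JSON)."""
    try:
        doc = json.loads(unquote(policy_doc))
    except (TypeError, ValueError):
        return set()
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    accounts = set()
    for st in statements:
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or missing principal: nothing account-shaped to extract
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            m = ARN_ACCOUNT.search(p)
            accounts.add(m.group(1) if m else p)
    return accounts


def _finding(ev, tag, severity, detail):
    return {"tag": tag, "severity": severity, "event": ev["eventName"],
            "user": ev.get("userIdentity", {}).get("userName", "?"), "detail": detail}


def scan_events(events, home_account=HOME_ACCOUNT) -> list:
    """Apply one rule per stage of the chain; returns a list of finding dicts."""
    findings = []
    for ev in events:
        src, name = ev.get("eventSource", ""), ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        if src == "sts.amazonaws.com" and name == "GetFederationToken":
            findings.append(_finding(ev, "temp_credentials", "medium",
                                     "IAM user key minting temporary credentials"))
        elif src in ("ses.amazonaws.com", "workmail.amazonaws.com") and \
                name.startswith(("Create", "Verify", "Put", "Update", "Set")):
            findings.append(_finding(ev, "mail_infra_setup", "medium",
                                     f"{src.split('.')[0]} change: {name}"))
        elif src == "iam.amazonaws.com" and name in ("CreateUser", "CreateAccessKey", "CreateLoginProfile"):
            findings.append(_finding(ev, "iam_persistence", "medium",
                                     f"{name} for {params.get('userName')}"))
        elif src == "iam.amazonaws.com" and name == "CreateRole":
            outside = trusted_accounts(params.get("assumeRolePolicyDocument", "")) - {home_account}
            if outside:
                findings.append(_finding(ev, "cross_account_trust", "high",
                                         f"role {params.get('roleName')} trusts {sorted(outside)}"))
        elif src == "ec2.amazonaws.com" and name == "CreateSecurityGroup":
            if params.get("groupName", "").lower() == "java_ghost":
                findings.append(_finding(ev, "calling_card", "high",
                                         "security group named Java_Ghost"))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['tag']}: {f['event']} by {f['user']} ({f['detail']})")
```

The security-group name is the cheapest rule and the least durable, since it depends on the actor keeping the habit; the cross-account trust rule is the one worth keeping permanently, because a role that trusts an account outside your organization is a finding regardless of who created it. Run the medium rules as correlation rather than stand-alone alerts: a new IAM user or an SES identity on its own is routine, the same IAM user doing all five within a short window is not.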