
Cyware Daily Threat Intelligence, March 10, 2025


Daily Threat Briefing Mar 10, 2025

When cybercriminals upgrade their arsenal, staying hidden becomes easier than ever. Several ransomware and cybercrime groups are leveraging the Ragnar Loader malware toolkit to maintain long-term access to compromised systems. Constantly evolving with new features, Ragnar Loader has become more modular and harder to detect. 

A single flaw in a widely used API could have handed attackers full control over vulnerable applications. Volt, the functional API for Livewire, has patched a critical remote code execution vulnerability. The fix shipped in version 1.7.0, and users are strongly urged to update before the flaw is exploited.

A billion devices and 29 undocumented commands. Security researchers have found that the ESP32 microchip accepts 29 undocumented commands that attackers could use for device spoofing, unauthorized data access, and long-term persistence. Because the commands ship inside the chip's firmware, the finding raises supply chain concerns: OEMs could unknowingly ship devices that expose them.

Top Malware Reported in the Last 24 Hours

FIN7, FIN8 adopt Ragnar Loader

Several cybercrime and ransomware groups, including Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis, have been using the Ragnar Loader malware toolkit. Ragnar Loader is central to these groups' operations because it lets them keep access to compromised systems for long periods. Its developers are constantly adding new features, making it more modular and harder to detect. The malware is offered to affiliates as an archive containing multiple components for reverse shell, local privilege escalation, and remote desktop access.

Moonstone Sleet deploys Qilin ransomware

Microsoft reported that a North Korea-linked APT group called Moonstone Sleet has been using Qilin ransomware in limited attacks since February, a shift from its previous use of custom ransomware. Moonstone Sleet, also known as Storm-1789, employs various tactics, including fake companies, trojanized tools, and malicious games, for both financial gain and espionage. The group targets victims via LinkedIn and freelance sites, using software developer personas to engage organizations.

Top Vulnerabilities Reported in the Last 24 Hours

Undocumented commands in ESP32 microchip

The ESP32 microchip, manufactured by Espressif and used in over 1 billion devices, has been found to contain 29 undocumented commands in its Bluetooth firmware. The commands, which the researchers initially described as a "backdoor," could be used for device spoofing, unauthorized data access, and long-term persistence, opening the door to impersonation attacks and permanent infection of sensitive devices. The practical risk lies in malicious implementations at the OEM level and in supply chain attacks: the commands are vendor-specific HCI commands, so using them requires code already running on the host that drives the chip, or physical access to the chip's interface, rather than a remote Bluetooth connection. The issue is now tracked as CVE-2025-27840.

New RCE bug in WinDbg

A vulnerability, identified as CVE-2025-24043, has been discovered in Microsoft's WinDbg debugger. The flaw, with a CVSS score of 7.5, could allow RCE because the SOS debugging extension does not properly verify a cryptographic signature. An attacker with network access could potentially execute malicious code on affected systems. The vulnerability affects certain versions of the WinDbg-related packages dotnet-sos, dotnet-dump, and dotnet-debugger-extensions; teams should update these tools to patched versions rather than only updating WinDbg itself.

Volt fixes severe vulnerability

Volt, a popular functional API for Livewire with over 1.08 million downloads, has addressed a critical RCE vulnerability, tracked as CVE-2025-27517. The vulnerability stemmed from a flaw in Volt's request-handling mechanism, which could potentially allow attackers to execute arbitrary PHP code within vulnerable applications. This could lead to full system compromise, privilege escalation, and deployment of further malware. The Volt team has resolved this issue in version 1.7.0, and users are strongly advised to upgrade immediately. 

Top Scams Reported in the Last 24 Hours

Is it unpaid parking or a scam?

A widespread mobile phishing campaign is currently targeting various U.S. cities, sending fake texts about unpaid parking violations. The messages threaten an additional $35 fine per day if the invoice is not paid. The texts use a Google open redirect to get past URL filtering, since the visible link points at google.com while the destination is a fake city parking website. The scammers attempt to steal personal information, including names, addresses, phone numbers, email addresses, and credit card details. The scam can be identified by inconsistencies such as the dollar sign being placed after the amount ("35$") instead of before it.
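The two tells described above, the Google open redirect and the misplaced dollar sign, are easy to turn into a filter. The following is an added example, not code from the original briefing or from any vendor: it unwraps google.com/url?q=... style redirects (the redirect path and query keys are an assumption about how such links are built), checks whether the final host is under a suffix the reader treats as trusted (".gov" is assumed here), and flags amounts written with the sign after the number. The sample messages are constructed for illustration, not captured lures.

```python
"""Flag SMS lures that use a Google open redirect or a trailing dollar sign.

Added example; sample messages are constructed, not real captured texts.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "35$" or "35 $": the sign after the amount, unlike the normal "$35"
TRAILING_DOLLAR_RE = re.compile(r"\b\d+(?:\.\d{2})?\s?\$")


def unwrap_google_redirect(url: str) -> Optional[str]:
    """Return the destination of a google.com/url?q=... (or ?url=...) link.

    The /url path and the q/url query keys are assumed to be how the open
    redirect is used; any other URL returns None.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if parsed.path != "/url":
        return None
    if not (host == "google.com" or host.startswith("www.google.") or host.startswith("google.")):
        return None
    qs = parse_qs(parsed.query)  # parse_qs already percent-decodes the values
    for key in ("q", "url"):
        if key in qs and qs[key]:
            return qs[key][0]
    return None


def analyze_sms(text: str, trusted_suffixes: Tuple[str, ...] = (".gov",)) -> Dict[str, object]:
    """Return {"suspicious": bool, "findings": [...]} for one message."""
    findings: List[str] = []
    for url in URL_RE.findall(text):
        dest = unwrap_google_redirect(url)
        if dest is None:
            continue
        dest_host = urlparse(dest).netloc.lower()
        findings.append(f"google open redirect -> {dest_host}")
        # A real city notice would land on an official domain; the lure lands elsewhere.
        if not dest_host.endswith(trusted_suffixes):
            findings.append(f"redirect lands off trusted domain: {dest_host}")
    if TRAILING_DOLLAR_RE.search(text):
        findings.append("currency sign after amount")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples: a lure modelled on the campaign, then a benign notice.
SAMPLE_MESSAGES = [
    "City Parking Services: your vehicle has an unpaid violation. Pay now to avoid a "
    "35$ daily fee: https://www.google.com/url?q=https%3A%2F%2Fcity-parking-pay.example%2Finvoice%2F8813",
    "Reminder: citation #441 is due in 10 days. Pay $35 at https://parking.cityname.gov/pay",
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze_sms(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok", "-", msg[:60])
        for finding in result["findings"]:
            print("   ", finding)
```

The trailing-dollar check is a weak signal on its own and is only useful combined with the link analysis; the redirect unwrapping is the part worth keeping, because the same trick is used well beyond parking lures.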
