
Cyware Daily Threat Intelligence, March 13, 2025


A new spyware is lurking in fake apps, and it is tied to North Korea. KoSpy, a newly discovered Android surveillance tool, is attributed to APT37 and has been targeting Korean- and English-speaking users. Delivered through Google Play as fake utility apps and fetching its configuration from Firebase Firestore, the spyware can harvest SMS messages, call logs, device location and other data from infected devices.

Juniper routers are being turned into stealthy backdoors. The Chinese espionage group UNC3886 has compromised end-of-life Juniper MX routers and deployed customized TinyShell backdoors built to evade detection. Logging into the devices from terminal servers with legitimate credentials, the attackers then bypassed the Veriexec code-integrity protection in Junos OS, giving them persistent access to the compromised networks.

A widely used font library is now a security risk. Facebook has warned of a high-severity flaw in FreeType that it says may already be exploited in the wild. The bug, an out-of-bounds heap write triggered while parsing crafted font files, can lead to arbitrary code execution.

Top Malware Reported in the Last 24 Hours

Meet Elysium: New Ghost family variant

Netskope has identified Elysium, a new ransomware variant linked to the Ghost (Cring) ransomware family. Ghost has been active since 2021 and targets critical infrastructure, healthcare, and government organizations by exploiting known vulnerabilities in outdated, internet-facing applications. The Elysium intrusion chain is multi-stage: after initial access the operators use Cobalt Strike for command and control, BadPotato and GodPotato for local privilege escalation, Mimikatz for credential theft, SharpShares for network share discovery, and WMI for remote execution. They then deploy the Elysium payload, which disrupts recovery, terminates specific services, and attempts to stop Hyper-V virtual machines before encrypting files.

APT37 debuts new spyware

A new Android surveillance tool called KoSpy has been discovered and is believed to be the work of the North Korean APT group ScarCruft (aka APT37). The spyware targets Korean- and English-speaking users, posing as utility apps to infect devices. KoSpy was distributed through the Google Play Store and a third-party app store, and it retrieves its initial configuration, including the C2 address, from a Firebase Firestore database; all associated apps and Firebase projects have since been removed or deactivated. The spyware has extensive data collection capabilities, including access to SMS messages, call logs, device location, and more. Some of its C2 servers are still online but no longer respond to requests.

UNC3886 targets Juniper routers

A Chinese threat group known as UNC3886 has infected Juniper Networks routers at multiple organizations with custom backdoors. The attacks mainly targeted older, end-of-life Juniper MX routers that cannot run current security monitoring tooling. UNC3886 first reached the routers from terminal servers using legitimate credentials, then dropped from the Junos CLI into the underlying FreeBSD shell. Once there, the attackers deployed customized versions of the TinyShell backdoor, circumventing Veriexec, the Junos OS feature designed to block unauthorized code, by injecting their payload into a legitimate running process rather than executing an unsigned binary directly.

Top Vulnerabilities Reported in the Last 24 Hours

Facebook warns of FreeType bug

Facebook has warned about a vulnerability in the FreeType open-source font rendering library, which is embedded in Linux distributions, Android, and countless applications that render text. The flaw, tracked as CVE-2025-27363 (CVSS 8.1), can lead to arbitrary code execution and, according to Facebook, may have been exploited in the wild. It affects FreeType 2.13.0 and earlier; the fix is present in 2.13.1 and later, so products that still bundle an older FreeType remain exposed until they update. The root cause is an out-of-bounds heap write while parsing font subglyph structures in TrueType GX and variable fonts: a signed short count is assigned to an unsigned long and a constant is added, the value wraps, the heap buffer is allocated too small, and the subsequent writes run past its end.
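To make the bug class concrete, here is a standalone C toy, added for this briefing and not taken from FreeType: it shows the vulnerable sizing (a signed 16-bit count read from the font file, widened to unsigned long, a constant added, the value wrapping to a tiny allocation) next to a hardened version that rejects negative counts and checks for overflow before allocating. The six-entry header, the function names and the sample count fields are constructed assumptions, not details of FreeType's parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the bug class described for CVE-2025-27363:
 * a signed 16-bit count from the font file is widened to an unsigned integer,
 * a constant is added, the arithmetic wraps, and the heap buffer comes out far
 * smaller than what the parser then writes into it. Names and the six-entry
 * header are hypothetical; this is not FreeType's code. */

#define HEADER_ENTRIES 6   /* entries written unconditionally (hypothetical) */

/* Vulnerable sizing, following the pattern the advisory describes. */
size_t vulnerable_alloc_size(short count)
{
    unsigned long n = count;        /* -1 becomes ULONG_MAX */
    n += HEADER_ENTRIES;            /* ULONG_MAX + 6 wraps to 5 */
    return n * sizeof(long);        /* tiny buffer for a "negative" count */
}

/* Hardened sizing: reject negative counts before widening, and check that the
 * addition and multiplication cannot overflow size_t. 0 on success, -1 on reject. */
int safe_alloc_size(short count, size_t *out)
{
    if (count < 0)
        return -1;
    size_t n = (size_t)count;
    if (n > SIZE_MAX / sizeof(long) - HEADER_ENTRIES)
        return -1;
    *out = (n + HEADER_ENTRIES) * sizeof(long);
    return 0;
}

/* Read a big-endian int16, the byte order TrueType tables use. */
static short read_be16(const unsigned char *p)
{
    uint16_t raw = (uint16_t)((p[0] << 8) | p[1]);
    return (short)raw;              /* 0xFFFF -> -1 on two's-complement targets */
}

/* Simulate the vulnerable path on a 2-byte count field: how many bytes would
 * the unconditional header write run past the undersized buffer? 0 means none. */
size_t vulnerable_overrun_bytes(const unsigned char *field)
{
    size_t alloc   = vulnerable_alloc_size(read_be16(field));
    size_t written = HEADER_ENTRIES * sizeof(long);
    return written > alloc ? written - alloc : 0;
}

/* Same field through the hardened path: 1 if the parser would reject it. */
int safe_rejects(const unsigned char *field)
{
    size_t sz;
    return safe_alloc_size(read_be16(field), &sz) != 0;
}

int main(void)
{
    /* Constructed count fields: 10 entries, -1, and -6. */
    const unsigned char ok[2]   = {0x00, 0x0A};
    const unsigned char neg1[2] = {0xFF, 0xFF};
    const unsigned char neg6[2] = {0xFF, 0xFA};
    printf("count 10: overrun %zu bytes, rejected=%d\n",
           vulnerable_overrun_bytes(ok), safe_rejects(ok));
    printf("count -1: overrun %zu bytes, rejected=%d\n",
           vulnerable_overrun_bytes(neg1), safe_rejects(neg1));
    printf("count -6: overrun %zu bytes (all %d entries out of bounds), rejected=%d\n",
           vulnerable_overrun_bytes(neg6), HEADER_ENTRIES, safe_rejects(neg6));
    return 0;
}
```

A count of -6 wraps the size to exactly zero, so every one of the six header entries lands outside the allocation; that is the "up to 6 signed long integers out of bounds" shape of the real bug. The hardened path never reaches the allocator with a negative or overflowing count, which is the check to look for when auditing any parser that widens file-supplied signed fields before doing size arithmetic.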

Fortinet patches 18 flaws

Fortinet has released 17 new advisories covering 18 vulnerabilities across FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiAnalyzer, FortiManager, FortiAnalyzer-BigData, FortiSandbox, FortiNDR, FortiWeb, FortiSIEM, and FortiADC. The high-severity issues are an XSS flaw in FortiNDR (CVE-2023-48790), a code execution vulnerability affecting FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb (CVE-2024-45325), and a flaw in FortiSIEM that exposes the remote database password (CVE-2023-40723). The medium-severity vulnerabilities can be exploited for code execution, command execution, arbitrary file write, and bypassing web application firewall protections. A low-severity issue allowing unauthorized operations has also been patched.
