Cyware Daily Threat Intelligence, March 14, 2025

Daily Threat Briefing • Mar 14, 2025
A new ransomware group is making waves with tactics reminiscent of LockBit. Mora_001 has been exploiting Fortinet vulnerabilities to gain access to networks. Subsequently, it deploys its SuperBlack ransomware, ensuring persistent control before encrypting critical systems.
GitLab users should patch now as critical authentication flaws surface. Two newly disclosed vulnerabilities in the ruby-saml library used by GitLab could allow an attacker who holds a valid signed SAML document from the same identity provider to impersonate other users, potentially leading to data breaches and privilege escalation. Security updates have been released to mitigate the risk.
Cybercriminals are faking Clop ransomware attacks to scam businesses. Fraudsters are posing as the Clop ransomware gang, fabricating extortion claims to trick victims into paying ransoms for non-existent data breaches.
New ransomware group targets Fortinet firewalls
A new ransomware group, Mora_001, has been discovered with potential ties to LockBit. Since January, the group has exploited two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain access to victim environments and deploy a new ransomware called SuperBlack. After initial access, the attackers escalate their privileges to super-admin, create additional admin accounts, and establish persistent access. They then move laterally within the network, primarily using SSH to reach high-value systems. The ransomware payload is based on LockBit 3.0 (also known as LockBit Black), with minor modifications.
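The post-exploitation steps above (super-admin escalation, extra admin accounts, persistent access) leave a trail in the firewall's own configuration-change logs, which is where a defender should look first. The following is an added detection example, not code from Forescout, Fortinet or the original briefing. The log lines are constructed in FortiGate key="value" style with the cfgpath/cfgobj/cfgattr/ui fields used for config-change events; the account names, addresses, the sanctioned-admin inventory (KNOWN_ADMINS) and the trusted management network are assumptions for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed FortiGate-style event log lines (not real telemetry): a normal
# login, a new local admin created with the super_admin profile from an
# unknown address, an existing admin upgraded to super_admin from a trusted
# host, and an unrelated firewall policy edit.
SAMPLE_LOGS = [
    'date=2025-01-20 time=09:00:01 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2025-01-20 time=09:03:44 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" '
    'action="Add" cfgpath="system.admin" cfgobj="fortisupport" '
    'cfgattr="accprofile[super_admin]password[*]" msg="Add system.admin fortisupport"',
    'date=2025-01-20 time=09:05:10 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Attribute configured" user="admin" ui="ssh(10.0.0.9)" '
    'action="Edit" cfgpath="system.admin" cfgobj="netops" '
    'cfgattr="accprofile[prof_admin->super_admin]" msg="Edit system.admin netops"',
    'date=2025-01-20 time=09:07:30 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Attribute configured" user="netops" ui="https(10.0.0.9)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="status[enable->disable]" '
    'msg="Edit firewall.policy 12"',
]

# Assumption: the organisation's inventory of sanctioned firewall admins and
# the networks from which management access is expected.
KNOWN_ADMINS = {"admin", "netops"}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")


@dataclass
class Finding:
    timestamp: str
    actor: str
    account: str
    action: str
    src_ip: str | None
    reasons: list[str] = field(default_factory=list)


def parse_fortigate_line(line: str) -> dict[str, str]:
    """Split a key="value" ... line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(event: dict[str, str]) -> str | None:
    """Pull the client address out of ui="https(1.2.3.4)" / ui="ssh(...)",
    falling back to srcip when present."""
    m = UI_IP_RE.search(event.get("ui", ""))
    return m.group(1) if m else event.get("srcip")


def is_trusted(ip: str | None, nets) -> bool:
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def hunt_admin_persistence(lines, known_admins, trusted_nets) -> list[Finding]:
    """Flag system.admin changes that match the behaviour described above:
    new local admins, the super_admin profile being granted, and admin
    changes made from outside the trusted management networks."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("cfgpath") != "system.admin" or ev.get("action") not in ("Add", "Edit"):
            continue
        account = ev.get("cfgobj", "?")
        ip = source_ip(ev)
        reasons = []
        if ev["action"] == "Add" and account not in known_admins:
            reasons.append("unsanctioned admin account created")
        if "super_admin" in ev.get("cfgattr", ""):
            reasons.append("super_admin profile assigned")
        if not is_trusted(ip, trusted_nets):
            reasons.append("change made from untrusted management source")
        if reasons:
            findings.append(Finding(f"{ev.get('date')} {ev.get('time')}", ev.get("user", "?"),
                                    account, ev["action"], ip, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_admin_persistence(SAMPLE_LOGS, KNOWN_ADMINS, TRUSTED_MGMT_NETS):
        print(f"{f.timestamp} {f.action} system.admin {f.account} by {f.actor} "
              f"from {f.src_ip}: {'; '.join(f.reasons)}")
```

Run against the constructed lines, the new "fortisupport" account is flagged on all three counts, while the "netops" edit is flagged only because it grants super_admin; the login and the policy change are ignored. In production the same logic is a SIEM rule keyed on cfgpath="system.admin", and any hit that is not tied to a change ticket deserves an immediate look, since the actor field will show a legitimate admin name if the attacker already holds that session.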
Three unusual malware samples discovered
Unit 42 discovered three unusual malware samples. The first is a passive IIS backdoor written in C++/CLI, a language rarely used by malware authors. The second is a bootkit that abuses an unsecured kernel driver to install a GRUB 2 bootloader for an unusual purpose. The third is a Windows implant of a cross-platform post-exploitation framework written in C++.
OBSCURE#BAT deploys rootkit r77
A new malware campaign named OBSCURE#BAT uses social engineering to deliver r77, an open-source rootkit. The campaign primarily targets English-speaking users in the U.S., Canada, Germany, and the U.K. The infection chain begins with an obfuscated Windows batch script that launches PowerShell commands, which in turn deploy the rootkit. The malware is distributed in two main ways: through fake Cloudflare CAPTCHA verification pages and by being advertised as legitimate software. It is designed to evade detection and persist on compromised systems, modifying registry keys, creating scheduled tasks, and applying several layers of obfuscation. It also monitors clipboard activity and command history for potential data exfiltration.
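The batch-to-PowerShell hand-off described above is the stage most visible in endpoint telemetry, because the PowerShell command line, including any -EncodedCommand payload, is logged in full at process creation. The example below is added here and is not code from Securonix or the original briefing; it decodes encoded PowerShell found in process-creation records and scores the decoded text for the persistence behaviour the campaign is described as using (Run-key registry writes, scheduled tasks, hidden windows, staged payloads). The events, script body, file names and indicator list are constructed for the example and are not indicators from the actual campaign.

```python
from __future__ import annotations

import base64
import binascii
import re

# Constructed stage-two PowerShell (not the campaign's real script): persists
# via a HKCU Run key and a logon scheduled task, then pulls a further stage.
SAMPLE_SCRIPT = (
    "$p = Join-Path $env:APPDATA 'svc.ps1'; "
    "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Updater -Value $p -Force; "
    "schtasks /create /sc onlogon /tn Updater /tr $p /f; "
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($stage2)))"
)


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records in the shape of a Sysmon Event ID 1 or
# EDR feed: the batch-launched hidden PowerShell, and a benign scheduled job.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\Installer.bat"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_command(SAMPLE_SCRIPT),
    },
    {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    },
]


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if there is none.
    powershell.exe accepts any unambiguous prefix of the switch name, so
    -e, -ec, -en, -enc and -EncodedCommand all have to be recognised."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


# Behavioural indicators matched against the raw command line plus the
# decoded payload. Names and patterns are this example's own.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("scheduled_task", re.compile(r"\bschtasks\b|Register-ScheduledTask", re.I)),
    ("staged_payload", re.compile(r"FromBase64String|Invoke-Expression|\bIEX\b|DownloadString", re.I)),
]


def hunt_batch_to_powershell(events: list[dict[str, str]]) -> list[dict]:
    """Flag PowerShell processes that combine two or more suspicious traits."""
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        text = ev["CommandLine"] + "\n" + (decoded or "")
        indicators = [name for name, rx in INDICATORS if rx.search(text)]
        if (ev["ParentImage"].lower().endswith("cmd.exe")
                and re.search(r"\.(bat|cmd)\b", ev["ParentCommandLine"], re.I)):
            indicators.insert(0, "launched_from_batch")
        if decoded is not None:
            indicators.insert(0, "encoded_command")
        if len(indicators) >= 2:
            hits.append({"command": ev["CommandLine"][:80], "decoded": decoded, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in hunt_batch_to_powershell(SAMPLE_EVENTS):
        print(hit["command"], "...", hit["indicators"])
        print(hit["decoded"])
```

Decoding before matching matters: none of the persistence strings appear in the raw command line, so a rule that only inspects the visible arguments sees a generic "-enc" launch and nothing else. Requiring two independent traits keeps a lone "-w hidden" from an admin's logon script out of the alert queue.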
GitLab patches two critical bugs in CE and EE
GitLab has released security updates to address nine vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), two of them critical authentication bypass issues in the ruby-saml library. These critical vulnerabilities, tracked as CVE-2025-25291 and CVE-2025-25292, could allow an attacker who holds a valid signed SAML document issued by the same SAML IdP to impersonate other users of that IdP, potentially leading to data breaches and privilege escalation. GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2 have been released to address these issues, and GitLab[.]com is already patched.
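Authentication bypasses of this kind work by getting the service provider to verify a signature over one part of a SAML response while reading the user identity from another, so the consumer-side defence is to bind identity extraction to the element the signature actually covers, using one parsed tree for both steps. The example below is added here and is not ruby-saml's or GitLab's code. It deliberately omits the cryptographic signature check (the SignatureValue is a placeholder and a real SP verifies it first) and only demonstrates the structural binding: unique IDs, exactly one enveloped signature over a saml:Assertion, no other assertions present, and the NameID read from that signed assertion alone. The three SAML responses are constructed for the example; handling Response-level signatures is left out as a simplification.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"


class SamlRejected(Exception):
    """Raised when the response structure makes the signed identity ambiguous."""


def _response(assertions: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            + assertions + "</samlp:Response>")


def _signed_assertion(aid: str, name_id: str) -> str:
    # Placeholder signature: structure only, no real XML-DSig material.
    return (f'<saml:Assertion ID="{aid}" Version="2.0">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            '</saml:Assertion>')


def _unsigned_assertion(aid: str, name_id: str) -> str:
    return (f'<saml:Assertion ID="{aid}" Version="2.0">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            '</saml:Assertion>')


# Constructed inputs: a genuine response, a wrapped one where an unsigned
# forged assertion is placed before the intact signed one, and one where the
# forged assertion reuses the signed assertion's ID so "#_a1" is ambiguous.
GOOD = _response(_signed_assertion("_a1", "alice@example.com"))
WRAPPED = _response(_unsigned_assertion("_evil", "admin@example.com")
                    + _signed_assertion("_a1", "alice@example.com"))
DUP_ID = _response(_unsigned_assertion("_a1", "admin@example.com")
                   + _signed_assertion("_a1", "alice@example.com"))


def extract_subject(xml_text: str) -> str:
    """Return the NameID from the one signed assertion, or raise SamlRejected."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}

    # 1. IDs must be unique, otherwise the signature's "#id" reference is ambiguous.
    ids: dict[str, ET.Element] = {}
    for el in root.iter():
        i = el.get("ID")
        if i is None:
            continue
        if i in ids:
            raise SamlRejected(f"duplicate ID {i}")
        ids[i] = el

    # 2. Exactly one signature, enveloped inside the Assertion it references.
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise SamlRejected(f"expected one signature, found {len(sigs)}")
    sig = sigs[0]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise SamlRejected("signature reference is not a same-document ID reference")
    signed = ids.get(uri[1:])
    if signed is None or signed.tag != ASSERTION_TAG:
        raise SamlRejected("signature does not reference an assertion in this document")
    if parent.get(sig) is not signed:
        raise SamlRejected("signature is not enveloped in the element it references")

    # 3. No assertion other than the signed one may be present anywhere.
    if root.findall(".//saml:Assertion", NS) != [signed]:
        raise SamlRejected("additional assertion outside the signed one")

    # 4. Read identity from the signed element only.
    name_id = signed.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlRejected("signed assertion carries no NameID")
    return name_id.text


def verdict(xml_text: str) -> str:
    try:
        return "accepted:" + extract_subject(xml_text)
    except SamlRejected as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("wrapped", WRAPPED), ("dup_id", DUP_ID)):
        print(label, verdict(doc))
```

A consumer that instead located the assertion with a generic "first saml:Assertion" query, or resolved "#_a1" with a different parser than the one used for verification, would accept the wrapped and duplicate-ID documents and log in admin@example.com on the strength of alice's signature. The library fix is the right remediation; this check is the belt-and-braces an SP can apply on its own side.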
Miniaudio and Adobe vulnerabilities spotted
Cisco Talos disclosed one Miniaudio vulnerability and three Adobe Acrobat vulnerabilities, all of which have been patched by their respective vendors. The Miniaudio vulnerability (CVE-2024-41147) is an out-of-bounds write that can be triggered when a specially crafted FLAC file is played, leading to memory corruption. The three Adobe vulnerabilities are in Acrobat's font handling: two out-of-bounds reads (CVE-2025-27163 and CVE-2025-27164) that can disclose sensitive information, and one memory corruption vulnerability (CVE-2025-27158) that could allow arbitrary code execution. All three can be triggered by a specially crafted font file embedded in a PDF.
Fraudsters mimic Clop ransomware
Fraudsters are impersonating the Clop ransomware gang to extort businesses, claiming to have exfiltrated sensitive data and demanding payment. They often reference media coverage of actual Clop attacks to appear legitimate. However, the emails lack elements associated with genuine Clop extortion demands, such as a 48-hour payment deadline, links to a secure chat channel for ransom negotiations, and partial names of companies whose data was breached.