Cyware Daily Threat Intelligence, March 24, 2025

Daily Threat Briefing • March 24, 2025
A newly surfaced threat actor, UAT-5918, has been quietly embedding itself into Taiwan’s critical infrastructure since 2023. With a focus on information theft, the group has been targeting multiple sectors using a mix of off-the-shelf tools and stealthy web shells. The threat actor also boasts of an extensive toolkit.
Meanwhile, the Medusa ransomware operation is refining its ability to bypass defenses using a malicious driver disguised as a legitimate security component. Dubbed ABYSSWORKER, the driver is signed with compromised certificates. Once deployed, it disables anti-malware tools and clears the path for ransomware delivery through a loader.
On the plugin front, a critical vulnerability in WP Ghost has put thousands of WordPress sites at risk. If certain non-default settings are enabled, the bug can be used to load arbitrary files - opening the door to remote code execution. Though a patch has been issued in version 5.4.02, the exposure window combined with the plugin’s wide install base makes this a notable concern for site admins still lagging on updates.
Trusted Signing exploited to drop malware
Cybercriminals are misusing Microsoft's Trusted Signing platform to sign malware executables with short-lived, three-day certificates. This allows them to bypass security filters and make the malware appear legitimate. While Extended Validation code-signing certificates are the preferred choice for threat actors due to their increased trust and reputation boost in SmartScreen, they are difficult to obtain and can be revoked once used in a malware campaign. It has been found that numerous malware samples, including those used in the Crazy Evil Traffers crypto-theft campaign and Lumma Stealer campaigns, have been signed using this service.
UAT-5918 targets Taiwan’s critical infrastructure
A new threat actor, UAT-5918, has been discovered targeting critical infrastructure entities in Taiwan since 2023. This group aims to establish long-term access for information theft and uses web shells and open-sourced tooling for post-compromise activities. The targeted sectors include IT, telecommunications, academia, and healthcare. UAT-5918 shares similarities with several Chinese hacking crews. The group employs Fast Reverse Proxy and Neo-reGeorge for reverse proxy tunnels and tools like Mimikatz, LaZagne, and BrowserDataLite for credential harvesting. UAT-5918 also uses Chopper web shell, Crowdoor, and SparrowDoor, and engages in systematic data theft.
Medusa ransomware disables anti-malware
The Medusa RaaS operation has been using a malicious driver, ABYSSWORKER, to disable anti-malware tools in a BYOVD attack. The ransomware is delivered through a loader packed using a packer-as-a-service called HeartCrypt. The ABYSSWORKER driver, signed with likely stolen, revoked certificates from Chinese companies, mimics a legitimate CrowdStrike Falcon driver. The malware's signed status allows it to bypass security systems. Once launched, ABYSSWORKER can add the process ID to a list of global protected processes and perform various operations, including file manipulation, process and driver termination, and disabling EDR systems.
VanHelsing: New RaaS emerges
VanHelsingRaaS is a rapidly growing RaaS affiliate program launched on March 7. It allows a wide range of participants to get involved with a $5,000 deposit, and affiliates keep 80% of the ransom payments while the core operators earn 20%. The program provides an intuitive control panel that simplifies operating ransomware attacks. Check Point Research discovered two VanHelsing ransomware variants targeting Windows, but the RaaS mentions in its advertisement that it provides more offerings targeting Linux, BSD, ARM, and ESXi systems. In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims.
Critical Next[.]js vulnerability
A critical vulnerability, CVE-2025-29927, has been discovered in the Next.js React framework, with a high CVSS score of 9.1. This flaw could potentially allow attackers to bypass authorization checks under certain conditions. The issue arises from the possibility of skipping middleware, which could let requests bypass critical checks like authorization cookie validation. The vulnerability has been addressed in Next[.]js versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Bug in WP Ghost plugin
A high-severity bug, identified as CVE-2025-26909, has been found in the popular WordPress plugin WP Ghost, which has over 200,000 active installations. This vulnerability is an unauthenticated local file inclusion flaw that could potentially allow attackers to achieve remote code execution (RCE) on affected systems. The issue lies in the showFile function, which does not sufficiently validate user-supplied input, leading to the possibility of path traversal and inclusion of arbitrary files. The vulnerability can only be exploited if the "Change Paths" feature in WP Ghost is set to "Lite" or "Ghost" mode, which is not the default setting. The vulnerability has been fixed in WP Ghost version 5.4.02.