Malware Activity
PLAYFULGHOST Malware Spread via SEO Poisoning and Phishing
Cybersecurity researchers have identified multiple campaigns relating to a new malware dubbed “PLAYFULGHOST”. PLAYFULGHOST’s capabilities overlap with the Gh0st RAT remote access tool, designed to act as a backdoor and to steal sensitive information. Attackers use either phishing emails or SEO poisoning to coax victims into downloading a trojanized version of a legitimate VPN application such as LetsVPN. The delivery of PLAYFULGHOST can be sophisticated: researchers noted an execution scenario in which a Windows shortcut combines the contents of two other files to construct a rogue DLL required to load the final payload. PLAYFULGHOST establishes persistence in victim environments via the Run registry key, scheduled tasks, the Windows Startup folder, and Windows services. The malware can gather and exfiltrate data including keystrokes, screenshots, audio, QQ account information, and clipboard content. The malware can also drop additional payloads, clear Windows Event Logs, delete caches and profiles associated with web browsers, and erase profiles and local storage of messaging applications. Other forms of malware that have been deployed via PLAYFULGHOST include Mimikatz, a rootkit, and a utility called Terminator that can kill security processes. Researchers note that these campaigns are likely targeting Chinese-speaking Windows users, based on the targeting of popular Chinese-language applications such as Sogou, QQ, and 360 Safety. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
More US OFAC Sanctions, Targeting Chinese Company Linked to Flax Typhoon
More sanctions have been dealt by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), this time against Beijing-based cybersecurity company Integrity Technology Group, also known as Yongxin Zhicheng, for its involvement in cyberattacks orchestrated by the Chinese state-sponsored hacking group Flax Typhoon. Operating since at least mid-2021, Flax Typhoon has targeted various entities across North America, Europe, Africa, and Asia, leveraging known vulnerabilities and using legitimate remote access software to maintain persistent access to victims' systems. Integrity Tech provided infrastructure support for Flax Typhoon's cyber campaigns from mid-2022 to late-2023, facilitating attacks against critical infrastructure, including government agencies, universities, telecommunications providers, and media organizations in the U.S. and overseas. The group used a botnet called Raptor Train, which infected over 260,000 devices, to conduct DDoS attacks and as a proxy for stealthy operations against military, government, and IT sectors, primarily in the U.S. and Taiwan. The sanctions freeze all U.S. assets of Integrity Tech and prohibit U.S. organizations and citizens from conducting transactions with the company. The sanctions follow a series of coordinated actions by U.S. agencies, including the disruption of the Raptor Train botnet and advisories on tactics used by Flax Typhoon.
- The Record: Integrity Technology Group Article
- Security Week: Integrity Technology Group Article
- Bleeping Computer: Integrity Technology Group Article
- The Hacker News: Integrity Technology Group Article
Vulnerabilities
Nuclei Vulnerability Allows for Signature Bypass and Arbitrary Code Execution
A recently patched high-severity vulnerability in ProjectDiscovery’s popular open-source vulnerability scanner, Nuclei, allowed attackers to bypass template signature verification and execute arbitrary code by injecting malicious templates. The flaw, tracked as CVE-2024-43405 (CVSS score of 7.4 to 7.8), impacted Nuclei versions between 3.0.0 and 3.3.1. The issue stemmed from inconsistencies in how Go’s regex-based signature verification and the YAML parser handle newline characters. Specifically, Go’s logic treated “\r” as part of the same line, whereas the YAML parser interpreted it as a line break, enabling attackers to insert additional "# digest:" lines containing unverified malicious content that bypassed signature checks but was executed when processed by the YAML parser. Additionally, Nuclei’s verification process only checked the first "# digest:" line in a template, ignoring subsequent ones, which could be exploited to inject malicious payloads. Discovered by Wiz researchers, the vulnerability posed a significant risk when organizations ran untrusted or community-contributed templates or used automated scanning platforms that allowed user-generated templates. This could lead to arbitrary command execution, data exfiltration, or system compromise. Following responsible disclosure on August 14, 2024, ProjectDiscovery released a fix in version 3.3.2 on September 4, 2024. CTIX analysts strongly advise users to update to the latest version and run Nuclei in isolated or sandboxed environments to mitigate the risk of executing untrusted templates.
- The Hacker News: CVE-2024-43405 Article
- Bleeping Computer: CVE-2024-43405 Article
- Security Week: CVE-2024-43405 Article
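The parser differential described above can be surfaced with a simple pre-scan lint. The following is an added example, not ProjectDiscovery's code and not Nuclei's real signature format: it mimics a verifier that splits only on "\n" (so a "\r" stays inside the line, as the text describes for the Go side) next to a universal-newline view (as the YAML parser behaves), and flags templates where the two views disagree or where more than one "# digest:" line is present. The template texts and the digest values are constructed placeholders.

```python
import re

# Constructed sample: one digest comment, conventional "\n" line endings.
CLEAN_TEMPLATE = (
    "id: example\n"
    "info:\n"
    "  name: Example\n"
    "# digest: placeholder-signature-a\n"
)

# Constructed sample: a bare "\r" hides a second digest line from a
# "\n"-only splitter while a universal-newline parser still sees it.
SUSPICIOUS_TEMPLATE = (
    "id: example\n"
    "# digest: placeholder-signature-a\r# digest: placeholder-signature-b\n"
    "info:\n"
    "  name: Example\n"
)

DIGEST_RE = re.compile(r"^# digest:")


def digest_lines_newline_only(text):
    """Digest lines as seen by a verifier that splits on '\\n' only."""
    return [ln for ln in text.split("\n") if DIGEST_RE.match(ln)]


def digest_lines_universal(text):
    """Digest lines as seen by a parser treating '\\r' as a line break too."""
    return [ln for ln in text.splitlines() if DIGEST_RE.match(ln)]


def lint_template(text):
    """Return a list of findings; an empty list means no differential found."""
    findings = []
    if "\r" in text:
        findings.append("carriage return present: line splitting may differ between verifier and parser")
    narrow = digest_lines_newline_only(text)
    wide = digest_lines_universal(text)
    if len(narrow) != len(wide):
        findings.append(f"digest-line count differs: {len(narrow)} vs {len(wide)} depending on newline handling")
    if len(wide) > 1:
        findings.append("more than one '# digest:' line; only the first would be verified")
    return findings


def normalize_line_endings(text):
    """Hardening step: canonicalize every CR/CRLF to LF before verifying."""
    return text.replace("\r\n", "\n").replace("\r", "\n")
```

Running the lint before signature verification, or verifying only after `normalize_line_endings`, removes the gap between what is signed and what is parsed.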
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.