
Ankura CTIX FLASH Update - February 4, 2025

Malware Activity

Cyber Threats on the Rise: Malware and Spyware Campaigns Targeting Users Worldwide

A series of newly discovered cyber threats are targeting users worldwide, including a new Android malware called Tria, which is being spread through fake wedding invitations on Telegram and WhatsApp, primarily in Malaysia and Brunei, and steals sensitive data from SMS messages, emails, and messaging apps. Meanwhile, a banking malware known as Coyote is targeting Brazilian Windows users, performing keylogging, capturing screenshots, and displaying phishing overlays to steal credentials. Additionally, Meta-owned WhatsApp has disrupted a spyware campaign that targeted around 90 journalists and civil society members across more than two dozen countries using spyware from the Israeli company Paragon Solutions, and has sent the company a "cease and desist" letter. Furthermore, security researchers at SquareX have disclosed a new attack technique called "browser syncjacking," in which a malicious extension gains full control of the targeted browser and device with minimal user interaction, exploiting a blind spot in enterprise security that lets attackers stay below the radar of conventional security controls. These threats highlight the increasing sophistication and reach of cyber-attacks, which can have significant consequences for individuals and organizations, and emphasize the need for enhanced security measures and awareness. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

XE Group Changing Tactics Targeting Zero-Days in Supply Chain Management Software

The XE Group, a cybercriminal organization active for over a decade, has evolved from credit-card skimming to exploiting zero-day vulnerabilities, posing increased risks to global supply chains, particularly in the manufacturing and distribution sectors. Initially identified in 2013 for targeting e-commerce platforms, the group has refined its methods over time. It previously exploited known vulnerabilities in tools like Telerik UI for ASP.NET, using webshells for remote access and data theft. By 2024, XE Group had shifted its focus to targeted information theft, exploiting two (2) zero-day vulnerabilities in VeraCore, a supply chain management software. These vulnerabilities, an upload validation flaw and a SQL injection flaw, enabled the group to infiltrate systems and exfiltrate configuration files while maintaining access for years. A notable incident in 2024 saw the reactivation of a webshell planted in a 2020 breach, highlighting the group's patience and operational discipline. The Common Vulnerabilities and Exposures (CVE) identifiers for these flaws are pending validation from MITRE, though a temporary fix for the upload validation flaw was issued in November by VeraCore's parent company, Advantive. The SQL injection flaw remains unpatched. The group's infrastructure includes domains for command-and-control and skimming tools, used to automate its tactics. In 2020, XE Group extracted database credentials through obfuscated Transact-SQL queries in order to upload malicious files. It has employed customized open-source webshells like ASPXSpy for file manipulation and network scanning. By 2024, its tooling incorporated automated data exfiltration and PowerShell-based payload delivery. Recent campaigns used built-in Windows utilities like arp and netstat for network mapping, with PowerShell scripts deploying Meterpreter to establish covert communication channels.
XE Group's ability to maintain system access for over four (4) years indicates a preference for persistence over immediate monetization, allowing for prolonged intelligence gathering or the staging of larger attacks. Research suggests the group is likely based in Vietnam, supported by Vietnamese-linked email addresses and pseudonyms like "XeThanh." Despite minimal effort to obscure its identity, XE Group's lack of operational security suggests it is not state-aligned, as state-backed groups typically exercise stricter security measures.
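
The sequence described above, network-mapping utilities followed by PowerShell, is one that endpoint telemetry can surface. The following is an added example, not code from the Ankura CTIX digest: a small correlation rule over Windows process-creation events that flags a PowerShell launch preceded on the same host, within a short window, by arp or netstat. Field names follow Sysmon Event ID 1 (UtcTime, Computer, Image, ParentImage, CommandLine); the hostnames, timestamps and command lines are constructed sample data, and the treatment of the IIS worker process (w3wp.exe) as a suspicious parent is an assumption drawn from the ASP.NET webshell activity the digest mentions.

```python
"""
Added example (not from the Ankura CTIX digest): correlate discovery
utilities (arp, netstat) with a subsequent PowerShell launch on the same
host, using Sysmon Event ID 1 style fields. All sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named in the digest; extend to your environment's baseline.
DISCOVERY = {"arp.exe", "netstat.exe"}
# The digest only says "PowerShell"; pwsh.exe is included as an assumption.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: commands issued through an ASP.NET webshell run under the IIS
# worker process, so that parent adds weight to an alert.
WEB_WORKER = "w3wp.exe"
WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed sample data
    {"UtcTime": "2025-02-04 09:00:05", "Computer": "WMS01",
     "Image": r"C:\Windows\System32\ARP.EXE",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "arp -a"},
    {"UtcTime": "2025-02-04 09:00:09", "Computer": "WMS01",
     "Image": r"C:\Windows\System32\NETSTAT.EXE",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "netstat -ano"},
    {"UtcTime": "2025-02-04 09:03:41", "Computer": "WMS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    # Benign administration on another host: netstat alone, PowerShell hours later.
    {"UtcTime": "2025-02-04 08:15:00", "Computer": "ADMIN02",
     "Image": r"C:\Windows\System32\NETSTAT.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netstat -an"},
    {"UtcTime": "2025-02-04 11:30:00", "Computer": "ADMIN02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service"},
]


def _basename(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _parse(ev):
    return {
        "t": datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        "image": _basename(ev["Image"]),
        "parent": _basename(ev["ParentImage"]),
        "cmd": ev["CommandLine"],
    }


def find_recon_then_powershell(events, window=WINDOW):
    """Return one alert per PowerShell launch that was preceded, on the same
    host and within `window`, by at least one discovery utility."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(_parse(ev))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        for i, ps in enumerate(evs):
            if ps["image"] not in POWERSHELL:
                continue
            prior = [e for e in evs[:i]
                     if e["image"] in DISCOVERY and ps["t"] - e["t"] <= window]
            if not prior:
                continue
            reasons = [f"{e['image']} at {e['t']:%H:%M:%S}" for e in prior]
            if ps["parent"] == WEB_WORKER:
                reasons.append("spawned by IIS worker process")
            if "-enc" in ps["cmd"].lower():  # covers -enc and -EncodedCommand
                reasons.append("encoded command line")
            alerts.append({"host": host, "time": ps["t"].isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_recon_then_powershell(SAMPLE_EVENTS):
        print(alert["host"], alert["time"], "; ".join(alert["reasons"]))
```

Run as-is, the rule raises a single alert for WMS01 and stays quiet on ADMIN02, where the same utilities appear hours apart under an interactive shell. The window and the discovery set are the tuning knobs: widen the window for slow-moving intrusions, and add the utilities your own baseline shows are rarely run on application servers.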

Vulnerabilities

CISA and FDA Notify Healthcare Entities of Critical Backdoor in Contec CMS8000 Patient Monitors Linking back to Chinese IP

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued urgent warnings regarding severe security vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors, manufactured by China-based Contec Medical Systems. These devices, widely used in the U.S. and internationally, contain a hidden backdoor, tracked as CVE-2025-0626, that allows unauthorized remote access to a hard-coded IP address linked to a third-party university, enabling attackers to upload, overwrite, and execute files on the devices without any activity being logged. Additionally, a privacy leakage flaw, tracked as CVE-2025-0683, causes patient data, including personally identifiable information (PII) and protected health information (PHI), to be transmitted in plaintext to this hard-coded address, raising concerns over data breaches and adversary-in-the-middle (AiTM) attacks. A third critical vulnerability, tracked as CVE-2024-12248, enables remote attackers to execute arbitrary code via an out-of-bounds write. These flaws pose significant patient safety risks, as compromised monitors could report manipulated vital sign readings, potentially leading to misdiagnoses or improper medical responses. Despite multiple firmware updates from Contec, the backdoor persists, with only superficial mitigations that fail to eliminate it. No patches are currently available, prompting CISA and the FDA to strongly advise healthcare providers to disconnect all affected devices from networks, disable wireless connectivity where possible, and monitor them for anomalies. Furthermore, past CISA reports from 2022 identified additional vulnerabilities in Contec CMS8000 devices, including root shell access, denial-of-service (DoS) risks, and hard-coded credentials, further highlighting the long-standing cybersecurity risks associated with these monitors.
Given the lack of effective remediation, healthcare organizations are urged to cease using these devices to protect both patient safety and data security. CTIX analysts urge any healthcare entities deploying the affected devices to follow the CISA/FDA guidance and to monitor for the release of security patches.
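
Where a monitor cannot be pulled from the network immediately, the "monitor them for anomalies" advice above comes down to watching what the device talks to. The following is an added example, not code from the Ankura CTIX digest or the CISA/FDA advisory: a check over network flow records that flags any connection between a patient monitor and a peer that is not on the device's expected allowlist, rating peers outside the hospital's own address space as high severity in either direction. The monitor subnet, internal ranges, allowlist, ports and flow records are all constructed; 203.0.113.50 is a documentation-range placeholder standing in for the hard-coded address the advisory refers to, which this page does not give.

```python
"""
Added example (not from the Ankura CTIX digest or the CISA/FDA advisory):
flag unexpected inbound or outbound flows for a patient-monitor segment.
Subnets, allowlist, ports and flows are constructed; 203.0.113.50 is a
placeholder for the hard-coded address, which this page does not give.
"""
import ipaddress
from dataclasses import dataclass

MONITOR_SEGMENT = ipaddress.ip_network("10.40.12.0/24")  # assumed monitor VLAN
HOSPITAL_SPACE = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal ranges
# Peers a monitor is expected to talk to (assumed): the central monitoring
# station on its data port, and the internal NTP server.
ALLOWED_PEERS = {
    ipaddress.ip_address("10.40.1.10"): {511},
    ipaddress.ip_address("10.0.0.123"): {123},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


SAMPLE_FLOWS = [  # constructed flow records
    Flow("10.40.12.21", "10.40.1.10", 511, "tcp", 18432),   # expected: central station
    Flow("10.40.12.21", "10.0.0.123", 123, "udp", 76),      # expected: NTP
    Flow("10.40.12.21", "203.0.113.50", 515, "tcp", 9120),  # monitor -> placeholder external address
    Flow("203.0.113.50", "10.40.12.21", 515, "tcp", 2048),  # placeholder external address -> monitor
    Flow("10.40.12.33", "10.40.5.7", 445, "tcp", 3300),     # monitor -> unexpected internal host
    Flow("10.20.3.4", "10.20.3.5", 443, "tcp", 500),        # no monitor involved
]


def assess_flow(flow):
    """Return a finding for an unexpected monitor flow, or None if the flow
    does not involve a monitor or matches the allowlist."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in MONITOR_SEGMENT:
        direction, device, peer = "outbound", src, dst
        if flow.dport in ALLOWED_PEERS.get(peer, set()):
            return None
    elif dst in MONITOR_SEGMENT:
        direction, device, peer = "inbound", dst, src
        if peer in ALLOWED_PEERS:  # connections back from expected peers
            return None
    else:
        return None
    external = not any(peer in net for net in HOSPITAL_SPACE)
    return {
        "device": str(device), "peer": str(peer), "direction": direction,
        "port": flow.dport, "proto": flow.proto, "bytes": flow.nbytes,
        "external": external, "severity": "high" if external else "medium",
    }


def audit(flows):
    """Assess every flow and return the findings, high severity first."""
    findings = [f for f in map(assess_flow, flows) if f]
    findings.sort(key=lambda f: (f["severity"] != "high", f["device"]))
    return findings


def bytes_to_external(findings):
    """Outbound bytes per device to peers outside the hospital: a rough
    measure of how much unencrypted patient data may have left the network."""
    totals = {}
    for f in findings:
        if f["external"] and f["direction"] == "outbound":
            totals[f["device"]] = totals.get(f["device"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f["severity"], f["direction"], f["device"], "->", f["peer"], f["port"])
    print("bytes to external peers:", bytes_to_external(results))
```

The allowlist is deliberately per peer and per port: a monitor that reaches the central station on an unexpected port is still worth a look. The inbound branch matters as much as the outbound one, since the backdoor described above gives the remote address the ability to push files onto the device; a flow arriving at a monitor from anywhere other than its expected peers is the signal to act on.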

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.