
Ankura CTIX FLASH Update - February 28, 2025

Malware Activity: 

Cyber Shadows: The Rise of New Malware Threats 

A recent trend in cybersecurity shows the emergence of several new malware threats, targeting Linux systems and crypto enthusiasts alike. The "Auto-Color" malware exploits vulnerabilities in Linux systems, providing unauthorized access to remote C2 servers as well as the ability to spawn reverse shells and uninstall itself. Meanwhile, a staggering 2,500 variants of the "TrueSightSys" driver have been discovered, potentially affecting users across various platforms by evading endpoint detection and deploying the Gh0st RAT malware. Adding to the chaos, the "GrassCall" malware campaign employs a social engineering strategy by conducting fake job interviews to steal crypto wallets. 

This activity shows the lengths cyber criminals will go to in order to exploit unsuspecting individuals. Collectively, these developments highlight the evolving landscape of cyber threats that demand urgent attention and robust defense mechanisms from users and organizations alike. CTIX analysts will continue to report on the latest malware strains and attack methodologies. 

Threat Actor Activity: 

Lazarus Behind $1.5 Billion Ethereum Theft of Bybit 

Cryptocurrency exchange Bybit has launched a bounty program following a massive $1.5 billion theft of Ethereum by suspected North Korean hackers, identified as the Lazarus Group. The heist, now considered the largest crypto theft in history, involved manipulating a smart contract during a transfer from Bybit's cold wallet to a hot wallet. This sophisticated attack altered the smart contract logic and signing interface, allowing the attackers to redirect over 400,000 ETH to an unidentified address. Bybit's CEO, Ben Zhou, announced the "lazarusbounty.com" program, offering rewards for information leading to the recovery of stolen funds. Participants can earn 5% of the recovered crypto, with a total bounty pool of about $140 million. Bybit insists it remains liquid and customer accounts are unaffected, despite the theft. 

The heist was executed by compromising a developer's device at the multisig wallet platform SafeWallet, used by Bybit. Forensic analysis revealed the attack stemmed from SafeWallet's infrastructure. Malicious JavaScript was injected into the SafeWallet platform, activating only under certain conditions to avoid detection. The attackers exploited a potential leak or compromise of SafeWallet's AWS S3 or CloudFront account. Following the incident, SafeWallet implemented a phased rollout to restore services on the Ethereum mainnet, temporarily removing Ledger integration and enhancing security measures. The SafeWallet team has rebuilt and reconfigured infrastructure, rotating all credentials to prevent future attacks. 

Investigations confirmed links between the Bybit hackers and the Lazarus Group, noting substantial overlaps with previous North Korean thefts. The stolen funds were traced to addresses linked to hacks on Phemex, BingX, and Poloniex, with efforts to obscure the money trail. 
Chainalysis reported North Korean hackers stole $1.34 billion in 47 crypto heists in 2024 alone, with total thefts exceeding $6 billion since 2017, allegedly funding the country's ballistic missile program. 
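The SafeWallet intrusion described above hinged on a hosted JavaScript bundle being modified at the CDN or object-storage layer. One defensive control against that class of tampering is to record a Subresource Integrity (SRI) hash of every front-end artifact at release time and continuously compare what the CDN actually serves against that manifest. The following is an added example written for this briefing; it is not SafeWallet, Bybit or Ankura code, and the file names, contents and manifest format are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample: what the release pipeline built and recorded in the
# manifest, versus what the CDN served afterwards. These are hypothetical
# files, not any real wallet application's code.
RELEASED_FILES = {
    "app.js": b"export function sign(tx) { return wallet.sign(tx); }\n",
    "vendor.js": b"export const version = '1.0.0';\n",
}
SERVED_FILES_CLEAN = dict(RELEASED_FILES)
SERVED_FILES_TAMPERED = {
    # Simulated unauthorized modification: any appended bytes change the digest,
    # even if the added code only activates under specific runtime conditions.
    "app.js": RELEASED_FILES["app.js"] + b"// unauthorized addition (simulated)\n",
    "vendor.js": RELEASED_FILES["vendor.js"],
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI value in the browser's format: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(files: dict) -> dict:
    """Record the release-time SRI value of every artifact (path -> sri)."""
    return {path: sri_hash(data) for path, data in files.items()}


def verify_file(content: bytes, expected: str) -> bool:
    """Constant-time comparison of served content against its recorded SRI."""
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), expected)


def audit(manifest: dict, served: dict) -> list:
    """Compare served files to the manifest.

    Returns a sorted list of (path, problem) tuples; an empty list means the
    served set matches the release exactly.
    """
    problems = []
    for path, expected in manifest.items():
        if path not in served:
            problems.append((path, "missing"))
        elif not verify_file(served[path], expected):
            problems.append((path, "hash mismatch"))
    for path in served:
        if path not in manifest:
            problems.append((path, "unexpected file"))
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(RELEASED_FILES)
    for path, sri in manifest.items():
        print(f'<script src="{path}" integrity="{sri}" crossorigin="anonymous">')
    print("clean deployment:", audit(manifest, SERVED_FILES_CLEAN))
    print("tampered deployment:", audit(manifest, SERVED_FILES_TAMPERED))
```

Two places to use the output: the manifest values can be emitted into the HTML `integrity` attribute (with `crossorigin` for cross-origin CDN resources) so browsers refuse to execute a modified script, and a monitoring job running from outside the CDN account can fetch each artifact and call `audit()` on a schedule, which detects the modification regardless of any conditions the injected code waits for, because the served bytes themselves differ from the release.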

Vulnerabilities:

CISA Adds Microsoft and Zimbra Vulnerabilities to its Known Exploited Vulnerabilities Catalog 

CISA has added multiple security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including flaws in Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS), due to evidence of active exploitation. The first flaw, tracked as CVE-2024-49035, was patched in November 2024 and is an improper access control vulnerability in Microsoft Partner Center, allowing attackers to escalate local privileges. The second vulnerability, tracked as CVE-2023-34192 (addressed in July 2023 with version 8.8.15 Patch 40), is a cross-site scripting (XSS) vulnerability in Synacor ZCS, enabling remote authenticated attackers to execute arbitrary code via a maliciously crafted script. While Microsoft previously confirmed that CVE-2024-49035 had been exploited in the wild, details on its real-world weaponization remain undisclosed, and no public reports confirm active abuse of CVE-2023-34192. 

In accordance with Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must apply the necessary security updates no later than March 25, 2025, to mitigate risks. Experts also urge private organizations to review and address these vulnerabilities to protect their infrastructure. This development follows CISA’s recent inclusion of security flaws in Adobe ColdFusion, Oracle Agile PLM, SonicWall SonicOS, and Palo Alto PAN-OS, reinforcing the urgency for organizations to stay ahead of emerging cyber threats. CTIX analysts recommend that any affected administrators apply the appropriate patches and ensure that they monitor update channels for new patches in the future. 
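KEV additions carry a remediation due date, and the practical question for an administrator is which of the CVEs a scanner has already reported in the environment are now on the catalog and how many days remain. The following is an added example for this briefing, not CISA or Ankura tooling: it parses a feed in the shape of CISA's KEV JSON (the field names `cveID`, `vendorProject`, `product` and `dueDate` are those of the real feed, but the records here are an embedded constructed sample), joins it against a constructed scanner inventory, and reports overdue and upcoming deadlines. The two real CVEs and their March 25, 2025 deadline come from the text above; `CVE-0000-0000` and `CVE-0000-0001` are placeholders used only to show an overdue entry and a non-KEV entry.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match
# the real feed; the records are illustrative. CVE-0000-0000 is a placeholder
# with an already-passed due date so the overdue path is exercised.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-49035", "vendorProject": "Microsoft",
     "product": "Partner Center", "dueDate": "2025-03-25"},
    {"cveID": "CVE-2023-34192", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite (ZCS)", "dueDate": "2025-03-25"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dueDate": "2025-02-20"}
  ]
}
"""

# Constructed scanner inventory: CVE -> hosts on which it was observed.
# CVE-0000-0001 is a placeholder that is NOT in the catalog and must be ignored.
INVENTORY = {
    "CVE-2024-49035": ["partner-portal-01"],
    "CVE-2023-34192": ["mail-02", "mail-01"],
    "CVE-0000-0000": ["legacy-app-01"],
    "CVE-0000-0001": ["build-01"],
}


def load_kev(feed_text: str) -> dict:
    """Parse a KEV-shaped feed and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def check_exposure(kev: dict, inventory: dict, today: date) -> list:
    """Join inventory CVEs against the catalog and compute deadline status.

    Returns one finding per inventory CVE present in KEV, sorted so the most
    urgent (earliest due date) comes first.
    """
    findings = []
    for cve_id, hosts in inventory.items():
        entry = kev.get(cve_id)
        if entry is None:
            continue  # not catalogued: no BOD 22-01 deadline applies
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        findings.append({
            "cve": cve_id,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
            "hosts": sorted(hosts),
        })
    findings.sort(key=lambda f: (f["due"], f["cve"]))
    return findings


def format_report(findings: list) -> str:
    """Render findings as a plain-text table for a ticket or daily digest."""
    lines = [f"{'CVE':<16}{'STATUS':<9}{'DUE':<12}{'DAYS':>5}  PRODUCT / HOSTS"]
    for f in findings:
        lines.append(
            f"{f['cve']:<16}{f['status']:<9}{f['due']:<12}{f['days_left']:>5}  "
            f"{f['product']} [{', '.join(f['hosts'])}]"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Evaluated as of this briefing's date.
    report = check_exposure(load_kev(KEV_FEED_JSON), INVENTORY, date(2025, 2, 28))
    print(format_report(report))
```

To run this against the live catalog, replace `KEV_FEED_JSON` with the body fetched from CISA's published KEV JSON feed and `INVENTORY` with the CVE list exported from your scanner; the join logic is unchanged. Running the check daily and paging on any `OVERDUE` row gives a simple, auditable control for the BOD 22-01 deadline, and private organizations that are not bound by the directive can use the same dates as a prioritization signal.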


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
