Malware Activity
A Tidal Wave of Threats: Surveillance, Malware, and the Digital Dilemma
In a worrying development for privacy advocates, six (6) governments are reportedly set to adopt hacking tools from an Israeli surveillance technology firm, aimed at tracking and monitoring individuals, thus sparking debates over digital rights and ethical governance. Compounding these concerns is the emergence of a critical vulnerability dubbed the "File Backdoor Attack," which allows cybercriminals to manipulate file systems and execute malicious commands remotely, posing a significant threat to application security. This issue is further highlighted by the widespread "Dollyway" malware campaign, which has compromised over 20,000 WordPress sites by exploiting outdated plugins to redirect users to phishing schemes, underlining the urgent need for website security diligence. Adding to the complexity, a new malware variant known as Arcane Infostealer targets gamers on platforms like YouTube and Discord, masquerading as cheat software to steal sensitive information such as session tokens and cryptocurrency details. As the digital landscape evolves, users are advised to exercise caution by avoiding unverified downloads and maintaining robust security practices to defend against these escalating threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- The Hacker News: Six Governments Likely Use Israeli Spyware article
- The Hacker News: New Rules File Backdoor Attack article
- BleepingComputer: Malware Campaign Dollyway Breached 20,000 WordPress Sites article
- BleepingComputer: New Arcane Infostealer Infects YouTube Discord Users article
Threat Actor Activity
China Claims Taiwanese-linked Individuals Behind Cyberattacks
China’s Ministry of State Security (MSS) has accused four (4) individuals linked to Taiwan’s military of engaging in cyberattacks and espionage against China. The MSS identified these suspects as part of Taiwan's Information, Communications, and Electronic Force Command (ICEFCOM) within the defense ministry, releasing their personal information publicly. Beijing claims ICEFCOM has been active in cyber operations since 2023, targeting critical Chinese infrastructure such as power grids and telecommunications networks. The MSS alleges that ICEFCOM hired hackers and cybersecurity firms to support these government-directed operations, which reportedly include phishing attacks, propaganda emails, and disinformation campaigns using aliases like Anonymous 64. In response, Taiwanese Premier Cho Jung-tai refuted the accusations, suggesting they are fabrications by Beijing to justify its own cyberattacks against Taiwan. ICEFCOM maintains that its operations are defensive, accusing China of using these claims to intimidate the Taiwanese public. The complex cyber relationship between Taiwan and China is characterized by mutual accusations of cyber aggression. Taiwanese officials have attributed most cyberattacks on the island to Chinese hackers, who allegedly target a wide range of sectors including government and high-tech industries. Conversely, China has begun publicly naming alleged Taiwanese hackers, a move that began in 2024 with accusations against the group Anonymous 64, purportedly linked to Taipei. Taiwan has denied these allegations. Following the MSS statement, Chinese cybersecurity firms QiAnXin, Antiy, and Anheng Information released reports on an alleged Taiwan-linked threat actor, APT-Q-20, active since 2006. These reports suggest coordination between Chinese authorities and cybersecurity companies, though they do not directly connect ICEFCOM to APT-Q-20. The simultaneous release of these reports indicates a possible strategic alignment in China's approach to highlighting perceived threats from Taiwan.
Vulnerabilities
CISA Adds Actively Exploited NAKIVO Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in NAKIVO Backup & Replication to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation. This absolute path traversal flaw, tracked as CVE-2024-48248 (CVSS score: 8.6/10), allows unauthenticated attackers to read sensitive files, including configuration files, backups, and credentials, potentially leading to further compromise. Originally reported by watchTowr in September 2024, the vulnerability was silently patched in version 11.0.0.88174 in November, but NAKIVO only publicly acknowledged it in March 2025. Exploitation attempts have been observed since late February, and because NAKIVO integrates deeply with enterprise environments and cloud services, attackers could leverage the flaw to gain broader infrastructure access. In response, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by April 9, 2025, under Binding Operational Directive (BOD) 22-01. Additionally, CISA has flagged two (2) other vulnerabilities. The first, tracked as CVE-2025-1316, is a critical OS command injection flaw in Edimax IP cameras that has been exploited since May 2024 for Mirai botnet attacks. The second, tracked as CVE-2017-12637, is a directory traversal flaw in SAP NetWeaver that has been exploited since 2017. While only federal agencies are required to implement mitigations, all organizations are strongly advised to identify affected systems and apply patches immediately to prevent potential security breaches. CTIX analysts urge administrators to ensure their vulnerable instances are patched as soon as possible to prevent future exploitation.
- The Hacker News: CVE-2024-48248 Article
- Security Week: CVE-2024-48248 Article
- CISA: KEV CVE-2024-48248 Advisory
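The flaw class behind CVE-2024-48248 is absolute path traversal (CWE-36): a file-serving endpoint that joins a user-supplied path onto a base directory without rejecting absolute input or confirming the result stays inside that directory. The following is an added, generic illustration written for this briefing; it is not NAKIVO's code and does not reproduce the product's endpoint, paths, or request format. The `/srv/app/files` root, the `path` query parameter, and the sample log lines are all constructed for the example. It shows the vulnerable resolution pattern beside a hardened version, and reuses the hardened check to flag suspicious requests in access-log lines, which is the kind of retroactive review an administrator would run after patching.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical document root of a file-serving endpoint (not a NAKIVO path).
BASE_DIR = "/srv/app/files"


def resolve_unsafe(base: str, user_path: str) -> str:
    """Vulnerable pattern (CWE-36, absolute path traversal).

    os.path.join() discards every preceding component as soon as one
    argument is absolute, so an attacker-controlled absolute value simply
    replaces the base directory.  normpath() also collapses "../" segments,
    so relative traversal escapes the base as well.
    """
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base: str, user_path: str):
    """Hardened resolution: return a confined absolute path, or None.

    1. Reject absolute input outright instead of relying on join().
    2. Resolve symlinks and ".." with realpath() before checking.
    3. Require the result to remain inside the real base directory.
    """
    base_real = os.path.realpath(base)
    if os.path.isabs(user_path):
        return None
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


# Constructed access-log lines in a common-log-like shape. The endpoint and
# the "path" query parameter are assumptions made for illustration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2025:10:01:12 +0000] "GET /api/files?path=reports/2025.json HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Mar/2025:10:02:40 +0000] "GET /api/files?path=/etc/hostname HTTP/1.1" 200 64',
    '10.0.0.9 - - [20/Mar/2025:10:02:41 +0000] "GET /api/files?path=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 64',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(lines, base=BASE_DIR, param="path"):
    """Return log lines whose file parameter would be rejected by resolve_safe().

    parse_qs() percent-decodes values, so encoded "../" sequences are
    evaluated in the same form the application would have seen them.
    """
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        if any(resolve_safe(base, value) is None for value in query.get(param, [])):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for requested in ("reports/2025.json", "/etc/hostname", "../../../etc/hostname"):
        print(f"{requested!r:32} unsafe -> {resolve_unsafe(BASE_DIR, requested)}")
        print(f"{'':32} safe   -> {resolve_safe(BASE_DIR, requested)}")
    print("flagged requests:")
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("  ", line)
```

The containment check deliberately runs on `realpath()` output rather than on the raw string, so a symlink inside the base directory that points outside it is caught as well; a string-prefix comparison on the unresolved path would miss that case.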
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.