Malware Activity
Rise of Sophisticated Cyber Espionage and Supply Chain Threats
Since early 2023, Russia-linked ColdRiver, associated with the FSB, has escalated its espionage activities against Western targets by deploying advanced malware like LOSTKEYS with fake CAPTCHA prompts and employing social engineering, blockchain obfuscation, and watering hole attacks to evade detection. Simultaneously, cybersecurity researchers uncovered a malicious Python package, discordpydebug, masquerading as a legitimate utility but embedded with a remote access trojan capable of data exfiltration and command execution. The Python package has had over 11,500 downloads since 2022. The presence of numerous similar malicious packages reveals a coordinated effort targeting supply chains, emphasizing the evolving landscape of cyber threats driven by state-sponsored actors and organized cybercriminal groups. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: Russian Hackers Using ClickFix Fake CAPTCHA article
- BleepingComputer: Google Links New LostKeys Data Theft Malware article
- TheHackerNews: Researchers Uncover Malware in Fake Discord PyPI Package article
Threat Actor Activity
Increased Activity Amongst Hackers Targeting US Oil and Natural Gas Sectors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about unsophisticated cyber actors targeting the oil and natural gas sectors in the US, specifically focusing on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) technology. Despite using basic intrusion techniques, these actors exploit poor cyber hygiene and exposed assets, potentially leading to significant consequences such as operational disruptions and physical damage. CISA, along with the FBI, EPA, and DOE, has provided guidance to help organizations reduce the risk of such breaches. Key recommendations include removing public-facing operational technology (OT) devices from the internet, changing default passwords to strong ones, securing remote access with VPNs featuring phishing-resistant multifactor authentication (MFA), and segmenting IT and OT networks using demilitarized zones. Additionally, they advise practicing manual control operations to quickly restore functionality in the event of an incident. Organizations are encouraged to communicate regularly with third-party service providers and system manufacturers to ensure proper system configuration and security. The warning follows a trend of increased attacks on critical infrastructure, including last year's string of Iranian attacks on water utilities using default passwords. The rise of crime-as-a-service (CaaS) operations has facilitated these attacks, providing adversaries with ready-made tools to breach unprotected infrastructure. The convergence of traditional IT and OT environments has expanded the attack surface, making it easier for threat actors to exploit vulnerabilities. With the evolving threat landscape, organizations must ensure comprehensive visibility across their systems and actively monitor suspicious activities to safeguard their infrastructure from both sophisticated and unsophisticated cyber threats. 
Heightened vigilance and proactive measures are emphasized to mitigate such risks. Contact the Ankura CTIX team if you are at risk and need help reinforcing your cyber safeguards.
Vulnerabilities
Actively Exploited Critical Vulnerability in Langflow Open-source AI Tool Added to CISA's KEV
A critical remote code execution vulnerability in the open-source Langflow platform has been actively exploited by threat actors. Discovered by Horizon3.ai in April 2025, the flaw, tracked as CVE-2025-3248 (CVSS 9.8/10), stems from the /api/v1/validate/code endpoint, which improperly used Python's exec() function to run user-supplied code without authentication or sandboxing. Attackers have leveraged Python features, such as function decorators and default arguments, to bypass validation and gain full control of vulnerable servers, enabling remote shell access and sensitive data exfiltration. Although intended to offer flexibility in building Agentic AI workflows, this design inadvertently created a severe security gap. A public proof-of-concept (PoC) exploit was released on April 9, 2025, and exploit attempts have already been observed against honeypots. Censys identified 1,156 internet-exposed Langflow servers, with hundreds potentially vulnerable. On May 5, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw no later than May 26, 2025. Langflow addressed the issue in version 1.3.0 (released March 31, 2025) by adding authentication to the endpoint, and CTIX analysts strongly urge all administrators to update or restrict network access to mitigate risks.
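The briefing notes that "validating" code by passing it to exec() is unsafe because decorators and default arguments are evaluated when a function is merely defined, not when it is called. The example below is an added illustration written for this briefing, not Langflow's code: validate_with_exec() mirrors that flawed pattern, validate_with_ast() shows a syntax-only check that never evaluates the submitted code, and handle_validate() shows the kind of authentication gate the vendor's fix added. The function names, the API-key check and the sample snippet are all hypothetical and constructed; the side-effect list stands in for whatever an attacker's definition-time code would actually do.

```python
"""Added example (not Langflow's code): why checking user code with exec()
is dangerous, a parse-only alternative, and an authentication gate.

Everything here is hypothetical: the helper names, the constructed sample
code and the API-key scheme are this example's own, not the project's.
"""
import ast
import hmac

# Constructed sample: defines a function but never calls it. The decorator
# expression and the default argument are evaluated at *definition* time,
# so exec() runs them even though f() is never invoked.
SIDE_EFFECT_MARKER: list[str] = []

SAMPLE_CODE = """
def _mark(fn):
    SIDE_EFFECT_MARKER.append("decorator ran")
    return fn

@_mark
def f(x=SIDE_EFFECT_MARKER.append("default arg ran")):
    return x
"""


def validate_with_exec(code: str) -> dict:
    """Flawed pattern: 'validates' by executing the code. Any definition-time
    code (decorators, default arguments, module-level statements) runs."""
    SIDE_EFFECT_MARKER.clear()
    try:
        exec(code, {"SIDE_EFFECT_MARKER": SIDE_EFFECT_MARKER})
        ok = True
    except SyntaxError:
        ok = False
    return {"valid": ok, "side_effects": list(SIDE_EFFECT_MARKER)}


def validate_with_ast(code: str) -> dict:
    """Safer pattern: parse only. ast.parse() builds a syntax tree without
    evaluating anything, so decorators and defaults are inspected, not run."""
    SIDE_EFFECT_MARKER.clear()
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"valid": False, "error": str(exc), "side_effects": []}
    funcs = [n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    decorated = [n.name for n in ast.walk(tree)
                 if isinstance(n, ast.FunctionDef) and n.decorator_list]
    return {"valid": True, "functions": funcs, "decorated": decorated,
            "side_effects": list(SIDE_EFFECT_MARKER)}


def handle_validate(code: str, presented_key: str, expected_key: str) -> dict:
    """Hypothetical endpoint handler: refuse unauthenticated callers before
    touching the submitted code, then use the parse-only check."""
    if not hmac.compare_digest(presented_key.encode(), expected_key.encode()):
        return {"status": 401, "error": "authentication required"}
    return {"status": 200, **validate_with_ast(code)}


if __name__ == "__main__":
    print("exec-based :", validate_with_exec(SAMPLE_CODE))
    print("ast-based  :", validate_with_ast(SAMPLE_CODE))
    print("no key     :", handle_validate(SAMPLE_CODE, "", "constructed-key"))
```

Running it shows the exec-based check recording both "default arg ran" and "decorator ran" even though f() is never called, while the ast-based check reports the same function names and the presence of a decorator with an empty side-effect list. The authentication gate is the mitigation the briefing describes; parse-only inspection is a defence-in-depth choice for any feature that must accept code from users.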

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.