Ankura CTIX FLASH Update - November 3, 2025

Malware Activity


New Malware Platform and AI Vulnerabilities

Recent cybersecurity reports reveal alarming developments in both cybercrime and AI security. A new malware-as-a-service offering called Atroposia makes it easier for cybercriminals to steal data remotely and control infected computers. The malware features hidden access, password and cryptocurrency-wallet theft, and DNS hijacking, all for $200 a month; its modular design allows even less-skilled criminals to launch complex attacks while remaining discreet. Meanwhile, researchers have discovered vulnerabilities in agent-based web browsers such as ChatGPT Atlas, where malicious websites can manipulate AI models by feeding them false information, a tactic called AI-targeted cloaking. This can cause AIs to produce biased or misleading outputs, potentially affecting decision-making and spreading misinformation. Furthermore, many AI systems lack sufficient safeguards against risky actions, increasing the risk of exploitation. These issues underscore the critical need for stronger security measures to protect both users and AI integrity from evolving cyber threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity


Qilin Ransomware Running Hot, Exploiting a Combo of WSL and BYOVD in Hybrid Attacks

The Qilin ransomware group, also known as Agenda, Gold Feather, and Water Galura, has emerged as a prominent threat, claiming over forty (40) victims monthly in 2025 and reaching up to 100 cases in June. This ransomware-as-a-service (RaaS) operation has targeted more than 700 victims across sixty-two (62) countries, focusing primarily on sectors such as manufacturing, professional services, and wholesale trade. Qilin affiliates leverage leaked administrative credentials to gain initial access through VPN interfaces, followed by RDP connections for further system infiltration. They employ tools like Mimikatz and Cyberduck to harvest credentials and exfiltrate data, while also using legitimate software such as AnyDesk and ScreenConnect for remote access. The group's sophisticated attack chain includes disabling security software using vulnerable drivers (the BYOVD technique) and deploying Cobalt Strike for persistent remote access. A notable tactic involves using the Windows Subsystem for Linux (WSL) to execute Linux ransomware binaries on Windows systems, allowing them to bypass traditional security defenses focused on Windows PE behavior. This cross-platform capability enables Qilin to target both Windows and Linux systems. Qilin's approach reflects a broader trend in the ransomware landscape, where groups employ a mix of legitimate tools and innovative methods to maximize impact and evade detection. This includes targeting Veeam backup infrastructure to compromise disaster recovery capabilities and utilizing fake CAPTCHA pages for initial payload delivery. CTIX analysts remain committed to providing up-to-date trends in threat actor activities and campaigns.
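As an added example that is not part of the Ankura briefing: a small triage routine for the WSL tactic described above, flagging wsl.exe/bash.exe launches from unexpected parent processes or from the remote-access tools the write-up names, and wsl.exe being used to run a binary staged on the Windows file system. The Sysmon-style records and the remote-access binary names are constructed assumptions, not observed telemetry.

```python
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
# Parents that normally spawn a WSL shell on an interactive workstation.
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                    "powershell.exe", "code.exe"}
# Substrings for the remote-access tools the briefing names; the binary names
# are assumed, adjust to the image names seen in your own telemetry.
REMOTE_ACCESS_HINTS = ("anydesk", "screenconnect")

def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return (severity, reason) for a WSL launch worth review, else None."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image not in WSL_LAUNCHERS:
        return None
    if any(h in parent for h in REMOTE_ACCESS_HINTS):
        return "high", f"{image} spawned by remote-access tool {parent}"
    if parent not in EXPECTED_PARENTS:
        return "medium", f"{image} spawned by unexpected parent {parent}"
    # wsl.exe -e / --exec runs a binary directly; a payload staged on the
    # Windows file system appears under an /mnt/<drive>/ path.
    cmd = event.get("CommandLine", "").lower()
    if ("-e " in cmd or "--exec" in cmd) and "/mnt/" in cmd:
        return "medium", f"{image} executing a binary from the Windows file system"
    return None

def triage_events(events):
    """Apply triage() to a batch of records, keeping only the findings."""
    return [{"pid": ev["ProcessId"], "severity": hit[0], "reason": hit[1]}
            for ev in events for hit in [triage(ev)] if hit]

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wsl.exe"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": "wsl.exe -d Ubuntu -e /mnt/c/Users/Public/upd"},
    {"ProcessId": 6208, "Image": r"C:\Windows\System32\bash.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "bash.exe"},
    {"ProcessId": 7300, "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe --exec /mnt/c/Users/Public/upd"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

Tune EXPECTED_PARENTS to the developer tooling actually in use; on servers that have no business running WSL at all, every hit in WSL_LAUNCHERS is worth a look regardless of parent.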


Vulnerabilities


Active Exploitation of DELMIA Apriso and XWiki Vulnerabilities Targets Global Industrial and Software Platforms

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) exploited vulnerabilities (one in Broadcom VMware Tools and VMware Aria Operations, and another in XWiki) to its Known Exploited Vulnerabilities (KEV) catalog. The VMware flaw, tracked as CVE-2025-41244 (CVSS 7.8/10), allows local attackers with limited privileges to escalate to root on virtual machines when VMware Tools is managed by Aria Operations with SDMP enabled. Although patched by Broadcom in September 2025, the vulnerability was reportedly exploited as a zero-day since mid-October 2024 by a Chinese state-sponsored threat actor tracked by Mandiant as UNC5174, who leveraged the vulnerability's ease of exploitation to gain privileged code execution. NVISO Labs discovered the flaw earlier this year during an incident response engagement. Also added to the KEV catalog is CVE-2025-24893, a critical eval injection flaw in XWiki that enables unauthenticated remote code execution (RCE) through the “/bin/get/Main/SolrSearch” endpoint and is now being weaponized to deploy cryptocurrency miners. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply mitigations no later than November 20, 2025, and CTIX analysts urge all organizations to patch immediately to prevent exploitation.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.