Threat Advisories

Top Middle East Cyber Threats – December 23rd, 2025

By Help AG

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  


Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns 

Researchers have uncovered a sophisticated email-based malware campaign targeting organizations across multiple sectors, including manufacturing and government. The attackers deliver a multi-stage loader through weaponized Office documents, malicious Scalable Vector Graphics (SVG) files, and compressed archives. To evade detection, the loader relies on steganography, trojanized open-source components, and payloads that are staged across several steps rather than dropped at once. Loader artifacts shared across otherwise distinct intrusions point to a reusable delivery framework, suggesting that multiple threat actors may be using the same tooling to carry out their attacks. 

RECOMMENDATIONS

  • Filter, or detonate in a sandbox, the attachment types used in this campaign (Office documents, SVG files, compressed archives) before they reach user mailboxes. 
  • Apply the principle of least privilege to minimize access to sensitive systems and data. 
  • Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones. 
  • Regularly patch and update internet-facing systems to mitigate vulnerability exploits. 
  • Conduct awareness programs to educate users about phishing attacks and social engineering tactics. 

Microsoft Fixes High-Severity Spoofing Flaw in Azure Cosmos DB 

Microsoft has released a security fix for one high-severity vulnerability, CVE-2025-64675 in Azure Cosmos DB. The flaw is an improper neutralization of input during web page generation (cross-site scripting, CWE-79) that allows an unauthorized attacker to perform spoofing over a network. 

RECOMMENDATIONS

  • Review the MSRC advisory for CVE-2025-64675 (linked in the references) for any customer action it requires, and apply every update Microsoft releases. 

Attackers Exploit Fortinet Authentication Bypass Flaws 

Arctic Wolf Labs reports confirmed active exploitation of two Fortinet authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719. The observed intrusions consisted of malicious FortiCloud SSO logins to FortiGate appliances, followed by unauthorized export of the system configuration through the GUI. Exploitation relies on specially crafted SAML response messages and requires FortiCloud SSO to be enabled on the target device. An exported configuration hands the attacker every credential and secret the device stores. 

RECOMMENDATIONS

  • Upgrade affected devices to the fixed versions immediately. 
  • Disable FortiCloud SSO on devices where it is not explicitly required. 
  • Restrict management interface access to trusted internal networks only; never expose the administrative GUI to the internet. 
  • Review administrator login events for FortiCloud SSO logins from unexpected sources, and treat any subsequent configuration export as an indicator of compromise. 
  • If a device was affected, reset all firewall and administrative credentials. 
  • Treat every credential and secret stored in an exported configuration as compromised and rotate it. 

Kimwolf Botnet Hits 1.8 Million Android Devices Globally 

Kimwolf is a newly identified large-scale Android botnet that infects TV boxes and similar devices; more than 1.8 million compromised systems have been observed worldwide. It is capable of launching DDoS attacks approaching 30 Tbps. To stay hidden it uses DNS over TLS, which conceals its DNS lookups from plaintext DNS monitoring, and cryptographically authenticates its C2 channel, which makes the botnet harder to hijack or sinkhole. Strong technical similarities suggest a link between Kimwolf and the Aisuru botnet, pointing to a resilient, coordinated threat actor with significant global impact. 

RECOMMENDATIONS

  • Inventory Android TV boxes and similar consumer devices, keep them on a network segment isolated from corporate systems, and restrict their outbound traffic to what they need. 
  • Keep such devices updated with vendor firmware, and retire devices that no longer receive updates. 
  • Monitor for DNS over TLS (TCP/853) and other unexpected encrypted outbound connections from devices that have no business need for them. 
  • Validate DDoS mitigation capacity and response procedures for internet-facing services against attack volumes of this scale. 
  • Apply the principle of least privilege to minimize access to sensitive systems and data. 

Apple Releases Emergency Patches for Zero-Day Flaws 

Apple has released emergency updates to fix two actively exploited zero-day vulnerabilities, CVE-2025-14174 and CVE-2025-43529, used in highly targeted attacks against specific individuals. 

  • CVE-2025-14174 is an out-of-bounds memory access flaw in ANGLE that can be triggered via a malicious HTML page, potentially allowing arbitrary code execution. 
  • CVE-2025-43529 is a WebKit use-after-free vulnerability exploitable through crafted web content, also confirmed in sophisticated real-world attacks. 

The issues are addressed in iOS/iPadOS 26.2, iOS/iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. 


RECOMMENDATIONS

  • Update all Apple devices to the versions listed above without delay, prioritizing devices used by individuals at elevated risk of targeted attack. 

Postem Ipsum Plugin Fixes High-Severity Privilege Escalation Flaw 

Francisco Palacios has released a security update addressing a high-severity vulnerability in the Postem Ipsum Plugin for WordPress (CVE-2025-14397). A missing capability check in the plugin's postem_ipsum_generate_users() function, present in all versions up to and including 3.0.1, allows authenticated attackers with Subscriber-level access or higher to create arbitrary user accounts with administrator privileges. 
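
The flaw described above is a missing authorization check on a user-creation handler. As an added illustration, which is not the Postem Ipsum plugin's own code, the snippet below shows a WordPress AJAX handler in a vulnerable form that relies only on the caller being logged in, beside a hardened form. The function names, the AJAX action names, and the nonce name are assumptions made for this example.

```php
<?php
/**
 * Illustrative example (not the Postem Ipsum plugin's code): an admin-side
 * AJAX handler that bulk-creates users, first without a capability check and
 * then hardened. All function, action and nonce names here are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_* hooks fire for ANY authenticated user, so a Subscriber who posts to
// admin-ajax.php?action=example_generate_users_vulnerable reaches this code and
// can request role=administrator.
function example_generate_users_vulnerable() {
    $count = isset( $_POST['count'] ) ? absint( $_POST['count'] ) : 1;
    $role  = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';

    for ( $i = 0; $i < $count; $i++ ) {
        $login = 'generated_' . wp_generate_password( 8, false );
        wp_insert_user( array(
            'user_login' => $login,
            'user_pass'  => wp_generate_password( 24, true ),
            'user_email' => $login . '@example.invalid',
            'role'       => $role, // attacker-controlled: 'administrator' is accepted
        ) );
    }
    wp_send_json_success( array( 'created' => $count ) );
}
add_action( 'wp_ajax_example_generate_users_vulnerable', 'example_generate_users_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
function example_generate_users_hardened() {
    // 1. CSRF control: the request must carry a nonce minted for this action.
    //    This is NOT an authorization check; it only ties the request to a
    //    page the user legitimately loaded.
    check_ajax_referer( 'example_generate_users', 'nonce' );

    // 2. Authorization: creating users needs 'create_users' and assigning a
    //    role needs 'promote_users'. In a single-site install only
    //    Administrators hold these, so a Subscriber is rejected here.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input bounds: cap bulk creation.
    $count = isset( $_POST['count'] ) ? absint( $_POST['count'] ) : 1;
    $count = min( $count, 50 );

    // 4. Role allow-list: only roles WordPress considers editable in this
    //    context (the same list the core user editor uses; plugins can narrow
    //    it further through the 'editable_roles' filter).
    $requested = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    if ( ! array_key_exists( $requested, get_editable_roles() ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    $created = array();
    for ( $i = 0; $i < $count; $i++ ) {
        $login = 'generated_' . wp_generate_password( 8, false );
        $id    = wp_insert_user( array(
            'user_login' => $login,
            'user_pass'  => wp_generate_password( 24, true ),
            'user_email' => $login . '@example.invalid',
            'role'       => $requested,
        ) );
        if ( ! is_wp_error( $id ) ) {
            $created[] = $id;
        }
    }
    wp_send_json_success( array( 'created' => $created ) );
}
add_action( 'wp_ajax_example_generate_users_hardened', 'example_generate_users_hardened' );
```

The point to take from the two forms is that a nonce alone would not have closed this class of bug: a nonce is a CSRF control, and any user who can obtain one from a page rendered for them will pass it. The current_user_can() checks on create_users and promote_users are what stop a Subscriber from minting an administrator; the role allow-list is defense in depth against a caller who holds one of those capabilities but should not be assigning arbitrary roles.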


RECOMMENDATIONS

  • Update the Postem Ipsum plugin to a fixed release (any version later than 3.0.1), or remove it if it is not needed. 
  • Review the site's user list for administrator accounts that no known administrator created, and remove any that cannot be accounted for. 

References 

https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/ 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64675 

https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-malicious-sso-logins-on-fortigate-devices-following-disclosure-of-cve-2025-59718-and-cve-2025-59719/ 

https://blog.xlab.qianxin.com/kimwolf-botnet/#kimwolf%E4%B8%8Eaisuru%E5%85%B3%E8%81%94 

https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/ 

https://plugins.trac.wordpress.org/browser/postem-ipsum/trunk/admin/postem-ipsum-admin.php#L1150 

https://www.wordfence.com/threat-intel/vulnerabilities/id/229c146d-3f99-4f63-9a6f-997075846815?source=cve 
