Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.

Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as **RedCurl**. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.

“This new ransomware…is previously undocumented and distinct from known ransomware families,” the **report** states.

This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely puzzling since their emergence in 2018. The group’s targeting patterns further complicates their classification.

While telemetry data points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.

****Living-off-the-Land (LOTL)****

The group uses sophisticated techniques, including DLL sideloading and the abuse of **Living-off-the-Land** (LOTL) strategies, all while avoiding the use of public leak sites, a critical shift from typical ransomware operations.

The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, when opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection. 

Once inside the network, RedCurl employs lateral movement techniques, utilizing WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.

The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s GO executable, rbcw.exe, which encrypts virtual machines using **XChaCha20-Poly1305** encryption and excludes network gateways.

The file also includes a hardcoded personal ID for victim identification.  The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.Bitdefender

****Bitdefender’s Hypotheses****

Bitdefender proposes two potential hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.

The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to maintain extended, low-profile operations. This theory is supported by the group’s targeting of hypervisors while maintaining network gateways, suggesting an attempt to limit disruption and confine the attack to IT departments.

In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also emphasize the importance of data protection, resilience, and advanced threat intelligence.

RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks

Cary, North Carolina, 27th March 2025, CyberNewsWire

**Cary, North Carolina, March 27th, 2025, CyberNewsWire**

INE, a global leader in networking and cybersecurity training and certifications, is proud to announce it is the recipient of twelve badges in G2’s Spring 2025 Report, including Grid Leader for Cybersecurity Professional Development, Online Course Providers, and Technical Skills Development, which highlight INE’s superior performance relative to competitors. 

> “INE solves the problem of accessible, hands-on security training with structured learning paths and real-world labs,” says SOC Analyst Sai Tharun K. “It helps bridge the gap between theory and practical skills. For me, it has been very valuable in refining my penetration testing, cloud security, and threat analysis skills.”

G2 calculates rankings using a proprietary algorithm sourced from verified reviews of actual product users and is a trusted review source for thousands of organizations around the world. Its recognition of INE’s strong performance in enterprise, small business, and global impact for technical training showcases the depth and breadth of INE’s online learning library. 

> “We’re incredibly proud to once again be at the forefront of the training industry, recognized by G2 users in a time when cyber threats are escalating in both frequency and complexity,” said Dara Warn, CEO of INE. “This recognition reflects our commitment to providing training that not only keeps pace with but anticipates the dynamic intersection of cybersecurity with networking, cloud services, and broader IT disciplines. At INE, we believe deeply in equipping professionals and organizations with the robust, up-to-date skills necessary to navigate and secure today’s rapidly changing digital landscapes. A huge thank you to our dedicated team and learners, who are essential in our mission to transform cybersecurity training to meet the urgent demands of the current environment.”

INE’s G2 Spring 2025 Report highlights include:

*   **Momentum Leader, Cybersecurity Professional Development**
*   **Momentum Leader, Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Grid Leader, Cybersecurity Professional Development**
*   **Grid Leader, Online Course Providers**
*   **Grid Leader, Technical Skills Development**
*   **Regional Leader, Europe Online Course Providers**
*   **Regional Leader, Asia Online Course Providers**
*   **Regional Leader, Asia Pacific Online Course Providers**
*   **Grid Leader, Small-Business Technical Skills Development**
*   **Grid Leader, Small-Business Online Course Providers**
*   **High Performer, India Online Course Providers**

> “INE’s hands-on labs and real-world scenarios have helped me refine by skills,” said Leonard R.G., a Pentesting Consultant. “INE is solving the hiring issues most HR people have when they are hiring cybersecurity workers,” adds Batuhan A., a Cyber Security Researcher. 

In 2024, the prestigious SC Awards recognized INE Security, INE’s cybersecurity-specific training, as the **Best IT Security-Related Training Program**. This designation further underscores INE Security’s role as a frontrunner in cybersecurity training for businesses, providing the tools and knowledge essential for tackling today’s complex cyber threats.

INE Security was also presented with 4 awards from Global InfoSec Awards at RSAC 2024, including: 

*   **Best Product – Cybersecurity Education for Enterprises**
*   **Most Innovative – Cybersecurity Education for SMBs**
*   **Publisher’s Choice – Cybersecurity Training**
*   **Cutting Edge – Cybersecurity Training Videos**

Combined, these accolades highlight INE’s leadership in delivering innovative and effective networking and cybersecurity education across various market segments, including enterprises and small to medium-sized businesses.

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

G2 Names INE 2025 Cybersecurity Training Leader

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

*   Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
*   UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
*   We assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

**UAT-5918’s activity cluster****Overview **

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918's intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

**UAT-5918 activity cluster overlapping **

UAT-5918's tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit. 

Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

**Victimology and targeted verticals **

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 

**Initial access and reconnaissance **

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:\\users\\<username>\\Desktop 
cmd /c dir c:\\users\\<username>\\Documents 
cmd /c dir c:\\users\\<username>\\Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working\_directory> 
powershell Get-MpPreference 

**Post-compromise tooling **

UAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

**Reverse proxies and tunnels **

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

The Earthworm (ew) tool for establishing proxies is also run: 

**Port scanning **

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor's use is: 

Run\[.\]exe -h <ip\_range>/24 -nopoc -pwdf pw\[.\]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost\[.\]exe proxy -l \*:22 -k 9999   
svchost\[.\]exe proxy -l \*:443 -k 9999   
svchost\[.\]exe proxy -hc -l \*:443 -k 99997654    
svchost\[.\]exe -hc proxy -l \*:443 -k 99997654    
svchost\[.\]exe proxy -l 443 –v 

 svchost\[.\]exe -type server -proto tcp -listen :443    
svchost\[.\]exe -type server -proto http -listen :443    
svchost\[.\]exe -type server -proto rhttp -listen :443 

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

**Additional network reconnaissance **

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:\\Users\\<compromised\_user>\\Desktop\\cports-x64/cports.exe   
C:\\Users\\<compromised\_user>\\Desktop\\TCPView\\tcpview64.exe 

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell\[.\]exe -file C:\\ProgramData\\smblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy\[.\]exe -h 

**Gathering local system information **

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value    
fsutil fsinfo drives    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value 

**Maintaining persistent access to victims **

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

JuicyPotato is then run to spawn cmd\[.\]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:\\windows\\system32\\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp\[.\]exe <web\_shell> <user>@<IP>:/var/www/html/<web\_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:\\ProgramData\\bind.exe 

C:\\ProgramData\\microbind.exe 

C:\\ProgramData\\reverse.exe 

cmd /c C:/ProgramData/microbind.exe 

**Backdoored user account creation **

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname\_username> <password> /add   
net localgroup administrators <username> /add   
net group domain admins <username> /add /domain 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

**Mimikatz**: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

**LaZagne**: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe   
C:/ProgramData/LaZagne.exe -all >> laz.txt 

**Registry dumps**: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

**Google Chrome information**: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad\[.\]exe: 

BrowserDataLite\_x64.exe 

 C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_LoginPass.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_Cookies.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_History.txt 

**SNETCracker**: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

Finding strings related to credentials such as: 

findstr /s /i /n /d:C:\\ password \*.conf 

**Pivoting to additional endpoints **

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\ADMIN$\\\_\_<timestamp> 2>&1 

 cmd\[.\]exe /Q /c echo python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 ^> \\\\<hostname>\\C$\\\_\_output 2^>^&1 > C:\\Windows\\jFcZpIUm\[.\]bat & C:\\Windows\\system32\\cmd\[.\]exe /Q /c C:\\Windows\\jFcZpIUm\[.\]bat & del C:\\Windows\\jFcZpIUm\[.\]bat 

 cmd\[.\]exe /Q /c net use \[\\\]\[\\\]<IP>\\c$ /user:<username> 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1   
cmd\[.\]exe /Q /c dir \[\\\]\\\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan64\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy \[\\\]\[\\\]<IP>\\c$\\<scan\_result>.txt 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy mimikatz\[.\]exe \[\\\]\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1 

**File collection and staging **

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD\[.\]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target\_server\_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db\_backup\_location>.bak' 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391

UAT-5918 targets critical infrastructure entities in Taiwan

Regulatory compliance is no longer just a concern for large enterprises. Small and mid-sized businesses (SMBs) are increasingly subject to strict data protection and security regulations, such as HIPAA, PCI-DSS, CMMC, GDPR, and the FTC Safeguards Rule. However, many SMBs struggle to maintain compliance due to limited IT resources, evolving regulatory requirements, and complex security challenges

Why Continuous Compliance Monitoring Is Essential For IT Managed Service Providers

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has […]

**About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability.** The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just **extracting a ZIP/RAR archive** with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Thorsten picks apart some headlines, highlights Talos’ report on an unknown attacker predominantly targeting Japan, and asks, “Where is the victim, and does it matter?”

Thursday, March 13, 2025 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Let's pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025.

When a software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn't typically (or shouldn't be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement.

In last week’s newsletter, my colleague Martin asked, "Who is responsible, and does it matter?" As a thought exercise, let's flip the script and ask, "Where is the victim, and does it matter?" I often field questions about threats specific to countries, regions, or continents, but the reality is that software is largely the same regardless of physical location. Yes, there are different language packs, and yes, spam and phishing campaigns may use local languages. However, when it comes to software, operating systems, libraries, and drivers, we share code globally.

Remember Log4j and NotPetya? These vulnerabilities caused chaos around the globe. Both have CVEs listed in the Known Exploited Vulnerabilities (KEV) catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

While researching the KEVs added in 2024, I discovered CVEs dating back to 2012, 2013, and 2014. This underscores that regardless of location, old vulnerabilities can remain relevant and dangerous years after their discovery.

Fast forward to 2025: CVE-2025-22224 was published on Mar. 4, 2025 and added to CISA's KEV Catalog less than two hours later. A week later, over 40,000 vulnerable instances were still detected globally, as shown on the Shadowserver dashboard:

Rather than solely focusing on geography, the global vulnerability landscape suggests we should ask ourselves:

·       "Am I running this software?"  
·       “Is my software up to date?"  
·       "How quickly can I fix it?"  
·       Or, for the brave, "Am I prepared to take the risk?"

While more attributes for CVEs may be beneficial, I personally believe the absence of a geographic attribute is a good thing. Patching and updating software should be prioritized regardless of nationality or geographic context. When it comes to maintaining robust cybersecurity, the only good vulnerability is no vulnerability.

Remember: In the digital world, we're all neighbors. A vulnerability anywhere is a threat just around the corner.

**The one big thing**

Cisco Talos discovered malicious activities conducted by an unknown attacker as early as January 2025, predominantly targeting organizations in Japan. The attacker exploited a vulnerability, CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

**Why do I care?**

We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response report for Q4 2024, and this intrusion highlights this ongoing activity. In this case, the attacker establishes persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”

**So now what?**

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see the National Vulnerability Database. Here are the Snort SIDs for this threat:

·       Snort 2: 64632, 64633, 64630, 64631  
·       Snort 3: 301157, 301156

**Top security headlines of the week**

· **The Bluetooth “backdoor” that wasn’t.** The original title, “Undocumented backdoor found in Bluetooth chip used by a billion devices,” was updated to a more precise description: “Undocumented commands found in Bluetooth chip used by a billion devices.” (Bleepingcomputer) (Darkmentor)

· **A ransomware gang leveraged a vulnerable IP camera in an attack, effectively circumventing Endpoint Detection and Response (EDR).** The “Mr. Monk” in me wants to point out that while the article title says “webcam” — which, in my definition, is a camera connected internally or via USB to a PC — the article discusses Linux and SMB shares, which suggests it is an IP camera.  (Bleepingcomputer)

· **Massive alleged cyber attack against X (formerly Twitter).** This past Monday, a series of outages left X unavailable for thousands of users for at least one hour. Not all details are currently known to the public. (Securityweek)

**Can’t get enough Talos?**

  
Cascading Style Sheets (CSS) are ever present in modern day web browsing, however it's far from their own use. Read our latest blog on Abusing with style: Leveraging cascading style sheets for evasion and tracking.

Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. Read the full blog here: Unmasking the new persistent attacks on Japan

**Upcoming events where you can find Talos**

· DEVCORE (March 15, 2025) Taipei, Taiwan. Ashley Shen will give a talk on exploit hunting.  
· RSA (April 28-May 1, 2025)  San Francisco, CA  
· PIVOTcon (May 7-May 9, 2025) Malaga, Spain. Ashley Shen and Vitor Ventura will present "Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling."  
· CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
· Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
MD5: 7abf12ab98f4cbed63228bba977cea7e  
VirusTotal:  https://www.virustotal.com/gui/file/9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
Typical Filename: pdfzonepro.msi  
Claimed Product: N/A  
Detection Name: W32.9C60480AFB-95.SBX.TG

 SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

Patch it up: Old vulnerabilities are everyone’s problems

Blockchain technology is revolutionizing industries by enabling secure transactions, decentralization, and transparency. At the same time, Blockchain software…

Blockchain technology is revolutionizing industries by enabling secure transactions, decentralization, and transparency. At the same time, Blockchain software development services are increasingly sought after by businesses looking to adopt cutting-edge solutions for various use cases such as:

1.  Blockchain solutions for enterprises
2.  Startups and innovators in the blockchain space
3.  Small and medium businesses adopting blockchain

From enhancing supply chain management to implementing smart contracts, companies across different sectors are leveraging blockchain development services to improve their operations.

**Blockchain solutions for enterprises**

Large enterprises are turning to blockchain software development to improve enterprise blockchain development and optimize their existing infrastructure. The integration of blockchain platforms and blockchain networks allows businesses to streamline supply chain management, enhance security, and create custom blockchain solutions.

For enterprises, blockchain technology offers the opportunity to modernize processes, reduce fraud, and improve transparency across the entire blockchain ecosystem. Companies with significant data and transaction volumes can benefit from secure blockchain infrastructure and blockchain consulting services to ensure the smooth implementation of their blockchain projects.

According to 10clouds, a blockchain software development services provider, many companies are turning to blockchain developers to create customised yet secure solutions that improve transaction transparency and operational efficiency.

****Small and medium businesses adopting blockchain****

In addition to large corporations, small and medium-sized businesses (SMBs) are increasingly adopting custom blockchain development services to stay competitive in their respective industries. These businesses are often looking for blockchain application development services that are cost-effective and tailored to their specific needs.

By leveraging blockchain technology, SMBs can provide secure transactions, improve digital asset management, and build decentralized applications (dApps) for better customer engagement. Blockchain app development companies help these businesses achieve their business objectives by implementing blockchain solutions that improve operational efficiency and enhance their customer experience.

****Startups and innovators in the blockchain space****

Startups and companies in the tech space are leading the charge in blockchain app development. These organizations are looking for blockchain software development companies with expertise in building innovative products such as decentralized applications and smart contracts.

By working with the right blockchain development company, these startups can create cutting-edge blockchain solutions that set them apart from the competition. Whether it’s blockchain integration, custom blockchain app development, or blockchain consulting, these companies rely on blockchain developers to bring their ideas to life and scale in the growing blockchain space.

Image by Gerd Altmann from Pixabay

Why Small and Medium Businesses Are Adopting Blockchain Solutions

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update…

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update firmware now!

Rapid7 researchers uncovered security weaknesses in Xerox Versalink C7025 multifunction printers, specifically models running firmware version 57.69.91 and earlier. These vulnerabilities designated CVE-2024-12510 and CVE-2024-12511, expose the devices to “pass-back” attacks.

According to Rapid7’s research shared with Hackread.com, these are a type of attacks that allow a malicious actor who has compromised the printer’s administrative functions to redirect authentication requests to a system under their control. This can be achieved by altering settings related to services like Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and File Transfer Protocol (FTP).

The LDAP vulnerability allows an attacker to modify the LDAP server’s IP address within the printer’s configuration. By then triggering an LDAP lookup, the printer unwittingly sends authentication credentials to the attacker’s rogue server. The attacker can then capture these credentials in clear text. Similarly, the SMB/FTP vulnerability allows modification of the SMB or FTP server’s IP address in the user’s address book configuration.  

The image illustrates how an attacker might manipulate the server IP address to redirect authentication attempts to a rogue server, thereby stealing the credentials. Predefined login credentials, with the username “MFPservice,” are used for authentication.

While the password itself is obscured, its presence indicates that the printer is configured to authenticate to the LDAP server, a detail central to the pass-back vulnerability where these credentials could be captured by an attacker.

Source: Rapid7

This can be exploited by triggering a scan-to-file operation, which sends authentication credentials to the attacker-controlled server. In the case of SMB, this could expose NetNTLMV2 handshakes, potentially allowing further compromise of Active Directory file servers. For FTP, credentials would be transmitted in clear text.

Successful exploitation of these vulnerabilities requires either administrative access to the printer’s settings or, in some cases, physical access to the console or remote access via the web interface if user-level remote control is enabled. 

The impact of these vulnerabilities is significant, as attackers could potentially gain access to sensitive credentials, including those for Windows Active Directory. This could enable lateral movement within a network, compromising critical servers and systems.

Rapid7 responsibly disclosed these vulnerabilities to Xerox, coordinating the disclosure timeline and working with the vendor to confirm the effectiveness of the patches. Organizations using affected Xerox Versalink printers should immediately upgrade to the latest patched firmware version.

In case immediate patching is not feasible, it is recommended to set a strong and unique password for the printer’s administrative account, avoid the use of domain administrator accounts for LDAP or scan-to-file services, and disable remote console access for unauthenticated users.

Xerox Versalink Printers Vulnerabilities Could Let Hackers Steal Credentials

Attackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.

Soure: T. Schneider via Shutterstock

A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs' configuration.

**Complete Access to Windows Environments**

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6) an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMM or FTP authentication credentials.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

**An Ideal Scenario for Threat Actors**

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Xerox Printer Vulnerabilities Enable Credential Capture

Security vulnerabilities have been disclosed in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks via Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
"This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP's configuration and cause the MFP

Tag

#samba