Malware Activity
Fake VPNs and Malware Campaigns
Recent cybersecurity reports reveal that cybercriminals are using sophisticated tactics to steal personal and organizational data. One group, Storm-2561, is distributing fake VPN software that closely mimics trusted brands like Ivanti, Cisco, and Fortinet. They manipulate search results, so users unknowingly visit counterfeit sites, where malicious downloads capture login details and VPN configurations. The malware is cleverly signed with revoked certificates and disguises its activity with fake error messages, making it harder to detect. Meanwhile, other attackers are targeting macOS users with malware like MacSync through fake search results, ads, and compromised websites, tricking users into executing harmful commands. These campaigns often rely on user interaction, such as copying commands into the terminal, to bypass security. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Fake Enterprise VPN Sites Used To Steal Company Credentials (article)
- TheHackerNews: ClickFix Campaigns Spread MacSync macOS Infostealer Via Fake AI Tool Installers (article)
Threat Actor Activity
China-Linked Cyber Espionage Targets Southeast Asian Military Organizations
Palo Alto Networks Unit 42 has identified a suspected China-based cyber espionage operation, tracked as CL-STA-1087, that has targeted Southeast Asian military organizations since at least 2020. The campaign focuses on collecting intelligence related to military capabilities, organizational structures, and collaboration with Western armed forces. Demonstrating strategic patience, the attackers maintained dormant access for months, allowing them to conduct highly targeted intelligence collection rather than bulk data theft. The operation employs advanced persistent threat (APT) strategies, including custom tools such as the AppleChris and MemFun backdoors and the Getpass credential harvester. These tools facilitate sustained unauthorized access to compromised systems, allowing for precise intelligence gathering. The attackers deploy PowerShell scripts to create reverse shells to command-and-control (C2) servers and use DLL hijacking for persistence and payload execution. They operate in Windows environments, targeting domain controllers, web servers, and executive systems. AppleChris variants use Pastebin and Dropbox for C2 communication, dynamically resolving IP addresses to execute commands and perform data operations. MemFun functions as a modular malware platform, leveraging reflective DLL loading to execute backdoor operations. Getpass, a custom version of Mimikatz, targets Windows authentication packages for credential harvesting. The campaign's infrastructure and operational schedule align with the UTC+8 time zone, suggesting a China-based origin, as noted by Unit 42. The report further notes that the group's use of China-based cloud network infrastructure, Simplified Chinese on a login page, and its focus on military organizational structures and strategic systems suggest state-sponsored backing and China-based operations. CTIX analysts will continue to stay ahead of the latest threat actor activities and operations.
- The Hacker News: Chinese Hacker CL-STA-1087 (article)
- Palo Alto Networks: Unit 42 CL-STA-1087 (report)
- SecurityWeek: Chinese Hacker CL-STA-1087 (article)
Vulnerabilities
CISA Warns of Actively Exploited Wing FTP Server Vulnerability That Could Enable RCE Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies to secure Wing FTP Server instances against an actively exploited vulnerability. The flaw, tracked as CVE-2025-47813, allows attackers with low privileges to obtain the application’s full installation path by abusing error messages generated through a manipulated UID cookie, potentially enabling further compromise. Researchers indicate the vulnerability can be chained with a critical remote code execution (RCE) flaw, CVE-2025-47812, which attackers began exploiting shortly after technical details were disclosed. Both vulnerabilities, along with an additional information disclosure bug (CVE-2025-27889) that could expose user passwords, were patched in Wing FTP Server version 7.4.4 in May 2025. After proof-of-concept exploit code was released by security researcher Julien Ahrens, CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to remediate the issue within two weeks under Binding Operational Directive 22-01. Although the directive applies only to federal agencies, CTIX analysts urge all organizations to patch immediately, warning that vulnerabilities in widely deployed file transfer servers remain a common and high-impact attack vector.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
