
Ankura CTIX FLASH Update – December 30, 2025

Malware Activity

Rising Threats in Software Supply Chains and macOS Malware

Recent security reports highlight two concerning trends in cyber threats. First, a malicious NPM package named lotusbail, with over 56,000 downloads, mimics a legitimate WhatsApp Web API using a popular library called Baileys. It secretly steals users’ messages, contacts, and credentials by intercepting data through WebSocket connections, encrypting it, and sending it to attackers. It also creates a backdoor, allowing hackers to maintain access even after the package is removed, exposing large-scale risks in software supply chains. Second, a new form of macOS malware, related to MacSync Stealer, disguises itself as a signed, legitimate app, making detection difficult. It is installed silently by exploiting trust in signed applications, downloading malicious scripts from remote servers, and operating mostly in memory to evade detection. These incidents reveal how cybercriminals are increasingly embedding malicious code into trusted software and digital infrastructure, emphasizing the urgent need for stronger security practices to protect users and organizations. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity

Clop-Linked Oracle EBS Breach Exposes Data of Nearly 3.5 Million University of Phoenix Affiliates

The University of Phoenix has disclosed a data breach affecting nearly 3.5 million individuals after attackers gained unauthorized access to its Oracle E-Business Suite financial system during an intrusion that occurred between August 13 and August 22, 2025, and remained undetected until November 21, shortly after the university was listed on the Clop ransomware gang's leak site. Notifications to regulators and affected individuals confirmed that sensitive personal and financial information belonging to current and former students, employees, faculty, and suppliers was exposed, including names, contact details, dates of birth, Social Security numbers, and bank account information, although the university stated the banking data was accessed without a direct method for misuse. The breach is believed to be part of a broader campaign linked to a zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882, which has been exploited against more than 100 organizations across multiple sectors; the incident ranks among the largest ransomware-related data exposures reported in 2025 by number of records affected. While Clop has claimed responsibility, some researchers have expressed caution around attribution, and no University of Phoenix data has been publicly released to date. The incident nonetheless highlights ongoing systemic cybersecurity challenges within higher education, as similar Oracle E-Business Suite compromises have been confirmed at institutions including Harvard, the University of Pennsylvania, and Dartmouth College. CTIX will continue to report on relevant threat actors and their campaign activity.


Vulnerabilities

Persistent Exploitation of FortiOS 2FA Bypass Highlights Long-Term Risk of Legacy Misconfigurations

Fortinet has repeatedly warned that CVE-2020-12812, a five (5) year-old improper authentication flaw in FortiGate SSL VPN, is still being actively exploited in the wild, allowing attackers to bypass two-factor authentication (2FA) under specific configurations. The vulnerability stems from inconsistent username case-sensitivity handling between FortiGate, which is case-sensitive by default, and LDAP directories, which are not: an attacker who submits a valid username with altered casing is authenticated by LDAP, but the altered spelling does not match the local user record that carries the FortiToken requirement, so no second factor is demanded. Exploitation is possible when local FortiGate users have 2FA enabled but authenticate via LDAP, belong to LDAP groups configured on the firewall, and those groups are used in authentication policies for administrative or VPN access, particularly when a misconfigured secondary LDAP group allows authentication fallback. Fortinet states the flaw has been abused by ransomware operators and state-sponsored threat actors for years, was weaponized in widespread perimeter-device attacks in 2021, and was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) following joint warnings with the FBI. Although the issue was addressed in July 2020 with FortiOS versions 6.0.10, 6.2.4, and 6.4.1, recent advisories confirm continued abuse against unpatched or misconfigured systems. CTIX analysts urge any affected administrators to follow Fortinet’s guidance to upgrade affected devices, disable username case sensitivity, remove unnecessary secondary LDAP groups, and treat any evidence of 2FA bypass as a full compromise requiring immediate credential resets.
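To make the case-mismatch mechanism and its detection concrete, the following added example (not Fortinet's code, and not FortiGate's log format) models the token-requirement decision with and without case-sensitive matching, and then sweeps a constructed set of VPN login events for token-less successes whose username differs only in case from a 2FA-protected local account. The local user list, the event records and the `requires_token` / `suspicious_logins` helpers are all assumptions of this example.

```python
"""Model of the CVE-2020-12812 case-mismatch pattern and a log sweep for it.
Constructed example: the user list, event schema and helper names are not
FortiOS's; adapt the field names to your own SSL VPN log source."""
from dataclasses import dataclass

# Constructed: local FortiGate users with two-factor enabled, exact spelling.
LOCAL_2FA_USERS = {"jsmith", "admin.ops"}

# Constructed sample events: username as submitted, auth source, token used?
SAMPLE_EVENTS = [
    {"user": "jsmith",    "source": "ldap", "token": True,  "result": "success"},
    {"user": "JSmith",    "source": "ldap", "token": False, "result": "success"},
    {"user": "ADMIN.OPS", "source": "ldap", "token": False, "result": "success"},
    {"user": "bob",       "source": "ldap", "token": False, "result": "success"},
    {"user": "jsmith",    "source": "ldap", "token": False, "result": "failed"},
]


def requires_token(submitted, local_2fa_users=LOCAL_2FA_USERS, case_sensitive=True):
    """Does this login need a FortiToken?  case_sensitive=True mirrors the
    vulnerable default described above: 'JSmith' is not recognised as the
    local 2FA user 'jsmith' even though the case-insensitive LDAP bind still
    succeeds, so no second factor is demanded.  Disabling case sensitivity
    (the advisory's workaround) closes that gap."""
    if case_sensitive:
        return submitted in local_2fa_users
    return submitted.casefold() in {u.casefold() for u in local_2fa_users}


@dataclass(frozen=True)
class Finding:
    submitted: str   # username exactly as it appeared in the login event
    expected: str    # the 2FA-protected local account it collides with


def suspicious_logins(events, local_2fa_users=LOCAL_2FA_USERS):
    """Return token-less successful logins whose username matches a
    2FA-protected local user only after case-folding."""
    folded = {u.casefold(): u for u in local_2fa_users}
    findings = []
    for ev in events:
        if ev["result"] != "success" or ev["token"]:
            continue
        match = folded.get(ev["user"].casefold())
        # Same account, different casing, no token: the bypass signature.
        if match is not None and ev["user"] != match:
            findings.append(Finding(submitted=ev["user"], expected=match))
    return findings
```

Any hit from `suspicious_logins` should be handled as the advisory recommends: treat the account as compromised and reset credentials rather than merely re-enabling the token.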


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
