This week’s ThreatsDay Bulletin highlights a constellation of cybersecurity threats, with a particular focus on the growing exploitation of known vulnerabilities and sophisticated tactics employed by threat actors. Emerging RaaS operations like The Gentlemen, alongside critical vulnerabilities in widely used platforms such as BMC FootPrints and FortiGate, underscore the persistent challenges in maintaining robust digital defenses against evolving attack vectors.
Fortinet Devices and ITSM Platforms Under Siege from Emerging Threats
A new Ransomware-as-a-Service (RaaS) operation named “The Gentlemen” is actively exploiting a critical authentication bypass vulnerability (CVE-2024-55591) in FortiOS and FortiProxy, according to Group-IB. This nascent group, reportedly comprising around 20 members, maintains a substantial operational database of approximately 14,700 exploited FortiGate devices globally and nearly a thousand brute-forced VPN credentials. The Gentlemen also employs defense evasion techniques, including the bring your own vulnerable driver (BYOVD) method to bypass security controls at the kernel level. Since its emergence in mid-2025, the group has already targeted around 94 organizations.
Meanwhile, researchers have disclosed four critical security flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) in BMC FootPrints, a popular IT Service Management (ITSM) solution. These vulnerabilities can be chained to achieve pre-authentication remote code execution. The attack chain begins with an authentication bypass, allowing an attacker to extract a guest session token. This token is then used to exploit a Java deserialization vulnerability, enabling arbitrary file writes and complete remote code execution within the web server’s root directory. Additionally, two server-side request forgery (SSRF) flaws within the same platform could be leveraged for internal data leakage. BMC addressed these issues in September 2025.
Stealthy Malware and Deep Link Abuses Complicate Defense
A continuously evolving malware loader, Hijack Loader, is now observed deploying a previously undocumented C++-based command-and-control (C2) framework dubbed SnappyClient. Zscaler ThreatLabz reports that SnappyClient possesses extensive capabilities, including screenshotting, keylogging, remote terminal access, and data theft from browsers and other applications. The malware employs multiple evasion techniques, such as bypassing the Antimalware Scan Interface (AMSI), utilizing direct system calls, and implementing the “Heaven’s Gate” technique. Initial access is often gained through websites impersonating well-known entities, with a notable campaign leveraging a site that mimicked the Spanish telecom firm Telefónica. Cryptic theft is a primary objective, with potential code similarities suggesting a link between HijackLoader and SnappyClient developers.
Proofpoint has detailed a novel technique termed “CursorJack” that exploits Cursor’s support for Model Context Protocol (MCP) deep links. This method enables local command execution or the installation of a malicious remote MCP server. The attack capitalizes on the common practice for MCP servers to define commands within their “mcp.json” configuration files. A single click, coupled with user acceptance of an installation prompt, can lead to arbitrary command execution or the setup of a malicious server. Proofpoint has released a proof-of-concept exploit for this vulnerability.
Citrix Flaws and Teams Phishing Facilitate Widespread Compromise
A new active campaign is targeting known security vulnerabilities in Citrix NetScaler appliances, specifically CVE-2025-5777 and CVE-2023-4966. Defused Cyber reported observing over 500 exploit attempts against its honeypot system on March 16, 2026, noting that elevated exploitation of older vulnerabilities can sometimes precede the discovery of zero-day exploits.
Meanwhile, Rapid7 has reported an increase in phishing campaigns leveraging Microsoft Teams to impersonate internal IT departments. The primary goal is to trick users into launching Quick Assist, a tool that grants attackers remote access to deploy malware, exfiltrate data, or move laterally across networks. The surge in Teams-based attacks highlights a significant security gap, as Teams often permits external users to message internal staff without adequate gateway filtering, akin to operating an email server without proper defenses.
ClickFix, Stealers, and Live Chat Phishing Emerge as Persistent Threats
A campaign reminiscent of the “ClickFix” attacks has compromised a Pakistani government website, “wasafaisalabad.gop[.]pk,” to distribute fake CAPTCHA lures. The attack chain installs an MSI installer via a disguised clipboard command, which then deploys an AutoHotKey-based backdoor. This backdoor periodically polls a remote server for instructions, according to Gen Digital. This social engineering tactic has proven effective, having been adopted by sophisticated state-sponsored groups. In a related development affecting pirated software, Hijack Loader has also been observed distributing an updated version of the ACRStealer information stealer, which incorporates enhanced evasion techniques and C2 initialization strategies.
A new phishing campaign is utilizing LiveChat, a customer service software, to pilfer sensitive data. Attackers send phishing emails with refund-related themes, directing victims to a link hosted on LiveChat’s service. Within the chat interface, users are prompted to click another link to complete a refund, leading them to enter personal and financial information. Cofense notes that this method, distinct from typical refund scams, engages victims in real-time to harvest credentials, credit card details, multi-factor authentication codes, and other personally identifiable information.
Espionage, Data Exposure, and Account Security Updates
A threat cluster closely associated with SideWinder, known as RagaSerpent, is suspected of using tax audit and government compliance themes in spear-phishing emails. These attacks aim to deliver multi-stage malware for command-and-control (C2) and establish persistent access across targeted organizations in Southeast Asia, including Indonesia and Thailand. Similar campaigns targeting India with tax-related lures have been documented. RagaSerpent’s recent activities indicate an expansion beyond South Asia into Africa, Europe, the Middle East, and Southeast Asia.
DJI has patched a critical security flaw in its backend systems that could have allowed attackers to gain unauthorized access to its Romo smart vacuums. Security researcher Sammy Azdoufal discovered that DJI servers returned data for any device purely by providing its serial number, without any authentication requirements. This vulnerability exposed the locations of over 7,000 Romo smart vacuums and 3,000 DJI portable power stations sharing the same server infrastructure.
In a move to bolster account security, WhatsApp has begun testing support for alphanumeric passwords, which can range from six to 20 characters and require at least one letter and one number. This feature aims to strengthen defenses against brute-force attacks, particularly in scenarios where SIM-swapping might be used to intercept messages, as attackers would still need to bypass the new password requirement to access an account.
Fabricated Ransomware Groups and Google’s Security Initiatives
Evidence continues to mount suggesting that the “0APT” ransomware group is a fabrication. Intel 471 reports that the threat actor has failed to provide credible proof of ransomware or data exfiltration attacks. Data samples purportedly from victim networks appeared fabricated, featuring unusually large file sizes and repeating patterns of null bytes, indicating a lack of actual stolen data.
Google reported rejecting 1.75 million policy-violating Android apps and blocking over 80,000 developer accounts from the Google Play Store in 2025. This represents a decrease from the previous year. During 2025, Google also blocked over 255,000 apps from accessing sensitive user data excessively and enhanced its review process with generative AI. The company’s Play Protect service scans over 350 billion apps daily and has identified millions of malicious apps sideloaded from outside the Play Store. Google is also expanding its Scam Detection feature for phone calls to more Pixel devices and select Samsung Galaxy models.
Vulnerability Trends and EU Privacy Legislation
A report from VulnCheck indicates that a mere 1% of vulnerabilities disclosed in 2025 were actively exploited by the end of the year. Network edge devices accounted for a significant portion of exploited products. IBM X-Force, meanwhile, reported a notable 44% increase in cyberattacks targeting publicly facing applications. These figures highlight the ongoing challenges in prioritizing and patching the most critical vulnerabilities.
The European Parliament has voted to extend a temporary exemption to E.U. privacy legislation until August 2027. This extension allows online platforms to voluntarily detect child sexual abuse material (CSAM). Lawmakers stated that this period is crucial for negotiating and adopting a long-term legal framework to combat CSAM online.
Advanced Malware Evasion and Secret Sprawl on GitHub
A previously undisclosed attack chain, delivered via phishing URLs, distributes malware that stages the Rhadamanthys stealer and XMRig cryptocurrency miner. The primary evasion technique relies on .NET Native Ahead-of-Time (AOT) compiled binaries, which obscure traditional .NET metadata, hindering common analysis tools and forcing analysts to use native-level tooling. Cyderes notes that the AOT loader employs sophisticated anti-analysis measures, including sandbox detection and active suppression of miner activity when monitoring tools are present.
GitGuardian’s “State of Secrets Sprawl” report reveals a significant surge in exposed secrets, with over 28.6 million new secrets added to public GitHub commits in 2025, a 34% increase year-over-year. Secrets related to AI services saw an 81% surge. The report also identified thousands of unique secrets exposed in configuration files, including valid credentials, across public GitHub repositories.
Malicious Themes and Multi-Stage Phishing Campaigns
Six malicious Packagist packages, disguised as OphimCMS themes, have been found to contain trojanized jQuery code. This malicious code exfiltrates URLs, injects full-screen overlay ads, and redirects users to gambling and adult content sites through infrastructure operated by “Funnull.” Socket reported that these packages can even load a second-stage mobile-targeted payload.
A sophisticated phishing attack targeted a C-level executive at Swedish security firm Outpost24, impersonating JPMorgan Chase. The multi-stage redirect campaign leveraged trusted services like Nylas and compromised legitimate infrastructure, including Cisco’s, to bypass security filters and conceal the final phishing destination. Specops noted that the attackers implemented a Cloudflare-based “human validation” step to ensure only real users encountered the credential harvesting page. The attack, ultimately unsuccessful, reportedly used a new phishing-as-a-service (PhaaS) toolkit named Kratos.
The persistence of these varied threats suggests that organizations must remain vigilant. While some minor threats may fade, the underlying tactics and vulnerabilities exploited are likely to evolve. Continuous monitoring, prompt patching, and robust security awareness training will be critical in navigating the evolving threat landscape. The next steps in addressing these issues will involve ongoing advisement from security researchers and potential vendor patches, with organizations needing to prioritize their implementation.