QuirkyLoader Delivers Infostealers and RATs to Multiple Global Entities

Executive Summary Since November 2024, IBM X-Force has been tracking QuirkyLoader, a new malware loader actively used to deliver a variety of well-known payloads, including keyloggers and Remote Access Trojans (RATs). This multi-stage infection begins with a malicious email attachment that exploits dynamic-link library (DLL) side-loading to execute a hidden malicious DLL. The loader, consistently written…

Microsoft OAuth App Impersonation Leads to MFA Phishing

Executive Summary Proofpoint discovered a widespread phishing campaign leveraging fake Microsoft OAuth applications to bypass multifactor authentication (MFA) and harvest Microsoft 365 credentials. The attackers impersonated reputable brands such as RingCentral, Adobe, SharePoint, and DocuSign to lure victims into approving minimal-privilege access. Even if MFA was declined, victims were redirected through CAPTCHA and a phishing page using…

Microsoft Warns of Active Exploitation of SharePoint via ToolShell Zero-Day

Executive Summary Microsoft has identified widespread, active exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, designated ToolShell and tracked as CVE-2025-53770. This zero-day exploit, demonstrated publicly on X just days prior, allows unauthenticated attackers to compromise on-premises SharePoint servers globally, extracting cryptographic secrets and enabling full remote control. Microsoft and CISA have confirmed the active exploitation and…

Recent Compromises of Network-Separated Environments in South Korea Highlight Potential Security Gaps

Executive Summary Recent major cyber incidents at several South Korean entities highlight a critical concern within network-separated, or air-gapped, environments. Despite the inherent security assumptions often associated with these isolated setups, these breaches demonstrate a dangerous decline in caution and a false sense of security. This has led to successful compromises, highlighting that even seemingly air-gapped…

Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC

Executive Summary Citrix has released urgent security updates for a critical memory overflow vulnerability, CVE-2025-6543, affecting its NetScaler ADC and Gateway products. This flaw, which can lead to unintended control flow and denial of service, is reportedly being actively exploited in the wild. Organizations using affected versions, especially those configured as Gateways or AAA virtual servers, are strongly advised to update…

Sainsbury’s Rewards Program Targeted by Malicious Actor for Monetary Gain

Executive Summary Users of the UK grocery/retail chain Sainsbury’s Nectar loyalty program are being warned about a surge in points theft, with one customer recently reporting the loss of two years’ worth of saved points. This follows an earlier investigation that revealed £63,000 worth of Nectar points were stolen from readers over a year, prompting Nectar to implement…

Yes24 Ransomware Outage Causes Multiple Concert Cancelations and Business Impact in South Korea

Summary Yes24, a major South Korean ticketing platform and online book retailer, has been heavily impacted by a ransomware attack, causing a four-day service outage and significant disruption to the country’s entertainment industry. The attack, which began on Monday, has forced the postponement or cancellation of numerous K-pop concerts, fan meetings, and musical performances. South…

Cybercriminals Leveraging Call Center Social Engineering Target Salesforce Data to Extort Retail and Hospitality Organizations

Summary The cybercriminal group known as UNC6040 is conducting sophisticated attacks by socially engineering employees into installing maliciously modified versions of Salesforce’s Data Loader tool, facilitating extensive data theft, according to new intelligence from Google Cloud. Using phone-based social engineering (“vishing”), these attackers pose as IT support to trick victims into granting unauthorized Salesforce app access,…

DragonForce Actors Target SimpleHelp Vulnerabilities To Attack MSP, Customers

Summary Sophos Managed Detection and Response (MDR) recently intervened in a targeted cyberattack against an unnamed Managed Service Provider (MSP), where threat actors leveraged vulnerabilities in the SimpleHelp remote monitoring and management (RMM) platform to deploy DragonForce ransomware across multiple endpoints. Attackers exploited vulnerabilities CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, initially disclosed in January 2025, to achieve remote execution, arbitrary file…

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile Vulnerability

Context EclecticIQ has identified active exploitation of two critical vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier, allowing unauthenticated remote code execution. This activity, attributed with high confidence to the China-nexus espionage group UNC5221, began on May 15, 2025, and targets critical sectors globally, including healthcare, telecommunications, and government. The threat actors…
