Triaging the Week 081
Vulnerabilities in AI vibe coding tools, malware targets the Google Play store and WhatsApp devs, and new hacking tools hit the cybercrime market
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 10 News Stories
Critical Flaw in Cursor AI Code Editor Allows Remote Code Execution
A high-severity vulnerability, dubbed CurXecute (CVE-2025-54135), has been discovered in the Cursor AI code editor, which could allow attackers to gain complete control over a user's system. The flaw, found by Aim Labs, has been patched in version 1.3, and all users are urged to update immediately.
Key takeaways:
🔒 The Vulnerability: The issue resides in the auto-run feature of custom Model Control Protocol (MCP) servers, which automatically execute new entries without user confirmation. This allows for the injection of malicious commands.
🚨 Attack Vector: Attackers can exploit this by sending a crafted message, potentially through a public Slack channel, which the Cursor agent then processes to inject malicious commands.
💡 Wider Implications: Similar vulnerabilities have been found in other AI-assisted coding tools, including Google's Gemini CLI, indicating a broader trend of security risks in AI coding platforms.
🛡️ Mitigation: The most critical action for users is to upgrade the Cursor AI code editor to version 1.3. Additionally, organizations should implement their own security measures for agentic systems and not rely solely on built-in security features.
🌐 Industry-Wide Concern: The discovery of CurXecute and similar flaws highlights the need for a shift in security models for AI agents, with a greater emphasis on monitoring every interaction and moving from denylists to allowlists for auto-run features.
New 'Plague' PAM Backdoor Exposes Critical Linux Systems to SSH Hijacking
A stealthy and sophisticated Linux backdoor, dubbed "Plague," has been discovered targeting the Pluggable Authentication Module (PAM). This malicious module allows attackers to bypass system authentication, gain persistent SSH access, and steal credentials, all while remaining undetected by most antivirus engines for over a year.
Key takeaways:
🔒 Deep Integration: Plague operates as a malicious PAM, allowing it to deeply integrate into the authentication stack, survive system updates, and leave almost no forensic traces.
🚨 Silent Credential Theft: The backdoor can steal user credentials and allows attackers to bypass authentication checks silently, making it exceptionally dangerous.
🛡️ Evasive Maneuvers: Plague employs advanced obfuscation techniques, anti-debugging, and actively erases its footprint by tampering with environment variables to avoid detection by traditional security tools.
🌐 Active Threat: The presence of multiple variants on VirusTotal suggests that this backdoor is under active development. While attribution is unclear, its sophistication points to a skilled threat actor.
Akira Ransomware Exploiting Suspected Zero-Day in SonicWall VPNs
The Akira ransomware group is actively exploiting a likely zero-day vulnerability in SonicWall SSL VPN devices to gain initial access to corporate networks. Even fully-patched devices are being compromised, leading to rapid ransomware deployment.
Key takeaways:
💀 Zero-Day Suspected: The attacks are bypassing fully-patched SonicWall devices, strongly suggesting a zero-day vulnerability is being used.
⚡ Rapid Attacks: There is a very short timeframe between the initial VPN breach and the deployment of ransomware, indicating a highly efficient attack chain.
📅 Long-Term Campaign: Malicious VPN logins associated with this activity have been observed as far back as October 2024, indicating a sustained targeting of these devices.
💸 Significant Impact: The Akira ransomware group has already extorted approximately $42 million from over 250 victims since it emerged in March 2023.
PlayPraetor Android Trojan Infects Over 11,000 Devices via Fake Google Play Pages
A new Android RAT, PlayPraetor, is rapidly spreading through fake Google Play pages promoted on Meta platforms, infecting over 11,000 devices. The malware steals banking credentials and cryptocurrency wallet information by using deceptive overlay screens and keylogging.
Key takeaways:
🔍 Sophisticated Distribution: Attackers use Meta Ads and SMS messages to distribute links to fraudulent Google Play Store pages, tricking users into downloading the malware.
🤖 Remote Access & Control: PlayPraetor gains full remote control of infected devices by abusing Android's accessibility services, allowing for live screen streaming and credential theft from nearly 200 financial apps.
🌐 Global MaaS Operation: The campaign is managed as a malware-as-a-service (MaaS) with a Chinese command-and-control panel and multiple affiliates, targeting users in Europe, South America, and Asia.
🛡️ Evasive Variants: Five different variants of the malware exist, each with specialized functions like on-device fraud and phishing, making it a versatile and dangerous threat.
🔒 Actionable Advice: Be cautious of unsolicited links from social media ads and messages. Always verify the authenticity of app store pages before downloading and installing applications.
ClickTok Campaign Targets TikTok Shop Users with Spyware
A new global malware campaign, "ClickTok," is using a hybrid phishing and malware model to target TikTok Shop users, aiming to steal cryptocurrency wallets. The attackers lure victims with fake AI-generated videos and Meta ads to impersonate TikTok websites, where they are prompted to install a trojanized app containing the SparkKitty spyware.
Key takeaways:
🎭 Hybrid Threat: The campaign combines phishing tactics on fake websites with malware distribution, tricking users into giving up credentials and installing spyware.
😈 Deceptive Distribution: decoy videos and ads on social media redirect users to thousands of cybersquatted domains mimicking official TikTok pages.
📸 SparkKitty Spyware: The malicious app contains SparkKitty spyware, which can access the user's photo gallery to find and steal screenshots of cryptocurrency wallet credentials.
💰 Crypto Theft: The ultimate goal is to drain users' cryptocurrency wallets, using both stolen credentials and information gathered by the spyware.
🔒 Stay Safe: Always verify website domains before entering credentials, avoid downloading apps from unofficial sources, and use robust security software to protect your devices.
"ClickFix" Malware Spreads via Fake CAPTCHAs and Browser Fixes
A cunning malware campaign, dubbed "ClickFix," is exploiting user trust to infect systems across multiple platforms. This social engineering tactic tricks users into copying and pasting malicious code into their systems, disguised as a solution to a fake problem like a CAPTCHA verification or a browser error.
Key takeaways:
🚨 Don't Trust, Verify: Be wary of any website or pop-up that instructs you to manually copy and paste code, especially into a command line or terminal.
🛡️ Source Matters: If a website prompts you to take unusual steps to view content, it's a major red flag. Close the tab and do not follow the instructions.
💡 Clipboard Hijacking: This attack relies on "pastejacking," where the website secretly copies malicious code to your clipboard. Always be aware of what you are pasting.
🌐 Stay Updated: Keep your operating system and software patched to the latest versions to mitigate vulnerabilities that malware often targets.
🔒 Security Software is Key: A robust antivirus or endpoint detection and response (EDR) solution can help detect and block the malicious payloads delivered by ClickFix.
Red Canary's 2025 Midyear Report: A Surge in Cloud & Identity Threats!
The latest Threat Detection Report from Red Canary reveals a dramatic 500% increase in threats targeting cloud accounts and identities. Adversaries are evolving, with new cloud-based attack techniques making their way into the top 10 most detected threats for the first time.
Key takeaways:
☁️ Identity is the New Perimeter: A fivefold increase in identity-related detections shows that attackers are increasingly targeting user credentials and cloud accounts to gain initial access.
🛡️ New Cloud Attack Vectors: Watch out for emerging techniques like "Data from Cloud Storage" and "Disable or Modify Cloud Firewall," which are now among the most common threats observed.
🎣 Phishing Smarter, Not Harder: While only 16% of user-reported phishing emails were found to be malicious, adversaries are using sophisticated methods, like leveraging Google Translate, to make their attacks more convincing and bypass traditional security.
💡 Evolving Social Engineering: Threat actors are shifting their tactics, with a noticeable move towards "paste-and-run" schemes (also known as ClickFix or fake CAPTCHA) to trick users into executing malicious code.
🔒 Defense in Depth is Crucial: To counter these evolving threats, organizations must prioritize identity security controls like MFA, manage cloud configurations diligently, and enhance user awareness of advanced phishing techniques.
Attackers Are Hiding in Plain Sight: "Ghost Calls" Exploit Zoom and Teams
A new stealthy tactic dubbed "Ghost Calls" allows attackers to abuse video conferencing platforms like Zoom and Microsoft Teams for command-and-control (C2) operations. By hiding their malicious traffic within the legitimate, encrypted data of these popular applications, threat actors can operate undetected within a compromised network.
Key takeaways:
🔒 Covert C2 Channel: Attackers are leveraging the high volume and encrypted nature of Zoom and Teams traffic to create a hidden channel for sending commands to malware and exfiltrating data.
🚨 Bypassing Security: This technique is designed to bypass traditional network security controls, as the traffic appears to be legitimate video conferencing activity. Many organizations even whitelist this traffic from inspection.
💡 How it Works: The method abuses the TURN (Traversal Using Relays around NAT) protocol used by these platforms to tunnel C2 communications through trusted domains associated with Zoom and Microsoft.
🛡️ Defense-in-Depth: Monitor for unusual patterns in web conferencing traffic, even from trusted applications. A defense-in-depth strategy, including endpoint detection and response (EDR), is crucial for identifying such anomalies.
🌐 Evolving Threat Landscape: This is a prime example of how attackers are constantly innovating and repurposing legitimate tools to achieve their malicious objectives.
Fake WhatsApp Libraries Hide Destructive Data-Wiping Malware
Malicious developer libraries posing as legitimate WhatsApp integration tools have been discovered. These packages contain hidden, destructive code designed to wipe all data from the systems they are installed on.
Key takeaways:
🚨 Threat Alert: Malicious actors are publishing harmful packages to open-source registries, targeting unsuspecting developers.
🔒 Verify Your Sources: Always double-check the authenticity and source of third-party libraries. Be wary of packages with names that mimic popular libraries (typosquatting).
🛡️ Isolate New Code: Before integrating new dependencies, test them in a secure, isolated sandbox environment to detect any malicious behavior.
💡 Destructive Payload: The attack leverages a surprisingly simple batch file (.bat) to execute the data-wiping command, demonstrating that devastating attacks don't always require complex code.
🌐 Supply Chain Risk: This incident is a stark reminder of the growing threat of software supply chain attacks. Scrutinizing every component of your development pipeline is more critical than ever.
Ransomware Gangs Unleash New "EDR Killer" to Blind Security Defenses
A new and sophisticated tool, dubbed "EDR Killer," is being actively used by at least eight different ransomware groups to disable and evade endpoint detection and response (EDR) and antivirus products. This allows the attackers to operate undetected on compromised networks before deploying their ransomware.
Key takeaways:
🚨 Widespread Adoption: This isn't an isolated incident. Major ransomware players like LockBit and Hive are using this tool, indicating a significant shift in attacker tactics.
🛡️ Bypassing Defenses: The tool cleverly uses a legitimate, signed driver to terminate security processes, making its malicious activity appear as normal system behavior.
💡 Precursor to Attack: The EDR Killer is a critical pre-ransomware step. Disabling security tools is one of the final actions an attacker takes before encrypting files, highlighting the importance of early detection.
🌐 Defense in Depth: This threat underscores the need for a multi-layered security approach. Relying solely on EDR is not enough; organizations need a combination of network monitoring, user training, and robust backup strategies.
🔒 Urgent Patching: The tool exploits known vulnerabilities. Keeping systems and security software fully patched and up-to-date is a crucial line of defense.
Top Tips of the Week
Threat Intelligence
Collaborate with threat intelligence vendors. Supplement internal capabilities with external expertise for more comprehensive insights.
Threat Hunting
Stay informed on threat intelligence trends in cyber threat hunting. Knowledge of emerging techniques empowers more effective threat detection.
Automate routine tasks to focus on in-depth analysis. Let automation enhance efficiency in threat hunting processes.
Custom Tooling
Consider user feedback in custom tool iterations. Continuous improvement relies on understanding user experiences and needs.
Consider scalability in custom tool design. Anticipate future growth and ensure your tools can handle increased demands.
Optimize custom tools for resource efficiency. Minimize resource usage while maintaining optimal performance and responsiveness.
Collaborate with legal and compliance teams. Ensure that custom tools adhere to relevant regulations and industry standards.
Feature Article
As a cyber threat intelligence (CTI) analyst, do you ever feel like you’re trying to drink from a firehose? In-depth research papers, breaking news articles, cryptic social media chatter, and dozens of raw, unvetted threat feeds. The key to overcoming this challenge lies in understanding the two fundamental forms of data we deal with every day: structured and unstructured threat intelligence.
This guide will demystify these concepts and provide clarity in the chaos. We’ll explore the narrative power of unstructured intelligence, the automated speed of structured threat intelligence, and why you need both to build a complete and effective defense.
We’ll even provide a simple cheat sheet to help them distinguish between the two and demonstrate how they work together to transform a developing story into a precise, machine-readable alert that your security tools can act on instantly. Let’s dive in!
Feature Course
What Will You Learn?
How to set up your own MISP instance to gather and organize cyber threat intelligence.
Configuring your MISP instance to suit your specific use case.
Automatically ingesting threat data into your MISP instance using open-source threat intelligence feeds.
How to search and filter data in your MISP instance.
Using the MISP API to streamline your workflow.
Extracting Indicators of Compromise (IOCs) from your MISP instance to use with other security tools.
Learning Resources
Email Investigations 101
Ever wondered what goes on behind the scenes when a phishing email lands in your inbox? This video breaks down the crucial role of SOC analysts in email investigations.
Here are the key takeaways:
📧 Email is the #1 attack vector: A staggering 94% of organizations have faced phishing attacks, making email security more critical than ever.
🕵️ SOC analysts are the first line of defense: They monitor, triage, and investigate suspicious emails to protect your organization from threats like BEC and malware.
⚙️ SPF, DKIM, and DMARC are your friends: These email authentication methods are essential for verifying the source of an email and preventing spoofing.
🔎 A proven triage framework is key: A consistent process for investigating suspicious emails is crucial for effective and timely remediation.
This video is for any cyber security analyst who needs to protect their organization from phishing. Give it a watch!
Getting the Most from Cursor AI
How do you use Cursor for AI-assisted programming?
If you want to supercharge your workflow, check out this video! It unveils a slick three-step process using Cursor to build applications faster than ever.
Here are the key takeaways:
🚀 Start with a solid plan: Kick things off with a concise product brief and set up your project with a starter kit to hit the ground running.
🔁 Iterative development is your friend: Plan your features, let the AI generate the code, and then iterate on the plan to refine the output.
🤖 Let AI review your code: Use an automated code review to catch common AI-generated issues, then manually test and use tools like Vibe Scan for a final polish.
Try the workflow showcased in your next vibe coding project to get the most out of your AI-powered coding tools.