-
Honeypot: FortiWeb CVE-2025-64446 Exploits, (Sat, Nov 15th)
Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots. These are POST requests to this path: With this User Agent String: And this is the data of the POST request: This creates a new admin user (profile: prof_admin). You can find this JSON data back in this PoC. Didier Stevens…
-
Microsoft Office Russian Dolls, (Fri, Nov 14th)
You probably know what are the Russian or Matryoshka dolls. It’s a set of wooden dolls of decreasing size placed one inside another[1]. I found an interesting Microsoft Office document that behaves like this. There was a big decrease in malicious Office documents due to the new Microsoft rules to prevent automatic VBA macros execution. But they remain used, especially RTF…
-
ISC Stormcast For Friday, November 14th, 2025 https://isc.sans.edu/podcastdetail/9700, (Fri, Nov 14th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
Formbook Delivered Through Multiple Scripts, (Thu, Nov 13th)
When I’m teachning FOR610[1], I always say to my students that reverse engineering does not only apply to “executable files” (read: PE or ELF files). Most of the time, the infection path involves many stages to defeat the Security Analyst or security controls. Here is an example that I found yesterday. An email was received…
-
ISC Stormcast For Thursday, November 13th, 2025 https://isc.sans.edu/podcastdetail/9698, (Thu, Nov 13th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
SmartApeSG campaign uses ClickFix page to push NetSupport RAT, (Wed, Nov 12th)
Introduction This diary describes a NetSupport RAT infection I generated in my lab from the SmartApeSG campaign that used a ClickFix-style fake CAPTCHA page. Known as ZPHP or HANEYMANEY, SmartApeSG is a campaign reported as early as June 2024. When it started, this campaign used fake browser update pages. But it currently uses the ClickFix method of fake…
-
ISC Stormcast For Wednesday, November 12th, 2025 https://isc.sans.edu/podcastdetail/9696, (Wed, Nov 12th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
Microsoft Patch Tuesday for November 2025, (Tue, Nov 11th)
Today’s Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical. Notable Vulnerabilities: %%cve:2025-62215%%: This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more…
-
ISC Stormcast For Tuesday, November 11th, 2025 https://isc.sans.edu/podcastdetail/9694, (Tue, Nov 11th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
It isn’t always defaults: Scans for 3CX usernames, (Mon, Nov 10th)
Today, I noticed scans using the username “FTP_3cx” showing up in our logs. 3CX is a well-known maker of business phone system software [1]. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to…
