EvilBit Threat Digest - A KEV-Heavy Halloween Hangover
KEV-heavy week recap: on-prem exploits (SharePoint, VMware Aria, LANSCOPE), Warlock ransomware, and the need for asset visibility.
Well, it seems CISA’s Known Exploited Vulnerabilities (KEV) catalog had a busy week. Hello again, it’s KryptoKat. For those of us who manage sprawling on-premise infrastructure, the flurry of new additions to the "patch now, or else" list is a familiar, if unwelcome, post-Halloween horror. It’s a stark reminder that even as we chase the latest and greatest threats, the real monsters are often the ones already inside the perimeter, festering on unpatched servers.
UncleSp1d3r here. Couldn't agree more. This week is a beautiful case study in the lifecycle of a vulnerability. We’ve got actively exploited flaws in enterprise gear, fresh analysis of the ransomware that follows, and yet another APT content to just live off the land. It’s the circle of life, but with more webshells.
Let's get into the delightful mess.
This is Why We Can't Have Nice On-Prem Things
The big story this week is the follow-through on the SharePoint "ToolShell" vulnerabilities (CVE-2025-53770 / CVE-2025-53771). While we’ve known these were being exploited, researchers at Hybrid Analysis have now published a deep dive into the Warlock ransomware being deployed by the threat actor Microsoft tracks as Storm-2603. After gaining initial access via the SharePoint flaws, the attackers drop webshells, move laterally, and eventually use Group Policy to deploy Warlock across the enterprise. Microsoft’s own guidance is clear: apply the patches, enable AMSI integration, and rotate your ASP.NET machine keys. This is a full-chain attack—don’t get caught with your farm exposed.
In other "patch your management stack" news, CISA has added CVE-2025-41244 to the KEV catalog. This is a nasty local privilege escalation vulnerability in VMware Aria Operations and VMware Tools. As detailed by NVISO Labs, a local authenticated user on a guest VM can elevate to root by abusing the Service Discovery Management Pack (SDMP). Given that The Hacker News reports China-linked actors are already exploiting it, the clock is ticking. Broadcom has shipped fixes, so update Aria Ops and your VMware Tools. If you can’t patch immediately, disable SDMP.
And to round out the trifecta of enterprise pain, another endpoint management tool is under active exploitation. CISA also added CVE-2025-61932 to the KEV. This is a critical unauthenticated RCE in the on-premise client for Motex's LANSCOPE Endpoint Manager. The vendor has confirmed observing malicious packets in the wild targeting the flaw. Patches are available, and given the target is your endpoint security agent, this is about as urgent as it gets.
APTs & Infostealers: The Classics are Classics for a Reason
The Sandworm crew has been busy in Ukraine again. According to multiple reports citing Symantec, Russian state-aligned actors linked to the group have been breaching Ukrainian government and business entities. Their entry method of choice? Good old-fashioned webshells, including their "LocalOlive" variant. Once inside, it’s all about living off the land—using PowerShell and scheduled tasks for persistence and data gathering. It’s a masterclass in minimizing footprint and blending in with normal administrative activity, and a painful reminder to harden and monitor your internet-facing servers.
On the less-sophisticated but equally effective end of the spectrum, we have a malware family called Pxastealer. As outlined in recent sandbox runs, this stealer arrives via the usual spearphishing links. What’s interesting is the execution chain: it uses long, obfuscated cmd.exe commands to decode payloads with certutil, then masquerades as legitimate processes like svchost.exe—but running from the wrong directory. As Infosecurity Magazine notes, this family often uses the Telegram Bot API for C2 and exfiltration. The techniques aren't novel, but they are effective. Keep an eye out for certutil being used for decoding and system binaries running from unexpected locations.
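To make that hunting advice concrete, here is an added example (not code from the original digest, and not from any of the vendors or researchers it cites) that runs a handful of heuristics over constructed Sysmon-style process-creation events: certutil invoked with a decode switch, a system binary name such as svchost.exe executing from outside its expected directory, a long or caret-heavy cmd.exe one-liner, and a scheduled task created with a PowerShell payload. That last rule reaches back to the Sandworm item above, where scheduled tasks and PowerShell were the persistence method. The field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events, the thresholds, and the expected-directory table are all assumptions made for the example.

```python
import ntpath
import re

# Constructed sample events in Sysmon Event ID 1 style. None of these are real
# telemetry; they exist only to exercise the rules below.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",            # right name, wrong directory
     "CommandLine": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",       # certutil used as a decoder
     "CommandLine": r"certutil -decode C:\Users\Public\stage.txt C:\Users\Public\stage.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",       # legitimate certutil use
     "CommandLine": r"certutil -verify C:\certs\corp-root.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # caret-obfuscated one-liner
     "CommandLine": "cmd.exe /c s^e^t p=p^o^w^e^r^s^h^e^l^l&&call %p% -enc AAAA",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",       # scheduled task running PowerShell
     "CommandLine": 'schtasks /create /tn Updater /tr "powershell -nop -w hidden -enc AAAA" /sc minute /mo 5',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",       # ordinary scheduled task
     "CommandLine": 'schtasks /create /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed expected locations for commonly impersonated Windows binaries. A file
# with one of these names running from anywhere else is the masquerading pattern.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

CERTUTIL_DECODE = re.compile(r"(?i)(^|\s)[-/]decode(hex)?\b")
CARET_THRESHOLD = 5     # assumed heuristic: this many carets is escape-based obfuscation
LENGTH_THRESHOLD = 300  # assumed heuristic: an unusually long cmd.exe one-liner


def analyze(event):
    """Return the list of rule names a single event triggers (empty if clean)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    hits = []

    # certutil.exe with a decode switch: base64/hex payload staging.
    if name == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode")

    # A well-known system binary name launched from an unexpected directory.
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        hits.append("system_binary_unexpected_path")

    # Long or caret-heavy cmd.exe command lines.
    if name == "cmd.exe" and (len(cmd) > LENGTH_THRESHOLD or cmd.count("^") >= CARET_THRESHOLD):
        hits.append("obfuscated_cmd")

    # schtasks creating a task whose action is a PowerShell command.
    low = cmd.lower()
    if name == "schtasks.exe" and "/create" in low and "powershell" in low:
        hits.append("schtasks_powershell_persistence")

    return hits


def scan(events):
    """Map each event index to its rule hits; events with no hits are omitted."""
    return {i: hits for i, event in enumerate(events) if (hits := analyze(event))}


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(rules)}  <- {SAMPLE_EVENTS[index]['CommandLine'][:70]}")
```

Run against the constructed sample, four of the seven events fire (the wrong-path svchost.exe, the certutil decode, the caret-laden cmd.exe line, and the PowerShell scheduled task) while the legitimate svchost, certutil -verify, and plain backup task stay quiet. The thresholds and directory table are deliberately simple; in production you would tune them against your own baseline and pair them with parent-process context, which the events already carry.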
On the Horizon: A Flurry of ZDI Advisories
It was a busy day for the vulnerability brokers at the Zero Day Initiative. They’ve added a slew of pre-disclosure advisories to their "Upcoming" list, giving us all a heads-up on what to prepare for. One to watch is ZDI-CAN-28212, a high-severity (CVSS 8.8) vulnerability in the open-source LLM orchestration tool, Flowise. The vector indicates a remote flaw requiring only low privileges to achieve full C/I/A impact.
Even more curiously, a researcher from Claroty’s Team82 dropped a whole collection of vulnerabilities affecting a vendor named "Algo Solutions," which makes IP-based paging and intercom systems. The reports include ZDI-CAN-28296 (CVSS 8.1, unauthenticated), ZDI-CAN-28300 (CVSS 8.1, unauthenticated), and several others. Details are nil, but the high scores and network-accessible vectors suggest these public address systems might soon have some uninvited voices. The patch deadline for all of these is late February 2026, so you have time. Start with asset inventory. Do you even have any Algo devices on your network? You have until February to find out.
It’s easy to get lost in the weeds of specific vulnerabilities, but the bigger picture this week is about visibility and control. Whether it's unknown assets on your network, unpatched management servers, or users pasting commands into a terminal, you can't defend what you don't know you have. Time to double-check those inventory lists.
— KryptoKat & UncleSp1d3r