EvilBit Threat Digest - This Week in Security: Burning Platforms and Broken Trust

Fortinet and Cisco zero-days, React RCE, Kimwolf botnet, Node.js malware, parked domain abuse, NuGet typosquat, and new Nessus plugins.

KryptoKat here. Some weeks feel like a slow burn. This was not one of them. The theme this week was critical trust, critically broken. We saw foundational web frameworks, widely deployed security appliances, and the quiet corners of the internet--like parked domains and package managers--all turned into weapons. When the tools you rely on for development and defense become the vector, it’s a sharp reminder that vigilance can’t be automated away. Let’s get into it.


When the Walls Have Ears (And Backdoors)

It was a particularly brutal week for the folks running the perimeter. Security appliances are supposed to be the hard shell, but this week they were the soft target. If you’re running Fortinet or Cisco gear, stop reading and go patch.

First, Fortinet pushed a critical update for a FortiCloud SSO signature verification bypass. Tracked as CVE-2025-59718 and CVE-2025-59719, this one’s as bad as it sounds. As Arctic Wolf observed, attackers are actively exploiting it to forge SAML assertions, gain administrative access, and dump device configurations. The immediate mitigation is simple: disable FortiCloud SSO login functionality until you can get the patch rolled out. The vendor has a full list of affected products and fixed versions. Don’t wait for the change control meeting on this one.

Not to be outdone, Cisco disclosed that a China-nexus threat actor (UAT-9686) is actively exploiting a zero-day in its Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA) appliances. Talos is tracking the vulnerability as CVE-2025-20393. The attackers are deploying a nasty Python-based toolkit, including a backdoor called AquaShell, the AquaTunnel tunneling tool, and a log-wiper to cover their tracks. According to Cisco Talos, the campaign has been active since at least late November. Given that these are email security gateways, the potential for data exposure and lateral movement is significant. Cisco has issued guidance, so check the advisory and get to hunting.

Frameworks on Fire

UncleSp1d3r here. Just when you thought it was safe to npm install, the whole world of React decided to spontaneously combust. A critical Remote Code Execution vulnerability in React Server Components, dubbed "React2Shell" (CVE-2025-55182), dropped with a perfect 10.0 CVSS score. This isn't some theoretical flaw; it’s an unauthenticated RCE that’s trivial to exploit. If your server accepts requests to a Server Function endpoint, an attacker can send a specially crafted payload and get a shell. We've talked about it a few times this last week, but I'm highlighting it again since it's still an ongoing issue.

As expected, the internet’s finest are already all over it. Bitsight reports that multiple threat groups, from cryptominers to more sophisticated actors, began mass-scanning and exploitation within hours of the disclosure. If you’re running a vulnerable version of Next.js or other frameworks using React Server Components, you are the target. The official React blog has the patch details. Your WAF might buy you some time if you can block requests with funky base64-encoded payloads heading for your RSC endpoints, but patching is the only real fix. Fun times for anyone managing a JavaScript front-end.

The New Wave of Malware

KryptoKat: Beyond the big appliance and framework fires, we saw some fascinating evolution in malware delivery and design. Researchers at QiAnXin X Lab uncovered a massive Android botnet they’re calling Kimwolf. This thing has quietly infected over 1.8 million devices, mostly TV set-top boxes, turning them into a distributed platform for DDoS attacks and proxy services. What stands out is its resilience. The botnet uses DNS-over-TLS (DoT) and the Ethereum Name Service (ENS) for its command-and-control infrastructure, making it much harder to sinkhole or take down. It’s a clever use of modern protocols to solve an old bot-herder problem.

UncleSp1d3r: And for something completely different, Check Point Research did a deep dive on a loader called GachiLoader. I have a soft spot for weird implementation choices, and writing malware loaders in Node.js is definitely one of them. By leveraging the Node.js runtime, the authors managed to build something that flies under the radar of traditional PE-based static analysis. It uses a novel process injection technique the researchers dubbed "Vectored Overloading" to deliver infostealers like Rhadamanthys. The best part? Check Point released an open-source tool, Node.js Tracer, to help analysts trace API calls and deobfuscate this kind of threat. It’s always nice when the good guys share their toys.

Supply Chain and Shady Neighbors

KryptoKat: The theme of abusing trusted systems continued right down the stack. Infoblox published some compelling research on how the seemingly harmless world of parked domains has become a superhighway for scams and malware. Threat actors are using traffic distribution systems (TDS) and affiliate networks to funnel users who land on parked or typosquatted domains through a series of redirects that end in phishing pages or malware downloads. They use cloaking and fingerprinting to show benign content to scanners and security tools, making the problem incredibly hard to see from the outside. It’s a good reminder that DNS-layer security and aggressive filtering of typo domains aren't just nice-to-haves.
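
As an added illustration of the "filter typo domains at the DNS layer" point above (this is example code, not Infoblox's tooling or anything from the research), the script below applies an edit-distance check to resolver log lines and flags queries whose registrable domain is one keystroke away from a domain you protect. The protected domains, log format and client addresses are constructed placeholders; a real deployment would use the public suffix list instead of the naive "last two labels" rule.

```python
"""Flag resolver queries that look like typos of protected domains.

Added example for the digest's DNS-filtering point; not part of the
original article or any vendor product. PROTECTED and SAMPLE_LOG are
constructed for illustration.
"""

# Domains whose lookalikes we want to catch (constructed placeholders).
PROTECTED = {"example.com", "example.net"}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 www.example.com A
2025-12-01T10:00:02Z 10.0.0.7 exampel.com A
2025-12-01T10:00:03Z 10.0.0.9 github.com A
2025-12-01T10:00:04Z 10.0.0.5 examp1e.com A
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions.

    Transpositions matter because 'exampel' vs 'example' is a single slip
    of the fingers, not two substitutions.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def registrable(qname: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname.lower()


def is_typo_domain(qname: str, protected=PROTECTED, max_distance: int = 1):
    """Return the protected domain this query resembles, or None.

    Exact matches (and their subdomains) are legitimate and never flagged.
    """
    reg = registrable(qname)
    if reg in protected:
        return None
    for good in protected:
        if osa_distance(reg, good) <= max_distance:
            return good
    return None


def flag_queries(log_text: str, protected=PROTECTED):
    """Return (client, qname, matched_protected_domain) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash the pipeline
        client, qname = fields[1], fields[2]
        match = is_typo_domain(qname, protected)
        if match:
            hits.append((client, qname, match))
    return hits


if __name__ == "__main__":
    for client, qname, match in flag_queries(SAMPLE_LOG):
        print(f"{client} queried {qname}, which resembles protected {match}")
```

A distance of 1 keeps false positives low; raising it catches more creative typosquats but will start matching unrelated short domains, so tune it per brand length and review hits before blocking.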

UncleSp1d3r: Speaking of typos, the .NET ecosystem got a nasty surprise this week. A malicious NuGet package named Tracer.Fody.NLog was found impersonating the popular Tracer.Fody library. The typosquatted version contains code that diligently searches developer machines for Stratis cryptocurrency wallet files (*.wallet.json). If it finds one, it scrapes the wallet and any passwords it can find in memory, then exfiltrates the data to a hardcoded IP. This thing has been on the registry for years, racking up downloads. If you’re a .NET dev, go check your dependencies. Right now. It appears to have been pulled from the registry as of the time of publication, but anything already restored into your projects is still there. It’s another reminder that your supply chain is only as strong as the laziest Install-Package command on your team.
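
For the "go check your dependencies" step, here is an added example (not from the digest, Tenable, or the Tracer.Fody project) that walks a .NET source tree and reports any manifest that references the package name from the story. It reads PackageReference items in .csproj/.props/.targets files, packages.config entries, and the dependencies section of packages.lock.json. The sample manifests and version numbers are constructed for illustration.

```python
"""Report .NET manifests that reference a blocklisted NuGet package.

Added example, not part of the original article. The blocklist holds the
typosquat name the digest reports; the legitimate library is Tracer.Fody.
SAMPLE_MANIFESTS below is constructed test data.
"""
import json
import os
import xml.etree.ElementTree as ET

# Package ids are case-insensitive on NuGet, so compare lowercased.
BLOCKLIST = {"tracer.fody.nlog"}

# Constructed manifests: one clean, two referencing the typosquat.
SAMPLE_MANIFESTS = {
    "src/App/App.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Tracer.Fody" Version="3.4.0" />
    <PackageReference Include="Tracer.Fody.NLog" Version="1.0.0" />
  </ItemGroup>
</Project>""",
    "src/Legacy/packages.config": """<packages>
  <package id="NLog" version="5.0.0" targetFramework="net48" />
</packages>""",
    "src/App/packages.lock.json": json.dumps({
        "version": 1,
        "dependencies": {
            "net8.0": {
                "Tracer.Fody.NLog": {"type": "Direct", "requested": "[1.0.0, )",
                                     "resolved": "1.0.0"}
            }
        }
    }),
}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so old-style MSBuild files match too."""
    return tag.split("}")[-1]


def packages_in_manifest(name: str, text: str) -> list[str]:
    """Return the package ids declared in one manifest, chosen by file type."""
    lower = name.lower()
    if lower.endswith((".csproj", ".props", ".targets")):
        root = ET.fromstring(text)
        return [el.attrib.get("Include") or el.attrib.get("Update") or ""
                for el in root.iter() if _local(el.tag) == "PackageReference"]
    if lower.endswith("packages.config"):
        root = ET.fromstring(text)
        return [el.attrib.get("id", "")
                for el in root.iter() if _local(el.tag) == "package"]
    if lower.endswith("packages.lock.json"):
        data = json.loads(text)
        ids: list[str] = []
        # The lock file groups resolved packages per target framework.
        for framework_deps in data.get("dependencies", {}).values():
            ids.extend(framework_deps.keys())
        return ids
    return []


def find_blocklisted(manifests: dict[str, str], blocklist=BLOCKLIST):
    """Return (manifest_path, package_id) for every blocklisted reference."""
    hits = []
    for name, text in manifests.items():
        for pkg in packages_in_manifest(name, text):
            if pkg.lower() in blocklist:
                hits.append((name, pkg))
    return hits


def scan_tree(root_dir: str, blocklist=BLOCKLIST):
    """Collect every manifest under root_dir and scan it."""
    manifests = {}
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            if fname.endswith((".csproj", ".props", ".targets")) or \
                    fname in ("packages.config", "packages.lock.json"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8") as fh:
                    manifests[path] = fh.read()
    return find_blocklisted(manifests, blocklist)


if __name__ == "__main__":
    for path, pkg in find_blocklisted(SAMPLE_MANIFESTS):
        print(f"{path}: references {pkg}")
```

Run `scan_tree(".")` from a repository root to check real projects; a lock-file hit matters even when no .csproj names the package directly, because that is where transitive pulls land.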


KryptoKat: It feels like we say this every week, but check your logs, apply your patches, and maybe think twice before plugging anything new into the network. Or the build pipeline. Or the cloud. Maybe just go read a book printed on paper this weekend.

Stay safe out there.

-UncleSp1d3r & KryptoKat


Nessus Plugin Roundup

For the vulnerability management crews, Tenable released a batch of new Nessus plugins. Key detections added this week cover vulnerabilities in:

  • Git LFS
  • Node.js
  • Binutils
  • libpng
  • Apache Tomcat
  • PHP
  • The Linux kernel

These updates apply to multiple Linux distributions including Rocky Linux, Photon OS, Oracle Linux, SUSE, and Fedora. Check the full list from Tenable for details.