EvilBit Threat Digest - The Deserialization Blues

Critical RCE flaws in Sitecore, HPE OneView, and Magento face active exploitation. Plus: OAuth phishing tricks, RMM tool abuse, and new cloud-native Linux malware.

Another week, another set of serious vulnerabilities in stuff that really shouldn't be online, but somehow is. It feels like we're stuck in a time loop where the message is always "patch your edge infrastructure," and yet here we are again. This week, we saw active exploitation of huge gaps in enterprise content management, data center orchestration, and e-commerce platforms, all thanks to our old buddy, insecure deserialization.

Meanwhile, the malware teams have been busy fine-tuning their initial access strategies, from sneaky OAuth tricks to hiding RATs in everyday things you click. Let's dive in!


Critical Bugs on the Edge

UncleSp1d3r: This week hit hard, showing us how one tiny flaw in a public app can mess up a whole security program. We're keeping an eye on three big remote code execution (RCE) vulnerabilities that are being actively and widely exploited.

First up is a nasty ViewState deserialization vulnerability in Sitecore products (CVE-2025-53690). Cisco Talos and Google/Mandiant both dropped detailed reports on a China-nexus group they track as UAT-8837, which has been using this bug to hit critical infrastructure in North America. After popping the box, the actor deploys a mix of custom and open-source tooling for reconnaissance and lateral movement, including WEEPSTEEL, EARTHWORM, SharpHound, and DWAgent. The initial vector is unauthenticated RCE, and the goal is full-domain compromise. Sitecore has a patch, and if you're running it, this is an all-hands-on-deck, patch-or-pull-it-offline situation.
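Forging a ViewState that the server will happily deserialize means getting past its MAC check first, so the thing to audit on any ASP.NET app, Sitecore included, is the machineKey and ViewState configuration. The script below is an added example written for this digest, not Sitecore's code and not tied to the specifics of CVE-2025-53690: it parses a web.config and flags explicit keys that match a list of known-public values, disabled ViewState MAC, unencrypted ViewState, and legacy validation algorithms. Both sample configs and the KNOWN_PUBLIC_KEYS set are constructed placeholders; fill the set from your own inventory of keys that have ever appeared in docs, tickets or repos.

```python
"""
Audit an ASP.NET web.config for settings that make ViewState forgery easy.
Added example for this digest (not Sitecore code); checks general ASP.NET
settings rather than any one advisory.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

# Hypothetical placeholder set: key values known to be public (copied from
# documentation, sample configs, pasted into tickets). Populate from your own records.
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    mk = web.find("machineKey") if web is not None else None
    pages = web.find("pages") if web is not None else None

    if mk is None:
        findings.append("no explicit <machineKey>: keys auto-generate per machine "
                        "(fine on a single box, breaks MAC validation across a farm)")
    else:
        for name in ("validationKey", "decryptionKey"):
            val = mk.get(name, "AutoGenerate,IsolateApps")
            if val.startswith("AutoGenerate"):
                continue
            if val.upper() in KNOWN_PUBLIC_KEYS:
                findings.append(f"{name} matches a known public/sample key: rotate immediately")
            elif re.fullmatch(r"[0-9A-Fa-f]+", val) is None:
                findings.append(f"{name} is not a hex string; confirm it was generated, not typed")
            elif len(set(val.upper())) <= 4:
                findings.append(f"{name} has very low character diversity; likely a placeholder")
        # .NET 4.5+ defaults to HMACSHA256 when the attribute is absent.
        validation = mk.get("validation", "HMACSHA256")
        if validation.upper() in {"SHA1", "MD5", "3DES"}:
            findings.append(f"validation={validation}: use HMACSHA256 or stronger")

    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is deserialized without any MAC check")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("viewStateEncryptionMode=Never: serialized ViewState is readable by anyone")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_web_config(cfg) or "no findings")
```

Run it against the real web.config of every server in a farm: the keys must match across the farm, so a key that leaked once has to be rotated everywhere at the same time.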

Not to be outdone, Hewlett Packard Enterprise is dealing with a CVSS 10.0 unauthenticated RCE in its OneView infrastructure management platform. The bug sits in the id-pools REST API endpoint and is trivial to exploit. Given that OneView is the god-box for entire data centers, a compromise here is about as bad as it gets, which is why CISA added it to its Known Exploited Vulnerabilities (KEV) catalog. HPE has a hotfix and an update to version 11.00 available.

Finally, for the e-commerce world, researchers at Sansec are tracking mass exploitation of "SessionReaper" (CVE-2025-54236), a critical RCE in Adobe Commerce and Magento. Attackers are abusing the REST API to upload malicious session files, leading to account takeovers and the deployment of PHP web shells. Sansec reported that exploitation began around October 2025 and that a majority of stores were still vulnerable. If you're running Magento, stop what you're doing and apply Adobe's emergency patch.

New Twists on Initial Access

KryptoKat: While attackers were busy pounding on unpatched servers, they were also getting better at sweet-talking their way in. We spotted some clever techniques popping up this week that are definitely worth watching.

Researchers at PushSecurity detailed a novel phishing attack they've dubbed "ConsentFix" that abuses legitimate OAuth 2.0 flows in Microsoft Entra ID. The attack tricks a user into initiating an OAuth flow for a legitimate first-party Microsoft app, like the Azure CLI. The user is presented with a real Microsoft login page, but the final authorization code, which is meant to be sent to a local web server on the user's machine, is instead displayed in the browser's address bar on an error page because nothing is listening on localhost. The phishing site then convinces the user to copy and paste this code into the attacker's site. Because the Azure CLI is a public client, the code alone, with no client secret, lets the attacker redeem it for privileged access tokens. Conditional Access policies and device compliance checks are satisfied along the way, since the interactive sign-in really did happen in the victim's browser on the victim's compliant device. It's a slick bit of social engineering that turns a legitimate process on its head.
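The tell in the logs is the split: the interactive browser sign-in to the Azure CLI comes from the victim's machine, while the token that the stolen code turns into is minted for a request from somewhere else. The heuristic below is an added example for this digest, not PushSecurity's detection logic. It assumes a simplified, Entra-sign-in-like record shape (time, user, appId, isInteractive, ip, clientApp); the sample records are constructed, and the only real constant is the well-known Azure CLI application ID.

```python
"""
Heuristic for ConsentFix-style authorization-code theft: an interactive browser
sign-in to a public client, followed within minutes by the first non-interactive
token activity for the same user and app from a different IP address.
Added example for this digest; record shape is an assumption, records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known first-party Azure CLI application (client) ID; a public client, no secret needed.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

SAMPLE_LOG = [  # constructed records, not real telemetry
    {"time": "2025-12-01T10:00:00Z", "user": "alice@example.com", "appId": AZURE_CLI_APP_ID,
     "isInteractive": True, "ip": "203.0.113.10", "clientApp": "Browser"},
    # the code redeemed 40 s later from an unrelated address: the ConsentFix pattern
    {"time": "2025-12-01T10:00:40Z", "user": "alice@example.com", "appId": AZURE_CLI_APP_ID,
     "isInteractive": False, "ip": "198.51.100.77", "clientApp": "Mobile Apps and Desktop clients"},
    # a normal `az login`: browser sign-in and token request from the same machine
    {"time": "2025-12-01T11:00:00Z", "user": "bob@example.com", "appId": AZURE_CLI_APP_ID,
     "isInteractive": True, "ip": "203.0.113.20", "clientApp": "Browser"},
    {"time": "2025-12-01T11:00:05Z", "user": "bob@example.com", "appId": AZURE_CLI_APP_ID,
     "isInteractive": False, "ip": "203.0.113.20", "clientApp": "Mobile Apps and Desktop clients"},
]

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_split_code_redemptions(records, window=timedelta(minutes=10), app_id=AZURE_CLI_APP_ID):
    """Return (user, browser_ip, redeem_ip, seconds_between) for each suspicious pair.
    Only the first non-interactive event after the browser sign-in is considered,
    since that is the one the authorization code itself produces."""
    by_user = defaultdict(list)
    for r in records:
        if r["appId"] == app_id:
            by_user[r["user"]].append(r)

    hits = []
    for user, rs in by_user.items():
        rs.sort(key=lambda r: _ts(r["time"]))
        for i, r in enumerate(rs):
            if not (r["isInteractive"] and r["clientApp"] == "Browser"):
                continue
            t0 = _ts(r["time"])
            for nxt in rs[i + 1:]:
                dt = _ts(nxt["time"]) - t0
                if dt > window:
                    break
                if nxt["isInteractive"]:
                    continue
                if nxt["ip"] != r["ip"]:
                    hits.append((user, r["ip"], nxt["ip"], int(dt.total_seconds())))
                break
    return hits

if __name__ == "__main__":
    for user, src, dst, secs in find_split_code_redemptions(SAMPLE_LOG):
        print(f"[!] {user}: browser sign-in from {src}, token request from {dst} {secs}s later")
```

Expect false positives from VPN and mobile-network flips between the two requests; corroborate with device ID, ASN and whether the user actually runs the Azure CLI at all before paging anyone.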

In less subtle news, multiple threat actors are weaponizing PDF attachments that contain links to legitimate Remote Monitoring and Management (RMM) tools such as Syncro, ScreenConnect, and NinjaOne. As reported by WithSecure and AhnLab, attackers send phishing emails luring users with fake invoices, tricking them into clicking a link that downloads a signed RMM installer. Because the tools are legitimate, they often bypass endpoint security, giving attackers persistent remote access for follow-on attacks that frequently lead to ransomware. It's a simple but effective technique that exploits trust in signed software.
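Since the binary is genuinely signed, the detection has to key on context rather than on the file: an RMM agent installer running out of a user's Downloads or Temp folder with a browser, PDF reader or mail client as its parent is not how IT deploys these tools. The rule below is an added example for this digest, not WithSecure's or AhnLab's detection content; it assumes Sysmon-style process-creation fields (Image, ParentImage, OriginalFileName) and the sample events are constructed.

```python
"""
Flag RMM installers launched from user-writable locations by a lure-capable parent.
Added example for this digest; field names follow Sysmon Event ID 1 as an
assumption, and the events below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Filename hints for the tools named in the reporting; extend with what your org uses.
RMM_IMAGE_PATTERNS = [r"screenconnect", r"connectwise", r"syncro", r"ninja(one|rmm)?agent"]

# Parents that indicate a user clicked something, rather than a deployment tool.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe",
                "acrobat.exe", "outlook.exe", "explorer.exe"}

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Users\alice\Downloads\Invoice_8812.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe", "Signed": "true"},
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe", "Signed": "true"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\NinjaOneAgent-setup.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "OriginalFileName": "NinjaRMMAgent.exe", "Signed": "true"},
    {"Image": r"C:\Users\carol\Downloads\report.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "report.exe", "Signed": "false"},
]

def is_rmm(event: dict) -> bool:
    # Match on the embedded original filename too: the lure renames the installer.
    hay = (event["Image"] + " " + event.get("OriginalFileName", "")).lower()
    return any(re.search(p, hay) for p in RMM_IMAGE_PATTERNS)

def suspicious_rmm_installs(events):
    """Return events where an RMM binary runs from a user-writable directory with a
    browser/reader/mail/explorer parent. Signed binaries are deliberately NOT
    exempted: the whole technique relies on the signature being valid."""
    hits = []
    for e in events:
        if not is_rmm(e) or not USER_WRITABLE.search(e["Image"]):
            continue
        parent = PureWindowsPath(e["ParentImage"]).name.lower()
        if parent in LURE_PARENTS:
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in suspicious_rmm_installs(SAMPLE_EVENTS):
        print(f"[!] {e['Image']} (orig {e['OriginalFileName']}) spawned by {e['ParentImage']}")
```

The service-hosted ScreenConnect process in the second event is left alone on purpose: that is what a sanctioned install looks like once it is running, and alerting on it would only train people to ignore the rule.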

And for the developer-focused threat, researchers at Red Asgard published a deep dive into the C2 infrastructure used by the Lazarus Group in its "Contagious Interview" campaign. The North Korean APT group targets developers by deploying malicious code repositories on freelance sites. The infection vector is particularly nasty: simply opening the malicious project in Visual Studio Code can be enough to trigger auto-executing tasks, leading to the deployment of malware that steals browser credentials and crypto wallets and installs miners. It's a potent reminder to treat all third-party code with extreme prejudice, even inside the IDE.
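VS Code's own mechanism for "runs when you open the folder" is a task in .vscode/tasks.json with runOptions.runOn set to folderOpen, and tasks.json is JSONC, so comments and trailing commas hide in it happily. The scanner below is an added example for this digest, not code from the researchers or from VS Code: run it over a freshly cloned project before opening the folder, and it lists every auto-run task with the command it would execute. The sample tasks.json is constructed to show the pattern, not taken from any real campaign.

```python
"""
List VS Code tasks configured to run on folder open, before the folder is opened.
Added example for this digest; the sample tasks.json is constructed.
"""
import json
import re
import sys
from pathlib import Path

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escape pairs intact
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j          # keep the newline itself
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",\s*([\]}])", r"\1", "".join(out))

def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return tasks whose runOptions.runOn == "folderOpen", with the command they run."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for t in doc.get("tasks", []):
        if (t.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(t.get("command", "")), *map(str, t.get("args") or [])]).strip()
            hits.append({"label": t.get("label", "?"), "type": t.get("type", "?"), "command": cmd})
    return hits

def scan_repo(root: str) -> list[dict]:
    """Walk a checkout and report auto-run tasks in every .vscode/tasks.json found."""
    findings = []
    for p in Path(root).rglob(".vscode/tasks.json"):
        for h in auto_run_tasks(p.read_text(encoding="utf-8", errors="replace")):
            findings.append({"file": str(p), **h})
    return findings

# Constructed sample modelled on the pattern described above, not a real campaign file.
SAMPLE_TASKS_JSON = """{
  // "harmless" build helper
  "version": "2.0.0",
  "tasks": [
    { "label": "setup", "type": "shell",
      "command": "node", "args": ["./.config/bootstrap.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }, /* hide the terminal */
    },
    { "label": "build", "type": "shell", "command": "npm run build" },
  ]
}"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_repo(sys.argv[1]):
            print(f"[!] {f['file']}: task '{f['label']}' runs on folder open: {f['command']}")
    else:
        print(auto_run_tasks(SAMPLE_TASKS_JSON))
```

Recent VS Code versions gate this behind the workspace-trust prompt, but the whole campaign is built on a candidate clicking "trust" on a project they were just asked to evaluate, so reading the task list first is cheaper than relying on the prompt. The same check belongs in CI for any repo that accepts external contributions.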

Malware Roundup: From the Cloud to the Command Line

It was a busy week for malware analysts, with new frameworks, loaders, and botnets making headlines.

Check Point Research unveiled "VoidLink," a stealthy, cloud-native malware framework for Linux. This isn't your average script-kiddie rootkit. VoidLink is a modular framework with over 30 plugins, in-memory execution capabilities, and even kernel-level components. It's designed to be cloud-aware, fingerprinting environments like AWS, GCP, and Azure, and adapting its behavior for containers and Kubernetes. While there are no confirmed active infections at the time of disclosure, VoidLink represents a significant step up in tooling for attackers targeting modern cloud infrastructure.

On the Windows side, multiple firms have been tracking CastleLoader, a stealthy, multi-stage loader targeting U.S. government entities. The infection chain often starts with social engineering, leading to a loader that uses process hollowing to execute its payload entirely in memory. It's been seen dropping a variety of info-stealers and RATs, including StealC and RedLine. ANY.RUN's analysis provides an excellent technical deep dive and a comprehensive set of IOCs.

Researchers from Infoblox and KrebsOnSecurity also detailed the Kimwolf botnet, which has reportedly infected over 2 million Android devices. The operators abuse residential proxy services to find and compromise Android TV boxes and other IoT devices with the Android Debug Bridge (ADB) port exposed. Once compromised, the devices are used to launch DDoS attacks and expand the proxy network. What's particularly concerning for enterprises is that Infoblox telemetry showed that nearly 25% of their customers had devices on their internal networks making DNS queries for Kimwolf domains, indicating the widespread presence of these proxy endpoints inside corporate environments.
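The Kimwolf operators found those boxes by scanning for an open ADB port through residential proxies; the defender's equivalent is to scan your own address space the same way and see which devices answer without asking for a key. The probe below is an added example for this digest, not Infoblox, Krebs or Kimwolf code. It speaks the public ADB wire protocol (a 24-byte header of six little-endian uint32s followed by the payload), sends the CNXN handshake that any client starts with, and classifies the reply: a CNXN back means shell access with no authentication, AUTH means the device wants an RSA key. The "device banner" in the test is constructed.

```python
"""
Probe TCP/5555 for ADB and report whether the device accepts unauthenticated clients.
Added example for this digest; only the ADB message format is real, sample replies
in the test are constructed. Scan networks you own.
"""
import socket
import struct
import sys

A_CNXN = 0x4E584E43       # "CNXN": connect / connection accepted
A_AUTH = 0x48545541       # "AUTH": device requires key authentication
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HDR = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic

def build_message(cmd: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """ADB message: data_check is the byte sum of the payload, magic is cmd XOR 0xFFFFFFFF."""
    return HDR.pack(cmd, arg0, arg1, len(data), sum(data) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF) + data

def connect_message() -> bytes:
    """The handshake every adb client sends first: CNXN with a "host::" banner."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")

def parse_message(buf: bytes):
    """Return (cmd, arg0, arg1, data) or None if buf is not a well-formed ADB message."""
    if len(buf) < HDR.size:
        return None
    cmd, a0, a1, dlen, check, magic = HDR.unpack_from(buf)
    if magic != (cmd ^ 0xFFFFFFFF):
        return None
    data = buf[HDR.size:HDR.size + dlen]
    if len(data) != dlen or (sum(data) & 0xFFFFFFFF) != check:
        return None
    return cmd, a0, a1, data

def classify(reply: bytes) -> str:
    """'open:<banner>' = unauthenticated access; 'auth' = key required; 'unknown' otherwise."""
    m = parse_message(reply)
    if m is None:
        return "unknown"
    cmd, _, _, data = m
    if cmd == A_CNXN:
        return "open:" + data.split(b"\x00", 1)[0].decode("ascii", "replace")
    if cmd == A_AUTH:
        return "auth"
    return "unknown"

def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Connect, send CNXN, read one full reply message and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(connect_message())
            buf = b""
            while True:                     # read until header + declared payload are in
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
                if len(buf) >= HDR.size and len(buf) >= HDR.size + HDR.unpack_from(buf)[3]:
                    break
            return classify(buf)
    except OSError as e:                    # refused, timed out, unreachable
        return f"closed:{type(e).__name__}"

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Anything that comes back "open" is a device any peer on that network segment can shell into; TV boxes and similar IoT gear rarely have a good reason to expose ADB over the network at all, so the fix is turning it off (or isolating the device) rather than tuning the scan.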

Finally, we saw continued reporting on several active campaigns, including:

A Win for the Blue Team

KryptoKat: In welcome news, Microsoft's Digital Crimes Unit announced the disruption of RedVDS, a criminal-focused virtual desktop service. The service, operated by a group Microsoft tracks as Storm-2470, provided the infrastructure for mass phishing, BEC, and payment fraud operations that resulted in an estimated $40 million in losses in the U.S. alone. Microsoft, in coordination with Europol and German authorities, seized infrastructure and took the marketplace offline. The investigation revealed a fascinating bit of operational security failure: the entire service was run from a single, cloned Windows Server 2022 image with the hostname WIN-BUNS25TD77J. A great reminder that even cybercriminals make mistakes.


This week, the prominent theme is attackers taking the easiest route. Whether it's an unpatched Sitecore server, a user duped into installing an RMM tool, or a misconfigured Android TV box, bad guys will always find the most straightforward way in. Keep your systems updated, stay cautious, and maybe take a moment to double-check those firewall rules on your data center management interfaces.

-- KryptoKat & UncleSp1d3r