Weekly Summary Cyberattacks Aug 28-Sept 03
RapperBot: From Infection to DDoS in a Split Second
New details have emerged on the RapperBot botnet. This Mirai-like malware turns vulnerable IoT devices, such as Network Video Recorders (NVRs), into tools for scanning and launching massive DDoS attacks. The campaign was first noticed when an infected NVR displayed a suspicious "upgrade" message before suddenly flooding the network with UDP packets aimed at port 80 and scanning the Internet for open Telnet services on port 23. Further investigation revealed that the malware infiltrates devices through a targeted exploitation chain: a path traversal flaw in the device's web server leaks administrator credentials, after which the attacker connects to the device's management port (TCP 34567) and pushes a fake firmware update. This update mounts a remote NFS share to execute malicious binaries, a method chosen because the NVR firmware lacks common download utilities such as curl and wget. After execution the malware deletes itself from disk and runs only in memory, relying on continuous reinfection to persist.
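The chain above leaves a recognisable network footprint on the NVR itself: an inbound connection to TCP 34567, an outbound NFS mount, then a UDP/80 flood and Telnet scanning. The following detection sketch is an added example, not code from the original report; it runs over constructed flow records, and the NFS port (2049) and the flood/scan thresholds are assumptions to be tuned per environment.

```python
from collections import Counter, defaultdict

NVR_MGMT_PORT = 34567   # management port named in the summary
NFS_PORT = 2049         # assumption: the remote share is served on the default NFS port
FLOOD_THRESHOLD = 50    # UDP/80 packets from one host in the window (tuning assumption)
SCAN_THRESHOLD = 20     # distinct TCP/23 targets from one host (tuning assumption)

def classify_flows(flows):
    """Map host -> set of indicators; each flow is (src, dst, proto, dport), proto 'tcp'/'udp'."""
    inbound_mgmt, nfs_out = set(), set()
    udp80, telnet_targets = Counter(), defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == NVR_MGMT_PORT:
            inbound_mgmt.add(dst)           # fake firmware update pushed to the device
        elif proto == "tcp" and dport == NFS_PORT:
            nfs_out.add(src)                # device mounting a remote share for the payload
        elif proto == "udp" and dport == 80:
            udp80[src] += 1                 # UDP flood aimed at port 80
        elif proto == "tcp" and dport == 23:
            telnet_targets[src].add(dst)    # scanning for open Telnet services
    findings = defaultdict(set)
    for h in inbound_mgmt:
        findings[h].add("mgmt_port_34567_inbound")
    for h in nfs_out:
        findings[h].add("nfs_mount_outbound")
    for h, n in udp80.items():
        if n >= FLOOD_THRESHOLD:
            findings[h].add("udp80_flood")
    for h, targets in telnet_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[h].add("telnet_scan")
    return dict(findings)

def full_chain_hosts(flows):
    """Hosts showing every stage: the strongest signal of an in-memory RapperBot infection."""
    stages = {"mgmt_port_34567_inbound", "nfs_mount_outbound", "udp80_flood", "telnet_scan"}
    return sorted(h for h, inds in classify_flows(flows).items() if stages <= inds)

# Constructed sample: NVR 10.0.0.20 goes through the whole chain; 10.0.0.30 is a normal host.
SAMPLE_FLOWS = (
    [("203.0.113.5", "10.0.0.20", "tcp", NVR_MGMT_PORT), ("10.0.0.20", "203.0.113.9", "tcp", NFS_PORT)]
    + [("10.0.0.20", "198.51.100.1", "udp", 80)] * 60
    + [("10.0.0.20", f"198.51.100.{i}", "tcp", 23) for i in range(2, 32)]
    + [("10.0.0.30", "10.0.0.1", "tcp", 443), ("10.0.0.30", "198.51.100.7", "tcp", 23)]
)

if __name__ == "__main__":
    print(full_chain_hosts(SAMPLE_FLOWS))   # ['10.0.0.20']
```

Because the malware lives only in memory, this kind of flow-based correlation (rather than a disk scan) is what actually surfaces an infected NVR; a single partial stage, such as one Telnet connection, is deliberately not flagged.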
Advanced Lazarus Campaign Uses PondRAT, ThemeForestRAT, and RemotePE in Financial Sector Attacks
Cybersecurity experts from Fox-IT and NCC Group have documented the activities of a Lazarus Group subgroup that continues to target organizations in the financial and cryptocurrency sectors using a combination of three Remote Access Trojans (RATs): PondRAT, ThemeForestRAT, and RemotePE. This subgroup, overlapping with activity previously attributed to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces, has been observed in multiple incident response cases, including one in 2024 where all three RATs were deployed in sequence. The attack chain typically begins with sophisticated social engineering campaigns conducted via Telegram, where the attackers impersonate employees of legitimate trading and investment companies using fake websites and meeting platforms. In at least one case, researchers suspect the use of a Chrome zero-day exploit to gain code execution on a victim machine, followed by deployment of PondRAT as the initial foothold. Persistence was achieved through the Windows SessionEnv service via phantom DLL loading with a custom loader named PerfHLoader, which granted elevated privileges to bypass security controls. PondRAT, a simple cross-platform RAT believed to be the successor of POOLRAT (SimpleTea), was used to read and write files, execute commands, and load shellcode or additional payloads. Despite its simplicity, it served as the entry point for more advanced malware.
Advanced Cyber Threats Targeting Formula 1 Fans and Teams Ahead of the Dutch Grand Prix
Cybercriminals are increasingly targeting Formula 1 fans, teams, and associated organizations in the lead-up to the Dutch Grand Prix in Zandvoort. Researchers report that the threat landscape has moved far beyond traditional ticket scams, with attackers now deploying highly advanced techniques, including AI-driven deepfakes, malicious mobile applications, fraudulent hospitality packages, NFT and cryptocurrency scams, telemetry data theft, and supply chain compromises. Deepfake attacks are among the most concerning developments, as criminals impersonate team executives to commit fraud or inflict reputational damage. In one case in 2024, Ferrari narrowly avoided losses after a scammer posing as CEO Benedetto Vigna was exposed only through a personalized challenge-response. Recently, Toto Wolff confirmed the existence of deepfake pornography using his likeness, highlighting how high-profile individuals in F1 are becoming social-engineering targets. At the fan level, malicious F1-themed mobile applications are proliferating, from ghost apps that hide in devices while running scam operations to counterfeit games and unauthorized streaming apps that install persistent malware.
CVE-2025-6543 has been used as a zero-day since May 2025
According to information dated August 29, 2025, researcher Kevin Beaumont at DoublePulsar revealed that Citrix allegedly failed to disclose that CVE-2025-6543 has been actively exploited in the wild as a zero-day since at least May 2025. While Citrix patched the issue in late June and characterized it as a memory-overflow flaw leading to unintended control flow or Denial of Service, Beaumont asserts that the vulnerability actually enabled remote code execution, allowing threat actors to deploy webshells, retain persistent access to NetScaler systems, and remain undetected even after patching. Beaumont’s observations are supported by the NCSC Netherlands report, which confirms exploitation dating back to early May and notes that attackers actively erased forensic traces, complicating incident response. Citrix’s official communications did not include details on RCE or persistence, instead downplaying the severity as primarily DoS. Security advisories have now been updated to reflect active exploitation, and customers are urged to apply patches and investigate for potential compromise. While exploitation of this vulnerability is confirmed, the identity of the threat actor remains unknown.
High-severity vulnerability in Passwordstate credential manager
According to information dated August 29, 2025, Click Studios has released a fix for a high-severity authentication bypass vulnerability in its enterprise password manager, Passwordstate, urging all users to upgrade immediately to version 9.9 (Build 9972). The vulnerability, yet to be assigned a CVE ID, allows an attacker to reach the application’s Administration section by crafting a specific URL against the Emergency Access page, bypassing authentication altogether; the company confirmed that such a specially crafted URL yields unauthorized admin-level access. As a temporary mitigation, users can restrict access via the “Emergency Access Allowed IP Address” field under System Settings - Allowed IP Ranges, though Click Studios emphasizes this is only a partial fix and strongly recommends upgrading to the patched version as soon as possible.