Executive Summary
In the latest cybersecurity landscape, several emerging threats have intensified...
Weekly Cyber Threats: Unpatched Flaws, AI-powered Threats, and Ransomware’s Rising Tide
Over the past week, emerging cyber threats have spotlighted new vulnerabilities and attack strategies posing significant risks globally. The North Korean Lazarus Group expanded its operations with a React-based command-and-control platform, "Phantom Circuit," targeting cryptocurrency firms in Europe. Meanwhile, the Mirai botnet resurfaced under the alias "Aquabot," exploiting vulnerabilities in IoT devices, including Mitel SIP phones, for large-scale DDoS attacks. GitHub Desktop users are urged to patch several vulnerabilities (Clone2Leak), which expose developer credentials, highlighting application security concerns. Recurring command injection flaws in Zyxel CPE devices (CVE-2024-40891) remain unpatched, further exposing networks to attack. AI tools such as GhostGPT have emerged on dark web forums, allowing cybercriminals to generate phishing campaigns and malware with ease. Additionally, ransomware attacks have evolved with threat actors using SSH tunnels for long-term access and deploying multi-stage encryption tactics. Key breaches affecting healthcare organizations, including Change Healthcare’s data compromise impacting 190 million individuals, reflect the rising threat of ransomware in critical sectors. With Apple addressing an actively exploited zero-day (CVE-2025-24085), the urgency for timely updates and system patching remains paramount. Collectively, these developments highlight the need for proactive cybersecurity measures, including enhanced monitoring and stronger data protection strategies.
Vulnerability List
- HeartSender Cybercrime Network Dismantled
  U.S. and Dutch authorities shut down 39 domains tied to the HeartSender group, a business email compromise network responsible for $3 million in fraud through phishing toolkits. This joint operation is a major milestone in tackling global cybercrime.
- BeyondTrust Zero-Day Breach
  BeyondTrust disclosed a breach affecting 17 SaaS customers in which a compromised API key was used alongside two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686). Both vulnerabilities are now listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which calls for immediate action.
- Contec CMS8000 Patient Monitor Vulnerabilities
  Critical vulnerabilities (CVE-2025-0626, CVE-2024-12248, and CVE-2025-0683) in Contec’s CMS8000 patient monitors allow attackers to execute remote commands and access patient data. Organizations are advised to disconnect affected devices and implement mitigations.
- Google AI Misuse (Gemini AI Assistant)
  State-sponsored groups from over 20 countries are abusing Google’s Gemini AI assistant to enhance their cyber operations. Although the AI itself is not launching attacks, its use is improving attackers' operational efficiency.
- DeepSeek Database Exposure
  Over one million log entries, including proprietary AI model data, were exposed due to an unsecured database on DeepSeek’s platform. This incident highlights the security risks associated with rapidly expanding AI technologies.
- Meta Zero-Click Spyware Attack on WhatsApp
  A zero-click spyware campaign on WhatsApp, attributed to Israeli surveillance firm Paragon Solutions, targeted journalists and activists through malicious PDFs. This incident reflects concerns over the misuse of spyware in targeted attacks.
- Microsoft Ads Malvertising Campaign
  A malvertising campaign targeted users searching for “Microsoft Ads” through fake Google ads, redirecting victims to credential-harvesting phishing pages disguised as legitimate Microsoft login sites.
- GitHub Desktop Vulnerabilities (Clone2Leak)
  Multiple vulnerabilities (CVE-2025-23040, CVE-2024-50338, CVE-2024-53263) in GitHub Desktop and related applications expose developer credentials. Immediate updates are recommended to prevent code repository leaks.
- AI Model Jailbreaking Threats
  Major AI platforms, including ChatGPT, DeepSeek, and Alibaba’s Qwen, face jailbreaking threats that allow attackers to bypass safety protocols and generate malicious output.
- OAuth Vulnerability in Online Travel Services
  An OAuth flaw within an unnamed travel service allows attackers to hijack user accounts and gain access to integrated airline services, raising concerns over third-party authentication security.
Exploitation of Vulnerabilities and Zero-days
Several critical vulnerabilities were highlighted this week, including Apple’s zero-day (CVE-2025-24085), Fortinet’s zero-day in FortiOS (CVE-2024-55591), and persistent command injection issues in Zyxel’s CPE devices (CVE-2024-40891). Cacti network monitoring software faced a remote code execution vulnerability (CVE-2025-22604) due to improper SNMP parsing. In the healthcare sector, critical backdoor access (CVE-2025-0626) was discovered in Contec CMS8000 patient monitors, prompting urgent action to disconnect affected devices. Developers using GitHub Desktop are at risk from multiple vulnerabilities (Clone2Leak), emphasizing the need for robust patch management and continuous monitoring. These threats, if exploited, could impact Australian businesses relying on affected technologies.
Malware and Botnet Campaigns
The Mirai botnet variant, known as "Aquabot," has re-emerged, targeting IoT devices like Mitel SIP phones via command injection flaws (CVE-2024-41710) to launch DDoS attacks. Phishing campaigns in Europe deploy malware such as Agent Tesla and Snake Keylogger through PureCrypter, using evasive techniques to avoid detection. Meanwhile, backdoor TorNet is being utilized to maintain stealth persistence. The J-Magic backdoor has been identified in attacks on Juniper Networks routers, while Palo Alto Networks firewalls face Secure Boot bypass exploitation. Australian sectors, particularly in manufacturing and critical infrastructure, should remain alert to these evolving malware campaigns.
Ransomware Attacks and Breaches
Ransomware threats escalated with Change Healthcare’s breach compromising 190 million individuals, prompting a $22 million ransom payment. Frederick Health and the New York Blood Center also experienced operational disruptions due to ransomware attacks. Tata Technologies reported an IT systems breach, though customer services were unaffected. The Mizuno USA ransomware attack resulted in the BianLian group leaking sensitive data. These incidents demonstrate the increasing frequency and sophistication of ransomware campaigns, urging organizations to implement advanced backup strategies, encryption, and robust incident response plans.
Cyber Espionage and State-sponsored Threats
The Lazarus Group’s new platform, "Phantom Circuit," is streamlining its global cyber operations targeting cryptocurrency sectors through backdoor-infected applications. Russian state-sponsored UAC-0063 expanded its spear-phishing campaigns targeting European embassies. Meanwhile, China’s DeepSeek AI faces scrutiny for potential intellectual property theft, reflecting AI-driven espionage risks. Australian enterprises, particularly those engaged in critical infrastructure, should remain alert to these trends given the strategic interest of state-sponsored groups.
Phishing and Social Engineering Tactics
Phishing tactics are evolving with the rise of GhostGPT, an uncensored AI tool available on Telegram, which enables cybercriminals to generate sophisticated phishing campaigns and malware scripts. A smishing campaign leveraging USPS branding sends victims undelivered package alerts embedded in PDFs, leading to credential theft. Amazon Prime users have been targeted through fraudulent PDFs, and LinkedIn is being exploited for job-related social engineering attacks by the Lazarus Group. The persistence of phishing across industries necessitates continuous user education and email filtering enhancements.