Anomali Cyber Watch: WinRAR Malware, Erlang OTP Exploitation, Charon Ransomware, and More


WinRAR CVE-2025-8088 Zero-Day Used to Plant Malware via Path Traversal
(published: August 11, 2025)
Researchers detail how the RomCom group abused a newly patched WinRAR path traversal bug, CVE-2025-8088, to deliver backdoors through phishing RAR files. Malicious archives used alternate data streams to drop executables into %TEMP% and place LNK files in Windows Startup so code runs at next logon, with payloads including Mythic Agent, SnipBot, and RustyClaw. ESET observed job-application lures between July 18 and 21 targeting organizations in Europe and Canada. RARLAB fixed the flaw in WinRAR 7.13 on July 30, and because WinRAR does not auto-update, manual upgrades are required. A separate activity cluster tracked as Paper Werewolf also leveraged the bug alongside a June path traversal issue. NVD confirms active exploitation.
Analyst Comment: RomCom’s use of numerous hidden alternate data streams in the malicious RAR files is a deliberate evasion tactic. By filling the archive with bogus paths that trigger benign-looking warnings, the attackers bury their actual payload paths in noise, making them less likely to be noticed. ESET’s complete IoCs for the latest RomCom attacks are available on its GitHub repository and have been ingested into ThreatStream.
MITRE ATT&CK: T1583 - Acquire Infrastructure | T1587.001 - Develop Capabilities: Malware | T1587.004 - Develop Capabilities: Exploits | T1588.003 - Obtain Capabilities: Code Signing Certificates | T1588.005 - Obtain Capabilities: Exploits | T1588.006 - Obtain Capabilities: Vulnerabilities | T1608 - Stage Capabilities | T1189 - Drive-By Compromise | T1053.005 - Scheduled Task/Job: Scheduled Task | T1546.015 - Event Triggered Execution: Component Object Model Hijacking | T1068 - Exploitation For Privilege Escalation | T1622 - Debugger Evasion | T1480 - Execution Guardrails | T1027.011 - Obfuscated Files or Information: Fileless Storage | T1553.002 - Subvert Trust Controls: Code Signing | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1552.001 - Unsecured Credentials: Credentials In Files | T1087 - Account Discovery | T1518 - Software Discovery | T1614 - System Location Discovery | T1021 - Remote Services | T1560 - Archive Collected Data | T1185 - Man In The Browser | T1005 - Data From Local System | T1114.001 - Email Collection: Local Email Collection | T1113 - Screen Capture | T1071.001 - Application Layer Protocol: Web Protocols | T1573.002 - Encrypted Channel: Asymmetric Cryptography | T1041 - Exfiltration Over C2 Channel | T1565 - Data Manipulation | T1657 - Financial Theft
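As an added example (not code from ESET, RARLAB or the Anomali write-up), the following Python triages an archive's entry list for the two properties this attack chain depends on: stored file paths or alternate data stream names that resolve outside the extraction folder, and streams aimed at the Startup folder. The entry names are constructed for illustration; in practice they would come from an archive listing tool, and the destination folder is an assumed download directory.

```python
import ntpath

# Constructed archive entry names modelled on the behaviour described above:
# a benign document plus entries whose stored path (or alternate data stream
# name) tries to escape the extraction folder. These are not real samples.
SAMPLE_ENTRIES = [
    "cv_john_doe.pdf",
    "docs/readme.txt",
    "cv_john_doe.pdf:..\\..\\..\\AppData\\Local\\Temp\\updater.exe",
    "cv_john_doe.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\run.lnk",
    "../../../Users/Public/evil.exe",
    "C:\\Windows\\Temp\\x.exe",
]

STARTUP_MARKER = "start menu\\programs\\startup"


def split_ads(entry):
    """Return (file_name, stream_name or None).

    On NTFS 'file.txt:stream' addresses an alternate data stream of file.txt.
    The search starts at index 2 so a drive letter ('C:') is not mistaken for
    a stream separator.
    """
    idx = entry.find(":", 2)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def escapes_destination(dest, name):
    """True if dest\\name would land outside dest once '..' segments and
    absolute or drive-qualified paths are resolved. Both slash styles are
    treated as separators because the archive targets Windows."""
    name = name.replace("/", "\\")
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return True
    root = ntpath.normpath(dest).lower()
    target = ntpath.normpath(ntpath.join(dest, name)).lower()
    return not target.startswith(root + "\\")


def classify_entry(dest, entry):
    """Findings for one entry; an empty list means nothing suspicious."""
    findings = []
    file_name, stream = split_ads(entry)
    if escapes_destination(dest, file_name):
        findings.append("path traversal in entry name")
    if stream is not None:
        findings.append("alternate data stream")
        if escapes_destination(dest, stream):
            findings.append("path traversal in stream name")
        if STARTUP_MARKER in stream.lower().replace("/", "\\"):
            findings.append("stream targets Startup folder")
    return findings


def triage_archive(dest, entries):
    """Map every suspicious entry to its findings."""
    result = {}
    for entry in entries:
        findings = classify_entry(dest, entry)
        if findings:
            result[entry] = findings
    return result


if __name__ == "__main__":
    hits = triage_archive("C:\\Users\\alice\\Downloads", SAMPLE_ENTRIES)
    for entry, why in hits.items():
        print(entry, "->", ", ".join(why))
```

The same normalise-then-compare check in escapes_destination is what a safe extractor should apply to every name before writing, which is the root cause the WinRAR 7.13 fix addresses; the triage view is useful for mail gateways and sandboxes that see the archive before a user does.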
Erlang OTP SSH RCE Campaign Targets OT Firewalls and Appliances (CVE-2025-32433)
(published: August 14, 2025)
Researchers report a surge in exploitation of CVE-2025-32433, a missing authentication bug in the Erlang OTP SSH server that enables pre-authentication remote code execution. Since May, activity has been concentrated on OT perimeters, with roughly 70 percent of observed targets being firewalls. The flaw is patched in OTP versions 27.3.3, 26.2.5.11, and 25.3.2.20, and was added to CISA’s Known Exploited Vulnerabilities catalog in June. Post-exploitation activity includes deployment of reverse shells into victim networks.
Analyst Comment: Most of the recent CVE-2025-32433 exploitation is hitting sectors that cannot easily afford downtime, including healthcare, agriculture, media, and high technology. The concentration of activity in the U.S., Canada, Brazil, India, and Australia suggests adversaries are deliberately going after high-value regional infrastructure. Patching remains the most reliable defense, and given how widely Erlang OTP is embedded in third-party appliances, updates should be confirmed directly with vendors rather than assumed. Where immediate patching is not possible, isolate affected devices from the internet, restrict SSH access to a minimal administrative set, and actively monitor for any outbound traffic from OT edge systems. This campaign follows the same pattern as other recent OT-facing attacks, where unpatched services on perimeter devices become footholds for deeper intrusions. Without rapid remediation, similar exploitation chains will continue to succeed in these sectors.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1071 - Application Layer Protocol | T1071.004 - Application Layer Protocol: DNS
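Because the fix lands on three separate OTP release lines, a plain string comparison of version numbers gets this wrong. The following Python, added here as an example and not taken from the Erlang project or the Anomali write-up, compares an inventory of OTP versions against the fixed releases named above on a per-line basis. The inventory and host names are constructed; the version strings are assumed to be collected from each device, for example from the OTP_VERSION file in the Erlang release directory or from the vendor's release notes.

```python
import re

# Fixed releases named in the summary above. A version at or above the fix on
# the same major line is patched; anything lower on that line is vulnerable.
PATCHED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_version(text):
    """Extract the dotted OTP release number from strings such as
    'OTP-26.2.5.10', '26.2.5.10' or 'Erlang/OTP 26.2.5.10'. Pass the OTP
    version, not an erts version. Returns a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version_text):
    """'patched', 'vulnerable' or 'unknown' (a major line not covered by the
    three fixed releases above, which must be confirmed with the vendor)."""
    version = parse_version(version_text)
    fix = PATCHED.get(version[0])
    if fix is None:
        return "unknown"
    # Pad to equal length so 26.2.5 compares as 26.2.5.0 against 26.2.5.11.
    width = max(len(version), len(fix))
    padded_version = version + (0,) * (width - len(version))
    padded_fix = fix + (0,) * (width - len(fix))
    return "patched" if padded_version >= padded_fix else "vulnerable"


def inventory_report(inventory):
    """inventory: {host: version string}. Returns hosts grouped by status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[assess(version)].append(host)
    return report


# Constructed inventory of appliances that embed Erlang OTP.
SAMPLE_INVENTORY = {
    "fw-edge-01": "OTP-26.2.5.10",
    "fw-edge-02": "26.2.5.11",
    "hist-gw-01": "27.3",
    "hist-gw-02": "27.3.3",
    "legacy-pbx": "24.3.4",
}

if __name__ == "__main__":
    for status, hosts in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that come back "unknown" are the ones the analyst comment warns about: the page names fixes only for the 25, 26 and 27 lines, so anything else should be checked with the appliance vendor rather than assumed safe.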
New ‘Charon’ Ransomware Uses APT-Style Sideloading to Hit Middle East Aviation and Public Sector
(published: August 14, 2025)
Trend Micro reports a new ransomware family, Charon, deployed in targeted intrusions against public sector and aviation organizations in the Middle East. The operators abuse DLL sideloading by launching a signed Edge.exe to load a malicious msedge.dll loader called SWORDLDR, which decrypts shellcode from DumpStack.log and injects the ransomware into svchost.exe. Charon disables security services, deletes shadow copies, appends the .Charon extension, and displays victim-specific ransom notes. The binary uses Curve25519 plus ChaCha20 for hybrid encryption. Trend Micro notes technical overlap with Earth Baxia tradecraft but stops short of attribution. Separate coverage mentions a BYOVD capability via a Dark-Kill-derived driver that was present but not executed in observed runs.
Analyst Comment: One of the more telling elements in the Trend Micro analysis is the inclusion of a driver compiled from the public Dark-Kill project, built specifically to disable endpoint detection and response solutions. However, in observed attacks, this BYOVD component was present but never executed, suggesting the operators are preparing for scenarios where bypassing EDR becomes essential. Its presence indicates forethought and modular design, allowing them to adjust tactics based on a target’s defenses. This also reinforces that what is seen in a single intrusion may only be a partial view of their full capability set.
MITRE ATT&CK: T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1055 - Process Injection | T1036.005 - Masquerading: Match Legitimate Name or Location | T1027 - Obfuscated Files or Information | T1562.001 - Impair Defenses: Disable or Modify Tools | T1135 - Network Share Discovery | T1486 - Data Encrypted for Impact | T1490 - Inhibit System Recovery | T1489 - Service Stop
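The sideloading step is the most detectable part of the chain: a signed vendor binary loads a DLL of a vendor-sounding name from the directory it was dropped in rather than from the product's install path. The Python below is an added example, not Trend Micro's detection logic, that applies that heuristic to image-load records shaped like Sysmon event ID 7 fields. The records are constructed; the trusted root directories and the assumption that msedge.dll is a Microsoft-signed Edge component are the example's own.

```python
import ntpath

# Directories where a DLL loaded by a signed vendor binary is expected to live.
# Anything else (Public, Temp, Downloads, ProgramData, ...) is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that belong to a known vendor product and the signer expected on
# them. Assumption for this example: msedge.dll is a Microsoft-signed component.
VENDOR_DLLS = {"msedge.dll": "Microsoft Corporation"}

# Constructed records in the shape of Sysmon event ID 7 (image load) fields.
# The first mirrors the Charon chain above: a signed, renamed Edge binary loads
# msedge.dll from the same staging folder. The others are normal activity.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\Libraries\\Edge.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\msedge.dll",
     "Signed": "false", "Signature": ""},
    {"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": "C:\\Users\\alice\\tools\\notes.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_findings(event):
    """Reasons this image load looks like DLL side-loading; empty if none."""
    loader = event["Image"]
    dll = event["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    findings = []
    same_dir = ntpath.dirname(loader).lower() == ntpath.dirname(dll).lower()
    if same_dir and not in_trusted_root(dll):
        findings.append("DLL loaded from the loader's own directory outside trusted roots")
    if event["Signed"].lower() != "true" and not in_trusted_root(dll):
        findings.append("unsigned DLL loaded from a user-writable location")
    expected_signer = VENDOR_DLLS.get(dll_name)
    if expected_signer and event["Signature"] != expected_signer:
        findings.append(f"{dll_name} is not signed by {expected_signer}")
    return findings


def scan(events):
    """Return (loader, dll, findings) for every suspicious load."""
    hits = []
    for event in events:
        findings = sideload_findings(event)
        if findings:
            hits.append((event["Image"], event["ImageLoaded"], findings))
    return hits


if __name__ == "__main__":
    for loader, dll, why in scan(SAMPLE_EVENTS):
        print(f"{loader} loaded {dll}: {'; '.join(why)}")
```

Developer workstations that run unsigned tools from a home directory will trip the second rule, so an allowlist keyed on loader path is the usual follow-up; the third rule (a known vendor DLL name without the vendor's signature) is the one with the least noise.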
ShinyHunters’ Salesforce Extortion May Pivot to Financial Services
(published: August 12, 2025)
An ongoing Salesforce credential-phishing and data-extortion campaign attributed to ShinyHunters, with indications of overlap with Scattered Spider, is reportedly broadening its target set to banks, insurers, and fintech firms. Researchers observed coordinated “ticket” themed phishing domains, Okta-lookalike SSO pages, and vishing that push users to authorize malicious connected apps, enabling Salesforce data exfiltration for extortion. Domain-registration patterns suggest a shift toward financial services, with finance-focused registrations up 12% since July 2025. Organizations that rely on Salesforce or connected apps should assume elevated exposure.
Analyst Comment: This campaign exploits Salesforce’s connected app feature, using legitimate OAuth tokens to quietly extract data after user authorization. Focus should be on identity controls: limit who can approve connected apps, enforce phishing-resistant MFA, and alert on new authorizations or unusual export activity. In higher-risk settings, require extra verification before third-party integrations are allowed.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1566.004 - Phishing: Spearphishing Voice | T1078.004 - Valid Accounts: Cloud Accounts | T1671 - Cloud Application Integration | T1567 - Exfiltration Over Web Service
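The two alerts the analyst comment asks for, a grant to a connected app nobody has reviewed and an export far above a user's normal volume, reduce to a short rule set. The Python below is an added example and not Salesforce's own event schema or any vendor's detection; the audit records, the approved-app list and the per-user export history are constructed, and the five-times-median threshold is an assumption to be tuned.

```python
from statistics import median

# Connected apps that admins have reviewed and approved (constructed names).
APPROVED_APPS = {"Corporate Data Loader", "Finance BI Connector"}

# Typical export sizes per user from recent history (constructed baseline).
EXPORT_HISTORY = {"b.ops": [1_500, 2_200, 1_900], "j.sales": [120, 80, 200]}

# An export larger than this multiple of the user's median is unusual (assumption).
EXPORT_MULTIPLIER = 5

# Constructed audit records in a generic shape, not Salesforce's own event
# schema: OAuth grants to connected apps and bulk exports with row counts.
SAMPLE_EVENTS = [
    {"ts": "2025-08-11T09:02:00Z", "user": "b.ops", "event": "oauth_grant",
     "app": "Finance BI Connector"},
    {"ts": "2025-08-11T09:10:00Z", "user": "b.ops", "event": "export",
     "app": "Finance BI Connector", "rows": 1_800},
    {"ts": "2025-08-12T14:31:00Z", "user": "j.sales", "event": "oauth_grant",
     "app": "Ticket Support Helper"},
    {"ts": "2025-08-12T14:40:00Z", "user": "j.sales", "event": "export",
     "app": "Ticket Support Helper", "rows": 95_000},
]


def review(events, approved=APPROVED_APPS, history=EXPORT_HISTORY,
           multiplier=EXPORT_MULTIPLIER):
    """Return (timestamp, user, reason) alerts for the given events."""
    alerts = []
    for e in events:
        unapproved = e["app"] not in approved
        if e["event"] == "oauth_grant" and unapproved:
            alerts.append((e["ts"], e["user"],
                           f"authorised unreviewed connected app: {e['app']}"))
        elif e["event"] == "export":
            past = history.get(e["user"])
            if past and e["rows"] > multiplier * median(past):
                alerts.append((e["ts"], e["user"],
                               f"{e['rows']} rows exported via {e['app']}, above "
                               f"{multiplier}x the user's median of {median(past):.0f}"))
            if unapproved:
                alerts.append((e["ts"], e["user"],
                               f"export through unreviewed connected app: {e['app']}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_EVENTS):
        print(ts, user, reason)
```

The grant alert fires before any data moves, which is the point: a token issued to an unreviewed app after a vishing call is the earliest signal this campaign leaves.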
Deepfake Trading Scams Use AI Clones to Lure Investors
(published: August 13, 2025)
Criminal groups are pushing “AI trading” scams that use deepfake videos and voice clones of well-known figures to sell fake investment platforms. Paid ads and social posts drive victims into WhatsApp or Telegram groups, where handlers escalate deposits and steer them to clone broker sites. Regulators and watchdogs report a sharp rise in these impersonation schemes, with recent UK cases featuring deepfaked finance personalities and other celebrities. Consumers are urged to verify any offer against official warning lists and to treat unsolicited investment pitches as high risk. Losses reported across multiple investigations show these operations are organized and persistent, not isolated pranks.
Analyst Comment: I’ve included this story because deepfakes like these are becoming more common and continue to catch both individuals and organizations off guard. Spreading awareness is the first step toward helping people stay vigilant. Malicious deepfakes and disinformation often blend psychological pressure, professional design, and advanced AI models, producing content that feels authentic enough to bypass natural skepticism. This technology is already difficult to counter and will only grow more convincing, especially if you don’t know what to look for.
MITRE ATT&CK: T1598.004 - Phishing for Information: Spearphishing Voice
Fortinet SSL VPN Brute-Force Surge Tracked Across Two Waves
(published: August 15, 2025)
A large coordinated brute-force campaign against Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs flagged in a single day, the highest recent volume for GreyNoise’s Fortinet SSL VPN Bruteforcer tag. Traffic presented in two distinct waves. The first aligned with a long-running cluster that maintained steady activity, while a second wave began August 5 with a different TCP signature and quickly pivoted from FortiOS SSL VPN endpoints to FortiManager’s FGFM service. JA4+ fingerprinting tied elements of the August activity to traffic seen in June that resolved to a FortiGate device on a residential ISP block, suggesting tool reuse or shared infrastructure rather than random scanning. GreyNoise notes that spikes of this kind have historically preceded vendor vulnerability disclosures in a majority of cases.
Analyst Comment: The evidence points to reusable tooling and infrastructure, which lowers cost and makes repeat campaigns likely. Brute force and credential stuffing thrive on recycled credentials and botnet nodes, so once a playbook works, crews tend to rerun it. Expect more probing and follow-on attempts against adjacent Fortinet surfaces.
MITRE ATT&CK: T1110 - Brute Force
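A spike like the one GreyNoise describes is a count of distinct source addresses per day rising well above the preceding days, not any single noisy address. The Python below, added here as an example and not GreyNoise's tooling or FortiOS's log format, parses constructed key=value authentication-failure lines (documentation IP ranges only), counts unique sources per day and flags days that exceed both an absolute floor and a multiple of the trailing mean. Both thresholds are assumptions to be set from your own baseline.

```python
import re
from collections import Counter, defaultdict
from statistics import mean


def _build_sample_log():
    """Constructed failure lines: two days of steady noise from two hosts,
    then a burst from many hosts on the third day."""
    lines = []
    steady = ["203.0.113.5", "198.51.100.9"]
    for day in ("2025-08-01", "2025-08-02"):
        for ip in steady:
            for n in range(3):
                lines.append(f"{day}T0{n}:15:00Z src={ip} user=admin "
                             f"action=ssl-login status=failure")
    burst = steady + [f"192.0.2.{i}" for i in range(10, 16)]
    for ip in burst:
        for n in range(2):
            lines.append(f"2025-08-03T1{n}:00:00Z src={ip} user=admin "
                         f"action=ssl-login status=failure")
    return lines


SAMPLE_LOG = _build_sample_log()

LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) .*status=failure")


def unique_sources_per_day(lines):
    """{day: set of source IPs with at least one failed login that day}."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m:
            per_day[m["day"]].add(m["src"])
    return per_day


def detect_spikes(per_day, absolute_threshold=5, multiplier=3.0):
    """Days whose unique-source count is at least `absolute_threshold` and
    exceeds `multiplier` times the mean of the preceding days."""
    spikes = []
    previous = []
    for day in sorted(per_day):
        count = len(per_day[day])
        baseline = mean(previous) if previous else 0
        if count >= absolute_threshold and count > multiplier * baseline:
            spikes.append((day, count))
        previous.append(count)
    return spikes


def failures_per_source(lines, day):
    """Failed attempts per source address on one day, for follow-up triage."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m["day"] == day:
            counts[m["src"]] += 1
    return counts


if __name__ == "__main__":
    per_day = unique_sources_per_day(SAMPLE_LOG)
    for day, count in detect_spikes(per_day):
        print(f"{day}: {count} unique sources")
        print(failures_per_source(SAMPLE_LOG, day).most_common(3))
```

The per-source counts are deliberately a second step: in a distributed campaign each address makes only a handful of attempts, so per-IP lockout thresholds never trigger and the day-level fan-out is the signal.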
Booking.com Lookalike Phish Uses Japanese “ん” To Masquerade As Legit Links
(published: August 15, 2025)
Threat actors are spoofing Booking.com with Unicode lookalike links that hide the real destination. Emails show text that appears to be an admin.booking.com path, yet the hyperlink resolves to account.booking.comんdetailんrestric-access.www-account-booking[.]com where the Japanese hiragana ん can resemble a slash in some renderings. Victims are redirected to a lookalike domain that delivers a malicious MSI from a CDN, likely to drop infostealers or remote access tools. The tactic blends homoglyph deception with spearphishing links. Microsoft also documented earlier Booking.com themed ClickFix lures against hotels, showing sustained brand abuse of this target set.
Analyst Comment: Typosquatting is nothing new, and IDN homograph attacks are a variant that swaps characters with visually similar ones from other alphabets. This case caught my attention because it uses the Japanese hiragana “ん” in place of a slash-like separator “/”, which I have not seen before in a live campaign. On certain screens the difference is barely noticeable, allowing the attacker to make a malicious domain look like part of a legitimate path. Knowing that this character can be used in this way adds to my analyst toolkit and serves as a solid reminder to look for unfamiliar or out-of-place characters in links and URLs.
MITRE ATT&CK: T1583.001 - Acquire Infrastructure: Domains | T1583.006 - Acquire Infrastructure: Web Services | T1608.001 - Stage Capabilities: Upload Malware | T1608.005 - Stage Capabilities: Link Target | T1566.002 - Phishing: Spearphishing Link | T1204.001 - User Execution: Malicious Link | T1204.002 - User Execution: Malicious File
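The reliable way to see through this trick is to stop looking at the rendered link and decompose the hostname: split it into labels, find the one that mixes scripts, show its punycode form, and name the registrable domain at the end. The Python below is an added example (not from the Booking.com or Microsoft coverage) that does this with the standard library only, using the defanged link quoted above as input. The registrable-domain rule is a deliberate simplification (last two labels, no public suffix list).

```python
import unicodedata
from urllib.parse import urlsplit


def refang(text):
    """Undo common defanging so the link can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def script_of(char):
    """Rough script name taken from the Unicode character name ('LATIN',
    'HIRAGANA', 'CYRILLIC', ...). Digits and punctuation return None."""
    if not char.isalpha():
        return None
    return unicodedata.name(char, "UNKNOWN").split(" ")[0]


def analyze_link(link):
    """Break a link's hostname down so lookalike labels stand out."""
    url = refang(link)
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    mixed, scripts = [], set()
    for label in labels:
        label_scripts = {s for s in map(script_of, label) if s}
        scripts |= label_scripts
        if len(label_scripts) > 1 or any(ord(c) > 127 for c in label):
            mixed.append(label)
    # The IDNA codec turns each non-ASCII label into its xn-- punycode form,
    # which is what DNS actually resolves.
    ascii_labels = [label.encode("idna").decode("ascii") for label in labels]
    return {
        "host": host,
        "ascii_host": ".".join(ascii_labels),
        # Simplification: last two labels, no public suffix list.
        "registrable_domain": ".".join(labels[-2:]),
        "mixed_script_labels": mixed,
        "scripts": sorted(scripts),
        "non_ascii_chars": sorted({(c, unicodedata.name(c, "?"))
                                   for c in host if ord(c) > 127}),
    }


if __name__ == "__main__":
    # The defanged link from the report above.
    report = analyze_link(
        "account.booking.comんdetailんrestric-access.www-account-booking[.]com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted link, the output shows that "account.booking.com…" is merely a subdomain label of www-account-booking.com and that the label containing ん is the only mixed-script one; the same function applied to a genuine admin.booking.com path reports no mixed labels and booking.com as the registrable domain.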
Phishers Force FIDO Passkey Downgrades to Steal Credentials and Sessions
(published: August 12, 2025)
Proofpoint details a downgrade technique where phishing kits detect or fake an unsupported FIDO/WebAuthn flow, nudging users to choose weaker methods like passwords or app codes. Adversary-in-the-middle pages then capture credentials and session tokens, reducing the protection passkeys provide wherever legacy options remain enabled. Coverage indicates phishlets are already adopting this logic and targeting common identity platforms.
Analyst Comment: Most phishing kits fail when they hit FIDO authentication because they do not have the public keys needed to complete the handshake. That’s why it is important to reiterate that FIDO itself is not compromised and continues to work as intended; this technique simply sidesteps the protection without touching the cryptography. Furthermore, Proofpoint notes it is still a proof-of-concept, but history suggests techniques like this do not stay on the shelf for long once they show promise.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1557 - Man-In-The-Middle | T1111 - Two-Factor Authentication Interception | T1539 - Steal Web Session Cookie
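Two relying-party behaviours decide whether this downgrade works. The first is the WebAuthn check itself: the browser writes the page origin and the server's challenge into clientDataJSON, so an assertion collected on a lookalike origin fails verification. The second is policy: if a passkey-enrolled user can still be shown a password or code prompt, the kit simply asks for that instead. The Python below is an added example, not Proofpoint's research code or any identity platform's implementation; the relying-party origin, user records and method names are assumptions, and the public-key signature check that follows these steps in a real verifier is left out.

```python
import base64
import json
import secrets

# Assumption for this example: the legitimate relying party's origin.
RP_ORIGIN = "https://login.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Fresh per-ceremony challenge the server stores and expects back."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON as a browser builds it for an assertion.
    The browser, not page script, fills in `origin`, which is why a proxy
    page on another host cannot produce one for RP_ORIGIN."""
    payload = {"type": "webauthn.get", "challenge": challenge,
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_origin: str = RP_ORIGIN):
    """Relying-party checks on clientDataJSON. Signature verification over
    authenticatorData || SHA-256(clientDataJSON) with the stored public key
    would follow these checks and is omitted here."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or foreign assertion)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion made for {data.get('origin')}"
    return True, "ok"


# Downgrade policy: once a user holds a passkey, legacy factors are not
# offered, whatever the client claims about WebAuthn support.
LEGACY_METHODS = {"password", "password+totp"}


def allowed_methods(user: dict) -> set:
    """Passkey-enrolled users get passkeys only; others keep legacy methods."""
    return {"passkey"} if user.get("passkeys") else set(LEGACY_METHODS)


def select_method(user: dict, requested: str):
    """Method to proceed with, or None to refuse. A client-side claim that
    WebAuthn is unavailable never widens this set; recovery goes through a
    separate, verified path."""
    return requested if requested in allowed_methods(user) else None


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge))
    print(verify_client_data(make_client_data("https://login-example.com", challenge), challenge))
    print(select_method({"passkeys": ["cred-1"]}, "password+totp"))
```

The first two calls show the property the analyst comment relies on: the cryptography is untouched, and the lookalike-origin assertion is rejected before any key is consulted. The third call is the mitigation for the technique itself: the downgrade only has somewhere to go when the policy still offers it.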
Critical Cisco FMC RADIUS Flaw Enables Remote Code Execution
(published: August 15, 2025)
Cisco disclosed a maximum severity bug in Secure Firewall Management Center (FMC) that allows unauthenticated remote code execution via the RADIUS subsystem when RADIUS is enabled for web or SSH management. Tracked as CVE-2025-20265 with a CVSS 10.0 score, the flaw stems from improper handling of user input during authentication, enabling command injection at a high privilege level. The vulnerability affects FMC versions 7.0.7 and 7.7.0, and Cisco reports there are no workarounds.
Analyst Comment: Cisco finding this flaw internally before public exploitation is good news, but the severity and ease of exploitation make it a likely candidate for rapid weaponization once details circulate. The absence of workarounds means defenders cannot rely on temporary configuration changes to reduce exposure, and the narrow set of affected versions makes identification straightforward. There is no reason to delay patching; if RADIUS is enabled for FMC management, treat this as a priority upgrade.
MITRE ATT&CK: T1210 - Exploitation Of Remote Services | T1059.004 - Command and Scripting Interpreter: Unix Shell
Crypto24 Ransomware Uses Custom EDR-Killer and Legitimate Tools in Stealth Attacks
(published: August 14, 2025)
Crypto24 is a highly coordinated ransomware group targeting large enterprises in financial services, manufacturing, entertainment, and technology across the US, Europe, and Asia. The campaign blends legitimate IT tools such as PsExec, AnyDesk, scheduled tasks, and Group Policy utilities with custom malware for persistence and lateral movement. Operators create unauthorized admin accounts, deploy a keylogger service (WinMainSvc) and a ransomware loader (MSRuntime), and use a customized RealBlindingEDR tool to blind EDR solutions from numerous vendors, including Trend Micro, Kaspersky, Sophos, Bitdefender, Cisco, and Fortinet. They use gpscript.exe to launch Trend Vision One’s uninstaller (XBCUninstaller.exe) after escalating privileges. Stolen data is exfiltrated to Google Drive before shadow copies are deleted and ransomware is executed.
Analyst Comment: Crypto24’s custom RealBlindingEDR variant is built to disable drivers from multiple vendors by matching driver metadata to a hardcoded list, showing deliberate preparation to neutralize common EDR stacks. The most relevant advice is to monitor for unusual service creation, unexpected driver activity, and legitimate uninstallers executing outside normal update cycles.
MITRE ATT&CK: T1136.001 - Create Account: Local Account | T1078 - Valid Accounts | T1053.005 - Scheduled Task/Job: Scheduled Task | T1543.003 - Create or Modify System Process: Windows Service | T1087 - Account Discovery | T1082 - System Information Discovery | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1562.001 - Impair Defenses: Disable or Modify Tools | T1218 - Signed Binary Proxy Execution | T1036.005 - Masquerading: Match Legitimate Name or Location | T1056.001 - Input Capture: Keylogging | T1021.002 - Remote Services: SMB/Windows Admin Shares | T1570 - Lateral Tool Transfer | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1490 - Inhibit System Recovery | T1486 - Data Encrypted for Impact
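The analyst comment's three signals (unusual service creation, unexpected driver or tooling activity, and a security product's uninstaller running outside a change window) map onto two Windows event types. The Python below is an added example, not Trend Micro's detection content, that scores records shaped like System log 7045 (service installed) and Sysmon event ID 1 (process creation) fields. The events and file paths are constructed; the service and uninstaller names come from the summary above, and the 02:00 to 04:00 UTC change window is an assumption.

```python
import ntpath
from datetime import datetime, timezone

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Names reported for this campaign in the summary above.
REPORTED_SERVICES = {"winmainsvc", "msruntime"}
SECURITY_UNINSTALLERS = {"xbcuninstaller.exe"}

# Assumption for this example: approved change window, 02:00-04:00 UTC.
WINDOW_START, WINDOW_END = 2, 4

# Constructed records in the shape of Windows System 7045 and Sysmon event
# ID 1 fields. Paths are illustrative, not the products' real install paths.
SAMPLE_EVENTS = [
    {"id": 7045, "ts": "2025-08-12T13:05:00Z", "ServiceName": "WinMainSvc",
     "ImagePath": "C:\\ProgramData\\WinMainSvc\\svc.exe"},
    {"id": 7045, "ts": "2025-08-12T03:00:00Z", "ServiceName": "Backup Agent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    {"id": 1, "ts": "2025-08-12T13:20:00Z",
     "ParentImage": "C:\\Windows\\System32\\gpscript.exe",
     "Image": "C:\\Program Files\\EDR Vendor\\XBCUninstaller.exe"},
    {"id": 1, "ts": "2025-08-12T03:10:00Z",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def in_window(ts):
    """True if the ISO-8601 timestamp falls inside the change window."""
    moment = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return WINDOW_START <= moment.hour < WINDOW_END


def findings(event):
    """Reasons an event deserves review; empty if none."""
    out = []
    if event["id"] == 7045:
        name = event["ServiceName"].lower()
        path = event["ImagePath"]
        if name in REPORTED_SERVICES:
            out.append(f"service name matches reported indicator: {event['ServiceName']}")
        if not path.lower().startswith(TRUSTED_ROOTS):
            out.append("service binary outside trusted roots")
        if not in_window(event["ts"]):
            out.append("service installed outside change window")
    elif event["id"] == 1:
        exe = ntpath.basename(event["Image"]).lower()
        parent = ntpath.basename(event["ParentImage"]).lower()
        if exe in SECURITY_UNINSTALLERS:
            out.append("security product uninstaller executed")
            if parent == "gpscript.exe":
                out.append("launched via Group Policy script host")
            if not in_window(event["ts"]):
                out.append("uninstaller run outside change window")
    return out


def scan(events):
    """(timestamp, findings) for every event that raised at least one."""
    return [(e["ts"], f) for e in events if (f := findings(e))]


if __name__ == "__main__":
    for ts, why in scan(SAMPLE_EVENTS):
        print(ts, "->", "; ".join(why))
```

The indicator-name rule is the weakest of the three because names are trivial to change; the change-window and parent-process rules survive renaming, and the uninstaller rule in particular should page someone regardless of which vendor's product is being removed.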