Advisory ID: NCC-CSIRT-2025-012
Summary:
Security experts have discovered a new type of cybersecurity attack targeting Linux systems. Criminals are hiding malicious code inside the names of files stored in a compressed archive (RAR file). This trick enables the malware to bypass many antivirus programs because the harmful code is not embedded within the file itself, but rather in the file’s name. Victims usually receive this malware through emails, pretending to be surveys or promotions. Once the attached .rar file is opened, the hidden code can run if the system or scripts process the filename in an unsafe way. The final result is the installation of a powerful backdoor program (called VShell) that gives attackers complete control of the infected system.
Damage/Probability: High/Critical
Product(s):
IoT devices and embedded systems running Linux
Version(s):
All versions of Linux systems, including servers, cloud platforms, IoT devices, and automated scripts that process RAR files
Platform(s):
Linux OS
Description:
Hackers have found a new way to attack Linux computers by hiding harmful code inside the names of files in a RAR archive. Normally, antivirus software looks inside files for threats, but in this case, the danger is in the filename itself, so it often goes undetected.
The attack usually starts with a fake email that has a .rar file attached. When the file is opened and the filenames are handled carelessly by the computer or scripts, the hidden code runs automatically. This code then downloads more malware, which installs a secret program called VShell.
Once installed, VShell gives the hacker full control of the computer: they can steal or delete files, run programs, spy on activity, or even use the machine to attack others. What makes this attack especially dangerous is that the malware runs only in the computer’s memory (not saved on disk), and it pretends to be a normal system process, making it very hard to notice or remove.
Impacts:
If the attack succeeds, hackers can take over Linux systems, steal sensitive data, disrupt services, and use the compromised machines for other crimes, all while staying hidden.
Solutions:
- Be suspicious of unexpected attachments, especially .rar files. If you are not expecting it, do not open it.
- Update and secure scripts. If you use Linux scripts, avoid unsafe commands like eval and always quote filenames properly.
- Use security tools that monitor behavior, not just file content. Endpoint protection systems that watch for unusual memory activity are more likely to catch this.
- Restrict internet access on sensitive servers to only trusted websites.
- Stay aware! Even something as “harmless” as a filename can be weaponized.
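The script-hardening advice above, as an added example that is not part of this advisory: a POSIX sh helper that treats every archive entry name as untrusted data, never passes it through eval or an unquoted expansion, and rejects names that carry shell syntax, a leading dash (option injection), or path traversal out of the extraction directory. The listing it processes is a constructed sample, not real malware.

```shell
#!/bin/sh
# Added example (not from the advisory): archive entry names are untrusted input.
# No eval, no unquoted expansion; names are only ever passed as single quoted
# arguments, and anything outside a strict allow-list is rejected.

# is_safe_entry_name NAME -> 0 if NAME passes the allow-list, 1 otherwise.
is_safe_entry_name() {
  case "$1" in
    ''|-*|/*)                return 1 ;;   # empty, leading '-', or absolute path
    ..|../*|*/..|*/../*)     return 1 ;;   # path traversal outside the target dir
    *[!A-Za-z0-9._/-]*)      return 1 ;;   # shell metacharacters, spaces, control chars
  esac
  return 0
}

# process_listing reads one entry name per line on stdin and prints
# "<accepted> <rejected>" on stdout; per-entry decisions go to stderr.
# A name is only ever used as "$entry", never interpolated into a command line.
process_listing() {
  accepted=0
  rejected=0
  while IFS= read -r entry; do
    if is_safe_entry_name "$entry"; then
      accepted=$((accepted + 1))
      printf 'accepted: %s\n' "$entry" >&2   # later use would be e.g. cp -- "$entry" "$dest/"
    else
      rejected=$((rejected + 1))
      printf 'rejected: %s\n' "$entry" >&2
    fi
  done
  printf '%s %s\n' "$accepted" "$rejected"
}

# Constructed sample listing: one benign name, one traversal attempt,
# one option-style name, and one name carrying shell syntax.
sample_listing() {
  printf '%s\n' 'survey_2025.pdf' '../../outside.txt' '-rf' 'promo;echo x.sh'
}

sample_listing | process_listing
```

Real archive listings should be read NUL-delimited rather than line by line, because an entry name may itself contain a newline; the allow-list above rejects such names in any case.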
References:
Advisory ID: NCC-CSIRT-2025-011
Summary:
Security experts have discovered an ongoing scam where fake online ads trick people into downloading bogus software. Instead of the real program, they get PS1Bot, a hidden tool that runs mostly in memory, so it is harder to detect. Once installed, it can stay on the computer, steal information, record keystrokes, take screenshots, spy on activity, and give hackers long-term remote access. This attack has been active all through 2025 and is still happening.
Damage/Probability: High/Critical
Product(s):
Windows-based Devices
Version(s):
All versions of Windows endpoints where users browse the web and can execute PowerShell
Platform(s):
Windows OS
Description:
Hackers are running an online ad scam where fake ads appear in search results. These ads lead people to websites that appear to offer popular software, but the downloads are infected.
When someone installs the fake program, a hidden tool called PS1Bot secretly runs in the background without leaving obvious files on the computer, making it harder for antivirus software to spot.
Once inside, PS1Bot can:
- Stay on the computer even after a restart.
- Steal saved passwords, browser data, and files.
- Record every key you press and take screenshots.
- Scan the computer and network to learn more about the target.
- Allow hackers to control the computer from far away and install other tools later.
Because it works mostly in memory and can change what it does over time, it is very hard to detect. This attack has been going on all through 2025, and it is still active.
Impacts:
- Theft of sensitive information, including credentials and corporate data.
- Potential foothold for ransomware or broader network compromise.
- Increased risk where PowerShell execution is unrestricted and ad filtering is absent.
Solutions:
- PS1Bot spreads through fake ads; stop it with technical defences and user awareness (education).
- Avoid clicking suspicious ads.
- Do not install software via ads; only install software from pre-approved sources (vendor portals, package managers, internal repositories).
- Only download software from official websites.
- Disable third-party cookies where possible; limit ad exposure using enterprise controls; enforce safe-browsing features.
- Block or restrict PowerShell script execution where it is not needed.
- Treat malvertising/SEO-poisoning as a primary initial-access vector in phishing programs.
References:
- https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
- https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html
- https://undercodenews.com/malvertising-menace-ps1bot-malware-campaign-uncovered-in-2025/
- https://advisory.eventussecurity.com/advisory/malvertising-campaign-delivers-multi-stage-ps1bot-stealer-framework/
- https://nubetia.com/new-ps1bot-malware-campaign-leverages-malvertising-for-multi-stage-in-memory-attacks/
- https://demandteq.com/new-ps1bot-malware-campaign-exploits-malvertising-for-stealthy-multi-stage-attacks/
Advisory ID: NCC-CSIRT-2025-010
Summary:
Security experts at ESET found a serious vulnerability in WinRAR (CVE-2025-8088) that hackers were already using. They sent specially made RAR files which, when opened in older versions of WinRAR, secretly installed harmful programs that run every time the computer starts. This gave attackers control through malware called RomCom, often sent in phishing emails. WinRAR has fixed the problem in version 7.13, and everyone should update immediately to stay safe.
Damage/Probability: MEDIUM/Critical
Product(s):
WinRAR for Windows
Version(s):
Versions before 7.13
Platform(s):
Windows OS
Description:
This security vulnerability affects WinRAR versions before 7.13. It lets hackers hide files in a RAR archive that, when opened, can put those files anywhere on your computer, not just in the folder you chose.
In real attacks, hackers sent these malicious RAR files in phishing emails. When people opened them, the files were secretly placed in the computer’s Startup folder so they would run every time the computer turned on. These files installed a harmful program called RomCom, which lets attackers control the computer, steal data, and spread to other systems.
The problem is fixed in WinRAR 7.13, which stops files from being placed outside the chosen extraction folder. Everyone should update as soon as possible.
Impacts:
If exploited, this flaw can let hackers break into computers, secretly install tools to keep access, steal passwords, move through other systems in the network, and possibly demand ransom or steal sensitive information. The risk is much higher for organizations that let staff open RAR files on their computers without security checks.
Solutions:
- Update WinRAR to the latest version (7.13+) or uninstall it if you do not require it. Use vendor downloads from the official site.
- Do not extract RAR files received by email unless you can validate the sender and expected content. Prefer vendors that provide password-protected downloads via trusted portals rather than email attachments.
- Enable endpoint protection and ensure it is up to date; run a full system scan if you recently opened a RAR attachment.
- If you suspect infection, disconnect the machine from networks, preserve evidence, and contact your IT/security team or a reputable incident response provider.
References:
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/
- https://franetic.com/google-data-breach-exposed-potential-ads-customer-info/
- https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/
- https://hackread.com/google-salesforce-data-breach-shinyhunters-vishing-scam/
Advisory ID: NCC-CSIRT-2025-009
Summary:
Researchers at the German cybersecurity firm ERNW disclosed three vulnerabilities affecting Airoha Bluetooth SoCs, chipsets commonly used in True Wireless Stereo (TWS) earbuds, headphones, speakers, and microphones from major vendors. The flaws could enable attackers to hijack devices within ~10 m Bluetooth range, access call history, contacts, audio streams, and even remotely activate microphones via the Hands-Free Profile (HFP).
Damage/Probability: MEDIUM/Critical
Product(s):
- Sony Microphone
- Bose QuietComfort/Noise Cancelling Earbuds
- JBL Live Earbuds
- Beyerdynamic Amiron Microphone
- Marshall ACTON/MAJOR/STANMORE Microphone
- Jabra Elite Microphone
Version(s):
- Sony (e.g., WH‑1000XM3/4/5)
- All versions of Bose QuietComfort/Noise Cancelling Earbuds
- JBL Live Buds 3
- Beyerdynamic Amiron 300
- All versions of Marshall ACTON/MAJOR/STANMORE
- Jabra Elite 8 Active
Platform(s):
Bluetooth
Description:
The researchers identified three security vulnerabilities in Airoha Bluetooth System-on-Chip (SoC) firmware used in a wide range of Bluetooth audio devices. These flaws exist in both Bluetooth Classic and Bluetooth Low Energy (BLE) protocols and primarily affect devices implementing the Hands-Free Profile (HFP) and proprietary debug interfaces.
1. CVE-2025-20700 – Unauthenticated GATT Access over BLE
Airoha SoCs expose BLE GATT services without proper access control. An attacker in range (~10 meters) can perform unauthenticated reads and writes to GATT characteristics. This allows:
- Extraction of metadata (e.g., media status, battery level)
- Memory manipulation and limited device control
2. CVE-2025-20701 – Unauthorized Access via Bluetooth Classic
Bluetooth Classic implementations fail to enforce authentication before accepting control commands. An attacker can:
- Connect to the device without pairing
- Hijack control channels used for media playback and HFP
- Initiate silent calls and activate voice assistants
3. CVE-2025-20702 – Exploitable Debug Protocol
Airoha firmware includes an undocumented debug protocol accessible over Bluetooth. This allows attackers to:
- Dump RAM and Flash memory
- Extract Bluetooth link keys and other sensitive data
- Inject or alter memory contents
- Activate microphone and audio streams remotely
Exploitation conditions include:
- Proximity: All exploits require physical proximity (typically <10 m).
- No user interaction: Attacks can be carried out without pairing or user consent.
- Complexity: Exploitation requires specialized knowledge, but available tools and public documentation lower the barrier for advanced attackers.
Impacts:
The flaws let nearby attackers secretly turn Bluetooth audio devices into listening tools, steal call data, and access device memory, posing a serious privacy and surveillance risk.
Solutions:
- Check for firmware updates from device vendors regularly—many are only beginning to release patches following Airoha’s SDK update.
- Temporarily disable Bluetooth or set devices to undiscoverable, especially in sensitive environments.
- Avoid using vulnerable audio devices where confidentiality is critical (e.g., meetings, investigations).
References:
- https://www.techradar.com/pro/security/this-worrying-bluetooth-security-flaw-could-let-hackers-spy-on-your-device-via-microphone
- https://www.archynewsy.com/bluetooth-security-hacker-microphone-spy-risk/#google_vignette
- https://www.blackhatethicalhacking.com/news/bluetooth-bugs-in-sony-bose-jbl-devices-could-let-hackers-spy-or-place-calls/#google_vignette
Advisory ID: NCC-CSIRT-2025-008
Summary:
Recent research by Cybernews has found about 30 leaked data collections containing nearly 16 billion stolen login details, the largest number ever recorded. Most of this information was gathered through infostealer malware (e.g., RedLine, Raccoon, Vidar, etc.), rather than through direct hacks of major companies. Although the data comes from many separate incidents, its massive size and recent nature make it a serious threat for large-scale misuse of login credentials.
Damage/Probability: HIGH/Critical
Product(s):
- Windows OS
- Web browsers
- Password managers
Version(s):
- Windows OS (all types and versions)
- Web browsers (all types and versions)
- Password managers (all types and versions)
Platform(s):
- Google (Gmail, Workspace)
- Apple (iCloud, Apple ID)
- Microsoft (Outlook, Office 365)
- Facebook / Meta
- GitHub
- Telegram
- Amazon
- Banking and fintech platforms
- Government (.gov) and enterprise accounts
Description:
Infostealer malware stole over 16 billion usernames, passwords, and session tokens from infected systems in a massive credential leak. Attackers delivered the malware through phishing emails, fake software installers, and malicious advertisements.
Once users executed the malware, it harvested the following from their systems:
- Credentials stored in browsers
- Session cookies and tokens, which are used to bypass multi-factor authentication (MFA)
- Autofill and clipboard data
The attackers then exfiltrated the stolen data to servers they controlled and compiled it into large breach datasets. This data enables them to take over accounts, perform credential stuffing attacks, commit identity theft, and bypass MFA protections.
This incident does not stem from a vulnerability in a specific product. Instead, it results from a widespread malware campaign targeting endpoint users worldwide.
Consequences:
- Account takeover, session hijacking, and identity theft across widely used online platforms.
- Organizational risk due to the exposure of corporate and government email credentials.
- Data can be used for phishing, financial fraud, or business email compromise (BEC).
Solutions:
A. Immediate Actions for All Users:
- Change all passwords, prioritizing financial, corporate, and administrative accounts.
- Enable Multi-Factor Authentication (MFA); prefer non-SMS methods (e.g., authenticator apps, hardware keys).
- Adopt passkeys/passwordless methods where available (Apple, Google, Facebook).
- Use reputable password managers to generate and store complex, unique credentials.
- Run endpoint malware scans to detect and remove infostealer infections.
- Monitor account activity and respond quickly to unauthorized access.
B. Organizational Measures:
- Enforce regular password rotations and MFA policies.
- Deploy EDR solutions and threat intelligence tools to detect infostealer presence (e.g., Hudson Rock, commercial EDR suites).
- Educate users on phishing and malware risks; implement training programs.
- Audit use of session tokens and cookies; enforce token invalidation on password reset.
- Restrict access to sensitive systems using least-privilege and enforce robust logging.
References: