Advisory ID: NCC-CSIRT-2025-027
Summary:
Elastic Security Labs discovered a new, fully featured Windows backdoor named NANOREMOTE that uses the Google Drive API as a stealthy channel for command-and-control (C2), payload staging and data exfiltration. NANOREMOTE implements a task management system for reliable file transfers (queueing, pause/resume, refresh token handling) and also speaks to a hard-coded non-routable HTTP endpoint for operator requests. The implant shows clear code and infrastructure overlap with the previously documented FINALDRAFT family (REF7707 activity cluster), suggesting a shared authoring environment or common operator.
Damage/Probability: Critical/High
Product(s):
- Microsoft Windows (desktop and server endpoints)
- Applications that can run userland loaders (e.g., MSVC/C++ runtime hosts)
- Any enterprise environment where Google Drive API endpoints are reachable from workstations
Version(s):
Not version-specific; any Windows system on which the NANOREMOTE implant or its loader (WMLOADER) can be executed is affected.
Platform(s):
Enterprise and government Windows hosts, especially in targeted sectors (telecom, government, defence, education, aviation, etc.).
Description:
Elastic Security Labs identified a multi-stage attack in which WMLOADER, disguised as a Bitdefender component, deploys the NANOREMOTE backdoor. The malware supports remote control, reconnaissance, and data exfiltration via Google Drive and encrypted HTTP communications, with shared artifacts indicating links to FINALDRAFT and possible shared development.
C2 and exfiltration mechanics: NANOREMOTE can register with Google Drive to refresh tokens and queue tasks for uploading exfiltrated files or downloading staged payloads. Operator requests can be processed either via Google Drive file exchange or via the implant's HTTP POST channel. This dual-channel design enhances resilience and stealth.
Attribution signals: Code similarities and shared cryptographic artifacts tie NANOREMOTE to the REF7707 cluster (also linked to FINALDRAFT / Squidoor), a group previously observed by multiple vendors (Unit42, Palo Alto Networks) targeting government and telecom entities. Symantec/Broadcom also reported related intrusions in October 2025. These correlations raise the likelihood of state-aligned espionage tradecraft.
Threat Types:
- Covert C2 abuse of legitimate cloud API (Google Drive API)
- Data staging & exfiltration via cloud storage APIs
- Multi-stage loader + backdoor (WMLOADER -> NANOREMOTE)
- Espionage / targeted information theft (REF7707-linked activity)
Impacts:
- Sensitive data can be staged and exfiltrated via trusted cloud services (e.g., Google Drive), reducing network detectability.
- The loader and backdoor provide remote code execution and persistent access, with legitimate cloud APIs and tokens hindering detection and attribution.
- Telemetry links the toolset to REF7707-like activity targeting government and critical sectors.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Isolate suspected WMLOADER/NANOREMOTE hosts and collect key forensic artifacts for analysis.
- Revoke suspicious OAuth refresh tokens and audit Google Drive account activity; rotate affected credentials.
- Scan endpoints for known WMLOADER/NANOREMOTE indicators and quarantine infected systems.
- Block identified C2 endpoints and monitor for NANOREMOTE-related HTTP POST traffic.
- Enforce least-privilege cloud access by restricting OAuth scopes, applying conditional access, and monitoring token anomalies.
- Strengthen email and endpoint controls to prevent loader delivery and detect malicious shellcode.
- If compromise is confirmed, rebuild affected hosts, rotate all exposed credentials, and share IOCs with NCC-CSIRT and the national CERT.
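As an added example (not Elastic's or NCC-CSIRT's code), the following Python sketch applies the "monitor token anomalies and Google Drive activity" recommendations above to constructed endpoint telemetry: it flags any host/process pair that refreshes Google OAuth tokens or calls the Drive API when the process is not on a sanctioned allowlist. The telemetry layout, the allowlist and the sample lines are assumptions.

```python
# Flag non-sanctioned processes that refresh Google OAuth tokens or call the
# Google Drive API, the behaviour pattern described for NANOREMOTE.
import re
from collections import defaultdict

# Google endpoints of interest: the OAuth token endpoint and the Drive v3 API
# (including the upload path used to push files into a Drive account).
GOOGLE_API = re.compile(
    r"^https://(oauth2\.googleapis\.com/token|www\.googleapis\.com/(upload/)?drive/v\d)"
)

# Processes this (assumed) organisation allows to talk to Google APIs; tune per site.
SANCTIONED = {"googledrivefs.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed endpoint telemetry (not real data): timestamp host image method url
SAMPLE_LOG = """\
2025-10-03T09:12:04Z WS-014 C:\\Program Files\\Google\\Drive File Stream\\GoogleDriveFS.exe GET https://www.googleapis.com/drive/v3/files
2025-10-03T09:13:11Z WS-014 C:\\Windows\\System32\\svchost.exe POST https://oauth2.googleapis.com/token
2025-10-03T09:13:12Z WS-014 C:\\Windows\\System32\\svchost.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
2025-10-03T09:13:40Z WS-014 C:\\Windows\\System32\\svchost.exe GET https://www.googleapis.com/drive/v3/files/FILEID?alt=media
2025-10-03T09:20:45Z WS-022 C:\\Program Files\\Mozilla Firefox\\firefox.exe GET https://www.googleapis.com/drive/v3/files
2025-10-03T09:21:00Z WS-022 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe POST https://oauth2.googleapis.com/token
2025-10-03T09:25:10Z WS-031 C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe POST https://oauth2.googleapis.com/token
"""


def parse_line(line):
    # The image path may contain spaces, so take method and URL from the right-hand end.
    ts, host, rest = line.split(" ", 2)
    image, method, url = rest.rsplit(" ", 2)
    return {"ts": ts, "host": host, "image": image, "method": method, "url": url}


def find_drive_c2_candidates(log_text):
    """Return {(host, image): counters} for every non-sanctioned process that
    touched the token endpoint or the Drive API."""
    findings = defaultdict(lambda: {"token_refresh": 0, "uploads": 0, "downloads": 0, "other": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not GOOGLE_API.match(ev["url"]):
            continue
        if ev["image"].rsplit("\\", 1)[-1].lower() in SANCTIONED:
            continue
        bucket = findings[(ev["host"], ev["image"])]
        if "oauth2.googleapis.com/token" in ev["url"]:
            bucket["token_refresh"] += 1      # refresh-token handling
        elif "/upload/" in ev["url"]:
            bucket["uploads"] += 1            # exfiltration / staging upload
        elif "alt=media" in ev["url"]:
            bucket["downloads"] += 1          # staged payload download
        else:
            bucket["other"] += 1
    return dict(findings)
```

Every flagged pair is a candidate for host isolation and OAuth token revocation, not a verdict; a legitimate sync client missing from the allowlist will show up the same way.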
References:
Advisory ID: ngCERT-2025-110010
SUMMARY
ngCERT alerts on escalating cyber-enabled financial scams by organised criminal networks targeting global financial systems. These scams are perpetrated by leveraging advanced technology and social engineering tactics, aimed at gaining illegal financial proceeds. In 2024 alone, global scam operations resulted in over $16.6 billion in losses to US victims, a 33% increase from the previous year, with Transnational Crime Organisations (TCOs) in Southeast Asia playing a central role. These networks employ forced labour in scam centres, AI-driven impersonation, and cryptocurrency laundering to target individuals and institutions. Recent international operations have led to thousands of arrests and asset seizures, but the threat persists, driven by high profits estimated at $3 trillion annually and evolving tactics. The severity, frequency and complexity of these scams underscore the need for individuals and financial institutions to implement proactive measures to safeguard their lives and systems.
Damage: Critical
Probability: High
Platform(s): Financial Systems
DESCRIPTION
These criminal networks operate like multinational corporations, establishing scam centres in regions with weak governance, such as Southeast Asia, where they coerce trafficked individuals into perpetrating fraud through debt bondage and violence. Key tactics include:
- Romance Baiting and Pig-Butchering Scams: Fraudsters build trust through dating apps or social media, posing as romantic interests or friends, then lure victims into fake cryptocurrency or investment platforms. Once invested, scammers drain funds, often using "USDT Token Approval Scams" where victims unknowingly grant wallet access through phishing links.
- Phishing and Impersonation: Mass phishing campaigns mimic banks or executives in Business Email Compromise (BEC) schemes, tricking users into transferring funds or credentials. Additionally, AI is used to produce deepfakes for voice and video calls.
- Money Laundering through Mule Networks: Nearly 2 million money mule accounts were reported in 2024, where recruited individuals (often scam victims themselves) launder illicit proceeds through legitimate financial channels, including virtual asset service providers (VASPs).
- Investment and E-Commerce Fraud: Fake online shopping sites or high-yield investment promises exploit economic vulnerabilities, with proceeds funnelled through stablecoins like Tether (USDT).
CONSEQUENCES
The ramifications of these scams are highlighted as follows:
- Economic Losses.
- Human Exploitation.
- Systemic Risks.
- Psychological and Societal Harm.
SOLUTION/MITIGATION
ngCERT recommends that financial institutions:
- Launch public campaigns to educate users on spotting romance scams, fake investments, and phishing while promoting 2FA and transaction cool-off periods.
- Deploy AI-powered behavioural biometrics and fraud detection systems to identify and block money mule accounts.
- Use advanced technology such as deepfake detection tools and real-time wallet monitoring, combined with cross-sector intelligence sharing, to disrupt scams early.
- Tighten KYC/AML rules for high-risk transactions and conduct coordinated international operations against scam call centres.
- Encourage immediate reporting of all cyber-scam incidents to ngCERT and relevant agencies for rapid response.
- Establish easy-to-access victim hotlines, fund recovery pathways, and train bank staff to engage coerced money mules instead of prosecuting them.
HYPERLINK
- https://www.biocatch.com/press-release/nearly-two-million-money-laundering-accounts-reported-in-2024
- https://www.interpol.int/en/News-and-Events/News/2024/USD-257-million-seized-in-global-police-crackdown-against-online-scams
- https://www.moodys.com/web/en/us/kyc/resources/insights/how-organized-crime-networks-operate-financial-scams.html
- https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-Financial-Fraud-assessment-A-global-threat-boosted-by-technology
Advisory ID: ngCERT-2025-110003
SUMMARY
ngCERT is issuing an alert on the infiltration of Pseudomanuscrypt malware, a sophisticated spyware campaign primarily impacting Windows OS. Notably, this mass-scale operation has infected over 35,000 systems globally, focusing mainly on industrial control systems (ICS) and government entities. In particular, Pseudomanuscrypt infiltration can lead to theft of sensitive credentials and data, potentially enabling follow-on ransomware attacks, financial fraud, and possible sabotage of critical infrastructure across various sectors. This underscores the need for individuals and organisations to take proactive steps to safeguard against Pseudomanuscrypt infiltration.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows (OS)
DESCRIPTION
Attackers spread Pseudomanuscrypt mainly through fake pirated software installers and cracks downloaded from malicious sites, often sourced from Malware-as-a-Service platforms or delivered through botnets like Glupteba. Once downloaded, a 7z self-extracting archive drops loaders (install.dll and install.dat) into the %TEMP% folder, decodes shellcode, and launches the main payload while creating persistence through registry keys and scheduled tasks. The malware subsequently establishes resilient command-and-control communication using the KCP protocol or DNS tunnelling, backed by a Domain Generation Algorithm to evade blocking. After gaining a foothold, it performs extensive reconnaissance, including logging keystrokes, capturing screenshots and video, stealing credentials and clipboard data, monitoring VPN connections, and mapping the network. It also pulls additional modules for deeper espionage or secondary infections, such as cryptocurrency miners.
CONSEQUENCES
A successful Pseudomanuscrypt malware infection can lead to:
- Theft of sensitive credentials, intellectual property, and operational data.
- Financial losses through fraud.
- Ransomware attacks.
- Sabotage and disruption of critical services and infrastructure.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following prioritised actions:
- Patch and update all systems, especially Windows and ICS software, disable unnecessary services and enforce least-privilege access.
- Deploy reputable antivirus solutions with behavioural detection configured for real-time scanning. Enable application whitelisting to block unauthorised executables.
- Avoid downloading cracked or pirated software; verify sources and use official channels. Educate users on phishing and malicious archives through regular awareness training.
- Implement EDR tools to detect anomalous behaviours like unusual C2 traffic. Segment ICS networks and monitor for persistence artifacts in %TEMP% and registry hives.
- If infected, isolate affected systems, scan with reputable tools, and reset credentials. Report incidents to ngCERT for coordinated response.
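As an added example (not ngCERT's or any vendor's code), this Python triage function applies the "monitor for persistence artifacts in %TEMP% and registry hives" advice above to a constructed inventory of Run-key values and scheduled-task actions, flagging entries that launch from a temp directory or reference the install.dll / install.dat loader names given in the advisory. The inventory format and sample entries are assumptions; on a real host the entries would be collected from the Run/RunOnce keys and the scheduled task list.

```python
# Triage Windows autostart entries for the Pseudomanuscrypt persistence pattern:
# a payload launched from %TEMP% and the loader file names install.dll / install.dat.
import re

# %TEMP% and the directories it usually expands to.
TEMP_DIR = re.compile(r"(%TEMP%|%TMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)", re.IGNORECASE)
LOADER_FILES = ("install.dll", "install.dat")  # loader names given in the advisory

# Constructed inventory (not from a real host): (source, entry name, command line).
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe C:\\Users\\alice\\AppData\\Local\\Temp\\install.dll"),
    ("SchedTask", "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "%systemroot%\\system32\\usoclient.exe StartScan"),
    ("SchedTask", "\\SystemCheck",
     "%TEMP%\\svchost.exe %TEMP%\\install.dat"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "%windir%\\system32\\SecurityHealthSystray.exe"),
]


def assess(entry):
    """Return the reasons an autostart entry looks like the loader pattern (empty if none)."""
    _source, _name, command = entry
    reasons = []
    if TEMP_DIR.search(command):
        reasons.append("launches from a temp directory")
    lowered = command.lower()
    hits = [f for f in LOADER_FILES if f in lowered]
    if hits:
        reasons.append("references loader file(s): " + ", ".join(hits))
    return reasons


def triage(entries):
    """Return only the suspicious entries as (source, name, reasons)."""
    out = []
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            out.append((entry[0], entry[1], reasons))
    return out


if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE_ENTRIES):
        print(f"{source} :: {name} -> {'; '.join(reasons)}")
```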
HYPERLINK
- https://breachspot.com/news/cyber-attacks/pseudomanuscrypt-malware-spreads-like-cryptbot-targeting-korean-users/
- https://thehackernews.com/2022/02/pseudomanuscrypt-malware-spreading-same.html
- https://thrive.trellix.com/s/article/KB95251?language=en_US
Advisory ID: ngCERT-2025-110004
SUMMARY
ngCERT is aware of a high-severity vulnerability which combines elements of CWE-287 (Improper Authentication) with a privilege escalation path identified in Microsoft Exchange Server hybrid deployments. This deployment connects on-premises Exchange servers to Exchange Online within Microsoft 365. The flaw, tracked as CVE-2025-53786, arises from weak authentication trust established between the two environments through a shared service principal. Attackers could exploit this weakness if they already hold administrative privileges on-premises and abuse this trust relationship to escalate privileges into the connected cloud environment. Consequently, individuals and organisations are advised to take immediate steps to protect their systems from exploitation by threat actors.
Damage: Critical
Probability: High
Platform(s): Microsoft Exchange Server (Hybrid Deployments)
DESCRIPTION
CVE-2025-53786 stems from improper authentication handling in hybrid Microsoft Exchange Server environments that link on-premises servers with Exchange Online. The flaw affects hybrid Microsoft Exchange setups and combines elements of CWE-287 (Improper Authentication) with a privilege escalation path. Threat actors with elevated privileges on the on-premises Exchange environment can exploit these weaknesses to request or forge tokens, thereby elevating their effective privileges in the cloud and gaining access to cloud services. This movement may occur without typical logging or controls catching the activity, complicating detection and response. Affected systems include Exchange Server 2016, 2019, and Subscription Edition that have not applied Microsoft’s April 2025 hybrid configuration update. Organisations are advised to apply the April 2025 or later Exchange Server hotfix to avoid being vulnerable to cross-environment privilege escalation.
CONSEQUENCES
Successful exploitation of CVE-2025-53786 could result in:
- Privilege escalation
- System compromise
- Persistence across environments
- Unauthorised cloud account access/takeover
- Data Exfiltration
- Lateral movement across a connected cloud environment
- Data tampering
- Reputational Damage
SOLUTION/MITIGATION
ngCERT recommends the following:
- Install the April 2025 or later Exchange Server hotfix on all on-premises servers in hybrid environments.
- Reconfigure the hybrid deployment to use a dedicated hybrid application in Entra ID instead of the legacy shared service principal model.
- Implement Microsoft’s Service Principal Clean-Up Mode to revoke and regenerate hybrid service principal credentials.
- Audit on-premises Exchange settings for hybrid status, update levels, shared principal use, admin access, and abnormal authentication activity.
- Restrict administrative privileges with the least privilege, enforce MFA, and monitor for suspicious admin activity.
- Implement logging and alerting for suspicious token requests, credential changes, and cross-environment access anomalies.
- If immediate patching isn’t possible, apply compensating controls like isolating the Exchange server, limiting outbound traffic, and monitoring hybrid token flows.
HYPERLINK
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
- https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
- https://techcommunity.microsoft.com/blog/vulnerability-management/mdvm-guidance-for-cve-2025-53786-exchange-hybrid-privilege-escalation/4442337
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
Advisory ID: ngCERT-2025-110002
SUMMARY
ngCERT is aware of widespread malicious activities linked to the Prometei botnet affecting multiple network infrastructures within Nigeria’s cyberspace. Prometei is a modular malware that targets Windows and Linux servers for credential theft, cryptocurrency mining, and proxy exploitation. Reports indicate that the malware exploits unpatched systems, weak authentication, and exposed services such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Notably, infections have been observed across finance, education, telecommunications and energy sectors, with implications for prolonged network compromise, large-scale credential harvesting, and use of infected systems as proxies for further attacks. Consequently, organisations are urged to strengthen patching routines, improve authentication security, and monitor for unusual system resource usage.
Damage: Critical
Probability: High
Platform(s): Windows and Linux Servers
DESCRIPTION
Prometei is a sophisticated, self-updating botnet with modular plugins that enable the targeting of both Windows and Linux environments. Initial access is achieved by exploiting exposed services, primarily Microsoft Exchange Server vulnerabilities (ProxyLogon/ProxyShell chains) and weak or default RDP/SSH credentials, among others. Brute-force attacks against SMB, RDP, and MSSQL are also common vectors. A successful Prometei intrusion delivers executable files (such as svchost.exe or systemd-journald) disguised as legitimate system files, escalates privileges using exploits like PrintNightmare or EternalBlue variants, and disables security tools. The malware uses domain generation algorithms (DGA), HTTP/HTTPS over non-standard ports mimicking legitimate traffic, and in newer variants, routes communication through Tor. Furthermore, it aggressively steals credentials, spreads laterally across networks and simultaneously turns infected systems into high-performance Monero miners. It also installs SOCKS5/HTTP proxies for resale on underground markets, and exfiltrates browser passwords and VPN configurations.
CONSEQUENCES
A successful Prometei infection could result in:
- Severe performance degradation.
- Data breach.
- System compromise.
- Financial losses.
- Exposure of national networks to global cybercrime operations.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Apply critical patches; disable legacy services like SMBv1.
- Enforce MFA and strong password policies.
- Segment networks and limit administrative access.
- Deploy EDR/XDR to detect abnormal processes and C2 traffic.
- Monitor for CPU spikes, mining processes, and failed login attempts.
- Conduct regular audits and access reviews.
- Isolate infected hosts and reset exposed credentials.
- Train staff on identifying early indicators of compromise.