Advisory ID: ngCERT-2025-080001
SUMMARY
ngCERT has identified malware tagged android.badbox2. The malware, also known as BadBox 2.0, is a large-scale Android malware supply chain threat which involves the pre-infection of consumer devices. The malware is embedded into the system firmware before the device reaches consumers, making it resistant to removal. Low-cost Android devices using the Android Open Source Project (AOSP), such as Android tablets, connected TV (CTV) devices, digital photo frames, phones etc., are often targeted. This malware enables activities like remote code execution, account abuse, and ad fraud. Organisations and individuals are advised to stay vigilant and prioritise device hygiene to mitigate Android.BadBox2 risks.
Probability: High
Damage: Critical
Platform(s): Android TV Boxes, Smart Projectors, Android Tablets, Digital Signage Players and Uncertified Smartphones
DESCRIPTION
Android.BadBox2 is a sophisticated malware campaign that targets uncertified Android devices, primarily those using the AOSP. The infection begins at the supply chain level, with malicious code embedded directly into system files such as ‘libanl.so’, before the device even reaches the user. In other cases, the malware spreads through “evil twin” apps, counterfeit versions of legitimate applications that are sideloaded from third-party sources.
Once installed, the malware connects to remote Command and Control (C2) servers, downloads additional payloads, and enables remote access via a component called BB2DOOR. This allows attackers to control the device, update malware, or install new modules silently. Once active, the malware enlists the device into a global botnet used for fraudulent activity. Infected devices are transformed into residential proxy nodes, allowing attackers to route malicious traffic through victims’ home networks. The malware also engages in ad and click fraud by launching hidden browser sessions that load ads in the background, consuming data and battery without the user’s knowledge.
With deep system integration, Android.BadBox2 can disable security features, avoid detection, and persist even through factory resets, thereby posing a serious threat to user privacy, network integrity, and global digital infrastructure.
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- System compromise.
- Unauthorised access to sensitive data.
- Data exfiltration.
- Reputational damage.
- Service Disruption leading to potential Denial of Service (DoS).
- Legal Implications.
SOLUTION/MITIGATION
The following recommendations should be observed to mitigate risks:
- Monitor network activity across all connected devices.
- Update software, firmware, and operating systems regularly.
- Avoid using unofficial app stores or sideloaded software.
- Be wary of too-good-to-be-true streaming solutions.
Advisory ID: NCC-CSIRT-2025-013
Summary:
Cybersecurity researchers have uncovered a large-scale phishing-as-a-service (PhaaS) infrastructure on Google Cloud and Cloudflare, which has been operational for years. This infrastructure utilizes fake websites that mimic real company login pages to steal passwords and bypass security codes. The attackers stay hidden by using expired domains and tricks that fool Google into seeing harmless content.
Damage/Probability: High/Critical
Product(s):
- Google Cloud Platform (GCP)
- Cloudflare Services
- Expired or Abandoned Domains
Version(s):
- Google Cloud Platform (GCP): Not version-specific (cloud services, not software releases).
- Cloudflare Services: Not version-specific (service-level abuse).
- Expired or Abandoned Domains: Any domains previously registered but left to expire.
Platform(s):
Google Cloud, Cloudflare, Re-registered / Expired Domains, and Open Redirect Services (e.g., Google Accelerated Mobile Pages (AMP), Software-as-a-Service (SaaS) platforms).
Description:
According to the cybersecurity experts, the attackers create fake websites that look exactly like the real login pages of well-known companies (including big defence, finance, and tech firms). Their goal is to trick people into entering their usernames, passwords, and even security codes. Once stolen, this information can be used to hack accounts, steal money, spread malware, or commit fraud.
The group has built an “empire” of fake sites, with almost 50,000 fake hosts across many servers. To stay hidden, they use clever tricks:
- They buy expired websites that already have a good reputation in Google search.
- They make sure Google’s systems see a harmless version of the site, while real users see the fake login page.
- They even load some images or files directly from the real company’s website, so the fake page looks even more convincing.
Because of these tactics, the operation managed to run for years without being shut down.
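As an added illustration (not part of the original advisory or of any referenced research), the following Python script shows one way a brand owner can turn the third trick above into a detection: when a cloned login page loads logos, stylesheets or favicons directly from the real site, the real site's web-server logs record those asset requests with a Referer pointing at a host the organisation does not own. The log lines, domain names and asset paths below are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines in combined log format (hypothetical hosts).
# Line 2 imitates a cloned login page hotlinking the real logo; line 5 is an
# API call with a foreign Referer, which is a different problem and is ignored here.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.com/login" "Mozilla/5.0"
203.0.113.11 - - [10/Sep/2025:10:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://example-bank-login.secure-verify.example/signin" "Mozilla/5.0"
203.0.113.12 - - [10/Sep/2025:10:01:09 +0000] "GET /static/favicon.ico HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Sep/2025:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 8000 "https://cdn.example-bank.com/portal" "Mozilla/5.0"
203.0.113.14 - - [10/Sep/2025:10:02:30 +0000] "GET /api/balance HTTP/1.1" 200 300 "https://evil.example/x" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_DOMAINS = ("example-bank.com",)   # hypothetical: domains the brand actually controls
BRAND_TOKENS = ("example-bank",)      # hypothetical: strings a lookalike host would reuse
ASSET_PREFIXES = ("/static/",)        # paths that serve logos, CSS and favicons


def is_own_domain(host: str) -> bool:
    """Exact match or subdomain of an owned domain; 'example-bank.com.evil.example' is not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def find_hotlinked_assets(log_text: str):
    """Return one record per brand-asset request whose Referer host is not ours."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines that do not parse
        path, referer = m.group("path"), m.group("referer")
        if not path.startswith(ASSET_PREFIXES) or referer == "-":
            continue                                  # only static assets with a Referer
        host = (urlsplit(referer).hostname or "").lower()
        if is_own_domain(host):
            continue
        hits.append({
            "referer_host": host,
            "path": path,
            "client": m.group("ip"),
            # a foreign host reusing the brand name is the strongest takedown candidate
            "lookalike": any(tok in host for tok in BRAND_TOKENS),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hotlinked_assets(SAMPLE_LOG):
        print(hit)
```

Run over real logs, the `referer_host` values are the hosts to review for takedown requests; setting a `Referer`/`Sec-Fetch-Site` based rule on the asset paths so that foreign origins receive a placeholder image instead of the real logo is a complementary mitigation.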
Impacts:
- Credential compromise and account takeover (ATO), including Multi-Factor Authentication (MFA) bypass where Adversary-in-the-Middle (AiTM) kits are used.
- Brand/reputation damage and potential regulatory exposure where cloned sites load legitimate brand assets.
- Downstream malware delivery (e.g., RATs via Cloudflare-hosted chains in adjacent campaigns).
Solutions:
What Users Should Do:
- Do not rely on search results for logins. Always type the web address yourself (e.g., www.yourbank.com) or use bookmarks you created earlier.
- Look carefully at website addresses. Fake sites often use unusual spellings or extra words.
- Use stronger sign-in methods. Where possible, use security keys or passkeys (FIDO2/WebAuthn) instead of just passwords and codes. These are very hard for attackers to steal.
- Be alert for suspicious redirects. If a link takes you through multiple pages before reaching a login, it could be a trap.
- Report suspicious sites. If you see a fake site pretending to be your organization, report it immediately to IT/security teams.
What Organizations Should Do:
- Protect your domains: Renew important website names on time so criminals can’t take them over.
- Monitor your brand: Regularly check if fake versions of your website exist and request takedowns quickly.
- Strengthen staff login security: Use multi-factor authentication, preferably phishing-resistant methods.
- Train employees: Remind staff to never log in through links in emails or search results.
References:
- https://www.darkreading.com/cloud-security/phishing-empire-undetected-google-cloudflare
- https://malwaretips.com/threads/phishing-empire-runs-undetected-on-google-cloudflare.137414/
- https://reporter.deepspecter.com/the-cloak-and-the-dagger-how-google-and-cloudflare-missed-a-global-phishing-empire-ed7176ebf82f
Advisory ID: NCC-CSIRT-2025-012
Summary:
Security experts have discovered a new type of cybersecurity attack targeting Linux systems. Criminals are hiding malicious code inside the names of files stored in a compressed archive (RAR file). This trick enables the malware to bypass many antivirus programs because the harmful code is not embedded within the file itself, but rather in the file’s name. Victims usually receive this malware through emails, pretending to be surveys or promotions. Once the attached .rar file is opened, the hidden code can run if the system or scripts process the filename in an unsafe way. The final result is the installation of a powerful backdoor program (called VShell) that gives attackers complete control of the infected system.
Damage/Probability: High/Critical
Product(s):
IoT devices and embedded systems running Linux
Version(s):
All versions of Linux systems, including servers, cloud platforms, IoT devices, and automated scripts that process RAR files
Platform(s):
Linux OS
Description:
Hackers have found a new way to attack Linux computers by hiding harmful code inside the names of files in a RAR archive. Normally, antivirus software looks inside files for threats, but in this case, the danger is in the filename itself, so it often goes undetected.
The attack usually starts with a fake email that has a .rar file attached. When the file is opened and the filenames are handled carelessly by the computer or scripts, the hidden code runs automatically. This code then downloads more malware, which installs a secret program called VShell.
Once installed, VShell gives the hacker full control of the computer: they can steal or delete files, run programs, spy on activity, or even use the machine to attack others. What makes this attack especially dangerous is that the malware runs only in the computer’s memory (not saved on disk), and it pretends to be a normal system process, making it very hard to notice or remove.
Impacts:
If the attack succeeds, hackers can take over a Linux system, steal sensitive data, disrupt services, and use the computer for other crimes, all while staying hidden.
Solutions:
- Be suspicious of unexpected attachments, especially .rar files. If you are not expecting it, do not open it.
- Update and secure scripts. If you use Linux scripts, avoid unsafe commands like eval and always quote filenames properly.
- Use security tools that monitor behavior, not just file content. Endpoint protection systems that watch for unusual memory activity are more likely to catch this.
- Restrict internet access on sensitive servers to only trusted websites.
- Stay aware! Even something as “harmless” as a filename can be weaponized.
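The second recommendation is the one that actually closes this hole, so here is an added example (not from the advisory or the underlying research) of what "handle filenames safely" looks like in a Python script that post-processes an archive listing. It does three things: it accepts only names from a plain-character allowlist, it passes names to external tools as separate arguments rather than through a shell, and, where a shell command string cannot be avoided, it quotes every name with `shlex.quote`. The member names are constructed, with a harmless `echo` standing in for any real payload; the allowlist is a hypothetical policy.

```python
import re
import shlex

# Allowlist of member names a script is willing to act on: a plain filename
# character set only, so shell metacharacters, control characters and path
# separators are all rejected. Hypothetical policy, not from the advisory.
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._ -]*')

# Constructed archive listing (what a listing tool might print), not real samples.
SAMPLE_MEMBERS = [
    "survey_results.pdf",
    "promo;echo injected.txt",        # ';' would end the command if interpolated unquoted
    "offer$(echo injected).txt",      # '$(...)' would be expanded by eval or an unquoted expansion
    "notes\necho injected.txt",       # a newline would start a second command line
    "../escape.txt",                  # not a metacharacter, but not a plain name either
    "quarterly report.xlsx",
]


def classify_members(names):
    """Split member names into (accepted, rejected) according to the allowlist."""
    accepted, rejected = [], []
    for n in names:
        (accepted if SAFE_NAME.fullmatch(n) else rejected).append(n)
    return accepted, rejected


def argv_for(tool, names):
    """Argument vector for subprocess.run(argv, shell=False): every name stays a
    single argument and is never parsed by a shell; '--' ends option parsing so a
    name starting with '-' cannot be read as a flag."""
    return [tool, "--", *names]


def shell_line_for(tool, names):
    """If a shell command string is unavoidable, quote every name with shlex.quote
    so the shell treats it as one literal word, metacharacters included."""
    return " ".join([tool, "--", *(shlex.quote(n) for n in names)])


if __name__ == "__main__":
    accepted, rejected = classify_members(SAMPLE_MEMBERS)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("argv:", argv_for("stat", rejected))
    print("quoted:", shell_line_for("stat", rejected))
```

The rejected list is also a useful alert in its own right: an archive whose member names contain `;`, `$(`, backticks or newlines has no legitimate reason to exist in a survey or promotion mailing, so logging those names gives the behaviour-based monitoring in the third recommendation something concrete to key on.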
References:
Advisory ID: NCC-CSIRT-2025-011
Summary:
Security experts have discovered an ongoing scam where fake online ads trick people into downloading bogus software. Instead of the real program, they get PS1Bot, a hidden tool that runs mostly in memory, so it is harder to detect. Once installed, it can stay on the computer, steal information, record keystrokes, take screenshots, spy on activity, and give hackers long-term remote access. This attack has been active all through 2025 and is still happening.
Damage/Probability: High/Critical
Product(s):
Windows-based Devices
Version(s):
All versions of Windows endpoints where users browse the web and can execute PowerShell
Platform(s):
Windows OS
Description:
Hackers are running an online ad scam where fake ads appear in search results. These ads lead people to websites that appear to offer popular software, but the downloads are infected.
When someone installs the fake program, a hidden tool called PS1Bot secretly runs in the background without leaving obvious files on the computer, making it harder for antivirus software to spot.
Once inside, PS1Bot can:
- Stay on the computer even after a restart.
- Steal saved passwords, browser data, and files.
- Record every key you press and take screenshots.
- Scan the computer and network to learn more about the target.
- Allow hackers to control the computer from far away and install other tools later.
Because it works mostly in memory and can change what it does over time, it is very hard to detect. This attack has been going on all through 2025, and it is still active.
Impacts:
- Theft of sensitive information, including credentials and corporate data.
- Potential foothold for ransomware or broader network compromise.
- Increased risk where PowerShell execution is unrestricted and ad filtering is absent.
Solutions:
- PS1Bot spreads through fake ads; stop it with technical defences and user awareness (education).
- Avoid clicking suspicious ads.
- Do not install software via ads; only install software from pre-approved sources (vendor portals, package managers, internal repositories).
- Only download software from official websites.
- Disable third-party cookies where possible; limit ad exposure using enterprise controls; enforce safe-browsing features.
- Block risky scripts like PowerShell if you do not need them.
- Treat malvertising/SEO-poisoning as a primary initial-access vector in phishing programs.
References:
- https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
- https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html
- https://undercodenews.com/malvertising-menace-ps1bot-malware-campaign-uncovered-in-2025/
- https://advisory.eventussecurity.com/advisory/malvertising-campaign-delivers-multi-stage-ps1bot-stealer-framework/
- https://nubetia.com/new-ps1bot-malware-campaign-leverages-malvertising-for-multi-stage-in-memory-attacks/
- https://demandteq.com/new-ps1bot-malware-campaign-exploits-malvertising-for-stealthy-multi-stage-attacks/
Advisory ID: NCC-CSIRT-2025-010
Summary:
Security experts at ESET found a serious vulnerability in WinRAR (CVE-2025-8088) that hackers were already using. They sent specially made RAR files which, when opened in older versions of WinRAR, secretly installed harmful programs that run every time the computer starts. This gave attackers control through malware called RomCom, often sent in phishing emails. WinRAR has fixed the problem in version 7.13, and everyone should update immediately to stay safe.
Damage/Probability: Medium/Critical
Product(s):
WinRAR for Windows
Version(s):
Versions before 7.13
Platform(s):
Windows OS
Description:
This security vulnerability affects WinRAR versions before 7.13. It lets hackers hide files in a RAR archive that, when opened, can put those files anywhere on your computer, not just in the folder you chose.
In real attacks, hackers sent these malicious RAR files in phishing emails. When people opened them, the files were secretly placed in the computer’s Startup folder so they would run every time the computer turned on. These files installed a harmful program called RomCom, which lets attackers control the computer, steal data, and spread to other systems.
The problem is fixed in WinRAR 7.13, which stops files from being placed outside the chosen extraction folder. Everyone should update as soon as possible.
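To make the fix concrete, here is an added Python example (not WinRAR's code and not derived from the vulnerability research) of the containment check an extractor or an archive-screening tool should perform before writing any member: resolve each member name against the chosen destination folder and refuse anything that lands outside it, including `..` sequences with either separator, absolute paths and drive-letter paths. The member names and destination folder are constructed assumptions.

```python
import os
import re

# A member name that starts with a drive letter, a slash or a backslash is an
# absolute path and must never be honoured, whatever the destination folder is.
ABSOLUTE_RE = re.compile(r'^([A-Za-z]:|[\\/])')

# Constructed archive listing; the traversal entries imitate the behaviour the
# advisory describes (files steered into folders the user did not choose).
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "images/logo.png",
    "../../../Users/Public/Desktop/file.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    "C:\\Windows\\Temp\\x.exe",
    "/etc/cron.d/job",
    "docs/../../escape.txt",     # normalises to ../escape.txt: outside
    "ok/../inside.txt",          # normalises to inside.txt: still inside, allowed
]


def is_safe_member(dest_dir: str, member: str) -> bool:
    """True only if extracting `member` under `dest_dir` stays inside dest_dir."""
    if "\x00" in member or ABSOLUTE_RE.match(member):
        return False
    rel = member.replace("\\", "/")        # treat both separators alike, as Windows does
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, rel))   # resolves every '..'
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:                     # paths on different drives (Windows)
        return False


def screen_entries(dest_dir: str, entries):
    """Return the member names that would escape the destination folder."""
    return [e for e in entries if not is_safe_member(dest_dir, e)]


if __name__ == "__main__":
    dest = os.path.join(os.getcwd(), "extract_here")   # need not exist for the check
    for entry in SAMPLE_ENTRIES:
        print("OK   " if is_safe_member(dest, entry) else "DENY ", repr(entry))
```

The same check is worth running on RAR attachments at the mail gateway or on an analysis host: a listing that contains even one denied entry is a strong indicator that the archive was built to exploit an unpatched extractor, regardless of what the files inside are called.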
Impacts:
If exploited, this flaw can let hackers break into computers, secretly install tools to keep access, steal passwords, move through other systems in the network, and possibly demand ransom or steal sensitive information. The risk is much higher for organizations that let staff open RAR files on their computers without security checks.
Solutions:
- Update WinRAR to the latest version (7.13+) or uninstall it if you do not require it. Use vendor downloads from the official site.
- Do not extract RAR files received by email unless you can validate the sender and expected content. Prefer vendors that provide password-protected downloads via trusted portals rather than email attachments.
- Enable endpoint protection and ensure it is up to date; run a full system scan if you recently opened a RAR attachment.
- If you suspect infection, disconnect the machine from networks, preserve evidence, and contact your IT/security team or a reputable incident response provider.
References:
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/
- https://franetic.com/google-data-breach-exposed-potential-ads-customer-info/
- https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/
- https://hackread.com/google-salesforce-data-breach-shinyhunters-vishing-scam/