Today’s roundup
Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions
FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging
ChatGPT's Memory Feature Supercharges Prompt Injection
World Economic Forum: Deepfake Face-Swapping Tools Are Creating Critical Security Risks
AI-Powered Truman Show Operation Industrializes Investment Fraud
Who Benefited from the Aisuru and Kimwolf Botnets?
China-linked UAT-7290 spies on telco in South Asia and Europe using modular malware
Chinese-speaking hackers exploited ESXi zero-days long before disclosure
Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)
Summary
Trend Micro patched CVE-2025-69258, a critical RCE flaw (CVSS 9.8) in Apex Central (on-premise Windows versions). Authenticated attackers could execute arbitrary code with SYSTEM privileges, necessitating immediate updates.
The FBI warned that the North Korean Kimsuky APT is using malicious QR codes in spear-phishing campaigns. These attacks target U.S. think-tank, academic, and government entities with the aim of credential theft.
A new WhatsApp worm, "Boto Cor-de-Rosa," spreads the Astaroth banking trojan across Brazil. It leverages victim contacts to auto-message malicious links, leading to widespread financial compromise.
A "ZombieAgent" exploit leverages ChatGPT's long-term memory for enhanced prompt injection attacks. This highlights an evolving threat vector for manipulating AI systems and potentially extracting sensitive data.
The World Economic Forum reports that commercial deepfake face-swapping tools pose critical security risks, enabling threat actors to bypass corporate security protections and defeat identity verification systems.
Check Point uncovered "Truman Show," a vast AI-powered operation industrializing investment fraud. This sophisticated campaign uses AI for convincing deceptions, significantly increasing financial scam effectiveness.
KrebsOnSecurity detailed the Aisuru and Kimwolf botnets, which infected over two million Android TV devices. The report exposed the beneficiaries of the associated proxy services and the botmasters' use of the Ethereum Name Service (ENS) for resilient C2.
China-linked UAT-7290 has spied on telcos in South Asia and Southeastern Europe since 2022. It uses modular Linux malware (RushDrop, DriveSwitch, SilentRaid, Bulbature) and is linked to APT10/PLA Unit 69010.
Chinese-speaking hackers exploited three VMware ESXi zero-days (CVE-2025-22226, -22224, -22225) over a year before disclosure. Delivered via compromised SonicWall VPNs, the exploit enabled VM escape and persistent hypervisor control.
A critical pre-authentication RCE (CVE-2025-52691, CVSS 10.0) was disclosed in SmarterTools SmarterMail. The flaw allows unauthenticated arbitrary file write via path traversal in the file upload endpoint, enabling server compromise.
Want to dig deeper?
Cyber Groups
| Group | Aliases |
| --- | --- |
| Kimsuky | Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail |
| menuPass | Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE |