Daily summary - 25.07.2025

End-of-Day report

Timeframe: Thursday 24-07-2025 18:00 - Friday 25-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a

News

Hacker sneaks infostealer malware into early access Steam game

A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam.

https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-malware-into-early-access-steam-game/


New Koske Linux malware hides in cute panda images

A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.

https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hides-in-cute-panda-images/


CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing

Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.

https://thehackernews.com/2025/07/castleloader-malware-infects-469.html


Phishers Target Aviation Execs to Scam Customers

KrebsOnSecurity recently heard from a reader whose boss's email account got phished and was used to trick one of the company's customers into sending a large payment to scammers. An investigation into the attacker's infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-customers/


From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944

In mid-2025, Google Threat Intelligence Group (GTIG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets.

https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944/


Vulnerabilities

Security updates for Friday

Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).

https://lwn.net/Articles/1031426/


Attacks against Citrix NetScaler CVE-2025-6543

https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve-2025-6543


CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-25-651/


Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6


CISA Releases Six Industrial Control Systems Advisories

https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-industrial-control-systems-advisories


Medtronic MyCareLink Patient Monitor

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01