Malware Activity
Hidden Threats in Everyday Tools and Emails Put Sensitive Data at Risk
These articles highlight how attackers are increasingly blending into normal business and development workflows to steal sensitive information without being easily detected. In one case, researchers discovered a malicious NuGet package disguised as a legitimate banking integration tool. The package quietly collected developer credentials, encrypted certificates, and even transaction data, then sent them to an external server, creating the risk of unauthorized access to financial systems and fraudulent activity. At the same time, a separate campaign uses realistic purchase order phishing emails with attached RAR files to lure employees into triggering a fileless malware infection known as PureLogs. Once opened, the malware runs silently in memory using trusted Windows tools, making it difficult for traditional security systems to detect. It then hides inside legitimate processes to gather browser credentials, session data, cryptocurrency wallets, and other sensitive information. Together, these incidents demonstrate a clear shift toward more subtle and sophisticated attacks that rely on trust, social engineering, and supply chain weaknesses. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets article
- HackRead: Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives article
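One practical response to the fileless chain summarized above is to alert on the process lineage rather than on a file hash. The script below is an added example and is not from the articles or from the researchers they cite: it walks Sysmon-style process-creation records and flags script hosts launched by a mail client or archive extractor, scripts run from a temporary extraction directory, and PowerShell flags that hide the window or decode a payload at run time. The event records are constructed, and the specific tool names treated as signals are an assumption about what "trusted Windows tools" means in this campaign.

```python
"""Flag process-creation events consistent with a fileless loader chain.

Added example (not from the article or the cited research). The events
below are constructed, and the tool and parent names used as signals are
an assumption about what "trusted Windows tools" covers in this campaign.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Built-in script hosts and proxy-execution binaries that can run a payload
# in memory without a compiled executable ever touching disk (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Parents that should rarely launch a script host directly; a mail client
# or archive extractor matches the RAR-attachment lure described above.
LURE_PARENTS = {"outlook.exe", "winrar.exe", "7zfm.exe", "explorer.exe"}

# Command-line flags that hide the console or decode a payload at run time.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"FromBase64String|IEX\b|Invoke-Expression|DownloadString)")

# Scripts executed straight out of a temporary extraction directory.
TEMP_PATH = re.compile(r"(?i)\\(Temp|AppData\\Local\\Temp)\\")


@dataclass
class Finding:
    event_id: int
    reasons: List[str]


def analyse(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches at least one signal, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image in SCRIPT_HOSTS:
        if parent in LURE_PARENTS:
            reasons.append(f"{image} spawned by {parent}")
        if TEMP_PATH.search(cmd):
            reasons.append("script host given a path under a Temp directory")
        if SUSPICIOUS_FLAGS.search(cmd):
            reasons.append("hidden-window or in-memory execution flags")
    return Finding(event["EventId"], reasons) if reasons else None


def scan(events) -> List[Finding]:
    """Run analyse() over a batch of events and keep only the hits."""
    return [f for f in map(analyse, events) if f is not None]


# Constructed sample events shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"EventId": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"EventId": 2,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\Documents\notes.txt"},
    {"EventId": 3,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"wscript.exe C:\Users\a\AppData\Local\Temp\Rar$DIa0\PO_4471.js"},
    {"EventId": 4,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.event_id, "; ".join(f.reasons))
```

Event 4 (an administrator running a plain PowerShell command from a shell) produces no finding, which is the point of combining parent, path and flag signals rather than alerting on every PowerShell start.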
Threat Actor Activity
Newly Documented GREYVIBE Using AI in Cyberattacks to Target Ukraine
GREYVIBE is a newly documented, Russian-speaking threat actor conducting persistent attacks against Ukraine and Ukraine-related targets since at least August 2025, as reported by WithSecure researchers. Its activity aligns with Kremlin intelligence interests, focusing on military, government, civilian, and business organizations. The group uses multiple delivery vectors, including spear-phishing emails, fake CAPTCHA pages, and fraudulent Ukrainian adult club and charity websites, to deploy custom obfuscators, loaders, and malware. Key attack chains include PhantomMail (phishing leading to JavaScript loaders and the PhantomRelay PowerShell RAT), PhantomClick (ClickFix-style CAPTCHA lures triggering PhantomRelay), and PrincessClub (fake adult sites delivering FallSpy Android spyware and LegionRelay/PhantomRelayV1 PowerShell RATs). These tools support file and browser data theft, screenshots, Telegram/WhatsApp exfiltration, and RDP setup. GREYVIBE heavily leverages GenAI and LLMs (e.g., ChatGPT, Gemini, Ideogram) to generate images, code, obfuscation, and backend tooling, speeding development and complicating attribution, but also introducing design flaws. WithSecure assesses the group as low-to-moderately sophisticated, sitting in a “grey area” between state-aligned espionage and cybercrime, with likely participation by current or former Russian cybercriminals.
Vulnerabilities
Critical IBM WebSphere Plug-In Vulnerability Enables Unauthenticated Remote Code Execution
IBM has disclosed a critical remote code execution (RCE) vulnerability affecting Web Server Plug-ins used with WebSphere Application Server and WebSphere Liberty deployments. The flaw, tracked as (CVSS 9.8/10), stems from improper control of code generation (CWE-94), allowing remote, unauthenticated attackers to send maliciously crafted HTTP requests that can trigger arbitrary code execution and potentially lead to full system compromise. The vulnerability also introduces HTTP request smuggling risks, enabling attackers to manipulate backend communications and bypass security controls. Affected versions include WebSphere Application Server and Liberty 8.5 and 9.0 environments using the optional Web Server Plug-ins component. Given WebSphere’s widespread use across enterprise and government networks, exploitation could provide a direct path into critical backend systems. CTIX analysts recommend following the IBM guidance by upgrading to the latest supported fix packs, applying interim fixes associated with APAR PH71342, monitoring for anomalous HTTP traffic, restricting external access to plug-in endpoints, deploying web application firewall protections, and conducting threat hunting activities to identify potential compromise. This vulnerability highlights the continued focus of threat actors on middleware and application infrastructure as high-value targets.
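The "monitoring for anomalous HTTP traffic" recommendation can be made concrete at the web tier. Request smuggling works when a front end (here, the web server carrying the plug-in) and the back-end application server disagree about where one request ends, and RFC 7230 treats a message that carries both Transfer-Encoding and Content-Length as suspect. The script below is an added example, not IBM's guidance or code: it parses the head of a raw HTTP request and reports the framing ambiguities a WAF or edge filter should log or reject before the request reaches WebSphere. The sample requests are constructed.

```python
"""Report ambiguous request framing that an edge filter should reject.

Added example, not from IBM's advisory. Signals are drawn from RFC 7230
section 3.3.3: conflicting Transfer-Encoding/Content-Length, duplicate
Content-Length values, and malformed Transfer-Encoding tokens. The sample
requests are constructed and carry no payload.
"""
import re
from typing import Dict, List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the request head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        if ":" not in line:
            continue  # malformed header line; ignored here
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_findings(raw: bytes) -> List[str]:
    """Return human-readable reasons why this request's length is ambiguous."""
    headers = parse_headers(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    if te and cl:
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(cl) > 1 and len(set(cl)) > 1:
        findings.append("multiple Content-Length headers with different values")
    for v in te:
        # A compliant sender writes exactly "chunked"; odd casing or extra
        # characters suggest an attempt to make two parsers disagree.
        if v != "chunked" and re.search(r"(?i)chunked", v):
            findings.append(f"obfuscated Transfer-Encoding value: {v!r}")
    for v in cl:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length: {v!r}")
    # parse_headers() strips whitespace, so check the raw bytes for a space
    # before the colon, which some parsers accept and others ignore.
    if re.search(rb"\r\n[Tt]ransfer-[Ee]ncoding\s+:", raw):
        findings.append("whitespace before colon in Transfer-Encoding header")
    return findings


# Constructed sample requests; bodies are inert.
SAMPLES: Dict[str, bytes] = {
    "normal": (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
               b"Content-Length: 5\r\n\r\nhello"),
    "cl_and_te": (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"0\r\n\r\n"),
    "dup_cl": (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
               b"Content-Length: 5\r\nContent-Length: 12\r\n\r\nhello"),
    "obf_te": (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
               b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"),
    "space_te": (b"POST /app HTTP/1.1\r\nHost: ws.example.internal\r\n"
                 b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
}


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each sample name to its findings (empty list means clean)."""
    return {name: framing_findings(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_all(SAMPLES).items():
        print(f"{name}: {reasons or 'clean'}")
```

At the edge, the safe policy for any non-empty result is to reject the request outright rather than normalise it, since normalising on one tier while the other tier still sees the original bytes is exactly the disagreement smuggling exploits.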
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.