ARTICLE
15 October 2025

Ankura CTIX FLASH Update - October 14, 2025

Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

MALWARE ACTIVITY

Advanced Spyware and Botnets Targeting Global Infrastructure

Recent cybersecurity reports highlight the rise of sophisticated malware campaigns, including the Android spyware ClayRat and the botnet RondoDox. Both campaigns demonstrate significant threat levels. ClayRat is actively targeting Russian users by impersonating popular apps such as WhatsApp, TikTok, and YouTube, with the malicious apps distributed through convincing phishing websites and Telegram channels. Once installed, it can steal messages, call logs, and notifications, and even place calls, showcasing its advanced surveillance capabilities. It uses realistic fake websites and stealthy techniques to bypass security measures, and it spreads by sending SMS messages to the victim's contacts, making it a persistent threat despite efforts from Google's Play Protect. Meanwhile, RondoDox emerged in 2025 as a powerful botnet exploiting over fifty (50) vulnerabilities across more than thirty (30) types of devices, including routers, DVRs, and web servers. It employs a broad "shotgun" approach targeting weaknesses such as command injection flaws, often without CVE designations, and rapidly rotates infrastructure to avoid detection. RondoDox's operators use loader-as-a-service models to distribute malware such as Mirai and Morte, enabling large-scale DDoS attacks, cryptocurrency mining, and network breaches. These threats underscore a trend towards more organized, automated, and wide-reaching cyber campaigns that exploit outdated software, weak credentials, and unpatched vulnerabilities, posing serious risks to internet infrastructure worldwide. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

THREAT ACTOR ACTIVITY

Russian Hacktivist Group Shuts Itself Down After Hacking a Fake Water Utility Honeypot

The pro-Russian hacktivist group TwoNet mistakenly believed they had successfully attacked a Dutch water facility, when in fact they had infiltrated a honeypot set up by cybersecurity firm Forescout. This decoy was designed to mimic critical infrastructure and study attacker behavior. TwoNet's intrusion involved tampering with system settings and disabling alarms, actions that could have been disruptive if executed on a real system. The incident highlights the growing trend of hacktivists targeting operational technology (OT) and industrial control systems (ICS) without fully understanding them, often blurring the lines between propaganda and genuine cyber operations. TwoNet initially focused on distributed denial-of-service (DDoS) attacks before attempting more sophisticated intrusions targeting SCADA systems in countries deemed hostile to Russia. Their claims mirror those of other pro-Russian groups, like CyberTroops and OverFlame, who have boasted of compromising control interfaces at critical infrastructure facilities. While TwoNet's attack was harmless, real-world hacktivist operations have had serious consequences, such as the Cyber Army of Russia Reborn (CARR) causing water tank overflows in Texas.

VULNERABILITIES

Active Exploitation of Gladinet CentreStack and Triofox Zero-Day Enables Remote Code Execution via LFI Chain

Threat actors are actively exploiting a critical zero-day vulnerability in Gladinet's CentreStack and Triofox platforms, which enables unauthenticated Local File Inclusion (LFI) leading to full system compromise. Discovered by Huntress on September 27, 2025, the flaw (tracked as CVE-2025-11371) allows attackers to read sensitive configuration files (specifically Web.config) to extract machine keys and chain the attack with a prior deserialization bug (CVE-2025-30406), achieving remote code execution (RCE) through ViewState abuse. The vulnerability affects all current and previous product versions, including 16.7.10368.56560, with no patch currently available. At least three (3) companies have already been targeted. Gladinet confirmed awareness and is notifying customers of temporary mitigations, which involve disabling the vulnerable temp handler in UploadDownloadProxy/Web.config. Although this workaround disrupts some platform functionality, it effectively blocks exploitation while users await an official fix. CTIX analysts urge any affected admins to follow the manual mitigation techniques provided by Gladinet and monitor for the release of a full patch.
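Because the first step of the chain described above is an unauthenticated read of Web.config, the request that performs it leaves a trace in the web server's access log. The following script is an added example, not code from Ankura or from Gladinet, showing how a defender can sweep IIS W3C extended logs for requests that reference Web.config or carry path-traversal sequences, including double-encoded ones. The log lines are constructed for illustration, the handler path in them is a placeholder rather than the real handler name, and the script assumes the #Fields header it embeds.

```python
"""Flag IIS requests that look like attempts to read Web.config via path traversal.

Added example; not part of the Ankura bulletin or Gladinet's guidance. The log
lines below are constructed, the handler path in them is a placeholder, and the
field layout assumes the IIS W3C extended format given in the #Fields header.
"""
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic); /proxy/HANDLER_PLACEHOLDER stands in
# for whatever handler an instance exposes.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-10-10 08:00:01 198.51.100.7 GET /portal/index.aspx - 200
2025-10-10 08:00:09 198.51.100.7 GET /proxy/HANDLER_PLACEHOLDER path=..%2F..%2FWeb.config 200
2025-10-10 08:00:10 203.0.113.9 GET /static/app.js - 200
2025-10-10 08:00:15 198.51.100.7 GET /proxy/HANDLER_PLACEHOLDER path=%2e%2e%5c%2e%2e%5cweb.CONFIG 200
"""

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # ../ or ..\ after decoding
CONFIG_RE = re.compile(r"web\.config", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_reasons(record):
    """Return the reasons a request looks like a config-file read via traversal."""
    stem = decode_fully(record.get("cs-uri-stem", ""))
    query = decode_fully(record.get("cs-uri-query", ""))
    target = f"{stem}?{query}"
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path traversal")
    if CONFIG_RE.search(target):
        reasons.append("web.config reference")
    return reasons


def scan_log(text):
    """Return an alert dict for every request that triggers at least one reason."""
    alerts = []
    for record in parse_w3c(text):
        reasons = suspicious_reasons(record)
        if reasons:
            alerts.append({
                "client": record["c-ip"],
                "method": record["cs-method"],
                "uri": record["cs-uri-stem"],
                "query": record["cs-uri-query"],
                "status": record["sc-status"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged request is the higher-confidence signal, since it indicates the server actually served the file rather than rejecting the path; a hit of this kind on a CentreStack or Triofox host should prompt rotation of the machine keys in Web.config in addition to applying Gladinet's mitigation, because a disclosed key is what makes the follow-on ViewState step possible.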

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
