⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More

Apr 21, 2025Ravie LakshmananCybersecurity / Hacking News

Can a harmless click really lead to a full-blown cyberattack?

Surprisingly, yes — and that’s exactly what we saw in last week’s activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren’t just tech issues — they’re habits being exploited.

Let’s walk through the biggest updates from the week and what they mean for your security.

⚡ Threat of the Week

Recently Patched Windows Flaw Comes Under Active Exploitation — A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

🔔 Top News

• North Korea Targets Crypto Developers with Fake Python Coding Challenges — The North Korea-linked threat actor known as Slow Pisces (aka Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899) is targeting developers, particularly in the cryptocurrency sector, to deliver new stealer malware under the guise of a coding assignment. These challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer. Jade Sleet is one of the several North Korean threat activity clusters to leverage job opportunity-themed lures as a malware distributor vector, the others being Operation Dream Job, Contagious Interview, Alluring Pisces, and Moonstone Sleet.
• Mustang Panda Targets Myanmar with New Tooling — The China-linked threat actor known as Mustang Panda targeted an unspecified organization in Myanmar with an updated version of its signature backdoor, TONESHELL, in addition to debuting four new attack tools: two keyloggers (PAKLOG and CorKLOG), a utility for facilitating lateral movement (StarProxy), and a driver to evade endpoint detection and response (EDR) software (SplatCloak). The findings demonstrate the continued evolution of the threat actor’s tradecraft to sidestep detection.
• European Diplomats Targeted in GRAPELOADER Attacks — The Russian state-sponsored threat actor known as APT29 has been attributed to an advanced phishing campaign that’s targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. The attacks involve the use of phishing emails that employ wine-tasting lures to entice message recipients into opening booby-trapped ZIP archives that lead to GRAPELOADER, a malware loader that’s capable of downloading and retrieving the next stage payload.
• Apple Fixes Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks — Apple has released fixes to address two security flaws that it said have come under active exploitation in the wild. The flaws, a memory corruption vulnerability in the Core Audio framework (CVE-2025-31200) and an unspecified vulnerability in RPAC (CVE-2025-31201), are said to have been weaponized in an “extremely sophisticated attack against specific targeted individuals on iOS.” However, the exact details surrounding the nature of the exploitation and who may have been targeted are not known. The issues have been addressed in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.
• UNC5174 Targets Linux Systems with SNOWLIGHT and VShell — A cyberspy crew with ties to China’s Ministry of State Security has infected global organizations with a stealthy remote access trojan (RAT) called VShell to enable its espionage and access resale campaigns. The attacks, attributed to UNC5174, use a mix of custom and open-source malware, including a dropper named SNOWLIGHT that paves the way for the in-memory malware VShell. Besides using VShell, UNC5174 has also used a new command-and-control infrastructure since January 2025. Primary targets of the campaign consist of U.S.-based organizations, although Hong Kong, Taiwan, Japan, Germany, and France are some of the other countries where SNOWLIGHT has been spotted. The campaign is believed to have been ongoing as far back as November 2024.

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-2492 (ASUS), CVE-2025-24054 (Microsoft Windows), CVE-2025-32433 (Erlang/OTP), CVE-2021-20035 (SonicWall Secure Mobile Access 100 Series), CVE-2025-31200, CVE-2025-31201 (Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS), CVE-2025-24859 (Apache Roller), CVE-2025-1093 (AIHub theme), and CVE-2025-3278 (UrbanGo Membership plugin)

📰 Around the Cyber World

• Google Makes :visited More Private — ​Google is finally taking steps to plug a long-standing privacy issue that, for over 20 years, enabled websites to determine users’ browsing history through the previously visited links. The side-channel attack stemmed from allowing sites to style links as “:visited,” meaning displaying them in the color purple if a user had previously clicked on them. This caused a privacy issue in that it could be abused to leak a user’s browser history, and worse, track them. However, with the release of Chrome 136 on April 23, 2025, Google is adopting what’s called triple-key partitioning that uses a combination of the link URL, top-level site, and frame origin. “With partitioning enabled, your :visited history is no longer a global list that any site can query,” the company said.
• Pegasus Targeted 456 Mexicans via WhatsApp 0-Day in 2019 — NSO Group’s notorious spyware Pegasus was used to target 1,223 WhatsApp users in 51 different countries during a 2019 hacking campaign, a new court document filed as part of a lawsuit filed by WhatsApp against NSO Group. The countries with the most victims of this campaign are Mexico (456), India (100), Bahrain (82), Morocco (69), Pakistan (58), Indonesia (54), Israel (51), Uzbekistan (43), Algeria (38), and Cyprus (31). Also targeted were victims in Spain (12), the Netherlands (11), Syria (11), Hungary (8), France (7), United Kingdom (2), and the United States (1). The court document with the list of victims by country was first reported by Israeli news site CTech. What’s more, a copy of a court hearing transcript obtained by TechCrunch found that the governments of Mexico, Saudi Arabia, and Uzbekistan were among the countries accused of being behind the 2019 hacking campaign, according to a lawyer working for the Israeli spyware maker. The development marks the first time NSO Group has publicly acknowledged its customers.
• Law Enforcement Action Dismantles Drug Trafficking Networks — Authorities have dismantled four major criminal networks responsible for fueling the flow of drugs into the European Union and Türkiye. A coordinated operation conducted by Belgium, France, Germany, the Netherlands, Spain, and Türkiye has resulted in the arrests of 232 suspects and seizures of EUR300 million worth of assets, including 681 properties and 127 vehicles. The law enforcement exercise has been codenamed Operation BULUT. “Using both traditional smuggling routes and sophisticated logistics, the groups were linked to the seizure of at least 21 tonnes of drugs in Europe and Türkiye, including 3.3 million MDMA tablets,” Europol said, adding the investigation was facilitated by intelligence extracted from encrypted communication platforms like Sky ECC and ANoM.
• Microsoft Plans to Disable ActiveX — Microsoft has announced it will begin disabling all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications later this month to mitigate security risks associated with the legacy framework. “When ActiveX controls are disabled, you will not be able to create new ActiveX objects or interact with existing ones,” the company said in a support document. “This change applies to Word, Excel, PowerPoint, and Visio.” The tech giant also noted that attackers could use deceptive tactics to trick recipients into changing their ActiveX settings, either via phishing emails or when downloading files from the internet.
• Thailand Pro-Democracy Movement Targeted by JUICYJAM — The pro-democracy movement in Thailand has been targeted by a “sustained, coordinated social media harassment and doxxing campaign” codenamed JUICYJAM since at least August 2020, the Citizen Lab has revealed. “The operation utilized an inauthentic persona over multiple social media platforms (primarily X and Facebook) to target pro-democracy protesters by doxxing individuals, continuously harassing them, and instructing followers to report them to the police,” the inter-disciplinary research organization said. “Through our analysis of public social media posts we determined that the campaign was not only inauthentic, but the information revealed could not have been reasonably sourced from a private individual.” The campaign has been attributed to the Royal Thai Armed Forces and/or the Royal Thai Police. “JUICYJAM’s tactics support a larger network of judicial harassment and democratic suppression that is infrequently enforced by social media platforms, but poses a significant threat to civil society,” it added.
• Attackers Increasingly Shift to NTLM Relay Attacks — Microsoft has warned that threat actors are “consistently” exploiting critical vulnerabilities in Exchange Server and SharePoint Server to gain a persistent foothold inside the target, and ultimately lead to remote code execution, lateral movement, and exfiltration of sensitive data. “More recently, attackers have shifted to NTLM relay and credential leakage techniques on Exchange,” the company said. “Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Meanwhile, in recent attacks on SharePoint, we observed increasingly stealthy persistence tactics, such as replacing or appending web shell code into existing files and installing remote monitoring and management (RMM) tools for broader access.”
• OpenID Connect Misconfigurations Within CI/CD Environments — Researchers have identified “problematic patterns and implementations” when it comes to the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments that could be exploited by threat actors to gain access to restricted resources. These threat vectors include loosely configured policies used by identity federations, reliance on user-controllable claim values, vendor-side credential handling, and the ability to leverage poisoned pipeline execution (PPE) in combination with permissive identity federation. “OIDC extends the OAuth protocol by adding a new token to the protocol, enabling applications to verify user identities and authorize access to resources using that token,” Palo Alto Networks Unit 42 said. “It plays a crucial role in ensuring secure and seamless authentication and authorization during CI/CD processes. Securing these implementations is critical, as OIDC is rapidly being adopted as the primary foundation for modern cloud authentication workflows.”
• Scammers Pose as FBI IC3 Employees to ‘Help’ Recover Stolen Funds — The U.S. Federal Bureau of Investigation (FBI) is warning that fraudsters are impersonating FBI Internet Crime Complaint Center (IC3) employees with offers to “help” fraud victims recover money lost to other scammers. “Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums,” the agency said. “Almost all complainants indicated the scammers claimed to have recovered the victim’s lost funds or offered to assist in recovering funds. However, the claim is a ruse to revictimize those who have already lost money to scams.”
• 4Chan Taken Offline After Hack — Controversial internet forum 4chan was breached and its internal data leaked after hackers gained shell access to its hosting server, likely doxxing the entire moderation team along with many of the site’s registered users. A 4chan splinter site called soyjack party, aka sharty, has claimed responsibility for the security breach and posted what they alleged was internal data on their rival website, including source code and information on moderators and janitors. A hacktivist group called the Dark Storm Team also claimed to have taken down the site on its Telegram channel, alongside BreachForums (“breachforums[.]st”). One 4chan janitor told TechCrunch that they are “confident” the leaked data and screenshots are real. In a screenshot shared by Hackmanac on X, the threat actors behind the breach revealed how they managed to gain access to the site’s internal systems: “4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/) They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded. Said PostScript file will be passed into Ghostscript to generate a thumbnail image. The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit. From there, we exploit a mistaken SUID binary to elevate to the global user.” The development comes as cybercrime forum Cracked.io has resumed operations under the new cracked[.]sh domain over two months after its earlier version hosted on “cracked[.]io” was seized in a joint law enforcement operation.
• Android Gets Inactivity Reboot Feature — Google has launched an optional security feature in Android that will automatically restart devices after three days of inactivity. After a restart, the phone (or any device that runs the operating system) enters a heightened security state called the Before First Unlock (BFU) where data is encrypted and inaccessible unless users enter the unlock pattern or PIN. The update is rolling out to users as part of an update to Google Play Services version 25.14. It’s worth noting that Apple introduced a similar iPhone Inactivity Reboot feature in iOS 18.1 that triggers a device restart after three days of being locked. The changes are seen as an attempt to make it more challenging to extract data from a phone, particularly by law enforcement using forensic tools made by Cellebrite or Magnet Forensics.
• Edge Network Devices Become Magnets for Initial Access — Compromised network edge devices, such as firewalls, virtual private network appliances, and other access devices, account for a quarter of the initial compromises of businesses in 2024, according to the Sophos Annual Threat Report. Additionally, VPN devices were targeted for initial access in 25% of ransomware and data exfiltration events last year. Some of the top observed malware families included web shells, Cobalt Strike, Akira, Lumma Stealer, LockBit, Fog, ChromeLoader, GootLoader, RansomHub, and Black Basta. “One trend that continues from previous years is the extensive use of generally available commercial, freeware, and open-source software by cybercriminals to conduct ransomware attacks and other malicious activity,” Sophos said. “Dual-use tools are different from living-off-the-land binaries (LOLBins) in that they are full applications deployed and used as intended by malicious actors, rather than operating system-supplied components and scripting engines.” Some of the top dual-use tools comprised SoftPerfect Network Scanner, PsExec, AnyDesk, Impacket, RDPclip, and Mimikatz.
• PRODAFT Plans to Buy Hacker Forum Accounts to Spy on Cyber Criminals — Cyber threat intelligence firm PRODAFT is encouraging users to cybercrime-focused dark web forums like XSS, Exploit.in, RAMP4U, Verified, and BreachForums to turn over a new leaf and sell their accounts in exchange for a cryptocurrency payment as part of an initiative called Sell your Source. The move goes beyond buying forum accounts to stealthily see what’s happening in the criminal underground. Users of these forums can also anonymously report a cybercrime if it’s something that’s unethical or against their values. “In a world of deception, we make ‘trust’ the ultimate weapon by turning hackers into whistleblowers,” said Can Yildizli, CEO of PRODAFT, in a statement shared with The Hacker News. However, it bears noting that only accounts created before December 2022 that aren’t on the FBI’s Most Wanted list will be considered. While the account transfer process is anonymous, PRODAFT will report account purchases to law enforcement authorities. The move is also meant to introduce a layer of psychological warfare, adding some level of uncertainty and paranoia when cybercriminals work with their counterparts, who may or may not be working with PRODAFT. “It could change the way that cybercriminals operate on the dark web and help to erode the loyalty between them,” the company added. “It remains to be seen whether dark web forums will introduce stricter vetting processes, new detection tools, or sweeping rules to ban old accounts in response.”
• Iranian National Charged in Connection With Nemesis Dark Web Marketplace — The U.S. Department of Justice announced that Iranian national Behrouz Parsarad, 36, has been charged for his alleged role as the founder and operator of the Nemesis dark web marketplace. The website facilitated the sale of drugs and cybercrime services between 2021 and 2024, when it was disrupted by law enforcement. “At its peak, Nemesis Market had over 150,000 users and more than 1,100 vendor accounts registered worldwide,” the DoJ said. “Between 2021 and 2024, Nemesis Market processed more than 400,000 orders.” Parsarad was sanctioned by the U.S. Treasury Department last month for running Nemesis. If convicted, Parsarad faces a mandatory minimum penalty of 10 years in federal prison and a maximum penalty of life.
• 83 Flaws Discovered in Vason Print — As many as 83 vulnerabilities have been disclosed in the Vason Print (formerly PrinterLogic) enterprise printer management solution that could allow an attacker to compromise instances, bypass authentication, facilitate lateral movement to clients, and achieve remote code execution. These vulnerabilities, which affect Windows, Linux/macOS, VA, and SaaS client versions, were reported between 2021 and 2024 by security researcher Pierre Barre.
• 35 Countries Use Chinese Networks for Routing Mobile User Traffic — U.S. allies like Japan, South Korea, and New Zealand are among the 35 countries where mobile providers employ China-based networks, including China Mobile International, China Telecom Global, China Unicom Global, CITIC Telecom International, and PCCW Global Hong Kong, for routing sensitive mobile traffic, opening travelers and residents in those nations to potential surveillance. “Although these providers play an important role in the global mobile ecosystem, they also introduce significant risks due to their transport of unencrypted signaling protocols like SS7 and Diameter, coupled with concerns stemming from state ownership and control,” iVerify said. “A major issue lies in the fact that these providers operate under the direction of the Chinese government, raising the risk of global surveillance, data interception, and exploitation for state-sponsored cyber espionage.”
• SheByte Phishing-as-a-Service (PhaaS) Exposed — Last year, LabHost suffered a major blow when its infrastructure was disrupted and 37 individuals were arrested as part of a law enforcement operation. But the void left by the PhaaS has been filled by yet another service dubbed SheByte since mid-June 2024. “SheByte initially offered many of the same features LabHost did, establishing themselves as the logical next platform for customers needing to find a new service,” Fortra said. “SheByte has proudly claimed that the operation is run by a single developer. Additionally, SheByte claims to keep no logs and use complete end-to-end encryption of stolen information.” The service is offered for $199 a month, with customizable phishing pages available for 17 Canadian banks, 4 U.S.-based banks, email providers, telecom companies, toll road collections, and crypto services. The premium membership also grants customers access to the platform’s LiveRAT admin dashboard which functions similarly to LabRAT, allowing them to monitor site visits in real-time. The development comes as a 24-year-old Huddersfield man, Zak Coyne, was sentenced in the U.K. to eight-and-a-half years in prison for his role in creating, operating, and administering the LabHost service, which was used by more than 2,000 criminals to defraud victims all over the world.
• SSL/TLS Certificate Lifespans to Fall to 47 Days by 2029 — The Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities, web browser vendors, and others, has unanimously voted to reduce the lifespan of new SSL/TLS certificates to 47 days over the next four years, down from the current time period of 398 days. From March 15, 2026, the lifespan of certificates and their Domain Control Validation (DCV) will be cut down to 200 days. On March 15, 2027, it will shrink to 100 days. By March 15, 2029, new SSL/TLS certificates will last only 47 days. The shorter certificate renewal is seen as an effort to “protect private keys from being compromised by limiting the time they are exposed to potential threats, ultimately reducing the risk of man-in-the-middle attacks and data breaches,” Sectigo said.
• Mobile Apps Fail Basic Security Measures — An analysis of 54,648 work apps (9,078 for Android and 45,570 for iOS) from official app stores has uncovered several security risks, with 103 Android apps using unprotected or misconfigured cloud storage. Ten other Android apps have been found containing exposed credentials to AWS cloud services. “88% of all apps and 43% of the top 100 use one or more cryptographic methods that don’t follow best practices,” Zimperium said. This included hard-coded cryptographic keys, the use of outdated algorithms like MD2, insecure random number generators, and the reuse of cryptographic keys. These security failures could allow attackers to intercept, decrypt, and gain unauthorized access to sensitive enterprise data.
• Microsoft Uses AI to Find flaws in GRUB2, U-Boot, Barebox Bootloaders — Microsoft said it leveraged Microsoft Security Copilot to uncover several vulnerabilities in multiple open-source bootloaders like GRUB2, U-boot, and Barebox that could allow threat actors to gain and execute arbitrary code. “While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker,” Microsoft researcher Jonathan Bar Or said. Bootkits can have serious security implications as they can grant threat actors complete control over the device and result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement. Following responsible disclosure, the issues have been addressed as of February 2025.

🎥 Cybersecurity Webinars

1. AI-Powered Impersonation Is Beating MFA—Here’s How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you’ll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action.
2. Smart AI Agents Need Smarter Security—Here’s How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way.

🔧 Cybersecurity Tools

• dAWShund — AWS has powerful tools for managing cloud security — but those same tools can be misused if not closely monitored. dAWShund is a Python framework that helps security teams find, check, and map AWS permissions across accounts and regions. It’s made up of three tools: one to list resources and policies, one to test what actions are allowed, and one to visualize it all using graphs. Whether you’re on defense or offense, dAWShund helps you spot risky access before attackers do.
• Tirreno — It is an open-source fraud prevention tool you can host yourself. Built with PHP and PostgreSQL, it helps you monitor user activity and spot suspicious behavior across websites, apps, SaaS platforms, and online communities. From stopping fake signups and bot traffic to flagging high-risk merchants, Tirreno gives you real-time analytics and smart risk signals — all with a quick 5-minute setup on your own server.

🔒 Tip of the Week

Stop Spam Before It Starts: Use Burner Emails the Smart Way — Most people use the same email everywhere — but when one company leaks or sells your address, your inbox starts filling with spam or phishing emails. A smarter way is to use a burner email system, where you give each company a unique email like netflix@yourdomain.com. To do this, buy a cheap domain (like myaliashub.com) and set up free forwarding with services like ImprovMX or SimpleLogin. Every email sent to any name on that domain will land in your main inbox. If one starts getting spam, just delete or block it — problem solved, no need to change your real email.

If you use Gmail, you can add +something after your name, like alex+uber@gmail.com, and Gmail will still deliver it. This helps you track who shared your email and set filters, but it’s not very private since your real email is still visible. Some websites also block + emails. A better long-term option is to connect a custom domain to Gmail through Google Workspace, which gives you real aliases like shop@yourdomain.com with full control and spam filtering.

Apple users can use Hide My Email (built into iOS and macOS). It creates a random email like x2k4@privaterelay.appleid.com for each website, and forwards messages to your iCloud inbox. You can disable or delete these anytime. It’s great for signups, subscriptions, or trials where you don’t want to share your real email. For even more control, Apple lets you use custom domains too. These tools help you stay organized, stop spam early, and quickly trace any leaks — all without needing to change your main email ever again.

Conclusion

This week made it clear: attackers aren’t just hunting for big holes — they’re slipping through tiny cracks we barely notice. An outdated security setting. A forgotten endpoint. A tool used slightly out of spec. And just like that, they’re in. We’re seeing more cases where the compromise isn’t about breaking in — it’s about being invited in by accident. As systems grow more connected and automated, even the smallest misstep can open a big door.

Stay sharp, stay curious — and double-check the things you think are “too minor to matter.”