This week, we briefed our clients on how Gootloader bypasses cybersecurity tools. We also show how ShinyHunters uses vishing to access major SSO portals.
KEY TAKEAWAYS
Newest Gootloader variant uses malformed ZIP archives to bypass security tools.
SSO platforms actively targeted with sophisticated vishing attacks, ShinyHunters takes credit.
Critical and high-severity vulnerabilities in Fortinet, Cisco, Zoom, Oracle, Palo Alto, and telnet, plus updates to CISA KEV, patch now!
Security researchers at Expel have recently detailed new techniques being used by Gootloader malware. Gootloader is what is known as initial access malware: it allows threat actors to gain an initial foothold in an environment, and that access is typically sold to ransomware operators. Gootloader has recently been documented as associated with Rhysida ransomware. One of Gootloader's main strengths is its ability to bypass a wide range of security tools, and the new technique it leverages is a key component of these bypasses.
How it Works
The mechanics of the malware are highly technical and are beyond the scope of this article, but at a high level, the new version of Gootloader works as follows:
How to Protect Your Organization
Since static (hash) detections are not a viable way to detect or prevent Gootloader execution, defenders should instead focus on behavioral characteristics of this malware. After a victim machine successfully unarchives the ZIP file, the user will be presented with a JScript file. If the user double-clicks it, the JScript file will run using Windows Script Host (WScript). Per the documentation from Expel, "since the file isn't explicitly extracted from the ZIP and saved to disk, WScript will execute the JScript from a temporary folder."
Fig. 1: Process tree for the JScript execution via WScript | Source: Expel
This artifact is a key detection and prevention opportunity. Defenders can prevent Gootloader (and any other JScript- or JavaScript-based malware) from executing on a host by changing the default program that opens these file types. This can be accomplished via GPO, where administrators can set the default program to Notepad, which prevents the file from executing when double-clicked. Review your environment first to confirm that no applications require this functionality. The following CrowdStrike query (written by Andrew Oesterheld) can be used to find where wscript.exe is used in your environment:
#event_simpleName = ProcessRollup2
| ImageFileName = *wscript* OR CommandLine = *WScript* OR CommandLine = *wscript*
| groupBy([CommandLine, ParentBaseFileName, ComputerName, UserName])
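As an added example that is not part of the original report or Expel's research, the following Python triage logic applies the same behavioral idea to constructed process events shaped like the ProcessRollup2 fields used in the query above: it flags WScript/CScript launches whose script argument lives in the user's Temp folder (the Temp1_<archive>.zip path is where Explorer's built-in ZIP handler stages a double-clicked file) and whose parent is explorer.exe. The field names and sample events are assumptions for illustration.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Explorer stages a file opened straight from a ZIP under %TEMP%\Temp1_<archive>.zip\
ZIP_STAGING_RE = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)

# Constructed sample events (not real telemetry); field names mirror the query above.
SAMPLE_EVENTS = [
    {"ImageFileName": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement.zip\agreement_template.js"',
     "ParentBaseFileName": "explorer.exe", "ComputerName": "WS01", "UserName": "alice"},
    {"ImageFileName": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
     "ParentBaseFileName": "cmd.exe", "ComputerName": "SRV02", "UserName": "svc_inv"},
    {"ImageFileName": r"C:\Windows\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"',
     "ParentBaseFileName": "explorer.exe", "ComputerName": "WS03", "UserName": "bob"},
]


def script_path(cmdline):
    """Return the first quoted or bare token that ends in a script-host extension."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        token = quoted or bare
        if token.lower().endswith(SCRIPT_EXTS):
            return token
    return None


def triage(event):
    """Score one process event; None when it is not a script-host launch of a script."""
    image = event["ImageFileName"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    path = script_path(event["CommandLine"])
    if path is None:
        return None
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("script executed from user Temp folder")
    if ZIP_STAGING_RE.search(path):
        reasons.append("script opened directly from a ZIP archive")
    if event["ParentBaseFileName"].lower() == "explorer.exe":
        reasons.append("launched by double-click (parent explorer.exe)")
    return {"computer": event["ComputerName"], "user": event["UserName"], "script": path,
            "severity": "high" if len(reasons) >= 2 else "low", "reasons": reasons}


def find_suspicious(events):
    """Return only the high-severity findings, e.g. for an alert queue."""
    return [hit for hit in map(triage, events) if hit and hit["severity"] == "high"]
```

Legitimate admin scripts launched from cmd.exe or a scheduler still appear as low-severity findings, which is the list to review before repointing the .js/.jse file association to Notepad.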
Additional detection opportunities per the Expel research:
Resources
https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html
https://redcanary.com/blog/threat-intelligence/notepad-javascript/
Last week, Okta Threat Intelligence published details of multiple phishing kits that are enabling sophisticated voice-based social engineering attacks, also known as "vishing". Per their research, these kits are designed to help threat actors gain access to the SSO portals of Google, Microsoft, Okta, and multiple cryptocurrency providers. Okta provides the following breakdown of a typical attack sequence:
Due to the nature of SSO, once the threat actor has gained access to the portal, they now have access to every app that is connected to that account. This access typically leads to data theft and extortion.
A day after the article was published by Okta, the ShinyHunters extortion group claimed they were behind some of these attacks. The group claims it is continuing to focus on targeting Salesforce and its customers, whom it has been targeting since late 2025.
How to Protect Your Organization
Resources:
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
https://www.okta.com/sites/default/files/2024-02/Step-by-step%20guide%20to%20becoming%20phishing%20resistant%20with%20Okta%20FastPass.pdf
https://help.okta.com/en-us/content/topics/security/network/network-zones.htm
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/
https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/
Vulnerability Roundup
Fortinet recently published an advisory confirming active exploitation of previously patched SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). These "Improper Verification of Cryptographic Signature" vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager devices with FortiCloud SSO enabled (this feature is not enabled by default). While these vulnerabilities were patched in December 2025, Fortinet has confirmed that threat actors have found a way to bypass the patch and are still able to exploit the vulnerabilities. Per the new advisory, Fortinet recommends restricting administrative access to local subnets only and disabling the FortiCloud SSO feature on the device. Administrators should also check the devices for any logons from the accounts "cloud-noc@mail[.]io" and "cloud-init@mail[.]io", as well as for local admin account creation with the following account names: audit, backup, itadmin, secadmin, support.
Cisco has released a fix for a zero-day vulnerability affecting Cisco AsyncOS in Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM). The vulnerability, tracked as CVE-2025-20393, only affects these devices in non-standard configurations, where the Spam Quarantine feature is enabled and exposed to the internet. Affected software releases and their fixed versions, as well as instructions for applying the upgrades, can be found here. Administrators are urged to apply the patch as soon as possible, as this vulnerability is under active exploitation.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Last week, Cisco disclosed a critical remote code execution (RCE) vulnerability affecting multiple products, including Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance. Tracked as CVE-2026-20045, the vulnerability allows an attacker to send specially crafted HTTP requests to the web-based management interface of a vulnerable device, gain user-level access to the underlying OS, and then elevate to root privileges. For a full listing of vulnerable versions and their corresponding fixes, see the Cisco advisory here.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Zoom recently disclosed a critical command injection vulnerability affecting Zoom Node Multimedia Routers (MMRs). The vulnerability, tracked as CVE-2026-22844, affects Zoom MMRs prior to version 5.2.1716.0. Per the advisory, any meeting participant can exploit this vulnerability. Administrators are urged to patch as soon as possible. Instructions for applying upgrades to Zoom Nodes can be found here.
Oracle recently disclosed a maximum-severity vulnerability in the Oracle HTTP Server, Oracle WebLogic Server Proxy Plug-in product of Oracle Fusion Middleware (components: WebLogic Server Proxy Plug-in for Apache HTTP Server, WebLogic Server Proxy Plug-in for IIS). The vulnerability, tracked as CVE-2026-21962, allows an unauthenticated attacker with network access via HTTP to compromise the server, resulting in unauthorized creation, deletion, or modification of critical data. Due to the ease of exploitation and the publicly available proof-of-concept exploit code, administrators are urged to patch as soon as possible.
Security researchers have discovered an authentication bypass vulnerability that has been present in the GNU InetUtils telnetd server for over 11 years. Tracked as CVE-2026-24061, it allows an attacker to simply set the USER parameter to "-f root" using the telnet -a command to skip the authentication process and gain root access on the affected system. Administrators are strongly encouraged to disable telnet in the environment and use secure remote shell access such as SSH instead.
Palo Alto Networks recently disclosed a high-severity denial-of-service (DoS) vulnerability affecting PAN-OS in GlobalProtect Gateway and Portal. The vulnerability, tracked as CVE-2026-0227, allows an unauthenticated attacker to cause a denial of service on the firewall; repeated attempts to trigger the vulnerability result in the firewall entering maintenance mode. For a full list of vulnerable versions and their corresponding fixed versions, see the Palo Alto advisory here.
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.