Cyber Security Weekly Briefing, 5-11 April

April 11, 2025

Microsoft fixes an actively exploited 0-day in its April Patch Tuesday

Microsoft has released its Patch Tuesday for April 2025, in which a total of 134 vulnerabilities have been fixed, including a 0-day security flaw that was being actively exploited. Among the fixed bugs, eleven critical vulnerabilities related to remote code execution stand out. The bug breakdown includes 49 elevation of privilege vulnerabilities, 31 remote code execution vulnerabilities, 17 information disclosure vulnerabilities, 14 denial of service vulnerabilities, 9 security function bypass vulnerabilities and 3 impersonation vulnerabilities.

Specifically, the 0-day vulnerability identified as CVE-2025-29824 (CVSSv3 7.8 according to Microsoft) affects the Windows Common Log File System (CLFS) driver and allows local attackers to gain SYSTEM privileges. Microsoft confirmed that this vulnerability was used by the RansomEXX ransomware group to escalate privileges on compromised systems. At the moment, patches are only available for Windows 11 and Windows Server, with updates for Windows 10 still pending. Microsoft has indicated that these will be available soon.

More info

Analysis of NeptuneRAT

CYFIRMA has published an analysis of the new version of NeptuneRAT, a remote access trojan (RAT) developed in Visual Basic .NET that represents a significant threat to Windows users. Created by ABOLHB and RINO, members of the Freemasonry group, this malware is distributed through platforms such as GitHub, Telegram and YouTube, where it is promoted as the “most advanced RAT”, attracting both beginners and experienced malicious actors.

Its features include the extraction of credentials from more than 270 applications, the alteration of cryptocurrency wallet addresses copied to the clipboard, the ability to deploy ransomware through internal modules such as Ransomware.dll, and real-time monitoring of the victim's desktop. In addition, it can disable antivirus software and manipulate the system registry to ensure its persistence. NeptuneRAT uses advanced obfuscation techniques, such as the use of Arabic characters and emojis in its code, to make it difficult to analyze and detect.

Although its developers claim that it is a free version intended for educational and ethical purposes, they hint at the existence of a more advanced version available for a fee.

More info

The evolution of Russian cybercrime: sophistication, resilience, and new global threats

A new Trend Micro report analyzes the evolution of the Russian-speaking cybercriminal ecosystem, describing it as the most sophisticated and resilient in the global landscape. The ecosystem is characterized by the use of advanced tools, strict internal standards, niche markets and a culture that favors collaboration between malicious actors.

Rooted in a strong technical background and a high tolerance for risk, these groups have expanded their operations into sectors such as IoT, telecommunications and Web3, leveraging biometric data, social networks and deepfakes for massive scams. Furthermore, despite the fact that some forums prohibit talk of ransomware, its associated services continue to be active.

There is also an increasing convergence between physical and digital crime, and greater involvement of actors aligned with geopolitical interests. Geopolitical conflicts have shifted targets and alliances, and in some cases direct where attacks are aimed. The report highlights the need to adopt cyber risk exposure management (CREM) frameworks based on strategic intelligence to anticipate these threats.

More info

RCE bug patched in WhatsApp Desktop for Windows

Facebook has disclosed and fixed a vulnerability in WhatsApp Desktop for Windows. The flaw, tracked as CVE-2025-30401 (CVSSv3 of 6.7 according to CISA), would allow attackers to exploit mismatched file metadata to execute arbitrary code (RCE) on vulnerable systems. The flaw stems from a spoofing issue in the way WhatsApp handles attachments.

The app displays incoming attachments based on their MIME type but selects the file opening handler based on the extension of the attachment file name. This mismatch could be exploited to create a seemingly harmless file but one that executes malicious code when opened. The bug affects WhatsApp Desktop for Windows on all versions prior to 2.2450.6.

Users of WhatsApp for mobile or macOS are not affected. It is recommended to upgrade to version 2.2450.6 or later to mitigate the flaw, and to avoid opening attachments from untrusted or suspicious sources.
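The root cause above is a disagreement between the type a message declares for an attachment and the handler the file name's extension selects. The following is an added example (not WhatsApp's code, and not from the advisory) of the consistency check a client or mail/chat gateway can apply before handing a file to the operating system: a file whose extension selects an execution handler is blocked regardless of the declared MIME type, and a file whose extension implies a different type than declared is flagged. The executable-extension list is a constructed starting point, and the Windows trailing-dot/space normalization is applied so that names such as `photo.jpg.exe.` are not misread.

```python
import mimetypes
import os

# Extensions that Windows hands to an execution handler (program loader,
# script host, installer, shortcut resolver) rather than to a viewer.
# Constructed list for this example; extend it from your own policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk",
}


def normalize_name(filename: str) -> str:
    """Apply Windows name normalization: trailing spaces and dots are dropped
    when the file is created, so 'photo.jpg.exe.' really becomes 'photo.jpg.exe'."""
    return filename.strip().rstrip(" .").lower()


def classify_attachment(declared_mime: str, filename: str) -> tuple[str, str]:
    """Compare the MIME type declared for an attachment with the handler the
    file name's extension would select.

    Returns (verdict, reason) where verdict is one of:
      "block"    - extension selects an execution handler, whatever the MIME says
      "mismatch" - extension maps to a different type than the declared one
      "review"   - extension unknown, consistency cannot be confirmed
      "ok"       - declared type and extension agree
    """
    name = normalize_name(filename)
    ext = os.path.splitext(name)[1]
    # Drop parameters such as "; charset=..." before comparing.
    declared = declared_mime.split(";")[0].strip().lower()

    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"declared {declared!r} but {ext!r} opens with an execution handler"

    guessed, _ = mimetypes.guess_type(name)
    if guessed is None:
        return "review", f"no known type for extension {ext!r}"
    if guessed.lower() != declared:
        return "mismatch", f"declared {declared!r} but extension {ext!r} implies {guessed!r}"
    return "ok", f"{declared!r} matches {ext!r}"


if __name__ == "__main__":
    # Constructed sample attachments: (declared MIME type, file name).
    samples = [
        ("image/jpeg", "holiday.jpg"),
        ("image/jpeg", "holiday.jpg.scr"),
        ("image/jpeg", "holiday.exe ."),
        ("image/jpeg", "holiday.png"),
        ("application/pdf", "report.pdf"),
    ]
    for mime, fname in samples:
        verdict, reason = classify_attachment(mime, fname)
        print(f"{fname!r:20} {verdict:9} {reason}")
```

The check is deliberately one-sided: the declared type is never trusted to override what the extension will do, because the extension is what the operating system acts on. A production gateway would add content sniffing of the first bytes as a third signal.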

More info

GitHub Actions supply chain compromised via stolen token

Palo Alto Networks has disclosed a complex attack chain that compromised projects on GitHub Actions using a personal access token (PAT) stolen in December 2024. The attack began when a malicious actor gained access to a SpotBugs project maintainer's token after sending a malicious pull request exploiting the pull_request_target trigger.

In March 2025, the attackers used the token to grant a fake user access to the repository, allowing them to inject a malicious workflow that exfiltrated encrypted data. This also affected the Reviewdog maintainer, whose PAT allowed the reviewdog/action-setup repository to be compromised by repointing the v1 tag to malicious code. The attack spread to other projects, including tj-actions/eslint-changed-files and tj-actions/changed-files, which are used by thousands of repositories.

One of the primary targets was a Coinbase open-source project, although the attack expanded after initially failing. An estimated 160,000 projects were using the compromised action, although data from only 218 repositories was leaked.
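Two workflow weaknesses carried this chain: a `pull_request_target` job that ran untrusted pull-request code with the base repository's privileges, and downstream consumers that referenced actions by a mutable tag (`v1`) that could be repointed. The following is an added example, not code from Palo Alto Networks, GitHub or any of the projects named above, of a small audit that flags both patterns in a workflow file. The sample workflow is constructed for the example; the action names come from the item above, and the 40-character SHA is a placeholder.

```python
import re

# Constructed workflow for this example (not from any real repository). It
# shows both weaknesses: action references that follow a mutable tag, and a
# pull_request_target job that checks out the untrusted PR head while running
# with the base repository's secrets.
SAMPLE_WORKFLOW = """\
name: lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder SHA
"""

# `uses: owner/repo@ref` (optionally quoted); local and docker:// actions have
# no '@' and are not matched.
USES_RE = re.compile(
    r"""^[ \t]*-?[ \t]*uses:[ \t]*["']?([^\s@"']+)@([^\s"']+)""", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")


def find_unpinned_actions(workflow_text):
    """Return (action, ref) for every `uses:` whose ref is not a full 40-hex
    commit SHA. Tags and branches can be moved after the fact, which is how a
    repointed v1 tag reaches every downstream consumer at once."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if not FULL_SHA_RE.match(ref)]


def checks_out_pr_head_under_pull_request_target(workflow_text):
    """True when a pull_request_target workflow checks out the PR head: the
    fork's code then runs with a write-capable token and repository secrets."""
    return bool(PR_TARGET_RE.search(workflow_text)) and bool(PR_HEAD_RE.search(workflow_text))


def audit(workflow_text):
    """Collect findings as plain strings, suitable for failing a CI gate."""
    findings = [f"unpinned action {action}@{ref}: pin to a full commit SHA"
                for action, ref in find_unpinned_actions(workflow_text)]
    if checks_out_pr_head_under_pull_request_target(workflow_text):
        findings.append("pull_request_target checks out the PR head: use pull_request, "
                        "or keep the privileged job from running untrusted code")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Pinning to a full commit SHA does not prevent a maintainer's token from being stolen, but it does stop a moved tag from silently changing what thousands of consuming repositories execute; the tag-to-SHA mapping then has to be updated deliberately, which is where a dependency-update bot and review fit in.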

More info