Threat Intelligence

Intel Wrap – February 2025

March 12, 2025

Musa Nadir Sani

This month focuses on the campaign spreading ValleyRAT using fake Google Chrome websites, Microsoft Patching Two Vulnerabilities Being Actively Exploited in the wild, and the recently released Chrome and Firefox patches.

Fake Google Chrome Sites Used To Spread ValleyRAT Malware

Cybercriminals set up bogus websites advertising Google Chrome to distribute a remote access trojan (RAT) called ValleyRAT.

Summary

The malware campaign is linked to Silver Fox, a threat actor.
Attackers strategically focus on individuals in finance, accounting, and sales departments, aiming to gain access to sensitive data and critical systems.
Earlier campaigns distributed ValleyRAT alongside Purple Fox and Gh0st RAT, both commonly used in attacks by Chinese hacking groups.
Users searching for Google Chrome are led to fake Chrome download sites, tricked into downloading a malicious Setup.exe file inside a ZIP archive.
Once executed, the malware downloads additional payloads, including a legitimate Douyin (Chinese TikTok) executable to sideload a malicious DLL that launches ValleyRAT.
The trojan can monitor screen content, log keystrokes, maintain persistence, and communicate with a remote server for further instructions like downloading and executing additional malware.
Attackers abuse signed, legitimate executables vulnerable to DLL search order hijacking to execute their malware stealthily.
Similar drive-by download techniques have been used before to distribute Gh0st RAT through malicious Chrome installer packages, suggesting connections between attack campaigns.
Security researchers report that attackers are also using SVG file attachments to evade detection, delivering AutoIt-based keyloggers like Nymeria or redirecting users to credential harvesting pages.
Read more about it here.

Microsoft Patches Two Vulnerabilities Being Actively Exploited In The Wild

Microsoft recently patched two high-severity vulnerabilities affecting Bing and Power Pages.

Summary

CVE-2025-21355 (CVSS 8.6): Bing Remote Code Execution flaw allowing unauthorized attackers to execute code remotely.
CVE-2025-24989 (CVSS 8.2): Power Pages Elevation of Privilege vulnerability allowing unauthorized access control bypass.
CVE-2025-24989 is already being exploited in the wild, but Microsoft has not disclosed details about the attackers or targets.
The vulnerability in Power Pages, a low-code business website platform, enables attackers to bypass user registration controls and elevate privileges over a network.
The company has mitigated the vulnerabilities and notified affected customers with instructions on checking for exploitation.
Microsoft states that CVE-2025-21355 has been addressed server-side, meaning customers do not need to take further action.
Patches have been released for both vulnerabilities.
Read more about it here.

Chrome 133, Firefox 135 Patch High-Severity Vulnerabilities

Google and Mozilla have released updates for Chrome 133 and Firefox 135 to address multiple high-severity memory safety vulnerabilities.

Summary

This includes use-after-free bugs in Skia (CVE-2025-0444) and V8 JavaScript engine (CVE-2025-0445), along with a medium-severity flaw in the Extensions API.
Google awarded $7,000 for the Skia bug and $2,000 for the Extensions API flaw, but the bounty for the second use-after-free vulnerability is yet to be determined.
Mozilla addressed CVE-2025-1009 and CVE-2025-1010 (use-after-free vulnerabilities in the Custom Highlight API and XSLT). Additional fixes include CVE-2025-1016 and CVE-2025-1020, which could allow code execution.
Mozilla’s patches apply to Thunderbird 135, Thunderbird ESR 128.7, Firefox ESR 128.7, and Firefox ESR 115.20.
While no active exploits have been reported, these vulnerabilities could enable code execution, data corruption, or sandbox escapes, making prompt updates crucial.
Chrome is now rolling out as 133.0.6943.53/54 for Windows and macOS and 133.0.6943.53 for Linux, while Firefox 135 is available for all users.
Read more about it here