Lethal Scale in ClickFix: Over 13,000 Malicious Domains Found Manipulating Cloudflare Routing
A sweeping new investigation has exposed the vast scale of adversarial infrastructure associated with the ClickFix campaign, linking over 13,000 unique hostnames to criminal exploitation of Cloudflare’s rapid routing services. These threat actors orchestrate large-scale redirection of unsuspecting users to malware delivery and fraudulent ad sites.
Deep Dive Into ClickFix Mechanisms
ClickFix attackers register thousands of subdomains through cloud hosting platforms leveraging Cloudflare’s high-availability DNS and traffic proxying. Automations enable bulk domain generation, cloaking malicious endpoints behind legitimate-looking URLs.
Traffic Manipulation and User Exposure
The adversaries exploit URL obfuscation and HTTP request relays to bypass detection by reputation services and ad fraud filters. This allows rapid scaling, redirecting potential victims en masse with minimal time for interventions or takedowns.
Detection and Remediation Challenges
Security researchers emphasize that endpoint filtering and browser reputation databases often lag behind the campaign's churn of hostnames, making real-time blocking ineffective. Cloud service providers face escalating demands for automated abuse detection and rapid domain-takedown procedures to curb this expanding threat.
Operation Zero Disco: Cisco SNMP Vulnerability Used for Linux Rootkit Deployments
Trend Micro researchers have documented an advanced attack campaign, dubbed “Operation Zero Disco,” targeting a critical SNMP flaw in Cisco devices. Attackers leverage the vulnerability to gain remote access and install persistent Linux rootkits on enterprise equipment.
SNMP Flaw Exploitation Techniques
Attackers exploit insecure SNMP community string configurations, which let them issue arbitrary commands to the device. Once access is established, tailored rootkit payloads are dropped, giving the attackers hard-to-detect lateral movement capabilities within affected Linux environments.
Rootkit Persistence and Stealth
The adversaries modify kernel modules to avoid process listings and log entries, targeting operational components such as logging daemons and SSH controls. Forensic evidence suggests use of custom packet triggers and encrypted command channels to manage compromise and activate payloads on demand.
Mitigation Strategies
Cisco recommends auditing SNMP configurations, enforcing strong authentication, and applying the latest firmware patches. Network segmentation and behavioral anomaly detection tools are advised to limit the impact of an intrusion and the attackers' ability to persist after compromise.
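A defender-side check for the configuration weakness described above, added here as an example (it is not Cisco's or Trend Micro's tooling): it parses a Cisco IOS-style running configuration and flags SNMPv1/v2c community strings, well-known or read-write communities, communities without a source access-list, and SNMPv3 groups that lack authentication or privacy. The sample config, the well-known-string list and the severity rules are assumptions made for this example.

```python
"""Audit a Cisco IOS-style running configuration for weak SNMP settings.

Added example, not Cisco's or Trend Micro's tooling: the sample config, the
well-known-string list and the severity rules are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default or wordlist-grade community strings that should never be in use.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "monitor"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# snmp-server group <name> v1|v2c|v3 [auth|noauth|priv] ...
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<version>v1|v2c|v3)"
    r"(?: (?P<level>noauth|auth|priv))?",
    re.IGNORECASE,
)


@dataclass
class SnmpFinding:
    line_no: int   # 1-based line in the config
    severity: str  # low | medium | high
    message: str


def _worst(current: str, candidate: str) -> str:
    return candidate if SEVERITY_RANK[candidate] > SEVERITY_RANK[current] else current


def _assess_community(name: str, mode: Optional[str],
                      acl: Optional[str]) -> Tuple[str, List[str]]:
    """Rate one v1/v2c community line: any community is unauthenticated and cleartext."""
    severity = "medium"
    reasons = ["SNMPv1/v2c community (no authentication, cleartext)"]
    if name.lower() in WELL_KNOWN_COMMUNITIES:
        severity = _worst(severity, "high")
        reasons.append("well-known community string")
    if (mode or "RO").upper() == "RW":
        severity = _worst(severity, "high")
        reasons.append("read-write access")
    if acl is None:
        reasons.append("no access-list restricting source addresses")
    return severity, reasons


def _assess_group(version: str, level: Optional[str]) -> Optional[Tuple[str, List[str]]]:
    """Rate one snmp-server group line; None means v3 authPriv, the target state."""
    if version.lower() != "v3":
        return "medium", [f"SNMP{version} group (no authentication)"]
    level = (level or "noauth").lower()  # assumption: a missing level is treated as unauthenticated
    if level == "noauth":
        return "high", ["SNMPv3 group without authentication"]
    if level == "auth":
        return "medium", ["SNMPv3 group without privacy (authNoPriv)"]
    return None


def audit_snmp_config(config_text: str) -> List[SnmpFinding]:
    """Return one finding per weak community or group line, in config order."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            sev, reasons = _assess_community(m["name"], m["mode"], m["acl"])
            findings.append(SnmpFinding(line_no, sev, f"community {m['name']!r}: " + "; ".join(reasons)))
        elif m := GROUP_RE.match(line):
            rated = _assess_group(m["version"], m["level"])
            if rated:
                sev, reasons = rated
                findings.append(SnmpFinding(line_no, sev, f"group {m['name']!r}: " + "; ".join(reasons)))
    return findings


def is_hardened(config_text: str) -> bool:
    """True only when every SNMP group is v3 authPriv and no community strings remain."""
    return not audit_snmp_config(config_text)


# Constructed sample: a typical mix of legacy and hardened SNMP settings.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
snmp-server group OLDMON v2c
snmp-server group LEGACY v3 noauth
snmp-server group NETMON v3 priv
snmp-server host 10.20.30.5 version 3 priv netmon-user
access-list 10 permit 10.20.30.5
!
end
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```

Feed it the output of `show running-config` collected from each device; a config passes only when every SNMP group is v3 with authPriv and no community strings remain, which is the end state the audit advice above points toward.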
GhostBat RAT Infects Android RTO Apps, Steals Banking Data in Targeted Campaign Against Indian Users
Cyble Research and Intelligence Labs uncovered a new Android malware campaign that uses the GhostBat RAT disguised as Regional Transport Office (RTO) applications to siphon banking credentials and sensitive user data from Indian mobile devices.
Malicious App Distribution Tactics
Attackers distribute compromised RTO apps via unofficial marketplaces and phishing links, relying on social engineering to convince users of legitimacy. These trojanized apps request excessive permissions to enable full device surveillance.
Technical Details of the GhostBat RAT
GhostBat RAT exfiltrates SMS-based one-time passwords, keystroke logs, and banking application data. Network traffic analysis reveals frequent connection attempts to hardcoded command-and-control servers using encrypted communication channels, making detection challenging for traditional security tools.
Recommendations for Protection
Security analysts advise only installing apps from trusted sources, closely monitoring permission requests, and employing mobile endpoint protection with heuristic analysis capabilities. Indian banks are urged to strengthen multi-factor authentication and customer education initiatives.
CISA Flags Rapid7 Velociraptor Vulnerability (CVE-2025-6264) as Actively Exploited in Ransomware Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) added Rapid7 Velociraptor’s CVE-2025-6264 to its Known Exploited Vulnerabilities catalog, warning that ransomware actors are abusing a default-permissions flaw in the popular endpoint monitoring tool for lateral movement and data theft.
Nature and Scope of the Vulnerability
CVE-2025-6264 affects default file and process permission configurations, allowing authenticated attackers to escalate privileges and deploy ransomware payloads. Exploitation typically follows compromised administrator accounts or phishing campaigns targeting IT support personnel.
Observed Attack Techniques
Incident response teams report adversaries leveraging PowerShell-based droppers and abusing internal API calls to spread ransomware rapidly after gaining Velociraptor access. Evidence indicates that threat actors use this access to disable security monitoring and harvest sensitive configuration data.
Immediate Measures Advised
Organizations deploying Velociraptor should update to the latest patch, audit privilege assignments, and enforce least-privilege best practices. Multi-factor authentication and network segmentation are recommended to prevent privilege escalation and lateral movement.
Windows Agere Modem Driver (ltmdm64.sys) 0-Day Removal Amid Escalation-of-Privilege Attacks
Microsoft rapidly removed the legacy Agere Modem driver, ltmdm64.sys, from Windows after discovering two unpatched elevation-of-privilege vulnerabilities (tracked as 0-days) that enabled attackers to gain system-level control through crafted user-mode input.
Vulnerability Characteristics
The vulnerabilities reside in IOCTL request handling, allowing non-administrative users to manipulate memory pointers and execute arbitrary code in kernel space. Exploit chains targeting these flaws have been observed in post-compromise escalation scenarios involving ransomware and data exfiltration actors.
Remediation and Forensic Actions
Administrators must remove the ltmdm64.sys driver from all affected Windows systems and verify that the removal succeeded, since exploitation of the outdated driver bypasses core Windows kernel security controls. Security teams are advised to monitor event logs for suspicious IOCTL requests and anomalous process launches referencing modem-related DLLs.
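To make the monitoring advice concrete, an added example (not Microsoft's tooling or anything from the original report) that triages Sysmon Event ID 6 (Driver loaded) records for loads of ltmdm64.sys or of drivers without a valid signature, and checks a driver inventory to confirm the file is gone. The key=value event rendering, the sample records and the one-entry watchlist are constructed for illustration; the field names follow Sysmon's Event 6 schema.

```python
"""Hunt for the legacy Agere modem driver in driver-load telemetry and inventories.

Added example, not Microsoft tooling: the key=value rendering of Sysmon
Event ID 6 (Driver loaded) records, the sample events and the one-entry
watchlist are constructed for illustration.  Field names follow Sysmon's
Event 6 schema (UtcTime, ImageLoaded, Signed, Signature, SignatureStatus).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Driver file names to hunt for.  Constructed: only the driver named in the
# article; a real deployment would load a maintained vulnerable-driver list.
WATCHLIST = {"ltmdm64.sys"}

# Key=Value pairs separated by whitespace; values may themselves contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class DriverLoadEvent:
    computer: str
    utc_time: str
    image_loaded: str
    signed: bool
    signature_status: str

    @property
    def file_name(self) -> str:
        return _basename(self.image_loaded)


@dataclass
class DriverFinding:
    computer: str
    utc_time: str
    file_name: str
    reason: str


def parse_sysmon_event6(line: str) -> Optional[DriverLoadEvent]:
    """Parse one 'Key=Value ...' record; return None unless it is an Event ID 6 driver load."""
    fields = dict(KV_RE.findall(line))
    if fields.get("EventID") != "6" or "ImageLoaded" not in fields:
        return None
    return DriverLoadEvent(
        computer=fields.get("Computer", "?"),
        utc_time=fields.get("UtcTime", ""),
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def triage_driver_loads(lines: Iterable[str]) -> List[DriverFinding]:
    """Flag loads of watchlisted drivers and of drivers without a valid signature."""
    findings = []
    for line in lines:
        ev = parse_sysmon_event6(line)
        if ev is None:
            continue
        reasons = []
        if ev.file_name in WATCHLIST:
            reasons.append("watchlisted legacy driver")
        if not ev.signed or ev.signature_status.lower() != "valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append(DriverFinding(ev.computer, ev.utc_time, ev.file_name, "; ".join(reasons)))
    return findings


def removal_verified(driver_paths: Iterable[str]) -> bool:
    """True when no watchlisted driver remains in an inventory of installed driver
    paths (for example the driver path column of `driverquery /v`, supplied by the caller)."""
    return not any(_basename(p) in WATCHLIST for p in driver_paths)


# Constructed sample telemetry (paths, hosts, signer names and times are made up).
SAMPLE_EVENTS = [
    "EventID=6 UtcTime=2025-10-17 09:14:02.113 Computer=WKSTN-042 "
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ltmdm64.sys Signed=true "
    "Signature=constructed-vendor SignatureStatus=Valid",
    "EventID=6 UtcTime=2025-10-17 09:14:05.400 Computer=WKSTN-042 "
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true "
    "Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 UtcTime=2025-10-17 09:15:11.002 Computer=SRV-FILE-01 "
    "ImageLoaded=C:\\Users\\Public\\x.sys Signed=false Signature= SignatureStatus=Unavailable",
    "EventID=1 UtcTime=2025-10-17 09:16:00.000 Computer=WKSTN-042 "
    "Image=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.computer} {f.file_name}: {f.reason}")
```

A load of ltmdm64.sys after the removal date is the signal worth alerting on: the driver is legitimately signed, so signature checks alone will not catch it, which is why the watchlist match is a separate reason from the signature check.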
Long-Term Defensive Strategies
Microsoft recommends migrating legacy hardware drivers to supported, actively maintained alternatives and deploying Device Guard configurations to restrict driver installation on unmanaged endpoints.