Hackers Exploit Misconfigured Security Testing Apps to Breach Cloud Environments
Summary
Threat actors are exploiting misconfigured security testing applications, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors. These applications, intended to be intentionally vulnerable for training and testing, pose a significant risk when exposed on the public internet and executed from privileged cloud accounts. Pentera researchers discovered 1,926 live, vulnerable applications linked to overly privileged IAM roles, deployed on AWS, GCP, and Azure. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access to cloud environments. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.
Timeline
- 21.01.2026 16:00 (3 articles)
Active Exploitation of Misconfigured Security Testing Apps Confirmed
Pentera researchers discovered 1,926 live, vulnerable applications exposed on the public web, often linked to overly privileged IAM roles. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.
Sources:
- Hackers exploit security testing apps to breach Fortune 500 firms — www.bleepingcomputer.com — 21.01.2026 16:00
- 'Damn Vulnerable' Training Apps Leave Vendors' Clouds Exposed — www.darkreading.com — 21.01.2026 16:00
- Exposed Training Open the Door for Crypto-Mining in Fortune 500 Cloud Environments — thehackernews.com — 11.02.2026 13:30
Information Snippets
- Threat actors are exploiting misconfigured security testing applications to breach cloud environments of Fortune 500 companies and security vendors.
  First reported: 21.01.2026 16:00 (3 sources, 3 articles: www.bleepingcomputer.com, www.darkreading.com, thehackernews.com)
- Pentera researchers found 1,926 live, vulnerable applications exposed on the public web, often linked to overly privileged IAM roles.
  First reported: 21.01.2026 16:00 (3 sources, 3 articles: www.bleepingcomputer.com, www.darkreading.com, thehackernews.com)
- Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access.
  First reported: 21.01.2026 16:00 (3 sources, 3 articles: www.bleepingcomputer.com, www.darkreading.com, thehackernews.com)
- Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms.
  First reported: 21.01.2026 16:00 (3 sources, 3 articles: www.bleepingcomputer.com, www.darkreading.com, thehackernews.com)
- The webshell contained hardcoded authentication credentials and had a timezone set to Europe/Minsk (UTC+3), hinting at the origin of the operators.
  First reported: 21.01.2026 16:00 (1 source, 1 article: www.bleepingcomputer.com)
- Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected by the exploitation of misconfigured security testing applications.
  First reported: 21.01.2026 16:00 (2 sources, 2 articles: www.darkreading.com, thehackernews.com)
- The vulnerable applications were found to be running on 1,626 unique servers, with 974 of them deployed on AWS, GCP, or Azure.
  First reported: 21.01.2026 16:00 (2 sources, 2 articles: www.darkreading.com, thehackernews.com)
- Out of 616 web servers running DVWA, 20% contained artifacts from cyberattacks, including the deployment of the XMRig cryptominer.
  First reported: 21.01.2026 16:00 (2 sources, 2 articles: www.darkreading.com, thehackernews.com)
- Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP.
  First reported: 11.02.2026 13:30 (1 source, 1 article: thehackernews.com)
- Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.
  First reported: 11.02.2026 13:30 (1 source, 1 article: thehackernews.com)
Similar Happenings
AWS Crypto Mining Campaign Exploits Compromised IAM Credentials
A campaign targeting AWS customers uses compromised IAM credentials to deploy cryptocurrency mining operations. The attackers employ sophisticated persistence techniques, including enabling termination protection on their instances, to evade detection and maximize resource consumption. The activity was first detected on November 2, 2025, and involves the creation of multiple ECS clusters and Lambda functions to facilitate mining operations. The attackers leverage the 'DryRun' flag to validate permissions without incurring costs, and use the 'ModifyInstanceAttribute' action to prevent instance termination. The campaign also involves the creation of autoscaling groups to exploit EC2 service quotas and maximize resource consumption. The campaign started cryptomining within 10 minutes of initial access, using a Docker Hub image that had over 100,000 pulls. Each task was configured with 16,384 CPU units and 32GB of memory, with a desired count of 10 for ECS Fargate tasks. The attacker created two launch templates with startup scripts that automatically initiated cryptomining, and configured 14 auto-scaling groups to deploy at least 20 instances each, with a maximum capacity of up to 999 machines.
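As an added defensive illustration (not code from any of the cited articles), a Python sketch of detection logic over CloudTrail-style events for the three behaviours named above: DryRun permission probing, ModifyInstanceAttribute turning on termination protection, and mass or oversized auto-scaling group creation. The event records, identity ARNs and alert thresholds are constructed assumptions.

```python
"""Detection sketch for the AWS crypto-mining TTPs described above: DryRun
permission probing, ModifyInstanceAttribute enabling termination protection,
and mass or oversized CreateAutoScalingGroup calls. All events and
thresholds are constructed for illustration, not real CloudTrail data."""
from collections import Counter

DRYRUN_BURST = 5   # assumed: DryRun probes per identity before alerting
ASG_BURST = 3      # assumed: groups created per identity before alerting
ASG_MAX_SIZE = 50  # assumed: larger than any legitimate group's maxSize

def _ev(name, arn, params=None, error=None):
    """Minimal CloudTrail-shaped event (constructed sample)."""
    e = {"eventName": name, "userIdentity": {"arn": arn},
         "requestParameters": params or {}}
    if error:
        e["errorCode"] = error
    return e

ATTACKER = "arn:aws:iam::111122223333:user/leaked-key"  # constructed
ADMIN = "arn:aws:iam::111122223333:role/ops-admin"      # constructed

# Constructed sample: attacker probes with DryRun, protects a mining
# instance, then creates large auto-scaling groups; admin activity is benign.
SAMPLE_EVENTS = (
    [_ev(n, ATTACKER, error="DryRunOperation")
     for n in ["RunInstances", "CreateKeyPair", "DescribeInstances",
               "CreateSecurityGroup", "CreateLaunchTemplate", "RunInstances"]]
    + [_ev("ModifyInstanceAttribute", ATTACKER,
           {"instanceId": "i-0deadbeef", "disableApiTermination": {"value": True}})]
    + [_ev("CreateAutoScalingGroup", ATTACKER,
           {"autoScalingGroupName": f"asg-{i}", "minSize": 20, "maxSize": 999})
       for i in range(3)]
    + [_ev("RunInstances", ADMIN, error="DryRunOperation"),
       _ev("ModifyInstanceAttribute", ADMIN,
           {"instanceId": "i-0cafef00d", "disableApiTermination": {"value": False}}),
       _ev("CreateAutoScalingGroup", ADMIN,
           {"autoScalingGroupName": "web", "minSize": 2, "maxSize": 6})]
)

def dryrun_probes(events):
    """Identities whose DryRun probes (errorCode DryRunOperation) reach the threshold."""
    c = Counter(e["userIdentity"]["arn"] for e in events
                if e.get("errorCode") == "DryRunOperation")
    return {arn: n for arn, n in c.items() if n >= DRYRUN_BURST}

def termination_protection_enabled(events):
    """(arn, instanceId) pairs where termination protection was switched on."""
    return [(e["userIdentity"]["arn"], e["requestParameters"].get("instanceId"))
            for e in events if e["eventName"] == "ModifyInstanceAttribute"
            and e["requestParameters"].get("disableApiTermination", {}).get("value") is True]

def asg_abuse(events):
    """Identities creating many groups, and any group with an oversized maxSize."""
    count, oversized = Counter(), []
    for e in events:
        if e["eventName"] != "CreateAutoScalingGroup":
            continue
        arn, p = e["userIdentity"]["arn"], e["requestParameters"]
        count[arn] += 1
        if p.get("maxSize", 0) >= ASG_MAX_SIZE:
            oversized.append((arn, p.get("autoScalingGroupName"), p["maxSize"]))
    return {a: n for a, n in count.items() if n >= ASG_BURST}, oversized
```

Feeding real CloudTrail records (each a dict with the same keys) into the three functions yields the identities and instances worth triaging; the admin's single DryRun call and its `disableApiTermination: false` change are deliberately left unflagged.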
Identity-Related Weaknesses Drive Cloud Attack Surge
In Q3 2025, 44% of true-positive cloud attack alerts were traced to identity-related weaknesses. These include excessive permissions, misconfigured roles, and credential abuse. Cloud keys and credentials are often stored insecurely, where phishing or infostealer malware can harvest them. Attackers exploit these weaknesses to escalate access and evade detection. Poor DevOps practices also contribute to the systematic redeployment of legacy vulnerabilities, exacerbating the issue. Organizations must address these identity and DevOps security gaps to mitigate cloud risks.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.
TigerJack Campaign Targets Developers with Malicious VSCode Extensions
The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). The extension calls a function named zipUploadAndEncrypt which checks for the presence of a marker text file, then starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file using a PAT for authentication, and tries to execute any commands found there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex 'AI slop', with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published.

Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets. The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode. The malware steals cryptocurrency wallets like Phantom, Metamask, Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal. Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server. Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions' node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components. Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.

A new malware campaign targeting developers with the Evelyn Stealer malware has been identified. This malware abuses VS Code extensions to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. The malware harvests clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and credentials and stored cookies from Google Chrome and Microsoft Edge. The malware implements safeguards to detect analysis and virtual environments and terminates active browser processes to ensure seamless data collection. The malware uses specific command-line flags to launch browsers in a stealthy manner, preventing detection and forensic traces. The DLL downloader creates a mutual exclusion (mutex) object to ensure only one instance of the malware can run at any given time. The Evelyn Stealer campaign targets organizations with software development teams that rely on VS Code and third-party extensions. The malware exfiltrates collected data to a remote server (server09.mentality[.]cloud) over FTP in the form of a ZIP file.

Two malicious extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, collectively installed 1.5 million times, exfiltrate developer data to China-based servers. The extensions are advertised as AI-based coding assistants and provide the promised functionality but do not disclose the upload activity or ask users for consent to deliver data to a remote server. The extensions use three distinct data-collection mechanisms: real-time monitoring of files opened in the VS Code client, server-controlled file-harvesting commands, and zero-pixel iframes in the extension's webview to load four commercial analytics SDKs. The extensions exfiltrate entire file contents and changes to the attackers' servers, harvest up to 50 files from the victim's workspace each time, and use SDKs to track user behavior, build identity profiles, fingerprint devices, and monitor activity inside the editor. The extensions pose risks including the exposure of private source code, configuration files, cloud service credentials, and .env files containing API keys and credentials. The extensions are part of a campaign dubbed 'MaliciousCorgi', share the same code for stealing developer data, use the same spyware infrastructure, and communicate with the same backend servers. The extensions are still present on the marketplace at the time of publishing: ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs) and ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs).
OneLogin OIDC Client Secret Exposure via API Key Misconfiguration
A high-severity flaw in OneLogin's Identity and Access Management (IAM) solution allowed attackers with valid API credentials to retrieve client secrets for all OpenID Connect (OIDC) applications within an organization's tenant. This could enable impersonation and unauthorized access to integrated services. The vulnerability, CVE-2025-59363, was due to an incorrect resource transfer between security boundaries, allowing unauthorized access to confidential data. It was addressed in OneLogin 2025.3.0, released in September 2025. The flaw could facilitate lateral movement within an organization's network, potentially affecting multiple applications and services.