1-North Korean hackers use phony cryptocurrency companies and job interview lures to distribute malware
North Korea-linked threat actors behind the Contagious Interview campaign have set up front companies to spread malware during fake recruiting processes.
"In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via 'job interview lures'," Silent Push said in a deep dive.
The activity delivers the BeaverTail, InvisibleFerret, and OtterCookie malware families.
Contagious Interview is a job-themed social engineering operation: targets are tricked into downloading cross-platform malware under the pretext of completing a coding assignment, or of fixing a supposed browser or camera problem when they try to turn on their webcam for a video assessment.
The same activity cluster is tracked by the wider security community as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi.
Standing up front companies, backed by fake personas on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, is a new escalation for a threat actor that until now has mainly relied on job boards to lure victims.
"The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas [...] appear to be fake," the report noted. "When viewing the 'About Us' page of blocknovas[.]com via the Wayback Machine, the group claimed to have been operating for '12+ years' – which is 11 years longer than the business has been registered."
2-Attackers Use New Critical SAP NetWeaver Flaw to Drop Web Shell, Brute Ratel Framework
A new SAP NetWeaver vulnerability is being exploited in the wild to upload JSP web shells, giving attackers unauthorized file upload and remote code execution.
"The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest stated this week.
The company said a zero-day was likely, since some of the affected systems were fully patched when they were compromised.
Unknown threat actors abuse the NetWeaver "/developmentserver/metadatauploader" endpoint to upload malicious JSP web shells into the "servlet_jsp/irj/root/" directory, giving them persistent remote access and a foothold from which to deliver further payloads.
The lightweight JSP web shell lets the attackers upload arbitrary files, control the compromised host, execute commands remotely, and exfiltrate sensitive data.
In some intrusions the attackers followed up with the Brute Ratel C4 post-exploitation framework and the Heaven's Gate technique (switching a 32-bit process into 64-bit execution to slip past hooks and monitoring that only cover the 32-bit code path) to evade endpoint defenses.
In one case the attackers waited several days between gaining initial access and acting on it, a pattern consistent with an initial access broker (IAB) selling the foothold to other groups on underground forums.
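The intrusion chain above (a POST to the metadata uploader endpoint, then requests to a newly dropped JSP) is something a defender can hunt for in web server access logs. The following Python is an added detection example, not code from the page or from ReliaQuest. The log lines are constructed in a generic combined-log style, the shell filename is made up, and it assumes that files written to servlet_jsp/irj/root/ are served under the /irj/ URL prefix (an assumption of this example, not a fact stated on the page).

```python
"""Correlate access-log lines to flag a client that POSTs to the NetWeaver
metadatauploader endpoint and then, within a time window, successfully
requests a JSP file under /irj/. Added example; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOADER = "/developmentserver/metadatauploader"
# Assumption: servlet_jsp/irj/root/ is exposed at /irj/, so a dropped shell
# is fetched as /irj/<name>.jsp. Adjust to the real mapping of the instance.
JSP_RE = re.compile(r"^/irj/[^?]*\.jsp$", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def find_webshell_sequences(lines, window=timedelta(hours=48)):
    """Return (ip, upload_time, shell_path) for each client whose uploader POST
    is followed within `window` by a 200 response for a JSP under /irj/."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        uploads = [r for r in recs if r["method"] == "POST" and r["path"] == UPLOADER]
        for up in uploads:
            for r in recs:
                if r["ts"] <= up["ts"] or r["ts"] - up["ts"] > window:
                    continue
                if JSP_RE.match(r["path"]) and r["status"] == "200":
                    findings.append((ip, up["ts"], r["path"]))
                    break  # one finding per upload is enough to triage
    return findings


# Constructed sample log: one client uploads then calls a shell; another only
# touches the endpoint (a weaker signal on its own) and is not flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 312',
    '203.0.113.7 - - [22/Apr/2025:10:01:40 +0000] "GET /irj/cache.jsp?cmd=whoami HTTP/1.1" 200 88',
    '198.51.100.5 - - [22/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.5 - - [22/Apr/2025:10:06:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, when, path in find_webshell_sequences(SAMPLE_LOG):
        print(f"{ip} uploaded at {when.isoformat()} then hit {path}")
```

A lone POST to the uploader endpoint is a weak indicator; the sequence (upload, then a JSP that did not exist before answering 200) is what makes an alert actionable. Pair the log rule with an on-host check for recently modified .jsp files under servlet_jsp/irj/root/.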
3-Researchers Find Ruby Server Rack::Static Vulnerability That Allows Data Breaches
Security researchers have found three vulnerabilities in Rack, the Ruby web server interface, that could let attackers access files, inject malicious content, and tamper with logs.
"Among these vulnerabilities, CVE-2025-27610 is particularly severe, as it could enable unauthenticated attackers to retrieve sensitive information, including configuration files, credentials, and confidential data, thereby leading to data breaches," OPSWAT said in a report shared with The Hacker News.
Rack::Static, a middleware that serves static content such as JavaScript, stylesheets, and images, does not sanitize user-supplied paths before serving files, so an attacker can use a specially crafted path to read files outside the static file directory.
"Specifically, when the :root parameter is not explicitly defined, Rack defaults this value to the current working directory by assigning it the value of Dir.pwd, implicitly designating it as the web root directory for the Rack application," explained OPSWAT.
Thus, when the :root option is undefined, or is misconfigured relative to the :urls option, an unauthenticated attacker can exploit CVE-2025-27610 with a path traversal to read sensitive files outside the intended web directory.
The fix is to update to the latest Rack version. If patching cannot happen immediately, remove Rack::Static from the middleware stack or set root: to a directory that contains only public files.
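To make the traversal concrete, here is an added Ruby example (not Rack's own code and not from the OPSWAT report) showing the two halves of the issue: a static handler that joins the request path onto its root unchanged, beside the check a hardened handler performs before opening a file. It assumes a hypothetical app whose public/ directory sits next to a database.yml; the directory layout and file contents are constructed, and only the standard library is used, so it runs without Rack installed.

```ruby
# Added example: path traversal in a naive static-file handler, and the
# containment check that closes it. Illustrative code, not Rack::Static.
require "tmpdir"
require "fileutils"

# Unsafe: the request path is joined onto the root as-is, so "../" segments
# walk out of the served directory. This is the shape of the bug the page
# describes, where root is effectively Dir.pwd (the whole application tree).
def unsafe_static_path(root, request_path)
  File.join(root, request_path)
end

# Safe: percent-decode (done here for completeness; a real stack decodes
# earlier), normalize with expand_path, then refuse anything whose resolved
# location is not inside the root. Returns nil for rejected requests.
def safe_static_path(root, request_path)
  decoded  = request_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  root_abs = File.expand_path(root)
  relative = decoded.sub(%r{\A/+}, "")
  candidate = File.expand_path(relative, root_abs)
  inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
  inside ? candidate : nil
end

# Builds a throwaway app tree (constructed data) and exercises both handlers
# with the same traversal request. Returns what each one would have served.
def demo_traversal
  Dir.mktmpdir("rackstatic") do |app_root|
    public_dir = File.join(app_root, "public")
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, "app.css"), "body{}")
    File.write(File.join(app_root, "database.yml"), "password: s3cret") # constructed secret

    traversal = "/../database.yml"
    unsafe = File.read(unsafe_static_path(public_dir, traversal)) # leaks the secret
    safe   = safe_static_path(public_dir, traversal)              # nil: rejected
    { unsafe: unsafe, safe: safe }
  end
end

# Hardened middleware configuration (the page's mitigation) as it would appear
# in config.ru; shown as a comment because it needs Rack to run:
#   use Rack::Static, urls: ["/assets"], root: "public"

if __FILE__ == $PROGRAM_NAME
  p demo_traversal
end
```

The containment check compares normalized absolute paths rather than looking for ".." substrings, so encoded, doubled, or otherwise disguised traversal sequences are all handled by the same rule; pinning root: to a directory of only public files means that even a handler without such a check has nothing sensitive to leak.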
References
https://thehackernews.com/2025/04/north-korean-hackers-spread-malware-via.html
https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html
https://thehackernews.com/2025/04/researchers-identify-rackstatic.html