
Weekly Digest | 21st April - 25th April

25 April, 2025


Welcome to the weekly Threat Intelligence Digest!

In this edition, we cover a range of critical topics to keep you informed and prepared. We delve into the critical threats and vulnerabilities that could impact organizations in the United Arab Emirates (UAE), with an in-depth summary of each threat, expert recommendations, and references to help you safeguard your digital assets.

ClickFix Technique Leveraged by Multiple State-Sponsored Actors to Deliver Malware

Risk Rating: High

Researchers at Proofpoint have identified phishing campaigns leveraging the ‘ClickFix’ social engineering technique, used predominantly by state-sponsored actors from North Korea, Iran, and Russia in espionage activities between late 2024 and early 2025. The ClickFix technique relies on deceptive dialogue boxes that persuade the target to execute malicious commands themselves, and its growing adoption suggests it may become a more common tool among state-sponsored actors. Although initial usage was observed as isolated events, groups like TA427 (North Korea linked) may continue to refine and deploy ClickFix, indicating a likely trend toward broader experimentation among state-sponsored entities.

The adoption of the ClickFix social engineering technique by state-sponsored actors from North Korea, Iran, and Russia raises significant concerns for entities in the United Arab Emirates (UAE). The method, characterized by deceptive prompts urging targets to execute malicious PowerShell commands, indicates a sophisticated evolution in social engineering tactics that can be used in espionage and cyber-attack campaigns.

Recommendation: CPX Threat Intelligence Centre recommends the following measures:

· Implement regular security awareness training for employees, emphasizing the risk of social engineering techniques such as ClickFix.

· Strengthen email filtering systems to identify and block phishing emails that exhibit ClickFix characteristics.

· Employ robust security policies that require strict verification of any instruction to run scripts or commands, especially those found in unsolicited messages.

Reference: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix

Lumma Stealer Continues to Use Fake CAPTCHA to Target Global Entities

Risk Rating: High

Researchers at SecureList identified a Lumma Stealer campaign in which the infection is triggered by human interaction: a fake CAPTCHA page tricks the victim into executing a malicious command. The malware uses sophisticated tactics such as DLL sideloading and payload injection into legitimate software to avoid detection and steal sensitive data. Effective defense strategies must focus on early-stage detection to prevent this evolving threat from compromising both individuals and organizations.

The rise of Malware-as-a-Service (MaaS) has democratized access to sophisticated malware, posing significant threats to individuals and entities in the United Arab Emirates (UAE). Lumma Stealer represents a particularly concerning development with its versatile and intricate methods of infection and data exfiltration. Its use of common distribution vectors like phishing, exploit kits, and social engineering, as well as its complex multi-layered infection chains, allows Lumma to stealthily compromise systems and harvest sensitive information. This rapidly expanding threat increases the risk of data breaches and subsequent exploitation by advanced cybercriminal entities, potentially leading to widespread financial and reputational damage.

Recommendation: CPX Threat Intelligence Centre recommends the following measures:

· Implement comprehensive user awareness training to educate employees about the dangers of phishing emails and fake CAPTCHA scams, ensuring they are better equipped to recognize these threats.

· Utilize advanced endpoint protection tools that can identify and mitigate the execution of unauthorized scripts, such as those delivered via PowerShell commands or obfuscated JavaScript.

· Set policies to restrict the execution of unauthorized applications and scripts, employing application whitelisting to ensure only approved software can run on the network.
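Both the ClickFix lures described above and the Lumma fake-CAPTCHA campaign depend on the victim pasting and running a command themselves. The following hunting script is an added example, not part of this advisory or of the Proofpoint or SecureList research; it assumes the lure has the victim paste the command into the Windows Run dialog (Win+R), whose history Explorer keeps in the RunMRU registry key, and the pattern list is a constructed starting point, not a vetted signature.

```powershell
# Added example (not from the advisory or the cited research): hunt the
# Windows Run-dialog history (RunMRU) of every loaded user hive for pasted
# commands typical of a ClickFix / fake-CAPTCHA lure. Assumption: the lure
# asks the victim to paste into Win+R; Explorer keeps those entries afterwards.
$Patterns = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c', 'curl\s', 'iwr\s',
    'Invoke-WebRequest', '\biex\b', 'Invoke-Expression', '-enc', 'FromBase64String',
    'WindowStyle\s+Hidden', 'ExecutionPolicy\s+Bypass'
)
$Regex = $Patterns -join '|'

function Get-RunMruHits {
    # Returns one object per suspicious RunMRU entry found under HKEY_USERS.
    $hits = @()
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    $skip = @('MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
        $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $skip) { continue }
            # Explorer stores each entry as "<command>\1"; strip the trailing marker.
            $cmd = ([string]$p.Value) -replace '\\1$', ''
            if ($cmd -match $Regex) {
                $hits += [pscustomobject]@{ User = $hive.PSChildName; Slot = $p.Name; Command = $cmd }
            }
        }
    }
    return $hits
}

$findings = Get-RunMruHits
if ($findings) {
    Write-Warning "Possible ClickFix execution via the Run dialog; review these entries:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No suspicious RunMRU entries found."
}
```

Run it from an elevated PowerShell session so that all loaded user hives under HKEY_USERS are readable; a hit is a lead for triage (check PowerShell operational logs and EDR telemetry for the same time window), not proof of compromise on its own.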

Reference: https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/

Phishing Campaign Delivers Multi-Layered Agent Tesla Malware

Risk Rating: High

Researchers at Palo Alto Networks Unit 42 uncovered a sophisticated multi-layered attack chain delivering malware such as ‘Agent Tesla’, ‘Remcos RAT’, and ‘XLoader’. The campaign has been active since December 2024 and relies on complex execution paths, including JavaScript, PowerShell, and either .NET or AutoIt compiled executables, to evade detection and ensure successful payload deployment. The campaign uses phishing to deliver the malware; threat actors increasingly use intricate delivery methods to avoid detection, circumvent traditional sandboxes, and guarantee the successful deployment and execution of their payloads.

The use of Agent Tesla variants, Remcos RAT, and XLoader, together with deceptive phishing emails resembling order release requests, suggests a heightened level of complexity and persistence aimed at bypassing conventional detection methods, and poses a significant risk to entities in the United Arab Emirates (UAE).

Recommendation: CPX Threat Intelligence Centre recommends the following measures:

· Implement advanced email filtering systems to identify and block deceptive phishing emails containing malicious attachments.

· Regularly update intrusion detection and prevention systems to recognize and mitigate multi-layered attack chains and their variants.

· Conduct ongoing employee training to improve awareness and recognition of phishing attempts and other social engineering tactics.

Reference: https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/

Potential Exploitation of High Severity Flaw in SonicWall SMA Appliances – Immediate Patch Recommended

Risk Rating: High

SonicWall has released an updated advisory for a previously disclosed high-severity vulnerability affecting Secure Mobile Access (SMA) 100 series appliances. The flaw, first disclosed and patched in September 2021 and tracked as CVE-2021-20035 (CVSS: 7.8), is an ‘OS Command Injection’ vulnerability in the SMA100 management interface that allows a remote authenticated attacker to inject arbitrary commands as the 'nobody' user, potentially leading to Denial of Service (DoS).

The SonicWall PSIRT team has revised the bulletin to acknowledge that this vulnerability is potentially being exploited in the wild. Researchers at Arctic Wolf are tracking an ongoing VPN credential access campaign targeting SMA 100 series appliances, starting as early as January 2025 and extending into April 2025.

Successful exploitation of the vulnerability could allow a remote authenticated threat actor to inject arbitrary commands, establish persistence, and widen the scope of the attack.

Affected Products: SMA 100 Series versions 10.2.1.0-17sv and earlier, 10.2.0.7-34sv and earlier, 9.0.0.10-28sv and earlier.

Recommendation: At the time of writing, there are reports of active exploitation of the vulnerability, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. CPX Threat Intelligence Centre therefore recommends that customers act quickly and apply the patches to mitigate any potential threats.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20035, https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022, https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devices-potentially-linked-to-exploitation-of-cve-2021-20035/, https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog

Iran-nexus Adversary UNC2428 distributes MURKYTOUR Malware through Rafael Job Scam

Risk Rating: High

Mandiant released its M-Trends 2025 report, which uncovers activity from an Iran-nexus threat actor known as ‘UNC2428’. The threat actor engaged in a sophisticated cyber espionage campaign, using social engineering to distribute the ‘MURKYTOUR’ backdoor. The campaign impersonated the Israeli defence contractor Rafael, luring targets with a bogus recruitment opportunity. Victims were directed to download an installer, which covertly deployed malware while collecting personal information.

UNC2428’s cyber espionage activities, particularly the distribution of the MURKYTOUR backdoor, could have a significant impact on individuals and entities in the United Arab Emirates (UAE).

Recommendations: CPX Threat Intelligence Centre recommends the following measures:

· Implement advanced email filtering systems to identify and block deceptive phishing emails containing malicious attachments.

· Regularly update intrusion detection and prevention systems to recognize and mitigate multi-layered attack chains and their variants.

· Conduct ongoing employee training to improve awareness and recognition of phishing attempts and other social engineering tactics.

Reference: https://services.google.com/fh/files/misc/m-trends-2025-en.pdf

WinZip MotW Bypass Flaw Exposes Users to Silent Code Execution – No Patch Available, Follow Workaround

Risk Rating: Elevated

A high-severity vulnerability has been discovered in WinZip. The flaw, tracked as CVE-2025-33028 (CVSS: 7.8), is a ‘Mark-of-the-Web (MotW) Bypass’ vulnerability that allows threat actors to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. The specific flaw exists within the handling of archived files: when extracting files from a crafted archive that bears the Mark-of-the-Web, WinZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.

Successful exploitation of the vulnerability could lead to:

1. Arbitrary Code Execution: Attackers can execute malicious code on the victim's system.

2. Privilege Escalation: Malicious payloads may run with the user's privileges.

3. Information Disclosure: Sensitive data on the compromised system may be accessed or exfiltrated.

Affected Products: WinZip versions up to 29.0 (or subscription version 76.9).

Recommendation: At the time of writing, no official fix has been released by WinZip. CPX Threat Intelligence Centre strongly urges users to follow the workaround below until a patch is available:

· Avoid extracting untrusted archives with WinZip.

· Use alternative archive tools (e.g., Windows’ built-in extractor) that correctly propagate MotW tags.

· Educate users about the risks of opening files from untrusted sources and the current WinZip vulnerability.

· Monitor for updates from WinZip and apply patches promptly once available.
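To verify that whichever extraction tool is in use actually propagates the Mark-of-the-Web (the behaviour the second workaround item relies on), the following check is an added example, not from the advisory or from WinZip. It assumes the caller supplies the path of the downloaded archive and the directory it was extracted into, and reads the MotW from the Zone.Identifier alternate data stream that Windows uses to store it.

```powershell
# Added example (not from the advisory or from WinZip): after extracting an
# archive, confirm every extracted file still carries the Mark-of-the-Web.
# Assumes the caller supplies the archive path and the extraction directory.
param(
    [Parameter(Mandatory)][string]$ArchivePath,
    [Parameter(Mandatory)][string]$ExtractDir
)

function Get-ZoneId {
    # MotW is stored in the Zone.Identifier alternate data stream as "ZoneId=N".
    # Returns $null when the stream is absent (file is treated as local/trusted).
    param([string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$archiveZone = Get-ZoneId $ArchivePath
# ZoneId 3 = Internet, 4 = Restricted Sites; lower zones do not trigger MotW protections.
if ($null -eq $archiveZone -or $archiveZone -lt 3) {
    Write-Output "Archive carries no Internet MotW (ZoneId=$archiveZone); nothing to propagate."
    return
}

# Any extracted file with no stream, or a less restrictive zone, lost the mark.
$missing = @(Get-ChildItem -LiteralPath $ExtractDir -File -Recurse | Where-Object {
    $zone = Get-ZoneId $_.FullName
    ($null -eq $zone) -or ($zone -lt $archiveZone)
})

if ($missing.Count -eq 0) {
    Write-Output "OK: all extracted files carry MotW ZoneId $archiveZone."
} else {
    Write-Warning "MotW was NOT propagated to $($missing.Count) extracted file(s):"
    $missing | ForEach-Object { Write-Warning "  $($_.FullName)" }
    # Re-apply the mark so SmartScreen and Office Protected View treat the files as untrusted.
    $missing | ForEach-Object {
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$archiveZone"
    }
    Write-Output "Re-applied ZoneId=$archiveZone to the affected files."
}
```

The check only works on NTFS volumes, since alternate data streams are not preserved on FAT/exFAT or most network shares; a tool that passes this check for a test archive downloaded from the internet is one that "correctly propagates MotW tags" in the sense of the workaround.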

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-33028, https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20(WinZip)/CVE-2025-33028.md, https://kb.winzip.com/help/help_whatsnew.htm

We hope the insights and recommendations help you to stay ahead of potential threats and enhance your organization's cybersecurity posture. Remember, staying informed and proactive is key to defending against ever-evolving cyber threats. If you have any questions or need further assistance, don't hesitate to reach out to our Threat Intelligence Centre (tic[@]cpx[.]net).

Stay safe and secure, and we'll see you in next week's edition!

Note: The risk ratings assigned to each threat are based on comprehensive threat intelligence analysis and our threat intelligence team's visibility. These ratings are intended to prioritize response efforts by focusing on the most significant threats to your security infrastructure.
