This Week's Headlines
- Free Online File Converters Spreading Malware Disguised as Useful Tools
- Windows 11 Update KB5051987 Causes Veeam Recovery Connection Errors
- Hackers Exploit ‘Atlantis AIO Multi-Checker’ for Credential Stuffing Across 140+ Platforms
- RedCurl Group Shifts from Espionage to Ransomware with QWCrypt Deployment
- Critical RCE Vulnerabilities Discovered in Ingress NGINX Controller for Kubernetes
- Over 150,000 Websites Compromised by JavaScript Supply Chain Attack
- Next.js Releases Patches for Vulnerability Affecting Middleware Authorisation
Free Online File Converters Spreading Malware Disguised as Useful Tools
Malwarebytes has issued a warning about a growing threat involving fake “free online file converters” that actually deliver malware. These deceptive websites trick users into downloading what appear to be helpful tools for converting files (e.g. PDF to Word and vice versa), but instead install malicious software.
The malware installed has the ability to steal sensitive data, install additional payloads, or give attackers remote access to infected machines.
These fraudulent converters often rank high in search results, increasing the likelihood of user interaction. Malwarebytes urges users to avoid downloading such tools from unverified sources and to rely on trusted, well-known services.
Windows 11 Update KB5051987 Causes Veeam Recovery Connection Errors
Following the installation of Windows 11 24H2 update KB5051987, users have encountered connection errors when attempting to restore data using Veeam Recovery Media.
This issue affects systems running build 26100.3194 or higher, leading to failures in establishing connections to Veeam Backup & Replication servers or SMB network shares.
Veeam and Microsoft are actively investigating the root cause, which is suspected to be linked to changes introduced in the recent update.
Users are advised to monitor official channels for updates and potential workarounds.
Hackers Exploit ‘Atlantis AIO Multi-Checker’ for Credential Stuffing Across 140+ Platforms
Cybercriminals are utilising the ‘Atlantis AIO Multi-Checker,’ an e-crime tool designed to automate credential stuffing attacks, enabling the rapid testing of millions of stolen credentials across more than 140 platforms.
This tool targets services including email providers like Hotmail, Yahoo, AOL, GMX, and Web.de, as well as e-commerce sites, streaming services, VPNs, financial institutions, and food delivery services. In addition to credential stuffing, Atlantis AIO can perform brute-force attacks against email platforms and automate account recovery processes for services like eBay and Yahoo.
Credential stuffing only works where a password leaked from one service is reused on another, so the recommended mitigations are strict password policies (including rejecting known-breached passwords) and phishing-resistant multi-factor authentication (MFA), which a valid stolen password alone cannot satisfy.
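Tools like Atlantis AIO leave a recognisable footprint in authentication logs: one source tries many different usernames, each once or twice, rather than hammering a single account. The following detection logic is an added example and is not part of the original article or of any vendor's product; it runs over a constructed sample log whose line format (timestamp, client IP, username, result) is an assumption, and reports sources that fail logins for many distinct usernames inside a short window together with any account that then succeeded from that source.

```javascript
// Added example (not from the original article): flag credential-stuffing
// activity in authentication logs. Unlike brute force, credential stuffing
// tries MANY DIFFERENT usernames from one source, each only once or twice,
// because the attacker already holds a leaked password for each account.
//
// Constructed sample log (not real data). Assumed line format:
//   <ISO-8601 timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
const SAMPLE_LOG = `
2025-03-24T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2025-03-24T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2025-03-24T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2025-03-24T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2025-03-24T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2025-03-24T10:00:04Z 203.0.113.7 frank LOGIN_OK
2025-03-24T10:05:00Z 198.51.100.9 alice LOGIN_FAIL
2025-03-24T10:05:30Z 198.51.100.9 alice LOGIN_FAIL
2025-03-24T10:06:00Z 198.51.100.9 alice LOGIN_OK
`;

function parseAuthLog(text) {
  return text
    .split('\n')
    .map((l) => l.trim())
    .filter(Boolean)
    .map((line) => {
      const [ts, ip, user, result] = line.split(/\s+/);
      return { ts: new Date(ts), ip, user, ok: result === 'LOGIN_OK' };
    });
}

// Per source IP, count distinct usernames that failed inside a sliding window.
// A source whose peak reaches `minDistinctUsers` is reported together with the
// usernames that later logged in successfully from it: those accounts are the
// likely compromises and the first thing to lock and rotate.
function detectCredentialStuffing(events, { windowMs = 60_000, minDistinctUsers = 5 } = {}) {
  const byIp = new Map();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }

  const findings = [];
  for (const [ip, evs] of byIp) {
    const fails = evs.filter((e) => !e.ok);
    const inWindow = new Map(); // username -> failures currently inside the window
    let left = 0;
    let peak = 0;
    for (let right = 0; right < fails.length; right++) {
      const u = fails[right].user;
      inWindow.set(u, (inWindow.get(u) || 0) + 1);
      // Advance the left edge until the window is at most windowMs wide.
      while (fails[right].ts - fails[left].ts > windowMs) {
        const lu = fails[left].user;
        const n = inWindow.get(lu) - 1;
        if (n === 0) inWindow.delete(lu); else inWindow.set(lu, n);
        left++;
      }
      peak = Math.max(peak, inWindow.size);
    }
    if (peak >= minDistinctUsers) {
      findings.push({
        ip,
        peakDistinctUsersInWindow: peak,
        totalFailedUsernames: new Set(fails.map((e) => e.user)).size,
        successfulLogins: [...new Set(evs.filter((e) => e.ok).map((e) => e.user))],
      });
    }
  }
  return findings;
}

// 203.0.113.7 is flagged (5 usernames in 3 seconds, then "frank" succeeds);
// 198.51.100.9 is a single user retrying their own password and is not.
console.log(JSON.stringify(detectCredentialStuffing(parseAuthLog(SAMPLE_LOG)), null, 2));
```

The threshold and window are deliberately parameters: a shared NAT or corporate proxy will legitimately produce several distinct usernames per minute, so tune them against a baseline of your own traffic before alerting on the result.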
RedCurl Group Shifts from Espionage to Ransomware with QWCrypt Deployment
The Russian-speaking hacking group RedCurl, historically known for corporate espionage, has been linked to its first ransomware campaign involving a new strain dubbed QWCrypt.
According to Bitdefender, RedCurl utilised spear-phishing emails with ISO file attachments disguised as CVs to initiate the attack.
The ISO files contained a legitimate, signed Adobe executable susceptible to DLL side-loading; when run, it loaded a malicious DLL placed alongside it, which established persistence via scheduled tasks. This backdoor facilitated lateral movement within the network, culminating in the deployment of QWCrypt ransomware.
Notably, the ransomware employed the ‘bring your own vulnerable driver’ (BYOVD) technique to disable endpoint security software, and its ransom note drew inspiration from groups like LockBit and HardBit.
Critical RCE Vulnerabilities Discovered in Ingress NGINX Controller for Kubernetes
Wiz Research has identified multiple unauthenticated remote code execution (RCE) vulnerabilities, collectively termed ‘IngressNightmare,’ in the Ingress NGINX Controller for Kubernetes.
These vulnerabilities, assigned CVSS v3.1 base scores of 9.8, stem from flaws in the admission controller component, which validates incoming Ingress objects and is reachable over the network without authentication. A crafted Ingress object lets an attacker inject arbitrary NGINX configuration directives, which the controller then loads, giving code execution inside the controller pod.
Because the controller's service account can read Secrets in every namespace, successful exploitation gives unauthorised access to all secrets across all namespaces, potentially resulting in full cluster compromise.
Approximately 43% of cloud environments are vulnerable, with over 6,500 clusters, including those of Fortune 500 companies, exposing susceptible admission controllers to the public internet. Administrators are strongly advised to apply the latest patches and to restrict network access to the admission webhook, which only the Kubernetes API server needs to reach.
Over 150,000 Websites Compromised by JavaScript Supply Chain Attack
A massive JavaScript supply chain attack has compromised over 150,000 websites through a tampered version of the popular Polyfill.io service.
Threat actors injected malicious code into the polyfill.js library, which sites embedded to provide modern JavaScript features on older browsers. The compromised script redirected visitors to malicious and scam sites, impacting organisations across various industries.
The attackers exploited the trust placed in CDN-hosted libraries by altering the script to load harmful content dynamically. Security experts urge developers to self-host scripts or vet third-party dependencies rigorously.
This incident underscores the growing risks in software supply chains and highlights the urgent need for secure dependency management.
Next.js Releases Patches for Vulnerability Affecting Middleware Authorisation
Next.js has released version 15.2.3 to address a security vulnerability identified as CVE-2025-29927.
This flaw allowed attackers to bypass Middleware entirely, skipping any authorisation checks implemented there, in self-hosted deployments using next start with output: 'standalone'.
The issue has been patched in versions 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Administrators are advised to update immediately to the patched release for the major version they run; older lines that are not listed receive no fix.
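Both this item and the Ingress NGINX item above come down to the same check: is the installed release at or above the minimum patched release for its release line? The Node script below is an added example, not code from the Next.js or ingress-nginx projects. The Next.js fixed versions are the four listed in this summary; the ingress-nginx fixed versions (v1.12.1 and v1.11.5) are taken from the upstream fix release and should be confirmed against the project's advisory. The inventory it evaluates is constructed, and the kubectl and npm commands in the comments are only suggestions for where the real values come from.

```javascript
// Added example (not from the original article): decide whether an installed
// release is at or above the minimum patched release for its release line.
// Serves the two "patch now" items above: the ingress-nginx controller image
// tag (IngressNightmare) and the self-hosted Next.js package (CVE-2025-29927).
const FIXED_VERSIONS = {
  // Next.js: the patched releases listed in the advisory summarised above.
  next: ['15.2.3', '14.2.25', '13.5.9', '12.3.5'],
  // ingress-nginx: IngressNightmare fixes shipped in v1.12.1 and v1.11.5 per the
  // upstream fix release; confirm against the project's advisory before relying on this.
  'ingress-nginx': ['1.12.1', '1.11.5'],
};

// Accepts "1.2.3", "v1.2.3" and tags with suffixes such as "v1.2.3-rc1".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Choose the fixed release for the installed release line: same major, and the
// same minor where the project maintains several minor lines (ingress-nginx
// 1.11 and 1.12). With no fix for that major the caller must check manually.
// Returns { status: 'patched' | 'vulnerable' | 'unknown-line', fixedIn }.
function checkVersion(component, installed) {
  const fixes = FIXED_VERSIONS[component];
  if (!fixes) throw new Error(`no fix data for component: ${component}`);
  const [major, minor] = parseVersion(installed);
  const sameMajor = fixes.filter((f) => parseVersion(f)[0] === major);
  if (sameMajor.length === 0) return { status: 'unknown-line', fixedIn: null };
  const sameMinor = sameMajor.filter((f) => parseVersion(f)[1] === minor);
  const candidates = (sameMinor.length ? sameMinor : sameMajor).slice().sort(compareVersions);
  const fixedIn = candidates[candidates.length - 1];
  const status = compareVersions(installed, fixedIn) >= 0 ? 'patched' : 'vulnerable';
  return { status, fixedIn };
}

// Extract the tag from an image reference such as
// registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...; null if untagged.
// The last path segment is used so a registry port (host:5000/...) is not mistaken for a tag.
function tagFromImageRef(imageRef) {
  const withoutDigest = imageRef.split('@')[0];
  const lastSegment = withoutDigest.slice(withoutDigest.lastIndexOf('/') + 1);
  const colon = lastSegment.indexOf(':');
  return colon < 0 ? null : lastSegment.slice(colon + 1);
}

// Constructed inventory. In practice the values come from, for example,
//   kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}'
//   npm ls next --json
const INVENTORY = [
  { component: 'ingress-nginx', installed: tagFromImageRef('registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000') },
  { component: 'next', installed: '14.2.24' },
];
for (const item of INVENTORY) {
  console.log(item.component, item.installed, checkVersion(item.component, item.installed));
}
```

An image tagged only `latest` (or one pinned solely by digest) yields no tag, so the check cannot say anything about it; resolve the digest to a release before trusting a "patched" verdict.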
If you’re ready to chat about how we can help protect your business from cyber threats, contact us using the form below 👇.