This week’s threat intelligence highlights the sophisticated evolution of adversary tactics, where attackers are moving beyond simple malware to exploit legitimate software and virtualisation features for evasion.
We cover a novel technique using Windows Hyper-V to bypass EDR, a critical confirmation that a SonicWall cloud breach was linked to state sponsored actors and a highly exploitable WordPress flaw that puts over 400,000 sites at risk of takeover.
For strategic and resilient organisations, the lesson is clear: security must be layered, extending beyond the endpoint to cover the supply chain, cloud backups and third party risk.
1. Advanced Evasion & State Sponsored Threats
Hackers Weaponise Windows Hyper-V to Hide Linux VM and Evade EDR Detection
A threat actor known as Curly COMrades has developed a novel method to bypass traditional Endpoint Detection and Response (EDR) solutions by exploiting Windows’ native virtualisation technology.
The adversary enables the Hyper-V role on victim systems to deploy a hidden, minimalistic, Alpine Linux-based Virtual Machine (VM). This lightweight environment is used to host their custom reverse shell (CurlyShell) and a reverse proxy (CurlCat), allowing the attackers to establish long-term, persistent remote access and execute encrypted commands.
By isolating the malware and its execution environment within a VM, the threat actors effectively bypass many host-based EDR detections.
Our Take: Defenders must eliminate their blind spots.
This Hyper-V technique is a major strategic shift, turning native OS features into evasion tools. Organisations should focus on host integrity monitoring and leveraging advanced behavioral analytics that can spot the deployment of unauthorised virtualisation layers, even if the tools within the VM are invisible to standard EDR.
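The host integrity monitoring described above can start with process creation telemetry: the ordinary administrative commands that enable the Hyper-V role, turn the hypervisor on at boot and create or start a VM are exactly the actions a workstation with no approved virtualisation use should never perform. The triage logic below is an added example, not code from the original post or from the researchers who documented the Curly COMrades activity. The event records are constructed, the Sysmon-style "host / user / image / command line" layout is an assumption rather than a specific product's schema, and the approved-host list stands in for whatever inventory of legitimate VM hosts an organisation keeps.

```python
"""Triage process-creation events for signs that a virtualisation layer is
being stood up on a host where none is approved (added example; constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


# Command-line patterns for enabling the Hyper-V role, enabling the hypervisor
# at boot, and VM lifecycle cmdlets. These are normal admin commands; the signal
# is their appearance on a host with no approved virtualisation use.
INDICATORS = {
    "hyperv_feature_enable": re.compile(
        r"(enable-windowsoptionalfeature.*microsoft-hyper-v"
        r"|dism(\.exe)?.*?/enable-feature.*?microsoft-hyper-v"
        r"|install-windowsfeature.*hyper-v)", re.I),
    "hypervisor_boot_enable": re.compile(
        r"bcdedit(\.exe)?.*hypervisorlaunchtype\s+auto", re.I),
    "vm_lifecycle": re.compile(
        r"\b(new-vm|start-vm|import-vm|set-vmfirmware|add-vmharddiskdrive)\b", re.I),
}


def classify(event: ProcessEvent) -> list:
    """Return the indicator names matched by one event (empty list if benign)."""
    return [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]


def triage(events, approved_hosts=frozenset()) -> dict:
    """Group indicator hits per host and score them.

    A host showing more than one stage of the chain (enable the role, enable the
    hypervisor, create a VM) is scored 'high'; a single hit is 'medium'. Hosts on
    the approved list (e.g. developer VM hosts) are skipped entirely.
    """
    findings = {}
    for ev in events:
        if ev.host in approved_hosts:
            continue
        for name in classify(ev):
            findings.setdefault(ev.host, set()).add(name)
    return {
        host: {"indicators": sorted(names),
               "severity": "high" if len(names) > 1 else "medium"}
        for host, names in findings.items()
    }


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (hypothetical hosts and users, not from a real incident).
SAMPLE_EVENTS = [
    ProcessEvent("WS-FIN-07", "CORP\\jdoe", "C:\\Windows\\System32\\dism.exe",
                 "dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart"),
    ProcessEvent("WS-FIN-07", "CORP\\jdoe", "C:\\Windows\\System32\\bcdedit.exe",
                 "bcdedit /set hypervisorlaunchtype auto"),
    ProcessEvent("WS-FIN-07", "CORP\\jdoe", PS,
                 'powershell -nop -c "New-VM -Name svc -MemoryStartupBytes 256MB -Generation 2"'),
    ProcessEvent("DEV-BUILD-02", "CORP\\build", PS,
                 "powershell -c Start-VM -Name ci-runner"),
    ProcessEvent("WS-HR-03", "CORP\\asmith", "C:\\Windows\\System32\\notepad.exe",
                 "notepad.exe C:\\Users\\asmith\\notes.txt"),
]


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS, approved_hosts={"DEV-BUILD-02"}).items():
        print(host, finding["severity"], ", ".join(finding["indicators"]))
```

Command-line matching is only the first layer; pairing it with a periodic inventory of enabled optional features and registered VMs per host catches the same drift when the enabling command was not logged.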
SonicWall Confirms State Sponsored Hackers Behind Cloud Backup Breach
SonicWall formally confirmed that the security breach in September, which resulted in the unauthorised exposure of firewall configuration backup files, was carried out by state sponsored threat actors.
The company noted the malicious activity was isolated to unauthorised access of cloud backup files from a specific cloud environment using an API call. While the breach affected firewall configuration backup files for less than 5% of its customers and did not compromise core products, this incident highlights the persistent risk posed by highly resourced nation states targeting critical vendors’ third party cloud environments.
Our Take: Zero Trust for Cloud to Cloud Integration is Vital.
This is a supply chain attack disguised as a data breach. Clients must enforce rigorous access control and continuous monitoring over all cloud APIs used by vendors, regardless of the vendor’s reputation. Ensure secrets are vaulted and that monitoring covers configuration file access in all backup environments.
2. Vulnerabilities & Exploitation
Critical Site Takeover Flaw Affects 400,000 WordPress Sites
A critical vulnerability allowing Account Takeover via Email Log Disclosure has been discovered and is now being actively exploited in the Post SMTP WordPress plugin, which has over 400,000 active installations.
The flaw allows an unauthenticated attacker to view logged emails, including password reset emails for any user, even an administrator, due to a missing capability check. By retrieving the password reset link from the logs, attackers can achieve a complete site compromise.
The vulnerability has been addressed in version 3.6.1, and users are strongly urged to update immediately.
Our Take: Patching is Paramount for External Assets.
Vulnerabilities in widely used third party applications like WordPress plugins remain the easiest path to site takeover.
Prioritise the immediate update of the Post SMTP plugin to version 3.6.1.
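The bug class behind the Post SMTP advisory is a log viewer whose route lacks an authorisation check, so the stored password reset email is readable by anyone. The model below is an added example, not the plugin's code, and is written in Python rather than PHP to mirror the WordPress pattern of a route whose permission callback decides who may read the logs. The User and Request classes, the requirement for the manage_options capability, and the sample log entries (including the placeholder reset key) are constructed for illustration; the hardened version also redacts live reset tokens from stored mail bodies as defence in depth.

```python
"""Email-log viewer: missing capability check beside its hardened form
(added example; constructed data, not the plugin's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    name: str
    capabilities: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    user: Optional[User]  # None means an unauthenticated visitor


@dataclass(frozen=True)
class EmailLogEntry:
    to: str
    subject: str
    body: str


# Constructed sample log: it contains a password reset message for the site
# administrator, which is what the disclosed attack retrieves.
EMAIL_LOG = [
    EmailLogEntry("admin@example.test", "Password Reset Request",
                  "Visit https://example.test/wp-login.php?action=rp&key=EXAMPLEKEY123&login=admin"),
    EmailLogEntry("user@example.test", "Welcome", "Thanks for signing up."),
]


class Forbidden(Exception):
    """Raised where a WordPress REST route would return rest_forbidden (403)."""


def view_logs_vulnerable(req: Request) -> List[EmailLogEntry]:
    """Missing capability check: every caller, logged in or not, gets every entry."""
    return list(EMAIL_LOG)


def permission_callback(req: Request) -> bool:
    """Run before the handler: require an authenticated user holding the
    admin-level capability (manage_options is used here as the required one)."""
    return req.user is not None and "manage_options" in req.user.capabilities


RESET_KEY = re.compile(r"([?&]key=)[^&\s]+")


def redact(entry: EmailLogEntry) -> EmailLogEntry:
    """Strip reset keys from stored bodies so even an authorised viewer does not
    see a usable token."""
    return EmailLogEntry(entry.to, entry.subject, RESET_KEY.sub(r"\1[REDACTED]", entry.body))


def view_logs_hardened(req: Request) -> List[EmailLogEntry]:
    """Authorisation first, then return redacted entries."""
    if not permission_callback(req):
        raise Forbidden("rest_forbidden")
    return [redact(e) for e in EMAIL_LOG]


if __name__ == "__main__":
    anonymous = Request(None)
    print("vulnerable, anonymous:", view_logs_vulnerable(anonymous)[0].body)
    try:
        view_logs_hardened(anonymous)
    except Forbidden as exc:
        print("hardened, anonymous:", exc)
    admin = Request(User("admin", frozenset({"manage_options"})))
    print("hardened, admin:", view_logs_hardened(admin)[0].body)
```

The capability check is the fix that closes the disclosure; the redaction is there because logging tools tend to outlive their access controls, and a reset token that was never stored cannot be leaked later.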
Project Zero Discloses Technique to Defeat Linux KASLR by Exploiting Static Kernel Mapping
Google Project Zero disclosed a technique to bypass Kernel Address Space Layout Randomisation (KASLR) on 64-bit Arm systems by exploiting the kernel’s design choice to use a static, non-randomised location for the direct map region.
KASLR is a critical defence, but the Linux kernel developers chose to disable randomisation of the linear map to preserve compatibility with the memory hot plugging feature.
This deliberate choice means that an attacker can predict the virtual address of certain kernel symbols, gaining a powerful exploitation primitive and severely weakening a key defensive mitigation against memory corruption attacks.
Our Take: Depth of Defence is Essential.
This discovery shows that architectural decisions made for performance or compatibility can negate security mitigations. While not immediately exploitable by general malware, this is a powerful technique for high end nation state actors targeting Linux based servers and Android devices.
Review your Linux hardening standards to compensate for weakened KASLR.
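A concrete place to start the hardening review is the set of sysctls that govern how much an unprivileged user can learn about kernel addresses. The audit below is an added example, not part of the Project Zero write-up or the original post. It does not restore randomisation of the arm64 direct map; it checks the settings that limit the other address leaks an attacker would need to combine with it. The minimum values are the commonly recommended hardening thresholds and are this example's choice, and the sample values fed to it are constructed.

```python
"""Audit kernel sysctls that limit kernel address disclosure to unprivileged users
(added example; thresholds are this example's choice, sample values constructed)."""
from pathlib import Path
from typing import Dict, List, Optional

# sysctl path relative to /proc/sys -> (minimum acceptable value, rationale)
CHECKS = {
    "kernel/kptr_restrict": (2, "hide %pK kernel pointers (e.g. /proc/kallsyms) from all users"),
    "kernel/dmesg_restrict": (1, "reading the kernel log requires CAP_SYSLOG"),
    "kernel/perf_event_paranoid": (2, "no unprivileged kernel profiling or sampling"),
    "kernel/unprivileged_bpf_disabled": (1, "unprivileged users cannot load BPF programs"),
}


def read_sysctls(base="/proc/sys") -> Dict[str, Optional[int]]:
    """Read every checked sysctl from a /proc/sys-like tree.
    A missing file (kernel built without the feature) is reported as None."""
    values = {}
    for rel in CHECKS:
        try:
            values[rel] = int((Path(base) / rel).read_text().strip())
        except (FileNotFoundError, ValueError):
            values[rel] = None
    return values


def evaluate(values: Dict[str, Optional[int]]) -> Dict[str, dict]:
    """Pure check: {sysctl: {"value", "required", "ok", "why"}}.
    An absent sysctl is treated as failing, since its protection is not in effect."""
    report = {}
    for rel, (minimum, why) in CHECKS.items():
        value = values.get(rel)
        report[rel] = {"value": value, "required": minimum,
                       "ok": value is not None and value >= minimum, "why": why}
    return report


def failing(report: Dict[str, dict]) -> List[str]:
    """Sorted list of sysctls that do not meet their minimum."""
    return sorted(rel for rel, r in report.items() if not r["ok"])


def audit(base="/proc/sys") -> Dict[str, dict]:
    """Read and evaluate the live system (or any tree laid out like /proc/sys)."""
    return evaluate(read_sysctls(base))


# Constructed sample: a typical desktop default where only kptr_restrict is set, to 1.
SAMPLE_DESKTOP = {
    "kernel/kptr_restrict": 1,
    "kernel/dmesg_restrict": 0,
    "kernel/perf_event_paranoid": 2,
    "kernel/unprivileged_bpf_disabled": 0,
}

if __name__ == "__main__":
    report = evaluate(SAMPLE_DESKTOP)
    for rel in failing(report):
        r = report[rel]
        print(f"FAIL {rel}: value={r['value']} required>={r['required']} ({r['why']})")
```

Running audit() on a live host reads the real /proc/sys tree; evaluate() is kept separate so the same rules can be applied to values collected by a configuration management or compliance tool.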
3. Supply Chain, Logistics and Resilience
Crooks Exploit RMM Software to Hijack Trucking Firms and Steal Cargo
Cybercriminals are actively targeting trucking and logistics firms by exploiting legitimate Remote Monitoring and Management (RMM) software to hijack cargo bids and steal physical goods. This threat cluster, active since at least June 2025, works directly with organised crime to compromise entities, particularly freight brokers, to loot high value shipments like food and beverages.
Attackers gain initial access via phishing campaigns that deliver RMM tools (like ScreenConnect and SimpleHelp), enabling them to take full machine control, perform credential harvesting and hijack freight in transit.
Our Take: Supply Chain Integrity is a Physical Risk.
This is a prime example of cyber capabilities leading to physical theft and disruption. Review the security of all RMM tools used across your logistics and IT teams, enforce strong Multi Factor Authentication (MFA) and conduct tailored social engineering training for staff who handle load boards and financial transactions.
Swedish IT Company Breach Exposes 1.5 Million Users
The Swedish Data Protection Authority (IMY) and the Prosecution Authority launched formal investigations into a significant data breach involving Miljödata, an IT company whose security lapse exposed the personal data of over 1.5 million individuals across multiple Swedish municipalities.
The incident, which was publicly confirmed and had data published on the Darknet this week, affected multiple Swedish municipalities and regional entities that relied on Miljödata’s services. This is a critical example of supply chain risk and regulatory accountability under GDPR, prompting an intense focus on technical security deficiencies and third party risk management by affected public sector bodies.
Our Take: Third Party Risk Management (TPRM) is Non Negotiable.
The regulatory and reputational fallout from a vendor breach (Miljödata) can be more severe than an internal one. Update your TPRM program to include continuous auditing of vendors who handle Personally Identifiable Information (PII) and ensure your contracts clearly define liability for security failures under GDPR.
ENISA Tests EU Wide Cyber Crisis Management in BlueOLEx 2025
The European Union Agency for Cybersecurity (ENISA) recently conducted the BlueOLEx 2025 exercise to test the preparedness and executive level cooperation of EU member states in responding to a large scale, cross border cybersecurity crisis.
Guided by the revised Cyber Blueprint, the exercise used a real life scenario to assess the effectiveness and operational cohesion of the European Cyber Crisis Liaison Organisation (EU-CyCLONe) network.
The goal was to ensure that national executives and EU bodies can effectively communicate, coordinate and act as one team under the pressure of a major cyber incident.
Our Take: Align Incident Response with EU Standards.
As the EU solidifies its crisis management framework, organisations operating in or with Europe must ensure their own Incident Response (IR) plans are compatible with ENISA’s and national CSIRT procedures.
Elevate Defence Beyond Conventional Endpoint Detection and Response
This week’s intelligence confirms a major challenge for cybersecurity leaders: adversaries are strategically operating in the blind spots of conventional security tools. The use of Hyper-V for EDR evasion and the highly targeted state sponsored breach of vendor cloud backups show that perimeter and endpoint defences alone are insufficient.
Secora Consulting’s services are strategically designed to counter these advanced threats:
- Advanced Evasion: Our Vulnerability Assessments and Red Teaming Services stress test your defences against novel evasion techniques like the Hyper-V trick, ensuring your monitoring is truly deep and behavioral.
- Third Party & Supply Chain Risk: The SonicWall and Miljödata breaches underscore the urgency of Third-Party Risk Management (TPRM). We provide Third Party Assurance Assessments designed to assist in reducing your exposure to supply chain failures and meet regulatory requirements (GDPR, DORA).
- Vulnerability Remediation: Our Vulnerability Management and Application Penetration Testing services can quickly assess critical flaws like the Post SMTP vulnerability, preventing costly site takeovers.
Contact us today to strengthen your security architecture and turn these threats into actionable defence strategy ⬇️