A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, persistence establishment, and cryptomining execution. The malware targets diverse countries, including Russia, Belgium, Greece, and China. It disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files for continued operation. Despite its simple, unobfuscated nature, the malware proved effective in avoiding detection.

AlienVault OTX General

Detailed information about Digging Gold with a Spoon – Resurgence of Monero-mining Malware. Get real-time updates, technical details, and mitigation strategies.

Digging Gold with a Spoon – Resurgence of Monero-mining Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

The kernel driver, accessible to low-privileged users, exposes a function that fails to properly validate the privileges of the calling process. This allows creating files at arbitrary locations with full user control, ultimately allowing for privilege escalation to SYSTEM.

CVE-2025-1865 is a high-severity privilege escalation vulnerability found in the kernel driver component of Elaborate Bytes AG's Virtual CloneDrive software. The vulnerability arises because the kernel driver exposes a function accessible to low-privileged users that does not properly validate the privileges of the calling process. Specifically, this function allows the creation of files at arbitrary locations on the filesystem with full user control. By exploiting this flaw, an attacker with limited privileges can create or overwrite files in sensitive system locations, ultimately enabling them to escalate their privileges to SYSTEM level on Windows operating systems. The vulnerability is classified under CWE-284, which pertains to improper access control. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no requirement for user interaction. The attack vector is local (AV:L), meaning the attacker must have local access with limited privileges. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. The vulnerability affects version 0 of Virtual CloneDrive, which likely indicates all current versions up to the disclosure date. Since Virtual CloneDrive is a widely used virtual drive emulator on Windows, this vulnerability poses a significant risk to affected systems, especially in environments where users have local access but should not have elevated privileges.

CVE Database V5

Detailed information about CVE-2025-1865: CWE-284 in Elaborate Bytes AG Virtual CloneDrive affecting Elaborate Bytes AG Virtual CloneDrive. Get real-time update

CVE-2025-1865: CWE-284 in Elaborate Bytes AG Virtual CloneDrive - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-1865: CWE-284 in Elaborate Bytes AG Virtual CloneDrive

A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /panel/admin-profile.php of the component Admin Profile Page. The manipulation of the argument Admin Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7144 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the SourceCodester Best Salon Management System, specifically within the /panel/admin-profile.php file that handles the Admin Profile Page. The vulnerability arises from improper sanitization or validation of the 'Admin Name' parameter, which can be manipulated remotely by an attacker to inject malicious scripts. This type of vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. The CVSS 4.0 vector indicates that the attack can be performed remotely without authentication (AV:N), requires low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:P). The impact on confidentiality is none (VC:N), on integrity is low (VI:L), and availability is none (VA:N). The vulnerability does not affect system confidentiality or availability but can lead to limited integrity issues, such as session hijacking, defacement, or redirection to malicious sites. Although no public exploits are currently known in the wild, the exploit details have been disclosed, increasing the risk of exploitation. The vulnerability is classified as medium severity with a CVSS score of 4.8. Since the affected product is a niche salon management system, the attack surface is limited to organizations using this specific software version. However, the vulnerability could be leveraged to compromise administrative accounts or manipulate administrative functions if exploited successfully.

Detailed information about CVE-2025-7144: Cross Site Scripting in SourceCodester Best Salon Management System affecting SourceCodester Best Salon Management Sys

CVE-2025-7144: Cross Site Scripting in SourceCodester Best Salon Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7144: Cross Site Scripting in SourceCodester Best Salon Management System

Employee gets $920 for credentials used in $140 million bank heist

Source: https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist/

This security incident involves an employee whose credentials were used in a massive $140 million bank heist, for which the employee received only $920. The event highlights a significant insider threat or credential compromise scenario where legitimate access was leveraged to conduct a large-scale financial fraud. Although specific technical details such as the attack vector, exploited vulnerabilities, or the exact method of credential compromise are not provided, the incident underscores the critical risk posed by compromised or malicious insider credentials in high-value financial environments. The attack likely involved unauthorized access to banking systems or transaction platforms, enabling the perpetrators to execute fraudulent transfers or withdrawals amounting to $140 million. The employee's relatively small payout suggests either a coercion or a minor accomplice role, or possibly that the credentials were sold or leaked without full knowledge of the ensuing fraud. The lack of known exploits or patches indicates this is more of a threat actor exploitation of existing access rather than a software vulnerability. The minimal discussion and low Reddit score imply limited public technical discourse, but the high severity rating and newsworthiness from a trusted source confirm the incident's significance. This case exemplifies the dangers of credential theft, insider threats, and the need for robust identity and access management controls in financial institutions.

Reddit InfoSec News

Detailed information about Employee gets $920 for credentials used in $140 million bank heist. Get real-time updates, technical details, and mitigation strategi

Employee gets $920 for credentials used in $140 million bank heist - Live Threat Intelligence - Threat Radar | OffSeq.com

Employee gets $920 for credentials used in $140 million bank heist

Reddit Discussion: Employee gets $920 for credentials used in $140 million bank heist

A vulnerability has been found in CodeAstro Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument uname leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7147: SQL Injection in CodeAstro Patient Record Management System affecting CodeAstro Patient Record Management System. Get 

CVE-2025-7147: SQL Injection in CodeAstro Patient Record Management System

CVE-2025-7147: SQL Injection in CodeAstro Patient Record Management System

Description

Technical Details

Related Threats

CVE-2025-1865: CWE-284 in Elaborate Bytes AG Virtual CloneDrive

CVE-2025-7144: Cross Site Scripting in SourceCodester Best Salon Management System

CVE-2025-7143: Cross Site Scripting in SourceCodester Best Salon Management System

CVE-2025-53543: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kestra-io kestra

CVE-2025-53540: CWE-352: Cross-Site Request Forgery (CSRF) in espressif arduino-esp32

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility