
Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.


Search Results: "explorer.exe"


CVE-2026-25880: CWE-426: Untrusted Search Path in sumatrapdfreader sumatrapdf

CVE-2026-25880 is a high-severity vulnerability in SumatraPDF versions 3.5.2 and earlier, involving an untrusted search path weakness (CWE-426). When a user opens a PDF and clicks File → “Show in folder”, the application executes a binary named explorer.exe located in the same directory as the PDF without proper validation. This allows an attacker to place a malicious executable in the PDF’s folder, leading to arbitrary code execution with the current user's privileges. Exploitation requires user interaction limited to clicking the menu option, with no additional warnings. The vulnerability affects Windows systems running vulnerable SumatraPDF versions. Although no known exploits are reported in the wild yet, the ease of exploitation and high impact on confidentiality, integrity, and availability make this a significant threat. European organizations using SumatraPDF on Windows should prioritize patching or mitigating this issue to prevent potential compromise.

Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response

Threat actors exploited Cloudflare's free-tier infrastructure and Python environments to deploy AsyncRAT, demonstrating advanced evasion techniques. The attack begins with phishing emails containing Dropbox links to malicious files. It uses legitimate Python downloads and sophisticated code injection targeting explorer.exe. The campaign ensures persistence through multiple vectors, including startup folder scripts and WebDAV mounting. It abuses trusted infrastructure like Cloudflare to mask activities and evade detection. The attackers employ social engineering tactics, such as displaying legitimate PDF documents, to reduce suspicion. This campaign highlights the trend of abusing cloud services for malware delivery and execution, emphasizing the need for multi-layered security approaches.

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

DarkComet RAT malware has resurfaced disguised as a fake Bitcoin-related tool, distributed via a RAR archive containing a UPX-packed executable. Upon execution, it installs itself as 'explorer.exe' in the user's AppData folder and establishes persistence through a registry run key. The malware communicates with its command and control server at kvejo991.ddns.net on port 1604. It performs keylogging, storing captured keystrokes in a dedicated folder, and uses process injection into notepad.exe to evade detection. The malware also spawns multiple cmd.exe and conhost.

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

A new two-stage malware named LeakyInjector and LeakyStealer has been identified, targeting cryptocurrency wallets and browser history. LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine to modify its memory area at runtime. Both stages were signed with valid Extended Validation certificates. The malware performs reconnaissance on infected machines, targeting multiple crypto wallets, including browser extensions, and searches for browser history files from various browsers. It establishes persistence through registry manipulation and beacons to the C2 server at regular intervals. The malware exfiltrates sensitive data and can execute additional commands received from the C2 server.

CVE-2025-53394

Paramount Macrium Reflect through 2025-06-26 allows attackers to execute arbitrary code with administrator privileges via a crafted .mrimgx or .mrbax backup file and a renamed executable placed in the same directory. When a user with administrative privileges opens the crafted backup file and proceeds to mount it, Reflect launches the renamed executable (e.g., explorer.exe), which is under attacker control. This occurs because of insufficient validation of companion files referenced during backup mounting.
