Posts

Showing posts with the label VPN

The VPN You Shouldn’t Have Downloaded

Source: The Hacker News. A sophisticated malware campaign has emerged, leveraging counterfeit VPN and browser installers to deploy Winos 4.0, a stealthy remote access trojan (RAT). Disguised as legitimate applications like LetsVPN and QQBrowser, these trojanized installers exploit the Nullsoft Scriptable Install System (NSIS) to execute a multi-stage, in-memory attack sequence. [2,4] The infection chain initiates with the Catena loader, a memory-resident component that employs shellcode embedded in .ini files and reflective DLL injection to evade traditional antivirus detection. This loader orchestrates the deployment of Winos 4.0, a modular malware framework capable of data exfiltration, remote shell access, and distributed denial-of-service (DDoS) attacks. [2] Notably, the malware exhibits region-specific targeting, primarily focusing on Chinese-speaking users. It checks for Chinese language settings on infected systems, although this filter is not strictly enforced, indicating po...

Palo Alto GlobalProtect VPN Flaw Exposes Systems to Remote Code Execution

A newly disclosed vulnerability in Palo Alto Networks' GlobalProtect VPN solution exposes organizations to phishing and credential theft campaigns via a reflected cross-site scripting (XSS) attack. The flaw, tracked as CVE-2025-0133, affects the GlobalProtect gateway and portal features in multiple versions of PAN-OS, and was identified by XBOW researchers. Vulnerability Overview: This reflected XSS vulnerability allows execution of malicious JavaScript in the browser sessions of authenticated Captive Portal users when they are tricked into clicking specially crafted links. While it carries a low CVSS base score (2.0) under default configurations, the risk escalates to medium severity (CVSS 5.5) when Clientless VPN is enabled—making it a more urgent threat for affected organizations. Technical Details: CWE Classification: CWE-79 – Improper Neutralization of Input During Web Page Generation. CAPEC Classification: CAPEC-591 – Reflected XSS. Impact: Execution of Jav...