Apr 25 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that hooks you up with the latest threats before they reel you in! 🎣💻🛡️🛡️🛡️
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Microsoft, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Microsoft Fixes 121 Bugs in April Patch Tuesday: One Zero-Day Exploited in the Wild ⚠️
If you haven't patched your Windows systems yet — now's the time. Microsoft’s April 2025 Patch Tuesday squashes 121 vulnerabilities, including 1 actively exploited zero-day (CVE-2025-29824).
📌 The Numbers:
🧨 11 Critical
🚨 110 Important
🕵️‍♂️ 1 Zero-Day (exploited in the wild)
🔥 The Zero-Day:
● CVE-2025-29824 – A privilege escalation flaw in the Windows Common Log File System (CLFS) driver
● Exploited by ransomware tied to Storm-2460 using the PipeMagic malware
● Marked Important with a CVSS 7.8
💡 CLFS remains a popular attack vector—Microsoft has patched more than 20 CLFS flaws in the last two years, with several tied to real-world attacks.
⚠️ Other Notables:
● RCEs in Remote Desktop Gateway & LDAP (CVSS 8.1, Critical)
● Privilege Escalation in Active Directory Certificate Services
● SharePoint RCEs requiring authenticated access
👨‍💻 Affected components span everything from Azure, Office, and Visual Studio to Windows Kernel, Hyper-V, and even Bluetooth services.
🔐 Takeaway:
Patch ASAP. One of these is already being used by ransomware groups, and several others are marked as “Exploitation More Likely.” Don't wait for the next breach.
Now, on to this week’s hottest cybersecurity news stories:
👨🏻‍💻 Hackers abuse Russian ‘bulletproof’ hosting provider Proton66 to launch attacks ⚡
🍇 GRAPELOADER: European diplomats targeted via wine-tasting lures 🍷
🗽 U.S. hit with widespread toll fraud campaign via Chinese smishing kit 🐉
Cybersecurity researchers are raising alarms about a wave of mass scanning, brute-force attacks, and exploit attempts traced to Proton66, a Russian bulletproof hosting provider long known to cater to cybercriminal operations.
🕵️‍♂️ According to Trustwave SpiderLabs, the campaign has been ongoing since January 8, 2025, and is targeting organizations worldwide with fresh infrastructure and updated exploits.
🔍 The IP Blocks Behind the Storm
📡 Key netblocks and addresses involved:
● 45.135.232.0/24
● 45.140.17.0/24
● 193.143.1[.]65
Researchers observed new or previously dormant IPs becoming suddenly active, launching:
● Mass network scans
● Credential brute-force attacks
● Exploit attempts targeting recent critical vulnerabilities
🛠️ CVEs Under Fire
Since February 2025, attackers have been exploiting top-tier vulnerabilities, including:
● CVE-2025-0108 – Auth bypass in Palo Alto PAN-OS
● CVE-2024-41713 – Input validation flaw in Mitel MiCollab
● CVE-2024-10914 – Command injection in D-Link NAS
● CVE-2024-55591 & CVE-2025-24472 – Auth bypass in Fortinet FortiOS
🎯 Exploitation of the Fortinet flaws has been linked to Mora_001, an initial access broker delivering a new ransomware strain named SuperBlack.
🧬 Malware Hosted on Proton66
The infrastructure is doubling as a launchpad for multiple malware campaigns, including:
💻 XWorm – Delivered via LNK + PowerShell + obfuscated VBS + Base64-encoded .NET DLL
📨 StrelaStealer – Spread via phishing to German users
💥 WeaXor ransomware – A revamped Mallox variant, C2 hosted at 193.143.1[.]139
🔗 In some cases, C2 servers and phishing pages for these strains were hosted directly on Proton66's IPs.
📱 Android Phishing via WordPress Redirects
🎯 A sneaky mobile campaign uses compromised WordPress sites to redirect Android users to fake Google Play Store pages via:
● Malicious JavaScript hosted on Proton66
● Geo-targeting: French, Spanish, and Greek-speaking users
● Conditional logic: redirects only activate for real Android browsers, not bots, proxies, or VPNs
👀 Redirection logic checks:
● IP fingerprinting via ipify.org
● VPN/proxy detection via ipinfo.io
● Result? A malicious APK download masquerading as a legitimate app.
🤝 Connections to PROSPERO and Beyond
Proton66 is reportedly tied to a linked AS called PROSPERO, previously spotlighted by Intrinsec for:
● Operating under the names Securehost and BEARHOST
● Offering bulletproof services on Russian-language cybercrime forums
🧩 Some Proton66/Prospero traffic was seen routing through infrastructure associated with Kaspersky Lab. Kaspersky has denied involvement, attributing the routing to automated DDoS service prefixes used by telecom partners.
🚨 What You Can Do
Recommended defensive actions:
🚫 Block all CIDR ranges linked to Proton66 and Chang Way Technologies (a likely affiliated Hong Kong-based provider)
🔍 Monitor for:
● PowerShell + LNK execution chains
● Suspicious traffic to Proton66 IPs
● Unexpected APK installs from unknown sources
🧱 Deploy behavior-based endpoint protections to detect lateral movement and C2 activity
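As an added example (not from the newsletter or from Trustwave's report), here is a small Python checker that refangs the indicators quoted above and flags firewall log lines whose destination falls in those ranges; the key=value log format and the sample lines are constructed for the demo.

```python
"""Flag firewall log lines whose destination IP falls in the Proton66
netblocks quoted above. Log format and sample lines are constructed."""
import ipaddress
import re

def refang(indicator):
    """Turn a defanged indicator such as 193.143.1[.]65 into a plain IP/CIDR."""
    return indicator.replace("[.]", ".")

# Netblocks and hosts named in the report; single hosts become /32 networks.
PROTON66_RANGES = [
    ipaddress.ip_network(refang(i)) for i in (
        "45.135.232.0/24",   # scanning / brute-force source range
        "45.140.17.0/24",    # scanning / brute-force source range
        "193.143.1[.]65",    # active host noted by SpiderLabs
        "193.143.1[.]139",   # WeaXor ransomware C2
    )
]

# Constructed sample export in an assumed key=value firewall format.
SAMPLE_LOG = """\
2025-04-20T10:01:05Z action=allow src=10.0.0.14 dst=45.135.232.17 dport=443
2025-04-20T10:01:06Z action=allow src=10.0.0.22 dst=93.184.216.34 dport=443
2025-04-20T10:01:07Z action=allow src=10.0.0.14 dst=193.143.1.65 dport=8080
2025-04-20T10:01:08Z action=deny src=10.0.0.31 dst=45.140.17.200 dport=22
2025-04-20T10:01:09Z action=allow src=10.0.0.31 dst=193.143.1.66 dport=443
"""

_DST_RE = re.compile(r"\bdst=(\S+)")

def matched_range(ip_str):
    """Return the first listed network containing ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # malformed field: do not abort the sweep
        return None
    return next((net for net in PROTON66_RANGES if ip in net), None)

def find_hits(log_text):
    """Return (line, network) pairs for lines whose dst is in a listed range."""
    hits = []
    for line in log_text.splitlines():
        m = _DST_RE.search(line)
        net = matched_range(m.group(1)) if m else None
        if net is not None:
            hits.append((line, net))
    return hits

if __name__ == "__main__":
    for line, net in find_hits(SAMPLE_LOG):
        print(f"[{net}] {line}")
```

Note that 193.143.1.66 is not flagged: the report names single hosts in that /24, not the whole block, so widen the list only if your own telemetry justifies it.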
📌 TL;DR: Bulletproof Hosting, Real-World Threats
Proton66 isn't just a shady hosting provider — it's now a core enabler of malware, phishing, and ransomware activity across multiple regions and threat groups. From Android APK lures to critical infrastructure exploits, the IP ranges tied to Proton66 are a hotbed of cybercrime.
🛡️ Stay vigilant. Block early. Hunt often.
Take your first step towards a more secure future. Register for FORWARD on June 4th and stack the deck in your favor against cyber adversaries. You'll gain real-world recovery insights from industry peers.
Russian state-sponsored group APT29 (aka Cozy Bear) is back, this time with a stealthy phishing campaign targeting European diplomatic entities using wine-tasting event lures 🍇🍷.
🔍 Check Point uncovered the use of:
🍇 GRAPELOADER – a new initial-stage loader for fingerprinting, persistence, and payload delivery
🍷 WINELOADER – an updated modular backdoor for later-stage operations
📩 How the Attack Works
Phishing emails spoofing a European Ministry of Foreign Affairs send out fake wine-tasting invites
The attached wine.zip includes:
● wine.exe (legit PowerPoint binary)
● AppvIsvSubsystems64.dll (dependency)
● ppcore.dll (malicious DLL sideloaded via wine.exe)
GRAPELOADER runs, gains persistence via the Windows Registry, and phones home to drop the main payload — believed to be WINELOADER
🕵️‍♂️ Both loaders use code obfuscation, anti-analysis tricks, and modular structures for stealth and flexibility.
🌍 Target Scope
● Primary focus: Ministries of Foreign Affairs in Europe
● Secondary targets: Embassies and diplomatic staff in the Middle East
● Emails came from: bakenhof[.]com, silry[.]com
🔎 Bonus Threat: Gamaredon’s USB Worm
Meanwhile, Gamaredon (another Russian threat group) continues pushing its PteroLNK malware, infecting USB drives with sneaky LNK + VBScript combos to spread info-stealers like GammaSteel — with heavy targeting of Ukraine.
💡 APT29’s campaign shows a pivot to layered loaders and social engineering over raw complexity, signaling a new phase in high-stakes cyber-espionage.
AI won’t take your job, but a person using AI might. That’s why 1,000,000+ professionals read The Rundown AI – the free newsletter that keeps you updated on the latest AI news and teaches you how to use it in just 5 minutes a day.
A widespread smishing campaign is hitting toll road users across the U.S., tricking them into handing over personal and financial data under the guise of unpaid toll notices.
🛑 Active since October 2024, the campaign impersonates systems like E-ZPass, sending SMS and iMessage alerts to users in WA, FL, PA, VA, TX, OH, IL, and KS.
🧠 The Brains Behind It
● Smishing kits by Wang Duo Yu, a Chinese student-turned-cybercrime entrepreneur
● Distributed via Telegram for as little as $20–$50 per kit
● Linked to the Smishing Triad, known for massive fake-delivery scams in 120+ countries
📲 How the Scam Works
Victims receive a fake toll notice via SMS/iMessage
They're urged to reply "Y" to activate a malicious link
Clicking redirects to a fake E-ZPass site after a fake CAPTCHA
Users enter name, ZIP, and payment details — all stolen instantly
Some attackers use Ghost Tap to enroll cards in mobile wallets for further fraud
🚨 The kits even include backdoors, enabling double theft — victims are hit by both the attacker and the kit's creator.
🛠️ Industrialized Smishing
⚠️ 60,000+ domains linked to these toll scams
Powered by bulk SMS services like Oak Tel, offering:
● Spoofed sender names
● Victim-targeting tools
● Campaign dashboards
● SMS automation APIs
🌍 Expansion in Progress
The same actor is now pivoting to a new Lighthouse kit, targeting banks in Australia and APAC — with alleged backing of “300+ front desk staff” handling fraud operations globally.
🧪 Security firms like Cisco Talos, PRODAFT, and Resecurity are actively tracking the campaign, but the scale and infrastructure make takedown efforts tough.
💡 Smishing kits have become commercialized cybercrime tools, making phishing campaigns more scalable and accessible than ever.
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!