Apr 12 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that treats cybercriminals like Donald Trump treats the World Economy 👀🤯💀💀💀
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to WhatsApp, the cybercriminals are no match… for your patch! 🩹
⚠️💻 WhatsApp for Windows Vulnerability – Update NOW! 🚨🐛
If you're using WhatsApp Desktop on Windows, this is your sign to hit that update button 🔄📥
🧨 A flaw tracked as CVE-2025-30401 allowed sneaky attackers to send malicious files disguised as innocent ones—like a wolf in sheep’s clothing 🐺🐑
🔍 How did it work?
WhatsApp trusted what a file claimed to be (its MIME type – like “this is a photo 📸”)
But when you clicked it inside the app? It looked at the file extension (.exe, .jpg, etc.) instead
That means something called cute-pic.jpg.exe could look like a picture 🖼️ but run like a program 💻—and boom 💥 malware
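As an added illustration of the MIME-versus-extension mismatch described above (example code written for this write-up, not WhatsApp’s own and not from the original newsletter): a defender-side check that refuses to open an attachment unless its declared MIME type, its final extension and its actual magic bytes all agree, and that flags double extensions like cute-pic.jpg.exe. The signature and extension tables are a constructed subset, and the sample files are constructed.

```python
from typing import List, Optional

# Constructed subset of magic-byte signatures -> MIME type (hypothetical table).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
    b"MZ": "application/x-dosexec",  # Windows PE: .exe/.dll/.scr all start with MZ
}
# Extensions that Windows will run as a program no matter what icon or name suggests.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1"}
# What the *final* extension implies, for comparison with the declared MIME type.
EXT_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
            ".gif": "image/gif", ".pdf": "application/pdf"}

def sniff_mime(data: bytes) -> Optional[str]:
    """MIME type inferred from the first bytes of the content, or None if unknown."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None

def all_suffixes(filename: str) -> List[str]:
    """'cute-pic.jpg.exe' -> ['.jpg', '.exe']; a name with no dot -> []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]

def check_attachment(filename: str, declared_mime: str, data: bytes) -> List[str]:
    """Return reasons to refuse to open the file; an empty list means all three views agree."""
    reasons = []
    suffixes = all_suffixes(filename)
    final_ext = suffixes[-1] if suffixes else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final_ext}")
    if len(suffixes) > 1 and suffixes[-2] in EXT_MIME:
        reasons.append(f"double extension masquerading as {suffixes[-2]}")
    if final_ext in EXT_MIME and EXT_MIME[final_ext] != declared_mime:
        reasons.append(f"declared {declared_mime} but extension implies {EXT_MIME[final_ext]}")
    sniffed = sniff_mime(data)
    if sniffed is not None and sniffed != declared_mime:
        reasons.append(f"declared {declared_mime} but content is {sniffed}")
    return reasons

if __name__ == "__main__":
    # Constructed samples: a PE file named like a photo, then a genuine JPEG.
    print(check_attachment("cute-pic.jpg.exe", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 16))
    print(check_attachment("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

The point of the check is that the client never decides how to open a file from one view alone; the declared type, the name and the bytes must all tell the same story.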
😬 This affected all versions before 2.2450.6—so if you're still on an old version, you're at risk!
🛡️ What to do:
✅ Update to WhatsApp Desktop v2.2450.6 or later ASAP
✅ Be wary of weird or unexpected attachments—even if they look normal
✅ Don't trust file names blindly 👀
🧠 Security pro Nico Chiaraviglio from Zimperium called this a reminder that:
“Attachments are STILL one of the most common ways attackers spread malware.”
💪 He recommends a layered defense:
🔍 Attachment scanning
📈 Behavioral analysis
🧠 User education
🎯 Bottom line: Just because it looks like a file you can trust… doesn't mean it is. Don’t open anything sketchy, even if it comes through WhatsApp.
🛠️ And if you haven’t updated yet—go do it now. Seriously. 🏃💨
Now, on to this week’s hottest cybersecurity news stories:
🔮 Oracle confirms hack-attack: broken systems, stolen credentials 🔑
📥 Don’t get crushed by Crush: FTP system infiltrated by ransomware 💰
🌐 Popular site SourceForge spreads crypto miner and clipper malware 👾
🔐 Oracle has privately admitted that a legacy system was breached, exposing old client login data — including usernames, encrypted passwords, and passkeys.
🕵️‍♂️ What Happened?
Attackers accessed a “legacy environment” (rebranded as “Oracle Classic”)
● FBI and CrowdStrike are now involved
● 6 million records across 140,000 tenants allegedly stolen
● Data includes credentials as recent as 2024
🎭 Public Denial, Private Panic
Oracle previously told the public:
“No breach of Oracle Cloud.”
But insiders and security experts say this is semantic wordplay — the breached system was previously part of Oracle Cloud, just rebranded.
🧠 “They’re splitting hairs to dodge admitting a real cloud breach,” said one researcher.
💸 Extortion & Lawsuits
Hacker “rose87168” demanded $20M before posting data for sale
Malware targeted Oracle’s Identity Manager (IDM) as early as January 2025
Now facing a class action lawsuit for delaying disclosure
🏥 Not the Only Breach
Just last month, Oracle also disclosed a healthcare breach — attackers stole patient data from Cerner servers using compromised credentials.
🚨 Why It Matters
Experts say these breaches challenge the core security promises of cloud platforms.
“A single hack shouldn’t affect 140,000 tenants — this breaks the cloud model,” warns security advisor Sunil Varkey.
🔇 As of now, Oracle still hasn’t made any public statement — sticking to private disclosures only.
Hackers are actively exploiting a serious flaw in CrushFTP, a popular file transfer tool used by thousands of organizations to move sensitive data.
🐞 The Vulnerability: CVE-2025-31161
● Discovered by: Researchers at Outpost24
● Reported to CrushFTP: March 13
● Public alert: March 21
Exploit now in the wild ⚠️
The flaw was originally going to be disclosed after customers had time to patch. But other researchers leaked details early — and attackers pounced.
🧠 "They weaponized the bug before customers had a chance to update,” said CrushFTP.
🦠 Ransomware Gang Claims Stolen Data
The Kill ransomware group now claims it’s using the exploit to steal “significant volumes” of sensitive data — and they’ve begun extorting victims.
🛡️ CISA has confirmed the attacks and told federal agencies to patch by April 28.
🏢 Who’s at Risk?
Hundreds of CrushFTP servers are exposed online, according to Shadowserver and Censys.
Recent versions of v10 and v11 are vulnerable.
Incident responders at Huntress report live attacks at companies in:
🛒 Retail
💡 Marketing
💻 Semiconductors
⚠️ Patch Now — Or Risk Getting Hit
CrushFTP is sending another urgent alert to customers. While some workarounds exist, patching is strongly advised.
“Anyone unpatched needs to urgently update.” — CrushFTP
💣 CrushFTP is the latest in a string of file transfer tools being targeted, following similar attacks on MOVEit, GoAnywhere, Cleo, and Accellion.
Stay alert. Patch fast. The attackers aren’t waiting.
🚨 Malware Alert: Miners & Clippers Spread via Fake Software on SourceForge 🦠
Cybercriminals are back at it — this time using SourceForge, a trusted software hub, to push cryptocurrency miners and clipper malware disguised as cracked Microsoft Office apps.
🎭 The Bait: Fake "Office Add-ins"
One suspicious listing, called “officepackage”, looks harmless at first glance — it even borrows content from a legit GitHub repo.
But clicking “Download” on the site? It redirects you to a shady page on taplink[.]cc.
👀 What happens next?
● You’re served a ZIP file called vinstaller.zip
● Inside: another locked archive (installer.zip) and a text file with the password
● That archive contains a nasty MSI installer 💣
💻 What the Malware Does
Kaspersky says the installer kicks off a complex infection chain:
🧩 Uses VB scripts and PowerShell to download more payloads
📡 Sends your system data via Telegram API
💰 Deploys:
Crypto miner (drains CPU power)
ClipBanker (replaces crypto wallet addresses)
🔐 Drops ShellExperienceHost.exe to open an encrypted backdoor
🪝 Executes more hidden commands using ErrorHandler.cmd
📍 Who's Being Targeted?
● Interface is in Russian
● Targets users searching for Microsoft Office on Yandex
● 90% of the 4,600+ victims so far are located in Russia
⚠️ Bigger Picture: This Is Just One Campaign
Kaspersky also spotted TookPS malware spreading via fake AI, remote desktop, and 3D modeling software sites — often promoted through malicious Google ads.
🖥️ One tactic: sideloading malware into TeamViewer, giving attackers stealthy remote access.
💬 “As users seek software outside official sources, attackers offer their own versions — loaded with malware,” said Kaspersky.
🔐 Takeaway:
Always download software from trusted sources. Crack sites and shady "free" tools are often booby-trapped — and malvertising is making it even easier for attackers to reach you.
Stay smart. Stay safe. 💻🛡️
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!