Welcome to Gone Phishing, your weekly cybersecurity newsletter that dictates the latest on cybersecurity just like Zelenskyy dictates when elections are held. Hahaha kidding Earth 2025 just got interesting 🍿 🎥📺🎞️🎬

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Juniper, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Juniper see what you were up to 🙃

🚨 Juniper Networks Critical Flaw – Patch Now! 🔧

Juniper Networks has issued urgent security updates for Session Smart Router, Session Smart Conductor, and WAN Assurance Routers to fix a critical authentication bypass flaw (CVE-2025-21589, CVSS 9.8). 🚨

⚡ What’s the Risk?

Network-based attackers can bypass authentication and take full admin control of affected devices.

🛑 Affected Versions:

Session Smart Router: 5.6.7 → before 5.6.17, 6.1 → before 6.1.12-lts, 6.2 → before 6.2.8-lts, 6.3 → before 6.3.3-r2

Session Smart Conductor: Same as above.

WAN Assurance Managed Routers: Same as above.

🔧 Immediate Action Required!

✅ Update to patched versions ASAP:

SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2

Mist Cloud-managed WAN Assurance devices already patched automatically, but manual updates are still recommended.

🔍 No known exploits yet, but don’t wait! Stay secure! 🛡️

Now, on to this week’s hottest cybersecurity news stories: 

• 🐍 New Snake Keylogger variant uses AutoIt scripting to dodge detection 🔎

• ⚔️ StaryDobry attack: Trojanized game installers deploy cryptocurrency miner ⛏️

• ⛩️ Chinese exploit MAVInject.exe to dodge detection in targeted cyber attacks 👨🏻‍💻

AutoIt you something was up 😏

Gif by lethalweaponfox on Giphy

🚨 Snake Keylogger Strikes Again! New Variant Targeting Windows Users 🐍

A new version of the Snake Keylogger malware is actively targeting Windows users in China, Turkey, Indonesia, Taiwan, and Spain, with over 280 million blocked infection attempts in 2025 alone! 😱

🎯 How It Spreads

🔹 Delivered via phishing emails with malicious attachments or links 📧

🔹 Uses AutoIt scripting to evade traditional detection 🛑

🔹 Hides itself as "ageless.exe" and ensures persistence through VBS scripts 📂

🕵️‍♂️ What It Steals

✅ Keystrokes (including banking & login credentials) 💳

✅ Browser data from Chrome, Edge, and Firefox 🔍

✅ Clipboard contents (potential crypto wallet theft!) 🔥

✅ Victim's IP address & geolocation 🌍

🛠️ How It Works

⚠️ Injects itself into legitimate Windows processes (e.g., regsvcs.exe)

⚠️ Uses SetWindowsHookEx API to capture keystrokes stealthily

⚠️ Exfiltrates data via SMTP & Telegram bots

🚫 Stay Safe!

🔹 Never open unexpected email attachments 📎

🔹 Disable macros & scripts in email attachments ❌

🔹 Use endpoint security with behavioral analysis 🛡️

🔹 Monitor outbound connections to detect C2 traffic 📡

This highly evasive malware is designed to steal your most sensitive data—stay alert and secure your systems! 🚨

Be Prepared – Join the Cyber Resilience Summit on March 5

This exclusive event will feature expert speakers and current Rubrik customers speaking on the topics of Cloud and SaaS data protection, as well as data security.

Plus, 5 attendees have the chance of winning an iPad Mini.

What are you waiting for? Be Resilient.

Try to strike a chord but it’s probably A minerrrrrrrrrrr ⛏️

🎮 StaryDobry: Gamers Targeted with Trojanized Installers 🚨 

Cybercriminals are tricking gamers into downloading trojanized game installers that deploy XMRig cryptocurrency miners on Windows systems.

🎯 Who's Affected?

🔹 Gamers searching for popular simulator & physics games

🔹 Targets in Russia, Brazil, Germany, Belarus, and Kazakhstan

🔹 High-powered gaming PCs exploited for mining 🖥️💰

🎭 How the Attack Works

✅ Fake installers for games like BeamNG.drive, Garry’s Mod, Universe Sandbox uploaded to torrent sites 📂

✅ Installs dropper DLL ("unrar.dll"), which checks for sandboxing/debugging 🕵️‍♂️

✅ Retrieves victim’s IP & location using online APIs 🌍

✅ Deploys a multi-stage payload to install a modified XMRig miner 💻⛏️

✅ Avoids detection by terminating if Task Manager or Process Monitor is running ❌

⚠️ Notable Evasion Tactics

🔹 CPU Check: Only runs if the system has 8 or more cores 🚀

🔹 Stealthy Execution: Uses Windows Shell Extension to mask malicious activity 🕶️

🔹 Custom Mining Pool: Attackers host their own mining server instead of using public pools 🔗

🚫 How to Stay Safe

🔹 Avoid downloading games from unofficial sources (torrent sites) 🚧

🔹 Use endpoint security software to detect mining activity 🛡️

🔹 Monitor system performance for unusual CPU spikes 📈

🔹 Check for unknown startup processes in Windows 🔍

The StaryDobry campaign is yet another reminder to be cautious when downloading games—your gaming rig might be mining crypto for cybercriminals! 🎮💸

Learn AI in 5 minutes a day

What’s the secret to staying ahead of the curve in the world of AI? Information. Luckily, you can join 1,000,000+ early adopters reading The Rundown AI — the free newsletter that makes you smarter on AI with just a 5-minute read per day.

Sign up to start learning.

Did you hear of this Chinese Godfather? He made them an offer they couldn’t understand. 👀

🛡️ Mustang Panda’s New Evasion Technique Targets ESET Antivirus 🎭

The Chinese APT group Mustang Panda (Earth Preta) has been spotted using a clever evasion tactic to bypass detection and maintain control over infected systems, leveraging legitimate Windows utilities for stealthy malware execution.

🚨 Attack Breakdown

🔹 Dropper Executable ("IRSetup.exe") initiates the attack 📦

🔹 Sideloads a rogue DLL ("EACore.dll") using a legitimate EA Games application 🎮

🔹 Deploys a decoy PDF to distract victims 📄

🔹 Targets users in Thailand, suggesting a spear-phishing campaign 🎯

🔹 Checks if ESET antivirus ("ekrn.exe" or "egui.exe") is running 🛑

🏴‍☠️ How the Malware Evades Detection

✅ Abuses MAVInject.exe, a legitimate Windows tool, to inject malicious payload into an external process (waitfor.exe) 🔁

✅ Uses Setup Factory installer to drop and execute the malware while staying undetected 📌

✅ Establishes a remote connection to a C2 server (www.militarytc[.]com:443) for reverse shell access and data exfiltration 📡

🗣️ ESET Responds

ESET disputes Trend Micro’s claim that the malware bypasses their antivirus, stating:

🔹 The technique is not new, and their users are already protected 🔒

🔹 ESET had prior detection for this malware since January 2025 📆

🔹 They attribute the attack to China-aligned CeranaKeeper APT 🎭

🚫 How to Stay Protected 

🔹 Be wary of unexpected emails & attachments 📧

🔹 Ensure security software is updated 🛡️

🔹 Monitor for suspicious process injections 🕵️

🔹 Disable unneeded Windows utilities like MAVInject.exe ⚙️

Mustang Panda continues to evolve, leveraging legitimate tools for stealthy intrusions—but proactive cybersecurity measures can help counter these threats. 🚀

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

• 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

• 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

• 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!