ThreatsDay Bulletin: FortiGate RaaS Exploits 14,700 Devices, Citrix Attacks Surge, MCP Abuse Emerges, and LiveChat Phishing Intensifies
Recent developments point to the continued growth of ransomware-as-a-service (RaaS) operations and increasingly targeted phishing campaigns. The latest ThreatsDay Bulletin covers a series of attacks and vulnerabilities that carry significant implications for organizations worldwide.
Emerging RaaS Exploiting FortiGate Vulnerabilities
Group-IB has reported on a new RaaS operation known as “The Gentlemen,” which has emerged from a payment dispute within the cybercrime community. This group, consisting of approximately 20 members, has leveraged the critical authentication bypass vulnerability identified as CVE-2024-55591 in FortiOS/FortiProxy to gain initial access to systems. The group maintains a database of about 14,700 compromised FortiGate devices globally, with plans to exploit 969 validated brute-forced FortiGate VPN credentials.
The Gentlemen employ advanced techniques to evade detection, including the use of bring-your-own-vulnerable-driver (BYOVD) methods to terminate security processes at the kernel level. Since their emergence in mid-2025, they have successfully attacked approximately 94 organizations, raising alarms about the growing sophistication of RaaS operations.
Pre-authentication RCE Chain in ITSM Platforms
In another significant development, four security flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) have been discovered in BMC FootPrints, a widely used IT service management (ITSM) solution. These vulnerabilities can be exploited to achieve pre-authentication remote code execution.
The attack sequence begins with an authentication bypass that allows attackers to extract a guest session token, which can then be used to access unsanitized Java deserialization sinks. This exploitation can lead to arbitrary file writes and full remote code execution, posing a serious risk to organizations relying on this platform. The vulnerabilities were addressed in September 2025, but the potential for exploitation remains a concern.
Loader Deploys Stealthy C2 Malware
The malware loader known as Hijack Loader is being utilized to deliver a previously undocumented command-and-control (C2) framework named SnappyClient. This framework boasts capabilities such as taking screenshots, keylogging, and data theft from various applications.
Zscaler ThreatLabz has noted that SnappyClient employs multiple evasion techniques to avoid detection, including an Antimalware Scan Interface (AMSI) bypass. The attack chain typically begins when a user visits a website impersonating the Spanish telecom firm Telefónica, with the primary objective being cryptocurrency theft. The connection between Hijack Loader and SnappyClient suggests a coordinated effort among threat actors to enhance their operational capabilities.
Deep Link Abuse Enables Command Execution
A new technique, dubbed CursorJack, has been identified by Proofpoint. It abuses Model Context Protocol (MCP) deep links in the Cursor application to achieve local command execution or to install a malicious remote MCP server. The attack relies on social engineering to manipulate users into following a link that triggers the command or server installation.
The implications are significant, because a seemingly innocuous interaction can sidestep traditional security controls. Proofpoint has released a proof-of-concept exploit on GitHub, further emphasizing the need for organizations to remain vigilant against emerging threats of this kind.
Intensified Phishing Campaigns via LiveChat
Rapid7 has reported a surge in phishing campaigns that impersonate internal IT departments through Microsoft Teams. The campaigns aim to convince users to launch Quick Assist, granting attackers remote access to deploy malware or exfiltrate data. The ease with which external accounts can message internal staff in Teams exposes a critical gap in organizational security practices.
This trend underscores the importance of robust external access management and employee training to mitigate the risk of falling victim to such phishing attempts.
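The bulletin calls for robust external access management in Teams. As an added example (not part of the bulletin or Rapid7's reporting), the following PowerShell audit reads the tenant federation settings that govern whether outside accounts can message staff and flags the permissive ones. It assumes the MicrosoftTeams module is installed and an admin session has already been opened with Connect-MicrosoftTeams; the check that an open allow list is represented by an AllowAllKnownDomains object is an assumption.

```powershell
# Added example: audit Microsoft Teams external access (federation) settings.
# Assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams has been run.
function Test-TeamsExternalAccess {
    param(
        # Accepts a configuration object so the logic can be exercised against a saved export.
        $Config = (Get-CsTenantFederationConfiguration)
    )
    $findings = @()

    # Federation with other Microsoft 365 tenants: open to every domain is the weak setting.
    if ($Config.AllowFederatedUsers) {
        # Assumption: an open allow list is reported as an AllowAllKnownDomains object.
        if ($Config.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
            $findings += 'AllowFederatedUsers is on with no domain allow list: any tenant can message staff.'
        }
    }

    # Personal (consumer) Teams accounts and Skype accounts.
    if ($Config.AllowTeamsConsumer) { $findings += 'AllowTeamsConsumer is on: personal Teams accounts can reach staff.' }
    if ($Config.AllowPublicUsers)   { $findings += 'AllowPublicUsers is on: Skype accounts can reach staff.' }

    if ($findings.Count -eq 0) {
        Write-Output 'External access is restricted to an explicit allow list.'
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return $findings
}

Test-TeamsExternalAccess

# Hardened settings, to apply deliberately after review (replace the placeholder domain
# with the partner tenants that genuinely need to message staff):
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList @{Add='partner.example'}
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
```

The returned findings can be fed into a scheduled compliance check so that a later relaxation of the allow list is noticed rather than discovered during an incident.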
Mass Exploitation of Citrix Flaws
Recent reports indicate that a new campaign is actively targeting known vulnerabilities in Citrix NetScaler, specifically CVE-2025-5777 and CVE-2023-4966. Over 500 exploit attempts were recorded against honeypot systems, suggesting a heightened interest in exploiting these older vulnerabilities.
Defused Cyber noted that increased activity against known flaws often precedes the emergence of zero-day vulnerabilities, indicating a potential escalation in threat levels.
Conclusion
The cybersecurity landscape continues to evolve, with new threats emerging that challenge existing defenses. Organizations must remain proactive in their security measures, addressing vulnerabilities and educating employees to combat sophisticated phishing attempts. The developments outlined in this bulletin serve as a reminder of the persistent and evolving nature of cyber threats.
For further insights into these developments, refer to the reporting on The Hacker News.