Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

SAP Patches Critical NetWeaver Zero-Day Actively Exploited for Server Takeovers
SAP’s emergency NetWeaver patch fixes a zero-day flaw (CVE-2025-31324) that is being exploited to upload webshells and execute code on servers, ReliaQuest warns. With over 400 vulnerable systems still exposed, immediate updates are urged to block attacks.
Key takeaways:
🕵️♂️ Zero-Day Exploitation: CVE-2025-31324, a critical unauthenticated file upload flaw in SAP NetWeaver Visual Composer (CVSS 10.0), allows attackers to upload JSP webshells, enabling remote code execution and full system compromise, actively exploited since at least April 2025.
🌐 Attack Details: ReliaQuest observed attackers using the Metadata Uploader endpoint to deploy Brute Ratel, Heaven’s Gate, and MSBuild-compiled code, with watchTowr confirming ongoing exploitation across multiple customers.
🛡️ SAP’s Response: SAP released out-of-band updates for NetWeaver versions 7.5, 7.02, and 7.30, recommending immediate patching and deep environment scans to remove malicious files, though SAP disputes claims of successful exploitation.
⚠️ Widespread Risk: Over 400 internet-facing SAP NetWeaver systems remain vulnerable, with potential impacts on over 10,000 applications. This highlights the urgency of applying mitigations.
DragonForce Pioneers Ransomware Cartel with White-Label Branding Model
DragonForce is reshaping ransomware with a white-label model, letting affiliates use its encryptor and infrastructure under their own brands for a 20% ransom cut. Secureworks reports this cartel-like structure targets ESXi, NAS, BSD, and Windows, boosting profits and flexibility.
Key takeaways:
🕵️♂️ Cartel-Like Structure: DragonForce, now a “ransomware cartel,” offers a distributed affiliate model. It provides ransomware-as-a-service (RaaS) operations with negotiation tools, data storage, and malware administration and takes 20% of ransom payments.
🌐 White-Label Branding: Affiliates can deploy DragonForce’s encryptor under their own branding, targeting diverse systems like ESXi, NAS, BSD, and Windows, without managing infrastructure, as announced on dark web forums.
🔍 Strategic Expansion: By supporting “unlimited brands,” DragonForce aims to increase profits through a larger affiliate base. Secureworks notes interest from well-known gangs, though the exact members are unclear.
⚠️ Threat Evolution: The model’s flexibility attracts sophisticated actors, reducing their operational overhead and potentially amplifying ransomware’s reach. As a result, organizations must bolster endpoint security and monitoring.
Google Reports 75 Zero-Days Exploited in 2024, Over Half Tied to Spyware Attacks
Google’s 2024 report reveals 75 zero-day vulnerabilities exploited, with over 50% linked to spyware targeting enterprise tools and end-user platforms. Windows, Chrome, and Android were hit hardest, prompting calls for urgent patching and stronger defenses.
Key takeaways:
🕵️♂️ Google’s Threat Intelligence Group (GTIG) tracked 75 zero-day exploits in 2024, down from 97 in 2023 but up from 63 in 2022. Over 50% were tied to spyware attacks, primarily for espionage by state-backed actors and vendors.
🌐 End-user platforms like browsers (11 zero-days), mobile devices (9), and Windows (22) accounted for 56% of exploits, while 44% targeted enterprise software, including 20 in security and networking tools from vendors like Ivanti and Cisco.
🔍 Key vendors affected included Microsoft (26 zero-days), Google (11), Ivanti (7), and Apple (5), with a notable November 2024 attack on Ukraine’s Diplomatic Academy website chaining CVE-2024-44308 and CVE-2024-44309 for XSS and cookie theft.
⚠️ The report highlights a steady rise in zero-day exploitation, driven by state-sponsored espionage. GTIG emphasizes rapid patching, enhanced detection, and MFA to counter these sophisticated threats.
Google Threat Intelligence Group
Apple AirBorne Vulnerabilities Enable Zero-Click AirPlay RCE Attacks on Billions of Devices
Critical AirPlay flaws, dubbed AirBorne, expose 2.35B+ Apple devices to zero-click RCE attacks, risking malware spread on shared Wi-Fi networks. Apple patched its devices in March 2025, but unpatched third-party devices remain vulnerable.
Key takeaways:
🕵️♂️ Oligo Security uncovered 23 AirPlay vulnerabilities, including CVE-2025-24252 and CVE-2025-24132. These vulnerabilities enable zero-click and one-click RCE, MITM, and DoS attacks, and two flaws allow wormable malware to spread across networks.
🌐 Exploitation requires attackers to be on the same Wi-Fi network, posing higher risks in public Wi-Fi settings and affecting over 2.35 billion Apple devices and tens of millions of third-party AirPlay-enabled devices like speakers and TVs.
🛡️ Apple released patches on March 31, 2025, for iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, and others, but third-party devices may remain unpatched, as Apple lacks control over their update processes.
⚠️ CarPlay is also vulnerable, though attacks require Bluetooth or USB pairing, reducing real-world risk; users are urged to update devices, secure Wi-Fi, or disable AirPlay to mitigate threats.
Gremlin Stealer: New C# Malware Targets Sensitive Data via Telegram Sales
Gremlin Stealer, a new C# malware sold on Telegram since March 2025, steals credit cards, crypto wallets, and browser data and uploads it to a public server. Unit 42 reports its active development and widespread threat to Windows users.
Key takeaways:
🕵️♂️ Gremlin Stealer, written in C#, emerged in March 2025. It was advertised on Telegram’s CoderSharp channel and targeted Windows systems to steal browser cookies, credit card details, crypto wallets, and Discord/Telegram sessions.
🌐 Stolen data is stored in plain text under LOCAL_APP_DATA, zipped, and sent to a server at 207.244.199[.]46, which hosts 14 ZIP archives that the operator can download or delete, making the stolen data readily accessible to the attacker.
🔍 The malware bypasses Chrome’s V20 cookie protection and avoids internet downloads during its build, showing active development to evade detection. A configurable portal is included in the sale.
⚠️ Palo Alto Networks’ Cortex XDR and Network Security solutions protect against Gremlin, while Unit 42 shared findings with the Cyber Threat Alliance to disrupt its spread.
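The write-up above publishes a single network indicator for Gremlin Stealer in defanged form (207.244.199[.]46). The following is an added example, not code from Unit 42 or Palo Alto Networks, showing how a defender can refang such an indicator and sweep egress logs for hosts that contacted it. The log line format and all source/destination addresses other than the published indicator are constructed for the example; adapt the regex to your own proxy or firewall schema.

```python
import re
from dataclasses import dataclass

# Indicator from the Gremlin Stealer summary above, kept in defanged form
# so it can be pasted straight from the report without risk of accidental clicks.
GREMLIN_C2_DEFANGED = "207.244.199[.]46"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.), [:]) into its live form for matching."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


# Constructed sample egress log lines (not real telemetry). 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges used here as benign destinations.
SAMPLE_LOGS = [
    "2025-05-01T10:02:11Z src=10.0.0.15 dst=207.244.199.46 dport=80 action=allow bytes_out=482113",
    "2025-05-01T10:02:40Z src=10.0.0.15 dst=192.0.2.10 dport=443 action=allow bytes_out=1301",
    "2025-05-01T10:03:05Z src=10.0.0.22 dst=207.244.199.46 dport=443 action=allow bytes_out=221009",
    "2025-05-01T10:03:09Z src=10.0.0.30 dst=198.51.100.7 dport=443 action=allow bytes_out=902",
]

# Assumed key=value layout of the constructed log lines above.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) .*bytes_out=(?P<bytes_out>\d+)"
)


@dataclass
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def find_c2_contacts(lines, indicators):
    """Return parsed events whose destination matches any (refanged) indicator."""
    wanted = {refang(i) for i in indicators}
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dst") not in wanted:
            continue
        timestamp = line.split(" ", 1)[0]
        hits.append(
            Hit(timestamp, m.group("src"), m.group("dst"),
                int(m.group("dport")), int(m.group("bytes_out")))
        )
    return hits


def affected_hosts(hits):
    """Distinct internal sources that reached the indicator, for triage and isolation."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    hits = find_c2_contacts(SAMPLE_LOGS, [GREMLIN_C2_DEFANGED])
    for h in hits:
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.dport} sent {h.bytes_out} bytes")
    print("hosts to triage:", affected_hosts(hits))
```

Because the stealer zips the collected data before upload, the bytes_out column is worth keeping in the output: a large outbound transfer to the indicator is a stronger signal than a bare connection attempt, and it helps order which hosts to look at first.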
Top Tips of the Week

Threat Intelligence
- Stay informed on CTI trends. Adapt strategies to align with emerging techniques and technologies in the threat intelligence landscape.
- Leverage threat intelligence in fraud prevention. Identify and mitigate fraudulent activities with proactive intelligence.
Threat Hunting
- Foster a culture of information sharing. Open communication channels enhance collective ability to respond to threats.
- Utilize threat intelligence for risk assessment. Identify and prioritize potential risks to allocate resources more effectively.
Custom Tooling
- Create custom tools with a focus on data privacy. Implement measures to protect sensitive information and adhere to privacy regulations.
- Secure your custom tool development environment. Implement best practices for secure coding and protect sensitive information.
- Incorporate user feedback into the development of custom tools. Ensure they align with user needs and expectations.
Feature Article

How do you make your intelligence requirements actionable? How do you go from broad questions about threats to operational tasks your cyber threat intelligence team can complete? You need an intelligence collection plan.
An intelligence collection plan is a systematic way of tracking your intelligence requirements, the data sources that empower your team to fulfill them, and the daily tasks that lead to their completion. It is a key piece of documentation that all cyber threat intelligence teams require to move from the planning stage to the collection stage of the threat intelligence lifecycle.
This guide will teach you how to build an intelligence collection plan. It will start by highlighting the key features a collection plan must include, show you a four-step process for creating it, and conclude with advice on building a collection Wiki to support your plan.
Let’s jump in and start making your intelligence requirements actionable!
Learning Resources

Want a Security Solution for Your Home Lab?
If you want to run a security tool in your home lab or gain hands-on experience with a commercial-grade platform, look at Security Onion 2.4. It is a comprehensive, open-source platform tailored for defenders by defenders, integrating an evolving toolkit for threat hunting, network security monitoring, and incident response.
This practical demo showcases its inbuilt capabilities and tools, such as Suricata, Zeek, and full packet capture, to offer deep visibility into network and endpoint activity. You can create alerts, perform threat hunting by easily pivoting between datasets, build detections, and much more!
If you want to learn hands-on security skills, give it a go!
Cyber Security Career Advice
This short but sharp video tackles popular cyber security career advice—separating genuine guidance from misleading myths. It emphasizes starting with a balanced foundation, deepening this over time, not specializing too early, and prioritizing real-world experience over certifications.
It’s a great video that dispels many misconceptions those starting out in security might have about building a successful career. If you’re new to the field or looking to advance in your career, give it a watch!
The Secrets of OPSEC With Mitch Cohen
In this lighthearted podcast episode, Mitch Cohen, an expert in privacy and operational security (OPSEC), delivers an engaging and deeply personal exploration of what protecting your digital identity means.
The episode explores Mitch’s journey into becoming a master at OPSEC, the importance of not oversharing, and how the identities of real-world threat actors are revealed. He also offers actionable tips for improving OPSEC: from deleting old social media posts and using aliases, to understanding the tradeoff between convenience and security.
A recommended listen if you’re interested in OPSEC or digital privacy.
Honeypots and Honey Tokens for the Win!
This insightful podcast episode explores how deception technologies like honeypots and honey tokens are becoming indispensable tools in proactive cyber security defense. They provide defenders with early threat detection, adversary profiling, and real-time insight into evolving tactics without relying on traditional alert systems prone to false positives.
In practical terms, the episode shares how honeypots have revealed new rootkits and inspired PowerShell-based detection scripts, and offers tips for getting started with implementing them. I highly recommend giving it a listen and trying to implement these deception technologies in your own environment, whether that’s creating a single honey token or a complete honeypot.