CyberBakery Chronicles (11 April 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (11 April 2025)

The Hacker News article titled “PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware,” published on April 9, 2025, reports on a critical security flaw in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This vulnerability was actively exploited as a zero-day to achieve SYSTEM privileges, facilitating ransomware attacks on select targets, including organizations in the IT and real estate sectors in the U.S., the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. 

Microsoft has addressed this privilege escalation bug in its April 2025 Patch Tuesday update. The threat actor, tracked as Storm-2460, utilized a malware named PipeMagic to deliver the exploit and ransomware payloads. The initial access vector remains uncertain, but attackers were observed using the certutil utility to download malware from compromised legitimate sites. The malware involved a malicious MSBuild file containing an encrypted payload, which, when unpacked, launched PipeMagic—a plugin-based trojan active since 2022. 

Notably, this marks the second instance of PipeMagic delivering a Windows zero-day exploit, following its use with CVE-2025-24983, a Windows Win32 Kernel Subsystem privilege escalation bug patched by Microsoft in March 2025. Additionally, PipeMagic was previously linked to Nokoyawa ransomware attacks exploiting another CLFS zero-day flaw, CVE-2023-28252. 

Successful exploitation allowed attackers to extract user credentials by dumping the memory of LSASS, and then to encrypt files on the system. The ransom note included a TOR domain associated with the RansomEXX ransomware family. Microsoft emphasizes the value ransomware threat actors place on post-compromise elevation of privilege exploits, as they enable escalation from initial access to privileged access, facilitating widespread ransomware deployment within an environment.

The North Korean cyber threat group Lazarus Group has adopted a new social engineering tactic known as “ClickFix” to target job seekers in the cryptocurrency sector. This method involves deceiving individuals into downloading a previously undocumented Go-based backdoor, dubbed GolangGhost, onto Windows and macOS systems. 

This campaign, referred to as ClickFake Interview by cybersecurity firm Sekoia, appears to be an extension of the earlier Contagious Interview operation. Active since at least December 2022, Contagious Interview has been associated with Lazarus Group, a notorious entity linked to North Korea’s Reconnaissance General Bureau (RGB). 

In this latest scheme, Lazarus Group impersonates well-known centralized finance companies such as Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit. This marks a shift from their previous focus on decentralized finance (DeFi) entities. They approach candidates via platforms like LinkedIn or X (formerly Twitter), inviting them to prepare for video call interviews. During this process, victims are directed to a fake video interviewing service named Willo, where they are prompted to complete a video assessment. 

The deception intensifies when victims encounter an error message indicating a need to download a driver to enable their camera or microphone. This is the crux of the ClickFix technique. Depending on the victim’s operating system, they are instructed to execute specific commands:

  • Windows users: prompted to open Command Prompt and execute a curl command that downloads and runs a Visual Basic Script (VBS) file, which subsequently launches a batch script to deploy GolangGhost.

  • macOS users: instructed to open the Terminal app and run a curl command to execute a shell script. This script runs a secondary shell script that deploys a stealer module known as FROSTYFERRET (also called ChromeUpdateAlert) alongside the GolangGhost backdoor.

FROSTYFERRET presents a fake window claiming that the Chrome browser requires access to the user’s camera or microphone, followed by a prompt to enter the system password. Regardless of the validity of the entered password, it is exfiltrated to a Dropbox location, likely as an attempt to access the iCloud Keychain using the stolen credentials.

This development underscores the evolving tactics of Lazarus Group in exploiting job seekers within the cryptocurrency industry, emphasizing the need for heightened vigilance and robust security measures among potential targets.

Several major Australian superannuation funds have recently fallen victim to cyberattacks involving “credential stuffing,” where attackers use stolen usernames and passwords to access accounts. Notable funds affected include AustralianSuper, Rest, Hostplus, and Australian Retirement Trust. AustralianSuper reported that up to 600 member accounts were compromised, resulting in the theft of approximately $500,000 from four members. 

Rest Super identified unauthorized access to around 8,000 member accounts but reported no financial losses. Hostplus and Australian Retirement Trust also detected unusual login activities and took precautionary measures to secure accounts. 

These breaches have been linked to the absence of multi-factor authentication (MFA) on member accounts, a security measure that provides an additional layer of protection beyond just a password. Despite prior warnings from regulators like the Australian Prudential Regulation Authority (APRA) to implement MFA, some funds had not done so, leaving accounts vulnerable to credential-stuffing attacks. 

In response to the attacks, AustralianSuper has pledged to accelerate the implementation of MFA across its services within a month, a significant acceleration from the previously planned 18-month timeline. 

Authorities, including the Australian Cyber Security Centre and financial regulators, are collaborating with the impacted funds to manage the situation and bolster defences against future attacks. Members are advised to update their passwords, enable MFA where possible, and monitor their accounts for any unauthorized activities. 

This incident underscores the critical need for robust cybersecurity measures within the superannuation sector to protect members’ retirement savings from evolving cyber threats.

Cybersecurity firm Trend Micro has released a report detailing the inner workings of Russian-speaking cybercrime forums. These underground platforms are buzzing with the exchange of sophisticated hacking tools, exploit kits, and even services like “violence-as-a-service.”

These forums aren’t just chaotic free-for-alls—they’re highly structured, with strict vetting, reputation-based trust systems, and a culture of secrecy that supports a thriving cybercriminal ecosystem.

The research highlights new attack vectors now targeting telecom infrastructure and IoT devices. Even more concerning, there’s increasing overlap between digital and physical crimes, with hackers offering support for real-world criminal operations.

Geopolitical shifts—especially the Russia-Ukraine war—have weakened internal enforcement, leading to more cyberattacks on local targets. Meanwhile, collaboration is growing between Russian and Chinese cybercriminals, who are now sharing exploits and brokering initial access.

As these underground networks evolve, experts warn that a reactive defence won’t cut it. Companies must pivot to proactive, intelligence-led cybersecurity strategies. In other words: it’s no longer just malware; it’s a business model with customer service.

Researchers have uncovered a sneaky new cyber campaign by North Korean hackers using social engineering and Python scripts to worm their way into secure systems. Because apparently, international diplomacy wasn’t moving fast enough.

The attack, tied to the “VMConnect” campaign, involves sending victims a Python-coded “interview challenge” disguised as a legit job opportunity—one charmingly named RookeryCapital_PythonTest.zip, supposedly from “Capital One.” Of course, the only capital here is what’s being drained from your system.

The script looks innocent, but it’s been booby-trapped with encoded commands (Base64 and ROT13 for that vintage hacker flair) that quietly exfiltrate data and execute stealthy system commands.

Here’s how it works:

  • It drops a hidden payload in a temporary folder.

  • Then, using Python’s subprocess module (aka “run dangerous stuff.exe”), it creates a connection to a remote server.

  • The attackers can now send encoded instructions that your computer dutifully obeys, like a very naïve butler.

[Figure: DPRK Python initial access execution flow]

It’s not just slick code—the real punch is the social engineering. These hackers build entire fake identities and job scenarios to get victims to run the malicious code themselves. It’s like phishing, but with a résumé and a business casual dress code.

The report warns defenders to stay sharp: watch for shady use of Python, suspicious subprocess calls, and clipboard-hijacking job interviews that ask for command-line input.
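As an added example (not from the newsletter or the report it summarises), here is a small static checker for the decode-then-execute pattern described above: it parses a Python file and flags exec/eval/subprocess/os.system calls whose argument comes out of a Base64, hex or ROT13 decode, either directly or through a variable assigned from one. The script it scans is constructed inline and harmless; `scan` and the helper names are assumptions of this example, not anything from the campaign.

```python
import ast
import base64
import codecs
# Constructed sample shaped like the lure described above: a Base64 + ROT13
# string is decoded and handed to subprocess. The payload is just `echo hello`.
PAYLOAD = base64.b64encode(codecs.encode("echo hello", "rot13").encode()).decode()
SAMPLE = f'''
import base64, codecs, subprocess
cfg = codecs.decode(base64.b64decode("{PAYLOAD}").decode(), "rot13")
subprocess.Popen(cfg, shell=True)
'''
SINKS = {"exec", "eval", "system", "Popen", "run", "call", "check_output"}
DECODERS = {"b64decode", "b32decode", "b16decode", "unhexlify"}

def _name(node):
    """Bare function name of a call target, for `foo(...)` or `mod.foo(...)`."""
    return getattr(node, "attr", None) or getattr(node, "id", "")
def _decoder(call):
    """Label a Base64/hex decode call or a codecs.decode(..., 'rot13') call."""
    fn = _name(call.func)
    if fn in DECODERS:
        return fn
    if fn == "decode" and any(isinstance(a, ast.Constant) and
                              str(a.value).replace("_", "").lower() == "rot13"
                              for a in call.args):
        return "rot13"
    return None
def _decoders_in(node):
    """Labels of every decoder call nested anywhere inside `node`."""
    return {_decoder(n) for n in ast.walk(node) if isinstance(n, ast.Call)} - {None}
def scan(source):
    """(line, sink, labels) for sink calls fed by a decoder, directly or via a variable."""
    tree = ast.parse(source)
    tainted = set()  # variables whose value came out of a decoder
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _decoders_in(node.value):
            tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _name(node.func) in SINKS):
            continue
        labels = set()
        for arg in node.args:
            labels |= _decoders_in(arg)
            if isinstance(arg, ast.Name) and arg.id in tainted:
                labels.add("tainted:" + arg.id)
        if labels:
            findings.append((node.lineno, _name(node.func), sorted(labels)))
    return sorted(findings)
```

Run `scan(SAMPLE)` to see the Popen call flagged via the tainted `cfg` variable; point it at any "interview challenge" archive contents to triage them before running anything.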

Because nothing says “dream job” like being tricked into compromising your entire system.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
