Analyst Insight
This week in cyber, stealthy malware and third-party risks continue to dominate the threat landscape. A new variant of the Matanbuchus loader has emerged, showcasing advanced evasion techniques and targeting enterprise collaboration tools like Microsoft Teams and Zoom, reflecting the growing abuse of trusted platforms. Meanwhile, international law enforcement dealt a major blow to the DiskStation ransomware gang, which had been exploiting NAS device vulnerabilities to extort businesses. On the vulnerability front, Fortinet patched a critical flaw in its FortiWeb firewall that could allow unauthenticated code execution, while researchers warned of a novel phishing method exploiting Google Gemini’s email summarization to deliver fake alerts via prompt injection. These developments underscore the need for layered defences, vigilant patching, and careful evaluation of AI-generated content.
Email Summary Hijack: A New Phishing Threat via Gemini
A sneaky Gemini trick has surfaced: attackers can embed invisible HTML/CSS instructions in an email, which Google Gemini reads when you click “Summarize this email.” The AI then pushes out a fake alert, like “Your Gmail password has been compromised call support now” even though nothing malicious is visible in the actual email. This flaw, uncovered by Marco Figueroa of Mozilla’s GenAI bounty team via 0din.ai, abuses prompt‑injection to manipulate Gemini’s summaries.
To stay safe, treat AI summaries as helpful, but not foolproof. Always read the original message before reacting to urgent prompts. Security teams should strip or detect hidden styling and filter out alarming content like phone numbers or faux warnings.
Fortinet FortiWeb Patch Released for Critical Vulnerability
A recently disclosed vulnerability, CVE-2025-25257, affects certain versions of Fortinet’s FortiWeb web application firewall. Security researcher Kentaro Kawane from GMO Cybersecurity discovered that attackers could potentially exploit a SQL injection flaw in the get_fabric_user_by_token() function to run unauthorized code without needing to log in.
Fortinet has since released patches covering versions 7.0 through 7.6. While proof-of-concept exploits have been published, no active exploitation has been confirmed as of now. For added security, admins who can’t patch immediately may consider disabling HTTP/HTTPS admin access temporarily.
Police Disrupt DiskStation Ransomware Gang Targeting NAS Devices
International police forces have successfully disrupted the “DiskStation” ransomware gang, which had been exploiting vulnerabilities in NAS (Network Attached Storage) devices. These devices, commonly used by companies for centralized file storage, data backup, recovery, and content hosting, were targeted by the gang, which locked users out of their data and demanded ransom payments for decryption keys. Authorities arrested a 44-year-old Romanian man who is suspected of being the primary operator behind the attacks. The gang’s actions caused major disruptions for businesses, particularly those who failed to keep their devices updated with the latest security patches. This operation, spanning multiple countries, has dealt a serious blow to the ransomware gang.
Matanbuchus Ransomware Update, Targeting Corporate Collaboration Software
Cybersecurity experts have uncovered a new version of the Matanbuchus malware loader, a stealthy Malware-as-a-Service tool used to deploy ransomware and other payloads. Matanbuchus 3.0 features more advanced obfuscation, improved communication protocol techniques, in-memory execution, reverse shell support, and can deliver DLLs, EXEs, and shellcode while evading detection using LOLBins and COM hijacking. The loader also comes fitted with features that can be invoked remotely by a C2 server to collect all executing processes, running services, and a list of installed applications.
“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” Morphisec CTO Michael Gorelik said. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.”
The loader is being rented for up to $10,000 for the HTTPS version and $15,000 for the DNS version a month and has been linked to phishing, malvertising, and compromised sites. Researchers warn that attackers are increasingly using it to exploit enterprise collaboration platforms like Microsoft Teams and Zoom, making it a growing threat to corporate environments.
Go Back
