TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: A critical Remote Code Execution vulnerability found within Craft CMS has been observed being actively exploited in the wild. With Proof-of-Concept exploit code publicly available, and a large number of vulnerable instances exposed, exploitation of the vulnerability will likely continue, highlighting the need for impacted organizations to apply recommended security patches.
On April 25th, Orange Cyberdefense published an investigation report on a critical vulnerability, CVE-2025-32432, impacting Craft Content Management System (CMS) 3.x, 4.x, and 5.x before versions 3.9.15, 4.14.15, and 5.6.17 respectively. The vulnerability was first reported to Craft CMS on April 7th and was confirmed by Craft CMS on April 10th. Craft CMS confirmed on April 17th that the vulnerability was being exploited in the wild.
Craft CMS is widely used to build customized websites and web applications. It is a self-hosted PHP application, backed by a MySQL or PostgreSQL database, that organizations run and administer on their own infrastructure. CVE-2025-32432 was identified during a forensic investigation conducted by Orange Cyberdefense on a compromised Craft CMS server.
CVE-2025-32432 (CVSS: 10.0) is a critical, unauthenticated Remote Code Execution (RCE) vulnerability. An attacker sends a specially crafted POST request to the endpoint responsible for image transformation (actions/assets/generate-transform); the request body carries a "__class" key that the application hands to the underlying Yii framework, which instantiates an attacker-chosen class from it, resulting in code execution on the server. In the observed intrusion, the threat actors used the vulnerability to download a PHP file onto the vulnerable server from a GitHub repository. CVE-2025-32432 was chained with a second flaw, CVE-2024-58136, in the Yii framework, the PHP framework on which Craft CMS is built. CVE-2024-58136 (CVSS: 9.0) is an input validation flaw affecting Yii 2.x.
After identifying the vulnerability, Orange Cyberdefense determined that over 13,000 Internet-exposed Craft CMS instances were vulnerable, the majority located in the United States, and that approximately 300 of them had already been compromised. Proof-of-Concept (PoC) exploit code for CVE-2025-32432 is available on GitHub.
Craft CMS released versions 3.9.15, 4.14.15, and 5.6.17 with an application-level fix for CVE-2025-32432. CVE-2024-58136 was fixed in Yii framework version 2.0.52.
As CVE-2025-32432 is under active exploitation and PoC exploit code is publicly available, it is critical that organizations running vulnerable versions of Craft CMS apply the relevant security patches as soon as possible. Craft CMS has contacted customers using potentially vulnerable versions via email and encouraged them to upgrade to the fixed versions. While no details are available on the victims, organizations should take the necessary actions now to prevent or limit compromise.
Organizations that suspect a breach of their website or web application can review firewall or web server logs for suspicious POST requests targeting the "actions/assets/generate-transform" endpoint in the Craft controller, particularly those containing the string "__class" in the request body. Note that default web server access logs record only the method and URL, not the request body, so the "__class" check requires logs from a WAF, reverse proxy, or application component that captures request bodies. In the event of a suspected breach, Craft CMS also advises rotating database credentials, resetting passwords for database user accounts, and refreshing the security key and any private keys stored as environment variables.
Along with applying the patches, Craft CMS recommends that customers block, at the perimeter (for example on a WAF), POST requests to the actions/assets/generate-transform endpoint that contain the string "__class". If patching is not immediately feasible, organizations should consider installing the Craft CMS Security Patches library as an interim measure until the patches are in place.
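As an added example (not code from Craft CMS, Orange Cyberdefense, or eSentire), the following Python helper applies the two indicators above, the POST to the generate-transform action and the "__class" string, to log data. It assumes Apache/nginx combined-format access logs, which carry the method and URL but not the body, and separately a list of request records with captured bodies such as a WAF or body-logging reverse proxy would export. Because Craft can route a controller action either as a path segment or through the p= query parameter, the endpoint match is done on the percent-decoded URL including its query string; the record keys (ip, ts, method, path, body) and all sample lines are constructed for illustration.

```python
"""Hunting helper for CVE-2025-32432 indicators (added example, not vendor code).

Indicators from the advisory: a POST to the Craft action
actions/assets/generate-transform, and the string "__class" in that request's
body. Two inputs are handled:
  * combined-format access-log lines (method + URL only, no body)
  * request records with a captured body, e.g. exported from a WAF
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote_plus

TARGET_ACTION = "actions/assets/generate-transform"
INDICATOR = "__class"

# Apache/nginx combined log: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
_ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    source_ip: str
    timestamp: str
    reason: str


def targets_transform_action(url: str) -> bool:
    """True if the percent-decoded URL (path plus query string) names the
    generate-transform action. Craft accepts the action as a path segment or
    via the p= query parameter, so the whole URL is matched, not just the path."""
    return TARGET_ACTION in unquote_plus(url).lower()


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Candidate hits: POSTs to the action. Access logs carry no body, so these
    still need body-level confirmation (or should be treated as suspicious when
    the source IP has no business generating image transforms)."""
    findings = []
    for line in lines:
        m = _ACCESS_LINE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip it
        if m["method"] == "POST" and targets_transform_action(m["path"]):
            findings.append(Finding(m["ip"], m["ts"],
                            f"POST to {TARGET_ACTION} (HTTP {m['status']})"))
    return findings


def scan_request_records(records: Iterable[dict]) -> List[Finding]:
    """High-confidence hits: POST to the action with __class in the decoded body
    or query string. Assumed record keys: ip, ts, method, path, body."""
    findings = []
    for r in records:
        if r.get("method") != "POST" or not targets_transform_action(r.get("path", "")):
            continue
        # decode so percent-encoded form keys (e.g. transform%5B__class%5D) are visible
        payload = unquote_plus(r.get("path", "")) + "\n" + unquote_plus(r.get("body", ""))
        if INDICATOR in payload:
            findings.append(Finding(r["ip"], r["ts"],
                            f"{INDICATOR} in {TARGET_ACTION} request"))
    return findings


# --- constructed sample data (RFC 5737 documentation addresses) ---
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [25/Apr/2025:10:01:02 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Apr/2025:10:01:05 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 1337 "-" "python-requests/2.32"',
    '198.51.100.7 - - [25/Apr/2025:10:02:00 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Apr/2025:10:01:06 +0000] "POST /actions%2Fassets%2Fgenerate-transform HTTP/1.1" 200 900 "-" "curl/8.0"',
]

SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "ts": "2025-04-25T10:01:05Z", "method": "POST",
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=1&handle=x&transform%5B__class%5D=placeholder.Class&transform%5Bfoo%5D=bar"},
    {"ip": "198.51.100.7", "ts": "2025-04-25T10:03:00Z", "method": "POST",
     "path": "/index.php?p=actions/assets/generate-transform",
     "body": "assetId=1&handle=thumb&transform%5Bwidth%5D=100"},   # legitimate transform request
    {"ip": "192.0.2.5", "ts": "2025-04-25T10:04:00Z", "method": "POST",
     "path": "/index.php?p=actions/users/login",
     "body": "loginName=a&password=b&__class=x"},                 # __class, but not the target action
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG) + scan_request_records(SAMPLE_REQUESTS):
        print(f"{f.timestamp}  {f.source_ip}  {f.reason}")
```

The same predicate that produces the high-confidence finding (POST to the action with "__class" in the decoded payload) is what a perimeter block rule should enforce; matching on the decoded URL and body rather than the raw bytes is what keeps a percent-encoded path or form key from slipping past either the hunt or the block.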
eSentire MDR for Network has multiple detections in place to identify activities associated with CVE-2025-32432. Known malicious IP addresses associated with the exploitation of CVE-2025-32432 have been added to the eSentire Global Block List. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-32432.
Bottom Line: Details have emerged on new malware families developed by the financially motivated threat group Golden Chickens, who sell access to their malware suite under a Malware-as-a-Service (MaaS) model. The newly developed families feature credential theft and keylogging capabilities.
On May 1st, Recorded Future released a report on two new malware families, TerraStealerV2 and TerraLogger, linked to the financially motivated group Golden Chickens (aka Venom Spider). The report indicates that these families, identified between January and April 2025, are under active development for credential theft and keylogging. Golden Chickens is a financially driven group known for its Malware-as-a-Service (MaaS) model. It serves as the "cyber weapon of choice" for three of the top money-making and longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group, as well as Belarus-based Evilnum. Collectively, these three criminal operations are estimated to have caused financial losses exceeding USD $1.5 billion. In previous campaigns, Golden Chickens' tools have been used in high-profile attacks against companies such as British Airways, Newegg, and Ticketmaster UK.
The new version of the stealer, tracked as TerraStealerV2, is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information. Between January and March 2025, ten distinct samples of TerraStealerV2 were observed, delivered in various formats including MSI, DLL, and LNK files. It exfiltrates stolen data via Telegram and a WeTransfer-themed domain. Recorded Future notes that the stealer may be outdated or still under development, as it cannot decrypt credentials protected by Chrome's Application-Bound Encryption (ABE), the protection Chrome introduced in 2024 specifically to stop off-browser theft of stored cookies and passwords.
TerraLogger is a new keylogger that installs a standard low-level keyboard hook to record keystrokes and writes them to local files. It is delivered as an OCX file and performs the same initial execution checks as TerraStealerV2. However, the report states that it has no data exfiltration or Command-and-Control (C2) functionality.
The Golden Chickens group is actively enhancing its main malware offerings and building custom malware to support financially motivated operations. The variety of samples observed suggests the actors are deliberately packaging their malware in diverse formats to evade detection. The use of Telegram for data exfiltration reflects a preference for covert channels that are difficult to detect at the network perimeter, since traffic to a legitimate, widely used service blends in with normal outbound HTTPS.
Stealer malware like Lumma Stealer has introduced features such as data filtering via User Interfaces, allowing cybercriminals to quickly identify and monetize high value credentials or accounts. If Golden Chickens' payloads such as TerraStealerV2 incorporate similar filtering or UI-based triage capabilities, it would drastically reduce the time between compromise and credential abuse. Organizations must assume that stolen credentials are being actively weaponized within minutes of exfiltration. This compresses the response window, making it critical to immediately isolate infected hosts, rapidly block or rotate compromised credentials, and use identified compromised credentials to pivot and define investigation scope.
TerraLogger lacks network-based exfiltration and stores data locally, implying it's in a proof-of-concept or early distribution phase. The absence of exfiltration functionality limits its current threat level, but suggests ongoing Research and Development (R&D) aimed at building a more robust MaaS keylogging solution. It’s possible this tool will later be combined with other modules.
Tools tied to Golden Chickens have been deployed in high-profile attacks, underscoring the real-world impact of MaaS ecosystems. Tools like TerraLoader can be used to breach high-value targets, showing how MaaS offerings lower the entry bar for financially motivated cybercrime. eSentire's Threat Response Unit has conducted in-depth investigations of the Golden Chickens campaigns targeting e-commerce firms, published as "Unmasking VENOM SPIDER" and "The Hunt for VENOM SPIDER Part 2". These two reports provide detailed information about the identities of the threat actors behind the Golden Chickens campaigns. eSentire researchers have also published a TRU+ blog post and an advisory on a spear-phishing incident linked to the "More Eggs" phishing campaign, in which the threat actors pose as job applicants to lure corporate hiring managers into downloading what appear to be résumés. Payloads involved include VenomLNK, TerraLoader, and More Eggs.
As these tools evolve, organizations should take proactive defensive measures: deploy Endpoint Detection and Response (EDR) solutions with up-to-date signatures to detect and block malicious files, implement controls that block outbound connections to known C2 infrastructure upon detection, and educate users not to save passwords in web browsers, as browser-stored credentials are highly susceptible to theft by malware or unauthorized local access. Organizations can enforce this directly through Group Policy (both Chrome and Edge expose a PasswordManagerEnabled policy that disables the built-in password manager when set to disabled); a dedicated password manager offers a more secure alternative for storing credentials.
Bottom Line: According to the French Cybersecurity Agency (ANSSI), the Russian state-sponsored threat actor APT28 has persistently targeted Ukraine, North Atlantic Treaty Organization (NATO) countries, and European Union member states since 2021.
On April 29th, the French Cybersecurity Agency (ANSSI) released a long-form report on activity attributed to the Russian state-sponsored threat actor APT28. According to ANSSI, APT28 has targeted France and its allies using similar intrusion sets since 2021 to gather strategic intelligence. APT28, also tracked as Fancy Bear, Sofacy, Forest Blizzard, and BlueDelta, has been directly attributed to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
According to ANSSI, APT28 has recently targeted organizations in Ukraine, North Atlantic Treaty Organization (NATO) countries, and European Union member states. At least ten French organizations have been targeted by the group since 2021, including both public and private entities, as well as sports organizations linked to the 2024 Olympic and Paralympic Games. Espionage activity in other countries has targeted "foreign affairs departments, political parties, foundations and associations, and entities from the sectors of defence, logistics, arms industry, aerospace, and IT".
The group employs a variety of tactics to breach its targets. ANSSI has observed APT28 delivering phishing emails, exploiting both known and zero-day vulnerabilities, and conducting brute-force attacks against webmail for initial access. The report also notes that APT28 carries out various attacks against "poorly monitored edge devices". The goal of this activity is espionage; in some cases data is stolen immediately, while in others the group maintains long-term access for strategic purposes.
While the report is non-technical, ANSSI does provide three direct examples of observed APT28 activity:
APT28 is a highly sophisticated and well-resourced group with direct ties to the Russian military. Unlike similar groups such as APT29, which uses a dedicated team to carry out opportunistic attacks and then selects organizations from the resulting victim pool for follow-on operations, APT28 carries out the full attack chain against specifically chosen victim organizations. Because of this target selection, it is more likely to attack the same organization persistently through multiple intrusion vectors until access is gained. To defend against persistent actors like APT28, organizations need a robust defence-in-depth approach to security, with overlapping detections to identify a breach at any stage.
While the goal of APT28’s activity is believed to be espionage, the attacks are not limited to government entities. Organizations and events that may not seem relevant to espionage may be targeted for a variety of strategic reasons. Major international events like the Olympics are notable due to the attendees and projection of soft power; they have been targeted in the past for the theft of attendee information, disruption, and potential interference. IT organizations may be targeted for either the theft of proprietary information, or to conduct supply chain attacks against their downstream customers. The potential scope of APT28 activity is extremely wide, as the theft of both Personally Identifiable Information (PII) and technical information like source code, may be used to gain a strategic advantage over adversarial nations or organizations residing within those borders. Once security best practices are fully implemented, organizations may consider reviewing what information they hold, as well as other factors such as partners and geographical location, to develop a threat model and associated risk model, in order to tailor defenses against the threats most likely to target them.
Russian state-sponsored cyber activity has continued at high volumes. Only a week prior to the ANSSI report, the Dutch military intelligence agency MIVD disclosed that Russian threat actors had targeted Dutch public services. These attacks, and much of Russia's recent cyber activity, are suspected to be related to the war in Ukraine, but an MIVD representative has stated that, "We see the Russian threat against Europe is increasing, including after a possible end to the war against Ukraine". This implies that high levels of Russian state-sponsored APT activity should be expected even if the impetus for recent activity ceases. The eSentire Threat Intelligence team assesses that it is almost certain Russian APT groups, and specifically APT28, will continue performing similar attacks throughout 2025 and beyond.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, giving your organization access to leading threat intelligence and deep cybersecurity expertise.