Threat Intel Brief for February 17 - February 23, 2025

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
'Darcula' advanced phishing suite
Ghost (Cring) ransomware advisory
Palo Alto Networks PAN-OS software vulnerability (CVE-2025-0108)
CISA KEV updates

'Darcula' advanced phishing suite

A report from cybersecurity company Netcraft highlights recent advancements in the Darcula phishing kit. The cybercriminals behind Darcula are evolving their Phishing-as-a-Service (PhaaS) platform with the launch of Darcula-suite, introducing AI-driven personalization and automation that allow phishing kits to be deployed against any brand instantly. Originally exposed by Netcraft in 2024, Darcula has already impacted over 200 brands, with more than 95,000 malicious URLs and 20,000 domains taken down in the past year. This latest innovation lowers the barrier for cybercriminals, making phishing more scalable and accessible than ever—posing a growing threat to organizations worldwide.

One of the most notable improvements over the previous suite of tools is "the ability for any user to generate a phishing kit for any brand, regardless of technical ability or prior resources." The steps are simple; one only has to:

1. Insert the URL for the impersonated brand
2. The platform uses a browser automation tool, like Puppeteer, to export the HTML and all required assets
3. Simply select the HTML element to replace and inject the phishing content

Here's a sample, provided by Netcraft, of a spoofed landing page created using Darcula (screenshot not reproduced in this text):

For protecting your organization against this type of phishing attack, user awareness and training should still be your number one priority. Conducting convincing and sophisticated phishing simulations that mimic a real-world scenario is a great way to help prepare users.

Source: Netcraft

Ghost (Cring) ransomware advisory

A joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights ransomware IOCs and TTPs identified through FBI investigations of the Ghost (Cring) ransomware group. The ransomware group, operating out of China, has been actively exploiting outdated software and unpatched vulnerabilities since 2021, targeting organizations across 70+ countries for financial gain. Their evolving tactics—including rotating payloads, modifying ransom notes, and using multiple aliases—have made attribution challenging, with victims spanning critical infrastructure, education, healthcare, government, and businesses. The FBI, CISA, and MS-ISAC urge organizations to apply security patches and follow mitigation strategies to reduce the risk of Ghost ransomware attacks.

The advisory calls out the following actions organizations can take today to help mitigate the threat from this activity:

  • Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices
  • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe
  • Common Vulnerabilities and Exposures (CVE): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
  • Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization
  • Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts

To review the full advisory, please follow the linked source material.

Source: CISA

Palo Alto Networks PAN-OS software vulnerability (CVE-2025-0108)

A critical authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface allows unauthenticated attackers with network access to invoke certain PHP scripts, potentially impacting system integrity and confidentiality. While this flaw does not enable remote code execution, organizations can mitigate risk by restricting access to the management interface to trusted internal IPs. Notably, Cloud NGFW and Prisma Access are not affected by this vulnerability.

This vulnerability is known to be exploited in the wild.

According to Palo Alto, "the risk is greatest if you enabled access to the management interface from the internet or any untrusted network either:

1. Directly; or
2. Through a dataplane interface that includes a management interface profile

You greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management interface.

Use the following steps to identify your recently detected devices in Palo Alto's internet scans:

1. To find any assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
2. Review the list of your devices that were discovered as having an internet-facing management interface and that were tagged with 'PAN-SA-2024-0015' and a last seen timestamp (in UTC)"

Palo Alto recommends securing access to your management interface according to its critical deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.

Review information about how to secure management access to your Palo Alto Networks firewalls:

  • Palo Alto Networks LIVE community article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
  • Palo Alto Networks official and detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Source: Palo Alto

CISA KEV updates

CISA has added 5 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:

[Screenshot listing the five CVEs added to the KEV catalog; not reproduced in this text]

Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the CISA KEV catalog.
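As an added example (not from this brief, CISA, or Coretek), here is one way to put the KEV catalog to work: each scanner finding is checked against a KEV feed in CISA's published JSON format, and anything past CISA's remediation due date or tied to known ransomware use is surfaced first. The feed and the scanner export are constructed samples; the CVE IDs are taken from this brief, but their due dates and ransomware flags are placeholders.

```python
"""Rank scanner findings by CISA KEV status (added example, not from the brief).

Assumes a KEV feed in CISA's published JSON schema (only the fields used here are
modelled) and a scanner export of (host, CVE) pairs. Both inputs below are constructed
samples; the due dates and ransomware flags are placeholders, not CISA's values.
"""
from datetime import date

TODAY = date(2025, 2, 24)  # assumed run date for the overdue check
# Constructed KEV sample; the CVE IDs appear in this brief, the other values are placeholders.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2025-0108", "product": "PAN-OS", "dueDate": "2025-03-11",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2018-13379", "product": "FortiOS", "dueDate": "2022-05-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34473", "product": "Exchange Server", "dueDate": "2022-04-15",
     "knownRansomwareCampaignUse": "Known"},
]}

# Constructed scanner export: one (hostname, CVE) pair per finding.
SAMPLE_FINDINGS = [
    ("fw-edge-01", "CVE-2025-0108"),
    ("mail-01", "CVE-2021-34473"),
    ("vpn-01", "CVE-2018-13379"),
    ("web-07", "CVE-2024-99999"),  # placeholder CVE that is not in KEV
]


def prioritize(feed, findings, today=TODAY):
    """Return only the findings present in KEV, most urgent first: past CISA's
    dueDate first, then known ransomware use, then earliest due date."""
    index = {v["cveID"]: v for v in feed["vulnerabilities"]}  # cveID -> KEV entry
    ranked = []
    for host, cve in findings:
        entry = index.get(cve)
        if entry is None:
            continue  # not in KEV: leave it to the normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        ranked.append({"host": host, "cve": cve, "product": entry["product"], "due": due,
                       "overdue": due < today,
                       "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # False sorts before True, so negating the flags puts overdue/ransomware items first.
    ranked.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SAMPLE_KEV, SAMPLE_FINDINGS):
        print(r["host"], r["cve"], "OVERDUE" if r["overdue"] else f"due {r['due']}",
              "ransomware" if r["ransomware"] else "")
```

Against the live feed, load the JSON from CISA's published URL in place of SAMPLE_KEV and feed in your scanner's CVE export; findings absent from KEV are deliberately dropped so the list stays short enough to act on.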

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact