cyber threat intelligence
New CTI Lab: 7-Zip Installer (Proxy Node Campaign): Analysis
In February 2026, security researchers across different organizations exposed a long-running malware distribution campaign targeting users of the popular 7-Zip archiving utility. The threat actors behind the operation registered the convincing lookalike domain 7zip[.]com, closely mimicking the legitimate 7-zip.org, and used it for an extended period to distribute trojanized installers that silently convert victims' machines into residential proxy nodes.

What is this about?

Brand impersonation attacks are a critical threat vector because attackers exploit user trust rather than software vulnerabilities. In this campaign, the operators built a fake 7zip[.]com domain that mirrors the structure and content of the official site. The malicious installer carries a now-revoked code-signing certificate issued to "JOZEAL NETWORK TECHNOLOGY CO., LIMITED", and victims receive a fully functional copy of 7-Zip that also deploys malicious payloads onto their machine. These malicious Golang binaries establish persistence, manipulate firewall rules, and turn victim machines into nodes of a residential proxy botnet.

Why is this critical for you and your team?

While security teams increasingly focus on advanced persistent threats and zero-day exploitation, this campaign shows how attackers gain persistent access through social engineering and trust exploitation. Users download software from what appears to be a legitimate source, particularly when following online tutorials or search-engine results, and in doing so bypass traditional security awareness training. The malware's use of code-signed binaries, legitimate system directories, and SYSTEM-level service persistence means it evades many endpoint security controls designed to catch obvious malware. Understanding this infection chain and learning to threat hunt for these artefacts is essential for detecting similar tactics in your environment.

Who is the content for?
- Security Analysts
- Threat Researchers
- Threat Hunters

Here is a link to the lab: 7-Zip Installer (Proxy Node Campaign): Analysis

New CTI Lab: Lotus Blossom Notepad++ Campaign: Analysis
In January 2026, threat researchers at Rapid7 detailed a sophisticated supply chain attack targeting the Notepad++ update mechanism. Between July and October 2025, attackers compromised the project's distribution infrastructure to deliver a custom, undocumented backdoor dubbed Chrysalis. By intercepting update requests, the threat actor distributed malicious NSIS installers to a targeted set of victims across Southeast Asia and Australia.

What is this about?

Supply chain compromises are among the most dangerous threat vectors today. In this campaign, the Chinese state-sponsored group Lotus Blossom (also known as Billbug or Thrip) hijacked a trusted software update pipeline. The attack involves complex DLL sideloading techniques, abusing a renamed Bitdefender binary to execute a multi-layered encrypted payload. Once the Chrysalis backdoor is active, it provides the attackers with persistent, feature-rich remote access to the victim's environment.

Why is this critical for you and your team?

As organizations rely on legitimate third-party utilities like Notepad++, trust in the update process is paramount. This intrusion highlights how state-sponsored actors can weaponize that trust to bypass perimeter defences. Understanding the Chrysalis infection chain, from the initial NSIS installer to the triple-layer decryption of its C2 configuration, is vital for detecting similar living-off-the-land and sideloading tactics in your own network. If your team manages software deployments or monitors developer environments, you must be cognisant of how attackers leverage legitimate, signed binaries to mask malicious behaviour. This lab provides a deep dive into the specific obfuscation and persistence strategies used by one of the region's most persistent threat groups.

Who is the content for?

- Security Analysts
- Threat Researchers

Here is a link to the lab: Lotus Blossom Campaign: Analysis

New CTI Lab: CVE-2026-23744 (MCPJam RCE): Offensive
On January 16, 2026, advisories were released covering a critical vulnerability in MCPJam Inspector, the local-first development platform for MCP servers. The latest version, 1.4.2, and all earlier versions are vulnerable to remote code execution (RCE): a trivial yet highly impactful flaw that lets an attacker send a crafted HTTP request which triggers the installation of an MCP server, leading to RCE.

What is this about?

The Model Context Protocol (MCP) has become a popular way to connect AI-enabled applications and services, for example connecting tools to your OpenAI account so the AI can help you work with the tool, perform tasks on your behalf, or act as a webhook between tools. MCPJam is an example of a tool that makes these processes easier and more convenient.

Why is this critical for you and your team?

As AI adoption rises across industries and sectors, products and services have been released to help people interact with AI pipelines. With MCPJam and tools like it, you can test and develop MCP servers, emulate deployments, and debug your workflow, making your entire MCP development pipeline much smoother. If you use tools like this, where you share your API keys and other sensitive data with the tool, you need to be cognisant of the risks they carry, as many are vulnerable to basic misconfigurations that can lead to serious impacts.

Who is the content for?

- Penetration Testers
- Security Analysts
- Incident Responders

Here is a link to the lab: CVE-2026-23744 - MCPJam: Offensive

This application has no logging available at all, so there is no defensive variant of this lab.

New CTI Lab: CVE-2026-21858 (n8n RCE): Offensive
On January 7, 2026, Cyera Research Labs released an advisory for "Ni8mare," a critical unauthenticated remote code execution vulnerability (CVE-2026-21858) in n8n with a CVSS score of 10.0. The flaw stems from a "Content-Type Confusion" bug in the Form Webhook node, which allows attackers to override internal file paths, enabling the arbitrary disclosure of sensitive data, including database.sqlite and the system's unique encryption key. This vulnerability can be exploited to forge administrative sessions and achieve full system takeover.

What is this about?

n8n has had a number of vulnerabilities over the last year or so, but those vulnerabilities required authentication to exploit, meaning the attacker already needed access to the n8n server. This vulnerability has a CVSS score of 10.0 and gives attackers unauthenticated remote code execution, making it a pertinent discussion point for potential future vulnerabilities and attacks, given that n8n will likely receive more attention from vulnerability researchers and threat actors alike.

Why is this critical for you and your team?

n8n is very popular with organizations and the wider community alike, with over 70,000 active instances exposed to the internet, so there is a reasonably wide attack surface to be exploited. If you or your team uses n8n, and there is a reasonably high probability that you do (for example, in human resources, project planning, or news feeds), then learning about and mitigating this vulnerability is essential to protect yourself against attacks.

Who is the content for?

- Penetration Testers
- Security Analysts
- Incident Responders

Here is a link to the lab: CVE-2026-21858 (n8n RCE): Offensive

New CTI Lab: CVE-2025-55182 (React - Next.js)
On December 3, 2025, the cybersecurity world received news of a critical vulnerability in the React 19 ecosystem. This critical flaw, tracked as CVE-2025-55182 with a CVSS score of 10.0, affects React Server Components (RSC). It allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers by sending a specially crafted HTTP request.

AI Hallucination

Within the first 24 hours of the vulnerability being announced, a PoC was published to GitHub which looked convincing and, when tested, appeared to achieve its goal, resulting in code execution. It turned out that this PoC, which was picked up and circulated by researchers and on social media, was actually an AI hallucination. The AI had crafted a deliberately misconfigured, vulnerable server together with a PoC that appeared to match the requirements of the exploit but in fact only triggered that misconfiguration.

What is this about?

CVE-2025-55182 is a critical insecure deserialization vulnerability affecting React Server Components (RSC) within the React 19 ecosystem. The flaw is located in the server-side logic that handles the React Flight protocol, which is used for client-to-server interactions, specifically Server Functions (Server Actions). An unauthenticated attacker can send a specially crafted HTTP request containing a malicious serialized payload. The vulnerable server-side code fails to validate this payload, allowing the attacker to achieve remote code execution on the server.

Why is this critical for you and your team?

This critical vulnerability has a CVSS score of 10, is fairly trivial to exploit, and has significant impact when successfully exploited, since that impact includes unauthenticated remote code execution. If your team uses React, React Server Components (RSC), or similar, you are at risk. This flaw impacts the standard, default configurations of high-profile frameworks like the Next.js App Router, which many organizations rely on for building high-performance sites.

Who is the content for?

- Security Analysts
- Penetration Testers
- Incident Responders
- Vulnerability Management Teams

Here is a link to the lab: CVE-2025-55182 (React - Next.js)

New CTI Lab: Shai-Hulud 2.0: Analysis
In late November and early December 2025, a set of critical software supply chain intrusions took place when the highly dangerous Shai-Hulud 2.0 worm was used to steal GitHub, cloud, and other credentials and secrets, gaining access to developer machines through a malicious npm package installation.

What is this about?

By abusing the inherent trust in the npm ecosystem, Shai-Hulud guarantees execution during the crucial preinstall phase, effectively bypassing many traditional security scans that only review code after installation. Once running, the payload launches a concurrent, parallel attack across your environment: it hunts for local credentials, attempts to steal highly privileged temporary cloud tokens via the Instance Metadata Service (IMDS), and, most critically, can automatically inject itself into every other package the victim maintains on their machine.

Why is this critical for you and your team?

npm is massively popular, and many of the affected packages are widely used in software development and deployment. Shai-Hulud 2.0 is a devastating self-replicating worm that weaponizes your supply chain to steal highly privileged cloud credentials (via IMDS) and, if the threat actor chooses to set it up, establishes a permanent C2 backdoor via GitHub Actions. Given the importance of npm packages to developers, customers from any organisation and across all sectors must understand how this intrusion works to prevent their credentials and secrets from being stolen.

Who is the content for?

- Security Analysts
- Incident Responders
- Software Developers/Secure Development Teams
- Cloud Engineers
- Vulnerability Management Teams

Here is a link to the lab: Shai-Hulud 2.0: Analysis

New CTI Lab: Lazarus Cyberespionage Campaign: Analysis
In early November 2025, the North Korean state-sponsored actor Lazarus was reported to have launched various attacks as part of a long-standing cyberespionage campaign linked to Operation DreamJob. Targets include European organizations manufacturing unmanned aerial vehicles (UAVs), aircraft component manufacturers, and a British industrial automation organization. Lazarus's, and by extension North Korea's, operational objective in these attacks is assessed with high confidence to be cyber espionage.

What is this about?

The attacks used a custom remote access trojan called ScoringMathTea RAT, which uses its own cipher system to obfuscate its code and conceal its functionality from analysts. The lab involves reverse engineering the malware and identifying indicators of compromise by breaking the cipher and using that to determine what the malware is doing.

Why is this critical for you and your team?

North Korean cybercriminals and state-sponsored actors are highly skilled, persistent, and aggressive in pursuing the North Korean regime's objectives, one of which is stealing information from targets in ways that can affect national security. Understanding how North Korean cyber operators conduct attacks, and understanding their tooling, is essential for analysts to be better equipped to tackle these threats.

Who is the content for?

- Malware Analysts and Reverse Engineers
- SOC Analysts
- Incident Responders
- Threat Hunters
- Tactical and Operational Cyber Threat Intelligence Analysts

Here is a link to the lab: Lazarus Cyberespionage Campaign: Analysis

New CTI Labs: CVE-2017-1000353 Offensive and Defensive (October 2025 CISA KEV Additions)
In October 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, one of which was a critical 2017 vulnerability affecting Jenkins versions 2.56 and earlier and 2.46 LTS and earlier. This vulnerability allows attackers to gain remote code execution on vulnerable instances.

Why is this critical for you and your team?

Jenkins is a widely used application, and Shodan reports confirm that thousands of instances running the vulnerable versions are exposed to the internet. As this is a critical remote code execution vulnerability, the impact is significant. Understanding how to investigate logs for this attack, and how exploitation is achieved, is important for any team. Even though it's a 2017 vulnerability, it's a very recent addition to the CISA KEV, which illustrates just how significant it is and that, even today, attackers use this vulnerability to gain footholds and compromise vulnerable victims.

Who is the lab for?

- SOC Analysts
- Incident Responders
- Penetration Testers
- Red Teamers
- Threat Hunters

Here are the links to the labs:

Offensive: https://immersivelabs.online/v2/labs/cve-2017-1000353-jenkins-command-injection-offensive
Defensive: https://immersivelabs.online/v2/labs/cve-2017-1000353-jenkins-command-injection-defensive

New Labs - Malterminal: Malware Analysis
With artificial intelligence (AI) and large language models (LLMs) fast becoming a more popular and talked-about set of technologies in every industry, it's no surprise that LLM-enabled malware now exists that can dynamically generate code, query data, and offload malicious functionality to LLMs, lowering the barrier to entry for threat actors deploying malware. This lab introduces one of the first known malware samples to use LLMs to perform malicious functionality.

Why should our customers care?

Most, if not all, companies are looking into using AI to varying degrees, whether to make their workforce more efficient and productive or to build full models that support technical processes. With this in mind, and with the advent of basic malware that can use API keys to query LLMs and AI services, we will likely see this class of malware evolve over time. By doing this lab, you'll begin to see how these pieces of malware are just a stub and a querier for AI, and how they can be used maliciously. This showcases what the threat looks like in its current state. We will be monitoring how this threat evolves, so stay tuned for more labs.

Who is the defensive lab for?

- SOC Analysts
- Incident Responders
- Threat Hunters

Here is a link to the lab: https://immersivelabs.online/v2/labs/malterminal-analysis

CVE-2025-53770: Critical Zero-Day RCE Vulnerability in Microsoft SharePoint Servers
An unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2025-53770, has been discovered in on-premise Microsoft SharePoint Servers. This critical zero-day flaw allows attackers to execute arbitrary code on a server without needing to authenticate, posing a significant security risk. The vulnerability has been actively exploited in the wild, with researchers detecting an exploit chain as early as July 18, 2025.

What is CVE-2025-53770?

The vulnerability stems from insufficient validation of user-supplied data, which can be exploited with a specially crafted request to the server. This allows a remote attacker to execute code with the permissions of the SharePoint application pool, leading to a full compromise of the server: access to sensitive data, malware installation, and complete control over the system.

Which systems are affected?

This vulnerability impacts multiple versions of on-premise Microsoft SharePoint servers:

- SharePoint Server Subscription Edition (versions earlier than KB5002768)
- SharePoint Server 2019 (versions earlier than 16.0.10417.20027/KB5002754)
- SharePoint Server 2016 (specific version numbers vary, but generally earlier than the latest security updates)
- SharePoint Server 2013 and 2010 (these are end-of-life and no longer supported, but Microsoft still lists them as potentially affected)

How could attackers use this vulnerability?

Bad actors are actively exploiting CVE-2025-53770 to gain initial access to corporate networks. Since the vulnerability is unauthenticated, attackers can scan the internet for vulnerable SharePoint servers and run their exploit without any user credentials. Once exploited, they can deploy web shells to maintain persistent access, install ransomware, exfiltrate sensitive company data, or use the compromised server as a pivot point to move laterally within the network and attack other systems. The ease of exploitation and the high level of access it grants make this a particularly dangerous vulnerability for any organization with an on-premise SharePoint deployment.

How to protect your organization

To protect your organization from this critical vulnerability, you need to take immediate action:

Apply security patches. Microsoft has released security updates to address this vulnerability. It's crucial to apply these patches to all affected SharePoint servers immediately.

Hunt for indicators of compromise (IoCs). Since this vulnerability was a zero-day and exploited in the wild, it's essential to check for signs of a breach. Security teams should analyze SharePoint and web server logs for suspicious requests, particularly those involving unexpected file uploads or unusual processes being executed by the SharePoint application pool identity. Look for newly created .aspx or .ashx files in SharePoint directories that aren't part of a standard installation.

Implement network segmentation. Restrict access to your SharePoint servers from the internet as much as possible. If external access is necessary, consider placing the server behind a web application firewall (WAF) with rules designed to block common web attack patterns.

Enhance monitoring. Increase monitoring of SharePoint servers for anomalous behavior, such as unexpected outbound network connections, high CPU usage from SharePoint-related processes, or suspicious scheduled tasks being created.

Conclusion

CVE-2025-53770 represents a severe and immediate threat to organizations running on-premise Microsoft SharePoint Servers. As a critical, unauthenticated remote code execution vulnerability being actively exploited in the wild, it gives attackers a direct path to full compromise of the server, with the potential for data breaches, ransomware deployment, and significant operational disruption. Your response must be swift and comprehensive. Immediately applying Microsoft's security patches is the critical first step to prevent exploitation. However, because it was exploited as a zero-day, organizations must also assume possible compromise and proactively hunt for IoCs. Strengthening network segmentation and enhancing monitoring are vital secondary measures against this and future threats. Ultimately, a decisive and layered security response is essential to mitigate the substantial risks posed by this vulnerability.

Recommended content

To learn how to detect and exploit this vulnerability in a sandboxed environment, check out the following labs on the Immersive platform:

Defensive: CVE-2025-53770 (ToolShell SharePoint RCE)
Offensive: CVE-2025-53770 (ToolShell SharePoint RCE)

Share your thoughts

Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.
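A small hunting script for the IoC guidance in the SharePoint post above (suspicious unauthenticated upload-style requests in web server logs, and .aspx/.ashx files that are not part of a standard install), added here as an example rather than code from Immersive, Microsoft or the original post. It assumes IIS W3C log lines in the field order it declares and a baseline of script files taken from a known-clean install; the log lines, file names and thresholds are constructed.

```python
"""Hunting helpers for the CVE-2025-53770 IoCs described in the post above.
Added example, not Immersive's or Microsoft's code. Assumptions not from the
post: IIS W3C logs in the FIELDS order, and a clean-install .aspx baseline."""
from datetime import date

# Field order of the constructed sample lines below (assumption).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-username",
          "c-ip", "sc-status", "cs-bytes"]

# Constructed sample log lines, not real traffic: a benign GET, an
# authenticated upload to a site, and an unauthenticated large POST.
SAMPLE_LOG = """\
2025-07-18 09:01:12 GET /_layouts/15/start.aspx CONTOSO\\alice 10.0.0.5 200 412
2025-07-18 09:02:40 POST /sites/hr/_api/web/files CONTOSO\\alice 10.0.0.5 200 18211
2025-07-18 09:05:03 POST /_layouts/15/upload.aspx - 203.0.113.7 200 9031
"""

# Heuristic drawn from the hunt guidance: an unauthenticated POST carrying a
# large body to a SharePoint system path deserves a second look.
SYSTEM_PREFIXES = ("/_layouts/", "/_api/", "/_vti_bin/")
LARGE_BODY_BYTES = 4096
EARLIEST_EXPLOIT = date(2025, 7, 18)  # first exploit chain seen, per the post


def parse_iis_line(line: str) -> dict:
    """Split one W3C log line into a dict keyed by FIELDS (assumed order)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    return dict(zip(FIELDS, parts))


def find_suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, uri) for unauthenticated large POSTs to system paths."""
    hits = []
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):  # skip W3C directive lines
            continue
        rec = parse_iis_line(raw)
        if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].startswith(SYSTEM_PREFIXES):
            continue
        if rec["cs-username"] == "-" and int(rec["cs-bytes"]) >= LARGE_BODY_BYTES:
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


# Constructed inventory of a LAYOUTS directory plus an abbreviated clean
# baseline; ghost_debug.aspx is a made-up name, not a published IoC.
SAMPLE_FILES = [("LAYOUTS/start.aspx", date(2024, 3, 2)),
                ("LAYOUTS/ghost_debug.aspx", date(2025, 7, 19)),
                ("LAYOUTS/1033/styles/core.css", date(2024, 3, 2))]
BASELINE = {"LAYOUTS/start.aspx", "LAYOUTS/default.aspx"}


def find_unexpected_script_files(observed, baseline) -> list[tuple[str, bool]]:
    """Return (path, created_after_first_exploit) for every .aspx/.ashx file
    that is not part of the clean-install baseline."""
    hits = []
    for path, created in observed:
        if path.lower().endswith((".aspx", ".ashx")) and path not in baseline:
            hits.append((path, created >= EARLIEST_EXPLOIT))
    return hits
```

Run both functions over your own exported IIS logs and a file inventory of the SharePoint hive; treat the output as leads for triage, not as confirmation of compromise.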