Overview:
- Phish Tale of the Week
- CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers
- YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels
- How can Netizen help?
Phish Tale of the Week
Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this text message, the actors pose as the USPS and inform you that action needs to be taken regarding your package’s delivery. The message politely explains that “USPS” is holding the package we ordered at “the warehouse,” and that we just need to confirm our address in order to get it delivered. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.
Here’s how we can tell not to click on this smishing link:

- The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
- The second warning sign in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “Within the next 12 hours” and “Please confirm.” Phishing and smishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
- The final warning sign for this message is the style of the link. A quick look at the address is enough to deduce that we’ve been sent a phishing link. Trusted companies like USPS typically use a simple, standardized domain as their website. For example, USPS’s official website is simply “usps.com.” Threat actors typically work message-related words into the links they send you. After one quick look at the URL, “uspz.usspaob.top,” it’s very obvious that this text is an attempt at a smish.
General Recommendations:
A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, Social Security number, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
- Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, Social Security number, etc.? A legitimate company will never ask for PII via instant message or email.
- Do not give out personal or company information over the internet.
- Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
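The three warning signs above (a link inside the SMS, urgency language, and a lookalike domain that is not the brand’s real one) and the recommendation to verify the URL against the company’s actual domain can be turned into a repeatable triage check. The following Python script is an added example written for this newsletter, not code from the original page or from Netizen: it scores a reported text message against those heuristics so a help desk can handle “is this real?” reports consistently. The brand-to-domain table and the three sample messages are constructed for the example (the host “uspz.usspaob.top” is the one quoted above), and the lookalike test is a simple one-edit comparison rather than any vendor’s detection logic.

```python
"""Heuristic smishing triage: scores an SMS against the warning signs above.

Added example (not from the original page). Brand domains and sample
messages are constructed; extend BRAND_DOMAINS with your own allow-list.
"""
import re
from urllib.parse import urlsplit

# Real domains of commonly impersonated carriers (constructed allow-list).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}

# Phrases that manufacture urgency, as discussed in the warning signs.
URGENCY_PATTERNS = [re.compile(p, re.I) for p in (
    r"within (?:the next )?\d+ ?(?:hours?|minutes?|days?)",
    r"please confirm",
    r"confirm your (?:address|details|account)",
    r"immediately|urgent|final notice",
    r"fix your account|account (?:has been )?suspended",
)]

# Bare or schemed URLs: optional scheme, dotted host, optional path.
URL_RE = re.compile(
    r"(?:https?://|www\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_urls(text):
    """Return every URL-looking token in the message."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def registrable_domain(url):
    """Lower-cased host of a URL; a scheme is prepended if missing."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_matches_brand(host, brand):
    """True only if host is the brand's real domain or a subdomain of it."""
    return any(host == good or host.endswith("." + good)
               for good in BRAND_DOMAINS.get(brand, ()))


def lookalike(label, brand):
    """True if a host label equals the brand or is within one edit of it
    (e.g. 'uspz' vs 'usps'). Small bounded Levenshtein distance."""
    if label == brand:
        return True
    if abs(len(label) - len(brand)) > 1:
        return False
    prev = list(range(len(brand) + 1))
    for i, a in enumerate(label, 1):
        cur = [i]
        for j, b in enumerate(brand, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1] <= 1


def detect_brand(text):
    """Which allow-listed brand the message claims to be from, if any."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{brand}\b", lowered):
            return brand
    return None


def score_sms(text):
    """Return (verdict, findings) for one message."""
    findings = []
    urls = extract_urls(text)
    if urls:
        findings.append("contains a link (carriers point you to their app or site instead)")
    hits = [m.group(0) for p in URGENCY_PATTERNS for m in p.finditer(text)]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    brand = detect_brand(text)
    for url in urls:
        host = registrable_domain(url)
        if brand and not host_matches_brand(host, brand):
            findings.append(f"link host '{host}' is not a {brand.upper()} domain")
            if any(lookalike(label, brand) for label in host.split(".")):
                findings.append(f"host label imitates '{brand}'")
    if len(findings) >= 2:
        verdict = "likely smishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no obvious red flags"
    return verdict, findings


# Constructed sample messages: the smish from the page, a legitimate
# no-link notification, and a legitimate message that does carry a link.
SAMPLES = [
    "USPS: Your package is held at the warehouse. Please confirm your address "
    "within the next 12 hours to receive it: uspz.usspaob.top/track",
    "USPS: Your package is out for delivery today. Check your tracking details "
    "in the USPS app for more information.",
    "Your UPS delivery is scheduled. Track at https://www.ups.com/track?loc=en_US",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        verdict, findings = score_sms(sms)
        print(f"{verdict}: {sms}")
        for f in findings:
            print("   -", f)
```

The verdict is deliberately conservative: a single finding, including a link that does point at the brand’s real domain, is still reported as “suspicious” so the recipient verifies through the official app or site rather than the SMS. Only the combination of signals the page describes (link plus urgency plus a non-brand or lookalike host) yields “likely smishing”.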
Cybersecurity Brief
In this month’s Cybersecurity Brief:
CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers

The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch a high-severity vulnerability in Broadcom’s VMware Aria Operations and VMware Tools after confirming that it is being exploited by Chinese hackers. The flaw, tracked as CVE-2025-41244, allows a local attacker with limited privileges to gain root access on a virtual machine managed by Aria Operations when SDMP is enabled.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, which lists security flaws known to be used in real-world attacks. Federal Civilian Executive Branch agencies have until November 20 to apply patches as required under Binding Operational Directive 22-01. The agency warned that unpatched systems remain exposed to ongoing attacks and urged organizations outside the federal government to also apply updates as soon as possible.
Broadcom patched the issue one month ago following reports from security researcher Maxime Thiebaut at NVISO, who discovered that a Chinese state-sponsored actor identified as UNC5174 had been exploiting it since October 2024. Thiebaut released proof-of-concept code showing how an attacker could use the vulnerability to escalate privileges on both Aria Operations and VMware Tools installations, granting full control over the affected virtual machine.
UNC5174, which Google Mandiant has described as a contractor for China’s Ministry of State Security, has been involved in several major intrusions over the past two years. The group was observed selling access to compromised U.S. defense contractors, British government entities, and Asian institutions after exploiting other high-profile vulnerabilities such as CVE-2023-46747 in F5 BIG-IP, CVE-2024-1709 in ConnectWise ScreenConnect, and CVE-2025-31324 in SAP NetWeaver.
Since the beginning of 2025, Broadcom has released patches for three other VMware zero-days and addressed two additional high-severity issues in VMware NSX reported by the National Security Agency. These repeated discoveries highlight the growing focus of advanced threat actors on virtualization platforms, which serve as gateways to large numbers of sensitive systems once compromised.
CISA’s latest directive emphasizes that these vulnerabilities remain a common path for intrusions into government networks and that patching is the most effective mitigation. Agencies and private organizations using affected VMware products are advised to follow Broadcom’s guidance, verify their environments for exposure, and apply available fixes without delay.
To read more about this article, click here.
YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels

A new report from Check Point has revealed a widespread campaign that weaponized YouTube to distribute malware at scale. Dubbed the “YouTube Ghost Network,” the operation involved more than 3,000 videos published across hundreds of compromised channels, many of which had been active since 2021. These videos masqueraded as legitimate tutorials for pirated software or gaming cheats but instead directed users to malware downloads.
The malicious uploads, often disguised with convincing visuals, likes, and comments, were designed to appear trustworthy. Some received well over 200,000 views before being removed. The network relied heavily on hacked accounts whose original content was replaced with fake installation guides for cracked software. Victims were lured to download supposed installers from file-sharing platforms such as MediaFire or Dropbox, or from phishing pages hosted on Google Sites and Blogger. Each of these locations contained hidden payloads leading to information-stealing malware.
Researchers found that the operation was built on a structured, role-based system that assigned functions to different account types. “Video accounts” uploaded the infected videos and pinned download links. “Post accounts” promoted those same links through YouTube’s community tab. “Interact accounts” boosted engagement by liking and commenting on the videos to create a false sense of credibility. This setup allowed the operators to replace banned or removed accounts quickly without disrupting the campaign, maintaining a continuous presence across YouTube.
The network’s organization made it difficult for automated moderation systems to shut it down completely. Even after Google removed a majority of the videos, new ones continued to appear through replacement accounts. Some evidence suggests that the network might operate as a form of “distribution-as-a-service,” meaning multiple groups could be leasing access to it to spread different strains of malware.
Malware families linked to the Ghost Network include Lumma Stealer, Rhadamanthys Stealer, RedLine Stealer, StealC, and Phemedrone. These tools are designed to harvest browser credentials, cryptocurrency wallets, and authentication tokens from infected devices. One hijacked channel with over 120,000 subscribers was caught hosting a fake Adobe Photoshop installer that deployed Hijack Loader, which in turn downloaded Rhadamanthys.
Check Point noted that the growth of this network mirrors a broader shift in cybercrime tactics toward using legitimate platforms as delivery systems. Attackers exploit engagement metrics and user trust rather than relying solely on traditional phishing emails or malicious ads. By embedding malware campaigns within well-known services, they gain both reach and credibility.
The report emphasized that the success of operations like the YouTube Ghost Network demonstrates how cybercriminals are adapting to new content ecosystems. By leveraging social media features such as likes, comments, and community posts, they are able to scale attacks while maintaining the appearance of legitimacy.
Google confirmed that it has removed most of the identified malicious content and continues to work with security researchers to track and disrupt these activities. Still, the campaign shows that large-scale content networks can be turned into malware delivery systems when trust mechanisms are abused, and that vigilance from both platforms and users remains the only reliable defense against such evolving tactics.
To read more about this article, click here.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.