Weekly Security News – 24th February 2025

Keylogger attacking major browsers, critical security fixes for Citrix Netscaler and Juniper routers, support ending soon for Microsoft Exchange...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

New Snake Keylogger Attacking Chrome, Edge, and Firefox Users

A sophisticated new variant of the Snake Keylogger (detected as AutoIt/Injector.GTY!tr) has emerged as a critical threat to Windows users.

It leverages advanced evasion techniques to steal sensitive data from Chrome, Edge, and Firefox browsers.

FortiGuard Labs reports over 280 million blocked infection attempts since January 2025, with concentrated attacks in China, Türkiye, Indonesia, Taiwan, and Spain.

The malware employs AutoIt scripting, process hollowing, and multi-channel exfiltration to bypass traditional defences, making it one of the most persistent keyloggers observed this year.

The campaign begins with phishing emails distributing malicious attachments or links. Upon execution, Snake Keylogger drops an AutoIt-compiled binary (ageless.exe) into the %Local_AppData%\supergroup directory and sets hidden file attributes to conceal it. Compiling the payload as an AutoIt binary complicates static analysis, while its dynamic behaviour mimics benign automation tools. A script placed in the Windows Startup folder ensures automatic execution after every reboot; the Startup folder can be written to without elevated privileges, so no administrative rights are needed for persistence.

The malware injects its payload into RegSvcs.exe, a legitimate .NET process, using process hollowing. By starting the process in a suspended state, unmapping its memory, and loading malicious code in its place, Snake Keylogger evades signature-based detection, since the running process still appears to be a trusted Microsoft binary.
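The write-up gives three observable traces of this chain: a drop into %Local_AppData%\supergroup, a persistence entry in the per-user Startup folder, and RegSvcs.exe started by something other than a normal installer. As an added example (not code from the article or from FortiGuard Labs), the following triage filter runs those indicators over constructed Sysmon-style events. The event shape, the rule regexes and the "parent lives in a user profile directory" heuristic are assumptions made here, not FortiGuard signatures, and every path and user name is made-up sample data.

```javascript
// Added example: flag the Snake Keylogger indicators from the report in
// constructed Sysmon-style events. Event ids follow Sysmon conventions
// (1 = process create, 11 = file create). All data below is constructed.

const SUPERGROUP_DROP = /\\AppData\\Local\\supergroup\\/i;   // %Local_AppData%\supergroup
const STARTUP_FOLDER  = /\\Start Menu\\Programs\\Startup\\/i; // per-user Startup folder
const USER_WRITABLE   = /\\Users\\[^\\]+\\AppData\\/i;        // heuristic (assumption): parent in a profile dir

function baseName(p) { return p.split('\\').pop().toLowerCase(); }

// Returns a list of { rule, event } findings. The rules are derived from the
// indicators in the write-up; they are assumptions, not vendor signatures.
function triage(events) {
  const findings = [];
  for (const ev of events) {
    if (ev.id === 11 && SUPERGROUP_DROP.test(ev.targetFilename)) {
      findings.push({ rule: 'supergroup_drop', event: ev });
    }
    if (ev.id === 11 && STARTUP_FOLDER.test(ev.targetFilename)) {
      findings.push({ rule: 'startup_persistence', event: ev });
    }
    // RegSvcs.exe is a legitimate .NET binary; what stands out is a parent
    // executable living in a user-writable location.
    if (ev.id === 1 && baseName(ev.image) === 'regsvcs.exe' && USER_WRITABLE.test(ev.parentImage)) {
      findings.push({ rule: 'regsvcs_suspicious_parent', event: ev });
    }
  }
  return findings;
}

function countByRule(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Constructed sample events: three that match the chain, two benign controls.
const SAMPLE_EVENTS = [
  { id: 11, image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe',
    targetFilename: 'C:\\Users\\alice\\AppData\\Local\\supergroup\\ageless.exe' },
  { id: 11, image: 'C:\\Users\\alice\\AppData\\Local\\supergroup\\ageless.exe',
    targetFilename: 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run-sample.vbs' },
  { id: 1, image: 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe',
    parentImage: 'C:\\Users\\alice\\AppData\\Local\\supergroup\\ageless.exe' },
  { id: 1, image: 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe',
    parentImage: 'C:\\Program Files\\ExampleVendor\\setup.exe' },   // control: not in a profile dir
  { id: 11, image: 'C:\\Program Files\\Notepad++\\notepad++.exe',
    targetFilename: 'C:\\Users\\alice\\Documents\\notes.txt' },     // control: ordinary file write
];

console.log(countByRule(triage(SAMPLE_EVENTS)));
```

Run with node; the three constructed malicious events produce one finding each, and the two controls produce none. Real telemetry would carry these fields under Sysmon's own names (Image, ParentImage, TargetFilename), so the field mapping is the one thing to adjust before pointing this at a live log.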

Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.

The vulnerability, tracked as CVE-2024-12284, has been given a CVSS v4 score of 8.8 out of a maximum of 10.0.

It has been described as a case of improper privilege management that could result in authenticated privilege escalation if the NetScaler Console Agent is deployed and allows an attacker to execute post-compromise actions.

“The issue arises due to inadequate privilege management and could be exploited by an authenticated malicious actor to execute commands without additional authorization,” NetScaler noted.

“However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thereby limiting the threat surface to only authenticated users.”

The shortcoming affects the following versions –

  • NetScaler Console 14.1 before 14.1-38.53
  • NetScaler Console 13.1 before 13.1-56.18
  • NetScaler Agent 14.1 before 14.1-38.53
  • NetScaler Agent 13.1 before 13.1-56.18

It has been remediated in the following versions of the software –

  • NetScaler Console 14.1-38.53 and later releases
  • NetScaler Console 13.1-56.18 and later releases of 13.1
  • NetScaler Agent 14.1-38.53 and later releases
  • NetScaler Agent 13.1-56.18 and later releases of 13.1

“Cloud Software Group strongly urges customers of NetScaler Console and NetScaler Agent to install the relevant updated versions as soon as possible,” the company said, adding there are no workarounds to resolve the flaw.

Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication

Juniper Networks has released security updates to address a critical security flaw impacting Session Smart Router, Session Smart Conductor, and WAN Assurance Router products that could be exploited to hijack control of susceptible devices.

Tracked as CVE-2025-21589, the vulnerability carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device,” the company said in an advisory.

The vulnerability impacts the following products and versions –

  • Session Smart Router: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
  • Session Smart Conductor: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
  • WAN Assurance Managed Routers: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2

Juniper Networks said the vulnerability was discovered during internal product security testing and research, and that it’s not aware of any malicious exploitation.

The flaw has been addressed in Session Smart Router versions SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and later.

Cyber Attacks

Darcula PhaaS can now auto-generate phishing kits for any brand

The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features being the ability to create do-it-yourself phishing kits to target any brand.

The upcoming release, currently available as a beta, will remove the targeting restriction imposed by the previous versions’ finite set of ready-made phishing kits, allowing anyone to create their own.

In addition to this new feature, the upcoming release, named ‘Darcula Suite,’ also lowers the technical skills required and adds a new user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading.

Netcraft researchers tested one of the latest beta builds of Darcula Suite for hands-on analysis and confirmed that the announced features are legitimate.

Darcula emerged last year as a massive PhaaS operation relying on 20,000 domains that spoof renowned brands to steal credentials from Android and iOS users in over 100 countries.

With a much more powerful version underway, Netcraft warns that cybercriminals are moving to it even if the official release isn’t out yet.

“Because the container images used to run the admin panel are publicly available at registry[.]magic-cat[.]world, Netcraft was able to get a rough estimate of the number of individuals already exploring this test suite,” reads the report.

“The pull count of the API image has increased by more than 100% and the web image by more than 50% from February 5 to February 10.”

Phishing attack hides JavaScript using invisible Unicode trick

A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).

Juniper Threat Labs, which spotted the attack, reports that it took place in early January 2025 and carries signs of sophistication such as the use of:

  • Personalized non-public information to target victims,
  • Debugger breakpoint and timing checks to evade detection,
  • Recursively wrapped Postmark tracking links to obscure final phishing destinations.

JavaScript developer Martin Kleppe first disclosed the obfuscation technique in October 2024, and its quick adoption in actual attacks highlights how quickly new research becomes weaponized.

The new obfuscation technique exploits invisible Unicode characters, specifically the halfwidth Hangul filler (U+FFA0) and the Hangul filler (U+3164).

Each ASCII character in the JavaScript payload is converted into an 8-bit binary representation, and the binary values (ones and zeros) in it are replaced with invisible Hangul characters.

The obfuscated code is stored as a property in a JavaScript object, and since Hangul filler characters are rendered as blank space, the payload in the script looks empty.

A short bootstrap script retrieves the hidden payload using a JavaScript Proxy ‘get() trap.’ When the hidden property is accessed, the Proxy converts the invisible Hangul filler characters back into binary and reconstructs the original JavaScript code.
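The mechanism above is simple enough to reproduce end to end, which is also what an analyst needs in order to find and read such payloads. As an added example (not code from the Juniper report, from Martin Kleppe, or from the attackers’ script), the block below shows the encoding round trip, the Proxy get() trap that decodes a hidden property, and a scanner that pulls filler runs out of a script and decodes them without executing anything. Which filler stands for a 1 bit and the 64-character minimum run length are assumptions made here; the hidden sample is a harmless constructed string.

```javascript
// Added example: invisible-Hangul encoding, the Proxy trap that reverses it,
// and a scanner that finds and decodes such runs in a script. Decoding only
// returns text; nothing is evaluated.

const ONE  = '\uFFA0'; // halfwidth Hangul filler -> bit 1 (assumption: the report does not say which is which)
const ZERO = '\u3164'; // Hangul filler           -> bit 0

// Encoder, used here only to construct a sample offline.
function encodeInvisible(text) {
  let out = '';
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new Error('scheme covers ASCII only');
    for (const bit of code.toString(2).padStart(8, '0')) out += bit === '1' ? ONE : ZERO;
  }
  return out;
}

// Decoder: eight fillers per byte, rejects anything that is not a filler.
function decodeInvisible(hidden) {
  const chars = [...hidden];
  if (chars.length % 8 !== 0) throw new Error('length is not a multiple of 8');
  let out = '';
  for (let i = 0; i < chars.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      const c = chars[i + j];
      if (c !== ONE && c !== ZERO) throw new Error('non-filler character at ' + (i + j));
      byte = (byte << 1) | (c === ONE ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// The bootstrap pattern from the report: a Proxy whose get() trap decodes the
// invisible property on access. Here it returns the text instead of running it.
function revealViaProxy(carrier) {
  const view = new Proxy(carrier, { get: (target, prop) => decodeInvisible(target[prop]) });
  return view.payload;
}

// Constructed sample script with a harmless hidden string.
function buildSampleScript() {
  const hidden = encodeInvisible('console.log("hello")');
  return 'const o = { payload: "' + hidden + '" };';
}

// Scanner: any run of the two fillers of at least 64 characters (assumed threshold)
// is reported with its offset, length and best-effort decoded text.
const FILLER_RUN = /[\uFFA0\u3164]{64,}/g;
function findHiddenPayloads(source) {
  return [...source.matchAll(FILLER_RUN)].map(m => ({
    index: m.index,
    length: m[0].length,
    decoded: safeDecode(m[0]),
  }));
}
function safeDecode(run) {
  try { return decodeInvisible(run); } catch (e) { return null; }
}

console.log(findHiddenPayloads(buildSampleScript()));
```

The scanner deliberately stops at returning text: a triage tool should never hand a decoded payload to eval or Function, and a decode that fails (a run whose length is not a multiple of eight, or that mixes in other characters) is reported as null rather than silently skipped, because a filler run that does not decode cleanly is still worth a look.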

Juniper analysts report that the attackers use extra concealment steps in addition to the above, like encoding the script with base64 and using anti-debugging checks to evade analysis.

In Other News...

Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now

For decades, Microsoft Exchange has been the backbone of business communications, powering emailing, scheduling and collaboration for organisations worldwide. Whether deployed on-premises or in hybrid environments, companies of all sizes rely on Exchange for seamless internal and external communication, often integrating it deeply with their workflows, compliance policies and security frameworks.

However, Microsoft has officially announced that support for Exchange Server 2016 and Exchange Server 2019 will end on October 14, 2025. While this may seem like a distant concern, businesses and IT teams must start preparing now. The end of support means that Microsoft will no longer provide security patches, bug fixes or technical support, leaving organizations running on these versions exposed to security vulnerabilities, compliance risks and potential operational disruptions.

So, what should businesses do now? In this article, we’ll explore the impact of Microsoft’s decision, the risks of continuing with an unsupported Exchange environment and the available options to ensure business continuity and security. If you’re an IT decision-maker or business leader navigating this transition, keep reading — because ignoring this shift could leave your organization vulnerable.

What does Microsoft’s end of support mean for Exchange 2016 and 2019 users?

The end of support for Exchange 2016 and 2019 isn’t just about losing updates — it’s about serious security, compliance and operational risks.

  • Security risks: Without security patches, Exchange 2016 and 2019 become prime targets for cybercriminals. Unpatched vulnerabilities can lead to data breaches, ransomware attacks and email-based threats, putting sensitive business communications at risk.
  • Lack of technical support: After October 14, 2025, Microsoft won’t provide fixes, patches or assistance. If something breaks, IT teams will be on their own — leading to longer downtimes, costly troubleshooting and potential business disruptions.
  • Compliance risks: Regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) require businesses to use secure, up-to-date software. Running outdated Exchange versions could lead to fines, audits and legal consequences if a security incident occurs.
  • Operational inefficiencies: Older software lacks modern features, performance enhancements and integrations, making communication slower and IT maintenance more complex. Keeping Exchange 2016 or 2019 running will also cost more over time as support resources dwindle.

Important note: This end of support also applies to several related Microsoft products, including Microsoft Office 2016, Microsoft Office 2019, Outlook 2016, Outlook 2019, Skype for Business 2016, Skype for Business 2019, Skype for Business Server 2015 and Skype for Business Server 2019.