Akira Ransomware Exploits SonicWall VPN Flaw — Global Surge

Cyber Security News by CyberSum.net

Published on October 14, 2025 at 12:00 AM

4 sources

Between July and August 2025, a resurgence in Akira ransomware incidents targeted organizations through SonicWall SSL VPN appliances, exploiting a vulnerability first disclosed over a year ago — CVE-2024-40766. Darktrace’s Threat Research Team identified a coordinated campaign exploiting unpatched or misconfigured SonicWall devices for initial access, followed by lateral movement, credential harvesting, and data exfiltration. The campaign’s success is attributed to organizations failing to patch SonicWall devices or leaving configurations vulnerable. Akira ransomware, known for double extortion tactics, has expanded its reach across various sectors, including manufacturing, education, and healthcare. Darktrace’s MDR team intercepted an ongoing intrusion within a customer’s network, observing multiple stages of compromise, including network reconnaissance, lateral movement, credential theft, and data exfiltration.

Also Read

PhantomVAI Loader: New Multi-Stage .NET Loader in Phishing Campaigns

PhantomVAI Loader, a newly renamed multi-stage .NET loader, is being used in widespread phishing campaigns to deliver various information-stealing malware. The loader, initially identified as Katz Stealer Loader, now supports multiple payloads through an evasive infection chain that includes obfuscated scripts, steganography, and virtual-machine detection. Organizations across multiple sectors have been targeted in this global campaign. The loader is available on underground marketplaces, allowing even low-skill actors to launch complex attacks. The infection chain involves phishing emails with themes of sales, payments, or legal actions, sometimes using homograph attacks to trick recipients. The emails contain ZIP archives with obfuscated JavaScript or VBS files that embed a Base64-encoded PowerShell script, which fetches a GIF file with a steganographically hidden DLL payload. The PhantomVAI Loader performs virtual-machine detection checks and establishes persistence through scheduled tasks or Run registry keys before downloading the final payload and injecting it into a legitimate executable.

By Cyber Security News by CyberSum.netOctober 16, 2025 at 12:00 PM