Content 

01. News Bites
  • Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed
  • UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors
  • New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus
  • ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service
  • Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
02. Conclusion

Quick News Bites

Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed

Researchers uncovered two malicious Rust crates — faster_log and async_println — impersonating the legitimate fast_log library to steal Solana and Ethereum wallet keys. Published on May 25, 2025, by aliases rustguruman and dumbnbased, the crates were downloaded over 8,400 times before being removed from crates.io. The packages contained functional logging code for cover but also included routines that scanned Rust source files for private keys and exfiltrated them via HTTP POST to a Cloudflare Workers domain mimicking Solana’s RPC endpoint.
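As an added defensive illustration (not part of the bulletin or of any referenced research), the script below audits a `Cargo.lock` for crate names that are a short edit distance from crates a project has already vetted, the pattern the `faster_log` / `fast_log` impersonation relies on. The lock file content, the trusted-crate allowlist and the minimum name length are constructed assumptions; the denylist holds only the two names reported above.

```python
"""Audit a Cargo.lock for lookalike (typosquat) and known-bad crate names.

Added example, not code from the bulletin. The sample lock file and the
TRUSTED_CRATES allowlist are constructed; KNOWN_BAD_CRATES lists only the
two crates named in the report above.
"""
import re

# Crates this (hypothetical) project has reviewed and accepts.
TRUSTED_CRATES = {"fast_log", "serde", "tokio", "log", "rand"}
# Names reported as malicious in the bulletin.
KNOWN_BAD_CRATES = {"faster_log", "async_println"}
# Very short trusted names (e.g. "log") would flag unrelated crates at
# distance 1, so only compare against names at least this long.
MIN_TRUSTED_NAME_LEN = 5

# Constructed Cargo.lock excerpt.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "faster_log"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "async_println"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio-macros"
version = "2.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """crates.io treats '-' and '_' as equivalent, so compare on one form."""
    return name.lower().replace("-", "_")


def parse_cargo_lock(text: str) -> list[tuple[str, str, str]]:
    """Return (name, version, source) for every [[package]] block."""
    packages = []
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        fields = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, flags=re.M))
        packages.append((fields.get("name", ""),
                         fields.get("version", ""),
                         fields.get("source", "")))
    return packages


def audit(text: str, max_distance: int = 2) -> dict[str, list[str]]:
    """Map each suspicious crate name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    trusted = {normalize(t) for t in TRUSTED_CRATES}
    for name, _version, _source in parse_cargo_lock(text):
        norm = normalize(name)
        reasons = []
        if norm in KNOWN_BAD_CRATES:
            reasons.append("known-malicious")
        if norm not in trusted:
            for t in sorted(trusted):
                if len(t) < MIN_TRUSTED_NAME_LEN:
                    continue
                if 0 < levenshtein(norm, t) <= max_distance:
                    reasons.append(f"lookalike of {t}")
                    break
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for crate, reasons in audit(SAMPLE_CARGO_LOCK).items():
        print(f"{crate}: {', '.join(reasons)}")
```

Run it against a real lock file by replacing `SAMPLE_CARGO_LOCK` with the file's contents; a lookalike hit is a prompt to compare the crate's repository, owners and publish date against the crate it resembles before trusting it, not proof of malice on its own.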

UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors

A China-linked threat group known as UNC5221 has been deploying the BRICKSTORM backdoor against U.S. organizations in the legal, SaaS, BPO, and technology sectors. The campaign, ongoing since at least 2022, is designed to gain long-term stealthy access—averaging 393 days undetected—by exploiting edge devices and appliances that lack endpoint detection. The Go-based malware provides capabilities such as file manipulation, shell command execution, SOCKS proxying, and acting as a web server, while communicating with command-and-control servers over WebSockets. Its objectives include accessing sensitive emails, stealing credentials, and gathering intelligence related to national security, trade, and intellectual property, as well as leveraging SaaS providers to reach downstream customers.

Attackers frequently gain entry through Ivanti Connect Secure zero-day vulnerabilities and then establish persistence by modifying startup scripts, deploying JSP web shells, or using valid credentials to pivot into VMware infrastructure. They have also been observed using BRICKSTEAL, a malicious Apache Tomcat filter, to harvest vCenter credentials and clone critical servers for deeper access. The malware is under active development, with some variants delaying execution to evade detection. Mandiant and Google warn that BRICKSTORM represents a highly sophisticated cyber espionage threat, urging organizations to proactively hunt for hidden backdoors on Linux, BSD, and other appliances outside traditional EDR coverage.

New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus

Researchers at Zscaler have uncovered a new malware family called YiBackdoor, which shares major code similarities with IcedID and Latrodectus. Discovered in June 2025, it can execute commands, harvest system info, capture screenshots, and load plugins for added functions, while evading detection with anti-analysis techniques and persistence via the Windows Run registry key. Its limited use so far suggests it is still being tested or developed.

In parallel, new ZLoader versions (2.11.6.0 and 2.13.7.0) have emerged with stronger obfuscation, improved anti-analysis, LDAP-based discovery for lateral movement, and upgraded DNS/WebSocket C2 communication, reflecting ongoing evolution toward stealthier, more targeted attacks.

ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service

Researchers have uncovered ShadowV2, a new DDoS-for-hire botnet that exploits misconfigured Docker containers on AWS to deploy a Go-based RAT, managed via a Python C2 on GitHub Codespaces. It features advanced attack methods like HTTP/2 Rapid Reset floods and Cloudflare bypass attempts, highlighting its design as a cybercrime-as-a-service platform. The discovery comes amid record-breaking DDoS attacks, including a 22.2 Tbps assault mitigated by Cloudflare, and the rise of the AISURU botnet, which has infected nearly 300,000 IoT devices worldwide.

Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants

Researchers uncovered a critical flaw in Microsoft Entra ID (CVE-2025-55241, CVSS 10.0) that could have allowed attackers to impersonate any user, including Global Administrators, across any tenant without prior access. The issue arose from insecure handling of service-to-service actor tokens and a validation failure in the legacy Azure AD Graph API, enabling cross-tenant compromise. Exploitation would have bypassed MFA, Conditional Access, and logging, leaving no trace, while granting attackers full control over Azure and Microsoft 365 services. Microsoft patched the flaw on July 17, 2025, with no customer action required, and deprecated the Graph API as of August 31.

The bug was discovered by Dirk-jan Mollema and highlights the risks of legacy API dependencies in cloud environments. It follows a wave of recent cloud security findings affecting Microsoft and AWS, including OAuth misconfigurations, credential leaks, and API abuse leading to cross-tenant access, data exfiltration, and privilege escalation. Collectively, these flaws demonstrate how token misuse, misconfigurations, and insufficient validation in identity systems can expose organizations to silent, tenant-wide compromises in the cloud.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.