ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
Weekly Threat Roundup: MicroStealer, Critical ICS Flaws, and Supply Chain Defenses
TL;DR MicroStealer malware targeting education and telecom sectors steals credentials and cryptocurrency wallets via Discord webhooks. Two critical vulnerabilities in Eclipse BaSyx V2 allow external attackers to bypass network segmentation and compromise industrial control systems. The FTC settled with location data broker Kochava over illegal data sales, while pnpm 11 introduced 24-hour delays on package installation to reduce supply chain risk.
What happened
MicroStealer emerged in December 2025 as a credential theft campaign targeting education and telecom sectors. The malware specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information. It spreads via a multi-stage delivery chain with low detection rates and exfiltrates stolen data through Discord webhooks and attacker-controlled servers.
In regulatory action, the Federal Trade Commission (FTC) announced a settlement with location data broker Kochava and its subsidiary Collective Data Solutions. The company was found to be illegally obtaining and selling consumers' yearly incomes, mobile device IDs, app usage, and geolocation data precise to within 10 meters without consent or awareness. Under the settlement terms, Kochava is blocked from selling, sharing, or disclosing sensitive location data without explicit consumer consent and must establish a data retention schedule with predetermined deletion timeframes. The settlement did not impose a financial penalty.
On the industrial control front, two critical vulnerabilities were disclosed in Eclipse BaSyx V2. CVE-2026-7411 (CVSS 10.0) is an unauthenticated path traversal flaw allowing arbitrary file writes and code execution. CVE-2026-7412 (CVSS 8.6) is a blind SSRF flaw that forces the BaSyx server to proxy HTTP POST requests to arbitrary targets. By chaining these flaws, external attackers can bypass network segmentation, compromise the Digital Twin server, and send unauthorized commands directly to isolated PLCs and industrial sensors. Patches are available in Eclipse BaSyx version 2.0.0-milestone-10.
A critical authentication bypass vulnerability, CVE-2026-4670 (CVSS 9.8), affects MOVEit Automation and could result in unauthorized administrative access and data exposure. Censys has observed fewer than 100 exposed MOVEit Automation web admin interfaces globally, nearly two-thirds of them in the United States.
Supply chain hardening efforts advanced with pnpm 11, which now defaults the minimum release age to 24 hours before newly published packages can be installed. The tool also blocks exotic sub-dependencies resolving from non-standard sources such as Git repositories or direct tarball URLs. This approach aims to reduce the window for automated installation of malicious or compromised packages.
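The two pnpm 11 defaults described above can be reproduced as a pre-install policy check. The following is an added example written for this roundup, not pnpm's own code: it reads the kind of "time" map an npm registry returns for a package, holds back any version younger than 24 hours, and rejects dependency specifiers that point at git repositories, tarball URLs or other non-registry sources. The registry metadata, the fixed "now" and the dependency map are constructed sample data.

```python
"""Added example (not pnpm's own code): enforce a 24-hour minimum release age
from npm registry metadata and reject dependencies that resolve from
non-registry sources (git, tarball URLs), mirroring the pnpm 11 defaults."""
from datetime import datetime, timedelta, timezone

MIN_RELEASE_AGE = timedelta(hours=24)

# Constructed sample of the "time" map an npm registry returns for a package
# (version -> publish timestamp); "created"/"modified" are not versions.
SAMPLE_TIME_MAP = {
    "created": "2025-11-01T10:00:00.000Z",
    "modified": "2025-12-10T09:30:00.000Z",
    "1.4.2": "2025-11-20T08:00:00.000Z",
    "1.4.3": "2025-12-09T15:00:00.000Z",
    "1.5.0": "2025-12-10T09:30:00.000Z",
}

# Constructed "now" so the example is deterministic.
SAMPLE_NOW = datetime(2025, 12, 10, 12, 0, tzinfo=timezone.utc)

# Constructed package.json-style dependency map mixing registry and exotic sources.
SAMPLE_DEPENDENCIES = {
    "lodash": "^4.17.21",
    "left-pad": "github:acme/left-pad",
    "fast-thing": "https://cdn.example.invalid/fast-thing-1.0.0.tgz",
    "alias": "npm:@acme/real-name@^2.0.0",
    "legacy": "acme/legacy#v1",
}


def parse_registry_time(value: str) -> datetime:
    """npm registry timestamps are ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def installable_versions(time_map: dict, now: datetime,
                         min_age: timedelta = MIN_RELEASE_AGE) -> list:
    """Versions published at least `min_age` before `now`; newer ones are held back."""
    allowed = []
    for version, published in time_map.items():
        if version in ("created", "modified"):
            continue
        if now - parse_registry_time(published) >= min_age:
            allowed.append(version)
    return allowed


def is_registry_source(specifier: str) -> bool:
    """True for semver ranges, dist-tags and npm: aliases; False for git/tarball/file sources."""
    spec = specifier.strip().lower()
    if spec.startswith("npm:"):
        return True
    blocked_prefixes = ("git+", "git://", "github:", "gitlab:", "bitbucket:",
                        "http://", "https://", "file:", "link:")
    if spec.startswith(blocked_prefixes) or spec.endswith((".tgz", ".tar.gz")):
        return False
    # Bare "owner/repo[#ref]" is the GitHub shorthand, not a registry version.
    if "/" in spec:
        return False
    return True


def audit_dependencies(deps: dict) -> list:
    """Names of dependencies that would be blocked because they do not come from the registry."""
    return [name for name, spec in deps.items() if not is_registry_source(spec)]


if __name__ == "__main__":
    print("installable:", installable_versions(SAMPLE_TIME_MAP, SAMPLE_NOW))
    print("blocked:", audit_dependencies(SAMPLE_DEPENDENCIES))
```

With the sample data, only 1.4.2 clears the 24-hour bar (1.4.3 is 21 hours old and 1.5.0 under three), and three of the five dependencies are flagged because they resolve from GitHub or a tarball URL rather than the registry. The age check alone does not prove a version is safe; it only gives scanners and maintainers a day to notice a malicious publish before automated installs pick it up.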
Proton Mail added optional post-quantum encryption support for new encrypted emails, though the feature does not retroactively re-encrypt existing messages. Meta announced AI-powered age verification tools for Facebook and Instagram that analyze profiles for contextual clues and scan photos and videos for physical indicators to identify users under 13. The company emphasized that the approach does not employ facial recognition.
A South Korean court upheld a one-year prison sentence for Oh Dae-hyun, who paid over $16,300 to a North Korean cyber actor between October 2014 and March 2015 to bypass Lineage game security and conduct DDoS attacks on rival gaming servers. Court documents identified the North Korean national as head of a development team at a trading company under the Workers' Party of Korea, believed to be involved in creation and sale of DDoS and cyberterrorism tools.
Analysis of VECT 2.0 ransomware revealed critical encryption flaws. The full encryptor contains an insufficient memory allocation flaw restricting successful encryption to files 32 KB or smaller. The intermittent mode discards nonces for all encrypted segments except the final one, retaining only the last 12-byte nonce in the file footer—rendering the decryption algorithm inoperable for all but the final block.
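The nonce problem above is easy to see in code. The following is an added example constructed for this roundup, not VECT code: it encrypts a file in segments, each under its own 12-byte nonce, then counts how many segments a decryptor can restore when every nonce is stored versus when only the last one survives in the footer. An HMAC-SHA256 keystream stands in for the real cipher so the script runs on the standard library alone; the key, plaintext and nonce derivation are constructed for repeatability.

```python
"""Added example (constructed, not VECT code): why an intermittent encryptor
that writes only the final segment's nonce to the file footer leaves every
other segment unrecoverable even with the key in hand. An HMAC-SHA256
keystream stands in for the real cipher so this runs on the standard library."""
import hashlib
import hmac

SEGMENT_SIZE = 16   # toy segment length
NONCE_SIZE = 12     # 12-byte nonce, as in the reported VECT 2.0 footer


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream derived from (key, nonce, block counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def segment_nonce(index: int) -> bytes:
    """Distinct per-segment nonce; derived deterministically here so the example is repeatable."""
    return hashlib.sha256(b"segment-nonce-" + index.to_bytes(4, "big")).digest()[:NONCE_SIZE]


def encrypt_intermittent(key: bytes, plaintext: bytes):
    """Encrypt each segment under its own nonce; returns (ciphertext segments, nonces)."""
    segments, nonces = [], []
    for i, offset in enumerate(range(0, len(plaintext), SEGMENT_SIZE)):
        chunk = plaintext[offset:offset + SEGMENT_SIZE]
        nonce = segment_nonce(i)
        segments.append(xor_bytes(chunk, keystream(key, nonce, len(chunk))))
        nonces.append(nonce)
    return segments, nonces


def count_recoverable(key: bytes, plaintext: bytes, available_nonces: list) -> int:
    """Segments a decryptor can restore when it holds the key and only `available_nonces`.
    The decryptor tries every nonce it has against each segment (best case for recovery)."""
    segments, _ = encrypt_intermittent(key, plaintext)
    recovered = 0
    for i, ct in enumerate(segments):
        original = plaintext[i * SEGMENT_SIZE:(i + 1) * SEGMENT_SIZE]
        if any(xor_bytes(ct, keystream(key, n, len(ct))) == original for n in available_nonces):
            recovered += 1
    return recovered


def compare_footer_designs(key: bytes, plaintext: bytes) -> dict:
    """Recovery when every nonce is stored vs. only the last one (the reported VECT 2.0 footer)."""
    _, nonces = encrypt_intermittent(key, plaintext)
    return {
        "segments": len(nonces),
        "all_nonces_stored": count_recoverable(key, plaintext, nonces),
        "last_nonce_only": count_recoverable(key, plaintext, nonces[-1:]),
    }


# Constructed key and five distinct 16-byte segments of plaintext.
SAMPLE_KEY = hashlib.sha256(b"constructed demo key").digest()
SAMPLE_PLAINTEXT = b"".join(b"seg%02d:" % i + b"x" * 10 for i in range(5))

if __name__ == "__main__":
    print(compare_footer_designs(SAMPLE_KEY, SAMPLE_PLAINTEXT))
```

For an incident responder the takeaway is practical: before investing in a decryptor for such a sample, check whether the file format actually retains a nonce per segment. If the footer carries a single 12-byte value, possession of the key restores only the final segment, and the rest of the file is gone regardless of what the attacker hands over.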
Why it matters
For developers, these incidents illustrate layered attack surfaces: MicroStealer's multi-stage delivery suggests supply chain and endpoint threats require defense-in-depth. The pnpm 11 release demonstrates a practical mitigation—friction delays can reduce automated exploitation. Post-quantum encryption in Proton Mail signals preparation for future cryptographic threats, though security teams should plan for legacy email exposure.
For system administrators and SOC analysts, the Eclipse BaSyx and MOVEit findings demand immediate attention. Industrial networks historically relied on air-gapping and obscurity; these vulnerabilities show that external attackers can now pivot from IT to OT through a single compromised asset. The MOVEit exposure count—under 100 globally—suggests many instances remain hidden or unindexed, complicating asset inventory.
The Kochava settlement establishes regulatory precedent: data brokers cannot claim passive collection absolves consent obligations. Organizations handling user location or behavioral data face similar FTC scrutiny.
VECT 2.0's encryption failures show that ransomware development is not immune to quality-control gaps. Defenders may find some victim data partially or wholly unrecoverable even after payment, which undermines attacker credibility and weakens their leverage in ransom negotiations.
Affected systems and CVEs
- Eclipse BaSyx V2: CVE-2026-7411 (CVSS 10.0 — path traversal, arbitrary file write, code execution), CVE-2026-7412 (CVSS 8.6 — blind SSRF)
- MOVEit Automation: CVE-2026-4670 (CVSS 9.8 — authentication bypass)
- MicroStealer: No CVE assigned at the time of publication.
- VECT 2.0 ransomware: No CVE assigned at the time of publication.
What to do
- Update Eclipse BaSyx to version 2.0.0-milestone-10 to patch CVE-2026-7411 and CVE-2026-7412.
- Apply available patches for MOVEit Automation to address CVE-2026-4670; audit exposed instances and restrict web admin interface access to trusted networks.
- Upgrade to pnpm 11 to enable the 24-hour minimum release age and dependency source validation.
- Enable optional post-quantum encryption in Proton Mail for new encrypted messages; plan for retroactive re-encryption of existing mailbox contents if functionality becomes available.
- Implement network segmentation and strict access controls isolating PLCs and industrial sensors from networked Digital Twin servers.
- Audit browser and application memory management to identify plaintext password retention.
- Monitor for MicroStealer indicators of compromise, particularly Discord webhook domains and multi-stage delivery patterns in education and telecom sectors.
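The Discord webhook channel in the last item is one of the few MicroStealer indicators the reporting does name, and it is visible in ordinary web-proxy logs. The following is an added example written for this roundup, not code from the bulletin or any vendor: it parses constructed proxy log lines, flags POST requests to the public Discord webhook endpoint, redacts the webhook token before the finding is stored, skips malformed lines, and totals outbound bytes per internal host so the noisiest source is triaged first. The log lines, hosts and tokens are all constructed sample data.

```python
"""Added example (not from the bulletin or any vendor): flag outbound Discord
webhook posts in web-proxy logs, the exfiltration channel reported for MicroStealer."""
import re
from collections import Counter

# Pattern for the public Discord webhook endpoint: /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)

# Constructed proxy log lines: timestamp src_ip method url bytes_out.
SAMPLE_PROXY_LOG = """\
2025-12-12T08:01:12Z 10.20.4.17 POST https://discord.com/api/webhooks/1234567890/AbCdEf_token-xyz 48213
2025-12-12T08:01:15Z 10.20.4.17 GET https://portal.example-university.invalid/login 1203
2025-12-12T08:02:40Z 10.20.9.3 POST https://discordapp.com/api/webhooks/999000/secondtoken 6120
2025-12-12T08:03:01Z 10.20.4.17 GET https://discord.com/channels/@me 880
malformed line that should be skipped
"""


def parse_line(line: str):
    """Return (ts, src, method, url, bytes_out) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src, method, url, size = parts
    return ts, src, method.upper(), url, int(size)


def redact_webhook(url: str) -> str:
    """Keep the webhook id (useful for correlation) but drop the secret token."""
    return WEBHOOK_RE.sub(lambda m: m.group(0).replace(m.group(2), "<redacted>"), url)


def find_webhook_exfil(log_text: str) -> list:
    """Every POST to a Discord webhook, with the token redacted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, method, url, size = rec
        if method == "POST" and WEBHOOK_RE.search(url):
            findings.append({"ts": ts, "src": src, "url": redact_webhook(url), "bytes_out": size})
    return findings


def bytes_per_source(findings: list) -> dict:
    """Aggregate outbound volume per internal host to prioritise triage."""
    totals = Counter()
    for f in findings:
        totals[f["src"]] += f["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_webhook_exfil(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit)
    print(bytes_per_source(hits))
```

Ordinary browsing of discord.com (the GET to /channels above) is deliberately not flagged; only POSTs to the webhook path are, since that is the one-way channel a stealer uses to push data out. Redacting the token matters because a finding that carries it would let anyone reading the ticket post to the same webhook. In environments where Discord has no business use, the same pattern can drive a proxy block rather than an alert.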
Open questions
- No specific patch release dates provided for Eclipse BaSyx, MOVEit, or other vulnerabilities.
- The identity of the North Korean cyber actor remains undisclosed; attribution to specific state or criminal organizations unclear.
- Threat actors and distribution channels behind MicroStealer not named in available reporting.
- The technical means by which MicroStealer achieves low detection rates are not detailed.
- No public confirmation whether VECT 2.0's encryption flaws have been discovered or exploited by defenders or attackers.
- Timeline and adoption scope for pnpm 11 deployment across JavaScript ecosystems remain unclear.
- Meta's AI age verification cannot be opted out of; no documented bypass or appeal process disclosed.
Source
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories