Weekly Threat Awareness ReportThree Exploited Microsoft Flaws · GentleKiller RaaS · WhatsApp RMM Abuse
Active exploitation is the theme this week: all three CVEs below - an Exchange Server SSRF privilege escalation, an Excel remote-code-execution flaw, and a Microsoft Defender security bypass - are already being used in real-world attacks. On the campaign side, the Gentlemen ransomware crew's GentleKiller EDR-killer framework and a WhatsApp-borne VBScript campaign that silently installs remote-management software round out the briefing.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
Top Mentioned CVEs
Most frequently referenced vulnerabilities across this week's intelligence corpus.
CVE-2025-55182CVE-2025-8088CVE-2025-53770CVE-2026-31431CVE-2025-53771CVE-2026-21509CVE-2025-59718CVE-2025-59287CVE-2025-66478CVE-2025-59719CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments. All three are under active exploitation.
CVE-2026-45504 New this week Actively exploitedMicrosoft Exchange Server - SSRF Privilege Escalation
Server-Side Request Forgery (SSRF) · Requires authorized user · Seen in the wild
A critical flaw in Microsoft Exchange Server lets an authorized attacker escalate privileges over the network. Classified as a server-side request forgery, the server can be tricked into making requests to internal or external resources on the attacker's behalf, often bypassing security controls. Successful exploitation raises an attacker's access within the network, putting email infrastructure and connected systems at risk of unauthorized data access, system manipulation, and potential full compromise. This vulnerability is already under active exploitation; no specific exploit code or APT group has been publicly linked yet, but the confirmed in-the-wild status means attackers are leveraging it now.
Recommended Actions
- Apply the latest Exchange Server security update immediately across all on-prem servers
- Hunt for SSRF indicators: unexpected outbound requests originating from Exchange server processes
- Restrict and monitor Exchange server egress to only required destinations
- Prioritize migration off end-of-life on-prem Exchange where feasible
CVE-2025-60727 New this week Actively exploitedMicrosoft Office Excel - Out-of-Bounds Read Remote Code Execution
Out-of-Bounds Read (CWE-125) · Local file / user execution · In the wild
A high-severity flaw in Microsoft Office Excel allows attackers to execute malicious code without authorization. The root cause is an out-of-bounds read: Excel can be tricked into reading data from a memory location it should not access, which an attacker leverages to inject and run their own code. Successful exploitation can hand an attacker complete control of the machine, enabling data theft, ransomware, or use of the system to attack others. It is being actively exploited in real-world attacks. Because this triggers through a crafted document, user-execution defenses and attachment handling matter as much as patching.
Recommended Actions
- Apply the latest Microsoft Office / Excel security updates across all endpoints
- Enforce Protected View and block macros from the internet via policy
- Filter and sandbox inbound spreadsheet attachments at the email gateway
- Alert on Office applications spawning script interpreters or unusual child processes
CVE-2024-20671 New this week Actively exploitedMicrosoft Defender - Security Feature Bypass
Incorrect Default Permissions (CWE-276) · Public PoC available · Actively exploited
A vulnerability in Microsoft Defender lets attackers bypass its protective measures. The root cause is incorrect default permissions, a misconfiguration in Defender's default settings that grants more access than intended and opens a pathway around its detection and prevention mechanisms. Exploited, it lets attackers execute malicious code, install malware, or gain unauthorized access without being flagged - effectively disarming a core layer of defense. Despite the moderate CVSS score, the risk is elevated: it is being actively used to compromise systems, and a public proof-of-concept exploit confirms its viability.
Recommended Actions
- Ensure Microsoft Defender platform, engine, and signatures are on the latest versions fleet-wide
- Verify Defender is running in a supported, correctly-permissioned configuration (no tampered defaults)
- Add layered detection (EDR/SIEM) so a single Defender bypass does not blind you
- Alert on tampering with Defender services, exclusions, or registry keys
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
GentleKiller EDR-Killer Framework
The Gentlemen is a ransomware-as-a-service operation (tracked by Microsoft as Storm-2697) that centrally develops and maintains an EDR-killer suite for its affiliates, built around an in-house framework named GentleKiller with at least eight BYOVD variants plus the integrated third-party killers HexKiller, ThrottleBlood, and HavocKiller. The group uses double extortion, selects victims primarily by FortiGate misconfiguration, and recently claimed the attack on Australia's Mackay Sugar.
Unlike most top-tier RaaS gangs, the Gentlemen operators do not delegate EDR evasion to individual affiliates. Instead they maintain a portfolio of EDR killers and apply a single, consistent defense-evasion layer to every tool: commercial packing with Enigma or Themida, fabricated version information, invalid digital signatures copied from legitimate executables, and matching vendor icons.
Recommended Actions
- Enable tamper protection and BYOVD blocklists (Microsoft vulnerable-driver blocklist) on all endpoints
- Harden and monitor FortiGate configurations - this crew selects victims by FortiGate exposure
- Alert on unsigned/invalidly-signed drivers loading and on EDR service tampering
- Maintain offline, tested backups given the double-extortion model
Threat Actor Profile
Group: The Gentlemen (Storm-2697)
Model: RaaS, double extortion
Toolkit: GentleKiller + 8 BYOVD variants
Also uses: HexKiller, ThrottleBlood, HavocKiller
Targeting: FortiGate misconfiguration
WhatsApp VBScript to ManageEngine RMM Campaign
An unattributed, access-motivated actor is abusing compromised WhatsApp accounts to send that account's contacts heavily obfuscated VBScript files disguised as business and financial documents. When opened, the VBScript runs a multi-stage chain that tampers with Windows User Account Control and silently installs a preconfigured ManageEngine Endpoint Central (RMM) agent, granting the attacker remote access to the victim's machine.
It is a broad, opportunistic campaign that weaponizes trust in WhatsApp: the actor takes over accounts, then pushes malicious VBScript attachments to each account's contacts, with messages carrying only the attachment and no text. File names imitate invoices, account statements, debt notices, and payment records, and several are localized into Portuguese, French, German, and Malay to fit the campaign's global spread.
Recommended Actions
- Block or restrict .vbs / .vbe execution via policy; set the default handler for script files to Notepad
- Alert on unexpected RMM installs - especially ManageEngine Endpoint Central agents not deployed by IT
- Baseline approved RMM tooling and treat any other RMM agent as an indicator of compromise
- Warn staff that unsolicited WhatsApp attachments (even from known contacts) may be account takeovers
Protect your environment
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.