Issue 45: HubPhish Targets Thousands, Fortinet Exploits Exposed and DarkGate Malware Surges

Top stories 20 December 2025

  1. Critical Fortinet Flaws: Immediate Attention Required
  2. HubSpot Exploited By HubPhish: 20,000 Users Targeted
  3. DarkGate Malware Deployed Through Microsoft Teams and AnyDesk


Welcome back to Critical Chatter, your weekly round-up of current cybersecurity threats, vulnerabilities and active exploits, curated by your humble SOC team.



Critical Fortinet Flaws: Immediate Attention Required

Fortinet has flagged severe vulnerabilities in its Wireless LAN Manager (FortiWLM) and FortiManager products, urging users to apply critical updates to avoid potential exploits that could compromise system security.


A critical path traversal vulnerability, tracked as CVE-2023-34990 (CVSS 9.6), allows attackers to retrieve sensitive files, including static session IDs. Exploiting this flaw, attackers can hijack administrative sessions or execute unauthorised code by crafting malicious web requests targeting the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint.


Affected versions include:

  • FortiWLM 8.6.0 to 8.6.5 (patched in 8.6.6 or later).
  • FortiWLM 8.5.0 to 8.5.4 (patched in 8.5.5 or later).

When combined with CVE-2023-48782 (CVSS 8.8), an authenticated command injection flaw, attackers can achieve remote root-level code execution, making these updates crucial for system integrity.


FortiManager systems are vulnerable to CVE-2024-48889 (CVSS 7.2), an OS command injection flaw exploitable via crafted requests. Affected versions span multiple releases:

  • 6.4.10 to 6.4.14 (patched in 6.4.15 or later).
  • 7.0.5 to 7.0.12 (patched in 7.0.13 or later).


Older FortiManager models, like the 1000E and 3000E series, may also be at risk if the “fmg-status” feature is enabled.
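A quick way to triage an asset inventory against the version ranges quoted above. This is an added example, not Fortinet's own tooling: the ranges and fixed releases are taken from the text of this issue, the inventory is constructed, and the check does not cover the "fmg-status" condition for older FortiManager hardware.

```python
"""Check Fortinet builds against the affected version ranges listed in this issue."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (CVE, first affected, last affected, first fixed), inclusive, as stated in this issue.
AFFECTED: Dict[str, List[Tuple[str, str, str, str]]] = {
    "FortiWLM": [
        ("CVE-2023-34990", "8.6.0", "8.6.5", "8.6.6"),
        ("CVE-2023-34990", "8.5.0", "8.5.4", "8.5.5"),
    ],
    "FortiManager": [
        ("CVE-2024-48889", "6.4.10", "6.4.14", "6.4.15"),
        ("CVE-2024-48889", "7.0.5", "7.0.12", "7.0.13"),
    ],
}


def parse_version(text: str) -> Version:
    """'v7.0.12-build0123' -> (7, 0, 12); build suffixes are ignored for the range check."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def check_build(product: str, version: str) -> List[dict]:
    """One finding per affected range containing `version`; an empty list means no listed range matched."""
    v = parse_version(version)
    findings = []
    for cve, low, high, fixed in AFFECTED.get(product, []):
        if parse_version(low) <= v <= parse_version(high):
            findings.append({"cve": cve, "version": version, "fixed_in": fixed})
    return findings


def triage(inventory) -> Dict[str, List[dict]]:
    """Map hostname -> findings for every (hostname, product, version) that is in an affected range."""
    return {host: f for host, product, ver in inventory if (f := check_build(product, ver))}


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("wlm-01", "FortiWLM", "8.6.3"),
    ("wlm-02", "FortiWLM", "8.6.6"),
    ("fmg-01", "FortiManager", "v7.0.12-build0123"),
    ("fmg-02", "FortiManager", "7.2.1"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{host}: {f['version']} affected by {f['cve']}, upgrade to {f['fixed_in']} or later")
```

Hosts that fall outside every listed range are not necessarily safe; the output only tells you which builds this issue says are affected and which release closes the gap.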


As with any actively exploitable vulnerability, immediate patching is strongly advised to protect your environment.


TLDR; Fortinet has identified critical vulnerabilities in its FortiWLM and FortiManager products, including flaws that allow attackers to steal sensitive files, hijack admin sessions, or execute unauthorised code. Users should apply the latest patches to protect against potential exploits.



HubSpot Exploited By HubPhish: 20,000 Users Targeted

Researchers at Palo Alto Networks Unit 42 have identified a phishing operation named HubPhish, targeting over 20,000 European users across industries such as automotive, chemical, and industrial manufacturing. The campaign aims to steal credentials, with attackers using HubSpot’s Free Form Builder tool to craft convincing phishing pages.


HubPhish relies on DocuSign-themed phishing emails to redirect victims to fake HubSpot forms. These forms, masquerading as legitimate, eventually lead victims to counterfeit Office 365 login pages designed to harvest credentials. HubSpot's infrastructure remains uncompromised, but the attackers have used legitimate Free Form Builder links to gain trust.


HubSpot Free Form Builder


Active forms redirect victims to domains, often on the ".buzz" TLD, while attackers use Bulletproof VPS hosting for their operations. After gaining access to Azure tenants, attackers establish persistence by adding new devices to the compromised environment.


HubPhish is part of growing phishing trends, including the misuse of trusted platforms like Google Calendar, where attackers embed malicious links in invites or create deceptive emails designed to avoid detection.


Our CEO, Matt Lovell, said...

Targeted attacks using legitimate web services like DocuSign, email platforms, and calendaring tools have become increasingly sophisticated. Attackers now rely on impersonation and bridgehead techniques to deceive end users, stealing credentials without immediate malware deployment.


TLDR; HubPhish is a new phishing campaign targeting over 20,000 European users by using DocuSign-themed emails and legitimate tools like HubSpot forms to steal credentials through fake Office 365 login pages.



DarkGate Malware Deployed Through Microsoft Teams and AnyDesk

A new campaign utilises Microsoft Teams and AnyDesk to deliver the DarkGate malware. Researchers at Trend Micro reveal that threat actors use social engineering to manipulate victims into downloading remote access tools that facilitate malware deployment.


How does the attack unfold? The operation begins with email bombing to overwhelm victims, followed by impersonation via Microsoft Teams calls. Posing as representatives from external suppliers, attackers persuade victims to install AnyDesk, a legitimate remote access tool.


Through AnyDesk, they deploy payloads such as credential stealers and the DarkGate malware.


Initially observed in 2018, DarkGate has grown into a full-fledged Malware-as-a-Service (MaaS) offering, boasting features like keylogging, screen capture, credential theft, and remote desktop control. Delivered in this campaign via AutoIt scripts, the malware shows how cybercriminals can utilise legitimate tools for malicious purposes.


To mitigate these threats, we advise:

  • Enable multi-factor authentication to add an extra layer of security.
  • Allow-list remote access tools so that only approved applications can run.
  • Block unverified apps to limit malware entry points.
  • Vet third-party providers to reduce risks from external support teams.
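A small detection that puts the "allow-list remote access tools" advice into practice: it scans process-creation events for remote access tool launches on hosts where the tool is not approved, and for processes spawned by such a tool (this campaign's AutoIt payloads would appear that way). This is an added example, not Trend Micro's or any vendor's code; the pipe-delimited log format, hostnames and allow list are constructed for the demonstration.

```python
"""Flag remote access tool activity that is not on a per-host allow list."""
from typing import Dict, List, Set

# Constructed process-creation events: timestamp|host|user|image path|parent image path
SAMPLE_LOG = r"""
2025-12-18T09:12:03Z|WS-0142|j.doe|C:\Users\j.doe\Downloads\AnyDesk.exe|C:\Program Files\Microsoft\Edge\Application\msedge.exe
2025-12-18T09:12:10Z|WS-0142|j.doe|C:\Users\j.doe\AppData\Local\Temp\AutoIt3.exe|C:\Users\j.doe\Downloads\AnyDesk.exe
2025-12-18T09:30:44Z|SRV-IT01|helpdesk|C:\Program Files\AnyDesk\AnyDesk.exe|C:\Windows\explorer.exe
2025-12-18T10:01:12Z|WS-0077|a.smith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe
"""

REMOTE_TOOLS: Set[str] = {"anydesk.exe"}  # extend with the remote access tools seen in your estate
# Constructed allow list: only the IT jump host is approved to run AnyDesk.
ALLOW_LIST: Dict[str, Set[str]] = {"SRV-IT01": {"anydesk.exe"}}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> dict:
    """Split one pipe-delimited event into its fields, normalising image names."""
    ts, host, user, image, parent = line.split("|")
    return {"ts": ts, "host": host, "user": user, "image": basename(image), "parent": basename(parent)}


def find_unapproved(log: str) -> List[dict]:
    """Return every event that launches, or is spawned by, an unapproved remote access tool."""
    findings = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        allowed = ALLOW_LIST.get(ev["host"], set())
        if ev["image"] in REMOTE_TOOLS and ev["image"] not in allowed:
            findings.append({**ev, "reason": "remote access tool not on allow list"})
        elif ev["parent"] in REMOTE_TOOLS and ev["parent"] not in allowed:
            findings.append({**ev, "reason": "process spawned by unapproved remote access tool"})
    return findings


if __name__ == "__main__":
    for f in find_unapproved(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['image']} ({f['reason']})")
```

In production the same logic applies to Sysmon event ID 1 or EDR process telemetry; the point is that a launch on an unapproved host is the alert, regardless of how legitimate the tool itself is.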


TLDR; A new campaign uses Microsoft Teams and AnyDesk to spread DarkGate malware, with attackers impersonating external suppliers to trick victims into installing remote access tools, enabling credential theft, keylogging and other malicious activities.


We're sharing this with you first!


Episode #1 Cybersecurity Automation: The good, the bad and the inevitable

Join Sean Tickle of Littlefish and Yakub Desai, Automation Leader at CloudGuard, as they dive into all things automation. Listen here.


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (Senior SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup!

