
02.06.25 Threat Report

Written by Craig Pepper | Jun 2, 2025 8:41:18 AM

In this week’s threat report, we explore deceptive AI installer campaigns delivering ransomware and destructive malware, an over-broad OAuth permission flaw in Microsoft’s OneDrive File Picker, a high-severity flaw in Santesoft’s Sante DICOM Viewer Pro, and a cyberattack on two major NHS trusts through an exploited vulnerability in Ivanti Endpoint Manager Mobile.


1. Weaponised AI Installers Spread Ransomware and Destructive Malware

Cybercriminals are exploiting demand for artificial intelligence software by disguising ransomware and destructive malware as installers for legitimate AI tools. The lures are promoted through SEO manipulation, look-alike websites that impersonate real AI vendors, and social platforms such as Telegram.

Threat Details:

  • Fake installers such as “NovaLeadsAI.exe” are loaders that unpack and run an embedded PowerShell-based ransomware payload.

  • Notable families include the CyberLock ransomware, Lucky_Gh0$t (a Yashma ransomware variant), and Numero, a destructive malware rather than ransomware.

  • CyberLock encrypts files across multiple drives and then runs the built-in Windows cipher.exe with the /w switch to overwrite free space, destroying deleted-file remnants that forensic carving would otherwise recover.

  • Industries affected include B2B sales, technology, and marketing—sectors with high AI adoption.

Recommendations:

  • Download AI tools only from trusted, official vendor sources.

  • Implement endpoint detection and response (EDR) and alert on script hosts (powershell.exe, wscript.exe) spawning encryption or anti-forensic tooling such as cipher.exe.

  • Block suspicious domains and the app-sharing channels commonly used for malware distribution.

  • Provide staff training to recognise and avoid deceptive software downloads.
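The cipher.exe anti-forensic step is one of the few concrete artefacts in this campaign that endpoint telemetry can key on. The block below is an added example, not code from this report or from the research it summarises: it runs a detection over constructed, Sysmon-style process-creation events (the field names, host names and command lines are assumptions) and rates a cipher /w: free-space wipe higher when a script host such as powershell.exe is the parent, because administrators run the same command legitimately from a console.

```python
"""Flag cipher.exe free-space wipes (cipher /w:) spawned by a script host.

Added example, not code from the threat report or the underlying research.
The events are constructed to resemble Sysmon Event ID 1 (process creation)
fields; the field names are an assumption about your EDR's schema.
"""
import re
from dataclasses import dataclass

# Script hosts that a PowerShell-based ransomware like CyberLock runs under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# cipher.exe /w:<dir> overwrites deallocated space on that volume, which
# destroys the deleted-file remnants that forensic carving relies on.
WIPE_FLAG = re.compile(r"(?:^|\s)/w:", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    image: str           # full path of the created process
    command_line: str
    parent_image: str    # full path of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> int:
    """Return 0 (ignore), 1 (suspicious) or 2 (high) for one process event."""
    if basename(ev.image) != "cipher.exe":
        return 0
    if not WIPE_FLAG.search(ev.command_line):
        return 0
    # cipher /w: is a documented admin tool; a script-host parent is what
    # separates ransomware clean-up from an operator at a console.
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        return 2
    return 1


def find_wipe_events(events):
    """Return (score, event) pairs for every cipher.exe wipe, highest score first."""
    hits = [(score_event(ev), ev) for ev in events]
    return sorted([(s, ev) for s, ev in hits if s > 0], key=lambda t: -t[0])


# Constructed sample telemetry: two ransomware-style wipes from a PowerShell
# parent, one admin wipe from cmd.exe, one unrelated cipher.exe use, one Notepad.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CIPHER = r"C:\Windows\System32\cipher.exe"
SAMPLE_EVENTS = [
    ProcessEvent("ws-sales-07", CIPHER, r"cipher.exe /w:C:", PS_PATH),
    ProcessEvent("ws-sales-07", CIPHER, r"cipher.exe /w:D:", PS_PATH),
    ProcessEvent("it-admin-01", CIPHER, r"cipher /W:C:\Users\old", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws-sales-07", CIPHER, r"cipher.exe /e C:\Finance", r"C:\Windows\explorer.exe"),
    ProcessEvent("ws-sales-07", r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for score, ev in find_wipe_events(SAMPLE_EVENTS):
        label = "HIGH" if score == 2 else "SUSPICIOUS"
        print(f"{label:10} {ev.host:12} parent={basename(ev.parent_image)} cmd={ev.command_line}")
```

In a real deployment the same logic maps directly onto a SIEM or EDR rule: match Image ending in cipher.exe with a command line containing /w:, and raise severity when ParentImage is a script host. Treat a high-scoring hit as a ransomware-in-progress signal and isolate the host before the encryption pass completes.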


2. Microsoft OneDrive File Picker Vulnerability

A flaw in how Microsoft’s OneDrive File Picker requests OAuth permissions gives third-party applications read, and in many cases write, access to a user’s entire OneDrive, not just the files the user selects to share. Researchers found the pattern in popular integrations including Slack, ChatGPT, ClickUp, and Trello.

Key Risks:

  • The File Picker requests excessive OAuth scopes (Files.Read.All or Files.ReadWrite.All); Microsoft Graph offers no scope limited to the files a user picks, so the app holds whole-drive access for as long as the token is valid.

  • Older File Picker versions store the access token in plaintext in the browser’s localStorage, where any script running on that origin, including injected XSS, can read it.

  • Where the integration also obtains a refresh token (offline_access), access persists beyond the picker session and until the consent grant is revoked.

Recommendations:

  • Review and revoke unnecessary app access: in Microsoft account settings for personal accounts, or in the Entra ID enterprise applications permissions view for work accounts.

  • Apply conditional access policies to limit high-risk third-party integrations.

  • Developers should avoid storing authentication tokens in plaintext and refrain from requesting unnecessary scopes.

  • Monitor Graph API and CASB logs for suspicious activity.
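The revoke-and-review recommendation is easier to act on with a list of which consents actually carry whole-drive scopes. The block below is an added example, not code from the report, from the researchers, or from Microsoft: it audits constructed grant records shaped like the oauth2PermissionGrants objects Microsoft Graph returns (clientId, consentType, principalId, resourceId and a space-separated scope string), flags the broad file scopes named above, and raises the risk when the grant also carries offline_access (a refresh token) or tenant-wide admin consent. The service principal IDs and grant IDs are placeholders.

```python
"""Flag OneDrive/Graph consent grants whose scopes exceed a file picker's needs.

Added example, not code from the threat report, the researchers or Microsoft.
SAMPLE_GRANTS_JSON is constructed to resemble a Microsoft Graph
oauth2PermissionGrants response; the IDs in it are placeholders.
"""
import json

# Scopes that hand an app the whole drive rather than the files picked.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All"}
# offline_access turns a short-lived access token into a long-lived refresh token.
REFRESH_SCOPE = "offline_access"

# Constructed sample: three delegated grants in Graph response shape.
SAMPLE_GRANTS_JSON = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-aaaa", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Files.ReadWrite.All offline_access User.Read"},
    {"id": "g2", "clientId": "sp-bbbb", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Files.Read User.Read"},
    {"id": "g3", "clientId": "sp-cccc", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Files.Read.All"},
]})


def parse_grants(raw_json: str) -> list:
    """Return the list of grant objects from a Graph-style JSON response."""
    return json.loads(raw_json)["value"]


def assess_grant(grant: dict) -> dict:
    """Score one grant: broad file scope is the core issue, persistence and
    tenant-wide consent each widen the blast radius."""
    scopes = set(grant.get("scope", "").split())
    broad = sorted(scopes & BROAD_FILE_SCOPES)
    persistent = REFRESH_SCOPE in scopes
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    risk = 0
    if broad:
        risk = 2 + (1 if persistent else 0) + (1 if tenant_wide else 0)
    return {"id": grant["id"], "clientId": grant["clientId"], "broad_scopes": broad,
            "refresh_token": persistent, "tenant_wide": tenant_wide, "risk": risk}


def audit(raw_json: str) -> list:
    """Return assessments for grants carrying a broad file scope, riskiest first."""
    findings = [assess_grant(g) for g in parse_grants(raw_json)]
    return sorted((f for f in findings if f["broad_scopes"]), key=lambda f: -f["risk"])


if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS_JSON):
        print(f"risk={f['risk']} grant={f['id']} client={f['clientId']} "
              f"scopes={','.join(f['broad_scopes'])} refresh={f['refresh_token']} "
              f"tenant_wide={f['tenant_wide']}")
```

Against a live tenant, the input would come from GET /v1.0/oauth2PermissionGrants on Microsoft Graph (which needs a directory-read permission), and a flagged grant is removed with DELETE /v1.0/oauth2PermissionGrants/{id}. Revoking the grant invalidates the refresh token; an already-issued access token remains usable until it expires, so pair revocation with a review of Graph activity for that client in the preceding hour.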


3. Sante DICOM Viewer Pro Vulnerability (CVE-2025-5307)

Overview:
A high-severity out-of-bounds read vulnerability in Santesoft’s Sante DICOM Viewer Pro may allow an attacker to execute arbitrary code or read sensitive memory when a user opens a crafted DICOM file. The issue, tracked as CVE-2025-5307, has a CVSS v4 base score of 8.4 and affects version 14.2.1 and earlier.

Details:

  • Exploitation requires user interaction (opening a malicious file) but no elevated privileges, and the attack vector is local.

  • Because the viewer handles patient imaging, a compromised workstation is a foothold into the clinical environment where it is deployed.

Recommendations:

  • Upgrade to version 14.2.2 or later.

  • Segment medical imaging systems from external networks.

  • Use secure VPNs for any required remote access and review firewall configurations.

  • Refer to the CISA advisory ICSMA-25-148-01 for detailed mitigation steps.


4. NHS Cyberattack via Ivanti Endpoint Manager Mobile

University College London Hospitals and University Hospital Southampton experienced a cyberattack through a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile device management tool. No patient data was reported as accessed, but staff mobile numbers and device IMEI identifiers were exposed.

Attack Summary:

  • Attackers exploited a vulnerability chain in EPMM, an authentication bypass (CVE-2025-4427) combined with a code-injection flaw (CVE-2025-4428), to achieve unauthenticated remote code execution on the appliance.

  • Ivanti has released patches, but a system that was exploited before patching may still hold attacker access; patching alone does not evict an intruder already on the appliance.

  • The attack origin was linked to infrastructure in China.

Recommendations:

  • Apply the latest Ivanti EPMM security patches and verify the running version on every appliance, including any standby or test instances.

  • Treat EPMM as a device-management platform with reach into every enrolled handset: review its logs and credentials for signs of compromise and hunt for lateral movement from it.

  • Limit system permissions and segment device management tools from clinical networks.

  • Monitor network traffic for anomalies and reinforce incident response readiness.

