Hackers hijacked antivirus features to install malware – here’s what we know

CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control
UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunneling for remote access
Patch released July 26; newer Triofox version available October 14 for mitigation

Popular remote file sharing and collaboration platform Triofox carried a critical vulnerability that was exploited as a zero-day used to deploy a remote access tool which granted the attackers lateral movement capabilities.

Security researchers from Google’s Mandiant and its Threat Intelligence Group (GTIG) flagged that Triofox comes with a built-in antivirus feature, which carried an “improper access control” flaw that allowed access to initial setup pages even after setup is complete.

The flaw, tracked as CVE-2025-12480 and given a severity score of 9.1/10 (critical), was most likely introduced in early April 2025, was fixed in late July. However, the attacks were spotted almost a month later, which suggests that the victim organization did not apply the fix on time.

Who is UNC6485?

The researchers identified the attackers as UNC6485, an attack cluster that hasn’t been reported on in the past.

However, since Google’s Threat Intelligence Team is known for tracking state-sponsored threat actors, it is safe to assume that this group could have ties to nation-states and that the goal of the campaign was either data theft, or cyber-espionage and intelligence gathering.

In the attack, against an unnamed victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk – two legitimate tools that granted them both remote access, and lateral movement capabilities.

They also deployed the Plink and PUTTY tools to create an SSH tunnel and forward remote traffic.

The vulnerability was fixed on July 26, with Triofox version 16.7.10368.56560, and users are advised to apply the patch as soon as possible. What’s more, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14, which would be even better to install, if possible.

Via BleepingComputer

The best antivirus for all budgets

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Source link
The post Hackers hijacked antivirus features to install malware – here’s what we know first appeared on TechToday.

This post originally appeared on TechToday.

Tech News

CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control

UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunneling for remote access

Patch released July 26; newer Triofox version available October 14 for mitigation

Popular remote file sharing and collaboration platform Triofox carried a critical vulnerability that was exploited as a zero-day used to deploy a remote access tool which granted the attackers lateral movement capabilities.

Security researchers from Google’s Mandiant and its Threat Intelligence Group (GTIG) flagged that Triofox comes with a built-in antivirus feature, which carried an “improper access control” flaw that allowed access to initial setup pages even after setup is complete.

The flaw, tracked as CVE-2025-12480 and given a severity score of 9.1/10 (critical), was most likely introduced in early April 2025, was fixed in late July. However, the attacks were spotted almost a month later, which suggests that the victim organization did not apply the fix on time.

You may like

Who is UNC6485?

The researchers identified the attackers as UNC6485, an attack cluster that hasn’t been reported on in the past.

However, since Google’s Threat Intelligence Team is known for tracking state-sponsored threat actors, it is safe to assume that this group could have ties to nation-states and that the goal of the campaign was either data theft, or cyber-espionage and intelligence gathering.

In the attack, against an unnamed victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk – two legitimate tools that granted them both remote access, and lateral movement capabilities.

They also deployed the Plink and PUTTY tools to create an SSH tunnel and forward remote traffic.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The vulnerability was fixed on July 26, with Triofox version 16.7.10368.56560, and users are advised to apply the patch as soon as possible. What’s more, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14, which would be even better to install, if possible.

Via BleepingComputer

The best antivirus for all budgets

Our top picks, based on real-world testing and comparisons

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Source link
The post Hackers hijacked antivirus features to install malware – here’s what we know first appeared on TechToday.

This post originally appeared on TechToday.

Tech News

Hackers hijacked antivirus features to install malware – here’s what we know

Hackers hijacked antivirus features to install malware – here’s what we know

Record 39 million people registered for the NHS App

From enterprise flash to experimental archival media, these ten technologies could one day challenge traditional hard drives

How IntelliNode Automates Complex Workflows with Vibe Agents

Leave a Reply Cancel reply