Hackers Hijack Triofox: Exploit Turns Antivirus into Attack Vector!
Hackers have exploited the Triofox flaw CVE-2025-12480 to bypass authentication and run malicious payloads via the platform’s antivirus feature. Mandiant discovered this bug, urging users to upgrade Triofox and audit admin accounts. Remember, in cybersecurity, always keep your software updated; don’t let hackers crash your party!

Hot Take:
Oh, Triofox, it’s not you, it’s your anti-virus feature letting your guard down and inviting hackers in for a cozy SYSTEM-level privilege party. Time to patch up and stop repeating history like a bad sequel!
Key Points:
- Triofox flaw CVE-2025-12480 allowed hackers to bypass authentication and run remote access tools.
- The vulnerability was exploited by threat cluster UNC6485, tracked by Google’s Mandiant researchers.
- The attack involved manipulating the antivirus configuration to run malicious scripts with SYSTEM privileges.
- Hackers used the flaw to create new admin accounts, deploy remote access tools, and escalate privileges.
- Mandiant recommends updating Triofox, auditing admin accounts, and monitoring for suspicious activity.
Cracking the Code: Triofox’s Antivirus Feature Goes Rogue
In a plot twist worthy of a cybersecurity thriller, hackers have once again found a way to exploit Triofox’s vulnerabilities, specifically the CVE-2025-12480 flaw. This infamous flaw, with a CVSS score of 9.1, was like a VIP pass for threat actors to bypass authentication and unleash chaos via the platform’s antivirus feature. Mandiant, Google’s cyber-sleuthing arm, has been tracking the antics of these cyber-miscreants, who are part of a threat cluster known as UNC6485. These digital bandits have been exploiting the flaw since August 2025, chaining it with the platform’s antivirus feature to run malicious code. Talk about anti-virus gone anti-hero!
HTTP Request Shenanigans: When Localhost Becomes the Ghost Host
The hackers proved to be quite the clever digital illusionists, manipulating HTTP requests to bypass security measures. By changing the Host header to “localhost,” they bypassed access controls and waltzed into the admin setup process, creating a new admin account charmingly named “Cluster Admin.” This new admin status was their ticket to ride, allowing them to upload and execute malicious scripts with SYSTEM-level privileges. It’s like getting the keys to the castle by just pretending to be the gardener.
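A defender can hunt for exactly this pattern in web logs: a request whose Host header claims "localhost" while the client address is not a loopback address. The following is an added example, not code from the article or from Triofox; the W3C-style log lines and the `/setup/` path are constructed, and the real admin-setup URL is not given on the page.

```python
"""Flag requests that present Host: localhost from a non-loopback client,
the spoofing pattern described above. Log lines are constructed samples
in W3C extended format (the IIS-style cs-host field carries the Host header)."""
import ipaddress

# Constructed sample: a normal request, a genuine local request,
# and a remote client presenting Host: localhost. /setup/ is a placeholder.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-14 10:01:02 203.0.113.7 GET /index.html triofox.example.test 200
2025-08-14 10:01:09 127.0.0.1 GET /setup/ localhost 200
2025-08-14 10:02:11 198.51.100.23 POST /setup/ localhost 200
"""

LOCAL_HOST_NAMES = {"localhost", "127.0.0.1", "::1"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def host_name(value):
    """Lower-case Host header value with any :port suffix removed."""
    value = value.lower()
    if value.startswith("[") and "]" in value:      # bracketed IPv6 literal
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                               # hostnames, "-" etc.
        return False


def spoofed_localhost_requests(text):
    """Return (c-ip, cs-uri-stem) for each request that claims a loopback
    Host header but arrives from a non-loopback client address."""
    hits = []
    for rec in parse_w3c(text):
        if host_name(rec.get("cs-host", "")) in LOCAL_HOST_NAMES \
                and not is_loopback(rec.get("c-ip", "")):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, path in spoofed_localhost_requests(SAMPLE_LOG):
        print(f"ALERT: remote client {ip} sent Host: localhost for {path}")
```

The same check can be pointed at real IIS logs by reading the file instead of `SAMPLE_LOG`, provided the `cs-host` field is enabled in the site's logging configuration.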
Malware Mayhem: A Batch of Trouble
Once in, the attackers used the newly minted admin account to point Triofox’s antivirus path to their malicious script, executing it with SYSTEM privileges. This crafty batch script ran a PowerShell downloader, fetching a payload that installed Zoho UEMS. The sneaky setup then used Zoho Assist and AnyDesk to maintain remote access, while also going on a spree of SMB session enumeration and user account tampering. It’s like inviting your friends over for a sleepover and finding out they’ve rearranged your entire life by morning.
Patch It Up, Triofox: A Lesson in Cybersecurity
Fortunately, all is not lost! The vulnerability has been patched in the latest Triofox version 16.7.10368.56560. Mandiant’s sage advice includes upgrading to this latest release and doing a thorough audit of admin accounts to ensure no malicious leftovers are lurking about. They also recommend ensuring that the antivirus engine isn’t unwittingly set up to run unauthorized scripts or binaries, essentially telling Triofox to stop being so gullible. And for those with a penchant for sleuthing, hunting for attacker tools and monitoring for unusual outbound SSH traffic is highly recommended.
The Takeaway: Stay Vigilant, Stay Updated
This tale of Triofox woe serves as a stark reminder to the cybersecurity community: keeping systems updated and monitoring for strange activities is crucial in the ongoing battle against cyber threats. It’s a never-ending cat-and-mouse game, but with the right strategies and vigilance, we can keep the digital world a safer place—or at least make it a little harder for those pesky cyber-criminals to crash the party.
