The Play ransomware group exploited a recently patched Windows privilege escalation flaw, CVE-2025-29824 in the Common Log File System (CLFS) driver, during an attack on a U.S. organization. As reported by Symantec, the group, known for double extortion, used a public-facing Cisco ASA as its entry point. It then deployed Grixba, an information stealer attributed to Play, disguised as legitimate software, to gather sensitive data. Its methods included enumerating other machines on the network and dropping files that were used to escalate privileges and alter system settings. Microsoft shipped the fix in its April 2025 security update; machines not yet at that update level remain exposed to the privilege escalation.
The Play ransomware group exploited a recently patched Windows privilege escalation flaw (CVE-2025-29824) in a targeted attack, demonstrating the continued evolution of its tooling.
Notably, the intrusion involved Grixba, an information stealer attributed to Play, which was disguised as legitimate software to evade detection.