

Microsoft Patches 126 Flaws Including A CLFS Zero-Day Amid Fake MS Office Add-Ins On SourceForge

By TechDogs Bureau

TD NewsDesk

Updated on Wed, Apr 9, 2025

Malware is a constant threat in today's digital environment. Cybercriminals keep developing new and more advanced methods to breach systems, steal confidential information, and disrupt everyday operations.

The range of cyber threats keeps changing and demands constant vigilance from individuals and businesses alike, whether the entry point is a download that looks harmless or a hidden vulnerability in a widely used operating system.

Two recent reports illustrate particularly concerning attack vectors: direct exploitation of a critical operating system component, and the abuse of a trusted software platform to spread malware.

Let's look at these threats and what they mean for your digital safety.


Fake Microsoft Office Add-Ins On SourceForge Deliver Cryptojacking Malware


Threat actors are abusing the open-source software hosting site SourceForge to distribute fraudulent Microsoft Office add-in tools laced with malware, an alarming pattern.

Uncovered by Kaspersky, this covert operation has already reached hundreds of PCs, mostly in Russia, delivering software designed to steal cryptocurrency and to mine it on the victims' hardware.

Developers around the world use SourceForge.net, a long-established platform for hosting and distributing open-source projects, for its project hosting, forums and version control.

In this instance, the malicious project, dubbed "officepackage," deceptively presented itself as a collection of tools for developing Office Add-ins. The project's description and associated files were even a direct copy of the legitimate Microsoft project 'Office-Addin-Scripts' available on GitHub, lending a false sense of authenticity.

The attackers cleverly manipulated search engine results, ensuring that users searching for "office add-ins" or similar terms on platforms like Google were directed to "officepackage.sourceforge.io." This project-specific webpage, hosted by SourceForge, was designed to mimic a genuine developer tool page, featuring prominent "Office Add-ins" and "Download" buttons.

Unwary users who clicked these buttons were prompted to download a password-protected ZIP archive named "installer.zip," together with a separate text file containing the password. Inside the archive was an MSI installer ("installer.msi") artificially inflated to around 700MB, a padding trick used because many antivirus scanners skip or truncate files above a size limit.
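A padded installer is easy to spot once you look at the bytes rather than the size. The following is an added example, not code from the page, from Kaspersky, or from the campaign. The page only says the MSI was inflated to about 700MB; the assumption here is that the inflation is a long run of one filler byte appended to the real file, which is the usual way it is done. The two sample blobs are constructed and scaled down from 700MB to 1MB.

```python
"""Spot an installer that has been padded out to a huge size.

Assumption (not stated on the page): the filler is a long run of a single
repeated byte appended to the real file. Random-byte filler would pass the
entropy test below and would need a size-versus-expected-size policy instead.
"""
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a run of one value, close to 8.0 for random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of data (rstrip keeps this at C speed)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def analyze_padding(data: bytes, run_fraction: float = 0.5,
                    tail_entropy_max: float = 1.0) -> dict:
    """Verdict on whether the file's tail looks like bulk filler.

    Flags when the trailing run of one byte value covers at least run_fraction
    of the file, or when the last 10% of the file has almost no entropy.
    """
    size = len(data)
    run = trailing_run_length(data)
    tail = data[-max(1, size // 10):] if size else b""
    tail_entropy = shannon_entropy(tail)
    padded = size > 0 and (run / size >= run_fraction or tail_entropy < tail_entropy_max)
    return {
        "size": size,
        "trailing_run": run,
        "payload_size": size - run,  # what is left once the filler is dropped
        "tail_entropy": round(tail_entropy, 3),
        "padded": padded,
    }


def analyze_file(path: str) -> dict:
    """Same check on a file on disk, read once into memory."""
    with open(path, "rb") as fh:
        return analyze_padding(fh.read())


# Constructed samples: a 2 KB stand-in for a real installer, and the same
# bytes followed by 1 MB of zero filler.
SAMPLE_CLEAN = bytes(range(256)) * 8
SAMPLE_PADDED = SAMPLE_CLEAN + b"\x00" * 1_000_000

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED)):
        print(name, analyze_padding(blob))
```

The `payload_size` figure is the useful output for triage: it is the size the sample would have been without the filler, and it is what you should submit to a scanner or sandbox that enforces an upload limit.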

Executing the MSI installer dropped several files, including 'UnRAR.exe' and '51654.rar,' and initiated a Visual Basic script. This script then fetched a batch script ("confvk.bat") from GitHub.

[Image: the malicious project alongside the legitimate tool on SourceForge]
This first batch script checked whether it was running inside a sandbox or virtual machine and whether any antivirus products were active. After these checks it downloaded a second batch script ("confvz.bat") and unpacked the previously dropped RAR archive.

The "confvz.bat" script established persistence on the compromised system through modifications to the Windows Registry and the creation of new Windows services. The unpacked RAR file contained a collection of malicious tools: an AutoIT interpreter ("Input.exe"), the Netcat reverse shell tool ("ShellExperienceHost.exe"), and two key payload DLL files ("Icon.dll" and "Kape.dll").
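The execution chain above (MSI install, then a script, then a batch file that registers services and writes registry entries) is visible in process-creation telemetry, and the shape of the chain matters more than any file name. The following is an added example, not code from the page, from Kaspersky, or from the malware. The page does not name the script and batch hosts, so wscript.exe and cmd.exe are assumptions, as are the persistence command strings; every event record below is constructed.

```python
"""Flag persistence (service creation, Run key) set up by a script host that
was itself spawned by an MSI install. Event records are constructed; the
host image names and command lines are assumptions about how the chain on
the page would appear in process-creation logs.
"""

MSI_HOST = "msiexec.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Substrings that usually mean "create a service" or "add a Run key".
PERSISTENCE_MARKERS = ("sc.exe create", "sc create", "new-service",
                       "reg add", "currentversion\\run")


def lineage(event, by_pid):
    """Process chain from event up to the root, nearest ancestor first."""
    chain, seen = [], set()
    cur = event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def suspicious_persistence(events):
    """Return alerts for persistence commands whose ancestry runs
    msiexec.exe -> (script host) -> ... -> this command."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e["cmdline"].lower()
        if not any(marker in cmd for marker in PERSISTENCE_MARKERS):
            continue
        images = [c["image"].lower() for c in lineage(e, by_pid)]
        if MSI_HOST not in images:
            continue
        # A script host strictly between the installer and the persistence
        # command is the pattern on the page. An MSI that registers a service
        # itself (or via a direct child) has nothing in between and is not flagged.
        between = images[1:images.index(MSI_HOST)]
        if any(img in SCRIPT_HOSTS for img in between):
            alerts.append({
                "pid": e["pid"],
                "cmdline": e["cmdline"],
                "chain": " -> ".join(reversed(images)),
            })
    return alerts


# Constructed telemetry: one chain matching the page's description and one
# benign vendor installer that registers its own service.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 10, "image": "msiexec.exe", "cmdline": "msiexec.exe /i installer.msi"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe", "cmdline": "wscript.exe stage1.vbs"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c confvk.bat"},
    {"pid": 400, "ppid": 300, "image": "sc.exe",
     "cmdline": "sc create UpdateSvc binPath= C:\\Users\\Public\\ShellExperienceHost.exe"},
    {"pid": 410, "ppid": 300, "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Input /d C:\\Users\\Public\\Input.exe"},
    {"pid": 500, "ppid": 10, "image": "msiexec.exe", "cmdline": "msiexec.exe /i vendor.msi"},
    {"pid": 510, "ppid": 500, "image": "cmd.exe",
     "cmdline": "cmd.exe /c sc create VendorAgent binPath= C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for alert in suspicious_persistence(SAMPLE_EVENTS):
        print(alert["chain"], "|", alert["cmdline"])
```

The rule deliberately ignores the file names from the campaign: the same chain with renamed scripts and services should still fire, while a legitimate installer whose MSI registers a service directly should not.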

The core of the attack was the two DLLs. "Icon.dll" functioned as a hidden cryptocurrency miner, silently consuming the victims' processing power to mine cryptocurrency for the attacker.

"Kape.dll" acted as a clipper: it continuously monitored the system clipboard for copied cryptocurrency wallet addresses and replaced them with attacker-controlled addresses, so that a victim pasting an address into a transfer sent the funds to the attackers instead.
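A clipper's logic is small, and so is the check that catches it. The following is an added example, not code from the page, from Kaspersky, or from the malware. The address regexes are rough shape checks rather than validators (no checksum verification), and the attacker wallets and the clipboard event sequence are constructed for the demo.

```python
"""Core logic of a clipboard clipper and a defensive audit that catches it.

The wallet patterns are approximate shapes, not validators. ATTACKER_WALLETS
and SAMPLE_EVENTS are constructed; a real monitor would fill the 'user'
events from an OS clipboard hook and the 'poll' events from periodic reads.
"""
import re

WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

# Constructed attacker-controlled addresses, one per chain the clipper targets.
ATTACKER_WALLETS = {
    "btc": "bc1q" + "0" * 38,
    "eth": "0x" + "de" * 20,
    "trx": "T" + "A" * 33,
}


def wallet_type(text: str):
    """Return 'btc', 'eth', 'trx' or None for a clipboard string."""
    s = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def clipper_swap(clipboard: str, attacker_wallets=ATTACKER_WALLETS) -> str:
    """What the clipper does on every clipboard read: if the content is a
    wallet address on a chain it covers, substitute the attacker's address
    for that same chain so the paste still looks plausible; otherwise leave it."""
    chain = wallet_type(clipboard)
    if chain in attacker_wallets:
        return attacker_wallets[chain]
    return clipboard


def audit_clipboard(events):
    """Defensive check over (source, text) events: 'user' is a copy the user
    made, 'poll' is a later read of the clipboard. A silent change from one
    wallet address to another of the same chain is the clipper's signature."""
    alerts, last_user = [], None
    for source, text in events:
        text = text.strip()
        if source == "user":
            last_user = text
        elif source == "poll" and last_user is not None and text != last_user:
            chain = wallet_type(last_user)
            if chain is not None and wallet_type(text) == chain:
                alerts.append({"chain": chain, "expected": last_user, "found": text})
    return alerts


# Constructed sequence: a note, an ETH address on an infected host (the poll
# reflects the swap), then a BTC address on a clean host.
VICTIM_ETH = "0x" + "ab" * 20
VICTIM_BTC = "1" + "A" * 33
SAMPLE_EVENTS = [
    ("user", "meeting notes"),
    ("poll", "meeting notes"),
    ("user", VICTIM_ETH),
    ("poll", clipper_swap(VICTIM_ETH)),
    ("user", VICTIM_BTC),
    ("poll", VICTIM_BTC),
]

if __name__ == "__main__":
    for alert in audit_clipboard(SAMPLE_EVENTS):
        print(alert)
```

The audit only fires when the replacement is a valid-looking address on the same chain, which is exactly what a clipper produces; a user copying two different addresses in a row shows up as two `user` events and is not an alert.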

The attackers also set up a direct communication channel, using Telegram API calls to send information about the compromised system to themselves.

The same channel was later used to deliver additional payloads, giving the attackers more control over the compromised systems and extending the intrusion.

In a statement to BleepingComputer, Logan Abbott, President of SourceForge, clarified that "There were no malicious files hosted on SourceForge, and there were no breaches of any kind. The malicious actor and project in question were removed almost immediately after it was discovered. All files on SourceForge.net (the main website, not the project website subdomains) are scanned for malware and that is where users should download files from.”

“Regardless, we’ve put additional safeguards in place so that project websites using free web hosting cannot link to externally hosted files or use shady redirects in the future."

The abuse of a reputable site such as SourceForge shows that users must stay cautious even when obtaining software from sources that appear trustworthy; in this case the distinction between files on sourceforge.net and content on a project's own subdomain was one the victims had no reason to know.

Trust can also be abused at the operating system level, as the RansomEXX gang showed when it exploited a Windows zero-day to gain SYSTEM-level control.


RansomEXX Gang Exploits Windows Zero-Day for System-Level Control


In its April Patch Tuesday update, which addressed 126 vulnerabilities, Microsoft revealed that the RansomEXX ransomware gang has been actively exploiting a high-severity zero-day in the Windows Common Log File System (CLFS) driver to obtain SYSTEM-level access on victim machines. It is a different kind of threat from the SourceForge campaign, and no less concerning.

The flaw, tracked as CVE-2025-29824, is fixed in this Patch Tuesday release, but it had already been used in a small number of targeted attacks. It is a use-after-free bug that lets a local attacker who already has low-privileged code execution on the machine escalate to SYSTEM, the highest privilege level; Microsoft rates the attack as low complexity, and it requires no user interaction beyond the initial compromise. It is a privilege-escalation bug rather than a remote entry point: the attackers still needed a foothold on the machine first.

Microsoft identified the targets of these attacks as organizations within the information technology (IT) and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.

Notably, Microsoft reported that systems running Windows 11, version 24H2, were not affected by the observed exploitation, because on that version the system information classes the exploit relies on can only be queried by users holding SeDebugPrivilege. Microsoft attributes the attacks to the RansomEXX ransomware gang, which it tracks as Storm-2460. The attackers' modus operandi began with installing a backdoor known as "PipeMagic" on the compromised systems.

PipeMagic, first identified by Kaspersky in 2022, can gather information from the host, give the attackers full remote access to it, and load further payloads for activity across the network.

PipeMagic was then used to run the CVE-2025-29824 exploit, and the elevated access was ultimately used to deploy the RansomEXX ransomware. Security experts stress that the CLFS zero-day is a major risk because it sits in a core Windows component present on everything from enterprise workstations to critical infrastructure.

Successful exploitation hands the attacker full control of the host: SYSTEM privileges let them disable security tooling, change system settings, install further malware, harvest credentials and sensitive data, and use the machine as a springboard for lateral movement across the network.

Despite their distinct approaches, the two incidents have one thing in common: both abuse trust to breach systems.

Digital threats are growing more sophisticated, from impersonating trusted developer tools to exploiting previously unknown operating system flaws.

Do you think trusted sources are still trustworthy in today’s threat landscape?

Drop your thoughts in the comments below.

First published on Wed, Apr 9, 2025
