Hackers hijacked antivirus features to install malware – here’s what we know
- CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control
- UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunneling for remote access
- Patch released July 26; newer Triofox version available October 14 for mitigation
Popular remote file sharing and collaboration platform Triofox carried a critical vulnerability that was exploited as a zero-day used to deploy a remote access tool which granted the attackers lateral movement capabilities.
Security researchers from Google’s Mandiant and its Threat Intelligence Group (GTIG) flagged that Triofox comes with a built-in antivirus feature, which carried an “improper access control” flaw that allowed access to initial setup pages even after setup is complete.
The flaw, tracked as CVE-2025-12480 and given a severity score of 9.1/10 (critical), was most likely introduced in early April 2025, was fixed in late July. However, the attacks were spotted almost a month later, which suggests that the victim organization did not apply the fix on time.
Who is UNC6485?
The researchers identified the attackers as UNC6485, an attack cluster that hasn’t been reported on in the past.
However, since Google’s Threat Intelligence Team is known for tracking state-sponsored threat actors, it is safe to assume that this group could have ties to nation-states and that the goal of the campaign was either data theft, or cyber-espionage and intelligence gathering.
In the attack, against an unnamed victim, the threat actors used malicious code to deploy Zoho UEMS, through which they installed Zoho Assist and AnyDesk – two legitimate tools that granted them both remote access, and lateral movement capabilities.
They also deployed the Plink and PUTTY tools to create an SSH tunnel and forward remote traffic.
The vulnerability was fixed on July 26, with Triofox version 16.7.10368.56560, and users are advised to apply the patch as soon as possible. What’s more, Gladinet (the company behind Triofox) released a newer version, 16.10.10408.56683, on October 14, which would be even better to install, if possible.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
CVE-2025-12480 in Triofox allowed zero-day exploitation via improper access control UNC6485 attackers deployed Zoho Assist, AnyDesk, and SSH tunneling for remote access Patch released July 26; newer Triofox version available October 14 for mitigation Popular remote file sharing and collaboration platform Triofox carried a critical vulnerability that was exploited as…
