Kinetic Potential Blog

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU).

UEFI and IOMMU are designed to enforce a security foundation and prevent peripherals from performing unauthorized memory accesses, effectively ensuring that DMA-capable devices can manipulate or inspect system memory before the operating system is loaded.

The vulnerability, discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games in certain UEFI implementations, has to do with a discrepancy in the DMA protection status. While the firmware indicates that DMA protection is active, it fails to configure and enable the IOMMU during the critical boot phase.

The US cybersecurity agency CISA on Wednesday warned that hackers have been exploiting a critical vulnerability in the now-discontinued Asus Live Update utility.

The exploited flaw is tracked as CVE-2025-59374 (CVSS score of 9.3) and is described as “an embedded malicious code vulnerability”.

CISA notes that the backdoor was introduced in a supply chain compromise, and that the affected devices could be abused to perform unintended actions, if certain conditions were met.

The warning refers to Operation ShadowHammer, a sophisticated supply chain attack mounted in 2018 by Chinese state-sponsored hackers. The attack was linked to the ShadowPad backdoor and attributed to APT41 (also tracked as Brass Typhoon, Wicked Panda, and Barium).

Koi Security has identified a malicious campaign targeting Firefox users via a series of extensions that rely on steganography to hide malware in their icons.

The extensions pose as free VPN services, ad blockers, translation tools, and weather forecast apps, but instead deploy a multi-stage payload that monitors users’ activities, disables security protections, and enables remote code execution (RCE).

According to Koi, which named the campaign GhostPoster, at least 17 such extensions have been published to the browser’s add-ons marketplace, and they have been installed approximately 50,000 times.

One of the extensions, named Free VPN Forever, was published in September 2025 and has been installed over 16,000 times.

Koi observed that the extension would load its logo file and then search through the raw bytes of the image for a specific marker.