Perseus Android Malware Targets Your Notes App While CISA Sounds Alarms on Multiple Exploited Vulnerabilities

You know that feeling when you realize attackers have found a new angle you hadn’t considered? That’s exactly what happened this week with the discovery of Perseus, a new Android malware that’s doing something I haven’t seen before – it’s specifically targeting users’ note-taking apps to steal sensitive information.

While we’ve all gotten pretty good at warning people not to store passwords in plain text files, how many of us have explicitly told users not to jot down crypto wallet recovery phrases or banking details in their phone’s notes app? The Perseus malware is betting that not many of us have had that conversation, and honestly, they’re probably right.

This is a good reminder that as security professionals, we need to think beyond traditional attack vectors. Users naturally treat their notes apps like digital sticky notes – convenient, always accessible, and seemingly private. But Perseus shows us that convenience often comes at the cost of security, especially when that “private” space becomes a goldmine for attackers.

CISA’s Busy Week: SharePoint and Wing FTP Under Active Attack

Meanwhile, CISA has been having a busy week adding vulnerabilities to their Known Exploited Vulnerabilities catalog. Two caught my attention because they represent different sides of the patching challenge we all face.

First up is the SharePoint remote code execution vulnerability CVE-2026-20963. Microsoft patched this one back in January, but CISA is now warning about active exploitation in the wild. This is the classic scenario that keeps us up at night – a critical vulnerability in widely used enterprise software where the patch exists, but deployment takes time across large organizations.

SharePoint environments can be particularly tricky to patch quickly because they’re often deeply integrated into business workflows. Users notice when SharePoint goes down for maintenance, which means patching windows are limited and carefully planned. Attackers know this, which is why they’re probably targeting this vulnerability specifically.

The second addition is CVE-2025-47813, an information disclosure flaw in Wing FTP that leaks server installation paths. Now, a CVSS score of 4.3 might not seem scary, but the fact that CISA added it to the KEV catalog tells us attackers are finding ways to chain this information disclosure with other techniques to achieve their goals.

This Wing FTP issue is a perfect example of why we can’t just look at CVSS scores in isolation. Path disclosure might seem minor, but in the hands of a skilled attacker, it becomes reconnaissance data that makes subsequent attacks more targeted and effective.

When Government Systems Fail: The Companies House Incident

Speaking of information disclosure, the UK’s Companies House experienced what they’re calling a “web glitch” that exposed corporate and personal details to potential fraudsters. This one hits different because Companies House isn’t just any website – it’s the official registrar of companies in the UK, holding sensitive business information that fraudsters can use for everything from identity theft to business email compromise attacks.

What makes this particularly concerning is the downstream effect. When official government databases leak information, that data becomes the foundation for highly convincing social engineering attacks. Fraudsters can use legitimate business details to craft emails and phone calls that pass initial credibility checks, making them much more dangerous than generic phishing attempts.

The Attack Path Problem We’re All Struggling With

One piece that caught my eye this week was about Mesh CSMA’s approach to attack path analysis. While it’s essentially a product walkthrough, it highlights something we’re all dealing with: we’re drowning in security data but still struggling to understand which vulnerabilities actually matter in our specific environments.

The core question they pose is spot-on: “Which exposures, misconfigurations, and vulnerabilities chain together to create viable attack paths to crown jewels?” This isn’t just a tool problem – it’s a fundamental challenge in how we prioritize our security efforts.

I’ve been in too many meetings where we’re debating whether to patch a medium-severity vulnerability while a combination of low-severity issues creates a highway straight to our most critical assets. The Perseus malware is actually a great example of this – individually, accessing notes might seem low-impact, but when combined with social engineering or credential stuffing attacks, those “harmless” notes become the keys to the kingdom.

What This Means for Our Daily Work

These stories reinforce a few key points for our day-to-day security operations. First, we need to expand our user education beyond traditional password security to include data hygiene in apps users don’t typically think of as security-relevant.

Second, the CISA additions remind us that patch management isn’t just about speed – it’s about understanding which patches address vulnerabilities that attackers are actively weaponizing. Both SharePoint and Wing FTP vulnerabilities are being exploited right now, which means they should jump to the front of our patching queues.

Finally, the attack path complexity issue isn’t going away. We need better ways to understand how individual vulnerabilities combine to create real risk in our environments, because attackers certainly understand these relationships.