Security researchers are working with defense teams to address a shift in how attackers achieve persistence and evade detection. The activity ranges from the use of AI-generated obfuscation to the targeting of reclassified perimeter vulnerabilities. A primary concern for enterprise environments is an elevated risk profile for F5 BIG-IP systems. Originally disclosed as a denial-of-service issue last October, a vulnerability in the BIG-IP Access Policy Manager (APM) was reclassified this morning as a critical remote code execution (RCE) flaw. Tracked as CVE-2025-53521 with a CVSS score of 9.8, the vulnerability is being exploited in active security incidents, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog.
This escalation coincides with the discovery of DeepLoad, a malware strain that uses AI-generated code to bypass standard security layers. DeepLoad represents an evolution in credential theft and relies on the "ClickFix" social engineering technique for initial access: the victim is shown a fake system error and told to paste and run a command to resolve it. As soon as the user executes that command, the malware captures credentials and establishes a foothold that requires precise remediation to remove. The emergence of DeepLoad and the targeted activity against F5 perimeters point to coordinated efforts to compromise both network edges and end-user workstations.
Technically, DeepLoad relies on highly specific evasion and persistence mechanisms. To defeat static scanning, it buries its functional logic beneath thousands of lines of irrelevant, AI-generated padding. This volume of filler defeats signature-based tools, which struggle to isolate the core decryption routine. Once active, DeepLoad unpacks entirely in memory and injects its core components into LockAppHost.exe, the legitimate Windows process that hosts the lock screen. Because security tooling rarely monitors this process for unexpected activity, the malware operates with high stealth.
Defenders should evaluate DeepLoad's persistence strategy carefully. Beyond standard scheduled tasks, it registers a permanent event subscription in Windows Management Instrumentation (WMI). This means that even when a host appears remediated after its files and scheduled tasks have been removed, the subscription can re-execute the entire infection chain days later; in one investigated case, the activity re-triggered three days after the initial cleanup. The malware also uses the PowerShell Add-Type cmdlet to compile a temporary, randomly named DLL in the Temp directory on every execution, so file-based indicators are a moving target. Propagation to removable media is a core capability as well: DeepLoad can copy itself to connected USB drives within about ten minutes, disguising its components as legitimate installers for applications such as Chrome or AnyDesk.
At the network perimeter, the reclassification of CVE-2025-53521 demands attention at the same time. F5 updated its advisory after receiving new data showing that attackers can achieve RCE by sending specific traffic to virtual servers configured with BIG-IP APM. The vulnerability affects multiple versions, including 15.1.x, 16.1.x, 17.1.x, and 17.5.x, and also impacts systems running in Appliance mode. Monitoring data suggests that malicious actors are moving from generic mass scanning to focused fingerprinting of F5 infrastructure: researchers have observed unauthorized requests to the /mgmt/shared/identified-devices/config/device-info iControl REST endpoint, which returns machine IDs and hostnames and can be used to map exposed devices.
Regarding secure communications, researchers are evaluating a reported zero-click vulnerability in Telegram. Tracked as ZDI-CAN-30207, the flaw reportedly allows compromise of Android and Linux clients through the receipt of a specially crafted animated sticker. While the Zero Day Initiative (ZDI) recently lowered the severity score from 9.8 to 7.0 to account for server-side mitigations, the core risk remains: the vulnerability reportedly triggers during preview generation, so no user interaction is required. Telegram has stated that its server-side validation prevents corrupted stickers from reaching users. However, Italy's National Cybersecurity Agency has advised caution until full technical details are disclosed in late July.
These developments call for a multi-layered response. For F5 BIG-IP, immediate patching is necessary. Security teams should also audit systems for specific indicators of compromise, such as the presence of /run/bigtlog.pipe or /run/bigstart.ltm, and verify the integrity of system binaries such as /usr/bin/umount and /usr/sbin/httpd, since unauthorized modifications to these files have been observed in recent campaigns.
When addressing a DeepLoad infection, file removal alone is insufficient. Organizations must specifically audit and remove unauthorized WMI event subscriptions to prevent recurrence. Because the malware captures credentials from the moment of execution, including live keystrokes and session tokens, remediation must also include a comprehensive password reset and session revocation for every account associated with the affected host. To detect the obfuscated PowerShell loaders, teams should enable PowerShell Script Block Logging and prioritize behavioral monitoring over static file scanning.
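The two DeepLoad passages above (the WMI re-execution trigger and Add-Type residue, and the remediation guidance on auditing subscriptions and enabling Script Block Logging) translate into a short host audit. The following is an added example written for this article; it is not code from the original page, from DeepLoad analysis, or from any vendor. It uses only standard Windows locations (the root\subscription namespace, %TEMP%, the ScriptBlockLogging policy key, and the PowerShell operational log); none of the names it queries are DeepLoad-specific indicators.

```powershell
# Added example, not part of the original article or any vendor tooling.
# Audits the Windows persistence and logging points discussed in the text:
#   1. permanent WMI event subscriptions (the re-execution trigger described above)
#   2. Add-Type compilation residue in %TEMP%
#   3. whether PowerShell Script Block Logging (event 4104) is enabled
# Run from an elevated PowerShell session on the host under investigation.

function Get-RefName ($ref) {
    # Reference properties arrive as CimInstance objects from Get-CimInstance, but as
    # '__EventFilter.Name="x"' strings from older WMI tooling; normalise to the name.
    if ($ref -is [string]) { ($ref -split '"')[1] } else { $ref.Name }
}

function Get-WmiSubscription {
    # A permanent subscription is three linked objects in root\subscription:
    # an __EventFilter (WQL trigger), an __EventConsumer (what runs), and a
    # __FilterToConsumerBinding that ties them together. Enumerate by binding.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    foreach ($b in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        [pscustomobject]@{
            Filter       = $fName
            Trigger      = $f.Query                    # WQL that fires the consumer
            Consumer     = $cName
            ConsumerType = $c.CimClass.CimClassName    # e.g. CommandLineEventConsumer
            # CommandLineEventConsumer launches a program; ActiveScriptEventConsumer
            # runs embedded VBScript/JScript. Either can relaunch a loader.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Remove-WmiSubscription {
    # Deletes the binding first (so the consumer can no longer fire), then the
    # consumer and filter. Honors -WhatIf so the removal can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        Where-Object Name -eq $ConsumerName | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Where-Object Name -eq $FilterName | Remove-CimInstance
}

function Get-TempCompileResidue ([int]$Hours = 24) {
    # Add-Type shells out to the C# compiler and can leave randomly named
    # .cmdline/.cs source files and compiled .dll files in %TEMP%. Recent ones on a
    # host where nobody builds code deserve a look, even if the loader has been deleted.
    Get-ChildItem -Path "$env:TEMP\*" -File -Include *.dll, *.cs, *.cmdline -ErrorAction SilentlyContinue |
        Where-Object CreationTime -gt (Get-Date).AddHours(-$Hours) |
        Select-Object Name, Length, CreationTime
}

$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    # Full 4104 logging only happens when this policy value is 1; without it the
    # engine records only blocks it flags as suspicious.
    $v = Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    New-Item -Path $SblKey -Force | Out-Null
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-AddTypeScriptBlocks ([int]$Hours = 72) {
    # With logging on, loaders that compile code via Add-Type appear as 4104 events.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Add-Type' } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

# Usage: review subscriptions and residue, then confirm logging is on.
Get-WmiSubscription | Format-List
Get-TempCompileResidue | Format-Table -AutoSize
"Script Block Logging enabled: $(Get-ScriptBlockLoggingState)"
# Remove-WmiSubscription -FilterName '<filter>' -ConsumerName '<consumer>' -WhatIf
```

A stock Windows installation carries one benign binding, the "SCM Event Log Filter" paired with the "SCM Event Log Consumer" (an NTEventLogEventConsumer); anything else returned by Get-WmiSubscription should have a known owner. Because WMI subscriptions are cleaned last in the sequence above, run the audit again after the credential reset, since a surviving consumer would otherwise harvest the new passwords.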
The use of AI to generate tailored obfuscation means that machine-generated padding will become harder to distinguish from legitimate code. As attackers shift toward less-monitored Windows features such as WMI and toward rarely scrutinized processes such as LockAppHost.exe, defensive strategies must center on behavioral anomalies rather than static indicators. The reported Telegram vulnerability is also a reminder that zero-click vectors in messaging applications remain a high-value target for capable actors pursuing individuals whose communications are strategically sensitive.
While the server-side mitigations described by Telegram have reduced the immediate severity of the sticker issue, the discrepancy between the vendor's statements and the researchers' findings leaves a gap in current knowledge. Until the full disclosure in July, users with high-stakes privacy needs should consider using the web version of the application in a sandboxed browser, or restricting who can message them to trusted contacts.