Unauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485 (Campaign)
ID: 18445d20-99ba-5f96-b665-e711da9e3e88
STIX ID: report--18445d20-99ba-5f96-b665-e711da9e3e88
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-11-12
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
Mandiant researchers observed UNC6485 actively exploiting CVE-2025-12480 in Gladinet Triofox (versions before 16.7.10368.56560). The flaw is an authentication bypass: Triofox treats a request whose HTTP Host header is set to localhost as a trusted local request, but the Host header is written by the client, so a remote attacker can reach protected functionality without credentials simply by sending that header. The attackers used this to create an admin account, then abused the product's anti-virus scanner configuration, which accepts a path to a scanner binary that Triofox executes with SYSTEM privileges, to run their own scripts as SYSTEM. They deployed a disguised Zoho UEMS installer from 84.200.80.252 to install Zoho Assist and AnyDesk for persistent remote access, used renamed utilities (silcon.exe, sihosts.exe) to establish an SSH reverse tunnel over port 433 for inbound RDP, and performed reconnaissance, privilege escalation, and lateral movement. A fixed build is available and Mandiant recommended upgrading immediately. Because the bypass was used to create a persistent admin account and to re-point the anti-virus scanner path, upgrading alone does not evict an attacker who already got in: review admin accounts and the configured scanner path, and look for the remote-access tools and tunnel binaries named above.
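Two checks a defender can run against the pattern described above, written as an added example for this page and not code from Wiz, Mandiant or Gladinet. It assumes the fixed build is 16.7.10368.56560 (from the summary above), that the Triofox web tier writes IIS W3C logs with the optional cs-host field enabled (it is off by default in IIS), and that SAMPLE_LOG and its URI paths are constructed placeholders rather than real Triofox endpoints. The first function compares an installed version against the fixed release; the pair trusted_by_host_header / trusted_by_peer_address shows the bug in miniature beside the correct check; find_host_spoofing applies that distinction to log lines to surface requests that claim a loopback Host but arrive from a non-loopback peer.

```python
"""Two practitioner checks for the Triofox CVE-2025-12480 pattern.

Added example; not code from Wiz, Mandiant or Gladinet. Assumptions:
  * the fixed build is 16.7.10368.56560 (from the advisory above);
  * the Triofox web tier writes IIS W3C logs with the optional cs-host
    field enabled (cs-host is off by default in IIS; turn it on);
  * SAMPLE_LOG is constructed for this example, and its URI paths are
    placeholders, not real Triofox endpoints.
"""
import ipaddress

FIXED_VERSION = "16.7.10368.56560"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_version(text: str) -> tuple:
    """'16.7.10368.56560' -> (16, 7, 10368, 56560) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def hostname_from_header(host_header: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host header value."""
    value = host_header.strip().lower()
    if value.startswith("["):               # e.g. [::1]:8080
        return value[1:value.index("]")]
    return value.split(":", 1)[0]


# The bug, in miniature: deciding "is this a local request?" from the Host
# header. The client writes that header, so it proves nothing.
def trusted_by_host_header(host_header: str) -> bool:
    return hostname_from_header(host_header) in LOOPBACK_HOSTS


# The correct check: ask the socket where the peer actually is.
def trusted_by_peer_address(remote_addr: str) -> bool:
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def parse_w3c(lines):
    """Yield one dict per W3C entry, keyed by the most recent #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_host_spoofing(lines):
    """Return (c-ip, method, uri, status) for requests whose Host header claims
    loopback but whose TCP peer is not loopback: the CVE-2025-12480 signature."""
    hits = []
    for entry in parse_w3c(lines):
        host = entry.get("cs-host", "-")
        peer = entry.get("c-ip", "-")
        if trusted_by_host_header(host) and not trusted_by_peer_address(peer):
            hits.append((peer, entry.get("cs-method"),
                         entry.get("cs-uri-stem"), entry.get("sc-status")))
    return hits


# Constructed sample: one legitimate request, two spoofed-Host requests from a
# single external address, and one genuine loopback request that must not fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-11-03 08:14:02 10.20.30.40 GET /portal/login.aspx triofox.corp.example 200
2025-11-03 08:14:09 203.0.113.25 GET /portal/setup.aspx localhost 200
2025-11-03 08:14:11 203.0.113.25 POST /portal/setup.aspx localhost:443 302
2025-11-03 08:15:40 127.0.0.1 GET /portal/setup.aspx localhost 200
"""

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("16.7.10367.56000"))
    for hit in find_host_spoofing(SAMPLE_LOG.splitlines()):
        print("spoofed-Host request:", hit)
```

If a reverse proxy or load balancer fronts Triofox, c-ip will be the proxy's address for every request and the peer check must use the proxy's forwarded-client field instead; a request from the proxy that carries Host: localhost is still worth alerting on, since no legitimate proxied client should present that header. The version check only tells you whether the bypass is reachable, not whether it was used, so pair it with the log search and with a review of admin accounts and the anti-virus scanner path.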
