Brief #142: VMware ESXi Ransomware Exploit, GPT-4o Prompt Injection, Mesh Security's $12M Raise

Nikoloz Kokhreidze

77% of advanced email threats bypass Microsoft E3/E5 defenses. LLMjacking marketplace sells stolen AI access at 60% discount.

Welcome to the Mandos Brief: Strategic insights to help you stay ahead of threats and the market.

In this week's analysis:

  • VMware ESXi Ransomware Exploitation: CISA confirmed ransomware gangs are actively exploiting a high-severity ESXi sandbox escape flaw that's been a zero-day since at least February 2024. Action: If you haven't patched CVE-2025-22225 across ESXi, Fusion, and Cloud Foundation, treat this as your top priority this week - attackers already have a head start.
  • Near-Perfect Prompt Injection Attacks on LLMs: Researchers showed that black-box prompt injection can achieve near-100% malicious content retrieval across major embedding models, coercing GPT-4o into exfiltrating SSH keys for as little as $0.21 per query. So What: If you're deploying RAG or multi-agent systems in production, existing defenses are not enough - start evaluating retrieval-layer controls and assume this attack surface will only grow.
  • Indurex Launches for Cyber-Physical Security: A new startup from the former Applied Risk founder emerged from stealth with a platform unifying cyber, process, and safety context for industrial environments. Strategy: For security vendors eyeing OT and critical infrastructure, this signals growing demand for converged visibility platforms - fragmented tooling in these environments is becoming a real market gap to fill.

Threats

CISA Confirms VMware ESXi Vulnerability Exploited In Ransomware Attacks

  • I've confirmed that ransomware gangs are now actively exploiting CVE-2025-22225, a high-severity VMware ESXi sandbox escape vulnerability that has been used in zero-day attacks since at least February 2024.

  • The vulnerability allows attackers with privileged access to trigger an arbitrary kernel write leading to sandbox escape, affecting multiple VMware products including ESXi, Fusion, Cloud Foundation, and vSphere.

  • CISA has updated its Known Exploited Vulnerabilities catalog to specifically flag this flaw as being used in ransomware campaigns, though federal agencies were already required to patch by March 25, 2025 under BOD 22-01.

OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills

  • OpenClaw has partnered with Google-owned VirusTotal to scan all skills uploaded to the ClawHub marketplace using SHA-256 hashes and the Code Insight capability, automatically approving benign skills, flagging suspicious ones, and blocking malicious content.

  • Recent security research has uncovered hundreds of malicious skills on ClawHub that masquerade as legitimate tools but harbor functionality to exfiltrate data, inject backdoors, or install stealer malware through cleverly concealed prompt injection payloads.

  • The platform faces significant security challenges including cleartext credential storage, ineffective guardrails against prompt injection attacks, and over 30,000 exposed instances accessible over the internet, prompting China's Ministry of Industry and Information Technology to issue security warnings.

Rapid7 Discovers Chrysalis Backdoor Used by Lotus Blossom APT

  • Rapid7 uncovered a sophisticated campaign by Chinese APT group Lotus Blossom that compromised Notepad++ infrastructure to deliver a previously unknown custom backdoor called Chrysalis, which features extensive command and control capabilities including file transfer, remote shell access, and comprehensive system reconnaissance.

  • The attack chain leverages DLL sideloading using a renamed Bitdefender Submission Wizard to load malicious log.dll, which then decrypts and executes shellcode that deploys the main Chrysalis backdoor with RC4 encryption and custom API hashing to evade detection.

  • Additional forensic analysis revealed the threat actors also deployed Cobalt Strike beacons through multiple loader variants, including one that abuses the Microsoft Warbird code protection framework via undocumented NtQuerySystemInformation system calls for stealthy shellcode execution.

Leadership Insights

Action1 Releases 2025-2026 Education Cybersecurity Report Showing Declining Confidence Despite Increased Investment

  • School IT leaders are reassessing their cybersecurity readiness more realistically, with 66% rating their maturity as moderate while confidence in being highly prepared dropped from 30% to 18%, reflecting better understanding of today's complex threat landscape.

  • Nearly 89% of schools experienced at least one cyber incident in the past year, with phishing attacks being the most common (84%), followed by malware infections (22%) and unauthorized access (15%), while only 3% reported ransomware incidents.

  • Despite 38% of schools increasing cybersecurity budgets and more allocating 21-30% of IT spending to security, 74% still operate without a dedicated cybersecurity specialist and 92% expect AI-powered phishing to be the most dangerous threat in the coming year.

StrongestLayer Report Shows 2,042 Advanced Email Threats Bypassed Microsoft E3/E5 and Leading SEGs

  • Analysis of Q3-Q4 2025 threats reveals that 77% of attacks impersonated business-critical brands like DocuSign, Microsoft, and Google Calendar, exploiting platforms too operationally critical to block without halting business operations.

  • Although 77% of attacks failed authentication (SPF/DKIM/DMARC), they still reached inboxes because of DMARC enforcement gaps, while the 17 attacks that passed all authentication checks show that validation confirms where a message originated, not whether its intent is malicious.

  • Approximately 45% of sophisticated attacks showed AI-assistance markers with projections reaching 75-95% within 18 months, creating unique variants that share only 12-18% similarity and bypass traditional pattern-matching detection methods.

  • The report reveals a massive surge in generative AI usage, with the number of users tripling and data prompts to AI apps increasing sixfold, while data policy violations doubled to an average of 223 incidents per month as employees send sensitive source code, regulated data, and intellectual property to AI platforms.

  • Personal cloud apps continue to pose significant insider threat risks, with 60% of insider threat incidents involving personal app instances and 31% of users uploading data to these platforms monthly, representing more than double the number interacting with AI apps.

  • Despite improvements in user awareness, phishing remains persistent with 87 out of every 10,000 users clicking malicious links monthly, while attackers increasingly abuse trusted channels like GitHub, OneDrive, and Google Drive to distribute malware to organizations.

AI & Security

Researchers Develop Black-Box Attack Method That Achieves Near-Perfect Retrieval of Malicious Content in LLM Systems

  • Researchers demonstrated that indirect prompt injection attacks can achieve near-100% retrieval rates across 11 benchmarks and 8 embedding models by decomposing malicious content into trigger and attack fragments, with a single poisoned email successfully coercing GPT-4o into exfiltrating SSH keys in over 80% of trials.

  • The attack uses a black-box optimization algorithm requiring only API access to embedding models, costs as little as $0.21 per target query on OpenAI's embedding models, and works across both RAG and multi-agent systems without requiring knowledge of corpus contents or model parameters.

  • Evaluation of existing defenses found them insufficient to prevent retrieval of malicious text, with the vulnerability persisting across different model architectures, parameter scales, and proprietary services, establishing retrieval as a critical open vulnerability in LLM systems.

MoltBot AI Agent Raises Security Concerns With Plain Text Storage and Unrestricted Access

  • MoltBot, an open-source AI agent, stores sensitive data including API keys, memory files, and session logs in plain text files on local machines, making them easy targets for infostealers that scrape common directories.

  • The agent operates with deep system access and autonomous capabilities, creating security risks because traditional app security models break down when dealing with adaptive and non-deterministic AI behavior that changes over time.

  • 1Password proposes a mediation layer approach where agents receive time-bound, revocable access through identity management rather than long-lived tokens, enabling continuous runtime access control and audit trails.

Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization

  • Pillar Security uncovered a systematic LLMjacking campaign targeting exposed AI infrastructure, capturing 35,000 attack sessions between December 2025 and January 2026 across three interconnected threat actors operating a complete criminal supply chain.

  • The operation involves a threat actor "Hecker" running silver.inc, a commercial marketplace that resells unauthorized access to 30+ LLM providers at 40-60% discounts while exploiting exposed Ollama instances, unauthenticated vLLM servers, and accessible MCP endpoints.

  • Organizations face risks beyond compute theft including data exfiltration from LLM context windows, lateral movement through compromised Model Context Protocol servers, and supply chain compromise affecting file systems, databases, and internal APIs.

Market Intelligence

Mesh Security Raises $12 Million for CSMA Platform

  • The Series A funding round was led by Lobby Capital, bringing Mesh Security's total funding to over $16 million since its 2022 founding.

  • Mesh's platform operationalizes CSMA by sitting above existing security stacks to unify fragmented tools into a single interoperable system without disrupting current investments.

  • The company will use the investment to advance autonomous agentic capabilities for cross-domain attack paths and scale sales and customer support operations.

AiStrike Raises $7 Million in Seed Funding for AI-Native Cyber Defense Platform

  • The startup secured $7 million in seed funding led by Blumberg Capital, with participation from Runtime Ventures, Oregon Venture Fund, and angel investors to scale its AI-native cyber defense platform.

  • AiStrike offers Agentic Cyber Defense-as-a-Service (ACDaaS) that unifies exposure analysis, threat intelligence, detection, investigation, and response using AI agents across the security operations lifecycle.

  • The platform uses a federated model designed to reduce latency and eliminate cost overhead while continuously hunting threats, analyzing risks, and driving preventive action before incidents occur.

Indurex Emerges From Stealth to Close Security Gap in Cyber-Physical Systems

  • Netherlands-based startup Indurex has launched from stealth mode with an AI-powered platform that ingests and correlates data from multiple sources across the cyber-physical stack, focusing on industrial historians, instrumentation and asset management systems, and OT network data.

  • The company was founded by Jalal Bouhdada, former founder of industrial cybersecurity firm Applied Risk which was acquired by DNV in 2021, and is currently preparing a pre-seed funding round while remaining bootstrapped.

  • Indurex's platform unifies cyber, process, and safety context into a single operational view for utilities, energy operators, and data centers, using adaptive risk scoring to replace fragmented tools and reduce alert noise in critical infrastructure environments.

Security Stack

Onspring OMB A-123 Risk & Controls Management

Federal agency GRC platform for OMB A-123 compliance and internal controls

AppOmni Salesforce Security

SSPM solution for Salesforce security posture management and threat detection

Cayosoft Guardian Protector™

Hybrid AD and Entra ID mgmt, monitoring, and recovery platform


Thank you for reading this week's brief.

If you found this brief valuable, please forward it to one peer who is currently building or securing a B2B startup.

I’m constantly refining this intelligence for you. Was this week's market analysis useful?

Just hit Reply and let me know, I read every message.

Talk to you in the next one.

Nikoloz
