Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and search queries are available on our GitHub repository.

Intel Source: G-DATA
Intel Name: BRAT_Hijacker_Browser_Manipulation_Malware
Date of Scan: 2025-12-13
Impact: MEDIUM
Summary: Researchers at G DATA CyberDefense have identified a series of browser hijacking techniques used by multiple malware families that target Chromium-based browsers and Firefox. The investigation highlights three distinct mechanisms of compromise, revealing how modern hijackers maintain persistence and evade detection. The first technique involves tampering with browser preference files—such as Chrome’s Secure Preferences or Firefox’s prefs.js—to alter default settings like homepage or search engine configurations, bypassing integrity checks through regenerated HMAC values derived from system data. The second, named BRAT (browser remote access tool), demonstrates the use of automated keystroke emulation to remotely control browser interactions, enabling actions such as tab navigation, clipboard exfiltration, and forced redirections. The third technique leverages a combination of PowerShell and VBScript to disable Chrome’s auto-update policy and install unauthorized extensions via deprecated command-line switches, effectively preventing remediation through normal software updates. Collectively, these techniques show a progression from configuration tampering to full browser automation, representing a growing threat vector that blends persistence, user deception, and credential theft potential.
Source: https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking

Intel Source: Seqrite Labs
Intel Name: MoneyMount_ISO_Phantom_Stealer_via_ISO_Files
Date of Scan: 2025-12-13
Impact: HIGH
Summary: Researchers at Seqrite Labs have identified an ongoing phishing campaign, dubbed Operation MoneyMount-ISO, that delivers the Phantom Stealer malware through malicious ISO-mounted executables. The campaign, originating from Russia, employs payment-confirmation–themed phishing emails written in Russian and designed to impersonate legitimate financial correspondence. The attached ZIP archive contains an ISO image that mounts automatically and executes a disguised payload, leading to the deployment of Phantom Stealer. Once active, the malware conducts multi-stage data theft operations, including credential extraction from browsers, Discord token harvesting, cryptocurrency wallet exfiltration, and clipboard and keylogging surveillance. Technical analysis indicates that the malware leverages steganography, anti-virtualization checks, and self-deletion routines to evade detection. Data exfiltration is achieved through multiple channels such as Telegram bots, Discord webhooks, and FTP servers, highlighting a sophisticated exfiltration architecture.
Source: https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/

Intel Source: Elastic Security Labs
Intel Name: NANOREMOTE_Windows_Backdoor
Date of Scan: 2025-12-12
Impact: MEDIUM
Summary: Researchers from Elastic Security Labs have uncovered a new Windows backdoor called NANOREMOTE, delivered through a deceptive loader known as WMLOADER, which masquerades as legitimate security software. The developers behind this tool appear to be the same espionage-focused group previously associated with the FINALDRAFT implant, as indicated by overlapping code and shared cryptographic routines. Once deployed, NANOREMOTE provides attackers with extensive remote-access capabilities, including command execution, host reconnaissance, file manipulation, and in-memory execution of additional payloads. Its flexible beaconing and task-based architecture enable sustained, interactive operations. To evade detection, the malware leverages Google Drive and other common cloud services for payload staging and data exfiltration, allowing its traffic to blend seamlessly with legitimate network activity. WMLOADER further enhances stealth by using an invalid code signature and encrypted shellcode to evade basic security controls.
Source: https://www.elastic.co/security-labs/nanoremote

Intel Source: Huntress
Intel Name: Fake_AI_Pages_Drop_AMOS_Malware
Date of Scan: 2025-12-12
Impact: MEDIUM
Summary: Researchers from Huntress have uncovered an AMOS Stealer campaign that uses AI-themed troubleshooting pages and search-engine manipulation to lure macOS users. The attack begins when users search for routine Mac maintenance help and are directed to attacker-controlled pages mimicking AI assistants like ChatGPT or Grok. Within these fake chat interfaces, victims are instructed to run benign Terminal commands that actually download and execute a hidden stealer loader. Once active, the malware silently collects system credentials, browser data, and cryptocurrency wallet information while avoiding any visible signs of installation. It persists using standard macOS mechanisms—including LaunchDaemons and user-level watchdog scripts—ensuring it re-launches after reboots or termination attempts. The stealer also checks for virtual machine environments before fully deploying and exfiltrates stolen data to attacker-controlled servers. This campaign exploits user trust in search results, AI chat interfaces, and copy-paste workflows, targeting everyday macOS users, particularly those handling cryptocurrency or sensitive browser-based accounts.
Source: https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust

Intel Source: Sophos
Intel Name: React2Shell_RCE_Exploitation_Campaign
Date of Scan: 2025-12-12
Impact: HIGH
Summary: Researchers at Sophos Counter Threat Unit (CTU) have identified widespread exploitation of CVE-2025-55182, a critical remote code execution vulnerability in React Server Components, referred to as React2Shell. The flaw stems from unsafe deserialization of network requests in the React “Flight” protocol, allowing attackers to send a single malicious HTTP request to execute arbitrary JavaScript on affected servers without authentication. Exploitation activity has been observed targeting versions 19.0.0 through 19.2.0 of React, with numerous compromised systems deploying multi-stage Linux loaders designed for persistence via cron jobs, systemd, and rc.local. Sophos analysts report that these payloads included obfuscated JavaScript components using AES-256-CBC encryption to conceal follow-on malware and anti-forensic measures to delete installer traces.
Source: https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/

Intel Source: WIZ
Intel Name: Gogs_RCE_Bypass_Actively_Exploited
Date of Scan: 2025-12-12
Impact: HIGH
Summary: Researchers at Wiz have identified active exploitation of a previously unknown vulnerability in Gogs, a self-hosted Git service. The flaw, tracked as CVE-2025-8110, is a symbolic link bypass that reopens a remote code execution vector thought to be patched under CVE-2024-55947. The vulnerability allows authenticated users to overwrite files outside the repository directory, enabling arbitrary command execution through modification of Git configuration files. Wiz’s investigation began after detecting malware on a customer’s cloud workload, which was traced to this Gogs zero-day. The threat actor leveraged open registration features and API misuse to compromise exposed instances, with over half of observed Gogs servers showing infection signs.
Source: https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

Intel Source: Sysdig Threat Research Team
Intel Name: EtherRAT_DPRK_Ethereum_implant_via_React2Shell
Date of Scan: 2025-12-11
Impact: LOW
Summary: The Sysdig Threat Research Team reports EtherRAT, a Node.js-based persistent implant deployed via React2Shell (CVE-2025-55182). The malware uses blockchain-based C2 resolution through Ethereum smart contracts, a four-stage delivery chain, and AES-encrypted payloads. It downloads a legitimate Node.js runtime to reduce detection and installs five Linux persistence mechanisms for durable access. EtherRAT polls nine RPC endpoints for resilient C2 and supports self-updating to evade signatures. While attribution is not confirmed, several techniques overlap with DPRK “Contagious Interview” tooling. The implant provides operators full asynchronous JavaScript execution for continued reconnaissance and tasking.
Source: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks

Intel Source: CERT AGID
Intel Name: PA_Email_Compromise_via_Malicious_PDFs
Date of Scan: 2025-12-11
Impact: MEDIUM
Summary: Researchers at CERT-AGID have identified an ongoing phishing campaign targeting Italian Public Administration (PA) entities through the use of compromised institutional email accounts. The attackers leverage these accounts to distribute convincing emails containing malicious PDF attachments that appear to be legitimate document notifications. When recipients open the attached PDF, they are prompted to click a “Review Documents” button, which redirects them to a genuine Figma login page, exploiting the platform’s legitimacy to collect user credentials. Once the victim attempts to authenticate using an email or Google account, the attackers gain access to real user identifiers and potentially sensitive login information. CERT-AGID confirmed that two PA administrations have been compromised so far, with further spread not ruled out.
Source: https://cert-agid.gov.it/news/campagna-malevola-in-atto-abusa-di-utenze-pa-tramite-allegati-pdf-e-accesso-a-figma/

Intel Source: KOI Security
Intel Name: BigBlack_Malicious_VS_Code_Extensions
Date of Scan: 2025-12-10
Impact: HIGH
Summary: Researchers at Koi Security have identified a campaign distributing malicious Visual Studio Code extensions that exfiltrate sensitive developer data through stealthy infostealer payloads. The operation leverages two extensions—one disguised as a cryptocurrency-themed color scheme and another posing as an AI coding assistant—to target developers with varying social engineering lures. Once installed, these extensions execute hidden scripts that download additional payloads capable of capturing screenshots, harvesting WiFi credentials, and stealing browser session tokens. The malware employs DLL hijacking to conceal its activity under legitimate processes, ensuring persistence and evasion of security controls. Analysis of multiple versions revealed iterative refinement by the threat actor, who improved reliability and stealth across updates while maintaining the same command infrastructure and payload delivery chain. Victimology points to software developers and technical professionals, particularly those interested in cryptocurrency or AI-enhanced development tools.
Source: https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen

Intel Source: Reliaquest
Intel Name: Storm_0249_Shifts_to_Precision_Post_Exploitation
Date of Scan: 2025-12-10
Impact: HIGH
Summary: ReliaQuest researchers have identified Storm-0249 as a financially motivated initial access broker that has shifted from broad phishing campaigns to more targeted post-exploitation operations aimed at hijacking trusted endpoint security processes. The group leverages a legitimate SentinelOne helper process to sideload a malicious DLL, enabling SYSTEM-level execution and long-term persistence through MSI installers. After delivering these deceptive installers via Microsoft-themed infrastructure, the attackers use curl and PowerShell commands to deploy fileless payloads that execute directly in memory. Once inside a network, Storm-0249 performs extensive host reconnaissance using built-in Windows utilities and registry queries, collecting identifiers such as MachineGuid, which ransomware affiliates can later use to bind encryption keys to specific victims. The group also routes its command-and-control traffic through the same SentinelOne process, causing malicious TLS communications to blend in with legitimate EDR telemetry.
Source: https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.